Black Box LR1114A-T1-E1, LR1102A-T1-E1, LR1112A-T1-E1, LR1104A-T1-E1 User Manual

May 2004 LR1102A-T1/E1 LR1104A-T1/E1 LR1112A-T1/E1 LR1114A-T1/E1

Black Box LR11xx Series Router Configurations

CUSTOMER

SUPPORT

INFORMATION

Order toll-free in the U.S. 24 hours, 7 A.M. Monday to midnight Friday: 877-877-BBOX FREE technical support, 24 hours a day, 7 days a week: Call 724-746-5500 or fax 724-746-0746 Mail order: Black Box Corporation, 1000 Park Drive, Lawrence, PA 15055-1018 Web site: www.blackbox.com • E-mail: info@blackbox.com

Black Box LR11xx Series Router Configurations Guide

FEDERAL COMMUNICATIONS COMMISSION

AND

CANADIAN DEPARTMENT OF COMMUNICATIONS

RADIO FREQUENCY INTERFERENCE STATEMENTS

This equipment generates, uses, and can radiate radio frequency energy and if not installed and used properly, that is, in strict accordance with the manufacturer’s instructions, may cause interference to radio communication. It has been tested and found to comply with the limits for a Class A computing device in accordance with the specifications in Subpart B of Part 15 of FCC rules, which are designed to provide reasonable protection against such interference when the equipme nt is operated in a commercial environment . Operation of this equipment in a residential area is likely to cause interference, in which case the user at his own expense will be required to take whatever measures may be necessary to correct the interference.

Changes or modifications not expressly approved by the party responsible for compliance could void the user’s authority to operate the equip ment.

This digital apparatus does not exceed the Class A limits for radio noise emission from digital apparatus set out in the Radio Interference Regulation of the Canadian Depar tm e nt of Com m un i c at ion s .

Le présent appareil numérique n’émet pas de bruits radioélectriqu es dépassant les limites applicables aux appareils numériques de la classe A prescrites dans le Règlement sur le brouillage radioélectrique publié par le ministère des Communications du Canada.

Normas Oficiales Mexicanas (NOM)

Electrical Safety Statement

INSTRUCCIONES DE SEGURIDAD

1. Todas las instrucciones de seguridad y operación deberán ser leídas antes de que el aparato eléctrico sea operado.

2. Las instrucciones de seguridad y operación deberán ser guardadas para referencia futura.

3. Todas las adve rtencias en el aparato eléctrico y en sus instrucciones de operación deben ser respetadas.

4. Todas las instrucciones de operación y uso deben ser seguidas.

5. El aparato eléctrico no deberá ser usado cerca del agua—por ejemplo, cerca de la tina de baño, lavabo, sótano mojado o cerca de una alberca, e tc.

6. El aparato eléctrico debe ser usado únic amente con carritos o pedestales que sean recomendados por el f a bricante.

7. El aparato eléctrico debe ser mo ntado a la pared o al techo sólo como sea recomendado por el fabricante.

8. Servicio—El usuario no deb e intentar dar servic io al equipo eléctric o más allá a lo descrito en las instrucciones de operació n. Todo otro servicio deberá ser referido a personal de servicio calificado.

9. El aparato eléctrico debe ser situado de tal manera que su posición no interfiera su uso. La colocación del aparato eléctrico sobre una cama, sofá, alfombra o superficie similar puede bloquea la ventilación, no se debe colocar en libreros o gabinetes que impida n el flujo de aire por los or ificios de ventilación.

10. El equipo eléctrico deber ser situado fuera del alcance de fuentes de calor como radiadores, registros de calor, estufas u otros aparatos (incluyendo amplificadores) que producen calor.

11. El aparato eléctrico deberá ser connectado a una fuente de pode r sól o del tipo descrito en el instructivo de operación, o como se indique en el aparato.

12. Precaución debe ser tomada de tal manera que la tierra fisica y la polarización del equipo no sea eliminada.

13. Los cables de la fuente de poder deben ser guiados de tal manera que no sean pisados ni pellizcados por objetos colocados sobre o contra ellos, poniendo particular atención a los contactos y receptáculos donde salen del aparato.

14. El equipo eléctrico debe ser limpiado únicamente de acuerdo a las recomendaciones del fabricante.

15. En caso de existir, una antena externa deberá ser localizada lejos de las lineas de energia.

Black Box LR11xx Series Router Configurations Guide

16. El cable de corriente deberá ser desconectado del cuando el equipo no sea usado por un largo periodo de tiempo.

17. Cuidado debe ser tomado de tal manera que objectos liquidos no sean derramados sobre la cubierta u orificios de ventilación.

18. Servicio por pers onal calificado de berá ser provisto cuando:

A: El cable de poder o el contacto ha sido dañado; o

B: Objectos han caído o líquido ha sido derramado dentro del aparato ; o

C: El aparato ha sido expuesto a la llu via ; o

D: El aparato parece no operar normalmente o muestra un cambio en su desem-

peño; o

E: El aparato ha sido tira do o su cubierta ha sido dañada.

DHCP RELAY........................................................................................13

DHCP Relay ......................................................................................13

Feature Overview ...........................................................................13

Functionality ..................................................................................13

BOOTP Requests ............................. ...... ........................................13

BOOTP Replies ..............................................................................14

Using DHCP Relay with NAT ................................ .......................14

Command Line Interface ...............................................................14

Enabling DHCP Relay ...................................................................14

Disabling DHCP Relay ............................... ...... .............................15

Configuring the Gateway Address field when NAT is enabled .....15

Displaying DHCP Configuration ...................................................15

Displaying Statistics ......................................................................15

DHCP Limitations .........................................................................16

Contents

ONFIGURING INTERNET GROUP MANAGEMENT PROTOCOL ...........17

IGMP Configuration ..........................................................................17

IGMP Commands ..........................................................................18

IGMP Configuration Examples .....................................................1 8

Example 1 .......................................................................................18

Example 2 .......................................................................................18

Example 3 .......................................................................................18

Example 4 .......................................................................................18

Example 5 .......................................................................................19

Example 6 .......................................................................................19

Example 7 .......................................................................................19

Example 8 .......................................................................................19

Example 9 .......................................................................................19

Example 10 .....................................................................................19

Example 11 .....................................................................................19

Example 12 .....................................................................................19

Example 13 .....................................................................................19

ILTERING IP TRAFFIC.........................................................................21

IP Packet Filter Lists ...................................... ...... .............................21

Example1 .......................................................................................21

Configure the Black Box LR1104A. ..............................................21

Example 2 ......................................................................................22

Configure the Black Box LR1104A ...............................................22

Example 3 ......................................................................................22

Configure the Black Box LR1104A ...............................................22

ONFIGURING SECURITY......................................................................2 3

IPSec Configurations .........................................................................23

Example 1: Managing the Black Box LR1104A Securely Over

an IPSec Tunnel .................................................................................24

Example 2: Single Proposal: Tunnel Mode Between Two Black

Black Box LR11xx Series Router Configurations Guide

Box Security Gateways .....................................................................28

Example 3: Multiple IPSec Proposals: Tunnel Mode Between

Two Black Box Security Gateways .................................................. 33

Example 4: IPSec remote access to corporate LAN using user

group method .................................................................................... 35

Example 5: IPSec remote access to corporate LAN using mode

configuration method ........................................................................ 40

IPS

EC SPECIFICATIONS ........................................................................ 47

IPSec Appendix ..................................................................................47

Black Box IKE and IPSec Defaults .............................................. 48

IKE Defaults .................................................................................. 48

IPSec Defaults ...............................................................................48

ORWARDING IP TRAFFIC.................................................................... 51

IP Multiplexing ..................... ..... ................................................... ....51

Packet Forwarding Modes ............................. ................................ 51

Proxy ARP and Packet Forwarding .............................................. 51

Addressing in IP Multiplexing Networks ..................................... 52

Single Subnet ................................................................................ 53

Split Subnet ...................................................................................53

Secondary Addressing – POP Only .............................................. 54

Secondary Addressing – 30 Bit ..................................................... 54

Secondary Addressing – 29 Bit ..................................................... 55

Pros and Cons of Different IP Addressing Schemes ..................... 55

Routing Considerations for IP Multiplexing ................................. 55

IP M

ULTIPLEXING HDLC CONFIGURATIONS .................................... 57

Connecting a Black Box Router to a Router/CSU via HDLC .......... 57

Configure the Black Box LR1104A at Site 2 ................................58

ULTIPLEXING PPP AND MLPPP CONFIGURATIONS.................. 59

IP M

Configuring Multiple PPP and MLPPP Bundles .............................. 59

Configure the Black Box LR1104A at the Main Site ...................61

ONFIGURING PPP, MLPPP, AND HDLC........................................... 63

Layer Two Configurations: PPP, MLPPP, and HDLC .....................63

MLPPP Configuration ................................................................... 64

Configure the Black Box LR1114A System at Site 1 ...................64

PPP and MLPPP Configuration .................................................... 64

Configure the Black Box LR1104A System at the Main Site ....... 64

HDLC Configuration ....................................................................64

Configure the Black Box LR1104A System at the Main Site ....... 64

ONFIGURING FIREWALLS................................................................... 65

Firewalls ............................................................................................ 65

Firewall Configuration Examples ..................................................... 66

Basic Firewall Configuration ........................................................ 66

Stopping DoS Attacks ...................................................................73

Packet Reassembly ........................................................................ 74

NAT Configurations ......................................................................... 74

NAT Configuration Examples ...........................................................74

Dynamic NAT (many to many) .....................................................75

Static NAT (one to one) ................................................................. 7 6

Port Address Translation (Many to one) ........................................77

ULTIPATH MULTICAST CONFIGURATIONS .......................................79

Multipath Multicast ...........................................................................79

Multipath Commands ........................................................................80

Multipath Examples .......................................................................80

ONFIGURING NAT...............................................................................81

Network Address Translation ............................................................81

Dynamic NAT ................................................................................81

Static NAT .....................................................................................81

Configuration for Figure 1 .............................................................82

Configuration for Figure 2 .............................................................83

Reverse NAT ................................................................................. 8 3

Configuration for Figure 3 .............................................................84

Contents

NAT C

ONFIGURATION EXAMPLES.......................................................85

NAT Configurations ..........................................................................85

NAT Configuration Examples ...........................................................85

Dynamic NAT (many to many) .....................................................85

Static NAT (one to one) ................................................................. 8 7

Port Address Translation (Many to one) ........................................88

Method:1 – Specifying NAT address with the policy command ...88

Method:2 – Attaching nat pool to the policy .................................88

EMOTE ACCESS VPNS ........................................................................89

Secure Remote Access Using IPSec VPN ........................................89

Access Methods .................................................................................89

Remote Access: User Group ..........................................................89

Remote Access: Mode Configuration ............................................90

Configuration Examples ....................................................................90

IPSec Remote Access User Group Method – Single Proposal,

Pre-shared Key Authentication .........................................................90

IPSec Remote Access Mode Configuration Group Method .............92

ETWORKING WITH ROUTING INFORMATION PROTOCOL.................95

Routing Information Protocol ...........................................................95

Configuring RIP for Ethernet 0 and WAN 1 Interfaces ................95

Displaying RIP Configuration .......................................................9 5

Displaying All Configured RIP Interfaces .....................................95

ONFIGURING STATIC ROUTES............................................................97

Static Routing Configuration .............................................................97

Configure the Router at Site “A” ...................................................98

Configure the Router at site “B” ....................................................98

ONFIGURING OPEN SHORTEST PATH FIRST ROUTING.....................99

OSPF Routing Protocol .....................................................................99

Black Box LR11xx Series Router Configurations Guide

Configuring the host name ............................................................ 99

Configuring interface ethernet 0 ...................................................99

Configuring interface bundle Dallas ............................................. 99

Configuring ospf ........................................................................... 100

Configuring ospf interface parameters .......................................... 100

Displaying neighbors ....................................................................100

Displaying ospf routes ................................................................... 100

Displaying IP routes ...................................................................... 100

ONFIGURING GENERIC ROUTING ENCAPSULATION......................... 101

Configuring GRE .............................................................................. 101

Installing Licenses ............................................................................ 101

GRE Configuration Examples .......................................................... 102

Configuring Site to Site Tunnel ....................................................103

Configuring GRE Site to Site with IPSec .........................................105

Configuring GRE Site to Site with IPSec and OSPF ........................ 106

ONFIGURING OSPF AND FRAME RELAY..........................................107

OSPF - Frame Relay ......................................................................... 107

Configuring the host name ............................................................ 108

Configuring interface ethernet 0 ...................................................108

Configuring interface bundle Dallas ............................................. 108

Configuring OSPF .........................................................................108

Configuring interface Dallas parameters ...................................... 108

Configuring interface ethernet 0 parameters ................................. 108

Displaying OSPF parameters ........................................................ 108

ONFIGURING PROTOCOL INDEPENDENT MULT ICASTING ROUTING 109

PIM Configuration ....................................................... ..................... 109

PIM Commands ................................. ...........................................109

PIM Configuration Examples .................................. ...... ..... .......... 112

MTRACE CONFIGURATION....................................................................117

Multicast Traceroute Facility ............................................................ 117

mtrace Command .......................................................................... 117

Restrictions .................................................................................... 117

mtrace Example .............................................................................118

ONFIGURING QUALITY OF SERVICE ROUTING................................. 119

Configuring QoS ...............................................................................119

Features ......................................................................................... 119

Definitions ..................................................................................... 120

Classification Types ......................................................................120

Create bundle AppTest .................................................................. 121

Create traffic classes ...................................................................... 121

Assign classification types ............................................................. 121

VLAN Identifiers .......................................................................... 121

Create bundle VLANtest ............................................................... 122

Create traffic classes and assign classifications ............................. 122

Bulk Statistics ................................................................................ 122

Configuring bulk statistics ............................................................. 123

VIRTUAL LAN TAGGING....................................................................... 1 25

Managing Traffic with VLAN Tagging ............................................125

Reston configuration: Black Box LR1104A ..................................126

Configure interface bundle balt1 ....................................................126

Configure interface balt1 pvc 100 ..................................................126

Configure interface bundle dc1 ......................................................126

Configure interface ethernet 0 ....................................................... .126

Configure ip routing .......................................................................127

DC configuration: Black Box LR1114A .......................................127

Configure interface ethernet 0 ....................................................... .127

Configure interface bundle mip .....................................................127

Configure ip routing .......................................................................127

ANAGING REDUNDANT CONNECTIONS..............................................129

Trunk Group/Failover ........................................................................129

Configuration Details .....................................................................129

Configure the Black Box LR1114A for Failover Operation ..........130

Contents

WAN I

NTERFACE CONFIGURATIONS ...................................................131

T1 Interface Configuration ................................................................131

Module Configuration ...................................................................131

T1 ...................................................................................................131

Bundle Configuration ....................................................................131

Fractional T1 ..................................................................................131

IRTUAL LAN FORWARDING...............................................................133

Managing VLAN Traffic ...................................................................133

POP configuration: Black Box LR1104A .....................................135

Configure mlppp bundle interface .................................................135

Configure interface ethernet 0 ....................................................... .135

Configure in-band vlan forwarding table .......................................135

Configure rate limiting for vlans ....................................................135

Bldg1 configuration: Black Box LR1114A ...................................135

Configure interface bundle uplink ................................................. 1 36

Configure inband VLAN forwarding table ....................................136

Configure rate limiting for VLANs ................................................ 1 36

Configure SNMP ............................................................................136

UTLILINK FRAME RELAY ..................................................................137

Multilink Frame Relay FRF.15 and FRF.16 .....................................137

Features ..........................................................................................137

# Configure Ethernet interface .......................................................138

# Configure CVC1 .........................................................................138

# Congfigure CVC2 .......................................................................138

# Configure CVC3 .........................................................................138

#Configure AVC ............................................................................. 1 38

ONFIGURING FRAME RELAY AND MULTILINK FRAME RELAY ....... 1 39

Layer Two Configurations FR and MFR ..........................................139

FR Configuration ...........................................................................140

Configure the HSSI Bundle at Site 1 .............................................140

Configure the Clear Channel Bundle on the LR1104A .................141

MFR Configuration ................................................. .......................141

Black Box LR11xx Series Router Configurations Guide

Configure the LR1104A LR1104A at Site 1 ................................. 141

Configure the LR1104A ................................................................ 141

Configure the LR1104A LR1114A at Site 2 ................................. 142

Configure the LR1104A ................................................................ 142

DHCP R

ELAY

1.1DHCP Relay

This application describes the functionality of the DHCP relay feature and includes CLI command examples.

1.1.1 Feature Overview

Black Box DHCP relay feature eliminates the need for a DHCP server on every LAN, because DHCP requests can be relayed to a single remote DHCP server. Black Box’s implementation of DHCP relay is based on RFC 1532. BOOTP/DHCP messages are relayed (vs. forwarded) between the server and client.

Figure 1 DHCP Relay Overview

LAN

Tasman 1400 DHCP Relay Agent

LAN

LR1114A

Tasman 1400 DHCP Relay Agent

WAN

Tasman 6300

LR1104A

DHCP Serve

1.1.2 Functionality

The DHCP relay feature uses BOOTP requests and replies to negotiate packet delivery between the DHCP client and server.

1.1.2.1 BOOTP Requests

BOOTP requests are messages from client to server. Request messages include DHCP DISCOVER, DHCP REQUEST, DHCP RELEASE, etc. The relay agent modifies the packet header by adding relay information to the DHCP gateway address (giaddr) field. The server replies to the gateway address specified in the packet’s giaddr field.

Black Box LR11xx Series Router Configurations Guide

1 N

Figure 2 BOOTP Requests

Broadcast BOOTREQUEST

Tasman 1400

DHCP Client DHCP Serve

DHCP Relay Agent

Unicast BOOTREQUEST

1.1.2.2 BOOTP Replies

BOOTP replies are messages from the server to the client. Reply messages include DHCP OFFER, DHCP ACK, DHCP NAK, etc. The relay agent looks up the MAC address and either sends the packet to the client or broadcasts it on the LAN.

Figure 3 BOOTP Replies

Unicast/Broadcast

BOOTREPLY

Tasman 1400

DHCP Client DHCP Serve

DHCP Relay Agent

Unicast

BOOTREPLY

1.1.3 Using DHCP Relay with NAT

When NAT is enabled, the DHCP server may discard packets because the giaddr does not match the source of the packet. Additionally, it may not know how to route the packet back to the client. See Figure 4. The solution is that the gateway address (giaddr) field needs to have IP add ress 192. 168.2 0.1 (in this ex ample). The DHCP serv er config urati on shoul d be able to give 10.1.1.x addresses for packets from 192.168.20.1. However, there may be a limitation that the DHCP server does not allow configuration using IP addresses from a different subnet, although this is mentioned in the RFC.

Figure 4 A Typical Scenario

Network Address Translation

PRIVATE PUBLIC

192.168.20.1

Tasman 1400

DHCP Relay Agent

Router

DHCP Serve

0.1.1.x etwork

DHCP Client

10.1.1.1

DHCP Client

1.1.4 Command Line Interface

The following are examples of command strings relevant to DHCP relay:

1.1.4.1 Enabling DHCP Relay

DHCP Relay

Blackbox> configure terminal Blackbox/configure> interface ethernet 0 Blackbox/configure/interface/ethernet 0> dhcp server_address 20.1.1.1

1.1.4.2 Disabling DHCP Relay

Blackbox/configure/interface/ethernet 0> no dhcp server_address 20.1.1.1

1.1.4.3 Configuring the Gateway Address field when NAT is enabled

Blackbox/configure/interface/ethernet 0> dhcp gateway_address 192.168.20.1

1.1.5 Displaying DHCP Configuration

The following screen captures show the displayed results of issuing show commands relevant to DHCP relay, with and without gateway addresses configur ed.

Figure 5 show dhcp_relay Command

> show dhcp_relay

DHCP RELAY CONFIGURATION

--------------------------Ethernet 0: Disabled Ethernet 1: Enabled: DHCP Server 10.1.1.1

Figure 6 show dhcp_relay Command

> show dhcp_relay

DHCP RELAY CONFIGURATION

--------------------------Ethernet 0: Disabled Ethernet 1: Enabled: DHCP Server 10.1.1.1 (Gateway Address: 192.168.20.1)

1.1.6 Displaying Statistics

Black Box LR11xx Series Router Configurations Guide

Figure 7 Displaying Ethernet Interface Statistics

> show interface ethernet 1

ethernet 1 ipaddr 192.168.120.1 netmask 255.255.255.0 description status down, operationally down configured auto speed mode actual speed 100 mode half_duplex mtu 1500

ethernet1 (unit number 1) Type: ETHERNET (802.3) Flags: (0x807c203) UP, MULTICAST-ROUTE Internet Address: 192.168.120.1 Internet Netmask: 255.255.255.0 Internet Broadcast: 192.168.120.255 Maximum Transfer Unit: 1500 bytes Mac Address: 00:00:23:00:60:01

port counters since last boot/clear Bytes Rx 0 Bytes Tx 0

Packets Rx 0 Packets Tx 0

Runts Rx 0 Collisions 0

Babbels Rx 0 Late Collisions 0

Err Packets Rx 0 Up/Down States (Phys) 0

Up/Down States (Admin) 2

port counters for the last five minutes Bytes Rx 0 Bytes Tx 0

Packets Rx 0 Packets Tx 0

Runts Rx 0 Collisions 0

Babbels Rx 0 Late Collisions 0

1.1.7 DHCP Limitations

There are limitations when using DHCP relay on a Black Box system. Only one DHCP server can be specified per interface. DHCP can be enabled only on Ethernet interfaces (not on bundles). And last, DHCP can be enabled in IP routing (static and dynamic) mode, but not in IP Mux mode.

ONFIGURING INTERNET

ANAGEMENT

2.1IGMP Configuration

Internet Group Management Protocol (IGMP) is enabled on hosts and routers that want to receive multicast traffic. IGMP informs locally-attached routers of their multicast group memberships. Hosts inform routers of the groups of which they are members by multicasting IGMP Group Membership Reports. When multicast routers listen for these reports, they can exchange group membership information with other multicast routers. This reporting system allows distribution trees to be formed to deliver multicast datagrams. The original version of IGMP was defined in RFC 1112, Host Extensions for IP Multicasting. Extensions to IGMP, known as IGMP version 2.

IGMPv2 improves performance and supports the following message types:

 IGMP Query: IGMP Query is sent by the router to know which groups have members on the attached network.  IGMP Reports: IGMP reports are sent as a response to the query by hosts to announce their group membership.

Reports can be sent “unsolicited” when the hosts come up.

 IGMP Leaves: IGMP Leaves are sent by the host when it relinquishes membership of a group.

The latest extension to the IGMP standard is Version 3, which includes interoperability with version 2 and version 1 hosts, also provides support for source filtering. Source filtering enables a multicast receiver host to signal to a router which groups it wants to receive multicast traffic from, and from which source(s) this traffic is expected. This membership information enables the router to forward traffic only from those sources from which receivers requested the traffic.

IGMPv3 supports applications that explicitly signal sources from which they want to receive traffic. With IGMPv3, receivers signal membership to a multicast host group in the following two modes:

 INCLUDE mode: In this mode, the receiver announces membership to a host group and provides a list of IP

addresses (the INCLUDE list) from which it wants to receive traffic.

 EXCLUDE mode: In this mode, the receiver announces membership to a host group and provides a list of IP

addresses (the EXCLUDE list) from which it does not want to receive traffic. This indicates that the host wants to receive traffic only from other sources whose IP addresses are not listed in the EXCLUDE list. To receive traffic from all sources, like in the case o f the In ternet S t an dard Multicast (ISM) s erv ice mod el, a h os t exp resses EXCLUDE mode membership with an empty EXCLUDE list.

IGMPv3 is used by the hosts to express their desire to be a part of the source-specific multicast (SSM) which is an emerging standard used by routers to direct multicast traffic to the host only if its is from a specific source.

ROUP

ROTOCOL

Black Box LR11xx Series Router Configurations Guide

2.1.1 IGMP Commands

The IGMP commands are:

ip igmp ignore-v1-messages ignore-v2-messages last-member-query-count last-member-query-interval query-interval query-response-interval require-router-alert robustness send-router-alert startup-query-count startup-query-interval group filter version debug ip igmp debug ip igmp state debug ip igmp normal debug ip igmp packet query debug ip igmp packet report debug ip igmp packet leave show ip igmp groups show ip igmp interface clear ip igmp groups

2.1.2 IGMP Configuration Examples

Use the examples shown in this section to use IGMP in multicast configurations.

2.1.2.1 Exampl e 1

The following example enables IGMP.

Blackbox/configure> ip igmp

2.1.2.2 Exampl e 2

With the command line still in Interface Configuration Mode, the following example disables IGMP.

Blackbox/configure> no ip igmp

2.1.2.3 Exampl e 3

In the following example, the ignor e-v 1-messag es command is used to disable processing of IGMPv1 messages on interface ethernet 0.

Blackbox/configure/ip/igmp/interface ethernet0> ignore-v1-messages Blackbox/configure/ip/igmp/interface ethernet0> exit 3 Blackbox/configure>

2.1.2.4 Exampl e 4

In the following example, the ignore-v2-messages command disables processing of IGMPv1 messages on interface ethernet 0.

IGMP Configuration

Blackbox/configure/ip/igmp/interface ethernet0> ip igmp ignore-v2-messages Blackbox/configure/ip/igmp/interface ethernet0> exit 3 Blackbox/configure>

2.1.2.5 Example 5

The following example configures the Last Member Query Count to be 4 on ethernet 0.

Blackbox/configure/ip/igmp/interface ethernet0> last-member-query-count 4

2.1.2.6 Example 6

In the following example for interface ethernet 0, the Robustness is configured to be 4. The Last Member Query count is configured to be 5.

Blackbox/configure/ip/igmp/interface ethernet0> robustness 4 Blackbox/configure/ip/igmp/interface ethernet0> last-member-query-count 5 Blackbox/configure/ip/igmp/interface ethernet0> exit 3 Blackbox/configure>

2.1.2.7 Example 7

The following example configures ethernet 0 with the default Last Member Query Interval of 2000 milliseconds (20 seconds).

Blackbox/configure/ip/igmp/interface ethernet0> last-member-query-interval 2000

2.1.2.8 Example 8

The following example configures ethernet 0 with the default Query Interval to be 200 seconds.

Blackbox/configure/ip/igmp/interface ethernet0> query-interval 200

2.1.2.9 Example 9

The following example configures the default Query Response Interval to be 10 seconds (or 100 deciseconds) for ethernet 0.

Blackbox/configure/ip/igmp/interface ethernet0> query-response-time 100

2.1.2.10Example 10

The following example turns require-router-alert on for interface ethernet 0.

Blackbox/configure/ip/igmp/interface ethernet0> require-router-alert

2.1.2.11Example 11

The following example configures the default Robustness to be 3 for interface ethernet 0.

Blackbox/configure/ip/igmp/interface ethernet0> ip igmp robustness 3

2.1.2.12Example 12

The following example turns the send-router-alert option off for interface ethernet 1.

Blackbox/configure/ip/igmp/interface ethernet1> no send-router-alert

2.1.2.13Example 13

The following example configures IGMP version 2 to run on interface ethernet 0.

Blackbox/configure/ip/igmp/interface ethernet0> version 2 Blackbox/configure/ip/igmp/interface ethernet0> exit 3 Blackbox/configure>

Black Box LR11xx Series Router Configurations Guide

ILTERING

3.1IP Packet Filter Lists

Black Box systems can be configured for IP traffic filtering capabilities. IP traffic filtering allows creation of rule sets that selectively block TCP/IP packets on a specified interface. Filters are applied independently to all interfaces: Ethernet, serial, or WAN, as well as independently to interface direction: IN (packets coming in to the Black Box system) or OUT (packets going out of the Black Box system).

IP packet filtering capability can be used to restrict access to the Black Box system from untrusted, external networks or from specific, internal networks. An example would be a filter that prohibits external users from establishing Telnet sessions to the Black Box system, and allows only specific internal users Telnet access to the system.

 At the end of every rule list is an implied “deny all traffic” statement. Therefore, all packets not explicitly permitted

by filtering rules, are denied. This effectively means that once you enter a “deny” statement in your filter list, you are implicitly denying all packets from crossing the interface. Therefore, it is important that each filter list contain at least one “permit” statement.

 The order in which you enter the filtering rules is important. As the Black Box system is evaluating each packet, the

Black Box OS tests the packet against each rule statement sequentially. After a match is found, no more rule statements are checked. For example, if you create a rule statement that explicitly permits all traffic, all traffic is passed since no further rules are checked.

 The Black Box OS permits easy re-ordering of filter commands through filter_list insert and delete commands.

IP T

RAFFIC

3.1.1 Example1

Consider a Black Box connected via a bundle “WAN1” (wan IP address 200.1.1.1) to an ISP, with Ethernet 0 (IP address 222.199.19.3) connected to the internal network. The network administrator wants to completely block Telnet access to the Black Box from all external networks as well as from all internal networks except 222.199.19.0/28. All other TCP/IP traffic, such as FTP, Ping, and HTTP, is to flow unrestricted through the Black Box system.

3.1.1.1 Configu re the Black Box LR1104A.

Blackbox> configure term Blackbox/configure> ip Blackbox/configure/ip> filter_list filtera (gives the list a name) Blackbox/configure/ip/filter_list> add deny tcp any 200.1.1.1 dport =23 Blackbox/configure/ip/filter_list> add permit tcp 222.199.19.0/28 222.199.19.3 dport =23 Blackbox/configure/ip/filter_list> add deny tcp any 222.199.19.3 dport =23 Blackbox/configure/ip/filter_list> add permit ip any any Blackbox/configure/ip/filter_list> exit

Black Box LR11xx Series Router Configurations Guide

Blackbox/configure/ip> apply_filter ether0 filtera in Blackbox/configure/ip> apply_filter WAN1 filtera in Blackbox/configure/ip> exit Blackbox/configure> exit Blackbox> save local

3.1.2 Exa mple 2

Consider the same network addressing as in example 1. The network administrator has a slightly different requirement - he wishes to permit FTP sessions from all networks to the internal FTP server (222.199.19.12), deny FTP sessions to all other addresses, and permit all other traffic to flow through the Black Box unit.

3.1.2.1 Config ure the Black Box LR1104A

Blackbox> configure terminal Blackbox/configure> ip Blackbox/configure/ip> filter_list filterb (gives the list a name) Blackbox/configure/ip/filter_list> add permit tcp any 222.199.19.12 dport =21 Blackbox/configure/ip/filter_list> add deny tcp any 222.199.19.0 dport =21 Blackbox/configure/ip/filter_list> add permit ip any any Blackbox/configure/ip/filter_list> exit

Blackbox/configure/ip> apply_filter WAN1 filterb in Blackbox/configure/ip> exit Blackbox/configure> exit Blackbox> save local

3.1.3 Exa mple 3

Example 3 focuses on a filter list where the network administrator is specifically denying all traffic from a specific external network (197.100.200.0/24) access through the Black Box unit.

3.1.3.1 Config ure the Black Box LR1104A

Blackbox> configure terminal Blackbox/configure> ip Blackbox/configure/ip> filter_list filterc (gives the list a name) Blackbox/configure/ip/filter_list> add deny ip 197.100.200.0/24 any Blackbox/configure/ip/filter_list> add permit ip any any Blackbox/configure/ip/filter_list> exit

Blackbox/configure/ip> apply_filter WAN1 filterc in Blackbox/configure/ip> exit Blackbox/configure> exit Blackbox> save local

ONFIGURING

ECURITY

4.1IPSec Configurations

This guide provides information and examples on how to configure IPSec. There are three licenses that control access to the features:

 Basic VPN Management (vpn_mgmt)—allows users to manage a remote Black Box router.  Firewall (firewall)—allows users to manage the firewall features. Also includes Basic VPN Management.  Advanced VPN and firewall (vpn_plus_firewall)—Allo ws users to manage remote LANs. Also includes

Basic VPN and Firewall licenses.

To see the licenses available in this release, enter:

Blackbox/configure> system licenses ?

NAME licenses - Configure feature upgrade licenses

SYNTAX licenses license_type <cr>

DESCRIPTION license_type -- Specifies the type of feature upgrade license The parameter may have any of the following values: enable_1_port -- Enable 1 port enable_2_ports-- Enable 2 ports enable_3_ports-- Enable 3 ports enable_4_ports-- Enable 4 ports BGP4 -- BGP4 routing vpn_mgmt -- Enable VPN Mgmt License firewall -- Enable Firewall and VPN Mgmt License vpn_plus_firewall-- Enable Advance VPN and Firewall License

To install the advanced VPN and firewall license and use all the security features available in this release, enter:

Black Box LR11xx Series Router Configurations Guide

N 1

Blackbox/configure> system licenses vpn_plus_firewall Enter Security Upgrade License key: 024f3bc296b4ea7265

4.2 Example 1: Managing the Black Box LR1104A Securely Over an IPSec Tunnel

The following example demonstrates how to manage a Black Box router through an IP security tunnel. Steps are presented for configuring the Black Box1 and Black Box2 routers to assist any host on the LAN side of Black Box-2 to manage the Black Box1 router through the IP security tunnel.

The security requirements are as follows:

 Phase 1: 3DES with SHA1  Phase 2: IPSec ESP with AES and HMAC-SHA1

Figure 8 T unnel Mode Between Two Black Box Security Gateways - Multiple Proposals

TRUSTED

etwork

0.0.1.0/24

Black Box 1

Tasman1

172.16.0.1

IPSec ESP

UNTRUSTED

172.16.0.2

Tasman2

Black Box 2

TRUSTED

Network

10.0.2.0/2

Step 1: Configure a WAN bundle of network type untrusted

Black Box1/configure> interface bundle wan1

message: Configuring new bundle

Black Box1/configure/interface/bundle wan1> link t1 1 Black Box1/configure/interface/bundle wan1> encapsulation ppp Black Box1/configure/interface/bundle wan1> ip address 172.16.0.1 24 Black Box1/configure/interface/bundle wan1> crypto untrusted Black Box1/configure/interface/bundle wan1> exit

Step 2: Configure the Ethernet interface with trusted network type

Black Box1/configure> interface ethernet 0

message: Configuring existing Ethernet interface

Black Box1/configure interface/ethernet 0> ip address 10.0.1.1 24 Black Box1/configure/interface/ethernet 0> crypto trusted Black Box1/configure/interface/ethernet 0> exit

Step 3: Display the crypto interfaces

Example 1: Managing the Black

Blackbox> show crypto interfaces

Interface Network Name Type

--------- ------wan1 Untrusted ethernet0 trusted

Blackbox>

Step 4: Add route to peer LAN

Black Box1/configure> ip route 10.0.2.0 24 wan1

Step 5: Configure IKE to the peer gateway

Black Box1/configure> crypto ike policy Black Box2 172.16.0.2 Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> local-address 172.16.0.1

message: Default proposal created with priority1-des-sha1-pre_shared-g1.

message: Key String has to be configured by the user.

Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> key secretkey Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> proposal 1 Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm 3des-cbc Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> exit Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> exit

Step 6: Display IKE policies

Blackbox> show crypto ike policy all

Policy Peer Mode Transform

------ ---- ---- --------Black Box 172.14.0.2 Main P1 pre-g1-3des-sha

Blackbox>

Step 7: Display IKE policies in detail

Displays the encryption algorithm, hash algorithm, authentication mode, and other details of the IKE policies.

Step 8: Configure the IPSec tunnel to the remote host

Black Box1/configure/crypto> ipsec policy Black Box2 172.16.0.2 Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> match address 172.16.0.1 32

10.0.2.0 24

message: Default proposal created with priority1-esp-3des-sha1-tunnel and activated.

Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> proposal 1 Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm aes128-cbc Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> exit Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> exit

Step 9: Display IPSec policies

Displays the policy just added.

Step 10: Display IPSec policies in detail

Shows the details of the IPSec policies.

Black Box LR11xx Series Router Configurations Guide

Step 10.1: Configure firewall policies to allow IKE negotiation through untrusted interface (applicable onl y if firewall license is also

enabled)

Black Box1/configure> firewall internet Black Box1/configure/firewall internet> policy 1000 in service ike self Black Box1/configure/firewall internet/policy 1000 in> exit Black Box1/configure/firewall internet> exit

Step 10.2: Configure firewall policies to allow desired services through untrusted interface to manage the router (applicable only if

firewall license is also enabled)

Black Box1/configure> firewall internet Black Box1/configure/firewall internet> policy 1001 in service snmp self Black Box1/configure/firewall internet/policy 1001 in> exit Black Box1/configure/firewall internet> policy 1002 in service telnet self Black Box1/configure/firewall internet/policy 1002 in> exit Black Box1/configure/firewall internet> policy 1003 in protocol icmp self Black Box1/configure/firewall internet/policy 1003 in> exit Black Box1/configure/firewall internet> exit

Step 10.3: Display firewall policies in the internet map (applicable only if firewall license is enabled)

Black Box1> show firewall policy internet Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter, R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging, E - Policy Enabled, M - Smtp-Filter

Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced

--- --- ----------- ---------------- ----------------- ------ -------1000 in any any ike PERMIT SE 1001 in any any snmp PERMIT SE 1002 in any any telnet PERMIT SE 1003 in any any any any icmp PERMIT SE 1024 out any any any any any PERMIT SE

Step 10.4: Display firewall policies in the internet map in detail (applicable only if firewall license is enabled)

Black Box1> show firewall policy internet detail

Policy with Priority 1000 is enabled, Direction is inbound Action permit, Traffic is self Logging is disable Source Address is any, Dest Address is any Source Port is any, Service Name is ike Schedule is disabled, Ftp-Filter is disabled Smtp-Filter is disabled, Http-Filter is disabled Rpc-Filter is disabled, Nat is disabled Bytes In 0, Bytes Out 0

Policy with Priority 1001 is enabled, Direction is inbound Action permit, Traffic is self Logging is disable Source Address is any, Dest Address is any Source Port is any, Service Name is snmp Schedule is disabled, Ftp-Filter is disabled Smtp-Filter is disabled, Http-Filter is disabled Rpc-Filter is disabled, Nat is disabled Bytes In 0, Bytes Out 0

Example 1: Managing the Black

Policy with Priority 1002 is enabled, Direction is inbound Action permit, Traffic is self Logging is disable Source Address is any, Dest Address is any Source Port is any, Service Name is telnet Schedule is disabled, Ftp-Filter is disabled Smtp-Filter is disabled, Http-Filter is disabled Rpc-Filter is disabled, Nat is disabled Bytes In 0, Bytes Out 0

Policy with Priority 1003 is enabled, Direction is inbound Action permit, Traffic is self Logging is disable Source Address is any, Dest Address is any Source Port is any, Dest Port is any, Protocol is icmp Schedule is disabled, Ftp-Filter is disabled Smtp-Filter is disabled, Http-Filter is disabled Rpc-Filter is disabled, Nat is disabled Bytes In 0, Bytes Out 0 Policy with Priority 1024 is enabled, Direction is outbound Action permit, Traffic is self Logging is disable Source Address is any, Dest Address is any Source Port is any, Dest Port is any, any Schedule is disabled, Ftp-Filter is disabled Smtp-Filter is disabled, Http-Filter is disabled Rpc-Filter is disabled, Nat is disabled Bytes In 0, Bytes Out 0

Step 11 : Enable SNMP on the Black Box1 router

Black Box LR11xx Series Router Configurations Guide

N 1

Black Box1/configure/crypto/> exit Black Box1/configure> snmp Black Box1/configure/snmp> community public rw Black Box1/configure/snmp> exit

Step 12: Display SNMP communities

Blackbox>show snmp communities

Community = public, privileges=rw

Blackbox>

Step 13: Repeat step s 1 - 10 with sui table modif icatio ns on Black Bo x2 prior t o managing Black Box1 fr om Bla ck Box2’ s LAN side

Step 14: Test the IPSec tunnel for managing the Black Box1 router from a host on Black Box2’s LAN.

Step 15: When the SNMP manager starts managing Black Box1 from Black Box2’s LAN, display the IKE and IPSec SA tables using:

show crypto ike sa all show crypto ike sa all detail show crypto ipsec sa all show crypto ipsec sa all detail

4.3 Example 2: Single Proposal: Tunnel Mode Between Two Black Box Security Gateways

The following example demonstrates how to form an IP security tunnel to join two private networks: 10.0.1.0/24 and

10.0.2.0/24. The security requirements are as follows:

 Phase 1: 3DES with SHA1  Phase 2: IPSec ESP with AES (256-bit) and HMAC-SHA1

Figure 9 Tunnel Mode Between Two Black Box Security Gateways - Single Proposa ls

172.16.0.1

TRUSTED

etwork

0.0.1.0/24

Tasman1

BlackBox 1

IPSec ESP

UNTRUSTED

Step 1: Configure a WAN bundle of network type untrusted

172.16.0.2

Tasman2

BlackBox 2

TRUSTED

Network

10.0.2.0/2

Example 2: Single Proposal: Tun-

Step 2: Configure the Ethernet interface with trusted network type

Black Box1/configure> interface ethernet 0

message: Configuring existing Ethernet interface

Black Box1/configure interface/ethernet 0> ip address 10.0.1.1 24 Black Box1/configure/interface/ethernet 0> crypto trusted Black Box1/configure/interface/ethernet 0> exit

Step 3: Display the crypto interfaces

Blackbox> show crypto interfaces

Interface Network Name Type

--------- ------wan1 Untrusted ethernet0 trusted

Blackbox>

Step 4: Add route to peer LAN

Black Box1/configure> ip route 10.0.2.0 24 wan1

Step 5: Configure IKE to the peer gateway

Black Box1/configure> crypto ike policy Black Box2 172.16.0.2 Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> local-address 172.16.0.1

message: Default proposal created with priority1-des-sha1-pre_shared-g1.

message: Key String has to be configured by the user.

Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> key secretkey Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> proposal 1 Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm 3des-cbc Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> proposal 1> exit Black Box1/configure/crypto/ike/policy Black Box2 172.16.0.2> exit Black Box1/configure/crypto/exit Black Box1/configure>

Step 6: Display IKE policies

Blackbox> show crypto ike policy all

Policy Peer Mode Transform

------ ---- ---- --------Black Box 172.14.0.2 Main P1 pre-g1-3des-sha

Blackbox>

Step 7: Configure IPSec tunnel to the remote host

Black Box1/configure/crypto> ipsec policy Black Box2 172.16.0.2 Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> match address 10.0.1.0 24

10.0.2.0 24

NOTE

Black Box LR11xx Series Router Configurations Guide

For IPSec only – wh en you cr eate an ou tbound tunnel, an inbo und tun nel is au tomatica lly created . The in bound tunnel applies the name that you provide for the outbound tunnel and adds the prefix “IN” to the name.

message: Default proposal created with priority1-esp-3des-sha1-tunnel and activated.

Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> proposal 1 Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm aes256-cbc Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> exit Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> exit

Step 8: Display IPSec policies

Using the show crypto ipsec policy all command.

Step 8.1: Configure firewall policies to allow IKE negotiation through untrusted interface (applicable only if firewall license is also

enabled)

Step 8.2: Display firewall policies in the internet map (applicable only if firewall license is enabled)

Black Box1> show firewall policy internet Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter, R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging, E - Policy Enabled, M - Smtp-Filter

Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced

--- --- ----------- ---------------- ----------------- ------ -------1000 in any any ike PERMIT SE 1024 out any any any any any PERMIT SE

Step 8.3: Display firewall policies in the internet map in detail (applicable only if firewall license is enabled)

Black Box1> show firewall policy internet detail

Policy with Priority 1024 is enabled, Direction is outbound Action permit, Traffic is self Logging is disable Source Address is any, Dest Address is any Source Port is any, Dest Port is any, any Schedule is disabled, Ftp-Filter is disabled Smtp-Filter is disabled, Http-Filter is disabled Rpc-Filter is disabled, Nat is disabled Bytes In 0, Bytes Out 0

Example 2: Single Proposal: Tun-

Step 8.4: Configure firewall policies to allow transit traffic from remote LAN to the local LAN (applicable only if firewall license is

also enabled)

Black Box1/configure> firewall corp Black Box1/configure/firewall corp> policy 1000 in address 10.0.2.0 24 10.0.1.0 24 Black Box1/configure/firewall corp/policy 1000 in> exit Black Box1/configure/firewall corp> exit

Step 8.5: Display firewall policies in the corp map (applicable only if firewall license is enabled)

Black Box1> show firewall policy corp

Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter, R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging, E - Policy Enabled, M - Smtp-Filter

Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced

--- --- ----------- ---------------- ----------------- ------ -------1000 in 10.0.2.0/24 10.0.1.0/24 any any any PERMIT E 1022 out any any any any any PERMIT SE 1023 in any any any any any PERMIT SE 1024 out any any any any any PERMIT E

Step 8.6: Display firewall policies in the corp map in detail (applicable only if firewall license is enabled)

Black Box LR11xx Series Router Configurations Guide

Black Box1> show firewall policy corp detail

Policy with Priority 1000 is enabled, Direction is inbound Action permit, Traffic is transit Logging is disable Source Address is 10.0.2.0/24, Dest Address is 10.0.1.0/24 Source Port is any, Dest Port is any, any Schedule is disabled, Ftp-Filter is disabled Smtp-Filter is disabled, Http-Filter is disabled Rpc-Filter is disabled, Nat is disabled Max-Connections 1024, Connection-Rate is disabled Policing is disabled, Bandwidth is disabled Bytes In 0, Bytes Out 0

Policy with Priority 1022 is enabled, Direction is outbound Action permit, Traffic is self Logging is disable Source Address is any, Dest Address is any Source Port is any, Dest Port is any, any Schedule is disabled, Ftp-Filter is disabled Smtp-Filter is disabled, Http-Filter is disabled Rpc-Filter is disabled, Nat is disabled Bytes In 0, Bytes Out 0

Policy with Priority 1023 is enabled, Direction is inbound Action permit, Traffic is self Logging is disable Source Address is any, Dest Address is any Source Port is any, Dest Port is any, any Schedule is disabled, Ftp-Filter is disabled Smtp-Filter is disabled, Http-Filter is disabled Rpc-Filter is disabled, Nat is disabled Bytes In 0, Bytes Out 0

Policy with Priority 1024 is enabled, Direction is outbound Action permit, Traffic is transit Logging is disable Source Address is any, Dest Address is any Source Port is any, Dest Port is any, any Schedule is disabled, Ftp-Filter is disabled Smtp-Filter is disabled, Http-Filter is disabled Rpc-Filter is disabled, Nat is disabled Max-Connections 1024, Connection-Rate is disabled Policing is disabled, Bandwidth is disabled Bytes In 11258, Bytes Out 5813

Step 9: Repeat steps 1 - 8 with suitable modifications on Black Box2 prior to passing traffic.

Step 10: Test the IPSec tunnel between Black Box1 and Black Box2 by passing traffic from the 10.0.1.0 to the 10.0.2.0 network

Example 3: Multiple IPSec Pro-

N 1

Step 11: After transit traffic is passed through the tunnel, display the IKE and IPSec SA tables.

Use the show crypto ike sa all and show crypto ipsec sa all commands.

4.4 Example 3: Multiple IPSec Proposals: Tunnel Mode Between Two Black Box Security Gateways

The following example demonstrates how a security gateway can use multiple ipsec (phase2) proposals to form an IP security tunnel to join two private networks: 10.0.1.0/24 and 10.0.2.0/24.

IKE Proposal offered by both Black Box1 and Black Box2:

 Phase 1: 3DES and SHA1

IPSec Proposals offered by Black Box1:

 Ph ase 2: Proposal1: IPSec ESP with DES and HMAC-SHA1  Ph ase 2: Proposal2: IPSec ESP with AES (256-bit) and HMAC-SHA1

IPSec Proposal offered by Black Box2:

 Ph ase 2: Proposal1: IPSec ESP with AES (256-bit) and HMAC-SHA1

In this example, the Black Box1 router offers two IPSec proposals to the peer while the Black Box2 router offers only one proposal. As a result of quick mode negotiation, the two routers are expected to converge on a mutually acceptable proposal, which is the proposal “IPSec ESP with AES (256-bit) and HMAC-SHA1” in this example.

Figure 10 Tunnel Mode Between Two Black Box Security Gateways - Multiple Proposals

TRUSTED

etwork

0.0.1.0/24

BlackBox 1

Tasman1

172.16.0.1

IPSec ESP

UNTRUSTED

172.16.0.2

Tasman2

BlackBox 2

TRUSTED

Network

10.0.2.0/2

Step 1: Configure a WAN bundle of network type untrusted

Step 2: Configure the Ethernet interface with trusted network type

Black Box1/configure> interface ethernet 0

message: Configuring existing Ethernet interface

Black Box1/configure interface/ethernet 0> ip address 10.0.1.1 24 Black Box1/configure/interface/ethernet 0> crypto trusted Black Box1/configure/interface/ethernet 0> exit

Step 3: Display the crypto interfaces

Black Box LR11xx Series Router Configurations Guide

Blackbox> show crypto interfaces

Interface Network Name Type

--------- ------wan1 Untrusted ethernet0 trusted

Blackbox>

Step 4: Add route to peer LAN

Black Box1/configure> ip route 10.0.2.0 24 wan1

Step 5: Configure IKE to the peer gateway

Black Box1/configure> crypto ike policy Black Box2 172.16.0.2 Black Box1/configure/crypto/ike/policy/Black Box2 172.16.0.2> local-address 172.16.0.1

message: Default proposal created with priority1-des-sha-pre_shared-g1.

message: Key String has to be configured by the user.

Step 6: Display IKE policies

Blackbox> show crypto ike policy all

Policy Peer Mode Transform

------ ---- ---- --------Black Box 172.14.0.2 Main P1 pre-g1-3des-sha

Blackbox>

Step 7: Configure IPSec tunnel to the remote host

Black Box1/configure>crypto ipsec policy Black Box2 172.16.0.2 Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> match address 10.0.1.0 24

10.0.2.0 24

message: Default proposal created with priority1-esp-3des-sha1-tunnel and activated.

Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> proposal 1 Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> encryption-algorithm des-cbc Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 1> exit Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> proposal 2

message: Proposal added with priority2-esp-3des-sha1-tunnel.

Example 4: IPSec remote access

Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 2> encryption_algorithm aes256-cbc Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2/proposal 2> exit Black Box1/configure/crypto/ipsec/policy Black Box2 172.16.0.2> exit Black Box1/configure/crypto> exit Black Box1/configure>

Step 8: Display the IPSec policies

Use the show crypto ipsec policy all command.

Step 9: Repeat steps 1 - 8 with suitable modifications on Black Box2 prior to passing bi-directional traffic.

Step 10: Test the IPSec tunnel between Black Box1 and Black Box2 by passing traffic from the 10.0.1.0 network to the

10.0.2.0 network

Step 11: After traffic is passed through the tunnel, display the IKE and IPSec SA tables.

Use the show crypto ike sa all and show crypto ipsec sa all commands.

4.5 Example 4: IPSec remote access to corporate LAN using user group method

The following example demonstrates how to configure a Black Box router to be an IPSec VPN server using user group method with extended authentication (XAUTH) for remote VPN clients. The client could be any standard IPSec VPN client.

In this example, the client needs to access the corporate private network 10.0.1.0/24 through the VPN tunnel. The security requirements are as follows:

Phase 1: 3DES with SHA1, Xauth (Radius PAP) Phase 2: IPSec ESP tunnel with AES256 and HMAC-SHA1

VPN Client 1

Local Address: D ynamic

Local ID :

blackbox.com

Corporate

Headquarters

10.0.1.0/24

Tasman #1

blackbox 1

VPN Ser ve r

172.16.0.1

david@tasmannetworks

Local Address: D ynamic

mike@tasmannetworks.

com

VPN Client 2

Local ID :

blackbox.com

com

Step 1: As in Step1 of Example 1

Black Box LR11xx Series Router Configurations Guide

Step 2: As in Step2 of Example 1

Step 3: As in Step3 of Example 1

Step 4: Configure dynamic IKE policy for a group of mobile users

Black Box1/configure> crypto Black Box1/configure/crypto> dynamic Black Box1/configure/crypto/dynamic> ike policy sales Black Box1/configure/crypto/dynamic/ike/policy sales> local-address 172.16.0.1 Black Box1/configure/crypto/dynamic/ike/policy sales> remote-id email-id david@BlackBox.com david

A new user david is added to the grou p sales . The defau lt propos al created wi th priori ty1-des -sha1-pr e_shared -g1 and t he Key String has to be configured by the user.

Black Box1/configure/crypto/dynamic/ike/policy sales> remote-id email-id mike@BlackBox.com New user mike is added to the group sales

Black Box1/configure/crypto/dynamic/ike/policy sales> key secretkeyforsalesusers Black Box1/configure/crypto/dynamic/ike/policy sales> proposal 1 Black Box1/configure/crypto/dynamic/ike/policy sales/proposal 1> encryption-algorithm 3des-cbc Black Box1/configure/crypto/dynamic/ike/policy sales/proposal 1> exit Black Box1/configure/crypto/dynamic/ike/policy sales> client authentication radius pap Black Box1/configure/crypto/dynamic/ike/policy sales> exit Black Box1/configure/crypto/dynamic>

Step 5: Display dynamic IKE policies

Black Box1> show crypto dynamic ike policy all

Policy Remote-id Mode Transform Address-Pool

------ --------- ---- --------- -----------sales U david@Blackbox... Aggressive P1 pre-g1-3des-sha1

Step 6: Display dynamic IKE policies in detail

Black Box1> show crypto dynamic ike policy all detail

Policy name sales, User group name sales Aggressive mode, Response Only, PFS is not enabled, Shared Key is ***** Client authentication is Radius(PAP) Local addr: 172.16.0.1, Local ident 172.16.0.1 (ip-address) Remote idents are david@Blackbox.com (email-id), mike@Blackbox.com ( email-id)

Proposal of priority 1 Encryption algorithm: 3des Hash Algorithm: sha1 Authentication Mode: pre-shared-key DH Group: group1 Lifetime in seconds: 86400

Lifetime in kilobytes: unlimited

Step 7: Configure dynamic IPSec policy for a group of mobile users

Example 4: IPSec remote access

Black Box1/configure/crypto/dynamic> ipsec policy sales

Black Box1/configure/crypto/dynamic/ipsec/policy sales> match address 10.0.1.0 24 Default proposal created with priority1-esp-3des-sha1-tunnel and activated.

Black Box1/configure/crypto/dynamic/ipsec/policy sales> proposal 1 Black Box1/configure/crypto/dynamic/ipsec/policy sales/proposal 1> encryption-algorithm aes256-cbc Black Box1/configure/crypto/dynamic/ipsec/policy sales/proposal 1> exit Black Box1/configure/crypto/dynamic/ipsec/policy sales> exit Black Box1/configure/crypto/dynamic>

Step 8: Display dynamic IPSec policies

Black Box1> show crypto dynamic ipsec policy all

Policy Match Proto Transform

------ ----- ----- --------sales S 10.0.1.0/24/any Any P1 esp-aes-sha1-tunl D any/any/any INsales S any/any/any Any P1 esp-aes-sha1-tunl

D 10.0.1.0/24/any

Step 9: Display dynamic IPSec policies in detail

Black Box LR11xx Series Router Configurations Guide

Black Box1> show crypto dynamic ipsec policy all detail

Policy sales is enabled, User group name sales Direction is outbound, Action is Apply Key Management is Automatic PFS Group is disabled Match Address: Protocol is Any Source ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any) Destination ip address (ip/mask/port): (any/any/any)

Proposal of priority 1 Protocol: esp Mode: tunnel Encryption Algorithm: aes256(key length=256 bits) Hash Algorithm: sha1 Lifetime in seconds: 3600 Lifetime in Kilobytes: 4608000

Policy INsales is enabled, User group name sales Direction is inbound, Action is Apply Key Management is Automatic PFS Group is disabled Match Address: Protocol is Any Source ip address (ip/mask/port): (any/any/any) Destination ip address (ip/mask/port): (10.0.1.0/255.255.255.0/any)

Proposal of priority 1 Protocol: esp Mode: tunnel Encryption Algorithm: aes256(key length=256 bits) Hash Algorithm: sha1 Lifetime in seconds: 3600

Lifetime in Kilobytes: 4608000

Step 10: Configure radius server (applicable only if client authentication is configured in dynamic IKE policy)

Black Box1/configure> aaa Black Box1/configure/aaa> radius Black Box1/configure/aaa/radius> primary_server 172.168.2.1 Primary Radius server configured. Black Box1/configure/aaa/radius> secondary_server 192.168.2.1 Secondary Radius server configured. Black Box1/configure/aaa/radius> exit Black Box1/configure/aaa> exit

Step 11 : Configure firewall policies to allow IKE negotiation through untrusted interface (applicable only if firewall license is also

enabled)

Example 4: IPSec remote access

Step 12: Display firewall policies in the internet map (applicable only if firewall license is enabled)

Black Box1> show firewall policy internet Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter, R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging, E - Policy Enabled, M - Smtp-Filter

Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced

--- --- ----------- ---------------- ----------------- ------ -------1000 in any any ike PERMIT SE 1024 out any any any any any PERMIT SE

Step 13: Display firewall policies in the internet map in detail (applicable only if firewall license is enabled)

Black Box1> show firewall policy internet detail

Bytes In 0, Bytes Out 0

Step 14: Config ure firewall policies for a group of mobile use rs to allow access to the loc a l LAN (appli cable on ly if fire wa ll license is

enabled)

Black Box1/configure/firewall corp> Black Box1/configure/firewall corp> policy 1000 in user-group sales address any any 10.0.1.0 24 Black Box1/configure/firewall corp/policy 1000 in >exit Black Box1/configure/firewall corp>

Step 15: Display firewall policies in the corp map (applicable only if firewall license is enabled)

Black Box LR11xx Series Router Configurations Guide

Black Box1> show firewall policy corp Advanced: S - Self Traffic, F - Ftp-Filter, H - Http-Filter, R - Rpc-Filter, N - Nat-Ip/Nat-Pool, L - Logging, E - Policy Enabled, M - Smtp-Filter

Pri Dir Source Addr Destination Addr Sport Dport Proto Action Advanced

--- --- ----------- ---------------- ----------------- ------ -------1000 in any 10.0.1.0/24 any any any PERMIT E 1022 out any any any any any PERMIT SE 1023 in any any any any any PERMIT SE

1024 out any any any any any PERMIT E

Step 16: Display firewall policies in the corp map in detail (applicable only if firewall license is enabled)

4.1Example 5: IPSec remote access to corporate LAN using mode configuration method

The following example demonstrates how to configure a Black Box router to be an IPSec VPN server using mode-configuration method. The client could be any standard mode configuration enabled IPSec VPN client.

In this example, the client needs to access the corporate private network 10.0 .1. 0/24 through the VPN tunnel. The server has a pool of ip addresses from 20.1.1.100 through 20.1.1.150 to be allocated for mode configuration enabled VPN clients. The assigned IP address will be used by the VPN client as the source address in the inner IP header. The outer IP header will carry the dynamic IP address assigned by the Internet Service Provider as the source address. The security requirements are as follows:

Phase 1: 3DES with SHA1, Mode Configuration Phase 2: IPSec ESP tunnel with AES256 and HMAC-SHA1

Black Box 1

Corporate

Headquarters

10.0.1.0/24

Tasman #1 VPN Ser v e r

172.16.0.1

Mode Config IP

Pool:

10.0.1.100-

10.0.1.150

Example 5: IPSec remote access

VPN Client 1

Local Outer A ddress:

Dynamic

Local Inner Assigned

Address: 10. 0. 1. 100/ 32

Local ID:

blackbox.com

david@tasmannetworks.

com

VPN Client 2

Local Outer Address:

Dynamic

Local Inner A s si gned

Address: 10 . 0. 1.101/32

Local ID:

blackbox.com

mike@tasmannetworks.

com