Nortel 3050, 3070, NVG 3050, NVG 3070, 1000 Command Reference Manual

Nortel VPN Gateway
Command Reference
Release: 7.0 Document Revision: 01.01
www.nortel.com
NN46120-103
216369-E
Nortel VPN Gateway Release: 7.0 Publication: NN46120-103 Document status: Standard Document release date: 10 September 2007
Copyright © 2007 Nortel Networks All Rights Reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
*Nortel, Nortel Networks, the Nortel logo and the Globemark are trademarks of Nortel Networks.
Export
This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or reexport may be required by the U.S. Department of Commerce.
Licensing
This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (http://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
This product includes software developed by the Apache Software Foundation (http://www.apache.org/).
This product includes a TAP-Win32 driver derived from the CIPE-Win32 kernel driver, Copyright © Damion K. Wilson, and is licensed under the GPL.
See Appendix D, "License Information", in the User’s Guide for more information.
Contents
Preface 5
    Who Should Use This Book 6
    Related Documentation 7
    Product Names 8
    Typographic Conventions 9
    How to Get Help 10
        Getting help from Nortel Web site 10
        Getting help over the phone from a Nortel Solutions Center 10
        Getting help from a specialist by using an Express Routing Code 10
        Getting help through a Nortel distributor or reseller 10
Command Reference 11
    Menu Basics 12
    Global Commands 13
    Command Line History and Editing 16
    Command Line Interface Shortcuts 18
    Variables 22
    The Main Menu 25
    /info Information Menu 26
    /stats Statistics Menu 42
    /cfg Configuration Menu 81
    /cfg/vpn #/syslog Syslog VPN configuration 419
    /boot Boot Menu 468
    /maint Maintenance Menu 472
    /maint/log Logging system configuration 477
    /maint/log/in-memory Internal memory configuration 477
CLI Dumps 479
Index 495
Nortel VPN Gateway
Command Reference
NN46120-103 01.01 Standard
10 September 2007
Copyright © 2007 Nortel Networks
Preface
This Command Reference lists all the CLI commands available in the Nortel VPN Gateway (NVG) software. The software supports both SSL Acceleration and VPN.
Who Should Use This Book
This Command Reference is intended for network installers and system administrators engaged in configuring and maintaining a network. It assumes that you are familiar with Ethernet concepts and IP addressing.
Related Documentation
For full documentation on installing, configuring and using the many features of the SSL VPN, see the following manuals:
VPN Gateway 7.0 User’s Guide
(part number 216368-F September 2007) Describes the initial setup procedure, upgrades, operator user management, certificate management, troubleshooting and other general operations that apply to both SSL Acceleration and VPN.
VPN Gateway 7.0 Command Reference Guide
(part number 216369-E September 2007) Describes each command line in detail. The commands are listed per menu according to the order listed in the Command Line Interface (CLI).
VPN Gateway 7.0 Application Guide for SSL Acceleration
(part number 216370-D April 2006) Provides examples on how to configure SSL Acceleration through the CLI.
VPN Gateway 7.0 CLI Application Guide for VPN
(part number 216371-E September 2007) Provides examples on how to configure VPN deployment through the CLI.
VPN Gateway 7.0 BBI Application Guide for VPN
(part number 217239-D, September 2007) Provides examples on how to configure VPN deployment through the BBI (Browser-Based Management Interface).
VPN Gateway 7.0 VPN Administrator’s Guide
(part number 217238-D, September 2007) VPN management guide intended for end-customers in a Secure Service Partitioning configuration.
VPN Gateway 3050/3070 Hardware Installation Guide
(part number 216213-B, March 2005) Describes installation of the VPN Gateway 3050 and 3070 hardware models.
VPN Gateway 7.0 Release Notes
(part number 216372-P, September 2007) Lists new features available in version 7.0 and provides up-to-date product information.
The preceding manuals are available for download (see "How to Get Help" (page 10)).
Product Names
The software described in this manual runs on several different hardware models. Whenever the terms Nortel VPN Gateway, VPN Gateway or NVG are used in the documentation, the following hardware models are implied:
Nortel VPN Gateway 3050 (NVG 3050)
Nortel VPN Gateway 3070 (NVG 3070)
Nortel SSL VPN Module 1000 (SVM 1000)
The integrated SSL Accelerator (SSL processor) on the Nortel 2424-SSL switch
Similarly, all references to the old product name iSD-SSL or iSD in commands or screen outputs should be interpreted as applying to the preceding hardware models.
Note: Manufacturing of the Nortel SSL Accelerator (formerly Alteon SSL Accelerator) has been discontinued.
Typographic Conventions
The following table describes the typographic styles used in this book.
Table 1 Typographic Conventions
Typeface or Symbol / Meaning / Example

AaBbCc123
    Meaning: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
    Example: View the readme.txt file.
             Main#

AaBbCc123
    Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
    Example: Main# sys

<AaBbCc123>
    Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets.
    Example: To establish a Telnet session, enter: host# telnet <IP address>
    Italic type also shows book titles, special terms, or words to be emphasized.
    Example: Read your User's Guide thoroughly.

[ ]
    Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
    Example: host# ls [-a]
How to Get Help
This section explains how to get help for Nortel products and services.
Getting help from Nortel Web site
The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. From this site, you can:
download software, documentation, and product bulletins for answers to technical issues
sign up for automatic notification of new software and documentation for Nortel equipment
open and manage technical support cases
Getting help over the phone from a Nortel Solutions Center
If you do not find the information you require on the Nortel Technical Support web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
In North America, call 1-800-4NORTEL (1-800-466-7835). Outside North America, go to the following web site to obtain the phone number for your region: www.nortel.com/callus
Getting help from a specialist by using an Express Routing Code
An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, go to: www.nortel.com/erc
Getting help through a Nortel distributor or reseller
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
Command Reference
This chapter describes how to use the command line interface on the Nortel VPN Gateway (NVG). The chapter also provides explanations of all available commands.
Menu Basics
The Command Line Interface (CLI) is used for viewing information and statistics. In addition, the administrator can use the CLI for configuring all levels of the VPN Gateway.
The various CLI commands are grouped into a series of menus and submenus. Each menu displays a list of commands and/or submenus that are available, along with a summary of what each command will do. Below each menu is a prompt where you can enter any command appropriate to the current menu.
When creating new CLI objects, for example a new interface or a new group, you will enter a wizard providing the relevant questions for that object. The regular menu for the object will be displayed after the wizard is completed.
This section describes the Main menu commands, and provides a list of commands and shortcuts that are commonly available from all the menus within the CLI.
Global Commands
Some basic commands are recognized throughout the menu hierarchy. These commands are useful for obtaining online help, navigating through menus, and for applying and saving configuration changes:
Table 2 Global Commands
Command
Action
help
Display a summary of the global commands.
help <command>
Displays help on a specific command in the command line interface. Example: Typing the "/cfg/sys" command at any prompt in the CLI will display the System menu. The same result is achieved by only typing /cfg/sys (no quotation marks) at any menu prompt.
.
Display the current menu.
print
Display the current menu.
..
Go up one level in the menu structure.
up
Go up one level in the menu structure.
/
If placed at the beginning of a command, go to the Main menu. Otherwise, this is used to separate multiple commands placed on the same line.
cd "<menu/path>"
Display the menu indicated within quotation marks. Example: Typing cd "/cfg/sys" at any prompt in the CLI will display the System menu. The same result is achieved by only typing /cfg/sys (no quotation marks) at any menu prompt.
pwd
Display the command path used to reach the current menu.
apply
Apply pending configuration changes.
diff
Show any pending configuration changes. Passwords and secrets (if any) are displayed as (SECRET).
revert
Remove pending configuration changes between "apply" commands. Use this command to restore configuration parameters set since last "apply" command.
paste
Lets you restore a previously dumped configuration. Before pasting the configuration, you need to provide the password phrase you specified when executing the dump command. For more information, see the dump command.
exit
Terminate the current session and log out. If you have unapplied (pending) configuration changes when using the exit command, you will be notified. If you choose to log out anyhow without using the apply command, your pending configuration changes will be lost.
quit
Same as Exit. If you have unapplied (pending) configuration changes when using the quit command, you will be notified. If you choose to log out anyhow without using the apply command, your pending configuration changes will be lost.
CTRL+^
Exit from the command line interface in case the VPN Gateway has stopped responding. This command should only be used when connected to a specific VPN Gateway through a console connection, not when connected to the Management IP of the cluster through a Telnet or SSH connection.
netstat
Use this command to show the current network status of the VPN Gateway. The netstat command provides information about active TCP connections, as well as the state of all TCP/IP servers and the sockets used by them.
nslookup
Use this command to find the IP address or host name of a machine. To use this command, you must have configured the VPN Gateway to use a DNS server. Example:
>> Configuration# nslookup
Enter Hostname | IpAddress: 47.80.21.24
Server: zsc4s011.us.nortel.com
Address: 47.81.2.10
ping
Use this command to verify station-to-station connectivity across the network. The format is as follows:
ping <IP address or host name>
The DNS parameters must be configured if specifying host names (see /cfg/vpn <id> /adv/dns/servers DNS Servers Configuration).
traceroute
Use this command to identify the route used for station-to-station connectivity across the network. The format is as follows:
traceroute <IP address or host name of target station>
As with ping, the DNS parameters must be configured if specifying host names.
cur
Use this command to view all the current settings for the active menu. Passwords and secrets (if any) are displayed as (SECRET).
curb
Use this command for a brief version of the current settings for the active menu.
dump
Use this command to dump the current configuration for the active menu. The dumped information can be cut and pasted into another operator's CLI at the same menu level. The dump command is also available in all statistics menus to display statistics information for the active menu. When the dump command is used, no secret value will be dumped unless a dump password has been given, and in this case the secret value is encrypted. To paste a dump, the paste command should be used. The password given at the dump command should then be supplied.
lines n
Set the number of lines (n) that is displayed on the screen at one time. The default value is 24 lines. When used without a value, the current setting is displayed.
verbose n
Sets the level of information displayed on the screen:
0 = Quiet: Nothing appears except errors, not even prompts.
1 = Normal: Prompts and requested output are shown, but no menus.
2 = Verbose: Everything is shown.
The default level is 2. When used without a value, the current setting is displayed.
slist
Use this command to display a list of all Admin user sessions currently running in the cluster.
Command Line History and Editing
Using the command line interface, you can retrieve and modify previously entered commands with just a few keystrokes. The following options are available globally at the command line:
Table 3 Command Line History and Editing Options
Option
Description
history
Display a numbered list of the last 10 previously entered commands.
!!
Repeat the last entered command.
! n
Repeat the nth command shown on the history list.
pushd
"Bookmarks" your current position in the menu structure. After moving to another level or command in the menu structure, you can easily return to the bookmarked position by typing the popd command. The pushd command can be combined with command stacking, as in this example:
>> Information# pushd "/cfg/ssl/server 1/ssl"
>> SSL Settings#
When you issue the popd command, you are immediately taken back to the prompt from where you issued the pushd command, the Information prompt in this example.
popd
Takes you back to a position in the menu structure that has been "bookmarked" by using the pushd command.
<Ctrl-p>
(Also the up arrow key.) Recall the previous command from the history list. This can be used multiple times to work backward through the last 10 commands. The recalled command can be entered as is, or edited using the following options.
<Ctrl-n>
(Also the down arrow key.) Recall the next command from the history list. This can be used multiple times to work forward through the last 10 commands. The recalled command can be entered as is, or edited using the following options.
<Ctrl-a>
Move the cursor to the beginning of the command line.
<Ctrl-e>
Move the cursor to the end of the command line.
<Ctrl-b>
(Also the left arrow key.) Move the cursor back one position to the left.
<Ctrl-f>
(Also the right arrow key.) Move the cursor forward one position to the right.
<Backspace>
(Also the Delete key.) Erase one character to the left of the cursor position.
<Ctrl-d>
Delete one character at the cursor position.
<Ctrl-k>
Kill (erase) all characters from the cursor position to the end of the command line.
<Ctrl-l>
Rewrites the most recent command.
<Ctrl-c>
Abort an on-going transaction. If pressed when there is no on-going transaction, the current menu is displayed.
Note: Using <Ctrl-c> will not abort screen output generated from using the cur command. To abort the heavy screen output that may result from using the cur command, press <q>.
<Ctrl-u>
Clear the entire line.
Other keys
Insert new characters at the cursor position.
Command Line Interface Shortcuts
Command Stacking
You can type multiple commands separated by forward slashes (/) on a single line to access a submenu and one of the related menu options. Type as many commands as required to access the desired submenu and menu option. For example, the keyboard shortcut to access the list command in the NTP Servers menu from the Main menu prompt is as follows:
>> Main# cfg/sys/time/ntp/list
You can also use command stacking to go up one or more levels in the menu system, and then go directly to another submenu and one of the related menu options in that submenu. For example, to go up two levels from the NTP Servers menu to the System menu, and from there to the DNS settings menu to access the DNS servers menu, you would type:
>> NTP Servers# ../../dns/servers
Command Abbreviation
Most commands can be abbreviated by entering the first characters which distinguish the command from the others in the same menu or submenu. For example, the command shown in the first preceding example could also be entered as follows:
>> Main# c/sy/t/n/l
TAB Command Completion
By typing the first letter of a command at any menu prompt and pressing TAB, all commands in that menu beginning with the letter you typed are displayed. By typing additional letters, you can further refine the list of commands or options displayed. If only one command matches the letter(s) you typed, that command is supplied on the command line when pressing TAB. You can then execute the command by pressing ENTER. If the TAB key is pressed without any input on the command line, the currently active menu is displayed.
TAB Value Presentation
Pressing the TAB key also displays available options, for example if you want to view previously configured values.
>> Main# cfg/vpn #/linkset #/link
Enter Link number (1-256): <press TAB>
Windows file share link(1)
Net Direct link(2)
Enter Link number (1-256):
In the preceding example, with the object name followed by the object ID within parenthesis, both the name and the integer (for example 2) can be used to select the object.
Example: To select Net Direct link, enter N and press TAB. This will complete the object name so that the full name is printed. Then press ENTER to select this value.
In the example below, with the object ID followed by the object name within parenthesis, only the integer (for example 2) can be used to select the object.
>> AAA# defippool <press TAB>
Usage: defippool <integer>
2(RADIUS) 1(Local)
Using Submenu Name as Command Argument
To display the properties related to a specific submenu, you can provide the submenu name as an argument to the cur command (at a menu prompt one level up from the desired submenu information).
For example, to display system information at the Configuration menu prompt (/cfg), type the following command:
>> Configuration# cur sys
System:
  Management IP (MIP) address = 192.168.128.211
  Cluster Host 1:
    Type of the host = master
    IP address = 192.168.128.213
    SysName =
    SysLocation =
    License = IPsec user sessions: 250
              Secure Service Partitioning
              PortalGuard
              TPS: unlimited
              SSL user sessions: 250
    Default gateway address = 192.168.128.3
    Ports = 1 : 2
    Hardware platform = 3070
    Host Routes:
      No items configured
    Host Interface 1:
      IP address = 10.1.82.145
      Network mask = 255.255.255.0
      Default gateway address = 0.0.0.0
      VLAN tag id = 0
      Mode = failover
      Primary port = 0
      Host Interface Routes:
        No items configured
Without having to descend into the System menu (/cfg/sys), system-specific information only is displayed directly at the Configuration menu prompt. If the cur command had been used without the sys submenu argument in the preceding example, information related to both the Configuration menu and all submenus would have been displayed.
Using Slashes (/) and Spaces in Commands
If you need to use a forward slash (/) or a space in a command string, make sure the string containing the slash or space is within double quotation marks before you run the command. One example of a command where double quotation marks are required is when you specify a directory path and file name on the same line as the ftp command in the CLI.
Example:
>> Software Management# download ftp 10.0.0.1 "pub/SSL-7.0.1-upgrade_complete.pkg"
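The stacking, abbreviation, TAB-completion and quoting rules described in this section can be modelled in a few dozen lines. The following Python is an added example written for this page, not NVG code: MENU_TREE is a constructed subset of the menu hierarchy built from the paths shown above (cfg/sys/time/ntp/list, cfg/sys/dns/servers, boot/software), and the download example reuses the file name from the example above.

```python
from typing import Dict, List, Optional, Tuple

# Constructed subset of the NVG menu tree, modelled on the paths this page
# shows. A value of None marks a command (leaf); a dict marks a submenu.
MENU_TREE: Dict = {
    "info": {"servers": None, "certs": None, "users": None},
    "cfg": {
        "sys": {
            "time": {"ntp": {"list": None, "add": None, "del": None}},
            "dns": {"servers": None},
        },
        "ssl": {"server": None},
        "vpn": {"aaa": None, "portal": None},
    },
    "boot": {"software": {"download": None, "activate": None}},
    "maint": {"log": None},
}


def tokenize(line: str) -> List[str]:
    """Split a stacked command line on '/'. Text inside double quotes is kept
    verbatim (quotes removed), so a quoted file path such as
    "pub/SSL-7.0.1-upgrade_complete.pkg" is not treated as more commands.
    A leading '/' produces an empty first token meaning 'start at Main'."""
    tokens: List[str] = []
    buf = ""
    in_quote = False
    for ch in line.strip():
        if ch == '"':
            in_quote = not in_quote
        elif ch == "/" and not in_quote:
            tokens.append(buf)
            buf = ""
        else:
            buf += ch
    if in_quote:
        raise ValueError("unterminated double quote")
    tokens.append(buf)
    return tokens


def menu_at(path: List[str]) -> Optional[Dict]:
    """Return the submenu dict at path, or None if path names a command."""
    node: Optional[Dict] = MENU_TREE
    for name in path:
        node = node[name]
    return node


def completions(menu: Dict, prefix: str) -> List[str]:
    """TAB completion: the entries of menu that begin with prefix."""
    return sorted(name for name in menu if name.startswith(prefix))


def resolve_component(menu: Dict, token: str) -> str:
    """Command abbreviation: a token selects the one entry it is a prefix of.
    An exact name always wins, so 'ssl' is not ambiguous with 'sslvpn'."""
    if token in menu:
        return token
    matches = completions(menu, token)
    if len(matches) == 1:
        return matches[0]
    if not matches:
        raise KeyError(f"no such command: {token!r}")
    raise KeyError(f"ambiguous abbreviation {token!r}: {matches}")


def resolve(line: str, cwd: List[str]) -> Tuple[List[str], str]:
    """Resolve a stacked, possibly abbreviated command line typed at the menu
    whose full path is cwd ([] = Main). Returns (full path, argument string);
    only the final component may carry arguments, e.g. 'download ftp ...'."""
    tokens = tokenize(line)
    path = [] if tokens[0] == "" else list(cwd)
    args = ""
    for index, tok in enumerate(tokens):
        tok = tok.strip()
        if tok in ("", "."):          # '.' just redisplays the current menu
            continue
        if tok == "..":
            if path:
                path.pop()
            continue
        menu = menu_at(path)
        if menu is None:
            raise KeyError("/".join(path) + " is a command, not a menu")
        name, _sep, rest = tok.partition(" ")
        if rest and index != len(tokens) - 1:
            raise ValueError("arguments are only allowed on the last command")
        path.append(resolve_component(menu, name))
        args = rest.strip()
    return path, args


if __name__ == "__main__":
    print(resolve("cfg/sys/time/ntp/list", []))
    print(resolve("c/sy/t/n/l", []))
    print(resolve("../../dns/servers", ["cfg", "sys", "time", "ntp"]))
    print(completions(menu_at(["cfg"]), "s"))
```

An exact name takes precedence over prefix matching, and an abbreviation such as s at /cfg is rejected as ambiguous (ssl, sys) rather than silently resolved to one of them; a resolver that guessed would turn a typo into a change at the wrong menu.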
IP Address and Network Mask Formats
IP Addresses
IP addresses can be specified in different ways in the CLI:
Dotted decimal notation. Specify the IP address as is, for example 10.0.0.1.
According to the formats below:
A.B.C.D = A.B.C.D, i.e. same as above
A.B.D = A.B.0.D, i.e. 10.1.10 translates to 10.1.0.10
A.D = A.0.0.D, i.e. 10.1 translates to 10.0.0.1
D = 0.0.0.D, i.e. 10 translates to 0.0.0.10
Network Masks
A network mask can be entered in number of bits or in dotted decimal notation.
Example:
The network mask 255.0.0.0 can also be entered as 8.
The network mask 255.255.0.0 can also be entered as 16.
The network mask 255.255.255.0 can also be entered as 24.
The network mask 255.255.255.255 can also be entered as 32.
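Added example (Python, not code from the NVG software) implementing the address shorthand expansion and the two network mask notations described above. The contiguity check on dotted-decimal masks is an addition of this example, so that a mistyped mask such as 255.0.255.0 is rejected rather than silently accepted.

```python
import ipaddress
from typing import Union


def expand_ip(short: str) -> str:
    """Expand the CLI's shorthand address forms into dotted decimal:
    A.B.C.D stays as is, A.B.D -> A.B.0.D, A.D -> A.0.0.D, D -> 0.0.0.D.
    Missing fields are zero-filled between the first and the last field."""
    fields = short.strip().split(".")
    if not 1 <= len(fields) <= 4:
        raise ValueError(f"bad address {short!r}")
    octets = []
    for field in fields:
        if not field.isdigit() or int(field) > 255:
            raise ValueError(f"bad field {field!r} in {short!r}")
        octets.append(int(field))
    if len(octets) == 1:
        octets = [0, 0, 0] + octets
    else:
        octets = octets[:-1] + [0] * (4 - len(octets)) + octets[-1:]
    return ".".join(str(o) for o in octets)


def bits_to_mask(bits: int) -> str:
    """Prefix length (0-32) -> dotted-decimal network mask."""
    if not 0 <= bits <= 32:
        raise ValueError(f"prefix length out of range: {bits}")
    value = (0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF
    return str(ipaddress.IPv4Address(value))


def mask_to_bits(mask: str) -> int:
    """Dotted-decimal network mask -> prefix length. A mask whose one bits
    are not contiguous (e.g. 255.0.255.0) is rejected rather than guessed."""
    value = int(ipaddress.IPv4Address(mask))
    bits = bin(value).count("1")
    if value != ((0xFFFFFFFF << (32 - bits)) & 0xFFFFFFFF):
        raise ValueError(f"{mask} is not a contiguous network mask")
    return bits


def normalize_mask(mask: Union[str, int]) -> str:
    """Accept either form the CLI accepts (prefix length or dotted decimal)
    and return the dotted-decimal form, validating it on the way."""
    text = str(mask).strip()
    if text.isdigit():
        return bits_to_mask(int(text))
    return bits_to_mask(mask_to_bits(text))


if __name__ == "__main__":
    for short in ("10.0.0.1", "10.1.10", "10.1", "10"):
        print(f"{short:>10} -> {expand_ip(short)}")
    for mask in (8, 16, 24, 32, "255.255.255.0"):
        print(f"{str(mask):>16} -> {normalize_mask(mask)}")
```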
Variables
Some of the commands and features in the NVG software can take variables. The table below lists available variables and areas where they can be used.
Variable Usage

<var:user>
Expands to the user name specified when the user logged in to the VPN, for example on the Portal login page. The variable can for example be included in Portal link specifications (see ), in single-sign-on headers (see "/cfg/vpn <id> /aaa/ssoheaders Single-Sign-On Headers Configuration" (page 257)), for proxy mapping (see "/cfg/vpn <id> /server/proxymap Proxy Mapping Configuration" (page 282)), in redirect URLs and static texts (see "/cfg/vpn <id> /portal SSL VPN Portal Configuration" (page 323)).

<var:password>
Expands to the password specified when the user logged in to the VPN. The variable can for example be included in Portal link specifications (see ), in single-sign-on headers (see "/cfg/vpn <id> /aaa/ssoheaders Single-Sign-On Headers Configuration" (page 257)), for proxy mapping (see "/cfg/vpn <id> /server/proxymap Proxy Mapping Configuration" (page 282)) and in redirect URLs (see "/cfg/vpn <id> /portal SSL VPN Portal Configuration" (page 323)).

<var:group>
Expands to the group in which the logged on user is a member. The variable can for example be included in Portal link specifications (see ), in single-sign-on headers (see "/cfg/vpn <id> /aaa/ssoheaders Single-Sign-On Headers Configuration" (page 257)), in redirect URLs and static texts (see "/cfg/vpn <id> /portal SSL VPN Portal Configuration" (page 323)).

<var:portal>
Expands to the Portal's IP address. The variable can for example be included in single-sign-on headers (see "/cfg/vpn <id> /aaa/ssoheaders Single-Sign-On Headers Configuration" (page 257)) and in redirect URLs (see "/cfg/vpn <id> /portal SSL VPN Portal Configuration" (page 323)).
<var:domain>
Expands to the domain name specified for the authentication method by which the logged in user was authenticated. The domain name is specified with the /cfg/vpn #/aaa/auth #/domain command. The variable can for example be included in Portal link specifications (see ) and in single-sign-on headers (see "/cfg/vpn <id> /aaa/ssoheaders Single-Sign-On Headers Configuration" (page 257)).

<var:method>
Expands to the access protocol used, i.e. http or https.

<var:sslsid>
Expands to the SSL session ID in binary format.

<var:clicert>
Expands to a Base 64 encoded version of the client certificate, if one was present when the user was logged in to the VPN. The variable can be used when creating dynamic HTTP headers (see "/cfg/ssl/server <id> /http/dynheader Dynamic Header Configuration" (page 115)).

<md5:...>
Expands the variable or variables (for example <md5:<user>:<password>>) and computes an MD5 checksum which is Base 64 encoded. Can be used when creating dynamic HTTP headers (see "/cfg/ssl/server <id> /http/dynheader Dynamic Header Configuration" (page 115)) and single-sign-on headers (see "/cfg/vpn <id> /aaa/ssoheaders Single-Sign-On Headers Configuration" (page 257)).

<base64:...>
Expands the variable or variables (for example <base64:<user>:<password>>) and encodes them using Base 64. Can be used when creating dynamic HTTP headers (see "/cfg/ssl/server <id> /http/dynheader Dynamic Header Configuration" (page 115)) and single-sign-on headers (see "/cfg/vpn <id> /aaa/ssoheaders Single-Sign-On Headers Configuration" (page 257)).

<var:tgFailureReason>
Expands to the Tunnel Guard rule expression and the Tunnel Guard rule comment specified for the current SRS rule when a Tunnel Guard check has failed. For more information, see the "Configure Tunnel Guard" chapter in the Application Guide for VPN.
<var:tgFailureDetail>
Expands to the software definition comment specified for the current SRS rule, along with a detailed specification of missing/present files/processes etc. generated by the Tunnel Guard applet when a Tunnel Guard check has failed. For more information, see the "Configure Tunnel Guard" chapter in the Application Guide for VPN.
Note that this variable is not expanded if /cfg/vpn #/aaa/tg/details is set to off.

Operator-defined variables
Custom variables can be created to retrieve the desired values from RADIUS and LDAP databases (see "/cfg/vpn <id> /aaa/auth <id> /radius/macro RADIUS Macro Configuration" (page 188) and "/cfg/vpn <id> /aaa/auth <id> /ldap/ldapmacro LDAP Macro Configuration" (page 199)).

Note: Variables included in links are URL encoded whereas variables included in static texts (for example on the Portal page and on the Portal login page) are not URL encoded.
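Added example (Python, not NVG code) showing how the <var:...>, <base64:...> and <md5:...> forms in the table compose, including the URL-encoding rule from the note above. SESSION is a constructed login context; treating the bare <user> shorthand used in the table's md5 example as equivalent to <var:user> is an assumption of this example, as is the helper name md5_b64.

```python
import base64
import hashlib
from typing import Dict, List, Tuple
from urllib.parse import quote

# Constructed login context standing in for the values the NVG collects at
# Portal login; the keys match the <var:...> names in the table above.
SESSION: Dict[str, str] = {
    "user": "joe",
    "password": "secret",
    "group": "staff",
    "portal": "192.168.128.211",
    "method": "https",
}


def md5_b64(text: str) -> str:
    """<md5:...>: MD5 digest of the expanded text, Base 64 encoded."""
    return base64.b64encode(hashlib.md5(text.encode()).digest()).decode()


def _expand_one(body: str, ctx: Dict[str, str]) -> str:
    """Evaluate the (already expanded) contents of one <...> group."""
    kind, sep, rest = body.partition(":")
    if kind == "var":
        return ctx[rest]              # unknown variable -> KeyError, not ''
    if kind == "base64":
        return base64.b64encode(rest.encode()).decode()
    if kind == "md5":
        return md5_b64(rest)
    if not sep and body in ctx:       # bare <user> shorthand from the table,
        return ctx[body]              # assumed equivalent to <var:user>
    raise ValueError(f"unknown variable <{body}>")


def _parse(s: str, i: int, ctx: Dict[str, str], url_encode: bool,
           depth: int) -> Tuple[str, int]:
    """Expand s[i:] up to the '>' that closes the current group (or to the end
    of the string at depth 0). Substituted values are appended as plain text
    and never re-scanned, so a value containing '<' cannot open a new group."""
    out: List[str] = []
    while i < len(s):
        ch = s[i]
        if ch == "<":
            inner, i = _parse(s, i + 1, ctx, url_encode, depth + 1)
            value = _expand_one(inner, ctx)
            # Only outermost values are URL-encoded; nested ones feed md5/base64.
            out.append(quote(value, safe="") if url_encode and depth == 0 else value)
            i += 1                    # skip the closing '>'
        elif ch == ">":
            if depth == 0:
                raise ValueError("stray '>' in template")
            return "".join(out), i
        else:
            out.append(ch)
            i += 1
    if depth > 0:
        raise ValueError("unterminated '<' in template")
    return "".join(out), i


def expand(template: str, ctx: Dict[str, str], url_encode: bool = False) -> str:
    """Expand <var:...>, <base64:...> and <md5:...> in template, innermost
    first. url_encode=True applies the rule the note above gives for links:
    variables inside links are URL-encoded, those in static text are not."""
    return _parse(template, 0, ctx, url_encode, 0)[0]


if __name__ == "__main__":
    print(expand("Authorization: Basic <base64:<var:user>:<var:password>>", SESSION))
    print(expand("<md5:<user>:<password>>", SESSION))
    print(expand("<var:method>://<var:portal>/?u=<var:user>", SESSION, url_encode=True))
```

The parser inserts login-supplied values as text and never re-scans them, so a user name that happens to contain '<' or '>' stays a literal string instead of being interpreted as a further variable reference; a simpler implementation that repeatedly regex-substituted the string would not give that guarantee.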
The Main Menu
The Main menu appears after a successful connection and login. Table 4 "Administrator Main Menu" (page 25) shows the Main menu as it appears when logged in as Administrator. Note that some of the commands are not available when logged in as Operator.
Table 4 Administrator Main Menu
[Main Menu]
info   - Information menu
stats  - Statistics menu
cfg    - Configuration menu
boot   - Boot menu
maint  - Maintenance menu
diff   - Show pending config changes [global command]
apply  - Apply pending config changes [global command]
revert - Revert pending config changes [global command]
paste  - Restore saved config with key [global command]
help   - Show command help [global command]
exit   - Exit [global command, always available]
Menu Summary
Information menu
Provides submenus for displaying information about the current status of the VPN Gateway. For more information, see "/info Information Menu" (page 26).
Statistics menu
Provides submenus for displaying NVG performance statistics. For more information, see "/stats Statistics Menu" (page 42).
Configuration menu
Provides submenus for configuring the NVG cluster, for example for SSL offload and VPN deployment. Some of the commands in the Configuration menu are available only when logged in as the Administrator user. For more information, see "/cfg Configuration Menu" (page 81).
Boot menu
Is used for upgrading NVG software and for rebooting, if necessary. The Boot menu is only accessible when logged in as the Administrator user. For more information, see "/boot Boot Menu" (page 468).
Maintenance menu
Is used for sending technical support information to an FTP/TFTP/SFTP server. For more information, see "/maint Maintenance Menu" (page 472).
/info Information Menu
The Information menu is used for viewing information and events for VPN Gateways in a cluster.
[Information Menu]
servers   - Show configured SSL servers
certs     - Show configured certificates
hsm       - Show local HSM information
sslvpn    - Show configured VPNs
users     - Show logged in SSL VPN portal users
idleusers - Show idle logged in SSL VPN portal users
ipsec     - Show logged in IPsec users
botuns    - Show IPsec BO tunnels
ippool    - Show IP pool allocations
ip        - Find information about an IP address
sys       - Show system configuration
sonmp     - SONMP topology
licenses  - Show SSL VPN portal license usage
access    - Print the access rules of an SSL VPN portal user
kick      - Kick an SSL VPN portal user
isd list  - Show all hosts and their operational status
local     - Show local host information
Ethernet  - Show local Ethernet status information
ports     - Show local port(s) information
id        - Show user name and groups for current user
events    - Inspect Events menu
Table 5 Information Menu Options (/info)
Command Syntax and Usage
servers
Displays the current SSL server settings, including SSL specific settings for each configured virtual SSL server.
certs
Displays the certificate name, serial number, expiration date, and key size for each installed certificate. Information related to the subject part of the certificate is also displayed.
hsm
Displays status information related to the HSM cards on each NVG device in the cluster. Information about the current security mode (Extended mode or FIPS mode) is displayed, as well as current login status and login user information (HSM-SO or HSM-USER).
For a sample screen output, see "/info/hsm HSM Command" (page 33).
Note: HSM information is only displayed when you are using the ASA 310-FIPS model.
sslvpn
Displays information about the current SSL VPN settings, for example login session idle timeout value (shared by all configured VPNs), as well as information related to each specific VPN configuration. For each VPN, information about authentication methods, authentication order, user access groups and the access rules associated with each group is displayed.
users <VPN ID> <prefix>
Displays the user name, login time, source IP address, access method (SSL or IPsec), group membership and profile of all remote users that are currently logged in to a VPN. The users are listed per VPN.
Examples of argument usage:
>> Information# users
Lists all currently logged in users for all VPNs.
>> Information# users 2
Lists all users currently logged in to VPN 2.
>> Information# users 2 j*
Lists users currently logged in to VPN 2, whose user name begins with the letter "j".
>> Information# users 2 joe
Lists users currently logged in to VPN 2, whose user name is exactly "joe".
For a sample screen output, see "/info/users Users Command" (page 33).
idleusers <number of seconds> <VPN ID> <prefix>
Lists all users that have been idle longer than the time specified in the command argument.
Examples of argument usage:
>> Information# idle 30
Lists all SSL users who have been idle more than 30 seconds.
>> Information# idle 5m 2
Lists all SSL users currently logged in to VPN 2 who have been idle more than 5 minutes.
>> Information# idle 1h 2 j*
Lists all SSL users currently logged in to VPN 2, whose user name begins with the letter "j", who have been idle more than 1 hour.
>> Information# idle 1h 2 joe
Lists all SSL users currently logged in to VPN 2, whose user name is exactly "joe", who have been idle more than 1 hour.
The information includes VPN ID, user name, login time, last time active, source IP address and access method.
For a sample screen output, see "/info/idleusers Idleusers Command" (page 34).
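The filtering performed by the users and idleusers arguments above (VPN ID, user name prefix with a trailing *, and idle time given as 30, 5m or 1h), modelled in Python as an added illustration. This is not Nortel code; the session records and their layout are constructed for the example, and only the argument semantics the manual describes are reproduced.

```python
"""Model of the /info users and /info idleusers argument semantics.
Added illustration; the Session layout and SESSIONS data are constructed."""
import re
from dataclasses import dataclass


@dataclass
class Session:
    vpn: int
    user: str
    idle_secs: int   # seconds since the user was last active
    src_ip: str
    method: str      # access method, "SSL" or "IPsec"


# Constructed sample sessions standing in for the gateway's session table.
SESSIONS = [
    Session(1, "alice", 45, "192.0.2.10", "SSL"),
    Session(2, "joe", 7200, "192.0.2.11", "SSL"),
    Session(2, "joan", 120, "192.0.2.12", "SSL"),
    Session(2, "bob", 20, "192.0.2.13", "IPsec"),
    Session(2, "joey", 3700, "192.0.2.14", "SSL"),
]


def parse_duration(text):
    """'30' means 30 seconds, '5m' five minutes, '1h' one hour."""
    m = re.fullmatch(r"(\d+)([smh]?)", text)
    if not m:
        raise ValueError(f"bad idle time: {text!r}")
    return int(m.group(1)) * {"": 1, "s": 1, "m": 60, "h": 3600}[m.group(2)]


def name_matches(user, prefix):
    """'j*' matches names beginning with j; 'joe' matches exactly 'joe'."""
    if prefix is None:
        return True
    if prefix.endswith("*"):
        return user.startswith(prefix[:-1])
    return user == prefix


def users(vpn=None, prefix=None, sessions=SESSIONS):
    """users <VPN ID> <prefix>: logged-in users, optionally narrowed."""
    return [s for s in sessions
            if (vpn is None or s.vpn == vpn) and name_matches(s.user, prefix)]


def idleusers(duration, vpn=None, prefix=None, sessions=SESSIONS):
    """idleusers <seconds> <VPN ID> <prefix>: users idle longer than duration."""
    limit = parse_duration(duration)
    return [s for s in users(vpn, prefix, sessions) if s.idle_secs > limit]
```

Calling idleusers("1h", 2, "j*") on the constructed data returns the joe and joey sessions, the counterpart of the "idle 1h 2 j*" example above.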
ipsec <VPN ID> <prefix>
Shows currently logged in IPsec users. The information includes user name, user tunnel profile name, actual source IP address, new source IP address allocated from IP pool, encrypted/decrypted data in kBytes and session length.
Examples of argument usage:
>> Information# ipsec
Lists all currently logged in users for all VPNs.
>> Information# ipsec 2
Lists all users currently logged in to VPN 2.
>> Information# ipsec 2 s*
Lists all users currently logged in to VPN 2, whose user tunnel profile name begins with the letter "s".
>> Information# ipsec 2 staff
Lists users currently logged in to VPN 2, whose user tunnel profile name is exactly "staff".
For a sample screen output, see "/info/ipsec Ipsec Command" (page 35).
Note: This command is not available if the VPN Gateway software runs on the ASA 310 or ASA 410 hardware platforms.
botuns <VPN ID> <prefix>
Shows the number of active branch office tunnel sessions for all VPNs. The information includes branch office tunnel profile name, the NVG host from which the tunnel is set up, the tunnel state, encrypted/decrypted data in kBytes and session length.
Examples of argument usage:
>> Information# botuns
Lists all currently active branch office tunnels for all VPNs.
>> Information# botuns 2
Lists all currently active branch office tunnels for VPN 2.
>> Information# botuns 2 d*
Lists all currently active branch office tunnels for VPN 2, whose tunnel profile name begins with the letter "d".
>> Information# botuns 2 denver
Lists all currently active branch office tunnels for VPN 2, whose tunnel profile name is exactly "denver".
For a sample screen output, see "/info/botuns Botuns Command" (page 35).
ippool <VPN ID>
Shows IP pool allocations per IP pool and VPN. The information includes configured IP address range, free IP addresses or ranges and currently allocated IP addresses. It also shows which VPN Gateway (iSD) that owns the IP address.
Examples of argument usage:
>> Information# ippool
Shows IP pool allocations for all VPNs.
>> Information# ippool 2
Shows IP pool allocations for VPN 2.
For a sample screen output, see "/info/ippool Ippool Command" (page 36).
ip <IP address>
Finds information about a specific IP address allocated from the IP address pool. The information includes the VPN Gateway that owns the IP address, to which VPN the remote user has connected, user name, actual source IP, login time, user groups to which the user belongs, source IP allocated from IP pool and user profile information (access method, source IP, authentication server, client certificate present, Nortel IE cache wiper running, Tunnel Guard activated, domain).
For a sample screen output, see "/info/ip Ip Command" (page 37).
sys
Displays information about the current system configuration, for example network mask, default gateway address, static routes, NTP servers, DNS servers, syslog servers, networks, number of VPN Gateways included in the cluster along with IP addresses etc.
sonmp
Displays information about the current network topology, if SONMP participation is enabled (using the /cfg/sys/adm/sonmp command).
For a sample screen output, see "/info/sonmp Sonmp Command" (page 38).
licenses <VPN ID>
Shows information about the license pool and current usage per VPN and license type.
To limit the presentation to a specific VPN, enter the desired VPN ID following the command.
Example:
>> Information# licenses 2
For a sample screen output, see "/info/licenses Licenses Command" (page 39).
access <VPN ID> <user name>
By specifying a VPN number and a user name following the access command, a detailed view of a logged in user’s access rights is displayed. The information is presented in a table showing the user’s access rights to specific networks, ports, protocols and paths.
kick <VPN ID> <user name>