SafeNet HighAssurance 4000, HA4000 User Manual

HighAssurance™ 4000 Gateway
The Foundation of Internet Security
User's Guide
© 2004 SafeNet, Inc. All rights reserved.
SafeNet is a registered trademark and SafeEnterprise and HighAssurance are trademarks of SafeNet, Inc.
All other product and company names may be the property of their respective owners.
SafeNet Proprietary
40001-00C 2/09/04
Contents
Chapter 1 Product Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Product Features. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 8
LED Indicators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Sample Deployments . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Tunnels. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Software Requirements . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
FIPS 140-2 Level 2 Operation. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 10
Chapter 2 Installation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Unpack the Shipping Carton . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Location Considerations. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Required Hardware . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Mount the HA4000 in a Rack . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Connect the Cables . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Power On the HA4000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Chapter 3 Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Before You Start . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Save Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
CLI Hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 16
Command Shortcuts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
User Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Configure the Management Port . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Log On to the CLI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Assign IP Addresses . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 18
Prepare the Device for Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Configure the Remote Interface. . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Assign the Remote Port IP Address . . . . . . . . . . . . . . . . . . . . . . . . . 20
Set the Remote Port Auto-Negotiation and Flow Control . . . . . . . . . . . 20
Assign IKE Default Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 21
IKE ID Validation for Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Configure the Local Interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 25
Configure the PMTU . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Configure DF Bit Handling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Set Date and Time . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Set Session Timer . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Configure SNMP. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Name the HA4000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34
Administrative Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Set Passwords . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Save the Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Reboot the HA4000 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
View Configurations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Chapter 4 Maintenance Tasks . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
System Backup and Restore. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Back up the File System . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Restore the Backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Install Software Updates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Configure the FTP Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Load Software Updates. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Install Certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Install a New Certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Physical Inspection . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Audit Logs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Audit Log Resources. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
Restore Factory Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Restore HA4000 Factory Settings. . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Chapter 5 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Possible Problems and Solutions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Diagnostic Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
IPSec Diagnostic Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
show all Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 62
Chapter 6 CLI Command Reference . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
CLI Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Command Hierarchy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Syntax Conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 63
Examples . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
Command Usage Tips. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 64
User Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Command Shortcuts. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Commands. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 66
Appendix A MIB Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85
Appendix B Product Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Appendix C Cable Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
DB-9 Null Modem Cable. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
RJ-45 Ethernet Straight Through Cable . . . . . . . . . . . . . . . . . . . . . . . . . 88
RJ-45 Ethernet Crossover Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Appendix D Electrostatic Discharge. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 90
Appendix E Regulatory Information . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Safety/Emissions/Immunity Specifications . . . . . . . . . . . . . . . . . . . . . . . 91
FCC Information (USA) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 91
Interference-Causing Equipment Standard Compliance Notice (Canada) . . 91
European Notice . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 92
Glossary . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 93
List of Figures
Figure 1-1 HA4000 Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 7
Figure 3-1 Management Port and Network Management Station on Different Subnets 19
Figure 3-2 Two Remote Ports on the Same Subnet. . . . . . . . . . . . . . . . . . . . . . . . . 22
Figure 3-3 Router Between Two HA4000 Gateways . . . . . . . . . . . . . . . . . . . . . . . . 22
Figure 3-4 HA4000 Gateways Connected Back-to-Back (Transparent) . . . . . . . . . . . 27
Figure 3-5 ARP Used to Resolve Layer 2 MAC Addresses . . . . . . . . . . . . . . . . . . . . . 28
Figure 3-6 Packets Forwarded to a Gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Figure 4-1 Tamper Evident Seal on Back Panel of the Chassis . . . . . . . . . . . . . . . . . 45
Figure C-1 DB-9 Null Modem Cable Specifications. . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Figure C-2 RJ-45 Ethernet Straight-Through Cable . . . . . . . . . . . . . . . . . . . . . . . . . 88
Figure C-3 RJ-45 Ethernet Crossover Cable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
List of Tables
Table 1-1 Front Panel LED Indicators. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Table 3-1 SNMP Trap Types . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Table 3-2 HA4000 SNMP Agent Parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Table 3-3 Show Command Attributes. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39
Table 5-1 HA4000 Troubleshooting . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 52
Table 5-2 CLI IPSec Diagnostic Commands . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Table 5-3 AES Messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Table 5-4 HA4000 Security Association Fields. . . . . . . . . . . . . . . . . . . . . . . . . . . . 58
Table 5-5 SPD Selectors. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 59
Table 6-1 CLI Command Shortcuts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 65
Table B-1 System Specifications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86
Table C-1 Null Modem Pin Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 87
Table C-2 Straight-Through Cable Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . 88
Table C-3 Crossover Cable Connections . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 89
Chapter 1 Product Overview
The SafeNet HighAssurance™ 4000 (HA4000) Gateway is a high-performance, integrated security appliance that offers IPSec encryption at multi-Gigabyte rates. Supporting wire speed Gigabit Ethernet, the HA4000 enables secure remote data backup and disaster recovery, data replication, and storage hosting.
Housed in a tamper-evident chassis, the HA4000 has two Gigabit Ethernet ports. Traffic on the local port is received in the clear, while traffic on the remote port has security processing applied to it.
Fully compatible with existing IP networks, the HA4000 can be seamlessly deployed into Gigabit Ethernet environments, including IP site-to-site VPNs and storage over IP networks. Its high-speed Triple DES (3DES) IPSec processing eliminates bottlenecks while providing data authentication, encryption, and integrity. The HA4000 supports both the Encapsulating Security Payload (ESP) and Authentication Header (AH) protocols in tunnel mode.
The HA4000 gateway is ideal for bandwidth-intensive, latency-sensitive applications that demand security and speed, such as storage over IP, site-to-site VPNs, and the transfer of medical imaging over the Internet. The HA4000 provides secure transport over private or public IP networks in protected tunnels between local or remote sites.
Figure 1-1 shows the HA4000 gateway.
Figure 1-1 HA4000 Gateway
Product Features
• Mounts in any standard 19-inch rack or on a tabletop
• Two Gigabit Ethernet data ports for encrypting and decrypting network traffic with single mode and multimode fiber GBIC interfaces
• FIPS 140-2 Level 2 compliant, validated by the National Institute of Standards and Technology (NIST)
• Tamper-evident chassis with no ability to insert probes
• Hardware-based IPSec encryption processing
• Low latency
• 8000 concurrent tunnels
• Full duplex, 1.8 Gbps 3DES encryption and decryption
• Comprehensive security standards support
• Key management
  - Internet Key Exchange (IKE): RFC 2409, NIST FIPS PUB 186
  - Manual keys
  - Diffie-Hellman key exchange (groups 1, 2, and 5)
• Encryption
  - Advanced Encryption Standard (AES): FIPS 197 (256 bit keys)
  - 3DES: ANSI X9.52 algorithm (168 bit keys), standard CBC mode
  - Data Encryption Standard (DES): FIPS 46-2 (56 bit keys), standard CBC mode
• HMAC-SHA-1-96 and HMAC-MD5-96 Message Integrity
• Simple Network Management Protocol (SNMP), version 2c, MIB-managed objects support
• Alarm condition detection and reporting
• Secure CLI access through the 10/100 Ethernet port
• Secure download of software updates
• X.509 v3 digital certificate support
LED Indicators
Table 1-1 shows how to interpret the LEDs on the HA4000 gateway’s front panel.
Table 1-1 Front Panel LED Indicators
Indicator                      Light State   Definition
Power (green)                  Off           Unit is powered off.
Power (green)                  On            Unit is powered on.
Remote Yellow (link status)    Off           Loss of signal on the remote interface.
Remote Yellow (link status)    On            Normal operation.
Remote Green (traffic status)  Off           No traffic is passing over the remote interface port.
Remote Green (traffic status)  Blinking      Normal operation. Indicates the presence of traffic on the remote interface.
Local Yellow (link status)     Off           Loss of signal on the local interface.
Local Yellow (link status)     On            Normal operation.
Local Green (traffic status)   Off           No traffic is passing over the local interface port.
Local Green (traffic status)   Blinking      Normal operation; there is traffic on the local interface.
Alarm (red)                    Off           Normal operation.
Alarm (red)                    Blinking      System initialization is in progress. When the boot process completes, the LED state changes to Off.
Failure (red)                  Off           Unit is initialized and operational.
Failure (red)                  On            One of these problems was detected:
                                             • Hardware error
                                             • IPSec configuration error
                                             • Security policy failure to load
                                             • Other boot process failure.
Sample Deployments
The HA4000 device is deployed on either side of a WAN-routed interface, between a switch and a router, securing the data transmitted across the untrusted WAN. Data is sent from a web server through a Layer 2/3 switch. It is then encrypted by an HA4000 for secure transfer over the WAN, where a second HA4000 decrypts the data at its destination. The HA4000 forwards the clear data to the Layer 2/3 switch at the destination.
In a branch-to-central office application, data is secured between each branch and the central office. Additionally, a secure tunnel is established between the two branch sites. This configuration can be used to transfer sensitive data between remote sites or to back up remote servers to central storage devices.
Tunnels
A security tunnel is the network path inside which data is encrypted. Tunnels can begin and terminate at various points in the network:
• Client workstation, either the desktop or remote access, such as dial-in
• Edge device, such as a router or an edge switch
• Switch or router inside the service provider network, typically at the point-of-presence (POP)
The HA4000 can be deployed in a variety of locations and topologies, depending on the application. Several examples are a geographically remote Storage Area Network (SAN) environment, a site-to-site VPN, a gigabit Ethernet Metropolitan Area Network (MAN), or a campus building-to-building environment.
In an IPSec deployment, identify the communication endpoints and the secure tunnel endpoints. A communication endpoint is the entity that is being protected by the HA4000. This can be a host, a server, or a subnet. The secure tunnel endpoints are the HA4000 gateways or other IPSec peer.
Management
The HA4000 gateway is managed from the SafeEnterprise Security Management Center (SMC). It also has a command line interface (CLI) to configure the HA4000 operating parameters. CLI sessions are managed through a direct serial link to the HA4000.
For information on configuring and working with the HA4000 from the SMC, refer to the SafeEnterprise Security Management Center User’s Guide.
Software Requirements
Make sure that these customer-provided software products are installed on the management workstation:
• VT-100 terminal emulation utility, such as HyperTerminal, to connect to the CLI through a serial link.
• Optional. Telnet client to remotely configure the HA4000 through the gateway’s 10/100 Ethernet management port.
FIPS 140-2 Level 2 Operation
The National Institute of Standards and Technology (NIST) validated the HA4000 gateway as FIPS 140-2 Level 2 compliant. To meet FIPS 140-2 Level 2 requirements, configure the HA4000 using these guidelines:
• DES, 3DES, or AES encryption
• HMAC-SHA-1-96 authentication
• Manual keys or IKE key management
Caution: MD5 is not a FIPS-approved authentication algorithm. Therefore, using MD5 authentication in a security policy removes the HA4000 from FIPS-compliant operation.
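As an added example (not part of the SafeNet guide or the HA4000 software), the check below applies the guidelines above to a set of IPSec security policies and reports which ones take the gateway out of FIPS-compliant operation; the policy dictionary layout and function names are assumptions made for this example, not the HA4000's own policy format.

```python
"""Check IPSec security policies against the FIPS 140-2 Level 2 guidelines
listed above: DES, 3DES or AES encryption, HMAC-SHA-1-96 authentication, and
manual keys or IKE key management. The policy dictionary layout is an
assumption made for this example; it is not the HA4000's policy format."""

# Algorithm and key-management choices the guidelines above allow.
FIPS_ENCRYPTION = {"DES", "3DES", "AES"}
FIPS_AUTHENTICATION = {"HMAC-SHA-1-96"}
FIPS_KEY_MANAGEMENT = {"manual", "IKE"}


def fips_violations(policy):
    """Return the reasons a single policy falls outside the FIPS guidelines.
    An empty list means the policy is acceptable."""
    problems = []
    enc = policy.get("encryption")
    if enc not in FIPS_ENCRYPTION:
        problems.append(f"encryption {enc!r} is not DES, 3DES or AES")
    auth = policy.get("authentication")
    if auth not in FIPS_AUTHENTICATION:
        # HMAC-MD5-96 is the case the caution above singles out: MD5 is not
        # FIPS-approved, so a single MD5 policy is enough to lose compliance.
        problems.append(f"authentication {auth!r} is not HMAC-SHA-1-96")
    keying = policy.get("key_management")
    if keying not in FIPS_KEY_MANAGEMENT:
        problems.append(f"key management {keying!r} is neither manual keys nor IKE")
    return problems


def gateway_fips_status(policies):
    """Evaluate every policy loaded on the gateway. Returns (compliant, report)
    where report maps each offending policy name to its violations. The
    gateway is in FIPS-compliant operation only when report is empty."""
    report = {}
    for name, policy in policies.items():
        problems = fips_violations(policy)
        if problems:
            report[name] = problems
    return (not report), report


# Constructed sample policy set: two compliant tunnels and one that uses MD5.
SAMPLE_POLICIES = {
    "san-replication": {
        "encryption": "AES",
        "authentication": "HMAC-SHA-1-96",
        "key_management": "IKE",
    },
    "branch-vpn": {
        "encryption": "3DES",
        "authentication": "HMAC-SHA-1-96",
        "key_management": "manual",
    },
    "legacy-backup": {
        "encryption": "3DES",
        "authentication": "HMAC-MD5-96",
        "key_management": "IKE",
    },
}

if __name__ == "__main__":
    compliant, report = gateway_fips_status(SAMPLE_POLICIES)
    print("FIPS-compliant operation:", compliant)
    for name, problems in report.items():
        for problem in problems:
            print(f"  {name}: {problem}")
```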
Chapter 2 Installation
Perform the tasks in this chapter in the sequence they are presented.
Unpack the Shipping Carton
Remove all product components from the shipping carton and compare the contents to the packing list. Keep all packaging in case it is necessary to return the unit. The HA4000 is packaged with these items:
• HA4000 chassis. The HA4000 firmware and software is preinstalled on the unit.
• Accessory Kit:
  - Rack mount kit containing two mounting brackets and eight screws
  - Power supply cable (US or European)
  - Shielded DB-9 null modem cable (female to male)
  - Shielded Category 5 cable with RJ-45 connector (STP)
  - CD-ROM containing this user’s guide, MIBs, and a backup copy of the HA4000 software
• Options:
  - GBIC-MM Kit: Contains two multimode Gigabit Ethernet Interface transceivers and two 3-meter multimode fiber cables.
  - GBIC-SM Kit: Contains two single mode Gigabit Ethernet Interface transceivers and two 3-meter single mode fiber cables.
Location Considerations
The HA4000 can be mounted in a standard 19-inch rack using the mounting kit, or placed on a rack shelf or solid surface.
Before installing the HA4000 in a 19-inch rack, consider these rack-mounting guidelines:
• Ambient temperature
Install the HA4000 in an environment compatible with the 40ºC maximum recommended ambient temperature. Extra clearance above or below the unit on the rack is not required; however, be aware that equipment placed in the rack beneath the HA4000 can add to the heat load. Therefore, avoid installing the device in an overly congested rack. Air flowing to or from other equipment in the rack can interfere with the normal flow of cooling air through the HA4000, increasing the potential for overheating.
• Air flow
Make sure that there is sufficient flow of air around the HA4000 so that safe operation is not compromised. Maintain a clearance of at least three inches (7.62 cm) on each side of the HA4000 gateway to ensure adequate air intake and exhaust. If installing the device in an enclosed rack, make sure that the rack has adequate ventilation or an exhaust fan.
Note: An enclosed rack with a ventilation system that is too powerful can prevent proper cooling by creating negative air pressure around the HA4000.
• Mechanical loading
Keep the center of gravity in the rack as low as possible. This ensures that the weight of the HA4000 will not make the rack unstable. Make sure that the rack is secured; use the proper mounting hardware to secure the HA4000 to the rack.
• Circuit loading
Consider the connection of an HA4000 to the supply circuit and the effect that overloading of circuits could have on overcurrent protection and supply wiring. Consult the voltage and amperage ratings on the UL label affixed to the unit’s rear panel when addressing this concern.
• Grounding
Maintain reliable grounding of a rack-mounted HA4000 gateway. Pay particular attention to supply connections other than direct connections to the branch circuit, such as the use of power strips.
• Maintenance
Allow at least 19 inches (48.3 cm) of clearance at the front of the rack for maintenance. Use a cable management system to help keep cables organized, out of the way, and free from kinks or bends that degrade cable performance.
Required Hardware
To mount the HA4000 in a standard 19-inch equipment rack, have these tools and materials available:
• Two mounting brackets, supplied in the Accessory Kit
• Four small screws and four large screws, supplied in the Accessory Kit
• #1 Phillips and #2 Phillips screwdrivers (user-supplied)
Mount the HA4000 in a Rack
1. With the four small screws (#1 Phillips) provided in the Accessory Kit, attach one mounting bracket to each front side of the HA4000 unit.
2. With the four large screws (#2 Phillips), attach the unit to the rack’s front supports.
Connect the Cables
Before beginning, make sure that the necessary cables are available. For more information on cabling requirements and specifications, see Appendix C, "Cable Specifications."
1. Connect the HA4000 RS-232 craft port directly to a PC or workstation using a DB-9 null modem cable.
2. Connect the HA4000 management port to a LAN or directly to a PC using a Category 5 STP cable with an RJ-45 connector.
3. When connecting the device directly to a PC, use a shielded Category 5 crossover cable, and make sure that the PC and management port IP addresses are on the same subnet.
4. After taking the necessary precautions to prevent damage from electrostatic discharge (ESD), plug a GBIC module into the HA4000 gateway’s remote port, and then connect it to the WAN. For more information on ESD protection, see Appendix D, "Electrostatic Discharge."
5. Plug a second GBIC module into the HA4000 gateway’s local port, and then connect it to the local device, such as a server or switch.
Warning: When the dust covers are removed and no cable is connected, radiation can be emitted from aperture ports of single- or multi-mode interfaces. Avoid exposure, and do not stare into the open apertures.
Power On the HA4000
Applying power to the HA4000 initializes the system, which includes these actions:
• Initializes the components.
• Performs hardware diagnostics.
• Loads the software. The software is preinstalled on the HA4000; it can, however, be reinstalled if it is corrupted or accidentally deleted.
• Verifies the power supply voltage.
To power on the HA4000, take these steps:
1. Connect the unit’s power adapter on the HA4000 rear panel.
2. Apply power to the unit.
The power LED illuminates when the unit is powered up. About a minute after power up, the alarm LED begins blinking and continues to blink for several minutes until the boot process is complete. The green power LED remains lit until the unit is powered off.
If the boot process fails, the failure LED illuminates, and the HA4000 gateway generates a “critical error” trap.
Notes:
• If you experience a problem during system initialization, go to Chapter 5, "Troubleshooting."
• Until you configure your security policies, the HA4000 gateway’s default mode of operation passes all packets in the clear.
Chapter 3 Configuration
HA4000 management is performed out of band. Use the management interface to configure the device remotely through the command line interface (CLI) and monitor SNMP-based performance.
This chapter describes the tasks required to configure the HA4000’s management interface and prepare the device for operation. Administrative configuration tasks are also included.
Before You Start
This section provides general information on using the HA4000 CLI commands that are used to configure the HA4000’s management interfaces. For details on each command, go to Chapter 6, "CLI Command Reference."
Save Configurations
• When you change configuration settings on the HA4000—after you complete all the configuration commands or after each individual command—make sure that you save the settings. If the HA4000 device is rebooted or the power is recycled, unsaved configurations are lost.
• To save the running configuration, enter this command:
copy system:running nvram:config
• Some commands don’t take effect until the HA4000 is rebooted with the reboot command. Refer to the specific command in Chapter 6, "CLI Command Reference," for this information.
CLI Hierarchy
• Command mode is the logon hierarchy level. The command line prompt indicates the hierarchy level. The copy and show commands and most maintenance commands are accessed at this level.
• Configuration mode is where commands are entered to configure the HA4000. To go into configuration mode, enter this command:
configure terminal
• Interface configuration mode, where the local, remote, and management interfaces are configured, is entered from configuration mode. To go into this mode from configuration mode, enter this command:
interface {local | remote | management}
The exit command leaves the current CLI mode and returns to the previous hierarchy level.
Command Shortcuts
Some CLI commands have specific shortcuts. For a list, go to Table 6-1 on page 65. Shortcuts are also included in the detailed information available on each CLI command in Chapter 6, "CLI Command Reference."
For other commands, type enough letters to uniquely identify an HA4000 CLI command, and then press Tab. For more information, refer to the aforementioned “Command Shortcuts” on page 65.
User Types
The HA4000 has two levels of logon privileges, identified by user type:
• The Network Manager configures the HA4000. The Network Manager’s username is admin.
• The Administrator sets passwords and logon restrictions. The Administrator’s username is super.
Configure the Management Port
The HA4000 management interface port must be configured to connect the device to the SMC.
Log On to the CLI
The HA4000 gateway’s CLI is accessible through a serial link connected to the HA4000 RS-232 craft port. Typically, the craft port is used only to set the management port IP address. The rest of the configuration is performed using the 10/100 Ethernet between the management port and the SMC. You can, however, perform all configuration tasks through the serial port.
1. Connect the HA4000 RS-232 craft port directly to the terminal’s serial port using a DB-9 null modem cable. For cable specifications, see Appendix C, "Cable Specifications."
2. Open a terminal session through a VT-100 terminal emulation program, such as HyperTerminal.
3. Enter the connection name, the appropriate serial port (usually COM1 or COM2), and these communication parameters:
  - 115,200 bps
  - No parity
  - 8 data bits
  - 1 stop bit
  - No flow control
4. Press Enter. The CLI username prompt displays:
User Access Verification
Username:
5. Enter the Network Manager’s username, admin.
Note: Usernames and passwords are case-sensitive.
6. At the password prompt, enter the default password, safenet. The password you type does not display.
Note: Change the default password when you configure the HA4000 gateway.
7. When you are successfully logged on, the command line prompt displays:
Username: admin
Password:
admin>
Assign IP Addresses
The 10/100 Ethernet management interface is the communication channel between the HA4000 and SMC. To securely manage the HA4000, its management interface must be correctly configured.
There are potentially three IP addresses to configure, using the ip address command, on the management port:
• The 10/100 Ethernet management port IP address identifies the HA4000 gateway to SMC. This is used for remote configuration of the HA4000 and SNMP-based performance monitoring.
• The subnet mask is the portion of the IP address that identifies the network or subnetwork for routing purposes.
• The default gateway, assigned only when the HA4000 and SMC are on different subnets, identifies the local router port on the same subnet as the HA4000 gateway’s management port. The HA4000 sends all packets to the specified router to be forwarded to SMC.
Note: If the HA4000 gateway’s management port is directly connected to SMC, the host’s IP address and the management port IP address must be on the same subnet.
Configure the Management Port Default Gateway
When the HA4000 and SMC are on different subnets, the HA4000 uses a default gateway to route packets to SMC.
In Figure 3-1, Network Management Host #1’s IP address is 192.168.1.10. The HA4000 #1’s management port (192.168.10.10) is not on the same subnet as the management host. To successfully route packets between HA4000 #1 and Network Management Host #1, the local port on Router #1 is its default gateway (192.168.10.1).
Figure 3-1 Management Port and Network Management Station on Different Subnets
Example
This example configures the management port of HA4000 #1 in Figure 3-1 with Router #1 as its default gateway. The example enters configuration mode for the management interface, assigns the management port IP address, subnet mask, and default gateway IP address, and saves the configuration. In this example, the management interface is configured through the RS-232 craft port.
admin> configure terminal
config> interface management
config-ifMan> ip address 192.168.10.10 255.255.255.0 192.168.10.1
config-ifMan> exit
config> exit
admin> copy system:running nvram:config
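As an added example (not part of the SafeNet guide or the HA4000 software), the Python helper below checks a planned management-port address, subnet mask, SMC address and default gateway against the rules stated above (a default gateway only when SMC is on a different subnet, and then a router port on the management port's own subnet) and emits the CLI sequence used in the example; the function names are assumptions made for this example.

```python
"""Plan and validate HA4000 management-port addressing as described above.
Rules encoded: the SMC needs no default gateway when it shares the management
subnet; otherwise a default gateway is required and it must be a router port
on the management port's own subnet. Function names are assumptions made for
this example; the CLI commands are the ones shown in the guide."""
import ipaddress


def check_management_addressing(mgmt_ip, subnet_mask, smc_ip, default_gateway=None):
    """Return (problems, ip_address_command). problems is an empty list when
    the plan is consistent with the rules above."""
    problems = []
    # strict=False lets a host address with its mask define the subnet.
    mgmt_net = ipaddress.IPv4Network(f"{mgmt_ip}/{subnet_mask}", strict=False)
    mgmt = ipaddress.IPv4Address(mgmt_ip)
    smc = ipaddress.IPv4Address(smc_ip)

    if mgmt_net.prefixlen < 31 and mgmt in (mgmt_net.network_address, mgmt_net.broadcast_address):
        problems.append(f"{mgmt_ip} is the network or broadcast address of {mgmt_net}")

    same_subnet = smc in mgmt_net
    if same_subnet:
        if default_gateway is not None:
            # Directly reachable SMC: the guide assigns a gateway only across subnets.
            problems.append(f"SMC {smc_ip} is on {mgmt_net}; no default gateway is needed")
    elif default_gateway is None:
        problems.append(f"SMC {smc_ip} is not on {mgmt_net}; a default gateway is required")
    else:
        gw = ipaddress.IPv4Address(default_gateway)
        if gw not in mgmt_net:
            # The router port must sit on the management port's subnet (Figure 3-1).
            problems.append(f"default gateway {default_gateway} is not on {mgmt_net}")
        elif gw == mgmt:
            problems.append("default gateway must not be the management port address itself")

    command = f"ip address {mgmt_ip} {subnet_mask}"
    if default_gateway is not None and not same_subnet:
        command += f" {default_gateway}"
    return problems, command


def management_cli_sequence(mgmt_ip, subnet_mask, smc_ip, default_gateway=None):
    """Return the full CLI sequence (configuration mode, interface management,
    ip address, exit, save) for a plan that passes the checks; raise otherwise."""
    problems, command = check_management_addressing(mgmt_ip, subnet_mask, smc_ip, default_gateway)
    if problems:
        raise ValueError("; ".join(problems))
    return [
        "configure terminal",
        "interface management",
        command,
        "exit",
        "exit",
        "copy system:running nvram:config",
    ]


if __name__ == "__main__":
    # Figure 3-1: HA4000 #1 at 192.168.10.10/24, SMC host at 192.168.1.10,
    # Router #1 local port 192.168.10.1 as the default gateway.
    for line in management_cli_sequence("192.168.10.10", "255.255.255.0", "192.168.1.10", "192.168.10.1"):
        print(line)
    # A gateway on the wrong subnet is reported instead of being emitted.
    print(check_management_addressing("192.168.10.10", "255.255.255.0", "192.168.1.10", "192.168.1.1"))
```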
Prepare the Device for Operation
Follow the procedures described in this section to configure the HA4000 for operation. The HA4000 can be configured through the CLI, which can be accessed through the serial port or through the management port.
Save configuration settings when you complete configuring the HA4000 or after entering each command. When the HA4000 is rebooted or the power is recycled, unsaved configurations are lost.
Configure the Remote Interface
Configure these components on the remote interface:
• Remote port IP address and subnet mask
• Auto-negotiation and flow control
• Default gateway for IKE negotiation traffic
Assign the Remote Port IP Address
The remote port IP address identifies the HA4000 to the untrusted network, typically a WAN, campus LAN, or MAN. Changing the remote port IP address directly affects the HA4000 gateway’s IPSec policies, including the default policies that ship with the HA4000.
Previously configured policies will not recognize a new remote port IP address until the HA4000 is rebooted or reloaded. After you finish configuring the HA4000, save the configuration, and then reboot the unit to activate the new settings, as described in “Reboot the HA4000” on page 38. Or, if the remote port IP address is the only parameter that you changed, you can enter the reload policies command, as described on page 80.
1. Log on as Network Manager.
2. Enter configuration mode; enter this command:
configure terminal
3. At the config> prompt, enter this command:
interface remote
4. At the config-ifRemote> prompt, enter this command:
ip address <ipAddress> [<subnet_mask>]
For parameter descriptions, go to “ip address” on page 74.
Example
This example sets the remote port IP address during initial HA4000 configuration:
admin> config terminal
config> interface remote
config-ifRemote> ip address 192.168.144.125 255.255.255.0
Set the Remote Port Auto-Negotiation and Flow Control
Auto-negotiation and flow control are configured on a per-port basis. If the device that the HA4000 is connected to on the remote, untrusted network side does not support auto-negotiation or flow control, disable one or both of these functions on the HA4000 gateway’s remote port.
This command requires a reboot to take effect. Reboot the HA4000 after you complete configuring the device; for instructions, go to “Reboot the HA4000” on page 38.
z At the config-ifRemote> prompt, enter this command:
autoNegotiateFlowControl enable | {disable {enable | disable}}
The first parameter specifies whether the HA4000 negotiates flow control settings. To have the HA4000 negotiate flow control settings, specify enable; when auto-negotiation is enabled, the second parameter is unnecessary.
If you disable auto-negotiation, the second parameter specifies whether flow control is used. To have the HA4000 use flow control, specify enable; otherwise, specify disable.
These are some possible configurations and the associated command (auto is the abbreviated form of autoNegotiateFlowControl, in the same way that config t and copy s n abbreviate commands elsewhere in this chapter):
Auto-negotiation    Flow control        Command
enabled             value negotiated    auto enable
disabled            enabled             auto disable enable
disabled            disabled            auto disable disable
Examples
• Enable auto-negotiation and flow control on the remote port:
config-ifRemote> auto enable
• Disable auto-negotiation and flow control on the remote port, exit configuration mode, save the configuration, and then reboot the HA4000:
config-ifRemote> auto disable disable
config-ifRemote> exit
config> exit
admin> copy system:running nvram:config
admin> reboot
Assign IKE Default Gateway
When both of the conditions listed below are true, configure the default gateway on the HA4000 gateway’s remote port:
• Negotiated IPSec (IKE) policies will be used.
• The HA4000 gateways (IPSec peers) are in a routed network.
Where the gateways are deployed—on a single subnet or in a routed network— determines how to configure the IKE default gateway.
Remote Ports on the Same Subnet
In Figure 3-2, the remote ports of the two HA4000 gateways are on the same subnet, with no routers between them. HA4000 #1, which is the IKE negotiation initiator, is able to send packets directly to HA4000 #2 to start the IKE negotiation. This scenario is assumed by default; no configuration is required.
Figure 3-2 Two Remote Ports on the Same Subnet
Routed Network
In a routed network, a router is placed between the initiating HA4000 #1 and the WAN. Use the ikeDefaultGateway command on HA4000 #1 (see Figure 3-3) to specify Router R2’s local router port IP address, 192.168.144.100. HA4000 #1 uses the routed network to forward packets to its peer, HA4000 #2. At the opposite end of the tunnel, HA4000 #2 specifies the Router R3 local access port, 192.168.154.100, as the default gateway to use to forward packets to HA4000 #1.
Figure 3-3 Router Between Two HA4000 Gateways
Assign Default Gateway for IKE Negotiation on Remote Interface
1. At the config-ifRemote> prompt, enter this command:
ikeDefaultGateway {none | <ipAddress>}
For parameter descriptions, go to “ikeDefaultGateway” on page 72.
2. Return to configuration mode; enter the exit command.
Example
This example enters remote interface configuration mode on HA4000 #1 in Figure 3-3, identifies a default gateway, and then returns to configuration mode:
config> interface remote
config-ifRemote> ikeDefaultGateway 192.168.144.100
config-ifRemote> exit
config>
IKE ID Validation for Certificates
The HA4000 relies on manually installed external certificates to validate peers. To augment the HA4000’s ability to interact with other High Assurance devices, the IKE ID sent by the peer during phase 1 IKE negotiation can be checked against the peer’s certificate as an additional level of certificate validation. You can also control which IKE ID is sent to the peer gateway by setting the IKE ID type used for the remote port. Both of these commands affect the remote port (data path) and do not affect the management port (the HA4000 10/100 Ethernet port).
Enable/Disable IKE ID Validation
The ikeIdValidation command controls whether the HA4000 checks that the IKE ID presented by the peer is contained in the peer’s certificate. The default is enabled. When disabled, phase 1 IKE negotiation proceeds even when the IKE ID does not match the certificate, so the identity the peer claims is no longer tied to the certificate it presents.
1. At the admin> prompt, enter this command:
config t
2. At the config> prompt, enter this command:
interface remote
3. At the config-ifRemote> prompt, enter one of these commands:
To disable IKE ID validation: ikeIdValidation disable
To enable IKE ID validation: ikeIdValidation enable
4. At the config-ifRemote> prompt, enter this command:
exit
5. At the config> prompt, enter this command:
exit
6. At the admin> prompt, enter this command:
copy s n
This setting takes effect immediately.
Example
This example enters remote interface configuration mode on the HA4000, disables IKE ID validation, exits configuration mode, and saves the configuration.
admin> config t
config> interface remote
config-ifRemote> ikeIdValidation disable
config-ifRemote> exit
config> exit
admin> copy s n
Designate IKE ID Type
The ikeIdTypeToSend command controls which IKE ID the HA4000 sends to the peer during phase 1 IKE negotiation by designating the IKE ID type used for the remote port. The HA4000 can send one of three IKE IDs: the IP address stored in the Subject Alt Name field of the certificate, the Subject Distinguished Name, or Default (the default setting), a field whose type depends on the contents of the gateway certificate. More specifically, with the Default setting, if the Subject Alt Name exists in the certificate, the first field in the Subject Alt Name is used for the IKE ID; if the Subject Alt Name does not exist, the Subject Distinguished Name is used. The Default setting therefore lets the HA4000 send an IKE ID of a type other than IP address: install a gateway certificate that carries the required IKE ID in the Subject Alt Name field.
1. At the admin> prompt, enter this command:
config t
2. At the config> prompt, enter this command:
interface remote
3. At the config-ifRemote> prompt, enter one of these commands:
To set the IKE ID to IP Address: ikeIdTypeToSend ipAddress
To set the IKE ID to Subject Distinguished Name: ikeIdTypeToSend sdn
To set the IKE ID to Default: ikeIdTypeToSend default
4. At the config-ifRemote> prompt, enter this command:
exit
5. At the config> prompt, enter this command:
exit
6. At the admin> prompt, enter this command:
copy s n
This setting becomes effective on the next reload of policies.
Example
This example enters remote interface configuration mode on the HA4000, sets the IKE ID type to Subject Distinguished Name, exits configuration mode, and saves the configuration.
admin> config t
config> interface remote
config-ifRemote> ikeIdTypeToSend sdn
config-ifRemote> exit
config> exit
admin> copy s n
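The following Python model is an added example, not SafeNet code or part of this manual. It implements the two rules described in “Enable/Disable IKE ID Validation” and “Designate IKE ID Type”: how the ID to send is chosen (IP address from the Subject Alt Name, Subject DN, or the Default rule of first Subject Alt Name field else Subject DN), and what the ikeIdValidation check does with the ID a peer presents. Certificate contents are represented by a small dataclass and are constructed for the example; a real implementation would read the Subject Alt Name and Subject DN from the parsed X.509 certificate. The address 192.168.154.125 used for the spoofed ID is assumed.

```python
"""Added example (not SafeNet code): model of the HA4000 ikeIdTypeToSend
selection rule and the ikeIdValidation check described above.
Certificate fields are modelled by a dataclass; all certificate contents
below are constructed for the example."""
from dataclasses import dataclass, field


@dataclass
class Cert:
    subject_dn: str
    # Subject Alt Name entries in certificate order, as (type, value) pairs.
    san: list = field(default_factory=list)


def ike_id_to_send(cert, id_type="default"):
    """Return the (type, value) IKE ID this gateway sends for its own certificate."""
    if id_type == "ipAddress":
        for kind, value in cert.san:
            if kind == "ipAddress":
                return (kind, value)
        raise ValueError("gateway certificate has no IP address in Subject Alt Name")
    if id_type == "sdn":
        return ("sdn", cert.subject_dn)
    if id_type == "default":
        # Default rule: first Subject Alt Name field if present, else Subject DN.
        return tuple(cert.san[0]) if cert.san else ("sdn", cert.subject_dn)
    raise ValueError(f"unknown IKE ID type: {id_type}")


def validate_peer_id(peer_id, peer_cert, validation_enabled=True):
    """ikeIdValidation check: is the ID the peer presented contained in its certificate?

    With validation disabled, phase 1 proceeds whatever ID the peer claims, so the
    holder of any trusted certificate can present any identity."""
    if not validation_enabled:
        return True
    kind, value = peer_id
    if kind == "sdn":
        return value == peer_cert.subject_dn
    return (kind, value) in [tuple(entry) for entry in peer_cert.san]


# Constructed sample certificates for the two gateways in Figure 3-3.
GW1_CERT = Cert("CN=HA4000-1,O=Example", [("ipAddress", "192.168.144.125"),
                                          ("dNSName", "gw1.example.test")])
GW2_CERT = Cert("CN=HA4000-2,O=Example")  # no Subject Alt Name at all


def demo():
    """Walk through the rules; returns a dict so each outcome can be checked."""
    return {
        "gw1_default": ike_id_to_send(GW1_CERT),             # first SAN entry
        "gw2_default": ike_id_to_send(GW2_CERT),             # falls back to Subject DN
        "gw1_sdn": ike_id_to_send(GW1_CERT, "sdn"),
        # Peer presents GW1's certificate but claims an address it does not carry
        # (192.168.154.125 is an assumed address):
        "spoof_checked": validate_peer_id(("ipAddress", "192.168.154.125"), GW1_CERT),
        "spoof_unchecked": validate_peer_id(("ipAddress", "192.168.154.125"), GW1_CERT, False),
        "genuine": validate_peer_id(("ipAddress", "192.168.144.125"), GW1_CERT),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The spoof_unchecked entry is the case the validation setting exists to prevent: with ikeIdValidation disabled, a peer holding any certificate the HA4000 trusts is accepted under whatever IKE ID it claims.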
Configure the Local Interface
Configure these items on the local interface:
• Local port IP address and subnet mask
• Auto-negotiation and flow control
• MAC address resolution (default gateway)
Local Port IP Address
The local port IP address identifies the HA4000 to the device on the local side of the network, such as a server or switch. If the HA4000 is connected to the LAN through a switch, the local port IP address is the address the server uses to identify the HA4000.
Previously configured policies will not recognize a new local port IP address until the HA4000 is rebooted or the policies are reloaded. After you finish configuring the HA4000, save the configuration and then reboot the unit; go to “Reboot the HA4000” on page 38. Or, if the local port IP address is the only parameter that you changed, enter the reload policies command.
1. At the config> prompt, enter this command:
interface local
2. At the config-ifLocal> prompt, enter this command:
ip address <ipAddress> [<subnet_mask>]
For parameter descriptions, go to “ip address” on page 74.
Note: If the local and remote port IP addresses are on the same subnet, the local port IP address must have a 32-bit subnet mask (255.255.255.255).
Example
This example sets the local port IP address:
config> interface local
config-ifLocal> ip address 192.168.10.150 255.255.255.255
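The following Python check is an added example, not SafeNet code or part of this manual. It applies two addressing rules from this chapter before any CLI is typed: the IKE default gateway rule from “Assign IKE Default Gateway” (a gateway is needed when the peer’s remote port is not on this gateway’s remote-port subnet), and the note above that a local port on the same subnet as the remote port must use a 32-bit mask. It also checks that a configured IKE gateway lies on the remote subnet, which is a general routing requirement rather than an HA4000 rule. The peer address 192.168.154.125 for HA4000 #2 is assumed; the text gives only its router port.

```python
"""Added example (not SafeNet code): pre-deployment address checks for the
ikeDefaultGateway and 32-bit local mask rules described in this chapter.
Sample addresses are those of Figure 3-3, except the peer address, which is assumed."""
from ipaddress import ip_address, ip_interface


def plan_checks(remote_ip, remote_mask, peer_ip, local_ip, local_mask, ike_gateway=None):
    """Return a dict of findings for one HA4000's remote and local port addressing."""
    remote = ip_interface(f"{remote_ip}/{remote_mask}")
    local = ip_interface(f"{local_ip}/{local_mask}")
    peer = ip_address(peer_ip)
    checks = {
        # Peer's remote port off this remote subnet: the IKE initiator needs a gateway.
        "ike_default_gateway_required": peer not in remote.network,
        # Local and remote ports on one subnet: the local mask must be 255.255.255.255.
        "local_mask_must_be_32": local.ip in remote.network and local.network.prefixlen != 32,
    }
    if ike_gateway is not None:
        # General routing requirement: the gateway must be reachable on the remote subnet.
        checks["ike_gateway_on_remote_subnet"] = ip_address(ike_gateway) in remote.network
    return checks


if __name__ == "__main__":
    # HA4000 #1 in Figure 3-3 (routed network), peer address assumed.
    print(plan_checks("192.168.144.125", "255.255.255.0", "192.168.154.125",
                      "192.168.10.150", "255.255.255.255", "192.168.144.100"))
    # Figure 3-2 (same subnet): no IKE default gateway needed.
    print(plan_checks("192.168.144.125", "255.255.255.0", "192.168.144.130",
                      "192.168.10.150", "255.255.255.255"))
```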
Local Port Auto-negotiation and Flow Control
Auto-negotiation and flow control are configured on a per-port basis. If the device that the HA4000 is connected to on the local network side does not support auto-negotiation or flow control, disable one or both of these functions on the HA4000 gateway’s local port.
1. At the config> prompt, enter configuration mode for the interface you want to configure:
interface {local | remote}
2. At the config-ifLocal> prompt, enter this command:
autoNegotiateFlowControl enable | {disable {enable | disable}}
The first parameter specifies whether the HA4000 negotiates flow control settings. To have the HA4000 negotiate flow control settings, specify enable. When auto-negotiation is enabled, the second parameter is unnecessary.
If you disable auto-negotiation, specify whether to enable flow control. To have the HA4000 use flow control, specify enable; otherwise, specify disable.
These are the possible configurations and the associated command:
Auto-negotiation    Flow control        Command
enabled             value negotiated    autoNegotiateFlowControl enable
disabled            enabled             autoNegotiateFlowControl disable enable
disabled            disabled            autoNegotiateFlowControl disable disable
3. Go to the admin prompt; enter the exit command twice.
4. Save the configuration; enter this command:
copy system:running nvram:config
5. Reboot the device; enter the reboot command.
Examples
• This command disables auto-negotiation and flow control on the local port:
config-ifLocal> autoNegotiateFlowControl disable disable
• These commands disable auto-negotiation and enable flow control on the local port, exit configuration mode, save the configuration, and then reboot the HA4000:
config-ifLocal> autoNegotiateFlowControl disable enable
config-ifLocal> exit
config> exit
admin> copy system:running nvram:config
admin> reboot
Layer 2 MAC Address Resolution
The method that the HA4000 uses to resolve Layer 2 MAC addresses depends on your network configuration. Here are three typical scenarios:
• Transparent – Two HA4000 gateways are connected back-to-back, with no router between them.
• ARP – The HA4000 gateway’s local port is connected to a Layer 2 switch.
• Gateway – The HA4000 gateway’s local port is connected to a router.
Transparent
In Figure 3-4, two HA4000 gateways (#1 and #2) are connected back-to-back, with no routers between them. The HA4000 remote ports are on the same subnet. The routers are able to resolve the Layer 2 MAC addresses of the destination stations, and traffic flows through the HA4000 gateways. In this scenario, use the macAddrResolutionMechanism command with the none attribute.
Figure 3-4 HA4000 Gateways Connected Back-to-Back (Transparent)
ARP
In Figure 3-5, packets are encrypted by HA4000 #1 and sent through a WAN router. The packets are decrypted on the destination side by HA4000 #2, which is connected to a switch. The switch is on the same subnet as HA4000 #2’s local port. Because the switch and HA4000 #2’s local port are on the same subnet, HA4000 #2 can send an Address Resolution Protocol (ARP) request to resolve the MAC address of Station S2. In this scenario, use the macAddrResolutionMechanism command with the arp attribute.
Figure 3-5 ARP Used to Resolve Layer 2 MAC Addresses
Gateway
In Figure 3-6, the HA4000 #2’s local port is connected to Router R4. The destination station S2 is on a different subnet than HA4000 #2’s local port. To send packets to Station S2, HA4000 #2 uses the macAddrResolutionMechanism command with the gateway attribute to identify the IP address of the default gateway (Router R4’s WAN port, 192.168.154.175). HA4000 #2 sends all packets to the specified gateway, which then forwards the packets to their destination.
Figure 3-6 Packets Forwarded to a Gateway
Set Layer 2 MAC Address Resolution on the Local Interface
1. At the config-ifLocal> prompt, enter this command:
macAddrResolutionMechanism {none | arp | {gateway <ipAddress>}}
For parameter descriptions, go to “macAddrResolutionMechanism” on page 77.
2. Return to configuration mode: enter the exit command.
Example
This example, for HA4000 #2 (SG2) in Figure 3-6, enters local interface configuration mode, identifies the default gateway, and then exits local interface configuration mode.
config> interface local
config-ifLocal> macAddrResolutionMechanism gateway 192.168.154.175
config-ifLocal> exit
config>
Configure the PMTU
The path maximum transmission unit (PMTU) is the end-to-end MTU from source to destination. Valid PMTU values on the HA4000 range from 128 through 12,160 bytes. The default PMTU size is 3072 bytes.
Adjust the PMTU size in these cases:
• If jumbo frame processing capabilities are needed (2945 through 12,160 bytes)
• If local-side devices send packets with the DF bit set, in which case the PMTU size must be set to a number smaller than the smallest MTU in the path
Older Layer 2 devices are more likely to require frames of a certain size than are newer, Layer 3 devices. Check with your network administrator about the configuration of the devices connected to the HA4000 on the local interface. If the device on the WAN side of the HA4000 is dropping packets, it is an indication that the PMTU size needs to be adjusted.
HA4000-MTU Interactions
• When you set an MTU size, the HA4000 detects LAN packets that have the DF bit set (see “Configure DF Bit Handling” on page 30) and exceed the MTU size (minus encryption overhead). When this condition is detected, the HA4000 drops the packet and issues an MTU discovery packet to the source host, informing it to reduce its MTU. The HA4000 suggests an MTU value of the configured MTU size minus the encryption overhead.
• When you specify the total MTU size, the HA4000 subtracts the IPSec header overhead from the specified PMTU value to calculate the actual PMTU size that it asks the local device to send. For example, if an HA4000 MTU size of 1500 is specified and the encryption overhead is 40 bytes, the adjusted MTU, from the HA4000 gateway’s perspective, is 1460 bytes (1500 minus 40).
When the HA4000 detects an IP payload that exceeds 1460 bytes, the HA4000 notifies the local device of the required MTU size. Note that the PMTU is a Layer 3-based number, and, therefore, does not include Layer 2 Ethernet header overhead.
PMTU Modes
The HA4000 has two PMTU modes:
z Normal mode PMTU is 128 through 2944 bytes.
z Jumbo mode PMTU is 2945 through 12,160 bytes.
When the PMTU is changed from a normal mode value to a jumbo mode value or vice versa, reboot the HA4000 for the pmtu command to take effect.
Changing the PMTU in the normal mode or jumbo mode range does not require a reboot. Save the configuration prior to rebooting.
Note: Jumbo frame processing decreases performance by approximately five percent. If jumbo frame handling is not required, set the PMTU to 2944 or less to maximize performance.
Configure the PMTU
At the config> prompt, enter this command:
pmtu <size_in_bytes>
For size-in-bytes, type a number from 128 through 12,160 bytes.
Example
These commands set the total PMTU size to 1500, save the configuration, and reboot the HA4000.
config> pmtu 1500
config> exit
admin> copy system:running nvram:config
admin> reboot
Configure DF Bit Handling
The Don’t Fragment (DF) bit command determines whether packet fragmentation is allowed over a particular network link. By default, the DF bit is copied from the original packet to the encapsulating header, and ICMP PMTU messages are processed.
In most cases, copying the DF bit is appropriate. When fragmenting is desirable, such as when sending packets over a network with a very small MTU, enter the dfbit-handling command with the clear attribute. Use the set attribute to prevent fragmentation and obtain feedback from downstream routers about PMTU constraints that require fragmentation.
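The following Python model is an added example, not SafeNet code or part of this manual. It puts together the rules from “HA4000-MTU Interactions”, “PMTU Modes” and “Configure DF Bit Handling”: the valid PMTU range and the normal/jumbo boundary, when a PMTU change needs a reboot, the subtraction of encryption overhead from the configured PMTU, the drop-and-ICMP behaviour for a DF-set packet that exceeds the result, and the DF bit placed in the encapsulating header under the copy, set and clear attributes. The 40-byte overhead and packet sizes are taken from the worked figure above and are constructed; what the HA4000 does with an oversized packet whose DF bit is clear (modelled here as fragmentation) is an assumption the text only implies.

```python
"""Added example (not SafeNet code): model of the HA4000 PMTU and DF-bit rules
described above. Limits (128..12160; normal up to 2944, jumbo from 2945), the
reboot rule and the overhead subtraction come from the text; the 40-byte
overhead, packet sizes and fragmentation of non-DF packets are assumptions."""
from dataclasses import dataclass

PMTU_MIN, PMTU_MAX, NORMAL_MAX = 128, 12160, 2944


def pmtu_mode(pmtu):
    """Classify a PMTU value as normal or jumbo; reject values outside the valid range."""
    if not PMTU_MIN <= pmtu <= PMTU_MAX:
        raise ValueError(f"pmtu {pmtu} outside {PMTU_MIN}..{PMTU_MAX}")
    return "normal" if pmtu <= NORMAL_MAX else "jumbo"


def reboot_required(old_pmtu, new_pmtu):
    """Only a change that crosses the normal/jumbo boundary needs a reboot."""
    return pmtu_mode(old_pmtu) != pmtu_mode(new_pmtu)


def effective_mtu(pmtu, ipsec_overhead):
    """Largest Layer 3 packet the HA4000 accepts from the local side (no Ethernet header)."""
    return pmtu - ipsec_overhead


@dataclass
class Packet:
    ip_len: int   # Layer 3 length; Ethernet header not counted
    df: bool


def handle_local_packet(pkt, pmtu, ipsec_overhead):
    """Return (action, suggested_mtu) for a packet arriving on the local port."""
    limit = effective_mtu(pmtu, ipsec_overhead)
    if pkt.ip_len <= limit:
        return ("forward", None)
    if pkt.df:
        # Drop it and tell the source host the MTU it must use.
        return ("drop_and_icmp", limit)
    return ("fragment", limit)   # assumed behaviour when DF is clear


def outer_df(inner_df, dfbit_handling="copy"):
    """DF bit placed in the encapsulating header under each dfbit-handling attribute."""
    if dfbit_handling == "copy":
        return inner_df
    if dfbit_handling == "set":
        return True
    if dfbit_handling == "clear":
        return False
    raise ValueError(f"unknown dfbit-handling attribute: {dfbit_handling}")


if __name__ == "__main__":
    pmtu, overhead = 1500, 40   # constructed: the worked figure from the text
    for size in (1460, 1461):
        for df in (True, False):
            print(size, df, handle_local_packet(Packet(size, df), pmtu, overhead))
    print("reboot needed for 1500 -> 9000:", reboot_required(1500, 9000))
    print("reboot needed for 1500 -> 2000:", reboot_required(1500, 2000))
```

Running the block shows the boundary the text describes: a 1460-byte packet passes, a 1461-byte packet with DF set is dropped with a suggested MTU of 1460, and moving the PMTU from 1500 to 9000 crosses into jumbo mode and so requires a reboot, while 1500 to 2000 does not.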