
Part No. N451733001 Rev A

Published June 2005

Nokia IP VPN Gateway Command-Line Summary

Version 6.3

COPYRIGHT
©2005 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States.

RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.

Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

IMPORTANT NOTE TO USERS
This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.

Nokia reserves the right to make changes without further notice to any products herein.

TRADEMARKS
Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.


2 Nokia IP VPN Gateway Command-Line Summary v6.3

Nokia Contact Information

Corporate Headquarters
Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Mail Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215 USA

Regional Contact Information
Americas: Nokia Inc., 313 Fairchild Drive, Mountain View, CA 94043-2215 USA
  Tel: 1-877-997-9199; Outside USA and Canada: +1 512-437-7089; email: [email protected]
Europe, Middle East, and Africa: Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 ONG UK
  Tel: UK: +44 161 601 8908; Tel: France: +33 170 708 166; email: [email protected]
Asia-Pacific: 438B Alexandra Road, #07-00 Alexandra Technopark, Singapore 119968
  Tel: +65 6588 3364; email: [email protected]

Nokia Customer Support
Web Site: https://support.nokia.com/
Email: [email protected]
Americas: Voice: 1-888-361-5030 or 1-613-271-6721; Fax: 1-613-271-8782
Europe: Voice: +44 (0) 125-286-8900; Fax: +44 (0) 125-286-5666
Asia-Pacific: Voice: +65-67232999; Fax: +65-67232897



Contents

About This Guide  9
  In This Guide  9
  Conventions This Guide Uses  10
    Notices  10
    Command-Line Conventions  10
    Text Conventions  12
    IP Address Notation  12
  Related Documentation  13

1 Introducing the Command-Line Interface  15
  Connecting to the CLI  15
  CLI Modes  16
    Command Mode  16
    Configuration Mode  17
    Public Key Infrastructure Configuration Mode  18
    Policy Configuration System Mode  18
    Firewall Configuration Mode  18
  Navigating Between CLI Modes  18
  Saving Changes Made in CLI Modes  19
  configure wizard command  20
  General CLI Features  20
    Execute Commands  20
    Command Recall and Editing  20
    Command-Line Help  21
  Flash Memory Files  22
    Common Flash Files  22
    Saving Configuration Changes to Flash Memory  23
  Using Network File System, Trivial File Transfer Protocol and Secure Copy with Configuration Files  25
  Troubleshooting  26

2 Configuring the Gateway  27
  Configuring Gateway Interfaces  28
    Configuring Interface Settings  29
    Configuring a Serial Interface  34
    Configuring WAN Backup Settings  35
    Configuring PPPoE Settings  37
    Configuring VRRP  44
  Configuring Routing  46
    Static Routing  46
    Dynamic Routing  47
  Configuring Clustering  49
    Command Mode Commands  49
    Configuration Mode Commands  50
  Configuring Network Settings  52
    Command Mode Commands  52
    Configuration Mode Commands  54

3 Managing the Gateway  73
  Gateway Administration  73
    Command Mode Commands  73
    Configuration Mode Commands  125
  Network Utilities  139
    Command Mode Commands  140
    Configuration Mode Commands  150
  Managing Files and Directories  151
    Command Mode Commands  151
    Configuration Mode Commands  155
  Logging and Debugging  156
    Command Mode Commands  156
    Configuration Mode Commands  168
  Configuring User Accounts  184
    Configuration Mode Commands  184

4 Configuring Public Key Infrastructure  191
  Entering and Exiting PKI Configuration Mode  191
  Committing PKI Configuration Commands to Memory  191
    Saving Changes to a Cluster  191
  PKI Configuration Tasks  192
  Installing Certificates  192
  Viewing Your PKI Configuration  192
    show configuration pki  193
    show key info  194
    Differences Between configuration PKI and show key Commands  195
  PKI Configuration Mode Commands  196
    block  197
    ca  198
    certificate  208
    crl  210
    exit  210
    keypair  210
    no  211
    pkcs12 device  211
    public-key  211
    uuid  212
  Integrating with Third-Party CAs  212

5 Configuring Policy Configuration System  219
  Entering and Exiting PCS Configuration Mode  219
  Saving Crypto Policy Configuration to Flash Memory  220
  PCS Configuration Mode Commands  220
  Common PCS Commands  220
    apply  220
    clear  221
    exit  221
    load  221
    map  222
    save  222
    show  223
    unload  224
  Specific PCS Commands  225
    IKE Policy Configuration Commands  225
    IPSec Policy Configuration Commands  228
    VPN Configuration Commands  236
  IPSec Configuration with PCS  239
    IKE Policy  240
    IPSec Policy  242
    Other PCS Commands  249
    Requirements and Limitations  249
    Summary  249
    Example  250

6 Configuring Firewall and Network Address Translation  255
  Overview  255
  Managing the Firewall Using the CLI  257
  Default Firewall Behavior  257
  Configuring the Firewall  259
    Command Mode Commands  259
    Firewall Configuration Mode  261
    Rule Definition Mode  269
  NAT Before IPSec Translations  287
  LOG Clauses in Firewall Rules  288
  Firewall Rule Examples  289

A PCS and Crypto Command Diagrams  291
  IPSec CLI Configuration Map  292
  Policy Diagram  293
  Crypto Command Diagram  294

B Dynamic Gateway Deployment  295
  Overview  295
  Configuring the Gateway  296
    Topology of the Deployed Gateway  296
    Configuring Network Settings  297
  Creating and Installing Certificates  299
    Generating the Internal CA  300
  Setting Gateway Selectors  307
    Configuring IKE Settings  307
    Configuring IPSec Settings  310
  Dynamic Hello  315
    deployment_hub  315

C List of Commands  317

Index  339


About This Guide

This guide provides information about how to use the command-line interface (CLI) to configure, monitor, and manage Nokia IP VPN Gateway. It also provides a reference of the commands you can enter from the Nokia IP VPN Gateway CLI.

This guide is written for system administrators and network engineers who need to configure or monitor Nokia IP VPN Gateway by using the CLI.

You can also configure all of the features of Nokia IP VPN Gateway through the Nokia VPN Manager software (the GUI-based interface). For more information about the Nokia VPN Manager software, see the Nokia IP VPN Gateway Configuration Guide v6.3.

Caution: You must use either the CLI or VPN Manager for configuration, but not both. When you apply changes by using VPN Manager, configuration changes you made by using the CLI are overwritten in the configuration files.

Only experienced technicians or Nokia approved service providers should perform installation and maintenance of Nokia IP VPN Gateways. For more information about how to install Nokia IP VPN Gateway hardware, see the relevant Nokia IP VPN Gateway Installation Guide.

This preface provides the following information:

• In This Guide
• Conventions This Guide Uses
• Related Documentation

In This Guide

This guide is organized into the following chapters and appendixes:

• Chapter 1, “Introducing the Command-Line Interface” presents an introduction to using the Nokia IP VPN Gateway CLI.
• Chapter 2, “Configuring the Gateway” describes the commands you can enter from the CLI command mode and the configuration mode to perform initial gateway configuration, and configure routing, clustering, and network settings for the gateway.
• Chapter 3, “Managing the Gateway” describes the commands you can enter from the CLI command mode and configuration mode to manage the gateway, validate network and gateway parameters, disable and enable subsystems, and configure network access and services.
• Chapter 4, “Configuring Public Key Infrastructure” describes the commands you can enter from the CLI Public Key Infrastructure (PKI) mode.
• Chapter 5, “Configuring Policy Configuration System” describes the commands you can enter from the CLI Policy Configuration System (PCS) mode.
• Chapter 6, “Configuring Firewall and Network Address Translation” describes how you can configure Firewall and Network Address Translation from the CLI Firewall mode.
• Appendix A, “PCS and Crypto Command Diagrams” presents diagrams that summarize the PCS commands and subcommands, and the crypto command diagram.
• Appendix B, “Dynamic Gateway Deployment” describes how to configure a simple dynamic gateway deployment, when two dynamic (spoke) gateways and a hub pass traffic among one another.
• Appendix C, “List of Commands” lists the CLI commands. Use this appendix as a quick reference to locate specific commands.

Conventions This Guide Uses

The following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.

Notices

Caution: Cautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.

Note: Notes provide information of special interest or recommendations.

Command-Line Conventions

This section defines the elements of commands that are available in Nokia Internet Communications products. You might encounter one or more of the following elements on a command-line path.


Table 1 Command-Line Conventions

command
  This required element is usually the product name or other short word that invokes the product or calls the compiler or preprocessor script for a compiled Nokia product. It might appear alone or precede one or more options. You must spell a command exactly as shown and use lowercase letters.

Italics
  Indicates a variable in a command that you must supply. For example:
    delete interface if_name
  Supply an interface name in place of the variable. For example:
    delete interface nic1

angle brackets < >
  Indicates arguments for which you must supply a value:
    retry-limit <1–100>
  Supply a value. For example:
    retry-limit 60

Square brackets [ ]
  Indicates optional arguments.
    delete [slot slot_num]
  For example:
    delete slot 3

Vertical bars, also called a pipe (|)
  Separates alternative, mutually exclusive elements.
    framing <sonet | sdh>
  To complete the command, supply the value. For example:
    framing sonet
  or
    framing sdh

-flag
  A flag is usually an abbreviation for a function, menu, or option name, or for a compiler or preprocessor argument. You must enter a flag exactly as shown, including the preceding hyphen.

.ext
  A filename extension, such as .ext, might follow a variable that represents a filename. Type this extension exactly as shown, immediately after the name of the file. The extension might be optional in certain products.

( . , ; + * - / )
  Punctuation and mathematical notations are literal symbols that you must enter exactly as shown.

' '
  Single quotation marks are literal symbols that you must enter as shown.

Text Conventions

Table 2 describes the text conventions this guide uses.

Table 2 Text Conventions

monospace font
  Indicates command syntax, or represents computer or screen output, for example:
    Log error 12453

bold monospace font
  Indicates text you enter or type, for example:
    # configure nat

Key names
  Keys that you press simultaneously are linked by a plus sign (+):
    Press Ctrl + Alt + Del.

The words enter and type
  Enter indicates you type something and then press the Return or Enter key. Do not press the Return or Enter key when an instruction says type.

IP Address Notation

Nokia IP VPN Gateway uses standard notation to identify IP addresses. The subnet mask is represented in the hexadecimal format.

Example: 192.168.1.1 with subnet mask 0xFFFFFF00.

In this example, 192.168.1.1 is a Class C address, so the first three octets (bytes) represent the network address, and the last octet represents the host address. 192.168.1.1 is the host IP address with the subnet mask 255.255.255.0.


To specify the network address of the given IP address, the host section of the IP address is set to zeros. In this example, 192.168.1.0 specifies the network address with the subnet mask 255.255.255.0. The IP address range in this network can vary from 192.168.1.1 to 192.168.1.254. Table 3 lists the mapping of the subnet mask to the notation.

Table 3 Mapping Subnet Mask to Notation

Subnet mask   Notation
0xff000000    255.0.0.0
0xffff0000    255.255.0.0
0xffffff00    255.255.255.0

Related Documentation

In addition to this guide, documentation for this product includes the following:

• Nokia IP VPN Gateway Getting Started Guide v6.3
• Nokia 5i and 10i Installation Guide
• Nokia 50i Installation Guide
• Nokia 100i Installation Guide
• Nokia 500i Installation Guide
• Nokia IP VPN Gateway Configuration Guide v6.3
• Nokia IP VPN Gateway Routing Administration Guide v6.3
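The hexadecimal subnet-mask notation described under IP Address Notation and Table 3 above, worked through as an added Python example that is not part of the Nokia guide. It converts between the 0xFFFFFF00 form and dotted notation, rejects non-contiguous masks, and derives the network address and usable host range the guide computes by hand; it assumes only Python's standard ipaddress module.

```python
"""Helpers for the hexadecimal subnet-mask notation used in the guide.

Added example, not from the guide: converts a mask such as 0xFFFFFF00 to
dotted notation, checks that it is a contiguous mask, and derives the
network address and usable host range of an address/mask pair.
"""
import ipaddress


def hex_mask_to_dotted(hex_mask: str) -> str:
    """'0xFFFFFF00' -> '255.255.255.0' (case-insensitive, '0x' prefix optional)."""
    value = int(hex_mask, 16)
    if not 0 <= value <= 0xFFFFFFFF:
        raise ValueError(f"{hex_mask} is not a 32-bit mask")
    # A valid mask is a run of 1 bits followed by 0 bits. Its 32-bit
    # complement is then one less than a power of two, so ANDing it with
    # itself plus one gives zero; any other bit pattern fails this test.
    inverted = value ^ 0xFFFFFFFF
    if inverted & (inverted + 1):
        raise ValueError(f"{hex_mask} is not a contiguous subnet mask")
    return str(ipaddress.IPv4Address(value))


def dotted_mask_to_hex(dotted: str) -> str:
    """'255.255.255.0' -> '0xffffff00' (the lowercase form Table 3 uses)."""
    return f"0x{int(ipaddress.IPv4Address(dotted)):08x}"


def is_valid_hex_mask(hex_mask: str) -> bool:
    """True when hex_mask parses as a contiguous 32-bit mask."""
    try:
        hex_mask_to_dotted(hex_mask)
    except ValueError:
        return False
    return True


def describe(address: str, hex_mask: str) -> dict:
    """Network address, prefix length and usable host range for address/mask.

    For 192.168.1.1 with 0xFFFFFF00 this reproduces the guide's worked
    example: network 192.168.1.0, hosts 192.168.1.1 to 192.168.1.254.
    """
    mask = hex_mask_to_dotted(hex_mask)
    # strict=False lets a host address (not a network address) be supplied;
    # the host bits are zeroed to obtain the network address.
    net = ipaddress.IPv4Network(f"{address}/{mask}", strict=False)
    hosts = list(net.hosts())
    return {
        "network": str(net.network_address),
        "mask": mask,
        "prefix_length": net.prefixlen,
        "first_host": str(hosts[0]) if hosts else None,
        "last_host": str(hosts[-1]) if hosts else None,
    }


if __name__ == "__main__":
    for row in describe("192.168.1.1", "0xFFFFFF00").items():
        print("%s: %s" % row)
```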


1 Introducing the Command-Line Interface

This chapter details the information you need to access and use the Nokia IP VPN Gateway CLI. It also describes the administration tasks you can perform by using the Nokia IP VPN Gateway CLI. This chapter contains the following sections:

• Connecting to the CLI
• CLI Modes
• Navigating Between CLI Modes
• Saving Changes Made in CLI Modes
• configure wizard command
• General CLI Features
• Flash Memory Files
• Using Network File System, Trivial File Transfer Protocol and Secure Copy with Configuration Files
• Troubleshooting

Connecting to the CLI

You can access the CLI by using any of the three following methods:

• Console port—connect a terminal directly to the console port of Nokia IP VPN Gateway. Use the following settings for the hyperterminal:
  • COM port (to which the gateway is connected)
  • 9600 bps
  • 8 data bits
  • Parity - None
  • 1 stop bit
  • Flow control - None


Note: You must use the console port the first time you connect to the gateway. For more information about how to connect to the console port of the gateway, see the relevant Nokia IP VPN Gateway Installation Guide.

• Telnet—use Telnet to connect to the CLI.
• SSH—use Secure Shell (SSH) compliant with V2 of the SSH protocol. To set up SSH, use the sshd command. For more information about the sshd command, see “sshd” on page 186.

Note: You can enable or disable the access methods through the Config# login source command. For more information about the Config# login source command, see “login” on page 184.

CLI Modes

CLI commands are specific to a CLI mode. Each CLI mode allows you to perform specific functions by using relevant commands. The CLI modes are:

• Command Mode
• Configuration Mode
• Public Key Infrastructure Configuration Mode
• Policy Configuration System Mode
• Firewall Configuration Mode

Note: Appendix C, “List of Commands” lists the CLI commands. Use this appendix as a quick reference to locate specific commands.

Command Mode

Use command mode to enter system-wide or cluster-wide configuration and monitoring commands. The default command mode prompt is the greater-than sign (>).

Note: To display the host name as the command mode prompt, use the Config# hostname command. For example, if the host name is gateway, the system prompt appears as gateway>. For more information about the hostname command, see “hostname” on page 130.


Configuration Mode

Use configuration mode to modify the running system configuration. Commands issued in configuration mode take effect as soon as the command is entered. The configuration mode prompt is: Config#.

Entering and Exiting Configuration Mode

Use the following commands to enter or exit configuration mode:

• To enter configuration mode, enter one of the following commands from the command mode prompt:
    > config
    > configure
  The prompt changes to: Config#.
• To exit configuration mode and return to command mode, enter the exit command at the prompt:
    Config# exit

Saving Configuration Commands to Flash Memory

Commands that you enter from configuration mode take effect immediately. To write settings from memory to flash memory, from the command mode, enter the following command:
    > config save

Saving Changes to a Cluster

To save changes made to a cluster, from the master node, switch to command mode, and enter the following command:
    > config save cluster

This command causes the master node of the cluster to write its configuration to flash memory, and commands all the nodes in the cluster to copy and apply the new flash configuration version.

All configuration commands relate to changing or viewing the parameters on the local node. Some commands also allow you to change the configuration of other nodes within the cluster. To apply changes throughout a cluster, you must reboot the other nodes. Nokia recommends that all configuration take place on the master node of the cluster.

Caution: Because of the nature of a clustered environment, IP addressing, routing information, and other configuration settings must be consistent across all nodes.


Note: PKI and PCS configuration is clustered.

Public Key Infrastructure Configuration Mode

Use the Public Key Infrastructure (PKI) configuration mode to configure and view PKI, and the public and private keys for Nokia IP VPN Gateway. Commands issued in PKI configuration mode take effect as soon as the commands are entered. The PKI mode prompt is: config_pki#. For more information about the PKI mode, see “Configuring Public Key Infrastructure” on page 191.

Policy Configuration System Mode

Use the Policy Configuration System (PCS) mode to create, modify, and delete policies from the command-line interface. PCS supports IKE protection suites, IKE policy groups, gateway policies, IPSec policies, IPSec clients, and Selectors. The PCS mode prompt is: config_policy#. For more information about the PCS mode, see “Configuring Policy Configuration System” on page 219.

Firewall Configuration Mode

Use the Firewall Configuration mode to add, remove, and modify lists that contain packet filtering rules. The firewall mode prompt is: config_firewall#. For more information about the firewall mode, see “Configuring Firewall and Network Address Translation” on page 255.

Navigating Between CLI Modes

By default, the console displays the command mode (>). Use the commands described in Table 4 to navigate between modes.

Note: Press Return or Enter to execute the command.


Saving Changes Made in CLI Modes

End Current SessionTo end the current session, enter the exit command from the command mode.

Saving Changes Made in CLI ModesChanges made in each of the four modes are not saved across system reboots unless you explicitly save the changes. For information about saving changes, see “Saving Configuration Changes to Flash Memory” on page 23.

Table 4 Navigation Between Modes
(For each target mode: the modes you can switch from, the command to enter, and notes.)

command (>)
    From: configuration, PKI, PCS or firewall mode
    Enter: exit
    Note: The default is the command mode.

configuration (Config#)
    From: command mode
    Enter: config or configure
    Note: You cannot switch directly to the configuration mode from the PKI, PCS or firewall mode. Enter exit to return to the command mode, then enter config or configure.

PKI (config_pki#)
    From: command mode
    Enter: configure pki or config pki
    Note: You can switch to the PKI mode only from the command mode.

PCS (config_policy#)
    From: command mode
    Enter: configure policy or config policy
    Note: You can switch to the PCS mode only from the command mode.

firewall (config_firewall#)
    From: command mode
    Enter: configure firewall or config firewall
    Note: You can switch to the firewall mode only from the command mode.


configure wizard command
The configure wizard command initializes the gateway and allows you to configure it. For more information about the configure wizard command, see the wizard command in “configure” on page 77.

Caution: When you initialize the gateway by using the configure wizard command, all configuration data is erased from flash memory.

General CLI Features
This section describes general CLI features that you can use with any command in any mode.

Execute Commands
Press Return or Enter to execute the completed command string. The cursor does not have to be at the end of the line when you press Return or Enter.

Command Recall and Editing
You can recall and edit previously issued commands by using command-line editing.

Note: Use the Up arrow to recall commands. You can recall a maximum of 32 commands.

Editing Styles for emacs and VMS
The CLI supports limited line editing that lets you recall previously entered commands and edit them without retyping the entire line. You can choose between two styles of line editing: emacs and VMS. To select a style, from the command mode enter the terminal editing-style command followed by the required style (emacs or VMS), as shown in the following example:

> terminal editing-style VMS


Table 5 lists the differences between the emacs and VMS editing styles. Table 6 lists keys common to emacs and VMS.

Table 5 Editing Styles

Control character behavior                     emacs                 VMS
Beginning of line                              Ctrl+A                Ctrl+K
Exit                                           Ctrl+Z                Ctrl+D
Toggle insert or overstrike                    (none)                Ctrl+A
Back one character                             Ctrl+B                Ctrl+D
Delete previous word                           Ctrl+W                Ctrl+J
Delete current character                       Ctrl+D                (none)
Delete from current character to end of line   Ctrl+K                (none)
Line terminator                                Return key or NL      Return key
Previous line                                  Ctrl+P or Up arrow    Ctrl+B or Up arrow

Table 6 Keys Common to emacs and VMS

Control character behavior           Keys
End of line                          Ctrl+E
Next line                            Ctrl+N or Down arrow
Abort line                           Ctrl+C
Forward one character                Ctrl+F
Redraw line                          Ctrl+L or Ctrl+R
Erase to beginning of line           Ctrl+U
Exit (at beginning of line only)     Ctrl+Z

Command-Line Help
You can use command-line help to:

• View the list of commands available from the current prompt: type a question mark (?) at the prompt.
• View the available options for a command: from the current mode, type the command, then press the Space bar followed by a question mark (?), as shown in the following example:

Config# arp ?

add Add an ARP entry

change Change an ARP entry

delete Delete an ARP entry

• View commands or command options that begin with a particular character: from the current mode, type the character followed by a question mark (?), as shown in the following examples:

config_pki# c?
ca certificate crl

> show s?
schedule snmp statistics subsystem syslog

• Execute automatic command-line completion: abbreviate the command to the smallest number of nonambiguous characters and press the Tab key. In the following example, when the user types exa and presses the Tab key, the command-line utility displays the complete command:

> exa
> examine

Flash Memory Files
This section:

• Lists the common flash memory files.
• Describes how to save to flash memory the configuration changes made through the CLI.

Note: Flash memory is of two types: internal and external. You can install external flash memory cards only on the gateways that support external flash. For more information about flash memory and the gateways that support external flash memory cards, see the relevant Nokia IP VPN Gateway Installation Guide.

Common Flash Files
When you enter CLI commands and save your changes, the information is written to the appropriate file on flash memory.


Note: For more information about manipulating files on flash memory, see “Managing Files and Directories” on page 151.

The following files are found on flash memory during normal operation:

• boot.config  Contains configuration version information, boot kernel information and boot kernel flags. Also used during kernel upgrades.
• cluster_config_<version>.txt  Contains cluster-wide configuration information.
• node_config_<version>.txt  Contains node-specific configuration information.
• ipsrd_<version>.txt  Contains the IPSRD configuration file.
• gen_info.txt  Contains general configuration information, including schedules.
• keys_<version>.txt  Contains cryptographic keys that must be kept confidential. Stored as ASCII text, not encrypted, so every copy of this file (including backups) needs the same protection as the gateway itself.
• pki_<version>.txt  Contains PKI data. If the PKI configuration is saved with the config save pki-test command, the extension of this file is .DAT, but the file is still readable text.
• ipsec_policy_<version>.dat  Contains the IPSec security policy. Stored in binary form.
• boot-authorization  Contains the authorization parameters required to authorize the gateway.
• aos-v[version number]-[build number].[arch]  The Nokia AOS 6.3 kernel.

Saving Configuration Changes to Flash Memory
Changes you enter by using the CLI remain in memory until the system is rebooted. To save changes permanently, you must save them to flash memory.


Table 7 lists the CLI modes and the respective save commands.

Table 7 Save Commands

Command mode
    Enter save commands from: command mode
    Save command: none. Commands entered in the command mode cannot be saved.

Configuration mode
    Enter save commands from: command mode
    Save command: config save or config save cluster
    Note: To save changes made on a cluster, enter the config save cluster command from the master node.

PKI configuration mode
    Enter save commands from: command mode
    Save command: config save

PCS mode
    Enter save commands from: PCS mode
    Save command: apply and save
    Note: These commands automatically update the changes to the cluster.

Firewall configuration mode
    Enter save commands from: firewall configuration mode
    Save command: save

Saving Configuration Changes Made to a Cluster
To change or save configuration information in a cluster, you must:

1. Ensure that all the nodes in the cluster have the same configuration.
2. Execute all CLI configuration commands from the master node.
3. Reboot each node to apply the command to all the nodes in the cluster.

Note: Use the schedule stagreboot command to automatically reboot each node in sequence. For more information about the stagreboot command, see “schedule” on page 103.

For configurations other than PCS, you must reboot the other nodes to cause the configuration to be copied. When you save configuration information from the master node, the version number of the configuration is incremented. When you reboot a node in the cluster, it connects to the master node and is automatically updated with the current configuration information.

Caution: You must use either the CLI or VPN Manager for configuration, but not both. When you apply changes by using VPN Manager, configuration changes you made by using the CLI are overwritten in the configuration files.

Using Network File System, Trivial File Transfer Protocol and Secure Copy with Configuration Files

You can use Network File System (NFS) and Trivial File Transfer Protocol (TFTP) servers to copy, back up, and restore configuration files. When you use NFS, you must configure the mountd daemon to allow the mounting of individual files. This is the default in Solaris and requires the -r option to mountd on a BSD-based NFS implementation. If you use TFTP, the target file must already exist in the specified location and must have world write permissions. Neither NFS nor TFTP authenticates the gateway or encrypts the transfer, and a flash backup contains keys_<version>.txt in readable text, so prefer SCP (described below) for backups and restores wherever the server supports it. You can identify files and directories by using the following syntax:

<nfs | tftp>://<hostname>/<pathname>/<bkup_file | directory>

The following are examples of the correct syntax to access the myfile.txt file on the NFS server Nokia_nfs and on the TFTP server Nokia_tftp:

nfs://Nokia_nfs/home/Nokia_files/myfile.txt
tftp://Nokia_tftp/tftproot/myfile.txt

You can use the TFTP default server and NFS default server configuration mode commands to shorten filenames. For example, if the TFTP default server Nokia_tftp command is in effect, the filename can be shortened to tftp:/tftproot/myfile.txt.

You can use Secure Copy (SCP) to copy files securely to and from an SSH server. The supported SSH implementation is OpenSSH. You must define the user on the SSH server. SCP uses public key authentication, so the gateway's host key must be pasted into the authorized_keys file in the .ssh directory under that user's home directory on the SSH server. Because that entry gives the holder of the gateway's key the same access as the user, create a dedicated, unprivileged user for gateway backups rather than reusing root. Display the host key with the following command:

Config# ssh host-key show

Note: There must be no carriage returns in the host key when it is pasted into the authorized_keys file.

SCP syntax:

scp://<user>@<hostname | IP address>/<absolute path name of the file> <local file name>

Because the remote path is absolute, a second slash follows the host name in practice. You can use SCP with the copy, backup and restore commands.

Examples:

copy scp://<user>@<hostname>//root/aos-v6.3-58.kl aos-v6.3-58.kl
backup save flash: scp://<user>@<hostname>//home/administrator
backup restore scp://<user>@<hostname>//home/administrator/<file name> flash:
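The following is an added example, not code from the Nokia manual: it checks the nfs://, tftp:// and scp:// locators that copy, backup and restore accept (including the default-server short form and the absolute-path rule for scp), and turns the line-wrapped console output of ssh host-key show into a single authorized_keys line with no carriage returns. The function names and the sample key are this example's own; the key is constructed and is not a real host key.

```python
"""Added example (not from the Nokia manual): validate file locators for the
copy/backup/restore commands and prepare the gateway host key for
authorized_keys. Assumptions: locator grammar and the "no carriage returns"
rule as described in the manual; the sample key below is constructed."""
import base64
import re
import struct

LOCATOR_RE = re.compile(r"^(nfs|tftp|scp):(//)?(.*)$", re.IGNORECASE)


def parse_locator(locator, tftp_default=None, nfs_default=None):
    """Return {scheme, user, host, path} for one file locator.

    Long form:  nfs://host/dir/file, tftp://host/dir/file, scp://user@host//abs/path
    Short form: tftp:/dir/file or nfs:/dir/file, valid only while the matching
    "<proto> default server" command is in effect (passed in as an argument).
    """
    m = LOCATOR_RE.match(locator.strip())
    if not m:
        raise ValueError("locator must start with nfs:, tftp: or scp:")
    scheme, long_form, rest = m.group(1).lower(), bool(m.group(2)), m.group(3)
    user = None
    if not long_form:
        if scheme == "scp":
            raise ValueError("scp has no default-server short form")
        host = {"tftp": tftp_default, "nfs": nfs_default}[scheme]
        if not host:
            raise ValueError(f"short {scheme}: locator but no default server configured")
        path = rest if rest.startswith("/") else "/" + rest
    else:
        authority, _, remainder = rest.partition("/")
        if "@" in authority:
            user, authority = authority.split("@", 1)
        host = authority
        if not host:
            raise ValueError("missing host name")
        if scheme == "scp":
            if not user:
                raise ValueError("scp locator needs <user>@<host>")
            # The manual requires an absolute remote path, which is why its
            # examples carry a double slash after the host: scp://u@h//root/x
            if not remainder.startswith("/"):
                raise ValueError("scp path must be absolute: scp://user@host//abs/path")
            path = remainder
        else:
            path = "/" + remainder
    return {"scheme": scheme, "user": user, "host": host, "path": path}


def authorized_keys_line(raw_console_output):
    """Join wrapped `ssh host-key show` output into one authorized_keys line.

    Removes CR/LF and console wrapping, requires '<type> <base64>', and checks
    that the decoded blob names the declared key type, which catches a
    truncated or corrupted paste before it reaches the server.
    """
    tokens = raw_console_output.replace("\r", " ").replace("\n", " ").split()
    if len(tokens) < 2 or not tokens[0].startswith("ssh-"):
        raise ValueError("expected '<key-type> <base64 key>' in console output")
    key_type, body = tokens[0], "".join(tokens[1:])
    blob = base64.b64decode(body, validate=True)   # rejects stray characters
    if len(blob) < 4:
        raise ValueError("key body too short")
    (type_len,) = struct.unpack(">I", blob[:4])
    if blob[4:4 + type_len] != key_type.encode("ascii"):
        raise ValueError("key body does not match its declared type")
    return f"{key_type} {body}"


def _sample_wrapped_key():
    """Constructed sample: SSH wire-format blob with a bogus tiny exponent and
    modulus so the example runs offline. A real host key is much longer."""
    blob = (struct.pack(">I", 7) + b"ssh-rsa"
            + struct.pack(">I", 3) + b"\x01\x00\x01"
            + struct.pack(">I", 9) + b"\x00" + bytes(range(1, 9)))
    b64 = base64.b64encode(blob).decode()
    # Emulate a console that wraps at 20 columns with CRLF line endings.
    return "ssh-rsa " + "\r\n".join(b64[i:i + 20] for i in range(0, len(b64), 20))


if __name__ == "__main__":
    print(parse_locator("nfs://Nokia_nfs/home/Nokia_files/myfile.txt"))
    print(parse_locator("tftp:/tftproot/myfile.txt", tftp_default="Nokia_tftp"))
    print(parse_locator("scp://backup@192.0.2.10//home/backup/cfg.tgz"))
    print(authorized_keys_line(_sample_wrapped_key()))
```

Run it as a pre-flight check on a management host before typing a long locator into the gateway; the scp branch deliberately rejects the single-slash form that looks right but does not yield an absolute path.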


Troubleshooting
For information about how to troubleshoot Nokia IP VPN Gateways, see the Nokia IP VPN Gateway Configuration Guide v6.3.


2 Configuring the Gateway

This chapter describes the commands required to perform initial gateway configuration and configure routing, clustering, and network settings for the gateway.

Note: This chapter assumes that you are familiar with the command mode and the configuration mode, and with navigation between them. For more information about CLI modes and navigating between them, see “Introducing the Command-Line Interface” on page 15.

You can configure Nokia IP VPN Gateway through the CLI, or through VPN Manager. For more information about how to configure the gateway through VPN Manager, see the Nokia IP VPN Gateway Configuration Guide v6.3.

Caution: You must use either the CLI or VPN Manager for configuration, but not both. When you apply changes by using VPN Manager, configuration changes you made by using the CLI are overwritten in the configuration files.

To configure Nokia IP VPN Gateway
1. Connect the system to the console port of Nokia IP VPN Gateway.

Note: For more information about how to connect to the console port of the gateway, see the relevant Nokia IP VPN Gateway Installation Guide.

2. Press Enter or Return.
3. The initial configuration setup appears. It lists the interfaces available on the gateway and the syntax for interface, default route, and host name configuration.
4. Enter the security token at the security token prompt.


You can configure the gateway directly through the CLI by entering exit or void, or you can copy-and-paste the security token and other information that VPN Manager generates to manage the gateway through VPN Manager.

To configure Nokia IP VPN Gateway by using the CLI
At the security token prompt, enter one of the following:

• exit—to exit the configuration. The command mode prompt (>) appears.
• void—to enter the wizard mode. The wizard# prompt appears. You can configure internal and external interfaces, the default route, and the host name from this mode. For more information about interface, default route, and host name configuration, see “Configuring Interface Settings” on page 29, “Static Routing” on page 46, and “hostname” on page 130. To exit the wizard mode, at the wizard# prompt enter the following command:

wizard# exit

The command mode prompt (>) appears.

Note: To permanently save changes made to the configuration, you must write the commands to flash memory. For more information about saving configuration changes, see “Saving Configuration Changes to Flash Memory” on page 23.

To configure Nokia IP VPN Gateway with VPN Manager information
At the security token prompt, enter the security token number and the other details that VPN Manager generates. For more information about generating the security token number and other details, see the Nokia IP VPN Gateway Configuration Guide v6.3.

Note: VPN Manager generates the security token and other details. You can copy and paste this information from VPN Manager to Nokia IP VPN Gateway.

Configuring Gateway Interfaces
The number of interfaces that you can configure on the gateway depends on the type of gateway. For more information about the number of interfaces on the gateway and interface naming conventions, see the relevant Nokia IP VPN Gateway Installation Guide. Interfaces can be designated internal or external:

• Internal interfaces—by default, all interfaces are internal. You can configure multiple internal interfaces by using the interface command. For more information about the interface command, see “Configuring Interface Settings” on page 29.


• External interfaces—you can configure only one external interface, except when configuring WAN backup. For more information about the interface and wanbackup commands, see “Configuring Interface Settings” on page 29 and “Configuring WAN Backup Settings” on page 35.

Note: You must manually configure an external interface.

Configuring Interface Settings
Use the interface command to configure the internal and external interfaces and to configure interface-specific parameters for the gateway.

Ethernet Autonegotiation
Nokia recommends the use of Ethernet autonegotiation to configure the speed and duplex settings of an Ethernet interface. Any manual action to disable autonegotiation on either end of a link can result in mismatched speed and duplex settings that might prevent or degrade communication. A mismatch in the speed setting prevents communication. A mismatch in the duplex setting causes spurious collisions, cyclic redundancy check (CRC) errors, short packets, lost packets, and a general degradation in performance.

If you enable autonegotiation on the gateway Ethernet interface, you should enable autonegotiation on the Ethernet hub or switch. If you disable autonegotiation on one side (either the gateway Ethernet interface or the Ethernet hub or switch), you should disable autonegotiation on the other side, and both sides must be set to the same speed (10/100) and duplex (half/full). The default setting for the gateway Ethernet interface is autonegotiation enabled.

Caution: If you enable autonegotiation on one side and disable it on the other, half duplex is assumed on the enabled side. Therefore, if you disable autonegotiation on one side, you must set that side to half duplex, unless you disable autonegotiation on the other side as well and manually set both sides to full duplex.

Most older 10-Mbps Ethernet hubs do not support autonegotiation, and some newer equipment does not provide a way to disable autonegotiation. In these cases, set the Nokia IP VPN Gateway Ethernet interface to autonegotiate.

To determine whether the gateway is autonegotiating the Ethernet connection, set the console logging severity level to debug. For more information about this command, see the console logging level debug command in “Config# [no] console” on page 169. The following is an example of an autonegotiated connection:

eth-1: link UP 100BaseTX-HalfDuplex (auto-negotiated)
eth-1: peer offered: 10BaseT 100BaseTX

If you enable autonegotiation on the gateway Ethernet interface but the other side does not support it, the link UP message reports the speed detected and assumes half duplex:

eth-1: link UP 10BaseT-HalfDuplex (peer not autonegotiating, half duplex assumed)

If you disable autonegotiation on the gateway Ethernet interface, the link UP message reports the manual settings:

eth-1: link UP 100BaseTX-HalfDuplex (manual)

Nokia recommends that both sides use autonegotiation. If you do not use auto negotiation, both sides must be set to the same speed (10/100) and duplex (half or full).

Cluster Configuration and Common Switch Configuration

Cisco switches implement the Spanning Tree Protocol (STP), which discovers and blocks switching loops. When a link first comes up on a Cisco switch port, the switch forwards nothing but STP frames while it exchanges topology information with neighbouring switches. This delay is about 30 seconds, and it can prevent a cluster node from joining the cluster in time. The remedy is the PortFast option, which lets the port skip the STP listening and learning states and forward immediately without turning STP off. For more information, see the following Cisco document: http://www.cisco.com/warp/public/473/12.html. Enable PortFast only on ports that connect directly to a gateway or other end host, never on a port that leads to another switch, because a PortFast port that forms part of a loop is forwarding before STP can detect the loop.

Some switches also attempt to negotiate trunking and Fast EtherChannel on their ports. If this takes longer than a few seconds, disable it; the Cisco Catalyst 6500 is an example. To disable trunking or Fast EtherChannel on a port (CatOS), use the following commands:

set port channel <module>/<port> mode off
set trunk <module>/<port> off

A delay also occurs in port initialization when STP starts, and this delay can also disrupt cluster booting. Rather than disabling STP, Nokia recommends that you use the PortFast feature. Examples for some common switches:

Catalyst 5000 or 6500 (CatOS):

set spantree portfast <module_num>/<port_nums> enable

where <module_num> is the card or module number and <port_nums> are the port numbers of the Catalyst ports into which the Nokia IP VPN Gateway devices are plugged.

Catalyst 2900 (IOS):

Switch(config)# interface FastEthernet <module_num>/<port_num>
Switch(config-if)# spanning-tree portfast

where <module_num> is the card or module number and <port_num> is the port into which the Nokia IP VPN Gateway device is plugged.


Switches and Cluster Multicast Mode

When a cluster is running in multicast mode, a virtual multicast MAC address is mapped to the cluster IP address, and all nodes in the cluster expect to receive packets sent to this address. Catalyst 5000 switches do not learn this address automatically. To make this mode work from a Catalyst 5000, you must create a static CAM entry for each port that an inside interface of your cluster is attached to. The format of the multicast MAC address is 01:50:5A:00:<X>:<Y>, where X and Y are the last two octets of the cluster inside-interface IP address, in hexadecimal. For example, 10.0.32.4 maps to 01:50:5A:00:20:04.

If you have a two-node cluster with the inside interfaces attached to Catalyst ports 3/10 and 3/11, both in VLAN 3, set the static CAM entry for those ports with the following command and confirm it:

Console> (enable) set cam static 01-50-5a-00-20-04 3/10,3/11
Static multicast entry added to CAM table.

Console> (enable) show cam static
VLAN  Destination MAC    Destination Ports or VCs
----  -----------------  ------------------------
3     01-50-5a-00-20-04  3/10-11

Matching CAM Entries = 1

Cisco Routers and Cluster Multicast Mode

Cisco routers do not automatically detect multicast addresses. For the router to reach the cluster address, create a static ARP entry on the router for the interface on the same LAN. For a cluster with the cluster address 10.0.32.4, issue the following command on the router:

router(config)# arp 10.0.32.4 0150.5a00.2004 arpa
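The following is an added example, not code from the Nokia manual, that applies the address rule from the two passages above: it derives the cluster's virtual multicast MAC from the cluster inside address and renders it in the notations the CatOS set cam static and IOS arp commands expect. It also flags a consequence of the rule worth checking before a second cluster shares a VLAN: only the last two octets enter the MAC, so two clusters whose inside addresses differ only in the first two octets collide on one MAC. The function names are this example's own.

```python
"""Added example (not from the Nokia manual): derive and format the cluster
multicast MAC 01:50:5A:00:<X>:<Y>. Assumptions: the address rule and the two
Cisco command syntaxes are exactly as quoted in the text above."""
import ipaddress

MAC_PREFIX = (0x01, 0x50, 0x5A, 0x00)


def cluster_multicast_mac(cluster_ip):
    """Return the 6-byte multicast MAC for a cluster inside-interface address."""
    packed = ipaddress.IPv4Address(cluster_ip).packed
    mac = MAC_PREFIX + (packed[2], packed[3])      # X, Y = last two octets
    assert mac[0] & 0x01, "first octet must carry the group (multicast) bit"
    return mac


def mac_colon(mac):
    """01:50:5A:00:20:04, the notation used in the manual."""
    return ":".join(f"{b:02X}" for b in mac)


def mac_catos(mac):
    """01-50-5a-00-20-04, the CatOS 'set cam static' notation."""
    return "-".join(f"{b:02x}" for b in mac)


def mac_ios(mac):
    """0150.5a00.2004, the IOS dotted-hex notation for 'arp ... arpa'."""
    h = "".join(f"{b:02x}" for b in mac)
    return f"{h[0:4]}.{h[4:8]}.{h[8:12]}"


def catos_cam_command(cluster_ip, ports):
    """Static CAM entry for the switch ports the inside interfaces plug into."""
    mac = mac_catos(cluster_multicast_mac(cluster_ip))
    return f"set cam static {mac} {','.join(ports)}"


def ios_arp_command(cluster_ip):
    """Static ARP entry for a Cisco router on the same LAN."""
    return f"arp {cluster_ip} {mac_ios(cluster_multicast_mac(cluster_ip))} arpa"


def same_multicast_mac(ip_a, ip_b):
    """True when two cluster inside addresses map to the same virtual MAC.

    Because only the last two octets are used, 10.0.32.4 and 10.1.32.4 share a
    MAC and would both receive each other's cluster traffic on a shared VLAN.
    """
    return cluster_multicast_mac(ip_a) == cluster_multicast_mac(ip_b)


if __name__ == "__main__":
    ip = "10.0.32.4"
    print(mac_colon(cluster_multicast_mac(ip)))
    print(catos_cam_command(ip, ["3/10", "3/11"]))
    print(ios_arp_command(ip))
    print("collides with 10.1.32.4:", same_multicast_mac(ip, "10.1.32.4"))
```

The IOS renderer folds the octets into three groups of four hex digits, which is the only form the arp command accepts; pasting the colon form from the manual into IOS is a common mistake this sidesteps.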

DHCP Client
DHCP dynamically assigns network configuration to participating hosts. A DHCP client requests its configuration by broadcasting a message, and a DHCP server on the network responds with the appropriate information. The server also ensures that each host gets a unique IP address, which avoids misconfiguration on the network.

You can configure gateway interfaces to use DHCP to obtain an IP address dynamically. Other configuration obtained with DHCP includes the netmask, default route, and DNS servers. Because the default route and DNS servers come from whichever server answers first, enable DHCP only on segments where you control the DHCP server.

When DHCP is enabled for an interface, the gateway tries to contact a DHCP server and obtain configuration information. If no server response is received within four seconds, the gateway retransmits with a randomized (-2 to +2 seconds) exponential backoff, capped at 120 seconds. If no server responds, the gateway waits two minutes before retransmitting DHCP discover packets, and the process repeats until an offer from some server is received or DHCP is disabled on the interface. If the interface flag is inactive or the link on the interface is down, the client waits for the link to become active before starting discovery. When DHCP is disabled on an interface, any address acquired for the interface is released. The DHCP client does not save lease information, so if DHCP is disabled and later re-enabled on an interface, a different address can be acquired.

Syntax

Config# interface <eth-1 | eth-2 | eth-3 | eth-4 | loop-0>
    [-alias] [-backup] [-dhcp] [-external] [-primary]
    [address <A.B.C.D>] [alias] [backup priority <value>] [broadcast <A.B.C.D>]
    [clear] [destination <A.B.C.D>] [dhcp] [down] [external] [family <inet>]
    [flowcontrol <active | default | none | passive>]
    [media <autoselect | 10 | 10-Full-Duplex | 100 | 100-Full-Duplex>]
    [mtu <72-16366>] [netmask <A.B.C.D>] [primary] [up]

Arguments

<eth-1 | eth-2 | eth-3 | eth-4 | loop-0>
    Name of the interface to configure: eth-1, eth-2, eth-3 or eth-4 (Ethernet), or loop-0 (loopback).

-alias  Remove the address as an IP alias of the interface.

-backup  Remove the backup designation from the interface, making it a primary interface again.

-dhcp  Disable DHCP client functionality on the interface.

-external  Designate the interface as internal.

-primary  Unset the interface as primary.

address <A.B.C.D>  Set the interface address.

alias  Add the address as an IP alias of the interface.

backup priority <value>  Designate the interface as a backup external interface:
    • priority—set the backup priority.
    • value—priority value for this backup external interface.

broadcast <A.B.C.D>  Set the broadcast address (for broadcast media).

clear  Clear the interface.

destination <A.B.C.D>  Set the destination address (for point-to-point media).

dhcp  Configure the interface as a DHCP client.

down  Turn the interface off.

external  Designate the interface as external.

family <inet>  Set the address family:
    • inet—IPv4 interface address family.

flowcontrol <active | default | none | passive>  Set the interface flow control:
    • active—transmit and receive flow control.
    • default—the default flow-control setting.
    • none—no flow control.
    • passive—receive-only flow control.

media <autoselect | 10 | 10-Full-Duplex | 100 | 100-Full-Duplex>  Set the interface media type (broadcast interfaces only):
    • autoselect—autonegotiate speed and duplex.
    • 10—10 Mbit, half duplex.
    • 10-Full-Duplex—10 Mbit, full duplex.
    • 100—100BaseTX, half duplex.
    • 100-Full-Duplex—100BaseTX, full duplex.

mtu <72-16366>  Set the interface MTU:
    • 72-16366—MTU in bytes (maximum 1500 for 10/100 Ethernet, 16366 for Gigabit Ethernet).

netmask <A.B.C.D>  Set the subnet mask for the address.

primary  Designate the interface as primary.

up  Turn the interface on.

Related Commands
See the show dhcp-client command in “show” on page 105.

Configuring a Serial Interface
Use the dialup module to configure a dialup interface to dial out. The dialup interface can be a primary external interface or a backup to another external interface.

Note: To configure dialup, you must enable dialup by using the Config# enable dialup command. You can disable dialup by using the Config# disable dialup command.

Syntax

Config# dialup
    disconnect
    mode <dynamic | independent | wan-backup back-up priority <priority>>
    profile <1-5> auth <any | chap | none | pap> dns1 <A.B.C.D> dns2 <A.B.C.D> mtu <56-1500> preferred_address <A.B.C.D> username <XXXXXX> password <XXXXXX> phone_number <XXXXXX>

Arguments

disconnect  Disconnect the active dialup connection.


mode <dynamic | independent | wan-backup back-up priority <priority>>  Configure the mode:
    • dynamic—mode to use together with VRRP.
    • independent—use the dialup interface as the primary external interface.
    • wan-backup—use the dialup interface as the backup interface.
    • wan-backup back-up priority <priority>—backup priority number (1 to 255).

profile <1-5> auth <any | chap | none | pap> dns1 <A.B.C.D> dns2 <A.B.C.D> mtu <56-1500> preferred_address <A.B.C.D> username <XXXXXX> password <XXXXXX> phone_number <XXXXXX>  Configure a dialup profile:
    • profile <1-5>—index of this profile in the profile list.
    • auth—configure authentication: any, chap, none or pap.
    • dns1 <A.B.C.D>—IP address of the primary DNS server.
    • dns2 <A.B.C.D>—IP address of the secondary DNS server.
    • mtu <56-1500>—Maximum Transmission Unit (MTU) in bytes. Default: 1500.
    • preferred_address <A.B.C.D>—preferred local IP address.
    • username—set the user name.
    • password—set the password.
    • phone_number—set the phone number.

Configuring WAN Backup Settings
The wanbackup module activates the backup interface if any of the following events occur:

• The primary (external) physical interface is deactivated.
• A logical interface such as PPPoE is deactivated.
• An IP address is not allocated to a DHCP-enabled interface.

To enable WAN backup
1. Set the wanbackup mode to simple or dialup.
2. Configure an external backup interface by using the interface backup command.


You must assign an external interface as a backup interface. You can configure multiple backup interfaces (Ethernet interfaces with static IP addresses, DHCP, PPPoE, and a dialup interface). For more information about the interface backup command, see “Configuring Interface Settings” on page 29.

Note: The wanbackup module allows you to configure a tcp-check to ensure effective WAN backup. The tcp-check option checks whether the specified IP address can be reached; if it is unreachable for any reason, the wanbackup module fails over to the backup interface. tcp-check uses a TCP SYN ping. Because any failure of the probe triggers failover, choose a target that is stable, answers on the chosen port, and is reachable only through the primary interface; a target that is itself down or filtering the port causes a failover while the link is healthy.

The wanbackup module allows you to specify:

• Failover time limit (the time, in seconds, after which the backup interface is activated once the primary interface is deactivated).
• Fall-back time limit (the time, in seconds, after which the backup interface is deactivated once the primary interface is activated again).
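The following is an added example, not code from the Nokia manual: a model of the failover decision described above, replayed over a constructed series of tcp-check results, showing how the failover timeout, the fall-back timeout and the check interval combine to decide when the backup interface takes the default route and when the primary gets it back. The class, the interface and gateway names and the sample timeline are this example's own; the value ranges it enforces (timeouts 5 to 3600 seconds, interval 5 to 60 seconds, port 1 to 65535) are the ones in the syntax reference that follows.

```python
"""Added example (not from the Nokia manual): simulate wanbackup failover and
fall-back from tcp-check results. Assumptions: the gateway re-evaluates on each
probe; timers start at the first probe that changes state; ranges as documented."""
import socket
from dataclasses import dataclass


@dataclass
class WanBackupConfig:
    failover_timeout: int = 5   # seconds the primary must stay down before failover
    fallback_timeout: int = 5   # seconds the primary must stay up before fall-back
    check_interval: int = 5     # seconds between tcp-check probes
    check_port: int = 80

    def __post_init__(self):
        if not 5 <= self.failover_timeout <= 3600:
            raise ValueError("failover-timeout must be 5..3600 seconds")
        if not 5 <= self.fallback_timeout <= 3600:
            raise ValueError("fallback-timeout must be 5..3600 seconds")
        if not 5 <= self.check_interval <= 60:
            raise ValueError("tcp-check interval must be 5..60 seconds")
        if not 1 <= self.check_port <= 65535:
            raise ValueError("tcp-check port must be 1..65535")


class WanBackup:
    """Tracks which external interface currently owns the default route."""

    def __init__(self, cfg, primary="eth-1", backup="eth-2",
                 primary_gateway="192.0.2.1", backup_gateway="198.51.100.1"):
        self.cfg = cfg
        self.primary, self.backup = primary, backup
        self.primary_gateway, self.backup_gateway = primary_gateway, backup_gateway
        self.active = primary
        self._down_since = None   # time of first failed probe while on primary
        self._up_since = None     # time of first good probe while on backup

    def observe(self, t, primary_reachable):
        """Feed one tcp-check result taken at time t; return the active interface."""
        if primary_reachable:
            self._down_since = None
            if self.active == self.backup:
                if self._up_since is None:
                    self._up_since = t
                if t - self._up_since >= self.cfg.fallback_timeout:
                    self.active, self._up_since = self.primary, None
        else:
            self._up_since = None
            if self.active == self.primary:
                if self._down_since is None:
                    self._down_since = t
                if t - self._down_since >= self.cfg.failover_timeout:
                    self.active, self._down_since = self.backup, None
        return self.active

    def default_route(self):
        """Next hop currently installed for the default route."""
        return self.backup_gateway if self.active == self.backup else self.primary_gateway

    def run(self, results):
        """Replay a list of probe results, one per check interval, from t = 0."""
        step = self.cfg.check_interval
        return [(i * step, self.observe(i * step, ok)) for i, ok in enumerate(results)]


def tcp_check(host, port, timeout=2.0):
    """Reachability probe. The gateway sends a bare SYN; without raw-socket
    privileges this stand-in completes the handshake, so the target sees a
    real connection. Not used by the offline demo below."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:
        return False


# Constructed timeline: primary up, then four failed probes, then up again.
SAMPLE_RESULTS = [True, False, False, False, False, True, True, True, True]


def demo():
    cfg = WanBackupConfig(failover_timeout=10, fallback_timeout=10, check_interval=5)
    return WanBackup(cfg).run(SAMPLE_RESULTS)


if __name__ == "__main__":
    for t, iface in demo():
        print(f"t={t:3d}s  default route via {iface}")
```

With a 5-second interval and a 10-second failover timeout the model fails over on the third consecutive failed probe (t = 15 s), because the timer starts at the first failure rather than at the last success; size the timeout as a multiple of the interval with that in mind.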

Syntax

Config# wanbackup
    backup_interface <eth-1 | eth-2 | eth-3 | eth-4> default_route <A.B.C.D>
    failover-timeout <timeout>
    fallback-timeout <timeout>
    mode <dialup | none | simple>
    tcp-check <A.B.C.D> port <value> interval <interval>

Arguments

backup_interface <eth-1 | eth-2 | eth-3 | eth-4> default_route <A.B.C.D>  Configure a backup interface:
    • eth-1, eth-2, eth-3, eth-4—backup interface name.
    • default_route <A.B.C.D>—IP address of the default route.

Note: You must configure the default route to redirect traffic through the backup interface when it is activated.

failover-timeout <timeout>  Failover timeout:
    • timeout—timeout value (5 to 3600 seconds). Default: 5 seconds.


fallback-timeout <timeout>  Fall-back timeout:
    • timeout—timeout value (5 to 3600 seconds). Default: 5 seconds.

mode <dialup | none | simple>  Configure the mode:
    • dialup—WAN backup with dialup, Ethernet, or both as backup interfaces.
    • none—disable WAN backup.
    • simple—WAN backup with Ethernet interfaces only as backup interfaces.

tcp-check <A.B.C.D> port <value> interval <interval>  Configure the tcp-check option:
    • <A.B.C.D>—tcp-check target address.
    • port <value>—port to use for the tcp-check (1 to 65535).
    • interval <interval>—interval between checks (5 to 60 seconds).

Related Commands
See the interface backup, interface up and interface down commands in “Config# interface” on page 32.

Configuring PPPoE Settings
Use the pppoe command to create multiple PPPoE interfaces in the system. You can also use this command to show, delete, and activate or deactivate a PPPoE client interface. The PPPoE client interfaces are listed as pppoe0, pppoe1, and so on.

Note: The cluster works on multiple-access media while PPPoE works point-to-point, so cluster functionality cannot be achieved on a PPPoE interface.

You can specify the following characteristics for the PPPoE client:

• Interface type—static or dynamic. The static interface option lets you assign the IP address when negotiating IP Control Protocol (IPCP) with the peer. The dynamic interface option lets the peer specify the IP address.
• Interface mode—the PPPoE interface works in two modes: demand and keepalive. In demand mode the PPPoE interface is activated when traffic is sent. If


no traffic occurs for a specified time limit (idle timeout), the interface is made inactive. When traffic is sent, the interface is activated once again.

Note: You must specify the destination interface IP address for the system to create an interface route. The interface route is needed because the PPPoE client cannot identify the IP address of the peer until it connects; it then initiates the connection and sends packets on the interface.

In keepalive mode the PPPoE interface is always active regardless of traffic flow. If the PPPoE connection fails, the interface is reactivated by connecting to the peer again.
• Authentication method—the PPPoE client autodetects the authentication method that the peer uses. You can set the authentication method to pap, mschap, chap, or noauth.

To create a PPPoE client interface

1. Select an Ethernet interface (external) on which to create the virtual PPPoE interface.

2. Ensure that the Ethernet interface is connected to the network and is active.

Note: Use the Config# interface <ethernet-interface> up command to activate the interface.

3. Create a PPPoE profile by using the pppoe profile command.

Note: Use the show pppoe profile <all | profile-name> command to confirm the creation of a PPPoE profile with all correct values set.

4. Create a PPPoE interface by using the Config# pppoe interface profilename <profile-name> command.

Note: Use the show pppoe interface command to confirm the PPPoE interface creation.


Syntax

Config# pppoe profile <name> eth-interface <eth-1 | eth-2 | eth-3 | eth-4> user <user name> passwd <<passwd> | <CR>>
[acname <name>]
[auth <chap | mschap | noauth | pap>]
[debug <all | info>]
[dns <primarydns | secondarydns>]
[external]
[ifroute <ip_address/masklen>]
[mode <demand | keepalive>]
[mtu <number>]
[nodefaultroute]
[nonstandard <0xABCD:0xABCD>]
[service <name>]
[timeout <number>]
[type <static srcaddr <source-ip-address/masklen> dstaddr <pppoe-peer-ip-address/masklen>> | <dynamic>]
[wins <primarywins | secondarywins>]
[<CR>]

Config# [no] pppoe profile <name>

Config# pppoe interface profilename <profile>

Config# [no] pppoe interface <name>

Arguments

profile <name> eth <eth-1 | eth-2 | eth-3 | eth-4> user <user name> passwd <<passwd> | <CR>>
Create a new profile:
• name—profile name.
• eth-1—Ethernet interface name.
• eth-2—Ethernet interface name.
• eth-3—Ethernet interface name.
• eth-4—Ethernet interface name.
• user name—user name.
• passwd—password.
• CR—end.

acname <name>
ISP's Access Concentrator name (PPPoE server):
• name—ISP Access Concentrator name.


auth <chap | mschap | noauth | pap>
The PPPoE client negotiates authentication as proposed by the PPPoE server:
• chap—Challenge Handshake Authentication Protocol.
• mschap—Microsoft Challenge Handshake Authentication Protocol.
• noauth—no authentication.
• pap—Password Authentication Protocol.
Default: autodetect

debug <all | info>
View debug messages:
• all—all debug messages about connection details.
• info—useful information about connection details.

Note: The debug option is not saved in the PPPoE profile across reboots.

dns <primarydns | secondarydns>
DNS options (if provided by the ISP):
• primarydns—primary DNS server only.
• secondarydns—both primary and secondary DNS servers.

external
Use this option to make the PPPoE interface an external interface.

ifroute <ip_address/masklen>
Interface route for a dynamic interface:
• ip_address—IP address for the interface route.
• masklen—mask for the interface route.

Note: You must specify the destination interface IP address for the system to create an interface route. The interface route (ifroute) is created because the PPPoE client cannot identify the IP address of the peer until it connects to the peer. The PPPoE client then initiates the connection and sends packets on the interface.

mode <demand | keepalive>
PPPoE connection mode:
• demand—the interface is activated when traffic is sent and made inactive after the idle timeout.
• keepalive—the interface is always active and reconnects to the peer if the connection fails.
Default mode: keepalive


mtu <number>
MTU for the PPPoE interface:
• number—MTU value in bytes. MTU value range: 136 to 1492

nodefaultroute
Use this option to enable the system to use the manually added default route.

Note: By default, if the nodefaultroute option is not used in the profile settings, the system automatically adds the default route after the PPPoE session is activated, using the PPPoE peer IP address as the next-hop IP address. It also overwrites any existing default route. If the PPPoE session is deactivated, the system deletes the default route. To prevent the system from adding a default route (using the peer IP address) automatically whenever the PPPoE session becomes active, use the nodefaultroute option in the profile and manually add a default route by using the following command: Config# route 0.0.0.0 0.0.0.0 <next-hop-ipaddress>.

nonstandard <0xABCD:0xABCD>

Note: Use this option only if your ISP supports it, or if you connect to a 3COM PPPoE server that processes requests with the non-standard ethertypes 0x3c12 and 0x3c13 only.

Ethertypes other than 0x8863 and 0x8864:
• hexadecimal_number—ethertype value for the discovery phase.
• hexadecimal_number—ethertype value for the session phase.
For more information on the discovery and session phases, see RFC 2516.

service <name>

Note: Use this option if your ISP supports it.

ISP service name:
• name—ISP service name.


timeout <number>
Idle or connection check timeout:
• number—timeout in seconds.
Default: 60 seconds
Timeout value range: 30 to 11800

type <static srcaddr <source-ip-address/masklen> dstaddr <pppoe-peer-ip-address/masklen>> | <dynamic>
PPPoE interface type:
• static—you assign the source and peer IP addresses when IPCP is negotiated.
• dynamic—the peer specifies the IP address.
Default type: dynamic

Note: The ifroute <ip address/masklen value> must be entered if a dynamic type PPPoE profile is selected. The masklen value must be 32. The system automatically creates the interface route for the IP address pointing to the PPPoE interface as the next hop.

wins <primarywins | secondarywins>

Note: Use this option if your ISP supports it.

WINS and NBNS option:
• primarywins—primary WINS/NBNS server only.
• secondarywins—both primary and secondary WINS/NBNS servers.

<CR>
End.

[no] pppoe profile <name>
Delete an existing profile:
• name—profile name.

interface profilename <profile>
Create a PPPoE interface by using the profile name:
• profile—name of the profile.

You can create only one PPPoE interface per PPPoE profile. Multiple PPPoE interfaces are created automatically in sequential order (pppoe-0, pppoe-1, pppoe-2, and so on).

Note: You can create multiple PPPoE profiles by using the same Ethernet interface if the values for the command options used in the profiles are not duplicated.


Modify a PPPoE Profile

To modify individual values of any option in an existing PPPoE profile, retype the PPPoE profile command with the profile name and change the value of the relevant option. For the new profile values to come into effect, either reboot the system, or deactivate and then activate the PPPoE interface.

Examples

Create a PPPoE interface with dynamic-IP type and demand mode, and authentication CHAP on the eth-2 external interface with a remote destination gateway IP address of 100.1.1.1.

Config# int eth-2 up

Config# pppoe profile prof1 eth eth-2 user <username> passwd <password> auth chap type dynamic ifroute 100.1.1.1/32 mode demand timeout 120 debug info

Config# pppoe interface profilename prof1

Config# exit

show pppoe profile prof1

show pppoe interface

Create a PPPoE interface with static-IP type and demand mode, and authentication PAP on the eth-3 interface with the following inputs:

Source IP address: 200.5.6.27/24
PPPoE peer IP address: 192.168.10.1/24

Config# int eth-3 up

Config# pppoe profile prof2 eth eth-3 user <username> passwd <password> auth pap type static srcaddr 200.5.6.27/24 dstaddr 192.168.10.1/24 mode demand timeout 300

Config# pppoe interface profilename prof2

Config# exit

show pppoe profile prof2

show pppoe interface

[no] pppoe interface <name>
Delete a PPPoE interface:
• name—interface name.

Note: You cannot delete a PPPoE profile if an existing PPPoE interface is bound to the profile. You must first delete the PPPoE interface associated with the profile.


Create a PPPoE interface with dynamic type and keepalive mode with 3COM as the PPPoE server:

Config# int eth-2 up

Config# pppoe profile 3com eth eth-2 user <username> passwd <password> type dynamic ifroute 192.168.1.1/32 nonstandard 0x3c12:0x3c13

Config# pppoe interface profilename 3com

Config# exit

show pppoe profile 3com

show pppoe interface

Note: In the preceding example, the default mode is keepalive and the authentication type is autodetect.
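The three examples above each exercise a different subset of the profile rules in the argument table: the auth, mode and type defaults, the masklen-32 requirement on ifroute for a dynamic profile, the mtu and timeout ranges, and the 0xABCD:0xABCD form of the nonstandard option. The following Python linter is an added example written for this guide's reader, not Nokia code and not part of the original document. It parses a pppoe profile command line in the form documented under Syntax above and reports every documented constraint the line violates. The user names and passwords it is run with are constructed placeholders; the positional part is assumed to be "pppoe profile <name> eth <eth-n> user <user> passwd [<passwd>]", with "eth-interface" accepted as a spelling of "eth".

```python
import re

# Added example: lint a "pppoe profile" command against the constraints documented above.
# Assumption: the positional part is "pppoe profile <name> eth <eth-n> user <user> passwd [<passwd>]"
# (the examples use "eth", the syntax line "eth-interface"; both are accepted here).
ETH_IFACES = {"eth-1", "eth-2", "eth-3", "eth-4"}
CHOICES = {                       # options that take one value from a fixed set
    "auth": {"chap", "mschap", "noauth", "pap"},
    "debug": {"all", "info"},
    "dns": {"primarydns", "secondarydns"},
    "mode": {"demand", "keepalive"},
    "wins": {"primarywins", "secondarywins"},
}
RANGES = {"mtu": (136, 1492), "timeout": (30, 11800)}   # documented ranges (bytes, seconds)
TEXT = {"acname", "service", "ifroute", "nonstandard"}   # options that take one free-form value
FLAGS = {"external", "nodefaultroute"}                    # options without a value
CIDR_RE = re.compile(r"^(\d{1,3})\.(\d{1,3})\.(\d{1,3})\.(\d{1,3})/(\d{1,2})$")
ETHERTYPE_RE = re.compile(r"^0x[0-9A-Fa-f]{4}:0x[0-9A-Fa-f]{4}$")


def masklen(cidr):
    """Prefix length of 'a.b.c.d/n', or None if the text is not a valid address/masklen."""
    m = CIDR_RE.match(cidr)
    if not m:
        return None
    octets = [int(x) for x in m.groups()[:4]]
    plen = int(m.group(5))
    if max(octets) > 255 or plen > 32:
        return None
    return plen


def parse_pppoe_profile(cmd):
    """Return (profile dict, list of problems); an empty problem list means the line is acceptable."""
    toks = cmd.split()
    if toks[:1] == ["Config#"]:
        toks = toks[1:]
    if (len(toks) < 8 or toks[:2] != ["pppoe", "profile"] or toks[3] not in ("eth", "eth-interface")
            or toks[5] != "user" or toks[7] != "passwd"):
        return {}, ["expected: pppoe profile <name> eth <eth-n> user <user> passwd <passwd>"]
    # Defaults stated in the argument table: auth autodetect, mode keepalive, type dynamic.
    prof = {"name": toks[2], "eth": toks[4], "user": toks[6],
            "auth": "autodetect", "mode": "keepalive", "type": "dynamic"}
    problems = []
    if prof["eth"] not in ETH_IFACES:
        problems.append(f"unknown Ethernet interface {prof['eth']}")
    i = 8
    if i < len(toks):                      # "passwd <CR>" means the password token is absent
        prof["passwd"] = toks[i]
        i += 1
    while i < len(toks):
        opt = toks[i]
        if opt in FLAGS:
            prof[opt] = True
            i += 1
            continue
        if opt == "type":
            if toks[i + 1:i + 2] == ["dynamic"]:
                prof["type"] = "dynamic"
                i += 2
            elif (toks[i + 1:i + 2] == ["static"] and toks[i + 2:i + 3] == ["srcaddr"]
                  and toks[i + 4:i + 5] == ["dstaddr"] and i + 5 < len(toks)):
                prof["type"], prof["srcaddr"], prof["dstaddr"] = "static", toks[i + 3], toks[i + 5]
                for key in ("srcaddr", "dstaddr"):
                    if masklen(prof[key]) is None:
                        problems.append(f"{key} {prof[key]} is not a valid address/masklen")
                i += 6
            else:
                problems.append("type must be 'dynamic' or 'static srcaddr <a/m> dstaddr <a/m>'")
                break
            continue
        if i + 1 >= len(toks):
            problems.append(f"option {opt} is missing its value")
            break
        val = toks[i + 1]
        if opt in CHOICES:
            if val not in CHOICES[opt]:
                problems.append(f"{opt} must be one of {sorted(CHOICES[opt])}, got {val}")
            prof[opt] = val
        elif opt in RANGES:
            lo, hi = RANGES[opt]
            if val.isdigit() and lo <= int(val) <= hi:
                prof[opt] = int(val)
            else:
                problems.append(f"{opt} must be an integer from {lo} to {hi}, got {val}")
        elif opt in TEXT:
            if opt == "ifroute" and masklen(val) is None:
                problems.append(f"ifroute {val} is not a valid address/masklen")
            if opt == "nonstandard" and not ETHERTYPE_RE.match(val):
                problems.append(f"nonstandard must have the form 0xABCD:0xABCD, got {val}")
            prof[opt] = val
        else:
            problems.append(f"unknown option {opt}")
        i += 2
    # A dynamic profile cannot learn the peer address before connecting, so the guide
    # requires an explicit interface route to the peer with masklen 32.
    if prof["type"] == "dynamic":
        route = prof.get("ifroute")
        if route is None:
            problems.append("type dynamic requires ifroute <peer-ip>/32")
        elif masklen(route) != 32:
            problems.append(f"ifroute masklen must be 32 for a dynamic profile, got {route}")
    return prof, problems
```

Running the three profile lines from the examples through parse_pppoe_profile yields an empty problem list for each; a dynamic profile with an ifroute of /24, an mtu of 1500 or a timeout of 10 is reported before it reaches the gateway.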

Related Commands

See the Config# interface <pppoe-n> down command in “Config# interface” on page 32.
See the Config# interface <pppoe-n> up command in “Config# interface” on page 32.
See the “mss-clamp” command on page 63.

Configuring VRRP

Use the vrrp command to configure VRRP. VRRP provides a simple way to have a standby gateway take over an IP address if the primary gateway fails. VRRP is not supported in a clustered environment.

Note: To enable or disable VRRP, from the command mode (>) use the vrrp enable or vrrp disable commands. To enable the VRRP daemon, use the vrrp interface command.

Syntax

Config# [no] vrrp interface

Config# vrrp interface <eth-1 | eth-2 | eth-3 | eth-4> <address> <priority <backup | master | <1-255>>> vrid <1-255>

Config# [no] vrrp
[advertisement-interval <1-255>]
[auth-passwd]
[no-preempt]
[while-backup <allow-forwarding | allow-ipsec | call-dialup>]


Note: To check if a device is acting as the VRRP master, use the show vrrp command to view the current state of the device.

Arguments

no
Negate the command.

interface <eth-1 | eth-2 | eth-3 | eth-4> <address> <priority <backup | master | <1-255>>> vrid <1-255>
Select the interface on which VRRP is to be enabled.

Note: You can enable VRRP on only one interface at a time.

• address—IP address of the virtual router.
• priority—set the priority to one of the following:
  priority backup
  priority master
  a specific priority value (1-255)

Note: If the priority is set to master, the IP address of the virtual router must be the same as the IP address of the device interface.

• vrid—virtual router ID value.

advertisement-interval <1-255>
Overrides the default advertisement interval value. Default: one second.

auth-passwd
Enable simple text password authentication between peers. You must enter an eight-character password string.

no-preempt
Configure the virtual router to prohibit preemption. Default: preempt.

no vrrp interface
Deletes the VRRP configuration.

while-backup <allow-forwarding | allow-ipsec | call-dialup>
Options when VRRP is in the backup state:
• allow-forwarding—allow forwarding in the backup state.
• allow-ipsec—allow IPSec in the backup state.
• call-dialup—on becoming master, call dialup.


Enable or Disable VRRP

Use the vrrp command (from the command mode (>)) to enable or disable VRRP.

Syntax

vrrp
[disable]
[enable]

Arguments

disable
Temporarily disable VRRP.

enable
Enable VRRP.

Related Commands

See the show vrrp command in “show” on page 106.
See the debug vrrp command in “[no] debug” on page 157.
See the Config# [no] debug vrrp command in “Config# [no] debug” on page 171.

Configuring Routing

You can configure one of the following types of routing for Nokia IP VPN Gateway:

Static Routing
Dynamic Routing
  RIPv1 and RIPv2
  OSPFv2
  BGPv4
Routing over IPSec

Static Routing

Use the route command to configure a static route. With a static route entry, packets for a specified destination address are directed to the interface associated with the next-hop address.

Syntax

Config# [no] route <ADDR> <NETMASK> <ADDR> <[blackhole | cloning | expire <decimal> | genmask <ADDR> | inet | mtu <decimal> | nostatic | static]>


Examples

Config# route 10.0.0.0 255.0.0.0 10.2.2.2

Routes traffic to the network 10.0.0.0/8 through the interface associated with next-hop address 10.2.2.2.

Config# route default 0.0.0.0 10.3.3.3

Directs all packets for unknown destinations to next-hop address 10.3.3.3.

Config# no route 10.10.0.0 255.0.0.0 10.2.2.2

Deletes the route to network 10.10.0.0/8.
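As an added illustration of how a forwarding table resolves entries like the ones above (example code written for this guide's reader, not Nokia software), the following Python class applies route and no route lines in the documented form and answers a lookup with the longest matching prefix. That rule is why the default route only catches destinations that no more specific route covers. The blackhole flag is honoured as a discard; the remaining flags from the syntax line are parsed and recorded but do not change forwarding in this model, which is an assumption of the example.

```python
import ipaddress

# Added example: a static routing table fed with "route <ADDR> <NETMASK> <ADDR> [flags]" lines
# in the form documented above. Only the blackhole flag changes forwarding behaviour here;
# the remaining flags are accepted and recorded but not interpreted (assumption of this example).
FLAGS_WITH_VALUE = {"expire", "genmask", "mtu"}
FLAGS_BARE = {"blackhole", "cloning", "inet", "nostatic", "static"}


class RouteTable:
    def __init__(self):
        self.routes = []          # entries of (network, gateway, blackhole)

    def apply(self, line):
        """Apply one 'route' or 'no route' command; returns True if the table changed."""
        toks = line.split()
        if toks[:1] == ["Config#"]:
            toks = toks[1:]
        negate = toks[:1] == ["no"]
        if negate:
            toks = toks[1:]
        if len(toks) < 4 or toks[0] != "route":
            raise ValueError(f"expected 'route <ADDR> <NETMASK> <ADDR>', got: {line}")
        dest, mask, gateway = toks[1], toks[2], toks[3]
        if dest == "default":             # "route default 0.0.0.0 <gw>" is the 0.0.0.0/0 route
            dest = "0.0.0.0"
        # strict=False accepts a destination with host bits set, as the "no route 10.10.0.0
        # 255.0.0.0" example above does; the entry is normalised to its network (10.0.0.0/8).
        network = ipaddress.ip_network(f"{dest}/{mask}", strict=False)
        flags = set()
        i = 4
        while i < len(toks):
            if toks[i] in FLAGS_WITH_VALUE:
                flags.add(toks[i])
                i += 2
            elif toks[i] in FLAGS_BARE:
                flags.add(toks[i])
                i += 1
            else:
                raise ValueError(f"unknown route flag {toks[i]}")
        entry = (network, ipaddress.ip_address(gateway), "blackhole" in flags)
        if negate:
            if entry in self.routes:
                self.routes.remove(entry)
                return True
            return False
        if entry in self.routes:
            return False
        self.routes.append(entry)
        return True

    def next_hop(self, destination):
        """Gateway for a destination, 'blackhole' if the best route discards, None if no route matches."""
        addr = ipaddress.ip_address(destination)
        best = None
        for network, gateway, blackhole in self.routes:
            if addr in network and (best is None or network.prefixlen > best[0].prefixlen):
                best = (network, gateway, blackhole)
        if best is None:
            return None
        return "blackhole" if best[2] else str(best[1])
```

Feeding the three example lines in order shows the effect the text describes: after the no route line, a destination inside 10.0.0.0/8 falls through to the default route's next hop 10.3.3.3.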

Arguments

no
Negate the command.

<ADDR> <NETMASK> <ADDR> <[blackhole | cloning | expire <decimal> | genmask <ADDR> | inet | mtu <decimal> | nostatic | static]>
Configure a route:
• ADDR—destination address (or default: the address 0.0.0.0, used to direct traffic with an unknown address).
• NETMASK—route destination netmask.
• ADDR—route gateway address.
• blackhole—silently discard packets during updates.
• cloning—generate a new route on use.
• expire—set route expiration.
• expire decimal—route expiration.
• genmask—set route genmask address.
• genmask ADDR—route genmask address.
• inet—set the address family for this route to Internet.
• mtu—set the MTU for this route.
• mtu decimal—route MTU.
• nostatic—clear the static route flag on this route.
• static—set the static route flag for this route.

Dynamic Routing

Use the ipsrd command to manage the IPSRD process if it is enabled. For more information about IPSRD, RIPv1 and RIPv2, OSPFv2, and BGP4, see the Nokia IP VPN Gateway Routing Administration Guide v6.3.


Note: To start IPSRD, use the command Config# enable ipsrd. To stop IPSRD, use the command Config# disable ipsrd. For more information about the enable and disable commands, see “enable” on page 129 and “disable” on page 128.

Syntax

ipsrd
[dump <NAME>]
[reconfigure]
[restart]

Arguments

dump <NAME>
Dump IPSRD state into a specified file:
• NAME—name of the dump file.

Note: This command affects only the node on which the command is run.

reconfigure
Reconfigure IPSRD. IPSRD re-reads the IPSRD configuration file and incorporates the changes into the running protocols.

Note: Reconfiguring IPSRD on any node of a cluster automatically reconfigures IPSRD on all the nodes of the cluster.

restart
The IPSRD process is killed and then restarted.

Note: IPSRD restarts only on the node on which the command is run.

Routing over IPSec

IPSec routing reduces user configuration by connecting routing to dynamic IPSec policy entries. A domain can grow or change without having to reconfigure the IPSec configuration every time a network is added or deleted.


Note: For more information about Routing over IPSec, see the Nokia IP VPN Gateway Routing Administration Guide v6.3.

Configuring Clustering

Use the cluster commands to set or modify cluster information.

Command Mode Commands

Use the following command mode command to set or modify cluster information.

cluster

Use the cluster command to reboot all the nodes in a cluster.

Syntax

cluster
reboot <now>
reset <now>

Arguments

reboot <now>
Perform a reboot of each node in the cluster:
• now—reboot all nodes in the cluster immediately.

Note: During a staggered reboot, the system takes 120 seconds for the last node to reboot. During this sequence, security tunnels load balance to each remaining node. After approximately 30 minutes, the load evenly rebalances across the rebooted nodes.

reset <now>
Reset each node in the cluster:
• now—reset all the nodes immediately.

Related Commands

See the debug cluster command in “debug” on page 156.
See the “reboot” command on page 103.
See the “schedule” command on page 103.
See the show cluster command in “show” on page 105.

Configuration Mode Commands

Use the following configuration mode command to set or modify cluster information.

cluster

Use the cluster command to change cluster information. Clusters share internal and external IP addresses and referees, cluster names, and cluster modes. All nodes in a cluster must have the same cluster parameters. The clustered gateway uses the cluster internal and external IP addresses for communication.

All clusters must have referees for proper operation. Referees are set on the internal and external sides separately, and one referee is required on each side. A cluster without referees on the internal interface and the external interface does not operate reliably.

Cluster IP addresses must be in the same subnet as the individual addresses on each node for each side. For example, all of the external interface addresses, including the cluster address, must have the same subnet mask. For more information about cluster modes, see the Nokia IP VPN Gateway Configuration Guide v6.3.

Note: When you change cluster-specific information, you must save the changes on every node in the cluster and reboot them before the changes can take effect.

Syntax

Config# [no] cluster
external address <A.B.C.D> | family inet address <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>> [netmask <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>]
internal address <A.B.C.D> | family inet address <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>> [netmask <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>]
mode <forward | unicast | multicast>
name <STRING>


Arguments

no
Negate the command.

external address <A.B.C.D> | family inet address <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>> | netmask <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>
Configure the cluster external address or specify the address family:
• external address <A.B.C.D>—cluster IP address.
• family inet address <A.B.C.D>—cluster IP address.
• interface—configure the associated cluster interface.
• eth-1—name of the interface to bind to the cluster address.
• eth-2—name of the interface to bind to the cluster address.
• eth-3—name of the interface to bind to the cluster address.
• eth-4—name of the interface to bind to the cluster address.
• referee <A.B.C.D>—configure the IP address of a referee for checking connectivity.

internal address <A.B.C.D> | family inet address <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>> | netmask <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>
Configure the cluster internal address or specify the address family:
• internal address <A.B.C.D>—cluster IP address.
• family inet address <A.B.C.D>—cluster IP address.
• interface—configure the associated cluster interface.
• eth-1—name of the interface to bind to the cluster address.
• eth-2—name of the interface to bind to the cluster address.
• eth-3—name of the interface to bind to the cluster address.
• eth-4—name of the interface to bind to the cluster address.
• referee <A.B.C.D>—configure the IP address of a referee for checking connectivity.

mode <forward | unicast | multicast>
Configure the cluster communication mode:
• forward—master forwarding. This is the default mode.
• unicast—unicast packet forwarding.
• multicast—multicast packet forwarding.

name <string>
Configure the cluster name:
• string—cluster name (a maximum of 15 alphanumeric characters).


Examples

Config# cluster internal address 10.10.10.10 netmask 255.0.0.0 interface eth-1 referee 10.10.10.20

Assigns the IP address 10.10.10.10 to the internal cluster address.

Config# cluster name mycluster

Changes the name of the cluster to mycluster.

Config# cluster mode unicast

Changes the cluster communication mode to unicast.

Related Commands

See the “pin” command on page 102.

Configuring Network Settings

Use the following command mode and configuration mode commands to configure network settings.

Command Mode Commands

Use the following command mode commands to configure network settings.

Command Description

arp Utility to display or clear the ARP cache.

firewall Firewall commands.

arp

The arp command displays, and allows you to modify, the IP address-to-Ethernet address translation tables that the Address Resolution Protocol (ARP) uses.

Syntax

arp
-a
-f
-n
-<options>
<HOST>


Arguments

-a
Display all ARP entries.

Note: The arp -a command displays the same information as the show arp command.

-f
Flush the ARP table.

-n
Do not look up symbolic host names.

-<options>
Combination of ARP options.

<HOST>
Host name or the dotted-decimal IP address.

Related Commands

See the clear arp command in “clear” on page 76.
See the show arp command in “show” on page 105.
See the “Config# [no] arp” command on page 55.

firewall

Use the firewall command to clear stateful entries and to disable or enable the firewall. For more information about configuring the firewall and NAT, see Configuring Firewall and Network Address Translation on page 255.

Syntax

firewall
clear-global-log
clear-state
disable
enable <policy-manager <ADDR> | <CR>>
global-log
rate-limit <<NUMBER> | <CR>>

Arguments

clear-global-log
Removes the global log option for the firewall rules. This command is cluster aware and is not persistent across reboots.

clear-state
Clear the stateful packet entries.

disable
Disable firewall processing.


enable <policy-manager <ADDR> | <CR>>
Enable firewall features:
• policy-manager—allow the firewall to pass local policy manager traffic.
• policy-manager ADDR—peer dotted-decimal address.
• CR—enable firewall processing.

global-log
Enables the global log for all firewall rules. This log is enabled only for the rules that do not have a log option in the rule. The log level for this global log is Notice. This command is cluster aware and is not persistent across reboots.

rate-limit <<NUMBER> | <CR>>
Limit the rate of new state entries:
• NUMBER—maximum new states per second (0 = no limit).
• CR—show the current rate limit.

Configuration Mode Commands

Use the following configuration mode commands to configure network settings.

Command Description

arp Configure an ARP table entry.

bootp-forwarder Configure the BootP forwarder.

dhcp-server Configure the DHCP server.

diff-serv Configure general diff-serv marking properties.

dns Configure the DNS client options.

ip-address-pool Configure the IP address pools.

lns Configure the LNS values.

mss-clamp Configure TCP maximum segment size clamping.

ntp Configure the NTP client.

pns Configure the PPTP PNS values.

ppp Configure PPP values.

snmp Configure the SNMP agent.


arp

Use the arp command to add, delete, and change ARP entries in the node ARP table.

Syntax

Config# [no] arp
add <ADDR> <auto | proxy | MAC ADDR> <publish | temporary>
change <ADDR> <auto | proxy | MAC ADDR> <publish | temporary>
delete <ADDR> <proxy>

Arguments

no
Negate the command.

add <ADDR> <auto | proxy | MAC ADDR> <publish | temporary>
Add an ARP entry to the node ARP table:
• ADDR—ARP host name or dotted-decimal address.
• auto—determine the MAC address from the local interface on the network for the host.
• auto publish—set the publish flag on this ARP entry.
• auto temporary—set the temporary flag on this ARP entry.
• proxy—create a proxy entry. The publish and temporary flags can also be specified, which causes the gateway to respond to ARP requests with its own MAC address.
• proxy publish—set the publish flag on this ARP entry.
• proxy temporary—set the temporary flag on this ARP entry.
• MAC ADDR—specify the ARP MAC address (for example, A0:B1:C2:D3:E4:F5).
• MAC ADDR publish—set the publish flag on this ARP entry.
• MAC ADDR temporary—set the temporary flag on this ARP entry.


change <ADDR> <auto | proxy | MAC ADDR> <publish | temporary>
Change an ARP entry in the node ARP table:
• ADDR—ARP host name or dotted-decimal address.
• auto—determine the MAC address from the local interface on the network for the host.
• auto publish—set the publish flag on this ARP entry.
• auto temporary—set the temporary flag on this ARP entry.
• proxy—change to a proxy entry. The publish and temporary flags are also available.
• proxy publish—set the publish flag on this ARP entry.
• proxy temporary—set the temporary flag on this ARP entry.
• MAC ADDR—specify the ARP MAC address (for example, A0:B1:C2:D3:E4:F5).
• MAC ADDR publish—set the publish flag on this ARP entry.
• MAC ADDR temporary—set the temporary flag on this ARP entry.

delete <ADDR> <proxy>
Delete an ARP entry from the node ARP table:
• ADDR—ARP host name or dotted-decimal address.
• proxy—delete the proxy ARP entry.

bootp-forwarder or dhcp relay

Use the bootp-forwarder command to forward BOOTP and DHCP requests to a BOOTP or DHCP server on another network segment.

Syntax

Config# [no] bootp-forwarder
[interface <eth-1 | eth-2 | eth-3 | eth-4> servers <ADDR> <ADDR>]

Arguments

no
Negate the command.

interface <eth-1 | eth-2 | eth-3 | eth-4>
Interface option for the BOOTP forwarder: the interface on which BOOTP requests are received.
• eth-1—interface name for this BOOTP forwarder server list.
• eth-2—interface name for this BOOTP forwarder server list.
• eth-3—interface name for this BOOTP forwarder server list.
• eth-4—interface name for this BOOTP forwarder server list.

servers <ADDR>
Identify the BOOTP server:
• ADDR—host name or IP address of the BOOTP server.

Examples

Config# bootp-forwarder interface eth-1 servers 10.23.44.5 10.23.44.6

Enables the forwarding of BOOTP requests on eth-1 to 10.23.44.5 and 10.23.44.6.

dhcp-server

Use the dhcp-server command to configure the following elements:

IP address pool for dynamic assignments
Static entries (map IP addresses to Ethernet addresses)
Netmask
Default route
DNS servers
Domain name
Lease time
Microsoft networking options (NetBIOS)

Note: The DHCP server and the bootp-forwarder (dhcp-relay) commands are mutually exclusive features. If you enable the BOOTP forwarder, the DHCP server feature is automatically disabled, and vice versa.


Syntax

Config# [no] dhcp-server <eth-1 | eth-2 | eth-3 | eth-4>
[default-route <A.B.C.D>]
[dns-servers <A.B.C.D>]
[domain-name <domainname>]
dynamic <A.B.C.D> <A.B.C.D>
[exclude <A.B.C.D>]
[ignore-ras]
[lease <number-of-seconds>]
[nbt-dd-servers <A.B.C.D>]
[nbt-name-servers <A.B.C.D>]
[nbt-node-type <broadcast | hybrid | mixed | peer>]
[nbt-scope <scope>]
[netmask <A.B.C.D>]
[non-authoritative]
static <A.B.C.D> <client-id <Client ID> | <MAC ADDR>>

Note: To enable the DHCP server, you must use the static or dynamic commands.

Arguments

no
Negate the command.

default-route <A.B.C.D>
Overrides the default route for this interface:
• <A.B.C.D>—default route for hosts on this subnet. The default value assigned is the IP address of the gateway interface.

dns-servers <A.B.C.D>
Overrides the DNS servers for this interface:
• <A.B.C.D>—IP address of the DNS servers to be provided to the DHCP clients.

domain-name <domainname>
Overrides the domain name for this interface:
• domainname—domain name that is to be provided to the DHCP clients.

dynamic <A.B.C.D> <A.B.C.D>
Configure an IP address pool for this interface:
• <A.B.C.D>—starting IP address for the DHCP clients.
• <A.B.C.D>—ending IP address for the DHCP clients.
Pool range is 1 to 256 addresses only.

exclude <A.B.C.D>
The IP addresses that must be excluded from the dynamic range:
• <A.B.C.D>—list of individual IP addresses that must be excluded from the dynamic range.


ignore-ras
Ignore RAS servers on this interface. Default value: respond to RAS requests.

lease <number-of-seconds>
Set the DHCP lease duration for this interface:
• number-of-seconds—time (in seconds) for which a lease should be granted. Default lease duration: 3600 seconds.

nbt-dd-servers <A.B.C.D>
Configure NetBIOS Datagram Distribution servers to set on the DHCP clients for this interface:
• <A.B.C.D>—IP address of the NetBIOS Datagram servers that must be provided to the DHCP clients.

Note: You can configure only two servers for each interface.

nbt-name-servers <A.B.C.D>
Configure NetBIOS name servers (WINS) to set on the DHCP clients for this interface. The name server translates NetBIOS names to IP addresses.
• <A.B.C.D>—IP address of the NetBIOS name servers that must be provided to the DHCP clients.

Note: You can configure only two servers for each interface.

nbt-node-type <broadcast | hybrid | mixed | peer>
Configure the NetBIOS node type to set on DHCP clients for this interface:
• broadcast—clients broadcast for NetBIOS lookups.
• hybrid—clients use WINS before broadcast for NetBIOS lookups.
• mixed—clients use broadcast before WINS for NetBIOS lookups.
• peer—clients connect to WINS for NetBIOS lookups.

nbt-scope <scope>
Configure the NetBIOS scope ID to set on DHCP clients for this interface:
• scope—NetBIOS scope to give to the DHCP clients. Maximum of 32 characters.


Related Commands

See the debug dhcp server command in “debug” on page 156.

Example

In the following examples, the client ID value is given as a string and as a hexadecimal value:

dhcp-server eth-1 static 123.121.222.126 client_id AAAAAA

The DHCP server reserves the IP address 123.121.222.126 for the DHCP client whose client ID is AAAAAA.

dhcp-server eth-1 static 123.121.222.126 client_id 40:40:40:40:40:40

The DHCP server reserves the IP address 123.121.222.126 for the DHCP client whose client ID is 40:40:40:40:40:40.
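The dhcp-server options interact: the dynamic pool is bounded to 256 addresses, exclude removes individual addresses from it, static entries reserve addresses for a client ID or MAC, and only two NetBIOS servers of each kind may be set per interface. The following Python class is an added example for this guide's reader, not Nokia code: it collects the dhcp-server lines for one interface, reports violations of the limits stated in the argument table, and computes the set of addresses left for dynamic assignment. The interface names, addresses, client IDs and MAC addresses it is tested with are constructed values; the grouping of a line into keyword/value runs and the lowercasing of MAC addresses are assumptions of the example.

```python
import ipaddress
import re

# Added example: collect the dhcp-server settings for one interface from command lines in the
# documented form and check the limits stated in the argument table (pool of 1 to 256 addresses,
# at most two NetBIOS servers per interface, 32-character scope, 255-character client ID).
KEYWORDS = {"default-route", "dns-servers", "domain-name", "dynamic", "exclude", "ignore-ras",
            "lease", "nbt-dd-servers", "nbt-name-servers", "nbt-node-type", "nbt-scope",
            "netmask", "non-authoritative", "static"}
NODE_TYPES = {"broadcast", "hybrid", "mixed", "peer"}
MAC_RE = re.compile(r"^([0-9A-Fa-f]{2}:){5}[0-9A-Fa-f]{2}$")


class DhcpScope:
    def __init__(self, iface):
        self.iface = iface
        self.pool = None                   # (first, last) IPv4Address of the dynamic range
        self.excluded = set()
        self.reservations = {}             # ip -> ("client-id", value) or ("mac", value)
        self.nbt_servers = {"nbt-dd-servers": [], "nbt-name-servers": []}
        self.settings = {"lease": 3600}    # documented default lease, in seconds
        self.problems = []

    def apply(self, line):
        """Apply one dhcp-server command for this interface."""
        toks = line.split()
        if toks[:1] == ["Config#"]:
            toks = toks[1:]
        if len(toks) < 3 or toks[0] != "dhcp-server" or toks[1] != self.iface:
            self.problems.append(f"not a dhcp-server command for {self.iface}: {line}")
            return
        # Group the line as keyword -> values up to the next keyword (assumption of this example),
        # so that list-valued options such as exclude or dns-servers can take several addresses.
        groups = []
        for tok in toks[2:]:
            if tok in KEYWORDS:
                groups.append((tok, []))
            elif not groups:
                self.problems.append(f"unexpected token {tok}")
            else:
                groups[-1][1].append(tok)
        for key, vals in groups:
            self._option(key, vals)

    def _option(self, key, vals):
        if key == "dynamic":
            if len(vals) != 2:
                self.problems.append("dynamic needs a starting and an ending address")
                return
            first, last = (ipaddress.IPv4Address(v) for v in vals)
            size = int(last) - int(first) + 1
            if not 1 <= size <= 256:
                self.problems.append(f"dynamic pool must hold 1 to 256 addresses, this one holds {size}")
            self.pool = (first, last)
        elif key == "exclude":
            self.excluded.update(ipaddress.IPv4Address(v) for v in vals)
        elif key == "static":
            # "static <ip> client-id <id>" (the example above spells it client_id) or "static <ip> <MAC>"
            if len(vals) == 3 and vals[1] in ("client-id", "client_id"):
                if len(vals[2]) > 255:
                    self.problems.append("client ID longer than 255 characters")
                self.reservations[vals[0]] = ("client-id", vals[2])
            elif len(vals) == 2 and MAC_RE.match(vals[1]):
                self.reservations[vals[0]] = ("mac", vals[1].lower())
            else:
                self.problems.append(f"static needs <ip> client-id <id> or <ip> <MAC>, got: {' '.join(vals)}")
        elif key in self.nbt_servers:
            self.nbt_servers[key].extend(vals)
            if len(self.nbt_servers[key]) > 2:
                self.problems.append(f"{key}: only two servers can be configured per interface")
        elif key == "nbt-node-type":
            if len(vals) == 1 and vals[0] in NODE_TYPES:
                self.settings[key] = vals[0]
            else:
                self.problems.append(f"nbt-node-type must be one of {sorted(NODE_TYPES)}")
        elif key == "nbt-scope":
            if len(vals) == 1 and len(vals[0]) <= 32:
                self.settings[key] = vals[0]
            else:
                self.problems.append("nbt-scope is one value of at most 32 characters")
        elif key == "lease":
            if len(vals) == 1 and vals[0].isdigit():
                self.settings["lease"] = int(vals[0])
            else:
                self.problems.append("lease needs a number of seconds")
        elif key in ("ignore-ras", "non-authoritative"):
            self.settings[key] = True
        else:                              # default-route, dns-servers, domain-name, netmask
            self.settings[key] = vals

    def enabled(self):
        """The guide says the server is enabled only once a static or dynamic entry exists."""
        return self.pool is not None or bool(self.reservations)

    def available(self):
        """Addresses the server may hand out dynamically: the pool minus exclusions and reservations."""
        if self.pool is None:
            return []
        first, last = self.pool
        taken = self.excluded | {ipaddress.IPv4Address(ip) for ip in self.reservations}
        return [str(ipaddress.IPv4Address(n)) for n in range(int(first), int(last) + 1)
                if ipaddress.IPv4Address(n) not in taken]
```

A scope with a dynamic range of eleven addresses, one exclusion and one reservation inside the range leaves nine addresses for dynamic assignment; a range of 511 addresses or a third NetBIOS server is reported as a problem rather than silently accepted.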

netmask <A.B.C.D>
Overrides the netmask value for this interface:
• <A.B.C.D>—netmask for hosts on this subnet. The default value assigned is the netmask of the gateway interface.

non-authoritative
Run in the nonauthoritative mode. The default value assigned is to be authoritative (in the authoritative mode the DHCP server issues DHCP NAKs).

Note: You might need to run in the nonauthoritative mode (disable the NAKs) when the LAN has multiple IP subnets on the same broadcast segment.

static <A.B.C.D> <client-id <Client ID> | <MAC ADDR>>
Configure a static IP address entry:
• <A.B.C.D>—IP address of the static DHCP client.
• Client ID—client identifier value, entered as a string or a hexadecimal value (for example XX:XX:XX:XX:XX:XX:XX:XX). This value can have a maximum of 255 characters.
• MAC ADDR—MAC address (XX:XX:XX:XX:XX:XX) of the static DHCP client.

diff-serv

Use the diff-serv command to configure diff-serv marking properties.

Syntax

Config# diff-serv codepoint
[assured <AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43>]
[best-effort]
[expedited]
[pass-through]
[<NUMBER>]

Examples

Config# diff-serv codepoint assured AF13

Sets the default diff-serv marking codepoint value to the AF13 value defined in RFC 2597.

Config# diff-serv codepoint pass-through

Sets the default diff-serv marking behavior to not alter the DS field in packets flowing through the gateway.
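The codepoint names the command accepts map to fixed six-bit DSCP values, and the gateway writes that value into the DS field of each packet it marks. The following Python block is an added example for this guide's reader, not Nokia code: it translates the arguments of a diff-serv codepoint command into a DSCP value and shows where that value lands in the IP header. The numeric values come from the RFCs the command refers to: an assured forwarding codepoint AFxy has DSCP 8x + 2y (RFC 2597), expedited forwarding is 46 (RFC 3246), and best effort is the default codepoint 0 (RFC 2474); the two low bits of the TOS byte are the ECN field and are preserved by the marking function.

```python
# Added example: translate "diff-serv codepoint ..." arguments into the 6-bit DSCP value and
# show where that value lands in the IP header. The numeric values come from the RFCs the
# command refers to: assured forwarding AFxy = 8x + 2y (RFC 2597), expedited forwarding 46
# (RFC 3246), best effort / default 0 (RFC 2474).
EXPEDITED = 46
BEST_EFFORT = 0


def af_dscp(name):
    """DSCP of an assured forwarding codepoint name such as 'AF13' (class 1, drop precedence 3)."""
    name = name.upper()
    if len(name) != 4 or name[:2] != "AF" or name[2] not in "1234" or name[3] not in "123":
        raise ValueError(f"not an assured forwarding codepoint: {name}")
    return 8 * int(name[2]) + 2 * int(name[3])


def codepoint_value(args):
    """DSCP (0-63) for the arguments of 'diff-serv codepoint', or None for pass-through."""
    if args == ["pass-through"]:
        return None
    if args == ["best-effort"]:
        return BEST_EFFORT
    if args == ["expedited"]:
        return EXPEDITED
    if len(args) == 2 and args[0] == "assured":
        return af_dscp(args[1])
    if len(args) == 1 and args[0].isdigit() and 0 <= int(args[0]) <= 63:
        return int(args[0])
    raise ValueError(f"unrecognised codepoint arguments: {args}")


def parse_command(line):
    """Parse a full 'Config# diff-serv codepoint ...' line."""
    toks = line.split()
    if toks[:1] == ["Config#"]:
        toks = toks[1:]
    if toks[:2] != ["diff-serv", "codepoint"]:
        raise ValueError(f"expected 'diff-serv codepoint ...', got: {line}")
    return codepoint_value(toks[2:])


def mark(tos_byte, dscp):
    """Write dscp into the upper six bits of the IPv4 TOS / IPv6 traffic class byte.
    The two low bits carry ECN and are preserved; None (pass-through) leaves the byte unchanged."""
    if dscp is None:
        return tos_byte
    if not 0 <= dscp <= 63:
        raise ValueError("DSCP must be 0..63")
    return (dscp << 2) | (tos_byte & 0x03)


def dscp_of(tos_byte):
    """Read the DSCP back out of a TOS / traffic class byte."""
    return tos_byte >> 2
```

For the first example above, assured AF13 becomes DSCP 14, which a packet carries as TOS byte 0x38 (14 shifted left by two bits); the pass-through example leaves whatever DS value the packet arrived with.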

dnsUse the dns command to define DNS parameters for the cluster. You can configure:

DNS server IP addresses for the clusterThe domain name

Arguments

assured <AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43>

Set default codepoint to assured:• AF11—set default codepoint to AF11.• AF12—set default codepoint to AF12.• AF13—set default codepoint to AF13.• AF21—set default codepoint to AF21.• AF22—set default codepoint to AF22.• AF23—set default codepoint to AF23.• AF31—set default codepoint to AF31.• AF32—set default codepoint to AF32.• AF33—set default codepoint to AF33.• AF41—set default codepoint to AF41.• AF42—set default codepoint to AF42.• AF43—set default codepoint to AF43.

best-effort Set default codepoint to best-effort.

expedited Set default codepoint to expedited.

pass-through Set default codepoint to pass-through.

<NUMBER> Set default codepoint to value between 0 to 63.


2 Configuring the Gateway

• Retransmission and retry timeouts

Syntax

Config# [no] dns [domain-name <domain name>] [retrans <1-60 (seconds)>] [retry <1-10>] [servers <A.B.C.D>]

Arguments

no
    Negate the command.

domain-name <domain name>
    Local default domain that the DNS client uses:
    • domain name—domain name for the DNS.

retrans <1-60 (seconds)>
    DNS client retransmission timeout:
    • 1 to 60 (seconds)—DNS resolver retransmission timeout in seconds.

retry <1-10>
    DNS client retry count:
    • 1 to 10—DNS resolver retry count. Default: two retries.

servers <A.B.C.D>
    List of DNS servers that the DNS client uses:
    • <A.B.C.D>—one or more (space separated) IP addresses of DNS servers that the DNS client or resolver queries. These IP addresses are also specified to PPTP and L2TP clients.

ip-address-pool
Use the ip-address-pool command to create IP address pools for address allocation to dial-up PPP users. The IP addresses that a pool identifies must be consecutive. Because no sanity checking exists for broadcast or subnet addresses, you must assign these addresses carefully. Nokia IP VPN Gateway uses the IPSecIPPool pool for internal addressing of IPSec clients. If you use internal addressing, you must define IPSecIPPool first.

Syntax

Config# [no] ip-address-pool <name> <A.B.C.D> <A.B.C.D>

Arguments

no
    Negate the command.

<name>
    Name of the IP address pool.
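Because the command accepts any consecutive range without checking it, an offline pre-check of a candidate pool is worth having before the range is handed to dial-up users. The following script is an added example and is not part of the Nokia CLI or firmware: it takes the first and last addresses of a pool plus a prefix length (an assumption of the example, since the gateway has no notion of how a pool is subnetted) and lists every address in the range that would be the network or broadcast address of a subnet of that size.

```python
"""Offline sanity check for an ip-address-pool range.

Added example, not part of the Nokia CLI or firmware. The gateway accepts
any consecutive range, so this flags the addresses in it that would be a
network or broadcast address for a chosen prefix length (an assumption of
the example: the gateway itself has no notion of how the pool is subnetted).
"""
import ipaddress
from typing import List, Tuple


def _bounds(first: str, last: str) -> Tuple[int, int]:
    """Validate the range and return it as integers."""
    lo = int(ipaddress.IPv4Address(first))
    hi = int(ipaddress.IPv4Address(last))
    if hi < lo:
        raise ValueError("pool must be consecutive: last address precedes first")
    return lo, hi


def pool_size(first: str, last: str) -> int:
    """Number of addresses the pool would hand out, hazards included."""
    lo, hi = _bounds(first, last)
    return hi - lo + 1


def pool_hazards(first: str, last: str, prefixlen: int = 24) -> List[str]:
    """Addresses in [first, last] that are the network or broadcast address
    of the /prefixlen block containing them.  Only /0 to /30 have such
    addresses (point-to-point /31 and host /32 do not)."""
    if not 0 <= prefixlen <= 30:
        raise ValueError("prefixlen must be between 0 and 30")
    lo, hi = _bounds(first, last)
    block = 1 << (32 - prefixlen)
    hazards: List[str] = []
    # Start at the block that contains the first address and step block by
    # block; each block contributes its network (first) and broadcast (last)
    # address whenever that address falls inside the pool.
    for net in range(lo & ~(block - 1), hi + 1, block):
        for addr in (net, net + block - 1):
            if lo <= addr <= hi:
                hazards.append(str(ipaddress.IPv4Address(addr)))
    return hazards


def report(name: str, first: str, last: str, prefixlen: int = 24) -> str:
    """Human-readable summary for one candidate pool."""
    bad = pool_hazards(first, last, prefixlen)
    lines = [f"ip-address-pool {name} {first} {last}: "
             f"{pool_size(first, last)} addresses"]
    if bad:
        lines.append(f"  {len(bad)} would be network/broadcast addresses at /{prefixlen}:")
        lines.extend(f"    {a}" for a in bad)
    else:
        lines.append(f"  no network/broadcast addresses at /{prefixlen}")
    return "\n".join(lines)


if __name__ == "__main__":
    # The pool from the command's own example, checked against /24 subnets.
    print(report("ppp", "10.10.10.1", "10.10.20.254"))
    print(report("ppp-clean", "10.10.10.10", "10.10.10.200"))
```

Run against the pool from the command's example (10.10.10.1 through 10.10.20.254) with /24 subnets, the check lists 20 addresses (10.10.10.255, 10.10.11.0, and so on up to 10.10.20.0) that a PPP client could be handed but that other hosts on those subnets would treat as network or broadcast addresses.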

<A.B.C.D>
    IP address of the first entry in the pool.

<A.B.C.D>
    IP address of the last entry in the pool.

Examples

Config# ip-address-pool ppp 10.10.10.1 10.10.20.254
Configures an IP address pool named ppp with the range of IP addresses from 10.10.10.1 through 10.10.20.254.

lns
Use the lns command to configure LNS values.

Syntax

Config# [no] lns <client name> <authentication <chap | mschap | pap>> <basic <local name> <secret> <decimal number>> <require <ipsec | mppe40 | none>>

Arguments

<client name>
    LNS remote client name.

<authentication <chap | mschap | pap>>
    Authentication options:
    • chap—Challenge Handshake Authentication Protocol.
    • mschap—Microsoft Challenge Handshake Authentication Protocol.
    • pap—Password Authentication Protocol.

<basic <local name> <secret> <decimal number>>
    Basic configuration options:
    • local name—LNS local name.
    • secret—LNS secret.
    • decimal number—LNS window size.

<require <ipsec | mppe40 | none>>
    MPPE minimum required encryption strength:
    • ipsec—require IPSec encapsulation.
    • mppe40—require 40-bit MPPE minimum.
    • none—do not require anything.

mss-clamp
Use the mss-clamp command to set the TCP maximum segment size. This command addresses the following data and packet transmission issues:

PPPoE—PPPoE is a dynamic IP addressing mechanism used by dynamic gateways to connect to the Internet. PPPoE has a lower MTU than Ethernet (MTU 1500) because of the PPPoE encapsulation overhead of 8 bytes. Therefore, communication between hosts behind dynamic gateways and hosts on the Internet experiences difficulties with network services (such as web, FTP, and e-mail), especially when data transfers are of maximum size.

TCP—TCP negotiates the MSS (maximum segment size). Because end hosts have Ethernet interfaces, and Ethernet accommodates 1500 bytes of data, TCP uses 1500-40 = 1460 as the MSS. After establishing a connection, TCP uses the MSS to transmit data whenever there is additional data to transmit. When gateways use interfaces such as PPPoE, with an MTU less than 1500, or use a different encapsulation (for example, IPSec), the end hosts still apply the same MSS, because they are not informed. As a result, when a packet arrives at the gateway with a segment size greater than the gateway can transmit, the gateway drops the packet and generates the relevant ICMP error message. The problem with the ICMP error is two-fold. First, the ICMP error is generated on a per-connection basis, so ICMP errors are generated repeatedly for every connection between hosts; this affects performance. Second, the gateway may encounter the problem but not generate an ICMP error, and hosts may not process ICMP errors. Such scenarios affect communication.

IPSec—Data packet sizes increase significantly because of IPSec encapsulation (the encapsulation overhead for tunnel mode is 28 bytes) and encryption overhead (block ciphers and padding). When a packet arrives at a gateway from an internal host with a segment size based on the host's local Ethernet interface (1460 bytes), and the packet has to be processed by IPSec, the size of the packet increases because of the additional overhead and becomes greater than the MTU of the gateway's interface. If the DF bit in the IP header is set, this packet cannot be fragmented and is dropped. When IPSec encounters these packets, it generates the relevant ICMP errors, and the sender of the data packet adjusts to the proposed size. However, ICMP errors are generated for a particular TCP connection only; TCP still uses the original MSS for new connections, so further packets may encounter the same problem. Access is slow and performance is reduced because of the repeated errors.

Clamping TCP MSS

Clamping TCP MSS solves the PPPoE, TCP and IPSec issues. When the MSS option is set in both directions at connect time, the MSS option is adjusted to a configured value. By default a value of 1460 is used in the TCP SYN packet. Clamping reduces the size to 1452 (in the case of PPPoE), so that the receiver of the data packet sends only 1452 bytes instead of 1460. TCP uses the lower of the two values (the proposed 1460 and the suggested 1452) to send the data. The MSS is not adjusted if the original MSS is less than or equal to the configured value.
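The following is an added example, not code from the Nokia gateway, that works through the arithmetic above and applies the clamping rule to actual TCP option bytes: path_mss derives 1460 for plain Ethernet and 1452 behind PPPoE, clamp_mss_option rewrites the MSS option in a SYN's option list only when the advertised value exceeds the configured clamp and leaves smaller values untouched, and effective_mss is the "lower of the two" rule. The SYN option bytes are constructed for the example, the 512 to 1459 bound mirrors the range the mss-clamp argument accepts, and recomputation of the TCP checksum after the rewrite (which a real gateway must also do) is left out.

```python
"""TCP MSS clamping as described above.

Added example, not Nokia code. path_mss() is the arithmetic the text walks
through; clamp_mss_option() applies the clamping rule to the TCP option
bytes of a SYN; effective_mss() is the "lower of the two" rule. The option
bytes below are constructed for the example. Recomputing the TCP checksum
after the rewrite, which a real gateway must do, is left out.
"""
from typing import Optional, Tuple

IP_HEADER = 20                     # IPv4 header without options
TCP_HEADER = 20                    # TCP header without options
PPPOE_OVERHEAD = 8                 # PPPoE encapsulation overhead from the text
CLAMP_MIN, CLAMP_MAX = 512, 1459   # range accepted by the mss-clamp argument

TCPOPT_EOL, TCPOPT_NOP, TCPOPT_MSS = 0, 1, 2


def path_mss(mtu: int = 1500, encap_overhead: int = 0) -> int:
    """Largest TCP payload that fits one packet on a link of this MTU once
    the link encapsulation and the IP and TCP headers are subtracted."""
    return mtu - encap_overhead - IP_HEADER - TCP_HEADER


def effective_mss(advertised: int, received: int) -> int:
    """TCP sends with the lower of what it proposed and what the peer sent."""
    return min(advertised, received)


def clamp_mss_option(options: bytes, clamp: int) -> Tuple[bytes, Optional[int]]:
    """Rewrite the MSS option (kind 2, length 4) in a TCP option list when its
    value exceeds `clamp`.  Returns (new_options, original_mss); original_mss
    is None when the SYN carried no MSS option.  Values at or below the clamp
    are left as they are, matching the documented behaviour."""
    if not CLAMP_MIN <= clamp <= CLAMP_MAX:
        raise ValueError(f"clamp must be {CLAMP_MIN}..{CLAMP_MAX}")
    out = bytearray(options)
    original = None
    i = 0
    while i < len(out):
        kind = out[i]
        if kind == TCPOPT_EOL:
            break
        if kind == TCPOPT_NOP:            # single-byte padding option
            i += 1
            continue
        if i + 1 >= len(out):
            raise ValueError("truncated TCP option")
        length = out[i + 1]
        if length < 2 or i + length > len(out):
            raise ValueError("bad TCP option length")
        if kind == TCPOPT_MSS and length == 4:
            original = int.from_bytes(out[i + 2:i + 4], "big")
            if original > clamp:
                out[i + 2:i + 4] = clamp.to_bytes(2, "big")
        i += length
    return bytes(out), original


# Constructed SYN option list: MSS 1460, NOP, window scale 7.
SAMPLE_SYN_OPTIONS = bytes([2, 4, 0x05, 0xB4, 1, 3, 3, 7])


def demo() -> dict:
    """Run the pieces together; the values are the ones the text describes."""
    ethernet = path_mss()                                # 1500 - 40 = 1460
    pppoe = path_mss(encap_overhead=PPPOE_OVERHEAD)      # 1452
    clamped, original = clamp_mss_option(SAMPLE_SYN_OPTIONS, pppoe)
    return {
        "ethernet_mss": ethernet,
        "pppoe_mss": pppoe,
        "original_mss": original,
        "clamped_mss": int.from_bytes(clamped[2:4], "big"),
        "effective_mss": effective_mss(ethernet, pppoe),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key:>14}: {value}")
```

The parser walks every option rather than assuming the MSS comes first, because real SYNs carry NOP padding, SACK-permitted, window scale and timestamps in varying order; a clamping device that only inspected the first option would miss the MSS in many of them.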

Syntax

Config# [no] mss-clamp <val>

Note: Nokia recommends that you use this command in:
• Dynamic gateways where PPPoE is enabled.
• Spokes, only if hub-and-spoke connectivity is used and the option to send all traffic through the hub is selected, irrespective of whether PPPoE is enabled.

Arguments

no
    Disable the MSS clamping option.

<val>
    TCP maximum segment size clamping value. MSS range: 512 to 1459.

MSS Values (bytes) used with IPSec Encryption Algorithms

Nokia recommends the following MSS values for use with IPSec encryption algorithms:

                  AES 128, AES 192, AES 256   3DES 168   CAST 128   BLOWFISH 448
With PPPoE        1370                        1386       1386       1386
Without PPPoE     1378                        1394       1394       1394

ntp
Use the ntp command to select an NTP server for the cluster to synchronize its internal clock with. You can specify the version of NTP that is running on your network and a polling interval, and configure a key for the MD5 hash.

Note: The ntp command does not enable a true NTP client. Nokia IP VPN Gateway queries the NTP server for the time only; it does not implement a full NTP client. All times on the Nokia IP VPN Gateway are in Universal Coordinated Time (UTC).

Syntax

Config# [no] ntp [auth-key md5 <md5-key>] [interval <seconds>] [servers <ADDR> <ADDR>] [version <1 | 2 | 3>]

Arguments

no
    Negate the command.


auth-key md5 <md5-key>
    Specify an MD5 key for NTP authentication:
    • md5-key—MD5 key.

interval <seconds>
    The NTP polling interval:
    • seconds—polling interval in seconds for the NTP client.

servers <ADDR>
    The NTP server to communicate with:
    • ADDR—IP name or address of an NTP server.

version <1 | 2 | 3>
    The NTP version to use:
    • 1—use NTP version 1.
    • 2—use NTP version 2.
    • 3—use NTP version 3.

pns
Use the pns command to configure the PPTP PNS values.

Syntax

Config# [no] pns authentication <chap | mschap | pap> require <ipsec | mppe40 | none>

Arguments

authentication <chap | mschap | pap>
    Authentication options:
    • chap—Challenge Handshake Authentication Protocol.
    • mschap—Microsoft Challenge Handshake Authentication Protocol.
    • pap—Password Authentication Protocol.

require <ipsec | mppe40 | none>
    MPPE minimum required encryption strength:
    • ipsec—require IPSec encapsulation.
    • mppe40—require 40-bit MPPE minimum.
    • none—do not require anything.

ppp
Use the ppp command to configure the PPP parameters for L2TP and PPTP.

Note: If you configure either L2TP or PPTP, you also need to configure PPP. PPP configuration commands are used to define both PPP users and groups.


PPP allows users who connect through layer-2 PPP tunnel protocols to be authenticated and to be given an IP address to use.

Syntax

Config# [no] ppp user <username> <[<address <allow-selection> | <A.B.C.D>> | group <group> | password <passwd>]>

Config# ppp group <PPP group name> <[address pool <address pool name> | dns <A.B.C.D> <A.B.C.D> | wins <A.B.C.D> <A.B.C.D>]>

Related Commands
See the Config# login source ppp command in “login” on page 184.
See the “Config# [no] ip-address-pool” command on page 62.

Arguments

no
    Negate the command.

user <username> <[<address <allow-selection> | <A.B.C.D>> | group <group> | password <passwd>]>
    Configure a PPP user:
    • username—PPP user name.
    • address—configure user IP addressing options.
    • address allow-selection—allow the user to specify an IP address during PPP negotiation.
    • address <A.B.C.D>—assign a specific IP address to this user.
    • group—PPP group to which the user belongs.
    • passwd—PPP user's password or secret (a maximum of 63 characters).

group <PPP group name> <[address pool <address pool name> | dns <A.B.C.D> <A.B.C.D> | wins <A.B.C.D> <A.B.C.D>]>
    Configure a PPP group:
    • ppp group name—name of a PPP group.
    • address pool name—IP address pool used for address assignment of the PPP users.
    • dns—specify group DNS options.
    • dns <A.B.C.D>—IP address of primary DNS server.
    • dns <A.B.C.D>—IP address of secondary DNS server (optional).
    • wins—specify group WINS servers.
    • wins <A.B.C.D>—IP address of primary WINS server.
    • wins <A.B.C.D>—IP address of secondary WINS server (optional).


snmp
Use the snmp command to configure the SNMP agent.

Syntax

Config# [no] snmp
    access <<address/netmask> <community string>>
    authentraps
    bindtointernal
    cpuutil <percentage>
    group <NAME> <usm> <User Name>
    ioload <pkts/sec>
    ipdrop <percentage>
    logtraps
    memusage <percentage>
    pollrate <seconds>
    syscontact <sysContact value>
    syslocation <sysLocation value>
    trap2sink <A.B.C.D> <community_string>
    trapdelay <seconds>
    trapsink <A.B.C.D> <community_string>
    udpdrop <percentage>
    user <NAME> <MD5 | SHA> <<encode type> <encoded password> <DES> | <cleartext passphrase> <DES>>
    v3access <<groupName> <usm> <<authnopriv> | <authpriv> | <noauthnopriv>> <readView> <writeView> <notifyView>>
    view <NAME> included <OID> [<mask>]


Arguments

no
    Negate the command.

access <<address/netmask> <community string>>
    Configure SNMPv1 and SNMPv2 access for the SNMP agent:
    • address—IP address of the SNMP manager or SNMP manager network. To grant access to any network, specify the value default.
    • netmask—netmask allowed to access the SNMP agent.
    • community—community name of the SNMP agent.

authentraps
    Send SNMP authentication failure traps.

bindtointernal
    Bind the source address to the internal interface address for SNMP traps.

cpuutil <percentage>
    Set CPU use trap limit:
    • percentage—send a trap when CPU load exceeds this limit.

group <NAME> <usm> <User Name>
    Creates a group with the supported security model:
    Note: USM is the only supported security model.
    • NAME—group name.
    • usm—security model. The only supported security model is USM.
    • User Name—user name assigned to this group.

ioload <pkts/sec>
    Set IO load trap limit:
    • pkts/sec—send a trap when the five-minute average load in packets per second exceeds this limit.

ipdrop <percentage>
    Set IP drop rate trap limit:
    • percentage—send a trap when the IP packet drop rate exceeds this percentage.


logtraps
    Send a copy of SNMP traps to the configured syslog server.
    Note: The syslog server clusters identical messages. This might cause a delay if multiple traps arrive in quick succession.

memusage <percentage>
    Set memory usage trap limit:
    • percentage—send a trap when memory usage exceeds this percentage.

pollrate <seconds>
    Set overload detection poll rate:
    • seconds—polling rate in seconds.

syscontact <sysContact value>
    Sets the MIB-II sysContact string to the value specified. If the string contains special characters, such as a space, enclose the string within quotation marks:
    • sysContact value—contact for the system.

syslocation <sysLocation value>
    Sets the MIB-II sysLocation string to the value specified. If the string contains special characters, such as a space, enclose the string within quotation marks:
    • sysLocation value—location of the system.

trap2sink <A.B.C.D> <community_string>
    Configures an IP address to send SNMP version 2 trap messages to, and the community string to use:
    • <A.B.C.D>—IP address of the trap sink.
    • community_string—community string to use for this trap.

trapdelay <seconds>
    Delay sending traps for the specified number of seconds:
    • seconds—trap sending rate in seconds.

trapsink <A.B.C.D> <community_string>
    Configures an IP address to send SNMP trap messages to, and the community string to use:
    • <A.B.C.D>—IP address of the destination to which the SNMPv1 trap is sent.
    • community_string—community string to use for this trap.

udpdrop <percentage>
    Set UDP drop rate trap limit:
    • percentage—send a trap when the UDP packet drop rate exceeds the specified percentage.


user <NAME> <MD5 | SHA> <<encode type> <encoded password> <DES> | <cleartext passphrase> <DES>>
    Create an SNMPv3 user. The user name must be unique. If the user name already exists in the database, an error message appears:
    • NAME—SNMPv3 user name.
    • MD5—MD5 authentication type.
    • SHA—SHA authentication type.
    • encode type—authpass encoding version number.
    • encoded password—encoded password.
    • cleartext passphrase—passphrase (minimum of 8 characters) for authentication.
    • DES—DES privacy protocol.

v3access <<groupName> <usm> <<noauthnopriv> | <authnopriv> | <authpriv>> <readView> <writeView> <notifyView>>
    • groupName—existing group name.
    • usm—security model. Only the USM security model is supported.
    • noauthnopriv—does not require authentication and privacy.
      Note: Nokia recommends that SNMPv3 not be accessed through the noauthnopriv level.
    • authnopriv—requires authentication but not privacy.
      Note: To access the SNMP agent through this level, the SNMP manager must use the same authentication type and passphrase as the SNMP user in the specified group name.
    • authpriv—requires both authentication and privacy.
      Note: To access the SNMP agent through this level, the SNMP manager must use the same authentication type and passphrase, and the same privacy type and passphrase, as the SNMP user in the specified group name.
    • readView—existing view to support SNMP read operations.
    • writeView—existing view to support SNMP write operations.
    • notifyView—existing view to support SNMP notify operations.


view <NAME> included <OID> [<mask>]
    Create a view with the specified access type for the OID and the mask:
    • NAME—SNMP view name.
    • included—allow the SNMP manager to access the OID.
    • OID—OID. The OID can have a maximum length of 32 bytes.
    • mask—mask to be applied to the specified OID. A mask can have a maximum length of 32 bytes. Each hex value in the mask must be separated by either a period (.) or a colon (:).

Examples

Config# snmp access 10.0.4.0/255.255.255.0 public
Allows only hosts from the 10.0.4.0 network to access the gateway by using the public community string.

Config# snmp syscontact “The System Administrators”
Sets the sysContact MIB variable value to The System Administrators.

Config# snmp trapsink 10.0.4.55 trapperjohn
Informs the SNMP agent to send SNMPv1 traps to 10.0.4.55 by using the community string trapperjohn.

Config# snmp trap2sink 10.0.4.56 newandimproved
Informs the SNMP agent to send SNMPv2 traps to 10.0.4.56 by using the community string newandimproved.

Config# snmp view read included .1.3.6.1.2.1.2.2.1.1.2 ff:a0
.1.3.6.1.2.1.2.2.1.1.2 equals interfaces.ifTable.ifEntry.ifIndex.2 and ff:a0 equals 11111111:10100000. This command allows access to external interface information only if the external interface index is 2.
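The view mask in the last example works the same way as the view-family mask of the SNMP View-based Access Control Model (RFC 3415): each mask bit covers one sub-identifier of the view OID, a 1 bit requires an exact match, a 0 bit is a wildcard, and bits beyond the end of the mask count as 1. The following added example (not Nokia code) implements that rule so that a view definition such as view read included .1.3.6.1.2.1.2.2.1.1.2 ff:a0 can be checked offline for what it does and does not expose before it is tied to a group through v3access; the SnmpView class and its method names are the example's own.

```python
"""SNMP view subtree/mask matching.

Added example, not Nokia code. Applies the view-family rule used by the
SNMP View-based Access Control Model (RFC 3415): mask bit n covers
sub-identifier n of the view OID; a 1 bit demands an exact match, a 0 bit
is a wildcard, and bits past the end of the mask count as 1. An OID is in
the view if it is at least as long as the view OID and matches at every
non-wildcard position. The SnmpView class is the example's own.
"""
from typing import List, Tuple


def parse_oid(oid: str) -> List[int]:
    """'.1.3.6.1.2.1' -> [1, 3, 6, 1, 2, 1]; the leading dot is optional."""
    return [int(part) for part in oid.strip(".").split(".")]


def parse_mask(mask: str, width: int) -> List[bool]:
    """Expand a mask such as 'ff:a0' (hex bytes separated by '.' or ':') into
    one exact-match flag per sub-identifier, padding with True beyond its end."""
    flags: List[bool] = []
    if mask:
        for chunk in mask.replace(":", ".").split("."):
            value = int(chunk, 16)
            if not 0 <= value <= 0xFF:
                raise ValueError(f"mask byte out of range: {chunk}")
            # Most significant bit first, one flag per sub-identifier.
            flags.extend(bool(value >> (7 - bit) & 1) for bit in range(8))
    flags = flags[:width]
    flags.extend([True] * (width - len(flags)))
    return flags


def oid_in_family(view_oid: str, mask: str, candidate: str) -> bool:
    """True when `candidate` falls under the (view_oid, mask) view family."""
    subtree = parse_oid(view_oid)
    target = parse_oid(candidate)
    if len(target) < len(subtree):          # shorter than the subtree: outside
        return False
    exact = parse_mask(mask, len(subtree))
    return all(not must or s == t
               for must, s, t in zip(exact, subtree, target))


class SnmpView:
    """A named view built from 'included <OID> [<mask>]' entries."""

    def __init__(self, name: str) -> None:
        self.name = name
        self.families: List[Tuple[str, str]] = []

    def included(self, oid: str, mask: str = "") -> "SnmpView":
        self.families.append((oid, mask))
        return self

    def permits(self, oid: str) -> bool:
        return any(oid_in_family(v, m, oid) for v, m in self.families)


# The view from the example above: any ifEntry column, index 2 only.
READ_VIEW = SnmpView("read").included(".1.3.6.1.2.1.2.2.1.1.2", "ff:a0")

if __name__ == "__main__":
    for oid in ("1.3.6.1.2.1.2.2.1.1.2",    # ifIndex.2
                "1.3.6.1.2.1.2.2.1.2.2",    # ifDescr.2, column wildcarded
                "1.3.6.1.2.1.2.2.1.2.3",    # ifDescr.3, wrong index
                "1.3.6.1.2.1.1.1.0"):       # sysDescr.0, outside the subtree
        print(oid, "->", "permitted" if READ_VIEW.permits(oid) else "denied")
```

With ff:a0 the tenth sub-identifier (the ifEntry column, 1 in the view OID) is the wildcarded position and the eleventh (the interface index, 2) must match, so ifDescr.2 and ifInOctets.2 are permitted while ifDescr.3 and anything outside ifEntry are not; a mask with the wrong bit cleared would silently widen the view to every interface, which is the kind of mistake this check is meant to catch before the view is used.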


3 Managing the Gateway

This chapter details the commands required to manage the gateway, validate network and gateway parameters, disable and enable subsystems, and configure network access and services.

Note: This chapter assumes that you are familiar with the command mode and the configuration mode, and navigation between them. For more information about CLI modes and navigating between them, see “CLI Modes” on page 16.

Gateway Administration
Gateway administration commands allow you to perform routine administration tasks on the gateway, and to validate network and gateway parameters.

Command Mode Commands
Use the following command mode commands to perform gateway administration.

Command       Description
aosinfo       Snapshot of run-time configuration.
backup        Back up or restore contents of flash memory.
clear         Clear tables and counters.
configure     Enter configuration mode.
crypto        IKE and IPSec administration.
date          Set or display the date and time.
examine       Evaluate IPSec per-packet policy.
flash         Flash memory administration.
kernel        Operating system kernel administration.
nat           Network Address Translation (NAT) administration.
pin           PIN administration.
reboot        Reboot local node only.
schedule      Display and modify scheduled event list.
show          Show information about the system.
tcpdump       Native tcpdump and tcpdump client-server administration.
terminal      Terminal configuration (current session).
validate      Validate IPSec per-packet policy.

aosinfo
Use the aosinfo command to obtain a snapshot of run-time configuration.

Syntax

aosinfo -h <filename> <CR>

Arguments

-h
    HTML output qualifier for console.

<filename>
    Name of output file.

<CR>
    Display on console.

backup
Use the backup command to:
• Back up the contents of the flash file system to a file.
• Restore the contents of a backup file to flash.

The backup command creates a single file called a saveset, which is in a Nokia proprietary format. You can perform backup and restore operations by using NFS or TFTP. If you use NFS, you must configure the mountd settings to allow mounting of individual files. This is the default in Solaris and requires the -r flag option to mountd on BSD-based NFS implementations. If you use TFTP, ensure that write permissions are configured on the target directory (the directory in which the backup is saved).

Syntax

backup [list <NAME>] [restore <NAME> <NAME>] [save <NAME> <NAME>]

Caution: The backup restore command (in the following table) formats flash files before restoring files. You must save necessary files to flash memory before you perform a restore operation.

Examples

backup list nfs://Nokia_nfs/home/current_files/my_file
Displays the contents of a backup file on the Nokia_nfs NFS server.

backup restore nfs://Nokia_nfs/home/current_files/my_file
Restores to flash memory the contents of a backup file on the Nokia_nfs NFS server.

backup save pccard1: nfs://Nokia_nfs/home/current_files/my_file
Saves the contents of pccard1 flash memory into the backup file.

Arguments

list <NAME>
    List the files in a saveset:
    • NAME—name of the saveset file.

restore <NAME> <NAME>
    Restore the contents of the flash file system from a specified saveset file by using the following syntax: <NFS | TFTP>://<hostname>/<pathname>/<bkup_file>.
    • NAME—name of the saveset file.
    • NAME—name of flash memory.

save <NAME> <NAME>
    Save the contents of the flash file system to a specified saveset file by using the following syntax: <NFS | TFTP>://<hostname>/<pathname>/<bkup_file>. All the files on flash memory are saved.
    • NAME—name of the flash memory.
    • NAME—name of the saveset file.

Related Commands
See the “flash” command on page 99.
See the “schedule” command on page 103.

clear
Use the clear command to clear entries and tables for the specified subsystems.

Syntax

clear [arp] [dns-resolver] [ike] [ipsec] [nat <link-id>] [queue] [route <all | dynamic | static>] [vpdn <all | tunnel <NUMBER>>] <CR>

Arguments

arp
    Flush the ARP table.
    Note: Performs the same function as the arp -f command.

dns-resolver
    Flush the DNS resolver cache.

ike
    Clear IKE security associations.

ipsec
    Clear IPSec security associations.

nat <link-id>
    Clear NAT entries:
    • link-id—name assigned to the NAT link.

queue
    Clear the IPSec packet sequencing queue.

route <all | dynamic | static>
    Clear route entries:
    • all—flush static and dynamic routes.
    • dynamic—flush only dynamically learned routes.
    • static—flush only statically set routes.

vpdn <all | tunnel <NUMBER>>
    Clear tunnels and sessions:
    • all—clear all tunnels and sessions.
      Note: The clear vpdn all command affects all nodes in a cluster.
    • tunnel NUMBER—clear the specified tunnel.

<CR>
    Exit. At least one option must be specified.

configure
Use the configure command to:
• Save the current configuration.
• Delete the current configuration and reboot the gateway.
• Change to a different mode.

Syntax

configure [firewall] [pki] [policy] [save <cluster | <CR>>] [wizard] [<CR>]

Caution: The configure wizard command (in the following table) erases configurations from flash memory and requires a complete reinstallation.

Arguments

firewall
    Enter the firewall configuration mode to configure packet filtering rules.

pki
    Enter PKI configuration mode.

policy
    Enter PCS configuration mode.

save <cluster | <CR>>
    Saves the running configuration to the flash file system on the local gateway:
    • cluster—save the configuration to all nodes. This command must be run from the master node only.
    • CR—save the running configuration.

wizard
    Erases all files on the flash file system, clears the hardware PIN, and reboots the gateway.

<CR>
    Enter configuration mode.

Related Commands
See the debug cfg_server command in “debug” on page 156.
See the show config command in “show” on page 105.

crypto
Use the crypto command to manage the IPSec configuration for all of the nodes in a cluster. For a graphical representation of the crypto command, see “Crypto Command Diagram” on page 294.


Syntax

crypto [clear <ike | ipsec | <CR>>]

[disable]
    <copy-df>
    <dead-peer-detection <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    <deferred-delete <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
    <diff-serv <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    <display <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
    <host-icmp>
    <inline>
    <nat-traversal <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    <replay>
    <sa-cache>
    <sec-proc>
    <server <ah | esp | input | output | queue>>
    <spd-sorting>
    <stable>
    <CR>

[enable]
    <brief>
    <copy-df>
    <dead-peer-detection <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    <deferred-delete <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
    <diff-serv <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    <display <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
    <full>
    <host-icmp>
    <inline>
    <nat-traversal <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    <replay>
    <sa-cache>
    <sec-proc>
    <server <ah | esp | input | output | queue>>
    <spd-sorting>
    <stable>
    <CR>

[flush <ike | ipsec | <CR>>]

[ike <delete <NUMBER> | lifetime <NUMBER>>]

[ipsec <delete <NUMBER> <ADDR> <ah | esp>> | lifetime <NUMBER> | rekey <NUMBER> <ADDR> <ah | esp>]

[policy reload <NAME>]

[show]
    <active <brief | full | <SPI> | <CR>>>
    address-cache
    all <brief | full>
    cached <all <brief | full> | chains <local | remote> <brief | full> | identities <local | remote> <brief | full> | names <brief | full> | public <local | remote> <brief | full>>
    cluster
    dead <brief | full>
    expired <brief | full>
    ike <-n | brief | full | statistics | <SEQ> | <ADDR> | <fqdn> | <rfc822> | <CR>>
    ipsec <brief | full | <SPI> | <CR>>
    keys <all <brief | full> | blocked <brief | full> | certified <brief | full> | preshared <brief | full> | public <local | remote> <brief | full> | trusted-root <brief | full>>
    options
    pending <brief | full>
    policy <-n | brief | client <brief | full | matched | <CR>> | full | gateway | ike | ipsec | matched | protnet | spd <brief | dynamic | full | matched | routing | static | <CR>> | <CR>>
    statistics <ah | esp | ike | random | replay | sa | sec-proc | <CR>>

Caution: The disable command in the following table disables IPSec processing. All IP traffic is forwarded in the clear if IPSec security processing is disabled.

Arguments

clear <ike | ipsec | <CR>>
    Clear all IKE and IPSec security associations. All current IPSec tunnels are deleted. This command affects all nodes in a cluster.
    Note: On a system with a large number of security associations (SAs), the crypto clear command can cause a temporary performance slowdown, because all IPSec connections need to renegotiate IKE and IPSec security associations to re-establish traffic flow.
    • ike—clear IKE security associations.
    • ipsec—clear IPSec security associations.
    • CR—clear all IKE and IPSec security associations.

disable
    Disable IPSec processing. This command affects all nodes in a cluster.

disable <copy-df>
    Disable copying of the don't fragment (DF) bit to the outer header.


disable <dead-peer-detection <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    Disable Dead Peer Detection:
    • all—all events.
    • attribute—ISAKMP attribute processing (IKE).
    • basic—basic events.
    • cluster—cluster processing.
    • cookie—ISAKMP cookie processing (IKE).
    • death—SA deletion events.
    • download—management software download (IKE).
    • event—general event logging.
    • header—ISAKMP header processing (IKE).
    • id—ISAKMP ID payload processing (IKE).
    • io—send or receive message logging (IKE).
    • isadb—database operations (IKE).
    • locking—locking operations (IKE).
    • mapping—IPSec SA mapping creation or deletion.
    • notify—ISAKMP notify payload processing.
    • option—ISAKMP options processing.
    • payload—ISAKMP payload processing.
    • pending—pending entry creation or deletion (IPSec).
    • policy—policy operations (IKE).
    • rekey—rekey operations.
    • ring—public- or private-key ring operations (IKE).
    • route—routing updates (PF_ROUTE).
    • saapi—kernel operations (IKE).
    • selector—miscellaneous selector logging (IPSec).
    • state—state machine changes (IKE).
    • CR—all events, if no other options are specified.


disable <deferred-delete <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
    Disable deferred main mode deletions:
    • deferred-delete automagic—automatically generated selectors.
    • deferred-delete cluster—IKE or IPSec cluster messaging statistics.
    • deferred-delete dead—dead security associations.
    • deferred-delete option—IKE negotiation options.
    • deferred-delete pending—pending security association requests.
    • deferred-delete replay—IPSec replay detection information.
    • deferred-delete selector—IPSec traffic selector information.
    • deferred-delete uuid—policy and selector identifiers.
    • deferred-delete <CR>—set full display mode, if no other options are specified.

disable <diff-serv <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    Disable differentiated services marking:
    • diff-serv all—all events.
    • diff-serv attribute—Internet Security Association Key Management Protocol (ISAKMP) attribute processing (IKE).
    • diff-serv basic—basic events.
    • diff-serv cluster—cluster processing.
    • diff-serv cookie—ISAKMP cookie processing (IKE).
    • diff-serv death—SA deletion events.
    • diff-serv download—management software download (IKE).
    • diff-serv event—general event logging.
    • diff-serv header—ISAKMP header processing (IKE).
    • diff-serv id—ISAKMP ID payload processing (IKE).


• diff-serv io—send or receive message logging (IKE).

• diff-serv isadb—database operations (IKE).• diff-serv locking—locking operations (IKE).• diff-serv mapping—IPSec SA mapping

creation or deletion.• diff-serv notify—ISAKMP notify payload

processing.• diff-serv option—ISAKMP options

processing.• diff-serv payload—ISAKMP payload

processing.• diff-serv pending—pending entry creation

or deletion (IPSec).• diff-serv policy—policy operations (IKE).• diff-serv rekey—rekey operations.• diff-serv ring—public- or private-key ring

operations (IKE).• diff-serv route—routing updates

(PF_ROUTE).• diff-serv saapi—kernel operations (IKE).• diff-serv selector—miscellaneous selector

logging (IPSec).• diff-serv state—state machine changes

(IKE).• diff-serv <CR>—all events, if no other

options are specified.

disable <display <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>

• display—disable display information.• display automagic—automatically

generated selectors.• display cluster—IKE or IPSec cluster

messaging statistics.• display dead—dead security associations.• display option—IKE negotiation options.• display pending—pending security

association requests.

• display replay—IPSec replay detection information.

• display selector—IPSec traffic selector information.

• display uuid—policy and selector identifiers.

• display <CR>—set full display mode, if no other options are specified.

disable <host-icmp> Do not forward host-generated Internet Control Message Protocol (ICMP) errors.

disable <inline> Disable inline processing on resource allocation failures.


Gateway Administration

disable <nat-traversal <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>

Disable NAT traversal encapsulation:
• nat-traversal all—all events.
• nat-traversal attribute—ISAKMP attribute processing (IKE).
• nat-traversal basic—basic events.
• nat-traversal cluster—cluster processing.
• nat-traversal cookie—ISAKMP cookie processing (IKE).
• nat-traversal death—SA deletion events.
• nat-traversal download—management software download (IKE).
• nat-traversal event—general event logging.
• nat-traversal header—ISAKMP header processing (IKE).
• nat-traversal id—ISAKMP ID payload processing (IKE).
• nat-traversal io—send or receive message logging (IKE).
• nat-traversal isadb—database operations (IKE).
• nat-traversal locking—locking operations (IKE).
• nat-traversal mapping—IPSec SA mapping creation or deletion.
• nat-traversal notify—ISAKMP notify payload processing.
• nat-traversal option—ISAKMP options processing.
• nat-traversal payload—ISAKMP payload processing.
• nat-traversal pending—pending entry creation or deletion (IPSec).
• nat-traversal policy—policy operations (IKE).
• nat-traversal rekey—rekey operations.
• nat-traversal ring—public- or private-key ring operations (IKE).
• nat-traversal route—routing updates (PF_ROUTE).
• nat-traversal saapi—kernel operations (IKE).
• nat-traversal selector—miscellaneous selector logging (IPSec).
• nat-traversal state—state machine changes (IKE).
• nat-traversal <CR>—all events, if no other options are specified.

disable <replay> Disable replay detection in IPSec security associations.


disable <sa-cache> Disable last-used SA cache.

disable <sec-proc> Disable security processors.

disable <server <ah | esp | input | output | queue>>

Disable multiprocessor server processing:
• server ah—secondary processing for the Authentication Header (AH).
• server esp—secondary processing for the Encapsulating Security Payload (ESP).
• server input—input sequencing queue.
• server output—output sequencing queue.
• server queue—input and output sequencing queues.

disable <spd-sorting> Disable sorting of IPSec selectors in the security policy database (SPD). SPD selectors are then not sorted by the number of parameters they specify.

Note: By default, selectors in the SPD are arranged with the most-specific selectors at the beginning of the list and the less-specific selectors at the end. The disable spd-sorting command keeps the selectors in the order in which they were created, regardless of the number of parameters specified in each selector. If this option is not selected, the selectors are sorted by the number of parameters specified in the selector.
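The most-specific-first ordering described in this note, and the first-match decision that the examine command (later in this chapter) reports for a given packet, can be modelled in a few lines. The following Python is an added example, not Nokia code: the Selector class, the five-parameter specificity count, the implicit drop when no selector matches and the sample selectors are all assumptions, chosen to show how disabling spd-sorting lets an earlier, broader selector shadow a later, more specific one.

```python
"""Added example (not from the Nokia manual): model of SPD selector ordering
and of the first-match decision that 'examine' reports.

Assumed data model: a selector names an action and zero or more of the
five packet parameters protocol, source address, source port, destination
address and destination port.  A parameter left as None matches anything.
With spd-sorting enabled the SPD is ordered most-specific first, i.e. by
the number of parameters specified (creation order breaks ties); with
'disable spd-sorting' the SPD keeps creation order.
"""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional

# Protocol keywords accepted by 'examine'; None means "any".
PROTO_NUMBERS = {"any": None, "icmp": 1, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47}


def proto_number(proto) -> Optional[int]:
    """Map an 'examine' protocol keyword or number to an IP protocol number."""
    if isinstance(proto, int):
        return proto
    if proto in PROTO_NUMBERS:
        return PROTO_NUMBERS[proto]
    return int(proto)               # numeric protocol given as a string


@dataclass(frozen=True)
class Selector:
    name: str
    action: str                     # "drop", "pass" (in the clear) or "protect" (IPSec)
    proto: Optional[int] = None
    src: Optional[str] = None       # host or CIDR; None = any
    sport: Optional[int] = None
    dst: Optional[str] = None
    dport: Optional[int] = None

    def specificity(self) -> int:
        """Number of parameters the selector specifies: the spd-sorting key."""
        return sum(p is not None for p in (self.proto, self.src, self.sport, self.dst, self.dport))

    def matches(self, proto, src, sport, dst, dport) -> bool:
        """An 'any' (None) query field only matches selectors that do not constrain it."""
        if self.proto is not None and self.proto != proto:
            return False
        if self.src is not None and ip_address(src) not in ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ip_address(dst) not in ip_network(self.dst, strict=False):
            return False
        if self.sport is not None and self.sport != sport:
            return False
        if self.dport is not None and self.dport != dport:
            return False
        return True


def build_spd(selectors, sorting_enabled=True):
    """Return the lookup order of the SPD.  sorted() is stable, so selectors
    with the same number of parameters stay in creation order."""
    if not sorting_enabled:
        return list(selectors)
    return sorted(selectors, key=Selector.specificity, reverse=True)


def examine(spd, proto, src_addr, src_port, dst_addr, dst_port):
    """First-match lookup, like 'examine <proto> <src> <sport> <dst> <dport>'.
    Ports given as 'any' are passed as None.  Returns (selector name, action);
    a packet no selector covers is reported as dropped (an assumption)."""
    pn = proto_number(proto)
    for sel in spd:
        if sel.matches(pn, src_addr, src_port, dst_addr, dst_port):
            return sel.name, sel.action
    return None, "drop"


# Constructed selectors, in the order an administrator created them.  The broad
# "protect-site" selector was created before the narrower Telnet exception.
SELECTORS = [
    Selector("protect-site", "protect", src="172.16.32.0/24", dst="10.134.66.0/24"),
    Selector("clear-telnet-mgmt", "pass", proto=6, src="172.16.32.0/24", dst="10.134.66.5", dport=23),
    Selector("drop-all", "drop"),
]


def decision(sorting_enabled, proto, src_addr, src_port, dst_addr, dst_port):
    """Run 'examine' against SELECTORS with spd-sorting enabled or disabled."""
    return examine(build_spd(SELECTORS, sorting_enabled), proto, src_addr, src_port, dst_addr, dst_port)


if __name__ == "__main__":
    for sorting in (True, False):
        print("spd-sorting", "enabled " if sorting else "disabled",
              decision(sorting, "tcp", "172.16.32.12", None, "10.134.66.5", 23))
```

With sorting enabled the four-parameter Telnet selector wins for TCP traffic to port 23 on 10.134.66.5 and the packet passes in the clear; with spd-sorting disabled the two-parameter "protect-site" selector, created earlier, matches first and the same packet is sent through IPSec. That silent change of outcome is the reason to re-run examine after toggling spd-sorting.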

disable <stable> Disable stable download processing.

disable <CR> Disable IPSec processing.

enable Enable IPSec processing.

enable <brief> Set default display mode to brief.

enable <copy-df> Enable copying of don't fragment (DF) bit to outer header.


enable <dead-peer-detection <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>

Enable Dead Peer Detection:
• all—all events.
• attribute—ISAKMP attribute processing (IKE).
• basic—basic events.
• cluster—cluster processing.
• cookie—ISAKMP cookie processing (IKE).
• death—SA deletion events.
• download—management software download (IKE).
• event—general event logging.
• header—ISAKMP header processing (IKE).
• id—ISAKMP ID payload processing (IKE).
• io—send or receive message logging (IKE).
• isadb—database operations (IKE).
• locking—locking operations (IKE).
• mapping—IPSec SA mapping creation or deletion.
• notify—ISAKMP notify payload processing.
• option—ISAKMP options processing.
• payload—ISAKMP payload processing.
• pending—pending entry creation or deletion (IPSec).
• policy—policy operations (IKE).
• rekey—rekey operations.
• ring—public- or private-key ring operations (IKE).
• route—routing updates (PF_ROUTE).
• saapi—kernel operations (IKE).
• selector—miscellaneous selector logging (IPSec).
• state—state machine changes (IKE).
• <CR>—all events, if no other options are specified.


enable <deferred-delete <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>

Enable deferred main mode deletions:
• deferred-delete automagic—automatically generated selectors.
• deferred-delete cluster—IKE or IPSec cluster messaging statistics.
• deferred-delete dead—dead security associations.
• deferred-delete option—IKE negotiation options.
• deferred-delete pending—pending security association requests.
• deferred-delete replay—IPSec replay detection information.
• deferred-delete selector—IPSec traffic selector information.
• deferred-delete uuid—policy and selector identifiers.
• deferred-delete <CR>—set full display mode, if no other options are specified.

enable <diff-serv <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>

Enable differentiated services (DiffServ) marking:
• diff-serv all—all events.
• diff-serv attribute—ISAKMP attribute processing (IKE).
• diff-serv basic—basic events.
• diff-serv cluster—cluster processing.
• diff-serv cookie—ISAKMP cookie processing (IKE).
• diff-serv death—SA deletion events.
• diff-serv download—management software download (IKE).
• diff-serv event—general event logging.
• diff-serv header—ISAKMP header processing (IKE).
• diff-serv id—ISAKMP ID payload processing (IKE).
• diff-serv io—send or receive message logging (IKE).
• diff-serv isadb—database operations (IKE).
• diff-serv locking—locking operations (IKE).
• diff-serv mapping—IPSec SA mapping creation or deletion.
• diff-serv notify—ISAKMP notify payload processing.
• diff-serv option—ISAKMP options processing.
• diff-serv payload—ISAKMP payload processing.
• diff-serv pending—pending entry creation or deletion (IPSec).


• diff-serv policy—policy operations (IKE).
• diff-serv rekey—rekey operations.
• diff-serv ring—public- or private-key ring operations (IKE).
• diff-serv route—routing updates (PF_ROUTE).
• diff-serv saapi—kernel operations (IKE).
• diff-serv selector—miscellaneous selector logging (IPSec).
• diff-serv state—state machine changes (IKE).
• diff-serv <CR>—all events, if no other options are specified.

enable <display <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>

Enable display information:
• display automagic—automatically generated selectors.
• display cluster—IKE or IPSec cluster messaging statistics.
• display dead—dead security associations.
• display option—IKE negotiation options.
• display pending—pending security association requests.
• display replay—IPSec replay detection information.
• display selector—IPSec traffic selector information.
• display uuid—policy and selector identifiers.
• display <CR>—set full display mode, if no other options are specified.

enable <full> Set default display mode to full.

enable <host-icmp> Forward host-generated ICMP errors.

enable <inline> Enable inline processing on resource allocation failures.


enable <nat-traversal <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>

Enable NAT traversal encapsulation:
• nat-traversal all—all events.
• nat-traversal attribute—ISAKMP attribute processing (IKE).
• nat-traversal basic—basic events.
• nat-traversal cluster—cluster processing.
• nat-traversal cookie—ISAKMP cookie processing (IKE).
• nat-traversal death—SA deletion events.
• nat-traversal download—management software download (IKE).
• nat-traversal event—general event logging.
• nat-traversal header—ISAKMP header processing (IKE).
• nat-traversal id—ISAKMP ID payload processing (IKE).
• nat-traversal io—send or receive message logging (IKE).
• nat-traversal isadb—database operations (IKE).
• nat-traversal locking—locking operations (IKE).
• nat-traversal mapping—IPSec SA mapping creation or deletion.
• nat-traversal notify—ISAKMP notify payload processing.
• nat-traversal option—ISAKMP options processing.
• nat-traversal payload—ISAKMP payload processing.
• nat-traversal pending—pending entry creation or deletion (IPSec).
• nat-traversal policy—policy operations (IKE).
• nat-traversal rekey—rekey operations.
• nat-traversal ring—public- or private-key ring operations (IKE).
• nat-traversal route—routing updates (PF_ROUTE).
• nat-traversal saapi—kernel operations (IKE).
• nat-traversal selector—miscellaneous selector logging (IPSec).
• nat-traversal state—state machine changes (IKE).
• nat-traversal <CR>—all events, if no other options are specified.

enable <replay> Enable replay detection.


enable <sa-cache> Enable last-used SA cache.

enable <sec-proc> Enable security processors.

enable <server <ah | esp | input | output | queue>>

Enable multiprocessor server processing:
• server ah—secondary processing for AH.
• server esp—secondary processing for ESP.
• server input—input sequencing queue.
• server output—output sequencing queue.
• server queue—input and output sequencing queues.

enable <spd-sorting> Enable sorting of IPSec selectors in the SPD. This is the default setting.

enable <stable> Enable stable download processing.

enable <CR> Enable IPSec processing.

flush <ike | ipsec | <CR>> Clear IKE and IPSec security associations:
• ike—clear IKE security associations.
• ipsec—clear IPSec security associations.
• <CR>—clear all.

Note: The flush command performs the same function as the crypto clear command.

ike <delete <NUMBER> | lifetime <NUMBER>>

Set IKE parameters:
• delete—delete an IKE security association.
• delete NUMBER—sequence number of the IKE security association.

Note: Deletes the tunnel indexed by the IKE security association with the indicated sequence number. The IKE and IPSec security associations are created again to reestablish traffic flow. This command affects all nodes in the cluster.

• lifetime—set the default IKE lifetime.
• lifetime NUMBER—lifetime value.

ipsec <delete <NUMBER> <ADDR> <ah | esp> | lifetime <NUMBER> | rekey <NUMBER> <ADDR> <ah | esp>>

Set IPSec parameters:
• delete—delete an IPSec security association.
• delete NUMBER—SPI of the security association.


Note: Deletes the IPSec security association indexed by the indicated SPI. The IKE security association remains unchanged, but a new IPSec security association is created to reestablish traffic flow. This command affects all nodes in a cluster.

• delete ADDR—dotted-decimal address of the peer.
• delete ah—AH IPSec protocol.
• delete esp—ESP IPSec protocol.
• lifetime—set the default IPSec lifetime.
• lifetime NUMBER—lifetime value.
• rekey—initiate an IPSec rekey.
• rekey NUMBER—SPI of the security association.
• rekey ADDR—dotted-decimal address of the peer.
• rekey ah—AH IPSec protocol.
• rekey esp—ESP IPSec protocol.

policy <reload <NAME>> Reload crypto policy: • NAME—security policy database name.

show Show security associations.

show <active <brief | full | <SPI> | <CR>>>

Show active security associations:
• active brief—show active SAs in brief.
• active full—show active SAs in full.
• active <SPI>—show the active SA with the given security parameter index (SPI).
• active <CR>—show all active SAs.

show address-cache Show cached internal addresses.

show all <brief | full> Show all security associations.

Note: The crypto show all command performs the same function as the crypto show ike and crypto show ipsec commands together.

• all brief—show all SAs in brief.
• all full—show all SAs in full.


show cached <all <brief | full> | chains <local | remote> <brief | full> | identities <local | remote> <brief | full> | names <brief | full> | public <local | remote> <brief | full>>

Show IKE cached keying material:
• cached all—show all cached keying material.
• cached all brief—show all cached keying material in brief.
• cached all full—show all cached keying material in full.
• cached chains—show cached certificate chains.
• cached chains local—show cached local certificate chains.
• cached chains remote—show cached remote certificate chains.
• cached chains brief—show cached certificate chains in brief.
• cached chains full—show cached certificate chains in full.
• cached identities—show cached certificate identities.
• cached identities local—show cached local identities.
• cached identities remote—show cached remote identities.
• cached identities brief—show cached certificate identities in brief.
• cached identities full—show cached certificate identities in full.
• cached names—show cached certificate subject names.
• cached names brief—show cached certificate subject names in brief.
• cached names full—show cached certificate subject names in full.
• cached public—show cached uncertified public keys.
• cached public local—show cached local uncertified public keys.
• cached public remote—show cached remote uncertified public keys.
• cached public brief—show cached uncertified public keys in brief.
• cached public full—show cached uncertified public keys in full.

show cluster Show IKE cluster state.

show dead <brief | full>

Show dead security associations:
• dead brief—show dead SAs in brief.
• dead full—show dead SAs in full.


show expired <brief | full>

Show expired security associations:
• expired brief—show expired SAs in brief.
• expired full—show expired SAs in full.

show ike <-n | brief | full | statistics | <SEQ> | <ADDR> | <fqdn> | <rfc822> | <CR>>

Show IKE security associations:
• ike -n—do not look up symbolic host names.
• ike brief—show IKE information in brief.
• ike full—show IKE information in full.
• ike statistics—show IKE statistics.
• ike <SEQ>—show IKE information by sequence number (SEQ).
• ike <ADDR>—show IKE information by IP address.
• ike <fqdn>—show IKE information by fully qualified domain name.
• ike <rfc822>—show IKE information by RFC 822 (e-mail address) identity.
• ike <CR>—show IKE information in the default display mode.

show ipsec <brief | full | <SPI> | <CR>>

Show all active, inactive, expired, and pending IPSec security associations:
• ipsec brief—show active SAs in brief.
• ipsec full—show active SAs in full.
• ipsec <SPI>—show the active SA with the given security parameter index (SPI).
• ipsec <CR>—show all active SAs.

show keys <all <brief | full> | blocked <brief | full> | certified <brief | full> | preshared <brief | full> | public <local | remote> <brief | full> | trusted-root <brief | full>>

Show the PKI database:
• keys all—show all keys.
• keys all brief—show all keys in brief.
• keys all full—show all keys in full.
• keys blocked—show blocked certified public keys.
• keys blocked brief—show blocked certified public keys in brief.
• keys blocked full—show blocked certified public keys in full.


• keys certified—show local certified public keys.
• keys certified brief—show certified public keys in brief.
• keys certified full—show certified public keys in full.
• keys preshared—show preshared keys.
• keys preshared brief—show preshared keys in brief.
• keys preshared full—show preshared keys in full.
• keys public—show uncertified public keys.
• keys public local—show local uncertified public keys.
• keys public remote—show remote uncertified public keys.
• keys public brief—show local uncertified public keys in brief.
• keys public full—show local uncertified public keys in full.
• keys trusted-root—show trusted certification authority root keys.
• keys trusted-root brief—show trusted certification authority root keys in brief.
• keys trusted-root full—show trusted certification authority root keys in full.

show options Show policy options.

show pending <brief | full>

Show pending security associations:
• pending brief—show pending SAs in brief.
• pending full—show pending SAs in full.


show policy <-n | brief | client <brief | full | matched | <CR>> | full | gateway | ike | ipsec | matched | protnet | spd <brief | dynamic | full | matched | routing | static | <CR>> | <CR>>

Show the policy database:
• policy -n—do not look up symbolic host names.
• policy brief—show all policies in brief.
• policy client—show the client access control list.
• policy client brief—show all client policies in brief.
• policy client full—show all client policies in full.
• policy client matched—show only matched client access entries.
• policy client <CR>—show the client policy.
• policy full—show all policies in full.
• policy gateway—show gateway associations.
• policy ike—show IKE policy records.
• policy ipsec—show IPSec policy records.
• policy matched—show only matched selectors and client access entries.
• policy protnet—show the protected networks database.
• policy spd—show the security policy database.
• policy spd brief—show all policies in brief.
• policy spd dynamic—show only dynamic selectors.
• policy spd full—show all policies in full.
• policy spd matched—show only matched selectors.
• policy spd routing—show only routing selectors.
• policy spd static—show only static selectors.
• policy spd <CR>—show the SPD.
• policy <CR>—show the crypto policy in brief.


Note: In the display, the items with id tags (such as ipsec policy id) are database record numbers used for internal policy indexing.

show statistics <ah | esp | ike | random | replay | sa | sec-proc | <CR>>

Show the current activity counters for the node:
• statistics ah—show Authentication Header (AH) statistics.
• statistics esp—show Encapsulating Security Payload (ESP) statistics.
• statistics ike—show IKE statistics.
• statistics random—show random number generator statistics.
• statistics replay—show IPSec replay detection statistics.
• statistics sa—show security association statistics.
• statistics sec-proc—show security processor statistics.
• statistics <CR>—show all statistics.

Examples

crypto enable display automagic
Enables display of autogenerated selectors when used with the crypto show policy commands.

crypto show keys all
Displays certificates and keys.

crypto show all
Displays the current security associations that have been established across the cluster.

crypto policy reload
Reloads the IPSec policy database on the current node from the ipsec_policy_<version>.dat file on flash memory.

Related Commands

See the “show” command on page 105.

date

Use the date command to set or view the current system date and time. All Nokia IP VPN Gateway time is expressed in UTC/GMT.

Syntax

date [[[[[yyyy]mm]dd]HH]MM[.ss]] [<CR>]

Arguments

[[[[yyyy]mm]dd]HH]MM[.ss] Set the system date and time. The value is one number: the minutes (MM) are required, the hour, day, month and year are optional prefixes in that order, and the seconds are an optional suffix after a dot.

<CR> Display the system date and time.

Example

date 200207202315.25
Sets the date to July 20, 2002 and the time to 23:15:25.

examine

Use the examine command to determine the action taken when a packet is sent or received on the cluster. The command:
• inspects the selectors;
• determines the filter that applies to the packet;
• determines whether the cluster drops the packet, passes it in the clear, or protects it by using IPSec.

Syntax

examine <any | gre | icmp | ipinip | tcp | udp | <NUMBER>> <SRC-ADDR> <any | SRC-PORT> <DST-ADDR> <any | DST-PORT>

Arguments

any Any protocol.

gre Select the Generic Routing Encapsulation (GRE) protocol.

icmp Select ICMP.

ipinip Select the IP-in-IP protocol.

tcp Select the Transmission Control Protocol (TCP).

udp Select the User Datagram Protocol (UDP).

<NUMBER> IP protocol number.

<SRC-ADDR> Source dotted-decimal address.

<any | SRC-PORT>
• any—any port.
• SRC-PORT—source port.

<DST-ADDR> Destination dotted-decimal address.

<any | DST-PORT>
• any—any port.
• DST-PORT—destination port.

Examples

examine tcp 172.16.32.12 any 10.134.66.5 23
Inspects the gateway filters for traffic from 172.16.32.12 (from any port) to the Telnet server port on 10.134.66.5.

Related Commands

See the clear ike command in “clear” on page 76.
See the clear ipsec command in “clear” on page 76.
See the “crypto” command on page 78.
See the show crypto command in “crypto” on page 78.
See the show ike command in “show” on page 105.
See the show ipsec command in “show” on page 105.
See the show pending command in “show” on page 105.
See the show policy command in “show” on page 105.

flash

Use the flash command to manage the contents of the flash memory and the files it contains.

Syntax

flash [duplicate <<NAME> | <CR>> <<NAME> | <CR>>] [format <-d <<NAME> | <CR>> | <NAME>>]


Arguments

duplicate <<NAME> | <CR>> <<NAME> | <CR>>
Copy all the files from one flash memory to another.

Note: Supported only on Nokia IP VPN Gateways that have more than one flash memory.

• NAME—name of the flash memory to copy from.
• <CR>—copy from the default flash memory.
• NAME—name of the flash memory to copy to.
• <CR>—copy to the flash1 memory by default.

format <-d <<NAME> | <CR>> | <NAME>>
Format flash memory:
• -d—delete all files from the flash memory, but do not call the process that formats the flash memory.
• -d NAME—name of the flash memory.
• -d <CR>—delete the files in the current flash memory by default.
• NAME—name of the flash memory to format.

Examples

flash format flash:
Erases the contents of the primary flash memory and formats it, creating an empty flash file system.

flash duplicate cfcard1: pccard1:
Copies the contents of the flash memory in the internal CompactFlash slot to the flash memory in PC-Card slot 1.

Related Commands

See the “type” command on page 155.
See the “copy” command on page 151.
See the “differences” command on page 153.
See the “backup” command on page 74.

kernel

Use the kernel command to manage the kernel file.

Syntax

kernel [check <filename>] [commit] [upgrade <filename>]

Arguments

check <filename> Check a kernel image and display information about it, such as the kernel architecture, version, clustering version, signature, and flags:
• filename—name of the kernel file.

commit Commit the upgraded kernel image.

Note: You can commit the image only if the image is acceptable when you reboot after applying the kernel upgrade command. Committing the image selects it to boot on the next reboot. The kernel must have been booted by using the kernel upgrade command for the kernel commit command to perform any action. If you boot a new kernel by using the kernel upgrade command but do not apply the kernel commit command (or if the reboot fails), the node reverts to the original kernel image the next time it boots.

upgrade <filename> Upgrade the kernel boot image:
• filename—name of the kernel file.

Note: Notifies the node to boot the selected image at the next reboot. You must enter the kernel commit command after the node reboots for the upgraded kernel to be used on subsequent reboots.

nat

Use the nat command to delete all NAT entries in the NAT table. For more information about the nat command, see “Configuring Firewall and Network Address Translation” on page 255.

Syntax

nat clear-state

Arguments

clear-state Flush all active NAT table entries.
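The kernel upgrade and kernel commit sequence above has a failure mode worth seeing end to end: an image that is booted once but never committed is discarded at the next reboot, whether that reboot was deliberate or a crash. The following Python model is an added example, not Nokia code; the BootSelector class, the image names and the reboot(boot_ok=...) switch are assumptions standing in for the gateway's real boot-selection storage, and the rules it encodes are only the ones the notes above state.

```python
"""Added example (not from the Nokia manual): a model of the two-step
kernel upgrade described for 'kernel upgrade' and 'kernel commit'.

Assumed state (a small class rather than the gateway's NVRAM/flash layout):
  committed  the image that boots by default
  staged     an image selected with 'kernel upgrade', valid for one boot
  trial      True while the node is running a staged, uncommitted image
Rules modelled, as the manual states them:
  - kernel upgrade <file> selects an image for the next boot only;
  - on that boot the staged image runs once;
  - kernel commit acts only if the running image was booted via upgrade,
    and then makes it the default;
  - a reboot, or a failed boot, without a commit reverts to the committed image.
"""
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class BootSelector:
    committed: str
    staged: Optional[str] = None
    running: Optional[str] = None      # None until the first boot
    trial: bool = False
    log: List[str] = field(default_factory=list)

    def upgrade(self, image: str) -> None:
        """kernel upgrade <filename>: select image for the next boot only."""
        self.staged = image
        self.log.append(f"staged {image}")

    def reboot(self, boot_ok: bool = True) -> str:
        """Reboot the node.  A staged image is tried exactly once; any other
        reboot (nothing staged, trial not committed, or boot failure) runs
        the committed image."""
        if self.staged is not None and boot_ok:
            self.running, self.trial = self.staged, True
        else:
            self.running, self.trial = self.committed, False
        self.staged = None              # the staged selection is consumed by this boot
        self.log.append(f"booted {self.running}" + (" (trial)" if self.trial else ""))
        return self.running

    def commit(self) -> bool:
        """kernel commit: make the running trial image the default.
        Returns False (no action) unless the node was booted with kernel upgrade."""
        if not self.trial:
            self.log.append("commit ignored: running image was not booted with kernel upgrade")
            return False
        self.committed, self.trial = self.running, False
        self.log.append(f"committed {self.committed}")
        return True


# Constructed image names; nothing below is a real Nokia file name.
OLD, NEW = "kernel-6.3", "kernel-6.3.1"


def upgrade_and_commit(old: str = OLD, new: str = NEW) -> str:
    """The documented happy path: upgrade, reboot, commit, reboot."""
    node = BootSelector(committed=old)
    node.reboot()
    node.upgrade(new)
    node.reboot()                       # trial boot of the new image
    node.commit()                       # now the default
    return node.reboot()                # still the new image


def upgrade_without_commit(old: str = OLD, new: str = NEW):
    """Forgetting kernel commit: the new image runs once and then disappears."""
    node = BootSelector(committed=old)
    node.upgrade(new)
    first = node.reboot()
    second = node.reboot()              # no commit in between: falls back
    return first, second


def upgrade_boot_fails(old: str = OLD, new: str = NEW):
    """The new image fails to come up: the node falls back and commit is a no-op."""
    node = BootSelector(committed=old)
    node.upgrade(new)
    running = node.reboot(boot_ok=False)
    return running, node.commit()


if __name__ == "__main__":
    print("commit path      ->", upgrade_and_commit())
    print("no commit        ->", upgrade_without_commit())
    print("failed boot      ->", upgrade_boot_fails())
```

The operational consequence is the one the note warns about: after scheduling or performing a kernel upgrade, verify with show version (or the equivalent) that the trial image is running, then commit within that same boot; a watchdog reboot before the commit silently returns the node to the old kernel.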


pin

Use the pin command to encrypt and secure keying material, and to secure intracluster communication. The keying material is used to authenticate the gateway to VPN Manager during the initial download, before an SSL certificate is generated. A PIN is created during initial installation of the gateway. All nodes in a cluster must share the same PIN.

Caution: Using the pin command incorrectly can render the gateway configuration unusable. The only recovery might be to reinstall and reconfigure the gateway.

Syntax

pin [set <generate | none | <HEX>>] [show] [update <none | <HEX>>] [zero]

Caution: The pin update command is not supported in clustered configurations. To change the PIN in a cluster, change the PIN on each node individually, with no other nodes booted.

Arguments

set <generate | none | <HEX>>
Restore the PIN and allow the node to be added to the cluster:
• generate—generate a new PIN.
• HEX—PIN value in hexadecimal.
• none—disable use of the PIN.

Note: Use this command only when a new node is added to an existing cluster, or to restore the PIN on a node on which the PIN was cleared.

show Show the PIN.

update <none | <HEX>> Change the PIN:
• none—disable use of the PIN.
• HEX—new PIN value in hexadecimal.

zero Clear the PIN from NVRAM.

Examples

pin update bcbea45fd841f7b0b9805b94563c0b86
Changes the current PIN on the cluster node to the given value. The command:
• reads the current PIN from hardware (NVRAM);
• decrypts the keying material by using the current PIN;
• encrypts the keying material under the new PIN;
• stores the new PIN in NVRAM.

pin update none
Similar to pin update <HEX>, but clears the PIN, leaving the keying material unencrypted and intracluster communication unprotected. This applies to all nodes in a cluster.

pin set bcbea45fd841f7b0b9805b94563c0b86
Sets the PIN stored in NVRAM to the specified value.

reboot

Use the reboot command to restart the gateway.

Syntax

reboot

Related Commands

See the “date” command on page 97.
See the “finger” command on page 140.
See the “schedule” command on page 103.
See the “show” command on page 105.

schedule

Use the schedule command to schedule backup and other administrative tasks.

Syntax

schedule [backup <<date/time> <PATH> <seconds>>] [bump] [cancel] [commit <date/time> <version>] [kernel <kernel_filename>] [list] [reboot <date/time>] [resume] [rollupgrade <date/time> <#nodes>] [session <date/time>] [stagreboot <date/time>] [suspend] [upgrade <date/time> <#nodes>]

Arguments

backup <<date/time> <PATH> <seconds>>
Back up flash files. The schedule backup command performs the same function as the backup save command.
• date/time—scheduled time, in the form dd/mm/yyyy-HH:MM:SS.
• PATH—destination path for the backup (for example, an NFS URL).
• seconds—interval in seconds between backups.

bump Version of schedule commitment.

cancel Cancel all scheduled events.

commit <date/time> <version>
Commit to the new configuration files.

Note: Performs the same function as the kernel commit command.

• date/time—scheduled time, in the form dd/mm/yyyy-HH:MM:SS.
• version—version number of the configuration.

kernel <kernel_filename>
Set the file name of the kernel for the next upgrade.

Note: Performs the same function as the kernel upgrade command.

• kernel_filename—name of the kernel file for the upgrade.

list List scheduled events.

reboot <date/time>
Reboot all nodes in the cluster.

Note: Performs the same function as the reboot command.

• date/time—scheduled time, in the form dd/mm/yyyy-HH:MM:SS.

resume Resume the event schedule handler.

rollupgrade <date/time> <#nodes>
Rolling upgrade of all nodes in the cluster:
• date/time—scheduled time, in the form dd/mm/yyyy-HH:MM:SS.
• #nodes—number of nodes in the cluster.

session <date/time> Session interval:
• date/time—scheduled time, in the form dd/mm/yyyy-HH:MM:SS.

stagreboot <date/time> Reboot all nodes in sequence:
• date/time—scheduled time, in the form dd/mm/yyyy-HH:MM:SS.

suspend Suspend the event schedule handler.

upgrade <date/time> <#nodes>
Upgrade all nodes in the cluster:
• date/time—scheduled time, in the form dd/mm/yyyy-HH:MM:SS.
• #nodes—number of nodes in the cluster.

Examples

schedule backup 27/08/2004-18:40:00 nfs://192.168.17.212/usr/local/fbackup 86400
Backs up the flash configuration files to the given path on the NFS server at 192.168.17.212, starting at 18:40:00 on 27 August 2004 and every 24 hours (86,400 seconds) thereafter.

Related Commands

See the “backup” command on page 74.
See the “terminal” command on page 100.
See the “reboot” command on page 103.

show

Use the show command to display information about gateway modes and configuration settings.


Syntax

show
address-pool
arp <-a | -n | -<options> | <HOST>>
bootp-forwarder
cluster <-n | aggregation | keepalive | workspace>
configuration <active | pki <active | private | startup | <CR>> | startup | <CR>>
crypto
date
debug
dhcp-client
dhcp-server <client <A.B.C.D> | full | <CR>>
dialup
fastpath <-n | <CR>>
filter-cache
firewall <full | state | statistics | <CR>>
flash
fru
hardware
ike <-n | brief | full | statistics | <SEQ> | <ADDR> <brief | full | <CR>> | <fqdn> | <rfc822> | <CR>>
interface <statistics <eth-1 | eth-2 | eth-3 | eth-4 | loop-0> | status <eth-1 | eth-2 | eth-3 | eth-4 | loop-0>>
ip <anti-spoofing | connections | forwarding | icmp | nat <all | <CR>> | routes <<ADDR> | <CR>>>
ipsec <brief | full | <SPI> | <CR>>
ipsrd bgp <errors | groups | memory | paths | peers <detailed | <A.B.C.D> <advertised | detailed | received> | <CR>> | statistics | <CR>>
ipsrd configuration
ipsrd ipsec-peer <not-allowed-networks | peers <<A.B.C.D> <received | <CR>> | <CR>> | protected-networks | <CR>>
ipsrd memory
ipsrd ospf database <area | asbr-summary | checksum | database-summary | external | network | router | summary | type | <CR>>
ipsrd ospf errors <brief | dd | hello | ip | lsack | lsr | lsu | proto | <CR>>
ipsrd ospf events
ipsrd ospf interface <detail | <CR>>
ipsrd ospf neighbor <detail | <A.B.C.D> | <CR>>
ipsrd ospf packets
ipsrd ospf <CR>
ipsrd rip <errors | interfaces | neighbors | packets | <CR>>
ipsrd route aggregate
ipsrd route all <aggregate | bgp | direct | ipsec-peer | ospf | rip | static | <CR>>
ipsrd route bgp <aspath | communities | detailed | metrics | suppressed | <CR>>
ipsrd route destination <A.B.C.D>
ipsrd route direct
ipsrd route exact-match <A.B.C.D>
ipsrd route inactive <aggregate | bgp | direct | ospf | rip | static | <CR>>
ipsrd route ipsec-peer
ipsrd route less-specific <A.B.C.D>
ipsrd route more-specific <A.B.C.D>
ipsrd route ospf
ipsrd route rip
ipsrd route static
ipsrd route summary
ipsrd route <CR>
key cache <all <brief | full> | chains <local | remote> <brief | full> | identities <local | remote> <brief | full> | names <brief | full> | public <local | remote> <brief | full>>
key info <all <brief | full> | blocked <brief | full> | certified <brief | full> | preshared <brief | full> | public <local | remote> <brief | full> | trusted-root <brief | full>>
locks
logger
memory
modem
nat <arp | state | statistics>
ntpdate
oob
packet-trace
pending <brief | full>
policy <-n | brief | client <brief | full | matched> | full | gateway | ike | ipsec | matched | protnet | spd <brief | dynamic | full | matched | routing | static | <CR>> | <CR>>
pppoe <interface <CR> | profile <CR>>
processes
schedule
sensor <all | fan | ps | temp | volt>
snmp
ssh [config | public-key auth]
statistics <ah | esp | icmp | igmp | ike | ip | ipsec | nat | queue | random | replay | sa | sec-proc | tcp | udp | <CR>>
subsystem
syslog
terminal
version
vpdn <all | brief | ip-address <HOST> | username | <CR>>
vrrp
wanbackup


Arguments

address-pool Show address pool information.

arp <-a | -n | -<options> | <HOST>>

Show ARP tables:
• -a—display all ARP entries.
• -n—show addresses as numbers (valid only with -a or HOST).
• -<options>—combination of ARP options.
• HOST—host name or dotted-decimal address.

bootp-forwarder Show bootp-forwarder information.

cluster <-n | aggregation | keepalive | workspace>

Show cluster information:
• -n—do not look up symbolic host names.
• aggregation—show cluster aggregation statistics.
• keepalive—show cluster keepalive statistics.
• workspace—show cluster workspace assignments.

configuration <active | pki <active | private | startup | <CR>> | startup | <CR>>

Show the active or startup configuration:
• active—show the active configuration.
• pki—show the PKI configuration.
• pki active—show the active PKI configuration.
• pki private—show the private PKI configuration.
• pki startup—show the startup PKI configuration.
• pki <CR>—show the active PKI configuration.
• startup—show the startup configuration.
• CR—show the active configuration.

crypto Show IKE or IPSec run-time options.

date Show date and time.

debug Show current debug settings.

dhcp-client Show DHCP client information.

dhcp-server <client <A.B.C.D> | full | <CR>>

Show DHCP server status:
• client <A.B.C.D>—show the DHCP information associated with the client at the specified IP address.
• full—show detailed DHCP server status.
• CR—show a summary report.

dialup Show dialup information.


fastpath <-n | <CR>>

Show diagnostic IP fastpath information:
• -n—do not look up symbolic host names.
• CR—look up symbolic host names.

filter-cache Show packet-filter cache information.

firewall <full | state | statistics | <CR>>

Show firewall information:
• full—show the active firewall rules in detail.
• state—show the firewall state.
• statistics—show firewall statistics.
• CR—show the active firewall rules.

flash Show flash memory information.

fru Show various FRU values from EEPROM.

hardware Show hardware information.

ike <-n | brief | full | statistics | <SEQ> | <ADDR> <brief | full | <CR>> | <fqdn> | <rfc822> | <CR>>

Note: Performs the same function as the crypto show ike command.

Show IKE security associations:
• -n—do not look up symbolic host names.
• brief—show IKE information in brief.
• full—show IKE information in full.
• statistics—show IKE statistics.
• SEQ—show IKE information by sequence number (SEQ).
• ADDR—show IKE information by IP address.
• ADDR brief—show IKE information for that address in brief.
• ADDR full—show IKE information for that address in full.
• ADDR CR—show IKE information for that address in the default display mode.
• fqdn—show IKE information by fully qualified domain name (FQDN) identity.
• rfc822—show IKE information by RFC 822 (e-mail address) identity.
• CR—show IKE information in the default display mode.

interface <statistics <eth-1 | eth-2 | eth-3 | eth-4 | loop-0> | status <eth-1 | eth-2 | eth-3 | eth-4 | loop-0>>

Show interface information:
• statistics—show network statistics for eth-1, eth-2, eth-3, eth-4 or loop-0.
• status—show interface status for eth-1, eth-2, eth-3, eth-4 or loop-0.


ip <anti-spoofing | connections | forwarding | icmp | nat <all | <CR>> | routes <<ADDR> | <CR>>>

Show IP information:
• anti-spoofing—show whether IP anti-spoofing (source address spoofing protection) is enabled or disabled.
• connections—show IP connection information.
• forwarding—show IP forwarding information.
• icmp—show ICMP information.
• nat—show NAT information.
• nat all—show the active NAT table entries of all subsystems.
• nat <CR>—show the active IP NAT table entries.
• routes—show IP route information.
• routes ADDR—show the route for the given dotted-decimal address.
• routes <CR>—show all routing entries.

ipsec <brief | full | <SPI> | <CR>>

Note: Performs the same function as the crypto show ipsec command.

Show IPSec security associations:
• brief—show active SAs in brief.
• full—show active SAs in full.
• SPI—show the active SA with the given security parameter index (SPI).
• CR—show all active SAs.

ipsrd Show routing process state.

ipsrd <bgp <errors | groups | memory | paths | peers <detailed | <A.B.C.D> <advertised | detailed | received> | <CR>> | statistics | <CR>>>

Show BGP state information:
• errors—show BGP errors.
• groups—show BGP groups.
• memory—show BGP memory usage.
• paths—show BGP AS paths.
• peers detailed—show BGP peer information in detail.
• peers <A.B.C.D> advertised—show the routes advertised to the peer.
• peers <A.B.C.D> detailed—show the peer in detail.
• peers <A.B.C.D> received—show the routes received from the peer.
• peers <CR>—show the BGP peers summary.
• statistics—show BGP statistics.
• CR—show the BGP summary.

ipsrd <configuration> Show the IPSRD configuration file.


ipsrd <ipsec-peer <not-allowed-networks | peers <<A.B.C.D> <received> <CR> | <CR>> | protected-networks | <CR>>>

Show IPSec-peer state information:
• not-allowed-networks—show networks not advertised by this peer.
• peers—show IPSec peers.
• peers <A.B.C.D>—IPSec peer IP address.
• peers <A.B.C.D> received—show the networks received from the peer.
• peers <A.B.C.D> <CR>—show information about the peer.
• peers <CR>—show the IPSec peers summary.
• protected-networks—show the networks protected and advertised by this peer.
• CR—show the IPSec-peer summary.

ipsrd <memory> Show memory usage.


ipsrd <ospf <database <area | asbr-summary | checksum | database-summary | external | network | router | summary | type | <CR>> | errors <brief | dd | hello | ip | lsack | lsr | lsu | proto | <CR>> | events | interface <detail | <CR>> | neighbor <detail | <A.B.C.D> | <CR>> | packets | <CR>>>

Show OSPF state information:
• database—show the OSPF database.
• database area—show the OSPF database by area.
• database asbr-summary—show ASBR-summary LSAs.
• database checksum—show OSPF database checksums.
• database database-summary—show the OSPF database summary.
• database external—show external LSAs.
• database network—show network LSAs.
• database router—show router LSAs.
• database summary—show summary LSAs.
• database type—show the OSPF database by LSA type.
• database <CR>—show the OSPF database.
• errors—show OSPF errors.
• errors brief—show OSPF errors in brief.
• errors dd—show database description (DD) packet errors.
• errors hello—show hello packet errors.
• errors ip—show IP-level errors.
• errors lsack—show link-state acknowledgment errors.
• errors lsr—show link-state request errors.
• errors lsu—show link-state update errors.
• errors proto—show protocol errors.
• errors <CR>—show OSPF errors.
• events—show OSPF events.
• interface—show OSPF interfaces.
• interface detail—show OSPF interfaces in detail.
• interface <CR>—show OSPF interfaces.
• neighbor—show OSPF neighbors.
• neighbor detail—show OSPF neighbors in detail.
• neighbor <A.B.C.D>—show the OSPF neighbor at the given address.
• neighbor <CR>—show OSPF neighbors.
• packets—show OSPF packets.
• CR—show the OSPF summary.

ipsrd <rip <errors | interfaces | neighbors | packets | <CR>>>

Show RIP state information:
• errors—show RIP errors.
• interfaces—show RIP interfaces.
• neighbors—show RIP neighbors.
• packets—show RIP packets.
• CR—show the RIP summary.

ipsrd <route <aggregate | all <aggregate | bgp | direct | ipsec-peer | ospf | rip | static | <CR>> | bgp <aspath | communities | detailed | metrics | suppressed | <CR>> | destination <A.B.C.D> | direct | exact-match <A.B.C.D> | inactive <aggregate | bgp | direct | ospf | rip | static | <CR>> | ipsec-peer | less-specific <A.B.C.D> | more-specific <A.B.C.D> | ospf | rip | static | summary | <CR>>>

Show active routes:
• aggregate—show active aggregate routes.
• all—show all routes.
• all aggregate—show all aggregate routes.
• all bgp—show all BGP routes.
• all direct—show all direct routes.
• all ipsec-peer—show all IPSec-peer routes.
• all ospf—show all OSPF routes.
• all rip—show all RIP routes.
• all static—show all static routes.
• all <CR>—show all routes.
• bgp—show active BGP routes.
• bgp aspath—show routes along with their AS paths.
• bgp communities—show routes along with their communities.
• bgp detailed—show routes in detail.
• bgp metrics—show routes along with their metrics.
• bgp suppressed—show suppressed routes.
• bgp <CR>—show active BGP routes.
• destination <A.B.C.D>—show the route to the given destination address.
• direct—show active direct routes.
• exact-match <A.B.C.D>—show one specific route, given as an address or as address/masklen.
• inactive—show inactive routes.
• inactive aggregate—show inactive aggregate routes.
• inactive bgp—show inactive BGP routes.
• inactive direct—show inactive direct routes.
• inactive ospf—show inactive OSPF routes.
• inactive rip—show inactive RIP routes.
• inactive static—show inactive static routes.
• inactive <CR>—show inactive routes.
• ipsec-peer—show active IPSec-peer routes.
• less-specific <A.B.C.D>—show routes that are less specific than the given route (address or address/masklen).
• more-specific <A.B.C.D>—show routes that are more specific than the given route (address or address/masklen).
• ospf—show active OSPF routes.
• rip—show active RIP routes.
• static—show active static routes.
• summary—show the route summary.
• CR—show active routes.

ipsrd <CR> Show the IPSRD summary.

key <cache <all <brief | full> | chains <local | remote> <brief | full> | identities <local | remote> <brief | full> | names <brief | full> | public <local | remote> <brief | full>>>

Show cached keying material:
• cache all—show all cached keying material.
• cache all brief—show all cached keying material in brief.
• cache all full—show all cached keying material in full.
• cache chains local—show cached local certificate chains.
• cache chains remote—show cached remote certificate chains.
• cache chains <local | remote> brief—show the selected certificate chains in brief.
• cache chains <local | remote> full—show the selected certificate chains in full.
• cache identities local—show cached local certificate identities.
• cache identities remote—show cached remote certificate identities.
• cache identities <local | remote> brief—show the selected certificate identities in brief.
• cache identities <local | remote> full—show the selected certificate identities in full.
• cache names—show cached certificate subject names.
• cache names brief—show cached certificate subject names in brief.
• cache names full—show cached certificate subject names in full.
• cache public local—show cached local uncertified public keys.
• cache public remote—show cached remote uncertified public keys.
• cache public <local | remote> brief—show the selected uncertified public keys in brief.
• cache public <local | remote> full—show the selected uncertified public keys in full.

key <info <all <brief | full> | blocked <brief | full> | certified <brief | full> | preshared <brief | full> | public <local | remote> <brief | full> | trusted-root <brief | full>>>

Show keying material information:
• all—show all keys.
• all brief—show all keys in brief.
• all full—show all keys in full.
• blocked—show certificates that have been moved to the blocked certificate list.
• blocked brief—show blocked certified public keys in brief.
• blocked full—show blocked certified public keys in full.
• certified—show certificates for public keys that are certified.
• certified brief—show certified public keys in brief.
• certified full—show certified public keys in full.
• preshared—show preshared secrets used for IKE authentication.
• preshared brief—show preshared keys in brief.
• preshared full—show preshared keys in full.
• public—show public- or private-key pairs that are not certified.
• public local—show local uncertified public keys.
• public local brief—show local uncertified public keys in brief.
• public local full—show local uncertified public keys in full detail.
• public remote—show remote uncertified public keys.
• public remote brief—show remote uncertified public keys in brief.
• public remote full—show remote uncertified public keys in full detail.
• trusted-root—show certificates of certification authorities known as trusted roots.
• trusted-root brief—show trusted certification authority root keys in brief.
• trusted-root full—show trusted certification authority root keys in full.

The output of the preshared options may include the secrets themselves; treat it, and any terminal log that captures it, as sensitive.

locks Show lock information.

logger Show logger statistics.

memory Show memory statistics.

modem Show modem information.

nat <arp | state | statistics>

Show NAT information:
• arp—show ARP entries.
• state—show active NAT table entries.
• statistics—show NAT statistics.

ntpdate Show ntpdate statistics.

oob Show oob information.

packet-trace Show packet trace information.

pending <brief | full>

Show pending security associations (SAs):
• brief—show pending SAs in brief.
• full—show pending SAs in full.


policy <-n | brief | client <brief | full | matched | <CR>> | full | gateway | ike | ipsec | matched | protnet | spd <brief | dynamic | full | matched | routing | static | <CR>> | <CR>>

Show the security policy database:
• -n—do not look up symbolic host names.
• brief—show all policies in brief.
• client—show the client access control list.
• client brief—show all client policies in brief.
• client full—show all client policies in full.
• client matched—show only matched client access entries.
• client <CR>—show the client policy.
• full—show all policies in full.
• gateway—show gateway associations.
• ike—show IKE policy records.
• ipsec—show IPSec policy records.
• matched—show only matched selectors and client access entries.
• protnet—show the protected networks database.
• spd—show the security policy database.
• spd brief—show all policies in brief.
• spd dynamic—show only dynamic selectors.
• spd full—show all policies in full.
• spd matched—show only matched selectors.
• spd routing—show only routing selectors.
• spd static—show only static selectors.
• spd <CR>—show the SPD.
• CR—show the crypto policy in brief.

pppoe <interface <CR> | profile <CR>>

Show Point-to-Point Protocol over Ethernet (PPPoE) information:
• interface—PPPoE interface information.
• interface <CR>—show existing PPPoE interfaces.
• profile—PPPoE profile information.
• profile <CR>—show all existing profiles.

processes Show process status.

schedule List currently scheduled events.

sensor <all | fan | ps | temp | volt>

Show sensor values:
• all—show all sensor values.
• fan—show only fan sensor values.
• ps—show only power supply sensor values.
• temp—show only temperature sensor values.
• volt—show only voltage sensor values.

snmp Show SNMP information.


ssh <config | public-key auth>

Display the active SSH configuration, including the ciphers supported, connections per period, the SSH-enabled interface name, the login grace time and the SSH port:
• config—display the active SSH configuration.
• public-key auth—display the user name and the MD5 hash (fingerprint) of the public key.

statistics <ah | esp | icmp | igmp | ike | ip | ipsec | nat | queue | random | replay | sa | sec-proc | tcp | udp | <CR>>

Show protocol statistics:
• ah—show authentication header (AH) statistics.
• esp—show encapsulating security payload (ESP) statistics.
• icmp—show ICMP statistics.
• igmp—show IGMP statistics.
• ike—show IKE statistics.
• ip—show IP statistics.
• ipsec—show IPSec statistics.
• nat—show NAT statistics.
• queue—show sequencing queue statistics.
• random—show random number generator statistics.
• replay—show IPSec replay detection statistics.
• sa—show security association statistics.
• sec-proc—show security processor statistics.
• tcp—show TCP statistics.
• udp—show UDP statistics.
• CR—show all statistics.

subsystem Show subsystem information.

syslog Show syslog information.

terminal Show terminal information.

version Show version information.


vpdn <all | brief | ip-address <HOST> | username | <CR>>

Show L2TP and PPTP (VPDN) information:
• all—show all L2TP and PPTP (VPDN) information.
• brief—show summary L2TP and PPTP (VPDN) information.
• ip-address—show L2TP and PPTP (VPDN) information for the specified IP address.
• ip-address <HOST>—host name or dotted-decimal address.
• username—show L2TP and PPTP (VPDN) information for the specified username.
• CR—show all L2TP and PPTP (VPDN) information.

vrrp Show virtual router information.

wanbackup Show WANBACKUP information.

tcpdump

Use the tcpdump command to control the operations of both the native tcpdump application and the tcpdump client-server application.

Note: In Nokia AOS Ver 6.3, tcpdump is available both as a native application and as a client-server application.

Syntax

Use the tcpdump command to invoke:

Native tcpdump application—you run the native tcpdump application when you enter tcpdump <tcpdump options> or tcpdump <CR>. No additional software is required; the application runs in the same manner from the console window, a Telnet window or an SSH window. The tcpdump <tcpdump options> and tcpdump <CR> forms are available only for the native application. They run continuously until a key is pressed, at which point the native tcpdump application exits (for tcpdump -h, or on an error condition, the application exits by itself). The native tcpdump application is overloaded with the tcpdump server commands and is based on tcpdump 3.8.3.

Note: The following tcpdump 3.8.3 options are not supported in Nokia AOS Ver 6.3: -y, -m, -U, -D and -E.

tcpdump client-server—to run the client-server tcpdump application, you must first activate the tcpdump server on the Nokia AOS Ver 6.3 platform with the tcpdump enable command. The tcpdump client runs on another platform, for example FreeBSD. The application runs in the same manner from the console window, a Telnet window or an SSH window. The following options apply to the tcpdump server only: tcpdump disable, tcpdump enable, tcpdump port <port>, tcpdump secret <secret>.

Caution: The tcpdump server taps traffic travelling through the security gateway, so enable it only under controlled and secure circumstances: restrict it to a single client address with tcpdump enable <A.B.C.D>, set a secret with tcpdump secret <secret>, and run tcpdump disable as soon as the capture is finished.

tcpdump <tcpdump options>

tcpdump [-aAdeflLnNOpqRStuvxX] [-c count] [-C filesize] [-F file] [-i interface] [-r file] [-s snaplen] [-T type] [-w file] [expression]

You can also type tcpdump -h for usage. Visit http://www.tcpdump.org/tcpdump_man.html, or consult the product documents, for more information.

tcpdump [disable] [enable <<A.B.C.D> | <CR>>] [port <port>] [secret <secret>] <CR>

Note: Use the command tcpdump -h to list the native tcpdump command options.


Arguments

<tcpdump options>

tcpdump [-aAdeflLnNOpqRStuvxX] [-c count] [-C filesize] [-F file] [-i interface] [-r file] [-s snaplen] [-T type] [-w file] [expression]

Note: Enter the command tcpdump -h to view all available options.

• -a—backward compatibility.
• -A—print each packet in ASCII.
• -d—print the compiled filter code.
• -e—print the Ethernet header.
• -f—do not translate foreign IP addresses.
• -l—make stdout line buffered.
• -L—list available data link types and exit.
• -n—leave addresses as numbers.
• -N—remove domains from printed host names.
• -O—do not run the filter-code optimizer (optimization is on by default).
• -p—do not put the interface into promiscuous mode.
• -q—quick (shorter) output.
• -R—assume ESP/AH packets follow the old specification (RFC 1825 to RFC 1829); the replay-prevention field is then not printed.
• -S—print absolute rather than relative TCP sequence numbers.
• -t—do not print a timestamp on each line.
• -u—print undecoded NFS handles.
• -v—verbose output.
• -x—print each packet in hex.
• -X—print each packet in ASCII and hex.
• [-c count]—exit after 'count' packets.
• [-C file_size]—rotate dump files once the current file exceeds file_size millions of bytes.
• [-F file]—read the filter expression from file.
• [-i interface]—interface to capture on, in Ethernet<num> or eth-<num> format.
• [-r file]—read packets from file.
• [-s snaplen]—capture snaplen bytes from each packet.
• [-T type]—force packets selected by expression to be interpreted as the specified type. Currently known types are: Remote Procedure Call (rpc), Real-Time Applications protocol (rtp), Real-Time Applications control protocol (rtcp), Visual Audio Tool (vat), and distributed White Board (wb).
• [-w file]—write raw packets to file.


• [expression]—filter used to select the packets. For example, host 172.19.184.25 and port 22 picks SSH traffic to or from 172.19.184.25.

An expression consists of one or more primitives. A primitive consists of an ID (name or number) preceded by one or more qualifiers. There are three kinds of qualifier:
• type—defines what the ID name or number refers to. Possible types are host, net and port. For example: host foo, net 128.3, port 20. If there is no type qualifier, host is assumed.
• dir—specifies a particular transfer direction to or from the ID. Possible directions are src, dst, src or dst, and src and dst. For example: src foo, dst net 128.3, src or dst port ftp-data. If there is no dir qualifier, src or dst is assumed. For null link layers (point-to-point protocols such as SLIP) the inbound and outbound qualifiers may be used to specify a direction.
• proto—restricts the match to a particular protocol. Possible protocols are ether, fddi, ip, arp, decnet, lat, sca, moprc, mopdl, iso, esis, isis, tcp and udp. For example: ether src foo, arp net 128.3, tcp port 21. If there is no proto qualifier, all protocols consistent with the type are assumed. For example, src foo means (ip or arp or rarp) src foo (except that the latter is not legal syntax), net bar means (ip or arp or rarp) net bar, and port 53 means (tcp or udp) port 53.

Primitives may be combined using:
• Negation (! or not).
• Concatenation (&& or and).
• Alternation (|| or or).
Negation has the highest precedence. Alternation and concatenation have equal precedence and associate left to right, so a or b and c is read as (a or b) and c; use parentheses to force a different grouping.

disable Disable the tcpdump server.

enable <<A.B.C.D> | <CR>>

Enable the tcpdump server:
• <A.B.C.D>—IP address to which the tcpdump service is restricted.
• CR—allow any IP address.

port <port>

TCP port to listen on:
• port—TCP port number to use.
Default: 4000
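The qualifier defaults and the left-to-right precedence rule described for the expression argument, as an added example in Python that is not part of this manual or of tcpdump: the packet records are constructed for illustration, only the proto qualifiers ip, arp, tcp, udp and icmp are handled, ports must be numeric, and nets are dotted prefixes such as 128.3.

```python
"""Evaluate tcpdump-style filter expressions against packet records.
Added example, not code from the manual or from tcpdump: it applies the
qualifier defaults (type host, dir 'src or dst', bare port = tcp or udp)
and the precedence rules (not binds tightest; and/or share one level, left
to right). Packets are constructed dicts; ports numeric, nets dotted prefixes."""
TYPES = {"host", "net", "port"}
PROTOS = {"ip", "arp", "tcp", "udp", "icmp"}  # subset of tcpdump's proto qualifiers
DIRS = {"src", "dst"}
OPERATORS = ("and", "or", "not", "(", ")")

def tokenize(expr):
    spaced = expr.replace("(", " ( ").replace(")", " ) ").split()
    return [{"&&": "and", "||": "or", "!": "not"}.get(tok, tok) for tok in spaced]

class Parser:
    def __init__(self, expr):
        self.toks, self.i = tokenize(expr), 0

    def peek(self, ahead=0):
        return self.toks[self.i + ahead] if self.i + ahead < len(self.toks) else None

    def take(self):
        tok, self.i = self.peek(), self.i + 1
        return tok

    def expr(self):
        node = self.unary()  # and/or: equal precedence, associate left to right
        while self.peek() in ("and", "or"):
            op = self.take()
            node = (op, node, self.unary())
        return node

    def unary(self):
        if self.peek() == "not":  # negation binds tightest
            self.take()
            return ("not", self.unary())
        if self.peek() == "(":
            self.take()
            node = self.expr()
            if self.take() != ")":
                raise ValueError("missing )")
            return node
        return self.primitive()

    def primitive(self):
        proto = self.take() if self.peek() in PROTOS else None
        if proto and (self.peek() is None or self.peek() in OPERATORS):
            return ("prim", proto, "src or dst", None, None)  # bare 'arp', 'tcp'
        direction = "src or dst"  # default dir qualifier
        if self.peek() in DIRS:
            direction = self.take()
            if self.peek() in ("or", "and") and self.peek(1) in DIRS:
                direction = "%s %s %s" % (direction, self.take(), self.take())
        kind = self.take() if self.peek() in TYPES else "host"  # default type
        ident = self.take()
        if ident is None or ident in OPERATORS:
            raise ValueError("expected an id after the qualifiers")
        return ("prim", proto, direction, kind, ident)

def match_net(addr, spec):
    octets = spec.split(".")  # 'net 128.3' means the 128.3.0.0/16 prefix
    return addr.split(".")[:len(octets)] == octets

def match_prim(pkt, proto, direction, kind, ident):
    # 'ip' covers every IP-carried protocol; a bare port means (tcp or udp) port
    if proto == "ip" and pkt["proto"] == "arp" or proto not in (None, "ip", pkt["proto"]):
        return False
    if kind is None:
        return True  # protocol-only primitive
    if kind == "port" and proto is None and pkt["proto"] not in ("tcp", "udp"):
        return False
    if kind == "host":
        src, dst = pkt["src"] == ident, pkt["dst"] == ident
    elif kind == "net":
        src, dst = match_net(pkt["src"], ident), match_net(pkt["dst"], ident)
    else:
        src, dst = str(pkt.get("sport")) == ident, str(pkt.get("dport")) == ident
    return {"src": src, "dst": dst, "src or dst": src or dst,
            "src and dst": src and dst}[direction]

def evaluate(node, pkt):
    if node[0] == "prim":
        return match_prim(pkt, *node[1:])
    if node[0] == "not":
        return not evaluate(node[1], pkt)
    left, right = evaluate(node[1], pkt), evaluate(node[2], pkt)
    return (left and right) if node[0] == "and" else (left or right)

def filter_packets(expr, packets):
    """Return the packets that match a tcpdump-style expression."""
    tree = Parser(expr).expr()
    return [p for p in packets if evaluate(tree, p)]

PACKETS = [  # constructed sample records, not captured traffic
    {"proto": "tcp", "src": "10.1.1.5", "dst": "172.19.184.25", "sport": 51000, "dport": 22},
    {"proto": "udp", "src": "128.3.7.9", "dst": "10.1.1.53", "sport": 4444, "dport": 53},
    {"proto": "tcp", "src": "128.3.7.9", "dst": "10.1.1.53", "sport": 4445, "dport": 53},
    {"proto": "arp", "src": "128.3.0.1", "dst": "128.3.0.2"},
]
```

Against these records, host 10.1.1.5 or host 128.3.7.9 and port 53 matches two packets, because it is read as (host 10.1.1.5 or host 128.3.7.9) and port 53, while host 10.1.1.5 or (host 128.3.7.9 and port 53) matches three; port 53 alone ignores the ARP record, and ip host 128.3.0.1 matches nothing.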

secret <secret>

Set the tcpdump server SSL authentication secret:
• secret—secret used to authenticate the incoming SSL connection.

<CR> Start tcpdump.

Related Commands

See the “netstat” command on page 142.
See the “ping” command on page 144.
See the show interface command in “show” on page 105.
See the “traceroute” command on page 148.
See the “telnet” command on page 147.

terminal

Use the terminal command to set the terminal characteristics for the current console session.

Syntax

terminal [editing-style <emacs | vms>] [idle-timeout <seconds>] [length <0-512>] [more <enable | disable>] [width <0-512>]

Arguments

editing-style <emacs | vms>

Set the terminal editing style:
• emacs—set the editing style to emacs.
• vms—set the editing style to vms.
Default: emacs

idle-timeout <seconds>

The timeout in seconds for idle sessions. If set to zero, no timeout occurs:
• seconds—idle session timeout in seconds (0 to 10000000).
Default: 60 seconds

length <0-512>

Set the terminal page length in lines:
• 0 to 512—terminal page length.
Default: 24 lines

more <enable | disable>

When auto-more is enabled, the CLI pauses output of commands that are longer than the terminal page length and prompts you to press the spacebar to view the next page of output, or the q key to quit scrolling output. When auto-more is disabled, the terminal page length is ignored. Set the auto-more value:
• enable—enable auto-more.
• disable—disable auto-more.
Default: enable

width <0-512>

Set the terminal line width in characters:
• 0 to 512—terminal width.
Default: 80 characters

Related Commands

See the “telnet” command on page 147.
See the show terminal command in “show” on page 105.
See the “log” command on page 166.

validate

Use the validate command to ascertain the action taken when a packet is sent or received. This command:

Inspects the selectors.
Determines which filter applies to the packet.
Determines whether the cluster will drop the packet, pass it in the clear, or protect it by using IPSec.

When the preceding steps are completed, the command actively tries to bring up IKE and IPSec security associations if a protect selector matches.

Syntax

validate <any | gre | icmp | ipinip | tcp | udp | <NUMBER>> <SRC-ADDR> <any | <SRC-PORT>> <DST-ADDR> <any | <DST-PORT>>

Arguments

any Any protocol.

gre Select GRE protocol.

icmp Select ICMP protocol.

Examples

validate tcp 172.16.32.12 any 10.134.66.5 23

Inspects and tries the gateway filters for traffic from 172.16.32.12 (from any port) to the Telnet server port on 10.134.66.5.
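The selector walk that validate performs, as an added example in Python that is not the gateway's code: the selector table, the keyword to IP protocol number mapping, and first-match ordering are assumptions made here for illustration. The table's last entry plays the role of the default drop filter.

```python
"""Walk a security policy database the way the manual describes validate:
find the first selector that applies to a 5-tuple and report whether the
gateway would drop the packet, pass it in the clear, or protect it with
IPSec (after which the gateway would go on to negotiate IKE/IPSec SAs).
Added example, not the gateway's code; the table and ordering are assumed."""
import ipaddress

# IP protocol numbers for the keywords validate accepts (assumed mapping)
PROTO_NUMBERS = {"icmp": 1, "ipinip": 4, "tcp": 6, "udp": 17, "gre": 47}

# (protocol, source net, source port, destination net, destination port, action)
# Constructed for illustration; the last entry is the default (drop) filter.
SELECTORS = [
    ("tcp", "172.16.32.0/24", "any", "10.134.66.5/32", 23, "protect"),
    ("udp", "172.16.32.0/24", "any", "10.134.66.0/24", 53, "clear"),
    ("icmp", "172.16.0.0/16", "any", "10.0.0.0/8", "any", "clear"),
    ("any", "any", "any", "any", "any", "drop"),
]


def proto_number(proto):
    """Map a validate protocol argument (keyword, number or 'any') to a number."""
    if proto == "any" or isinstance(proto, int):
        return proto
    return PROTO_NUMBERS.get(proto) or int(proto)  # bare protocol number as text


def field_matches(value, spec, is_address):
    # 'any' on either side matches everything; addresses match by prefix
    if spec == "any" or value == "any":
        return True
    if is_address:
        return ipaddress.ip_address(value) in ipaddress.ip_network(spec)
    return int(value) == int(spec)


def validate(proto, src, sport, dst, dport):
    """Return (action, index of the matching selector); first match wins."""
    pnum = proto_number(proto)
    for index, (s_proto, s_src, s_sport, s_dst, s_dport, action) in enumerate(SELECTORS):
        if (field_matches(pnum, proto_number(s_proto), False)
                and field_matches(src, s_src, True)
                and field_matches(sport, s_sport, False)
                and field_matches(dst, s_dst, True)
                and field_matches(dport, s_dport, False)):
            return action, index
    return "drop", None  # no selector applies: treated as a drop here


if __name__ == "__main__":
    # The manual's own example: Telnet from 172.16.32.12 (any port) to 10.134.66.5
    print(validate("tcp", "172.16.32.12", "any", "10.134.66.5", 23))
```

The manual's example resolves to the first selector and the action protect, which is the case in which validate goes on to negotiate SAs; the same source and destination on port 22, or a GRE packet, falls through to the default filter and is dropped.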

ipinip Select IPINIP protocol.

tcp Select TCP protocol.

udp Select UDP protocol.

<NUMBER> IP protocol number.

<SRC-ADDR> Dotted-decimal address of the source.

<any | <SRC-PORT>>
• any—any port.
• SRC-PORT—port number of the source.

<DST-ADDR> Dotted-decimal address of the destination.

<any | <DST-PORT>>
• any—any port.
• DST-PORT—port number of the destination.

Configuration Mode Commands

Use the following configuration mode commands to perform gateway administration.

Command Description

crypto Configure IPSec processing options.

deployment_hub Configure the deployment hub for this gateway.

disable Disable subsystems.

enable Enable subsystems.

hostname Configure the system host name.

icmp Configure ICMP processing.

ipsec-client Specify WINS information given to the IPSec clients.

ldap-server Configure LDAP-server parameters.

modem Configure modem settings.

oob Configure out-of-band management settings.


panic Set the behavior of the panic call.

radius Configure RADIUS values.

terminal Configure the default terminal parameters.

uuid Configure the configuration version UUID.

crypto

Use the crypto command to:
• Configure the behavior of IPSec processing on the node.
• Enable or disable copying of the don’t fragment (DF) bit from an IP packet header into the IPSec tunnel header when the packet is encapsulated. This option is disabled by default.
• Enable or disable replay detection for an IPSec SA.
• Select whether or not to forward host-generated ICMP errors for transport mode SAs. For more information about host-generated ICMP errors, see RFC 2401.

For a comprehensive list of IPSec configuration commands, see “Configuring Policy Configuration System” on page 219.

Syntax

Config# [no] crypto [copy-df] [dead-peer-detection] [deferred-delete] [diff-serv] [dpd-interval <seconds>] [dpd-retries <count>] [host-icmp] [ike-retries <count>] [nat-traversal] [replay] [spd-sorting] [stable] [<CR>]

Arguments

no Negate the command.

copy-df IPSec encapsulation copies the DF bit to the outer header. Default: off

dead-peer-detection Perform Dead Peer Detection (DPD).

deferred-delete Defer main mode SA deletion when all underlying IPSec SAs are deleted. Default: on

diff-serv Perform differentiated services marking. For more information about diff-serv, see “diff-serv” on page 60. Default: on

dpd-interval <seconds>

DPD liveness check interval (worry metric):
• seconds—time in seconds.
Valid range: 2 to 3600 seconds
Default: 30 seconds

dpd-retries <count>

DPD message retry count:
• count—number of DPD messages to send before giving up.
Valid range: 2 to 10
Default: 3

host-icmp Forward host-generated ICMP errors for transport mode SAs. Default: on

ike-retries <count>

IKE message retry count:
• count—number of IKE messages to send before giving up.
Valid range: 2 to 10
Default: 5

nat-traversal Perform Nokia-proprietary IPSec over UDP when NAT or PAT is detected. Valid for client-server only. Default: off

replay Perform replay detection when negotiated. Default: off. While it is off, a replayed ESP or AH packet is accepted, so turn it on wherever the peer supports it.

spd-sorting Allow or disallow sorting of IPSec selectors in the SPD. Default: sort IPSec selectors in the SPD.

stable Policy reload assumes stable policy database indices. Default: off

<CR> Exit. At least one option must be specified.


deployment_hub

Use the deployment_hub command to generate Hello packets that maintain an IPSec connection with the hub, thereby informing the hub of the current external IP address of the dynamic gateway and maintaining continuous management and VPN connectivity.

Syntax

Config# [no] deployment_hub hellointerval <minutes> source <A.B.C.D> destination <A.B.C.D> timeout <seconds>

Arguments

no Negate the command.

hellointerval <minutes>

Deployment proxy hello-packet frequency:
• minutes—number of minutes to wait between hello packets.

source <A.B.C.D>

Source IP address used when sending packets to the deployment hub:
• <A.B.C.D>—address from which packets sent to the deployment hub are sourced.

destination <A.B.C.D>

Destination IP address of the deployment hub:
• <A.B.C.D>—address of the deployment hub.

Note: This command attempts to initiate communication between the dynamic gateway and the hub. As a result, an IPSec tunnel is established.

timeout <seconds>

Deployment proxy timeout:
• seconds—number of seconds a connection to a dynamic gateway may remain idle.
Default: 60 seconds

disable

Use the disable command to disable the specified subsystem.

Syntax

Config# disable [dhcp] [dialup] [firewall] [ipsec] [ipsrd] [l2tp] [oob] [pptp] [sshd] <CR>

Arguments

dhcp Disable the DHCP server.

dialup Disable dialup PPP.

firewall Disable firewall processing.

ipsec Disable IKE and IPSec processing.

ipsrd Disable IPSRD processing.

Note: Disabling IPSRD on any node of a cluster automatically disables IPSRD on all nodes of the cluster.

l2tp Disable L2TP processing.

oob Disable out-of-band management.

pptp Disable PPTP processing.

sshd Disable the SSH server.

<CR> Exit. At least one option must be specified.

enable

Use the enable command to enable the specified subsystem.

Syntax

Config# enable [dhcp] [dialup] [firewall] [ipsec] [ipsrd] [l2tp] [oob] [pptp] [sshd] <CR>

Arguments

dhcp Enable DHCP processing.

dialup Enable dialup PPP.

firewall Enable firewall processing.

ipsec Enable IKE and IPSec processing.

ipsrd Enable IPSRD processing.

Note: Enabling IPSRD on any node of a cluster automatically enables IPSRD on all nodes of the cluster.

l2tp Enable L2TP processing.

oob Enable out-of-band management.

pptp Enable PPTP processing.

sshd Enable the SSH server.

Note: To enable password authentication between the SSH server and the SSH client, you must also set the login source ssh local command.

<CR> Exit. At least one option must be specified.

hostname

Use the hostname command to configure the system host name. In a nonclustered environment, the host name is used as part of the FQDN in certificate signing requests. The host name is also displayed as the CLI command mode prompt.

Syntax

Config# [no] hostname <hostname>

Arguments

no Negate the command.

hostname <hostname>
• hostname—system host name, up to 63 characters.

Examples

Config# hostname server-1

Changes the system host name to server-1.

Related Commands

See the Config# cluster name command in “cluster” on page 50.

icmp

Use the icmp command to alter the behavior of ICMP packets generated and received by the node.

Syntax

Config# [no] icmp [allow] [bmcast] [bypass] [ignore] [prohibit] [rate-limit <rate-limit>] [redirects] [source-filter] [stealth] [unreach <filter | host | net>] [<CR>]

Arguments

no Negate the command.

allow Control the processing of inbound ICMP redirects to the cluster. Default: off

bmcast Control processing of ICMP responses to broadcast and multicast ICMP requests.

Nokia IP VPN Gateway Command-Line Summary v6.3 131

3 Managing the Gateway

bypass Control the sending of locally generated ICMP errors, even if a drop filter would normally apply to these packets. Default: on

ignore Cause the cluster to ignore all inbound ICMP errors, with the exception of packet too big. Default: on

prohibit Control the sending of ICMP errors that indicate that traffic cannot traverse the filtering cluster. Default: off

rate-limit <rate-limit>

ICMP responses are sent according to the rate-limit specified:• rate-limit—the ICMP rate limit in messages

per second.

redirects Allow for the sending of ICMP redirects by the cluster. Default: off

source-filter Control source-address filtering of ICMP packets.

stealth Enable or disable stealth mode on the external interface. If stealth mode is enabled, ICMP errors and TCP resets are not generated on the internal interface.

NoteThis option is useful for hiding from port scanners.

unreach <filter | host | net>

Allow for setting the ICMP errors generated because of a filter that requires IPSec protection or that drops the packet (default filter). • filter—set the ICMP destination

unreachable code to FILTER-PROHIBIT [13].

• host—set the ICMP destination unreachable code to HOST-PROHIBIT [10].

• net—set the ICMP destination unreachable code to NET-PROHIBIT [9].

<CR> Exit. At least one option must be specified.
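The three destination-unreachable codes selected by the unreach argument are what a monitoring host receives when the gateway refuses traffic. The following added example, which is not from the Nokia manual, parses such ICMP messages, verifies the ICMP checksum, maps the code to the FILTER/HOST/NET-PROHIBIT names above and tallies a batch of messages; the packets and the RFC 5737 addresses in them are constructed.

```python
"""Classify ICMP destination-unreachable messages by the code values that the
gateway's "icmp unreach" option selects (filter = 13, host = 10, net = 9).
Added example, not from the Nokia manual; sample packets are constructed."""
import socket
import struct
from collections import Counter
from typing import Iterable, NamedTuple

ICMP_DEST_UNREACH = 3   # ICMP type "destination unreachable" (RFC 792)
ICMP_HDR_LEN = 8        # type, code, checksum, unused
MIN_IP_HDR_LEN = 20

# Codes named in the "unreach <filter | host | net>" argument.
PROHIBIT_CODES = {
    9: "NET-PROHIBIT",      # icmp unreach net
    10: "HOST-PROHIBIT",    # icmp unreach host
    13: "FILTER-PROHIBIT",  # icmp unreach filter
}


def inet_checksum(data: bytes) -> int:
    """RFC 1071 one's-complement sum over 16-bit words; 0 for a valid packet."""
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


class Unreachable(NamedTuple):
    code: int
    label: str        # PROHIBIT name, or "CODE-n" for any other code
    orig_dst: str     # destination of the datagram the gateway refused
    orig_proto: int   # IP protocol number of that datagram


def sample_ipv4_header(src: str, dst: str, proto: int) -> bytes:
    """Constructed 20-byte IPv4 header (the part an ICMP error quotes back)."""
    return struct.pack("!BBHHHBBH4s4s", 0x45, 0, 40, 0x1234, 0x4000, 64,
                       proto, 0, socket.inet_aton(src), socket.inet_aton(dst))


def build_unreachable(code: int, orig_ip_header: bytes,
                      orig_payload: bytes = b"") -> bytes:
    """Build an ICMP type 3 message with a correct checksum (sample input only)."""
    body = orig_ip_header + orig_payload[:8]   # quoted header + first 8 bytes
    stub = struct.pack("!BBHI", ICMP_DEST_UNREACH, code, 0, 0)
    csum = inet_checksum(stub + body)
    return struct.pack("!BBHI", ICMP_DEST_UNREACH, code, csum, 0) + body


def parse_unreachable(packet: bytes) -> Unreachable:
    """Validate a destination-unreachable message and extract its code plus
    the destination and protocol of the quoted original datagram."""
    if len(packet) < ICMP_HDR_LEN + MIN_IP_HDR_LEN:
        raise ValueError("too short for ICMP header plus quoted IP header")
    icmp_type, code, _csum, _unused = struct.unpack("!BBHI", packet[:ICMP_HDR_LEN])
    if icmp_type != ICMP_DEST_UNREACH:
        raise ValueError(f"not destination unreachable (type {icmp_type})")
    if inet_checksum(packet) != 0:          # covers the checksum field too
        raise ValueError("ICMP checksum mismatch; ignore the message")
    quoted = packet[ICMP_HDR_LEN:]
    ihl = (quoted[0] & 0x0F) * 4
    if (quoted[0] >> 4) != 4 or ihl < MIN_IP_HDR_LEN or len(quoted) < ihl:
        raise ValueError("quoted header is not a complete IPv4 header")
    proto = quoted[9]
    dst = socket.inet_ntoa(quoted[16:20])
    return Unreachable(code, PROHIBIT_CODES.get(code, f"CODE-{code}"), dst, proto)


def count_prohibits(packets: Iterable[bytes]) -> Counter:
    """Tally labels over captured ICMP messages, counting malformed ones apart."""
    tally: Counter = Counter()
    for pkt in packets:
        try:
            tally[parse_unreachable(pkt).label] += 1
        except ValueError:
            tally["invalid"] += 1
    return tally


if __name__ == "__main__":
    hdr = sample_ipv4_header("192.0.2.10", "198.51.100.5", 6)  # constructed
    for c in (13, 10, 9):
        print(parse_unreachable(build_unreachable(c, hdr)))
```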


ipsec-client

Use the ipsec-client command to specify WINS information that is provided to IPSec clients that request internal addressing from the gateway.

Syntax

Config# [no] ipsec-client wins <A.B.C.D> [<A.B.C.D>] [<A.B.C.D>] | <CR>

Arguments

no    Negate the command.

wins <A.B.C.D> <A.B.C.D> <A.B.C.D> | <CR>    Specify WINS information:
  • <A.B.C.D>—IP address. You can specify a maximum of three WINS servers.
  • CR—exit. At least one WINS server must be specified.

ldap-server

Use the ldap-server command to configure the LDAP server parameters.

Note: The LDAP server is used to authorize users, and to store the Certificate Revocation List (CRL) and device certificates that the internal CA issues.

Syntax

Config# [no] ldap-server <server name | id> <LDAP server address> <LDAP server port> <as_active_directory | as_openldap> <LDAP search timeout> <LDAP base DN> <base | onelevel | tree> <initial bind DN> <<0|1|2|3> <encoded bind password> | <bind password in clear text>> <<attribute> | <CR>>

Arguments

<server name | id>    Any ASCII string that identifies the LDAP server:
  • server name | id—server name or ID (maximum of 30 characters).

<LDAP server address>    IP address of the system on which the LDAP server is running:
  • LDAP server address—dotted-decimal address.

<LDAP server port>    Port number on which the LDAP server listens.

<as_active_directory | as_openldap>
  • as_active_directory—server behaves like an Active Directory server.
  • as_openldap—server behaves like a general OpenLDAP server.

<LDAP search timeout>    The search timeout value after which the LDAP server times out if the search is not complete:
  • LDAP search timeout—number of seconds.

<LDAP base DN>    DN string.
  Note: You must specify the base DN within quotation marks.

<base | onelevel | tree>    The LDAP directory search scope:
  • base—search the base entry only.
  • onelevel—search all entries one level below the base entry.
  • tree—search the entire tree.

<initial bind DN>    Bind DN of a user with LDAP search privileges.
  Note: You must specify the bind DN within quotation marks.

<0|1|2|3> <encoded bind password> | <bind password in clear text>
  • 0|1|2|3—password encoding type (0 = none, 1 = des, 2 = md5, 3 = md5 network).
  • encoded bind password—bind password of a user with LDAP search privileges.
  • bind password in clear text—bind password of a user with LDAP search privileges.

<attribute> | <CR>    The attribute must be specified when LDAP is used to authenticate users. The value of the attribute specified must be a user name. The LDAP server searches directory entries for the specified attribute, and matches the user name with the name stored in the LDAP attribute. Default attribute: uid
  • attribute—attribute to be used in the search filter.
  • CR—default attribute (uid).

Examples

Config# ldap_server corporateLDAPserver 10.0.4.35 389 30 "o=Nokia,c=US" tree "CN=Admin,ou=Engineer,ou=AmericasDevision,o=Nokia,c=US" secretPW123 uid

Configures an LDAP server.

Config# ldap_server remote-site-server 132.239.4.35 389 45 "o=WesternCo,c=US" base "CN=Admin,ou=Management,o=WesternCo,c=US" super-123-secret

Configures an LDAP server.

modem

Use the modem command to configure a serial interface and modem settings.

Syntax

Config# modem dialmode <pulse | tone> initstring <XXX...XXX> speed <9600 | 19200 | 38400 | 57600 | 115200 | 230400 | 460800> type <standard | custom>

Arguments

dialmode <pulse | tone>    Configure the dial mode:
  • pulse—configure dialmode to pulse.
  • tone—configure dialmode to tone.

initstring <XXX...XXX>    Configure an initialization string:
  • <XXX...XXX>—initialization string.

speed <9600 | 19200 | 38400 | 57600 | 115200 | 230400 | 460800>    Override the modem default speed (57600):
  • 9600—configure speed to 9600 baud.
  • 19200—configure speed to 19200 baud.
  • 38400—configure speed to 38400 baud.
  • 57600—configure speed to 57600 baud.
  • 115200—configure speed to 115200 baud.
  • 230400—configure speed to 230400 baud.
  • 460800—configure speed to 460800 baud.

type <standard | custom>    Override the default modem type (standard):
  • custom—configure type to custom.
  • standard—configure type to standard.

oob

Use the oob module to manage out-of-band (OOB) devices. The oob module allows you to connect to and manage a device in a remote location when you cannot otherwise connect to the device, for example if the Ethernet interface or the external interface fails.

Note: To configure oob, you must enable oob by using the Config# enable oob command. You can disable oob by using the Config# disable oob command.

Note: The oob dial-in username and password must already exist as a PPP user.

Syntax

Config# oob localip <A.B.C.D> remoteip <A.B.C.D> idletimeout <value> vjcomp <yes | no>

Arguments

localip <A.B.C.D>    Configure the local IP address:
  • <A.B.C.D>—local IP address used for out-of-band management.

remoteip <A.B.C.D>    Configure the remote IP address:
  • <A.B.C.D>—remote IP address used for out-of-band management.

idletimeout <value>    Configure the timeout value:
  • value—number of minutes for idle timeout.

vjcomp <yes | no>    Configure the vjcomp value:
  • yes—enable vjcomp.
  • no—disable vjcomp.

panic

Use the panic command to set the behavior of the panic function call. This setting determines the behavior of Nokia IP VPN Gateway when the operating system detects an unrecoverable error. The default is to reboot.

Syntax

Config# [no] panic <halt | reboot>

Arguments

no    Negate the command.

halt    Halt option for panic operation.

reboot    Reboot option for panic operation. This is the default option.

radius

Use the radius command to identify the RADIUS server used for authentication and to provide the shared secret. When used with a text secret, this command encrypts the text secret. When used with an encrypted secret, this command enables communications with the specified RADIUS server.

Note: Nokia IP VPN Gateway uses RADIUS only for authentication. RADIUS accounting records are not written.

Syntax

Config# [no] radius <radius server address> <<encode type> <encoded secret>> | <<secret> <port number>>

Arguments

no    Negate the command.

<radius server address>    IP address of the RADIUS server.

<encode type> <encoded secret>
  • encode type—currently only the value 0 (zero) is used.
    Note: You must enter the value 0 (zero). Other values are reserved for future use to allow different methods of encrypting the shared secret.
  • encoded secret—the RADIUS encoded secret.

<secret> <port number>
  • secret—a text string of more than three characters used as a shared secret with the RADIUS server for authentication.
  • port number—an alternative port number on which the RADIUS server can listen. Default: 1812

Examples

Config# radius-server 10.2.3.4 secret

Encrypts the clear-text secret secret.

Config# radius-server 10.2.3.4 0 Zm9V

Saves the encrypted value Zm9V as the shared secret to use to authenticate the gateway to a RADIUS server.

terminal

Use the terminal command to configure the default terminal parameters.

Syntax

Config# [no] terminal editing-style <emacs | vms> idle-timeout <1-10000000> length <number-of-rows> logging <level <none | emergency | alert | critical | error | warning | notice | info | debug> | <timestamp <microsecond> | <CR>> | <CR>> more type <terminal-type> width <number-of-columns>

Arguments

no    Negate the command.

editing-style <emacs | vms>    Set the command-line control key behavior:
  • emacs—set the default editing style to emacs.
  • vms—set the default editing style to VMS.
  Default: emacs

idle-timeout <1-10000000>    Set the timeout in seconds for an idle session. Default: 600. If set to zero, idle timeout does not occur.

length <number-of-rows>    Set the terminal output length:
  • number-of-rows—default terminal length.
  Default: 24

logging <level <none | emergency | alert | critical | error | warning | notice | info | debug> | <timestamp <microsecond> | <CR>> | <CR>>    Set default terminal logging characteristics:
  • level—set the minimum level for logging. For a list of log levels, see “syslog” on page 182.
  • timestamp—control whether time stamps are presented on the local messages.
  • timestamp microsecond—add a time stamp to syslog messages sent to the terminal.
  • timestamp CR—enable or disable the terminal microsecond time stamp.
  • CR—enable or disable terminal logging.

more    Enable or disable default auto-more mode. Default: enable. Use the no terminal more command to disable auto-more mode.

type <terminal-type>    Set the terminal type value:
  • terminal-type—default terminal type.
  Default: VT100
  Note: When you Telnet out of Nokia IP VPN Gateway, the Telnet client uses the terminal type to negotiate the terminal type with a remote Telnet server.

width <number-of-columns>
  • number-of-columns—default terminal width. Default: 80

Examples

Config# terminal idle-timeout 0

Disables the idle terminal timeout for all future shell sessions.

Config# no terminal more

Disables the auto-more function for all future shell sessions.

uuid

Use the uuid command to configure the configuration version Universal Unique Identifier (UUID).

Syntax

Config# [no] uuid <uuid>

Arguments

no    Negate the command.

uuid <uuid>    Configure the configuration version UUID:
  • uuid—configuration version's UUID.

Network Utilities

Network utility commands allow you to perform network tasks.

Command Mode Commands

Use the following command mode commands to perform network administration.

Command    Description

finger    Show system status.

flowbee    Packet flow check utility.

netstat    UNIX-style netstat utility.

ping    Ping utility.

telnet    Remote login utility.

traceroute    Traceroute utility.

finger

Use the finger command to display all running processes.

Syntax

finger

flowbee

Use the flowbee command to test connectivity to a specific system. The flowbee command is an extension of the ping command: in addition to the options that the ping command provides, it lets you specify the packet rate.

This utility is provided as an unsupported tool. Nokia does not guarantee that the results of the flowbee command are accurate. Because you can specify the packet rate, you can select a rate that is faster than the remote host or the network can handle, which can result in lost packets. You cannot always use the results obtained with the flowbee command to determine a connectivity problem. Select the packet rate carefully, considering the remote host and the type and speed of the connection.

For more information about the flowbee command, contact Nokia technical support.

Syntax

flowbee [-I <ADDR> | -L | -P <number> | -Q | -R | -T <number> | -a | -c <number> | -d | -f | -i <number> | -l <number> | -n | -p <pad> | -q | -r | -s <number> | -v | <HOST>]

Arguments

-I <ADDR>    Interface for sourcing multicast packets:
  • ADDR—interface IP address.

-L    Suppress loopback on multicast packets.

-P <number>    Set a packet rate flow:
  • number—number of packets per second.

-Q    Set quiet output.

-R    Record route.

-T <number>    Set TTL for multicast packets:
  • number—number of hops.

-a    Set bell ON.

-c <number>    Set the number of ECHO_RESPONSE packets:
  • number—number of packets.

-d    Set SO_DEBUG.

-f    Flood flowbee.

-i <number>    Set the time interval between packets sent:
  • number—number of seconds.

-l <number>    Set the preload size:
  • number—number of packets.

-n    Set numerical output only.

-p <pad>    Set the pattern to fill the flowbee buffer:
  • pad—pattern.

-q    Set output to be quiet.

-r    Bypass routing tables.

-s <number>    Set the size of a flowbee buffer:
  • number—number of bytes.

-v    Verbose output.

<HOST>    Host name or dotted-decimal address.

Related Commands

See the “ping” command on page 144.
See the “traceroute” command on page 148.

netstat

The netstat command displays the contents of network-related data structures, protocol statistics, active network connections, routing tables, and interface statistics. The output formats depend on the options used with the command.

Syntax

netstat [-A | -I <eth-1 | eth-2 | eth-3 | eth-4> | -a | -b | -d | -f <INET> | -g | -i | -m | -n | -o | -p <ICMP | IGMP | IP | LOCAL | RAW | TCP | UDP> | -r | -s | -t | -u | -w <seconds> | <-options>]

Arguments

-A    With the default display, displays the address of any protocol control blocks associated with sockets.

-I <eth-1 | eth-2 | eth-3 | eth-4>    Display information about the specified interface:
  • <eth-1 | eth-2 | eth-3 | eth-4>—any internal interface, or the external interface.
  • interface -b—shows the number of bytes in and out.
  • interface -d—shows the number of dropped packets.
  • interface -t—shows watchdog timers.
  Note: For information about the in and out bytes on all the interfaces, use the -t option with the -i option.

-a    With the default display, displays the state of all sockets; normally sockets that the server processes use are not shown.

-b    Shows the number of in and out bytes.
  Note: For information about the in and out bytes on all the interfaces, use the -b option with the -i option.

-d    Shows the number of dropped packets.
  Note: You can use the -d option with the -i and -w options.

-f INET    Limit statistics or address control block reports to those of the specified address family. The only address family recognized is inet, for AF_INET.

-g    Display information related to multicast (group address) routing. By default, this flag displays the IP multicast virtual-interface and routing tables. With the -s option, displays multicast routing statistics.

-i    Display the state of interfaces that are automatically configured (interfaces statically configured into a system, but not located at boot time, are not displayed). Used with the -a option, the multicast addresses currently in use are displayed for each Ethernet interface and for each IP interface address. Multicast addresses are displayed on separate lines following the interface address with which they are associated.

-m    Display statistics recorded by the memory management routines (the network manages a private pool of memory buffers).

-n    Display network addresses as numbers. You can use this option with any of the other netstat arguments.

-o    Display interface counters, including collision statistics.

-p <ICMP | IGMP | IP | LOCAL | RAW | TCP | UDP>    Display protocol statistics:
  • ICMP—ICMP protocol.
  • IGMP—IGMP protocol.
  • IP—IP protocol.
  • LOCAL—LOCAL protocol.
  • RAW—RAW protocol.
  • TCP—TCP protocol.
  • UDP—UDP protocol.

-r    Display routing tables. Used with the -s option, shows routing statistics.

-s    Display per-protocol statistics. If this option is repeated, counters with a value of zero are suppressed.

-t    Show watchdog timers. Can be used with the -i option.

-u    Set address family to AF_UNIX.

-w <seconds>    Display network statistics at intervals of <seconds> seconds.

-<options>    Combination of netstat options.

Examples

netstat -n -r

Shows the routing table and does not use DNS to resolve the names. This command can be abbreviated as netstat -nr.

Related Commands

See the “ping” command on page 144.
See the show interface command in “show” on page 105.
See the “telnet” command on page 147.
See the “traceroute” command on page 148.
See the “tcpdump” command on page 119.

ping

Use the ping command to test connectivity between the gateway and the specified network.

Syntax

ping [-I <ADDR>] [-L] [-Q] [-R] [-T <NUMBER>] [-a] [-c <NUMBER>] [-d] [-f] [-i <NUMBER>] [-l <NUMBER>] [-n] [-p <PAD>] [-q] [-r] [-s <NUMBER>] [-v] <HOST>

Arguments

-I <ADDR>    Source multicast packets with the given interface address. This flag applies only if the ping destination is a multicast address.

-L    Suppress loopback of multicast packets. This flag applies only if the ping destination is a multicast address.

-Q    Somewhat quiet output. Do not display ICMP error messages that are in response to query messages. Without the -Q flag, the ping command prints any ICMP error messages that its own ECHO_REQUEST messages cause.

-R    Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route buffer on returned packets.
  Note: The IP header is only large enough for nine such routes; the traceroute command is usually better at determining the route that packets take to a particular destination. If more routes come back than should (because of an illegal spoofed packet), the ping command prints the route list and truncates it at the correct spot. Many hosts and gateways ignore or discard the RECORD_ROUTE option.

-T <NUMBER>    Set the IP time to live for multicast packets. This flag applies only if the ping destination is a multicast address.

-a    Audible. Include a bell character (ASCII 0x07) in the output when any packet is received. This option is ignored if other format options are present.

-c <NUMBER>    Stop after sending (and receiving) <NUMBER> ECHO_RESPONSE packets.

-d    Set the SO_DEBUG option on the socket being used.

-f    Flood ping. Outputs packets as fast as they return, or one hundred times per second, whichever is more. For every ECHO_REQUEST sent, a period (.) is printed, while for every ECHO_REPLY received, a backslash (/) is printed. This convention provides a rapid display of how many packets are being dropped.
  Caution: Use the -f option with care. Flood pinging a system might overload it or the intervening network.

-i <NUMBER>    Wait <NUMBER> seconds between sending each packet. The default is one second. This option is incompatible with the -f option.

-l <NUMBER>    If a number is specified with the -l option, preload behavior occurs: the ping command sends <NUMBER> packets as quickly as possible, then returns to its normal mode of behavior.

-n    Numeric output only. No attempt is made to look up symbolic names for host addresses.

-p <PAD>    Specify up to 16 pad bytes to fill out the packet sent. This pad is useful to diagnose data-dependent problems in a network. For example, -p ff causes the sent packet to be filled with all ones.

-q    Quiet output. Nothing is displayed except the summary lines at startup time and when completed.

-r    Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. You can use the -r option to ping a local host through an interface that has no route through it.

-s <NUMBER>    Specify the number of data bytes to be sent. The default is 56, which translates into 64 ICMP data bytes when combined with the 8 bytes of ICMP header data.

-v    Verbose output. ICMP packets other than ECHO_RESPONSE that are received are listed.

<HOST>    Host name or IP address.

Examples

ping -n -c 1 10.10.10.10

Pings the specified IP address with 1 packet (-c 1), and does not use DNS to resolve host names.

Related Commands

See the “netstat” command on page 142.
See the show interface command in “show” on page 105.
See the “traceroute” command on page 148.

telnet

Use the telnet command to create a Telnet connection to the specified host. The Telnet escape character is exit or CTRL+Z. The Telnet client sends terminal options to the host.

Syntax

telnet <HOST> <<PORT> | <CR>>

Arguments

<HOST> <<PORT> | <CR>>    Remote login utility:
  • HOST—host name or IP address of the destination Telnet server.
  • PORT—port number to connect to. Default Telnet port: 23
  • CR—connect to the default Telnet port.

Related Commands

See the “terminal” command on page 123.
See the show terminal command in “show” on page 105.

traceroute

Use the traceroute command to examine the path between the source and the destination host.

Syntax

traceroute [-F] [-I] [-d] [-f <NUMBER>] [-g <HOST>] [-i <eth-1 | eth-2 | eth-3 | eth-4>] [-m <NUMBER>] [-n] [-p <NUMBER>] [-q <NUMBER>] [-r] [-s <HOST>] [-t <NUMBER>] [-v] [-w <NUMBER>] [-x] [<HOST>]

Arguments

-F    Set the don't fragment (DF) bit in all IP packets. This setting helps debug fragmentation problems that noncompliant routers and firewalls cause along the path.

-I    Set ICMP protocol. This is the default.

-d    Set the SO_DEBUG option on the socket being used.

-f <NUMBER>    Set the initial TTL value. This skips <NUMBER> gateways.

-g <HOST>    Specify one or more loose source route gateways by name or IP address. You can specify a maximum of eight gateways.

-i <eth-1 | eth-2 | eth-3 | eth-4>    Specify the interface name from which to source packets.

-m <NUMBER>    Set the maximum time to live (maximum number of hops) used in outgoing probe packets. Default: 30 hops (the same default used for TCP connections).

-n    Print hop addresses numerically rather than symbolically and numerically (saves a nameserver address-to-name lookup for each gateway found on the path).

-p <NUMBER>    Set the base UDP port number used in probes. Default: 33434. Traceroute expects that no other application is listening on UDP ports base to base + nhops - 1 at the destination host (so an ICMP PORT_UNREACHABLE message is returned to terminate the route tracing). If another application is listening on a port in the default range, you can use the -p option to pick an unused port range.

-q <NUMBER>    Set the number of UDP packets to be sent towards the destination host at each hop. Default: 3

-r    Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. You can use the -r option to ping a local host through an interface that has no route through it.

-s <HOST>    Use the IP address (which must be given as an IP number, not a host name) as the source address in outgoing probe packets. Use this option to force the source address to be an IP address other than that of the interface on which the probe packet is sent. If the IP address is not one of the interface addresses for this security gateway, an error is returned and nothing is sent. This command performs the same function as the -i option.

-t <NUMBER>    Set the type of service (TOS) in probe packets to <NUMBER>, which must be a decimal integer in the range 0 to 255. This option is used to check whether different types of service result in different paths. Not all values of TOS are legal or meaningful.
  Note: For more information about definitions, see RFC 791. Useful values are -t 16 (low delay) and -t 8 (high throughput).

-v    Verbose output. Lists ICMP packets other than TIME_EXCEEDED and unreachable that are received.

-w <NUMBER>    Set the time (in seconds) to wait for a response to a probe. Default: 5

-x    Disable checksum computations.

<HOST>    Host name or dotted-decimal address.

Related Commands

See the “netstat” command on page 142.
See the “ping” command on page 144.
See the show interface command in “show” on page 105.

Configuration Mode Commands

Use the following configuration mode command to perform network administration.

Command    Description

tftp    Configure the TFTP client.

tftp

Use the tftp command to configure a default TFTP server for the CLI.

Syntax

Config# [no] tftp default server <ADDR>

Arguments

no    Negate the command.

default    Set the default TFTP client options.

server <ADDR>    Set the default server for the TFTP client:
  • ADDR—IP address of the TFTP server.

Examples

Config# tftp default server 1.1.1.1

Configures a default TFTP server for the cluster to use.

Managing Files and Directories

The file and directory commands allow you to manage files and directories.

Command Mode Commands

Use the following command mode commands to manage files and directories from the command mode.

Command    Function

copy    Copy a file.

create    Create a file.

delete    Delete a file.

differences    Compare files.

directory    List directory contents.

rename    Rename a file.

source    Process a file of shell commands.

type    Type out the contents of a file.

copy

Use the copy command to copy files locally on the gateway, or to a remote location through TFTP or NFS.

Syntax

copy [<NAME> <NAME>]

Arguments

copy <NAME> <NAME>    Copy a file:
  • NAME—name of the source file to be copied.
  • NAME—name of the destination file into which the source file is to be copied.

Examples

copy nfs://192.168.202.154/home/c-v1.2-86.kl.kz flash:cc-v1.2-86.kl

Copies the c-v1.2-86.kl.kz file from an NFS file system to the cc-v1.2-86.kl file on the flash memory in the primary slot.

create

Use the create command to create a new file on the local flash file system, on a TFTP server, or on an NFS server. To terminate the file, type Ctrl+Z or a line with a period (.) as its only character.

Syntax

create <NAME>

Arguments

create <NAME>    Create a new file:
  • NAME—name of the file to be created.

delete

Use the delete command to delete a file.

Note: The delete command works only on the local flash file system.

Syntax

delete <NAME>

Arguments

delete <NAME>    Delete the specified file:
  • NAME—name of the file to be deleted.

Examples

delete myfile.txt

Deletes the myfile.txt file.

delete pccard1:boot-config

Deletes the boot-config file on pccard1.

differencesUse the differences command to compare the contents of two files. When comparing:

Text files, the differences between the files are listed. Binary files, the result returned indicates if the files are the same or different.

Syntax

differences <NAME> <NAME>

Examplesdifferences myfile1.txt myfile2.txt

Compares the contents of myfile1.txt and myfile2.txt and lists the differences.differences cc-v4.0-90.sr tftp://Nokia_files.com/cc-v4.0-90.sr

Compares the contents of cc-v4.0-90.sr and tftp://Nokia_files.com/cc-v4.0-90.sr and indicates whether they are the same or different.

directoryUse the directory command to display files in flash memory or the specified directory.

Syntax

directory <NAME> | <CR>

Arguments

differences <NAME> <NAME>

Compare two files:• NAME—name of the file to be compared.• NAME—name of the file to be compared

with.

Arguments

directory <NAME> | <CR> Display the specified directory:• NAME—name of the directory to display.• CR—displays the contents of flash memory.

Nokia IP VPN Gateway Command-Line Summary v6.3 153

3 Managing the Gateway

Examplesdirectory pccard1:

Displays the contents of pccard1 flash memory.

renameUse the rename command to rename a file in the flash file system.

NoteFiles cannot be renamed across different flash memory.

Syntax

rename <NAME> <NAME>

Examplesrename oldfile.txt newfile.txt

Replaces the file name oldfile.txt with a new file name, newfile.txt.

sourceUse the source command to run a script from a file that contains command mode CLI commands.

NoteThis file must not contain configuration mode commands.

Syntax

source<filename>

Arguments

rename <NAME> <NAME> Rename a file:• NAME—name of the file to be renamed.• NAME—name of the new file.

Arguments

source <filename> Process a file of shell commands: • filename—name of a file with shell

commands.

154 Nokia IP VPN Gateway Command-Line Summary v6.3

Managing Files and Directories

Examplesource tftp://Nokia_tftp/setdelay.scp

Executes a set of commands from a TFTP server.

type

Use the type command to view the contents of a specified file. You can view flash, TFTP, or NFS files.

Syntax

type <NAME>

Arguments

type <NAME>
    Type out the contents of a file:
    • NAME—name of the file to be displayed.

Example

type flash:cluster_config_1.txt

Displays the contents of the named file on the flash memory in the primary slot.

Related Commands

See the “terminal” command on page 123.

Configuration Mode Commands

Use the nfs configuration mode command to manage files and directories from the configuration mode.

Command    Function
nfs        Configure the NFS client.

nfs

Use the nfs command to define a default NFS server for the cluster. You can also set default UID and GID values. If a default NFS server is set, you can omit the NFS server name option. For example, you can shorten the file system specification nfs://nfs.Nokia_files.com/boot-config to nfs:boot-config.

Syntax

Config# [no] nfs default <[gid <NFS GID> | server <ADDR> | uid <NFS UID>]>

Arguments

no
    Negate the command.

default <[gid <NFS GID> | server <ADDR> | uid <NFS UID>]>
    The default keyword for the NFS client:
    • gid—GID keyword for the NFS client.
    • gid NFS GID—default GID for the NFS client.
    • server—server keyword for the NFS client.
    • server ADDR—IP address of the NFS server.
    • uid—UID keyword for the NFS client.
    • uid NFS UID—default UID for the NFS client.

Examples

Config# nfs default server 10.3.4.5
Config# nfs default uid 106
Config# nfs default gid 10

Related Commands

See the Config# “tftp” command on page 150.

Logging and Debugging

The logging and debugging commands allow you to set debug activities and the log server configuration.

Command Mode Commands

Use the following command mode commands to set debug activities and the log server configuration.

Command    Function
debug      Set debug activities.
log        Log server configuration.

debug

Use the debug command to enable or disable event logging at different levels for different gateway subsystems. To view debug messages on a Telnet or SSH session, you must have logging enabled through configuration or by using the log enable command.


Syntax

[no] debug anti-spoofing
    [app-clustering <debug | error | info | none>]
    [cluster <all | connectivity | default | event | load-balancing | membership | workspace>]
    [dhcp-server <all | bootp-forwarder | client-db | communications | packets | parse | ping-check | ras>]
    [ike <all | attribute | basic | cluster | cookie | death | default | download | event | header | id | io | isadb | locking | notify | options | payload | policy | rekey | ring | route | saapi | state>]
    [ipsec <all | basic | cluster | death | default | event | mapping | pending | rekey | selector>]
    [ipsrd <bgp <cluster | keepalive | open | update | <CR>>
         | global <cluster | normal | policy | route | state | task | timer | <CR>>
         | ipsec-peer <cluster | packet <<peer-id> | <CR>> | proxy | route | <CR>>
         | ospf <ack | cluster | dd | drelect | hello | lsa | lsr | lsu | spf | <CR>>
         | rip <request | response | <CR>>>]
    [monitor <debug | default | error | info | <CR>>]
    [nat]
    [ntp <debug | default | error | info | none>]
    [ppp <all | authentication | ccp | detailed | ipcp | lcp | negotiations | protocol>]
    [radius <accounting | all | attributes | authentication | authorization | cluster | packets>]
    [vpdn <all | cluster | detailed | l2tp | pptp>]
    [cfg_server <all | boot | commands | communication | events | files | flow | geninfo>]
    [chat <all | chat>]
    [dgwp <all | cluster | communication | server | <CR>>]
    [dhcp-client <all | misc | packet | packet-dump | parse | state>]
    [dialupd <all | chat | dialup | err | gen | ipc | ppp | stm>]
    [dialupoob <all | cfg | dlpool | err | gen | ipc | stm>]
    [ldap <acl | all | any | args | ber | config | conns | daemon | deprecated | filter | ipc | none | packets | parse | shell | stats | stats2 | trace>]
    [oob <all | chat | err | gen | ipc | oob | ppp | stm | <CR>>]
    [pkid <all | misc>]
    [scep <all | bio | ca | cmds | http | keys | misc | nvdt | pkcs>]
    [schedule <all | command | execution | management | startup>]
    [sshd <all | config | events | original | scp>]
    [ssl <all | misc>]
    [userauth <all | common | ldap | local>]
    [vrrp <all | event | misc | packet | state>]
    [wanbackup <all | cfg | err | gen | ipc | rt | stm | wb>]


Arguments

no
    Negate the command.

anti-spoofing
    Enable or disable anti-spoofing debug messages.

app-clustering <debug | error | info | none>
    Configure the cluster app-server debug level:
    • debug—enable cluster app-server debug-level event logging.
    • error—enable cluster app-server error-level event logging.
    • info—enable cluster app-server info-level event logging.
    • none—stop cluster app-server event logging.

cluster <all | connectivity | default | event | load-balancing | membership | workspace>
    Configure the cluster debug level:
    • all—all event logging.
    • connectivity—cluster connectivity logging.
    • default—default event logging.
    • event—cluster event logging.
    • load-balancing—cluster load-balancing logging.
    • membership—cluster membership logging.
    • workspace—cluster workspace assignment logging.

dhcp-server <all | bootp-forwarder | client-db | communications | packets | parse | ping-check | ras>
    Select Dynamic Host Configuration Protocol (DHCP) server debugging classes:
    • all—enable all event logging.
    • bootp-forwarder—BOOTP forwarding processing.
    • client-db—client database processing.
    • communications—communications processing.
    • packets—packet tracing processing.
    • parse—packet parsing.
    • ping-check—ping-check processing.
    • ras—ignore-ras processing.

ike <all | attribute | basic | cluster | cookie | death | default | download | event | header | id | io | isadb | locking | notify | options | payload | policy | rekey | ring | route | saapi | state>
    Select IKE debugging classes:
    • all—all event logging.
    • attribute—IKE attribute negotiation events.
    • basic—basic event logging.
    • cluster—IKE cluster processing.
    • cookie—ISAKMP cookie processing.
    • death—SA deletion events.
    • default—default event logging.
    • download—management software download logging.
    • event—general event logging.
    • header—ISAKMP header processing.
    • id—ISAKMP ID payload processing.
    • io—send or receive message logging.
    • isadb—database operation events.
    • locking—locking operations.
    • notify—ISAKMP notify payload processing.
    • options—ISAKMP options processing.
    • payload—ISAKMP payload processing.
    • policy—policy operations.
    • rekey—rekey operations.
    • ring—public- or private-key ring operations.
    • route—routing updates (PF_ROUTE).
    • saapi—kernel operations.
    • state—state machine changes.

ipsec <all | basic | cluster | death | default | event | mapping | pending | rekey | selector>
    Select IPSec debugging classes:
    • all—enable all event logging.
    • basic—enable basic event logging.
    • cluster—IPSec cluster processing.
    • death—SA deletion events.
    • default—enable default event logging.
    • event—general event logging.
    • mapping—IPSec SA mapping creation or deletion events.
    • pending—pending entry creation or deletion events.
    • rekey—IPSec rekey events.
    • selector—miscellaneous selector logging.

ipsrd
    Configure IPSRD debug activities.


ipsrd <bgp <cluster | keepalive | open | update | <CR>>>
    • bgp—trace BGP state.
    • bgp cluster—trace BGP clustering messages.
    • bgp keepalive—trace BGP KEEPALIVE messages.
    • bgp open—trace BGP OPEN messages.
    • bgp update—trace BGP UPDATE messages.
    • bgp <CR>—trace all BGP messages.

ipsrd <global <cluster | normal | policy | route | state | task | timer | <CR>>>
    • global—trace IPSRD state.
    • global cluster—trace clustering.
    • global normal—trace normal events.
    • global policy—trace policy decisions.
    • global route—trace routing table changes.
    • global state—trace state machine transitions.
    • global task—trace tasks and jobs.
    • global timer—trace timer functions.
    • global <CR>—set all of the above.

ipsrd <ipsec-peer <cluster | packet <<peer-id> | <CR>> | proxy | route | <CR>>>
    • ipsec-peer—trace IPSec-peering state.
    • ipsec-peer cluster—trace IPSec-peer cluster messages.
    • ipsec-peer packet—trace IPSec-peer packets.
    • ipsec-peer packet <peer-id>—trace IPSec-peer packets to and from the peer.
    • ipsec-peer packet <CR>—trace all IPSec-peer messages.
    • ipsec-peer proxy—trace IPSec-peer proxy operations.
    • ipsec-peer route—trace IPSec-peer routes.
    • ipsec-peer <CR>—trace all IPSec-peer messages.

ipsrd <ospf <ack | cluster | dd | drelect | hello | lsa | lsr | lsu | spf | <CR>>>
    • ospf—trace OSPF state.
    • ospf ack—trace link state ack packets.
    • ospf cluster—trace OSPF clustering.
    • ospf dd—trace database descriptor packets.
    • ospf drelect—trace designated router election.
    • ospf hello—trace hello packets.
    • ospf lsa—trace link state ack packets.
    • ospf lsr—trace link state request packets.
    • ospf lsu—trace link state update packets.
    • ospf spf—set SPF debugging.
    • ospf <CR>—all of the above.


ipsrd <rip <request | response | <CR>>>
    • rip—trace RIP state.
    • rip request—trace RIP request messages.
    • rip response—trace RIP response messages.
    • rip <CR>—trace all RIP messages.

monitor <debug | default | error | info | <CR>>
    Configure the monitor server debug level:
    • debug—enable monitor server debug-level event logging.
    • default—enable monitor server event logging to the default level.
    • error—enable monitor server error-level event logging.
    • info—enable monitor server info-level event logging.
    • CR—enable monitor server event logging to the default level.

nat
    Configure NAT debug activities.

ntp <debug | default | error | info | none>
    Configure the Network Time Protocol (NTP) debug level:
    • debug—enable NTP debug-level event logging.
    • default—enable NTP event logging to the default level.
    • error—enable NTP error-level event logging.
    • info—enable NTP info-level event logging.
    • none—stop NTP event logging.

ppp <all | authentication | ccp | detailed | ipcp | lcp | negotiations | protocol>
    Configure the PPP debugging classes:
    • all—all event logging.
    • authentication—PPP authentication.
    • ccp—CCP events.
    • detailed—detailed information.
    • ipcp—IPCP events.
    • lcp—LCP events.
    • negotiations—PPP negotiations.
    • protocol—PPP protocol.


radius <accounting | all | attributes | authentication | authorization | cluster | packets>
    Configure the RADIUS debugging classes:
    • accounting—RADIUS accounting event logging.
    • all—all RADIUS event logging.
    • attributes—RADIUS attribute event logging.
    • authentication—RADIUS authentication event logging.
    • authorization—RADIUS authorization event logging.
    • cluster—RADIUS cluster event logging.
    • packets—RADIUS packet event logging.

vpdn <all | cluster | detailed | l2tp | pptp>
    Configure the Layer Two Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP) (VPDN) debugging classes:
    • all—all event logging.
    • cluster—L2TP or PPTP (VPDN) cluster events.
    • detailed—detailed information.
    • l2tp—L2TP events.
    • pptp—PPTP events.

cfg_server <all | boot | commands | communication | events | files | flow | geninfo>
    Configure server help classes:
    • all—enable all facility groups.
    • boot—boot-related logging.
    • commands—command logging.
    • communication—communication-specific logging.
    • events—log events.
    • files—file access logging.
    • flow—information flow logging.
    • geninfo—gen_info.txt specific logging.

chat <all | chat>
    Modem chat debugging classes:
    • all—enable all facility groups.
    • chat—modem CHAT debug information.

dgwp <all | cluster | communication | server | <CR>>
    DGW Proxy debugging classes:
    • all—enable all facility groups.
    • cluster—cluster debug information.
    • communication—communication events debug information.
    • server—server debug information.


dhcp-client <all | misc | packet | packet-dump | parse | state>
    DHCP client debugging classes:
    • all—enable all facility groups.
    • misc—DHCP client miscellaneous.
    • packet—DHCP client packet debug.
    • packet-dump—DHCP client packet dump.
    • parse—DHCP client parse packet.
    • state—DHCP client states.

dialupd <all | chat | dialup | err | gen | ipc | ppp | stm>
    Dialup stm debugging classes:
    • all—enable all facility groups.
    • chat—dialup chat debug information.
    • dialup—dialup debug information.
    • err—dialup error debug information.
    • gen—dialup general debug information.
    • ipc—dialup IPC debug information.
    • ppp—dialup PPP debug information.
    • stm—dialup state machine debug information.

dialupoob <all | cfg | dlpool | err | gen | ipc | stm>
    Dialup OOB stm debugging classes:
    • all—enable all facility groups.
    • cfg—dialupOOB configuration debug information.
    • dlpoob—dialupOOB debug information.
    • err—dialupOOB error debug information.
    • gen—dialupOOB general debug information.
    • ipc—dialupOOB IPC debug information.
    • stm—dialupOOB state machine debug information.


ldap <acl | all | any | args | ber | config | conns | daemon | deprecated | filter | ipc | none | packets | parse | shell | stats | stats2 | trace>
    Lightweight Directory Access Protocol (LDAP) application help classes:
    • acl—debug ACLs.
    • all—debug traces.
    • any—other debugging.
    • args—debug args.
    • ber—debug BER.
    • config—debug configuration.
    • conns—debug connections.
    • daemon—LDAP daemon internal debug.
    • deprecated—debug deprecated.
    • filter—debug filters.
    • ipc—daemon IPC debug.
    • none—non-listed debug.
    • packets—debug packets.
    • parse—debug parsing.
    • shell—shell debug.
    • stats—statistics debug.
    • stats2—more statistics debug.
    • trace—debug trace.

oob <all | chat | err | gen | ipc | oob | ppp | stm | <CR>>
    OOB stm debugging classes:
    • all—enable all facility groups.
    • chat—OOB chat debug information.
    • err—OOB error debug information.
    • gen—OOB general debug information.
    • ipc—OOB IPC debug information.
    • oob—OOB debug information.
    • ppp—OOB PPP debug information.
    • stm—OOB state machine debug information.

pkid <all | misc>
    PKID application help classes:
    • all—enable all facility groups.
    • misc—miscellaneous debug information.

scep <all | bio | ca | cmds | http | keys | misc | nvdt | pkcs>
    Configure Simple Certificate Enrollment Protocol (SCEP) application help classes:
    • all—enable all facility groups.
    • bio—BIO debug information.
    • ca—certificate authority debug information.
    • cmds—commands debug information.
    • http—HTTP debug information.
    • keys—keys debug information.
    • misc—miscellaneous debug information.
    • nvdt—Nokia VPN Deployment Tool debug information.
    • pkcs—PKCS management debug information.


schedule <all | command | execution | management | startup>
    Scheduler application help classes:
    • all—enable all facility groups.
    • command—command-specific debug information.
    • execution—execution debug information.
    • management—schedule management debug information.
    • startup—startup debug information.

sshd <all | config | events | original | scp>
    Configure secure shell daemon debugging classes:
    • all—enable all facility groups.
    • config—configuration details of the server.
    • events—event logging information.
    • original—original SSH debug output.
    • scp—secure copy (SCP) related debug output.

ssl <all | misc>
    Configure SSL debugging classes:
    • all—enable all facility groups.
    • misc—miscellaneous debug information.

userauth <all | common | ldap | local>
    Configure user authentication debugging classes:
    • all—enable all facility groups.
    • common—common authentication events.
    • ldap—LDAP authentication events.
    • local—local authentication events.

vrrp <all | event | misc | packet | state>
    Virtual router debugging classes:
    • all—enable all facility groups.
    • event—virtual router events.
    • misc—miscellaneous information.
    • packet—dropped incoming VRRP packets.
    • state—virtual router state change.

wanbackup <all | cfg | err | gen | ipc | rt | stm | wb>
    WAN backup debugging classes:
    • all—enable all facility groups.
    • cfg—WB configuration debug information.
    • err—WB error debug information.
    • gen—WB general debug information.
    • ipc—WB IPC debug information.
    • rt—WB routing debug information.
    • stm—WB state machine debug information.
    • wb—WAN backup debug information.

Examples

debug cluster event

Sets debugging activities on cluster events.

debug ipsrd ospf spf state

Turns on debugging in the IPSRD OSPF subsystem for calculating the shortest path first (SPF) tree, and traces state transitions.

Related Commands

See the show debug command in “show” on page 105.

log

Use the log command to control the display of debug and audit messages.

Syntax

log [audit <enable <nobacklog | <CR>> | disable>]
    [backlog <audit | <CR>>]
    [disable]
    [duplicate <enable | disable>]
    [enable <nobacklog | <CR>>]
    [flush <audit | <CR>>]
    [level <none | emergency | alert | critical | error | warning | notice | info | debug>]
    [timestamps <enable <microsecond> | disable>]

Arguments

audit <enable <nobacklog | <CR>> | disable>
    Control the display of audit type log messages:
    • enable—enable audit terminal logging.
    • enable nobacklog—no backlog messages logging.
    • enable CR—backlog messages logging.
    • disable—disable audit terminal logging.

backlog <audit | <CR>>
    Display the last n messages stored in the log:
    • audit—display only audit type messages.
    • CR—display all messages.

disable
    Disable the logging of messages on the terminal.

duplicate <enable | disable>
    Control how duplicate log messages are handled:
    • enable—suppress duplicate log message printing.
    • disable—print duplicate log messages.
    If the duplicate option is disabled, all duplicate messages are displayed. If the duplicate option is enabled, only the first message in a series of duplicate messages is displayed until a nonduplicate message arrives. A summary of the count of duplicate messages received is displayed when a set number is received, or a timeout occurs.

enable <nobacklog | <CR>>
    Enable terminal logging:
    • nobacklog—no backlog messages logging.
    • CR—backlog messages logging.

flush <audit | <CR>>
    Delete the log history buffers for the terminal:
    • audit—flush only audit type messages.
    • CR—flush all messages.

level <none | emergency | alert | critical | error | warning | notice | info | debug>
    Control the display of log messages based on priority:
    • none—do not display any messages.
    • emergency—set the minimum log severity level to emergency.
    • alert—set the minimum log severity level to alert.
    • critical—set the minimum log severity level to critical.
    • error—set the minimum log severity level to error.
    • warning—set the minimum log severity level to warning.
    • notice—set the minimum log severity level to notice.
    • info—set the minimum log severity level to info.
    • debug—set the minimum log severity level to debug.

timestamps <enable <microsecond> | disable>
    Enable or disable time stamps on terminal logging:
    • enable—enable time stamps.
    • enable microsecond—enable microsecond time stamps.
    • disable—disable time stamps.

Related Commands

See the “debug” command on page 156.
See the “terminal” command on page 123.
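The log level filter and the log duplicate enable behaviour described above, modelled as an added Python example (this is not Nokia code). The page states only that a duplicate summary appears after "a set number" of repeats or "a timeout"; the threshold of 5, the 10-second timeout, the summary wording and the message stream in demo() are constructed assumptions.

```python
"""Terminal log filter modelled on the `log level` and `log duplicate` options.

Added example, not Nokia code. The threshold (5) and timeout (10 s) below are
assumed values for the page's "set number" and "timeout"; the message stream
in demo() is constructed, not real gateway output.
"""
from __future__ import annotations

from dataclasses import dataclass, field
from typing import List, Optional

# Severities in the order the `log level` argument lists them, most severe first.
LEVELS = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]
RANK = {name: i for i, name in enumerate(LEVELS)}


@dataclass
class TerminalLog:
    level: str = "info"             # `log level <x>`; "none" displays nothing
    duplicate: bool = False         # True models `log duplicate enable`
    summary_count: int = 5          # assumed "set number" of repeats
    summary_timeout: float = 10.0   # assumed timeout, in seconds
    shown: List[str] = field(default_factory=list)
    _last: Optional[str] = None     # text of the last displayed message
    _dup_count: int = 0             # suppressed repeats not yet summarised
    _dup_since: float = 0.0         # time the current duplicate run started

    def passes_level(self, severity: str) -> bool:
        """A message is shown when it is at least as severe as the minimum level."""
        if self.level == "none":
            return False
        return RANK[severity] <= RANK[self.level]

    def _flush_summary(self) -> None:
        # Emit the count of suppressed repeats, if any, and start a new count.
        if self._dup_count:
            self.shown.append(f"last message repeated {self._dup_count} times")
            self._dup_count = 0

    def receive(self, t: float, severity: str, text: str) -> List[str]:
        """Feed one message arriving at time t; return the lines it caused to print."""
        start = len(self.shown)
        if not self.passes_level(severity):
            return []
        if self.duplicate and text == self._last:
            # Suppress the repeat; summarise when the count or the timeout is reached.
            self._dup_count += 1
            if (self._dup_count >= self.summary_count
                    or t - self._dup_since >= self.summary_timeout):
                self._flush_summary()
                self._dup_since = t
            return self.shown[start:]
        # A non-duplicate message ends the run: print the pending summary, then it.
        self._flush_summary()
        self.shown.append(f"{severity}: {text}")
        self._last = text
        self._dup_since = t
        return self.shown[start:]


def demo() -> List[str]:
    """Constructed IKE/IPSec-style messages run through a warning-level filter."""
    log = TerminalLog(level="warning", duplicate=True)
    stream = [
        (0.0, "debug", "ike: sending payload"),        # below minimum level
        (1.0, "error", "ike: no proposal chosen"),
        (1.5, "error", "ike: no proposal chosen"),     # duplicate, suppressed
        (2.0, "error", "ike: no proposal chosen"),     # duplicate, suppressed
        (3.0, "warning", "ipsec: SA rekey pending"),   # summary, then message
        (4.0, "info", "cluster: member joined"),       # below minimum level
    ]
    for t, severity, text in stream:
        log.receive(t, severity, text)
    return log.shown


if __name__ == "__main__":
    for line in demo():
        print(line)
```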

Configuration Mode Commands

Use the following configuration mode commands to set audit options, configure the console, and debug events.

Command     Function
audit       Configure audit options.
console     Configure the default console parameters.
debug       Configure debug events.
log         Configure logging options.
pkttrace    Enable packet trace and configure triggers.
syslog      Configure the syslog client.

audit

Use the audit command to alter the number of buffers allocated for the audit log history. Audit messages are stored in audit buffers. To ensure that messages are not lost, forward messages to a syslog server, or monitor them by using Nokia IP VPN Gateway. The default audit buffer size is 20 messages.

Syntax

Config# [no] audit buffers <number>

Arguments

no
    Negate the command.

buffers <number>
    The number of audit history buffers:
    • number—number of audit history buffers.
    Default audit buffer size: 20

Examples

Config# audit buffers 50

Changes the number of buffers allocated for audit history to 50.

Related Commands

See the log buffers command in “Config# [no] log” on page 180.
See the “Config# [no] syslog” command on page 182.

console

Use the console command to set the level of logging to appear on the system console (the serial port marked console on each Nokia IP VPN Gateway). The console audit command displays audit messages on the console. You cannot disable auditing, although you can disable the display of audit messages on the console by using the console login command. By default, console audit is enabled and the console logging command is disabled.

You can enable or disable console logging from the command mode by using the log enable and log disable commands. You can also set log levels and log time stamp settings from the command mode by using the log command.

Syntax

Config# [no] console audit

Config# [no] console logging
    [level <none | emergency | alert | critical | error | warning | notice | info | debug>]
    [timestamp <<microsecond> | <CR>>]
    [<CR>]

Arguments

no
    Negate the command.

audit
    Enable or disable console auditing. Default: enabled


logging <level <none | emergency | alert | critical | error | warning | notice | info | debug>>
    Set the default minimum severity level for console logging. The audit and logging levels are similar to syslog and UNIX logging levels:
    • none—filter out all logging messages.
    • emergency—set the minimum log-severity level to emergency.
    • alert—set the minimum log-severity level to alert.
    • critical—set the minimum log-severity level to critical.
    • error—set the minimum log-severity level to error.
    • warning—set the minimum log-severity level to warning.
    • notice—set the minimum log-severity level to notice.
    • info—set the minimum log-severity level to info.
    • debug—set the minimum log-severity level to debug.

logging <timestamp <microsecond> | <CR>>
    Control whether time stamps are presented on the local messages:
    • microsecond—add microsecond reporting to time stamps.
    • CR—enable or disable console logging time stamps.
    Default: disabled

logging <CR>
    Enable or disable console logging. Default: disabled

Related Commands

See the audit buffers command in Config# “audit” on page 168.
See the log buffers command in Config# “log” on page 179.
See the log enable command in “log” on page 166.
See the log disable command in “log” on page 166.
See the log level command in “log” on page 166.
See the log timestamps enable microsecond command in “log” on page 166.

debug

Use the debug command to enable or disable event logging at different levels for different gateway subsystems.

Syntax

Config# [no] debug anti-spoofing
    [app-clustering <debug | error | info | none>]
    [cluster <all | connectivity | default | event | load-balancing | membership | workspace>]
    [dhcp-server <all | bootp-forwarder | client-db | communications | packets | parse | ping-check | ras>]
    [ike <all | attribute | basic | cluster | cookie | death | default | download | event | header | id | io | isadb | locking | notify | options | payload | policy | rekey | ring | route | saapi | state>]
    [ipsec <all | basic | cluster | death | default | event | mapping | pending | rekey | selector>]
    [ipsrd <bgp <cluster | keepalive | open | update | <CR>>
         | global <cluster | normal | policy | route | state | task | timer>
         | ipsec-peer <cluster | packet <<peer-id> | <CR>> | proxy | route | <CR>>
         | ospf <ack | cluster | dd | drelect | hello | lsa | lsr | lsu | spf | <CR>>
         | rip <request | response | <CR>>>]
    [monitor <debug | default | error | info | <CR>>]
    [nat]
    [ntp <debug | default | error | info | none>]
    [ppp <all | authentication | ccp | detailed | ipcp | lcp | negotiations | protocol>]
    [radius <accounting | all | attributes | authentication | authorization | cluster | packets>]
    [vpdn <all | cluster | detailed | l2tp | pptp>]
    [cfg_server <all | boot | commands | communication | events | files | flow | geninfo>]
    [chat <all | chat>]
    [dgwp <all | cluster <communication | server> | communication <cluster | server> | server <cluster | communication>>]
    [dhcp-client <all | misc | packet | packet-dump | parse | state>]
    [dialupd <all | chat | dialup | err | gen | ipc | ppp | stm>]
    [dialupoob <all | cfg | dlpoob | err | gen | ipc | stm>]
    [ldap <acl | all | any | args | ber | config | conns | daemon | deprecated | filter | ipc | none | packets | parse | shell | stats | stats2 | trace>]
    [oob <all | chat | err | gen | ipc | oob | ppp | stm>]
    [pkid <all | misc>]
    [scep <all | bio | ca | cmds | http | keys | misc | nvdt | pkcs>]
    [schedule <all | command | execution | management | startup>]
    [sshd <all | config | events | original | scp>]
    [ssl <all | misc>]
    [userauth <all | common | ldap | local>]
    [vrrp <all | event | misc | packet | state>]
    [wanbackup <all | cfg | err | gen | ipc | rt | stm | wb>]

Arguments

no
    Negate the command.

anti-spoofing
    Enable or disable anti-spoofing debug messages.

app-clustering <debug | error | info | none>
    Configure the cluster application clustering debug level:
    • debug—enable cluster app server debug-level event logging.
    • error—enable cluster app server error-level event logging.
    • info—enable cluster app server info-level event logging.
    • none—stop cluster app server event logging.

cluster <all | connectivity | default | event | load-balancing | membership | workspace>
    Configure the cluster debug level:
    • all—all event logging.
    • connectivity—cluster connectivity logging.
    • default—default event logging.
    • event—cluster event logging.
    • load-balancing—cluster load-balancing logging.
    • membership—cluster membership logging.
    • workspace—cluster workspace assignment logging.

dhcp-server <all | bootp-forwarder | client-db | communications | packets | parse | ping-check | ras>
    Configure the DHCP server debug level:
    • all—enable all event logging.
    • bootp-forwarder—track BOOTP forwarding processing.
    • client-db—track client database processing.
    • communications—track communications processing.
    • packets—track packet-tracing processing.
    • parse—track packet parsing.
    • ping-check—track ping-check processing.
    • ras—track processing of the ignore-ras config setting.

ike <all | attribute | basic | cluster | cookie | death | default | download | event | header | id | io | isadb | locking | notify | options | payload | policy | rekey | ring | route | saapi | state>
    Select IKE debugging classes:
    • all—all event logging.
    • attribute—IKE attribute negotiation events.
    • basic—basic event logging.
    • cluster—IKE cluster processing.
    • cookie—ISAKMP cookie processing.
    • death—SA deletion events.
    • default—default event logging.
    • download—management software download logging.
    • event—general event logging.
    • header—ISAKMP header processing.
    • id—ISAKMP ID payload processing.
    • io—send or receive message logging.
    • isadb—database operation events.
    • locking—locking operations.
    • notify—ISAKMP notify payload processing.
    • options—ISAKMP options processing.
    • payload—ISAKMP payload processing.
    • policy—policy operations.
    • rekey—rekey operations.
    • ring—public- and private-key ring operations.
    • route—routing updates (PF_ROUTE).
    • saapi—kernel operations.
    • state—state machine changes.

ipsec <all | basic | cluster | death | default | event | mapping | pending | rekey | selector>
    Select IPSec debugging classes:
    • all—enable all event logging.
    • basic—enable basic event logging.
    • cluster—IPSec cluster processing.
    • death—SA deletion events.
    • default—enable default event logging.
    • event—general event logging.
    • mapping—IPSec SA mapping creation and deletion events.
    • pending—pending entry creation and deletion events.
    • rekey—IPSec rekey events.
    • selector—miscellaneous selector logging.

ipsrd
    Configure IPSRD debug activities.


ipsrd <bgp <cluster | keepalive | open | update | <CR>>>
    • bgp—trace BGP state.
    • bgp cluster—trace BGP clustering messages.
    • bgp keepalive—trace BGP KEEPALIVE messages.
    • bgp open—trace BGP OPEN messages.
    • bgp update—trace BGP UPDATE packets.
    • bgp <CR>—trace all BGP messages.

ipsrd <global <cluster | normal | policy | route | state | task | timer | <CR>>>
    • global—trace IPSRD state.
    • global cluster—trace clustering.
    • global normal—trace normal events.
    • global policy—trace policy decisions.
    • global route—trace routing table changes.
    • global state—trace state machine transitions.
    • global task—trace tasks and jobs.
    • global timer—trace timer functions.
    • global <CR>—set all of the above.

ipsrd <ipsec-peer <cluster | packets <<peer-id> | <CR>> | proxy | route | <CR>>>
    • ipsec-peer—trace IPSec-peering state.
    • ipsec-peer cluster—trace IPSec-peer cluster messages.
    • ipsec-peer packet—trace IPSec-peer packets.
    • ipsec-peer packet <peer-id>—trace IPSec-peer packets to and from the peer.
    • ipsec-peer packet <CR>—trace IPSec-peer packets to and from all peers.
    • ipsec proxy—trace IPSec-peer proxy routes.
    • ipsec route—trace IPSec-peer route routes.
    • ipsec <CR>—trace all IPSec-peer messages.

ipsrd <ospf <ack | cluster | dd | drelect | hello | lsa | lsr | lsu | spf | <CR>>>
    • ospf—trace OSPF state.
    • ospf ack—trace link state ack packets.
    • ospf cluster—trace clustering.
    • ospf dd—trace database descriptor packets.
    • ospf drelect—trace designated router election.
    • ospf hello—trace hello packets.
    • ospf lsa—trace link-state ACK packets.
    • ospf lsr—trace link-state request packets.
    • ospf lsu—trace link-state update packets.
    • ospf spf—set SPF debugging.
    • ospf <CR>—set all of the above.


ipsrd <rip <request | response | <CR>>>
    • rip—trace RIP state.
    • rip request—set RIP request debugging.
    • rip response—set RIP response debugging.

monitor <debug | default | error | info | <CR>>
    Configure the monitor server debug level:
    • debug—enable monitor server debug-level event logging.
    • default—enable monitor server event logging to the default level.
    • error—enable monitor server error-level event logging.
    • info—enable monitor server info-level event logging.
    • CR—enable monitor server event logging to the default level.

nat
    Configure NAT debug activities.

ntp <debug | default | error | info | none>
    Configure the NTP debug level:
    • debug—enable NTP debug-level event logging.
    • default—enable NTP default-level event logging.
    • error—enable NTP error-level event logging.
    • info—enable NTP info-level event logging.
    • none—stop NTP event logging.

ppp <all | authentication | ccp | detailed | ipcp | lcp | negotiations | protocol>
    Configure the PPP debugging classes:
    • all—all event logging.
    • authentication—PPP authentication.
    • ccp—CCP events.
    • detailed—detailed information.
    • ipcp—IPCP events.
    • lcp—LCP events.
    • negotiations—PPP negotiations.
    • protocol—PPP protocol.

radius <accounting | all | attributes | authentication | authorization | cluster | packets>
    Configure the RADIUS debugging classes:
    • accounting—RADIUS accounting event logging.
    • all—all RADIUS event logging.
    • attributes—RADIUS attribute event logging.
    • authentication—RADIUS authentication event logging.
    • authorization—RADIUS authorization event logging.
    • cluster—RADIUS cluster-event logging.
    • packets—RADIUS packet-event logging.


vpdn <all | cluster | detailed | l2tp | pptp>
    Configure the L2TP and PPTP (VPDN) debugging classes:
    • all—all event logging.
    • cluster—L2TP and PPTP (VPDN) cluster events.
    • detailed—detailed information.
    • l2tp—L2TP events.
    • pptp—PPTP events.

cfg_server <all | boot | commands | communication | events | files | flow | geninfo>
    Configure server help classes:
    • all—enable all facility groups.
    • boot—boot-related logging.
    • commands—command logging.
    • communication—communication-specific logging.
    • events—log events.
    • files—file-access logging.
    • flow—information-flow logging.
    • geninfo—gen_info.txt specific logging.

chat <all | chat>
    Modem chat debugging classes:
    • all—enable all facility groups.
    • chat—modem CHAT debug information.

dgwp <all | cluster <communication | server> | communication <cluster | server> | server <cluster | communication>>
    DGW Proxy debugging classes:
    • all—enable all facility groups.
    • cluster—cluster debug information.
    • cluster communication—communication events debug information.
    • cluster server—server debug information.
    • communication—communication events debug information.
    • communication cluster—cluster debug information.
    • communication server—server debug information.
    • server—server debug information.
    • server cluster—cluster debug information.
    • server communication—communication events debug information.

dhcp-client <all | misc | packet | packet-dump | parse | state>
    DHCP client debugging classes:
    • all—enable all facility groups.
    • misc—DHCP client miscellaneous.
    • packet—DHCP client packet debug.
    • packet-dump—DHCP client packet dump.
    • parse—DHCP client parse packet.
    • state—DHCP client states.


dialupd <all | chat | dialup | err | gen | ipc | ppp | stm>

Dialup stm debugging classes:
• all—enable all facility groups.
• chat—dialup chat debug information.
• dialup—dialup debug information.
• err—dialup error debug information.
• gen—dialup general debug information.
• ipc—dialup IPC debug information.
• ppp—dialup PPP debug information.
• stm—dialup state machine debug information.

dialupoob <all | cfg | dlpoob | err | gen | ipc | stm>

DialupOOB stm debugging classes:
• all—enable all facility groups.
• cfg—dialupOOB configuration debug information.
• dlpoob—dialupOOB debug information.
• err—dialupOOB error debug information.
• gen—dialupOOB general debug information.
• ipc—dialupOOB IPC debug information.
• stm—dialupOOB state machine debug information.

ldap <acl | all | any | args | ber | config | conns | daemon | deprecated | filter | ipc | none | packets | parse | shell | stats | stats2 | trace>

LDAP application help classes:
• acl—debug ACLs.
• all—debug traces.
• any—other debugging.
• args—debug ARGS.
• ber—debug BER.
• config—debug config.
• conns—debug connections.
• daemon—LDAP daemon internal debug.
• deprecated—debug deprecated.
• filter—debug filters.
• ipc—IPC daemon debug.
• none—nonlisted debug.
• packets—debug packets.
• parse—debug parsing.
• shell—shell debug.
• stats—statistics debug.
• stats2—more statistics debug.
• trace—debug trace.


oob <all | chat | err | gen | ipc | oob | ppp | stm>

OOB stm debugging classes:
• all—enable all facility groups.
• chat—OOB chat debug information.
• err—OOB error debug information.
• gen—OOB general debug information.
• ipc—OOB IPC debug information.
• oob—OOB debug information.
• ppp—OOB PPP debug information.
• stm—OOB state machine debug information.

pkid <all | misc>

PKID application help classes:
• all—enables all facility groups.
• misc—miscellaneous debug information.

scep <all | bio | ca | cmds | http | keys | misc | nvdt | pkcs>

SCEP application help classes:
• all—enables all facility groups.
• bio—BIO debug information.
• ca—certificate authority debug information.
• cmds—commands debug information.
• http—HTTP debug information.
• keys—keys debug information.
• misc—miscellaneous debug information.
• nvdt—Nokia VPN Deployment Tool debug information.
• pkcs—PKCS management debug information.

schedule <all | command | execution | management | startup>

Scheduler application help classes:
• all—enable all facility groups.
• command—specific debug information.
• execution—execution debug information.
• management—schedule management debug information.
• startup—startup debug information.

sshd <all | config | events | original | scp>

SSH commands:
• all—enable all facility groups.
• config—configuration details of the server.
• events—event logging information.
• original—original SSH debug output.
• scp—secure copy (SCP) related debug output.

ssl <all | misc>

Configure SSL debugging classes:
• all—enable all facility groups.
• misc—miscellaneous SSL debug information.


userauth <all | common | ldap | local>

Configure user authentication debugging classes:
• all—enable all facility groups.
• common—common authentication events.
• ldap—LDAP authentication events.
• local—local authentication events.

vrrp <all | event | misc | packet | state>

Virtual router debugging classes:
• all—enable all facility groups.
• event—virtual router events.
• misc—miscellaneous information.
• packet—dropped incoming VRRP packets.
• state—virtual router state change.

wanbackup <all | cfg | err | gen | ipc | rt | stm | wb>

WAN backup debugging classes:
• all—enable all facility groups.
• cfg—WB configuration debug information.
• err—WB error debug information.
• gen—WB general debug information.
• ipc—WB IPC debug information.
• rt—WB routing debug information.
• stm—WB state machine debug information.
• wb—wanbackup debug information.

Examples

Config# debug cluster event

Sets debugging activities on cluster events.

Config# debug ipsrd ospf spf state

Turns on debugging in the IPSRD OSPF subsystem for calculating the shortest path first (SPF) tree, and traces state transitions.

Related Commands

See the show debug command in “show” on page 105.

log

Use the log command to configure logging options. Log messages are stored in log buffers. The buffers are used in a ring, so new messages overwrite older messages. Nokia recommends that you configure the syslog server to ensure that log messages are not lost. To display the log buffers on the terminal, enter the log enable command from the command mode.

Syntax

Config# [no] log buffers <number>

Arguments

no Negate the command.

buffers <number> Specify the number of log buffers:
• number—number of log history buffers, from one to 400. Default: 20

Related Commands

See the audit buffers command in Config# “audit” on page 168.
See the Config# “syslog” on page 182.
See the “log” command on page 166.

pkttrace

Use the pkttrace command to:
• Enable packet trace and configure triggers.
• Log a packet matching the configured trigger.

Packet trace configuration is not clustered.

Syntax

Config# pkttrace
time <seconds>
enable <trigger [ip <A.B.C.D> | srcip <A.B.C.D> | dstip <A.B.C.D> | proto <icmp | udp <port | srcport | dstport | <CR>> | tcp <port | srcport | dstport | <CR>> | <NUMBER>] | <CR>>
disable
trigger [ip <A.B.C.D> | srcip <A.B.C.D> | dstip <A.B.C.D> | proto <icmp | udp <port | srcport | dstport | <CR>> | tcp <port | srcport | dstport | <CR>> | <NUMBER>] | <CR>

Arguments

time <seconds> Duration after which packet trace is automatically disabled:
• seconds—number of seconds. Default: 120. Enter the value zero (0) to set an infinite duration.


enable <trigger [ip <A.B.C.D> | srcip <A.B.C.D> | dstip <A.B.C.D> | proto <icmp | udp <port | srcport | dstport | <CR>> | tcp <port | srcport | dstport | <CR>> | <NUMBER>] | <CR>

Enable packet tracing:
• trigger—configure triggers.

Note

If no trigger is configured, packets are not logged. The trigger cannot be modified; the complete command must be entered each time.

• trigger ip <A.B.C.D>—source or destination IP address.

• trigger srcip <A.B.C.D>—source IP address.

• trigger dstip <A.B.C.D>—destination IP address.

• trigger proto—protocol type field in IP packet.

• trigger proto icmp—ICMP protocol.
• trigger proto udp—UDP protocol.
• trigger proto udp port—source or destination port.
• trigger proto udp srcport—source port.
• trigger proto udp dstport—destination port.
• trigger proto tcp—TCP protocol.
• trigger proto tcp port—source or destination port.
• trigger proto tcp srcport—source port.
• trigger proto tcp dstport—destination port.
• trigger proto <NUMBER>—specify protocol number.

disable Disable packet processing.

trigger [ip <A.B.C.D> | srcip <A.B.C.D> | dstip <A.B.C.D> | proto <icmp | udp <port | srcport | dstport | <CR>> | tcp <port | srcport | dstport | <CR>> | <NUMBER>] | <CR>

Configure triggers:
• ip—source or destination IP address.
• srcip—source IP address.
• dstip—destination IP address.
• proto—protocol type field in IP packet.
• proto icmp—ICMP protocol.
• proto udp—UDP protocol.
• proto udp port—source or destination port.
• proto udp srcport—source port.
• proto udp dstport—destination port.
• proto tcp—TCP protocol.
• proto tcp port—source or destination port.
• proto tcp srcport—source port.
• proto tcp dstport—destination port.
• proto <NUMBER>—specify protocol number.
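The trigger semantics above (ip matches either address, srcip and dstip one side only, port qualifiers only under udp or tcp, no logging without a trigger, automatic disable after the configured time with 0 meaning never) can be modelled in a few dozen lines. The following Python is an added illustration, not the gateway's software or anything from the Nokia documentation; the Packet and Trigger classes, the PacketTrace state object and the sample packets are constructed for the example, and only the IANA protocol numbers for icmp, tcp and udp are assumed beyond what the page states.

```python
from dataclasses import dataclass
from typing import List, Optional, Union

# IP protocol numbers for the keyword forms of `trigger proto` (IANA values).
PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}


@dataclass(frozen=True)
class Packet:
    """Constructed packet summary holding only the fields a trigger tests."""
    src: str
    dst: str
    proto: int                      # IP header protocol number
    sport: Optional[int] = None     # None for protocols without ports
    dport: Optional[int] = None


@dataclass(frozen=True)
class Trigger:
    """One `pkttrace trigger ...` line; every field that is set must match."""
    ip: Optional[str] = None              # source OR destination address
    srcip: Optional[str] = None
    dstip: Optional[str] = None
    proto: Union[str, int, None] = None   # "icmp" | "udp" | "tcp" | <NUMBER>
    port: Optional[int] = None            # source OR destination port
    srcport: Optional[int] = None
    dstport: Optional[int] = None

    def proto_number(self) -> Optional[int]:
        if isinstance(self.proto, str):
            return PROTO_NUMBERS[self.proto]
        return self.proto

    def matches(self, pkt: Packet) -> bool:
        if self.ip is not None and self.ip not in (pkt.src, pkt.dst):
            return False
        if self.srcip is not None and pkt.src != self.srcip:
            return False
        if self.dstip is not None and pkt.dst != self.dstip:
            return False
        want = self.proto_number()
        if want is not None and pkt.proto != want:
            return False
        # Port qualifiers exist only for udp and tcp; an ICMP packet carries
        # sport/dport None and therefore never matches a port trigger.
        if self.port is not None and self.port not in (pkt.sport, pkt.dport):
            return False
        if self.srcport is not None and pkt.sport != self.srcport:
            return False
        if self.dstport is not None and pkt.dport != self.dstport:
            return False
        return True


class PacketTrace:
    """Trace state: trigger, enable time and the `time <seconds>` auto-disable.

    time_limit 0 means the trace never expires; the page's default is 120.
    """

    def __init__(self, time_limit: int = 120):
        self.time_limit = time_limit
        self.trigger: Optional[Trigger] = None
        self.enabled_at: Optional[float] = None
        self.log: List[Packet] = []

    def enable(self, trigger: Optional[Trigger], now: float) -> None:
        # The trigger is replaced wholesale: per the Note above it cannot be
        # modified incrementally, the complete command is re-entered.
        self.trigger = trigger
        self.enabled_at = now

    def disable(self) -> None:
        self.enabled_at = None

    def active(self, now: float) -> bool:
        if self.enabled_at is None:
            return False
        if self.time_limit and now - self.enabled_at >= self.time_limit:
            self.enabled_at = None      # duration elapsed: auto-disabled
            return False
        return True

    def observe(self, pkt: Packet, now: float) -> bool:
        """Log pkt if tracing is active and a configured trigger matches it.

        With no trigger configured nothing is logged, as the page notes.
        """
        if not self.active(now) or self.trigger is None:
            return False
        if not self.trigger.matches(pkt):
            return False
        self.log.append(pkt)
        return True
```

Time is passed in explicitly rather than read from the clock so that the auto-disable behaviour can be checked deterministically; on a real device the trace simply stops logging once the configured duration has elapsed.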


syslog

Use the syslog command to configure the syslog client. Syslog messages can be bound to the internal address to force them through a tunnel.

Syntax

Config# [no] syslog
add-server <ADDR> <all | audit | syslog> <default | internal>
delete-servers <ADDR | <CR>>
facilities <enable | disable>
level <none | emergency | alert | critical | error | warning | notice | info | debug>
timestamp <disable | enable>

Arguments

no Negate the command.

add-server <ADDR> <all | audit | syslog> <default | internal>

Add or modify a syslog server:
• ADDR—address of the syslog server to add or modify.
• all—send both types of logs.
• all default—originate audit and log messages from whichever interface is closest to the syslog server.
• all internal—originate audit and log messages from the internal interface only.
• audit—send audit log only.
• audit default—originate syslog messages from whichever interface is closest to the syslog server.
• audit internal—originate syslog messages from the internal interface only.
• syslog—send only syslog messages to this server.
• syslog default—originate syslog messages from whichever interface is closest to the syslog server.
• syslog internal—originate syslog messages from the internal interface only.

delete-servers <ADDR | <CR>>

Delete syslog servers:
• ADDR—address of the syslog server to delete.
• CR—delete all syslog servers.


facilities <enable | disable>

Enable or disable local facility text in syslog messages:
• enable—enable sending local facility names to syslog servers.
• disable—disable sending local facility names to syslog servers. Default: disable

level <none | emergency | alert | critical | error | warning | notice | info | debug>

Set the minimum log severity level for the syslog client:
• none—disable sending syslog messages.
• emergency—set the minimum log-severity level to emergency.
• alert—set the minimum log-severity level to alert.
• critical—set the minimum log-severity level to critical.
• error—set the minimum log-severity level to error.
• warning—set the minimum log-severity level to warning.
• notice—set the minimum log-severity level to notice.
• info—set the minimum log-severity level to info.
• debug—set the minimum log-severity level to debug.

timestamp <disable | enable>

Enable or disable the local time stamp in syslog messages:
• disable—disable sending the local time stamp to syslog servers.
• enable—enable sending the local time stamp to syslog servers. Default: disable

Examples

Config# syslog add-server 1.1.1.1 all internal

Sends both log and audit messages to the syslog server at 1.1.1.1 from the internal interface IP address.

Config# syslog timestamp enable

Attaches a local time stamp to the syslog message.

Config# syslog facilities enable

Attaches a local facility string to the syslog message.
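Two behaviours described in this chapter are worth seeing side by side: the log buffers ring (1 to 400 buffers, default 20, oldest message overwritten when full) from the log command, and the syslog client's minimum-severity filter together with the facilities and timestamp flags. The Python below is an added illustration and is not code from the Nokia documentation or the gateway; the severity ordering is the standard syslog one (emergency first, debug last), the "[timestamp] [facility:] severity: text" message layout is an assumption, and the sample events are constructed.

```python
from collections import deque
from datetime import datetime, timezone
from typing import List, Tuple

# Standard syslog severities, most to least severe; "none" disables forwarding.
SEVERITIES = ["emergency", "alert", "critical", "error",
              "warning", "notice", "info", "debug"]
SEVERITY_CODE = {name: code for code, name in enumerate(SEVERITIES)}


class LogBuffers:
    """`log buffers <number>`: a ring of 1..400 history buffers (default 20).

    When the ring is full the oldest entry is overwritten, which is why the
    page recommends forwarding to a syslog server so messages are not lost.
    """

    def __init__(self, number: int = 20):
        if not 1 <= number <= 400:
            raise ValueError("log buffers must be between 1 and 400")
        self.ring = deque(maxlen=number)

    def append(self, severity: str, text: str) -> None:
        if severity not in SEVERITY_CODE:
            raise ValueError(f"unknown severity {severity!r}")
        self.ring.append((severity, text))

    def messages(self) -> List[Tuple[str, str]]:
        return list(self.ring)          # oldest first, newest last


class SyslogClient:
    """Models `syslog level`, `syslog facilities` and `syslog timestamp`.

    `level` is the minimum severity forwarded: "none" forwards nothing,
    "error" forwards emergency..error, "debug" forwards everything.
    Both flags default to disable, as on the page.
    """

    def __init__(self, level: str = "none", facilities: bool = False,
                 timestamp: bool = False):
        if level != "none" and level not in SEVERITY_CODE:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
        self.facilities = facilities
        self.timestamp = timestamp
        self.sent: List[str] = []       # what would go on the wire

    def should_send(self, severity: str) -> bool:
        if self.level == "none":
            return False
        return SEVERITY_CODE[severity] <= SEVERITY_CODE[self.level]

    def format(self, severity: str, text: str, facility: str,
               when: datetime) -> str:
        # Assumed layout: "[timestamp] [facility:] severity: text".
        parts = []
        if self.timestamp:
            parts.append(when.strftime("%b %d %H:%M:%S"))
        if self.facilities:
            parts.append(f"{facility}:")
        parts.append(f"{severity}: {text}")
        return " ".join(parts)

    def forward(self, severity: str, text: str, facility: str,
                when: datetime) -> bool:
        if not self.should_send(severity):
            return False
        self.sent.append(self.format(severity, text, facility, when))
        return True


def run_demo():
    """Feed constructed events through a 3-slot ring and a warning-level client."""
    buffers = LogBuffers(number=3)
    client = SyslogClient(level="warning", facilities=True, timestamp=True)
    when = datetime(2005, 6, 1, 12, 0, 0, tzinfo=timezone.utc)
    events = [  # constructed sample events: (severity, facility, text)
        ("info", "ike", "phase 1 established with 192.0.2.10"),
        ("warning", "sshd", "authentication failed for user fred"),
        ("error", "radius", "server 192.0.2.20 timed out"),
        ("debug", "vrrp", "advertisement received"),
        ("critical", "cluster", "member node left the cluster"),
    ]
    for severity, facility, text in events:
        buffers.append(severity, text)      # ring keeps only the newest 3
        client.forward(severity, text, facility, when)
    return buffers.messages(), client.sent
```

Running run_demo shows the trade-off the page describes: the ring has already dropped the first two events, while the syslog client kept every message at warning or above, and the debug message was filtered by level rather than lost to the ring.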


Configuring User Accounts

User account configuration commands allow you to configure user accounts on a gateway so that users and clients (such as PPP, L2TP, and vpn-client) can log in to the gateway.

Configuration Mode Commands

Use the following configuration mode commands to configure user accounts on the gateway.

Command Function

login Configure user authentication entries.

sshd Configure SSH.

login

Use the login command to configure user authentication and to identify privileges for users who are allowed to obtain a shell on the cluster. The login command configures individual users, their authentication mechanism, and their privileges.

When you use RADIUS to authenticate PPP users, you need to identify the login source. One login option identifies how to authenticate the various types of users, and the other login option manages the local user database.

You can configure the parameters for login from the console, Telnet, TTY, SSH, and PPP. For each of these access types you can disallow access altogether or require no authentication at all. Alternatively, you can configure an authentication database location to check for a user's username and password. When you use a RADIUS authentication method, include a second authentication method in the local database in case the RADIUS server is unavailable or times out. This is particularly important for console access.

Syntax

Config# [no] login user <username> <<encode type> <encoded password> | <cleartext password>> [<nfs <NFS uid> | privileges <admin | challenge-response | none>]

Config# login source <challenge-response <disallowed | ldap | local | radius | none> | console | ppp | ssh | telnet | tty> <disallowed | local | radius | none>

Caution

The login source none command (in the following table) allows anyone to connect to Nokia IP VPN Gateway or the network without authentication.


Arguments

no Negate the command.

login Configure user authentication entries.

user <username> <<encode type> <encoded password> | <cleartext password>> [<nfs <NFS uid> | privileges <admin | challenge-response | none>]

Configure a user login record:
• username—username for this authentication record.
• encode type—password encoding version number.
• encoded password—encoded password.
• cleartext password—cleartext password.

Note

Passwords configured at the command line must be at least three characters long. If the password contains special characters such as a space, the password must be enclosed in quotation marks.

• nfs—enter the NFS UID and GID for this user.
• nfs NFS uid—NFS user ID of this user.
• privileges—enter the login privileges for this user.
• privileges admin—administrative privileges.
• privileges challenge-response—challenge-response privileges.
• privileges none—no privileges.

source <challenge-response <disallowed | ldap | local | radius | none> | console | ppp | ssh | telnet | tty> <disallowed | local | radius | none>

Configure a source login record:
• challenge-response—source for challenge-response authentication access.
• console—console source.
• ppp—PPTP or L2TP source.
• ssh—SSH source.
• telnet—Telnet source.
• tty—TTY source.
• disallowed—disallow all logins from this source.
• ldap—logins from this source are authenticated by the LDAP server.
• local—logins from this source are authenticated by the local database.
• radius—logins from this source are authenticated by the RADIUS server.
• none—no authentication is required from this source.


Examples

Config# login source ppp radius local

The cluster first tries to authenticate the user through a configured RADIUS server or servers. Should that fail, the cluster examines a local database to allow emergency access.

Config# login user fred secret privileges admin

This command configures a user named fred with a password of secret and allows administrative privileges on the cluster.
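The login source resolution described above (one access type, an ordered pair of methods, local database as the fallback when RADIUS is unreachable, plus the disallowed and none cases the Caution warns about) is modelled by the following Python. It is an added example, not the gateway's implementation and not from the Nokia documentation: the LoginConfig and LocalUser classes are constructed, RADIUS is replaced by a stub whose answers are fixed for the demo, and the page does not say how the gateway treats an explicit RADIUS reject, so this model treats a reject as final and falls through only on unavailability or timeout (an assumption, marked in the code).

```python
from dataclasses import dataclass, field
from typing import Dict, List, Optional, Tuple


class RadiusUnavailable(Exception):
    """Raised by the stub when the RADIUS server is unreachable or times out."""


@dataclass
class LocalUser:
    password: str
    privileges: str = "none"          # admin | challenge-response | none


@dataclass
class LoginConfig:
    # `login source <src> <method> [<method>]`: source -> ordered method list
    sources: Dict[str, List[str]] = field(default_factory=dict)
    # `login user <name> <cleartext password> [privileges <p>]`
    users: Dict[str, LocalUser] = field(default_factory=dict)

    def add_user(self, name: str, password: str, privileges: str = "none"):
        if len(password) < 3:            # rule from the Note above
            raise ValueError("passwords must be at least three characters")
        self.users[name] = LocalUser(password, privileges)


def radius_stub(username: str, password: str) -> bool:
    """Constructed RADIUS behaviour for the demo only.

    Users whose name starts with 'r' are accepted with password 'radius-ok';
    user 'down' simulates an unreachable server; everyone else is rejected.
    """
    if username == "down":
        raise RadiusUnavailable()
    return username.startswith("r") and password == "radius-ok"


def authenticate(cfg: LoginConfig, source: str, username: str,
                 password: str) -> Tuple[bool, str, Optional[str]]:
    """Return (accepted, reason, privileges) for one login attempt."""
    # A source with no `login source` line is treated as disallowed (assumption).
    methods = cfg.sources.get(source, ["disallowed"])
    for method in methods:
        if method == "disallowed":
            return False, "source disallowed", None
        if method == "none":
            # No authentication at all: this is what the Caution warns about.
            return True, "no authentication required", "none"
        if method == "radius":
            try:
                if radius_stub(username, password):
                    return True, "radius accepted", "none"
                return False, "radius rejected", None   # assumption: reject is final
            except RadiusUnavailable:
                continue                    # server down: try the next method
        if method == "local":
            user = cfg.users.get(username)
            if user is not None and user.password == password:
                return True, "local accepted", user.privileges
            return False, "local rejected", None
    return False, "no authentication method available", None


def demo_config() -> LoginConfig:
    """The page's example: PPP via RADIUS with local fallback, plus an admin."""
    cfg = LoginConfig(sources={
        "ppp": ["radius", "local"],
        "console": ["local"],
        "telnet": ["disallowed"],
    })
    cfg.add_user("fred", "secret", "admin")
    cfg.add_user("down", "emergency", "admin")
    return cfg
```

The point the page makes about console access follows directly from the model: with only radius configured for a source, an unreachable server leaves the loop with no method available, so the local entry is what keeps an administrator able to log in.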

sshd

Use the sshd command to configure SSH. First use the ssh host-key generate command to generate a host-key pair for Nokia IP VPN Gateway. You can use the sshd command only in a CLI environment. To start the SSH daemon, enter the enable sshd command.

Note

If you use VPN Manager to manage Nokia IP VPN Gateway, the SSH host key is generated at system installation time.

Syntax

Config# [no] sshd
ciphers <3des-cbc | aes128-cbc | aes192-cbc | aes256-cbc | blowfish-cbc>
[connectionsperperiod <num-connections> <seconds>]
[deny-password-auth <user | <CR>>]
[interface <eth-1 | eth-2 | eth-3 | eth-4 | all>]
[logingracetime <seconds>]
port <port-num>
public-key user <user_name> <tftp <tftp_path>> | <CR>>

Config# sshd [host-key <generate-SSL | show>]

Arguments

ciphers <3des-cbc | aes128-cbc | aes192-cbc | aes256-cbc |blowfish-cbc>

Set cipher names for the SSH server. You can enter more than one cipher at a time. By default, all ciphers are enabled:
• 3des-cbc—use the 3des cipher.
• aes128-cbc—use the aes128 cipher.
• aes192-cbc—use the aes192 cipher.
• aes256-cbc—use the aes256 cipher.
• blowfish-cbc—use the blowfish cipher.

Note

You must specify at least one cipher.


no sshd ciphers Removes the active cipher list and enables all of the default ciphers.

connectionsperperiod <num-connections> <seconds>

Sets the rate limit on SSH connections and configures the SSH server to allow a specified number of connections in the specified time. Default: the rate limit is not applied.
• num-connections—connections per interval.
• seconds—number of seconds.

Note

This command protects the SSH server from denial-of-service attacks.

no sshd connectionsperperiod

Sets the number of connections and seconds parameters to zero (0).

deny-password-auth <user | <CR>>

Disable password authentication:
• user—user name for which to disable password authentication.
• CR—disable password authentication for all SSH users.

no sshd deny-password-auth [<username>]

Enable password authentication for the given user. If no user name is given, this command enables password authentication in the SSH server.
• username—user name for which to enable password authentication.
Default: allow password authentication for all users.

host-key <generate-SSL |show>

Options for the SSHD host identification DSA key:
• generate-SSL—generate the SSL DSA key for use with SSH.
• show—show the public host DSA key.

Note

You cannot generate the host key by using this command if the host key was generated by using VPN Manager.


interface <eth-1 | eth-2 | eth-3 | eth-4 | all>

Enable SSH on the specified interface:
• eth-1—name of the interface.
• eth-2—name of the interface.
• eth-3—name of the interface.
• eth-4—name of the interface.
• all—enable all interfaces.
Default: SSH runs on all interfaces.

no sshd interface Disables SSHD on the specified interface and enables SSHD on all of the other interfaces.

logingracetime <seconds>

Sets the login grace time for the user authentication process. If the user is not authenticated within the specified number of seconds, the connection is terminated.
• seconds—timeout for authentication.
Default login grace time: 600 seconds

no sshd logingracetime Resets the login grace time to 600 seconds.

port <port-num>

Sets the port number for SSHD to listen on:
• port-num—port number. The port number must be between 1 and 65535.
Default port number: 22

public-key user <user_name> <tftp <tftp_path>> | <CR>

Takes the user name for public key authentication.

Note

Ensure that a valid user account exists before you use this command.

• user_name—name of the user.
• tftp_path—TFTP path for the public key of the user.
• CR—give the public key.

Note

To terminate public key configuration, give the newline .newline command at the end of the configuration. The public key supplied can be in the OpenSSH or SECSH format.

no sshd public-key user Removes the specified user from the public key authentication database.


Examples

Config# ssh ciphers blowfish-cbc

Sets SSH to use Blowfish-CBC.

Config# ssh connectionsperperiod 10 20

Allows 10 connections every 20 seconds.

Config# ssh host-key generate-SSL

Generates the DSA key used to secure connections. Normally a key generated for the VPN Manager connection is used, but if VPN Manager is not running, a key must be generated from the command line.

Config# ssh interface eth-1

Sets SSH to accept connections on eth-1 only.

Config# ssh logingrace 10

Sets 10 seconds before login timeout (must restart login).

Config# ssh port 500

Sets SSH to wait on port 500 rather than the standard port 22.

Related Commands

See the login user command in Config# “login” on page 184.
See the enable sshd command in Config# “enable” on page 129.
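The two sshd settings with a time dimension, connectionsperperiod (the page's example allows 10 connections every 20 seconds; zero for both disables the limit, as no sshd connectionsperperiod does) and logingracetime (600 seconds by default; an unauthenticated session is terminated when it expires), can be checked with the following Python model. This is an added example, not the gateway's code and not from the Nokia documentation; the sliding-window interpretation of "N connections in T seconds" and the explicit clock values are assumptions made so the behaviour is deterministic, and the connection attempts are constructed.

```python
from collections import deque
from typing import Deque, Dict, Iterable, List


class ConnectionRateLimit:
    """`sshd connectionsperperiod <num-connections> <seconds>` as a sliding window.

    (0, 0) means no limit is applied, which is also the default on the page.
    """

    def __init__(self, num_connections: int = 0, seconds: int = 0):
        self.num_connections = num_connections
        self.seconds = seconds
        self.window: Deque[float] = deque()   # times of accepted connections

    @property
    def enabled(self) -> bool:
        return self.num_connections > 0 and self.seconds > 0

    def admit(self, now: float) -> bool:
        """True if a new connection may be accepted at time `now` (seconds)."""
        if not self.enabled:
            return True
        # Forget accepts that have slid out of the last `seconds` seconds.
        while self.window and now - self.window[0] >= self.seconds:
            self.window.popleft()
        if len(self.window) >= self.num_connections:
            return False                      # over the limit: refuse
        self.window.append(now)
        return True


class LoginGrace:
    """`sshd logingracetime <seconds>`: drop sessions still unauthenticated."""

    def __init__(self, seconds: int = 600):
        self.seconds = seconds
        self.pending: Dict[int, float] = {}   # session id -> connect time

    def opened(self, session_id: int, now: float) -> None:
        self.pending[session_id] = now

    def authenticated(self, session_id: int) -> None:
        self.pending.pop(session_id, None)    # no longer subject to the timer

    def expire(self, now: float) -> List[int]:
        """Return, and forget, the sessions whose grace period has run out."""
        expired = [sid for sid, t0 in self.pending.items()
                   if now - t0 >= self.seconds]
        for sid in expired:
            del self.pending[sid]
        return expired


def simulate(num_connections: int, seconds: int,
             attempts: Iterable[float]) -> List[bool]:
    """Feed constructed connection times to one limiter; return accept/refuse."""
    limiter = ConnectionRateLimit(num_connections, seconds)
    return [limiter.admit(t) for t in attempts]
```

With the page's values, twelve attempts in the first few seconds produce ten accepts and two refusals, and the window reopens once the earliest accepted connection is 20 seconds old; a short logingracetime such as the 10 seconds in the example above bounds how long an unauthenticated connection can occupy the daemon.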


4 Configuring Public Key Infrastructure

This chapter describes how to use the Public Key Infrastructure (PKI) configuration mode, the PKI configuration mode commands, and the tasks that you can accomplish by using this mode. PKI configuration mode allows you to configure and view PKI, and public- and private-keys for Nokia IP VPN Gateway.

Entering and Exiting PKI Configuration Mode

Use the following commands to enter or exit PKI configuration mode.

To enter PKI configuration mode, enter one of the following commands from the command mode prompt:

> config pki
> configure pki

The prompt changes to config_pki#. To exit PKI configuration mode and return to command mode, enter the exit command at the PKI configuration mode prompt:

config_pki# exit

Committing PKI Configuration Commands to Memory

Changes made in PKI configuration mode take effect immediately and remain in memory until the system is rebooted. To commit PKI configuration commands to flash memory, enter the following command from the command mode:

> config save

Saving Changes to a Cluster

To save changes made to a cluster, switch to the command mode on the master node and enter the following command:

> config save cluster


Caution

All PKI configuration for a cluster must be performed only on the master node of the cluster.

PKI Configuration Tasks

Table 8 lists the tasks you can accomplish from the PKI configuration mode, and the relevant commands.

Table 8 PKI Configuration Mode Commands

Command Task

ca Generate a public- or private-key pair and a certificate signing request (CSR), or create an internal certificate authority. This command also manages services available to the CA, including CRL retrieval and management of device certificates.

certificate Install a device certificate, a trusted root certificate, a CryptoConsole management certificate, or an intermediary CA certificate.

public-key Install a raw public key.

Installing Certificates

To use public certificates to establish secure communications between Nokia IP VPN Gateway and other devices, you must:
1. Generate a Certificate Signing Request (CSR) for the gateway.
2. Obtain the certificate from an internal or public Certificate Authority (CA). You can establish an internal CA on the gateway and issue your own certificate, or send the CSR to an external CA.
3. Use the certificate command to install the certificate on the gateway. For more information about the certificate command, see certificate on page 208.

You must also install certificates on the gateway to identify CAs that you trust to sign certificates. To allow remote management of the gateway, you must install another certificate to establish a remote SSL session between the gateway and VPN Manager. You can install a raw public key to establish a secure session between the gateway and another device when you do not need a public certificate to identify the owner of the public key.

Viewing Your PKI Configuration

You can view the current PKI configuration by using the following command mode commands:

show configuration pki

show key info

show configuration pki

Use the show configuration pki command to display the current running configuration, or the configuration as stored in flash memory.

Syntax

show configuration pki
active
private
startup
<CR>

Arguments

active Shows the current running PKI configuration including certification authority enrollment commands, certificates for devices or trusted roots, and local public keys.

Note

The information displayed is identical to the data saved to the pki_version.dat file when you use the configuration save command.

This command does not:
• Display the private part of the public- or private-key pair.
• Parse certificates. To view PKI certificates parsed for readability, use the show key info commands.

private Shows the:
• Public- or private-key pairs known and used by this device.
• Management certificates that VPN Manager uses to secure communications with Nokia IP VPN Gateway.

startup Shows the:
• PKI configuration that is used at the next system startup.
• Contents of the pki_version.dat file, formatted for readability.

<CR> Show the active configuration.


show key info

The show key info command parses the information from the digital certificates and then displays it.

Syntax

show key info
all <brief | full>
blocked <brief | full>
certified <brief | full>
preshared <brief | full>
public <local | remote> <brief | full>
trusted-root <brief | full>

Arguments

all <brief | full> Show all keys:
• brief—show all keys.
• full—show all keys in full.

blocked <brief | full> Show certificates that have been moved to the blocked certificate list:
• brief—show blocked certified public keys.
• full—show blocked certified public keys in full.

certified <brief | full>

Show certificates for public keys that are certified:
• brief—show certified public keys.
• full—show certified public keys in full.

preshared <brief | full>

Show preshared secrets used for IKE authentication:
• brief—show preshared keys.
• full—show preshared keys in full.

public <local | remote> <brief | full>

Show public- or private-key pairs that are not certified:
• local—show local uncertified public keys.
• local brief—show local uncertified public keys.
• local full—show local uncertified public keys in full detail.
• remote—show remote uncertified public keys.
• remote brief—show remote uncertified public keys.
• remote full—show remote uncertified public keys in full detail.


trusted-root <brief | full>

Show certificates of certification authorities known as trusted roots:
• brief—show trusted certification authority root keys.
• full—show trusted certification authority root keys in full.

Differences Between show configuration pki and show key Commands

You can show a digital certificate suitable for cut-and-paste in PKCS #10 or #12 format by using the show configuration pki active command, and show the same certificate in human-readable form by using the show key info command. To view the difference between the show configuration pki and show key info commands, consider the following partial output on a gateway called Nokia_Gateway.

show configuration pki active

Certificate as displayed by using the show configuration pki active command:

Nokia_Gateway> show configuration pki active
#
# PKI configuration written at Mon Apr 22 20:36:48 2002 GMT by *Unknown*
#
version 1.1
certificate device 6febe0e0-80c8d562-ccb21bdc-80fd7959
-----BEGIN CERTIFICATE-----
1IOvYyTakmDJopsmLtMQkGfHLqj807i3t01RwRLs8a+u4AbBgFjJlhQJ4cIIvf7IPEiqFLZ jg==

-----END CERTIFICATE-----

show key info

The same certificate displayed by using the show key info command:

Nokia_Gateway> show key info certified full

Certified Public Keys:

certificate id: 6febe0e0-80c8d562-ccb21bdc-80fd7959

subject name: CN=Nokia_Gateway

C=AA

issuer name: CN=Psylla CA 000118

OU=Test Lab

O=NOKIA

L=Tucson

ST=AZ

C=US

[email protected]

serial number: 0303bcf1000100000053

alternative name: Nokia_Gateway.NOKIA.com

alternative name: 199.79.152.1

alternative name: 207.182.35.146

not valid before: Fri Mar 29 19:49:04 2002 GMT

not valid after: Sat Mar 29 19:59:04 2003 GMT
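The show key info listing above is what an operator would scrape when auditing which certificates a gateway holds and when they expire. The following Python parser is an added example, not code from the Nokia documentation or the gateway: it reads the page's own sample output (reproduced as a constructed string; the issuer's e-mail component is omitted because it is not legible on the page) into a structured record and checks the validity window. The layout rules it relies on, one "label: value" attribute per line with unlabelled DN continuation lines such as C=US belonging to the preceding subject or issuer name, are inferred from that sample and are an assumption.

```python
from datetime import datetime, timezone
from typing import Dict, List

# Constructed from the sample on this page (e-mail DN component left out).
SAMPLE = """Certified Public Keys:
certificate id: 6febe0e0-80c8d562-ccb21bdc-80fd7959
subject name: CN=Nokia_Gateway
C=AA
issuer name: CN=Psylla CA 000118
OU=Test Lab
O=NOKIA
L=Tucson
ST=AZ
C=US
serial number: 0303bcf1000100000053
alternative name: Nokia_Gateway.NOKIA.com
alternative name: 199.79.152.1
alternative name: 207.182.35.146
not valid before: Fri Mar 29 19:49:04 2002 GMT
not valid after: Sat Mar 29 19:59:04 2003 GMT
"""

DN_LABELS = ("subject name", "issuer name")
TIME_FORMAT = "%a %b %d %H:%M:%S %Y GMT"   # e.g. "Fri Mar 29 19:49:04 2002 GMT"


def parse_time(text: str) -> datetime:
    return datetime.strptime(text, TIME_FORMAT).replace(tzinfo=timezone.utc)


def parse_key_info(text: str) -> List[Dict]:
    """Return one dict per certificate in a `show key info ... full` listing."""
    certs: List[Dict] = []
    current = None
    dn_target = None        # DN list that unlabelled continuation lines extend
    for raw in text.splitlines():
        line = raw.strip()
        # Skip blanks and section headers such as "Certified Public Keys:".
        if not line or line.endswith(":") and ":" not in line[:-1]:
            continue
        if line.startswith("certificate id:"):
            current = {"id": line.split(":", 1)[1].strip(),
                       "subject": [], "issuer": [], "alt_names": []}
            certs.append(current)
            dn_target = None
            continue
        if current is None:
            raise ValueError("attribute before any certificate id")
        label, sep, value = line.partition(": ")
        if sep and label in DN_LABELS:
            dn_target = current["subject" if label == "subject name" else "issuer"]
            dn_target.append(value.strip())
        elif sep and label == "alternative name":
            current["alt_names"].append(value.strip())
            dn_target = None
        elif sep and label == "serial number":
            current["serial"] = value.strip()
            dn_target = None
        elif sep and label == "not valid before":
            current["not_before"] = parse_time(value.strip())
            dn_target = None
        elif sep and label == "not valid after":
            current["not_after"] = parse_time(value.strip())
            dn_target = None
        elif dn_target is not None and "=" in line:
            dn_target.append(line)      # DN continuation line, e.g. "C=US"
        else:
            raise ValueError(f"unrecognised line: {line!r}")
    return certs


def is_valid_at(cert: Dict, when: datetime) -> bool:
    return cert["not_before"] <= when <= cert["not_after"]


def sample_valid_on(iso_date: str) -> bool:
    """Is the page's sample certificate valid on the given YYYY-MM-DD (UTC)?"""
    when = datetime.fromisoformat(iso_date).replace(tzinfo=timezone.utc)
    return is_valid_at(parse_key_info(SAMPLE)[0], when)
```

Because the sample certificate expired on 29 March 2003, sample_valid_on returns True for a date in mid-2002 and False for one in mid-2003; the same check applied to a live listing is a straightforward expiry monitor for the device's certified keys.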

PKI Configuration Mode Commands

Table 9 lists PKI configuration commands.

Table 9 PKI Configuration Commands

Command Description

block Add or remove a certificate from the block list.

ca Certification authority commands.

certificate Add or remove a certificate.

crl Add or remove a CRL.

exit Exit configuration mode.

keypair Add, remove, or generate a public- or private-key pair.

no Negate a command.

pkcs12 Add a certificate key pair from pkcs12.

public-key Add or remove a public key.

uuid Specify the configuration version UUID.

block

Use the block command to block a certificate. The certificate is not accepted by the gateway or the cluster to which the gateway belongs. This command prevents the use of a certificate to establish a session with a specific gateway or cluster without relying on a Certificate Revocation List (CRL). If the certificate is already known to the gateway, it can be blocked by using the block <string> or block <UUID> commands. If the certificate is not installed on the gateway, then in order to block it, you must paste in the PEM encoded blob of that certificate.

Syntax

config_pki# block
<string>
<UUID>
<CR>

Arguments

<string> A description of the certificate.

<UUID> The UUID of the certificate.

<CR> Paste in the certificate.

Examples

config_pki# block 876b19b8-34e9a216-351d7778-5eaf329b

Blocks the certificate known by this UUID.

config_pki# block

? -----BEGIN CERTIFICATE-----

? IIDxzCCAq+gAwIBAgIqMjAwMTAzMTUyMjMwNDFaLWdhdGUtMS5uZXR

? 2hlbXkuY29tMA0GCSqGSIb3DQEBBAUAMIGJMQswCQYDVQQGEwJV

? ARBgNVBAcTClNhbnRhIENydXoxFDASBgNVBAoTC05va2lhLCBJbmMu

? MRQwEgYDVQQLEwtFbmdpbmVlcmluZzEsMCoGA1UEAxMjQWxjaGVteSB


? Y2F0aW9uIEF1dGhvcml0eSAtIDIwHhcNMDEwMzE0MDAwMDAwWhcNMj

? OTU5WjCBiTELMAkGA1UEBhMCVVMxCzAJBgNVBAgTAkNBMRMwEQYDVQ

? YSBDcnV6MRQwEgYDVQQKEwtOb2tpYSwgSW5jLjEUMBIGA1UECxMLRW

? bmcxLDAqBgNVBAMTI0FsY2hlbXkgQ2VydGlmaWNhdGlvbiBBdXRob

? MIIBIjANBgkqhkiG9w0BAQEFAAOCAQ8AMIIBCgKCAQEAyWjXO0fqFs

? gC68wmLYMT5NxgLedFFo3PrlRd1zUzgS7MtNCgBU0tuBawrzrpSmV

? Is37flJX2IAfy4tBrdG7Z2aaOJst7D4817D0lHBDVYxUP6aGwMgI

? o3j5UgvXT3qBYLzBdw7Nq5EkomoOepStbOb+dCRGokjMc/rVFtj

? 0disiAGeNiBqzquvUGkWoHL/gTMIqdTNuKl6JPbwVpiwGCKr122icdw

? JkyGeKXVYNQS2OXSxeRZoWmJPoytGVso7rxSkmnagnfwLhdQnquj

? iQIDAQABow8wDTALBgNVHQ8EBAMCAoQwDQYJKoZIhvcNAQEEBQAD

? /TvVLjl1ROJ0a8ON8PenKVbh9h7IdULWq0dsd9q+c+ZvT2UMMsIxI

? Zk9W2caD+IugPsoDfW2yo4sTT15PDJBfSE1hhE4hl44CZWvxUkQH

? Ykn+jrPaqPTxw76xcJtud838vwaxy4Z1wK8sZpNMFqRYF5J/JS27B

? Noij1k6ROvqLadUDk0KX77MNltwigd30Q0xIUdBa2GTbvQUV3t1

? 5TG+tpnp5ywlbJLw7J/kAlDNeLnAb+yzWlCvYvGVbPDYLde9X78AQjI

? 09uUOPifhZUo2sIAAAAAAAAAAAAAAAAAAAAAAAA=

? -----END CERTIFICATE-----

? config_pki#

Blocks the certificate that is not otherwise stored in the configuration.

ca

The ca command allows you to:
• Generate a public- or private-key pair and a Certificate Signing Request (CSR).
• Establish an internal certificate authority (CA).

Syntax

config_pki# [no] ca <string>
[crl-query <crl_dp_in_child | force | password <password> | period <minutes> | protocol <http | ldap> | url <URL> | username <username>>]
[enroll <string>]
[enrollment certificate]
[rsa-with-sha1 <512 | 768 | 1024 | 1536 | 2048>]
[subject-alt-name <cluster-interface <eth-1 | eth-2 | eth-3 | eth-4 | loop-0> | email | fqdn <string | <CR>> | eth-1 | eth-2 | eth-3 | eth-4 | loop-0>]
[subject-name <common-name <string> | organizational-unit-name <string> | organization-name <string> | city-or-locality <string> | state-or-province <string> | country <string>>]
[enrollment challenge <string>]
[enrollment entity <string>]
[enrollment protocol <pkcs10 | scep>]
[enrollment retry-count <count>]
[enrollment retry-period <minutes>]
[enrollment url <URL>]
[internal certificate]
[lifetime <decimal>]
[rsa-with-sha1 <512 | 768 | 1024 | 1536 | 2048>]
[subject-alt-name <email <string> | fqdn>]
[subject-name <common-name <string> | organizational-unit-name <string> | organization-name <string> | city-or-locality <string> | state-or-province <string> | country <string>>]
[internal crl <enable | http_url <url> | ldap_url <url> | update_interval <decimal>>]
[internal csr <issue | lifetime <decimal>>]
[internal generate]
[internal ldap <enable | server <name>>]
[internal list_certs]
[internal set_cert_status <uuid> <active | deleted | granted | pending | revoked_aa_compromise | revoked_affiliation_changed | revoked_ca_compromise | revoked_certificate_hold | revoked_cesation_of_operation | revoked_key_compromise | revoked_priviledge_withdrawn | revoked_remove_from_crl | revoked_superseded | revoked_unspecified>]
[option <crl-optional>]
[uuid <uuid>]

Arguments

no Negates the command.

<string> Text description of the Certificate Signing Request (CSR) or Certificate Authority (CA).


4 Configuring Public Key Infrastructure

crl-query <crl_dp_in_child | force | password <password> | period <minutes> | protocol <http | ldap> | url <URL> | username <username>>

Enable retrieval of the Certificate Revocation List (CRL) for an external CA:

• crl_dp_in_child—the CRL Distribution Point (CRLDP) can be located either in the CA certificate or in one of the subordinate certificates that the CA issues. If the CRLDP is carried in the subordinate certificates, set this option before you issue the force command. If certificate chains are used, set this option on the root CA. In addition, either every CA certificate (including intermediary CAs) carries its own CRLDP, or every CA places its CRLDP in the certificates it issues; a mixed scenario is not supported.

• force—retrieve the CRL for the CA. This option collects the data from the other options in this command (if any are set) and instructs the gateway to retrieve the CRL for the specified CA. If the URL of the CRL is in the certificate, no overrides are necessary. By default, the CRLDP (the URL where the CRL can be found) is assumed to be in the CA certificate; if it is placed in the subordinate certificate, see the crl_dp_in_child option. If the PKI uses certificate chains and CRL checking is desired, issue the force command for the trusted root certificate as well as for each subordinate CA certificate. Otherwise, either CRL checking is not enabled (if force was not issued for the top-level CA) or certificates fail validation during IKE with an error message (if the CRL has not been retrieved or specified for a subordinate CA).

• password <password>—set the password for LDAP login.

• period <minutes>—override the retry period, in minutes.

• protocol <http | ldap>—indicate the protocol used to retrieve the CRL. Use this option when the url option is set; the URL must match the protocol type.

• url <URL>—URL where the CRL can be found. Can be an LDAP or HTTP URL.

• username <username>—set the username for LDAP login.


enroll <string> Generate a CSR according to the options set by using the enrollment subcommand.

enrollment certificate <rsa-with-sha1 <512 | 768 | 1024 | 1536 | 2048>>

Use this subcommand to specify the options to use for generating the CSR:

• rsa-with-sha1—RSA key with SHA-1 hash.
• rsa-with-sha1 512—use a 512-bit RSA modulus.
• rsa-with-sha1 768—use a 768-bit RSA modulus.
• rsa-with-sha1 1024—use a 1024-bit RSA modulus.
• rsa-with-sha1 1536—use a 1536-bit RSA modulus.
• rsa-with-sha1 2048—use a 2048-bit RSA modulus.

Note
512-bit and 768-bit RSA moduli have been publicly factored and give no meaningful protection for a key that authenticates IKE peers. Choose 2048 wherever the signing CA accepts it.

enrollment certificate <subject-alt-name <cluster-interface <eth-1 | eth-2 | eth-3 | eth-4 | loop-0> | email <string> | fqdn [<string>] | eth-1 | eth-2 | eth-3 | eth-4 | loop-0>>

Note
Use the following keywords with the enrollment certificate or internal certificate subcommands to identify information for a CSR or CA certificate.

Identifies optional information for a CSR or CA certificate:

• cluster-interface <eth-1 | eth-2 | eth-3 | eth-4 | loop-0>—include a cluster interface address in the subject-alt-name.
• email <string>—email address to include in the certificate.

Note
This keyword is only used with device certificates.

• fqdn—FQDN currently assigned to the gateway.
• fqdn <string>—string to use as the FQDN.
• fqdn <CR>—use the default string.

Note
The FQDN is the FQDN of the node, not of the cluster.

• eth-1—IP address currently assigned to this interface.
• eth-2—IP address currently assigned to this interface.
• eth-3—IP address currently assigned to this interface.
• eth-4—IP address currently assigned to this interface.
• loop-0—IP address currently assigned to the loopback interface.


enrollment certificate <subject-name <common-name <string> | organizational-unit-name <string> | organization-name <string> | city-or-locality <string> | state-or-province <string> | country <string>>>

Identifies the subject name (DN) information for a CSR or CA certificate; the common name is required:

• common-name <string>—common name to include in the DN for the certificate.

Note
You must enter the common name.

• organizational-unit-name <string>—organization unit name (department) to include in the DN for the certificate.

• organization-name <string>—organization name to include in the DN for the certificate.

• city-or-locality <string>—city or locality to include in the DN for the certificate.

• state-or-province <string>—state or province to include in the DN for the certificate.

• country <string>—country to include in the DN for the certificate.

enrollment challenge <string>

Configure the behavior of the enroll command:

• challenge <string>—enrollment challenge phrase for SCEP.

enrollment entity <string>

SCEP entity name.

enrollment protocol <pkcs10 | scep>

Configure the enrollment protocol:

• protocol pkcs10—generate the CSR as a PKCS #10 certificate signing request for offline (cut-and-paste) submission.
• protocol scep—enroll by using online SCEP enrollment.

enrollment retry-count <count>

Maximum number of times to poll for SCEP certificate enrollment.

enrollment retry-period <minutes>

SCEP enrollment retry frequency in minutes.

enrollment url <URL> SCEP enrollment URL.

internal certificate lifetime <decimal>

Configure the certificate validity period (in months).


internal certificate <rsa-with-sha1 <512 | 768 | 1024 | 1536 | 2048>>

Use this command to identify the options to use when generating an internal CA with the internal generate subcommand:

• rsa-with-sha1—RSA key with SHA-1 hash.
• rsa-with-sha1 512—use a 512-bit RSA modulus.
• rsa-with-sha1 768—use a 768-bit RSA modulus.
• rsa-with-sha1 1024—use a 1024-bit RSA modulus.
• rsa-with-sha1 1536—use a 1536-bit RSA modulus.
• rsa-with-sha1 2048—use a 2048-bit RSA modulus.

internal certificate <subject-alt-name <email <string> | fqdn>>

Configure the certificate subject alternative name:

• email <string>—email address to include in the certificate.

Note
This keyword is only used with device certificates.

• fqdn—FQDN currently assigned to the gateway.

internal certificate <subject-name <common-name <string> | organizational-unit-name <string> | organization-name <string> | city-or-locality <string> | state-or-province <string> | country <string>>>

Configure the certificate subject name:

• common-name <string>—common name to include in the DN for the certificate.

Note
You must enter the common name.

• organization-name <string>—organization name to include in the DN for the certificate.

• organizational-unit-name <string>—organization unit name (department) to include in the DN for the certificate.

• city-or-locality <string>—city or locality to include in the DN for the certificate.

• state-or-province <string>—state or province to include in the DN for the certificate.

• country <string>—country to include in the DN for the certificate.


internal crl <enable | http_url <url> | ldap_url <url> | update_interval <decimal>>

Modify CRL publishing options:

• enable—enable generation of the CRL.
• http_url <url>—set the HTTP URL for retrieving the CRL.
• ldap_url <url>—set the LDAP URL for retrieving the CRL.
• update_interval <decimal>—set the CRL update interval.

internal csr <issue | lifetime <decimal>>

Options and commands for generating device certificates issued by the internal CA:

• issue—issue a certificate. Paste in the CSR generated on the destination gateway and a certificate is issued.
• lifetime <decimal>—number of months before a certificate issued with internal csr issue expires.

internal generate

Generate an internal CA according to the options set by using the internal certificate subcommand.

internal ldap <enable | server <name>>

Modify LDAP options:

• enable—enable publishing of issued certificates to the LDAP server.
• server <name>—name of the LDAP server set up to store published certificates.

internal list_certs

List the certificates that this CA has issued and their status.

internal set_cert_status <uuid> <active | deleted | granted | pending | revoked_aa_compromise | revoked_affiliation_changed | revoked_ca_compromise | revoked_certificate_hold | revoked_cesation_of_operation | revoked_key_compromise | revoked_priviledge_withdrawn | revoked_remove_from_crl | revoked_superseded | revoked_unspecified>

Set the status of a device certificate that this CA issued:

• <uuid>—UUID of the device certificate.
• active—certificate is active.
• deleted—certificate is deleted.
• granted—certificate is granted but not yet retrieved.
• pending—certificate is pending.
• revoked_aa_compromise—certificate is revoked because of an attribute authority (AA) compromise.
• revoked_affiliation_changed—certificate is revoked because of an affiliation change.
• revoked_ca_compromise—certificate is revoked because the CA was compromised.
• revoked_certificate_hold—certificate is on hold.
• revoked_cesation_of_operation—certificate is revoked because of a cessation of operation.
• revoked_key_compromise—certificate is revoked because of a key compromise.
• revoked_priviledge_withdrawn—certificate is revoked because a privilege was withdrawn.
• revoked_remove_from_crl—certificate is revoked and removed from the CRL.
• revoked_superseded—certificate is revoked because it is superseded.
• revoked_unspecified—certificate is revoked for unspecified reasons.

Note
The keywords revoked_cesation_of_operation and revoked_priviledge_withdrawn are spelled as shown; they correspond to the X.509 CRL reason codes cessationOfOperation and privilegeWithdrawn.

option crl-optional

CRL processing is not absolutely required for this CA. If the CRL was requested but is not available for some reason, certificate processing can continue when this option is enabled; otherwise an error occurs. With the option enabled a peer certificate can be accepted while its revocation status is unknown, so enable it only where tunnel availability matters more than revocation checking.

uuid <uuid>

The unique identifier of the certificate to associate with an internal CA.

Command Usage Scenarios

To generate a CSR, use the following command:

config_pki# ca <string> enroll <string>

To set the options used when generating the CSR, use the following command:

config_pki# ca <string> enrollment certificate [rsa-with-sha1 <number of bits>] subject-name <entry> [subject-alt-name <entry>]


To set the options for CA enrollment, including SCEP parameters, use the following command:

config_pki# ca <string> enrollment <challenge <phrase> | entity <scep-entity> | protocol <scep | pkcs10> | retry-count <number> | retry-period <minutes> | url <url>>

To generate an internal CA, use the following command:

config_pki# ca <string> internal generate

To set the options used when generating an internal CA, use the following command:

config_pki# ca <string> internal certificate <subject-name <entry> | subject-alt-name <entry> | lifetime <number of months> | rsa-with-sha1 <number of bits>>

To associate the UUID of a certificate with an internal CA, use the following command:

config_pki# ca <string> uuid <UUID>

To set options for CRL usage with a CA, use the following commands:

config_pki# ca <string> option crl-optional
config_pki# ca <string> crl-query <crl_dp_in_child | force | password <pw> | period <minutes> | protocol <http | ldap> | url <url> | username <username>>

To sign a certificate with the internal CA, use the following command:

config_pki# ca <string> internal csr issue

Examples

The following commands generate a CSR, identified as baltimore, for the device Baltimore EE with a 1024-bit key. The IP addresses of both gateway interfaces are included in the subject-alt-name attribute. You can deliver the CSR generated with these commands to a public CA, or use it to issue your own certificate if you are using an internal CA.

config_pki# ca baltimore enrollment certificate rsa-with-sha1 1024
config_pki# ca baltimore enrollment certificate subject-name common-name "Baltimore EE"
config_pki# ca baltimore enrollment certificate subject-alt-name eth-1
config_pki# ca baltimore enrollment certificate subject-alt-name eth-2
config_pki# ca baltimore enrollment protocol pkcs10
config_pki# ca baltimore enroll <string>

The following commands set the options for the internal CA, Baltimore CA (the CA itself is then created with ca "Baltimore CA" internal generate):

config_pki# ca "Baltimore CA" internal certificate rsa-with-sha1 1024
config_pki# ca "Baltimore CA" internal certificate lifetime 12
config_pki# ca "Baltimore CA" internal certificate subject-name common-name Baltimore
config_pki# ca "Baltimore CA" internal certificate subject-name organization-name mycompany
config_pki# ca "Baltimore CA" internal certificate subject-name organizational-unit-name engineering
config_pki# ca "Baltimore CA" internal certificate subject-name city-or-locality Baltimore
config_pki# ca "Baltimore CA" internal certificate subject-name state-or-province MD
config_pki# ca "Baltimore CA" internal certificate subject-name country US
config_pki# ca "Baltimore CA" internal certificate subject-alt-name fqdn

certificate

Use the certificate command to add or remove a certificate used to establish secure communications between the gateway and other devices.

Syntax

config_pki# certificate
  [device <<string> | <UUID>>]
  [intermediary-ca <<string> | <UUID>>]
  [management <device <string> | trusted-root <string>>]
  [other <<string> | <UUID>>]
  [trusted-root <<string> | <UUID>>]

Arguments

device <<string> | <UUID>>

Install a device certificate to enable secure communications between the gateway and other devices:

• string—description of the certificate.
• UUID—UUID of the certificate.

intermediary-ca <<string> | <UUID>>

Install an intermediary CA certificate. This is a certificate that can be part of a certificate chain and can issue other CA certificates as well as device certificates, but it is not a trusted root. Intermediary CAs are used when a chain is needed from the device certificate to a trusted root:

• string—description of the certificate.
• UUID—UUID of the certificate.

management <device <string> | trusted-root <string>>

Install a certificate to enable an SSL session between the gateway and the management console:

• device—install the certificate the gateway presents when a remote management connection is established.
• device <string>—description of the certificate.
• trusted-root—install a certificate that allows the gateway to accept certificates signed by a specific CA when establishing a remote management connection.
• trusted-root <string>—description of the certificate.

other <<string> | <UUID>>

Install a certificate that is not of type device, intermediary-ca, management, or trusted-root:

• string—description of the certificate.
• UUID—UUID of the certificate.

trusted-root <<string> | <UUID>>

Install a trusted root certificate:

• string—description of the certificate.
• UUID—UUID of the certificate.

Examples

The following command installs a device certificate to allow the gateway to establish secure communications with other devices. The Base64-encoded certificate is pasted in after the command, between its BEGIN CERTIFICATE and END CERTIFICATE lines:

config_pki# certificate device "Baltimore"
-----BEGIN CERTIFICATE-----
MIICvjCCAaagAwIBAgIEOH6J+jANBgkqhkiG9w0BAQUFADBiMQswCQYDVQQGEwJVUzEfMB0GA1UEChMWQmFsdGltb3JlIFRlY2hub2xvZ2llczEUMBIGA1UECxMLRGV2ZWxvcG1lbnQxHDAaBgNVBAMTE1ZQTiBJbnRlcm9wIFJvb3QgQ0EwHhcNMDAwMTE0MDIyOTE0WhcNMDEwMTEzMDIyOTE0WjAXMRUwEwYDVQQDEwxCYWx0aW1vcmUgRUUwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMOxtkLT2yoRhe8DbCXQxMdVEkJfCmIIymgo6EpD6ufTrKJ3k3mAjHiMd7
k45Jfwb1MRhhELvT6aAJh6IZlOiKoP8TuFzaPSAgP+qC7NimWKMKKydWw2ATDKNIzoXILHpuD44oUVflrBEUIZXU1+8Gug3gh50NpX5IcQwbo8uJpzAgMBAAGjSzBJMA4GA1UdDwEBIEkDAPBgNVHREECDAGhwTOr6B6MBMGA1UdIwQMMAqACEHh1ErR7lJaMBEGA1UdDgQKBAhCaK10/xIp4zANBgkqhkiG9w0BAQUFAAOCAQEAQEsGBJVIQw9BLNHXZuoVCwzsaFzJY6secmqPXS4xT41udZXhOAV9e9YkuAon3JTFeUhBKeANemy8a2wRotJrYxt6IZX6BtlbsjKcOljKZwrN1zgvieC9EkUs3f2yiNMdbooHI8JnI4D715dovIWnGx1SeyXQPdm5qV+owbDZOZn1hzc4A3PAjzaa6RwmgYzbmo+w5xwtGnyxEMosqKZG3b7THNJWO51+bszJAz5GRxHPPjqsBUinLDLgMyrXZYbdCyHx4UBtLVI0Y+vlsQI7YVEkEgUuFVGp2CLRtmi8buFewossGxA3TJ4mVTjzKaG7Gyd58ZINiFgZA==
-----END CERTIFICATE-----

crl

Use the crl command to add or remove a Certificate Revocation List (CRL) to or from the gateway. CRLs, which are issued and maintained by a Certificate Authority (CA), identify certificates that are no longer valid and cannot be accepted for establishing secure communications. For information about dynamic CRL retrieval, see ca on page 198.

Syntax

config_pki# crl <string> <UUID>

Arguments

<string> Description of the CRL.

<UUID> UUID of the CRL.

exit

Use the exit command to exit PKI configuration mode.

keypair

Use the keypair command to add, remove, or generate a public/private key pair.

Syntax

config_pki# keypair generate rsa <512 <string> | 768 <string> | 1024 <string> | 1536 <string> | 2048 <string>>
config_pki# keypair pin <<string> | <UUID>>


Arguments

generate rsa <512 <string> | 768 <string> | 1024 <string> | 1536 <string> | 2048 <string>>

Generate or replace a key pair:

• 512—generate an RSA key with a length of 512 bits.
• 768—generate an RSA key with a length of 768 bits.
• 1024—generate an RSA key with a length of 1024 bits.
• 1536—generate an RSA key with a length of 1536 bits.
• 2048—generate an RSA key with a length of 2048 bits.
• string—description of the key pair.

pin <<string> | <UUID>>

Set the PIN used to encrypt the key pair:

• string—description of the key pair.
• UUID—UUID of the key pair.

Examples

The following command generates a key pair with a length of 1024 bits and the name secret:

config_pki# keypair generate rsa 1024 secret

no

Use the no command to negate a command.

pkcs12 device

Use the pkcs12 device command to import a certificate and its key pair from a PKCS #12 file.

Syntax

config_pki# pkcs12 device <<string> | <UUID>>

Arguments

device <<string> | <UUID>>

• string—description of the PKCS #12 certificate.
• UUID—UUID of the certificate.

public-key

Use the public-key command to install or remove a public key where a raw public key is needed to establish secure communications between devices.


Syntax

config_pki# public-key <default <UUID> | local <<string> | <UUID>> | remote <<string> | <UUID>>>

Arguments

default <UUID>

Set the default public key:

• UUID—UUID of the public key to use as the default.

local <<string> | <UUID>>

The public key is a local device key:

• string—description of the public key.
• UUID—UUID of the public key.

remote <<string> | <UUID>>

The public key is a remote device key:

• string—description of the public key.
• UUID—UUID of the public key.

uuid

Use the uuid command to assign a unique identifier to any certificate.

Syntax

config_pki# uuid <uuid>

Arguments

uuid <uuid> Configure the configuration version UUID:

• UUID—UUID of the configuration version.

Examples

config_pki# uuid 000000de-9bf140c5-c690c9c4-00000ede
config_pki# uuid d4fc7441-8211d411-af720050-5a01100e

Integrating with Third-Party CAs

To request a certificate from a third-party CA

1. Make the trusted CA known to Nokia IP VPN Gateway.
2. Match the trusted CA certificate with a UUID.
3. Define parameters for the local gateway enrollment.


4. Generate the public/private key pair and the Certificate Signing Request (CSR).
5. Have your CA sign the CSR.
6. Store the signed certificate in Nokia IP VPN Gateway.

To issue a third-party CA certificate with cut-and-paste

1. Make the trusted CA known to Nokia IP VPN Gateway.

Retrieve the certificate for the CA. The format supported by Nokia IP VPN Gateway is a Base64-encoded PKCS binary large object, that is, the BEGIN CERTIFICATE / END CERTIFICATE form shown below.

2. Using cut-and-paste and the certificate trusted-root command, name the CA and enter the certificate into Nokia IP VPN Gateway. In the following example, the CA is named Nokia_CA:

Nokia_Gateway> config pki

config_pki# certificate trusted-root Nokia_CA

? -----BEGIN CERTIFICATE-----

? MIIDizCCAzWgAwIBAgIQB1txh8uBMbhEx/GUq5qLjANBgkqhkiG9w0BAQUFADCBlzEpMCcGCSqGSIb3DQEJARYacHN5bGxhLWNhQHBzeWxsYS5vcHVzMS5jb20xCzAJ
? BgNVBAYTAlVTMQswCQYDVQQIEwJBWjEPMA0GA1UEBxMGVHVjc29uMREwDwYDVQQK
? EwhPcHVzIE9uZTERMA8GA1UECxMIVGVzdCBMYWIxGTAXBgNVBAMTEFBzeWxsYSBD
? QSAwMDAxMTgwHhcNMDEwMTE4MjIwOTA2WhcNMDQwMzE5MjI0MDU4WjCBlzEpCcG
? CSqGSIb3DQEJARYacHN5bGxhLWNhQHBzeWxsYS5vcHVzMS5jb20xCzAJBgVBAYT
? JTIwQ0ElMjAwMDAxMTguQ1JMMD6gPKA6hjhodHRwOi8vY2EudnBuZGF5LmNvbS9D
? ZXJ0RW5yb2xsL1BzeWxsYSUyMENBJTIwMDAwMTE4LmNybDA3oDWgM4YxLWZpbGU6Ly9cXHBzeWxsYVxDZXJ0RW5yb2xsXFBzeWxsYSBDQSAwMDAxMTguY3JsLzAQBgkr
? BgEEAYI3FQEEAwIBATANBgkqhkiG9w0BAQUFAANBAHfDL1GlvKfy52Dh3aasWnbG
? UYaMHviehTiFyKjXZTOFhPOnUa2rYPcRv/xh5XdDPnvnyCxzTPPlgmsDgYxtzo=

? -----END CERTIFICATE-----

config_pki# exit

Nokia_Gateway>

3. Match the trusted CA certificate with a UUID.

The trusted certificate is now in the certificate store but must be mapped to a UUID. Internally, PKI configuration mode uses UUIDs rather than text labels.


Use the show key info trusted-root brief command to view the CA certificate and capture its UUID. Then re-enter PKI configuration mode to match that UUID to the Nokia_CA certification authority:

Nokia_Gateway> show key info trusted-root brief

Trusted Certification Authority Root Keys:

trusted root id: f0b36979-b0f8d02a-37245ffa-f677e634

subject name: Psylla CA 000118
NOKIA
Tucson
AZ
US
<e-mail address>

Nokia_Gateway> config pki

config_pki# ca NOKIA uuid f0b36979-b0f8d02a-37245ffa-f677e634

config_pki#

4. Define parameters for the local gateway enrollment.

The certification authority is now matched to its certificate and can be used in ca commands to define enrollment parameters. Define all the parameters you require in the CSR for this local gateway: at a minimum, a common name in the subject (the gateway requires it) and one or more subject-alternative-name fields, which Nokia IP VPN Gateway uses as part of the IKE authentication process. The CLI accepts unambiguous keyword abbreviations, so enrollm ce subject-n city in the following commands stands for enrollment certificate subject-name city-or-locality.

Nokia_Gateway> config pki

config_pki# ca Nokia enrollment certificate rsa-with-sha1 1024

config_pki#

config_pki# ca Nokia enrollment certificate subject-name country AA

config_pki# ca Nokia enrollm ce subject-n organization-name “Nokia”

config_pki# ca Nokia enrollm ce subject-n city McMurdo

config_pki# ca Nokia enrollm ce subject-n common-name Nokia_Gateway.Nokia.com

config_pki#

config_pki# ca Nokia enrollm ce subject-alt-name eth-1

config_pki# ca Nokia enrollm ce subject-alt-name eth-2

config_pki#

Note
The ca enrollment certificate subject-alt-name command does not record the gateway's real IP address in the PKI configuration; it refers to the address symbolically, and the PKI configuration extracts the appropriate IP addresses from the system configuration. For a clustered gateway, you must use the cluster-interface <interface name> keyword. If you change the cluster or node address, the certificate must be re-enrolled and re-signed by the CA, because IKE peers authenticate the gateway against the addresses in the certificate.


5. Generate the public/private key pair and the CSR.

Use the ca command to generate the key pair and the CSR. The CSR is then sent to the CA for signing by cut-and-paste (PKCS #10 format, Base64 encoded):

config_pki# ca Nokia enrollment protocol pkcs10
config_pki# ca Nokia enroll Nokia_Gateway-Nokia
-----BEGIN CERTIFICATE REQUEST-----
<Base64-encoded PKCS #10 request>
-----END CERTIFICATE REQUEST-----
config_pki#

6. Have your CA sign the CSR.

Consult the manager of your certification authority for the correct procedure.

7. Store the signed certificate in Nokia IP VPN Gateway.

When the CA has signed the CSR, return the certificate to Nokia IP VPN Gateway by cut-and-paste and store it in the local certificate store. The format is PKCS, Base64 encoded. Save the local certificate with the certificate device command, which stores certificates for the local gateway. When the certificate is stored, save the PKI configuration to flash memory so that the key pair is not lost. If a significant delay occurs between generating the enrollment and the actual signing, perform an intermediate config save (or config save cluster on a clustered gateway) in case the system is rebooted for any reason before the certificate can be signed; until then the private key generated by enroll exists only in running memory.

config_pki# certificate device Nokia_Gateway-Nokia

? -----BEGIN CERTIFICATE-----

? MIIETDCCAagAwIBAgIKESmy7gABAAAATjANBgkqhkiG9w0BAQUF

? CSqGSIb3DQEJARYacHN5bGxhLWNhQHBzeWxsYS5vcHVzMS5jb

? AlVTMQswCQYDVQQIEwJBWjEPMA0GA1UEBxMGVHVjc29uMREw

? IE9uZTERMA8GA1UECxMIVGVzdCBMYWIxGTAXBgNVBAMTEFBz

? MTgwHhcNMDIwMzI5MDMyODA1WhcNMDMwMzI5MDMzCQYDVQQGEwJh

? YTEQMANNdXJkbzERMA8GA1UEChMIT3B1cyBPbmUxGjAYBgNVBAMT

? EW1jbXVyZ29tMIGfMA0GCSqGSIb3DQEBAQUAA4GNADCBiQKBgQCf

? b2xsL3BzeWxsYV9Qc3lsbGElMjBDOC5jcnQwSQYIKwYBBQUHMAKG

? PWZpbGU6Ly9cXHBzeW5yb2xsXHBzeWxsYV9Qc3lsbGElMjBDQSUy

? MDAwMDExOCgxKS5jcJKoZIhvcBbg9oE+ag5YVnRoqPb/hsO

? E6/2ZaeFDAHzkmjA6AmXG7KnRhyB6WQPUbCqY0lt+CQbXw

? -----END CERTIFICATE-----

?

config_pki# exit

Nokia_Gateway> config save

Nokia_Gateway>
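The procedure above ends with a device certificate whose subject-alt-name entries are the addresses IKE will authenticate, and the crl-query description under ca makes you decide, per CA, whether the CRL URL sits in the CA certificate (the gateway default) or in the certificates that CA issues (crl_dp_in_child), with mixed layouts unsupported. Both facts can be read off the certificates before anything is pasted into the gateway. The following Python script is an added example, not part of this Nokia manual and not gateway code: a stdlib-only DER walker that extracts subjectAltName entries and CRL Distribution Point URIs from DER or PEM certificates (including PEM copied from a CLI session with its "? " continuation prompts) and classifies a chain for crl-query. It prefers the crl_dp_in_child reading whenever every issued certificate carries a CRLDP, because RFC 5280 places the pointer to a certificate's own CRL in that certificate, which is how public CAs issue. Its sample chain is constructed inline from unsigned, certificate-shaped DER, the pki.example.test URLs are made up, and the address 207.182.52.1 is taken from the show key info output later in this chapter.

```python
"""Stdlib-only X.509 walker: subjectAltName entries, CRL Distribution Point URIs,
and the crl-query layout check for a chain. Added example; not Nokia gateway code."""
import base64
import ipaddress
import re

OID_SAN = bytes.fromhex("551d11")    # 2.5.29.17 subjectAltName
OID_CRLDP = bytes.fromhex("551d1f")  # 2.5.29.31 cRLDistributionPoints
GENERAL_NAME_TAGS = {0x81: "email", 0x82: "fqdn", 0x86: "uri", 0x87: "ip"}

def der_tlv(buf, pos=0):
    """Parse one DER tag-length-value at pos; return (tag, value, next_pos)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                                  # long form: next n bytes hold the length
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length

def der_children(value):
    """Yield (tag, value) for each TLV inside a constructed value."""
    pos = 0
    while pos < len(value):
        tag, inner, pos = der_tlv(value, pos)
        yield tag, inner

def der(tag, *parts):
    """Encode one DER TLV; used only to build the constructed samples below."""
    body = b"".join(parts)
    if len(body) < 0x80:
        return bytes([tag, len(body)]) + body
    n = len(body).to_bytes((len(body).bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(n)]) + n + body

def pem_to_der(text):
    """Decode PEM as pasted into the gateway CLI, '? ' continuation prompts included."""
    body = "".join(l for l in text.splitlines() if "-----" not in l)
    return base64.b64decode(re.sub(r"[^A-Za-z0-9+/=]", "", body))

def extensions(cert_der):
    """Map extnID (raw OID bytes) -> extnValue (OCTET STRING content)."""
    _, tbs, _ = der_tlv(der_tlv(cert_der)[1])          # Certificate -> tbsCertificate
    for tag, val in der_children(tbs):
        if tag == 0xA3:                                 # [3] EXPLICIT Extensions
            exts = (list(der_children(e)) for _, e in der_children(der_tlv(val)[1]))
            return {f[0][1]: f[-1][1] for f in exts}    # Extension = OID, [critical], OCTET STRING
    return {}

def general_names(seq_content):
    """Decode the GeneralName choices the gateway uses: e-mail, FQDN, URI, IP."""
    return [(GENERAL_NAME_TAGS[t], str(ipaddress.ip_address(v)) if t == 0x87 else v.decode("ascii"))
            for t, v in der_children(seq_content) if t in GENERAL_NAME_TAGS]

def subject_alt_names(cert_der):
    ext = extensions(cert_der).get(OID_SAN)
    return general_names(der_tlv(ext)[1]) if ext else []

def crl_distribution_points(cert_der):
    """URIs from cRLDistributionPoints; [] when the certificate carries none."""
    ext = extensions(cert_der).get(OID_CRLDP)
    uris = []
    for _, dp in (der_children(der_tlv(ext)[1]) if ext else ()):   # DistributionPoint SEQUENCEs
        for tag, val in der_children(dp):
            if tag != 0xA0:                                       # [0] distributionPoint (EXPLICIT: a CHOICE)
                continue
            fn_tag, full_name, _ = der_tlv(val)
            if fn_tag == 0xA0:                                    # [0] fullName IMPLICIT GeneralNames
                uris += [u for kind, u in general_names(full_name) if kind == "uri"]
    return uris

def crldp_layout(chain):
    """chain = [trusted root, intermediates..., device certificate] as DER bytes.
    'child': every issued certificate names its issuer's CRL (RFC 5280 layout):
             set crl_dp_in_child on the root, then crl-query force per CA.
    'ca':    every CA certificate names its own CRL and no issued one does: gateway default.
    'mixed': anything else; the gateway does not support it."""
    child_has = [bool(crl_distribution_points(c)) for c in chain[1:]]
    ca_has = [bool(crl_distribution_points(c)) for c in chain[:-1]]
    if all(child_has):
        return "child"
    if all(ca_has) and not any(child_has):
        return "ca"
    return "mixed"

def sample_cert(crldp_uri=None, san_ip=None):
    """Constructed, unsigned certificate-shaped DER (demo input, not a real certificate)."""
    exts = []
    if crldp_uri:                                      # DistributionPoint: [0] { [0] { URI } }
        dp = der(0x30, der(0xA0, der(0xA0, der(0x86, crldp_uri.encode()))))
        exts.append(der(0x30, der(0x06, OID_CRLDP), der(0x04, der(0x30, dp))))
    if san_ip:                                         # GeneralNames: [7] iPAddress
        san = der(0x30, der(0x87, ipaddress.ip_address(san_ip).packed))
        exts.append(der(0x30, der(0x06, OID_SAN), der(0x04, san)))
    filler = [der(0x30)] * 5                           # sigalg, issuer, validity, subject, spki left empty
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")), der(0x02, b"\x01"), *filler,
              der(0xA3, der(0x30, *exts)))
    return der(0x30, tbs, der(0x30), der(0x03, b"\x00"))

# Constructed chain: root without CRLDP; sub-CA and device each name their issuer's CRL.
ROOT = sample_cert()
SUBCA = sample_cert("http://pki.example.test/root.crl")
DEVICE = sample_cert("http://pki.example.test/subca.crl", "207.182.52.1")

if __name__ == "__main__":
    print("device SANs:", subject_alt_names(DEVICE))                  # [('ip', '207.182.52.1')]
    print("crl-query layout:", crldp_layout([ROOT, SUBCA, DEVICE]))  # child
```

To run it against a real hierarchy, read each certificate file with open(path, "rb").read(), pass PEM input through pem_to_der(), and hand crldp_layout() the list [root, intermediates..., device]. A result of child means ca <string> crl-query crl_dp_in_child on the root before any crl-query force; ca means the gateway default is correct; mixed means the CA hierarchy itself has to change before the gateway can check revocation, and subject_alt_names(device) should list exactly the interface addresses you selected with subject-alt-name eth-N.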

The Simple Certificate Enrollment Protocol (SCEP) automates retrieval of a new device certificate. The process is similar to the cut-and-paste process; the difference is that the enrollment protocol is set to scep instead of pkcs10 (together with the SCEP entity and enrollment URL) just before the key pair is generated, and the signed certificate comes back over SCEP instead of being pasted in.

To use SCEP to issue a third-party CA certificate

1. Follow steps 1 through 3 of To issue a third-party CA certificate with cut-and-paste on page 213.

2. Generate the public/private key pair and the CSR.

Use the ca command to generate the key pair and the CSR. The CSR is then sent by SCEP to the CA for signing. The following example uses a Microsoft Windows 2000 CA and its SCEP configuration.

Note
Certification authorities have different enrollment URL and query URL values, as well as IP addresses.

The following example is for a gateway named Nokia_GatewayOne and a CA named NOK:

config_pki# ca NOK enrollment entity NOK-SCEP
config_pki# ca NOK enrollm protocol scep


config_pki# ca NOK enrollm url http://10.24.12.34/certsrv/mscep/mscep.dll
config_pki# ca NOK enroll NOKIA-NOK
config_pki#

3. Store the signed certificate in Nokia IP VPN Gateway.

After the CA signs the CSR, the certificate is returned to Nokia IP VPN Gateway over SCEP and stored in the local certificate store. Use the show key info certified full command to check whether the certificate is available. If the CA does not sign the certificate immediately, Nokia IP VPN Gateway polls for it periodically; use the ca <string> enrollment retry-count and ca <string> enrollment retry-period commands to control this behavior. After the certificate is retrieved, save the PKI configuration to flash memory so that the key pair is not lost. If a significant delay occurs between generating the enrollment and the actual signing, perform an intermediate config save in case the system is rebooted for any reason before the certificate can be signed.

For example (cert is accepted as an abbreviation of certified):

Nokia_GatewayOne> show key info cert full

Certified Public Keys:

certificate id: ee60b819-a17ddc56-db44b6be-512beb33

subject name: CN=Nokia_GatewayOne

L=Nokia_GatewayOne

ST=NOKIA_HYD

C=UR

issuer name: CN=NOK W2K CA

O=Nokia

L=Eloy

ST=AZ

C=US

serial number: 610a3a73000100000666

alternative name: 207.182.52.1

alternative name: 207.182.35.130

not valid before: Fri Mar 29 05:57:18 2002 GMT

not valid after: Sat Mar 29 06:07:18 2003 GMT

Nokia_GatewayOne> config save

Nokia_GatewayOne>


5 Configuring Policy Configuration System

This chapter describes how to use the Policy Configuration System (PCS) configuration mode, the PCS configuration mode commands, and the tasks that you can accomplish by using this mode.

PCS mode allows you to create, modify, and delete policies from the command-line interface. PCS supports IKE protection suites, IKE policy groups, gateway policies, IPSec policies, IPSec clients, and selectors.

Entering and Exiting PCS Configuration Mode

Use the commands in this section to enter or exit PCS configuration mode.

To enter PCS configuration mode, enter one of the following commands from the command mode prompt:

> config policy
> configure policy

The prompt changes to config_policy#. All policies from the running system and all selectors from the security policy database (SPD) are mapped to internal PCS structures (policy templates). You can use these templates to create or modify policies.

> configure policy -map

The prompt changes to config_policy#, but selectors from the running system are not loaded into internal PCS structures and policy templates. Use this option to add a few policies or selectors to a system in which many policies and selectors are already running, because it avoids unnecessary memory allocation.

Caution
PCS cannot check policy coherence. You must ensure that the selectors added by using this option have unique names and do not conflict with the names of existing selectors.

To exit PCS configuration mode and return to command mode, enter the exit command at the prompt:

config_policy# exit


Saving Crypto Policy Configuration to Flash Memory

Use "save" on page 222 to commit changes to flash memory.

PCS Configuration Mode Commands

PCS commands are grouped into two categories:

• Common PCS Commands
• Specific PCS Commands

Common PCS Commands

Use the following commands to perform an individual action.

Command   Function

apply     Propagate newly created and modified policies into the system.
clear     Clear internal PCS policy templates.
exit      Exit PCS mode.
load      Load policies from the specified ASCII file.
map       Map existing system policies into internal PCS templates.
save      Save IKE and IPSec policies, gateway and client records, and selectors from the system into a file on flash memory.
show      View internal PCS templates.
unload    Store running policies and selectors to an ASCII file in the form of a commands list.

apply

Use the apply command to save newly created and modified policies to the system. Newly created or modified policies are not saved to the system automatically; they are only stored in PCS templates. You must use the apply command to propagate policies into the system.

Syntax

config_policy# apply

220 Nokia IP VPN Gateway Command-Line Summary v6.3

clear

Use the clear command to clear internal PCS policy templates.

Syntax

config_policy# clear
  ipsec-map
  vpn-schema
  <CR>

Arguments

ipsec-map    Clear IPSec maps.
vpn-schema   Clear VPN schemas.
<CR>         Clear all policies.

exit

Use the exit command to exit PCS mode. All PCS internal templates are erased, and all temporarily used memory is released.

Syntax

config_policy# exit

load

Use the load command to load policies from a specified ASCII file. The ASCII file must be in the form of a commands list and must contain only commands that PCS accepts. The file can be local on flash memory or remote on an NFS or TFTP-ASCII server.

Syntax

config_policy# load <filename>

Arguments

<filename>   Load crypto policies from the file:
             • filename—name of a file with crypto policy templates.

map

Use the map command to map existing system policies to internal PCS templates.

Syntax

config_policy# map
  [all]
  [client]
  [ike]
  [ipsec]
  [selector]

Arguments

all        Map all system policies.
client     Map IPSec client policy.
ike        Map IKE policy.
ipsec      Map IPSec policy.
selector   Map SPD selectors.

save

All policies created during configuration remain in system memory only. Use the save command to save IKE and IPSec policies, gateway and client records, and selectors from the system into a file on flash memory. The save command creates a new policy download file, ipsec_policy_NNN.dat, where NNN is the next version number of the configuration file.

Caution: The next time you use VPN Manager to apply changes to a Nokia AOS Ver 6.3 gateway, you will lose any PCS policies that you configured using the CLI.

Syntax

config_policy# save
  <NAME>
  <CR>

Arguments

<NAME>   File name on the NFS or TFTP site.
<CR>     Save policy on flash memory.

show

Use the show command to view internal PCS templates. To select templates for viewing, specify a pattern. The pattern must be a regular expression that is applied to the name, user FQDN, or IP address, depending on the template.

Syntax

config_policy# show
  [all]
  [ike-gateway <ip <pattern>> | <CR>]
  [ike-group]
  [ike-suite]
  [ipsec-client <name <pattern>> | user_fqdn <pattern> | <CR>]
  [ipsec-gateway <ip <pattern>> | name <pattern> | <CR>]
  [ipsec-selector <ip <pattern>> | name <pattern> | <CR>]
  [ipsec-transform]
  [vpn-node <ip <pattern>> | name <pattern> | user_fqdn <pattern> | <CR>]
  [vpn-schema]

Arguments

all   Show all templates.

ike-gateway <ip <pattern>> | <CR>
    Show IKE gateways:
    • ip—view IKE gateways by IP address.
    • pattern—regular expression.
    • CR—view all IKE gateways.

ike-group   Show IKE groups.

ike-suite   Show IKE protection suites.

ipsec-client <name <pattern>> | user_fqdn <pattern> | <CR>
    Show IPSec client policy:
    • name—view IPSec clients by policy name.
    • name pattern—regular expression.
    • user_fqdn—view IPSec clients by user FQDN.
    • user_fqdn pattern—regular expression.
    • CR—view all IPSec clients.

ipsec-gateway <ip <pattern>> | name <pattern> | <CR>
    Show IPSec gateway policy:
    • ip—view IPSec gateways by IP address.
    • ip pattern—regular expression.
    • name—view IPSec gateways by policy name.
    • name pattern—regular expression.
    • CR—view all IPSec gateways.

ipsec-selector <ip <pattern>> | name <pattern> | <CR>
    Show IPSec selectors:
    • ip—view IPSec selectors by IP address.
    • ip pattern—regular expression.
    • name—view IPSec selectors by policy name.
    • name pattern—regular expression.
    • CR—view all IPSec selectors.

ipsec-transform   Show IPSec transforms.

vpn-node <ip <pattern>> | name <pattern> | user_fqdn <pattern> | <CR>
    Show VPN nodes:
    • ip—view VPN nodes by IP address.
    • ip pattern—regular expression.
    • name—view VPN nodes by node name.
    • name pattern—regular expression.
    • user_fqdn—view VPN nodes by user FQDN.
    • user_fqdn pattern—regular expression.
    • CR—view all VPN nodes.

vpn-schema   Show VPN schemas.

unload

The unload command stores running policies and selectors to an ASCII file in the form of a commands list. This list can then be used with the load command. The file can be a local file on flash memory or a remote file that you access by using NFS or TFTP-ASCII.

Note: Use TFTP-ASCII to ensure that the file is not read in binary format.

Syntax

config_policy# unload <filename>

Arguments

<filename>   Unload PCS templates to a file in ASCII format:
             • filename—name of a file with crypto policy templates.

Specific PCS Commands

Use the commands in Table 10 to enter a specific configuration mode for a particular category.

Table 10 Specific PCS Commands

Specific PCS Command   Description
ike     Allow creation, modification, and deletion of IKE templates.
ipsec   Allow creation, modification, and deletion of IPSec templates.
vpn     Allow creation, modification, and deletion of VPN schemas and nodes, and link them together.

The IKE, IPSec, and VPN commands, subcommands, and configuration modes are described in detail in the following sections.

IKE Policy Configuration Commands

The following are the IKE policy configuration commands:
gateway
group
suite

Syntax

config_policy# [no] ike
  gateway <<ADDR> <ike_suite> [ipsec_transform] | <CR>>
  group <group_policy_name> <ike_policy_name> [<ike_policy_name>]
  suite <NAME>

Arguments

no   Negate the command.

gateway <<ADDR> <ike_suite> [ipsec_transform] | <CR>>
    Assign or unassign a specific policy to a gateway:
    • ADDR—peer dotted-decimal address.
    • ike_suite—policy name.
    • ipsec_transform—available IPSec transform.
    • CR—exit.

group <NAME> <ike_policy_name> [<ike_policy_name>]
    Create or delete IKE groups:
    • NAME—group policy name.
    • ike_policy_name—IKE policy name.
    • ike_policy_name—additional IKE policy name.

suite <NAME>   Create, modify, or delete IKE protection suites.

Note: When you use the ike suite command, PCS enters a special configuration mode and responds with the ike-suite# prompt. This mode allows you to set or modify IKE protection suite parameters.

IKE Protection Suite Configuration Commands

Use the IKE suite configuration commands to set and modify any of the following:
Authentication method
Encryption algorithm
Oakley group
Hash algorithm
IKE lifetime
Flags

Syntax

ike-suite#
  authentication <challenge-response | pre-shared <key> <key> | rsa-encrypt | rsa-encrypt-compat | rsa-signature>
  cipher <3des | aes <<128 | 192 | 256> | <CR>> | blowfish <<40-448> | <CR>> | cast <<40-128> | <CR>> | des>
  flags <check-dns | deferred-delete | dynamic-peer | fqdn | initial-contact | internal-address | nomadic | vendor-id>
  hash <md5 | sha>
  lifetime <number>
  oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048>
  exit

Arguments

authentication <challenge-response | pre-shared <key> <key> | rsa-encrypt | rsa-encrypt-compat | rsa-signature>
    Set or modify an authentication method:
    • challenge-response—set challenge response.
    • pre-shared—set preshared key.
    • pre-shared key—preshared key.
    • pre-shared key key—repeat preshared key.
    • rsa-encrypt—set RSA encrypt.
    • rsa-encrypt-compat—set RSA encrypt compatibility mode.
    • rsa-signature—set digital signature.

cipher <3des | aes <<128 | 192 | 256> | <CR>> | blowfish <<40-448> | <CR>> | cast <<40-128> | <CR>> | des>
    Set or modify an encryption algorithm:
    • 3des—set 3DES encryption algorithm.
    • aes <128 | 192 | 256>—set AES encryption algorithm.
    • aes <CR>—use default key length (128 bits).
    • blowfish <40-448>—set Blowfish encryption algorithm.
    • blowfish <CR>—use default key length (128 bits).
    • cast <40-128>—set CAST encryption algorithm.
    • cast <CR>—use default key length (128 bits).
    • des—set DES encryption algorithm.

flags <check-dns | deferred-delete | dynamic-peer | fqdn | initial-contact | internal-address | nomadic | vendor-id>
    Set or modify IKE flags:
    • check-dns—do a DNS lookup on FQDN certificates.
    • deferred-delete—defer the QM delete until rekey.
    • dynamic-peer—mark a dynamic policy as valid.
    • fqdn—use FQDN for phase 1 identity.
    • initial-contact—send initial-contact ISAKMP notification.
    • internal-address—request an internal address from the gateway.
    • nomadic—mark a client policy as valid.
    • vendor-id—send vendor ID payload.

hash <md5 | sha>
    Set a hash algorithm:
    • md5—set MD5 hash algorithm.
    • sha—set SHA hash algorithm.

lifetime <number>
    Set a lifetime for an IKE policy:
    • number—lifetime in hours.

oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048>
    Set an Oakley group:
    • modp-768—set modp-768 group.
    • modp-1024—set modp-1024 group.
    • modp-1536—set modp-1536 group.
    • modp-2048—set modp-2048 group.

exit   Exit IKE suite configuration policy mode.

IPSec Policy Configuration Commands

The following are the IPSec configuration commands:
cl-selector
client
gateway
gw-selector
transform

Syntax

config_policy# [no] ipsec
  cl-selector <NAME>
  client <NAME>
  gateway <NAME>
  gw-selector <NAME>
  transform <NAME>

Arguments

no   Negate the command.

cl-selector <NAME>
    Set or modify an IPSec selector for a client:
    • NAME—IPSec client selector name.

client <NAME>
    Set or modify a client policy:
    • NAME—IPSec policy name.

gateway <NAME>
    Set or modify a gateway policy:
    • NAME—IPSec policy name.

gw-selector <NAME>
    Set or modify an IPSec selector for a gateway:
    • NAME—IPSec gateway selector name.

transform <NAME>
    Set or modify an IPSec transform:
    • NAME—IPSec transform name.
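The load and unload commands exchange policies as an ASCII commands list, and the Caution on configure policy -map states that PCS does not check policy coherence, so such a file is worth linting before it is loaded. The following is an added example of my own, not code from this manual or from the gateway: a Python linter for a PCS commands list. It assumes a format of one PCS command per line, with mode-entering commands such as ike suite and ipsec gw-selector followed by their sub-commands and a closing exit; the sample file it checks is constructed here. It reports duplicate template names, ike group, ike gateway and vpn link entries that reference undefined templates, and the weaker options offered by the suite and transform syntax (single DES, MD5, modp-768, null algorithms, short Blowfish or CAST keys).

```python
import re
from collections import defaultdict

# Template-defining PCS commands (syntax as in this chapter); group 1 is the
# template name, or the peer address in the case of `ike gateway`.
DEFINES = {
    "ike suite": re.compile(r"^ike suite (\S+)$"),
    "ike group": re.compile(r"^ike group (\S+)((?: \S+)+)$"),
    "ike gateway": re.compile(r"^ike gateway (\S+)(?: (\S+))?(?: (\S+))?$"),
    "ipsec transform": re.compile(r"^ipsec transform (\S+)$"),
    "ipsec gw-selector": re.compile(r"^ipsec gw-selector (\S+)$"),
    "ipsec cl-selector": re.compile(r"^ipsec cl-selector (\S+)$"),
    "ipsec gateway": re.compile(r"^ipsec gateway (\S+)$"),
    "ipsec client": re.compile(r"^ipsec client (\S+)$"),
    "vpn schema": re.compile(r"^vpn schema (\S+)$"),
    "vpn node": re.compile(r"^vpn node (\S+)$"),
}
ONE_LINERS = {"ike group", "ike gateway"}      # these do not enter a sub-mode
LINK = re.compile(r"^vpn link (\S+)((?: \S+)+)$")

# Sub-mode settings (ike-suite# / ipsec-transform#) a defender should not
# accept in a new policy.
WEAK_SETTINGS = [
    (re.compile(r"^cipher des$"), "single DES"),
    (re.compile(r"^cipher null$"), "null encryption"),
    (re.compile(r"^hash md5$"), "MD5 hash"),
    (re.compile(r"^authenticator (hmac-md5|null)$"), "weak or null authenticator"),
    (re.compile(r"^oakley-group modp-768$"), "768-bit Oakley group"),
]
SHORT_KEY = re.compile(r"^cipher (blowfish|cast) (\d+)$")


def lint_pcs(text):
    """Return a list of findings for a PCS commands list (empty means clean)."""
    findings = []
    defined = defaultdict(dict)      # category -> name -> first line number
    groups, gateways, links = [], [], []
    mode = None                      # (category, name) while inside a sub-mode

    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line:
            continue
        if line == "exit":
            mode = None
            continue
        match = None
        for category, rx in DEFINES.items():
            m = rx.match(line)
            if m:
                match = (category, m)
                break
        if match:
            category, m = match
            name = m.group(1)
            if name in defined[category]:
                findings.append(f"line {lineno}: duplicate {category} name {name!r} "
                                f"(first defined on line {defined[category][name]})")
            else:
                defined[category][name] = lineno
            if category == "ike group":
                groups.append((lineno, name, m.group(2).split()))
            elif category == "ike gateway":
                gateways.append((lineno, name, m.group(2), m.group(3)))
            mode = None if category in ONE_LINERS else (category, name)
            continue
        m = LINK.match(line)
        if m:
            links.append((lineno, m.group(1), m.group(2).split()))
            continue
        if mode and mode[0] in ("ike suite", "ipsec transform"):
            where = f"{mode[0]} {mode[1]!r}"
            for rx, why in WEAK_SETTINGS:
                if rx.match(line):
                    findings.append(f"line {lineno}: {where} uses {why}")
            m = SHORT_KEY.match(line)
            if m and int(m.group(2)) < 128:
                findings.append(f"line {lineno}: {where} uses {m.group(1)} "
                                f"with a {m.group(2)}-bit key")

    # References are resolved after the whole file is read, so a template may
    # be defined later in the file than its first use.
    suites, grp = defined["ike suite"], defined["ike group"]
    for lineno, name, members in groups:
        for s in members:
            if s not in suites:
                findings.append(f"line {lineno}: ike group {name!r} references undefined suite {s!r}")
    for lineno, addr, policy, transform in gateways:
        if policy and policy not in suites and policy not in grp:
            findings.append(f"line {lineno}: ike gateway {addr} references undefined suite or group {policy!r}")
        if transform and transform not in defined["ipsec transform"]:
            findings.append(f"line {lineno}: ike gateway {addr} references undefined transform {transform!r}")
    for lineno, schema, nodes in links:
        if schema not in defined["vpn schema"]:
            findings.append(f"line {lineno}: vpn link references undefined schema {schema!r}")
        for n in nodes:
            if n not in defined["vpn node"]:
                findings.append(f"line {lineno}: vpn link references undefined node {n!r}")
    return findings


# Constructed sample file: one sound suite, one legacy suite, a dangling
# gateway reference and a duplicated selector name.
SAMPLE = """\
ike suite strong
 authentication rsa-signature
 cipher aes 256
 hash sha
 oakley-group modp-2048
 lifetime 8
 exit
ike suite legacy
 authentication pre-shared example-psk example-psk
 cipher des
 hash md5
 oakley-group modp-768
 exit
ike group corp strong legacy
ike gateway 192.0.2.10 corp
ike gateway 192.0.2.11 missing-group
ipsec transform esp-aes
 protocol esp
 cipher aes 256
 authenticator hmac-sha
 mode tunnel
 exit
ipsec gw-selector branch-tcp
 action protect
 protocol TCP
 exit
ipsec gw-selector branch-tcp
 action drop
 exit
"""

if __name__ == "__main__":
    for finding in lint_pcs(SAMPLE):
        print(finding)
```

Run the linter over the output of unload before editing the file, and again over the edited file before load; an empty list is the only result that should be followed by apply.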

IPSec Client Configuration Command

Use the ipsec client command to set a client policy. At the config_policy# prompt, enter the following command:

config_policy# ipsec client <NAME>

PCS goes into a specific configuration mode and responds with the ipsec-client# prompt.

Syntax

ipsec-client#
  ca-id
  id <dn <key=value[,key=value...]> | user fqdn <user@domain_name>>
  oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
  selector
  transform
  exit

Arguments

ca-id   Specify the CA ID.

id <dn <key=value[,key=value...]> | user fqdn <user@domain_name>>
    Specify a client DN or user FQDN:
    • dn key=value—DN value.
    • user fqdn <user@domain_name>—user FQDN.

oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
    Select a PFS group:
    • modp-768—set modp-768 group.
    • modp-1024—set modp-1024 group.
    • modp-1536—set modp-1536 group.
    • modp-2048—set modp-2048 group.
    • none—unset Oakley group.

selector    Specify a selector for a client.
transform   Specify an IPSec transform for a client.
exit        Exit IPSec client configuration policy mode.

IPSec Gateway Configuration Commands

Use the ipsec gateway command to set a gateway policy. At the config_policy# prompt, enter the following command:

config_policy# ipsec gateway <NAME>

PCS goes into a specific configuration mode and responds with the ipsec-gateway# prompt.

Syntax

ipsec-gateway#
  dst-addr <ADDR> <ADDR>
  oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
  selector
  src-addr <ADDR> <ADDR>
  transform
  identity <FQDN> | <CR>
  exit

Arguments

dst-addr <ADDR> <ADDR>
    IP addresses of the remote gateway:
    • <ADDR>—dotted-decimal address of the primary endpoint.
    • <ADDR>—dotted-decimal address of the backup endpoint.

oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
    Select an Oakley group:
    • modp-768—set modp-768 group.
    • modp-1024—set modp-1024 group.
    • modp-1536—set modp-1536 group.
    • modp-2048—set modp-2048 group.
    • none—unset Oakley group.

selector
    Selector for a gateway. The node autosorts selectors to move the most specific (those with the fewest wildcard values) to the top of the list and the default filter to the bottom of the list. The node searches for port numbers, then IP addresses and subnet masks.

src-addr <ADDR> <ADDR>
    IP addresses of the local gateway:
    • <ADDR>—dotted-decimal address of the primary endpoint.
    • <ADDR>—dotted-decimal address of the backup endpoint.

transform   IPSec transform for a gateway.

identity <FQDN> | <CR>
    • FQDN—identity of a dynamic peer in FQDN form.
    • CR—clear the identity.
    Note: If identity is defined, dst-addr must not be defined.

exit   Exit IPSec gateway configuration policy mode.

IPSec CL-Selector Configuration Command

Use the ipsec cl-selector command to set a selector for a client. At the config_policy# prompt, enter the following command:

config_policy# ipsec cl-selector <NAME>

PCS goes into a specific configuration mode and responds with the ipsec-client-selector# prompt.

Syntax

ipsec-client-selector#
  action <bypass | drop | protect>
  addr <ADDR>
  flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
  mask <NETMASK>
  port <NUMBER>
  protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
  exit

Arguments

action <bypass | drop | protect>
    Specify an action on a packet. One of three actions can be selected:
    • bypass—set action to pass packets.
    • drop—set action to drop packets.
    • protect—set action to protect packets.

addr <ADDR>
    IP address of a protected network:
    • ADDR—dotted-decimal address.

flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
    Allow the user to set selector-specific flags:
    • asymmetric—marks the selector as asymmetric.
    • dynamic-gw—support communication to a dynamic gateway.
    • local-broadcast—matches any local broadcast (valid with local-dst or local-src).
    • local-dst—matches any local destination address.
    • local-src—matches any local source address.
    • unique-dport—destination port must be unique.
    • unique-dst—destination address must be unique.
    • unique-protocol—protocol must be unique.
    • unique-sport—source port must be unique.
    • unique-src—source address must be unique.

mask <NETMASK>
    Set the netmask for a protected network:
    • NETMASK—dotted-decimal netmask.

port <NUMBER>
    Specify a port for a protected network:
    • NUMBER—port number.

protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
    Specify an IP protocol for a protected network:
    • GRE—select GRE IP protocol.
    • ICMP—select ICMP protocol.
    • IPINIP—select IPINIP protocol.
    • TCP—select TCP protocol.
    • UDP—select UDP protocol.
    • NUMBER—IP protocol number.

exit   Exit IPSec client selector configuration policy mode.

IPSec GW-Selector Configuration Command

Use the ipsec gw-selector command to set a selector for a gateway. At the config_policy# prompt, enter the following command:

config_policy# ipsec gw-selector <NAME>

PCS goes into a specific configuration mode and responds with the ipsec-gateway-selector# prompt.

Syntax

ipsec-gateway-selector#
  action <bypass | drop | protect>
  diff-serv <from-dst <assured | best-effort | default | expedited | pass-through | <NUMBER>>> <to-dst <assured | best-effort | default | expedited | pass-through | <NUMBER>>>
  dst-addr <ADDR>
  dst-mask <NETMASK>
  dst-port <NUMBER>
  flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
  protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
  src-addr <ADDR>
  src-mask <NETMASK>
  src-port <NUMBER>
  exit

Arguments

action <bypass | drop | protect>
    Specify an action on packets:
    • bypass—set action to pass packets.
    • drop—set action to drop packets.
    • protect—set action to protect packets.

diff-serv <from-dst <assured | best-effort | default | expedited | pass-through | <NUMBER>>> <to-dst <assured | best-effort | default | expedited | pass-through | <NUMBER>>>
    Set differentiated services codepoints. The following options can be set:
    • from-dst—set differentiated services codepoint from destination.
    • from-dst assured—set codepoint to assured.
    • from-dst best-effort—set codepoint to best-effort.
    • from-dst default—set codepoint to default.
    • from-dst expedited—set codepoint to expedited.
    • from-dst pass-through—set codepoint to pass-through.
    • from-dst <NUMBER>—set codepoint to a value between 0 and 63.
    • to-dst—set differentiated services codepoint to destination.
    • to-dst assured—set codepoint to assured.
    • to-dst best-effort—set codepoint to best-effort.
    • to-dst default—set codepoint to default.
    • to-dst expedited—set codepoint to expedited.
    • to-dst pass-through—set codepoint to pass-through.
    • to-dst <NUMBER>—set codepoint to a value between 0 and 63.

dst-addr <ADDR>
    Specify the IP address of a remote protected network:
    • ADDR—dotted-decimal address.

dst-mask <NETMASK>
    Set a netmask for a remote protected network:
    • NETMASK—dotted-decimal netmask.

dst-port <NUMBER>
    Specify a port for a remote protected network:
    • NUMBER—port number.

flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
    Set selector-specific flags:
    • asymmetric—marks the selector as asymmetric.
    • dynamic-gw—support communication to a dynamic gateway.
    • local-broadcast—matches any local broadcast (valid with local-dst or local-src).
    • local-dst—matches any local destination address.
    • local-src—matches any local source address.
    • unique-dport—destination port must be unique.
    • unique-dst—destination address must be unique.
    • unique-protocol—protocol must be unique.
    • unique-sport—source port must be unique.
    • unique-src—source address must be unique.

protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
    Specify an IP protocol for a selector:
    • GRE—select GRE IP protocol.
    • ICMP—select ICMP protocol.
    • IPINIP—select IPINIP protocol.
    • TCP—select TCP protocol.
    • UDP—select UDP protocol.
    • <NUMBER>—IP protocol number.

src-addr <ADDR>
    Specify the IP address of a local protected network:
    • ADDR—dotted-decimal address.

src-mask <NETMASK>
    Set a netmask for a local protected network:
    • NETMASK—dotted-decimal netmask.

src-port <NUMBER>
    Specify a port for a local protected network:
    • NUMBER—port number.

exit   Exit IPSec gateway selector configuration policy mode.

IPSec Transform Configuration Command

Use the ipsec transform command to set an IPSec transform. At the config_policy# prompt, enter the following command:

config_policy# ipsec transform <NAME>

PCS goes into a specific configuration mode and responds with the ipsec-transform# prompt.

Syntax

ipsec-transform#
  authenticator <hmac-md5 | hmac-ripemd | hmac-sha | null>
  cipher <3des | aes <128 | 192 | 256> | blowfish <40-448> | cast <40-128> | des | null>
  flags <commit-bit | replay-status | responder-lifetime>
  lifetime <kbyte <NUMBER> | minutes <NUMBER>>
  mode <transport | tunnel>
  protocol <ah | ah-esp | esp>
  exit

Arguments

authenticator <hmac-md5 | hmac-ripemd | hmac-sha | null>
    Select an authenticator:
    • hmac-md5—set HMAC-MD5.
    • hmac-ripemd—set HMAC-RIPEMD.
    • hmac-sha—set HMAC-SHA.
    • null—no authentication is required.

cipher <3des | aes <128 | 192 | 256> | blowfish <40-448> | cast <40-128> | des | null>
    Select a secrecy algorithm. Set this parameter only if the IPSec protocol is set to ESP.
    • 3des—set 3DES encryption algorithm.
    • aes <128 | 192 | 256>—set AES encryption algorithm.
    • blowfish <40-448>—set Blowfish encryption algorithm.
    • cast <40-128>—set CAST encryption algorithm.
    • des—set DES encryption algorithm.
    • null—set a null encryption algorithm.

flags <commit-bit | replay-status | responder-lifetime>
    Specify IPSec flags:
    • commit-bit—use the commit bit when responding.
    • replay-status—send replay status in QM.
    • responder-lifetime—send responder lifetime in QM.

lifetime <kbyte <NUMBER> | minutes <NUMBER>>
    Set an IPSec lifetime:
    • kbyte <NUMBER>—set lifetime in kilobytes.
    • minutes <NUMBER>—set lifetime in minutes.

mode <transport | tunnel>
    Set the IPSec mode:
    • transport—set transport mode.
    • tunnel—set tunnel mode.

protocol <ah | ah-esp | esp>
    Select an IPSec protocol:
    • ah—select AH protocol.
    • esp—select ESP protocol.
    • ah-esp—select both AH and ESP.

exit   Exit IPSec transform configuration policy mode.

VPN Configuration Commands

To simplify the configuration of many peering relationships with similar policy elements, VPN commands are used to create a template. First, create a schema, which identifies all elements of the local side of the policy, as well as the IPSec transforms, IKE suite, and selector for the local network. Second, configure nodes, for which the only information you need to enter is the node name and the remote subnets it protects.

The following are the VPN configuration commands:
link
node
schema

These commands support negation when no precedes a VPN command.

Syntax

config_policy# vpn
  link
  node
  schema

Arguments

link     Links designated VPN nodes to a VPN schema.
node     Designs VPN nodes.
schema   Designs a VPN schema.

VPN Link Command

Use the link command to link VPN nodes to a VPN schema. When the command is negated, the specified nodes are unlinked from the VPN.

Syntax

vpn link <schema_name> <vpn_node> [<vpn_node>...<vpn_node>]

no vpn link <schema_name> <vpn_node> [<vpn_node>...<vpn_node>]

VPN Node Configuration Commands

Use the vpn node command to design a VPN node. Enter the following command from the config_policy# prompt:

config_policy# vpn node <NAME>

PCS goes into a specific configuration mode and responds with the vpn_node# prompt.

Syntax

vpn_node#
  addr <ADDR>
  ca-id
  gw-addr <ADDR>
  mask <NETMASK>
  port <NUMBER>
  id <dn <key=value[,key=value...]> | user-fqdn <user@domain_name>>
  exit

Arguments

addr <ADDR>       IP address of a remote protected network (gateway nodes only).
ca-id             CA ID (client nodes only).
gw-addr <ADDR>    IP address of a remote gateway.
mask <NETMASK>    Netmask for a remote protected network (gateway nodes only).
port <NUMBER>     Port for a remote protected network (gateway nodes only).

id <dn <key=value[,key=value...]> | user-fqdn <user@domain_name>>
    Client DN or user FQDN (client nodes only):
    • dn <key=value[,key=value...]>—DN.
    • user-fqdn <user@domain_name>—user FQDN.

exit   Exit VPN node configuration policy mode.

VPN Schema Configuration Commands

Use the vpn schema <name> command to design a VPN schema. Enter the following command from the config_policy# prompt:

config_policy# vpn schema <NAME>

PCS goes into a specific configuration mode and responds with the vpn-schema# prompt.

Syntax

vpn-schema#
  action <bypass | drop | protect>
  addr <ADDR>
  flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
  gw-addr <ADDR>
  ike-suite
  mask <NETMASK>
  oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
  port <NUMBER>
  protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
  transform
  exit

Arguments

action <bypass | drop | protect>
    Specify an action on packets:
    • bypass—set action to pass packets.
    • drop—set action to drop packets.
    • protect—set action to protect packets.

addr <ADDR>   IP address of the local protected network.

flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
    Allow the user to set specific flags. The following flags can be set:
    • asymmetric—set the asymmetric flag.
    • dynamic-gw—support communication to a dynamic gateway.
    • local-broadcast—matches any local broadcast (valid with local-dst or local-src).
    • local-dst—matches any local destination address.
    • local-src—matches any local source address.
    • unique-dport—destination port must be unique.
    • unique-dst—destination address must be unique.
    • unique-protocol—protocol must be unique.
    • unique-sport—source port must be unique.
    • unique-src—source address must be unique.

gw-addr <ADDR>   IP address of the local gateway.

ike-suite        IKE suites for the VPN.

mask <NETMASK>   Netmask for the local protected network.

oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
    Select a PFS group:
    • modp-768—set modp-768 group.
    • modp-1024—set modp-1024 group.
    • modp-1536—set modp-1536 group.
    • modp-2048—set modp-2048 group.
    • none—unset Oakley group.

port <NUMBER>    Port for the local protected network.

protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
    Specify an IP protocol for the VPN:
    • GRE—select GRE IP protocol.
    • ICMP—select ICMP protocol.
    • IPINIP—select IPINIP protocol.
    • TCP—select TCP protocol.
    • UDP—select UDP protocol.
    • <NUMBER>—IP protocol number.

transform        IPSec transforms for the VPN.

exit   Exit VPN schema configuration policy mode.

IPSec Configuration with PCS

The following sections provide an introduction to configuring Internet Protocol Security (IPSec) and Internet Key Exchange (IKE) policy by using the CLI, and present an example of the commands required to configure a typical scenario. PCS separates policy configuration into units, and these units must be designed and combined in a specific order to complete an IPSec configuration. The units of configuration are:

• IKE protection suites—a policy statement that denotes acceptable policies for an IKE SA. These policies are negotiated with the peer.
• A group of IKE protection suites—a compound of singular IKE protection suites. Each suite defines the policy for an SA, while a group defines all possible policies to negotiate. For example: group = (suite1, or suite2, or suite3).
• IKE policy to a gateway—IKE is a point-to-point protocol, so a remote peer must be defined. This construct combines an IKE protection suite or group of protection suites with the IP address of the remote peer.
• IPSec selectors—a policy statement that defines a particular flow of traffic and the action to perform on packets that belong to that flow. For example, TCP packets from A.B.C.D to W.X.Y.Z should be dropped.
• IPSec transforms—a definition of how to protect packets in a particular flow.
• A group of IPSec transforms—a compound of IPSec transforms that denotes all the possible transforms that can be negotiated to protect a particular flow.
• IPSec policy to a gateway—a construct that combines the following:
  • Selector (whose action is protect)—what to protect.
  • Transform or group of transforms—how to protect it.
  • Remote IP address of a peer—to whom the protected packets are sent.
  • Local IP address of the device—from whom the protected packets are sent.

Before you enter PCS mode, break up the desired configuration into parts that correspond to the units in the preceding list. The two systems to configure are IKE and IPSec, and each system is configured independently. A policy to an IKE peer does not depend on the policy configured for IPSec, and vice versa. IPSec policy defines how to protect (or drop, or pass) IP packets; IKE policy defines how the two peers communicate the IKE protocol, the authentication method to use, the Diffie-Hellman group to use for key generation, and so on.

You enter PCS mode by using the config policy command from the command mode prompt. The prompt changes to config_policy#. PCS mode maintains a template of configuration units. You transfer the template into the system by applying changes, and you save the template to flash memory by using the save command. Only policies that can be applied or saved are applied or saved: you can create certain units that by themselves do not form a complete policy representation. For more information, see "Requirements and Limitations" on page 249.

The template is not shared. Each entry into PCS creates a new template. If two users simultaneously attempt to configure IPSec by using PCS, they cannot see each other's configuration until one of them uses the apply command. Do not attempt simultaneous configuration, because each side would overrule the other.

IKE Policy

Before you define the IKE gateway, you must define an IKE protection suite. The protection suite defines how to perform IKE, while the gateway defines to whom and which protection suites to use. You define IKE protection suites by using the ike suite command:

config_policy# ike suite <suite-name>

Set the following options:

ike-suite# authentication <pre-shared | rsa-encrypt | rsa-signature | challenge-response>

Arguments

pre-shared           Specify preshared key authentication, with the preshared key following the command.
rsa-encrypt          Specify encrypted nonce authentication.
rsa-signature        Specify authentication with digital signatures.
challenge-response   Specify challenge response authentication.

Note: This is for clients only.

ike-suite# cipher <3des | aes | blowfish | cast | des>

Arguments

3des       Use the 3DES cipher.
aes        Use the AES cipher.
blowfish   Use the Blowfish cipher.
cast       Use the CAST cipher.
des        Use the DES cipher.

ike-suite# flags <initial-contact | nomadic | vendor-id>

Arguments

initial-contact   Specify that the initial-contact notice should be sent to peers the first time communication is attempted.
nomadic           Specify that the policy is for a client coming from an unspecified IP address.
vendor-id         Specify that a vendor ID payload identifying a Nokia IP VPN Gateway should be sent upon completion of IKE.

ike-suite# hash <md5 | sha>

Arguments

md5   Use the MD5 hash algorithm.
sha   Use the SHA hash algorithm.

ike-suite# lifetime <number of hours>

Arguments

<number of hours>   Define the maximum life of the SA.

ike-suite# oakley-group <modp-768 | modp-1024 | modp-1536>

Arguments

modp-768    IKE group 1.
modp-1024   IKE group 2.
modp-1536   IKE group 5.

Note: All the groups are defined in RFC 2409.

You can form groups of IKE policies by combining multiple IKE protection suites into a group by using the ike group command:

config_policy# ike group <name> <suite1> <suite2> [<suite3> ...]

Once you define the how of IKE policy, you can define the to whom. Use the ike gateway command:

config_policy# ike gateway <name> <suite | group-of-suites>

Note: Only one policy parameter is allowed: either a single protection suite or the single name of a group of protection suites.

IPSec Policy

IPSec policy defines the packets that should be:
IPSec-protected
Dropped
Allowed to pass in the clear

For example, you can write a policy with rules that allow HTTP traffic to 10.0.1/24 in the clear, protect all other TCP traffic between 10.0.1/24 and 10.1.1/24, and drop all UDP traffic between 10.0.1/24 and 10.1.1/24. These rules form selectors. A selector is an abstraction that identifies a particular flow of traffic (for example, TCP between 10.0.1/24 and 10.1.1/24) and how to handle that particular flow (for example, protect it by using IPSec). Selectors identify traffic by specifying source and destination addressing and, optionally, an upper-layer protocol and port.

Selectors are specified as either gateway selectors or client selectors. The difference is that with gateway selectors, the local and remote addressing is known, while with client selectors, the remote portion of the addressing is unknown (the client usually obtains random DHCP addresses, which makes it impossible to assign policy to them).
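The IKE Policy sequence above (ike suite, then ike group, then ike gateway) binds a peer either to one suite or to a group that reads as (suite1, or suite2, or suite3). The following Python model is an added example of my own, not code from this manual or from the gateway: it shows how a gateway bound to a group would pick a suite from a peer's proposals, with the group's order serving as the local preference order and the first local suite whose attributes appear among the peer's proposals being chosen. The suite, group and gateway tables are constructed here, and the rule that the shorter of the two lifetimes applies is an assumption of this model rather than a statement of the manual.

```python
from dataclasses import dataclass


@dataclass(frozen=True)
class IkeSuite:
    """One ike suite template, with the attributes of the ike-suite# sub-commands."""
    name: str
    authentication: str   # pre-shared | rsa-encrypt | rsa-signature | challenge-response
    cipher: str           # 3des | aes | blowfish | cast | des
    hash: str             # md5 | sha
    oakley_group: str     # modp-768 | modp-1024 | modp-1536 | modp-2048
    lifetime_hours: int   # lifetime <number of hours>

    def attributes(self):
        """The attribute tuple a proposal must match (lifetime is handled separately)."""
        return (self.authentication, self.cipher, self.hash, self.oakley_group)


# Constructed templates, as `ike suite`, `ike group` and `ike gateway` would define them.
SUITES = {
    "aes-sha-2048": IkeSuite("aes-sha-2048", "rsa-signature", "aes", "sha", "modp-2048", 8),
    "3des-sha-1024": IkeSuite("3des-sha-1024", "pre-shared", "3des", "sha", "modp-1024", 8),
}
GROUPS = {"corp": ["aes-sha-2048", "3des-sha-1024"]}      # list order = local preference
GATEWAYS = {"192.0.2.10": "corp", "192.0.2.20": "3des-sha-1024"}   # peer -> suite or group


def offered_suites(peer_addr):
    """Suites the ike gateway entry for this peer allows, in preference order."""
    policy = GATEWAYS.get(peer_addr)
    if policy is None:
        return []                                  # no ike gateway entry: nothing offered
    return [SUITES[n] for n in GROUPS.get(policy, [policy])]


def negotiate(peer_addr, proposals):
    """Select the suite for a peer from the proposals it sends.

    proposals is a list of (authentication, cipher, hash, oakley_group,
    lifetime_hours) tuples. Returns (suite name, agreed lifetime) or None when
    the peer proposes nothing the local policy allows. Agreeing on the shorter
    lifetime is an assumption of this model.
    """
    for suite in offered_suites(peer_addr):
        for proposal in proposals:
            if tuple(proposal[:4]) == suite.attributes():
                return suite.name, min(suite.lifetime_hours, proposal[4])
    return None


if __name__ == "__main__":
    peer_proposals = [("pre-shared", "des", "md5", "modp-768", 24),
                      ("pre-shared", "3des", "sha", "modp-1024", 24)]
    print(negotiate("192.0.2.10", peer_proposals))   # the weak first proposal is skipped
```

A peer that only proposes attributes outside the group gets no IKE SA at all, which is the behaviour to expect after a legacy suite is removed from a group: the peers still using it stop connecting rather than silently falling back.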

Defining Gateway Selectors

You can define gateway selectors by using the ipsec gw-selector command:

config_policy# ipsec gw-selector <name>

Arguments

name Name that identifies the selector.

Specifying Selector Components

You can specify the components of a selector by using the following commands:

ipsec-gateway-selector# action <bypass | drop | protect>

Arguments

bypass Allow specified traffic to pass in the clear.

drop Drop specified traffic.

protect Protect specified traffic with IPSec.

ipsec-gateway-selector# protocol <protocol name or number>

Arguments

<protocol name or number> Select the protocol by name or by its IANA-assigned protocol number. A selector with no protocol (and no port) matches all traffic between the two address ranges.

ipsec-gateway-selector# dst-addr <dotted decimal address>
ipsec-gateway-selector# dst-mask <dotted decimal netmask>
ipsec-gateway-selector# dst-port <port number>

Define the destination of the packets by using an address and netmask (for a single host the netmask is 255.255.255.255) and, if the protocol has one, a port.

ipsec-gateway-selector# src-addr <dotted decimal address>
ipsec-gateway-selector# src-mask <dotted decimal netmask>
ipsec-gateway-selector# src-port <port number>

Define the source of the packets by using an address and netmask (for a single host the netmask is 255.255.255.255) and, if the protocol has one, a port.


Creating Client Selectors

Create client selectors by using the ipsec cl-selector command:

config_policy# ipsec cl-selector <name>

Arguments

name Name that identifies the selector.

Specifying the Components of a Selector

You can specify the components of a client selector by using the following commands. Because the client connects from an unknown IP address, you configure only the local side of the selector; the remote side of the selector is a wildcard.

ipsec-client-selector# action <bypass | drop | protect>

Arguments

bypass Allow specified traffic to pass in the clear.

drop Drop specified traffic.

protect Protect specified traffic with IPSec.

ipsec-client-selector# protocol <protocol name or number>

Arguments

<protocol name or number> Select the protocol by name or by its IANA-assigned protocol number.

ipsec-client-selector# addr <dotted decimal address>
ipsec-client-selector# mask <dotted decimal netmask>
ipsec-client-selector# port <port number>

Define the locally protected network by using an address and netmask (for a single local host the netmask is 255.255.255.255) and, if the protocol has one, a port.

When a selector's action is bypass or drop, nothing more is needed. When the action is protect, you must also define how the traffic is protected and, for gateway selectors, the remote gateway it is protected with. The selector defines what to protect, a transform defines how to protect it, and a gateway defines with whom the traffic is protected. With a client selector the "to whom" is specified a little differently, as described below under the ipsec client command.

Defining IPSec Transforms

IPSec transforms are defined by using the ipsec transform command:

config_policy# ipsec transform <name>

Arguments

name Name that identifies the transform.

Specifying Components of the Transform

Use the following commands to specify the components of the transform:

ipsec-transform# authentication <hmac-sha | hmac-md5>

Arguments

hmac-sha Select the HMAC-SHA authentication algorithm.

hmac-md5 Select the HMAC-MD5 authentication algorithm. Prefer hmac-sha; keep hmac-md5 only for interoperability with older peers.

ipsec-transform# cipher <3des | aes | blowfish | cast | des>

Arguments

3des Select the 3DES encryption algorithm.

aes Select the AES encryption algorithm.

blowfish Select the Blowfish encryption algorithm.

cast Select the CAST encryption algorithm.

des Select the DES encryption algorithm. Single DES has a 56-bit key and is not adequate protection for traffic that matters; use aes or 3des.

ipsec-transform# flags <commit-bit | replay-status | responder-lifetime>

Arguments

commit-bit Ensure SAs are in place before being used.

replay-status Send a notification to the remote peer that replay detection is used.

responder-lifetime Send a notification of the locally configured lifetime to the peer if the peer's SA offer contains a lifetime greater than the configured lifetime.

ipsec-transform# lifetime <kbyte | minutes>

Arguments

kbyte Denote an SA lifetime in kilobytes of protected traffic.

minutes Denote an SA lifetime in minutes.

ipsec-transform# mode <transport | tunnel>

Arguments

transport Indicate transport mode IPSec.

tunnel Indicate tunnel mode IPSec.

ipsec-transform# protocol <esp | ah | ah-esp>

Arguments

esp Denote that the ESP protocol is used to protect traffic.

ah Denote that the AH protocol is used to protect traffic. A cipher cannot be defined for this protocol, because AH provides integrity only, not confidentiality.

ah-esp Denote that both protocols are used to protect traffic.

Now that what to protect is defined with selectors and how to protect it is defined with transforms, you can define the "to whom", which binds a selector and a transform together. IPSec policy to a known gateway protecting a known network, where the selector is a gateway selector, is specified by using the ipsec gateway command:

config_policy# ipsec gateway <name>

Arguments

name Name of the policy mapping.

Use the following commands to specify the components of the policy mapping:

ipsec-gateway# dst-addr <dotted decimal address>

Arguments

dotted decimal address IP address of the remote peer.

ipsec-gateway# src-addr <dotted decimal address>

Arguments

dotted decimal address Local IP address (the address of this gateway's external interface).

ipsec-gateway# oakley-group <modp-768 | modp-1024 | modp-1536 | none>

Note: Specifying a group enables Perfect Forward Secrecy (PFS) for the negotiated SAs: a fresh Diffie-Hellman exchange is performed for each IPSec SA, so compromise of the IKE SA keys does not expose earlier IPSec traffic. With none, no PFS exchange is performed.

Arguments

modp-768 Denote IKE group 1.

modp-1024 Denote IKE group 2.

modp-1536 Denote IKE group 5.

none Do not perform a PFS exchange.

ipsec-gateway# selector <name>

Arguments

name Name assigned to the selector when it was created.

ipsec-gateway# transform <name>

Arguments

name Name assigned to the transform when it was created.

IPSec policy for unknown clients, where the selector is a client selector, is specified by using the ipsec client command:

config_policy# ipsec client <name>

Arguments

name Name of the policy mapping.

Use the following commands to specify the policy mapping:

ipsec-client# user-fqdn <user@domain_name>

Arguments

user@domain_name The client's identity. This information is extracted from the client's certificate during the IKE exchange.

ipsec-client# oakley-group <modp-768 | modp-1024 | modp-1536>

Note: Specifying a group enables Perfect Forward Secrecy for the negotiated SAs.

Arguments

modp-768 Denote IKE group 1.

modp-1024 Denote IKE group 2.

modp-1536 Denote IKE group 5.

ipsec-client# selector <name>

Arguments

name Name assigned to the selector when it was created.

ipsec-client# transform <name>

Arguments

name Name assigned to the transform when it was created.

When IKE and IPSec policies are completely configured, you can apply these changes to the running configuration and save them to the flash file system. If you apply changes but do not save them, the policies are lost when you reboot. You can apply a policy by using the apply command:

config_policy# apply

Policy is saved to flash memory by using the save command:

config_policy# save
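The relationship between selectors, transforms and the ipsec gateway / ipsec client maps described in this section, as an added example (not Nokia's code and not the gateway's actual matching engine): a small Python model that classifies a packet against gateway selectors, client selectors and the policy maps, using the selector and map definitions from the configuration example at the end of this chapter. Assumptions the manual does not state: selectors are evaluated in configured order and the first match wins; a selector matches a flow in either direction; for a client selector the configured local side may be either end of the flow. The drop-udp-seattle and orphan selectors and the identity bob@example.com are constructed for the example.

```python
"""Selector and policy-map lookup modelled on the IPSec policy described above.
Added example, not Nokia's code. Assumptions the manual does not state: selectors
are tried in configured order and the first match wins; a selector matches a flow
in either direction; a client selector's local side may be either end of the flow."""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

TCP, UDP = 6, 17                               # IANA protocol numbers

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: int = 0
    dport: int = 0

def in_net(addr: str, net: str, mask: str) -> bool:
    # address/netmask test; a mask of 255.255.255.255 pins a single host
    return IPv4Address(addr) in IPv4Network(f"{net}/{mask}", strict=False)

@dataclass
class GwSelector:                              # ipsec gw-selector: both ends known
    name: str
    action: str                                # bypass | drop | protect
    src_addr: str
    src_mask: str
    dst_addr: str
    dst_mask: str
    protocol: Optional[int] = None             # None = any protocol
    src_port: int = 0                          # 0 = any port
    dst_port: int = 0
    def matches(self, p: Packet) -> bool:
        if self.protocol is not None and p.proto != self.protocol:
            return False
        fwd = (in_net(p.src, self.src_addr, self.src_mask) and in_net(p.dst, self.dst_addr, self.dst_mask)
               and self.src_port in (0, p.sport) and self.dst_port in (0, p.dport))
        rev = (in_net(p.dst, self.src_addr, self.src_mask) and in_net(p.src, self.dst_addr, self.dst_mask)
               and self.src_port in (0, p.dport) and self.dst_port in (0, p.sport))
        return fwd or rev

@dataclass
class ClSelector:                              # ipsec cl-selector: local side only, remote is a wildcard
    name: str
    action: str
    addr: str
    mask: str
    protocol: Optional[int] = None
    port: int = 0
    def matches(self, p: Packet) -> bool:
        if self.protocol is not None and p.proto != self.protocol:
            return False
        return ((in_net(p.dst, self.addr, self.mask) and self.port in (0, p.dport))
                or (in_net(p.src, self.addr, self.mask) and self.port in (0, p.sport)))

@dataclass
class GatewayMap:                              # ipsec gateway: selector + transform + peer address
    name: str
    selector: str
    transform: str
    src_addr: str
    dst_addr: str
    oakley_group: str = "none"                 # none = no PFS exchange

@dataclass
class ClientMap:                               # ipsec client: selector + transform + user-fqdn identity
    name: str
    selector: str
    transform: str
    user_fqdn: str
    oakley_group: str

# Policy from the chapter's configuration example plus two constructed selectors:
# drop-udp-seattle (a non-protect action) and orphan (a protect selector bound to no map).
SELECTORS = [
    GwSelector("scz-to-seattle", "protect", "172.21.14.0", "255.255.255.0", "172.16.8.0", "255.255.255.0", TCP),
    GwSelector("drop-udp-seattle", "drop", "172.21.14.0", "255.255.255.0", "172.16.8.0", "255.255.255.0", UDP),
    GwSelector("scz-to-minneapolis", "protect", "172.21.14.0", "255.255.255.0", "172.16.10.0", "255.255.255.0"),
    GwSelector("orphan", "protect", "172.21.14.0", "255.255.255.0", "192.0.2.0", "255.255.255.0"),
    ClSelector("to-bob", "protect", "172.21.14.0", "255.255.255.0", TCP),
]
MAPS = [
    GatewayMap("seattle", "scz-to-seattle", "cast_sha", "10.1.1.1", "10.2.87.1", "modp-1536"),
    GatewayMap("minneapolis", "scz-to-minneapolis", "cast_sha", "10.1.1.1", "10.47.1.1", "modp-1024"),
    ClientMap("bob", "to-bob", "blow_md5", "bob@example.com", "modp-1536"),   # identity is a placeholder
]

def lookup(p: Packet, selectors=SELECTORS, maps=MAPS) -> Optional[dict]:
    """Return the policy decision for p, or None when no selector applies."""
    by_selector = {m.selector: m for m in maps}
    for s in selectors:
        if not s.matches(p):
            continue
        if s.action != "protect":
            return {"selector": s.name, "action": s.action}
        m = by_selector.get(s.name)
        if m is None:
            continue                           # orphan protect selector: not applied, decides nothing
        peer = m.dst_addr if isinstance(m, GatewayMap) else m.user_fqdn
        return {"selector": s.name, "action": "protect", "map": m.name,
                "transform": m.transform, "peer": peer, "pfs": m.oakley_group}
    return None
```

Two things the model makes visible that the prose only states: a gateway selector with no protocol matches every protocol between the two networks (the Minneapolis case), and an orphan protect selector never decides a packet, so traffic it was meant to cover falls through to whatever selector comes next (here the client selector, which protects any TCP touching the local network).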

Other PCS Commands

You can define policies offline by using any standard text editor and saving them to an ASCII file. Copy this file to the system flash memory and load it into the system by using the load command:

config_policy# load <filename>

Arguments

filename Name of the file on flash memory.

A loaded file only populates the template; the apply and save commands are still required before the policy takes effect and survives a reboot.

Use the clear command to clear everything from the virtual template that has not been applied. To remove selected configuration units from the template, use the no form of the unit specification. For example, the following command creates an IKE gateway to 198.81.129.99 by using the protection suite named suite_1:

config_policy# ike gateway 198.81.129.99 suite_1

The following command removes the gateway:

config_policy# no ike gateway 198.81.129.99 suite_1

If you use the apply command before you attempt to remove the IKE gateway specification, the specification is not removed, because it has left the template and become part of the system.

Requirements and Limitations

PCS template names (such as IKE and IPSec policy names and selector names) must be fewer than 32 characters (a maximum of 31 characters).

An orphan protect selector (one that is not bound to an IPSec gateway) is not saved or applied.

The name of a protect selector that is bound to an IPSec gateway inherits the name of that gateway when you use an apply command.

You cannot save changes performed in the PCS unless you first use an apply command.

Changes to the configuration made by using PCS do not become part of the system unless you use an apply command. Even then, those changes are lost after a reboot if you do not use a save command.

Summary

IPSec and IKE configuration must be performed in a logical sequence. By following the steps described, in the order described, you can avoid problems.

IKE policy is defined in two steps. First define the policy that governs an IKE SA with any peer. Then define a map of the policy to a particular peer.

IPSec policy is defined in three steps. First define what to protect with a selector. If the selector's action is protect, define how to protect it with a transform. Finally (again only if the action is protect), define a map for the appropriate selector: gateway or client. This map combines the selector and transform with information about the local peer and remote peer. This information includes the address (if a gateway) or the fully qualified domain name identity (if a client).

Example

In this example, the device has an internal protected network of 172.21.14/24, the internal interface is 172.21.14.1, and the external interface is 10.1.1.1. One remote peer is 10.2.87.1 and its internal protected network is 172.16.8/24. A second remote peer at 10.47.1.1 has the protected network 172.16.10/24, and a remote client policy for [email protected] is also present. It is assumed that the user is familiar with the specifics of the policy (the algorithms, Diffie-Hellman group, and so on).

First, define the IKE protection suites, and then the IKE gateways to the peers that use these protection suites. Then define IPSec selectors and IPSec transforms, and combine them all into gateway and client maps.

The pre-shared keys, the md5 hash and the hmac-md5 authenticator in this listing are illustrative only: a production policy should use long random pre-shared keys (or RSA-SIG), sha and hmac-sha. The 0.0.0.0 gateway accepts any initiator, so bind it only to a suite that authenticates by certificate, as done here; a pre-shared-key suite on 0.0.0.0 would mean one shared secret for every client. Note also that the transform keyword appears as authenticator in the listing but as authentication in the command summary above; check which spelling your release accepts before pasting the listing.

# the first IKE protection suite
ike suite first
auth RSA-SIG
cipher cast 128
oakley-group modp-1536
hash sha
lifetime 180
exit

# the second IKE protection suite
ike suite second
auth pre-shared mnbvcxz mnbvcxz
cipher 3des
oakley-group modp-1024
hash sha
lifetime 180
exit

# the third IKE protection suite
ike suite third
cipher blowfish 448
oakley-group modp-1024
hash md5
lifetime 360
auth pre-shared 1234567 1234567
exit

# an IKE group that is "second OR third"
ike group bunch second third

# IKE gateways for two VPNs and one for the client
ike gateway 10.2.87.1 bunch
ike gateway 10.47.1.1 second

# 0.0.0.0 denotes "all" since the client IP address is unknown;
# this becomes the "default" client policy
ike gateway 0.0.0.0 first

# IPSec transform of AH by using hmac-md5 and ESP by using Blowfish
ipsec transform blow_md5
authenticator hmac-md5
cipher blowfish 128
mode tunnel
protocol ah-esp
lifetime kbyte 50
lifetime min 600
exit

# IPSec transform of ESP by using hmac-sha and CAST
ipsec transform cast_sha
authenticator hmac-sha
cipher cast 64
protocol esp
lifetime kbyte 10
exit

# IPSec transform of ESP by using hmac-md5 and 3DES
ipsec transform 3des_md5_esp
authenticator hmac-md5
cipher 3des
mode tunnel
protocol esp
exit

# selector for the first VPN from Santa Cruz to Seattle:
# protect TCP from 172.21.14/24 to 172.16.8/24
ipsec gw-selector scz-to-seattle
src-addr 172.21.14.0
src-mask 255.255.255.0
dst-addr 172.16.8.0
dst-mask 255.255.255.0
action protect
protocol TCP
exit

# selector for the second VPN from Santa Cruz to Minneapolis:
# protect all traffic from 172.21.14/24 to 172.16.10/24
ipsec gw-selector scz-to-minneapolis
src-addr 172.21.14.0
src-mask 255.255.255.0
dst-addr 172.16.10.0
dst-mask 255.255.255.0
action protect
exit

# client selector for someone from an unknown IP address:
# protect TCP from anywhere to 172.21.14/24
ipsec cl-selector to-bob
addr 172.21.14.0
mask 255.255.255.0
action protect
protocol TCP
exit

# client policy map for Bob ([email protected]). Combine
# his client selector and a transform described above.
ipsec client bob
selector to-bob
transform blow_md5
oakley-group modp-1536
user-fqdn [email protected]
exit

# gateway policy map for the VPN to Seattle. Combine the
# Seattle selector with a transform and specify the VPN endpoints.
ipsec gateway seattle
selector scz-to-seattle
transform cast_sha
dst-addr 10.2.87.1
src-addr 10.1.1.1
oakley-group modp-1536
exit

# gateway policy map for the VPN to Minneapolis. Similar
# to the preceding Seattle policy map.
ipsec gateway minneapolis
selector scz-to-minneapolis
transform cast_sha 3des_md5_esp
src-addr 10.1.1.1
dst-addr 10.47.1.1
oakley-group modp-1024
exit

# propagate these policies to the system
apply

# if you like how it works, save it to flash memory
save
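Because a policy can be written offline and brought in with the load command, it is worth checking the file against the Requirements and Limitations before loading it. The following linter is an added example, not Nokia's code or a Nokia tool: it parses the block syntax used in the listing above (blocks opened by ike suite, ipsec transform, ipsec gw-selector, ipsec cl-selector, ipsec gateway and ipsec client and closed by exit; ike group and ike gateway on one line) and reports over-long names, dangling references, orphan protect selectors, and weak algorithm choices. The 20-character pre-shared-key threshold and the embedded sample policy (a cut-down version of the listing, with a reference to an undefined suite and an unbound selector added) are constructed for the example.

```python
"""Lint an offline PCS policy file before loading it with the load command.
Added example, not Nokia's code: parses the block syntax of the configuration
example above and checks the Requirements and Limitations plus some crypto
hygiene. The 20-character pre-shared-key threshold is this example's own choice."""
BLOCKS = ("ike suite", "ipsec transform", "ipsec gw-selector",
          "ipsec cl-selector", "ipsec gateway", "ipsec client")
ONE_LINERS = ("ike group", "ike gateway")
MAX_NAME = 31                       # PCS names must be fewer than 32 characters
WEAK = {"hash": {"md5"}, "cipher": {"des"}, "oakley-group": {"modp-768"},
        "authenticator": {"hmac-md5"}, "authentication": {"hmac-md5"}}

def parse(text):
    """Return {kind: {name: {keyword: [[args], ...]}}}; one-liners map name -> args."""
    cfg, block = {k: {} for k in BLOCKS + ONE_LINERS}, None
    for raw in text.splitlines():
        words = raw.split("#", 1)[0].split()    # drop comments and blank lines
        if not words:
            continue
        if block is not None:                   # inside a block until exit
            if words[0] == "exit":
                block = None
            else:
                block.setdefault(words[0], []).append(words[1:])
            continue
        kind = " ".join(words[:2])
        if kind in BLOCKS:
            block = cfg[kind].setdefault(words[2], {})
        elif kind in ONE_LINERS:                # apply, save and the like are not policy units
            cfg[kind][words[2]] = words[3:]
    return cfg

def first(block, key):
    return block.get(key, [[]])[0]              # args of the first occurrence of key, [] if absent

def lint(text):
    cfg, out = parse(text), []
    suites, groups, transforms = cfg["ike suite"], cfg["ike group"], cfg["ipsec transform"]
    for kind, units in cfg.items():
        out += [f"ERROR: {kind} {n}: name longer than {MAX_NAME} characters" for n in units if len(n) > MAX_NAME]
    for peer, ref in cfg["ike gateway"].items():   # exactly one suite or group per peer
        if len(ref) != 1 or (ref[0] not in suites and ref[0] not in groups):
            out.append(f"ERROR: ike gateway {peer}: needs one existing suite or group, got {ref}")
    for name, s in suites.items():
        auth = first(s, "auth")
        if auth[:1] == ["pre-shared"] and any(len(k) < 20 for k in auth[1:]):
            out.append(f"WARN: ike suite {name}: pre-shared key shorter than 20 characters")
    bound = set()                                  # selectors referenced by some map
    for kind, sels, need in (("ipsec gateway", "ipsec gw-selector", ("src-addr", "dst-addr")),
                             ("ipsec client", "ipsec cl-selector", ("user-fqdn",))):
        for name, m in cfg[kind].items():
            sel = first(m, "selector")
            if sel[:1] and sel[0] in cfg[sels]:
                bound.add(sel[0])
            else:
                out.append(f"ERROR: {kind} {name}: selector {sel} is not an existing {sels}")
            out += [f"ERROR: {kind} {name}: unknown transform {t}"
                    for t in (first(m, "transform") or ["<missing>"]) if t not in transforms]
            out += [f"ERROR: {kind} {name}: missing {k}" for k in need if k not in m]
    out += [f"WARN: {kind} {name}: orphan protect selector; it will not be saved or applied"
            for kind in ("ipsec gw-selector", "ipsec cl-selector") for name, s in cfg[kind].items()
            if first(s, "action")[:1] == ["protect"] and name not in bound]
    out += [f"WARN: {kind} {name}: {key} {first(u, key)[0]} is weak by current standards"
            for kind in ("ike suite", "ipsec transform", "ipsec gateway", "ipsec client")
            for name, u in cfg[kind].items() for key, bad in WEAK.items()
            if first(u, key)[:1] and first(u, key)[0] in bad]
    return out

# Constructed sample: the listing above cut down (masks omitted), plus a reference
# to an undefined IKE suite (second) and a protect selector (scz-to-nowhere) bound to no map.
SAMPLE = """\
ike suite third
 hash md5
 auth pre-shared 1234567 1234567
exit
ike gateway 10.2.87.1 third
ike gateway 10.47.1.1 second
ipsec transform cast_sha
 authenticator hmac-sha
 cipher cast 64
 protocol esp
exit
ipsec gw-selector scz-to-seattle
 src-addr 172.21.14.0
 dst-addr 172.16.8.0
 action protect
exit
ipsec gw-selector scz-to-nowhere
 src-addr 172.21.14.0
 dst-addr 192.0.2.0
 action protect
exit
ipsec gateway seattle
 selector scz-to-seattle
 transform cast_sha
 dst-addr 10.2.87.1
 src-addr 10.1.1.1
exit
"""

def lint_sample():
    return lint(SAMPLE)
```

Run lint over the file you intend to load; ERROR lines are things the gateway will reject or silently discard (an orphan selector is a WARN only because the gateway accepts the file and then drops the selector at apply time, which is easy to miss).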


6 Configuring Firewall and Network Address Translation

This chapter describes the firewall and Network Address Translation (NAT) subsystem in the Nokia IP VPN Gateway, and provides a summary of the command-line interface (CLI) commands that you can use to configure and control the behavior of the firewall. The firewall configuration mode allows you to control some of the timeouts associated with the firewall as well as define the firewall rules.

Note: To view the current state of the firewall and NAT subsystems, use the show firewall and show nat commands from command mode (>). To clear and reset the firewall and NAT state tables, use firewall clear-state and nat clear-state <link-id> (see Table 12).

When you configure the firewall by using the Nokia VPN Manager software, you can define the Advanced Mode firewall rules by using the same syntax for rules as in the CLI. For more information about defining Advanced Mode firewall rules from VPN Manager, see the Nokia IP VPN Gateway Configuration Guide v6.3.

Overview

The firewall and NAT subsystem in the Nokia IP VPN Gateway:

Provides a stateful firewall with a limited set of application layer gateways and full NAT capabilities.
Is fully cluster-aware, providing a high-availability solution by sharing firewall and NAT state information across all nodes in a cluster.

From VPN Manager, you can define firewall and NAT rules by using Basic, Intermediate, and Advanced modes. The Advanced mode of VPN Manager gives you the same power and flexibility for firewall and NAT behavior as is available in the CLI. The Basic and Intermediate modes provide less flexibility, but are designed to handle the majority of firewall configuration environments.

You can use the CLI to:

Monitor and control the state of the firewall and NAT subsystem.
Display the firewall state table and rules, along with statistics and other performance information.
Clear the firewall and NAT state tables from the command line for debugging purposes.

In an environment that uses the CLI entirely for configuration and does not use VPN Manager, you can also use the CLI to define firewall rules and manage the firewall rule sets.Figure 1 presents a simplified version of the flow of a new session packet through the VPN gateway, and shows the relationship between the firewall and NAT function and the VPN function.

Figure 1 Packet Flow for VPN Designers

The firewall and NAT capabilities of the VPN gateway are fully integrated into an ordered, rule-based configuration. When the firewall and NAT subsystem is enabled, each IP datagram is inspected by it. A set of ordered rules, evaluated from first to last, is matched against the IP datagram. When a rule matches a datagram, the action of the rule is taken. The available actions are:

pass: allow the datagram through
drop: do not allow the datagram to pass
translate: allow the datagram through, also applying NAT

The VPN firewall is a first-match firewall: the first rule that matches a datagram determines the action that the firewall and NAT subsystem take on that datagram. Rule order therefore matters; a broad pass rule placed early shadows every more specific drop rule that follows it.

Because the firewall and NAT subsystem is fully stateful, the firewall and NAT state tables are consulted before the rule base, and datagrams that match existing flows are passed or translated through the firewall without consulting the rules. The subsystem keeps state for TCP connections as well as for UDP and ICMP traffic. Non-IP traffic (such as Novell IPX or DECnet) is not recognized or passed by the firewall.


Managing the Firewall Using the CLIYou can use the CLI to manage and monitor the firewall and NAT subsystem, and to provide configuration information for the firewall and NAT subsystem.

NoteYou must use either the CLI or VPN Manager for configuration, but not both. When you apply changes by using VPN Manager, configuration changes you made by using the CLI are overwritten in the configuration files. If you change the configuration of the firewall and NAT subsystem by using the CLI, the next time you apply changes from VPN Manager, changes made by using the CLI are lost, and the configuration of the firewall and NAT subsystem is determined by VPN Manager.

However, you can use the CLI for certain basic firewall debugging and management even when VPN Manager handles the configuration. You might not use the CLI for daily operations, but the CLI commands are useful for debugging and monitoring the operation of the firewall and the NAT subsystem. Table 12 lists the CLI commands that you can use to manage the firewall and NAT subsystem.

Table 12 Firewall and NAT Subsystem Commands

Command Description

clear nat <link-id> For more information about this command, see nat clear-state <link-id>.

firewall clear-state Clears all firewall and NAT state table entries.

firewall disable Disables the firewall and NAT subsystem.

firewall enable Enables the firewall and NAT subsystem.

firewall rate-limit Enables or displays firewall rate-limiting features.

nat clear-state <link-id> Clears a single NAT state table entry.

show firewall Shows the state of the firewall, statistics about the firewall, and the firewall rule set and configuration.

show nat Shows the NAT state table, statistics about NAT processing, and other NAT-related information.

configure firewall Enter firewall configuration mode.

Default Firewall Behavior

When a VPN gateway is first booted, and before it is configured, the firewall and NAT subsystem is enabled. A set of automatic rules is applied when the firewall is enabled and before you load your own rule set into the firewall. Automatic rules are deleted as soon as you load a rule set into the firewall, either by using the CLI or VPN Manager.

Although it is not always shown in all displays, whenever the firewall is enabled there is an implicit drop-all rule that is always the final rule in the firewall. There is no way to delete this final rule, although you can add a pass-all rule before it that effectively negates this behavior. Doing so turns the firewall into a pass-by-default device, so treat a trailing pass-all rule as a deliberate, reviewed decision.

Once a VPN gateway is installed by using VPN Manager, the firewall is either immediately disabled or, if it is enabled, the configuration of the firewall is determined by the rule set selected in VPN Manager. The choice of whether the firewall is enabled or disabled is made by the network manager installing the gateway.

The default firewall rule set can be examined by using the following CLI command:

> show firewall

For more information about the show firewall command, see show on page 105.

This rule set can and will change slightly from version to version of the Nokia AOS Kernel. The automatic rule set also changes depending on the features that are enabled in the gateway, such as clustering or DHCP client. However, the default firewall (and NAT) rule set is only designed to allow communications to and from the VPN gateway (or cluster, if a cluster is being installed). The default rule set never allows traffic through the gateway, only to or from the gateway. The automatic rule set cannot be changed by the network manager; it is removed only when you add new rules to the firewall. The goal of the automatic rule set is to protect the gateway and the networks behind it during installation, before the firewall is fully configured.

The default firewall rule set includes rules that allow traffic to the VPN gateway for:

Monitoring and management purposes.
Establishing and maintaining IPSec and L2TP tunnels (including tunnels over NAT using NAT traversal ports).
Responding to ICMP PING (echo request) packets.
Allowing Nokia-proprietary cluster communications.

When you manage the firewall by using the CLI, you also have the option of specifying the IP address of a VPN Manager management station when enabling the firewall. The syntax for this command is:

firewall enable policy-manager <dotted.ip.address>

For example:

firewall enable policy-manager 10.245.12.222

When you use this variation of the firewall enable command, the firewall and NAT subsystem adds two fixed rules to the firewall configuration specifically to allow communication with VPN Manager on the standard Nokia management port (TCP port 9876). Unlike the other automatic rules created when the firewall is first enabled, these rules (allowing communication between the VPN gateway and that particular VPN Manager IP address) are not removed when other firewall rules are added. Give only the real management station's address here, because these two rules remain in force for as long as the firewall is enabled with this option.


Configuring the Firewall

Firewall management using the CLI operates at three different levels, each with its own mode, as shown in Table 13.

Command mode (>): enable and disable the firewall, view statistics, and clear state tables.
Firewall configuration mode: define the rule sets used in the firewall as well as manage certain timeouts. You can also import and export rules, apply rules to the current firewall, and save the configuration to FLASH memory so that it is used the next time the gateway boots.
Rule definition mode: define the actual rules used in the firewall.

The following sections describe the three modes and the commands that you can use in each of them.

Table 13 Configuration Modes

CLI Mode and Prompt Capabilities

Command mode (>) Enable and disable the firewall; clear firewall state; display firewall statistics, state tables, and rules.

Configuration mode: config_firewall# (enter by using the command configure firewall; exit to command mode by using the command exit) Define and clear rules; apply rules to the running firewall; define timeouts; save rules to FLASH; import and export rules; display rules.

Rule definition mode: rule-list# (enter by using the command rule-list; exit to configuration mode by using the command end) Define firewall and NAT rules.

Command Mode Commands

Use the command mode commands to manage the firewall and NAT subsystem. Table 14 summarizes and discusses these commands.


Table 14 CLI Command Descriptions

Command Description

clear nat <link-id> For more information about this command, see nat clear-state <link-id>.

firewall clear-state Clears all firewall and NAT state table entries. This has the effect of disabling any existing TCP connections (or UDP flows) both to and through the VPN gateway.

CautionUse this command with care, especially if you are connected to the gateway through a TELNET or SSH session.

firewall disable Disables the firewall and NAT subsystem. All packets flow through the VPN gateway without firewalling. However, all packets are still subject to the Security Policy database rules, which may include drop, bypass, and protect options.

firewall enable Enables the firewall and NAT subsystem.

firewall rate-limit
firewall rate-limit <number>

Enables or displays firewall rate-limiting features.If entered as firewall rate-limit, displays the current rate limiting set for the firewall (Default: unlimited).If entered as firewall rate-limit <number>, sets a maximum rate at which new state entries can be added to the firewall, per second. This can be used to provide a simple rate limiting or Denial of Service protection to networks protected by the VPN gateway.

nat clear-state <link-id> Clears a single NAT state table entry. This deletes the NAT state table entry, which has the effect of disabling any existing TCP or UDP flows that use this state table entry. There is no form to delete all NAT state table entries; use the firewall clear-state command to clear all NAT and firewall state table entries.

show firewall Shows the state of the firewall, statistics about the firewall, and the firewall rule set and configuration.

show firewall full Shows the state of the firewall, each of the firewall rules, and both the number of times each rule has been matched as well as the number of bytes of traffic each rule has passed or blocked. The count of state table hits and passed traffic (in bytes) is also given.


show firewall state Displays the firewall state table, as well as counters on the number of state table hits and misses, maximum counts, and errors caused by insufficient memory.

show firewall statistics Displays statistics on firewall actions, including drop and pass rules and logging, subdivided into several categories.

show nat arp Displays the mapping between NAT entries and MAC addresses.

show nat state Displays the NAT state table.

show nat statistics Displays statistics on the operation of the NAT subsystem.

configure firewall Enter firewall configuration mode.

debug nat Enables debugging on the NAT subsystem. You need to use other commands, such as log enable, to actually see debugging messages, depending on the system configuration and how you are connected to the VPN gateway.

In addition, you can use the following command mode commands to enable and disable the firewall and NAT subsystem in saved configurations:

enable firewall
disable firewall

Firewall Configuration Mode

In firewall configuration mode, you can clear and define firewall rules, apply rule sets to the running firewall, define firewall timeouts, show and save rule sets, and import and export rule sets from local flash storage or from a network file server.

In firewall configuration mode, you work with a workspace of firewall rules that is separate and distinct from the set of rules in the running firewall. When you first enter firewall configuration mode, the running configuration is copied to the configuration rule workspace. Changes you make to the workspace do not affect the running firewall until you apply them (which pushes them to the running firewall) or save them (which writes them to FLASH to be used the next time the VPN gateway boots). You can also clear the configuration rule workspace, and import and export rules between the workspace and either local FLASH files or files on TFTP or NFS file servers. If you exit without saving or applying the changes, the changes are lost.


Note: Changes to the firewall rule sets do not take effect immediately. To make changes affect the running firewall, you must use the apply command.

To enter firewall configuration mode, enter the following command at the CLI command mode (>):

> configure firewall

To exit firewall configuration mode and return to command mode, enter the following command at the config_firewall# prompt:

config_firewall# exit

If you have changed the workspace but not applied it, the gateway warns you when you exit. To discard the changes, type exit again. To push them to the running firewall instead, type apply (followed by save if they are to survive a reboot), after which exit returns you to command mode:

config_firewall# apply
config_firewall# save
config_firewall# exit

The following CLI fragment shows ending rule definition mode, and then the gateway prompt when you attempt to exit without applying the changes:

rule-list# end
config_firewall# exit
WARNING! Changes were done to the packet filter rules and have not been applied to the system yet.
Type 'exit' (changes will be lost) or 'apply' (to apply the changes).
config_firewall# exit
>

Table 15 lists the commands available in firewall configuration mode.

Table 15 Firewall Configuration Mode Commands

Command Description

apply Applies configured rules to the currently running firewall.

clear Deletes the configured rules. Does not affect the currently running firewall.

clear icmp-timeout
clear tcp-timeout
clear udp-timeout Deletes the configured ICMP (or TCP or UDP) timeout parameter, replacing it with the default.

export <filename> Exports the configured rules to a file, either on the local flash or to a network file server (using tftp:// or nfs:// syntax).

import <filename> Imports a file of firewall rules into the configured rules, either from local flash or from a network file server.

icmp-timeout <value>
tcp-timeout <value>
udp-timeout <value> Defines the firewall's global ICMP (or TCP or UDP) idle timeout parameter.

rule-list Enters firewall rule configuration mode, appending any rules to the existing rule set.

save Saves the configured firewall rules to the local system configuration. These rules are used on the next system boot.

show Shows the configured rule set, which may not match the currently running firewall rules.

apply

Use the apply command to copy newly defined rules from the configuration rule workspace to the currently running firewall. When you apply rules, you can either clear all firewall state tables (which disrupts any current connections, possibly including the SSH or Telnet console session you are using to define the firewall rules) or leave the firewall state tables intact, allowing all existing stateful TCP, UDP, and ICMP sessions to terminate gracefully.

Note: The apply command does not save the configuration to flash, so if the gateway is rebooted the configuration is lost. To save the configuration to flash, you must use the save command.

Syntax

config_firewall# apply

config_firewall# apply keep-state

Arguments

keep-state If keep-state is specified, all existing connections are retained and allowed to complete, whether or not they satisfy the new rule set being applied. Bear this in mind when the purpose of the new rule set is to cut off an unwanted flow: an already-established flow survives apply keep-state, so use plain apply (or firewall clear-state) when existing sessions must be terminated.

If keep-state is not specified, all existing firewall and NAT state table entries are cleared and the rules are copied from the configuration rule workspace to the running firewall.

clear

Use the clear command to clear all firewall rules from the configuration rule workspace. Because the configuration rule workspace is copied from the running firewall when you enter firewall configuration mode, you may want to clear the workspace before you enter new rules or import rules from a file. If you do not clear the workspace, any rules you enter by using the rule-list command are appended to the existing set of rules in the configuration rule workspace.

You can also use the clear command to remove configuration information for the ICMP, TCP, and UDP timeout parameters. If these configuration entries are removed, the Nokia-defined defaults apply.

Syntax

config_firewall# clear

config_firewall# clear icmp-timeout

config_firewall# clear tcp-timeout

config_firewall# clear udp-timeout

Example

config_firewall# clear icmp-timeout
config_firewall# clear tcp-timeout
config_firewall# clear udp-timeout
config_firewall# clear
config_firewall# apply
firewall: 'apply' aborted due to empty ruleset.
firewall: failed to apply firewall config.
config_firewall# save
config_firewall#

As the output shows, the gateway refuses to apply an empty workspace, so clear on its own cannot be used to open the firewall; the running rule set remains in force until a non-empty rule set is applied.

export

Use the export command to export the configuration rule workspace to a file. Rules are written in normal ASCII. To export the file to a remote file server, you may use the tftp:// or nfs:// forms of file names supported by the gateway CLI. Both TFTP and NFS transfer the rule set unauthenticated and in the clear, so export to a remote server only over a trusted management network.

Syntaxconfig_firewall# export <filename> <CR>

Exampleconfig_firewall# export flash:my-test-rules.txt

config_firewall# export tftp://10.245.12.222/firewall.rulesconfig_firewall# export pccard1:ginger.firewall-rules

import Use the import command to import firewall rules from an ASCII file. The file must be in the form of a sequence of rules that are accepted by the firewall configuration mode (that is, as if you were to type them in to the rule-list command). To import a file from a remote file server, use the tftp:// or nfs:// forms of file names supported by the gateway CLI.

clear icmp-timeout ICMP timeout value is cleared from the configuration and the defined default of 60 seconds is used by the firewall.

clear tcp-timeout TCP timeout value is cleared from the configuration and the defined default of 432,000 seconds (5 days) is used by the firewall.

clear udp-timeout UDP timeout value is cleared from the configuration and the defined default of 120 seconds is used by the firewall.

Arguments

<filename> May refer to any file system and filename recognized by the local CLI. Depending on the hardware available, this may include one or more flash memory cards. Remote file servers accessible through NFS or TFTP may also be part of the file system.

Nokia IP VPN Gateway Command-Line Summary v6.3 265

6 Configuring Firewall and Network Address Translation

NoteBefore you import firewall rules from a file using the import command, you may want to clear the existing firewall rules from the configuration rule workspace using the clear command. If you do not use the clear command, the rules you import are appended to the existing rules in the configuration workspace.

Syntax

config_firewall# import <filename>

Exampleconfig_firewall# import flash:my-test-rules.txt

config_firewall# import tftp://10.245.12.222/firewall.rulesconfig_firewall# import pccard1:ginger.firewall-rules

icmp-timeout, tcp-timeout, and udp-timeoutUse the icmp-timeout, tcp-timeout, and udp-timeout commands to set the firewall timeouts for established connections. ICMP and UDP do not have true connections in the same sense that TCP does. Therefore, the timeouts for ICMP and UDP are applied to any connection set up by the firewall that is idle. When a connection state entry for a UDP or ICMP session is idle for the timeout value, it is removed from the state table. Because there is no graceful session teardown for ICMP or UDP, the timeout is the only way that ICMP or UDP state will be removed from the firewall state tables.TCP timeout is also used on idle connections. However, TCP does have a graceful teardown mechanism. The TCP timeout is only used when a TCP connection is not torn down (or reset), but is idle with no traffic in either direction.

Syntax

config_firewall# icmp-timeout <timeout>

config_firewall# tcp-timeout <timeout>

config_firewall# udp-timeout <timeout>

Arguments

<filename> May refer to any file system and filename recognized by the local CLI. Depending on the hardware available, this may include one or more flash memory cards. Remote file servers accessible through NFS or TFTP may also be part of the file system.

266 Nokia IP VPN Gateway Command-Line Summary v6.3

Configuring the Firewall

Exampleconfig_firewall# icmp-timeout 117

config_firewall# tcp-timeout 555

config_firewall# udp-timeout 10

rule-listThe rule-list command allows you to define new firewall rules. To enter rule definition mode from firewall configuration mode (config_firewall#), use the following command:config_firewall# rule-list

When you enter rule definition mode, the CLI prompt of the gateway changes to: rule-list#.

NoteBefore you begin with the rule definition mode, you may want to clear the existing firewall rules in the configuration rule workspace using the clear command. If you do not use the clear command, any rules entered in rule definition mode are appended to the end of the existing rules in the workspace.

To exit rule definition mode, enter the following command:rule-list# end

For more information about the rule-list command, see “Rule Definition Mode” on page 269.

Syntax

config_firewall# rule-list

Arguments

icmp-timeout <timeout> ICMP timeout for pseudo-connections. The timeout value must be in the range of 1 second to 86400 seconds (1 day).Default value: 60 seconds

tcp-timeout <timeout> TCP timeout for the connections.The timeout value must be in the range of 1 second to 86400 seconds (1 day).Default value: 432000 seconds (5 days), which cannot be set.

udp-timeout <timeout> UDP timeout for pseudo-connections. The timeout value must be in the range of 1 second to 86400 seconds (1 day).Default value: 120 seconds


Example

config_firewall# rule-list

rule-list# match all target drop log

rule-list# end

config_firewall#
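The state-table behaviour described for icmp-timeout, tcp-timeout, and udp-timeout above, as an added illustration that is not part of this manual or of Nokia's firewall code: a small model of the three global timeouts and of how idle flow entries age out. The defaults (60, 432000, and 120 seconds) and the 1 to 86400 second range are the values given in this chapter; the state-table keys, the sample flows, and the rule that a single FIN or RST ends a TCP entry are constructed simplifications.

```python
"""Model of firewall state-table aging under the ICMP, TCP and UDP timeouts
(added illustration, not Nokia's implementation)."""

DEFAULT_TIMEOUT = {"icmp": 60, "tcp": 432000, "udp": 120}  # seconds, from this chapter
MIN_TIMEOUT, MAX_TIMEOUT = 1, 86400                        # configurable range, 1 s to 1 day


class FirewallTimeouts:
    """The three global timeouts: a configured value, or the Nokia-defined default."""

    def __init__(self):
        self.configured = {}

    def set_timeout(self, proto, seconds):
        """icmp-timeout / tcp-timeout / udp-timeout <timeout>."""
        if proto not in DEFAULT_TIMEOUT:
            raise ValueError("unknown protocol: " + proto)
        if not MIN_TIMEOUT <= seconds <= MAX_TIMEOUT:
            # The TCP default of 432000 s lies outside this range, which is why the
            # chapter says the default "cannot be set" explicitly.
            raise ValueError("timeout must be %d..%d seconds" % (MIN_TIMEOUT, MAX_TIMEOUT))
        self.configured[proto] = seconds

    def clear_timeout(self, proto):
        """clear icmp-timeout / clear tcp-timeout / clear udp-timeout: back to the default."""
        self.configured.pop(proto, None)

    def timeout(self, proto):
        return self.configured.get(proto, DEFAULT_TIMEOUT[proto])


class StateTable:
    """Flow entries keyed by a constructed (proto, src, sport, dst, dport) tuple;
    the value is the time (seconds) of the last packet seen in either direction."""

    def __init__(self, timeouts):
        self.timeouts = timeouts
        self.entries = {}

    def seen(self, key, now, tcp_flags=""):
        """Record a packet of a new or existing flow at time `now`."""
        proto = key[0]
        # TCP has a graceful teardown, so a FIN or RST ends the entry at once (simplified:
        # a real firewall tracks the FIN exchange in both directions).  ICMP and UDP have
        # no teardown, so their entries can only leave the table by idling past the timeout.
        if proto == "tcp" and ("F" in tcp_flags or "R" in tcp_flags):
            self.entries.pop(key, None)
            return
        self.entries[key] = now

    def expire(self, now):
        """Remove entries idle for at least their protocol's timeout; return the keys removed."""
        dead = [k for k, last in self.entries.items()
                if now - last >= self.timeouts.timeout(k[0])]
        for k in dead:
            del self.entries[k]
        return dead
```

Running the model with the values from the example above (icmp-timeout 117, udp-timeout 10) shows the asymmetry the text describes: a UDP entry disappears ten seconds after its last packet, an ICMP entry after 117, while an idle TCP entry survives a full day and is removed immediately once a FIN or RST is seen.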

save

Use the save command to save the current configuration rule workspace to the flash configuration. The firewall rules are stored in the gen_info.txt file, with an associated version number within the file itself. Upon rebooting, the gateway loads the most recently saved rule list from the gen_info.txt file.

Note
The save command does not affect the currently running firewall rule set. You can only save firewall rules that have been applied to the currently running firewall. To apply the current configuration rule workspace and replace the firewall rules currently in operation, use the apply command before saving.

Syntax

config_firewall# save

Example

config_firewall# save

firewall: WARNING!Modified rules have not been applied to the system yet.

firewall: type 'apply' first and then 'save'.

config_firewall# apply

config_firewall# save

config_firewall#

show

Use the show command to display the firewall rules currently in the configuration rule workspace. The show command also displays any non-default ICMP, TCP, and UDP timeout values.

Note
The show command does not show the running rules in the firewall, although the running firewall rules are copied to the configuration rule workspace when you first enter firewall configuration mode.

Syntax

config_firewall# show

Example

config_firewall# show

Firewall Connection Time out Table

Tcp Timeout :555

Udp Timeout :10

Icmp Timeout :117

Firewall Rules:

1 match from any to broadcast target pass

2 match all target drop log

# DEFAULT match from any to any target drop

config_firewall#

Rule Definition Mode

You can enter firewall rules by using a console terminal session and rule definition mode, or you can import firewall rules into the configuration rule workspace by using the import command in firewall configuration mode. The same syntax is used for firewall rules whether they are part of a CLI-based firewall configuration or are used in the Advanced configuration part of the VPN Manager. The three ways of defining firewall and NAT rules are summarized in Table 16.

No matter how firewall and NAT rules are defined, they are all evaluated in the same way. The firewall matches the rules in the same order in which the rules are added.

The following sections use the rule definition mode (using the rule-list command to define new firewall rules) in the examples. However, the rules in these examples and all of the syntax of firewall and NAT rules apply equally no matter what mode is used to add the rules to the gateway. To enter rule definition mode from firewall configuration mode (config_firewall#), use the following command:

config_firewall# rule-list

Table 16 Defining Firewall and NAT Rules

Method  Description

Rule definition mode  Enter rule definition mode from firewall configuration mode using the rule-list command. Enter the rules one at a time and exit using the end command.

Firewall configuration mode  Import rules by using the import command to pull from a file on flash or a remote file server (TFTP or NFS).

VPN Manager  Enter the rules by using a simple text editor in VPN Manager when Advanced firewall configuration mode is selected.

When you enter rule definition mode, the CLI prompt of the gateway changes to rule-list#. To exit rule definition mode, enter the following command:

rule-list# end

The following example illustrates entering rule definition mode, adding a single rule to the end of the current firewall list, and exiting rule definition mode:

config_firewall# rule-list

rule-list# match all target drop log

rule-list# end

config_firewall#

Note
When you enter firewall configuration mode, the existing running firewall rules are copied from the firewall into the configuration rule workspace. This means that any import commands in firewall configuration mode, or rule-list commands entering rule definition mode, will add new rules to the end of the list of existing rules. If you want to clear the configuration rule workspace before adding rules, use the clear command.

Figure 2 gives an overview of how rules move in and out of the configuration rule workspace and the running firewall and NAT subsystem.


Figure 2 Overview

Overview of Firewall Rule Syntax

You can define firewall rules to match certain types of TCP/IP flows, and qualify those flows based on other traffic characteristics, such as the source interface or tunnel, or IP or TCP options. When you have matched a TCP/IP flow, you can specify three general actions: pass (allow this flow to continue), drop (block this flow), and translate (pass this flow and apply Network Address Translation transformations). Firewall rules also have some optional parameters to assist in management, such as logging options.

Both firewall pass and drop rules and NAT translate rules are intermixed in the same rule base. As the firewall and NAT subsystem evaluates rules, it takes the action based on the first matching rule, whether NAT translation, pass, or drop. When a rule specifies that stateful firewalling or NAT translation should be performed, the firewall creates a state table entry ahead of the rule base that will pass through (and possibly NAT) traffic within defined and permitted flows. Figure 3 shows the general structure of all firewall and NAT rules.


Figure 3 Structure of Firewall and NAT Rules

Every rule must have two main parts:

• A MATCH clause that specifies the interfaces, source IP and port, destination IP and port, and other IP options to match the flow with.

• A TARGET clause that specifies the action to take on the flow.

Within the MATCH and TARGET clauses, there are a large number of options that can be used to provide more specific or less specific matches and actions.

Optionally, any rule can also have a LOG clause that gives you the ability to log both rule matches and the actual traffic within them. Figure 4 breaks up firewall rules into more specific sections, highlighting the MATCH, TARGET, and LOG clauses separately. The following three sections detail each of the three clauses and the complete syntax of each component of the firewall rule.

Figure 4 Sections of Firewall Rules

MATCH Clauses in Firewall Rules

You use the MATCH clause in a firewall rule to indicate the flow (or what single IP datagram, if you are not using the stateful features of the firewall in a rule) you want this rule to match. A flow is described by attributes of the first packet, including source and destination addresses and ports, along with other flow attributes, such as the interface or tunnel the flow will use. You also have the ability to be very specific with some IP and TCP options in defining flows in the MATCH clause, although these are less common.


To understand the MATCH clause, it is helpful to divide it into four parts: interface source, source IP and port, destination IP and port, and other qualifiers. Figure 5 displays these further qualifiers.

Figure 5 Match Clause

Source Interface Matching in MATCH Clauses

The first part of the MATCH clause is the optional source interface. This is the interface that the first IP datagram of the flow originates on. This qualifier to the clause is optional; if it is omitted, then an implicit ON ANY is assumed, which means that any interface can match this subclause. Because most flows are bi-directional, the source interface only applies to the first datagram in the flow. Any datagrams that are permitted by a stateful flow in the reverse direction will have a destination interface as specified by the MATCH clause.

If you want to specify a destination interface rather than a source interface, this is also possible, but you must specify the destination interface as part of the destination matching part of the rule (the TO qualifier of the MATCH clause).

The actual interfaces allowed in a source interface match subclause are dependent on the exact hardware model of the Nokia IP VPN Gateway, because different models of the Nokia IP VPN Gateway support different sets of interfaces. Table 17 provides a list of the most common interfaces and other interfaces that may be specified in the ON qualifier.

Table 17 Common Interfaces

ON <intf-spec>  Description

ON eth-1, ON eth-2, ON eth-3  Packets arriving on the ETH-1 (or ETH-2, ETH-3) interface of the VPN gateway.

ON internal  Packets arriving on an interface marked as internal (that is, inside the protected network).

ON external  Packets arriving on an interface marked as external (that is, outside the protected networks, towards the Internet).

ON local  Packets that are originated from the VPN gateway itself (for example, management traffic).

ON tunnel  Packets coming over a tunnel that terminates on the VPN gateway. These are typically encrypted packets.

ON any  Packets coming over any interface, including local and tunnel interfaces. This is the default if no ON subclause is given.


Source IP Matching in MATCH Clauses

The source IP of the first datagram of the flow can be specified to include (or exclude) IP addresses and subnets, as well as groups of addresses. The source IP matching optionally can include the UDP or TCP port number of the datagram.

The Source IP matching subclause (the subclause beginning with FROM) is not required. However, if no FROM subclause is present, then the keyword ALL must be used to specify all source and destination IP addresses and ports.

Any IP address can also be qualified by NOT, meaning that the source IP matches all IP addresses except those specified in the rule. The syntax of the FROM clause is:

FROM [NOT] <ANY | ANY-INSIDE | ANY-OUTSIDE | BROADCAST | LOCAL | <ip/mask> | <host> > [PORT < EQ | NE | LT | GT | LE | GE> <port>]

Table 18 provides additional explanation of the pieces of the Source IP matching subclause.

Table 18 Source IP Matching

Source IP Matching Subclause Part  Description

FROM  Constant, always present, starts all source IP matching subclauses.

NOT  Optional; negates the rest of the subclause, matching all IP addresses and ports except those listed.

<ANY | ANY-INSIDE | ANY-OUTSIDE | BROADCAST | LOCAL | <ip/mask> | <host> >  Specifies the IP address or subnet to match. One of the following formats must be present:
• ANY—any IP address.
• ANY-INSIDE—any IP address that would be routed to an internal interface for transmission.
• ANY-OUTSIDE—any IP address that would be routed to an external interface for transmission.
• BROADCAST—any IP broadcast (but not multicast) address.
• LOCAL—IP addresses considered local to the VPN gateway (that is, all the physical interfaces as well as the loopback interface).
• <ip/mask>—an A.B.C.D/E format subnet.
• <host>—an A.B.C.D IPv4 address.

<ip/mask>  An IP address in the form A.B.C.D/E where A, B, C, and D are integers in the range 0 to 255 forming an IPv4 address and E is an integer in the range 0 to 32, specifying a contiguous subnet mask. For example, 10.245.12.0/24 specifies the 24-bit subnet 10.245.12.0 (network mask 255.255.255.0, addresses in the range 10.245.12.0 through 10.245.12.255), while 10.35.195.192/26 specifies the 26-bit subnet 10.35.195.192 (network mask 255.255.255.192, addresses in the range 10.35.195.192 through 10.35.195.255). You may also specify a subnet <ip/mask> using the format A.B.C.D MASK E.F.G.H where A.B.C.D is the dotted-quad IP address, MASK is the constant word MASK, and E.F.G.H is the network mask in traditional dotted-quad format, such as 255.255.255.0.

<host>  An IP address in the form A.B.C.D where A, B, C, and D are integers in the range 0 to 255 forming a dotted-quad IPv4 address. For example, 10.245.12.50.

PORT  Signifies that a port qualifier follows. Optional, but required if a port qualifier is to be included. The port qualifier does not specify whether the port is UDP or TCP.

<EQ | NE | LT | GT | LE | GE>  Required in a PORT qualifier (but optional in a FROM subclause), gives the Boolean operator to compare the TCP or UDP port in the datagram against for matching purposes:
• EQ—equal to (that is, the port in the datagram is equal to the one in the PORT qualifier).
• NE—not equal to.
• LT—less than (that is, the port in the datagram is numerically less than the one in the PORT qualifier).
• LE—less than or equal to.
• GT—greater than (that is, the port in the datagram is numerically greater than the one in the PORT qualifier).
• GE—greater than or equal to.

<port>  Required in a PORT qualifier (but optional in a FROM subclause), the port number to match. Port numbers are in the range of 0 to 65535.

Destination IP Matching in MATCH Clauses

You use the Destination IP matching subclause in a MATCH clause to specify where the flow is going. The destination IP of the first datagram of the flow can be specified to include (or exclude) IP addresses and subnets, as well as groups of addresses, and whether or not the traffic is to be sent to a VPN tunnel. The destination IP matching optionally can include the UDP or TCP port number of the datagram.

If a source IP subclause is present, a Destination IP subclause (a subclause beginning with the keyword TO) must also be present. If no Source IP subclause (FROM subclause) is present, then you must use the keyword ALL to specify all source and destination IP addresses and ports (and no destination IP subclause can be present).

Note
The ALL keyword indicates all source IP addresses and all ports going to all destination IP addresses and all ports. The ANY keyword is used positionally to mean either all source IP addresses or all destination IP addresses, depending on whether it is in a source IP subclause or destination IP subclause. The ALL keyword replaces both source and destination IP subclauses and means all IP traffic, while the ANY keyword is used within a subclause to indicate all addresses in the context of that subclause.

Any IP address can also be qualified by NOT, meaning that the destination IP matches all IP addresses except those specified in the rule. The syntax of the TO clause is:

TO [NOT] <ANY | ANY-INSIDE | ANY-OUTSIDE | BROADCAST | LOCAL | VPN-TUNNEL | <ip/mask> | <host> > [PORT < EQ | NE | LT | GT | LE | GE> <port>] [ON <phys-intf>]

Table 19 provides additional explanation of the pieces of the Destination IP matching subclause.

Table 19 Destination IP Matching

Destination IP Subclause Part  Description

TO  Constant, always present, starts all destination IP matching subclauses.

NOT  Optional; negates the rest of the subclause, matching all destination IP addresses and ports except those listed.

<ANY | ANY-INSIDE | ANY-OUTSIDE | BROADCAST | LOCAL | VPN-TUNNEL | <ip/mask> | <host> >  Specifies the IP address or subnet to match. One of these formats must be present:
• ANY—any IP address.
• ANY-INSIDE—any IP address that will be routed to an internal interface for transmission.
• ANY-OUTSIDE—any IP address that will be routed to an external interface for transmission.
• BROADCAST—any IP broadcast (but not multicast) address.
• LOCAL—IP addresses considered local to the VPN gateway (that is, all the physical interfaces as well as the loopback interface; any datagram destined for the gateway itself).
• VPN-TUNNEL—IP addresses reachable through VPN tunnels (IPSec only).
• <ip/mask>—an A.B.C.D/E format subnet.
• <host>—an A.B.C.D IPv4 address.

<ip/mask>  An IP address in the form A.B.C.D/E where A, B, C, and D are integers in the range 0 to 255 forming a standard dotted-quad IPv4 address and E is an integer in the range 0 to 32, specifying a contiguous subnet mask. For example, 10.245.12.0/24 specifies the 24-bit subnet 10.245.12.0 (network mask 255.255.255.0, addresses in the range 10.245.12.0 through 10.245.12.255), while 10.35.195.192/26 specifies the 26-bit subnet 10.35.195.192 (network mask 255.255.255.192, addresses in the range 10.35.195.192 through 10.35.195.255). You may also specify a subnet <ip/mask> using the format A.B.C.D MASK E.F.G.H where A.B.C.D is the dotted-quad IP address, MASK is the constant word MASK, and E.F.G.H is the network mask in traditional dotted-quad format, such as 255.255.255.0.

<host>  An IP address in the form A.B.C.D where A, B, C, and D are integers in the range 0 to 255 forming a dotted-quad IPv4 address. For example, 10.245.12.50.

PORT  Signifies that a port qualifier follows. Optional, but required if a port qualifier is to be included. The port qualifier does not specify whether the port is UDP or TCP.

<EQ | NE | LT | GT | LE | GE>  Required in a PORT qualifier (but optional in a TO subclause), gives the Boolean operator to compare the TCP or UDP port in the datagram against for matching purposes:
• EQ—equal to (that is, the port in the datagram is equal to the one in the PORT qualifier).
• NE—not equal to.
• LT—less than (that is, the port in the datagram is numerically less than the one in the PORT qualifier).
• LE—less than or equal to.
• GT—greater than (that is, the port in the datagram is numerically greater than the one in the PORT qualifier).
• GE—greater than or equal to.

<port>  Required in a PORT qualifier (but optional in a TO subclause), the port number to match. Port numbers are in the range of 0 to 65535.

ON  Signifies that a destination interface qualifier follows. Optional, but required if a destination interface is included. The destination interface specified in this subclause can only be a physical interface name. To match on flows going to a tunnel, use the TO VPN-TUNNEL form of the destination IP matching subclause.

<phys-intf>  Required in an ON qualifier (but optional in a TO subclause), gives the physical interface name for the destination of the flow. Examples of physical interfaces are eth-1, eth-2, and eth-3. You cannot specify other types of interfaces (such as internal, external, local, or tunnel) in an ON qualifier to a TO subclause.

Additional Matching in MATCH Clauses

In addition to matching flows based on the incoming interface, source, and destination information, you can also use a large number of additional options to further qualify or match frames and flows. Many of these additional qualifiers within the additional matching subclause can be specified in multiple places within a MATCH clause; they do not have to be placed at the end of the clause. However, all of these additional qualifiers are position-independent within the frame. For example, the PROTO qualifier specifies the IP protocol number in the datagram. Since this only occurs once in a datagram, it is not a FROM or TO qualifier.

Some additional matching qualifiers related to IP options can also be combined using WITH, AND, and NOT logic. This can be used to match flows that have some options present, but do not have other options present.

Table 20 lists the several broad categories of additional matching qualifiers.

Table 20 Additional Matching Qualifiers

Option Name  Description

tcp-flags  Matches on the presence of particular control bits in the fourth longword in the header of a TCP segment. TCP control bits are specified using the first letter of the control bit as defined in RFC 793. These are:
• U—URG, Urgent pointer valid flag
• A—ACK, Acknowledgement number valid flag
• P—PSH, Push flag
• R—RST, Reset connection flag
• S—SYN, Synchronize sequence numbers flag
• F—FIN, End of data flag
Flags to match on are listed without separation, such as tcp-flags SAP to match flags that have the SYN, ACK, and PSH flags all set.

icmp-type  Matches on a particular ICMP type in the first longword in the header of an ICMP packet. The ICMP type is an 8-bit number and can be specified as an integer from 0 to 255, or as one of the following pre-defined types:
• echorep—0, echo reply
• unreach—3, destination unreachable
• squench—4, source quench
• redir—5, redirect
• echo—8, echo request
• routerad—9, router advertisement
• routersol—10, router solicitation
• timex—11, time exceeded
• paramprob—12, parameter problem
• timest—13, timestamp request
• timestrep—14, timestamp reply
• inforeq—15, information request
• inforep—16, information reply
• maskreq—17, address mask request
• maskrep—18, address mask reply

proto  Matches on the IP protocol number in the third longword in the header of an IP packet. The IP protocol is an 8-bit number and can be specified as an integer from 0 to 255, or as one of the following pre-defined types: icmp (0), tcp (6), udp (17).

tos  Matches on the IP Type of Service bits in the first longword in the header of an IP packet. The IP TOS is an 8-bit number and is specified as a hexadecimal number from 0 to FF. This field includes the Precedence, D, T, R, and M bits as well as the reserved low order bit 0. Not for beginners.

TTL  Matches on the TTL field in the third longword in the header of an IP datagram. The IP TTL is an 8-bit number and is specified as an integer from 0 to 255. You cannot specify TTL ranges or Boolean qualifiers such as less than.

IP Options  Matches on IP options that may be present in the IP header. The IP options that can be specified include:
• nop—1, NOP
• rr—7, record route
• zsu—10, experimental measurement
• mtup—11, MTU probe
• mtur—12, MTU reply
• encode
• ts—4, timestamp
• tr—18, traceroute
• sec—2, security
• e-sec—5, extended security
• cipso—6, commercial security
• satid—8, stream identifier
• addext—19, address extension
• visa—14, experimental access control
• imitd—16, IMI traffic descriptor
• eip—17, extended internet protocol
• finn—13, experimental flow control
The presence of any IP options can also be specified using the ipopts keyword.

length  Matches IP datagrams that are too short to contain a valid IP header (less than 20 octets long) using the with short keyword.

The syntax supported in this part of the MATCH clause is fairly complex. However, the following BNF provides a minimum set of legal operations that should be sufficient to express any firewall rule.

additional-matches := [<tcp-flags>] [<icmp-type>] [<proto>] [<tos>] [<ttl>] [<ip-opts>] [<length>]

tcp-flags := "tcp-flags" [A][P][U][S][F][R]

8-bit-hex-number := 0x00 .. 0xFF

8-bit-decimal-number := 0 .. 255

icmp-type := "icmp-type" < <8-bit-decimal-number> | "echorep" | "unreach" | "squench" | "redir" | "echo" | "routerad" | "routersol" | "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" | "inforep" | "maskreq" | "maskrep" >

proto := "proto" < <8-bit-decimal-number> | "tcp" | "udp" | "icmp" >

tos := "tos" <8-bit-hex-number>

ttl := "ttl" <8-bit-decimal-number>

ip-opts-single-option := < "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" | "sec" | "e-sec" | "cipso" | "satid" | "addext" | "visa" | "imitd" | "eip" | "finn" > ["sec-class" < "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" | "reserv-4" | "secret" | "topsecret" >]

ip-opts := "with" < "ipopts" | ["not"] "opt" <ip-opts-single-option> [, <ip-opts-single-option>] >

length := "with short"
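The MATCH clause syntax described above (source interface, FROM and TO subclauses with NOT and PORT qualifiers, the two <ip/mask> forms, and the proto qualifier), together with first-match evaluation and the implicit "match from any to any target drop" that the show command prints, as an added worked example that is not part of this manual or of Nokia's firewall code. It parses a constructed rule base of the chapter's own syntax and evaluates constructed datagrams against it; the subset it handles and the simplifications (no ANY-INSIDE, ANY-OUTSIDE, BROADCAST, LOCAL or VPN-TUNNEL, which depend on routing state; trailing qualifiers such as log and keep-state accepted but ignored) are stated in the module docstring.

```python
"""Toy evaluator for the MATCH/TARGET rule syntax of this chapter (added illustration,
not Nokia's code).  Subset: MATCH [ON <intf>] (ALL | FROM [NOT] <addr> [PORT <op> <n>]
TO [NOT] <addr> [PORT <op> <n>]) [PROTO tcp|udp|icmp] TARGET PASS|DROP [ignored tail],
with <addr> one of ANY, A.B.C.D, A.B.C.D/E or A.B.C.D MASK E.F.G.H.  ANY-INSIDE,
ANY-OUTSIDE, BROADCAST, LOCAL and VPN-TUNNEL need routing state and are not modelled."""
import ipaddress
import operator
from collections import namedtuple

Rule = namedtuple("Rule", "intf src dst proto action text")
Packet = namedtuple("Packet", "intf src dst proto sport dport")
PORT_OPS = {"EQ": operator.eq, "NE": operator.ne, "LT": operator.lt,
            "GT": operator.gt, "LE": operator.le, "GE": operator.ge}

def packet(src, dst, proto, sport=None, dport=None, intf="eth-1"):
    """Constructed sample datagram: the first packet of a flow."""
    return Packet(intf, ipaddress.IPv4Address(src), ipaddress.IPv4Address(dst),
                  proto, sport, dport)

def contiguous_mask(dotted):
    """A.B.C.D MASK E.F.G.H must be a contiguous mask: no 0 bit followed by a 1 bit."""
    return "01" not in format(int(ipaddress.IPv4Address(dotted)), "032b")

def parse_addr(tokens, i):
    """Parse the address term at tokens[i]; return (predicate(ip), next index)."""
    tok = tokens[i]
    if tok == "ANY":
        return (lambda ip: True), i + 1
    if i + 2 < len(tokens) and tokens[i + 1] == "MASK":
        if not contiguous_mask(tokens[i + 2]):
            raise ValueError("non-contiguous mask: " + tokens[i + 2])
        net = ipaddress.IPv4Network(tok + "/" + tokens[i + 2], strict=False)
        return (lambda ip, n=net: ip in n), i + 3
    net = ipaddress.IPv4Network(tok, strict=False)  # <host> or A.B.C.D/E
    return (lambda ip, n=net: ip in n), i + 1

def parse_endpoint(tokens, i, keyword):
    """Parse 'FROM|TO [NOT] <addr> [PORT <op> <port>]'; return (predicate(ip, port), next index)."""
    if tokens[i] != keyword:
        raise ValueError("expected " + keyword)
    i += 1
    negate = tokens[i] == "NOT"
    if negate:
        i += 1
    addr_ok, i = parse_addr(tokens, i)
    port_ok = lambda port: True
    if i < len(tokens) and tokens[i] == "PORT":
        op, num = PORT_OPS[tokens[i + 1]], int(tokens[i + 2])
        if not 0 <= num <= 65535:
            raise ValueError("port out of range: %d" % num)
        # A port qualifier never matches a datagram that carries no ports (e.g. ICMP).
        port_ok = lambda port, op=op, num=num: port is not None and op(port, num)
        i += 3
    # NOT negates the whole subclause: everything except the listed address/port.
    return (lambda ip, port: (addr_ok(ip) and port_ok(port)) != negate), i

def parse_rule(text):
    """Parse one rule line into a Rule; raise ValueError on syntax outside the subset."""
    tokens = text.upper().split()
    if tokens[0] != "MATCH":
        raise ValueError("rule must start with MATCH")
    i, intf = 1, None
    if tokens[i] == "ON":
        intf, i = tokens[i + 1].lower(), i + 2
    if tokens[i] == "ALL":  # ALL stands in for both the FROM and the TO subclause
        src = dst = (lambda ip, port: True)
        i += 1
    else:
        src, i = parse_endpoint(tokens, i, "FROM")
        dst, i = parse_endpoint(tokens, i, "TO")
    proto = None
    if tokens[i] == "PROTO":
        proto, i = tokens[i + 1].lower(), i + 2
    if tokens[i] != "TARGET" or tokens[i + 1] not in ("PASS", "DROP"):
        raise ValueError("expected TARGET PASS|DROP")
    return Rule(intf, src, dst, proto, tokens[i + 1].lower(), text)

def matches(rule, pkt):
    if rule.intf is not None and rule.intf != pkt.intf:
        return False
    if rule.proto is not None and rule.proto != pkt.proto:
        return False
    return rule.src(pkt.src, pkt.sport) and rule.dst(pkt.dst, pkt.dport)

def evaluate(rules, pkt):
    """First matching rule wins; the implicit default is 'match from any to any target drop'."""
    for number, rule in enumerate(rules, 1):
        if matches(rule, pkt):
            return rule.action, number
    return "drop", None

# Constructed sample rule base, in the order the gateway would evaluate it.
RULES = [parse_rule(line) for line in (
    "match on eth-2 from 10.245.12.0/24 to 10.35.195.192 MASK 255.255.255.192 "
    "port eq 22 proto tcp target pass keep-state",
    "match from not 10.245.12.0/24 to any port lt 1024 proto tcp target drop log",
    "match from any to any proto icmp target pass",
)]
```

Two points the code makes concrete: a NOT in a FROM or TO subclause negates the address and port together, so "from not 10.245.12.0/24" matches every source outside that subnet rather than only other ports; and a port qualifier can never match an ICMP datagram, so a rule that qualifies on PORT will fall through to later rules (or to the default drop) for ICMP traffic.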

TARGET Clauses in Firewall Rules

You use the TARGET clause in a firewall rule to indicate the action that the firewall should take for the datagram or flow matched. The TARGET clause consists of the word TARGET followed by one of three actions (PASS, DROP, or TRANSLATE) and optionally other qualifiers. The firewall and NAT subsystem supports three different target actions as described in Table 21.

Table 21 TARGET Action

Action  Description

PASS  Allow this datagram to pass through the firewall. If keep-state is specified, then also set up a translation so that the stateful packet flow for TCP, UDP, or ICMP is maintained. PASS can also invoke an application layer gateway for protocols that require ALG support, such as FTP.

DROP  Do not allow this datagram to pass through the firewall. The firewall can either silently drop the datagram, or return one of three error responses. Not all responses are appropriate for all protocols.

TRANSLATE  Same as PASS, but with the addition of either source or destination IP address NAT. Because NAT is also inherently stateful, a TARGET action of TRANSLATE implies keep-state as well. TRANSLATE can also invoke application layer gateways.

Figure 6 displays the part of a firewall rule after the MATCH clause, which includes both the TARGET and optional LOG clauses.

Figure 6 A Part of a Firewall Rule after the Match Clause

PASS Qualifiers in TARGET Clauses in Firewall Rules

The syntax for a PASS qualifier in the TARGET clause is:

target pass [open-channel <alg-name>] [keep-state]

Table 22 describes PASS qualifiers in the TARGET clause.

Nokia IP VPN Gateway Command-Line Summary v6.3 281

6 Configuring Firewall and Network Address Translation

Table 22 PASS Qualifier

PASS Qualifier Keyword  Description

PASS  Required. Indicates that this is a pass qualifier.

OPEN-CHANNEL <alg-name>  Optional. Indicates that this rule should call the application layer gateway to open additional ports and channels to support the application. Four application layer gateways are supported, for the FTP protocol (open-channel ftp), for the TFTP protocol (open-channel tftp), for the Internet Relay Chat Direct Client Connection protocol (open-channel irc-dcc), and for the Progressive Networks RealMedia RTSP/PNA protocols (open-channel realmedia). If OPEN-CHANNEL is used, then KEEP-STATE should also be used.

KEEP-STATE  Optional. Indicates that the packet matched is part of a flow, and the firewall should make an entry into the firewall state table to allow return packets for this flow to pass. When you use the PASS qualifier in a TARGET clause, you must use KEEP-STATE to activate the stateful part of the firewall. If you do not use KEEP-STATE, only the single packet matched will be allowed through the firewall, not the rest of the flow. The timeouts for the stateful inspection are defined by the ICMP-TIMEOUT, TCP-TIMEOUT, and UDP-TIMEOUT firewall configuration values.

DROP Qualifiers in TARGET Clauses in Firewall Rules

The syntax for a DROP qualifier is:

target drop [ return-icmp <icmp-type> | return-icmp-as-dest <icmp-type> | return-rst ]

If none of the return-x keywords are given after the drop qualifier, then the packet is silently discarded by the firewall and no indication is given back to the sender that the datagram was dropped. Table 23 describes DROP qualifiers in a TARGET clause.

Table 23 DROP Qualifiers

DROP qualifier keyword or part  Description

target  Required. Starts all target clauses.

drop  Required. Indicates that this is a drop clause. If no return-x keyword is present, the datagram is silently dropped with no response to the sender.

return-icmp <icmp-type>  Optional. Indicates that an ICMP error message is returned to the sender. For more information on return-icmp and the icmp-type, see the discussion below this table.

return-icmp-as-dest <icmp-type>  Optional. Indicates that an ICMP error message is returned to the sender, from the apparent destination of the message. For more information on return-icmp-as-dest and the icmp-type, see the discussion below this table.

return-rst  Optional. Indicates that a TCP RST message should be sent to the sender. For more information on return-rst, see the discussion below this table.

Use the three return-x keywords to vary the behavior of the firewall and return different types of error messages.

The return-rst keyword indicates that the firewall should send back a TCP message with the RST flag bit set, telling the connecting system to reset and tear down the TCP connection. The return-rst flag is only valid for TCP protocol messages and has no additional action if it is used on a rule that matches UDP, ICMP, or other IP protocols.

Use the return-icmp keyword to configure the firewall to send back an ICMP error message to the originator. In the return-icmp case, this ICMP error message comes from the firewall; in the return-icmp-as-dest case, the ICMP is sent as if it came from the destination of the original packet (for example, simulating the presence of an unreachable system). When a return-icmp or return-icmp-as-dest is sent back, the DROP qualifier in the rule must also indicate which of the ICMP error codes is to be returned. The ICMP message that will be sent is an ICMP type 3, Destination Unreachable. You must also then specify the 8-bit code. This can be specified as a decimal number (from 0 to 255) or one of a set of symbolically defined ICMP error codes from Table 24. In most cases, the most appropriate response is filter-prohib (error code 13).

Table 24 ICMP Error Codes

ICMP Error Code  Equivalent Value  Description of the Error Code

net-unr  0  Network unreachable error.

host-unr  1  Host unreachable error.

proto-unr  2  Protocol unreachable error. When the designated transport protocol is not supported.

port-unr  3  Port unreachable error. When the designated transport protocol (for example, UDP) is unable to demultiplex the datagram but has no protocol mechanism to inform the sender.

needfrag  4  The datagram is too big. Packet fragmentation is required but the DF bit in the IP header is set.

srcfail  5  Source route failed error.

net-unk  6  Destination network unknown error.

host-unk  7  Destination host unknown error.

isolate  8  Source host isolated error. Obsolete.

net-prohib  9  The destination network is administratively prohibited.

host-prohib  10  The destination host is administratively prohibited.

net-tos  11  The network is unreachable for Type Of Service.

host-tos  12  The host is unreachable for Type Of Service.

filter-prohib  13  Communication Administratively Prohibited. This is generated if a router cannot forward a packet due to administrative filtering.

host-preced  14  Host precedence violation. Sent to indicate that a requested precedence is not permitted for the particular combination of source/destination host or network, upper layer protocol, and source/destination port.

preced-cutoff  15  Precedence cutoff in effect. The network operators have imposed a minimum level of precedence required for operation, and the datagram was sent with a precedence below this level.

TRANSLATE Qualifiers in TARGET Clauses in Firewall Rules

The translate qualifier is a PASS-and-NAT action. The firewall and NAT subsystem supports both destination NAT and source NAT operations. The syntax of the translate qualifier in the target clause is:

target translate < <destination < <ip/mask> | <ip> > [ port <port-number>]> | <source < external | <ip/mask> | <ip> > > [open-channel <alg-name>]

For outgoing connections from a protected network where the gateway is providing the NAT function towards the general Internet, source NAT is the most common operation. This changes the source IP address of datagrams that are emitted from the gateway to hide the internal IP addresses behind the gateway. Because NAT is a stateful operation, enabling NAT for a flow automatically allows the reverse NAT procedure for datagrams within the same TCP, UDP, or ICMP flow. Both source NAT using the external IP address of the VPN gateway (technically NAPT) and source NAT using additional addresses or a range of addresses are supported. When using NAT with IP addresses other than the VPN gateway's own IP address, the gateway will automatically proxy ARP for the additional IP addresses.

For incoming connections to a protected network where the gateway is providing the NAT function towards the general Internet, a destination NAT is used. This changes the destination IP address in the datagram to be one hidden by the VPN gateway, such as to an internal email or web server. As with source translation, destination translation is fully stateful. Because destination translation is done on a port-by-port basis, destination translation often has a port number. For example, if you wanted to allow connections to a non-standard web server running on port 88 protected by a VPN gateway on IP address 192.245.12.80, the translate qualifier might look like: translate destination 10.10.10.25 port 88. This would allow external users to connect to port 80 using their web browser, and have that translated to port 88. When open-channel is used with the translate qualifier, the same set of application layer gateways (ALGs) is supported as with the pass qualifier, for the FTP protocol (open-channel ftp), for the TFTP protocol (open-channel tftp), for the Internet Relay Chat Direct Client Connection protocol (open-channel irc-dcc), and for the Progressive Networks RealMedia RTSP/PNA protocols (open-channel realmedia).

Table 25 provides more information on the syntax and qualifiers, when translating the destination address of the target of a flow.

Table 25 TRANSLATE Destination Qualifiers

TRANSLATE destination qualifier keyword  Description

target  Required. Always present in target clause to indicate start of target clause.

translate  Required. Indicates that this is a translate qualifier with source or destination address translation (NAT).

destination  Required. Indicates that the destination IP address of the flow target (and possibly the port number) should be translated. Normally used for connections coming from the public Internet (or other public address space) to the internal network protected by the gateway.

<ip/mask>  An IP address in the form A.B.C.D/E where A, B, C, and D are integers in the range 0 to 255 forming an IPv4 address and E is an integer in the range 0 to 32, specifying a contiguous subnet mask. For example 10.245.12.0/24 specifies the 24-bit subnet 10.245.12.0 (network mask 255.255.255.0, addresses in the range 10.245.12.0 through 10.245.12.255), while 10.35.195.192/26 specifies the 26-bit subnet 10.35.195.192 (network mask 255.255.255.192, addresses in the range 10.35.195.192 through 10.35.195.255).

<ip>  An IP address in the form A.B.C.D where A, B, C, and D are integers in the range 0 to 255 forming a dotted-quad IPv4 address. For example, 10.245.12.50.

port <port-number>  Optional. Indicates that this destination translation should also change the destination port number. This would be used to change from the indicated port number in the match clause to a different port number. If you do not want to change the port number (i.e., if the external address connection is to port 80, and you want this to be translated internally to a system listening on port 80), then you do not need to specify the port keyword. <port-number> is an integer in the range 0 to 65535.

open-channel <alg-name>  Optional. Indicates that an application layer gateway is needed to further open additional ports (and perform additional network address translation) as part of this flow. Four application layer gateways are supported, for the FTP protocol (open-channel ftp), for the TFTP protocol (open-channel tftp), for the Internet Relay Chat Direct Client Connection protocol (open-channel irc-dcc), and for the Progressive Networks RealMedia RTSP/PNA protocols (open-channel realmedia).

Table 26 provides more information on keywords and qualifiers, when translating the source IP address of a flow (such as when allowing outbound connections from a protected private network to the general Internet).

Table 26 TRANSLATE Source Qualifiers

TRANSLATE source qualifier keyword  Description

target  Required. Always present in target clause to indicate start of target clause.

translate  Required. Indicates that this is a translate qualifier with source or destination address translation (NAT).

source  Required. Indicates that the source IP address originating a particular matched flow should be translated. Normally used for connections from a private network protected by the gateway to the general Internet. source is followed by one of external, an <ip/mask>, or a single <ip>.

external  Optional. Indicates that the outgoing source IP address should be translated to the external IP address of the VPN gateway. This allows the creation of firewall NAT rules without actually having to know the IP address of the gateway.

<ip/mask>  An IP address in the form A.B.C.D/E where A, B, C, and D are integers in the range 0 to 255 forming an IPv4 address and E is an integer in the range 0 to 32, specifying a contiguous subnet mask. For example 10.245.12.0/24 specifies the 24-bit subnet 10.245.12.0 (network mask 255.255.255.0, addresses in the range 10.245.12.0 through 10.245.12.255), while 10.35.195.192/26 specifies the 26-bit subnet 10.35.195.192 (network mask 255.255.255.192, addresses in the range 10.35.195.192 through 10.35.195.255).

<ip>  An IP address in the form A.B.C.D where A, B, C, and D are integers in the range 0 to 255 forming a dotted-quad IPv4 address. For example, 10.245.12.50.

open-channel <alg-name>  Optional. Indicates that an application layer gateway is needed to further open additional ports (and perform additional network address translation) as part of this translated flow. Four application layer gateways are supported, for the FTP protocol (open-channel ftp), for the TFTP protocol (open-channel tftp), for the Internet Relay Chat Direct Client Connection protocol (open-channel irc-dcc), and for the Progressive Networks RealMedia RTSP/PNA protocols (open-channel realmedia).

NAT Before IPSec Translations

NAT before IPSec is required when the same private address space is needed for the protected networks on both ends of a VPN gateway. To NAT traffic to the VPN (192.168/16 in this example) using a statically defined address but also NAT TCP traffic to the Internet, the configuration might be the following:

…
match proto tcp from any-inside to 192.168/16 target translate source 10.10/16
match proto tcp from any-inside to any-outside target translate source external
…

It is assumed that a selector 10.10/16 < > 192.168/16 protect through IPSec-peer exists. When the destination address is to the Internet, the first rule does not match and the second rule matches. The current external IP address of the gateway is used as the alias address. It is assumed that this NATed packet hits the default selector of bypass and travels to the Internet.

When the destination address is to the VPN (192.168/16), the first rule matches and 10.10/16 is used as the alias network address. When the NATed packet is run against the selectors, the protect selector matches and the NATed packet gets tunneled.

Application Level Gateways

Firewall supports the following Application Level Gateways (ALGs):
• FTP
• IRC Direct Client Connections
• Real Media
• TFTP

Firewall rules defined using the ALGs listed above allow the corresponding protocols, which use more than one connection for peer-to-peer communication.

Example

rule-list# match proto tcp from any-inside to any-outside port eq 21 tcp-flags S target pass keep-state open-channel ftp

This rule allows FTP connections initiated from the internal network to the external network. The FTP ALG automatically creates a channel in the firewall to allow the FTP data connection, because the data connection is initiated by the client or server on a different port number, negotiated in the respective control connection.

LOG Clauses in Firewall Rules

The LOG clause is an optional part of each firewall rule that allows you to log firewall rule matches and, if you want, the actual packet data, either of the first datagram to match or of the entire session. Logging is handled through the SYSLOG facility defined in other parts of the VPN gateway configuration. For more information about the syslog, see “syslog” on page 182. For more information about defining SYSLOG servers or syslog options from the VPN Manager, see the Nokia IP VPN Gateway Configuration Guide v6.3.

The syntax of the LOG clause is:

LOG [body] [entire-session] [level facility <facility> priority <priority>]

Table 27 describes the LOG clause in more detail.

Table 27 LOG Clauses

LOG clause keyword Description

LOG Required. Indicates that this rule match is to be logged. If no other qualifiers are provided, will only log the rule match and no other data.

BODY Optional. Indicates that the first 128 octets of packet data are to be logged when this rule matches. This has the potential to generate a high volume of traffic and should be used with care.

ENTIRE-SESSION  Optional. When a stateful rule is matched (either through explicit KEEP-STATE on a PASS rule or implicitly in a TRANSLATE rule), all matches of the rule and all matches of the state created for a flow will be logged. This has the potential to generate a high volume of traffic. When combined with the BODY qualifier, this can generate a very high volume of traffic and should be used with extreme caution.

LEVEL FACILITY <facility> PRIORITY <priority>  Optional. Used to apply a particular SYSLOG facility and severity to logged firewall rules. The level supplied here will override the default facility and severity in the VPN gateway configuration, allowing you to isolate firewall rule matches from other logging. When LEVEL is specified, both a FACILITY and a PRIORITY must be specified. FACILITY codes supported are auth, authpriv, cron, daemon, ftp, kern, local0 through local7, lpr, mail, news, syslog, user, and uucp. PRIORITY codes supported are emerg, alert, crit, err, warn, notice, info, and debug.

Firewall Rule Examples

rule-list# match proto tcp from any-inside to any-outside port eq 23 tcp-flags S target pass keep-state

This rule allows Telnet connections to be initiated from a host in the internal network to the external network.

rule-list# match proto tcp from any-outside to 192.245.12.100 port eq 80 tcp-flags S target pass keep-state

This rule allows HTTP connections initiated from any host in the Internet to a specific host in the protected inside network.

match proto tcp from any-inside to any-outside target translate source external

This NAT rule translates the source address of all outgoing TCP traffic to the current IP address of the external interface.

match proto tcp from any-inside to any-outside target translate source 192.245.12.3

This NAT rule translates all outgoing TCP traffic to the address 10.10.12.3. Any packet that is part of the internal network and that is destined for the external network encounters the NAT rule and its source address changes to 10.10.12.3.

match proto tcp from any-outside to local port eq 80 target translate destination 192.168.100.1/32

This NAT rule translates the destination address of all incoming HTTP requests destined to the gateway to 192.168.100.1/32 (which belongs to an HTTP server in the internal network).

match proto tcp from any-outside to local port eq 80 target translate destination 192.168.100.1/32 port 8080

This NAT rule translates the destination address and the destination port of all incoming HTTP traffic to the gateway from the external network to 192.168.100.1 and 8080 (which belongs to the HTTP server running on port 8080 on the internal network).
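The TARGET semantics described in this chapter (PASS with and without keep-state, DROP with return-rst or return-icmp, TRANSLATE of the source or destination address with the state entry it implies), the two-rule ordering in NAT Before IPSec Translations, and the rule examples above can all be exercised against a small model. The following Python is an added example written for this page; it is not Nokia code and does not parse the gateway's rule syntax. It assumes ordered rules where the first MATCH that fits decides, a state table keyed by the post-translation flow so that replies come back with NAT reversed, a constructed layout in which any-inside is 10.0.0.0/8 and local is the gateway's external address 192.245.12.80 (the address used in the translate example earlier in this chapter), and the 10.10/16 and 192.168/16 shorthand written out in full. The guide does not say how a /16 alias network maps individual source addresses; the model keeps the host bits, which is an assumption.

```python
from collections import namedtuple
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Optional
EXTERNAL_IP = "192.245.12.80"        # constructed: the gateway's own external address
INSIDE = ip_network("10.0.0.0/8")    # constructed: the addresses any-inside resolves to
Packet = namedtuple("Packet", "proto src dst sport dport")

def in_group(addr: str, spec: str) -> bool:
    """Address spec: a group name, a single A.B.C.D, or A.B.C.D/E (contiguous mask)."""
    a = ip_address(addr)
    if spec in ("any-inside", "any-outside"):
        return (a in INSIDE) == (spec == "any-inside")
    if spec == "local":
        return a == ip_address(EXTERNAL_IP)
    return a in ip_network(spec, strict=False)     # e.g. 10.35.195.192/26

def alias_source(addr: str, alias: str) -> str:
    """Source NAT target: external, one address, or an alias network.
    Assumption: with a network alias the host bits of the original address are kept."""
    if alias == "external":
        return EXTERNAL_IP
    if "/" not in alias:
        return alias
    net = ip_network(alias, strict=False)
    return str(ip_address(int(net.network_address) | (int(ip_address(addr)) & int(net.hostmask))))

@dataclass
class Rule:
    proto: str
    src: str
    dst: str
    dport: Optional[int]               # MATCH ... port eq N, or None for any port
    action: str                        # pass | drop | translate
    keep_state: bool = False           # PASS keep-state (TRANSLATE implies it)
    response: Optional[str] = None     # DROP: return-rst | return-icmp:<code> | None
    nat: Optional[str] = None          # TRANSLATE: source | destination
    nat_addr: Optional[str] = None     # external | A.B.C.D | A.B.C.D/E
    nat_port: Optional[int] = None     # TRANSLATE destination ... port <port-number>

class Firewall:
    def __init__(self, rules):
        self.rules = rules
        self.state = {}   # reply 5-tuple (after NAT) -> (orig src, orig dst, orig dport)

    def first_match(self, p):          # rules are ordered; the first MATCH that fits decides
        for r in self.rules:
            if (r.proto == p.proto and in_group(p.src, r.src) and in_group(p.dst, r.dst)
                    and (r.dport is None or r.dport == p.dport)):
                return r
        return None

    def process(self, p) -> dict:
        o = self.state.get((p.proto, p.dst, p.dport, p.src, p.sport))
        if o:                          # reply half of a stateful flow: pass, NAT reversed
            return {"verdict": "pass", "via": "state", "src": o[1], "sport": o[2], "dst": o[0]}
        r = self.first_match(p)
        if r is None:                  # assumption: a datagram matching no rule is dropped
            return {"verdict": "drop", "response": None}
        if r.action == "drop":         # return-rst only acts on TCP; otherwise silent drop
            no_rst = r.response == "return-rst" and p.proto != "tcp"
            return {"verdict": "drop", "response": None if no_rst else r.response}
        out = {"verdict": "pass", "via": "rule", "src": p.src, "dst": p.dst, "dport": p.dport}
        if r.action == "translate" and r.nat == "source":
            out["src"] = alias_source(p.src, r.nat_addr)
        elif r.action == "translate":
            out["dst"] = r.nat_addr.split("/")[0]
            out["dport"] = p.dport if r.nat_port is None else r.nat_port
        if r.keep_state or r.action == "translate":    # only then can the reply come back
            self.state[(p.proto, out["src"], p.sport, out["dst"], out["dport"])] = (p.src, p.dst, p.dport)
        return out

def demo_target_clauses() -> dict:
    fw = Firewall([
        Rule("tcp", "any-inside", "any-outside", 23, "pass", keep_state=True),
        Rule("udp", "any-inside", "any-outside", 53, "pass"),               # no keep-state
        Rule("tcp", "any-outside", "local", 80, "translate",
             nat="destination", nat_addr="192.168.100.1/32", nat_port=8080),
        Rule("udp", "any-outside", "any-inside", None, "drop", response="return-rst"),
        Rule("tcp", "any-outside", "any-inside", None, "drop", response="return-icmp:13"),
    ])
    res = {}
    fw.process(Packet("tcp", "10.0.10.5", "203.0.113.9", 50000, 23))        # Telnet out
    res["telnet_reply"] = fw.process(Packet("tcp", "203.0.113.9", "10.0.10.5", 23, 50000))
    fw.process(Packet("udp", "10.0.10.5", "203.0.113.53", 5353, 53))        # DNS out
    res["dns_reply"] = fw.process(Packet("udp", "203.0.113.53", "10.0.10.5", 53, 5353))
    res["http_in"] = fw.process(Packet("tcp", "203.0.113.9", EXTERNAL_IP, 41000, 80))
    res["http_reply"] = fw.process(Packet("tcp", "192.168.100.1", "203.0.113.9", 8080, 41000))
    res["ssh_in"] = fw.process(Packet("tcp", "203.0.113.9", "10.0.10.5", 41001, 22))
    return res

def demo_nat_before_ipsec() -> tuple:
    fw = Firewall([   # the two rules from NAT Before IPSec Translations, shorthand written out
        Rule("tcp", "any-inside", "192.168.0.0/16", None, "translate", nat="source", nat_addr="10.10.0.0/16"),
        Rule("tcp", "any-inside", "any-outside", None, "translate", nat="source", nat_addr="external"),
    ])
    to_vpn = fw.process(Packet("tcp", "10.0.100.7", "192.168.5.9", 40000, 22))
    to_net = fw.process(Packet("tcp", "10.0.100.7", "198.51.100.20", 40001, 443))
    return to_vpn["src"], to_net["src"]
```

Running demo_target_clauses shows the Telnet reply admitted through the state table, the DNS reply dropped because the PASS rule had no keep-state (and the drop rule's return-rst has no effect on UDP), the inbound HTTP request rewritten to 192.168.100.1 port 8080 with its reply rewritten back to the gateway address and port 80, and the unmatched inbound TCP connection dropped with return-icmp code 13. demo_nat_before_ipsec returns 10.10.100.7 for traffic to the 192.168/16 VPN network and the external address for traffic to the Internet, which is the ordering the text relies on for the protect selector to match the NATed packet.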


A PCS and Crypto Command Diagrams

This appendix presents the following diagrams:
• “IPSec CLI Configuration Map” on page 292 shows the IPSec CLI configuration map.
• “Policy Diagram” on page 293 shows the policy diagram.
• “Crypto Command Diagram” on page 294 shows the crypto command diagram.

Note: For more information about the commands in the illustration “IPSec CLI Configuration Map” on page 292, see “Configuring Policy Configuration System” on page 219.


IPSec CLI Configuration Map

[Figure: IPSec CLI Configuration Map. The figure image is not reproduced here. The CLI keywords visible in the map are: config, policy, ike, ipsec, gateway, client, suite, group, cl-selector, gw-selector, selector, transform, oakley-group, lifetime, protocol, mode, cipher, hash, auth, authen, action, flags, addr, mask, port, src_addr, src_mask, src_port, dst_addr, dst_mask, dst-port, user_fqdn, save, load, unload, apply, clear, map, show, exit.]

Note: These charts do not show every option available.

Policy Diagram

[Figure: Policy Diagram. The figure image is not reproduced here; the labels recovered from it are listed below, grouped by policy object.]

Config Policy: IKE Gateways, IPSec Gateways, IPSec Gateway Selector, Packet Filter Selectors, IPSec Transform(s)

IKE Gateways: Peer IP Address, IKE Group, IKE Suite

IKE Suite:
• authentication method—pre-shared, rsa public key, rsa digital cert
• cipher—aes, 3DES, Blowfish, Cast, DES
• flags—initial contact, nomadic, vendor id
• integrity hash—md5, sha
• sa lifetime
• oakley-group—modp-768, modp-1024, modp-1536, modp-2048

IPSec Gateway: tunnel src address, tunnel dst address, oakley-group (modp-768, modp-1024, modp-1536, modp-2048)

IPSec GW Selector: action (protect), destination address, destination mask, destination port, source address, source mask, source port, IP protocol, flags (asymmetric, local-broadcast, local-dst, local-src, unique-dst, unique-src, unique-dport, unique-sport, unique-protocol)

Packet Filter Selectors: action (drop, bypass), destination address, destination mask, destination port, source address, source mask, source port, IP protocol

IPSec Transform:
• authenticator—hmac-md5, hmac-sha, hmac-ripend
• cipher—aes, 3DES, Blowfish, Cast, DES
• flags—commit-bit, replay-status, responder-lifetm
• lifetime—kbytes, minutes
• mode—tunnel, transport
• protocol—ah, esp, ah-esp

Note: These charts do not show every option available.

Crypto Command Diagram

[Figure: Crypto Command Diagram. The figure image is not reproduced here. Keywords recovered from the diagram: Crypto, clear, delete [<#>], disable, enable, flush, ike, ipsec, keys, lifetime <#>, policy reload, rekey <#>, show, shutdown; arguments shown include brief, full, local, remote, ah, esp, input, output, queue, all, chains, identities, names, public, -n, client, gateway, matched, spd, blocked, certified, preshared, trusted-root, automagic, cluster, dead, option, pending, replay, selector, uuid, statistics, cached, options, policy, active, expired, condor, copy-df, display, hifn, host-icmp, inline, nat-traversal, sa-cache, server, stable, and <cr>.]

B Dynamic Gateway Deployment

This appendix describes how to configure a simple dynamic gateway deployment in which two dynamic (spoke) gateways and a hub pass traffic among one another. The gateways communicate with each other (spoke-to-spoke through the hub) and with the hub (spoke-to-hub). This appendix is organized into the following sections:

• Overview
• Configuring the Gateway
• Topology of the Deployed Gateway
• Configuring Network Settings
• Creating and Installing Certificates
• Setting Gateway Selectors
• Dynamic Hello

Note: This appendix assumes that you are familiar with the CLI modes and navigation between the modes. For more information about CLI modes and navigating between them, see “Introducing the Command-Line Interface” on page 15.

Overview

Dynamic gateway deployment refers to a scenario where one or more deployed gateways have an IP address that is not known during deployment, or might change over time. Gateways that receive IP addresses from a DHCP server, or use PPPoE to connect, are classified as dynamic gateways. To connect to the dynamic gateways, an intermediary (deployment proxy) is required. A simple method to accomplish this is to use a hub-and-spoke configuration where the hub is also the deployment proxy. Traffic that is destined for any protected host group of a dynamic gateway first passes through the hub gateway.

The deployment hub passes the relevant traffic to the dynamic gateways. To pass traffic, it must learn the dynamic IP address of the dynamic gateway. This is handled by the dynamic gateway itself. In this topology all traffic destined for the dynamic gateway must pass through the hub. Therefore, when the dynamic gateway obtains a new IP address, it updates the hub.


Configuring the Gateway

All gateways must be in a newly provisioned state. If you already configured a gateway, use the configure wizard command to erase the existing configuration. For more information about the configure wizard command, see “configure” on page 77.

To set up the hub and spoke gateways
1. Configure basic gateway interface information.
2. Create and install certificates.
3. Configure policies.
4. Set up the appropriate deployment_hub commands (for dynamic gateways).
5. Reboot the gateways to turn on the appropriate subsystems, and allow traffic to pass.

Note: The following sections describe each of these steps in detail by using an example scenario with two dynamic spoke gateways (A and B), each protecting a subnet and obtaining a dynamic external IP address issued from a DHCP server. The deployment hub gateway, hub, functions as both the hub and the deployment proxy.

Topology of the Deployed Gateway

The topology consists of two dynamic spoke gateways that each protect a subnet and obtain the dynamic external IP addresses that a DHCP server issues.

Table 28 Topology of the Deployed Gateway

Topology  Description

Host and domain information  All gateways are part of the test.net domain.

External IP address subnet  Represents the external IP address range for all gateways.
• IP range—10.0.1.0/24
• Default gateway—10.0.1.1
• Dynamic address range offered from DHCP server—10.0.1.100 to 10.0.1.120

hub gateway
• External interface—eth-2
• Internal interface—eth-1
• External IP address—10.0.1.10
• Protected host group—10.0.10/24
• Internal IP address—10.0.10.1
• Host name—hub

Dynamic gateway A
• External dynamic interface—eth-2
• Internal interface—eth-1
• Protected host group—10.0.100/24
• Internal IP address—10.0.100.1
• Host name—dynamo1

Dynamic gateway B
• External dynamic interface—eth-2
• Internal interface—eth-1
• Protected host group—10.0.200/24
• Internal IP address—10.0.200.1
• Host name—dynamo2

Configuring Network Settings

The following section describes how to set up the gateway topology.

Setting Up the Gateway Topology

From the configuration mode (Config#), use the commands listed in Table 29 to set up each gateway. For more information about the configuration mode, see “Configuration Mode” on page 17.

Table 29 Commands to Set Up Each Gateway

Command Description

hostname  Set the host name for the gateway. Use the hostname command with the dns domain-name command to generate the fully qualified domain name (FQDN). For more information about the hostname command, see “hostname” on page 130.

dns domain-name  Set the domain name. For more information about the dns domain-name command, see “dns” on page 61.

Note: dns domain-name refers to the name of the domain in which the gateway participates. For example, name.cips.nokia.com has a host name of name and a domain name of cips.nokia.com.

interface <eth-1 | eth-2> <address> <netmask> <external> <dhcp>  Use the interface command to set the following options for each Ethernet interface:
• eth-1 | eth-2—select the interface to configure.
• address—assign the static IP address.
• netmask—netmask of the subnet that the interface is a part of.
• external—designate the interface as an external (not a protected host group) interface.
• dhcp—assign a dynamic IP address through DHCP.
For more information about the interface command, see “Configuring Gateway Interfaces” on page 28.

route  Assign a default route to the gateway hub. A default route has the source address default and the source mask 0.0.0.0. For more information about the route command, see “Config# [no] route” on page 46.

disable firewall  Disable the firewall. For more information about disabling the firewall, see “firewall” on page 53.

Based on the topology defined in Table 28, and the commands listed in Table 29, set up the gateways as described in Table 30.

Table 30 Gateway Setup

Gateway  Interface configuration

deployment hub
• hostname hub
• dns domain-name test.net
• interface eth-1 address 10.0.10.1 netmask 255.255.255.0
• interface eth-2 address 10.0.1.10 netmask 255.255.255.0 external
• route default 0.0.0.0 10.0.1.1
• disable firewall

Dynamic gateway A
• hostname dynamo1
• dns domain-name test.net
• interface eth-1 address 10.0.100.1 netmask 255.255.255.0
• interface eth-2 dhcp external
• disable firewall

Dynamic gateway B
• hostname dynamo2
• dns domain-name test.net
• interface eth-1 address 10.0.200.1 netmask 255.255.255.0
• interface eth-2 dhcp external
• disable firewall

Note: Routes are not defined for dynamic gateways. The DHCP server provides a default route to each of the dynamic interfaces in addition to the dynamic IP address.

Note: To save the configuration on each gateway, from the command mode (>), use the config save command. For more information about the config save command, see “configure” on page 77.

Creating and Installing Certificates

This example uses an internal Certificate Authority (ICA) in the Nokia IP VPN Gateways. The ICA is a simplified Certificate Authority (CA) that meets the basic needs of using certificates between Nokia IP VPN gateways. Only one CA is required in a VPN deployment, and in Nokia IP VPN gateways, the CA is located on one of the gateways. For this example, the internal CA is located on the hub gateway. You must create the ICA from the PKI configuration mode (pki_config#) on the hub gateway. The minimum information that must be defined for the internal CA is lifetime, size of the public and private keys, subject-name, and alternative name (using the FQDN of the gateway). For more information about ICA, see “Configuring Public Key Infrastructure” on page 191.

NoteAll commands that pertain to the internal CA are of the form ca <label> internal.

To generate and install a certificate1. Generate the certificate request on the appropriate gateway.2. Sign the certificate request by using the internal CA, which is configured on the hub

gateway.3. Import the new certificate as a device certificate to the gateway that generated the request.

NoteDynamic gateways require the subject-alt-name of fqdn, as the external IP address is dynamic. Static gateways (the hub gateway) require the subject-alt-name to use the external interface, in this case eth-2. All three gateways must have the trusted root certificate and a device certificate, after which the selectors are set up.

Generating the Internal CA

The following sections describe how to generate the internal CA.

To generate the internal CA
1. From the PKI configuration mode (config_pki#) enter the commands listed in Table 31.

Note: Commands that begin with ca hub-ca internal certificate set up the details of the CA certificate.

Table 31 CA Commands

Command: ca hub-ca internal certificate lifetime 24
Description: lifetime specifies the time period that the certificate is valid, in months. In this case a request is made for a certificate that is valid for two years.

Command: ca hub-ca internal certificate rsa-with-sha1 1024
Description: rsa-with-sha1 specifies both the type and length of the public and private keys required. rsa is the algorithm, sha1 the hash function, and the length 1024 bits. (1024 bits is the minimum key size used.)

Command: ca hub-ca internal certificate subject-name common-name hub-ca
Description: subject-name is a series of possible fields that define the identity in the certificate. In this case, only the common-name field, set to hub-ca, is used.

Command: ca hub-ca internal certificate subject-alt-name fqdn
Description: subject-alt-name is a set of possible alternative identities that can be included in a certificate. fqdn indicates that for the hub, only the FQDN of the hub (the concatenation of host name and domain-name, which is hub.test.net) is included.

Command: ca hub-ca internal generate
Description: generate generates the key pair and a certificate for the internal CA.

Note: You can access the commands listed in Table 31 by using the hub-ca label.

To validate the device certificates that a CA issues, each gateway requires that the certificate of the CA be installed as a trusted root. On the hub gateway you do not need to install the CA certificate, because the certificates are generated by using the hub gateway as the internal CA and the CA certificate is always present there. However, the certificate must be displayed so that you can install it on both dynamic gateways.

2. From the command mode (>) enter the command show config pki. The current PKI configuration is listed as shown in the following example:

hub> show config pki
#
# PKI configuration written at Thu Jul 15 01:45:37 2004 GMT by *Unknown*
#
version 1.1
ca hub-ca internal certificate subject-name common-name hub-ca
ca hub-ca internal certificate subject-alt-name fqdn
ca hub-ca internal certificate lifetime 24
ca hub-ca internal certificate rsa-with-sha1 1024
ca hub-ca uuid 2d8911a1-7681b2a7-efcb1ef3-a89c3671
# trusted root id 2d8911a1-7681b2a7-efcb1ef3-a89c3671
certificate trusted-root hub-ca
-----BEGIN CERTIFICATE-----
MIIBwjCCASugAwIBAgIcMjAwNDA3MTUwMTM1MDJaLWh1Yi50ZXN0Lm5ldDANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDEwZodWItY2EwHhcNMDQwNzE0MDEzNDU4WhcNMDYwNzI5MDEzNDU4WjARMQ8wDQYDVQQDEwZodWItY2EwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBAMzWzTi3Xk0uXLKBr
Udq+CMnjVM3471U3Wd1KN6tazeNFRfhNZKwJhMjc9WG491NcIg868kz3SK65nJeMYqjKqlIjYE6r/M+0FDfO8nEdGu4knT9 j4y9AmLkEq42hHdDiQp8zjronr3SCfKGJZoqcl/bkZMscm51qtC5FERccLoHAgMBAAGjDzANMAsGA1UdDwQEAwIBpjANBgkqhkiG9w0BAQUFAAOBgQCHQx8C201U8++6 N8we4Qu1IyyQpUsUJKRawogaDeAl/dnGAZxzON0EXbmzLXNplf0Mi5uMFrPW6mSAuM5wRpOV3ggjzSPb6RNNiP3yleu3cYltplVXWU6awm10d9uqBS9pGgSIA8d+H vWPgS1CC1K22pVLlIeHcP=
-----END CERTIFICATE-----
uuid e6891dc9-fdd5d811-90c700a0-8e7204d8
------------------------------------------------------------

3. Copy the data beginning from certificate trusted-root hub-ca to END CERTIFICATE.
4. On each dynamic gateway, paste the data copied in step 3 in the PKI configuration mode (pki_config#). For example, on dynamic gateway A, the result of the process displays as:

dynamo1> config pki
config_pki# certificate trusted-root hub-ca

? -----BEGIN CERTIFICATE-----

? MIIBwjCCASugAwIBAgIcMjAwNDA3MTUwMTM1MDJaLWh1Yi50ZXN0Lm

? hkiG9w0BAQUFADARMQ8wDQYDVQQDEwZodWItY2EwHhcNDEzNDU4WhcN

? MDYwNzI5MDEzNDU4WjARMQ8wDQYDVQQDEtY2EZ8wDQYJKoZIhvcNAQEB

? BQADgY0AMIGJAoGBAMzWzTi3Xk0uXLq+CMn471U3Wd1KN6tazeNFRfh

? NZKwJhMjc9WG491NcIg868kz3SK6qjKqlIjYE6rM+0FDfO8nEdGu4kn

? j4y9AmLkEq42hHdDiQpSCfKGJZoqclbkZMscm51qtC5FERccLoHAgMB

? AAGjDzANMAsGA1UdDwQEAwIBpjANBgkqhkiG9w0BAQUFAAOBgQC8++6

? N8we4Qu1IyyQpUsUJKRawogaDeAl/dnGAZxzON0EXbm/zLXNplf0M/

? SAuM5wRpOV3ggjzSNiP3yleucYltplV10d9uqBS9pGgSIA8d+H

? vWP/gS1CC1K22pVLlIeHcPm/xrtW2Q==

? -----END CERTIFICATE-----

?

config_pki#

Note: There are now three gateways that communicate, an internal CA on the hub gateway, and a common trusted root (CA) certificate installed on all three gateways. You must now generate device certificates for each gateway.
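The trusted-root certificate reaches each dynamic gateway by copying terminal output from the hub and pasting it at the config_pki# prompt, so a truncated copy or a stray character installs a wrong trust anchor without any complaint from the CLI. The following Python script is an added example, not part of this guide or of the Nokia software: it extracts the PEM block from a captured show config pki listing and from the spoke's echoed paste (stripping the ? prompt prefixes the gateway prints while reading), decodes both strictly, and compares SHA-256 fingerprints. The two captures and the base64 body are constructed samples, not the certificate shown above; extract_der, fingerprint and verify_paste are this example's own names.

```python
import base64
import hashlib
import re

# Constructed captures (the base64 body is a stand-in, not a real certificate):
# the hub's "show config pki" listing and the same certificate as dynamo1
# echoes it back while it is pasted at the config_pki# prompt.
HUB_SHOW_CONFIG = """\
hub> show config pki
ca hub-ca internal certificate lifetime 24
certificate trusted-root hub-ca
-----BEGIN CERTIFICATE-----
AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v
MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f
-----END CERTIFICATE-----
uuid e6891dc9-fdd5d811-90c700a0-8e7204d8
"""
SPOKE_PASTE_ECHO = """\
config_pki# certificate trusted-root hub-ca
? -----BEGIN CERTIFICATE-----
? AAECAwQFBgcICQoLDA0ODxAREhMUFRYXGBkaGxwdHh8gISIjJCUmJygpKissLS4v
? MDEyMzQ1Njc4OTo7PD0+P0BBQkNERUZHSElKS0xNTk9QUVJTVFVWV1hZWltcXV5f
? -----END CERTIFICATE-----
?
config_pki#
"""
PEM_BLOCK = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def extract_der(capture):
    """Return the DER bytes of the first certificate in a terminal capture.
    Drops the '? ' echo prefix the gateway prints while reading a paste,
    joins wrapped lines, and decodes strictly so a damaged paste raises."""
    m = PEM_BLOCK.search(capture)
    if not m:
        raise ValueError("no certificate block in capture")
    body = re.sub(r"^\s*\?", "", m.group(1), flags=re.M)   # strip prompt echo
    body = re.sub(r"\s+", "", body)                         # join line wraps
    return base64.b64decode(body, validate=True)            # binascii.Error is a ValueError


def fingerprint(der):
    """SHA-256 over the DER encoding: the value to compare out of band."""
    return hashlib.sha256(der).hexdigest()


def verify_paste(hub_capture, spoke_capture):
    """'match' when the spoke holds the hub's CA certificate byte for byte,
    'mismatch' when it decodes to different bytes, 'garbled' when the pasted
    text is not valid base64 (for example a line lost in the terminal copy)."""
    try:
        spoke_der = extract_der(spoke_capture)
    except ValueError:
        return "garbled"
    return "match" if fingerprint(spoke_der) == fingerprint(extract_der(hub_capture)) else "mismatch"
```

Run verify_paste on a capture of the hub listing and a capture of each spoke's paste session; only "match" means the spoke trusts exactly the CA the hub generated. The fingerprint printed from the hub side can also be read out over a separate channel before the paste, which is the usual way to confirm a trust anchor that travels through a copy buffer.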

Creating Device Certificates

To create certificates for each gateway, first generate a certificate request on each gateway in sequence. This process generates data that is encapsulated in the text of the certificate request. The internal CA signs the request, and the resulting certificate is returned as text to be pasted back into the gateway.

The requirements for the device certificates differ between the hub gateway (a static gateway) and the dynamic gateways (which have an unknown external IP address). The minimum information needed for a certificate for a static gateway is a common-name, an alternative name that is the external IP address (in this case, interface eth-2), and a key length for the certificate. The alternative name is used during the IKE negotiation phase to identify the hub gateway.

Creating the Hub Gateway Certificate

The base of each command, ca hub-ca enrollment, indicates that the rest of the command relates to the process of enrolling a certificate under the CA certificate configured previously (hub-ca). When the base is followed by the keyword certificate, the entries specify the contents of the certificate request. From the PKI configuration mode (config_pki#) enter the following commands.

Command: ca hub-ca enrollment certificate subject-name common-name hub
Description: subject-name is a textual name that can have a variety of fields. common-name typically refers to the name associated with the entity that uses the certificate. For the hub gateway, hub is selected.

Command: ca hub-ca enrollment certificate subject-alt-name eth-2
Description: subject-alt-name allows different names to be placed in the certificate. The external IP address of the hub gateway is associated with eth-2.

Command: ca hub-ca enrollment certificate rsa-with-sha1 1024
Description: rsa-with-sha1 defines the type of public and private key required and the size of the key (minimum of 1024 bits).

Command: ca hub-ca enrollment protocol pkcs10
Description: protocol is the type of certificate request required. pkcs10 is a manual method that uses data blobs (binary large objects).

Command: ca hub-ca enroll hub
Description: The enroll command notifies the hub gateway to generate a key pair and the certificate request.

The certificate request for the hub gateway is listed as shown in the following example:

-----BEGIN CERTIFICATE REQUEST-----
MIIBfDCB5gIBADAOMQwwCgYDVQQDEwNodWIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwX35QZTZoLUkG2aiqToqLj3KEGDkRodKmeJp5s9V4dT8SMthZ8zwMe1LWN0Y3650+kNQnZl22dZbxeP4+nEboKXgNG0vihyDETjt0ttxvi/0S3xfFSqrZevmclMDT22ZI9OQtaBC3iM3roDwqjVIWk7MXWfB9XAnuTxb9BxAgMBAAGgLzAtBgkqhkiG9w0BCQ4xIDAeMA8GA1UdEQQIMAaHBAoABwowCwYDVR0PBAQDAgWgMA0GCSqGSIb3DQEBBQUAA4GBAJb6dah7Qe1i3c+kv1jKaFuycvxqMAnt24ZyM4jOMf1Bn4Oj0ANG/e9g/
5ibihmou32EhGR49MDN5nLNaUsO+Vbw8F0iTW2aRVdqg9xPqC1Nmo3Qxsak8ERzqsHLwG4NptfSJBRzx6vYwdvB4+06ZJZgA+NhGZyVrBDwA4+wDDUY
-----END CERTIFICATE REQUEST-----

Signing Device Certificates

When the hub gateway generates the certificate request, the CA must sign the request to obtain a certificate. Certificates must be signed for both the hub gateway and the dynamic gateways. The CA that was created (the internal CA) is present on the hub gateway.

To sign a certificate
1. From the PKI configuration mode (config_pki#), enter the following commands:
ca hub-ca internal csr lifetime 12
ca hub-ca internal csr issue
2. The question mark (?) prompt appears.
3. Copy and paste the certificate request for the gateway that requires the internal CA signature and issuance of a certificate.

The pasted certificate request is echoed as follows:

? -----BEGIN CERTIFICATE REQUEST-----

? MIIBfDCB5gIBADAOMQwwCgYDVQQDEwNodWIwgZ8wDQYJKoZIhvcNAQ

? MIGJAoGBALwX35QZTZoLUkg2aiqToqLj3KEGDkRodKms9VthZ8zN

? wMe1LWN0Y3650+kNQnZl22dZbxeP4+nENG0vihy0ttxvi/0S3xfFSq

? rZevmclMDT22ZI9OQtaBC3iM3roDwqjVIWk7MXWxAgMBAAGgLzAt

? BgkqhkiG9w0BCQ4xUdEQQIMAaHBAoABwowCwYDVR0PBAQDAgWgMA0G

? CSqGSIb3DQ4GBAJb6dah7Qe1i3c+kv1jKaFuycvxqMAnt24ZyM4jOMf1B

? n4Oj0ANG/e9g/5ibihmou32EhGR49MDN5nLNaUsO+Vbw8F0iTW2aN

? mo3Qxsak8ERzqsHLwG4NptfSJBRzx6vYwdvBA4+wDDUY

? -----END CERTIFICATE REQUEST-----

?

Two new commands are based on ca hub-ca internal csr. Commands that begin with this base configure how the internal CA signs certificate signing requests (CSRs). lifetime sets the duration for which the issued certificates are valid. issue triggers the process that signs and issues the certificate. The result appears as follows:

---------------------------------------------------------------

Certificate Request:

Data:

Version: 0 (0x0)

Subject: CN=hub

Subject Public Key Info:

Public Key Algorithm: rsaEncryption


RSA Public Key: (1024 bit)

Modulus (1024 bit):

00:bc:17:df:94:19:4d:9a:0b:52:41:bf:83:66:a2:

a9:3a:2a:2e:3d:ca:10:60:e4:46:87:4a:99:e2:69:

e6:cf:55:e1:d4:fc:48:cb:61:67:cc:cd:c0:c7:b5:

2d:63:74:63:7e:b9:d3:e9:0d:42:76:65:db:67:59:

6f:17:8f:e3:e9:c4:6e:82:97:80:d1:b4:be:28:72:

0c:44:e3:b7:4b:6d:c6:f8:bf:d1:2d:f1:7c:54:aa:

ad:97:af:99:c9:4c:0d:3d:b6:64:8f:4e:42:d6:81:

0b:78:8c:de:ba:03:c2:a8:d5:21:69:3b:31:75:9f:

07:d5:c0:9e:e4:f1:6f:d0:71

Exponent: 65537 (0x10001)

Attributes:

Requested Extensions:

X509v3 Subject Alternative Name:

IP Address:10.0.7.10

X509v3 Key Usage:

Digital Signature, Key Encipherment

Signature Algorithm: sha1WithRSAEncryption

96:fa:75:a8:7b:41:ed:62:dd:cf:a4:bf:58:ca:68:5b:b2:72:

fc:6a:30:09:ed:db:86:72:33:88:ce:31:fd:41:9f:83:a3:d0:

03:46:fd:ef:60:ff:98:9b:8a:19:a8:bb:7d:84:84:64:78:f4:

c0:cd:e6:72:cd:69:4b:0e:f9:56:f0:f0:5d:22:4d:6d:9a:45:

57:6a:83:dc:4f:a8:2d:4d:9a:8d:d0:c6:c6:a4:f0:44:73:aa:

c1:cb:c0:6e:0d:a6:d7:d2:24:14:73:c7:ab:d8:c1:db:c1:e3:

ed:3a:64:96:60:03:e3:61:19:9c:95:ac:10:f0:03:8f:b0:0c:

35:18

UUID: dce93636-8345cc49-fa3f48e1-f7104f63

-----BEGIN CERTIFICATE-----

...

-----END CERTIFICATE-----

Installing Device Certificates

Though a certificate has been obtained, the device certificate must still be installed in the gateway. To import the device certificate to the hub gateway, from the PKI configuration mode (config_pki#) enter the following command:

config_pki# certificate device hub-dev

Note: Device certificates are used to establish IKE communications. The command certificate device <label> specifies that a certificate of type device is imported. The <label> is a tag that is meaningful to the user.

The gateway prompts with a question mark (?). Paste the certificate that the CA issued for the request, from the BEGIN CERTIFICATE line through the END CERTIFICATE line:

-----BEGIN CERTIFICATE-----

MIIBxDCCAS2gAwIBAgIQD38DOqivtJwG4UsrGPLwvTANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDEwZodWItY2EwHhcNMDQwNzE0MTYyOTIwWhcNMDUwNzIyMTYyOTIwWjAOMQwwCgYDVQQDEwNodWIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwX 35QZTZoLUkG/g2aiqToqLj3KEGDkRodKmeJp5s9V4dT8SMthZ8zNwMe1LWN0Y365 0+kNQnZl22dZbxeP4+nEboKXgNG0vihyDETjt0ttxvi/0S3xfFSqrZevmclMDT22 ZI9OQtaBC3iM3roDwqjVIWk7MXWfB9XAnuTxb9BxAgMBAAGjIDA1UdEQQI MAaHBAoABwowCwYDVR0PBAQDAgWgMA0GCSqGSIb3DQEBBQUAA4GBAIARqjaQjdmvxiYCSAoHImusNMYhPFxz+beOSmJPu8IIN03w2qvByCNQ6Dr81aoHZszk0KFZ9OnACxSduXw0i2Jaz87qRTx3PsYMRN8jkUNArcergMjEHotaAtkbFwxCDB+LU2b+/H9JYN7qZpIX47fDGgFJrlMWE5k8OeU0JeB

-----END CERTIFICATE-----

Note: Certificate requests must also be generated on the dynamic gateways, the internal CA must sign these requests, and the resulting device certificates must then be imported into the appropriate gateways. The process is the same as described for the hub gateway, but the requirements for the certificate request must be modified for dynamic gateways. This is necessary because the hub gateway (a static gateway) has a static external IP address, whereas for the dynamic gateways you must use the FQDN.

To generate the certificate request for dynamic gateways A and B
1. From the PKI configuration mode (config_pki#) prompt, enter the following commands:
ca hub-ca enrollment certificate subject-name common-name dynamo1
ca hub-ca enrollment certificate subject-alt-name fqdn
ca hub-ca enrollment certificate rsa-with-sha1 1024
ca hub-ca enrollment protocol pkcs10
ca hub-ca enroll dynamo1

Note: You must apply these commands to both gateways. (For gateway B, replace the value dynamo1 with dynamo2.)

The resulting certificate request is similar to the one generated for the hub gateway.
2. Sign the certificate request by using the internal CA configured on the hub gateway.
3. Import the signed certificate as a device certificate to the dynamic gateway on which you generated the request in step 1.

Note: Follow the steps in sequence when you generate the certificate request. Dynamic gateways require the subject-alt-name of fqdn because the external IP address is dynamic and might change. The hub gateway (a static gateway) requires that the subject-alt-name is set to use the external interface (eth-2 in this example).

All three gateways now have the trusted root certificate and a device certificate. The next step is to set the gateway selectors.
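The rule that a static gateway's request carries its external interface address while a dynamic gateway's request carries its FQDN is easy to get wrong when the same five enrollment commands are repeated per gateway, and the internal CA prints the request in a readable form (the Certificate Request: listing above) before it signs. The following Python script is an added example, not from this guide or from Nokia: it parses that textual dump and checks the subject-alt-name and key size against the gateway type. The hub request text is taken from the page's example with the modulus and signature bytes left out; the dynamo1 request is constructed from it, and the static/dynamic rules are the ones stated in the notes above. parse_csr_text and check_request are this example's own names. It also goes beyond the page with an advisory warning: 1024-bit RSA keys and SHA-1 signatures, the values this 2005 guide uses as its minimums, are below current minimums.

```python
import re

# The hub's request as the internal CA prints it, copied from the page's
# example with the modulus and signature bytes omitted. The dynamo1 request
# is constructed from it for illustration.
HUB_CSR_TEXT = """\
Certificate Request:
    Data:
        Version: 0 (0x0)
        Subject: CN=hub
        Subject Public Key Info:
            Public Key Algorithm: rsaEncryption
            RSA Public Key: (1024 bit)
        Attributes:
        Requested Extensions:
            X509v3 Subject Alternative Name:
                IP Address:10.0.7.10
            X509v3 Key Usage:
                Digital Signature, Key Encipherment
    Signature Algorithm: sha1WithRSAEncryption
"""
DYNAMO1_CSR_TEXT = (HUB_CSR_TEXT.replace("CN=hub", "CN=dynamo1")
                    .replace("IP Address:10.0.7.10", "DNS:dynamo1.test.net"))
MIN_KEY_BITS = 1024  # the minimum this guide states; see the warning below


def parse_csr_text(text):
    """Pull the fields the deployment rules depend on out of the CA's dump."""
    cn = re.search(r"Subject:.*?CN=([^,\n]+)", text).group(1).strip()
    bits = int(re.search(r"RSA Public Key: \((\d+) bit\)", text).group(1))
    sig = re.search(r"Signature Algorithm: (\S+)", text).group(1)
    san = []
    m = re.search(r"Subject Alternative Name:\s*\n\s*(.+)", text)
    if m:
        for item in m.group(1).split(","):
            typ, _, value = item.strip().partition(":")
            san.append((typ.strip(), value.strip()))
    return {"cn": cn, "bits": bits, "sig": sig, "san": san}


def check_request(text, kind, expected):
    """kind is 'static' (expected = external interface address) or 'dynamic'
    (expected = the gateway's FQDN). Returns (errors, warnings)."""
    req = parse_csr_text(text)
    errors, warnings = [], []
    want = ("IP Address", expected) if kind == "static" else ("DNS", expected)
    if want not in req["san"]:
        errors.append(f"{req['cn']}: subject-alt-name must carry {want[0]} {want[1]}, got {req['san']}")
    if kind == "dynamic" and any(t == "IP Address" for t, _ in req["san"]):
        errors.append(f"{req['cn']}: a dynamic gateway must not bind its certificate to an IP address")
    if req["bits"] < MIN_KEY_BITS:
        errors.append(f"{req['cn']}: {req['bits']}-bit key is below the {MIN_KEY_BITS}-bit minimum")
    # Beyond the page: the values it uses as minimums are weak by current standards.
    if req["bits"] < 2048 or req["sig"].lower().startswith("sha1"):
        warnings.append(f"{req['cn']}: {req['bits']}-bit RSA with {req['sig']} is below current minimums")
    return errors, warnings
```

Run check_request over the dump of each request before pasting it into ca hub-ca internal csr issue: an empty error list for the hub with its eth-2 address, and for each spoke with its hostname.domain-name, is what the IKE identity matching later in this appendix depends on.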

Setting Gateway Selectors

You must configure the following gateway selectors to ensure that gateways establish secure communications:
• IKE—authenticates the gateways and initiates the Security Association (SA). For more information about IKE, see “IKE Policy Configuration Commands” on page 225.
• IPSec—sets rules for traffic to be protected based on origin and destination, and the path that traffic takes. For more information about IPSec, see “IPSec Policy Configuration Commands” on page 228.

Note: You must use the apply command to execute commands, and the save command to write changes to flash memory. For more information about the apply and save commands, see “apply” on page 220 and “save” on page 222.

Configuring IKE Settings

IKE policy parameters must match between the gateway on which the policy is configured and the gateways that establish secure traffic with it.

To configure IKE settings
1. Set up a suite that determines the properties used for IKE negotiation.
2. Based on the IP address, specify a gateway that uses the configured suite.

Note: You must configure IKE settings from the PCS configuration mode (config_policy#). For more information about how to access the PCS configuration mode (config_policy#), see “Entering and Exiting PCS Configuration Mode” on page 219.

Suites

Suites specify the following:
• authentication—how authentication is handled.
• cipher—encryption algorithm to use.
• oakley-group—Diffie-Hellman group to use as part of Oakley.
• hash—hash algorithm to use.
• flags—any additional or special flags that you need to use.

The IKE suites of the gateways that you want to communicate with each other must have the same cryptographic parameters.

Command: authentication
Value: Certificate authentication

Command: cipher
Value: AES

Command: oakley-group
Value: modp-1536

Command: hash
Value: SHA

Command: flags
Value: Set the following flags:
• initial-contact—when a gateway establishes contact, any existing data associated with that gateway is removed and the connection is treated as a new connection.
• vendor-id—the gateway sends data that indicates the type of gateway.
• fqdn—use the FQDN as the identity during IKE.
• dynamic-peer—the gateway that initiates the communication.

Gateways

Suites are associated with gateways. The gateway command binds a suite to an external gateway IP address. In the case of dynamic gateways, where the IP address is not known, use the IP address 0.0.0.0. For static gateways, use the IP address that contacts the gateway on which the policy is being configured (the external IP address). Because dynamic gateways communicate with each other through the hub, only IKE gateway associations for the hub need to be set. The hub communicates directly with the dynamic gateways (spokes). You need to set only one IKE gateway association on the hub to handle dynamic gateways.

Defining IKE Suites

IKE suites are defined from the IKE protection suite mode. For more information on IKE suites and how to access the IKE protection suite mode, see “IKE Protection Suite Configuration Commands” on page 226. Define the following IKE suite (and IKE gateway association) on the hub to allow communication with the dynamic gateways:

ike suite dynamic-default
  flags dynamic-peer vendor-id initial-contact
  authentication rsa-signature hub_ca
  cipher aes 256
  oakley-group modp-1536
  hash sha
  exit
ike gateway 0.0.0.0 dynamic-default

The IKE gateway is for dynamic peers. The 0.0.0.0 address on the gateway association indicates that initial communication uses this IKE suite. On the dynamic gateways, the IKE suite (and IKE gateway association) that allows communication with the hub is defined as follows:

ike suite static-default
  flags fqdn vendor-id initial-contact
  authentication rsa-signature hub_ca
  cipher aes 256
  oakley-group modp-1536
  hash sha
  exit
ike gateway 10.0.7.10 static-default

This IKE suite does not support dynamic peers. When the hub contacts the dynamic gateways, the gateway association with the IP address 10.0.7.10 (the external address of the hub) matches the static-default IKE suite defined.

Configuring IPSec Settings

IPSec settings determine how traffic is protected based on the type of traffic, where it originates, and its destination. IPSec selectors determine what traffic is acted on; their parameters include the source and destination addresses (and netmasks), source and destination ports, the action to take if a match occurs, and flags that provide additional controls or context to the rule.

The IPSec gateway determines the path that the traffic protected by a selector takes. Each IPSec gateway setting also needs a transform that indicates exactly how to protect the traffic.

For more information about IPSec and how to access the IPSec mode, see “IPSec Policy Configuration Commands” on page 228.

Selectors

You can use selectors to protect traffic as well as to bypass protection for certain types of traffic based on IP address, port, or both. Each dynamic gateway relies on a DHCP server to provide its external IP address, so each needs a bypass selector that allows it to retrieve the address. On each dynamic gateway enter the following:

ipsec gw-selector dhcp_client
  dst-port 68
  action bypass
  exit

This selector tells the gateway to pass all traffic arriving on port 68 (the port on which the DHCP client receives its information from the DHCP server) without IPSec protection.

Selectors are also used to protect traffic between two points. On the dynamic gateways it is necessary to protect all traffic originating from the local protected host group regardless of the destination. For dynamic gateway A with protected host group 10.0.100/24, the selector to be entered on that gateway is:

ipsec gw-selector dynamo1_protected
  src-addr 10.0.100.0
  src-mask 255.255.255.0
  dst-addr 0.0.0.0
  dst-mask 0.0.0.0
  action protect
  exit

For dynamic gateway B with protected host group 10.0.200/24, the selector is:

ipsec gw-selector dynamo2_protected
  src-addr 10.0.200.0
  src-mask 255.255.255.0
  dst-addr 0.0.0.0
  dst-mask 0.0.0.0
  action protect
  exit

The src-addr and src-mask entries indicate the IP address range of traffic that the selector acts upon. dst-addr and dst-mask indicate the destination of the traffic. Thus, traffic that originates from the src-addr and src-mask range and is destined for the dst-addr and dst-mask range has the action applied to it, in this case protect. The destination address and destination mask are set to 0.0.0.0, which tells the gateway that the destination is any.

Transform

To determine how traffic is protected, IPSec needs a transform that specifies the relevant parameters. This transform must be the same on each gateway. Each dynamic gateway (and the hub gateway) needs the following transform:

ipsec transform aes_sha
  cipher aes 256
  authenticator hmac-sha
  mode tunnel
  protocol esp
  exit

For this transform, traffic is encrypted with 256-bit AES and authenticated with HMAC-SHA1, using tunnel mode with the ESP protocol.

The IPSec gateway handles how to route traffic that matches a particular selector. The IPSec gateway setting provides a start and end point for moving traffic that matches a selector; it also specifies the way the traffic is protected (that is, the IPSec transform used). This data is similar for each dynamic gateway, but refers to the gateway-specific selector.

Note: As each dynamic gateway goes through the same hub, the dynamic gateways have the same destination.

For dynamic gateway A, enter the following:

ipsec gateway dynamo1-hub
  dst-addr 10.0.7.10
  selector dynamo1_protected
  transform aes_sha
  oakley-group modp-1536
  exit

For dynamic gateway B, enter the following:

ipsec gateway dynamo2-hub
  dst-addr 10.0.7.10
  selector dynamo2_protected
  transform aes_sha
  oakley-group modp-1536
  exit

The dst-addr is set to the external IP address of the hub gateway. This is a common reachable address for each of the three gateways. The external IP addresses for the dynamic gateways are dynamically assigned through DHCP from a server on the same (10.0.7/24) subnet. The transform refers to the ipsec transform aes_sha that was defined previously. oakley-group specifies the parameter used to establish a public- or private-keypair during the establishment of IPSec security associations. The selector refers to the selector for the gateway.

On each dynamic gateway, apply and then save the changes. The process is then complete for the dynamic gateways. For more information about how to apply and save changes, see “apply” on page 220 and “save” on page 222.

Selectors and IPSec gateway settings require two sides to operate properly. The two dynamic gateways have policies that point to the hub gateway, so the hub must be configured with the corresponding IPSec policy. So far, the only IPSec policy present on the hub is the IPSec transform. To communicate with the dynamic gateways from the hub, you must mirror the selectors that were defined on them. On the hub gateway, enter the following for traffic destined to dynamic gateway A:

ipsec gw-selector to_dynamo1_protected
  src-addr 0.0.0.0
  src-mask 0.0.0.0
  dst-addr 10.0.100.0
  dst-mask 255.255.255.0
  action protect
  exit

For traffic destined to dynamic gateway B, enter the following:

ipsec gw-selector to_dynamo2_protected
  src-addr 0.0.0.0
  src-mask 0.0.0.0
  dst-addr 10.0.200.0
  dst-mask 255.255.255.0
  action protect
  exit

These selectors protect all traffic destined for the dynamic gateways. Each selector requires a gateway setting.

Gateway Settings

For traffic destined to dynamic gateway A, enter the following gateway settings:

ipsec gateway hub-dynamo1
  src-addr 10.0.7.10
  identity dynamo1.test.net
  selector to_dynamo1_protected
  transform aes_sha
  oakley-group modp-1536
  exit

For traffic destined to dynamic gateway B, enter the following gateway settings:

ipsec gateway hub-dynamo2
  src-addr 10.0.7.10
  identity dynamo2.test.net
  selector to_dynamo2_protected
  transform aes_sha
  oakley-group modp-1536
  exit

The difference between this gateway setting and the gateway setting on the dynamic gateway is the way the tunnel source and destination are handled. The tunnel source in this case is the external IP address of the hub gateway, which is the reverse of the dynamic gateways. The new option in these gateway settings is the identity option. It informs the hub gateway that the tunnel is established by a gateway with the identity specified in the identity entry.

To set up tunnels between the dynamic gateways and the hub and pass protected traffic, enter the commands apply and save.

In dynamic gateway deployments, the hub gateway cannot contact the dynamic gateways (their IP addresses are not known, as they are assigned through DHCP). To circumvent this obstacle, dynamic gateways require a deployment hello. For more information about the deployment hello, see “Dynamic Hello” on page 315.

To communicate between two spoke gateways (through a hub) you must add additional policies on the hub using asymmetric selectors. Traffic destined for dynamic gateway A from dynamic gateway B does not have a path that is symmetric to the way traffic travels from dynamic gateway A to dynamic gateway B.

For traffic that originates from dynamic gateway A and is destined for dynamic gateway B, the selector and corresponding gateway entry are the following:

ipsec gw-selector dynamo1_to_dynamo2_protected
  src-addr 10.0.100.0
  src-mask 255.255.255.0
  dst-addr 10.0.200.0
  dst-mask 255.255.255.0
  action protect
  flags asymmetric
  exit

ipsec gateway dynamo1_to_dynamo2
  src-addr 10.0.7.10
  identity dynamo2.test.net
  selector dynamo1_to_dynamo2_protected
  transform aes_sha
  oakley-group modp-1536
  exit

For traffic that originates from dynamic gateway B and is destined for dynamic gateway A, the selector and corresponding gateway entry are the following:

ipsec gw-selector dynamo2_to_dynamo1_protected
  src-addr 10.0.200.0
  src-mask 255.255.255.0
  dst-addr 10.0.100.0
  dst-mask 255.255.255.0
  action protect
  flags asymmetric
  exit

ipsec gateway dynamo2_to_dynamo1
  src-addr 10.0.7.10
  identity dynamo1.test.net
  selector dynamo2_to_dynamo1_protected
  transform aes_sha
  oakley-group modp-1536
  exit

These selectors and gateway settings are similar to those defined previously. The asymmetric flag is necessary because, while the selectors are essentially symmetric, the path that the data takes from A to B differs from the path from B to A. The identity for a destination indicates that the dynamic gateways must contact the hub so that the proper information is present in the hub for it to pass traffic to the dynamic gateways.

Use the apply and save commands on the hub gateway to ensure that all relevant policies are configured. For more information about the apply and save commands, see “apply” on page 220 and “save” on page 222.
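Two consistency rules in this section are enforced by nothing on the gateways themselves: the IKE suites of communicating gateways must share the same cryptographic parameters (only the flags differ between dynamic-default and static-default), and every protect selector on a dynamic gateway must be mirrored on the hub by a selector with source and destination swapped, plus a gateway entry whose src-addr is the hub's external address, whose identity is the spoke's FQDN, and whose transform matches. A mismatch in any of these shows up only as a tunnel that never comes up. The following Python script is an added example, not part of this guide or of the Nokia software: it parses captured policy commands in the syntax shown above into dictionaries and reports every deviation from those rules. The two captures are constructed from the hub and dynamo1 commands in this section (the transform block and the dhcp_client bypass selector are not part of the sample); parse, net and check_pair are this example's own names.

```python
import ipaddress

# Constructed captures in the page's policy syntax: the hub and dynamic
# gateway A (dynamo1); the transform block and the dhcp_client bypass
# selector are not part of this sample.
HUB_IP = "10.0.7.10"
HUB_CONFIG = """\
ike suite dynamic-default
flags dynamic-peer vendor-id initial-contact
authentication rsa-signature hub_ca
cipher aes 256
oakley-group modp-1536
hash sha
exit
ike gateway 0.0.0.0 dynamic-default
ipsec gw-selector to_dynamo1_protected
src-addr 0.0.0.0
src-mask 0.0.0.0
dst-addr 10.0.100.0
dst-mask 255.255.255.0
action protect
exit
ipsec gateway hub-dynamo1
src-addr 10.0.7.10
identity dynamo1.test.net
selector to_dynamo1_protected
transform aes_sha
oakley-group modp-1536
exit
"""
SPOKE_CONFIG = """\
ike suite static-default
flags fqdn vendor-id initial-contact
authentication rsa-signature hub_ca
cipher aes 256
oakley-group modp-1536
hash sha
exit
ike gateway 10.0.7.10 static-default
ipsec gw-selector dynamo1_protected
src-addr 10.0.100.0
src-mask 255.255.255.0
dst-addr 0.0.0.0
dst-mask 0.0.0.0
action protect
exit
ipsec gateway dynamo1-hub
dst-addr 10.0.7.10
selector dynamo1_protected
transform aes_sha
oakley-group modp-1536
exit
"""
BLOCKS = {("ike", "suite"): "suite", ("ipsec", "gw-selector"): "selector",
          ("ipsec", "gateway"): "ipsec_gw"}
CRYPTO = ("authentication", "cipher", "oakley-group", "hash")  # flags may differ


def parse(text):
    """Group 'exit'-terminated blocks into {kind: {name: {key: value}}};
    'ike gateway <addr> <suite>' is a one-line binding."""
    cfg = {"suite": {}, "ike_gw": {}, "selector": {}, "ipsec_gw": {}}
    block = None
    for w in (line.split() for line in text.splitlines() if line.strip()):
        if w[:2] == ["ike", "gateway"]:
            cfg["ike_gw"][w[2]] = w[3]
        elif tuple(w[:2]) in BLOCKS:
            block = cfg[BLOCKS[tuple(w[:2])]][w[2]] = {}
        elif w[0] == "exit":
            block = None
        elif block is not None:
            block[w[0]] = " ".join(w[1:])
    return cfg


def net(entry, side):
    """Selector addr/mask pair as an IPv4Network; 0.0.0.0/0.0.0.0 means any."""
    return ipaddress.IPv4Network((entry[side + "-addr"], entry[side + "-mask"]))


def check_pair(hub_text, spoke_text, hub_ip, spoke_fqdn):
    """Return findings; an empty list means the two policies agree."""
    hub, spoke = parse(hub_text), parse(spoke_text)
    # Rule 1: the hub suite bound to 0.0.0.0 and the spoke suite bound to the
    # hub address must agree on every cryptographic parameter.
    hs = hub["suite"].get(hub["ike_gw"].get("0.0.0.0"), {})
    ss = spoke["suite"].get(spoke["ike_gw"].get(hub_ip), {})
    findings = [f"ike {k}: hub={hs.get(k)!r} spoke={ss.get(k)!r}"
                for k in CRYPTO if hs.get(k) != ss.get(k)]
    # Rule 2: each spoke tunnel to the hub needs a mirrored hub selector whose
    # gateway entry names the hub address, the spoke identity and the transform.
    for gw in spoke["ipsec_gw"].values():
        if gw.get("dst-addr") != hub_ip:
            continue
        sel = spoke["selector"][gw["selector"]]
        mirror = [n for n, h in hub["selector"].items()
                  if net(h, "src") == net(sel, "dst") and net(h, "dst") == net(sel, "src")
                  and h.get("action") == sel.get("action") == "protect"]
        if not mirror:
            findings.append(f"no hub selector mirrors {gw['selector']}")
            continue
        hub_gw = next((g for g in hub["ipsec_gw"].values() if g.get("selector") == mirror[0]), {})
        if hub_gw.get("src-addr") != hub_ip or hub_gw.get("identity") != spoke_fqdn:
            findings.append(f"hub gateway for {mirror[0]} must set src-addr {hub_ip} and identity {spoke_fqdn}")
        if hub_gw.get("transform") != gw.get("transform"):
            findings.append(f"transform differs for {gw['selector']}")
    return findings
```

Run check_pair once per spoke, with the hub's policy capture, that spoke's capture, the hub's external address and the spoke's FQDN; the identity check is the one that matters most, because the hub selects the tunnel by the identity the spoke presents in IKE, and a hostname typo there fails silently.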

Note: For more information about enabling the firewall, see “Configuring Firewall and Network Address Translation” on page 255.

Dynamic Hello

In dynamic gateways, the external IP address associated with the gateway is not known (and might change). The dynamic gateway must provide information to the hub so that the two can pass traffic between one another. The deployment_hub command allows the dynamic gateway to provide its IP address to the hub by negotiating a VPN connection.

deployment_hub

Use the deployment_hub command to generate Hello packets that maintain an IPSec connection with the hub, thereby informing the hub of the current external IP address of the dynamic gateway and maintaining continuous management and VPN connectivity. For more information about the deployment_hub command, see “deployment_hub” on page 128.

For each dynamic gateway, enter the commands from the configuration mode (Config#). In the following example, the dynamic gateways contact the internal IP address of the hub gateway and attempt to communicate every five minutes.

When you have entered the commands, save the configuration on each gateway and reboot each of the gateways. This procedure ensures that the proper tunnels are activated and enables communication between each of the nodes.

Gateway: dynamic gateway A
Command:
deployment_hub source 10.0.100.1 destination 10.0.10.1
deployment_hub hellointerval 5

Gateway: dynamic gateway B
Command:
deployment_hub source 10.0.200.1 destination 10.0.10.1
deployment_hub hellointerval 5


C List of Commands

Config# interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32<eth-1 | eth-2 | eth-3 | eth-4 | loop-0>

[-alias][-backup][-dhcp][-external][-primary][address <A.B.C.D>][alias][backup priority <value>][broadcast <A.B.C.D>][clear][destination <A.B.C.D>][dhcp][down][external][family <inet>][flowcontrol <active | default | none | passive>][media <autoselect | 10 | 10-Full-Duplex | 100 | 100-Full-Duplex>][mtu <72-16366>][netmask <A.B.C.D>][primary][up]

Config# dialup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 34disconnectmode <dynamic | independent | wan-backup back-up priority <priority>>profile <1-5>

auth <any | chap | none | pap>dns1 <A.B.C.D>dns2 <A.B.C.D>mtu <56-1500>preferred_address <A.B.C.D>username <XXXXXX> password <XXXXXX> phone_number <XXXXXX>

Config# wanbackup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 36backup_interface <eth-1 | eth-2 | eth-3 | eth-4> default_route <A.B.C.D>

Nokia IP VPN Gateway Command-Line Summary v6.3 317

C List of Commands

failover-timeout <timeout>fallback-timeout <timeout>mode <dialup | none | simple>tcp-check <A.B.C.D> port <value> interval <interval>

Config# pppoe. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39profile <name> eth-interface <eth-1 | eth-2 | eth-3 | eth-4> user <user name> passwd <<passwd> | <CR>>

[acname <name>][auth <chap | mschap | noauth | pap>][debug <all | info>][dns <primarydns | secondarydns>][external][ifroute <ip_address/masklen>][mode <demand | keepalive>][mtu <number>][nodefaultroute][nonstandard <0xABCD:0xABCD>][service <name>][timeout <number>][type <static srcaddr <source-ip-address/masklen> dstaddr <pppoe-peer-ip-address/masklen>> | <dynamic>][wins <primarywins | secondarywins>][<CR>]

Config# [no] pppoe profile <name> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Config# pppoe interface profilename <profile> . . . . . . . . . . . . . . . . . . . . . . 39Config# [no] pppoe interface <name> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 39Config# [no] vrrp interface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44Config# vrrp interface <eth-1 | eth-2 | eth-3 | eth-4> <address> <priority <backup | master | <1-255>>> vrid <1-255> . . . . . . . . . . . . . . . 44

Config# [no] vrrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44[advertisement-interval <1-255>][auth-passwd][no-preempt][while-backup <allow-forwarding | allow-ipsec | call-dialup>]

vrrp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46[disable][enable]

Config# [no] route . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46<ADDR> <NETMASK> <ADDR> <[blackhole | cloning | expire <decimal> | genmask <ADDR> | inet | mtu <decimal> | nostatic | static]>

ipsrd . . . . . . . . . . 48
[dump]
[reconfigure]
[restart]

cluster . . . . . . . . . . 49


reboot <now>
reset <now>

Config# [no] cluster . . . . . . . . . . 50
external

address <A.B.C.D> | family inet address <A.B.C.D>
<interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>
[netmask <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>]

internal
address <A.B.C.D> | family inet address <A.B.C.D>

<interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>
[netmask <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>]

mode <forward | unicast | multicast>
name <STRING>

arp . . . . . . . . . . 52
-a
-f
-n
-<options>
<HOST>

firewall . . . . . . . . . . 53
clear-global-log
clear-state
disable
enable <policy-manager <ADDR> | <CR>>
global-log
rate-limit <<NUMBER> | <CR>>

Config# [no] arp . . . . . . . . . . 55
add <ADDR> <auto | proxy | MAC ADDR> <publish | temporary>
change <ADDR> <auto | proxy | MAC ADDR> <publish | temporary>
delete <ADDR> <proxy>

Config# [no] bootp-forwarder . . . . . . . . . . 56
[interface <eth-1 | eth-2 | eth-3 | eth-4> servers <ADDR> <ADDR>]

Config# [no] dhcp-server <eth-1 | eth-2 | eth-3 | eth-4> . . . . . . . . . . 58
[default-route <A.B.C.D>]
[dns-servers <A.B.C.D>]
[domain-name <domainname>]
dynamic <A.B.C.D> <A.B.C.D>
[exclude <A.B.C.D>]
[ignore-ras]
[lease <number-of-seconds>]
[nbt-dd-servers <A.B.C.D>]
[nbt-name-servers <A.B.C.D>]
[nbt-node-type <broadcast | hybrid | mixed | peer>]


[nbt-scope <scope>]
[netmask <A.B.C.D>]
[non-authoritative]
static <A.B.C.D> <client-id <Client ID> | <MAC ADDR>>

Config# diff-serv . . . . . . . . . . 61
codepoint

[assured <AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43>]
[best-effort]
[expedited]
[pass-through]
[<NUMBER>]

Config# [no] dns . . . . . . . . . . 62
[domain-name <domain name>]
[retrans <1-60 (seconds)>]
[retry <1-10>]
[servers <A.B.C.D>]

Config# [no] ip-address-pool . . . . . . . . . . 62
<name> <A.B.C.D> <A.B.C.D>

Config# [no] lns . . . . . . . . . . 63
<client name>

<authentication <chap | mschap | pap>>
<basic <local name> <secret> <decimal number>>
<require <ipsec | mppe40 | none>>

Config# [no] mss-clamp . . . . . . . . . . 64
<val>

Config# [no] ntp . . . . . . . . . . 65
[auth-key md5 <md5-key>]
[interval <seconds>]
[servers <ADDR> <ADDR>]
[version <1 | 2 | 3>]

Config# [no] pns . . . . . . . . . . 66
authentication <chap | mschap | pap>
require <ipsec | mppe40 | none>

Config# [no] ppp . . . . . . . . . . 67
user <username> <[<address <allow-selection> | <A.B.C.D>> | group <group> | password <passwd>]>

Config# ppp . . . . . . . . . . 67
group <PPP group name> <[address pool <address pool name> | dns <A.B.C.D> <A.B.C.D> | wins <A.B.C.D> <A.B.C.D>]>

Config# [no] snmp . . . . . . . . . . 68
access <<address/netmask> <community string>>
authentraps
bindtointernal
cpuutil <percentage>
group <NAME> <usm> <User Name>
ioload <pkts/sec>


ipdrop <percentage>
logtraps
memusage <percentage>
pollrate <seconds>
syscontact <sysContact value>
syslocation <sysLocation value>
trap2sink <A.B.C.D> <community_string>
trapdelay <seconds>
trapsink <A.B.C.D> <community_string>
udpdrop <percentage>
user <NAME> <MD5 | SHA> <<encode type> <encoded password> <DES> | <cleartext passphrase> <DES>>
v3access <<groupName> <usm> <<authnopriv> | <authpriv> | <noauthnopriv>> <readView> <writeView> <notifyView>>
view <NAME> included <OID> [<mask>]

aosinfo . . . . . . . . . . 74
-h
<filename>
<CR>

backup . . . . . . . . . . 75
[list <NAME>]
[restore <NAME> <NAME>]
[save <NAME> <NAME>]

clear . . . . . . . . . . 76
[arp]
[dns-resolver]
[ike]
[ipsec]
[nat <link-id>]
[queue]
[route <all | dynamic | static>]
[vpdn <all | tunnel <NUMBER>>]
<CR>

configure . . . . . . . . . . 77
[firewall]
[pki]
[policy]
[save <cluster | <CR>>]
[wizard]
[<CR>]

crypto . . . . . . . . . . 79
[clear <ike | ipsec | <CR>>]
[disable]

<copy-df>
<dead-peer-detection <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>


<deferred-delete <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
<diff-serv <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
<display <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
<host-icmp>
<inline>
<nat-traversal <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
<replay>
<sa-cache>
<sec-proc>
<server <ah | esp | input | output | queue>>
<spd-sorting>
<stable>
<CR>

[enable]
<brief>
<copy-df>
<dead-peer-detection <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
<deferred-delete <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
<diff-serv <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
<display <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
<full>
<host-icmp>
<inline>
<nat-traversal <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
<replay>
<sa-cache>
<sec-proc>
<server <ah | esp | input | output | queue>>
<spd-sorting>


<stable>
<CR>

[flush <ike | ipsec | <CR>>]
[ike <delete <NUMBER>> | lifetime <NUMBER>>]
[ipsec <delete <NUMBER> <ADDR> <ah | esp>> | lifetime <NUMBER> | rekey <NUMBER> <ADDR> <ah | esp>]
[policy reload <NAME>]
[show]

<active <brief | full | <SPI> | <CR>>>
address-cache
all <brief | full>
cached <all <brief | full> | chains <local | remote> <brief | full> | identities <local | remote> <brief | full> | names <brief | full> | public <local | remote> <brief | full>>
cluster
dead <brief | full>
expired <brief | full>
ike <-n | brief | full | statistics | <SEQ> | <ADDR> | <fqdn> | <rfc822> | <CR>>
ipsec <brief | full | <SPI> | <CR>>
keys <all <brief | full> | blocked <brief | full> | certified <brief | full> | preshared <brief | full> | public <local | remote> <brief | full> | trusted-root <brief | full>>
options
pending <brief | full>
policy <-n | brief | client <brief | full | matched | <CR>> | full | gateway | ike | ipsec | matched | protnet | spd <brief | dynamic | full | matched | routing | static | <CR>> | <CR>>
statistics <ah | esp | ike | random | replay | sa | sec-proc | <CR>>

date . . . . . . . . . . 98
[[[yyyy]mm]dd]HH]MM[.ss]]
[<CR>]

examine . . . . . . . . . . 98
any | gre | icmp | ipinip | tcp | udp | <NUMBER>

<SRC-ADDR> <any | SRC-PORT> <DST-ADDR> <any | DST-PORT>

flash . . . . . . . . . . 99
[duplicate <<NAME> | <CR>> <<NAME> | <CR>>]
[format <-d <<NAME> | <CR>> | <NAME>>]

kernel . . . . . . . . . . 100
[check <filename>]
[commit]
[upgrade <filename>]

nat . . . . . . . . . . 101
clear-state

pin . . . . . . . . . . 102
[set <generate | none | <HEX>>]


[show]
[update <none | <HEX>>]
[zero]

reboot . . . . . . . . . . 103
schedule . . . . . . . . . . 104

[backup <<date/time> <PATH> <seconds>>]
[bump]
[cancel]
[commit <date/time> <version>]
[kernel <kernel_filename>]
[list]
[reboot <date/time>]
[resume]
[rollupgrade <date/time> <#nodes>]
[session <date/time>]
[stagreboot <date/time>]
[suspend]
[upgrade <date/time> <#nodes>]

show . . . . . . . . . . 106
address-pool
arp <-a | -n | -<options> | <HOST>>
bootp-forwarder
cluster <-n | aggregation | keepalive | workspace>
configuration <active | pki <active | private | startup | <CR>> | startup | <CR>>
crypto
date
debug
dhcp-client
dhcp-server <client <A.B.C.D> | full | <CR>>
dialup
fastpath <-n | <CR>>
filter-cache
firewall <full | state | statistics | <CR>>
flash
fru
hardware
ike <-n | brief | full | statistics | <SEQ> | <ADDR> <brief | full | <CR>> | <fqdn> | <rfc822> | <CR>>
interface <statistics <eth-1 | eth-2 | eth-3 | eth-4 | loop-0> | status <eth-1 | eth-2 | eth-3 | eth-4 | loop-0>>
ip <anti-spoofing | connections | forwarding | icmp | nat <all | <CR>> | routes <<ADDR> | <CR>>>
ipsec <brief | full | <SPI> | <CR>>
ipsrd

<bgp <errors | groups | memory | paths | peers <detailed | <A.B.C.D> <advertised | detailed | received> | <CR>> | statistics | <CR>>
<configuration>


<ipsec-peer <not-allowed-networks | peers <<A.B.C.D> <received> <CR> | <CR>> | protected-networks | <CR>>
<memory>
<ospf>

<database <area | asbr-summary | checksum | database-summary | external | network | router | summary | type | <CR>> | errors <brief | dd | hello | ip | lsack | lsr | lsu | proto | <CR>>>
<events>
<interface <detail | <CR>>>
<neighbor <detail | <A.B.C.D> | <CR>>>
<packets>
<CR>

<rip <errors | interfaces | neighbors | packets | <CR>>>
<route>

<aggregate>
<all <aggregate | bgp | direct | ipsec-peer | ospf | rip | static | <CR>>>
<bgp <aspath | communities | detailed | metrics | suppressed | <CR>>>
<destination <A.B.C.D>>
<direct>
<exact-match <A.B.C.D>>
<inactive <aggregate | bgp | direct | ospf | rip | static | <CR>>>
<ipsec-peer>
<less-specific <A.B.C.D>>
<more-specific <A.B.C.D>>
<ospf>
<rip>
<static>
<summary>
<CR>

key <cache <all <full | brief> | chains <local | remote> <brief | full> | identities <local | remote> <brief | full> | names <brief | full> | public <local | remote> <brief | full>>>
key <info <all <brief | full> | blocked <brief | full> | certified <brief | full> | preshared <brief | full> | public <local | remote> <brief | full> | trusted-root <brief | full>>>
locks
logger
memory
modem
nat <arp | state | statistics>
ntpdate
oob
packet-trace
pending <brief | full>
policy <-n | brief | client <brief | full | matched> | full | gateway | ike | ipsec | matched | protnet | spd <brief | dynamic | full | matched | routing | static | <CR>> | <CR>>


pppoe <interface <CR> | profile <CR>>
processes
schedule
sensor <all | fan | ps | temp | volt>
snmp
ssh <[config | public-key auth]>
statistics <ah | esp | icmp | igmp | ike | ip | ipsec | nat | queue | random | replay | sa | sec-proc | tcp | udp | <CR>>
subsystem
syslog
terminal
version
vpdn <all | brief | ip-address <HOST> | username | <CR>>
vrrp
wanbackup

tcpdump . . . . . . . . . . 120
<tcpdump options>
tcpdump [-aAdeflLnNOpqRStuvxX] [-c count] [-C filesize] [-F file] [-i interface] [-r file] [-s snaplen] [-T type] [-w file] [expression]
Can also type 'tcpdump -h' for usage.
Visit http://www.tcpdump.org/tcpdump_man.html, or consult product documents for more information.
[disable]
[enable <<A.B.C.D> | <CR>>]
[port <port>]
[secret <secret>]
<CR>

terminal . . . . . . . . . . 123
[editing-style <emacs | vms>]
[idle-timeout <seconds>]
[length <0-512>]
[more <enable | disable>]
[width <0-512>]

validate . . . . . . . . . . 124
any | gre | icmp | ipinip | tcp | udp | <NUMBER>

<SRC-ADDR> <any | <SRC-PORT>> <DST-ADDR> <any | <DST-PORT>>

Config# [no] crypto . . . . . . . . . . 126
[copy-df]
[dead-peer-detection]
[deferred-delete]
[diff-serv]
[dpd-interval <seconds>]
[dpd-retries <count>]
[host-icmp]
[ike-retries <count>]
[nat-traversal]
[replay]
[spd-sorting]
[stable]


[<CR>]

Config# [no] deployment_hub . . . . . . . . . . 128
hellointerval <minutes>
source <A.B.C.D> destination <A.B.C.D>
timeout <seconds>

Config# disable . . . . . . . . . . 129
[dhcp]
[dialup]
[firewall]
[ipsec]
[ipsrd]
[l2tp]
[oob]
[pptp]
[sshd]
<CR>

Config# enable . . . . . . . . . . 129
[dhcp]
[dialup]
[firewall]
[ipsec]
[ipsrd]
[l2tp]
[oob]
[pptp]
[sshd]
<CR>

Config# [no] hostname . . . . . . . . . . 131
<hostname>

Config# [no] icmp . . . . . . . . . . 131
[allow]
[bmcast]
[bypass]
[ignore]
[prohibit]
[rate-limit <rate-limit>]
[redirects]
[source-filter]
[stealth]
[unreach <filter | host | net>]
[<CR>]

Config# [no] ipsec-client . . . . . . . . . . 133
wins <A.B.C.D> [<A.B.C.D>] [<A.B.C.D>] | <CR>

Config# [no] ldap-server . . . . . . . . . . 133
<server name | id> <LDAP server address> <LDAP server port> <as_active_directory | as_openldap> <LDAP search timeout> <LDAP base DN> <base | onelevel | tree> <initial bind DN> <<0|1|2|3> <encoded bind password> | <bind password in clear text>>


<<attribute> | <CR>>

Config# modem . . . . . . . . . . 135
dialmode <pulse | tone>
initstring <XXX...XXX>
speed <9600 | 19200 | 38400 | 57600 | 115200 | 230400 | 460800>
type <standard | custom>

Config# oob . . . . . . . . . . 136
localip <A.B.C.D> remoteip <A.B.C.D> idletimeout <value> vjcomp <yes | no>

Config# [no] panic . . . . . . . . . . 136
halt
reboot

Config# [no] radius . . . . . . . . . . 137
<radius server address> <<encode type> <encoded secret>> | <<secret> <port number>>

Config# [no] terminal . . . . . . . . . . 138
editing-style <emacs | vms>
idle-timeout <1-10000000>
length <number-of-rows>
logging <level <none | emergency | alert | critical | error | warning | notice | info | debug> | <timestamp <microsecond> | <CR>> | <CR>>
more
type <terminal-type>
width <number-of-columns>

Config# [no] uuid <uuid> . . . . . . . . . . 139
finger . . . . . . . . . . 140
flowbee . . . . . . . . . . 140

[-I <ADDR> | -L | -P <number> | -Q | -R | -T <number> | -a | -c <number> | -d | -f | -i <number> | -l <number> | -n | -p <pad> | -q | -r | -s <number> | -v | <HOST>]

netstat . . . . . . . . . . 142
[-A | -I <eth-1 | eth-2 | eth-3 | eth-4> | -a | -b | -d | -f <INET> | -g | -i | -m | -n | -o | -p <ICMP | IGMP | IP | LOCAL | RAW | TCP | UDP> | -r | -s | -t | -u | -w <seconds> | <-options>]

ping . . . . . . . . . . 144
[-I <ADDR>]
[-L]
[-Q]
[-R]
[-T <NUMBER>]
[-a]
[-c <NUMBER>]
[-d]
[-f]
[-i <NUMBER>]


[-l <NUMBER>]
[-n]
[-p <PAD>]
[-q]
[-r]
[-s <NUMBER>]
[-v]
<HOST>

telnet . . . . . . . . . . 147
<HOST> <<PORT> | <CR>>

traceroute . . . . . . . . . . 148
[-F]
[-I]
[-d]
[-f <NUMBER>]
[-g <HOST>]
[-i <eth-1 | eth-2 | eth-3 | eth-4>]
[-m <NUMBER>]
[-n]
[-p <NUMBER>]
[-q <NUMBER>]
[-r]
[-s <HOST>]
[-t <NUMBER>]
[-v]
[-w <NUMBER>]
[-x]
[<HOST>]

Config# [no] tftp . . . . . . . . . . 150
default server <ADDR>

copy . . . . . . . . . . 152
[<NAME> <NAME>]

create . . . . . . . . . . 152
<NAME>

delete . . . . . . . . . . 152
<NAME>

differences . . . . . . . . . . 153
<NAME> <NAME>

directory . . . . . . . . . . 153
<NAME> | <CR>

rename . . . . . . . . . . 154
<NAME> <NAME>

source . . . . . . . . . . 154
<filename>

type . . . . . . . . . . 155
<NAME>


Config# [no] nfs . . . . . . . . . . 155
default <[gid <NFS GID> | server <ADDR> | uid <NFS UID>]>

[no] debug . . . . . . . . . . 157
anti-spoofing
[app-clustering <debug | error | info | none>]
[cluster <all | connectivity | default | event | load-balancing | membership | workspace>]
[dhcp-server <all | bootp-forwarder | client-db | communications | packets | parse | ping-check | ras>]
[ike <all | attribute | basic | cluster | cookie | death | default | download | event | header | id | io | isadb | locking | notify | options | payload | policy | rekey | ring | route | saapi | state>]
[ipsec <all | basic | cluster | death | default | event | mapping | pending | rekey | selector>]
[ipsrd]

<bgp <cluster | keepalive | open | update | <CR>>>
<global <cluster | normal | policy | route | state | task | timer | <CR>>>
<ipsec-peer <cluster | packet <<peer-id> | <CR>> | proxy | route | <CR>>>
<ospf <ack | cluster | dd | drelect | hello | lsa | lsr | lsu | spf | <CR>>>
<rip <request | response | <CR>>>

[monitor <debug | default | error | info | <CR>>]
[nat]
[ntp <debug | default | error | info | none>]
[ppp <all | authentication | ccp | detailed | ipcp | lcp | negotiations | protocol>]
[radius <accounting | all | attributes | authentication | authorization | cluster | packets>]
[vpdn <all | cluster | detailed | l2tp | pptp>]
[cfg_server <all | boot | commands | communication | events | files | flow | geninfo>]
[chat <all | chat>]
dgwp <all | cluster | communication | server | <CR>>
[dhcp-client <all | misc | packet | packet-dump | parse | state>]
dialupd <all | chat | dialup | err | gen | ipc | ppp | stm>
dialupoob <all | cfg | dlpool | err | gen | ipc | stm>
[ldap <acl | all | any | args | ber | config | conns | daemon | deprecated | filter | ipc | none | packets | parse | shell | stats | stats2 | trace>]
oob <all | chat | err | gen | ipc | oob | ppp | stm | <CR>>
[pkid <all | misc>]
[scep <all | bio | ca | cmds | http | keys | misc | nvdt | pkcs>]
[schedule <all | command | execution | management | startup>]
[sshd <all | config | events | original | scp>]
[ssl <all | misc>]
[userauth <all | common | ldap | local>]


[vrrp <all | event | misc | packet | state>]
wanbackup <all | cfg | err | gen | ipc | rt | stm | wb>

log . . . . . . . . . . 166
[audit <enable <nobacklog | <CR>> | disable>]
[backlog <audit | <CR>>]
[disable]
[duplicate <enable | disable>]
[enable <nobacklog | <CR>>]
[flush <audit | <CR>>]
[level <none | emergency | alert | critical | error | warning | notice | info | debug>]
[timestamps <enable <microsecond> | disable>]

Config# [no] audit . . . . . . . . . . 168
buffers <number>

Config# [no] console audit . . . . . . . . . . 169
Config# [no] console . . . . . . . . . . 169

logging
[<level <none | emergency | alert | critical | error | warning | notice | info | debug>>]
[<timestamp <microsecond> | <CR>>]
[<CR>]

Config# [no] debug . . . . . . . . . . 171
anti-spoofing
[app-clustering <debug | error | info | none>]
[cluster <all | connectivity | default | event | load-balancing | membership | workspace>]
dhcp-server [all | bootp-forwarder | client-db | communications | packets | parse | ping-check | ras]
[ike <all | attribute | basic | cluster | cookie | death | default | download | event | header | id | io | isadb | locking | notify | options | payload | policy | rekey | ring | route | saapi | state>]
[ipsec <all | basic | cluster | death | default | event | mapping | pending | rekey | selector>]
[ipsrd]

<bgp <cluster | keepalive | open | update | <CR>>>
<global <cluster | normal | policy | route | state | task | timer>>
<ipsec-peer <cluster | packet <<peer-id> | <CR>> | proxy | route | <CR>>>
<ospf <ack | cluster | dd | drelect | hello | lsa | lsr | lsu | spf | <CR>>>
<rip <request | response | <CR>>>

[monitor <debug | default | error | info | <CR>>]
[nat]
[ntp <debug | default | error | info | none>]
[ppp <all | authentication | ccp | detailed | ipcp | lcp | negotiations | protocol>]


[radius <accounting | all | attributes | authentication | authorization | cluster | packets>]
[vpdn <all | cluster | detailed | l2tp | pptp>]
[cfg_server <all | boot | commands | communication | events | files | flow | geninfo>]
[chat <all | chat>]
[dgwp <all | cluster <communication | server> | communication <cluster | server> | server <cluster | communication>>]
[dhcp-client <all | misc | packet | packet-dump | parse | state>]
[dialupd <all | chat | dialup | err | gen | ipc | ppp | stm>]
[dialupoob <all | cfg | dlpoob | err | gen | ipc | stm>]
[ldap <acl | all | any | args | ber | config | conns | daemon | deprecated | filter | ipc | none | packets | parse | shell | stats | stats2 | trace>]
[oob <all | chat | err | gen | ipc | oob | ppp | stm>]
[pkid <all | misc>]
[scep <all | bio | ca | cmds | http | keys | misc | nvdt | pkcs>]
[schedule <all | command | execution | management | startup>]
[sshd <all | config | events | original | scp>]
[ssl <all | misc>]
[userauth <all | common | ldap | local>]
[vrrp <all | event | misc | packet | state>]
[wanbackup <all | cfg | err | gen | ipc | rt | stm | wb>]

Config# [no] log . . . . . . . . . . 180
buffers <number>

Config# pkttrace . . . . . . . . . . 180
time <seconds>
enable <trigger [ip <A.B.C.D> | srcip <A.B.C.D> | dstip <A.B.C.D> | proto <icmp | udp <port | srcport | dstport | <CR>> | tcp <port | srcport | dstport | <CR>> | <NUMBER>] | <CR>>
disable
trigger [ip <A.B.C.D> | srcip <A.B.C.D> | dstip <A.B.C.D> | proto <icmp | udp <port | srcport | dstport | <CR>> | tcp <port | srcport | dstport | <CR>> | <NUMBER>] | <CR>

Config# [no] syslog . . . . . . . . . . 182
add-server <ADDR> <all | audit | syslog>

<default | internal>
delete-servers <ADDR | <CR>>
facilities <enable | disable>
level <none | emergency | alert | critical | error | warning | notice | info | debug>
timestamp <disable | enable>

Config# [no] login . . . . . . . . . . 184
user <username> <<encode type> <encoded password> | <cleartext password>> [nfs <NFS uid> | privileges <admin | challenge-response | none>]

Config# login . . . . . . . . . . 184
source <challenge-response <disallowed | ldap | local | radius | none> | console | ppp | ssh | telnet | tty> <disallowed | local | radius | none>

Config# [no] sshd . . . . . . . . . . 186
ciphers <3des-cbc | aes128-cbc | aes192-cbc | aes256-cbc | blowfish-cbc>
[connectionsperperiod <num-connections> <seconds>]
[deny-password-auth <user | <CR>>]
[interface <eth-1 | eth-2 | eth-3 | eth-4 | all>]
[logingracetime <seconds>]
port <port-num>
public-key user <user_name> <<tftp <tftp_path>> | <CR>>

Config# sshd . . . . . . . . . . 186
[host-key <generate-SSL | show>]

show configuration pki . . . . . . . . . . 193
active
private
startup
<CR>

show key info . . . . . . . . . . 194
all <brief | full>
blocked <brief | full>
certified <brief | full>
preshared <brief | full>
public <local | remote> <brief | full>
trusted-root <brief | full>

config_pki# block . . . . . . . . . . 197
<string>
<UUID>
<CR>

config_pki# [no] ca . . . . . . . . . . 198
<string>

[crl-query <crl_dp_in_child | force | password <password> | period <minutes> | protocol <http | ldap> | url <URL> | username <username>>]
[enroll <string>]
[enrollment certificate]

[rsa-with-sha1 <512 | 768 | 1024 | 1536 | 2048>]
[subject-alt-name <cluster-interface <eth-1 | eth-2 | eth-3 | eth-4 | loop-0> | email | fqdn <string | <CR>> | eth-1 | eth-2 | eth-3 | eth-4 | loop-0>]
[subject-name <common-name <string> | organizational-unit-name <string> | organization-name <string> | city-or-locality <string> | state-or-province <string> | country <string>>]

[enrollment challenge <string>]
[enrollment entity <string>]
[enrollment protocol <pkcs10 | scep>]
[enrollment retry-count <count>]


[enrollment retry-period <minutes>]
[enrollment url <URL>]
[internal certificate]

[lifetime <decimal>]
[rsa-with-sha1 <512 | 768 | 1024 | 1536 | 2048>]
[subject-alt-name <email <string> | fqdn>]
[subject-name <common-name <string> | organizational-unit-name <string> | organization-name <string> | city-or-locality <string> | state-or-province <string> | country <string>>]

[internal crl <enable | http_url <url> | ldap_url <url> | update_interval <decimal>>]
[internal csr <issue | lifetime <decimal>>]
[internal generate]
[internal ldap <enable | server <name>>]
[internal list_certs]
[internal set_cert_status <uuid> <active | deleted | granted | pending | revoked_aa_compromise | revoked_affiliation_changed | revoked_ca_compromise | revoked_certificate_hold | revoked_cesation_of_operation | revoked_key_compromise | revoked_priviledge_withdrawn | revoked_remove_from_crl | revoked_superseded | revoked_unspecified>]

[option <crl-optional>]
[uuid <uuid>]

config_pki# certificate . . . . . . . . . . 208
[device <<string> | <UUID>>]
[intermediary-ca <<string> | <UUID>>]
[management <device <string> | trusted-root <string>>]
[other <<string> | <UUID>>]
[trusted-root <<string> | <UUID>>]

config_pki# crl . . . . . . . . . . 210
<string>
<UUID>

config_pki# keypair . . . . . . . . . . 210
generate rsa [<512 <string> | 768 <string> | 1024 <string> | 1536 <string> | 2048 <string>>]
pin <string> | <UUID>

config_pki# pkcs12 . . . . . . . . . . 211
device <<string> | <UUID>>

config_pki# public-key . . . . . . . . . . 212
default <UUID>
local <string> | <UUID>
remote <string> | <UUID>

config_pki# uuid . . . . . . . . . . 212
<uuid>

config_policy# apply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220

334 Nokia IP VPN Gateway Command-Line Summary v6.3

config_policy# clear . . . . . . . . . . 221
    ipsec-map
    vpn-schema
    <CR>

config_policy# exit . . . . . . . . . . 221

config_policy# load . . . . . . . . . . 221
    <filename>

config_policy# map . . . . . . . . . . 222
    [all] [client] [ike] [ipsec] [selector]

config_policy# save . . . . . . . . . . 222
    <NAME>
    <CR>

config_policy# show . . . . . . . . . . 223
    [all]
    [ike-gateway <ip <pattern>> | <CR>]
    [ike-group]
    [ike-suite]
    [ipsec-client <name <pattern>> | user_fqdn <pattern> | <CR>]
    [ipsec-gateway <ip <pattern>> | name <pattern> | <CR>]
    [ipsec-selector <ip <pattern>> | name <pattern> | <CR>]
    [ipsec-transform]
    [vpn-node <ip <pattern>> | name <pattern> | user_fqdn <pattern> | <CR>]
    [vpn-schema]

config_policy# unload . . . . . . . . . . 224
    <filename>

config_policy# [no] ike . . . . . . . . . . 225
    gateway <<ADDR> <ike_suite> [ipsec_transform] | <CR>>
    group <group_policy_name> <ike_policy_name> [<ike_policy_name>]
    suite <NAME>

ike-suite# . . . . . . . . . . 226
    authentication <challenge-response | pre-shared <key> <key> | rsa-encrypt | rsa-encrypt-compat | rsa-signature>
    cipher <3des | aes <<128 | 192 | 256> | <CR>> | blowfish <<40-448> | <CR>> | cast <<40-128> | <CR>> | des>
    flags <check-dns | deferred-delete | dynamic-peer | fqdn | initial-contact | internal-address | nomadic | vendor-id>
    hash <md5 | sha>
    lifetime <number>
    oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048>
    exit

config_policy# [no] ipsec . . . . . . . . . . 228
    cl-selector <NAME>
    client <NAME>
    gateway <NAME>
    gw-selector <NAME>
    transform <NAME>

ipsec-client# . . . . . . . . . . 229
    ca-id
    id <dn <key=value[,key=value...]> | user-fqdn <user@domain_name>>
    oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
    selector
    transform
    exit

ipsec-gateway# . . . . . . . . . . 230
    dst-addr <ADDR> <ADDR>
    oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
    selector
    src-addr <ADDR> <ADDR>
    transform
    identity <FQDN> | <CR>
    exit

ipsec-client-selector# . . . . . . . . . . 231
    action <bypass | drop | protect>
    addr <ADDR>
    flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
    mask <NETMASK>
    port <NUMBER>
    protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
    exit

ipsec-gateway-selector# . . . . . . . . . . 232
    action <bypass | drop | protect>
    diff-serv <from-dst <assured | best-effort | default | expedited | pass-through | <NUMBER>>> <to-dst <assured | best-effort | default | expedited | pass-through | <NUMBER>>>
    dst-addr <ADDR>
    dst-mask <NETMASK>
    dst-port <NUMBER>
    flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
    protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
    src-addr <ADDR>
    src-port <NUMBER>
    exit

ipsec-transform# . . . . . . . . . . 235
    authenticator <hmac-md5 | hmac-ripemd | hmac-sha | null>
    cipher <3des | aes <128 | 192 | 256> | blowfish <40-448> | cast <40-128> | des | null>
    flags <commit-bit | replay-status | responder-lifetime>
    lifetime <kbyte <NUMBER> | minutes <NUMBER>>
    mode <transport | tunnel>
    protocol <ah | ah-esp | esp>
    exit

config_policy# vpn . . . . . . . . . . 236
    link
    node
    schema

link . . . . . . . . . . 236
vpn link <schema_name> <vpn_node> [<vpn_node>...<vpn_node>] . . . . . . . . . . 236
no vpn link <schema_name> <vpn_node> [<vpn_node>...<vpn_node>] . . . . . . . . . . 236

vpn_node# . . . . . . . . . . 237
    addr <ADDR>
    ca-id
    gw-addr <ADDR>
    mask <NETMASK>
    port <NUMBER>
    id <dn | user-fqdn>
    exit

vpn-schema# . . . . . . . . . . 238
    action <bypass | drop | protect>
    addr <ADDR>
    flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
    gw-addr <ADDR>
    ike-suite
    mask <NETMASK>
    oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
    port <NUMBER>
    protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
    transform
    exit

config_policy# ipsec gw-selector <name> . . . . . . . . . . 243

config_firewall# apply . . . . . . . . . . 263
config_firewall# apply keep-state . . . . . . . . . . 263
config_firewall# clear . . . . . . . . . . 264
config_firewall# clear icmp-timeout . . . . . . . . . . 264
config_firewall# clear tcp-timeout . . . . . . . . . . 264
config_firewall# clear udp-timeout . . . . . . . . . . 264


config_firewall# import <filename> . . . . . . . . . . 266
config_firewall# icmp-timeout <timeout> . . . . . . . . . . 266
config_firewall# tcp-timeout <timeout> . . . . . . . . . . 266
config_firewall# udp-timeout <timeout> . . . . . . . . . . 266
config_firewall# rule-list . . . . . . . . . . 267
config_firewall# save . . . . . . . . . . 268
config_firewall# show . . . . . . . . . . 269


Index

Numerics
1000BASE-T 32
100BASE-T 32
10BASE-T 32

A
access CLI
    console port 15
    SSH 16
    telnet 16
application server, debug (configuration mode) 172
apply command
    firewall configuration mode 263
    PCS mode 220
arp command
    command mode 52
    configuration mode 55
arp, show command (command mode) 108
audit command 168
audit messages 169
authentication 184

B
backup command 74
block command 197
bootp-forwarder command 56

C
ca command 198
certificate authority 198
certificate command 208
clear command
    command mode 76
    PCS mode 221
CLI
    connect to CLI 15
    features 20
    modes 16
CLI modes
    command mode 16
    configuration mode 17
    firewall mode 18
    navigate between modes 18
    PCS mode 18
    PKI mode 18
    save changes 19
client
    IPSec 133
    IPSec configuration 229
cluster
    configuration 50
    configuration file 23
    debug (command mode) 158
    debug (configuration mode) 172
    NFS server 155
    NTP server 65
    referees 50
    save changes (configuration mode) 17
    save changes (PKI mode) 191
    show command (command mode) 108
cluster command
    command mode 49
    configuration mode 50
command mode commands
    aosinfo 74
    arp 52
    backup 74
    clear 76
    cluster 49
    configure 77
    copy 151
    crypto 78
    date 97
    debug 156
    delete 152
    differences 153
    directory 153
    examine 98
    finger 140
    firewall 53
    flash 99
    flowbee 140

    kernel 100
    log 166
    nat 101
    netstat 142
    pin 102
    ping 144
    reboot 103
    rename 154
    schedule 103
    show 105
    source 154
    tcpdump 119
    telnet 147
    terminal 123
    traceroute 148
    type 155
    validate 124
command-line, help 21
community strings 70
configuration files
    boot 23
    cluster 23
    IPSec 23
    keys 23
    node 23
    PKI 23
configuration mode
    enter 17
    exit 17
    FLASH 17
configuration mode commands
    arp 55
    audit 168
    bootp-forwarder 56
    cluster 50
    console 169
    crypto 126
    debug 170
    deployment_hub 128
    dhcp-server 57
    dialup 34
    diff-serv 60
    disable 128
    dns 61
    enable 129
    hostname 130
    icmp 131
    interface 32
    ip-address-pool 62
    ipsec-client 133
    log 179
    login 184
    modem 135
    mss-clamp 63
    nfs 155
    ntp 65
    oob 135
    panic 136
    pkttrace 180
    ppp 66
    pppoe 37
    radius 137
    route 46
    snmp 68
    sshd 186
    syslog 182
    terminal 138
    tftp 150
    uuid 139
    VRRP 44
    wanbackup 35
configuration server, debug 176
configuration wizard 20, 78
configure
    interface 32
configure command 77
configuring firewall 255
configuring NAT 255
connect to CLI 15
console
    audit messages 169
    logging levels 169
console command 169
console port 15
copy command 151
crl command 210
crypto command
    command mode 78
    configuration mode 126

D
date command 97
debug (command mode)
    IKE 159
    IPSec 159
    NAT 161
    PKID 164
    PPP 161
    SCEP 164
    scheduler 165
    SSH 165
debug (configuration mode)
    application server 172
    configuration server 176
    event logging 170
    IKE 173
    L2TP 176
    ldap 177
    monitor server 175
    nat 175
    PKID 178
    PPP 175
    RADIUS 175
    scheduler 178
    SCEP 178
    SSH 178
    tunneling 176
    VPDN 176
debug command
    command mode 156
    configuration mode 170
delete command 152
deployment_hub command 128
dhcp relay. See bootp-forwarder
dhcp-server command 57
dialup 34
differences command 153
diff-serv command 60
directory command 153
disable command 128
display
    statistics 142
    traffic 142
display information 105
dns command 61
DNS, clear 76
document conventions
    command-line 10
    notices 10
    text conventions 12
documentation
    conventions 10
    related 13
    structure 9
dynamic routing 47

E
edit command 20
editing style
    command mode 123
    configuration mode 138
    emacs 20
    VMS 20
enable command 129
enter
    configuration mode 17
    firewall 259
    PCS mode 219
    PKI mode 191
Ethernet 32
Ethernet Autonegotiation 29
event logging 170
examine command 98
exit
    command mode 19
    configuration mode 17
    current session 19
    firewall 259
    PCS mode 219
    PKI mode 191
exit command
    PCS mode 221
    PKI mode 210
external IP address 51

F
finger command 140
firewall
    command mode commands 259
    configuration mode 261
    configure 259
    default behavior 257
firewall command 53
firewall configuration mode commands
    apply 263
    clear 264
    export 265
    icmp-timeout 266
    import 265
    log clause 288
    match clause 272
    rule definition mode 269
    rule-list 267
    save 268
    show 268
    target clause 281
    tcp-timeout 266
    udp-timeout 266
FLASH
    files 22
    restore 74
    save 74
    save configuration changes 23, 24
flash command 99
flowbee command 140
FQDN 130

G
graphic user interface 24

H
help, command-line 21
hostname command 130

I
ICMP
    examine command 98
    packets 131
    validate command 124
icmp command 131
IKE
    clear 76
    debug (command mode) 159
    debug (configuration mode) 173
    policy configuration commands 225
    show (command mode) 109
ike command (PCS mode) 225
ike-suite command 226
interface command 32
internal addressing, WINS server 133
internal IP address 51
IP
    addressing 51
    show (command mode) 110
ip-address-pool command 62
IPSec 133
    clear 76
    client configuration 229
    configuration file 23
    configure a cluster 78
    debug (command mode) 159
    IPSecIPPool 62
    parameters 92
    policy configuration commands 228
    show (command mode) 110
    WINS 133
ipsec command 228
IPSec configuration commands
    cl-selector 231, 232
    gateway 229, 230
    gateway selector 232, 234
    transform 234, 236
ipsec-client command 133, 229
ipsec-client-selector command 231
ipsec-gateway command 230
ipsec-gateway-selector command 232
ipsec-transform command 235

K
kernel
    check 101
    commit 101
    upgrade 101
kernel command 100
keypair command 210

L
L2TP
    debug (command mode) 162
    show (command mode) 119
ldap, debug (configuration mode) 177
link command 236
load command 221
lock, show command (command mode) 116
log clause 288
log command
    command mode 166
    configuration mode 179
logging levels 169
login command 184

M
map command 222
match clause 272
MD5 65
mode
    command 16
    PCS 219
modem 135
monitor server, debug (configuration mode) 175
mss-clamp 63

N
NAT
    clear 76
    debug (command mode) 161
    debug (configuration mode) 175
NAT before IPSec translations 287

nat command
    command mode 101
netstat command 142
network address translation 101
network management 68
NFS 25
nfs command 155
no command
    PKI mode 211
ntp command 65

O
oob 135

P
panic command 136
passwords 184
PCS mode
    common commands 220
    ipsec 228
    ipsec cl-selector 231
    ipsec gateway 229
    ipsec gw-selector 232
    ipsec-client 229
    ipsec-client-selector 231
    ipsec-gateway 230
    ipsec-gateway-selector 232
    ipsec-transform 235
    link 236
    vpn 236
    vpn schema 238
    vpn_node 237
PCS mode commands
    apply 220
    clear 221
    exit 221
    ike 225
    ike-suite 226
    IPSec policy 228
    load 221
    map 222
    save 222
    show 223
    unload 224
PCS. See policy configuration system
pin command 102
ping command 144
PKI mode
    save changes 191
    view PKI configuration 192
PKI mode commands
    block 197
    ca 198
    certificate 208
    crl 210
    exit 210
    keypair 210
    no 211
    public-key 211
    uuid 212
PKID
    debug (command mode) 164
    debug (configuration mode) 178
pkttrace 180
policy configuration commands
    ike 225
    ipsec 228, 229
    ipsec cl-selector 231, 232
    ipsec gateway 230
    ipsec gateway configuration 229
    ipsec gateway selector 232, 234
    ipsec transform configuration 236
    ipsec-transform 234
    VPN configuration 236
    VPN link 236
    VPN node configuration 237
    VPN schema 237
policy configuration system 219
policy manager software 24
policy, show command (command mode) 117
PPP
    address allocation 62
    debug (command mode) 161
    debug (configuration mode) 175
ppp command 66
pppoe command 37
PPTP, show command (command mode) 119
private-key pair 198
proxy ARP 56
public-key command 211
public-key pair 198

R
RADIUS
    authentication 184
    debug (configuration mode) 175
radius command 137
RADIUS server 137
reboot 105
reboot command 103
recall command 20
related documentation 13
rename command 154
route command 46

S
save changes
    configuration mode 17
    PKI mode 191
save command
    firewall 268
    PCS mode 222
save configuration 78
SCEP
    debug (command mode) 164
    debug (configuration mode) 178
schedule command 103
scheduler
    debug (command mode) 165
    debug (configuration mode) 178
show command
    command mode 105
    firewall 268
    PCS mode 223
snmp command 68
source command 154
SSH 16, 186
    debug (command mode) 165
    debug (configuration mode) 178
sshd command 186
staggered reboot 105
static routes 46
static routing 46
statistics, show command (command mode) 118
syslog 70
syslog command 182
syslog server 179
system date and time 97

T
target clause 281
TCP
    examine command 98
    validate command 125
tcpdump command 119
telnet 16
telnet command 147
terminal command
    command mode 123
    configuration mode 138
TFTP 25
tftp command 150
TFTP server 150
timestamps, log command 167
traceroute command 148
traffic statistics 142
tunneling
    clear 77
    debug (command mode) 162
type command 155

U
UDP
    examine command 98
    validate command 125
unload command 224
upgrade nodes 105
usernames 184
UUID 139
uuid command
    configuration mode 139
    PKI mode 212

V
validate command 124
version
    configuration 24
    show (command mode) 118
view files 155
VPDN
    debug (command mode) 162
    show (command mode) 119
VPN
    configuration commands 236
    link commands 236
    node configuration commands 237
    schema configuration commands 237
vpn command 236
vpn schema command 238
vpn_node command 237
VRRP 44
VT100 terminal type 138

W
wanbackup 35
WINS server, internal addressing 133