Manual THOMSON 608(WL)

222 pages 3.18 mb

Summary
  • THOMSON 608(WL) - page 1

    SpeedTouch™608WL and SpeedTouch™620 only SpeedTouch™608(WL)/620 (Wireless) Business DSL Router IPSec Configuration Guide Power Ethernet WLAN Plug-in ISDN Internet ...

  • THOMSON 608(WL) - page 2

    ...

  • THOMSON 608(WL) - page 3

    SpeedTouch™ 608(WL)/620 IPSec Configuration Guide ...

  • THOMSON 608(WL) - page 4

    Copyright Copyright ©1999-2006 THOMSON. All rights reserved. Distribution and copying of this document, use and communication of its contents is not permitted without written authorization from THOMSON. The content of this document is furnished for informational use only, may be subject to change without notice, and should not be constr ...

  • THOMSON 608(WL) - page 5

    Contents E-DOC-CTC-20051017-0169 v0.1 3 Contents About this IPSec Configuration Guide .... 9 1 IPSec: Concept for secure IP connections .... 11 1.1 IPSec Concepts .... 12 2 SpeedTouch™ IPSec terminology .... ...

  • THOMSON 608(WL) - page 6

    3.3 VPN Server .... 63 3.3.1 VPN Server Page .... 64 3.4 Certificates .... ...

  • THOMSON 608(WL) - page 7

    4.4 Peer .... 118 4.4.1 Peer parameters .... 119 4.4.2 List all peer entities .... ...

  • THOMSON 608(WL) - page 8

    5.3 Via the CLI: Debug command group .... 167 5.4 Via SNMP .... 170 5.5 Pinging from the SpeedTouch™ to the remote private network .... 171 6 Advanced Features .... ...

  • THOMSON 608(WL) - page 9

    6.9 Peer Options .... 201 6.9.1 List all Peer Options lists .... 203 6.9.2 Create a Peer Options list .... ...

  • THOMSON 608(WL) - page 10

    ...

  • THOMSON 608(WL) - page 11

    About this IPSec Configuration Guide Abstract This document explains the IPSec functionality of the SpeedTouch™ Release R5.4 and higher. A brief theoretical explanation is provided where needed, but the main goal of this document is to be a practical guide. Applicability ...

  • THOMSON 608(WL) - page 12

    ...

  • THOMSON 608(WL) - page 13

    1 IPSec: Concept for secure IP connections Policies The introduction of network security mainly involves the application of traffic policies. Firstly, the policies need to be defined, then it should be verified whether the policies are correctly applied. Security pol ...

  • THOMSON 608(WL) - page 14

    1.1 IPSec Concepts Red and Black Network Following nomenclature will be used throughout this document: • The SpeedTouch™: The IPSec capable DSL router • The Red network: Private or trusted side of the SpeedTouch™. • The Black network: Public or non-tru ...

  • THOMSON 608(WL) - page 15

    Internet Key Exchange The Internet Key Exchange (IKE) protocol is the negotiation protocol used to establish an SA by negotiating security protocols and exchanging keys. First the IKE SA is set up, then the IKE channel acts as a signalling channel to negotia ...

  • THOMSON 608(WL) - page 16

    ...

  • THOMSON 608(WL) - page 17

    2 SpeedTouch™ IPSec terminology Introduction In order to understand the IPSec configuration of the SpeedTouch™, a number of concepts and definitions are introduced in this section. The Graphical User Interface (GUI) and the Command Line Interface (CLI) provide tw ...

  • THOMSON 608(WL) - page 18

    2.1 Policy What is ... Security is all about traffic policies and these can be configured using the IPSec policy commands. By default, policy rules are automatically generated when the IPSec connection is created and the user does not need to execute extra commands. A s ...

  • THOMSON 608(WL) - page 19

    2.2 Security Descriptor What is ... All security parameters required to establish a secure tunnel are grouped into a string called Security Descriptor or simply descriptor. Two different sets of descriptors are defined: • IKE session descriptors • IPSec descri ...

  • THOMSON 608(WL) - page 20

    2.3 Authentication Attribute What is ... Two main methods for authentication are supported in the SpeedTouch™: • pre-shared key • certificates The authentication parameters used for the IKE negotiations are bundled in the SpeedTouch™ in a descriptor with a s ...

  • THOMSON 608(WL) - page 21

    2.4 Peer (Phase 1) What is ... The Peer is a term that refers to the remote Security Gateway to which the IPSec secure tunnel(s) will be established. In a first phase, an IKE Security Association is negotiated between the SpeedTouch™ and a remote Security Gateway (pe ...

  • THOMSON 608(WL) - page 22

    2.5 Connection (Phase 2) What is ... Bundles all the parameters required for the Phase 2 SA (IPSec) negotiation: • Peer Reference, pointing to the peer configuration to be used. In fact, this refers to the IKE channel used for the Phase 2 negotiations. • Local/rem ...

  • THOMSON 608(WL) - page 23

    2.6 Network descriptor What is ... The concept of Network Descriptors is introduced for the first time in the SpeedTouch™ R5.3. Not only the classical idea of an IP network or subnet is comprised in this concept, but also the protocol and port number of the messages c ...

  • THOMSON 608(WL) - page 24

    ...

  • THOMSON 608(WL) - page 25

    3 Configuration via Local Pages Prerequisites In order to use the VPN features in the SpeedTouch™608(WL)/620, you should enable the VPN software module. To activate this VPN module, you have to acquire the optional software activation key. To check whether the softwar ...

  • THOMSON 608(WL) - page 26

    In this section The following topics are discussed in this section: Topic Page 3.1 LAN to LAN Application 25 3.2 VPN Client 51 3.3 VPN Server 63 3.4 Certificates 73 3.5 Advanced VPN Menu 75 ...

  • THOMSON 608(WL) - page 27

    3.1 LAN to LAN Application Reference network A simple LAN-to-LAN network configuration is shown here. The figure shows two LAN networks connected via a SpeedTouch™ to the public Internet. In each LAN segment, the IP addresses of the terminals are typically managed by ...

  • THOMSON 608(WL) - page 28

    Selecting the LAN to LAN application In Expert Mode, click VPN > LAN to LAN. As a result, the following page is shown. This page contains two main tab pages. Select one of the alternative pages, according to which VPN context best describes your situation. • When you ...

  • THOMSON 608(WL) - page 29

    3.1.1 Remote Gateway Address Known Page VPN context You know the location of the Remote Gateway in the public Internet, either by its IP address or its FQDN. In this case, the SpeedTouch™ can connect either as an initiator or as a responder. As an initiator of a conn ...

  • THOMSON 608(WL) - page 30

    Buttons You can use one of the following buttons: Remote Gateway The Remote Gateway parameters identify the peer Security Gateway in the IP network. • Address or FQDN: Fill out the publicly known network location of the remote Gateway. You can specify the public IP ...

  • THOMSON 608(WL) - page 31

    Miscellaneous Comprises the following settings: • Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch™ interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN ...

  • THOMSON 608(WL) - page 32

    IKE Security Descriptors The IKE Security Descriptor bundles the security parameters used for the IKE Security Association (Phase 1). A number of IKE Security Descriptors are pre-configured in the SpeedTouch™, and can be selected from a list. Select a Security Descripto ...

  • THOMSON 608(WL) - page 33

    Page layout for pre-shared key authentication When you click Use Preshared Key Authentication, the initial page is updated in the following way: ...

  • THOMSON 608(WL) - page 34

    IKE Authentication with Preshared Key When you select Use Preshared Key Authentication, the following fields have to be completed: • Preshared Secret: A string to be used as a secret password for the VPN connection. This secret needs to be identically configured at bo ...

  • THOMSON 608(WL) - page 35

    Example of a completed page The illustration below shows a completed page. The data in the various fields correspond with the VPN layout shown on page 25: • Pre-shared key was selected as authentication method. • keyid was selected for the local and remote identity. ...

  • THOMSON 608(WL) - page 36

    Buttons You can use one of the following buttons: Click ... To ... Stop All Connections to this Gateway: Stop all VPN connections to the selected remote Security Gateway. Apply: Apply modifications made to the settings of the selected remote Security Gateway. Delete: D ...

  • THOMSON 608(WL) - page 37

    3.1.2 Remote Gateway Address Unknown Page VPN context Your SpeedTouch™ may have to set up (simultaneous) VPN connections with various remote Security Gateways. At the time you configure your SpeedTouch™, you have no clear idea about the location of the Remote Gateway( ...

  • THOMSON 608(WL) - page 38

    Aggressive Mode versus Main Mode IKE specifies two modes of operation for the Phase 1 negotiations: main mode and aggressive mode. Main mode is more secure while aggressive mode is quicker. Buttons You can use one of the following buttons: Click ... To ... Aggressive mod ...

  • THOMSON 608(WL) - page 39

    Miscellaneous Comprises the following settings: • Primary Untrusted Physical Interface: This field shows a list of your SpeedTouch™ interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN ...

  • THOMSON 608(WL) - page 40

    IKE Security Descriptors The IKE Security Descriptor bundles the security parameters used for the IKE Security Association (Phase 1). A number of IKE Security Descriptors are pre-configured in the SpeedTouch™, and can be selected from a list. Select a Security Descripto ...

  • THOMSON 608(WL) - page 41

    Page layout for pre-shared key authentication When you click Use Preshared Key Authentication, the initial page is updated in the following way: ...

  • THOMSON 608(WL) - page 42

    IKE Authentication with Preshared Key When you select Use Preshared Key Authentication, the following fields have to be completed: • Preshared Secret: A string to be used as a secret password for the VPN connection. This secret needs to be identically configured at bo ...

  • THOMSON 608(WL) - page 43

    Main Mode initial page When you click Main Mode, the following page is displayed: By clicking a button, the page layout changes, revealing other fields and buttons. More information about the various fields and buttons is found below. Buttons You can use one of the foll ...

  • THOMSON 608(WL) - page 44

    Page layout with additional Descriptors When you click Specify Additional Descriptors, the IKE Security Descriptors area of the page is updated and shows additional fields where you can specify up to four alternative IKE Security Descriptors: These will be used as alterna ...

  • THOMSON 608(WL) - page 45

    Page layout for certificate authentication When you click Use Certificate Authentication, the IKE Authentication area of the page is updated in the following way: IKE Authentication: Certificate parameters When you select Use Certificate Authentication, you have to fill out ...

  • THOMSON 608(WL) - page 46

    Identification & Interface The Identification & Interface fields have to be filled out with the following information: • Local ID Type and Local ID: The Local ID identifies the local SpeedTouch™ during the Phase 1 negotiation with the remote Security Gateway ...

  • THOMSON 608(WL) - page 47

    Example of a completed page The illustration below shows a completed page. The data in the various fields correspond with the VPN layout shown on page 25: • Pre-shared key was selected as authentication method. • keyid was selected for the local and remote identity. ...

  • THOMSON 608(WL) - page 48

    Buttons You can use one of the following buttons: Click ... To ... Stop All Connections to this Gateway: Stop all VPN connections to the selected remote Security Gateway. Apply: Apply modifications made to the settings of the selected remote Security Gateway. Delete: D ...

  • THOMSON 608(WL) - page 49

    3.1.3 Connections Page Page layout When you click New Connection to this Gateway, the following fields are revealed: In this section of the page, you fill out the characteristics of the Virtual Private Network you are building. Specify the local and remote private networ ...

  • THOMSON 608(WL) - page 50

    Trusted Network The Local and Remote Trusted Network parameters describe which terminals have access to the secure connection at the local and remote peers, respectively. Two fields must be completed for each peer: Trusted Network Type and Trusted Network IP. The T ...

  • THOMSON 608(WL) - page 51

    Port If the tcp or udp protocol is selected for the protocol parameter, then the access to the IPSec connection can be further restricted to a single port. Many well-known port numbers can be selected from the pull-down menu. Separate fields are foreseen for the local and ...

  • THOMSON 608(WL) - page 52

    Starting and stopping a connection A VPN connection is started automatically when data is sent or received that complies with the traffic policy. Alternatively, you can manually start and stop a VPN connection by selecting it in the table. At the bottom of the page, Star ...

  • THOMSON 608(WL) - page 53

    3.2 VPN Client VPN context For a VPN client-server scenario a dedicated set of user-friendly configuration pages is available. Separate pages exist for the client and server sides. In this section the VPN client configuration page is described. The VPN client in the SpeedT ...

  • THOMSON 608(WL) - page 54

    3.2.1 VPN Client Page Initial page When you click VPN > VPN Client, the following page is displayed: The page contains a number of buttons and fields to complete. It is recommended to fill out the page from top to bottom. When you click a button, the page layout changes, ...

  • THOMSON 608(WL) - page 55

    Server IP Address or FQDN Fill out the publicly known network location of the remote Gateway. You can specify the public IP address, if it is invariable and known. More often, the publicly known FQDN (such as vpn.corporate.com) will be used. Backup Server IP Address or ...

  • THOMSON 608(WL) - page 56

    IPSec Security Descriptor The IPSec Security Descriptor bundles the security parameters used for the Phase 2 Security Association. A number of IPSec Security Descriptors are pre-configured in the SpeedTouch™, and can be selected from a list. Select a Security Descripto ...

  • THOMSON 608(WL) - page 57

    Primary Untrusted Physical Interface This field shows a list of your SpeedTouch™ interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general, the primary untrusted interface ...

  • THOMSON 608(WL) - page 58

    Page layout for pre-shared key authentication When you click Use Preshared Key Authentication, the initial page is updated in the following way: IKE Authentication with Preshared Key When you select Use Preshared Key Authentication, the following fields have to be compl ...

  • THOMSON 608(WL) - page 59

    Starting and stopping a VPN client connection Two start mechanisms are defined: • Manual Dialup • Automatic Start. When you use pre-shared key authentication, both start mechanisms require a number of parameters to be set. The set of parameters depends on which Server V ...

  • THOMSON 608(WL) - page 60

    Local LAN IP Range In this field you have to configure the local access policy. In other words, you define which IP range of local terminals has access to the VPN. You can specify either a single IP address, a subnet, or a range. Set of Server Vendor specific parameters ...

  • THOMSON 608(WL) - page 61

    3.2.2 Starting the VPN Client Connection Method 1: Automatic Start In section “Starting and stopping a VPN client connection” on page 57, the configuration of the Automatic Start mechanism is explained. All parameters required for starting the connection are stored ...

  • THOMSON 608(WL) - page 62

    Dialling in 1 Select the VPN server from the table and click Dial-In at the bottom of the screen. As a result, the VPN Client Connect page is shown. 2 Fill out the login parameters and click Continue. The SpeedTouch™ starts the negotiations to set up the secure VPN co ...

  • THOMSON 608(WL) - page 63

    Client Identification When for the IKE Authentication method the Preshared Key method was selected, some Server Vendor specific fields must be filled out. See “Set of Server Vendor specific parameters” on page 58. Using XAuth When the VPN server uses the Extended Au ...

  • THOMSON 608(WL) - page 64

    3.2.3 Closing a Connection Disconnect procedure At the bottom of the VPN Client Connection Configuration page, all active VPN connections are shown. Select the connection you want to terminate and click Disconnect. The secure connection is closed and is removed from the l ...

  • THOMSON 608(WL) - page 65

    3.3 VPN Server VPN context In a VPN client-server scenario, the VPN server is always the responder in the IKE negotiations. Various VPN clients can dial in to a VPN server, since it supports multiple simultaneous VPN connections. A VPN server does not know a priori whic ...

  • THOMSON 608(WL) - page 66

    3.3.1 VPN Server Page Initial page When you click VPN > VPN Server, the following page is displayed: The page contains a number of buttons and fields to complete. It is recommended to fill out the page from top to bottom. When you click a button, the page layout changes ...

  • THOMSON 608(WL) - page 67

    Buttons You can use one of the following buttons: Local Trusted Network The Local Trusted Network open to Remote Clients describes which part of the local network you want to make accessible for remote VPN clients. Two fields must be completed: Trusted Network Type and ...

  • THOMSON 608(WL) - page 68

    Page layout with additional Networks Clicking Specify Additional Networks allows you to designate up to four addresses/subnets in case the Local Trusted Network can not be described by a single address/subnet. IKE Security Descriptor The IKE Security Descriptor bundles ...

  • THOMSON 608(WL) - page 69

    Page layout with additional Descriptors When you click Specify Additional Descriptors, the IKE Security Descriptors area of the page is updated and shows additional fields where you can specify up to four alternative IKE Security Descriptors: These will be used as alternat ...

  • THOMSON 608(WL) - page 70

    Miscellaneous Comprises the following settings: • IKE Exchange Mode: IKE specifies two modes of operation for the Phase 1 negotiations: main mode and aggressive mode. Main mode is more secure while aggressive mode is quicker. • Primary Untrusted Physical Interface: ...

  • THOMSON 608(WL) - page 71

    VPN Server settings Comprises the following settings: • Virtual IP Range: Specifies the range of IP addresses from which the VPN client addresses are selected. An address range or a subnet can be entered for this parameter. Examples: 10.20.30.[5-50] 10.20.30.* • Netmask ...

  • THOMSON 608(WL) - page 72

    Page layout for pre-shared key authentication When you click Use Preshared Key Authentication, the initial page is updated in the following way: IKE Authentication with Preshared Key When you select Use Preshared Key Authentication, the following fields have to be compl ...

  • THOMSON 608(WL) - page 73

    • Remote ID (Filter) Type and Remote ID Filter: The Remote ID Filter identifies the VPN client during the Phase 1 negotiation. This identity is used as a filter for VPN clients when they join the VPN. Its value must match the settings in the VPN client in order to succes ...

  • THOMSON 608(WL) - page 74

    Authorized Users List When you selected the use of XAuth (either generic or chap) in the VPN Server Configuration page, then clicking Apply reveals an additional section at the top of the page. Compose a list of authorized users for the VPN: 1 Enter a User name and correspon ...

  • THOMSON 608(WL) - page 75

    3.4 Certificates Introduction The Certificates Navigation tab gives access to four main pages for certificates management. Secure Storage page This page shows the list of certificates stored in the SpeedTouch™. Request Import page This page allows importing new certifica ...

  • THOMSON 608(WL) - page 76

    CEP page This page allows configuring the Certificates Enrollment Protocol settings. Enrollment URL This URL points to the location of the CEP script on the Certificate Authority server. Usually, it has the following form: “http://<host>[:<port>]/<pat ...

  • THOMSON 608(WL) - page 77

    3.5 Advanced VPN Menu When to use The Advanced VPN menu gives access to two main pages where the complete IPSec configuration can be done. These pages are component-oriented, as opposed to the application-oriented pages described in sections 3.1, 3.2 and 3.3. Compone ...

  • THOMSON 608(WL) - page 78

    Peer Profiles page When you click VPN > Advanced > Peers, the Peer Profiles page is displayed. The Peers page gives access to the following sub-pages: All peer parameters explained in the CLI configuration method can be filled out in these pages. The parameters of th ...

  • THOMSON 608(WL) - page 79

    Connection Profiles page When you click VPN > Advanced > Connections, the Connection Profiles page is displayed. The Connections page gives access to the following sub-pages: All connection parameters explained in the CLI configuration method can be filled out in thes ...

  • THOMSON 608(WL) - page 80

    3.5.1 Peer Profiles Page Peer Profiles page layout The Peer Profiles page bundles all parameters that define a Peer. A number of parameters make use of symbolic descriptors that are defined and managed on other sub-pages. On the Profiles page, these descriptors are sele ...

  • THOMSON 608(WL) - page 81

    Local ID The Local ID identifies the local SpeedTouch™ during the Phase 1 negotiation with the remote Security Gateway. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The Local ID types ...

  • THOMSON 608(WL) - page 82

    Primary Untrusted Physical Interface This field shows a list of your SpeedTouch™ interfaces. You select the preferred Primary Untrusted Physical Interface. This interface is used as the primary carrier for your VPN connection. In general, the primary untrusted interface ...

  • THOMSON 608(WL) - page 83

    Peer Options This optional parameter refers to the symbolic name of a peer options list. The peer options modify the VPN behaviour. The peer options lists are defined on the Peers Options sub-page, see “3.5.4 Peer Options Page” on page 85. For a basic IPSec configu ...

  • THOMSON 608(WL) - page 84

    3.5.2 Authentication Page Authentication page layout The Authentication page allows you to define Authentication Attributes. Two main methods for user authentication are supported in the SpeedTouch™: • pre-shared key • certificates The user authentication parameter ...

  • THOMSON 608(WL) - page 85

    3.5.3 Peer Descriptors Page Descriptors page layout A Peer Security Descriptor contains the methods for message authentication, encryption and hashing, and the lifetime of the IKE Security Association. The Peer Descriptors page allows you to manage Peer Security Descripto ...

  • THOMSON 608(WL) - page 86

    Crypto The table below shows the encryption algorithms supported by the SpeedTouch™ along with their corresponding key size: • DES is relatively slow and is the weakest of the algorithms, but it is the industry standard. • 3DES is a stronger version of DES, but is ...

  • THOMSON 608(WL) - page 87

    3.5.4 Peer Options Page Options page layout The Options page allows you to define Options lists that you can later refer to in a Peer Profile. Peer options are described in section “6.9 Peer Options” on page 201. ...

  • THOMSON 608(WL) - page 88

    3.5.5 VPN-Client Page VPN-Client page layout The VPN-Client page allows you to define VPN Client Descriptors. Client descriptor name This name is used internally to identify the VPN client Descriptor. This name appears in the Client/Server list on the Peer Profiles p ...

  • THOMSON 608(WL) - page 89

    Type The Type parameter determines which Virtual IP Address Mapping type is selected. Either dhcp or nat can be selected. • Selecting dhcp has the effect that the virtual IP address attributed by the VPN server to the SpeedTouch™ VPN client is effectively assigned to t ...

  • THOMSON 608(WL) - page 90

    Chapter 3 Configuration via Lo cal Pages E-DOC-CTC-2005 1017-0169 v0.1 88 3.5.6 VPN-Server Page VPN-Server page layout The VPN-Server page allows you to define VPN Server Descriptors . Server descriptor name This name is used internally to id entify the VPN Server Des criptor . This n ame appears in the Client/Server list on the Peer Profi les page ...

  • THOMSON 608(WL) - page 91

    Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 89 Secondary DNS The IP address of the seco n dary DNS server , pr ovided to the VPN clients via IKE Mode Config. This is the secondary DNS s erv er in the local network that is open to VPN clients. Primary WINS The IP address of the prim ary WINS server , provided to th e VPN cl ...

  • THOMSON 608(WL) - page 92

    Chapter 3 Configuration via Lo cal Pages E-DOC-CTC-2005 1017-0169 v0.1 90 3.5.7 VPN-Server-XAuth Page VPN-Server-XAuth page layout The VPN-Server-XAuth page allows you to define XAuth user pool s and to add authorized users to these pools. An XAuth user pool is a named list of authoriz ed users. Use Add User to define additional user records. XAuth ...

  • THOMSON 608(WL) - page 93

    Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 91 3.5.8 Connection Profiles Page Connection Profiles page layout The Connection Prof iles page bundles all parameters that define an IPSec Connecti on to a Peer . In other words it bundles the Phas e 2 parameters. A number of parameters make s use of sy mbolic descriptors that a ...

  • THOMSON 608(WL) - page 94

    Chapter 3 Configuration via Lo cal Pages E-DOC-CTC-2005 1017-0169 v0.1 92 Local network This parameter is used in th e proposal presented to the remo te Security Gateway during the Ph ase 2 negotiatio n. It determine s which messages have access to the IPSec connection at the local side of the tunnel. This is the basic parameter for the dynamic IPS ...

  • THOMSON 608(WL) - page 95

    Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 93 Connection Options This optional parameter refe rs to th e symbolic name o f a connection option s list. The connection options modi fy the VPN beh aviour . The connection options lists are defined on the Co nnection Options sub-page, see “3.5.11 Connection Options Page” o ...

  • THOMSON 608(WL) - page 96

    Chapter 3 Configuration via Lo cal Pages E-DOC-CTC-2005 1017-0169 v0.1 94 3.5.9 Networks Page Networks page layout The Networks page allows you to define Network Descriptors . What is a Network Descriptor? The concept of Network Descriptors is introduced for the first time in the SpeedT ouch™ R5.3. Not only the classi cal idea of an IP n etwork o ...

  • THOMSON 608(WL) - page 97

    Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 95 Protocol Optionally , the access to an IPSec connection can be restricted to a specific protocols by sele cting a protocol from the list. Select any if you do not want to restrict the co nnection to a specific protoc ol. Port Optionally , if the tcp or udp pro tocol is se lect ...

  • THOMSON 608(WL) - page 98

    Chapter 3 Configuration via Lo cal Pages E-DOC-CTC-2005 1017-0169 v0.1 96 3.5.10 Connection Descriptors Page Descriptors page layout A Connection Secu rity Descriptor contains the following se curity parameters for an IPSec connection:  Encryption method  Message integrity method (also called message authentication)  Selection to use Perfe ...

  • THOMSON 608(WL) - page 99

    Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 97 Parameter table The following table summar izes the parameters comprised in the connecti on security descriptor: Connection Descriptor name Internal symbolic na me to iden tify the Connec tion Descriptor . Crypto The table below shows the cr yptographic functions supported by ...

  • THOMSON 608(WL) - page 100

    Chapter 3 Configuration via Lo cal Pages E-DOC-CTC-2005 1017-0169 v0.1 98 Integrity The SpeedT ouch™ supports two types of hashing algori thms:  HMAC is always used as integrity algo rithm, combined wi th either MD5 or SHA1.  SHA1 is stronger than MD5, but slightly slower . Encapsulation T unnel mode is used in all applicati ons where the S ...

  • THOMSON 608(WL) - page 101

    Chapter 3 Configuration via Local Pages E-DOC-CTC-20051 017-0169 v0.1 99 3.5.11 Connection Options Page Options page layout The Options page allows you to define Options li sts that you can later refer to in a Connection Profile . Connection options are described in section “6.10 Co nnection Options” on page 207 . ...

  • THOMSON 608(WL) - page 102

    Chapter 3 Configuration via Lo cal Pages E-DOC-CTC-2005 1017-0169 v0.1 100 3.5.12 Client Page Client page layout The Client page is used for dialling-in to a VPN server . Connection Select from the list the name of the connection you want to start. Local ID The local ID identifies the local SpeedT ouch™ du ring the Phase 1 negotiation with the re ...

  • THOMSON 608(WL) - page 103

    4 Configuration via the Command Line Interface
    In this chapter
    This chapter describes the basic configuration steps for building an operational IPSec setup via the Command Line Interface. Firstly, a reference network is proposed, that serves in examples throug ...

  • THOMSON 608(WL) - page 104

    4.1 Basic IPSec configuration procedure
    Terminology
    The SpeedTouch™ uses specific IPSec terms and definitions. The following table relates these terms to the question to be solved when setting up an IPSec connection to a remote network.
    Setting up a basic ...

  • THOMSON 608(WL) - page 105

    Procedure
    In order to set up a basic IPSec configuration, the following main steps have to be executed.
    1 Prepare the Peer attributes:
    - Define a valid Authentication Attribute
    - Define a valid Peer Security Descriptor
    2 Create a new Peer entity
    3 Modif ...

  • THOMSON 608(WL) - page 106

    4.2 Peer: Authentication Attribute
    What is ...
    Two main methods for user authentication are supported in the SpeedTouch™:
    - pre-shared key
    - certificates
    The user authentication parameters used for IKE negotiations are bundled in a descriptor with a ...

  • THOMSON 608(WL) - page 107

    4.2.1 Authentication Attribute Parameters
    Parameter table
    The authentication attribute is a named descriptor, bundling the authentication parameters. The following data need to be provided:
    Parameter | Possible values | Description
    name | Arbitrary. Syntax rules, ...

  • THOMSON 608(WL) - page 108

    4.2.2 List all Authentication Attributes
    list command
    The ipsec peer auth list command shows all previously created authentication attributes.
    Example
    In this example, four attributes are shown:
    - cert1: completely defined authentication attribute using cer ...

  • THOMSON 608(WL) - page 109

    4.2.3 Create a New Authentication Attribute
    add command
    The ipsec peer auth add command allows adding a new authentication attribute.
    Example
    In the following example, a new authentication attribute is created, named secret1. The result of this operation can ...

  • THOMSON 608(WL) - page 110

    4.2.4 Set or Modify the Authentication Attribute Parameters
    modify command
    The ipsec peer auth modify command allows you to modify the authentication attribute parameters.
    Example
    In this example, the parameters of the authentication attribute are set to use th ...

  • THOMSON 608(WL) - page 111

    4.2.5 Delete an Authentication Attribute
    delete command
    The ipsec peer auth delete command deletes a previously created authentication attribute.
    Example
    In the following example the authentication attribute, named secret2, is deleted. The result of this ope ...

  • THOMSON 608(WL) - page 112

    4.3 Peer Security Descriptor
    What is ...
    All security parameters required to establish an IKE session are grouped into a string called a Peer Security Descriptor. This descriptor contains the methods for message authentication, encryption and hashing, an ...

  • THOMSON 608(WL) - page 113

    4.3.1 Peer Security Descriptor Parameters
    Parameter table
    The following table summarizes the parameters comprised in the peer security descriptor. The table also indicates the keyword used in the CLI for each parameter:
    Example
    A Peer Security Descript ...

  • THOMSON 608(WL) - page 114

    Cryptographic function [crypto]
    The table below shows the encryption algorithms supported by the SpeedTouch™ along with their corresponding key size:
    - DES is relatively slow and is the weakest of the algorithms, but it is the industry standard.
    - ...

  • THOMSON 608(WL) - page 115

    IKE SA lifetime [lifetime_secs]
    The lifetime of a Security Association is specified in seconds:
    Lifetime measured in | Minimum value | Maximum value
    seconds | 240 (= 4 minutes) | 31536000 (= 1 year) ...

  • THOMSON 608(WL) - page 116

    4.3.2 List all Peer Security Descriptors
    list command
    The ipsec peer descriptor list command shows the list of all defined peer security descriptors.
    Example
    The example below shows the pre-defined Peer Security Descriptors of the SpeedTouch™:
    [ipsec]=> ...

  • THOMSON 608(WL) - page 117

    4.3.3 Create a New Peer Security Descriptor
    add command
    A new Peer Security Descriptor is created with the ipsec peer descriptor add command.
    Example
    In the following example, a new Peer Security Descriptor is created, named peerdes1. The result of this ope ...

  • THOMSON 608(WL) - page 118

    4.3.4 Set or Modify the Peer Descriptor Parameters
    modify command
    The ipsec peer descriptor modify command sets or modifies the Peer Security Descriptor parameters.
    Example
    In this example, the parameters of the previously defined Peer Security Descriptor ...

  • THOMSON 608(WL) - page 119

    4.3.5 Delete a Peer Descriptor
    delete command
    The ipsec peer descriptor delete command deletes a Peer Security Descriptor.
    Example
    In this example the user-defined Peer Security Descriptor, named peerdes1, is deleted. The result of this operation is ver ...

  • THOMSON 608(WL) - page 120

    4.4 Peer
    What is ...
    The Peer is a term that refers to the remote Security Gateway the IPSec secure tunnel(s) will be connected to. In a first phase, an IKE Security Association is negotiated between the SpeedTouch™ and a remote Security Gateway (peer). ...

  • THOMSON 608(WL) - page 121

    4.4.1 Peer parameters
    Parameters table
    The following table shows the peer parameters:
    Peer name [name]
    The peer name identifies the peer entity. This name only has local significance inside the SpeedTouch™. This parameter is not used in the IKE negotiat ...

  • THOMSON 608(WL) - page 122

    Remote Security Gateway identifier [remoteaddr]
    This parameter localizes the remote Security Gateway on the Internet. Either the public IP address or the Fully Qualified Domain Name can be used as an identifier.
    Backup remote Security Gateway Identifier ...

  • THOMSON 608(WL) - page 123

    Remote Identifier [remoteid]
    This parameter identifies the remote Security Gateway during the Phase 1 negotiation. This identity must match the settings in the remote Security Gateway in order to successfully set up the IKE Security Association. The identity ...

  • THOMSON 608(WL) - page 124

    Physical Interface [phyif]
    You can tie the peer to one of your SpeedTouch™ interfaces. This interface is then used as the primary carrier for your VPN connection. In general, the primary untrusted interface is your DSL connection to the public Internet. ...

  • THOMSON 608(WL) - page 125

    4.4.2 List all peer entities
    list command
    The ipsec peer list command shows the list of all defined peer entities.
    Example
    In the following example, a list of all defined peer entities is shown.
    [ipsec]=>
    [ipsec]=> peer
    [ipsec peer]=> list
    [peer1 ...

  • THOMSON 608(WL) - page 126

    4.4.3 Create a new peer entity
    add command
    A new Peer is created with the ipsec peer add command.
    Example
    In the following example, a new peer is created, named peer1. The result of this operation can be verified with the list command. For the newly created p ...

  • THOMSON 608(WL) - page 127

    4.4.4 Set or modify the peer parameters
    modify command
    The ipsec peer modify command sets or modifies the peer parameters.
    Example
    In this example, the parameters of the previously defined peer, named peer1, are set. Use the list command to verify the res ...

  • THOMSON 608(WL) - page 128

    4.4.5 Delete a Peer entity
    delete command
    The ipsec peer delete command deletes a peer entity.
    Example
    In this example the peer, named peer1, is deleted. The result of this operation is verified with the list command.
    [ipsec peer]=>
    [ipsec peer]=> de ...

  • THOMSON 608(WL) - page 129

    4.5 Connection Security Descriptor
    What is ...
    All security parameters required to establish an IPSec tunnel are grouped into a string called a Connection Security Descriptor. This descriptor contains the following parameters:
    - Encryption method
    - Me ...

  • THOMSON 608(WL) - page 130

    4.5.1 Connection Security Descriptor parameters
    Parameters table
    The following table summarizes the parameters comprised in the connection security descriptor. The table also indicates the keyword used in the CLI for each parameter:
    Example
    A Connection S ...

  • THOMSON 608(WL) - page 131

    Cryptographic function [crypto]
    The table below shows the cryptographic functions supported by the SpeedTouch™ along with their corresponding key size:
    - DES is relatively slow and is the weakest of the algorithms, but it is the industry standard.
    - ...

  • THOMSON 608(WL) - page 132

    Perfect Forward Secrecy [pfs]
    Enables or disables the use of Perfect Forward Secrecy. A lot of vendors have Perfect Forward Secrecy (PFS) enabled by default for the Phase 2 negotiation. In order to configure this on the SpeedTouch™, the use of PFS must be ...
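
    The Peer Security Descriptor (crypto, lifetime_secs) and Connection Security Descriptor (crypto, integrity, pfs) pages above list the choices and the constraints the router enforces; the following is an added pre-flight linter for those settings, written for this page and not part of the Thomson guide or the SpeedTouch firmware. It encodes exactly what the guide states (DES is the weakest cipher, SHA1 is stronger than MD5, lifetime_secs runs from 240 to 31536000 seconds, PFS must match what the remote gateway expects). The dict representation, the key name `integrity` and the `aes` entry are assumptions; the CLI itself takes these values as descriptor strings, not as Python dicts.

```python
"""Lint SpeedTouch-style security descriptors before pushing them to the router.

Added example, not Thomson code. A descriptor is modelled as a dict whose
keys mirror the CLI keywords the guide shows (crypto, lifetime_secs, pfs);
'integrity' is an assumed key name for the HMAC-MD5 / HMAC-SHA1 choice.
"""
from dataclasses import dataclass
from typing import Dict, List

# Bounds the guide states for lifetime_secs: 240 s (4 minutes) to 31536000 s (1 year).
LIFETIME_MIN = 240
LIFETIME_MAX = 31_536_000

# Relative strength, weakest first, following the guide's own ranking
# (DES < 3DES; MD5 < SHA1). "aes" is an assumption: it is not visible on the
# truncated page and is only ranked above 3DES here.
CRYPTO_RANK = {"des": 0, "3des": 1, "aes": 2}
INTEGRITY_RANK = {"md5": 0, "sha1": 1}


@dataclass(frozen=True)
class Finding:
    level: str    # "error" blocks the config, "warning" is advisory
    key: str      # descriptor key the finding concerns
    message: str


def lint_descriptor(desc: Dict[str, object], kind: str) -> List[Finding]:
    """Check one descriptor. kind is "peer" (IKE SA) or "connection" (IPSec SA)."""
    if kind not in ("peer", "connection"):
        raise ValueError(f"unknown descriptor kind {kind!r}")
    findings: List[Finding] = []

    crypto = str(desc.get("crypto", "")).lower()
    if crypto not in CRYPTO_RANK:
        findings.append(Finding("error", "crypto", f"unsupported algorithm {crypto!r}"))
    elif CRYPTO_RANK[crypto] == CRYPTO_RANK["des"]:
        findings.append(Finding("warning", "crypto",
                                "DES has a 56-bit key and is brute-forceable; use 3des or stronger"))

    integrity = str(desc.get("integrity", "")).lower()
    if integrity not in INTEGRITY_RANK:
        findings.append(Finding("error", "integrity", f"unsupported hash {integrity!r}"))
    elif INTEGRITY_RANK[integrity] == INTEGRITY_RANK["md5"]:
        findings.append(Finding("warning", "integrity",
                                "HMAC-MD5 is the weaker option; prefer sha1"))

    lifetime = desc.get("lifetime_secs")
    if (not isinstance(lifetime, int) or isinstance(lifetime, bool)
            or not LIFETIME_MIN <= lifetime <= LIFETIME_MAX):
        findings.append(Finding("error", "lifetime_secs",
                                f"must be an integer between {LIFETIME_MIN} and {LIFETIME_MAX} seconds"))

    # PFS only exists on the connection (Phase 2) descriptor.
    if kind == "connection":
        pfs = desc.get("pfs")
        if pfs is None:
            findings.append(Finding("warning", "pfs",
                                    "pfs not set; many remote gateways require it by default"))
        elif pfs is False:
            findings.append(Finding("warning", "pfs",
                                    "pfs disabled; a compromised IKE SA key exposes all Phase 2 keys"))
    return findings


def mismatches(local: Dict[str, object], remote: Dict[str, object]) -> List[str]:
    """Keys on which the two sides disagree; any of these fails the negotiation."""
    keys = sorted(set(local) | set(remote))
    return [k for k in keys if str(local.get(k)).lower() != str(remote.get(k)).lower()]


def is_deployable(desc: Dict[str, object], kind: str) -> bool:
    """True when the descriptor carries no error-level finding."""
    return all(f.level != "error" for f in lint_descriptor(desc, kind))


if __name__ == "__main__":
    # Constructed sample: a weak Phase 1 descriptor and a sane Phase 2 one.
    weak_peer = {"crypto": "des", "integrity": "md5", "lifetime_secs": 120}
    good_conn = {"crypto": "3des", "integrity": "sha1", "lifetime_secs": 3600, "pfs": True}
    for f in lint_descriptor(weak_peer, "peer"):
        print(f"{f.level.upper():7} {f.key}: {f.message}")
    print("connection descriptor deployable:", is_deployable(good_conn, "connection"))
    print("mismatch with a remote that has PFS off:",
          mismatches(good_conn, dict(good_conn, pfs=False)))
```

    Run the linter on both sides' intended settings before typing them into the CLI: a `lifetime_secs` outside the range is rejected by the router anyway, but a PFS or cipher mismatch only shows up later as a failed Phase 2 negotiation, which is much harder to diagnose from the debug pages.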

  • THOMSON 608(WL) - page 133

    4.5.2 List all Connection Security Descriptors
    list command
    The ipsec connection descriptor list command shows the list of all defined Connection Security Descriptors.
    Example
    The example below shows the pre-defined Connection Security Descriptors of the ...

  • THOMSON 608(WL) - page 134

    4.5.3 Create a new Connection Security Descriptor
    add command
    A new Connection Security Descriptor is created with the ipsec connection descriptor add command.
    Example
    In the following example, a new Connection Security Descriptor is created, named cnctdes ...

  • THOMSON 608(WL) - page 135

    4.5.4 Set the Connection Security Descriptor Parameters
    modify command
    The ipsec connection descriptor modify command sets or modifies the connection descriptor parameters.
    Example
    In this example, the parameters of the previously defined Connection Secur ...

  • THOMSON 608(WL) - page 136

    4.5.5 Delete a Connection Security Descriptor
    delete command
    The ipsec connection descriptor delete command deletes a Connection Descriptor.
    Example
    In this example the user-defined Connection Security Descriptor, named cnctdes1, is deleted. The result ...

  • THOMSON 608(WL) - page 137

    4.6 Network Descriptor
    What is ...
    The concept of Network Descriptors is introduced for the first time in the SpeedTouch™ R5.3.0. Not only the classical idea of an IP network or subnet is comprised in this concept, but also the protocol and port number ...

  • THOMSON 608(WL) - page 138

    4.6.1 Network Descriptor Parameters
    Parameters table
    The following table summarizes the parameters comprised in the Network Descriptor:
    Network name [name]
    This name is used internally to identify the Network Descriptor.
    Type of network and IP address [typ ...

  • THOMSON 608(WL) - page 139

    Protocol [proto]
    Access to an IPSec connection can be restricted to specific protocols. This can optionally be configured with the proto parameter. Valid entries are listed in the following table. Alternatively, any valid protocol number as assigned by IA ...

  • THOMSON 608(WL) - page 140

    4.6.2 Create a New Network Descriptor
    add command
    A new Network Descriptor is created with the ipsec connection network add command.
    Example
    In the following example, a new Network Descriptor is created, named net1. The result of this operation can be verifi ...

  • THOMSON 608(WL) - page 141

    4.6.3 Set the Network Descriptor Parameters
    modify command
    The ipsec connection network modify command sets or modifies the Network Descriptor parameters.
    Example
    In this example, the parameters of the previously defined network, named net1, are set. In th ...

  • THOMSON 608(WL) - page 142

    4.6.4 Delete a Network Descriptor
    delete command
    The ipsec connection network delete command deletes a Network Descriptor.
    Example
    In this example the Network Descriptor, named net1, is deleted. The result of this operation is verified with the list comma ...

  • THOMSON 608(WL) - page 143

    4.7 Connection
    What is ...
    A Connection bundles all the parameters required for the Phase 2 SA negotiation:
    - Peer Reference, pointing to the peer configuration to be used. In fact, this refers to the IKE channel used for the Phase 2 negotiations.
    - Local/ ...

  • THOMSON 608(WL) - page 144

    4.7.1 Connection Parameters
    Parameters table
    The table below shows the connection parameters.
    Connection name [name]
    This symbolic name only has local significance inside the SpeedTouch™ router. This parameter is not used in the Phase 2 negotiations w ...

  • THOMSON 608(WL) - page 145

    Local network [localnetwork]
    This parameter is used in the proposal presented to the remote Security Gateway during the Phase 2 negotiation. It determines which messages have access to the IPSec connection at the local side of the tunnel. This is the basic p ...

  • THOMSON 608(WL) - page 146

    Always-on connection [alwayson]
    This parameter determines whether the connection is permanently enabled or not. By default this parameter is set to disabled. In this case the IPSec connection is started only when traffic is sent that complies with the ...

  • THOMSON 608(WL) - page 147

    4.7.2 List all Connections
    list command
    The ipsec connection list command shows the list of all defined connections.
    Example
    In the following example, a list of all defined connections is shown.
    [ipsec connection]=> list
    [connect1]
    Peer : peer1
    Local netw ...

  • THOMSON 608(WL) - page 148

    4.7.3 Create a New Connection
    add command
    A new Connection is created with the ipsec connection add command.
    Example
    In the following example, a new connection is created, named connect1. The result of this operation can be verified with the list command. Fo ...

  • THOMSON 608(WL) - page 149

    4.7.4 Set or Modify the Connection Parameters
    modify command
    The ipsec connection modify command sets or modifies the Connection parameters.
    Example
    In this example, the parameters of the previously defined Connection, named connect1, are set. Use the list ...

  • THOMSON 608(WL) - page 150

    4.7.5 Delete a Connection
    delete command
    The ipsec connection delete command deletes a Connection.
    Example
    In this example the connection, named connect1, is deleted. The result of this operation is verified with the list command.
    [ipsec connection]=> del ...

  • THOMSON 608(WL) - page 151

    4.7.6 Start a Connection
    start command
    The ipsec connection start command triggers the establishment of a Security Association. If no IKE Security Association between the SpeedTouch™ and the remote Security Gateway exists, the Phase 1 negotiation is st ...

  • THOMSON 608(WL) - page 152

    4.7.7 Stop a connection
    stop command
    The ipsec connection stop command tears down the designated Security Association. The IKE Security Association is not stopped with this command.
    Example
    In this example the connection, named connect1, is stopped. The res ...

  • THOMSON 608(WL) - page 153

    4.8 Auxiliary Commands
    In this section
    The following topics are discussed in this section:
    Topic | Page
    4.8.1 Config Command | 152
    4.8.2 Flush Command | 155
    4.8.3 Clear Command Group | 156

  • THOMSON 608(WL) - page 154

    4.8.1 Config Command
    What is it used for
    This command serves two different purposes. Without an additional parameter, the command displays the current VPN settings. When an additional parameter is appended, the command controls the setting of this VPN param ...

  • THOMSON 608(WL) - page 155

    AutoProxyARP
    The automatic addition of ProxyARP entries in VPN client/server scenarios can be enabled or disabled. By default this setting is enabled. When disabled, the ProxyARP entries have to be entered manually.
    When do I need ProxyARP
    In a VPN scena ...

  • THOMSON 608(WL) - page 156

    An example of Auto ProxyARP
    As an example, suppose a VPN server is configured on a SpeedTouch™ with the subnet 192.168.1.0 as its private LAN address range. The VPN server is configured to distribute Virtual IP addresses to the remote clients in the same ...
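
    The Auto ProxyARP example above is cut off, but the mechanism is standard: when the virtual IPs handed to VPN clients lie inside the server's own LAN subnet, LAN hosts ARP for those addresses and the SpeedTouch must answer on the clients' behalf so the frames reach the tunnel. The following is an added pre-flight check for that pool, written for this page and not part of the Thomson guide or the router's own ProxyARP logic. It uses the guide's 192.168.1.0 scenario; the gateway address, the start/end pool representation and the function names are assumptions.

```python
"""Pre-flight check of a VPN server's virtual IP pool against its private LAN.

Added example, not Thomson code. Classifies every pool address so the operator
knows which ones AutoProxyARP will answer for, which ones collide with LAN
infrastructure, and which ones fall outside the LAN and need routing instead.
"""
import ipaddress
from typing import Dict, List


def pool_addresses(pool_start: str, pool_end: str) -> List[ipaddress.IPv4Address]:
    """Expand an inclusive start..end range into individual addresses."""
    start = ipaddress.IPv4Address(pool_start)
    end = ipaddress.IPv4Address(pool_end)
    if end < start:
        raise ValueError("pool end precedes pool start")
    return [ipaddress.IPv4Address(n) for n in range(int(start), int(end) + 1)]


def check_virtual_pool(lan_cidr: str, lan_gateway: str,
                       pool_start: str, pool_end: str) -> Dict[str, List[str]]:
    """Classify each pool address.

    proxyarp: inside the LAN subnet, so the router must answer ARP for it
              (this is what AutoProxyARP adds automatically when enabled).
    conflict: network, broadcast or the router's own LAN address (assumed to
              be lan_gateway); handing these to a client breaks the LAN.
    routed:   outside the LAN subnet; reachable only if LAN hosts route it to
              the SpeedTouch, ProxyARP does not apply.
    """
    lan = ipaddress.IPv4Network(lan_cidr, strict=False)
    gateway = ipaddress.IPv4Address(lan_gateway)
    result: Dict[str, List[str]] = {"proxyarp": [], "conflict": [], "routed": []}
    for addr in pool_addresses(pool_start, pool_end):
        if addr in (lan.network_address, lan.broadcast_address, gateway):
            result["conflict"].append(str(addr))
        elif addr in lan:
            result["proxyarp"].append(str(addr))
        else:
            result["routed"].append(str(addr))
    return result


if __name__ == "__main__":
    # Constructed sample matching the guide's 192.168.1.0 scenario.
    print(check_virtual_pool("192.168.1.0/24", "192.168.1.254",
                             "192.168.1.200", "192.168.1.205"))
    # A pool that overruns the subnet boundary shows all three classes.
    print(check_virtual_pool("192.168.1.0/24", "192.168.1.254",
                             "192.168.1.253", "192.168.2.1"))
```

    If AutoProxyARP is disabled, every address in the `proxyarp` list is one you have to enter by hand; anything in `conflict` should be removed from the pool before the first client dials in.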

  • THOMSON 608(WL) - page 157

    4.8.2 Flush Command
    What is it used for
    This command flushes the complete IPSec configuration.

  • THOMSON 608(WL) - page 158

    4.8.3 Clear Command Group
    What is it used for
    This command group comprises two commands, intended for clearing Security Associations:
    - clear all
    - clear session
    The clear command group is accessed in the following way:
    clear all
    This command clears all ...

  • THOMSON 608(WL) - page 159

    4.9 Organisation of the IPSec Command Group
    Introduction
    In this section an overview is given of the IPSec Command Group structure. In the original tables, underlined keywords represent a command group; the other keywords are commands.
    ipsec command group
    The ipsec command group c ...

  • THOMSON 608(WL) - page 160

    Connection command group
    The following table shows the commands of the ipsec connection command group.
    Debug command group
    The following table shows the commands of the ipsec debug command group.
    ipsec connection command group: advanced, add, modify, delete, lis ...

  • THOMSON 608(WL) - page 161

    Peer command group
    The following table shows the commands of the ipsec peer command group.
    ipsec peer command group:
    auth: add, modify, delete, list
    descriptor: add, modify, delete, list
    option: add, modify, delete, list
    subpeer: add, modify, delete, list
    vpnclient: add, modify ...

  • THOMSON 608(WL) - page 162

    Show command group
    The following table shows the commands of the ipsec show command group.
    list (last entry of the ipsec peer command group table continued from the previous page)
    ipsec show command group: all, config, state, sessions, stats, spd, sadb

  • THOMSON 608(WL) - page 163

    5 Troubleshooting SpeedTouch™ IPSec
    Introduction
    IPSec is a complex protocol suite and therefore the SpeedTouch™ offers a number of troubleshooting methods. Both the Web pages and the CLI interface allow you to check whether a tunnel setup was successful or has ...

  • THOMSON 608(WL) - page 164

    5.1 Via the Debug Web pages
    How to see the status of the VPN connection
    Browse to Expert mode > VPN > Debug > Status. This page shows the status of the IKE Security Association (Phase 1) and the IPSec Security Association(s) (Phase 2). For an operational V ...

  • THOMSON 608(WL) - page 165

    How to monitor the IPSec negotiations
    Proceed as follows:
    1 Browse to Expert mode > VPN > Debug > Logging.
    2 Select the desired level of Trace Detail. Select high to see the most detailed level of logging.
    3 Start the VPN connection.
    4 Browse again to Ex ...

  • THOMSON 608(WL) - page 166

    How to see the amount of traffic carried by a VPN connection
    Browse to Expert mode > VPN > Debug > Statistics. This page shows the amount of traffic carried over the IKE Security Association (Phase 1) and the IPSec Security Association(s) (Phase 2).

  • THOMSON 608(WL) - page 167

    5.2 Via the CLI: Show command group
    Show command group
    - You can check whether the secure tunnels are up.
    - You can check whether traffic is passing the tunnel and keep track of the number of packets and bytes. To do so, take a snapshot of the number of packets ...

  • THOMSON 608(WL) - page 168

    ...
    IPSecGlobalStats
    ----------------
    IPSecGlobalActiveTunnels : 0
    IPSecGlobalPreviousTunnels : 0
    IPSecGlobalInOctets : 0
    IPSecGlobalHcInOctets : 281483566645248
    IPSecGlobalInOctWraps : 0
    IPSecGlobalInDecompOctets : 0
    IPSecGlobalHcInDecompOctets : 281483566645248
    IPSec ...

  • THOMSON 608(WL) - page 169

    5.3 Via the CLI: Debug command group
    Traceconfig command
    The traceconfig command sets the level of debugging messages that are dumped to the screen. This is shown below. You can check the Phase 1 and 2 specific information being exchanged during tunnel setup via f ...

  • THOMSON 608(WL) - page 170

    Via Syslog messages
    The Syslog protocol is a powerful mechanism to investigate network issues. It allows for logging events that occurred on the device. The Syslog messages can be retrieved in two ways:
    - locally: Use these CLI commands to retrieve the history of Syslog ...

  • THOMSON 608(WL) - page 171

    Syslog messages
    The following table shows the syslog messages.
    Severity | Contents
    ERROR | unable to delete old SPD entry
    ERROR | Peer local ID not configured
    ERROR | unable to delete SPD entry
    NOTICE | invalid certificate <REASON>
    INFO | new phase 2 sa: from <IP ADD ...
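
    The syslog table above is what an operator would match on when the router's messages are forwarded to a central collector. The following is an added classifier for those messages, written for this page and not part of the Thomson guide or the SpeedTouch firmware. The message texts are the guide's; the `new phase 2 sa: from <IP ADD` entry is cut off in the guide, so only its visible prefix is matched. The line layout (timestamp, host, an `IPSEC` tag, then SEVERITY and text) and the sample lines are constructed for this example and are not the router's actual output format.

```python
"""Classify SpeedTouch IPSec syslog messages against the guide's message table.

Added example, not Thomson code. Sample lines and the line layout are
constructed; the message texts are those listed in the guide.
"""
import re
from collections import Counter
from typing import Dict, List, Optional

# (severity, regex for the message text, category assigned here)
KNOWN_MESSAGES = [
    ("ERROR",  r"unable to delete old SPD entry",     "spd_error"),
    ("ERROR",  r"Peer local ID not configured",       "config_error"),
    ("ERROR",  r"unable to delete SPD entry",         "spd_error"),
    ("NOTICE", r"invalid certificate (?P<reason>.+)", "auth_failure"),
    ("INFO",   r"new phase 2 sa: from (?P<rest>.+)",  "tunnel_up"),
]
COMPILED = [(sev, re.compile(pat), cat) for sev, pat, cat in KNOWN_MESSAGES]
SEVERITY_RE = re.compile(r"\b(ERROR|NOTICE|INFO|WARNING|DEBUG)\b[:\s]+(.+)$")

SAMPLE_LINES = [  # constructed for this example
    "Oct 17 10:00:01 speedtouch IPSEC INFO new phase 2 sa: from 203.0.113.10 to 198.51.100.7",
    "Oct 17 10:00:05 speedtouch IPSEC NOTICE invalid certificate expired",
    "Oct 17 10:00:09 speedtouch IPSEC ERROR Peer local ID not configured",
    "Oct 17 10:00:12 speedtouch IPSEC ERROR unable to delete old SPD entry",
    "Oct 17 10:00:15 speedtouch IPSEC INFO rekeying in 60 s",
    "Oct 17 10:00:20 speedtouch DHCP lease renewed",
]


def parse_line(line: str) -> Optional[Dict[str, str]]:
    """Return a structured event, or None when the line carries no severity tag."""
    m = SEVERITY_RE.search(line)
    if not m:
        return None
    severity, text = m.group(1), m.group(2).strip()
    for sev, pattern, category in COMPILED:
        pm = pattern.fullmatch(text)
        if pm and sev == severity:
            return {"severity": severity, "category": category, "text": text, **pm.groupdict()}
    return {"severity": severity, "category": "unclassified", "text": text}


def summarize(lines: List[str]) -> Counter:
    """Count events per category; lines without a severity tag are skipped."""
    counts: Counter = Counter()
    for line in lines:
        event = parse_line(line)
        if event is not None:
            counts[event["category"]] += 1
    return counts


def needs_attention(lines: List[str]) -> List[str]:
    """Lines an operator should look at: every ERROR, plus certificate rejections."""
    flagged = []
    for line in lines:
        event = parse_line(line)
        if event and (event["severity"] == "ERROR" or event["category"] == "auth_failure"):
            flagged.append(line)
    return flagged


if __name__ == "__main__":
    print(dict(summarize(SAMPLE_LINES)))
    for line in needs_attention(SAMPLE_LINES):
        print("ATTENTION:", line)
```

    The `fullmatch` on the exact guide text is deliberate: "unable to delete old SPD entry" and "unable to delete SPD entry" are distinct entries in the table, and a loose substring match would conflate them. A certificate rejection is NOTICE, not ERROR, on this router, which is why `needs_attention` flags it by category rather than by severity alone.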

  • THOMSON 608(WL) - page 172

    Chapter 5 Troubleshootin g SpeedTouch™ IPSec E-DOC-CTC-2005 1017-0169 v0.1 170 5.4 Via SNMP Debugging via SNMP On the SpeedT ouch™, seve ral SNMP MIBs are availa ble allowing to r etrieve configuration and count er information. A MIB (Management In formation Base) can be considered as a repre sentation of a grou p of parameters. A huge amount o ...

  • THOMSON 608(WL) - page 173

    Chapter 5 Troubleshooting Sp eedTouch™ IPSec E-DOC-CTC-20051 017-0169 v0.1 171 5.5 Pinging from the SpeedTouch™ to the remote private network Ping command In order to verify that an IPSec tunnel is active, you can use the :ip debug pi ng CLI command of the SpeedT ouch™. With this command you are able to send ping messages from the SpeedT ouch ...

  • THOMSON 608(WL) - page 175

    Chapter 6 Advanced Features E-DOC-CTC-20051017-0169 v0.1 173 6 Advanced Features In this section The following topics are described in this section: Topic Page 6.1 IPSec and the Stateful Inspection Firewall 174 6.3 Extended Authentication (XAuth) 176 6.4 VPN Client 177 6.5 VPN Server 182 6.6 XAuth Users Pool 188 6.7 The Default Peer Concept 19 ...

  • THOMSON 608(WL) - page 176

    6.1 IPSec and the Stateful Inspection Firewall What about ... The SpeedTouch™ has a built-in firewall which is completely configurable by the user. A number of preset firewall levels are defined that allow an easy configuration according to your security policy. In most cases, ...

  • THOMSON 608(WL) - page 177

    6.2 Surfing through the VPN tunnel Web Browsing Interception and surfing through a tunnel One of the SpeedTouch™ features for easy Internet access is the so-called Web Browsing Interception, also referred to as Differentiated Services Detection (DSD). This feature monitors your ...

  • THOMSON 608(WL) - page 178

    6.3 Extended Authentication (XAuth) What is ... Extended Authentication, commonly referred to as the XAuth protocol, allows for performing extra user authentication. A typical practical example is the mixed use of IKE tunnel negotiation using preshared key as authentication method ...

  • THOMSON 608(WL) - page 179

    6.4 VPN Client Introduction The SpeedTouch™ can be configured as a VPN client. In this function, it supports the IKE Mode Config protocol to receive configuration parameters from the remote VPN server. Optionally, you can enable the use of the Extended Authenti ...

  • THOMSON 608(WL) - page 180

    6.4.1 VPN Client parameters Parameters table The following table shows the VPN Client parameters. VPN Client parameters Parameter Keyword Description VPN client name name Mandatory. Symbolic name for the VPN server, used internally in the SpeedTouch™. XAuth user name xauthuser Op ...

  • THOMSON 608(WL) - page 181

    6.4.2 Create a new vpnclient add command A new vpnclient is created with the ipsec peer vpnclient add command. Example In the following example, a new vpnclient entity is created, named client1. The result of this operation can be verified with the list command. For the newly created ...

  • THOMSON 608(WL) - page 182

    6.4.3 Set or modify the vpnclient parameters modify command The ipsec peer vpnclient modify command sets or modifies the vpnclient entity parameters. Example In this example, the parameters of the previously defined vpnclient entity, named client1, are set: Use the list command to ve ...

  • THOMSON 608(WL) - page 183

    6.4.4 Attach the vpnclient entity to the peer entity modify the peer parameters The :ipsec peer modify name=peer1 client/server=client1 command attaches the previously defined vpnclient entity to the corresponding peer. Example In this example vpnclient1 is attached to peer1: The res ...

  • THOMSON 608(WL) - page 184

    6.5 VPN Server Introduction In the previous section the SpeedTouch™ was used as a VPN client. The SpeedTouch™ can be used equally well as a VPN server. In this function, it can be configured with an XAuth user pool, to serve remote clients. In this section the VPN server command ...

  • THOMSON 608(WL) - page 185

    6.5.1 VPN Server parameters Parameters table The following table shows the VPN Server parameters. Connection name [name] This symbolic name only has local significance inside the SpeedTouch™ router. VPN Server parameters Parameter Keyword Description VPN server name name Manda ...

  • THOMSON 608(WL) - page 186

    Push IP address [push_ip] The VPN server will always provide an IP address to the remote VPN client. VPN clients can behave in two different ways. Either: the VPN client requests an IP address. Then the VPN server responds to this request, and provides a suitable IP address. Or: The V ...

  • THOMSON 608(WL) - page 187

    6.5.2 Create a new VPN server add command A new VPN server is created with the ipsec peer vpnserver add command. Example In the following example, a new vpnclient entity is created, named client1. The result of this operation can be verified with the list command. For the newly create ...

  • THOMSON 608(WL) - page 188

    6.5.3 Set or modify the vpnserver parameters modify command The ipsec peer vpnserver modify command sets or modifies the vpnserver entity parameters. Example In this example, the parameters of the previously defined vpnserver entity, named serv1, are set: Use the list command to veri ...

  • THOMSON 608(WL) - page 189

    6.5.4 Attach the vpnserver entity to the peer entity modify the peer parameters The :ipsec peer modify name=peer1 client/server=serv1 command attaches the previously defined vpnserver entity to the corresponding peer. Example In this example vpnclient1 is attached to peer1: The resul ...

  • THOMSON 608(WL) - page 190

    6.6 XAuth Users Pool Introduction In the previous section the application of the SpeedTouch™ as a VPN server was described. In addition to the IPSec authentication mechanisms, the clients may support the use of the XAuth protocol. In this case, the SpeedTouch™ VPN server can ser ...

  • THOMSON 608(WL) - page 191

    6.6.1 XAuth Pool parameters Parameters table The following table shows the XAuth Pool parameters. XAuth Pool parameters Parameter Keyword Description XAuth pool name name Mandatory. Symbolic name for the XAuth pool, used internally in the SpeedTouch™. Pool type type Mandatory. Tw ...

  • THOMSON 608(WL) - page 192

    6.6.2 Create a new XAuth pool add command A new XAuth pool is created with the ipsec peer vpnserver xauthpool add command. Example In the following example, a new xauthpool is created, named pool1. The result of this operation can be verified with the list command. [ipsec]=> [ipsec] ...

  • THOMSON 608(WL) - page 193

    6.6.3 Modify the xauthpool type modify command With the ipsec peer vpnserver xauthpool modify command it is possible to modify the pool type. Example In this example, the type of the previously defined pool, named pool1, is set to chap: Use the list or listpool command to verify the r ...

  • THOMSON 608(WL) - page 194

    6.6.4 Attach the xauthpool entity to the vpnserver entity modify the vpnserver parameters The :ipsec peer vpnserver modify name=serv1 xauthpool=pool1 command attaches the previously defined pool to the vpnserver, named serv1. Example In this example pool1 is attached to vpnserver1: ...

  • THOMSON 608(WL) - page 195

    6.6.5 Delete an xauthpool entity delete command The ipsec peer vpnserver xauthpool delete command deletes a network. Example In this example the pool, named pool1, is deleted: The result of this operation is verified with the list command. [ipsec peer vpnserver xauthpool]=>delete ...

  • THOMSON 608(WL) - page 196

    6.6.6 XAuth User parameters Parameters table The following table shows the XAuth User parameters. Parameter Keyword Pool name poolname User name username Password password ...

  • THOMSON 608(WL) - page 197

    6.6.7 Create a new XAuth user adduser command A new XAuth user is created with the ipsec peer vpnserver xauthpool adduser command. Example In the following example the pool, named pool1, is populated with a new XAuth user, named user1: The result of this operation can be verified wit ...

  • THOMSON 608(WL) - page 198

    6.6.8 Set or modify the password of an XAuth user moduser command The ipsec peer vpnserver xauthpool moduser command allows setting or modifying the XAuth user password. Example In this example, the password of the previously defined user, named user1, is set: Use the list command to ...

  • THOMSON 608(WL) - page 199

    6.6.9 Delete an xauthuser entity delete command The ipsec peer vpnserver xauthpool deluser command deletes an XAuth user entry from its pool. Example In this example the user, named user1, is deleted: The result of this operation is verified with the list command. [ipsec peer vpnserver ...

  • THOMSON 608(WL) - page 200

    6.7 The Default Peer Concept Why the default peer concept Consider the network configuration shown below: When the SpeedTouch™ [1] gets its IP address dynamically assigned (e.g. during PPP tunnel setup), a remote IPSec peer cannot know in advance which IP address will be assign ...

  • THOMSON 608(WL) - page 201

    Example IPSec connection, applying the default peer concept SpeedTouch™ [1] IPSec peer configuration: The parameter localid can remain either unset, or an identifier type can be used that is independent of the IP address, such as the userfqdn. SpeedTouch™ [2] IPSec peer con ...

  • THOMSON 608(WL) - page 202

    6.8 One Peer - Multiple Connections Multiple tunnels In order to set up a Phase 2 tunnel, a Phase 1 IKE tunnel is required first. Via this Phase 1 tunnel the signalling messages, negotiating the Phase 2 tunnel, are transferred. The SpeedTouch™ allows setting up several Phase 2 tunn ...

  • THOMSON 608(WL) - page 203

    6.9 Peer Options Options list The peer options alter the behaviour of the VPN network. Options to be applied to Peer entities are stored in named Option Lists. An Option List contains the following options: Local Address When multiple IP addresses are assigned to the SpeedTouch™, ...

  • THOMSON 608(WL) - page 204

    Dead Peer Detection The SpeedTouch™ supports the Dead Peer Detection protocol. By default, the use of this protocol is enabled. This option allows disabling the use of the DPD protocol. DPD Idle Period The DPD protocol defines a worry period. This is an idle time during which no ...

  • THOMSON 608(WL) - page 205

    6.9.1 List all Peer Options lists list command The ipsec peer options list command shows all previously created options lists. Example In the following example, a list of all previously created options is shown. =>ipsec [ipsec]=>peer [ipsec peer]=>options [ipsec peer options ...

  • THOMSON 608(WL) - page 206

    6.9.2 Create a Peer Options list add command The ipsec peer options add command allows adding a new options list. Example In the following example, a new options list is created, named opt1. The result of this operation can be verified with the list command, as shown above. [ipsec]=> ...

  • THOMSON 608(WL) - page 207

    6.9.3 Set or modify the Peer Option list parameters modify command The ipsec peer options modify command allows modifying the options list parameters. Example In the following example, the options list parameters are modified. [ipsec peer options]=>modify name = opt1 [localaddr] = ...

  • THOMSON 608(WL) - page 208

    6.9.4 Delete a Peer Options list delete command The ipsec peer options delete command deletes a previously created options list. Example In the following example the options list, named opt2, is deleted. The result of this operation can be verified with the list command. [ipsec pee ...

  • THOMSON 608(WL) - page 209

    6.10 Connection Options Options list The connection options alter the behaviour of the VPN network. Options to be applied to Connections are stored in named Option Lists. An Option List contains the following options: IPSec routing mode [routed] This parameter has two possible settin ...

  • THOMSON 608(WL) - page 210

    Don’t Fragment bit [force_df] IPSec encryption increases the packet length. When the MTU of a link is adjusted to pass the largest IP packet unfragmented, then messages encapsulated by IPSec will not pass if the Don’t Fragment bit is set. In some cases, it might be required to influ ...

  • THOMSON 608(WL) - page 211

    6.10.1 List all Connection Options lists list command The ipsec connection options list command shows all previously created options lists. Example In the following example, all previously created options are listed. [ipsec]=>connection [ipsec connection]=>options [ipsec connect ...

  • THOMSON 608(WL) - page 212

    6.10.2 Create a Connection Options list add command The ipsec connection options add command allows adding a new options list. Example In the following example, a new options list is created, named copt1. The result of this operation can be verified with the list command, as shown abo ...

  • THOMSON 608(WL) - page 213

    6.10.3 Set or modify the Connection Option list parameters modify command The ipsec connection options modify command allows modifying the options list parameters. Example In the following example, the options list parameters are modified. =>ipsec [ipsec]=>connection [ipsec conne ...

  • THOMSON 608(WL) - page 214

    6.10.4 Delete an Options list delete command The ipsec connection options delete command deletes a previously created options list. Example In the following example the options list, named copt1, is deleted. [ipsec connection options]=>delete name = copt1 :ipsec connection options ...

  • THOMSON 608(WL) - page 215

    6.11 Advanced Connection Introduction The Advanced command group is a sub-group of the Connection command group. It allows additional connection settings in order to take full advantage of the dynamic policy capabilities of the SpeedTouch™. Parameters table The table below lists p ...

  • THOMSON 608(WL) - page 216

    Local network [localnetwork] This parameter is used in the proposal presented to the remote Security Gateway during the Phase 2 negotiation. It determines which messages have access to the IPSec connection at the local side of the tunnel. This is a basic parameter for the dynamic IPS ...

  • THOMSON 608(WL) - page 217

    Local match [localmatch] This setting is relevant in responder mode only. It is optionally filled out. In a basic configuration it is left unset. When unset, the SpeedTouch™ uses its dynamic IPSec policy capabilities to complete this field. The ipsec connection advanced command gro ...

  • THOMSON 608(WL) - page 218

    Remote match [remotematch] This setting is relevant in responder mode only. It is optionally filled out. In a basic configuration it is left unset. When unset, the SpeedTouch™ uses its dynamic IPSec policy capabilities to complete this field. The ipsec connection advanced command g ...

  • THOMSON 608(WL) - page 219

    Local selector [localselector] The local selector expresses a static IPSec policy for access to the IPSec tunnel at the local end. This setting can optionally be filled out manually. In a basic configuration it is left unset. In such a case, the SpeedTouch™ uses its dynamic policy ...

  • THOMSON 608(WL) - page 222

    Need more help? Additional help is available online at www.speedtouch.com © THOMSON 2006. All rights reserved. E-DOC-CTC-20051017-0169 v1.0 ...

Manufacturer THOMSON Category Network Card
