COPYRIGHT © 2005 Nokia. All rights reserved. Rights reserved under the copyright laws of the United States.
RESTRICTED RIGHTS LEGEND
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
IMPORTANT NOTE TO USERS This software and hardware is provided by Nokia Inc. as is and any express or implied warranties, including, but not limited to, implied warranties of merchantability and fitness for a particular purpose are disclaimed. In no event shall Nokia, or its affiliates, subsidiaries or suppliers be liable for any direct, indirect, incidental, special, exemplary, or consequential damages (including, but not limited to, procurement of substitute goods or services; loss of use, data, or profits; or business interruption) however caused and on any theory of liability, whether in contract, strict liability, or tort (including negligence or otherwise) arising in any way out of the use of this software, even if advised of the possibility of such damage.
Nokia reserves the right to make changes without further notice to any products herein.
TRADEMARKS Nokia is a registered trademark of Nokia Corporation. Other products mentioned in this document are trademarks or registered trademarks of their respective holders.
050110
2 Nokia IP VPN Gateway Command-Line Summary v6.3
Nokia Contact Information

Corporate Headquarters
Web Site: http://www.nokia.com
Telephone: 1-888-477-4566 or 1-650-625-2000
Fax: 1-650-691-2170
Mail Address: Nokia Inc., 313 Fairchild Drive, Mountain View, California 94043-2215 USA

Regional Contact Information
Americas: Nokia Inc., 313 Fairchild Drive, Mountain View, CA 94043-2215 USA. Tel: 1-877-997-9199. Outside USA and Canada: +1 512-437-7089. Email: [email protected]
Europe, Middle East, and Africa: Nokia House, Summit Avenue, Southwood, Farnborough, Hampshire GU14 0NG UK. Tel: UK: +44 161 601 8908. Tel: France: +33 170 708 166. Email: [email protected]
Asia-Pacific: 438B Alexandra Road, #07-00 Alexandra Technopark, Singapore 119968. Tel: +65 6588 3364. Email: [email protected]

Nokia Customer Support
Web Site: https://support.nokia.com/
Email: [email protected]
Americas: Voice: 1-888-361-5030 or 1-613-271-6721. Fax: 1-613-271-8782
Europe: Voice: +44 (0) 125-286-8900. Fax: +44 (0) 125-286-5666
Asia-Pacific: Voice: +65-67232999. Fax: +65-67232897
050602
Contents

About This Guide . . . 9
  In This Guide . . . 9
  Conventions This Guide Uses . . . 10
    Notices . . . 10
    Command-Line Conventions . . . 10
    Text Conventions . . . 12
    IP Address Notation . . . 12
  Related Documentation . . . 13

1 Introducing the Command-Line Interface . . . 15
  Connecting to the CLI . . . 15
  CLI Modes . . . 16
    Command Mode . . . 16
    Configuration Mode . . . 17
    Public Key Infrastructure Configuration Mode . . . 18
    Policy Configuration System Mode . . . 18
    Firewall Configuration Mode . . . 18
  Navigating Between CLI Modes . . . 18
  Saving Changes Made in CLI Modes . . . 19
  configure wizard command . . . 20
  General CLI Features . . . 20
    Execute Commands . . . 20
    Command Recall and Editing . . . 20
    Command-Line Help . . . 21
  Flash Memory Files . . . 22
    Common Flash Files . . . 22
    Saving Configuration Changes to Flash Memory . . . 23
  Using Network File System, Trivial File Transfer Protocol and Secure Copy with Configuration Files . . . 25
  Troubleshooting . . . 26

2 Configuring the Gateway . . . 27
  Configuring Gateway Interfaces . . . 28
    Configuring Interface Settings . . . 29
    Configuring a Serial Interface . . . 34
    Configuring WAN Backup Settings . . . 35
    Configuring PPPoE Settings . . . 37
    Configuring VRRP . . . 44
  Configuring Routing . . . 46
    Static Routing . . . 46
    Dynamic Routing . . . 47
  Configuring Clustering . . . 49
    Command Mode Commands . . . 49
    Configuration Mode Commands . . . 50
  Configuring Network Settings . . . 52
    Command Mode Commands . . . 52
    Configuration Mode Commands . . . 54

3 Managing the Gateway . . . 73
  Gateway Administration . . . 73
    Command Mode Commands . . . 73
    Configuration Mode Commands . . . 125
  Network Utilities . . . 139
    Command Mode Commands . . . 140
    Configuration Mode Commands . . . 150
  Managing Files and Directories . . . 151
    Command Mode Commands . . . 151
    Configuration Mode Commands . . . 155
  Logging and Debugging . . . 156
    Command Mode Commands . . . 156
    Configuration Mode Commands . . . 168
  Configuring User Accounts . . . 184
    Configuration Mode Commands . . . 184

4 Configuring Public Key Infrastructure . . . 191
  Entering and Exiting PKI Configuration Mode . . . 191
  Committing PKI Configuration Commands to Memory . . . 191
    Saving Changes to a Cluster . . . 191
  PKI Configuration Tasks . . . 192
  Installing Certificates . . . 192
  Viewing Your PKI Configuration . . . 192
    show configuration pki . . . 193
    show key info . . . 194
    Differences Between configuration PKI and show key Commands . . . 195
  PKI Configuration Mode Commands . . . 196
    block . . . 197
    ca . . . 198
    certificate . . . 208
    crl . . . 210
    exit . . . 210
    keypair . . . 210
    no . . . 211
    pkcs12 device . . . 211
    public-key . . . 211
    uuid . . . 212
  Integrating with Third-Party CAs . . . 212

5 Configuring Policy Configuration System . . . 219
  Entering and Exiting PCS Configuration Mode . . . 219
  Saving Crypto Policy Configuration to Flash Memory . . . 220
  PCS Configuration Mode Commands . . . 220
  Common PCS Commands . . . 220
    apply . . . 220
    clear . . . 221
    exit . . . 221
    load . . . 221
    map . . . 222
    save . . . 222
    show . . . 223
    unload . . . 224
  Specific PCS Commands . . . 225
    IKE Policy Configuration Commands . . . 225
    IPSec Policy Configuration Commands . . . 228
    VPN Configuration Commands . . . 236
  IPSec Configuration with PCS . . . 239
    IKE Policy . . . 240
    IPSec Policy . . . 242
    Other PCS Commands . . . 249
    Requirements and Limitations . . . 249
    Summary . . . 249
    Example . . . 250

6 Configuring Firewall and Network Address Translation . . . 255
  Overview . . . 255
  Managing the Firewall Using the CLI . . . 257
  Default Firewall Behavior . . . 257
  Configuring the Firewall . . . 259
    Command Mode Commands . . . 259
    Firewall Configuration Mode . . . 261
    Rule Definition Mode . . . 269
  NAT Before IPSec Translations . . . 287
  LOG Clauses in Firewall Rules . . . 288
  Firewall Rule Examples . . . 289

A PCS and Crypto Command Diagrams . . . 291
  IPSec CLI Configuration Map . . . 292
  Policy Diagram . . . 293
  Crypto Command Diagram . . . 294

B Dynamic Gateway Deployment . . . 295
  Overview . . . 295
  Configuring the Gateway . . . 296
    Topology of the Deployed Gateway . . . 296
    Configuring Network Settings . . . 297
  Creating and Installing Certificates . . . 299
    Generating the Internal CA . . . 300
  Setting Gateway Selectors . . . 307
    Configuring IKE Settings . . . 307
    Configuring IPSec Settings . . . 310
  Dynamic Hello . . . 315
    deployment_hub . . . 315

C List of Commands . . . 317

Index . . . 339
About This Guide
This guide provides information about how to use the command-line interface (CLI) to configure, monitor, and manage Nokia IP VPN Gateway. It also provides a reference of the commands you can enter from the Nokia IP VPN Gateway CLI.

This guide is written for system administrators and network engineers who need to configure or monitor Nokia IP VPN Gateway by using the CLI.

You can also configure all of the features of Nokia IP VPN Gateway through the Nokia VPN Manager software (the GUI-based interface). For more information about the Nokia VPN Manager software, see the Nokia IP VPN Gateway Configuration Guide v6.3.

Caution: You must use either the CLI or VPN Manager for configuration, but not both. When you apply changes by using VPN Manager, configuration changes you made by using the CLI are overwritten in the configuration files.

Only experienced technicians or Nokia approved service providers should perform installation and maintenance of Nokia IP VPN Gateways. For more information about how to install Nokia IP VPN Gateway hardware, see the relevant Nokia IP VPN Gateway Installation Guide.

This preface provides the following information:
In This Guide
Conventions This Guide Uses
Related Documentation

In This Guide
This guide is organized into the following chapters and appendixes:
Chapter 1, “Introducing the Command-Line Interface” presents an introduction to using the Nokia IP VPN Gateway CLI.
Chapter 2, “Configuring the Gateway” describes the commands you can enter from the CLI command mode and the configuration mode to perform initial gateway configuration, and configure routing, clustering, and network settings for the gateway.
Chapter 3, “Managing the Gateway” describes the commands you can enter from the CLI command mode and configuration mode to manage the gateway, validate network and gateway parameters, disable and enable subsystems, and configure network access and services.
Chapter 4, “Configuring Public Key Infrastructure” describes the commands you can enter from the CLI Public Key Infrastructure (PKI) mode.
Chapter 5, “Configuring Policy Configuration System” describes the commands you can enter from the CLI Policy Configuration System (PCS) mode.
Chapter 6, “Configuring Firewall and Network Address Translation” describes how you can configure Firewall and Network Address Translation from the CLI Firewall mode.
Appendix A, “PCS and Crypto Command Diagrams” presents diagrams that summarize the PCS commands and subcommands, and the crypto command diagram.
Appendix B, “Dynamic Gateway Deployment” describes how to configure a simple dynamic gateway deployment, when two dynamic (spoke) gateways and a hub pass traffic among one another.
Appendix C, “List of Commands” lists the CLI commands. Use this appendix as a quick reference to locate specific commands.

Conventions This Guide Uses
The following sections describe the conventions this guide uses, including notices, text conventions, and command-line conventions.

Notices
Caution: Cautions indicate potential equipment damage, equipment malfunction, loss of performance, loss of data, or interruption of service.
Note: Notes provide information of special interest or recommendations.

Command-Line Conventions
This section defines the elements of commands that are available in Nokia Internet Communications products. You might encounter one or more of the following elements on a command-line path.
Table 1 Command-Line Conventions

command: This required element is usually the product name or other short word that invokes the product or calls the compiler or preprocessor script for a compiled Nokia product. It might appear alone or precede one or more options. You must spell a command exactly as shown and use lowercase letters.

Italics: Indicates a variable in a command that you must supply. For example:
delete interface if_name
Supply an interface name in place of the variable. For example:
delete interface nic1

angle brackets < >: Indicates arguments for which you must supply a value:
retry-limit <1–100>
Supply a value. For example:
retry-limit 60

Square brackets [ ]: Indicates optional arguments.
delete [slot slot_num]
For example:
delete slot 3

Vertical bars, also called a pipe (|): Separates alternative, mutually exclusive elements.
framing <sonet | sdh>
To complete the command, supply the value. For example:
framing sonet
or
framing sdh

-flag: A flag is usually an abbreviation for a function, menu, or option name, or for a compiler or preprocessor argument. You must enter a flag exactly as shown, including the preceding hyphen.

.ext: A filename extension, such as .ext, might follow a variable that represents a filename. Type this extension exactly as shown, immediately after the name of the file. The extension might be optional in certain products.

( . , ; + * - / ): Punctuation and mathematical notations are literal symbols that you must enter exactly as shown.

' ': Single quotation marks are literal symbols that you must enter as shown.

Text Conventions
Table 2 describes the text conventions this guide uses.

Table 2 Text Conventions

monospace font: Indicates command syntax, or represents computer or screen output, for example:
Log error 12453

bold monospace font: Indicates text you enter or type, for example:
# configure nat

Key names: Keys that you press simultaneously are linked by a plus sign (+):
Press Ctrl + Alt + Del.

The words enter and type: Enter indicates you type something and then press the Return or Enter key. Do not press the Return or Enter key when an instruction says type.

IP Address Notation
Nokia IP VPN Gateway uses standard notation to identify IP addresses. The subnet mask is represented in hexadecimal format. Example: 192.168.1.1 with subnet mask 0xFFFFFF00. In this example, 192.168.1.1 is a Class C address, so the first three octets (bytes) represent the network address, and the last octet represents the host address. 192.168.1.1 is the host IP address with the subnet mask 255.255.255.0.

To specify the network address of the given IP address, the host section of the IP address is set to zeros. In this example, 192.168.1.0 specifies the network address with the subnet mask 255.255.255.0. The IP address range in this network can vary from 192.168.1.1 to 192.168.1.254. Table 3 lists the mapping of the subnet mask to the notation.
Table 3 Mapping Subnet Mask to Notation
Subnet mask: Notation
0xff000000: 255.0.0.0
0xffff0000: 255.255.0.0
0xffffff00: 255.255.255.0

Related Documentation
In addition to this guide, documentation for this product includes the following:
Nokia IP VPN Gateway Getting Started Guide v6.3
Nokia 5i and 10i Installation Guide
Nokia 50i Installation Guide
Nokia 100i Installation Guide
Nokia 500i Installation Guide
Nokia IP VPN Gateway Configuration Guide v6.3
Nokia IP VPN Gateway Routing Administration Guide v6.3
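The hexadecimal subnet-mask notation and the network-address and host-range arithmetic described under “IP Address Notation” above, worked through in Python. This is an added example, not code from the Nokia guide; it goes beyond the three masks in Table 3 to any contiguous mask, accepts either notation as input, and rejects masks that are not a run of one-bits followed by zero-bits, which the gateway notation cannot express meaningfully.

```python
import ipaddress

ALL_ONES = 0xFFFFFFFF


def hex_mask_to_dotted(mask_hex):
    """Convert a gateway-style hex mask such as 0xFFFFFF00 to 255.255.255.0.

    Raises ValueError when the value is not 32 bits wide or is not
    contiguous (a valid mask is a run of one-bits followed by zero-bits).
    """
    value = int(mask_hex, 16)
    if not 0 <= value <= ALL_ONES:
        raise ValueError(f"{mask_hex} is not a 32-bit subnet mask")
    # Inverting a contiguous mask yields 2**k - 1, which shares no bit with 2**k.
    inverted = value ^ ALL_ONES
    if inverted & (inverted + 1):
        raise ValueError(f"{mask_hex} is not a contiguous subnet mask")
    return str(ipaddress.IPv4Address(value))


def dotted_to_hex_mask(dotted):
    """Convert 255.255.0.0 back to the 0xffff0000 form used in Table 3."""
    return f"0x{int(ipaddress.IPv4Address(dotted)):08x}"


def normalize_mask(mask):
    """Accept either notation and return the validated dotted form."""
    if mask.lower().startswith("0x"):
        return hex_mask_to_dotted(mask)
    # Round-trip through the hex form so dotted input gets the same checks.
    return hex_mask_to_dotted(dotted_to_hex_mask(mask))


def describe_network(host_ip, mask):
    """Return network, broadcast, prefix length and usable host range for host_ip/mask."""
    dotted = normalize_mask(mask)
    net = ipaddress.IPv4Network(f"{host_ip}/{dotted}", strict=False)
    # /31 and /32 have no conventional first/last host; report zero usable hosts.
    usable = net.num_addresses - 2 if net.prefixlen < 31 else 0
    return {
        "host": host_ip,
        "mask": dotted,
        "mask_hex": dotted_to_hex_mask(dotted),
        "prefix_length": net.prefixlen,
        "network": str(net.network_address),
        "broadcast": str(net.broadcast_address),
        "first_host": str(net.network_address + 1) if usable else None,
        "last_host": str(net.broadcast_address - 1) if usable else None,
        "usable_hosts": usable,
    }


if __name__ == "__main__":
    # The guide's own example: 192.168.1.1 with subnet mask 0xFFFFFF00.
    for key, val in describe_network("192.168.1.1", "0xFFFFFF00").items():
        print(f"{key:>14}: {val}")
```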
1 Introducing the Command-Line Interface
This chapter details the information you need to access and use the Nokia IP VPN Gateway CLI. It also describes the administration tasks you can perform by using the Nokia IP VPN Gateway CLI. This chapter contains the following sections:
Connecting to the CLI
CLI Modes
Navigating Between CLI Modes
Saving Changes Made in CLI Modes
configure wizard command
General CLI Features
Flash Memory Files
Using Network File System, Trivial File Transfer Protocol and Secure Copy with Configuration Files
Troubleshooting

Connecting to the CLI
You can access the CLI by using any of the three following methods:
Console port—connect a terminal directly to the console port of Nokia IP VPN Gateway. Use the following settings for the hyperterminal:
COM port (to which the gateway is connected)
9600 bps
8 data bits
Parity - None
1 stop bit
Flow control - None
Note: You must use the console port the first time you connect to the gateway. For more information about how to connect to the console port of the gateway, see the relevant Nokia IP VPN Gateway Installation Guide.

Telnet—use Telnet to connect to the CLI.
SSH—use Secure Shell (SSH) compliant with V2 of the SSH protocol. To set up SSH, use the sshd command. For more information about the sshd command, see “sshd” on page 186.

Note: You can enable or disable the access methods through the Config# login source command. For more information about the Config# login source command, see “login” on page 184.

CLI Modes
CLI commands are specific to a CLI mode. Each CLI mode allows you to perform specific functions by using relevant commands. The CLI modes are:
Command Mode
Configuration Mode
Public Key Infrastructure Configuration Mode
Policy Configuration System Mode
Firewall Configuration Mode

Note: Appendix C, “List of Commands” lists the CLI commands. Use this appendix as a quick reference to locate specific commands.

Command Mode
Use command mode to enter system-wide or cluster-wide configuration and monitoring commands. The default command mode prompt is the greater-than sign (>).

Note: To display the host name as the command mode prompt, use the Config# hostname command. For example, if the host name is gateway, the system prompt appears as gateway>. For more information about the hostname command, see “hostname” on page 130.
Configuration Mode
Use configuration mode to modify the running system configuration. Commands issued in configuration mode take effect as soon as the command is entered. The configuration mode prompt is: Config#.

Entering and Exiting Configuration Mode
Use the following commands to enter or exit configuration mode:
To enter configuration mode, enter one of the following commands from the command mode prompt:
> config
> configure
The prompt changes to: Config#.
To exit configuration mode and return to command mode, enter the exit command at the prompt:
Config# exit

Saving Configuration Commands to Flash Memory
Commands that you enter from configuration mode take effect immediately. To write settings from memory to flash memory, from the command mode, enter the following command:
> config save

Saving Changes to a Cluster
To save changes made to a cluster, from the master node, switch to command mode, and enter the following command:
> config save cluster
This command causes the master node of the cluster to write its configuration to flash memory, and commands all the nodes in the cluster to copy and apply the new flash configuration version.All configuration commands relate to changing or viewing the parameters on the local node. Some commands also allow you to change the configuration of other nodes within the cluster. To apply changes throughout a cluster, you must reboot the other nodes. Nokia recommends that all configuration take place on the master node of the cluster.
Caution: Because of the nature of a clustered environment, IP addressing, routing information, and other configuration settings must be consistent across all nodes.
Note: PKI and PCS configuration is clustered.

Public Key Infrastructure Configuration Mode
Use the Public Key Infrastructure (PKI) configuration mode to configure and view PKI, and the public and private keys for Nokia IP VPN Gateway. Commands issued in PKI configuration mode take effect as soon as the commands are entered. The PKI mode prompt is: config_pki#. For more information about the PKI mode, see “Configuring Public Key Infrastructure” on page 191.

Policy Configuration System Mode
Use the Policy Configuration System (PCS) mode to create, modify, and delete policies from the command-line interface. PCS supports IKE protection suites, IKE policy groups, gateway policies, IPSec policies, IPSec clients, and Selectors. The PCS mode prompt is: config_policy#. For more information about the PCS mode, see “Configuring Policy Configuration System” on page 219.

Firewall Configuration Mode
Use the Firewall Configuration mode to add, remove, and modify lists that contain packet filtering rules. The firewall mode prompt is: config_firewall#. For more information about the firewall mode, see “Configuring Firewall and Network Address Translation” on page 255.

Navigating Between CLI Modes
By default, the console displays the command mode (>). Use the commands described in Table 4 to navigate between modes.

Note: Press Return or Enter to execute the command.
Table 4 Navigation Between Modes

Switch to command mode (>): From the configuration, PKI, or PCS mode, enter exit. The default is the command mode.

Switch to configuration mode (Config#): From the command mode, enter config or configure. From the PKI or PCS mode, enter exit (the mode changes to the command mode), then from the command mode enter config or configure. You cannot directly switch to the configuration mode from the PKI mode, PCS mode, or firewall mode; you must switch to the command mode and enter the relevant commands.

Switch to PKI mode (config_pki#): From the command mode, enter configure pki or config pki. You can switch to the PKI mode only from the command mode.

Switch to PCS mode (config_policy#): From the command mode, enter configure policy or config policy. You can switch to the PCS mode only from the command mode.

Switch to firewall mode (config_firewall#): From the command mode, enter configure firewall or config firewall. You can switch to the firewall mode only from the command mode.

End Current Session
To end the current session, enter the exit command from the command mode.

Saving Changes Made in CLI Modes
Changes made in each of the four modes are not saved across system reboots unless you explicitly save the changes. For information about saving changes, see “Saving Configuration Changes to Flash Memory” on page 23.
Nokia IP VPN Gateway Command-Line Summary v6.3 19
1 Introducing the Command-Line Interface
configure wizard command
The configure wizard command initializes the gateway and allows you to configure it. For more information about the configure wizard command, see the wizard command in “configure” on page 77.
Caution: When you initialize the gateway by using the configure wizard command, all configuration data is erased from flash memory.
General CLI Features
This section describes general CLI features that you can use with any command in any mode.
Execute Commands
Press Return or Enter to execute the completed command string. The cursor does not have to be at the end of the line when you press Return or Enter.
Command Recall and Editing
You can recall and edit previously issued commands by using command-line editing.
Note: Use the Up arrow to recall commands. You can recall a maximum of 32 commands.
Editing Styles for emacs and VMS
The CLI supports limited line editing that lets you recall previously entered commands and edit them without having to retype the entire line. You can choose between two styles of line editing: emacs and VMS. To select a style of line editing, from the command mode, enter the terminal editing-style command followed by the required style (emacs or VMS), as shown in the following example:
> terminal editing-style VMS
Table 5 lists the differences between the emacs and VMS editing styles. Table 6 lists keys common to emacs and VMS.

Table 5 Editing Styles
Control character behavior | emacs | VMS
Beginning of line | Ctrl + A | Ctrl + K
Exit | Ctrl + Z | Ctrl + D
Toggle insert or overstrike |  | Ctrl + A
Back one character | Ctrl + B | Ctrl + D
Delete previous word | Ctrl + W | Ctrl + J
Delete current character | Ctrl + D |
Delete from current character to end of line | Ctrl + K |
Line terminator | Return key or NL | Return key
Previous line | Ctrl + P or Up arrow | Ctrl + B or Up arrow

Table 6 Keys Common to emacs and VMS
Control character behavior | Keys
End of line | Ctrl + E
Next line | Ctrl + N or Down arrow
Abort line | Ctrl + C
Forward one character | Ctrl + F
Redraw line | Ctrl + L or Ctrl + R
Erase to beginning of line | Ctrl + U
Exit (at beginning of line only) | Ctrl + Z

Command-Line Help
You can use command-line help to:
• View the list of commands available from the current prompt—type a question mark (?) at the prompt.
• View available options for a command—from the current mode, type the command, then press the Space bar followed by a question mark (?), as shown in the following example:
Config# arp ?
add     Add an ARP entry
change  Change an ARP entry
delete  Delete an ARP entry
• View commands or command options that begin with a particular character—from the current mode, type the character followed by a question mark (?), as shown in the following examples:
config_pki# c?
ca certificate crl
> show s?
schedule snmp statistics subsystem syslog
• Execute automatic command-line completion—abbreviate the command to the smallest number of nonambiguous characters and press the Tab key. In the following example, when the user types exa and presses the Tab key, the command-line utility displays the complete command:
> exa
> examine
Flash Memory Files
This section:
• Lists the common flash memory files.
• Describes how to save to flash memory configuration changes made through the CLI.
Note: Flash memory is of two types: internal and external. You can install external flash memory cards only on the gateways that support external flash. For more information about flash memory and gateways that support external flash memory cards, see the relevant Nokia IP VPN Gateway Installation Guide.
Common Flash Files
When you enter CLI commands and save your changes, the information is written to the appropriate file on flash memory.
Note: For more information about manipulating files on flash memory, see “Managing Files and Directories” on page 151.
The following files are found on flash memory during normal operation:
• boot.config: Contains configuration version information, boot kernel information, and boot kernel flags. Also used during kernel upgrades.
• cluster_config_<version>.txt: Contains cluster-wide configuration information.
• node_config_<version>.txt: Contains node-specific configuration information.
• ipsrd_<version>.txt: Contains the IPSRD configuration file.
• gen_info.txt: Contains general configuration information, including schedules.
• keys_<version>.txt: Contains cryptographic keys that must be kept confidential. Stored in ASCII text.
• pki_<version>.txt: Contains PKI data. If PKI configuration is saved with the config save pki-test command, the extension for this file is .DAT, but the file is actually readable.
• ipsec_policy_<version>.dat: Contains the IPSec security policy. Stored in binary mode.
• boot-authorization: Contains authorization parameters required to authorize the gateway.
• aos-v[version number]-[build number].[arch]: The Nokia AOS Ver 6.3 kernel.

Saving Configuration Changes to Flash Memory
Changes you enter by using the CLI remain in memory until the system is rebooted. To save changes permanently, you must save the commands to flash memory. Table 7 lists the CLI modes and the respective save commands.
Saving Configuration Changes Made to a Cluster
To change or save configuration information in a cluster, you must:
• Ensure that all the nodes in the cluster have the same configuration.
• Execute all CLI configuration commands from the master node.
• Reboot each node to apply the command (to all the nodes in the cluster).
Note: Use the schedule stagreboot command to automatically reboot each node in sequence. For more information about the stagreboot command, see “schedule” on page 103.
For configurations other than PCS, you must reboot the other nodes to cause the configuration to be copied. When you save configuration information from the master node, the master node increments the version number of the configuration. When you reboot a node in the cluster, it connects to the master node and is automatically updated with the current configuration information.
Caution: You must use either the CLI or VPN Manager for configuration, but not both. When you apply changes by using VPN Manager, configuration changes you made by using the CLI are overwritten in the configuration files.
Table 7 Save Commands
Mode | Enter save commands from | Save command | Notes
Command | command mode |  | Commands cannot be saved.
Configuration | command mode | config save or config save cluster | To save changes made on a cluster, enter the config save cluster command from the master node.
PKI configuration | command mode | config save |
PCS | PCS mode | apply and save | These commands automatically update changes to the cluster.
Firewall configuration | firewall configuration mode | save |
Using Network File System, Trivial File Transfer Protocol and Secure Copy with Configuration Files
You can use Network File System (NFS) and Trivial File Transfer Protocol (TFTP) servers to copy, back up, and restore configuration files. When you use NFS, you must configure the mountd command to allow the mounting of individual files. This is the default in Solaris and requires the -r flag option to the mountd command on a BSD-based NFS implementation. If you use TFTP, the target file must exist in the specified location and must be configured with world write permissions. You can identify files and directories by using the following syntax:
<NFS | TFTP>://<hostname>/<pathname>/<bkup_file | directory>
The following are examples of the correct syntax to access the myfile.txt file on the NFS server Nokia_nfs and the TFTP server Nokia_tftp:
nfs://Nokia_nfs/home/Nokia_files/myfile.txt
tftp://Nokia_tftp/tftproot/myfile.txt
You can use the TFTP default server and NFS default server configuration mode commands to shorten filenames. For example, if the TFTP default server Nokia_tftp command is in effect, the filename might shorten to tftp:/tftproot/myfile.txt.
You can use Secure Copy (SCP) to securely copy files to and from an SSH server. The supported version of SSH is OpenSSH. You must define the user on the SSH server. SCP uses public key authentication, so the gateway's host key must be pasted into the authorized_keys file in the .ssh directory under the user's home directory on the SSH server. The host key can be copied by using the following command:
Config# ssh host-key show
Note: There should be no carriage returns in the host key when it is pasted into the authorized_keys file.
SCP syntax:
scp://<user>@<hostname | IP Address>/<absolute path name of the file> <local file name>
You can use SCP with copy, backup, and restore.
Examples
copy scp://[email protected]//root/aos-v6.3-58.kl aos-v6.3-58.kl
backup save flash: scp://[email protected]//home/administrator
backup restore scp://[email protected]//home/administrator/<file name> flash:
Troubleshooting
For information about how to troubleshoot Nokia IP VPN Gateways, see the Nokia IP VPN Gateway Configuration Guide v6.3.
2 Configuring the Gateway
This chapter describes the commands required to perform initial gateway configuration and configure routing, clustering, and network settings for the gateway.
Note: This chapter assumes that you are familiar with the command mode and the configuration mode, and with navigation between them. For more information about CLI modes and navigating between them, see “Introducing the Command-Line Interface” on page 15.
You can configure Nokia IP VPN Gateway through the CLI, or through VPN Manager. For more information about how to configure the gateway through VPN Manager, see the Nokia IP VPN Gateway Configuration Guide v6.3.
Caution: You must use either the CLI or VPN Manager for configuration, but not both. When you apply changes by using VPN Manager, configuration changes you made by using the CLI are overwritten in the configuration files.
To configure Nokia IP VPN Gateway
1. Connect the system to the console port of Nokia IP VPN Gateway.
Note: For more information about how to connect to the console port of the gateway, see the relevant Nokia IP VPN Gateway Installation Guide.
2. Press Enter or Return.
3. The initial configuration setup appears. It lists the interfaces available on the gateway, and the syntax for interface, default route, and host name configurations.
4. Enter the security token at the security token prompt.
You can configure the gateway directly through the CLI by entering exit or void, or you can copy-and-paste the security token and other information that VPN Manager generates to manage the gateway through VPN Manager.
To configure Nokia IP VPN Gateway by using the CLI
At the security token prompt, enter:
• exit—to exit the configuration. The command mode prompt (>) appears.
or
• void—to enter the wizard mode. The wizard# prompt appears. You can configure internal and external interfaces, the default route, and the host name from this mode. For more information about interface, default route, and host name configurations, see “Configuring Interface Settings” on page 29, “Static Routing” on page 46, and “hostname” on page 130. To exit the wizard mode, at the wizard# prompt, enter the following command:
wizard# exit
The command mode prompt (>) appears.
Note: To permanently save changes made to the configuration, you must write the commands to flash memory. For more information about saving configuration changes, see “Saving Configuration Changes to Flash Memory” on page 23.
To configure Nokia IP VPN Gateway with VPN Manager Information
At the security token prompt, enter the security token number and other details that VPN Manager generates. For more information about generating the security token number and other details, see the Nokia IP VPN Gateway Configuration Guide v6.3.
Note: VPN Manager generates the security token and other details. You can copy-and-paste this information from VPN Manager to Nokia IP VPN Gateway.
Configuring Gateway Interfaces
The number of interfaces that you can configure on the gateway depends on the type of gateway. For more information about the number of interfaces on the gateway and interface naming conventions, see the relevant Nokia IP VPN Gateway Installation Guide. Interfaces can be designated internal or external:
• Internal interfaces—by default, all interfaces are internal. You can configure multiple internal interfaces by using the interface command. For more information about the interface command, see “Configuring Interface Settings” on page 29.
• External interfaces—you can configure only one external interface, except when configuring for wanbackup. For more information about the interface and wanbackup commands, see “Configuring Interface Settings” on page 29 and “Configuring WAN Backup Settings” on page 35.
Note: You must manually configure an external interface.
Configuring Interface Settings
Use the interface command to configure the internal and external interfaces, and to configure interface-specific parameters for the gateway.
Ethernet Autonegotiation
Nokia recommends the use of Ethernet autonegotiation to configure the speed and duplex settings of an Ethernet interface. Any manual action to disable autonegotiation on either end of a link can result in mismatched speed and duplex settings that might prevent or degrade communication. A mismatch in the speed setting prevents communication. A mismatch in the duplex setting causes spurious collisions, cyclic redundancy check (CRC) errors, short packets, lost packets, and a general degradation in performance.
If you enable autonegotiation on the gateway Ethernet interface, then you should enable autonegotiation on the Ethernet hub or switch. If you disable autonegotiation on one side (either the gateway Ethernet interface, or the Ethernet hub or switch), then you should disable autonegotiation on the other side, and both sides must be set to the same speed (10/100) and duplex (half/full). The default setting for the gateway Ethernet interface is autonegotiation enabled.
Caution: If you enable autonegotiation on one side and disable it on the other, HalfDuplex is assumed on the enabled side. Therefore, if you disable autonegotiation on one side, then you must set it to HalfDuplex, unless you disable autonegotiation on the other side also and both sides are manually set to FullDuplex.
Most older 10-Mbps Ethernet hubs do not support autonegotiation, and some newer equipment does not provide a way to disable autonegotiation. In these cases, set the Nokia IP VPN Gateway Ethernet interface to autonegotiate. To determine whether the gateway is autonegotiating the Ethernet connection, set the console logging severity level to debug. For more information about this command, see the console logging level debug command in “Config# [no] console” on page 169. The following is an example of an autonegotiated connection:
eth-1: link UP 100BaseTX-HalfDuplex (auto-negotiated)
eth-1: peer offered: 10BaseT 100BaseTX
If you enable autonegotiation on the gateway Ethernet interface but the other side does not support it, the link UP message reports the speed detected and assumes HalfDuplex:
eth-1: link UP 10BaseT-HalfDuplex (peer not autonegotiating, half duplex assumed)
If you disable autonegotiation on the gateway Ethernet interface, the link UP message reports the manual settings:
eth-1: link UP 100BaseTX-HalfDuplex (manual)
Nokia recommends that both sides use autonegotiation. If you do not use autonegotiation, both sides must be set to the same speed (10/100) and duplex (half or full).
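As an added example (not part of the Nokia manual), the following Python parses the three kinds of link UP message shown above from a console capture and reports which interfaces need attention according to the autonegotiation guidance in this section. The sample console lines are constructed for the example.

```python
import re
from dataclasses import dataclass
from typing import Dict, List, Optional

# Constructed sample of the link messages printed at console logging level
# debug; these lines are made up for the example, not captured from a device.
SAMPLE_CONSOLE = """\
eth-1: link UP 100BaseTX-HalfDuplex (auto-negotiated)
eth-1: peer offered: 10BaseT 100BaseTX
eth-2: link UP 10BaseT-HalfDuplex (peer not autonegotiating, half duplex assumed)
eth-3: link UP 100BaseTX-HalfDuplex (manual)
eth-4: link UP 100BaseTX-FullDuplex (auto-negotiated)
"""

# "<iface>: link UP <speed>-<duplex> (<how>)", where <how> is one of
# "auto-negotiated", "manual", or "peer not autonegotiating, half duplex assumed".
LINK_UP_RE = re.compile(
    r"^(?P<iface>\S+): link UP (?P<speed>[^\s-]+)-(?P<duplex>HalfDuplex|FullDuplex) "
    r"\((?P<how>[^)]*)\)$"
)


@dataclass
class LinkState:
    iface: str
    speed: str    # e.g. "100BaseTX"
    duplex: str   # "HalfDuplex" or "FullDuplex"
    how: str      # text inside the parentheses


def parse_link_up(line: str) -> Optional[LinkState]:
    """Parse one 'link UP' line; other lines (e.g. 'peer offered') return None."""
    m = LINK_UP_RE.match(line.strip())
    return LinkState(**m.groupdict()) if m else None


def assess(state: LinkState) -> List[str]:
    """Findings for one link, following the manual's autonegotiation guidance."""
    findings: List[str] = []
    if state.how.startswith("peer not autonegotiating"):
        # Gateway autonegotiates but the peer does not: half duplex is assumed,
        # so a peer forced to full duplex would produce collisions and CRC errors.
        findings.append(
            f"{state.iface}: peer not autonegotiating, {state.speed}-HalfDuplex assumed; "
            "set both sides to the same manual speed/duplex or enable autonegotiation on the peer"
        )
    elif state.how == "manual":
        # Manual settings on the gateway only work if the peer matches them exactly.
        findings.append(
            f"{state.iface}: autonegotiation disabled ({state.speed}-{state.duplex}); "
            "confirm the peer is also manual with identical speed and duplex"
        )
    elif state.duplex == "HalfDuplex":
        # Negotiated half duplex is valid when the peer offered only half-duplex
        # modes, but worth confirming the peer port is not forced to full duplex.
        findings.append(
            f"{state.iface}: negotiated {state.speed}-HalfDuplex; "
            "verify the peer port is not forced to full duplex"
        )
    return findings


def audit_links(console_text: str) -> Dict[str, List[str]]:
    """Map each interface seen in a 'link UP' line to its list of findings."""
    report: Dict[str, List[str]] = {}
    for line in console_text.splitlines():
        state = parse_link_up(line)
        if state is not None:
            report[state.iface] = assess(state)
    return report


if __name__ == "__main__":
    for iface, findings in audit_links(SAMPLE_CONSOLE).items():
        print(iface, "OK" if not findings else "; ".join(findings))
```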
Cluster Configuration and Common Switch Configuration
Cisco switches implement the Spanning Tree Protocol (STP), which is used to discover and mitigate switching loops. When a link is first established on a Cisco switch port, the switch blocks all traffic except STP while it attempts to communicate with other switches and learn their topology. The traffic delay is about 30 seconds. This delay can cause clustering problems when a cluster node tries to join a cluster. To disable STP on a Cisco switch port, turn on the portfast option for that port. For more information, see the following Cisco document: http://www.cisco.com/warp/public/473/12.html.
Some switches attempt to negotiate trunking and Fast EtherChannel on their ports. If this takes longer than a few seconds, it needs to be disabled; an example of this is the Cisco Catalyst 6500 switch. To disable trunking or Fast EtherChannel, use the following commands:
set port channel <module>/<port> mode off
set trunk <module>/<port> off
A delay also occurs in port initialization when STP starts. This delay can also cause problems in cluster booting. Rather than disabling STP, Nokia recommends that you use the PortFast feature. Examples for some common switches:
Catalyst 5000 or 6500
set spantree port fast <module_num>/<port_nums> enable
where <module_num> is the card or module number and <port_nums> are the port numbers of the Catalyst 5000 ports into which any Nokia IP VPN Gateway devices are plugged.
Catalyst 2900
Config# interface FastEthernet <module_num>/<port_nums>
(config-if)# spantree port fast
where <module_num> is the card or module number and <port_nums> are the port numbers of the ports into which Nokia IP VPN Gateway devices are plugged.
Switches and Cluster Multicast Mode
When a cluster is running in multicast mode, a virtual multicast MAC address is mapped to the cluster IP address, and all nodes in the cluster expect to receive packets sent to this address. Catalyst 5000 switches do not advertise this address automatically. To make this mode work from a Catalyst 5000, you must create a static CAM entry for each port that an inside interface of your cluster is attached to.
The format of the multicast MAC address is 01:50:5A:00:<X>:<Y>, where X and Y are the last two numbers in the IP address of the cluster inside interface (in hexadecimal). For example:
10.0.32.4 is 01.50.5A.00.20.04
If you have a two-node cluster, with the inside interfaces attached to Catalyst ports 10 and 11, where 10 and 11 are in vlan3, to set the static CAM entry for those ports, issue the following command:
> enable set cam static 01-50-5a-0-20-4 3/10,3/11
Static multicast entry added to CAM table.
> enable show cam static
VLAN  Destination MAC    Destination Ports or VCs
----  ------------------ ------------------------
4     01-50-5a-00-20-04  3/10-11
Matching CAM Entries = 1
Cisco Routers and Cluster Multicast Mode
Cisco routers do not automatically detect multicast addresses. For the router to detect a multicast address, create a static ARP entry on the router for the interface on the same LAN. If you have a cluster with the cluster address 10.0.32.4, issue the following command on the router:
router(config)#arp 10.0.32.4 0150.5a00.2004 arpa
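As an added example (not part of the Nokia manual), the following Python derives the cluster multicast MAC address from the cluster inside-interface IP address, renders it in the three notations used in the Catalyst and Cisco router sections above (colon form, the dashed form of show cam static, and the dotted form of the IOS arp command), builds the two commands, and checks a show cam static listing for the expected entry. The sample listing is constructed.

```python
import ipaddress
import re
from typing import Iterable, Optional

# Constructed 'show cam static' output in the layout the manual shows;
# made up for this example, not captured from a switch.
SAMPLE_SHOW_CAM = """\
VLAN  Destination MAC    Destination Ports or VCs
----  ------------------ ------------------------
3     01-50-5a-00-20-04  3/10-11
Matching CAM Entries = 1
"""


def cluster_multicast_mac(cluster_ip: str) -> bytes:
    """Six MAC octets for a cluster inside-interface IP address.

    The gateway uses 01:50:5A:00:<X>:<Y>, where X and Y are the last two
    octets of the cluster IP address in hexadecimal (10.0.32.4 -> ...:20:04).
    """
    octets = ipaddress.IPv4Address(cluster_ip).packed  # ValueError on bad input
    return bytes([0x01, 0x50, 0x5A, 0x00, octets[2], octets[3]])


def mac_colon(mac: bytes) -> str:
    """01:50:5A:00:20:04 (the form the manual uses to describe the address)."""
    return ":".join(f"{b:02X}" for b in mac)


def mac_catalyst(mac: bytes) -> str:
    """01-50-5a-00-20-04 (dashed form, zero-padded as 'show cam static' displays it)."""
    return "-".join(f"{b:02x}" for b in mac)


def mac_cisco_dotted(mac: bytes) -> str:
    """0150.5a00.2004 (the form the IOS 'arp' command takes)."""
    h = mac.hex()
    return ".".join(h[i:i + 4] for i in range(0, 12, 4))


def catalyst_cam_command(cluster_ip: str, ports: Iterable[str]) -> str:
    """'set cam static <mac> <ports>' for the ports the inside interfaces use."""
    mac = cluster_multicast_mac(cluster_ip)
    return f"set cam static {mac_catalyst(mac)} {','.join(ports)}"


def router_arp_command(cluster_ip: str) -> str:
    """'arp <ip> <mac> arpa' static ARP entry for a Cisco router on the same LAN."""
    mac = cluster_multicast_mac(cluster_ip)
    return f"arp {cluster_ip} {mac_cisco_dotted(mac)} arpa"


# One data row of 'show cam static': VLAN, dashed MAC, port list.
CAM_ROW_RE = re.compile(
    r"^\s*(?P<vlan>\d+)\s+(?P<mac>(?:[0-9a-fA-F]{1,2}-){5}[0-9a-fA-F]{1,2})\s+(?P<ports>\S+)"
)


def _normalize_dashed(mac: str) -> str:
    # Tolerate the unpadded form an operator may type (01-50-5a-0-20-4).
    return "-".join(f"{int(p, 16):02x}" for p in mac.split("-"))


def find_cam_entry(show_output: str, cluster_ip: str) -> Optional[dict]:
    """Return the VLAN and ports of the static CAM entry for the cluster MAC, or None."""
    want = mac_catalyst(cluster_multicast_mac(cluster_ip))
    for line in show_output.splitlines():
        m = CAM_ROW_RE.match(line)
        if m and _normalize_dashed(m.group("mac")) == want:
            return {"vlan": int(m.group("vlan")), "ports": m.group("ports")}
    return None


if __name__ == "__main__":
    print(catalyst_cam_command("10.0.32.4", ["3/10", "3/11"]))
    print(router_arp_command("10.0.32.4"))
    print(find_cam_entry(SAMPLE_SHOW_CAM, "10.0.32.4"))
```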
DHCP Client
DHCP dynamically assigns networking configuration to participating hosts in the network. A DHCP client requests its networking configuration from the network by using a broadcast message. A DHCP server on the network responds with the appropriate information to the host. The server also ensures that each host gets a unique IP address, so as to avoid misconfiguration on the network.
You can configure gateway interfaces to use DHCP to obtain an IP address dynamically. Other configuration options obtained with DHCP are the netmask, default route, and DNS servers.
When DHCP is enabled for an interface, the gateway tries to contact a DHCP server and obtain configuration information. If no server response is received within four seconds, the gateway follows a randomized (range -2 to +2) exponential backoff retransmission strategy with a cutoff of 120 seconds. If no server responds, the gateway waits for two minutes before retransmitting DHCP discover packets, and the process is repeated until an offer from some server is received or DHCP is disabled on the interface. If the interface flag is inactive or the link on the interface is inactive, the client waits for the link to become active before starting discovery. When DHCP is disabled on an interface, any address acquired for the interface is released. The DHCP client does not save lease information. If DHCP is enabled on an interface and an address is acquired, and DHCP is later disabled and then enabled again, a different address can be acquired.
Syntax
Config# interface <eth-1 | eth-2 | eth-3 | eth-4 | loop-0>
  [-alias] [-backup] [-dhcp] [-external] [-primary] [address <A.B.C.D>] [alias] [backup priority <value>] [broadcast <A.B.C.D>] [clear] [destination <A.B.C.D>] [dhcp] [down] [external] [family <inet>] [flowcontrol <active | default | none | passive>] [media <autoselect | 10 | 10-Full-Duplex | 100 | 100-Full-Duplex>] [mtu <72-16366>] [netmask <A.B.C.D>] [primary] [up]
Arguments
<eth-1 | eth-2 | eth-3 | eth-4 | loop-0>
Configure an interface:
• eth-1—name of the interface to configure.
• eth-2—name of the interface to configure.
• eth-3—name of the interface to configure.
• eth-4—name of the interface to configure.
• loop-0—name of the interface to configure.
-alias Remove address as an IP alias to the interface.
-backup Designate the interface as primary.
-dhcp Disable dhcp-client functionality on the interface.
-external Designate the interface as internal.
-primary Unset the interface as primary.
address <A.B.C.D> Set the interface address.
alias Add address as an IP alias to the interface.
backup priority <value> Designate the interface as a backup external interface:
• priority—set backup priority value.
• value—priority value for this backup external interface.
broadcast <A.B.C.D> Set the broadcast address (for broadcast media).
clear Clear the interface.
destination <A.B.C.D> Set the destination address (for point-to-point media).
dhcp Configure the interface as dhcp client.
down Turn interface off.
external Designate the interface as external.
family <inet> Set the address family:• inet—interface address family.
flowcontrol <active | default | none | passive>
Set the interface flow control:
• active—set active interface flow control (transmit and receive).
• default—set the interface flow control to the default setting.
• none—set no interface flow control.
• passive—set passive interface flow control (receive only).
media <autoselect | 10 | 10-Full-Duplex | 100 | 100-Full-Duplex>
Set the interface media type (broadcast interfaces only):
• autoselect—set the interface media to autoselect.
• 10—set the interface media to 10 Mbit.
• 10-Full-Duplex—set the interface media to 10 Mbit/Full Duplex.
• 100—set the interface media to 100baseTX Mbit.
• 100-Full-Duplex—set the interface media to 100baseTX Mbit/Full Duplex.
mtu <72-16366> Set the interface MTU:
• 72-16366—MTU in bytes (maximum 1500 for 10/100, 16366 for Gigabit Ethernet).
netmask <A.B.C.D> Set the subnet mask for the address.
primary Designate the interface as primary.
up Turn interface on.

Related Commands
See the show dhcp-client command in “show” on page 105.

Configuring a Serial Interface
Use the dialup module to configure a dialup interface to dial out. The dialup interface can be a primary external interface, or a backup to another external interface.
Note: To configure dialup, you must enable dialup by using the Config# enable dialup command. You can disable dialup by using the Config# disable dialup command.
Syntax
Config# dialup
  disconnect
  mode <dynamic | independent | wan-backup back-up priority <priority>>
  profile <1-5> auth <any | chap | none | pap> dns1 <A.B.C.D> dns2 <A.B.C.D> mtu <56-1500> preferred_address <A.B.C.D> username <XXXXXX> password <XXXXXX> phone_number <XXXXXX>
Arguments
disconnect Disconnect the active dialup connection.
mode <dynamic | independent | wan-backup back-up priority <priority>>
Configure the mode:
• dynamic—configure mode when using with VRRP.
• independent—configure mode to use the dialup as the primary external interface.
• wan-backup—configure mode to use dialup as the backup interface.
• wan-backup backup priority <priority>—backup priority number (1 to 255).
profile <1-5> auth <any | chap | none | pap> dns1 <A.B.C.D> dns2 <A.B.C.D> mtu <56-1500> preferred_address <A.B.C.D> username <XXXXXX> password <XXXXXX> phone_number <XXXXXX>
Configure a dialup profile:
• profile <1-5>—index of this profile in the profile list.
• auth—configure authentication.
• auth any—configure any authentication.
• auth chap—configure chap authentication.
• auth none—configure for no authentication.
• auth pap—configure pap authentication.
• dns1—configure a primary DNS server.
• dns1 <A.B.C.D>—set the IP address of the primary DNS server.
• dns2—configure a secondary DNS server.
• dns2 <A.B.C.D>—set the IP address of the secondary DNS server.
• mtu—configure the Maximum Transmission Unit (MTU).
• mtu <56-1500>—set the MTU value. Default: 1500
• preferred_address—configure a preferred address.
• preferred_address <A.B.C.D>—preferred local IP address.
• username—set username.
• password—set password.
• phone_number—set phone number.

Configuring WAN Backup Settings
The wanbackup module activates the backup interface if any of the following events occurs:
• The primary (external) physical interface is deactivated.
• A logical interface, such as PPPoE, is deactivated.
• An IP address is not allocated to a DHCP-enabled interface.
To enable WAN backup
1. Set the wanbackup mode to simple or dialup.
2. Configure an external backup interface by using the interface backup command.
You must assign an external interface as a backup interface. You can configure multiple backup interfaces (Ethernet interfaces with static IP addresses, DHCP, PPPoE, and a dialup interface). For more information about the interface backup command, see “Configuring Interface Settings” on page 29.
Note: The wanbackup module allows you to configure a tcp-check to ensure effective WAN backup. The tcp-check option checks whether the specified IP address can be reached. If the IP address is unreachable for any reason, the wanbackup module causes a failover to the backup interface. tcp-check uses TCP SYN ping.
The wanbackup module allows you to specify:
• Failover time limit (the time lapse, in seconds, after which to activate the backup interface after the primary interface is deactivated).
• Fall-back time limit (the time lapse, in seconds, after which to deactivate the backup interface after the primary interface is activated).
Syntax
Config# wanbackup
  backup_interface <eth-1 | eth-2 | eth-3 | eth-4> default_route <A.B.C.D>
  failover-timeout <timeout>
  fallback-timeout <timeout>
  mode <dialup | none | simple>
  tcp-check <A.B.C.D> port <value> interval <interval>
Arguments
backup_interface <eth-1 | eth-2 | eth-3 | eth-4> default_route <A.B.C.D>
Configure a backup interface:
• eth-1—backup interface name.
• eth-2—backup interface name.
• eth-3—backup interface name.
• eth-4—backup interface name.
• default_route <A.B.C.D>—IP address of the default route.
Note: You must configure the default route to redirect traffic through the backup interface when it is activated.
failover-timeout <timeout>
Failover timeout:
• timeout—timeout value (5 to 3600 seconds). Default: 5 seconds
fallback-timeout <timeout>
Fallback timeout:
• timeout—timeout value (5 to 3600 seconds). Default: 5 seconds
mode <dialup | none | simple>
Configure mode:
• dialup—configure the WAN backup mode to include one or both dialup and Ethernet interfaces.
• none—disable WAN backup.
• simple—configure the WAN backup mode to include only Ethernet interfaces as backup interfaces.
tcp-check <A.B.C.D> port <value> interval <interval>
Configure the tcp-check option:
• <A.B.C.D>—tcp-check target address.
• port <value>—configure the port to use for the tcp-check. Enter a value between 1 and 65535.
• interval <interval>—configure the interval between checks. Enter a value between 5 and 60 seconds.

Related Commands
See the interface backup command in “Config# interface” on page 32. See the interface up command in “Config# interface” on page 32. See the interface down command in “Config# interface” on page 32.

Configuring PPPoE Settings
Use the pppoe command to create multiple PPPoE interfaces in the system. You can also use this command to show, delete, and activate or deactivate a PPPoE client interface. The PPPoE client interfaces are listed as pppoe0, pppoe1, and so on.
Note: The cluster works on multiple access media while PPPoE works on point-to-point links; therefore, cluster functionality cannot be achieved on the PPPoE interface.
You can specify the following characteristics for the PPPoE client:
• Interface type—can be set to static or dynamic. The static interface option allows you to assign the IP address when negotiating IP Control Protocol (IPCP) with a peer. The dynamic interface option allows the peer to specify the IP address.
• Interface mode—the PPPoE interface works in two modes: demand mode and keepalive mode. In demand mode, the PPPoE interface is activated when traffic is sent. If no traffic occurs for a specified time limit (idle timeout), the interface is made inactive. When traffic is sent, the interface is activated once again.
Note: You must specify the destination interface IP address for the system to create an interface route. The interface route is created because the PPPoE client cannot identify the IP address of the peer until it connects to the peer. It then initiates the connection and sends packets on the interface.
In keepalive mode, the PPPoE interface is always active regardless of the traffic flow. If the PPPoE connection fails, the interface is activated by connecting to the peer again.
• Authentication method—the PPPoE client autodetects the authentication method that the peer uses. You can set the authentication method to pap, mschap, chap, or noauth.
To create a PPPoE client interface
1. Select an Ethernet interface (external) on which to create the virtual PPPoE interface.
2. Ensure that the Ethernet interface is connected to the network and is active.
Note: Use the Config# interface <ethernet-interface> up command to activate the interface.
3. Create a PPPoE profile by using the pppoe profile command.
Note: Use the show pppoe profile <all | profile-name> command to confirm the creation of a PPPoE profile with all correct values set.
4. Create a PPPoE interface by using the Config# pppoe interface profilename <profile-name> command.
Note: Use the show pppoe interface command to confirm the PPPoE interface creation.
Syntax
Config# pppoe profile <name> eth-interface <eth-1 | eth-2 | eth-3 | eth-4> user <user name> passwd <<passwd> | <CR>>
[acname <name>] [auth <chap | mschap | noauth | pap>] [debug <all | info>] [dns <primarydns | secondarydns>] [external] [ifroute <ip_address/masklen>] [mode <demand | keepalive>] [mtu <number>] [nodefaultroute] [nonstandard <0xABCD:0xABCD>] [service <name>] [timeout <number>] [type <static srcaddr <source-ip-address/masklen> dstaddr <pppoe-peer-ip-address/masklen>> | <dynamic>]
[wins <primarywins | secondarywins>] [<CR>]
Config# [no] pppoe profile <name>
Config# pppoe interface profilename <profile>
Config# [no] pppoe interface <name>
Arguments
profile <name> eth <eth-1 | eth-2 | eth-3 | eth-4> user <user name> passwd <<passwd> | <CR>>
Create a new profile:
• name—profile name.
• eth-1, eth-2, eth-3, eth-4—name of the Ethernet interface on which the PPPoE interface is created.
• user name—user name.
• passwd—password.
• CR—end.
acname <name> ISP's Access Concentrator name (PPPoE server):
• name—ISP Access Concentrator name.
auth <chap | mschap | noauth | pap>
The PPPoE client negotiates authentication as proposed by the PPPoE server:
• chap—Challenge Handshake Authentication Protocol.
• mschap—Microsoft Challenge Handshake Authentication Protocol.
• noauth—no authentication.
• pap—Password Authentication Protocol.
Default: autodetect
debug <all | info> View debug messages:
• all—all debug messages about connection details.
• info—useful information about connection details.
Note: The debug option is not saved in the PPPoE profile across reboots.
dns <primarydns | secondarydns>
DNS options (if provided by the ISP):
• primarydns—primary DNS server only.
• secondarydns—both primary and secondary DNS servers.
external Use this option to make the PPPoE interface an external interface.
ifroute <ip_address/masklen>
Interface route for a dynamic interface:
• ip_address—IP address for the interface route.
• masklen—mask length for the interface route.
Note: You must specify the destination interface IP address for the system to create an interface route. The interface route (ifroute) is created because the PPPoE client cannot identify the IP address of the peer until it connects to the peer. The PPPoE client then initiates the connection and sends packets on the interface.
mode <demand | keepalive>
PPPoE connection mode:
• demand—the connection is brought up when traffic is sent and taken down after the idle timeout expires.
• keepalive—the connection is kept up regardless of traffic and is re-established if it fails.
Default mode: keepalive
mtu <number> MTU for the PPPoE interface:
• number—MTU value in bytes. MTU value range: 136 to 1492
nodefaultroute Use this option to make the system use a manually added default route.
Note: By default, if the nodefaultroute option is not used in the profile settings, the system automatically adds the default route after the PPPoE session is activated, using the PPPoE peer IP address as the next-hop IP address. It also overwrites any existing default route. If the PPPoE session is deactivated, the system deletes the default route. To prevent the system from automatically adding a default route (using the peer IP address) whenever the PPPoE session becomes active, use the nodefaultroute option in the profile and manually add a default route by using the following command: Config# route 0.0.0.0 0.0.0.0 <next-hop-ipaddress>.
nonstandard <0xABCD:0xABCD>
Note: Use this option only if your ISP supports it, or if you connect to a 3COM PPPoE server that accepts only the non-standard ethertypes 0x3c12 and 0x3c13.
Ethertypes other than 0x8863 and 0x8864:
• first hexadecimal_number—ethertype value for the discovery phase.
• second hexadecimal_number—ethertype value for the session phase.
For more information on the discovery and session phases, see RFC 2516.
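As an added illustration (not from the Nokia documentation and not the gateway's own code), the following Python parses the RFC 2516 PPPoE header and shows how the configured ethertype pair decides whether a frame is treated as discovery, session, or not PPPoE at all. The sample frames are constructed here; the 3COM pair is the value given for the nonstandard option above.

```python
import struct

# Ethertype pairs (discovery, session). STANDARD is from RFC 2516; the
# 3COM pair is the value the nonstandard option takes on this gateway.
STANDARD = (0x8863, 0x8864)
NONSTANDARD_3COM = (0x3C12, 0x3C13)

# RFC 2516 discovery-stage codes; the session stage always uses code 0x00.
DISCOVERY_CODES = {0x09: "PADI", 0x07: "PADO", 0x19: "PADR",
                   0x65: "PADS", 0xA7: "PADT"}
PPPOE_VER_TYPE = 0x11      # VER=1, TYPE=1 in the first header byte


def build_frame(ethertype, code, session_id, payload=b""):
    """Constructed Ethernet + PPPoE frame used as sample input (not a capture)."""
    dst = b"\xff" * 6 if code == 0x09 else b"\x00\x11\x22\x33\x44\x55"
    src = b"\x00\xaa\xbb\xcc\xdd\xee"
    eth = dst + src + struct.pack("!H", ethertype)
    pppoe = struct.pack("!BBHH", PPPOE_VER_TYPE, code, session_id, len(payload))
    return eth + pppoe + payload


def classify(frame, ethertypes=STANDARD):
    """Return (stage, name, session_id) for a frame under the given ethertype pair.

    stage is 'discovery', 'session', 'not-pppoe' or 'malformed'. A gateway
    configured with STANDARD ignores frames a 3COM server sends on 0x3c12/0x3c13.
    """
    if len(frame) < 14:
        return ("malformed", None, None)
    ethertype = struct.unpack("!H", frame[12:14])[0]
    disc, sess = ethertypes
    if ethertype not in (disc, sess):
        return ("not-pppoe", None, None)
    if len(frame) < 20:
        return ("malformed", None, None)
    ver_type, code, sid, length = struct.unpack("!BBHH", frame[14:20])
    # Length must not claim more payload than the frame carries.
    if ver_type != PPPOE_VER_TYPE or length > len(frame) - 20:
        return ("malformed", None, None)
    if ethertype == disc:
        name = DISCOVERY_CODES.get(code)
        if name is None:
            return ("malformed", None, None)
        # PADI/PADO/PADR carry session id 0; PADS/PADT carry the assigned id.
        if name in ("PADI", "PADO", "PADR") and sid != 0:
            return ("malformed", name, sid)
        return ("discovery", name, sid)
    # Session stage: code 0x00 and a non-zero session id assigned by PADS.
    if code != 0x00 or sid == 0:
        return ("malformed", None, sid)
    return ("session", "PPP", sid)


if __name__ == "__main__":
    pado = build_frame(0x3C12, 0x07, 0)
    print(classify(pado))                    # standard gateway: not-pppoe
    print(classify(pado, NONSTANDARD_3COM))  # 3COM profile: discovery PADO
```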
service <name>
Note: Use this option if your ISP supports it.
ISP service name:
• name—ISP service name.
timeout <number> Idle or connection check timeout:
• number—timeout in seconds.
Default: 60 seconds
Timeout value range: 30 to 11800
type <static srcaddr <source-ip-address/masklen> dstaddr <pppoe-peer-ip-address/masklen>> | <dynamic>
PPPoE interface type:
• static—the source and PPPoE peer addresses are given in the profile (srcaddr and dstaddr).
• dynamic—the addresses are learned from the peer when the session comes up; ifroute is required.
Default type: dynamic
Note: The ifroute <ip address/masklen value> must be entered if a dynamic type PPPoE profile is selected. The masklen value must be 32. The system automatically creates the interface route for the IP address, pointing to the PPPoE interface as the next hop.
wins <primarywins | secondarywins>
Note: Use this option if your ISP supports it.
WINS and NBNS option:
• primarywins—primary WINS/NBNS server only.
• secondarywins—both primary and secondary WINS/NBNS servers.
<CR> End.
[no] pppoe profile <name>
Delete an existing profile:
• name—profile name.
interface profilename <profile>
Create a PPPoE interface by using the profile name:
• profile—name of the profile.
You can create only one PPPoE interface per PPPoE profile. Multiple PPPoE interfaces are created automatically with sequential names (pppoe-0, pppoe-1, pppoe-2, and so on).
Note: You can create multiple PPPoE profiles on the same Ethernet interface if the values of the command options used in the profiles are not duplicated.
Modify a PPPoE Profile
To modify individual values of any option in an existing PPPoE profile, retype the PPPoE profile command and the profile name, and change the value of the relevant option. For the new profile values to take effect, either reboot the system, or deactivate and then activate the PPPoE interface.
[no] pppoe interface <name>
Delete a PPPoE interface:
• name—interface name.
Note: You cannot delete a PPPoE profile if an existing PPPoE interface is bound to the profile. You must first delete the PPPoE interface associated with the profile.
Examples
Create a PPPoE interface with dynamic-IP type and demand mode, and CHAP authentication, on the eth-2 external interface with a remote destination gateway IP address of 100.1.1.1:
Config# int eth-2 up
Config# pppoe profile prof1 eth eth-2 user <username> passwd <password> auth chap type dynamic ifroute 100.1.1.1/32 mode demand timeout 120 debug info
Config# pppoe interface profilename prof1
Config# exit
show pppoe profile prof1
show pppoe interface
Create a PPPoE interface with static-IP type and demand mode, and PAP authentication, on the eth-3 interface with the following inputs:
Source IP address: 200.5.6.27/24
PPPoE peer IP address: 192.168.10.1/24
Config# int eth-3 UP
Config# pppoe profile prof2 eth eth-3 user <username> passwd <password> auth pap type static srcaddr 200.5.6.27/24 dstaddr 192.168.10.1/24 mode demand timeout 300
Config# pppoe interface profilename prof2
Config# exit
show pppoe profile prof2
show pppoe interface
Create a PPPoE interface with dynamic type and keepalive mode, with a 3COM PPPoE server:
Config# int eth-2 up
Config# pppoe profile 3com eth eth-2 user <username> passwd <password> type dynamic ifroute 192.168.1.1/32 nonstandard 0x3c12:0x3c13
Config# pppoe interface profilename 3com
Config# exit
show pppoe profile 3com
show pppoe interface
Note: In the preceding example, the default mode is keepalive and the authentication type is autodetect.
Related Commands
See the Config# interface <pppoe-n> down command in “Config# interface” on page 32.
See the Config# interface <pppoe-n> up command in “Config# interface” on page 32.
See the “mss-clamp” command on page 63.
Configuring VRRP
Use the vrrp command to configure VRRP. VRRP provides a simple way to have a standby gateway take over an IP address if the primary gateway fails. VRRP is not supported in a clustered environment.
Note: To enable or disable VRRP, from the command mode (>) use the vrrp enable or vrrp disable commands. To enable the VRRP daemon, use the vrrp interface command.
Syntax
Config# [no] vrrp interface
Config# vrrp interface <eth-1 | eth-2 | eth-3 | eth-4> <address> <priority <backup | master | <1-255>>> vrid <1-255>
Config# [no] vrrp [advertisement-interval <1-255>] [auth-passwd] [no-preempt] [while-backup <allow-forwarding | allow-ipsec | call-dialup>]
Note: To check whether a device is acting as the VRRP master, use the show vrrp command to view the current state of the device.
Arguments
no Negate the command.
interface <eth-1 | eth-2 | eth-3 | eth-4> <address> priority <backup | master | <1-255>> vrid <1-255>
Select the interface on which VRRP is to be enabled.
Note: You can enable VRRP on only one interface at a time.
• address—IP address of the virtual router.
• priority—set the priority to one of the following: priority backup, priority master, or a specific priority value (1-255).
Note: If the priority is set to master, the IP address of the virtual router must be the same as the IP address of the device interface.
• vrid—virtual router ID value.
advertisement-interval <1-255>
Overrides the default advertisement interval value. Default: one second.
auth-passwd Enable simple text password authentication between peers. You must enter an eight-character password string.
no-preempt Configure the virtual router to prohibit preemption. Default: preempt.
no vrrp interface Deletes the VRRP configuration.
while-backup <allow-forwarding | allow-ipsec | call-dialup>
Options when VRRP is in the backup state:
• allow-forwarding—allow forwarding in the backup state.
• allow-ipsec—allow IPSec in the backup state.
• call-dialup—on becoming master, call dialup.
Enable or Disable VRRP
Use the vrrp command (from the command mode (>)) to enable or disable VRRP.
Syntax
vrrp [disable] [enable]
Arguments
disable Temporarily disable VRRP.
enable Enable VRRP.
Related Commands
See the show vrrp command in “show” on page 106.
See the debug vrrp command in “[no] debug” on page 157.
See the Config# [no] debug vrrp command in “Config# [no] debug” on page 171.
Configuring Routing
You can configure one of the following types of routing for Nokia IP VPN Gateway:
• Static Routing
• Dynamic Routing: RIPv1 and RIPv2, OSPFv2, BGPv4
• Routing over IPSec
Static Routing
Use the route command to configure a static route. With a static route entry, packets for a specified destination address are directed to the interface associated with the next-hop address.
Syntax
Config# [no] route <ADDR> <NETMASK> <ADDR> <[blackhole | cloning | expire <decimal> | genmask <ADDR> | inet | mtu <decimal> | nostatic | static]>
Arguments
no Negate the command.
<ADDR> <NETMASK> <ADDR> <[blackhole | cloning | expire <decimal> | genmask <ADDR> | inet | mtu <decimal> | nostatic | static]>
Configure a route:
• ADDR—destination address (or default: the address 0.0.0.0, used to direct traffic with an unknown destination).
• NETMASK—route destination netmask.
• ADDR—route gateway address.
• blackhole—silently discard packets during updates.
• cloning—generate a new route on use.
• expire <decimal>—set the route expiration.
• genmask <ADDR>—set the route genmask address.
• inet—set the address family for this route to Internet.
• mtu <decimal>—set the MTU for this route.
• nostatic—clear the static route flag on this route.
• static—set the static route flag on this route.
Examples
Config# route 10.0.0.0 255.0.0.0 10.2.2.2
Routes traffic to the network 10.0.0.0/8 through the interface associated with next-hop address 10.2.2.2.
Config# route default 0.0.0.0 10.3.3.3
Directs all packets for unknown destinations to next-hop address 10.3.3.3.
Config# no route 10.10.0.0 255.0.0.0 10.2.2.2
Deletes the route to network 10.10.0.0/8.
Dynamic Routing
Use the ipsrd command to manage the IPSRD process if it is enabled. For more information about IPSRD, RIPv1 and RIPv2, OSPFv2, and BGP4, see the Nokia IP VPN Gateway Routing Administration Guide v6.3.
Note: To start IPSRD, use the command Config# enable ipsrd. To stop IPSRD, use the command Config# disable ipsrd. For more information about the enable and disable commands, see “enable” on page 129 and “disable” on page 128.
Syntax
ipsrd [dump] [reconfigure] [restart]
Arguments
dump <NAME> Dump the IPSRD state into a specified file:
• NAME—name of the dump file.
Note: This command affects only the node on which it is run.
reconfigure Reconfigure IPSRD. IPSRD re-reads the IPSRD configuration file and incorporates the changes into the running protocols.
Note: Reconfiguring IPSRD on any node of a cluster automatically reconfigures IPSRD on all the nodes of the cluster.
restart The IPSRD process is killed and then restarted.
Note: The restart affects only the node on which the command is run.
Routing over IPSec
IPSec routing reduces user configuration by connecting routing to dynamic IPSec policy entries. A domain can grow or change without having to reconfigure the IPSec configuration every time a network is added or deleted.
Note: For more information about Routing over IPSec, see the Nokia IP VPN Gateway Routing Administration Guide v6.3.
Configuring Clustering
Use the cluster commands to set or modify cluster information.
Command Mode Commands
Use the following command mode command to set or modify cluster information.
cluster
Use the cluster command to reboot all the nodes in a cluster.
Syntax
cluster reboot <now>
cluster reset <now>
Arguments
reboot <now> Perform a reboot of each node in the cluster:
• now—reboot all nodes in the cluster immediately.
Note: During a staggered reboot, the system takes 120 seconds for the last node to reboot. During this sequence, security tunnels load balance to each remaining node. After approximately 30 minutes, the load evenly rebalances across the rebooted nodes.
reset <now> Reset each node in the cluster:
• now—reset all the nodes immediately.
Related Commands
See the debug cluster command in “debug” on page 156.
See the “reboot” command on page 103.
See the “schedule” command on page 103.
See the show cluster command in “show” on page 105.
Configuration Mode Commands
Use the following configuration mode command to set or modify cluster information.
cluster
Use the cluster command to change cluster information. Clusters share internal and external IP addresses and referees, cluster names, and cluster modes. All nodes in a cluster must have the same cluster parameters. The clustered gateway uses the cluster internal and external IP addresses for communication.
All clusters must have referees for proper operation. Referees are set on the internal and external sides separately, and one referee is required on each side. A cluster without referees on the internal interface and the external interface does not operate reliably.
Cluster IP addresses must be in the same subnet as the individual addresses on each node for each side. For example, all of the external interface addresses, including the cluster address, must have the same subnet mask. For more information about cluster modes, see the Nokia IP VPN Gateway Configuration Guide v6.3.
Note: When you change cluster-specific information, you must save the changes on every node in the cluster and reboot them before the changes can take effect.
Syntax
Config# [no] cluster external address <A.B.C.D> | family inet address <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>> [netmask <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>]
Config# [no] cluster internal address <A.B.C.D> | family inet address <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>> [netmask <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>]
Config# [no] cluster mode <forward | unicast | multicast>
Config# [no] cluster name <STRING>
Arguments
no Negate the command.
external address <A.B.C.D> | family inet address <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>> | netmask <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>
Configure the cluster external address or specify the address family:
• external address <A.B.C.D>—cluster IP address.
• family inet address <A.B.C.D>—cluster IP address.
• interface—configure the associated cluster interface.
• eth-1, eth-2, eth-3, eth-4—name of the interface to bind to the cluster address.
• referee <A.B.C.D>—configure the IP address of a referee for checking connectivity.
internal address <A.B.C.D> | family inet address <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>> | netmask <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>
Configure the cluster internal address or specify the address family:
• internal address <A.B.C.D>—cluster IP address.
• family inet address <A.B.C.D>—cluster IP address.
• interface—configure the associated cluster interface.
• eth-1, eth-2, eth-3, eth-4—name of the interface to bind to the cluster address.
• referee <A.B.C.D>—configure the IP address of a referee for checking connectivity.
mode <forward | unicast | multicast>
Configure the cluster communication mode:
• forward—master forwarding. This is the default mode.
• unicast—unicast packet forwarding.
• multicast—multicast packet forwarding.
name <string> Configure the cluster name:
• string—cluster name (a maximum of 15 alphanumeric characters).
Examples
Config# cluster internal address 10.10.10.10 netmask 255.0.0.0 interface eth-1 referee 10.10.10.20
Assigns the IP address 10.10.10.10 to the internal cluster address.
Config# cluster name mycluster
Changes the name of the cluster to mycluster.
Config# cluster mode unicast
Changes the cluster communication mode to unicast.
Related Commands
See the “pin” command on page 102.
Configuring Network Settings
Use the following command mode and configuration mode commands to configure network settings.
Command Mode Commands
Use the following command mode commands to configure network settings.
Command Description
arp Utility to display or clear the ARP cache.
firewall Firewall commands.
arp
The arp command displays, and allows you to modify, the IP address-to-Ethernet address translation tables that the Address Resolution Protocol (ARP) uses.
Syntax
arp [-a | -f | -n | -<options>] [<HOST>]
Arguments
-a Display all ARP entries.
Note: The arp -a command displays the same information as the show arp command.
-f Flush the ARP table.
-n Do not look up symbolic host names.
-<options> Combination of ARP options.
<HOST> Host name or dotted-decimal IP address.
Related Commands
See the clear arp command in “clear” on page 76.
See the show arp command in “show” on page 105.
See the “Config# [no] arp” command on page 55.
firewall
Use the firewall command to clear stateful entries, or to disable or enable firewall features. For more information about configuring firewall and NAT, see Configuring Firewall and Network Address Translation on page 255.
Syntax
firewall clear-global-log | clear-state | disable | enable <policy-manager <ADDR> | <CR>> | global-log | rate-limit <<NUMBER> | <CR>>
Arguments
clear-global-log Removes the global log option for the firewall rules. This command is cluster aware and is not persistent across reboots.
clear-state Clear the stateful packet entries.
disable Disable firewall processing.
enable <policy-manager <ADDR> | <CR>>
Enable firewall features:
• policy-manager—allow the firewall to pass local policy manager traffic.
• policy-manager ADDR—peer dotted-decimal address.
• CR—enable firewall processing.
global-log Enables the global log for all firewall rules. This log is enabled only for the rules that do not have a log option in the rule. The log level for this global log is Notice. This command is cluster aware and is not persistent across reboots.
rate-limit <<NUMBER> | <CR>>
Limit the rate of new state entries:
• NUMBER—maximum new states per second (0 = no limit).
• CR—show the current rate limit.
Configuration Mode Commands
Use the following configuration mode commands to configure network settings.
Command Description
arp Configure an ARP table entry.
bootp-forwarder Configure the BootP forwarder.
dhcp-server Configure the DHCP server.
diff-serv Configure general diff-serv marking properties.
dns Configure the DNS client options.
ip-address-pool Configure the IP address pools.
lns Configure the LNS values.
mss-clamp Configure TCP maximum segment size clamping.
ntp Configure the NTP client.
pns Configure the PPTP PNS values.
ppp Configure PPP values.
snmp Configure the SNMP agent.
arp
Use the arp command to add, delete, and change ARP entries in the node ARP table.
Syntax
Config# [no] arp add <ADDR> <auto | proxy | MAC ADDR> <publish | temporary>
Config# [no] arp change <ADDR> <auto | proxy | MAC ADDR> <publish | temporary>
Config# [no] arp delete <ADDR> <proxy>
Arguments
no Negate the command.
add <ADDR> <auto | proxy | MAC ADDR> <publish | temporary>
Add an ARP entry to the node ARP table:
• ADDR—ARP host name or dotted-decimal address.
• auto—determine the MAC address from the local interface on the network for the host.
• auto publish—set the publish flag on this ARP entry.
• auto temporary—set the temporary flag on this ARP entry.
• proxy—create a proxy entry. The publish and temporary flags can also be specified, which causes the gateway to respond to ARP requests with its own MAC address.
• proxy publish—set the publish flag on this ARP entry.
• proxy temporary—set the temporary flag on this ARP entry.
• MAC ADDR—specify the ARP MAC address (for example, A0:B1:C2:D3:E4:F5).
• MAC ADDR publish—set the publish flag on this ARP entry.
• MAC ADDR temporary—set the temporary flag on this ARP entry.
change <ADDR> <auto | proxy | MAC ADDR> <publish | temporary>
Change an ARP entry in the node ARP table:
• ADDR—ARP host name or dotted-decimal address.
• auto—determine the MAC address from the local interface on the network for the host.
• auto publish—set the publish flag on this ARP entry.
• auto temporary—set the temporary flag on this ARP entry.
• proxy—change to a proxy entry. The publish and temporary flags are also available.
• proxy publish—set the publish flag on this ARP entry.
• proxy temporary—set the temporary flag on this ARP entry.
• MAC ADDR—specify the ARP MAC address (for example, A0:B1:C2:D3:E4:F5).
• MAC ADDR publish—set the publish flag on this ARP entry.
• MAC ADDR temporary—set the temporary flag on this ARP entry.
delete <ADDR> <proxy> Delete an ARP entry from the node ARP table:
• ADDR—ARP host name or dotted-decimal address.
• proxy—delete a proxy ARP entry.
bootp-forwarder or dhcp relay
Use the bootp-forwarder command to forward BOOTP and DHCP requests to a BOOTP or DHCP server on another network segment.
Syntax
Config# [no] bootp-forwarder [interface <eth-1 | eth-2 | eth-3 | eth-4> servers <ADDR> <ADDR>]
Arguments
no Negate the command.
interface <eth-1 | eth-2 | eth-3 | eth-4>
Interface option for the BOOTP forwarder: the interface on which BOOTP requests are received.
• eth-1, eth-2, eth-3, eth-4—interface name for this BOOTP forwarder server list.
servers <ADDR> Identify the BOOTP server:
• ADDR—host name or IP address of the BOOTP server.
Examples
Config# bootp-forwarder interface eth-1 servers 10.23.44.5 10.23.44.6
Enables the forwarding of BOOTP requests received on eth-1 to 10.23.44.5 and 10.23.44.6.
dhcp-server
Use the dhcp-server command to configure the following elements:
• IP address pool for dynamic assignments
• Static entries (map IP addresses to Ethernet addresses)
• Netmask
• Default route
• DNS servers
• Domain name
• Lease time
• Microsoft networking options (NetBIOS)
Note: The DHCP server and the bootp-forwarder (dhcp-relay) commands are mutually exclusive features. If you enable the BOOTP forwarder, the DHCP server feature is automatically disabled, and the reverse.
Syntax
Config# [no] dhcp-server <eth-1 | eth-2 | eth-3 | eth-4> [default-route <A.B.C.D>] [dns-servers <A.B.C.D>] [domain-name <domainname>] dynamic <A.B.C.D> <A.B.C.D> [exclude <A.B.C.D>] [ignore-ras] [lease <number-of-seconds>] [nbt-dd-servers <A.B.C.D>] [nbt-name-servers <A.B.C.D>] [nbt-node-type <broadcast | hybrid | mixed | peer>] [nbt-scope <scope>] [netmask <A.B.C.D>] [non-authoritative] static <A.B.C.D> <client-id <Client ID> | <MAC ADDR>>
Note: To enable the DHCP server, you must use the static or dynamic options.
Arguments
no Negate the command.
default-route <A.B.C.D>
Overrides the default route for this interface:
• <A.B.C.D>—default route for hosts on this subnet. The default value assigned is the IP address of the gateway interface.
dns-servers <A.B.C.D> Overrides the DNS servers for this interface:
• <A.B.C.D>—IP address of the DNS servers to be provided to the DHCP clients.
domain-name <domainname>
Overrides the domain name for this interface:
• domainname—domain name that is to be provided to the DHCP clients.
dynamic <A.B.C.D> <A.B.C.D>
Configure an IP address pool for this interface:
• <A.B.C.D>—starting IP address of the DHCP clients.
• <A.B.C.D>—ending IP address of the DHCP clients.
Pool range is 1 to 256 addresses only.
exclude <A.B.C.D> The IP addresses that must be excluded from the dynamic range:
• <A.B.C.D>—list of individual IP addresses that must be excluded from the dynamic range.
ignore-ras Ignore RAS servers on this interface. Default value: respond to RAS requests.
lease <number-of-seconds>
Set the DHCP lease duration for this interface:
• number-of-seconds—time (in seconds) for which a lease is granted. Default lease duration: 3600 seconds.
nbt-dd-servers <A.B.C.D>
Configure the NetBIOS Datagram Distribution servers to set on the DHCP clients for this interface:
• <A.B.C.D>—IP address of the NetBIOS Datagram servers that must be provided to the DHCP clients.
Note: You can configure only two servers for each interface.
nbt-name-servers <A.B.C.D>
Configure the NetBIOS name servers (WINS) to set on the DHCP clients for this interface. The name server translates NetBIOS names to IP addresses.
• <A.B.C.D>—IP address of the NetBIOS name servers that must be provided to the DHCP clients.
Note: You can configure only two servers for each interface.
nbt-node-type <broadcast | hybrid | mixed | peer>
Configure the NetBIOS node type to set on the DHCP clients for this interface:
• broadcast—clients broadcast for NetBIOS lookups.
• hybrid—clients use WINS before broadcast for NetBIOS lookups.
• mixed—clients use broadcast before WINS for NetBIOS lookups.
• peer—clients connect to WINS for NetBIOS lookups.
nbt-scope <scope> Configure the NetBIOS scope ID to set on the DHCP clients for this interface:
• scope—NetBIOS scope to give to the DHCP clients. Maximum of 32 characters.
netmask <A.B.C.D> Override the netmask value for this interface:
• <A.B.C.D>—netmask for hosts on this subnet. The default value assigned is the netmask of the gateway interface.
non-authoritative Run in non-authoritative mode. The default is authoritative mode (in authoritative mode the DHCP server issues DHCP NAKs).
Note: You might need to run in non-authoritative mode (disable the NAKs) when the LAN has multiple IP subnets on the same broadcast segment.
static <A.B.C.D> <client-id <Client ID> | <MAC ADDR>>
Configure a static IP address entry:
• <A.B.C.D>—IP address of the static DHCP client.
• Client ID—client identifier value; can be entered as a string or a hexadecimal value (for example XX:XX:XX:XX:XX:XX:XX:XX). This value can have a maximum of 255 characters.
• MAC ADDR—MAC address (XX:XX:XX:XX:XX:XX) of the static DHCP client.
Related Commands
See the debug dhcp server command in “debug” on page 156.
Examples
In the following examples, the client_id value is given as a string and as a hexadecimal value:
dhcp-server eth-1 static 123.121.222.126 client_id AAAAAA
The DHCP server reserves the IP address 123.121.222.126 for the DHCP client whose client ID is AAAAAA.
dhcp-server eth-1 static 123.121.222.126 client_id 40:40:40:40:40:40
The DHCP server reserves the IP address 123.121.222.126 for the DHCP client whose client ID is 40:40:40:40:40:40.
diff-serv
Use the diff-serv command to configure diff-serv marking properties.
Syntax
Config# diff-serv codepoint [assured <AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43>] [best-effort] [expedited] [pass-through] [<NUMBER>]
Arguments
assured <AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43>
Set the default codepoint to the given Assured Forwarding class (AF11 through AF43).
best-effort Set the default codepoint to best-effort.
expedited Set the default codepoint to expedited.
pass-through Set the default codepoint to pass-through.
<NUMBER> Set the default codepoint to a value between 0 and 63.
Examples
Config# diff-serv codepoint assured AF13
Sets the default diff-serv marking codepoint to the AF13 value defined in RFC 2597.
Config# diff-serv codepoint pass-through
Sets the default diff-serv marking behavior to not alter the DS field in packets flowing through the gateway.
dns
Use the dns command to define DNS parameters for the cluster. You can configure:
• DNS server IP addresses for the cluster
• The domain name
• Retransmission and retry timeouts
Syntax
Config# [no] dns [domain-name <domain name>] [retrans <1-60 (seconds)>] [retry <1-10>] [servers <A.B.C.D>]
Arguments
no    Negate the command.
domain-name <domain name>
    Local default domain that the DNS client uses:
    • domain name—domain name for the DNS client.
retrans <1-60 (seconds)>
    DNS client retransmission timeout:
    • 1 to 60 (seconds)—DNS resolver retransmission timeout in seconds.
retry <1-10>
    DNS client retry count:
    • 1 to 10—DNS resolver retry count. Default: two retries.
servers <A.B.C.D>
    List of DNS servers that the DNS client uses:
    • <A.B.C.D>—one or more (space-separated) IP addresses of DNS servers that the DNS client or resolver queries. These IP addresses are also handed out to PPTP and L2TP clients.

ip-address-pool
Use the ip-address-pool command to create IP address pools for address allocation to dial-up PPP users. The IP addresses that a pool identifies must be consecutive. Because no sanity checking exists for broadcast or subnet addresses, you must assign these addresses carefully. Nokia IP VPN Gateway uses the IPSecIPPool pool for internal addressing of IPSec clients. If you use internal addressing, you must define the IPSecIPPool first.
Syntax
Config# [no] ip-address-pool <name> <A.B.C.D> <A.B.C.D>
Arguments
no    Negate the command.
<name>    Name of the IP address pool.
<A.B.C.D>    IP address of the first entry in the pool.
<A.B.C.D>    IP address of the last entry in the pool.
Examples
Config# ip-address-pool ppp 10.10.10.1 10.10.20.254
Configures an IP address pool named ppp with the range of IP addresses from 10.10.10.1 through 10.10.20.254.

lns
Use the lns command to configure the L2TP Network Server (LNS) values.
Syntax
Config# [no] lns <client name> <authentication <chap | mschap | pap>> <basic <local name> <secret> <decimal number>> <require <ipsec | mppe40 | none>>
Arguments
<client name>    LNS remote client name.
<authentication <chap | mschap | pap>>
    Authentication options:
    • chap—Challenge Handshake Authentication Protocol.
    • mschap—Microsoft Challenge Handshake Authentication Protocol.
    • pap—Password Authentication Protocol.
<basic <local name> <secret> <decimal number>>
    Basic configuration options:
    • local name—LNS local name.
    • secret—LNS secret.
    • decimal number—LNS window size.
<require <ipsec | mppe40 | none>>
    Minimum required encryption strength:
    • ipsec—require IPSec encapsulation.
    • mppe40—require 40-bit MPPE as a minimum.
    • none—do not require anything.

mss-clamp
Use the mss-clamp command to set the TCP maximum segment size (MSS) that the gateway advertises in TCP SYN segments. This command addresses the following data and packet transmission issues:

PPPoE—PPPoE is a dynamic IP addressing mechanism that dynamic gateways use to connect to the Internet. PPPoE has a lower MTU than Ethernet (MTU 1500) because of the PPPoE encapsulation overhead of 8 bytes. As a result, communication between hosts behind dynamic gateways and hosts on the Internet experiences difficulties with network services (such as web, FTP, and e-mail), especially when data transfers use maximum-size packets.

TCP—TCP negotiates the MSS (maximum segment size). Because end hosts are connected through Ethernet interfaces, and Ethernet carries 1500 bytes of data, TCP uses 1500 - 40 = 1460 as the MSS. After establishing a connection, TCP uses the MSS to size the data it transmits. When a gateway uses an interface such as PPPoE with an MTU below 1500, or uses a different encapsulation (for example, IPSec), the end hosts still apply the same MSS, because nothing informs them of the smaller MTU. When a packet arrives at the gateway with a segment size greater than the gateway can transmit, the gateway drops the packet and generates the relevant ICMP error message. The problem with the ICMP error is two-fold. First, the ICMP error is generated on a per-connection basis, so the ICMP errors are repeated for every connection between the hosts, which affects performance. Second, the gateway might not generate ICMP errors even though it encounters the problem, and hosts might not process the ICMP errors they receive. Either case breaks communication.

IPSec—data packet sizes increase significantly because of IPSec encapsulation (tunnel-mode encapsulation adds 28 bytes) and encryption overhead (block ciphers and padding). When a packet arrives at the gateway from an internal host with a segment size based on the host's local Ethernet interface (1460 bytes), and the packet must be processed by IPSec, the additional overhead makes the packet larger than the MTU of the gateway's interface. If the DF bit in the IP header is set, the packet cannot be fragmented and is dropped. When IPSec encounters such packets, it generates the relevant ICMP errors, and the sender adjusts to the proposed size. However, the ICMP errors apply to that particular TCP connection only; TCP still uses the original MSS for new connections, so further packets encounter the same problem. Access is slow and performance is reduced because of the repeated errors.

Clamping TCP MSS
Clamping TCP MSS solves the PPPoE, TCP, and IPSec issues. When the MSS option is present in both directions at connection setup, the gateway adjusts the MSS option to the configured value. By default, a value of 1460 is used in the TCP SYN packet. Clamping reduces the value to 1452 (in the PPPoE case), so that the receiver of the SYN sends segments of only 1452 bytes instead of 1460. TCP uses the lower of the two values (the proposed 1460 and the suggested 1452) to send data. The MSS is not adjusted if the original MSS is less than or equal to the configured value.
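The following Python code is an added example, not part of the Nokia documentation or the gateway software. It performs the rewrite the paragraph above describes on a raw TCP SYN segment: locate the MSS option (kind 2), lower it only when it exceeds the configured clamp value, and recompute the TCP checksum over the IPv4 pseudo-header so the segment stays valid. The sample SYN, the RFC 5737 documentation addresses and the clamp value of 1452 (the PPPoE figure quoted in the text) are constructed input; option parsing stops on a malformed length instead of looping.

```python
import socket
import struct

# Constructed sample endpoints (RFC 5737 documentation ranges), not values from the page.
SRC_IP = socket.inet_aton("192.0.2.10")
DST_IP = socket.inet_aton("198.51.100.20")
PPPOE_CLAMP = 1452  # 1460 minus the 8 bytes of PPPoE overhead described in the text


def tcp_checksum(src_ip: bytes, dst_ip: bytes, segment: bytes) -> int:
    """One's-complement checksum over the IPv4 pseudo-header and the TCP segment.
    Over a segment that already carries a correct checksum the result is 0."""
    pseudo = src_ip + dst_ip + struct.pack("!BBH", 0, socket.IPPROTO_TCP, len(segment))
    data = pseudo + segment
    if len(data) % 2:
        data += b"\x00"
    total = sum(struct.unpack("!%dH" % (len(data) // 2), data))
    while total >> 16:  # fold carries back into 16 bits
        total = (total & 0xFFFF) + (total >> 16)
    return (~total) & 0xFFFF


def build_syn(src_port: int, dst_port: int, mss: int,
              src_ip: bytes = SRC_IP, dst_ip: bytes = DST_IP) -> bytes:
    """Build a minimal SYN with the options an end host typically sends: MSS, NOP, NOP, SACK-permitted."""
    options = struct.pack("!BBH", 2, 4, mss) + b"\x01\x01" + b"\x04\x02"
    data_offset = (20 + len(options)) // 4           # header length in 32-bit words
    header = struct.pack("!HHIIBBHHH", src_port, dst_port, 0, 0,
                         data_offset << 4, 0x02, 65535, 0, 0)  # flags 0x02 = SYN, checksum 0
    segment = header + options
    checksum = tcp_checksum(src_ip, dst_ip, segment)
    return segment[:16] + struct.pack("!H", checksum) + segment[18:]


def find_mss_offset(segment: bytes):
    """Return the offset of the 16-bit MSS value inside the segment, or None if no MSS option is present."""
    end = (segment[12] >> 4) * 4                    # data offset = end of the TCP header
    i = 20
    while i < end:
        kind = segment[i]
        if kind == 0:                               # End of Option List
            return None
        if kind == 1:                               # NOP is a single byte
            i += 1
            continue
        if i + 1 >= end:                            # truncated option
            return None
        length = segment[i + 1]
        if length < 2:                              # malformed length: stop rather than loop forever
            return None
        if kind == 2 and length == 4:
            return i + 2
        i += length
    return None


def get_mss(segment: bytes):
    pos = find_mss_offset(segment)
    return None if pos is None else struct.unpack_from("!H", segment, pos)[0]


def clamp_mss(segment: bytes, clamp: int, src_ip: bytes = SRC_IP, dst_ip: bytes = DST_IP) -> bytes:
    """Rewrite the MSS option of a SYN to `clamp` when it is larger; anything else passes through unchanged."""
    if not segment[13] & 0x02:                      # not a SYN: no MSS negotiation here
        return segment
    pos = find_mss_offset(segment)
    if pos is None:
        return segment
    current = struct.unpack_from("!H", segment, pos)[0]
    if current <= clamp:                            # per the text: not adjusted if <= configured value
        return segment
    rewritten = bytearray(segment)
    struct.pack_into("!H", rewritten, pos, clamp)
    struct.pack_into("!H", rewritten, 16, 0)        # zero the checksum field before recomputing it
    struct.pack_into("!H", rewritten, 16, tcp_checksum(src_ip, dst_ip, bytes(rewritten)))
    return bytes(rewritten)


if __name__ == "__main__":
    syn = build_syn(40000, 443, 1460)
    clamped = clamp_mss(syn, PPPOE_CLAMP)
    print("MSS before:", get_mss(syn), "after:", get_mss(clamped),
          "checksum ok:", tcp_checksum(SRC_IP, DST_IP, clamped) == 0)
```

A real implementation applies this to the SYN in both directions and to SYN-ACKs as well, since the peer's advertised MSS governs what the local side sends; the checksum step matters because a clamped SYN with a stale checksum is silently dropped by the receiver.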
Syntax
Config# [no] mss-clamp <val>
Note
Nokia recommends that you use this command in:
• Dynamic gateways where PPPoE is enabled.
• Spokes, only if hub-and-spoke connectivity is used and all traffic is sent through the hub, regardless of whether PPPoE is enabled.
MSS Values (bytes) used with IPSec Encryption Algorithms
Nokia recommends the following MSS values be used with IPSec encryption algorithms:

                  AES 128, AES 192, AES 256    3DES 168    CAST 128    BLOWFISH 448
With PPPoE        1370                         1386        1386        1386
Without PPPoE     1378                         1394        1394        1394

Arguments
no    Disable MSS clamping.
<val>    TCP maximum segment size clamping value. MSS range: 512 to 1459.

ntp
Use the ntp command to select an NTP server for the cluster to synchronize its internal clock with. You can specify the version of NTP running on your network, a polling interval, and a key for MD5 authentication.
Note
The ntp command does not enable a true NTP client. Nokia IP VPN Gateway queries the NTP server for the time only; it does not implement a full NTP client. All times on the Nokia IP VPN Gateway are in Coordinated Universal Time (UTC).
Syntax
Config# [no] ntp [auth-key md5 <md5-key>] [interval <seconds>] [servers <ADDR> <ADDR>] [version <1 | 2 | 3>]
Arguments
no    Negate the command.
auth-key md5 <md5-key>
    Specify an MD5 key for NTP authentication:
    • md5-key—MD5 key.
interval <seconds>
    The NTP polling interval:
    • seconds—polling interval in seconds for the NTP client.
servers <ADDR>
    The NTP server to communicate with:
    • ADDR—IP name or address of an NTP server.
version <1 | 2 | 3>
    The NTP version to use:
    • 1—use NTP version 1.
    • 2—use NTP version 2.
    • 3—use NTP version 3.

pns
Use the pns command to configure the PPTP Network Server (PNS) values.
Syntax
Config# [no] pns authentication <chap | mschap | pap> require <ipsec | mppe40 | none>
Arguments
authentication <chap | mschap | pap>
    Authentication options:
    • chap—Challenge Handshake Authentication Protocol.
    • mschap—Microsoft Challenge Handshake Authentication Protocol.
    • pap—Password Authentication Protocol.
require <ipsec | mppe40 | none>
    Minimum required encryption strength:
    • ipsec—require IPSec encapsulation.
    • mppe40—require 40-bit MPPE as a minimum.
    • none—do not require anything.

ppp
Use the ppp command to configure the PPP parameters for L2TP and PPTP.
Note
If you configure either L2TP or PPTP, you also need to configure PPP. PPP configuration commands define both PPP users and groups.
PPP allows users who connect through layer-2 PPP tunneling protocols to be authenticated and to be given an IP address to use.
Syntax
Config# [no] ppp user <username> <[<address <allow-selection> | <A.B.C.D>> | group <group> | password <passwd>]>
Config# ppp group <PPP group name> <[address pool <address pool name> | dns <A.B.C.D> <A.B.C.D> | wins <A.B.C.D> <A.B.C.D>]>
Related Commands
See the Config# login source ppp command in “login” on page 184.
See the “Config# [no] ip-address-pool” command on page 62.
Arguments
no    Negate the command.
user <username> <[<address <allow-selection> | <A.B.C.D>> | group <group> | password <passwd>]>
    Configure a PPP user:
    • username—PPP user name.
    • address—configure user IP addressing options.
    • address allow-selection—allow the user to specify an IP address during PPP negotiation.
    • address <A.B.C.D>—assign a specific IP address to this user.
    • group—PPP group to which the user belongs.
    • passwd—PPP user's password or secret (a maximum of 63 characters).
group <PPP group name> <[address pool <address pool name> | dns <A.B.C.D> <A.B.C.D> | wins <A.B.C.D> <A.B.C.D>]>
    Configure a PPP group:
    • ppp group name—name of a PPP group.
    • address pool name—IP address pool used for address assignment to the PPP users.
    • dns—specify group DNS options.
    • dns <A.B.C.D>—IP address of the primary DNS server.
    • dns <A.B.C.D>—IP address of the secondary DNS server (optional).
    • wins—specify group WINS servers.
    • wins <A.B.C.D>—IP address of the primary WINS server.
    • wins <A.B.C.D>—IP address of the secondary WINS server (optional).
snmp
Use the snmp command to configure the SNMP agent.
Syntax
Config# [no] snmp
    access <<address/netmask> <community string>>
    authentraps
    bindtointernal
    cpuutil <percentage>
    group <NAME> <usm> <User Name>
    ioload <pkts/sec>
    ipdrop <percentage>
    logtraps
    memusage <percentage>
    pollrate <seconds>
    syscontact <sysContact value>
    syslocation <sysLocation value>
    trap2sink <A.B.C.D> <community_string>
    trapdelay <seconds>
    trapsink <A.B.C.D> <community_string>
    udpdrop <percentage>
    user <NAME> <MD5 | SHA> <<encode type> <encoded password> <DES> | <cleartext passphrase> <DES>>
    v3access <<groupName> <usm> <<authnopriv> | <authpriv> | <noauthnopriv>> <readView> <writeView> <notifyView>>
    view <NAME> included <OID> [<mask>]
Arguments
no    Negate the command.
access <<address/netmask> <community string>>
    Configure SNMPv1 and SNMPv2 access to the SNMP agent:
    • address—IP address of the SNMP manager or of the SNMP manager network. To grant access to any network, specify the value default.
    • netmask—netmask of the network allowed to access the SNMP agent.
    • community—community name of the SNMP agent.
authentraps    Send SNMP authentication failure traps.
bindtointernal    Bind the source address of SNMP traps to the internal interface address.
cpuutil <percentage>
    Set the CPU use trap limit:
    • percentage—send a trap when CPU load exceeds this limit.
group <NAME> <usm> <User Name>
    Create a group with the supported security model:
    Note
    USM is the only supported security model.
    • NAME—group name.
    • usm—security model. The only supported security model is USM.
    • User Name—user name assigned to this group.
ioload <pkts/sec>
    Set the IO load trap limit:
    • pkts/sec—send a trap when the five-minute average load in packets per second exceeds this limit.
ipdrop <percentage>
    Set the IP drop rate trap limit:
    • percentage—send a trap when the IP packet drop rate exceeds this percentage.
logtraps
    Send a copy of SNMP traps to the configured syslog server.
    Note
    The syslog server clusters identical messages. This might cause a delay if multiple traps arrive in quick succession.
memusage <percentage>
    Set the memory usage trap limit:
    • percentage—send a trap when memory usage exceeds this percentage.
pollrate <seconds>
    Set the overload detection poll rate:
    • seconds—polling rate in seconds.
syscontact <sysContact value>
    Set the MIB-II sysContact string to the value specified. If the string contains special characters, such as a space, enclose the string in quotation marks:
    • sysContact value—contact for the system.
syslocation <sysLocation value>
    Set the MIB-II sysLocation string to the value specified. If the string contains special characters, such as a space, enclose the string in quotation marks:
    • sysLocation value—location of the system.
trap2sink <A.B.C.D> <community_string>
    Configure an IP address to send SNMP version 2 trap messages to, and the community string to use:
    • <A.B.C.D>—IP address of the trap sink.
    • community_string—community string to use for this trap.
trapdelay <seconds>
    Delay sending traps for the specified number of seconds:
    • seconds—trap sending delay in seconds.
trapsink <A.B.C.D> <community_string>
    Configure an IP address to send SNMP version 1 trap messages to, and the community string to use:
    • <A.B.C.D>—IP address of the destination to which the SNMPv1 trap is sent.
    • community_string—community string to use for this trap.
udpdrop <percentage>
    Set the UDP drop rate trap limit:
    • percentage—send a trap when the UDP packet drop rate exceeds the specified percentage.
user <NAME> <MD5 | SHA> <<encode type> <encoded password> <DES> | <cleartext passphrase> <DES>>
    Create an SNMPv3 user. The user name must be unique; if the user name already exists in the database, an error message appears:
    • NAME—SNMPv3 user name.
    • MD5—MD5 authentication type.
    • SHA—SHA authentication type.
    • encode type—authpass encoding version number.
    • cleartext passphrase—passphrase (minimum of 8 characters) for authentication.
    • encoded password—encoded password.
    • DES—DES privacy protocol.
v3access <<groupName> <usm> <<noauthnopriv> | <authnopriv> | <authpriv>> <readView> <writeView> <notifyView>>
    Configure SNMPv3 access for a group:
    • groupName—existing group name.
    • usm—security model. Only the USM security model is supported.
    • noauthnopriv—requires neither authentication nor privacy.
    Note
    Nokia recommends that SNMPv3 not be accessed through the noauthnopriv level.
    • authnopriv—requires authentication but not privacy.
    Note
    To access the SNMP agent through this level, the SNMP manager must use the same authentication type and passphrase as the SNMP user in the specified group.
    • authpriv—requires both authentication and privacy.
    Note
    To access the SNMP agent through this level, the SNMP manager must use the same authentication type and passphrase, and the same privacy type and passphrase, as the SNMP user in the specified group.
    • readView—existing view to support SNMP read operations.
    • writeView—existing view to support SNMP write operations.
    • notifyView—existing view to support SNMP notify operations.
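Why the manager must hold the same authentication type and passphrase as the `snmp user`, as an added example that is not part of the Nokia documentation or the gateway code: under SNMPv3 USM (RFC 3414) both sides turn the passphrase into a key and then localize it with the agent's snmpEngineID, so the key itself never crosses the wire and one passphrase shared across several agents still yields a different key on each. The Python below implements that derivation for the two authentication types the `snmp user` command accepts (MD5 and SHA), enforces the 8-character minimum stated above, and models the agent-side comparison; DES privacy key material is derived the same way from the privacy passphrase. The password `maplesyrup` and the engine ID are the reference inputs from RFC 3414 Appendix A, not values from this page.

```python
import hashlib

# Authentication types the `snmp user` command accepts, mapped to hashlib names.
AUTH_HASH = {"MD5": "md5", "SHA": "sha1"}
MIN_PASSPHRASE = 8  # minimum the page states for the cleartext passphrase

# Reference inputs from RFC 3414 Appendix A (constructed test values, not from this page).
RFC3414_PASSWORD = "maplesyrup"
RFC3414_ENGINE_ID = bytes.fromhex("000000000000000000000002")


def password_to_ku(passphrase: str, auth: str) -> bytes:
    """RFC 3414 A.2: hash exactly 1,048,576 bytes of the cyclically repeated passphrase into Ku."""
    algorithm = AUTH_HASH[auth]
    pw = passphrase.encode("utf-8")
    if len(pw) < MIN_PASSPHRASE:
        raise ValueError("passphrase must be at least %d characters" % MIN_PASSPHRASE)
    h = hashlib.new(algorithm)
    remaining = 1048576
    while remaining > 0:
        chunk = pw[:remaining]   # the final chunk is a prefix when the length does not divide 1 MiB
        h.update(chunk)
        remaining -= len(chunk)
    return h.digest()


def localize_key(ku: bytes, engine_id: bytes, auth: str) -> bytes:
    """RFC 3414 A.2: Kul = H(Ku || snmpEngineID || Ku); the engine ID binds the key to one agent."""
    return hashlib.new(AUTH_HASH[auth], ku + engine_id + ku).digest()


def usm_localized_key(passphrase: str, engine_id: bytes, auth: str) -> bytes:
    """The key the agent stores for its user and the manager must recompute for authNoPriv/authPriv."""
    return localize_key(password_to_ku(passphrase, auth), engine_id, auth)


def des_privacy_material(priv_passphrase: str, engine_id: bytes, auth: str):
    """RFC 3414 8.1.1.1: of the 16-octet localized privacy key, the first 8 octets are the DES key
    and the last 8 the pre-IV. Returns (des_key, pre_iv)."""
    kul = usm_localized_key(priv_passphrase, engine_id, auth)[:16]
    return kul[:8], kul[8:16]


def keys_match(agent_passphrase: str, manager_passphrase: str, engine_id: bytes, auth: str) -> bool:
    """Model of the agent-side check: the HMAC over a request only verifies when both sides
    derived the same localized key, i.e. same auth type, same passphrase, same engine ID."""
    return (usm_localized_key(agent_passphrase, engine_id, auth)
            == usm_localized_key(manager_passphrase, engine_id, auth))


if __name__ == "__main__":
    for auth in ("MD5", "SHA"):
        print(auth, usm_localized_key(RFC3414_PASSWORD, RFC3414_ENGINE_ID, auth).hex())
```

At the noauthnopriv level none of this runs: requests carry no HMAC, so any manager that knows the group name and a view is accepted, which is why the Note above advises against it.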
view <NAME> included <OID> [<mask>]
    Create a view with the specified access type for the OID and mask:
    • NAME—SNMP view name.
    • included—allow the SNMP manager to access the OID.
    • OID—OID. The OID can have a maximum length of 32 bytes.
    • mask—mask to apply to the specified OID. A mask can have a maximum length of 32 bytes. Each hex value in the mask must be separated by either a period (.) or a colon (:).
Examples
Config# snmp access 10.0.4.0/255.255.255.0 public
Allows only hosts from the 10.0.4.0 network to access the gateway by using the public community string.
Config# snmp syscontact “The System Administrators”
Sets the sysContact MIB variable to The System Administrators.
Config# snmp trapsink 10.0.4.55 trapperjohn
Informs the SNMP agent to send SNMPv1 traps to 10.0.4.55 by using the community string trapperjohn.
Config# snmp trap2sink 10.0.4.56 newandimproved
Informs the SNMP agent to send SNMPv2 traps to 10.0.4.56 by using the community string newandimproved.
Config# snmp view read included .1.3.6.1.2.1.2.2.1.1.2 ff:a0
.1.3.6.1.2.1.2.2.1.1.2 equals interfaces.ifTable.ifEntry.ifIndex.2 and ff:a0 equals 11111111:10100000. This command allows access to external interface information only if the external interface index is 2.
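The mask semantics the last example relies on, as an added example that is not part of the Nokia documentation or the gateway code: a Python check that decides whether a requested OID falls inside a view family of the form `<OID> [<mask>]`, following the VACM rule (RFC 3415, vacmViewTreeFamilyMask) that a 1 bit means the subidentifier must match, a 0 bit is a wildcard, and bits beyond the end of the mask count as 1. The view definitions and candidate OIDs are constructed sample input; `.1.3.6.1.2.1.2.2.1.1.2` with mask `ff:a0` is the page's own example, and the zero bit in position 10 is what turns the `ifIndex` column into a wildcard while keeping the row index fixed at 2.

```python
def parse_oid(oid: str) -> list:
    """Dotted OID string, with or without a leading '.', -> list of subidentifiers."""
    return [int(sub) for sub in oid.strip().strip(".").split(".")]


def parse_mask(mask: str) -> list:
    """Hex octets separated by '.' or ':' (the syntax the view command accepts) -> list of bits, MSB first."""
    if not mask:
        return []
    bits = []
    for octet in mask.replace(":", ".").split("."):
        value = int(octet, 16)
        if not 0 <= value <= 0xFF:
            raise ValueError("mask octet out of range: %s" % octet)
        bits.extend((value >> shift) & 1 for shift in range(7, -1, -1))
    return bits


def oid_in_view(view_oid: str, mask: str, oid: str) -> bool:
    """VACM family match: each subidentifier of the view OID whose mask bit is 1 must equal the
    candidate's; a 0 bit is a wildcard; bits past the mask length are treated as 1. The candidate
    must be at least as long as the family OID, so everything below a matching prefix is included."""
    family = parse_oid(view_oid)
    candidate = parse_oid(oid)
    bits = parse_mask(mask)
    if len(candidate) < len(family):
        return False
    for index, sub in enumerate(family):
        must_match = bits[index] if index < len(bits) else 1
        if must_match and candidate[index] != sub:
            return False
    return True


# Constructed sample views: the page's masked example and an unmasked subtree.
IFENTRY_ROW2_VIEW = (".1.3.6.1.2.1.2.2.1.1.2", "ff:a0")  # any ifEntry column, but only row (ifIndex) 2
SYSTEM_VIEW = (".1.3.6.1.2.1.1", "")                      # the whole mib-2 'system' group


def accessible(views, oid: str) -> bool:
    """True if any 'included' view family covers the requested OID."""
    return any(oid_in_view(view_oid, mask, oid) for view_oid, mask in views)


if __name__ == "__main__":
    for probe in (".1.3.6.1.2.1.2.2.1.2.2", ".1.3.6.1.2.1.2.2.1.2.3", ".1.3.6.1.2.1.1.5.0"):
        print(probe, accessible([IFENTRY_ROW2_VIEW, SYSTEM_VIEW], probe))
```

Without the mask, the same OID would admit only `ifIndex.2` itself; with it, every column of row 2 (ifDescr.2, ifInOctets.2, and so on) is visible and every other row stays hidden, which is the least-privilege effect the example intends.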
3 Managing the Gateway
This chapter details the commands required to manage the gateway, validate network and gateway parameters, disable and enable subsystems, and configure network access and services.
Note
This chapter assumes that you are familiar with the command mode and the configuration mode, and with navigating between them. For more information about CLI modes and navigating between them, see “CLI Modes” on page 16.
Gateway Administration
Gateway administration commands allow you to perform routine administration tasks on the gateway and to validate network and gateway parameters.
Command Mode Commands
Use the following command mode commands to perform gateway administration.
Command      Description
aosinfo      Snapshot of run-time configuration.
backup       Back up or restore contents of flash memory.
clear        Clear tables and counters.
configure    Enter configuration mode.
crypto       IKE and IPSec administration.
date         Set or display the date and time.
examine      Evaluate IPSec per-packet policy.
flash        Flash memory administration.
kernel       Operating system kernel administration.
nat          Network Address Translation (NAT) administration.
pin          PIN administration.
reboot       Reboot local node only.
schedule     Display and modify scheduled event list.
show         Show information about the system.
tcpdump      Native tcpdump and tcpdump client-server administration.
terminal     Terminal configuration (current session).
validate     Validate IPSec per-packet policy.

aosinfo
Use the aosinfo command to obtain a snapshot of the run-time configuration.
Syntax
aosinfo <-h | <filename> | <CR>>
Arguments
-h    HTML output qualifier for the console.
<filename>    Name of the output file.
<CR>    Display on the console.

backup
Use the backup command to:
• Back up the contents of the flash file system to a file.
• Restore the contents of a backup file to the flash file system.
The backup command creates a single file called a saveset, which is in a Nokia proprietary format. You can perform backup and restore operations by using NFS or TFTP. If you use NFS, you must configure the mountd settings to allow mounting of individual files. This is the default in Solaris and requires the -r flag to mountd on BSD-based NFS implementations. If you use TFTP, ensure that write permissions are configured on the target directory (the directory in which the backup is saved).
Syntax
backup [list <NAME>] [restore <NAME> <NAME>] [save <NAME> <NAME>]
Caution
The backup restore command (in the following table) formats the flash file system before restoring files. Save any files you still need from flash memory before you perform a restore operation.
Arguments
list <NAME>
    List the files in a saveset:
    • NAME—name of the saveset file.
restore <NAME> <NAME>
    Restore the contents of the flash file system from a specified saveset file, using the syntax <NFS | TFTP>://<hostname>/<pathname>/<bkup_file>:
    • NAME—name of the saveset file.
    • NAME—name of the flash memory.
save <NAME> <NAME>
    Save the contents of the flash file system to a specified saveset file, using the syntax <NFS | TFTP>://<hostname>/<pathname>/<bkup_file>. All files on the flash memory are saved:
    • NAME—name of the flash memory.
    • NAME—name of the saveset file.
Examples
backup list nfs://Nokia_nfs/home/current_files/my_file
Displays the contents of a backup file on the Nokia_nfs NFS server.
backup restore nfs://Nokia_nfs/home/current_files/my_file
Restores to flash memory the contents of a backup file on the Nokia_nfs NFS server.
backup save pccard1: nfs://Nokia_nfs/home/current_files/my_file
Saves the contents of the pccard1 flash memory into the backup file.
Related Commands
See the “flash” command on page 99.
See the “schedule” command on page 103.
clear
Use the clear command to clear entries and tables for the specified subsystems.
Syntax
clear [arp] [dns-resolver] [ike] [ipsec] [nat <link-id>] [queue] [route <all | dynamic | static>] [vpdn <all | tunnel <NUMBER>>] <CR>
Arguments
arp    Flush the ARP table.
    Note
    Performs the same function as the arp -f command.
dns-resolver    Flush the DNS resolver cache.
ike    Clear IKE security associations.
ipsec    Clear IPSec security associations.
nat <link-id>
    Clear NAT entries:
    • link-id—name assigned to the NAT link.
queue    Clear the IPSec packet sequencing queue.
route <all | dynamic | static>
    Clear route entries:
    • all—flush static and dynamic routes.
    • dynamic—flush only dynamically learned routes.
    • static—flush only statically set routes.
vpdn <all | tunnel <NUMBER>>
    Clear tunnels and sessions:
    • all—clear all tunnels and sessions.
    Note
    The clear vpdn all command affects all nodes in a cluster.
    • tunnel NUMBER—clear the specified tunnel.
<CR>    Exit. At least one option must be specified.

configure
Use the configure command to:
• Save the current configuration.
• Delete the current configuration and reboot the gateway.
• Change to a different mode.
Syntax
configure [firewall] [pki] [policy] [save <cluster | <CR>>] [wizard] [<CR>]
Caution
The configure wizard command (in the following table) erases configurations from flash memory and requires a complete reinstallation.
Arguments
firewall    Enter the firewall configuration mode to configure packet filtering rules.
pki    Enter PKI configuration mode.
policy    Enter PCS configuration mode.
save <cluster | <CR>>
    Save the running configuration to the flash file system on the local gateway:
    • cluster—save the configuration to all nodes. This command must be run from the master node only.
    • CR—save the running configuration.
wizard    Erase all files on the flash file system, clear the hardware PIN, and reboot the gateway.
<CR>    Enter configuration mode.
Related Commands
See the debug cfg_server command in “debug” on page 156.
See the show config command in “show” on page 105.

crypto
Use the crypto command to manage the IPSec configuration for all of the nodes in a cluster. For a graphical representation of the crypto command, see “Crypto Command Diagram” on page 294.
Syntax
crypto [clear <ike | ipsec | <CR>>]
crypto [disable]
    <copy-df>
    <dead-peer-detection <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    <deferred-delete <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
    <diff-serv <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    <display <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
    <host-icmp>
    <inline>
    <nat-traversal <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    <replay>
    <sa-cache>
    <sec-proc>
    <server <ah | esp | input | output | queue>>
    <spd-sorting>
    <stable>
    <CR>
crypto [enable]
    <brief>
    <copy-df>
    <dead-peer-detection <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    <deferred-delete <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
    <diff-serv <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    <display <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
    <full>
    <host-icmp>
    <inline>
    <nat-traversal <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    <replay>
    <sa-cache>
    <sec-proc>
    <server <ah | esp | input | output | queue>>
    <spd-sorting>
    <stable>
    <CR>
crypto [flush <ike | ipsec | <CR>>]
crypto [ike <delete <NUMBER> | lifetime <NUMBER>>]
crypto [ipsec <delete <NUMBER> <ADDR> <ah | esp> | lifetime <NUMBER> | rekey <NUMBER> <ADDR> <ah | esp>>]
crypto [policy reload <NAME>]
crypto [show]
    <active <brief | full | <SPI> | <CR>>>
    address-cache
    all <brief | full>
    cached <all <brief | full> | chains <local | remote> <brief | full> | identities <local | remote> <brief | full> | names <brief | full> | public <local | remote> <brief | full>>
    cluster
    dead <brief | full>
    expired <brief | full>
    ike <-n | brief | full | statistics | <SEQ> | <ADDR> | <fqdn> | <rfc822> | <CR>>
    ipsec <brief | full | <SPI> | <CR>>
    keys <all <brief | full> | blocked <brief | full> | certified <brief | full> | preshared <brief | full> | public <local | remote> <brief | full> | trusted-root <brief | full>>
    options
    pending <brief | full>
    policy <-n | brief | client <brief | full | matched | <CR>> | full | gateway | ike | ipsec | matched | protnet | spd <brief | dynamic | full | matched | routing | static | <CR>> | <CR>>
    statistics <ah | esp | ike | random | replay | sa | sec-proc | <CR>>
Caution
The disable command in the following table disables IPSec processing. All IP traffic is forwarded in the clear if IPSec security processing is disabled.
Arguments
clear <ike | ipsec | <CR>>
    Clear all IKE and IPSec security associations. All current IPSec tunnels are deleted. This command affects all nodes in a cluster.
    Note
    On a system with a large number of security associations (SAs), the crypto clear command can cause a temporary performance slowdown, because all IPSec connections must renegotiate IKE and IPSec security associations to re-establish traffic flow.
    • ike—clear IKE security associations.
    • ipsec—clear IPSec security associations.
    • CR—clear all IKE and IPSec security associations.
disable    Disable IPSec processing. This command affects all nodes in a cluster.
disable <copy-df>    Disable copying of the don't fragment (DF) bit to the outer header.
disable <dead-peer-detection <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    Disable Dead Peer Detection:
    • all—all events.
    • attribute—ISAKMP attribute processing (IKE).
    • basic—basic events.
    • cluster—cluster processing.
    • cookie—ISAKMP cookie processing (IKE).
    • death—SA deletion events.
    • download—management software download (IKE).
    • event—general event logging.
    • header—ISAKMP header processing (IKE).
    • id—ISAKMP ID payload processing (IKE).
    • io—send or receive message logging (IKE).
    • isadb—database operations (IKE).
    • locking—locking operations (IKE).
    • mapping—IPSec SA mapping creation or deletion.
    • notify—ISAKMP notify payload processing.
    • option—ISAKMP options processing.
    • payload—ISAKMP payload processing.
    • pending—pending entry creation or deletion (IPSec).
    • policy—policy operations (IKE).
    • rekey—rekey operations.
    • ring—public- or private-key ring operations (IKE).
    • route—routing updates (PF_ROUTE).
    • saapi—kernel operations (IKE).
    • selector—miscellaneous selector logging (IPSec).
    • state—state machine changes (IKE).
    • CR—all events, if no other options are specified.
disable <deferred-delete <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
    Disable deferred main mode deletions:
    • deferred-delete automagic—automatically generated selectors.
    • deferred-delete cluster—IKE or IPSec cluster messaging statistics.
    • deferred-delete dead—dead security associations.
    • deferred-delete option—IKE negotiation options.
    • deferred-delete pending—pending security association requests.
    • deferred-delete replay—IPSec replay detection information.
    • deferred-delete selector—IPSec traffic selector information.
    • deferred-delete uuid—policy and selector identifiers.
    • deferred-delete <CR>—set full display mode, if no other options are specified.
disable <diff-serv <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
    Disable differentiated services marking:
    • diff-serv all—all events.
    • diff-serv attribute—Internet Security Association and Key Management Protocol (ISAKMP) attribute processing (IKE).
    • diff-serv basic—basic events.
    • diff-serv cluster—cluster processing.
    • diff-serv cookie—ISAKMP cookie processing (IKE).
    • diff-serv death—SA deletion events.
    • diff-serv download—management software download (IKE).
    • diff-serv event—general event logging.
    • diff-serv header—ISAKMP header processing (IKE).
    • diff-serv id—ISAKMP ID payload processing (IKE).
    • diff-serv io—send or receive message logging (IKE).
    • diff-serv isadb—database operations (IKE).
    • diff-serv locking—locking operations (IKE).
    • diff-serv mapping—IPSec SA mapping creation or deletion.
    • diff-serv notify—ISAKMP notify payload processing.
    • diff-serv option—ISAKMP options processing.
    • diff-serv payload—ISAKMP payload processing.
    • diff-serv pending—pending entry creation or deletion (IPSec).
    • diff-serv policy—policy operations (IKE).
    • diff-serv rekey—rekey operations.
    • diff-serv ring—public- or private-key ring operations (IKE).
    • diff-serv route—routing updates (PF_ROUTE).
    • diff-serv saapi—kernel operations (IKE).
    • diff-serv selector—miscellaneous selector logging (IPSec).
    • diff-serv state—state machine changes (IKE).
    • diff-serv <CR>—all events, if no other options are specified.
disable <display <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
    Disable display information:
    • display automagic—automatically generated selectors.
    • display cluster—IKE or IPSec cluster messaging statistics.
    • display dead—dead security associations.
    • display option—IKE negotiation options.
    • display pending—pending security association requests.
    • display replay—IPSec replay detection information.
    • display selector—IPSec traffic selector information.
    • display uuid—policy and selector identifiers.
    • display <CR>—set full display mode, if no other options are specified.
disable <host-icmp>    Do not forward host-generated Internet Control Message Protocol (ICMP) errors.
disable <inline>    Disable inline processing on resource allocation failures.
disable <nat-traversal <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
Disable NAT traversal encapsulation:
• nat-traversal all—all events.
• nat-traversal attribute—ISAKMP attribute processing (IKE).
• nat-traversal basic—basic events.
• nat-traversal cluster—cluster processing.
• nat-traversal cookie—ISAKMP cookie processing (IKE).
• nat-traversal death—SA deletion events.
• nat-traversal download—management software download (IKE).
• nat-traversal event—general event logging.
• nat-traversal header—ISAKMP header processing (IKE).
• nat-traversal id—ISAKMP ID payload processing (IKE).
• nat-traversal io—send or receive message logging (IKE).
• nat-traversal isadb—database operations (IKE).
• nat-traversal locking—locking operations (IKE).
• nat-traversal mapping—IPSec SA mapping creation or deletion.
• nat-traversal notify—ISAKMP notify payload processing.
• nat-traversal option—ISAKMP options processing.
• nat-traversal payload—ISAKMP payload processing.
• nat-traversal pending—pending entry creation or deletion (IPSec).
• nat-traversal policy—policy operations (IKE).
• nat-traversal rekey—rekey operations.
• nat-traversal ring—public- or private-key ring operations (IKE).
• nat-traversal route—routing updates (PF_ROUTE).
• nat-traversal saapi—kernel operations (IKE).
• nat-traversal selector—miscellaneous selector logging (IPSec).
• nat-traversal state—state machine changes (IKE).
• nat-traversal <CR>—all events, if no other options are specified.
disable <replay> Disable replay detection in IPSec security associations.
disable <sa-cache> Disable last-used SA cache.
disable <sec-proc> Disable security processors.
disable <server <ah | esp | input | output | queue>>
Disable multiprocessor server processing:
• server ah—secondary processing for authentication header (AH).
• server esp—secondary processing for encapsulation security payload (ESP).
• server input—input sequencing queue.
• server output—output sequencing queue.
• server queue—input and output sequencing queue.
disable <spd-sorting> Disables sorting of IPSec selectors in the security policy database (SPD). SPD selectors are not sorted based on the number of specified parameters.
Note: Selectors in the SPD are always arranged in the order of most-specific selectors at the beginning of the list and less-specific selectors at the end of the list. The disable spd-sorting command maintains the selectors in the order they are created, regardless of the number of parameters specified in the selector. If this option is not selected, the selectors are sorted based on the number of parameters specified in the selector.
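The ordering rule in the note above decides which selector a packet hits first, and that first match is what the examine command later in this chapter reports as drop, pass in the clear, or protect. The Python model below is an added illustration, not Nokia code: the selector fields, the two policy entries, the action names and the default drop for an unmatched packet are constructed for the example. It runs the manual's own examine query (tcp 172.16.32.12 any 10.134.66.5 23) against the same two selectors with spd-sorting enabled and disabled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Selector:
    """One SPD entry. Fields left as None are wildcards ("any")."""
    action: str                    # constructed actions: "drop", "pass" (in the clear), "protect" (IPSec)
    proto: Optional[str] = None
    src: Optional[str] = None      # CIDR network
    src_port: Optional[int] = None
    dst: Optional[str] = None
    dst_port: Optional[int] = None
    seq: int = -1                  # creation order, assigned when added to the SPD

    def specificity(self) -> int:
        """Number of parameters the selector specifies: the sort key used by spd-sorting."""
        return sum(v is not None for v in
                   (self.proto, self.src, self.src_port, self.dst, self.dst_port))

    def matches(self, proto: str, src: str, sport: Optional[int],
                dst: str, dport: Optional[int]) -> bool:
        if self.proto is not None and self.proto != proto:
            return False
        if self.src is not None and ipaddress.ip_address(src) not in ipaddress.ip_network(self.src, strict=False):
            return False
        if self.dst is not None and ipaddress.ip_address(dst) not in ipaddress.ip_network(self.dst, strict=False):
            return False
        if self.src_port is not None and self.src_port != sport:
            return False
        if self.dst_port is not None and self.dst_port != dport:
            return False
        return True


class SPD:
    """Security policy database with the ordering rule from the spd-sorting note."""

    def __init__(self, sorting: bool = True):
        self.sorting = sorting          # True: spd-sorting enabled (default); False: disabled
        self._selectors: List[Selector] = []

    def add(self, sel: Selector) -> None:
        sel.seq = len(self._selectors)
        self._selectors.append(sel)

    def ordered(self) -> List[Selector]:
        if self.sorting:
            # most-specific first; Python's sort is stable, so ties keep creation order
            return sorted(self._selectors, key=lambda s: -s.specificity())
        return list(self._selectors)    # creation order, as with spd-sorting disabled

    def examine(self, proto: str, src: str, sport: Optional[int],
                dst: str, dport: Optional[int]) -> Tuple[str, Optional[int]]:
        """First-match lookup, like the examine command: returns (action, selector seq)."""
        for sel in self.ordered():
            if sel.matches(proto, src, sport, dst, dport):
                return sel.action, sel.seq
        return "drop", None             # assumption for the example: no selector, no traffic


def build_sample_spd(sorting: bool) -> SPD:
    """Two constructed selectors, created in the order shown (the broad one first)."""
    spd = SPD(sorting)
    spd.add(Selector("pass", src="172.16.32.0/24"))                         # 1 parameter
    spd.add(Selector("protect", proto="tcp", src="172.16.32.0/24",
                     dst="10.134.66.5/32", dst_port=23))                     # 4 parameters
    return spd


def telnet_decision(sorting: bool) -> str:
    """The manual's examine example: examine tcp 172.16.32.12 any 10.134.66.5 23."""
    return build_sample_spd(sorting).examine("tcp", "172.16.32.12", None, "10.134.66.5", 23)[0]
```

With sorting enabled the four-parameter protect selector is consulted before the one-parameter pass selector, so the Telnet flow is protected; with spd-sorting disabled, creation order governs, the broader pass selector created first shadows it, and the same flow leaves in the clear. That is the check to make before disabling sorting: the order in which the selectors were created must already put the most specific ones first.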
disable <stable> Disable stable download processing.
disable <CR> Disable IPSec processing.
enable Enable IPSec processing.
enable <brief> Set default display mode to brief.
enable <copy-df> Enable copying of don't fragment (DF) bit to outer header.
enable <dead-peer-detection <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
Enable Dead Peer Detection:
• all—all events.
• attribute—ISAKMP attribute processing (IKE).
• basic—basic events.
• cluster—cluster processing.
• cookie—ISAKMP cookie processing (IKE).
• death—SA deletion events.
• download—management software download (IKE).
• event—general event logging.
• header—ISAKMP header processing (IKE).
• id—ISAKMP ID payload processing (IKE).
• io—send or receive message logging (IKE).
• isadb—database operations (IKE).
• locking—locking operations (IKE).
• mapping—IPSec SA mapping creation or deletion.
• notify—ISAKMP notify payload processing.
• option—ISAKMP options processing.
• payload—ISAKMP payload processing.
• pending—pending entry creation or deletion (IPSec).
• policy—policy operations (IKE).
• rekey—rekey operations.
• ring—public- or private-key ring operations (IKE).
• route—routing updates (PF_ROUTE).
• saapi—kernel operations (IKE).
• selector—miscellaneous selector logging (IPSec).
• state—state machine changes (IKE).
• CR—all events, if no other options are specified.
enable <deferred-delete <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
Enable deferred main mode deletions:
• deferred-delete automagic—automatically generated selectors.
• deferred-delete cluster—IKE or IPSec cluster messaging statistics.
• deferred-delete dead—dead security associations.
• deferred-delete option—IKE negotiation options.
• deferred-delete pending—pending security association requests.
• deferred-delete replay—IPSec replay detection information.
• deferred-delete selector—IPSec traffic selector information.
• deferred-delete uuid—policy and selector identifiers.
• deferred-delete <CR>—set full display mode, if no other options are specified.
enable <diff-serv <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
Enable differentiated services marking:
• diff-serv all—all events.
• diff-serv attribute—ISAKMP attribute processing (IKE).
• diff-serv basic—basic events.
• diff-serv cluster—cluster processing.
• diff-serv cookie—ISAKMP cookie processing (IKE).
• diff-serv death—SA deletion events.
• diff-serv download—management software download (IKE).
• diff-serv event—general event logging.
• diff-serv header—ISAKMP header processing (IKE).
• diff-serv id—ISAKMP ID payload processing (IKE).
• diff-serv io—send or receive message logging (IKE).
• diff-serv isadb—database operations (IKE).
• diff-serv locking—locking operations (IKE).
• diff-serv mapping—IPSec SA mapping creation and deletion.
• diff-serv notify—ISAKMP notify payload processing.
• diff-serv option—ISAKMP options processing.
• diff-serv payload—ISAKMP payload processing.
• diff-serv pending—pending entry creation or deletion (IPSec).
• diff-serv policy—policy operations (IKE).
• diff-serv rekey—rekey operations.
• diff-serv ring—public- or private-key ring operations (IKE).
• diff-serv route—routing updates (PF_ROUTE).
• diff-serv saapi—kernel operations (IKE).
• diff-serv selector—miscellaneous selector logging (IPSec).
• diff-serv state—state machine changes (IKE).
• diff-serv <CR>—all events, if no other options are specified.
enable <display <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
Enable display information:
• display automagic—automatically generated selectors.
• display cluster—IKE or IPSec cluster messaging statistics.
• display dead—dead security associations.
• display option—IKE negotiation options.
• display pending—pending security association requests.
• display replay—IPSec replay detection information.
• display selector—IPSec traffic selector information.
• display uuid—policy and selector identifiers.
• display <CR>—set full display mode, if no other options are specified.
enable <full> Set default display mode to full.
enable <host-icmp> Forward host-generated ICMP errors.
enable <inline> Enable inline processing on resource allocation failures.
enable <nat-traversal <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
Enable NAT traversal encapsulation:
• nat-traversal all—all events.
• nat-traversal attribute—ISAKMP attribute processing (IKE).
• nat-traversal basic—basic events.
• nat-traversal cluster—cluster processing.
• nat-traversal cookie—ISAKMP cookie processing (IKE).
• nat-traversal death—SA deletion events.
• nat-traversal download—management software download (IKE).
• nat-traversal event—general event logging.
• nat-traversal header—ISAKMP header processing (IKE).
• nat-traversal id—ISAKMP ID payload processing (IKE).
• nat-traversal io—send or receive message logging (IKE).
• nat-traversal isadb—database operations (IKE).
• nat-traversal locking—locking operations (IKE).
• nat-traversal mapping—IPSec SA mapping creation and deletion.
• nat-traversal notify—ISAKMP notify payload processing.
• nat-traversal option—ISAKMP options processing.
• nat-traversal payload—ISAKMP payload processing.
• nat-traversal pending—pending entry creation or deletion (IPSec).
• nat-traversal policy—policy operations (IKE).
• nat-traversal rekey—rekey operations.
• nat-traversal ring—public- or private-key ring operations (IKE).
• nat-traversal route—routing updates (PF_ROUTE).
• nat-traversal saapi—kernel operations (IKE).
• nat-traversal selector—miscellaneous selector logging (IPSec).
• nat-traversal state—state machine changes (IKE).
• nat-traversal <CR>—all events, if no other options are specified.
enable <replay> Enable replay detection.
enable <sa-cache> Enable last-used SA cache.
enable <sec-proc> Enable security processors.
enable <server <ah | esp | input | output | queue>>
Enable multiprocessor server parameters:
• server ah—secondary processing for AH.
• server esp—secondary processing for ESP.
• server input—input sequencing queue.
• server output—output sequencing queue.
• server queue—input and output sequencing queue.
enable <spd-sorting> Enables sorting of IPSec selectors in the SPD. This is the default setting.
enable <stable> Enable stable download processing.
enable <CR> Enable IPSec processing.
flush <ike | ipsec | <CR>>
Clear IKE and IPSec security associations:
• ike—clear IKE security associations.
• ipsec—clear IPSec security associations.
• CR—clear all.
Note: The flush command performs the same function as the crypto clear command.
ike <delete <NUMBER> | lifetime <NUMBER>>
Set IKE parameters:
• delete—delete IKE security association.
• delete NUMBER—sequence number.
Note: Deletes the tunnel that the IKE security association indexes with the indicated sequence number. IKE and IPSec security associations are created again to reestablish traffic flow. This command affects all nodes in the cluster.
• lifetime—set default IKE lifetime.
• lifetime NUMBER—lifetime value.
ipsec <delete <NUMBER> <ADDR> <ah | esp> | lifetime <NUMBER> | rekey <NUMBER> <ADDR> <ah | esp>>
Set IPSec parameters:
• delete—delete IPSec security association.
• delete NUMBER—SPI.
Note: Deletes the IPSec security association indexed by the indicated SPI number. The IKE security association remains unchanged, but a new IPSec security association is created to reestablish traffic flow. This command affects all nodes in a cluster.
• delete ADDR—dotted-decimal address of a peer.
• delete ah—AH IPSec protocol.
• delete esp—ESP IPSec protocol.
• lifetime—set default IPSec lifetime.
• lifetime NUMBER—lifetime value.
• rekey—initiate IPSec rekey.
• rekey NUMBER—SPI.
• rekey ADDR—dotted-decimal address of a peer.
• rekey ah—AH IPSec protocol.
• rekey esp—ESP IPSec protocol.
policy <reload <NAME>>
Reload crypto policy:
• NAME—security policy database name.
show Show security associations.
show <active <brief | full | <SPI> | <CR>>>
Show active security associations:
• active brief—show active SAs in brief.
• active full—show active SAs in full.
• active <SPI>—show active SA by security parameter index (SPI).
• active <CR>—show all active SAs.
show address-cache Show cached internal addresses.
show all <brief | full>
Show all security associations:
• all brief—show all SAs.
• all full—show all SAs in full.
Note: The crypto show all command performs the same function as the crypto show ike and crypto show ipsec commands.
show cached <all <brief | full> | chains <local | remote> <brief | full> | identities <local | remote> <brief | full> | names <brief | full> | public <local | remote> <brief | full>>
Show IKE cached keying material:
• cached all—show all cached keying materials.
• cached all brief—show all cached keying materials.
• cached all full—show all cached keying materials in full.
• cached chains—show cached certificate chains.
• cached chains local—show cached local certificate chains.
• cached chains remote—show cached remote certificate chains.
• cached chains brief—show cached local certificate chains.
• cached chains full—show cached local certificate chains in full.
• cached identities—show cached certificate identities.
• cached identities local—show cached local identities.
• cached identities remote—show cached remote identities.
• cached identities brief—show cached local certificate identities.
• cached identities full—show cached local certificate identities in full.
• cached names—show cached certificate subject names.
• cached names brief—show cached certificate subject names.
• cached names full—show cached certificate subject names in full.
• cached public—show cached uncertified public keys.
• cached public local—show cached local uncertified public keys.
• cached public remote—show cached remote uncertified public keys.
• cached public brief—show cached remote identities.
• cached public full—show cached remote identities in full.
show cluster Show IKE cluster state.
show dead <brief | full>
Show dead security associations:
• dead brief—show dead SAs.
• dead full—show dead SAs in full.
show expired <brief | full>
Show expired security associations:
• expired brief—show expired SAs.
• expired full—show expired SAs in full.
show ike <-n | brief | full | statistics | <SEQ> | <ADDR> | <fqdn> | <rfc822> | <CR>>
Show IKE security associations:
• ike -n—do not look up symbolic host names.
• ike brief—show IKE information in brief.
• ike full—show IKE information in full.
• ike statistics—show IKE statistics.
• ike <SEQ>—show IKE information by sequence number (SEQ).
• ike <ADDR>—show IKE information by IP address.
• ike <fqdn>—show IKE information by fully qualified domain name.
• ike <rfc822>—show IKE information by RFC 822 name.
• ike <CR>—show IKE information in default display mode.
show ipsec <brief | full | <SPI> | <CR>>
Show all active, inactive, expired, and pending IPSec security associations:
• ipsec brief—show active SAs in brief.
• ipsec full—show active SAs in full.
• ipsec <SPI>—show active SA by security parameter index (SPI).
• ipsec <CR>—show all active SAs.
show keys <all <brief | full> | blocked <brief | full> | certified <brief | full> | preshared <brief | full> | public <local | remote> <brief | full> | trusted-root <brief | full>>
Show PKI database:
• keys all—show all keys.
• keys all brief—show all keys.
• keys all full—show all keys in full.
• keys blocked—show blocked certified public keys.
• keys blocked brief—show blocked certified public keys.
• keys blocked full—show blocked certified public keys in full.
• keys certified—show local certified public keys.
• keys certified brief—show certified public keys.
• keys certified full—show certified public keys in full.
• keys preshared—show preshared keys.
• keys preshared brief—show preshared keys.
• keys preshared full—show preshared keys in full.
• keys public—show uncertified public keys.
• keys public local—show local uncertified public keys.
• keys public remote—show remote uncertified public keys.
• keys public brief—show local uncertified public keys.
• keys public full—show local uncertified public keys in full.
• keys trusted-root—show trusted certification authority root keys.
• keys trusted-root brief—show trusted certification authority root keys.
• keys trusted-root full—show trusted certification authority root keys in full.
show options Show policy options.
show pending <brief | full>
Show pending associations:
• pending brief—show pending SAs.
• pending full—show pending SAs in full.
show policy <-n | brief | client <brief | full | matched | <CR>> | full | gateway | ike | ipsec | matched | protnet | spd <brief | dynamic | full | matched | routing | static | <CR>> | <CR>>
Show policy database:
• policy -n—do not look up symbolic host names.
• policy brief—show all policies in brief.
• policy client—show client access control list.
• policy client brief—show all client policies in brief.
• policy client full—show all client policies in full.
• policy client matched—show only matched client access entries.
• policy client <CR>—show policy client.
• policy full—show all policies in full.
• policy gateway—show gateway associations.
• policy ike—show IKE policy records.
• policy ipsec—show IPSec policy records.
• policy matched—show only matched selectors and client access.
• policy protnet—show protected networks database.
• policy spd—show security policy database.
• policy spd brief—show all policies in brief.
• policy spd dynamic—show only dynamic selectors.
• policy spd full—show all policies in full.
• policy spd matched—show only matched selectors.
• policy spd routing—show only routing selectors.
• policy spd static—show only static selectors.
• policy spd <CR>—show policy spd.
• policy <CR>—show crypto policy in brief.
Note: In the display, the items with the id tags (such as ipsec policy id) are database record numbers used for internal policy indexing.
show statistics <ah | esp | ike | random | replay | sa | sec-proc | <CR>>
Shows current activity counters for the node:
• statistics ah—show Authentication Header (AH) statistics.
• statistics esp—show Encapsulating Security Payload (ESP) statistics.
• statistics ike—show IKE statistics.
• statistics random—show random number generator statistics.
• statistics replay—show IPSec replay detection statistics.
• statistics sa—show security association statistics.
• statistics sec-proc—show security processor statistics.
• statistics <CR>—show all statistics.
Examples
crypto enable display automagic
Enables display of autogenerated selectors when used with crypto show policy commands.
crypto show keys all
Displays certificates and keys.
crypto show all
Displays current security associations that have been established across the cluster.
crypto policy reload
Reloads the IPSec policy database on the current node from the ipsec_policy_<version>.dat file on flash memory.
Related Commands
See the “show” command on page 105.
date
Use the date command to set or view the current system date and time. All Nokia IP VPN Gateway time is expressed in UTC/GMT.
Syntax
date [[[[yyyy]mm]dd]HH]MM[.ss] [<CR>]
Example
date 200207202315.25
Sets the date to July 20, 2002 and the time to 23:15:25.
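The nested optional fields in the date syntax parse from the right: MM is always present, and each further pair of leading digits supplies HH, then dd, then mm, with a final four digits for the year, which is how 200207202315.25 becomes 23:15:25 on 20 July 2002. The parser below is an added illustration, not Nokia code: it assumes that omitted leading fields keep their current value (the page does not say what the gateway substitutes), and it rejects malformed strings and impossible values before anything would touch the clock. SAMPLE_NOW is a constructed reference time for the partial-argument case.

```python
from datetime import datetime, timezone
from typing import Optional

# Reference "current time" for the sample run (constructed for this example).
SAMPLE_NOW = datetime(2002, 7, 20, 10, 0, 0, tzinfo=timezone.utc)

# Digit-string lengths the [[[[yyyy]mm]dd]HH]MM grammar can produce:
# MM, HHMM, ddHHMM, mmddHHMM, yyyymmddHHMM.
_VALID_LENGTHS = (2, 4, 6, 8, 12)


def parse_date_arg(arg: str, now: Optional[datetime] = None) -> datetime:
    """Parse a date argument of the form [[[[yyyy]mm]dd]HH]MM[.ss] into a UTC datetime.

    Fields are consumed from the right, because the optional parts nest on the
    left. Omitted leading fields are taken from `now` (an assumption for this
    example; the manual does not state what the gateway substitutes).
    Raises ValueError for malformed input or impossible values (month 13,
    day 30 in February, second 60, ...).
    """
    if now is None:
        now = datetime.now(timezone.utc)
    main, dot, sec = arg.partition(".")
    if not main.isdigit() or len(main) not in _VALID_LENGTHS:
        raise ValueError(f"bad date field {arg!r}")
    if dot and not (sec.isdigit() and len(sec) == 2):
        raise ValueError(f"seconds must be two digits: {arg!r}")

    fields = {"year": now.year, "month": now.month, "day": now.day,
              "hour": now.hour, "minute": 0, "second": int(sec) if sec else 0}
    rest = main
    for name in ("minute", "hour", "day", "month"):
        if not rest:
            break
        fields[name] = int(rest[-2:])
        rest = rest[:-2]
    if rest:                      # four remaining digits are the year
        fields["year"] = int(rest)
    # datetime() validates ranges, so 2002-02-30 or 23:15:61 raise ValueError here
    return datetime(tzinfo=timezone.utc, **fields)


def is_valid_date_arg(arg: str, now: Optional[datetime] = None) -> bool:
    """True when `arg` would be accepted by parse_date_arg."""
    try:
        parse_date_arg(arg, now)
    except ValueError:
        return False
    return True
```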
Arguments
[[[[yyyy]mm]dd]HH]MM[.ss] Set system date and time.
<CR> Display system date and time.
examine
Use the examine command to determine the action taken when a packet is sent or received on the cluster. This command:
• Inspects the selectors.
• Determines the filter that applies to the packet.
• Determines if the cluster will drop, pass in the clear, or protect the packet by using IPSec.
Syntax
examine <any | gre | icmp | ipinip | tcp | udp | <NUMBER>> <SRC-ADDR> <any | SRC-PORT> <DST-ADDR> <any | DST-PORT>
Arguments
any Any protocol.
gre Select Generic Routing Encapsulation (GRE) protocol.
icmp Select ICMP.
ipinip Select IPINIP protocol.
tcp Select Transmission Control Protocol (TCP).
udp Select User Datagram Protocol (UDP).
<NUMBER> IP protocol number.
<SRC-ADDR> Source dotted-decimal address.
<any | SRC-PORT>
• any—any port.
• SRC-PORT—source port.
<DST-ADDR> Destination dotted-decimal address.
<any | DST-PORT>
• any—any port.
• DST-PORT—destination port.
Examples
examine tcp 172.16.32.12 any 10.134.66.5 23
Inspects gateway filters for the traffic from 172.16.32.12 (from any port) to the Telnet server port on 10.134.66.5.
Related Commands
See the clear ike command in “clear” on page 76.
See the clear ipsec command in “clear” on page 76.
See the “crypto” command on page 78.
See the show crypto command in “crypto” on page 78.
See the show ike command in “show” on page 105.
See the show ipsec command in “show” on page 105.
See the show pending command in “show” on page 105.
See the show policy command in “show” on page 105.
flash
Use the flash command to manage the contents of the flash memory and the files it contains.
Syntax
flash [duplicate <<NAME> | <CR>> <<NAME> | <CR>>] [format <-d <<NAME> | <CR>> | <NAME>>]
Arguments
duplicate <<NAME> | <CR>> <<NAME> | <CR>>
Copy all the files from one flash memory to another.
Note: Supported only for Nokia IP VPN Gateways that have more than one flash memory.
• NAME—name of flash memory to be copied.
• CR—copy flash memory by default.
• NAME—name of flash memory to be copied to.
• CR—copy to flash1 memory by default.
format <-d <<NAME> | <CR>> | <NAME>>
Format flash memory:
• -d—delete all files from flash memory, but do not call process to format flash memory.
• -d NAME—name of flash memory.
• -d <CR>—delete files in the current flash memory by default.
• NAME—name of flash memory.
Examples
flash format flash:
Erases the contents and formats the primary flash memory, creating an empty flash file system.
flash duplicate cfcard1: pccard1:
Copies the contents of the flash memory in the internal CompactFlash slot to the flash memory in the PC-Card slot 1.
Related Commands
See the “type” command on page 155.
See the “copy” command on page 151.
See the “differences” command on page 153.
See the “backup” command on page 74.
kernel
Use the kernel command to manage the kernel file.
Syntax
kernel [check <filename>] [commit] [upgrade <filename>]
Arguments
check <filename> Check a kernel image. Displays information about the image, such as kernel architecture, version, clustering version, signature, and flags.
• filename—name of kernel file.
commit Commit the upgraded kernel image.
Note: You can commit the image only if the image is acceptable when you reboot after you apply the kernel upgrade command. Committing the image selects it to boot on the next reboot. The kernel must be booted by using the kernel upgrade command for the kernel commit command to perform any actions. If you boot a new kernel by using the kernel upgrade command but do not apply the kernel commit command (or if the reboot fails), the node reverts to the original kernel image the next time it boots.
upgrade <filename> Upgrade the kernel boot image:
• filename—name of kernel file.
Note: Notifies the node to boot the image you select. You must enter the kernel commit command after the node reboots to use the upgraded kernel on the next reboot.
nat
Use the nat command to delete all NAT entries in the NAT table. For more information about the nat command, see “Configuring Firewall and Network Address Translation” on page 255.
Syntax
nat clear-state
Arguments
clear-state Flush all active NAT table entries.
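The notes under the kernel command above describe a trial-boot sequence: kernel upgrade arms an image for one boot only, kernel commit makes it the default only when the node is actually running that trial image, and a reboot without a commit (or a failed boot) falls back to the previously committed image. The Python model below is an added illustration of that sequence, not Nokia code or the gateway's boot logic; the image names and the boot_succeeds flag are constructed for the example.

```python
from typing import Optional


class KernelBootState:
    """Model of the kernel upgrade / reboot / commit cycle described for the kernel command.

    `committed` is the image that boots by default; upgrade() only arms a
    one-shot trial image for the next boot; commit() turns the currently
    running trial image into the new default. Constructed for illustration.
    """

    def __init__(self, committed: str):
        self.committed = committed
        self.trial: Optional[str] = None   # armed by upgrade(), consumed by the next boot
        self.running = committed
        self.booted_trial = False          # True only while running a not-yet-committed image

    def upgrade(self, image: str) -> None:
        """kernel upgrade <filename>: select `image` for the next boot only."""
        self.trial = image

    def reboot(self, boot_succeeds: bool = True) -> str:
        """Reboot the node and return the image that ends up running.

        A failed boot of the trial image falls back to the committed image,
        which is the "if the reboot fails, the node reverts" case in the note.
        """
        candidate = self.trial if self.trial is not None else self.committed
        self.trial = None                  # the trial selection is used at most once
        if candidate != self.committed and not boot_succeeds:
            candidate = self.committed     # fall back to the known-good image
        self.running = candidate
        self.booted_trial = candidate != self.committed
        return self.running

    def commit(self) -> bool:
        """kernel commit: make the running trial image the default.

        Returns False (and changes nothing) unless the node is currently
        running an image that was booted via upgrade(), as the note requires.
        """
        if not self.booted_trial:
            return False
        self.committed = self.running
        self.booted_trial = False
        return True


def trial_boot_outcome(commit_after_boot: bool, boot_succeeds: bool = True) -> str:
    """Run one upgrade cycle from "kernel-A" to "kernel-B" and report what boots afterwards."""
    node = KernelBootState("kernel-A")
    node.upgrade("kernel-B")
    node.reboot(boot_succeeds)
    if commit_after_boot:
        node.commit()
    return node.reboot()
```

The value of the pattern is that every path that does not end in an explicit commit on a successfully booted image leads back to the old kernel, so a bad image cannot leave the node permanently unbootable.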
pin
Use the pin command to encrypt and secure keying material, and to secure intracluster communication. The keying material is used for authentication from the gateway to VPN Manager during initial download, before it generates an SSL certificate. A PIN is created during initial installation of the gateway. All nodes in a cluster must share the same PIN.
Caution: Using the pin command incorrectly can render the gateway configuration unusable. The only recovery might be to reinstall and reconfigure the gateway.
Syntax
pin [set <generate | none | <HEX>>] [show] [update <none | <HEX>>] [zero]
Caution: The pin update command is not supported in clustered configurations. To change the PIN in a cluster, you must change the PIN on each node individually without other nodes booted.
Arguments
set <generate | none | <HEX>>
Restore PIN and allow the node to be added to the cluster:
• generate—generate a new PIN.
• HEX—PIN.
• none—disable use of the PIN.
Note: Use this command only when a new node is added to an existing cluster, or to restore a PIN on a computer on which the PIN was cleared.
show Show the PIN.
update <none | <HEX>>
Change the PIN:
• none—disable use of the PIN.
• HEX—PIN.
zero Clear the PIN from NVRAM.
Examples
pin update bcbea45fd841f7b0b9805b94563c0b86
Changes the current PIN value to a named PIN on the cluster node:
• Reads the current PIN from hardware (NVRAM).
• Decrypts the keying material by using the current PIN.
• Encrypts the keying material under the new PIN.
• Stores the new PIN in NVRAM.
pin update none
Similar to the pin update <HEX> command. Clears the PIN, leaving keying material unencrypted and intracluster communication unprotected. This applies to all nodes in a cluster.
pin set bcbea45fd841f7b0b9805b94563c0b86
Sets the PIN to the PIN number specified in NVRAM.
reboot
Use the reboot command to restart the gateway.
Syntax
reboot
Related Commands
See the “date” command on page 97.
See the “finger” command on page 140.
See the “schedule” command on page 103.
See the “show” command on page 105.
schedule
Use the schedule command to schedule backup and other administrative tasks.
Syntax
schedule [backup <<date/time> <PATH> <seconds>>] [bump] [cancel] [commit <date/time> <version>] [kernel <kernel_filename>] [list] [reboot <date/time>] [resume] [rollupgrade <date/time> <#nodes>] [session <date/time>] [stagreboot <date/time>] [suspend] [upgrade <date/time> <#nodes>]
Arguments
backup <<date/time> <PATH> <seconds>>
Note: The schedule backup command performs the same function as the backup save command.
Back up flash files:
• date/time—schedule time in the form dd/mm/yyyy-HH:MM:SS.
• PATH—path to a system.
• seconds—interval in seconds between backups.
bump Version of schedule commitment.
cancel Cancel all scheduled events.
commit <date/time> <version>
Note: Performs the same function as the kernel commit command.
Commit to new configuration files:
• date/time—schedule time in the form dd/mm/yyyy-HH:MM:SS.
• version—version number of configuration.
kernel <kernel_filename>
Note: Performs the same function as the kernel upgrade command.
Set filename of kernel for next upgrade:
• kernel_filename—name of kernel file for upgrade.
list List scheduled events.
reboot <date/time>
Note: Performs the same function as the reboot command.
Reboot all nodes in a cluster:
• date/time—schedule time in the form dd/mm/yyyy-HH:MM:SS.
resume Resume event schedule handler.
rollupgrade <date/time> <#nodes>
Rolling upgrade of all nodes in the cluster:
• date/time—schedule time in the form dd/mm/yyyy-HH:MM:SS.
• #nodes—number of nodes in the cluster.
session <date/time>
Session interval:
• date/time—schedule time in the form dd/mm/yyyy-HH:MM:SS.
stagreboot <date/time>
Reboot all nodes in sequence:
• date/time—schedule time in the form dd/mm/yyyy-HH:MM:SS.
suspend Suspend event schedule handler.
upgrade <date/time> <#nodes>
Upgrade all nodes in the cluster:
• date/time—schedule time in the form dd/mm/yyyy-HH:MM:SS.
• #nodes—number of nodes in the cluster.
Examples
schedule backup 27/08/2004-18:40:00 nfs://192.168.17.212/usr/local/fbackup 86400
The schedule command backs up the flash configuration files to the given file on an NFS server with the IP address 192.168.17.212 every 24 hours (86,400 seconds).
Related Commands
See the “backup” command on page 74.
See the “terminal” command on page 100.
See the “reboot” command on page 103.
show
Use the show command to display information about gateway modes and configuration settings.
Syntax
show
address-pool
arp <-a | -n | -<options> | <HOST>>
bootp-forwarder
cluster <-n | aggregation | keepalive | workspace>
configuration <active | pki <active | private | startup | <CR>> | startup | <CR>>
crypto
date
debug
dhcp-client
dhcp-server <client <A.B.C.D> | full | <CR>>
dialup
fastpath <-n | <CR>>
filter-cache
firewall <full | state | statistics | <CR>>
flash
fru
hardware
ike <-n | brief | full | statistics | <SEQ> | <ADDR> <brief | full | <CR>> | <fqdn> | <rfc822> | <CR>>
interface <statistics <eth-1 | eth-2 | eth-3 | eth-4 | loop-0> | status <eth-1 | eth-2 | eth-3 | eth-4 | loop-0>>
ip <anti-spoofing | connections | forwarding | icmp | nat <all | <CR>> | routes <<ADDR> | <CR>>>
ipsec <brief | full | <SPI> | <CR>>
ipsrd
  <bgp <errors | groups | memory | paths | peers <detailed | <A.B.C.D> <advertised | detailed | received> | <CR>> | statistics | <CR>>
  <configuration>
  <ipsec-peer <not-allowed-networks | peers <<A.B.C.D> <received> <CR> | <CR>> | protected-networks | <CR>>
  <memory>
  <ospf>
    <database <area | asbr-summary | checksum | database-summary | external | network | router | summary | type | <CR>> | errors <brief | dd | hello | ip | lsack | lsr | lsu | proto | <CR>>>
    <events>
    <interface <detail | <CR>>>
    <neighbor <detail | <A.B.C.D> | <CR>>>
    <packets>
    <CR>
  <rip <errors | interfaces | neighbors | packets | <CR>>>
  <route>
    <aggregate>
    <all <aggregate | bgp | direct | ipsec-peer | ospf | rip | static | <CR>>>
    <bgp <aspath | communities | detailed | metrics | suppressed | <CR>>>
    <destination <A.B.C.D>>
    <direct>
    <exact-match <A.B.C.D>>
    <inactive <aggregate | bgp | direct | ospf | rip | static | <CR>>>
    <ipsec-peer>
    <less-specific <A.B.C.D>>
    <more-specific <A.B.C.D>>
    <ospf>
    <rip>
    <static>
    <summary>
    <CR>
key <cache <all <full | brief> | chains <local | remote> <brief | full> | identities <local | remote> <brief | full> | names <brief | full> | public <local | remote> <brief | full>>>
key <info <all <brief | full> | blocked <brief | full> | certified <brief | full> | preshared <brief | full> | public <local | remote> <brief | full> | trusted-root <brief | full>>>
locks
logger
memory
modem
nat <arp | state | statistics>
ntpdate
oob
packet-trace
pending <brief | full>
policy <-n | brief | client <brief | full | matched> | full | gateway | ike | ipsec | matched | protnet | spd <brief | dynamic | full | matched | routing | static | <CR>> | <CR>>
pppoe <interface <CR> | profile <CR>>
processes
schedule
sensor <all | fan | ps | temp | volt>
snmp
ssh <[config | public-key auth]>
statistics <ah | esp | icmp | igmp | ike | ip | ipsec | nat | queue | random | replay | sa | sec-proc | tcp | udp | <CR>>
subsystem
syslog
terminal
version
vpdn <all | brief | ip-address <HOST> | username | <CR>>
vrrp
wanbackup
Arguments
address-pool Show address pool information.
arp <-a | -n | -<options> | <HOST>>
Show ARP tables:
• -a—display all ARP entries.
• -n—show addresses as numbers (valid only with -a or HOST).
• -<options>—combination of ARP options.
• HOST—host name or dotted-decimal address.
bootp-forwarder Show bootp-forwarder information.
cluster <-n | aggregation | keepalive | workspace>
Show cluster information:
• -n—do not look up symbolic host names.
• aggregation—show cluster aggregation statistics.
• keepalive—show cluster keepalive statistics.
• workspace—show cluster workspace assignments.
configuration <active | pki <active | private | startup | <CR>> | startup | <CR>>
Show active or startup configurations:
• active—show active configuration.
• pki—show PKI configuration.
• pki active—show active configuration.
• pki private—show private PKI configuration.
• pki startup—show startup configuration.
• pki <CR>—show active configuration.
• startup—show startup configuration.
• CR—show active configuration.
crypto Show IKE or IPSec run-time options.
date Show date and time.
debug Show current debug settings.
dhcp-client Show DHCP client information.
dhcp-server <client <A.B.C.D> | full | <CR>>
Show DHCP server status:
• client <A.B.C.D>—show DHCP information associated with the client at the specified IP address.
• full—show detailed DHCP server status.
• CR—show summary report.
dialup Show dialup information.
fastpath <-n | <CR>>
Show diagnostic IP fastpath information:
• -n—do not look up symbolic host names.
• CR—look up symbolic host names.
filter-cache Show packet-filter cache information.
firewall <full | state | statistics | <CR>>
Show firewall information:
• full—show active firewall rules in detail.
• state—show firewall state.
• statistics—show firewall statistics.
• CR—show active firewall rules.
flash Show flash memory information.
fru Show various FRU values from EEPROM.
hardware Show hardware information.
ike <-n | brief | full | statistics | <SEQ> | <ADDR> <brief | full | <CR>> | <fqdn> | <rfc822> | <CR>>
Note: Performs the same function as the crypto show ike command.
Show IKE security associations:
• -n—do not look up symbolic host names.
• brief—show IKE information in brief.
• full—show IKE information in full.
• statistics—show IKE statistics.
• SEQ—show the IKE SA with the given sequence number (SEQ).
• ADDR—show IKE SAs with the given peer IP address.
• ADDR brief—show IKE information for that address in brief.
• ADDR full—show IKE information for that address in full.
• ADDR CR—show IKE information for that address in the default display mode.
• fqdn—show IKE SAs by fully qualified domain name (FQDN) identity.
• rfc822—show IKE SAs by RFC 822 (e-mail address) identity.
• CR—show IKE information in the default display mode.
interface <statistics <eth-1 | eth-2 | eth-3 | eth-4 | loop-0> | status <eth-1 | eth-2 | eth-3 | eth-4 | loop-0>>
Show interface information:
• statistics—show network statistics for eth-1, eth-2, eth-3, eth-4 or loop-0.
• status—show interface status for eth-1, eth-2, eth-3, eth-4 or loop-0.
ip <anti-spoofing | connections | forwarding | icmp | nat <all | <CR>> | routes <<ADDR> | <CR>>>
Show IP information:
• anti-spoofing—show whether IP anti-spoofing (source address spoofing protection) is enabled or disabled.
• connections—show IP connection information.
• forwarding—show IP forwarding information.
• icmp—show ICMP information.
• nat—show NAT information.
• nat all—show the active NAT table entries of all subsystems.
• nat <CR>—show active IP NAT table entries.
• routes—show IP route information.
• routes ADDR—show the route for the given dotted-decimal address.
• routes <CR>—show all routing entries.
ipsec <brief | full | <SPI> | <CR>>
Note: Performs the same function as the crypto show ipsec command.
Show IPSec security associations:
• brief—show active SAs in brief.
• full—show active SAs in full.
• SPI—show the active SA with the given security parameter index (SPI).
• CR—show all active SAs.
ipsrd Show routing process state.
ipsrd <bgp <errors | groups | memory | paths | peers <detailed | <A.B.C.D> <advertised | detailed | received> | <CR>> | statistics | <CR>>>
Show BGP state information:
• errors—show BGP errors.
• groups—show BGP groups.
• memory—show BGP memory usage.
• paths—show BGP AS paths.
• peers—show a BGP peer summary.
• peers detailed—show all BGP peers in detail.
• peers <A.B.C.D> advertised—show the routes advertised to the peer at that address.
• peers <A.B.C.D> detailed—show that peer in detail.
• peers <A.B.C.D> received—show the routes received from that peer.
• statistics—show BGP statistics.
• CR—show a BGP summary.
ipsrd <configuration> Show IPSRD configuration file.
ipsrd <ipsec-peer <not-allowed-networks | peers <<A.B.C.D> <received | <CR>> | <CR>> | protected-networks | <CR>>>
Show IPSec-peer state information:
• not-allowed-networks—show networks not advertised by this peer.
• peers—show IPSec-peer peers.
• peers <A.B.C.D>—IPSec-peer IP address.
• peers <A.B.C.D> received—show networks received from that peer.
• peers <A.B.C.D> <CR>—show information about that peer.
• peers <CR>—show an IPSec peer summary.
• protected-networks—show networks protected and advertised by this peer.
• CR—show an IPSec-peer summary.
ipsrd <memory> Show memory usage.
ipsrd ospf <database <area | asbr-summary | checksum | database-summary | external | network | router | summary | type | <CR>> | errors <brief | dd | hello | ip | lsack | lsr | lsu | proto | <CR>> | events | interface <detail | <CR>> | neighbor <detail | <A.B.C.D> | <CR>> | packets | <CR>>
Show OSPF information:
• database—show the OSPF link-state database.
• database area—show the OSPF database by area.
• database asbr-summary—show ASBR-summary LSAs.
• database checksum—show OSPF database checksums.
• database database-summary—show a summary of the OSPF database.
• database external—show external LSAs.
• database network—show network LSAs.
• database router—show router LSAs.
• database summary—show summary LSAs.
• database type—show database entries of a given LSA type.
• database <CR>—show the OSPF database.
• errors—show OSPF errors.
• errors brief—show OSPF errors in brief.
• errors dd—show database description (DD) packet errors.
• errors hello—show hello packet errors.
• errors ip—show IP-level errors.
• errors lsack—show link-state acknowledgment errors.
• errors lsr—show link-state request errors.
• errors lsu—show link-state update errors.
• errors proto—show protocol errors.
• errors <CR>—show OSPF errors.
• events—show OSPF events.
• interface—show OSPF interfaces.
• interface detail—show OSPF interfaces in detail.
• interface <CR>—show OSPF interfaces.
• neighbor—show OSPF neighbors.
• neighbor detail—show OSPF neighbors in detail.
• neighbor <A.B.C.D>—show the OSPF neighbor at that address.
• neighbor <CR>—show OSPF neighbors.
• packets—show OSPF packets.
• CR—show an OSPF summary.
ipsrd <rip <errors | interfaces | neighbors | packets | <CR>>>
Show RIP state information:
• errors—show RIP errors.
• interfaces—show RIP interfaces.
• neighbors—show RIP neighbors.
• packets—show RIP packets.
• CR—show a RIP summary.
ipsrd <route <aggregate | all <aggregate | bgp | direct | ipsec-peer | ospf | rip | static | <CR>> | bgp <aspath | communities | detailed | metrics | suppressed | <CR>> | destination <A.B.C.D> | direct | exact-match <A.B.C.D> | inactive <aggregate | bgp | direct | ospf | rip | static | <CR>> | ipsec-peer | less-specific <A.B.C.D> | more-specific <A.B.C.D> | ospf | rip | static | summary | <CR>>>
Show active routes:
• aggregate—show active aggregate routes.
• all—show all routes.
• all aggregate—show all aggregate routes.
• all bgp—show all BGP routes.
• all direct—show all direct routes.
• all ipsec-peer—show all IPSec-peer routes.
• all ospf—show all OSPF routes.
• all rip—show all RIP routes.
• all static—show all static routes.
• all <CR>—show all routes.
• bgp—show active BGP routes.
• bgp aspath—show routes along with their AS paths.
• bgp communities—show routes along with their communities.
• bgp detailed—show routes in detail.
• bgp metrics—show routes along with their metrics.
• bgp suppressed—show suppressed routes.
• bgp <CR>—show active BGP routes.
• destination—show the route to a given destination.
• destination <A.B.C.D>—show the route to the destination address.
• direct—show active direct routes.
• exact-match—show a specific route.
• exact-match <A.B.C.D>—the route to match, given as an address or an address with mask length (masklen).
• inactive—show inactive routes.
• inactive aggregate—show inactive aggregate routes.
• inactive bgp—show inactive BGP routes.
• inactive direct—show inactive direct routes.
• inactive ospf—show inactive OSPF routes.
• inactive rip—show inactive RIP routes.
• inactive static—show inactive static routes.
• inactive <CR>—show inactive routes.
• ipsec-peer—show active IPSec-peer routes.
• less-specific—show routes that are less specific than a given route.
• less-specific <A.B.C.D>—the reference route, given as an address or an address with mask length (masklen).
• more-specific—show routes that are more specific than a given route.
• more-specific <A.B.C.D>—the reference route, given as an address or an address with mask length (masklen).
• ospf—show active OSPF routes.
• rip—show active RIP routes.
• static—show active static routes.
• summary—show a route summary.
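What the destination, exact-match, more-specific and less-specific queries return is easiest to see on a small table. The following Python program is an added example and not code from the gateway or its routing daemon: it holds a constructed route table and implements the four queries, assuming ordinary longest-prefix matching for destination and writing masklen routes as address/len. The table deliberately contains a RIP-learned /25 inside an ipsec-peer /24, which is the situation more-specific exists to expose: the narrower route diverts traffic for half of that subnet away from the VPN peer route.

```python
"""Route-table queries with the semantics of the ipsrd route show options.

Added example, not code from the Nokia gateway: a constructed routing table
and functions reproducing what 'destination', 'exact-match', 'more-specific'
and 'less-specific' select.  Routes with a mask length are written as
address/len; 'destination' uses longest-prefix match (an assumption).
"""
import ipaddress

# Constructed table: (prefix, protocol that installed it, next hop or interface)
ROUTES = [
    ("0.0.0.0/0", "static", "203.0.113.1"),
    ("10.0.0.0/8", "ospf", "10.1.0.1"),
    ("10.1.0.0/16", "ospf", "10.1.0.2"),
    ("10.1.5.0/24", "ipsec-peer", "198.51.100.7"),  # learned from a VPN peer
    ("10.1.5.0/25", "rip", "10.1.0.3"),             # more specific: wins for .0-.127
    ("172.16.0.0/12", "bgp", "203.0.113.9"),
    ("192.0.2.0/24", "direct", "eth-1"),
]
TABLE = [(ipaddress.ip_network(p), proto, nh) for p, proto, nh in ROUTES]


def _net(prefix):
    """Accept 'address' (a host route) or 'address/masklen'."""
    return ipaddress.ip_network(prefix, strict=False)


def destination(addr):
    """ipsrd route destination A.B.C.D: the route that forwards to addr
    (longest matching prefix) as (prefix, protocol, next hop), or None."""
    ip = ipaddress.ip_address(addr)
    matches = [r for r in TABLE if ip in r[0]]
    if not matches:
        return None
    best = max(matches, key=lambda r: r[0].prefixlen)
    return (str(best[0]), best[1], best[2])


def exact_match(prefix):
    """ipsrd route exact-match: only the route with exactly this prefix."""
    net = _net(prefix)
    for rnet, proto, nh in TABLE:
        if rnet == net:
            return (proto, nh)
    return None


def more_specific(prefix):
    """ipsrd route more-specific: routes strictly inside the given prefix,
    i.e. the ones that override it for part of its address space."""
    net = _net(prefix)
    hits = [rnet for rnet, _, _ in TABLE if rnet != net and rnet.subnet_of(net)]
    return [str(n) for n in sorted(hits, key=lambda n: (n.prefixlen, int(n.network_address)))]


def less_specific(prefix):
    """ipsrd route less-specific: routes that contain the given prefix,
    i.e. what traffic falls back to if this route is withdrawn."""
    net = _net(prefix)
    hits = [rnet for rnet, _, _ in TABLE if rnet != net and net.subnet_of(rnet)]
    return [str(n) for n in sorted(hits, key=lambda n: n.prefixlen)]


if __name__ == "__main__":
    print(destination("10.1.5.200"))   # the /24 ipsec-peer route
    print(destination("10.1.5.100"))   # the /25 RIP route shadows the VPN route
    print(more_specific("10.1.0.0/16"))
    print(less_specific("10.1.5.0/25"))
```

On the real gateway, run ipsrd route more-specific against each protected network after a policy change; any route it lists that was not installed by ipsec-peer is a candidate for traffic bypassing the tunnel.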
ipsrd <CR>> Show IPSRD summary.
key <cache <all <brief | full> | chains <local | remote> <brief | full> | identities <local | remote> <brief | full> | names <brief | full> | public <local | remote> <brief | full>>>
Show cached keying material:
• cache—show cached keying material.
• cache all—show all cached keying material.
• cache all brief—show all cached keying material in brief.
• cache all full—show all cached keying material in full.
• cache chains—show cached certificate chains.
• cache chains local—show cached local certificate chains.
• cache chains remote—show cached remote certificate chains.
• cache chains brief—show the selected cached certificate chains in brief.
• cache chains full—show the selected cached certificate chains in full.
• cache identities—show cached certificate identities.
• cache identities local—show cached local certificate identities.
• cache identities remote—show cached remote certificate identities.
• cache identities brief—show the selected cached certificate identities in brief.
• cache identities full—show the selected cached certificate identities in full.
• cache names—show cached certificate subject names.
• cache names brief—show cached certificate subject names in brief.
• cache names full—show cached certificate subject names in full.
• cache public—show cached uncertified public keys.
• cache public local—show cached local uncertified public keys.
• cache public remote—show cached remote uncertified public keys.
• cache public brief—show the selected cached uncertified public keys in brief.
• cache public full—show the selected cached uncertified public keys in full.
key <info <all <brief | full> | blocked <brief | full> | certified <brief | full> | preshared <brief | full> | public <local | remote> <brief | full> | trusted-root <brief | full>>>
Show keying material information:
• all—show all keys.
• all brief—show all keys in brief.
• all full—show all keys in full.
• blocked—show certificates that have been moved to the blocked certificate list.
• blocked brief—show blocked certified public keys in brief.
• blocked full—show blocked certified public keys in full.
• certified—show certified public keys (certificates).
• certified brief—show certified public keys in brief.
• certified full—show certified public keys in full.
• preshared—show preshared secrets used for IKE authentication.
• preshared brief—show preshared keys in brief.
• preshared full—show preshared keys in full.
• public—show public/private key pairs that are not certified.
• public local—show local uncertified public keys.
• public local brief—show local uncertified public keys in brief.
• public local full—show local uncertified public keys in full detail.
• public remote—show remote uncertified public keys.
• public remote brief—show remote uncertified public keys.
• public remote full—show remote uncertified public keys in full detail.
• trusted-root—show certificates of certification authorities known as trusted roots.
• trusted-root brief—show trusted certification authority root keys.
• trusted-root full—show trusted certification authority root keys in full.
locks Show lock information.
logger Show logger statistics.
memory Show memory statistics.
modem Show modem information.
nat <arp | state | statistics>
Show NAT information:
• arp—show ARP entries.
• state—show active NAT table entries.
• statistics—show NAT statistics.
ntpdate Show ntpdate statistics.
oob Show out-of-band (OOB) management information.
packet-trace Show packet trace information.
pending <brief | full>
Show pending security associations (SAs):
• brief—show pending SAs in brief.
• full—show pending SAs in full.
policy <-n | brief | client <brief | full | matched | <CR>> | full | gateway | ike | ipsec | matched | protnet | spd <brief | dynamic | full | matched | routing | static | <CR>> | <CR>>
Show the security policy database:
• -n—do not look up symbolic host names.
• brief—show all policies in brief.
• client—show the client access control list.
• client brief—show all client policies in brief.
• client full—show all client policies in full.
• client matched—show only matched client access entries.
• client <CR>—show the client policy.
• full—show all policies in full.
• gateway—show gateway associations.
• ike—show IKE policy records.
• ipsec—show IPSec policy records.
• matched—show only matched selectors and client access entries.
• protnet—show the protected networks database.
• spd—show the security policy database.
• spd brief—show all policies in brief.
• spd dynamic—show only dynamic selectors.
• spd full—show all policies in full.
• spd matched—show only matched selectors.
• spd routing—show only routing selectors.
• spd static—show only static selectors.
• spd <CR>—show the SPD.
• CR—show the crypto policy in brief.
pppoe <interface <CR> | profile <CR>>
Show Point-to-Point Protocol over Ethernet (PPPoE) information:
• interface—PPPoE interface information.
• interface <CR>—show existing PPPoE interfaces.
• profile—PPPoE profile information.
• profile <CR>—show all existing profiles.
processes Show process status.
schedule Lists currently scheduled events.
sensor <all | fan | ps | temp | volt>
Show sensor values:
• all—show all sensor values.
• fan—show only fan sensor values.
• ps—show only power supply sensor values.
• temp—show only temperature sensor values.
• volt—show only voltage sensor values.
snmp Show SNMP information.
ssh <config | public-key auth>
Show the active SSH configuration, including the supported ciphers, connections per period, the SSH-enabled interface name, the login grace time and the SSH port:
• config—display the active SSH configuration.
• public-key auth—display the user name and the MD5 hash (fingerprint) of the public key authorized for it.
statistics <ah | esp | icmp | igmp | ike | ip | ipsec | nat | queue | random | replay | sa | sec-proc | tcp | udp | <CR>>
Show protocol statistics:
• ah—show Authentication Header (AH) statistics.
• esp—show Encapsulating Security Payload (ESP) statistics.
• icmp—show ICMP statistics.
• igmp—show IGMP statistics.
• ike—show IKE statistics.
• ip—show IP statistics.
• ipsec—show IPSec statistics.
• nat—show NAT statistics.
• queue—show sequencing queue statistics.
• random—show random number generator statistics.
• replay—show IPSec replay detection statistics.
• sa—show security association statistics.
• sec-proc—show security processor statistics.
• tcp—show TCP statistics.
• udp—show UDP statistics.
• CR—show all statistics.
subsystem Show subsystem information.
syslog Show syslog information.
terminal Show terminal information.
version Show version information.
vpdn <all | brief | ip-address <HOST> | username | <CR>>
Show L2TP and PPTP (VPDN) information:
• all—show all L2TP and PPTP (VPDN) information.
• brief—show summary L2TP and PPTP (VPDN) information.
• ip-address—show L2TP and PPTP (VPDN) information for the specified IP address.
• ip-address <HOST>—host name or dotted-decimal address.
• username—show L2TP and PPTP (VPDN) information for the specified username.
• CR—show all L2TP and PPTP (VPDN) information.
vrrp Show virtual router information.
wanbackup Show WANBACKUP information.
tcpdump
Use the tcpdump command to control the operations of both the native tcpdump application and the tcpdump client-server application.
Note: In Nokia AOS Ver 6.3, tcpdump is available both as a native application and as a client-server application.
Syntax
Use the tcpdump command to invoke:
Native tcpdump application—you execute the native tcpdump application when you enter tcpdump <tcpdump options> or tcpdump <CR>. The native application requires no additional software and runs in the same manner from the console window, a Telnet window or an SSH window. The forms tcpdump <tcpdump options> and tcpdump <CR> are available only for the native tcpdump application. These commands run continuously until a key is pressed; once a key is pressed, the native tcpdump application exits. (For the command tcpdump -h, or on an error condition, the application exits automatically.) The native tcpdump application shares the tcpdump command with the tcpdump server subcommands and is based on tcpdump 3.8.3.
Note: The following tcpdump 3.8.3 options are not supported in the current version of Nokia AOS Ver 6.3: -y, -m, -U, -D and -E.
tcpdump client-server—to run the client-server tcpdump application, you must activate the tcpdump server on the Nokia AOS Ver 6.3 platform with the command tcpdump enable. The tcpdump client runs on another platform, for example a FreeBSD host. The server is controlled in the same manner from the console window, a Telnet window or an SSH window. The following command options apply to the tcpdump server only: tcpdump disable, tcpdump enable, tcpdump port <port> and tcpdump secret <secret>.
Caution: The tcpdump server taps traffic travelling through the security gateway, so anyone who can reach it can read that traffic. Enable the tcpdump server only under controlled and secure circumstances: restrict it to a single client address with tcpdump enable <A.B.C.D>, set a secret with tcpdump secret, and run tcpdump disable as soon as the capture is finished.
tcpdump <tcpdump options>
tcpdump [-aAdeflLnNOpqRStuvxX] [-c count] [-C filesize] [-F file] [-i interface] [-r file] [-s snaplen] [-T type] [-w file] [expression]
tcpdump [disable] [enable <<A.B.C.D> | <CR>>] [port <port>] [secret <secret>] <CR>
You can also type tcpdump -h for usage. Visit http://www.tcpdump.org/tcpdump_man.html, or consult the product documents, for more information.
Note: Use the command tcpdump -h to list the native tcpdump command options.
Arguments
<tcpdump options>
tcpdump [-aAdeflLnNOpqRStuvxX] [-c count] [-C filesize] [-F file] [-i interface] [-r file] [-s snaplen] [-T type] [-w file] [expression]
Note: Enter the command tcpdump -h to view all available options.
• -a—attempt to convert network and broadcast addresses to names.
• -A—print each packet (minus its link-level header) in ASCII.
• -d—dump the compiled packet-matching (filter) code in human-readable form and exit.
• -e—print the link-level (Ethernet) header on each dump line.
• -f—print foreign IPv4 addresses numerically rather than symbolically.
• -l—make stdout line buffered (useful when piping the output to another program).
• -L—list the data link types available for the interface and exit.
• -n—do not convert addresses (host addresses, port numbers) to names.
• -N—do not print the domain name qualification of host names.
• -O—do not run the packet-matching code optimizer.
• -p—do not put the interface into promiscuous mode.
• -q—quick (quiet) output: print less protocol information, so lines are shorter.
• -R—assume ESP/AH packets follow the old specification (RFC 1825 to RFC 1829); the replay prevention (sequence number) field is then not printed.
• -S—print absolute rather than relative TCP sequence numbers.
• -t—do not print a timestamp on each dump line.
• -u—print undecoded NFS handles.
• -v—verbose output.
• -x—print each packet (minus its link-level header) in hex.
• -X—print each packet (minus its link-level header) in hex and ASCII.
• [-c count]—exit after receiving count packets.
• [-C file_size]—rotate the dump file written with -w once it reaches file_size million bytes.
• [-F file]—read the filter expression from file.
• [-i interface]—capture on the interface given in Ethernet<num> or eth-<num> format.
• [-r file]—read packets from file rather than from an interface.
• [-s snaplen]—capture snaplen bytes of data from each packet rather than the default.
• [-T type]—force packets selected by expression to be interpreted as the specified type. Currently known types are: Remote Procedure Call (rpc), Real-Time Applications protocol (rtp), Real-Time Applications control protocol (rtcp), Visual Audio Tool (vat), and distributed White Board (wb).
• [-w file]—write the raw packets to file rather than parsing and printing them.
• [expression]—a filter that selects which packets to print or save. For example, host 172.19.184.25 and port 22 selects SSH traffic to or from 172.19.184.25.
An expression consists of one or more primitives. A primitive consists of an ID (a name or number) preceded by one or more qualifiers. There are three kinds of qualifier:
• type—defines what the ID name or number refers to. Possible types are host, net and port; for example host foo, net 128.3, port 20. If there is no type qualifier, host is assumed.
• dir—specifies a transfer direction to or from the ID. Possible directions are src, dst, src or dst and src and dst; for example src foo, dst net 128.3, src or dst port ftp-data. If there is no dir qualifier, src or dst is assumed. For null link layers (point-to-point protocols such as SLIP) the inbound and outbound qualifiers may be used to specify a direction.
• proto—restricts the match to a particular protocol. Possible protocols are ether, fddi, ip, arp, decnet, lat, sca, moprc, mopdl, iso, esis, isis, tcp and udp; for example ether src foo, arp net 128.3, tcp port 21. If there is no proto qualifier, all protocols consistent with the type are assumed: src foo means (ip or arp or rarp) src foo (except that the latter is not legal syntax), net bar means (ip or arp or rarp) net bar, and port 53 means (tcp or udp) port 53.
Primitives may be combined using:
• Negation (! or not).
• Concatenation (&& or and).
• Alternation (|| or or).
Negation has the highest precedence. Alternation and concatenation have equal precedence and associate left to right, so port 22 or port 53 and host foo is read as (port 22 or port 53) and host foo, not as port 22 or (port 53 and host foo); use parentheses when you need a different grouping.
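The qualifier defaults and the left-to-right precedence rule above are easy to get wrong when writing a capture filter on the gateway, and a wrong filter quietly drops the packets you were looking for. The following Python program is an added example, not code from the Nokia gateway or from tcpdump: it implements exactly the rules listed (type defaults to host, dir to src or dst, proto to whatever is consistent with the type; not binds tightest; and and or at equal precedence, left to right) and evaluates an expression against a few constructed packets. The packet dicts, the SERVICES table and the bare-protocol form ("icmp" on its own) are assumptions for the example; MAC-level qualifiers such as ether and fddi are not modelled.

```python
"""tcpdump filter evaluator following the manual's qualifier and precedence rules.
Added example, not code from the Nokia gateway or from tcpdump.  Type defaults to
host, dir to 'src or dst', proto to what is consistent with the type; 'not' binds
tightest; 'and' and 'or' share one precedence level and associate left to right.
Packets are constructed dicts; ether/fddi-level qualifiers are not modelled."""
import ipaddress

TYPES = ("host", "net", "port")
PROTOS = ("ip", "arp", "rarp", "tcp", "udp", "icmp")
OPS = {"and": "and", "&&": "and", "or": "or", "||": "or"}
SERVICES = {"ftp-data": 20, "ftp": 21, "ssh": 22, "telnet": 23, "domain": 53}  # constructed

def parse_net(ident):
    """'128.3' means 128.3.0.0/16 (tcpdump's dotted-prefix rule)."""
    parts = ident.split(".")
    return ipaddress.ip_network(".".join(parts + ["0"] * (4 - len(parts))) + "/%d" % (8 * len(parts)))

def packet_protos(pkt):
    """Names a packet is consistent with: arp/rarp, or ip plus its transport protocol."""
    return {pkt["proto"]} if pkt["proto"] in ("arp", "rarp") else {"ip", pkt["proto"]}

def primitive(protos, direction, qtype, ident):
    """Compile one [proto] [dir] [type] id primitive into a packet predicate."""
    def field(pkt, name):
        if qtype == "port":
            return name in pkt and pkt[name] == int(SERVICES.get(ident, ident))
        return pkt[name] == ident if qtype == "host" else ipaddress.ip_address(pkt[name]) in ident
    def match(pkt):
        if not protos & packet_protos(pkt):
            return False
        if qtype is None:  # bare protocol primitive such as "icmp"
            return True
        s, d = [field(pkt, n) for n in (("sport", "dport") if qtype == "port" else ("src", "dst"))]
        return {"src": s, "dst": d, "src or dst": s or d, "src and dst": s and d}[direction]
    return match

def compile_filter(expr):
    toks, pos = expr.replace("!", "! ").split(), [0]  # '!port' -> '!', 'port'; pos is a shared cursor
    def peek(k=0):
        return toks[pos[0] + k] if pos[0] + k < len(toks) else None
    def take():
        pos[0] += 1
        return toks[pos[0] - 1]

    def parse_primitive():
        protos = None
        if peek() in PROTOS:
            protos = {take()}
            if peek() is None or peek() in OPS:  # bare "tcp", "icmp", ...
                return primitive(protos, None, None, None)
        direction = "src or dst"  # default dir
        if peek() in ("src", "dst"):
            if peek(1) in ("or", "and") and peek(2) in ("src", "dst"):  # "src or dst", "src and dst"
                direction = "src and dst" if (take(), take(), take())[1] == "and" else "src or dst"
            else:
                direction = take()
        qtype = take() if peek() in TYPES else "host"  # default type
        ident = peek()
        if ident is None or ident in OPS or ident in ("not", "!"):
            raise ValueError("qualifier without an id")
        take()
        if protos is None:  # default proto: whatever is consistent with the type
            protos = {"tcp", "udp"} if qtype == "port" else {"ip", "arp", "rarp"}
        elif qtype == "port" and not protos <= {"tcp", "udp"}:
            raise ValueError("port is not consistent with %s" % sorted(protos))
        return primitive(protos, direction, qtype, parse_net(ident) if qtype == "net" else ident)

    def parse_term():
        if peek() in ("not", "!"):  # negation has the highest precedence
            take()
            inner = parse_term()
            return lambda p: not inner(p)
        return parse_primitive()

    def parse_expression():
        # 'and'/'or' are equal and left-associative: "a or b and c" is "(a or b) and c"
        left = parse_term()
        while peek() in OPS:
            op, right = OPS[take()], parse_term()
            left = (lambda a, b, o: lambda p: a(p) and b(p) if o == "and" else a(p) or b(p))(left, right, op)
        return left

    fn = parse_expression()
    if peek() is not None:
        raise ValueError("unexpected token %r" % peek())
    return fn

def select(expr, packets):
    fn = compile_filter(expr)  # indices of the packets tcpdump would print for expr
    return [i for i, p in enumerate(packets) if fn(p)]

# Constructed sample packets: an SSH session, a DNS query, an ICMP echo and an ARP frame.
PACKETS = [
    {"proto": "tcp", "src": "192.0.2.10", "dst": "172.19.184.25", "sport": 40001, "dport": 22},
    {"proto": "tcp", "src": "172.19.184.25", "dst": "192.0.2.10", "sport": 22, "dport": 40001},
    {"proto": "udp", "src": "192.0.2.10", "dst": "198.51.100.53", "sport": 5353, "dport": 53},
    {"proto": "icmp", "src": "128.3.4.5", "dst": "192.0.2.10"},
    {"proto": "arp", "src": "128.3.0.9", "dst": "128.3.0.1"},
]
```

select("port 22 or port 53 and src 192.0.2.10", PACKETS) returns [0, 2]: the or is applied first, so the reply packet from the SSH server (index 1) is excluded by the trailing src clause, which is usually not what the author of such a filter meant.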
disable Disable tcpdump server.
enable <<A.B.C.D> | <CR>>
Enable the tcpdump server:
• <A.B.C.D>—IP address to which the tcpdump service is restricted.
• CR—allow any IP address.
port <port>
TCP port to listen on:
• port—TCP port number to use.
Default: 4000
secret <secret>
Set the tcpdump server SSL authentication secret:
• secret—secret used to authenticate the incoming SSL connection.
<CR> Start tcpdump.
Related Commands
See the “netstat” command on page 142.
See the “ping” command on page 144.
See the show interface command in “show” on page 105.
See the “traceroute” command on page 148.
See the “telnet” command on page 147.
terminal
Use the terminal command to set the terminal characteristics for the current console session.
Syntax
terminal [editing-style <emacs | vms>] [idle-timeout <seconds>] [length <0-512>] [more <enable | disable>] [width <0-512>]
Arguments
editing-style <emacs | vms>
Set the terminal editing style:
• emacs—set the editing style to emacs.
• vms—set the editing style to vms.
Default: emacs
idle-timeout <seconds>
The timeout in seconds for idle sessions. If set to zero, no timeout occurs:
• seconds—idle session timeout in seconds (0 to 10000000).
Default: 60 seconds
length <0-512>
Set the terminal page length in lines:
• 0 to 512—terminal page length.
Default: 24 lines
more <enable | disable>
When auto-more is enabled, the CLI pauses the output of commands that are longer than the terminal page length and prompts you to press the spacebar to view the next page of output, or the q key to quit scrolling. When auto-more is disabled, the terminal page length is ignored. Set the auto-more value:
• enable—enable auto-more.
• disable—disable auto-more.
Default: enable
width <0-512>
Set the terminal line width in characters:
• 0 to 512—terminal width.
Default: 80 characters
Related Commands
See the “telnet” command on page 147.
See the show terminal command in “show” on page 105.
See the “log” command on page 166.
validate
Use the validate command to find out what action the gateway takes when a given packet is sent or received. The command:
Inspects the selectors.
Determines which filter applies to the packet.
Determines whether the cluster drops the packet, passes it in the clear, or protects it with IPSec.
When these checks are complete, the command actively tries to bring up IKE and IPSec security associations if a protect selector matches, so running it has the side effect of initiating a negotiation with the peer.
Syntax
validate <any | gre | icmp | ipinip | tcp | udp | <NUMBER>> <SRC-ADDR> <any | <SRC-PORT>> <DST-ADDR> <any | <DST-PORT>>
Arguments
any Any protocol.
gre Select GRE protocol.
icmp Select ICMP protocol.
ipinip Select IPINIP protocol.
tcp Select TCP protocol.
udp Select UDP protocol.
<NUMBER> IP protocol number.
<SRC-ADDR> Dotted-decimal address of the source.
<any | <SRC-PORT>>
• any—any port.
• SRC-PORT—port number of the source.
<DST-ADDR> Dotted-decimal address of the destination.
<any | <DST-PORT>>
• any—any port.
• DST-PORT—port number of the destination.
Examples
validate tcp 172.16.32.12 any 10.134.66.5 23
Inspects and tries the gateway filters for traffic from 172.16.32.12 (from any port) to the Telnet server port on 10.134.66.5.
Configuration Mode Commands
Use the following configuration mode commands to perform gateway administration.
Command Description
crypto Configure IPSec processing options.
deployment_hub Configure the deployment hub for this gateway.
disable Disable subsystems.
enable Enable subsystems.
hostname Configure the system host name.
icmp Configure ICMP processing.
ipsec-client Specify WINS information given to the IPSec clients.
ldap-server Configure LDAP-server parameters.
modem Configure modem settings.
oob Configure out-of-band management settings.
panic Set the behavior of the panic call.
radius Configure RADIUS values.
terminal Configure the default terminal parameters.
uuid Configure the configuration version UUID.
crypto
Use the crypto command to configure the behavior of IPSec processing on the node:
Enable or disable copying of the don’t fragment (DF) bit from the inner IP header to the IPSec tunnel header when encapsulating a packet. This option is disabled by default.
Enable or disable replay detection for IPSec SAs.
Select whether host-generated ICMP errors are forwarded for transport mode SAs. For more information about host-generated ICMP errors, see RFC 2401.
For a comprehensive list of IPSec configuration commands, see “Configuring Policy Configuration System” on page 219.
Syntax
Config# [no] crypto [copy-df] [dead-peer-detection] [deferred-delete] [diff-serv] [dpd-interval <seconds>] [dpd-retries <count>] [host-icmp] [ike-retries <count>] [nat-traversal] [replay] [spd-sorting] [stable] [<CR>]
Arguments
no Negate the command.
copy-df IPSec encapsulation copies the DF bit to the outer header. Default: off
dead-peer-detection Perform Dead Peer Detection (DPD).
deferred-delete Defer deletion of the main mode (IKE) SA when all of its underlying IPSec SAs are deleted. Default: on
diff-serv Perform differentiated services marking. For more information about diff-serv, see “diff-serv” on page 60. Default: on
dpd-interval <seconds>
DPD liveness check interval (worry metric):
• seconds—time in seconds.
Valid range: 2 to 3600 seconds
Default: 30 seconds
dpd-retries <count>
DPD message retry count:
• count—number of DPD messages to send before giving up.
Valid range: 2 to 10
Default: 3 retries
host-icmp Forward host-generated ICMP errors for transport mode SAs. Default: on
ike-retries <count>
IKE message retry count:
• count—number of IKE messages to send before giving up.
Valid range: 2 to 10
Default: 5 retries
nat-traversal Perform Nokia-proprietary IPSec over UDP encapsulation when NAT or PAT is detected on the path. Valid for client-server connections only. Default: off
replay Perform replay detection when it is negotiated. Default: off
spd-sorting Allow or disallow sorting of IPSec selectors in the SPD. Default: sort IPSec selectors in the SPD.
stable Policy reload assumes stable policy database indices. Default: off
<CR> Exit. At least one option must be specified.
deployment_hub
Use the deployment_hub command to send Hello packets that maintain an IPSec connection with the deployment hub, thereby informing the hub of the current external IP address of the dynamic gateway and maintaining continuous management and VPN connectivity.
Syntax
Config# [no] deployment_hub hellointerval <minutes> source <A.B.C.D> destination <A.B.C.D> timeout <seconds>
Arguments
no Negate the command.
hellointerval <minutes>
Deployment proxy hello-packet frequency:
• minutes—number of minutes to wait between hello packets.
source <A.B.C.D> destination <A.B.C.D>
Source address used for packets sent to the deployment hub, and the address of the deployment hub itself:
• source <A.B.C.D>—address from which packets sent to the deployment hub are sourced.
• destination <A.B.C.D>—address of the deployment hub.
Note: This command attempts to initiate communication between the dynamic gateway and the hub. As a result, an IPSec tunnel is established.
timeout <seconds>
Deployment proxy timeout setting:
• seconds—number of seconds a connection to a dynamic gateway may remain idle.
Default: 60 seconds
disable
Use the disable command to disable the specified subsystem.
Syntax
Config# disable [dhcp] [dialup] [firewall] [ipsec] [ipsrd] [l2tp] [oob] [pptp] [sshd] <CR>
Arguments
dhcp Disable the DHCP server.
dialup Disable dialup PPP.
firewall Disable firewall processing.
ipsec Disable IKE and IPSec processing.
ipsrd Disable IPSRD processing.
Note: Disabling IPSRD on any node of a cluster automatically disables IPSRD on all nodes of the cluster.
l2tp Disable L2TP processing.
oob Disable out-of-band management.
pptp Disable PPTP processing.
sshd Disable the SSH server.
<CR> Exit. At least one option must be specified.
enable
Use the enable command to enable the specified subsystem.
Syntax
Config# enable [dhcp] [dialup] [firewall] [ipsec] [ipsrd] [l2tp] [oob] [pptp] [sshd] <CR>
Arguments
dhcp Enable DHCP processing.
dialup Enable dialup PPP.
firewall Enable firewall processing.
ipsec Enable IKE and IPSec processing.
ipsrd Enable IPSRD processing.
Note: Enabling IPSRD on any node of a cluster automatically enables IPSRD on all nodes of the cluster.
l2tp Enable L2TP processing.
oob Enable out-of-band management.
pptp Enable PPTP processing.
sshd Enable the SSH server.
Note: To enable password authentication between the SSH server and the SSH client, you must also set login source ssh local.
<CR> Exit. At least one option must be specified.
hostname
Use the hostname command to configure the system host name. In a nonclustered environment, the host name is used as part of the FQDN in certificate signing requests. The host name is also displayed as the CLI command mode prompt.
Syntax
Config# [no] hostname <hostname>
Arguments
no Negate the command.
hostname <hostname>
• hostname—system host name. You can specify a maximum of 63 characters.
Examples
Config# hostname server-1
Changes the system host name to server-1.
Related Commands
See the Config# cluster name command in “cluster” on page 50.
icmp
Use the icmp command to alter the behavior of ICMP packets generated and received by the node.
Syntax
Config# [no] icmp [allow] [bmcast] [bypass] [ignore] [prohibit] [rate-limit <rate-limit>] [redirects] [source-filter] [stealth] [unreach <filter | host | net>] [<CR>]
Arguments
no Negate the command.
allow Control the processing of inbound ICMP redirects to the cluster. Default: off
bmcast Control processing of ICMP responses to broadcast and multicast ICMP requests.
bypass Control the sending of locally generated ICMP errors, even if a drop filter would normally apply to these packets. Default: on
ignore Cause the cluster to ignore all inbound ICMP errors, with the exception of packet too big. Default: on
prohibit Control the sending of ICMP errors that indicate that traffic cannot traverse the filtering cluster. Default: off
rate-limit <rate-limit>
ICMP responses are sent at no more than the specified rate:
• rate-limit—the ICMP rate limit in messages per second.
redirects Allow for the sending of ICMP redirects by the cluster. Default: off
source-filter Control source-address filtering of ICMP packets.
stealth Enable or disable stealth mode on the external interface. When stealth mode is enabled, the gateway does not generate ICMP errors or TCP resets in response to traffic arriving on that interface, so closed ports and dropped packets produce no reply.
Note: This option is useful for hiding from port scanners.
unreach <filter | host | net>
Set the ICMP destination unreachable code used for errors generated because a filter requires IPSec protection or drops the packet (the default filter):
• filter—FILTER-PROHIBIT (code 13).
• host—HOST-PROHIBIT (code 10).
• net—NET-PROHIBIT (code 9).
<CR> Exit. At least one option must be specified.
ipsec-client
Use the ipsec-client command to specify the WINS servers that are provided to IPSec clients that request internal addressing from the gateway.
Syntax
Config# [no] ipsec-client wins <A.B.C.D> [<A.B.C.D>] [<A.B.C.D>] | <CR>
Arguments
no Negate the command.
wins <A.B.C.D> [<A.B.C.D>] [<A.B.C.D>] | <CR>
Specify WINS information:
• <A.B.C.D>—IP address of a WINS server. You can specify a maximum of three WINS servers.
• CR—exit. At least one WINS server must be specified.
ldap-server
Use the ldap-server command to configure the LDAP server parameters.
Note: The LDAP server is used to authorize users, and to store the Certificate Revocation List (CRL) and the device certificates that the internal CA issues.
Syntax
Config# [no] ldap-server <server name | id> <LDAP server address> <LDAP server port> <as_active_directory | as_openldap> <LDAP search timeout> <LDAP base DN> <base | onelevel | tree> <initial bind DN> <<0|1|2|3> <encoded bind password> | <bind password in clear text>> <<attribute> | <CR>>
Arguments
<server name | id> Any ASCII string that identifies the LDAP server (maximum of 30 characters).
<LDAP server address> IP address, in dotted-decimal form, of the system on which the LDAP server is running.
<LDAP server port> TCP port on which the LDAP server listens.
<as_active_directory | as_openldap>
• as_active_directory—server behaves like an active directory server.
• as_openldap—server behaves like a general openldap server.
<LDAP search timeout> Number of seconds after which an incomplete search times out.
<LDAP base DN> DN string at which the search starts.
Note: You must specify the base DN within quotation marks.
<base | onelevel | tree> The LDAP directory search scope:
• base—search the base entry only.
• onelevel—search all entries one level below the base entry.
• tree—search the base entry and the entire subtree below it.
<initial bind DN> Bind DN of a user with LDAP search privileges.
Note: You must specify the bind DN within quotation marks.
<0|1|2|3> <encoded bind password> | <bind password in clear text>
• 0|1|2|3—password encoding type (0 = none, 1 = des, 2 = md5, 3 = md5 network).
• encoded bind password—encoded bind password of the user with LDAP search privileges.
• bind password in clear text—bind password of the user with LDAP search privileges, in clear text.
<attribute> | <CR> The attribute must be specified when LDAP is used to authenticate users. Its value must be a user name: the gateway searches directory entries for the specified attribute and matches the user name against the value stored in it. Default attribute: uid
• attribute—attribute to be used in the search filter.
• CR—use the default attribute (uid).
Examples
Config# ldap-server corporateLDAPserver 10.0.4.35 389 as_openldap 30 "o=Nokia,c=US" tree "CN=Admin,ou=Engineer,ou=AmericasDevision,o=Nokia,c=US" secretPW123 uid
Configures an OpenLDAP-style LDAP server (the server-type keyword is required by the syntax above), searching the whole tree below o=Nokia,c=US with a 30-second timeout, binding with a clear-text password, and matching user names on the uid attribute.
Config# ldap-server remote-site-server 132.239.4.35 389 as_openldap 45 "o=WesternCo,c=US" base "CN=Admin,ou=Management,o=WesternCo,c=US" super-123-secret
Configures an LDAP server that searches only the base entry o=WesternCo,c=US and matches user names on the default attribute (uid).
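The lookup that the <attribute> argument describes (find the entry under the base DN, within the chosen scope, whose attribute equals the supplied user name) is where LDAP authentication goes wrong when the user name is attacker-controlled. The following Python is an added example, not Nokia code and not the gateway's implementation: it escapes the value per RFC 4515 before placing it in an equality filter, and models the base, onelevel and tree scopes on DNs built from the example above. The DNs and user names are constructed for illustration.

```python
"""Added example (not from the Nokia manual): building the user-name lookup that an
LDAP authentication step performs, safely. Filter values are escaped per RFC 4515 and
the base/onelevel/tree scopes are modelled on DNs. All DNs and names are constructed."""
from typing import List

# RFC 4515 section 3: these characters must be escaped inside an assertion value,
# otherwise "*)(uid=*" turns a lookup for one user into a match on any user.
_FILTER_ESCAPES = {"\\": r"\5c", "*": r"\2a", "(": r"\28", ")": r"\29", "\x00": r"\00"}


def escape_filter_value(value: str) -> str:
    """Escape an attacker-controllable value before it goes into a search filter."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def user_filter(attribute: str, username: str) -> str:
    """Equality filter for the lookup described under <attribute>: (uid=<name>) by default.
    The attribute name comes from configuration, not from the user, but is validated
    anyway (letters, digits and hyphens cover the names this manual uses)."""
    if not attribute or not attribute.replace("-", "").isalnum():
        raise ValueError(f"not an attribute description: {attribute!r}")
    return f"({attribute}={escape_filter_value(username)})"


def split_dn(dn: str) -> List[str]:
    """Split a DN into its RDN strings on unescaped commas, normalised to lower case."""
    rdns, current, escaped = [], [], False
    for ch in dn:
        if escaped:
            current.append(ch)
            escaped = False
        elif ch == "\\":
            current.append(ch)
            escaped = True
        elif ch == ",":
            rdns.append("".join(current).strip().lower())
            current = []
        else:
            current.append(ch)
    rdns.append("".join(current).strip().lower())
    return rdns


def in_scope(entry_dn: str, base_dn: str, scope: str) -> bool:
    """Would a search rooted at base_dn with the given scope (base | onelevel | tree)
    return entry_dn? An entry outside the base's subtree is never visible."""
    entry, base = split_dn(entry_dn), split_dn(base_dn)
    if len(entry) < len(base) or entry[-len(base):] != base:
        return False
    depth = len(entry) - len(base)
    if scope == "base":
        return depth == 0
    if scope == "onelevel":
        return depth == 1
    if scope == "tree":
        return True
    raise ValueError(f"unknown scope {scope!r}")


if __name__ == "__main__":
    print(user_filter("uid", "alice"))             # (uid=alice)
    print(user_filter("uid", "*)(uid=*"))          # injection attempt, neutralised
    base = "o=Nokia,c=US"                          # base DN from the example above
    for scope in ("base", "onelevel", "tree"):
        print(scope, in_scope("uid=alice,ou=Engineer,o=Nokia,c=US", base, scope))
```

With scope tree, the user entry two levels below the base is found; with onelevel or base it is not, which is the usual cause of "user not found" after an ldap-server change.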
modem
Use the modem command to configure a serial interface and modem settings.
Syntax
Config# modem
  dialmode <pulse | tone>
  initstring <XXX...XXX>
  speed <9600 | 19200 | 38400 | 57600 | 115200 | 230400 | 460800>
  type <standard | custom>
Arguments
dialmode <pulse | tone> Configure the dial mode:
• pulse—pulse dialing.
• tone—tone dialing.
initstring <XXX...XXX> Configure the modem initialization string:
• <XXX...XXX>—initialization string.
speed <9600 | 19200 | 38400 | 57600 | 115200 | 230400 | 460800> Override the default modem speed (57600):
• 9600, 19200, 38400, 57600, 115200, 230400 or 460800—serial speed in baud.
type <standard | custom> Override the default modem type (standard):
• standard—standard modem type.
• custom—custom modem type.
oob
Use the oob command to manage out-of-band (OOB) devices. It allows you to connect to and manage a device at a remote location when you cannot reach it over the network, for example because an Ethernet interface or the external interface has failed.
Note: To configure oob, you must first enable it with the Config# enable oob command. You can disable oob with the Config# disable oob command.
Note: The oob dial-in user name and password must already exist as a PPP user.
Syntax
Config# oob localip <A.B.C.D> remoteip <A.B.C.D> idletimeout <value> vjcomp <yes | no>
Arguments
localip <A.B.C.D> Configure the local IP address:
• <A.B.C.D>—local IP address used for out-of-band management.
remoteip <A.B.C.D> Configure the remote IP address:
• <A.B.C.D>—remote IP address used for out-of-band management.
idletimeout <value> Configure the idle timeout:
• value—idle timeout in minutes.
vjcomp <yes | no> Configure Van Jacobson TCP/IP header compression (vjcomp) on the PPP link:
• yes—enable vjcomp.
• no—disable vjcomp.
panic
Use the panic command to set the behavior of the panic function call. This setting determines what Nokia IP VPN Gateway does when the operating system detects an unrecoverable error. The default is to reboot.
Syntax
Config# [no] panic <halt | reboot>
Arguments
no Negate the command.
halt Halt option for panic operation.
reboot Reboot option for panic operation. This is the default option.
radius
Use the radius command to identify the RADIUS server used for authentication and to provide the shared secret. When used with a clear-text secret, this command encrypts the secret. When used with an already encrypted secret, this command enables communications with the specified RADIUS server.
Note: Nokia IP VPN Gateway uses RADIUS only for authentication. RADIUS accounting records are not written.
Syntax
Config# [no] radius <radius server address> <<encode type> <encoded secret>> | <<secret> <port number>>
Arguments
no Negate the command.
<radius server address> IP address of the RADIUS server.
<encode type> <encoded secret>
• encode type—currently only the value 0 (zero) is used.
Note: You must enter the value 0 (zero). Other values are reserved for future use, to allow different methods of encrypting the shared secret.
• encoded secret—the RADIUS encoded secret.
<secret> <port number>
• secret—a text string of more than three characters used as the shared secret with the RADIUS server for authentication.
• port number—an alternative UDP port on which the RADIUS server listens. Default: 1812
Examples
Config# radius 10.2.3.4 secret
Encrypts the clear-text secret "secret".
Config# radius 10.2.3.4 0 Zm9V
Saves the encrypted value Zm9V as the shared secret used to authenticate the gateway to the RADIUS server.
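What the shared secret protects is worth seeing, because "more than three characters" is a floor, not a recommendation. The following Python is an added example, not Nokia code and not the gateway's implementation: it builds the RFC 2865 Access-Request that a gateway sends to the server address and port configured above, implements the User-Password hiding (MD5 of the shared secret and the Request Authenticator, XORed with the password), and shows the offline check that a passive observer with one known password can run against candidate secrets. The secret, password and authenticator values are constructed.

```python
"""Added example (not from the Nokia manual, not the gateway's code): what the RADIUS
shared secret configured with the radius command actually protects. Implements the
RFC 2865 Access-Request and its User-Password hiding; all values are constructed."""
import hashlib
import os
import struct
from typing import Iterable, Optional

ACCESS_REQUEST = 1  # RADIUS Code field
ATTR_USER_NAME = 1
ATTR_USER_PASSWORD = 2


def hide_password(password: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """RFC 2865 section 5.2: pad to a multiple of 16 bytes, then XOR each block with
    MD5(secret || previous block), where the first 'previous block' is the 16-byte
    Request Authenticator. Only the secret keeps this from being a known transform."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden, prev = b"", request_authenticator
    for i in range(0, len(padded), 16):
        key = hashlib.md5(secret + prev).digest()
        block = bytes(p ^ k for p, k in zip(padded[i:i + 16], key))
        hidden += block
        prev = block
    return hidden


def reveal_password(hidden: bytes, secret: bytes, request_authenticator: bytes) -> bytes:
    """Inverse transform, as the RADIUS server performs it. NUL padding is stripped,
    so a password that itself ends in NUL bytes cannot round-trip (a protocol limit)."""
    clear, prev = b"", request_authenticator
    for i in range(0, len(hidden), 16):
        key = hashlib.md5(secret + prev).digest()
        clear += bytes(h ^ k for h, k in zip(hidden[i:i + 16], key))
        prev = hidden[i:i + 16]
    return clear.rstrip(b"\x00")


def attribute(attr_type: int, value: bytes) -> bytes:
    """Type-Length-Value attribute; Length counts the two header bytes."""
    if len(value) > 253:
        raise ValueError("attribute value too long for a single AVP")
    return struct.pack("!BB", attr_type, 2 + len(value)) + value


def access_request(identifier: int, username: bytes, password: bytes, secret: bytes,
                   request_authenticator: Optional[bytes] = None) -> bytes:
    """UDP payload of an Access-Request, as sent to <radius server address>, port 1812."""
    request_authenticator = request_authenticator or os.urandom(16)
    attrs = attribute(ATTR_USER_NAME, username) + attribute(
        ATTR_USER_PASSWORD, hide_password(password, secret, request_authenticator))
    header = struct.pack("!BBH", ACCESS_REQUEST, identifier, 20 + len(attrs))
    return header + request_authenticator + attrs


def guess_secret(hidden: bytes, request_authenticator: bytes, known_password: bytes,
                 candidates: Iterable[bytes]) -> Optional[bytes]:
    """Offline check a passive observer of one Access-Request can run: with one known
    (or guessable) password, every candidate secret is tried against the hidden
    User-Password. This is why a short shared secret offers little protection."""
    for candidate in candidates:
        if reveal_password(hidden, candidate, request_authenticator) == known_password:
            return candidate
    return None


if __name__ == "__main__":
    secret, authenticator = b"s3cr3t", bytes(range(16))  # constructed values
    packet = access_request(7, b"alice", b"hunter2", secret, authenticator)
    hidden = packet[29:45]                                 # the User-Password value
    print(len(packet), hidden.hex())
    print(guess_secret(hidden, authenticator, b"hunter2", [b"abc", b"1234", secret]))
```

The secret is never sent; it enters the exchange only as an MD5 input, so anything that can capture one request and knows (or can guess) one user's password can test secrets at MD5 speed. Use a long random secret and keep the path between gateway and RADIUS server off untrusted networks.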
terminal
Use the terminal command to configure the default terminal parameters.
Syntax
Config# [no] terminal
  editing-style <emacs | vms>
  idle-timeout <1-10000000>
  length <number-of-rows>
  logging <level <none | emergency | alert | critical | error | warning | notice | info | debug> | <timestamp <microsecond> | <CR>> | <CR>>
  more
  type <terminal-type>
  width <number-of-columns>
Arguments
no Negate the command.
editing-style <emacs | vms> Set the command-line control key behavior:
• emacs—set the default editing style to emacs.
• vms—set the default editing style to VMS.
Default: emacs
idle-timeout <1-10000000> Set the timeout in seconds for an idle session. Default: 600. A value of zero disables the idle timeout.
length <number-of-rows> Set the terminal output length:
• number-of-rows—default terminal length in rows. Default: 24
logging <level <none | emergency | alert | critical | error | warning | notice | info | debug> | <timestamp <microsecond> | <CR>> | <CR>> Set the default terminal logging characteristics:
• level—set the minimum level for logging. For a list of log levels, see “syslog” on page 182.
• timestamp—control whether time stamps are presented on local messages.
• timestamp microsecond—add a microsecond time stamp to syslog messages sent to the terminal.
• timestamp CR—enable or disable the terminal microsecond time stamp.
• CR—enable or disable terminal logging.
more Enable or disable default auto-more mode. Default: enable. Use the no terminal more command to disable auto-more mode.
type <terminal-type> Set the terminal type:
• terminal-type—default terminal type. Default: VT100
Note: When you Telnet out of Nokia IP VPN Gateway, the Telnet client uses this terminal type to negotiate the terminal type with the remote Telnet server.
width <number-of-columns> Set the terminal width:
• number-of-columns—default terminal width in columns. Default: 80
Examples
Config# terminal idle-timeout 0
Disables the idle terminal timeout for all future shell sessions. An unattended session then stays open until it is closed explicitly, so keep a timeout in place on management interfaces that are reachable over the network.
Config# no terminal more
Disables the auto-more function for all future shell sessions.
uuid
Use the uuid command to configure the configuration version Universal Unique Identifier (UUID).
Syntax
Config# [no] uuid <uuid>
Arguments
no Negate the command.
uuid <uuid> Configure the configuration version UUID:
• uuid—the configuration version's UUID.
Network Utilities
Network utility commands allow you to perform network tasks.
Command Mode Commands
Use the following command mode commands to perform network administration.
Command Description
finger Show system status.
flowbee Packet flow check utility.
netstat UNIX-style netstat utility.
ping Ping utility.
telnet Remote login utility.
traceroute Traceroute utility.
finger
Use the finger command to display all running processes.
Syntax
finger
flowbee
Use the flowbee command to test connectivity to a specific system. The flowbee command is an extension of the ping command: in addition to the options that ping provides, it lets you specify the packet rate.
This utility is provided as an unsupported tool; Nokia does not guarantee that its results are accurate. Because you can specify the packet rate, you can select a rate faster than the remote host or the network can handle, which causes lost packets, so flowbee results cannot always be used to diagnose a connectivity problem. Select the packet rate carefully, considering the remote host and the type and speed of the connection. For more information about the flowbee command, contact Nokia technical support.
Syntax
flowbee [-I <ADDR> | -L | -P <number> | -Q | -R | -T <number> | -a | -c <number> | -d | -f | -i <number> | -l <number> | -n | -p <pad> | -q | -r | -s <number> | -v | <HOST>]
Related Commands
See the “ping” command on page 144.
See the “traceroute” command on page 148.
Arguments
-I <ADDR> Interface for sourcing multicast packets:
• ADDR—interface IP address.
-L Suppress loopback of multicast packets.
-P <number> Set the packet rate:
• number—number of packets per second.
-Q Set quiet output.
-R Record route.
-T <number> Set the TTL for multicast packets:
• number—number of hops.
-a Set bell on (audible).
-c <number> Set the number of ECHO_RESPONSE packets:
• number—number of packets.
-d Set SO_DEBUG on the socket.
-f Flood flowbee.
-i <number> Set the interval between packets sent:
• number—number of seconds.
-l <number> Set the preload size:
• number—number of packets.
-n Numeric output only.
-p <pad> Set the pattern used to fill the flowbee buffer:
• pad—pattern.
-q Set output to be quiet.
-r Bypass the routing tables.
-s <number> Set the size of the flowbee buffer:
• number—number of bytes.
-v Verbose output.
<HOST> Host name or dotted-decimal address.
netstat
The netstat command displays the contents of network-related data structures: protocol statistics, active network connections, routing tables, and interface statistics. The output format depends on the options used.
Syntax
netstat [-A | -I <eth-1 | eth-2 | eth-3 | eth-4> | -a | -b | -d | -f <INET> | -g | -i | -m | -n | -o | -p <ICMP | IGMP | IP | LOCAL | RAW | TCP | UDP> | -r | -s | -t | -u | -w <seconds> | <-options>]
Arguments
-A With the default display, show the address of any protocol control blocks associated with sockets.
-I <eth-1 | eth-2 | eth-3 | eth-4> Display information about the specified interface:
• <eth-1 | eth-2 | eth-3 | eth-4>—any internal interface, or the external interface.
• -I <interface> -b—show the number of bytes in and out.
• -I <interface> -d—show the number of dropped packets.
• -I <interface> -t—show watchdog timers.
-a With the default display, show the state of all sockets; normally sockets that server processes use are not shown.
-b Show the number of bytes in and out.
Note: For the in and out bytes on all interfaces, use the -b option with the -i option.
-d Show the number of dropped packets.
Note: You can use the -d option with the -i and -w options.
-f INET Limit statistics or address control block reports to the specified address family. The only address family recognized is inet (AF_INET).
-g Display information related to multicast (group address) routing. By default, this flag displays the IP multicast virtual-interface and routing tables. With the -s option, it displays multicast routing statistics.
-i Display the state of interfaces that are automatically configured (interfaces statically configured into the system but not located at boot time are not displayed). Used with the -a option, the multicast addresses currently in use are displayed for each Ethernet interface and for each IP interface address, on separate lines following the interface address with which they are associated.
-m Display statistics recorded by the memory management routines (the network stack manages a private pool of memory buffers).
-n Display network addresses as numbers. You can use this option with any of the other netstat arguments.
-o Display interface counters, including collision statistics.
-p <ICMP | IGMP | IP | LOCAL | RAW | TCP | UDP> Display statistics for the named protocol: ICMP, IGMP, IP, LOCAL, RAW, TCP or UDP.
-r Display routing tables. Used with the -s option, shows routing statistics.
-s Display per-protocol statistics. If this option is repeated, counters with a value of zero are suppressed.
-t Show watchdog timers. Can be used with the -i option.
-u Set the address family to AF_UNIX.
-w <seconds> Display network statistics at intervals of <seconds> seconds.
-<options> Any combination of netstat options.
Examples
netstat -n -r
Shows the routing table without using DNS to resolve names. This command can be abbreviated as netstat -nr.
Related Commands
See the “ping” command on page 144.
See the show interface command in “show” on page 105.
See the “telnet” command on page 147.
See the “traceroute” command on page 148.
See the “tcpdump” command on page 119.
ping
Use the ping command to test connectivity between the gateway and the specified host or network.
Syntax
ping [-I <ADDR>][-L][-Q][-R][-T <NUMBER>][-a][-c <NUMBER>][-d][-f][-i <NUMBER>][-l <NUMBER>][-n][-p <PAD>][-q][-r][-s <NUMBER>][-v] <HOST>
Arguments
-I <ADDR> Source multicast packets from the given interface address. This flag applies only if the ping destination is a multicast address.
-L Suppress loopback of multicast packets. This flag applies only if the ping destination is a multicast address.
-Q Somewhat quiet output: do not display ICMP error messages that are in response to query messages. Without -Q, ping prints any ICMP error messages that its own ECHO_REQUEST messages cause.
-R Record route. Includes the RECORD_ROUTE option in the ECHO_REQUEST packet and displays the route buffer on returned packets.
Note: The IP header is only large enough for nine such routes; the traceroute command is usually better at determining the route that packets take to a particular destination. If more routes come back than fit (because of an illegal, spoofed packet), ping prints the route list and truncates it at the correct spot. Many hosts and gateways ignore or discard the RECORD_ROUTE option.
-T <NUMBER> Set the IP time to live for multicast packets. This flag applies only if the ping destination is a multicast address.
-a Audible. Include a bell character (ASCII 0x07) in the output when any packet is received. This option is ignored if other format options are present.
-c <NUMBER> Stop after sending (and receiving) <NUMBER> ECHO_RESPONSE packets.
-d Set the SO_DEBUG option on the socket being used.
-f Flood ping. Outputs packets as fast as they come back, or one hundred times per second, whichever is more. For every ECHO_REQUEST sent a period (.) is printed, and for every ECHO_REPLY received a backspace is printed, so the periods left on screen show at a glance how many packets are being dropped.
Caution: Use the -f option with care. Flood pinging a system can overload it or the intervening network.
-i <NUMBER> Wait <NUMBER> seconds between sending each packet. The default is one second. This option is incompatible with -f.
-l <NUMBER> Preload: ping sends <NUMBER> packets as quickly as possible, then returns to its normal mode of behavior.
-n Numeric output only. No attempt is made to look up symbolic names for host addresses.
-p <PAD> Specify up to 16 pad bytes to fill out the packet sent. This is useful for diagnosing data-dependent problems in a network. For example, -p ff causes the sent packet to be filled with all ones.
-q Quiet output. Nothing is displayed except the summary lines at startup and on completion.
-r Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. You can use -r to ping a local host through an interface that has no route through it.
-s <NUMBER> Specify the number of data bytes to be sent. The default is 56, which becomes 64 ICMP bytes when combined with the 8 bytes of ICMP header.
-v Verbose output. ICMP packets other than ECHO_RESPONSE that are received are listed.
<HOST> Host name or IP address.
Examples
ping -n -c 1 10.10.10.10
Pings the specified IP address with one packet (-c 1) and does not use DNS to resolve host names (-n).
Related Commands
See the “netstat” command on page 142.
See the show interface command in “show” on page 105.
See the “traceroute” command on page 148.
telnet
Use the telnet command to create a Telnet connection to the specified host. The Telnet escape sequence is exit or CTRL+Z. The Telnet client sends terminal options to the host. Telnet is unencrypted: credentials and session contents cross the network in clear text.
Syntax
telnet <HOST> <<PORT> | <CR>>
Arguments
<HOST> <<PORT> | <CR>> Remote login utility:
• HOST—host name or IP address of the destination Telnet server.
• PORT—port number to connect to. Default Telnet port: 23.
• CR—connect to the default Telnet port.
Related Commands
See the “terminal” command on page 123.
See the show terminal command in “show” on page 105.
traceroute
Use the traceroute command to examine the path between the source and the destination host.
Syntax
traceroute [-F][-I][-d][-f <NUMBER>][-g <HOST>][-i <eth-1 | eth-2 | eth-3 | eth-4>][-m <NUMBER>][-n][-p <NUMBER>][-q <NUMBER>][-r][-s <HOST>][-t <NUMBER>][-v][-w <NUMBER>][-x][<HOST>]
Arguments
-F Set the don't fragment (DF) bit in all IP packets. This helps debug fragmentation problems caused by noncompliant routers and firewalls along the path.
-I Set ICMP protocol. This is the default.
-d Set the SO_DEBUG option on the socket being used.
-f <NUMBER> Set the initial TTL value, so that the first probes are sent with TTL <NUMBER> and the gateways before that hop are skipped.
-g <HOST> Specify one or more loose source route gateways by name or IP address. You can specify a maximum of eight gateways.
-i <eth-1 | eth-2 | eth-3 | eth-4> Specify the interface from which to source probe packets.
-m <NUMBER> Set the maximum time to live (maximum number of hops) used in outgoing probe packets. Default: 30 hops (the same default used for TCP connections).
-n Print hop addresses numerically rather than symbolically and numerically (saves a nameserver address-to-name lookup for each gateway found on the path).
-p <NUMBER> Set the base UDP port number used in probes. Default: 33434. Traceroute expects that no other application is listening on UDP ports base to base + nhops - 1 at the destination host, so that an ICMP PORT_UNREACHABLE message is returned to terminate the route tracing. If another application is listening on a port in the default range, use -p to pick an unused port range.
-q <NUMBER> Set the number of UDP packets sent towards the destination host at each hop. Default: 3
-r Bypass the normal routing tables and send directly to a host on an attached network. If the host is not on a directly attached network, an error is returned. You can use -r to probe a local host through an interface that has no route through it.
-s <HOST> Use the given IP address (an IP number, not a host name) as the source address in outgoing probe packets. Use this option to force a source address other than that of the interface the probe is sent on. If the address is not one of this security gateway's interface addresses, an error is returned and nothing is sent. This option performs the same function as -i.
-t <NUMBER> Set the type of service (TOS) in probe packets to <NUMBER>, a decimal integer in the range 0 to 255. Use this option to check whether different types of service result in different paths. Not all values of TOS are legal or meaningful.
Note: For the definitions, see RFC 791. Useful values are -t 16 (low delay) and -t 8 (high throughput).
-v Verbose output. Lists received ICMP packets other than TIME_EXCEEDED and unreachable.
-w <NUMBER> Set the time (in seconds) to wait for a response to a probe. Default: 5
-x Disable checksum computations.
<HOST> Host name or dotted-decimal address.
Related Commands
See the “netstat” command on page 142.
See the “ping” command on page 144.
See the show interface command in “show” on page 105.
Configuration Mode Commands
Use the following configuration mode command to perform network administration.
Command Description
tftp Configure the TFTP client.
tftp
Use the tftp command to configure a default TFTP server for the CLI.
Syntax
Config# [no] tftp default server <ADDR>
Arguments
no Negate the command.
default Set the default TFTP client options.
server <ADDR> Set the default server for the TFTP client:
• ADDR—IP address of the TFTP server.
Examples
Config# tftp default server 1.1.1.1
Configures a default TFTP server for the cluster to use.
Managing Files and Directories
The file and directory commands allow you to manage files and directories.
Command Mode Commands
Use the following command mode commands to manage files and directories from the command mode.
Command Function
copy Copy a file.
create Create a file.
delete Delete a file.
differences Compare files.
directory List directory contents.
rename Rename a file.
source Process a file of shell commands.
type Type out the contents of a file.
copy
Use the copy command to copy files locally on the gateway, or to and from a remote location through TFTP or NFS. Neither TFTP nor NFS authenticates the server or protects the transfer, so compare an image copied from a remote server against a trusted copy (see the differences command) before booting from it.
Syntax
copy [<NAME> <NAME>]
Arguments
copy <NAME> <NAME> Copy a file:
• NAME—name of the source file to be copied.
• NAME—name of the destination file into which the source file is copied.
Examples
copy nfs://192.168.202.154/home/c-v1.2-86.kl.kz flash:cc-v1.2-86.kl
Copies the c-v1.2-86.kl.kz file from an NFS file system to the cc-v1.2-86.kl file on the flash memory in the primary slot.
create
Use the create command to create a new file on the local flash file system, on a TFTP server, or on an NFS server. To terminate the file, type Ctrl+Z or a line with a period (.) as its only character.
Syntax
create <NAME>
Arguments
create <NAME> Create a new file:
• NAME—name of the file to be created.
delete
Use the delete command to delete a file.
Note: The delete command works only on the local flash file system.
Syntax
delete <NAME>
Arguments
delete <NAME> Delete the specified file:
• NAME—name of the file to be deleted.
Examples
delete myfile.txt
Deletes the myfile.txt file.
delete pccard1:boot-config
Deletes the boot-config file on pccard1.
differences
Use the differences command to compare the contents of two files. For text files, the differences between the files are listed; for binary files, the result indicates only whether the files are the same or different.
Syntax
differences <NAME> <NAME>
Arguments
differences <NAME> <NAME> Compare two files:
• NAME—name of the file to be compared.
• NAME—name of the file to compare it with.
Examples
differences myfile1.txt myfile2.txt
Compares the contents of myfile1.txt and myfile2.txt and lists the differences.
differences cc-v4.0-90.sr tftp://Nokia_files.com/cc-v4.0-90.sr
Compares the local cc-v4.0-90.sr with tftp://Nokia_files.com/cc-v4.0-90.sr and indicates whether they are the same or different.
directory
Use the directory command to display the files in flash memory or in the specified directory.
Syntax
directory <NAME> | <CR>
Arguments
directory <NAME> | <CR> Display the specified directory:
• NAME—name of the directory to display.
• CR—display the contents of flash memory.
Examples
directory pccard1:
Displays the contents of the pccard1 flash memory.
rename
Use the rename command to rename a file in the flash file system.
Note: Files cannot be renamed across different flash memories.
Syntax
rename <NAME> <NAME>
Arguments
rename <NAME> <NAME> Rename a file:
• NAME—name of the file to be renamed.
• NAME—new name for the file.
Examples
rename oldfile.txt newfile.txt
Renames oldfile.txt to newfile.txt.
source
Use the source command to run a script from a file that contains command mode CLI commands.
Note: The file must not contain configuration mode commands.
Syntax
source <filename>
Arguments
source <filename> Process a file of shell commands:
• filename—name of a file containing shell commands.
Examples
source tftp://Nokia_tftp/setdelay.scp
Executes a set of commands from a file on a TFTP server. Because TFTP is unauthenticated, whoever answers the TFTP request controls the commands that run, so source scripts only from a server you control on a trusted network.
type
Use the type command to view the contents of a specified file. You can view flash, TFTP, or NFS files.
Syntax
type <NAME>
Arguments
type <NAME> Type out the contents of a file:
• NAME—name of the file to be displayed.
Example
type flash:cluster_config_1.txt
Displays the contents of the named file on the flash memory in the primary slot.
Related Commands
See the “terminal” command on page 123.
Configuration Mode Commands
Use the nfs configuration mode command to manage files and directories from the configuration mode.
Command Function
nfs Configure the NFS client.
nfs
Use the nfs command to define a default NFS server for the cluster. You can also set default UID and GID values. If a default NFS server is set, you can omit the NFS server name in file specifications; for example, nfs://nfs.Nokia_files.com/boot-config can be shortened to nfs:boot-config.
Syntax
Config# [no] nfs default <[gid <NFS GID> | server <ADDR> | uid <NFS UID>]>
Arguments
no Negate the command.
default <[gid <NFS GID> | server <ADDR> | uid <NFS UID>]> The default keyword for the NFS client:
• gid <NFS GID>—default GID for the NFS client.
• server <ADDR>—IP address of the default NFS server.
• uid <NFS UID>—default UID for the NFS client.
Examples
Config# nfs default server 10.3.4.5
Config# nfs default uid 106
Config# nfs default gid 10
Sets the default NFS server and the UID and GID the client presents. An NFS server using the default AUTH_SYS security accepts these values at face value, so restrict the export to the gateway's address.
Related Commands
See the Config# “tftp” command on page 150.
Logging and Debugging
The logging and debugging commands allow you to set debug activities and the log server configuration.
Command Mode Commands
Use the following command mode commands to set debug activities and the log server configuration.
Command Function
debug Set debug activities.
log Log server configuration.
debug
Use the debug command to enable or disable event logging at different levels for different gateway subsystems. To view debug messages in a Telnet or SSH session, logging must be enabled through configuration or with the log enable command.
Syntax
[no] debug
  [anti-spoofing]
  [app-clustering <debug | error | info | none>]
  [cluster <all | connectivity | default | event | load-balancing | membership | workspace>]
  [dhcp-server <all | bootp-forwarder | client-db | communications | packets | parse | ping-check | ras>]
  [ike <all | attribute | basic | cluster | cookie | death | default | download | event | header | id | io | isadb | locking | notify | options | payload | policy | rekey | ring | route | saapi | state>]
  [ipsec <all | basic | cluster | death | default | event | mapping | pending | rekey | selector>]
  [ipsrd <bgp <cluster | keepalive | open | update | <CR>> | global <cluster | normal | policy | route | state | task | timer | <CR>> | ipsec-peer <cluster | packet <<peer-id> | <CR>> | proxy | route | <CR>> | ospf <ack | cluster | dd | drelect | hello | lsa | lsr | lsu | spf | <CR>> | rip <request | response | <CR>>>]
  [monitor <debug | default | error | info | <CR>>]
  [nat]
  [ntp <debug | default | error | info | none>]
  [ppp <all | authentication | ccp | detailed | ipcp | lcp | negotiations | protocol>]
  [radius <accounting | all | attributes | authentication | authorization | cluster | packets>]
  [vpdn <all | cluster | detailed | l2tp | pptp>]
  [cfg_server <all | boot | commands | communication | events | files | flow | geninfo>]
  [chat <all | chat>]
  [dgwp <all | cluster | communication | server | <CR>>]
  [dhcp-client <all | misc | packet | packet-dump | parse | state>]
  [dialupd <all | chat | dialup | err | gen | ipc | ppp | stm>]
  [dialupoob <all | cfg | dlpool | err | gen | ipc | stm>]
  [ldap <acl | all | any | args | ber | config | conns | daemon | deprecated | filter | ipc | none | packets | parse | shell | stats | stats2 | trace>]
  [oob <all | chat | err | gen | ipc | oob | ppp | stm | <CR>>]
  [pkid <all | misc>]
  [scep <all | bio | ca | cmds | http | keys | misc | nvdt | pkcs>]
  [schedule <all | command | execution | management | startup>]
  [sshd <all | config | events | original | scp>]
  [ssl <all | misc>]
  [userauth <all | common | ldap | local>]
  [vrrp <all | event | misc | packet | state>]
  [wanbackup <all | cfg | err | gen | ipc | rt | stm | wb>]
Arguments
no
    Negate the command.
anti-spoofing
    Enable or disable anti-spoofing debug messages.
app-clustering <debug | error | info | none>
    Configure the cluster app-server debug level:
    • debug—enable cluster app-server debug-level event logging.
    • error—enable cluster app-server error-level event logging.
    • info—enable cluster app-server info-level event logging.
    • none—stop cluster app-server event logging.
cluster <all | connectivity | default | event | load-balancing | membership | workspace>
    Configure the cluster debug level:
    • all—all event logging.
    • connectivity—cluster connectivity logging.
    • default—default event logging.
    • event—cluster event logging.
    • load-balancing—cluster load-balancing logging.
    • membership—cluster membership logging.
    • workspace—cluster workspace assignment logging.
dhcp-server <all | bootp-forwarder | client-db | communications | packets | parse | ping-check | ras>
    Select Dynamic Host Configuration Protocol (DHCP) server debugging classes:
    • all—enable all event logging.
    • bootp-forwarder—BOOTP forwarding processing.
    • client-db—client database processing.
    • communications—communications processing.
    • packets—packet tracing processing.
    • parse—packet parsing.
    • ping-check—ping-check processing.
    • ras—ignore-ras processing.
Logging and Debugging
ike <all | attribute | basic | cluster | cookie | death | default | download | event | header | id | io | isadb | locking | notify | options | payload | policy | rekey | ring | route | saapi | state>
    Select IKE debugging classes:
    • all—all event logging.
    • attribute—IKE attribute negotiation events.
    • basic—basic event logging.
    • cluster—IKE cluster processing.
    • cookie—ISAKMP cookie processing.
    • death—SA deletion events.
    • default—default event logging.
    • download—management software download logging.
    • event—general event logging.
    • header—ISAKMP header processing.
    • id—ISAKMP ID payload processing.
    • io—send or receive message logging.
    • isadb—database operation events.
    • locking—locking operations.
    • notify—ISAKMP notify payload processing.
    • options—ISAKMP options processing.
    • payload—ISAKMP payload processing.
    • policy—policy operations.
    • rekey—rekey operations.
    • ring—public- or private-key ring operations.
    • route—routing updates (PF_ROUTE).
    • saapi—kernel operations.
    • state—state machine changes.
ipsec <all | basic | cluster | death | default | event | mapping | pending | rekey | selector>
    Select IPSec debugging classes:
    • all—enable all event logging.
    • basic—enable basic event logging.
    • cluster—IPSec cluster processing.
    • death—SA deletion events.
    • default—enable default event logging.
    • event—general event logging.
    • mapping—IPSec SA mapping creation or deletion events.
    • pending—pending entry creation or deletion events.
    • rekey—IPSec rekey events.
    • selector—miscellaneous selector logging.
ipsrd
    Configure IPSRD debug activities.
ipsrd bgp <cluster | keepalive | open | update | <CR>>
    • bgp—trace BGP state.
    • bgp cluster—trace BGP clustering messages.
    • bgp keepalive—trace BGP KEEPALIVE messages.
    • bgp open—trace BGP OPEN messages.
    • bgp update—trace BGP UPDATE messages.
    • bgp <CR>—trace all BGP messages.
ipsrd global <cluster | normal | policy | route | state | task | timer | <CR>>
    • global—trace IPSRD state.
    • global cluster—trace clustering.
    • global normal—trace normal events.
    • global policy—trace policy decisions.
    • global route—trace routing table changes.
    • global state—trace state machine transitions.
    • global task—trace tasks and jobs.
    • global timer—trace timer functions.
    • global <CR>—set all of the above.
ipsrd ipsec-peer <cluster | packet <<peer-id> | <CR>> | proxy | route | <CR>>
    • ipsec-peer—trace IPSec-peering state.
    • ipsec-peer cluster—trace IPSec-peer cluster messages.
    • ipsec-peer packet—trace IPSec-peer packets.
    • ipsec-peer packet <peer-id>—trace IPSec-peer packets to and from the named peer.
    • ipsec-peer packet <CR>—trace IPSec-peer packets to and from all peers.
    • ipsec-peer proxy—trace IPSec-peer proxy operations.
    • ipsec-peer route—trace IPSec-peer routes.
    • ipsec-peer <CR>—trace all IPSec-peer messages.
ipsrd ospf <ack | cluster | dd | drelect | hello | lsa | lsr | lsu | spf | <CR>>
    • ospf—trace OSPF state.
    • ospf ack—trace link-state acknowledgment packets.
    • ospf cluster—trace OSPF clustering.
    • ospf dd—trace database description packets.
    • ospf drelect—trace designated router election.
    • ospf hello—trace hello packets.
    • ospf lsa—trace link-state advertisement (LSA) packets.
    • ospf lsr—trace link-state request packets.
    • ospf lsu—trace link-state update packets.
    • ospf spf—set SPF debugging.
    • ospf <CR>—set all of the above.
ipsrd rip <request | response | <CR>>
    • rip—trace RIP state.
    • rip request—trace RIP request messages.
    • rip response—trace RIP response messages.
    • rip <CR>—trace all RIP messages.
monitor <debug | default | error | info | <CR>>
    Configure the monitor server debug level:
    • debug—enable monitor server debug-level event logging.
    • default—enable monitor server event logging at the default level.
    • error—enable monitor server error-level event logging.
    • info—enable monitor server info-level event logging.
    • <CR>—enable monitor server event logging at the default level.
nat
    Configure NAT debug activities.
ntp <debug | default | error | info | none>
    Configure the Network Time Protocol (NTP) debug level:
    • debug—enable NTP debug-level event logging.
    • default—enable NTP event logging at the default level.
    • error—enable NTP error-level event logging.
    • info—enable NTP info-level event logging.
    • none—stop NTP event logging.
ppp <all | authentication | ccp | detailed | ipcp | lcp | negotiations | protocol>
    Configure the PPP debugging classes:
    • all—all event logging.
    • authentication—PPP authentication.
    • ccp—CCP events.
    • detailed—detailed information.
    • ipcp—IPCP events.
    • lcp—LCP events.
    • negotiations—PPP negotiations.
    • protocol—PPP protocol.
radius <accounting | all | attributes | authentication | authorization | cluster | packets>
    Configure the RADIUS debugging classes:
    • accounting—RADIUS accounting event logging.
    • all—all RADIUS event logging.
    • attributes—RADIUS attribute event logging.
    • authentication—RADIUS authentication event logging.
    • authorization—RADIUS authorization event logging.
    • cluster—RADIUS cluster event logging.
    • packets—RADIUS packet event logging.
vpdn <all | cluster | detailed | l2tp | pptp>
    Configure the Layer Two Tunneling Protocol (L2TP) or Point-to-Point Tunneling Protocol (PPTP) (VPDN) debugging classes:
    • all—all event logging.
    • cluster—L2TP or PPTP (VPDN) cluster events.
    • detailed—detailed information.
    • l2tp—L2TP events.
    • pptp—PPTP events.
cfg_server <all | boot | commands | communication | events | files | flow | geninfo>
    Configure the configuration server debugging classes:
    • all—enable all facility groups.
    • boot—boot-related logging.
    • commands—command logging.
    • communication—communication-specific logging.
    • events—event logging.
    • files—file access logging.
    • flow—information flow logging.
    • geninfo—gen_info.txt-specific logging.
chat <all | chat>
    Modem chat debugging classes:
    • all—enable all facility groups.
    • chat—modem CHAT debug information.
dgwp <all | cluster | communication | server | <CR>>
    DGW proxy debugging classes:
    • all—enable all facility groups.
    • cluster—cluster debug information.
    • communication—communication event debug information.
    • server—server debug information.
dhcp-client <all | misc | packet | packet-dump | parse | state>
    DHCP client debugging classes:
    • all—enable all facility groups.
    • misc—DHCP client miscellaneous information.
    • packet—DHCP client packet debug.
    • packet-dump—DHCP client packet dump.
    • parse—DHCP client packet parsing.
    • state—DHCP client states.
dialupd <all | chat | dialup | err | gen | ipc | ppp | stm>
    Dialup state machine (stm) debugging classes:
    • all—enable all facility groups.
    • chat—dialup chat debug information.
    • dialup—dialup debug information.
    • err—dialup error debug information.
    • gen—dialup general debug information.
    • ipc—dialup IPC debug information.
    • ppp—dialup PPP debug information.
    • stm—dialup state machine debug information.
dialupoob <all | cfg | dlpoob | err | gen | ipc | stm>
    Dialup OOB state machine (stm) debugging classes:
    • all—enable all facility groups.
    • cfg—dialupOOB configuration debug information.
    • dlpoob—dialupOOB debug information.
    • err—dialupOOB error debug information.
    • gen—dialupOOB general debug information.
    • ipc—dialupOOB IPC debug information.
    • stm—dialupOOB state machine debug information.
ldap <acl | all | any | args | ber | config | conns | daemon | deprecated | filter | ipc | none | packets | parse | shell | stats | stats2 | trace>
    Lightweight Directory Access Protocol (LDAP) application debugging classes:
    • acl—debug ACLs.
    • all—debug traces.
    • any—other debugging.
    • args—debug arguments.
    • ber—debug BER encoding.
    • config—debug configuration.
    • conns—debug connections.
    • daemon—LDAP daemon internal debug.
    • deprecated—debug deprecated features.
    • filter—debug filters.
    • ipc—daemon IPC debug.
    • none—non-listed debug.
    • packets—debug packets.
    • parse—debug parsing.
    • shell—shell debug.
    • stats—statistics debug.
    • stats2—more statistics debug.
    • trace—debug trace.
oob <all | chat | err | gen | ipc | oob | ppp | stm | <CR>>
    OOB state machine (stm) debugging classes:
    • all—enable all facility groups.
    • chat—OOB chat debug information.
    • err—OOB error debug information.
    • gen—OOB general debug information.
    • ipc—OOB IPC debug information.
    • oob—OOB debug information.
    • ppp—OOB PPP debug information.
    • stm—OOB state machine debug information.
pkid <all | misc>
    PKID application debugging classes:
    • all—enable all facility groups.
    • misc—miscellaneous debug information.
scep <all | bio | ca | cmds | http | keys | misc | nvdt | pkcs>
    Configure Simple Certificate Enrollment Protocol (SCEP) application debugging classes:
    • all—enable all facility groups.
    • bio—BIO debug information.
    • ca—certificate authority debug information.
    • cmds—command debug information.
    • http—HTTP debug information.
    • keys—key debug information.
    • misc—miscellaneous debug information.
    • nvdt—Nokia VPN Deployment Tool debug information.
    • pkcs—PKCS management debug information.
schedule <all | command | execution | management | startup>
    Scheduler application debugging classes:
    • all—enable all facility groups.
    • command—command-specific debug information.
    • execution—execution debug information.
    • management—schedule management debug information.
    • startup—startup debug information.
sshd <all | config | events | original | scp>
    Configure secure shell daemon (sshd) debugging classes:
    • all—enable all facility groups.
    • config—configuration details of the server.
    • events—event logging information.
    • original—original SSH debug output.
    • scp—secure copy (SCP) related debug output.
ssl <all | misc>
    Configure SSL debugging classes:
    • all—enable all facility groups.
    • misc—miscellaneous debug information.
userauth <all | common | ldap | local>
    Configure user authentication debugging classes:
    • all—enable all facility groups.
    • common—common authentication events.
    • ldap—LDAP authentication events.
    • local—local authentication events.
vrrp <all | event | misc | packet | state>
    Virtual router debugging classes:
    • all—enable all facility groups.
    • event—virtual router events.
    • misc—miscellaneous information.
    • packet—dropped incoming VRRP packets.
    • state—virtual router state changes.
wanbackup <all | cfg | err | gen | ipc | rt | stm | wb>
    WAN backup (WB) debugging classes:
    • all—enable all facility groups.
    • cfg—WB configuration debug information.
    • err—WB error debug information.
    • gen—WB general debug information.
    • ipc—WB IPC debug information.
    • rt—WB routing debug information.
    • stm—WB state machine debug information.
    • wb—WAN backup debug information.
Examples
debug cluster event
    Sets debugging activities on cluster events.
debug ipsrd ospf spf state
    Turns on debugging in the IPSRD OSPF subsystem for calculating the shortest path first (SPF) tree, and traces state transitions.
Related Commands
See the show debug command in “show” on page 105.
log
Use the log command to control the display of debug and audit messages on the terminal.
Syntax
log [audit <enable <nobacklog | <CR>> | disable>]
    [backlog <audit | <CR>>]
    [disable]
    [duplicate <enable | disable>]
    [enable <nobacklog | <CR>>]
    [flush <audit | <CR>>]
    [level <none | emergency | alert | critical | error | warning | notice | info | debug>]
    [timestamps <enable <microsecond> | disable>]
Arguments
audit <enable <nobacklog | <CR>> | disable>
    Control the display of audit type log messages:
    • enable—enable audit terminal logging.
    • enable nobacklog—enable audit terminal logging without displaying the stored backlog.
    • enable <CR>—enable audit terminal logging and display the stored backlog.
    • disable—disable audit terminal logging.
backlog <audit | <CR>>
    Display the last n messages stored in the log:
    • audit—display only audit type messages.
    • <CR>—display all messages.
disable
    Disable the logging of messages on the terminal.
duplicate <enable | disable>
    Control how duplicate log messages are handled:
    • enable—suppress printing of duplicate log messages.
    • disable—print duplicate log messages.
    When duplicate suppression is disabled, every duplicate message is displayed. When it is enabled, only the first message in a series of duplicates is displayed until a nonduplicate message arrives; a summary of the number of duplicate messages received is displayed when a set count is reached or a timeout occurs.
enable <nobacklog | <CR>>
    Enable terminal logging:
    • nobacklog—enable terminal logging without displaying the stored backlog.
    • <CR>—enable terminal logging and display the stored backlog.
flush <audit | <CR>>
    Delete the log history buffers for the terminal:
    • audit—flush only audit type messages.
    • <CR>—flush all messages.
level <none | emergency | alert | critical | error | warning | notice | info | debug>
    Control the display of log messages based on priority. The value is the minimum severity that is displayed; the levels are listed from most to least severe:
    • none—do not display any messages.
    • emergency—set the minimum log severity level to emergency.
    • alert—set the minimum log severity level to alert.
    • critical—set the minimum log severity level to critical.
    • error—set the minimum log severity level to error.
    • warning—set the minimum log severity level to warning.
    • notice—set the minimum log severity level to notice.
    • info—set the minimum log severity level to info.
    • debug—set the minimum log severity level to debug.
timestamps <enable <microsecond> | disable>
    Enable or disable time stamps on terminal logging:
    • enable—enable time stamps.
    • enable microsecond—enable microsecond-resolution time stamps.
    • disable—disable time stamps.
Related Commands
See the “debug” command on page 156.
See the “terminal” command on page 123.
Configuration Mode Commands
Use the following configuration mode commands to set audit options, configure the console, and debug events.
Command     Function
audit       Configure audit options.
console     Configure the default console parameters.
debug       Configure debug events.
log         Configure logging options.
pkttrace    Enable packet trace and configure triggers.
syslog      Configure the syslog client.
audit
Use the audit command to alter the number of buffers allocated for the audit log history. Audit messages are stored in audit buffers, which are used as a ring: once all buffers are full, each new audit message overwrites the oldest one, so a burst of more than <number> audit events loses the earliest entries before they can be read. To ensure that messages are not lost, forward messages to a syslog server, or monitor them by using Nokia IP VPN Gateway. The default audit buffer size is 20 messages.
Syntax
Config# [no] audit buffers <number>
Arguments
no
    Negate the command.
buffers <number>
    The number of audit history buffers:
    • number—number of audit history buffers. Default: 20
Examples
Config# audit buffers 50
    Changes the number of buffers allocated for audit history to 50.
Related Commands
See the log buffers command in “Config# [no] log” on page 180.
See the “Config# [no] syslog” command on page 182.
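The three terminal-logging behaviours documented on this page (the minimum-severity filter set by log level, the duplicate suppression set by log duplicate enable, and the fixed-size audit history set by audit buffers, which the Config# log description calls a ring) interact in a way that matters for evidence collection: a burst of audit events larger than the ring overwrites the earliest ones, and duplicate suppression replaces repeats with a count. The following is an added example that models those documented rules over constructed messages; it is not Nokia code and does not talk to a gateway. Two details are assumptions because the page gives no values: the number of repeats after which a summary is printed (DUPLICATE_SUMMARY_AFTER) and the "last message repeated N times" wording.

```python
"""Model of the gateway's terminal-log rules as this page documents them.

Added example, not Nokia code.  It reproduces three documented behaviours:
  * log level <sev>      - only messages at or above the minimum syslog
                           severity are shown; `none` filters everything,
  * log duplicate enable - only the first of a run of identical messages is
                           shown, followed by a count summary once a set
                           number of repeats is reached, a timeout occurs,
                           or a different message arrives,
  * audit buffers <n>    - audit history is a ring of n slots, so a burst
                           longer than n silently overwrites old entries.
DUPLICATE_SUMMARY_AFTER and the summary wording are assumptions; the page
only says "a set number" or a timeout.
"""
from collections import deque
from typing import Deque, List, Optional

# Severities exactly as the `log level` argument lists them, most severe first.
LEVELS = ["emergency", "alert", "critical", "error", "warning", "notice", "info", "debug"]

DUPLICATE_SUMMARY_AFTER = 3  # assumption: the page does not give the number


def passes_level(msg_sev: str, min_level: str) -> bool:
    """True when msg_sev is at least as severe as the configured minimum."""
    if min_level == "none":
        return False
    return LEVELS.index(msg_sev) <= LEVELS.index(min_level)


class TerminalLog:
    def __init__(self, level: str = "info", duplicate: bool = True, audit_buffers: int = 20):
        self.level = level                  # log level <sev>
        self.duplicate = duplicate          # log duplicate enable | disable
        # audit buffers <n>: a ring, the oldest entry is overwritten when full
        self.audit: Deque[str] = deque(maxlen=audit_buffers)
        self.displayed: List[str] = []      # what the terminal would show
        self._last: Optional[str] = None
        self._repeats = 0

    def _summarise_repeats(self) -> None:
        if self._repeats:
            self.displayed.append(f"last message repeated {self._repeats} times")
            self._repeats = 0

    def emit(self, sev: str, text: str, audit: bool = False) -> None:
        line = f"{sev}: {text}"
        if audit:
            self.audit.append(line)         # stored regardless of terminal level
        if not passes_level(sev, self.level):
            return
        if self.duplicate and line == self._last:
            self._repeats += 1
            if self._repeats == DUPLICATE_SUMMARY_AFTER:
                self._summarise_repeats()
            return
        self._summarise_repeats()           # a non-duplicate flushes the pending count
        self._last = line
        self.displayed.append(line)

    def timeout(self) -> None:
        """The duplicate timer expiring also flushes the pending count."""
        self._summarise_repeats()
        self._last = None


def run_demo(duplicate: bool = True) -> TerminalLog:
    """Constructed traffic: an audit burst larger than the ring, a repeated
    IKE error, a debug line below the level, and one distinct warning."""
    log = TerminalLog(level="warning", duplicate=duplicate, audit_buffers=4)
    # six audit events into four buffers: 192.0.2.0 and 192.0.2.1 are lost
    for i in range(6):
        log.emit("notice", f"login failed for admin from 192.0.2.{i}", audit=True)
    # five identical errors: shown once, summarised after three repeats,
    # the fifth stays pending until the warning below arrives
    for _ in range(5):
        log.emit("error", "IKE: no proposal chosen from peer 198.51.100.7")
    log.emit("debug", "IKE: state transition")     # below `log level warning`
    log.emit("warning", "VRRP: dropped packet with bad authentication")
    return log


if __name__ == "__main__":
    demo = run_demo()
    print("audit ring:", *demo.audit, sep="\n  ")
    print("terminal:", *demo.displayed, sep="\n  ")
```

Run it and compare the audit ring with the six login failures that were emitted: only the last four survive, which is the reason the page tells you to forward audit messages to syslog rather than rely on the history. Running run_demo(duplicate=False) shows all five IKE errors instead of one line plus two count summaries.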
console
Use the console command to set the level of logging that appears on the system console (the serial port marked console on each Nokia IP VPN Gateway). The console audit command displays audit messages on the console. You cannot disable auditing itself, but you can stop audit messages from being displayed on the console with the no console audit command. By default, console audit is enabled and console logging is disabled.
You can enable or disable console logging from the command mode by using the log enable and log disable commands. You can also set log levels and log time stamp settings from the command mode by using the log command.
Syntax
Config# [no] console audit
Config# [no] console logging
    [level <none | emergency | alert | critical | error | warning | notice | info | debug>]
    [timestamp <microsecond> | <CR>]
    [<CR>]
Arguments
no
    Negate the command.
audit
    Enable or disable console auditing. Default: enabled
logging level <none | emergency | alert | critical | error | warning | notice | info | debug>
    Set the default minimum severity level for console logging. The audit and logging levels are similar to syslog and UNIX logging levels:
    • none—filter out all logging messages.
    • emergency—set the minimum log-severity level to emergency.
    • alert—set the minimum log-severity level to alert.
    • critical—set the minimum log-severity level to critical.
    • error—set the minimum log-severity level to error.
    • warning—set the minimum log-severity level to warning.
    • notice—set the minimum log-severity level to notice.
    • info—set the minimum log-severity level to info.
    • debug—set the minimum log-severity level to debug.
logging timestamp <microsecond> | <CR>
    Control whether time stamps are presented on the local messages:
    • microsecond—add microsecond reporting to time stamps.
    • <CR>—enable or disable console logging time stamps. Default: disabled
logging <CR>
    Enable or disable console logging. Default: disabled
Related Commands
See the audit buffers command in Config# “audit” on page 168.
See the log buffers command in Config# “log” on page 179.
See the log enable command in “log” on page 166.
See the log disable command in “log” on page 166.
See the log level command in “log” on page 166.
See the log timestamps enable microsecond command in “log” on page 166.
debug
Use the debug command to enable or disable event logging at different levels for different gateway subsystems.
Syntax
Config# [no] debug [anti-spoofing]
    [app-clustering <debug | error | info | none>]
    [cluster <all | connectivity | default | event | load-balancing | membership | workspace>]
    [dhcp-server <all | bootp-forwarder | client-db | communications | packets | parse | ping-check | ras>]
    [ike <all | attribute | basic | cluster | cookie | death | default | download | event | header | id | io | isadb | locking | notify | options | payload | policy | rekey | ring | route | saapi | state>]
    [ipsec <all | basic | cluster | death | default | event | mapping | pending | rekey | selector>]
    [ipsrd <bgp <cluster | keepalive | open | update | <CR>>
          | global <cluster | normal | policy | route | state | task | timer | <CR>>
          | ipsec-peer <cluster | packet <<peer-id> | <CR>> | proxy | route | <CR>>
          | ospf <ack | cluster | dd | drelect | hello | lsa | lsr | lsu | spf | <CR>>
          | rip <request | response | <CR>>>]
    [monitor <debug | default | error | info | <CR>>]
    [nat]
    [ntp <debug | default | error | info | none>]
    [ppp <all | authentication | ccp | detailed | ipcp | lcp | negotiations | protocol>]
    [radius <accounting | all | attributes | authentication | authorization | cluster | packets>]
    [vpdn <all | cluster | detailed | l2tp | pptp>]
    [cfg_server <all | boot | commands | communication | events | files | flow | geninfo>]
    [chat <all | chat>]
    [dgwp <all | cluster <communication | server> | communication <cluster | server> | server <cluster | communication>>]
    [dhcp-client <all | misc | packet | packet-dump | parse | state>]
    [dialupd <all | chat | dialup | err | gen | ipc | ppp | stm>]
    [dialupoob <all | cfg | dlpoob | err | gen | ipc | stm>]
    [ldap <acl | all | any | args | ber | config | conns | daemon | deprecated | filter | ipc | none | packets | parse | shell | stats | stats2 | trace>]
    [oob <all | chat | err | gen | ipc | oob | ppp | stm>]
    [pkid <all | misc>]
    [scep <all | bio | ca | cmds | http | keys | misc | nvdt | pkcs>]
    [schedule <all | command | execution | management | startup>]
    [sshd <all | config | events | original | scp>]
    [ssl <all | misc>]
    [userauth <all | common | ldap | local>]
    [vrrp <all | event | misc | packet | state>]
    [wanbackup <all | cfg | err | gen | ipc | rt | stm | wb>]
Arguments
no
    Negate the command.
anti-spoofing
    Enable or disable anti-spoofing debug messages.
app-clustering <debug | error | info | none>
    Configure the cluster application clustering debug level:
    • debug—enable cluster app server debug-level event logging.
    • error—enable cluster app server error-level event logging.
    • info—enable cluster app server info-level event logging.
    • none—stop cluster app server event logging.
cluster <all | connectivity | default | event | load-balancing | membership | workspace>
    Configure the cluster debug level:
    • all—all event logging.
    • connectivity—cluster connectivity logging.
    • default—default event logging.
    • event—cluster event logging.
    • load-balancing—cluster load-balancing logging.
    • membership—cluster membership logging.
    • workspace—cluster workspace assignment logging.
dhcp-server <all | bootp-forwarder | client-db | communications | packets | parse | ping-check | ras>
    Configure the DHCP server debug level:
    • all—enable all event logging.
    • bootp-forwarder—track BOOTP forwarding processing.
    • client-db—track client database processing.
    • communications—track communications processing.
    • packets—track packet-tracing processing.
    • parse—track packet parsing.
    • ping-check—track ping-check processing.
    • ras—track processing of the ignore-ras config setting.
ike <all | attribute | basic | cluster | cookie | death | default | download | event | header | id | io | isadb | locking | notify | options | payload | policy | rekey | ring | route | saapi | state>
    Select IKE debugging classes:
    • all—all event logging.
    • attribute—IKE attribute negotiation events.
    • basic—basic event logging.
    • cluster—IKE cluster processing.
    • cookie—ISAKMP cookie processing.
    • death—SA deletion events.
    • default—default event logging.
    • download—management software download logging.
    • event—general event logging.
    • header—ISAKMP header processing.
    • id—ISAKMP ID payload processing.
    • io—send or receive message logging.
    • isadb—database operation events.
    • locking—locking operations.
    • notify—ISAKMP notify payload processing.
    • options—ISAKMP options processing.
    • payload—ISAKMP payload processing.
    • policy—policy operations.
    • rekey—rekey operations.
    • ring—public- and private-key ring operations.
    • route—routing updates (PF_ROUTE).
    • saapi—kernel operations.
    • state—state machine changes.
ipsec <all | basic | cluster | death | default | event | mapping | pending | rekey | selector>
    Select IPSec debugging classes:
    • all—enable all event logging.
    • basic—enable basic event logging.
    • cluster—IPSec cluster processing.
    • death—SA deletion events.
    • default—enable default event logging.
    • event—general event logging.
    • mapping—IPSec SA mapping creation and deletion events.
    • pending—pending entry creation and deletion events.
    • rekey—IPSec rekey events.
    • selector—miscellaneous selector logging.
ipsrd
    Configure IPSRD debug activities.
ipsrd bgp <cluster | keepalive | open | update | <CR>>
    • bgp—trace BGP state.
    • bgp cluster—trace BGP clustering messages.
    • bgp keepalive—trace BGP KEEPALIVE messages.
    • bgp open—trace BGP OPEN messages.
    • bgp update—trace BGP UPDATE messages.
    • bgp <CR>—trace all BGP messages.
ipsrd global <cluster | normal | policy | route | state | task | timer | <CR>>
    • global—trace IPSRD state.
    • global cluster—trace clustering.
    • global normal—trace normal events.
    • global policy—trace policy decisions.
    • global route—trace routing table changes.
    • global state—trace state machine transitions.
    • global task—trace tasks and jobs.
    • global timer—trace timer functions.
    • global <CR>—set all of the above.
ipsrd ipsec-peer <cluster | packet <<peer-id> | <CR>> | proxy | route | <CR>>
    • ipsec-peer—trace IPSec-peering state.
    • ipsec-peer cluster—trace IPSec-peer cluster messages.
    • ipsec-peer packet—trace IPSec-peer packets.
    • ipsec-peer packet <peer-id>—trace IPSec-peer packets to and from the named peer.
    • ipsec-peer packet <CR>—trace IPSec-peer packets to and from all peers.
    • ipsec-peer proxy—trace IPSec-peer proxy routes.
    • ipsec-peer route—trace IPSec-peer routes.
    • ipsec-peer <CR>—trace all IPSec-peer messages.
ipsrd ospf <ack | cluster | dd | drelect | hello | lsa | lsr | lsu | spf | <CR>>
    • ospf—trace OSPF state.
    • ospf ack—trace link-state acknowledgment packets.
    • ospf cluster—trace OSPF clustering.
    • ospf dd—trace database description packets.
    • ospf drelect—trace designated router election.
    • ospf hello—trace hello packets.
    • ospf lsa—trace link-state advertisement (LSA) packets.
    • ospf lsr—trace link-state request packets.
    • ospf lsu—trace link-state update packets.
    • ospf spf—set SPF debugging.
    • ospf <CR>—set all of the above.
ipsrd rip <request | response | <CR>>
    • rip—trace RIP state.
    • rip request—set RIP request debugging.
    • rip response—set RIP response debugging.
    • rip <CR>—trace all RIP messages.
monitor <debug | default | error | info | <CR>>
    Configure the monitor server debug level:
    • debug—enable monitor server debug-level event logging.
    • default—enable monitor server event logging at the default level.
    • error—enable monitor server error-level event logging.
    • info—enable monitor server info-level event logging.
    • <CR>—enable monitor server event logging at the default level.
nat
    Configure NAT debug activities.
ntp <debug | default | error | info | none>
    Configure the NTP debug level:
    • debug—enable NTP debug-level event logging.
    • default—enable NTP default-level event logging.
    • error—enable NTP error-level event logging.
    • info—enable NTP info-level event logging.
    • none—stop NTP event logging.
ppp <all | authentication | ccp | detailed | ipcp | lcp | negotiations | protocol>
    Configure the PPP debugging classes:
    • all—all event logging.
    • authentication—PPP authentication.
    • ccp—CCP events.
    • detailed—detailed information.
    • ipcp—IPCP events.
    • lcp—LCP events.
    • negotiations—PPP negotiations.
    • protocol—PPP protocol.
radius <accounting | all | attributes | authentication | authorization | cluster | packets>
    Configure the RADIUS debugging classes:
    • accounting—RADIUS accounting event logging.
    • all—all RADIUS event logging.
    • attributes—RADIUS attribute event logging.
    • authentication—RADIUS authentication event logging.
    • authorization—RADIUS authorization event logging.
    • cluster—RADIUS cluster-event logging.
    • packets—RADIUS packet-event logging.
vpdn <all | cluster | detailed | l2tp | pptp>
    Configure the L2TP and PPTP (VPDN) debugging classes:
    • all—all event logging.
    • cluster—L2TP and PPTP (VPDN) cluster events.
    • detailed—detailed information.
    • l2tp—L2TP events.
    • pptp—PPTP events.
cfg_server <all | boot | commands | communication | events | files | flow | geninfo>
    Configure the configuration server debugging classes:
    • all—enable all facility groups.
    • boot—boot-related logging.
    • commands—command logging.
    • communication—communication-specific logging.
    • events—event logging.
    • files—file-access logging.
    • flow—information-flow logging.
    • geninfo—gen_info.txt-specific logging.
chat <all | chat>
    Modem chat debugging classes:
    • all—enable all facility groups.
    • chat—modem CHAT debug information.
dgwp <all | cluster <communication | server> | communication <cluster | server> | server <cluster | communication>>
    DGW proxy debugging classes:
    • all—enable all facility groups.
    • cluster—cluster debug information.
    • cluster communication—communication event debug information.
    • cluster server—server debug information.
    • communication—communication event debug information.
    • communication cluster—cluster debug information.
    • communication server—server debug information.
    • server—server debug information.
    • server cluster—cluster debug information.
    • server communication—communication event debug information.
dhcp-client <all | misc | packet | packet-dump | parse | state>
    DHCP client debugging classes:
    • all—enable all facility groups.
    • misc—DHCP client miscellaneous information.
    • packet—DHCP client packet debug.
    • packet-dump—DHCP client packet dump.
    • parse—DHCP client packet parsing.
    • state—DHCP client states.
dialupd <all | chat | dialup | err | gen | ipc | ppp | stm>
    Dialup state machine (stm) debugging classes:
    • all—enable all facility groups.
    • chat—dialup chat debug information.
    • dialup—dialup debug information.
    • err—dialup error debug information.
    • gen—dialup general debug information.
    • ipc—dialup IPC debug information.
    • ppp—dialup PPP debug information.
    • stm—dialup state machine debug information.
dialupoob <all | cfg | dlpoob | err | gen | ipc | stm>
    DialupOOB state machine (stm) debugging classes:
    • all—enable all facility groups.
    • cfg—dialupOOB configuration debug information.
    • dlpoob—dialupOOB debug information.
    • err—dialupOOB error debug information.
    • gen—dialupOOB general debug information.
    • ipc—dialupOOB IPC debug information.
    • stm—dialupOOB state machine debug information.
ldap <acl | all | any | args | ber | config | conns | daemon | deprecated | filter | ipc | none | packets | parse | shell | stats | stats2 | trace>
    LDAP application debugging classes:
    • acl—debug ACLs.
    • all—debug traces.
    • any—other debugging.
    • args—debug arguments.
    • ber—debug BER encoding.
    • config—debug configuration.
    • conns—debug connections.
    • daemon—LDAP daemon internal debug.
    • deprecated—debug deprecated features.
    • filter—debug filters.
    • ipc—daemon IPC debug.
    • none—non-listed debug.
    • packets—debug packets.
    • parse—debug parsing.
    • shell—shell debug.
    • stats—statistics debug.
    • stats2—more statistics debug.
    • trace—debug trace.
oob <all | chat | err | gen | ipc | oob | ppp | stm>
    OOB state machine (stm) debugging classes:
    • all—enable all facility groups.
    • chat—OOB chat debug information.
    • err—OOB error debug information.
    • gen—OOB general debug information.
    • ipc—OOB IPC debug information.
    • oob—OOB debug information.
    • ppp—OOB PPP debug information.
    • stm—OOB state machine debug information.
pkid <all | misc>
    PKID application debugging classes:
    • all—enable all facility groups.
    • misc—miscellaneous debug information.
scep <all | bio | ca | cmds | http | keys | misc | nvdt | pkcs>
    SCEP application debugging classes:
    • all—enable all facility groups.
    • bio—BIO debug information.
    • ca—certificate authority debug information.
    • cmds—command debug information.
    • http—HTTP debug information.
    • keys—key debug information.
    • misc—miscellaneous debug information.
    • nvdt—Nokia VPN Deployment Tool debug information.
    • pkcs—PKCS management debug information.
schedule <all | command | execution | management | startup>
    Scheduler application debugging classes:
    • all—enable all facility groups.
    • command—command-specific debug information.
    • execution—execution debug information.
    • management—schedule management debug information.
    • startup—startup debug information.
sshd <all | config | events | original | scp>
    Configure secure shell daemon (sshd) debugging classes:
    • all—enable all facility groups.
    • config—configuration details of the server.
    • events—event logging information.
    • original—original SSH debug output.
    • scp—secure copy (SCP) related debug output.
ssl <all | misc>
    Configure SSL debugging classes:
    • all—enable all facility groups.
    • misc—miscellaneous SSL debug information.
userauth <all | common | ldap | local>
Configure user authentication debugging classes:
• all—enable all facility groups.
• common—common authentication events.
• ldap—LDAP authentication events.
• local—local authentication events.
vrrp <all | event | misc | packet | state>
Virtual router debugging classes:
• all—enable all facility groups.
• event—virtual router events.
• misc—miscellaneous information.
• packet—dropped incoming VRRP packets.
• state—virtual router state change.
wanbackup <all | cfg | err | gen | ipc | rt | stm | wb>
WAN backup debugging classes:
• all—enable all facility groups.
• cfg—WB configuration debug information.
• err—WB error debug information.
• gen—WB general debug information.
• ipc—WB IPC debug information.
• rt—WB routing debug information.
• stm—WB state machine debug information.
• wb—wanbackup debug information.
Examples
Config# debug cluster event
Sets debugging activities on cluster events.
Config# debug ipsrd ospf spf state
Turns on debugging in the IPSRD OSPF subsystem for calculating the shortest path first (SPF) tree, and traces state transitions.
Related Commands
See the show debug command in “show” on page 105.
log
Use the log command to configure logging options. Log messages are stored in log buffers. The buffers are used as a ring, so new messages overwrite the oldest messages. Nokia recommends that you configure a syslog server to ensure that log messages are not lost. To display the log buffers on the terminal, enter the log enable command from the command mode.
Syntax
Config# [no] log buffers <number>
Arguments
no Negate the command.
buffers <number> Specify the number of log buffers:
• number—number of log history buffers, from one to 400. Default: 20
Related Commands
See the audit buffers command in Config# “audit” on page 168.
See the Config# “syslog” command on page 182.
See the “log” command on page 166.
pkttrace
Use the pkttrace command to:
• Enable packet trace and configure triggers.
• Log a packet matching the configured trigger.
Packet trace configuration is not clustered.
Syntax
Config# pkttrace
time <seconds>
enable <trigger [ip <A.B.C.D> | srcip <A.B.C.D> | dstip <A.B.C.D> | proto <icmp | udp <port | srcport | dstport | <CR>> | tcp <port | srcport | dstport | <CR>> | <NUMBER>] | <CR>>
disable
trigger [ip <A.B.C.D> | srcip <A.B.C.D> | dstip <A.B.C.D> | proto <icmp | udp <port | srcport | dstport | <CR>> | tcp <port | srcport | dstport | <CR>> | <NUMBER>] | <CR>
Arguments
time <seconds> Duration after which packet trace is automatically disabled:
• seconds—number of seconds. Default: 120. Enter zero (0) to set an infinite duration.
enable <trigger [ip <A.B.C.D> | srcip <A.B.C.D> | dstip <A.B.C.D> | proto <icmp | udp <port | srcport | dstport | <CR>> | tcp <port | srcport | dstport | <CR>> | <NUMBER>] | <CR>
Enable packet tracing:
• trigger—configure triggers.
Note
If no trigger is configured, packets are not logged. The trigger cannot be modified; the complete command has to be entered each time.
• trigger ip <A.B.C.D>—source or destination IP address.
• trigger srcip <A.B.C.D>—source IP address.
• trigger dstip <A.B.C.D>—destination IP address.
• trigger proto—protocol type field in the IP packet.
• trigger proto icmp—ICMP protocol.
• trigger proto udp—UDP protocol.
• trigger proto udp port—source or destination port.
• trigger proto udp srcport—source port.
• trigger proto udp dstport—destination port.
• trigger proto tcp—TCP protocol.
• trigger proto tcp port—source or destination port.
• trigger proto tcp srcport—source port.
• trigger proto tcp dstport—destination port.
• trigger proto <NUMBER>—specify the protocol number.
disable Disable packet tracing.
trigger [ip <A.B.C.D> | srcip <A.B.C.D> | dstip <A.B.C.D> | proto <icmp | udp <port | srcport | dstport | <CR>> | tcp <port | srcport | dstport | <CR>> | <NUMBER>] | <CR>
Configure triggers:
• ip—source or destination IP address.
• srcip—source IP address.
• dstip—destination IP address.
• proto—protocol type field in the IP packet.
• proto icmp—ICMP protocol.
• proto udp—UDP protocol.
• proto udp port—source or destination port.
• proto udp srcport—source port.
• proto udp dstport—destination port.
• proto tcp—TCP protocol.
• proto tcp port—source or destination port.
• proto tcp srcport—source port.
• proto tcp dstport—destination port.
• proto <NUMBER>—specify the protocol number.
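The trigger rules listed above, as an added example that is not Nokia's code: a Python model that parses a trigger, decides which constructed sample packets the gateway would log, honours the default 120-second duration, and logs nothing when no trigger is configured. All addresses, ports and packets are constructed.

```python
"""Added example, not Nokia code: a model of the pkttrace trigger semantics
described on this page. All packets, addresses and ports are constructed."""
from dataclasses import dataclass
from typing import List, Optional

PROTO_NUMBERS = {"icmp": 1, "tcp": 6, "udp": 17}  # IANA numbers for the keywords

@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: int
    sport: Optional[int] = None  # None for protocols without ports (ICMP)
    dport: Optional[int] = None

@dataclass(frozen=True)
class Trigger:
    kind: str                        # "ip", "srcip", "dstip" or "proto"
    addr: Optional[str] = None       # A.B.C.D for the address kinds
    proto: Optional[int] = None      # protocol number when kind == "proto"
    port_kind: Optional[str] = None  # "port", "srcport", "dstport" or None
    port: Optional[int] = None

def parse_trigger(words: List[str]) -> Trigger:
    """Parse the words that follow 'trigger' in the pkttrace syntax."""
    if not words:
        raise ValueError("trigger needs ip | srcip | dstip | proto")
    kind, rest = words[0], words[1:]
    if kind in ("ip", "srcip", "dstip"):
        if len(rest) != 1:
            raise ValueError(f"{kind} takes exactly one A.B.C.D address")
        return Trigger(kind=kind, addr=rest[0])
    if kind != "proto" or not rest:
        raise ValueError("expected proto <icmp | udp | tcp | NUMBER>")
    name = rest[0]
    proto = PROTO_NUMBERS[name] if name in PROTO_NUMBERS else int(name)
    if len(rest) == 1:  # bare protocol followed by <CR>
        return Trigger(kind="proto", proto=proto)
    # Only udp and tcp accept port | srcport | dstport <number>.
    if name in ("udp", "tcp") and len(rest) == 3 and rest[1] in ("port", "srcport", "dstport"):
        return Trigger(kind="proto", proto=proto, port_kind=rest[1], port=int(rest[2]))
    raise ValueError("port | srcport | dstport <N> is valid only after udp or tcp")

def matches(trig: Trigger, pkt: Packet) -> bool:
    """True when this packet would be logged under the trigger."""
    if trig.kind == "ip":  # source OR destination address
        return trig.addr in (pkt.src, pkt.dst)
    if trig.kind == "srcip":
        return pkt.src == trig.addr
    if trig.kind == "dstip":
        return pkt.dst == trig.addr
    if pkt.proto != trig.proto:
        return False
    if trig.port_kind is None:
        return True
    if trig.port_kind == "port":  # source OR destination port
        return trig.port in (pkt.sport, pkt.dport)
    if trig.port_kind == "srcport":
        return pkt.sport == trig.port
    return pkt.dport == trig.port

class PacketTrace:
    """pkttrace state on one gateway (not clustered): time, enable and trigger."""
    def __init__(self) -> None:
        self.time = 120  # seconds until auto-disable; 0 means infinite
        self.trigger: Optional[Trigger] = None
        self.enabled_at: Optional[float] = None
    def enable(self, now: float, trigger_words: Optional[List[str]] = None) -> None:
        # The trigger cannot be edited in place: every enable replaces it entirely.
        self.trigger = parse_trigger(trigger_words) if trigger_words else None
        self.enabled_at = now
    def disable(self) -> None:
        self.enabled_at = None
    def active(self, now: float) -> bool:
        if self.enabled_at is None:
            return False
        return self.time == 0 or now - self.enabled_at < self.time
    def should_log(self, pkt: Packet, now: float) -> bool:
        # Without a configured trigger nothing is logged, even while enabled.
        if self.trigger is None or not self.active(now):
            return False
        return matches(self.trigger, pkt)

def demo() -> List[str]:
    """Constructed traffic checked against 'pkttrace enable trigger proto udp dstport 500'."""
    sample = [
        Packet("192.0.2.10", "192.0.2.1", 17, 500, 500),    # IKE to the gateway
        Packet("192.0.2.10", "192.0.2.1", 17, 4500, 4500),  # NAT-T, other port
        Packet("192.0.2.1", "192.0.2.10", 6, 22, 51000),    # SSH reply, TCP
        Packet("192.0.2.10", "192.0.2.1", 1),               # ICMP, no ports
    ]
    trace = PacketTrace()
    trace.enable(now=0.0, trigger_words=["proto", "udp", "dstport", "500"])
    return [f"{p.src}>{p.dst}/{p.proto}" for p in sample if trace.should_log(p, now=1.0)]
```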
syslog
Use the syslog command to configure the syslog client. Syslog messages can be bound to the internal address to force them through a tunnel.
Syntax
Config# [no] syslog
add-server <ADDR> <all | audit | syslog> <default | internal>
delete-servers <ADDR | <CR>>
facilities <enable | disable>
level <none | emergency | alert | critical | error | warning | notice | info | debug>
timestamp <disable | enable>
Arguments
no Negate the command.
add-server <ADDR> <all | audit | syslog> <default | internal>
Add or modify a syslog server:
• ADDR—address of the syslog server to add or modify.
• all—send both types of logs.
• all default—originate audit and log messages from whichever interface is closest to the syslog server.
• all internal—originate audit and log messages from the internal interface only.
• audit—send audit log only.
• audit default—originate syslog messages from whichever interface is closest to the syslog server.
• audit internal—originate syslog messages from the internal interface only.
• syslog—send only syslog messages to this server.
• syslog default—originate syslog messages from whichever interface is closest to the syslog server.
• syslog internal—originate syslog messages from the internal interface only.
delete-servers <ADDR | <CR>>
Delete syslog servers:
• ADDR—address of the syslog server to delete.
• CR—delete all syslog servers.
facilities <enable | disable>
Enable or disable local facility text in syslog messages:
• enable—enable sending local facility names to syslog servers.
• disable—disable sending local facility names to syslog servers.
Default: disable
level <none | emergency | alert | critical | error | warning | notice | info | debug>
Set the minimum log severity level for the syslog client:
• none—disable sending syslog messages.
• emergency—set the minimum log-severity level to emergency.
• alert—set the minimum log-severity level to alert.
• critical—set the minimum log-severity level to critical.
• error—set the minimum log-severity level to error.
• warning—set the minimum log-severity level to warning.
• notice—set the minimum log-severity level to notice.
• info—set the minimum log-severity level to info.
• debug—set the minimum log-severity level to debug.
timestamp <disable | enable>
Enable or disable the local time stamp in syslog messages:
• disable—disable sending the local time stamp to syslog servers.
• enable—enable sending the local time stamp to syslog servers.
Default: disable
Examples
Config# syslog add-server 1.1.1.1 all internal
Sends both log and audit messages to the syslog server at 1.1.1.1 from the internal interface IP address.
Config# syslog timestamp enable
Attaches a local time stamp to the syslog message.
Config# syslog facilities enable
Attaches a local facility string to the syslog message.
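An added example (not Nokia's code) that models the log buffer ring from the log command together with the syslog client options above: the ring overwrites its oldest entry, level acts as a minimum severity, and each server receives only the audit or syslog kind it was added for. The wire format, the default level and applying the level to audit messages are assumptions of the example; server addresses and events are constructed.

```python
"""Added example, not Nokia code: a model of the 'log buffers' ring and of the
syslog client options on this page. Severity numbers follow RFC 5424; the
wire format, the default level and applying the level to audit messages are
assumptions of this example."""
from collections import deque
import time
from typing import Deque, Dict, List, Optional, Tuple

SEVERITY = {"emergency": 0, "alert": 1, "critical": 2, "error": 3,
            "warning": 4, "notice": 5, "info": 6, "debug": 7}

class LogRing:
    """'log buffers <number>': 1..400 buffers used as a ring (default 20)."""
    def __init__(self, buffers: int = 20) -> None:
        if not 1 <= buffers <= 400:
            raise ValueError("log buffers must be between 1 and 400")
        self.ring: Deque[str] = deque(maxlen=buffers)
        self.overwritten = 0  # messages lost because the ring was full
    def append(self, line: str) -> None:
        if len(self.ring) == self.ring.maxlen:
            self.overwritten += 1  # deque drops the oldest entry on append
        self.ring.append(line)
    def contents(self) -> List[str]:
        return list(self.ring)

class SyslogClient:
    """'syslog add-server | delete-servers | level | facilities | timestamp'."""
    def __init__(self, level: str = "none", facilities: bool = False,
                 timestamp: bool = False) -> None:
        self.set_level(level)
        self.facilities = facilities  # page default: disable
        self.timestamp = timestamp    # page default: disable
        self.servers: Dict[str, Tuple[str, str]] = {}  # ADDR -> (kind, source)
        self.sent: List[Tuple[str, str]] = []          # (ADDR, message) pairs
    def set_level(self, level: str) -> None:
        if level != "none" and level not in SEVERITY:
            raise ValueError(f"unknown level {level!r}")
        self.level = level
    def add_server(self, addr: str, kind: str, source: str) -> None:
        if kind not in ("all", "audit", "syslog") or source not in ("default", "internal"):
            raise ValueError("add-server <ADDR> <all | audit | syslog> <default | internal>")
        self.servers[addr] = (kind, source)  # adding a known address modifies it
    def delete_servers(self, addr: Optional[str] = None) -> None:
        if addr is None:  # bare <CR>: delete all syslog servers
            self.servers.clear()
        else:
            self.servers.pop(addr, None)
    def forwards(self, severity: str) -> bool:
        """Minimum-severity rule: only messages at least as severe as the level are sent."""
        return self.level != "none" and SEVERITY[severity] <= SEVERITY[self.level]
    def format(self, facility: str, severity: str, text: str, when: float) -> str:
        """Assumed wire format: [timestamp] [facility.severity] text."""
        parts = []
        if self.timestamp:
            parts.append(time.strftime("%b %d %H:%M:%S", time.gmtime(when)))
        if self.facilities:
            parts.append(f"{facility}.{severity}")
        parts.append(text)
        return " ".join(parts)
    def emit(self, kind: str, facility: str, severity: str, text: str,
             when: float) -> List[str]:
        """Deliver one 'audit' or 'syslog' message; returns the servers it reached."""
        if kind not in ("audit", "syslog") or not self.forwards(severity):
            return []
        msg = self.format(facility, severity, text, when)
        targets = [a for a, (k, _src) in self.servers.items() if k in ("all", kind)]
        self.sent.extend((a, msg) for a in targets)
        return targets

def demo() -> Tuple[List[str], int, List[str]]:
    """Constructed run: a 3-entry ring overrun by 5 messages, forwarding at level error."""
    ring = LogRing(buffers=3)
    client = SyslogClient(level="error", facilities=True, timestamp=True)
    client.add_server("1.1.1.1", "all", "internal")      # the page's own example
    client.add_server("192.0.2.50", "audit", "default")  # constructed audit-only server
    events = [("syslog", "auth", "info", "session opened"),
              ("syslog", "auth", "error", "login failed for fred"),
              ("audit", "config", "notice", "config save"),
              ("syslog", "kern", "critical", "tunnel down"),
              ("audit", "config", "alert", "admin password changed")]
    reached = []
    for i, (kind, fac, sev, text) in enumerate(events):
        ring.append(f"{fac}.{sev} {text}")  # the ring keeps every message, newest last
        reached.append(f"{text} -> {','.join(client.emit(kind, fac, sev, text, float(i)))}")
    return ring.contents(), ring.overwritten, reached
```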
Configuring User Accounts
User account configuration commands allow you to configure user accounts on a gateway so that users and clients (such as PPP, L2TP, and vpn-client) can log in to the gateway.
Configuration Mode Commands
Use the following configuration mode commands to configure user accounts on the gateway.
Command Function
login Configure user authentication entries.
sshd Configure SSH.
login
Use the login command to configure user authentication and to identify privileges for users who are allowed to obtain a shell on the cluster. The login command configures individual users, their authentication mechanism, and their privileges.
When you use RADIUS to authenticate PPP users, you need to identify the login source. One login option identifies how to authenticate various types of users, and the other login option manages the local user database.
You can configure the parameters for login from the console, Telnet, TTY, SSH, and PPP. For each of these access types you can disallow access altogether or require no authentication at all. Alternatively, you can configure an authentication database location to check for a user's username and password. When you use a RADIUS authentication method, include a second authentication method in the local database in case the RADIUS server is unavailable or times out. This is particularly important for console access.
Syntax
Config# [no] login user <username> <<encode type> <encoded password> | <cleartext password>> [<nfs <NFS uid> | privileges <admin | challenge-response | none>]
Config# login source <challenge-response <disallowed | ldap | local | radius | none> | console | ppp | ssh | telnet | tty> <disallowed | local | radius | none>
Caution
The login source none command (in the following table) allows anyone to connect to Nokia IP VPN Gateway or the network without authentication.
Arguments
no Negate the command.
login Configure user authentication entries.
user <username> [<encode type> <encoded password> | <cleartext password>] [<nfs <NFS uid> | privileges <admin | challenge-response | none>
Configure a user login record:
• username—username for this authentication record.
• encode type—password encoding version number.
• encoded password—encoded password.
• cleartext password—cleartext password.
Note
Passwords configured at the command line must be at least three characters long. If the password contains special characters such as a space, enclose the password in quotation marks.
• nfs—enter the NFS UID and GID for this user.
• nfs NFS uid—NFS user ID of this user.
• privileges—enter the login privileges for this user.
• privileges admin—administrative privileges.
• privileges challenge-response—challenge-response privileges.
• privileges none—no privileges.
source <challenge-response <disallowed | ldap | local | radius | none> | console | ppp | ssh | telnet | tty> <disallowed | local | radius | none>
Configure a source login record:
• challenge-response—source for challenge-response authentication access.
• console—console source.
• ppp—PPTP or L2TP source.
• ssh—SSH source.
• telnet—Telnet source.
• tty—TTY source.
• disallowed—disallow all logins from this source.
• ldap—logins from this source are authenticated by an LDAP server.
• local—logins from this source are authenticated by the local database.
• radius—logins from this source are authenticated by a RADIUS server.
• none—no authentication is required from this source.
Examples
Config# login source ppp radius local
The cluster first tries to authenticate the user through the configured RADIUS server or servers. Should that fail, the cluster examines the local database to allow emergency access.
Config# login user fred secret privileges admin
This command configures a user named fred with a password of secret and allows administrative privileges on the cluster.
sshd
Use the sshd command to configure SSH. First use the ssh host-key generate command to generate a host-key pair for Nokia IP VPN Gateway. You can use the sshd command only in a CLI environment. To start the SSH daemon, enter the enable sshd command.
Note
If you use VPN Manager to manage Nokia IP VPN Gateway, the SSH host key is generated at system installation time.
Syntax
Config# [no] sshd
ciphers <3des-cbc | aes128-cbc | aes192-cbc | aes256-cbc | blowfish-cbc>
[connectionsperperiod <num-connections> <seconds>]
[deny-password-auth <user | <CR>>]
[interface <eth-1 | eth-2 | eth-3 | eth-4 | all>]
[logingracetime <seconds>]
port <port-num>
public-key user <user_name> <tftp <tftp_path>> | <CR>>
Config# sshd [host-key <generate-SSL | show>]
Arguments
ciphers <3des-cbc | aes128-cbc | aes192-cbc | aes256-cbc | blowfish-cbc>
Set cipher names for the SSH server. You can enter more than one cipher at a time. By default, all ciphers are enabled:
• 3des-cbc—use the 3DES cipher.
• aes128-cbc—use the AES-128 cipher.
• aes192-cbc—use the AES-192 cipher.
• aes256-cbc—use the AES-256 cipher.
• blowfish-cbc—use the Blowfish cipher.
Note
You must specify at least one cipher.
no sshd ciphers Removes the active cipher list and enables all of the default ciphers.
connectionsperperiod <num-connections> <seconds>
Sets the rate limit on SSH connections and configures the SSH server to allow a specified number of connections in the specified time. Default: no rate limit is applied.
• num-connections—connections per interval.
• seconds—number of seconds.
Note
This command protects the SSH server from denial of service attacks.
no sshd connectionsperperiod
Sets the number of connections and seconds parameters to zero (0).
deny-password-auth <user | <CR>>
Disable password authentication:
• user—user name for which to disable password authentication.
• CR—disable password authentication for all SSH users.
no sshd deny-password-auth [<username>]
Enable password authentication for the given user. If no user name is given, this command enables password authentication in the SSH server.
• username—user name for which to enable password authentication.
Default: allow password authentication for all users.
host-key <generate-SSL | show>
Options for the SSHD host identification DSA key:
• generate-SSL—generate the SSL DSA key for use with SSH.
• show—show the public host DSA key.
Note
You cannot generate the host key by using this command if the host key was generated by using VPN Manager.
interface <eth-1 | eth-2 | eth-3 | eth-4 | all>
Enable SSH on the specified interface:
• eth-1—name of the interface.
• eth-2—name of the interface.
• eth-3—name of the interface.
• eth-4—name of the interface.
• all—enable all interfaces.
Default: SSH runs on all interfaces.
no sshd interface Disables SSHD on the specified interface and enables SSHD on all of the other interfaces.
logingracetime <seconds>
Sets the login grace time for the user authentication process. If the user is not authenticated within the number of seconds specified, the connection is terminated.
• seconds—timeout for authentication.
Default login grace time: 600 seconds
no sshd logingracetime Resets the login grace time to 600 seconds.
port <port-num> Sets the port number for SSHD to listen on:
• port-num—port number. The port number must be between 1 and 65535.
Default port number: 22
public-key user <user_name> <tftp <tftp_path>> | <CR>
Takes the user name for public key authentication.
Note
Ensure that a valid user account exists before you use this command.
• user_name—name of the user.
• tftp_path—TFTP path for the public key of the user.
• CR—give the public key.
Note
To terminate public key configuration, enter the .newline command on a new line at the end of the configuration. The public key supplied can be in the OpenSSH or SECSH format.
no sshd public-key user Removes the specified user from the public key authentication database.
Examples
Config# ssh ciphers blowfish-cbc
Sets SSH to use Blowfish-CBC.
Config# ssh connectionsperperiod 10 20
Allows 10 connections every 20 seconds.
Config# ssh host-key generate-SSL
Generates the DSA key used to secure connections. Normally a key generated for the VPN Manager connection is used, but if VPN Manager is not running, a key must be generated from the command line.
Config# ssh interface eth-1
Sets SSH to accept connections on eth-1 only.
Config# ssh logingrace 10
Sets 10 seconds before login timeout (must restart login).
Config# ssh port 500
Sets SSH to wait on port 500 rather than the standard port 22.
Related Commands
See the login user command in Config# “login” on page 184.
See the enable sshd command in Config# “enable” on page 129.
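An added example (not Nokia's code) that models the sshd connectionsperperiod sliding window, the logingracetime expiry and the deny-password-auth controls from the arguments above, run against constructed connection attempts using the 10-per-20-seconds values from the examples. That the bare no sshd deny-password-auth also clears per-user denials is an assumption of the example.

```python
"""Added example, not Nokia code: a model of the sshd connectionsperperiod
rate limit, the logingracetime timeout and the deny-password-auth controls
on this page. Connection ids and arrival times are constructed."""
from collections import deque
from typing import Deque, Dict, List, Optional, Set

class SshdPolicy:
    """Page defaults: no rate limit, 600 s grace time, port 22, password auth allowed."""
    def __init__(self) -> None:
        self.num_connections = 0  # 0 and 0: rate limit not applied
        self.seconds = 0
        self.login_grace = 600
        self.port = 22
        self.deny_password_all = False
        self.deny_password_users: Set[str] = set()
        self.window: Deque[float] = deque()   # accept times inside the current period
        self.pending: Dict[int, float] = {}   # connection id -> accept time

    # configuration commands
    def connectionsperperiod(self, num_connections: int, seconds: int) -> None:
        if num_connections < 0 or seconds < 0:
            raise ValueError("both values must be zero or positive")
        self.num_connections, self.seconds = num_connections, seconds
    def no_connectionsperperiod(self) -> None:
        self.num_connections = self.seconds = 0  # back to no limit
    def logingracetime(self, seconds: int) -> None:
        if seconds <= 0:
            raise ValueError("grace time must be a positive number of seconds")
        self.login_grace = seconds
    def set_port(self, port_num: int) -> None:
        if not 1 <= port_num <= 65535:
            raise ValueError("port number must be between 1 and 65535")
        self.port = port_num
    def deny_password_auth(self, user: Optional[str] = None) -> None:
        if user is None:  # bare <CR>: all SSH users
            self.deny_password_all = True
        else:
            self.deny_password_users.add(user)
    def no_deny_password_auth(self, user: Optional[str] = None) -> None:
        # Assumption: the bare form re-enables password auth server-wide and
        # clears per-user denials too.
        if user is None:
            self.deny_password_all = False
            self.deny_password_users.clear()
        else:
            self.deny_password_users.discard(user)

    # runtime checks
    def password_auth_allowed(self, user: str) -> bool:
        return not self.deny_password_all and user not in self.deny_password_users
    def accept(self, conn_id: int, now: float) -> bool:
        """Admit a new connection unless the sliding-window limit is reached."""
        if self.num_connections and self.seconds:
            while self.window and now - self.window[0] >= self.seconds:
                self.window.popleft()  # older than one period: no longer counted
            if len(self.window) >= self.num_connections:
                return False  # limit reached: the connection is refused
            self.window.append(now)
        self.pending[conn_id] = now
        return True
    def expire(self, now: float) -> List[int]:
        """Terminate connections that have not authenticated within the grace time."""
        dead = [c for c, t in self.pending.items() if now - t >= self.login_grace]
        for c in dead:
            del self.pending[c]
        return dead
    def authenticated(self, conn_id: int, now: float) -> bool:
        """Finish authentication; False if the connection was never admitted or has expired."""
        self.expire(now)
        return self.pending.pop(conn_id, None) is not None

def demo() -> List[int]:
    """'ssh connectionsperperiod 10 20' from the examples: 12 constructed attempts."""
    policy = SshdPolicy()
    policy.connectionsperperiod(10, 20)
    # eleven attempts one second apart, then one more 20 s after the first
    arrivals = [(i, float(i)) for i in range(11)] + [(11, 20.0)]
    return [cid for cid, t in arrivals if policy.accept(cid, t)]
```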
4 Configuring Public Key Infrastructure
This chapter describes how to use the Public Key Infrastructure (PKI) configuration mode, the PKI configuration mode commands, and the tasks that you can accomplish by using this mode. PKI configuration mode allows you to configure and view PKI, and public- and private-keys for Nokia IP VPN Gateway.
Entering and Exiting PKI Configuration Mode
Use the following commands to enter or exit PKI configuration mode:
To enter PKI configuration mode, enter one of the following commands from the command mode prompt:
> config pki
> configure pki
The prompt changes to config_pki#. To exit PKI configuration mode and return to command mode, enter the exit command at the PKI configuration prompt:
config_pki# exit
Committing PKI Configuration Commands to Memory
Changes made in the PKI configuration mode take effect immediately and remain in memory until the system is rebooted. To commit PKI configuration commands to flash memory, enter the following command from the command mode:
> config save
Saving Changes to a Cluster
To save changes made to a cluster, switch to the command mode on the master node and enter the following command:
> config save cluster
Caution
All PKI configuration for a cluster must be performed only on the master node of the cluster.
PKI Configuration Tasks
Table 8 lists the tasks you can accomplish from the PKI configuration mode, and the relevant commands.
Table 8 PKI Configuration Mode Commands
Command Task
ca Generate a public- or private-key pair and a certificate signing request (CSR), or create an internal certificate authority. This command also manages services available to the CA, including CRL retrieval and management of device certificates.
certificate Install a device certificate, a trusted root certificate, a CryptoConsole management certificate, or an intermediary CA certificate.
public-key Install a raw public key.
Installing Certificates
To use public certificates to establish secure communications between Nokia IP VPN Gateway and other devices, you must:
1. Generate a Certificate Signing Request (CSR) for the gateway.
2. Obtain the certificate from an internal or public Certificate Authority (CA). You can establish an internal CA on the gateway and issue your own certificate, or send the CSR to an external CA.
3. Use the certificate command to install the certificate on the gateway. For more information about the certificate command, see certificate on page 208.
You must also install certificates on the gateway to identify CAs that you trust to sign certificates. To allow remote management of the gateway, you must install another certificate to establish a remote SSL session between the gateway and VPN Manager. You can install a raw public key to establish a secure session between the gateway and another device when you do not need a public certificate to identify the owner of the public key.
Viewing Your PKI Configuration
You can view the current PKI configuration by using the following command mode commands:
show configuration pki
show key info
show configuration pki
Use the show configuration pki command to display the current running configuration, or the configuration as stored in flash memory.
Syntax
show configuration pki
active
private
startup
<CR>
Arguments
active Shows the current running PKI configuration, including certification authority enrollment commands, certificates for devices or trusted roots, and local public keys.
Note
The information displayed is identical to the data saved to the pki_version.dat file if you use the configuration save command.
This command does not:
• Display the private part of the public- or private-key pair.
• Parse certificates. To view PKI certificates parsed for readability, use the show key info commands.
private Shows the:
• Public- or private-key pairs known and used by this device.
• Management certificates that VPN Manager uses to secure communications with Nokia IP VPN Gateway.
startup Shows the:
• PKI configuration that is used at the next system startup.
• Contents of the pki_version.dat file, formatted for readability.
<CR> Show the active configuration.
show key info
The show key info command parses the information from the digital certificates and then displays it.
Syntax
show key info
all <brief | full>
blocked <brief | full>
certified <brief | full>
preshared <brief | full>
public <local | remote> <brief | full>
trusted-root <brief | full>
Arguments
all <brief | full> Show all keys:
• brief—show all keys.
• full—show all keys in full.
blocked <brief | full> Show certificates that have been moved to the blocked certificate list:
• brief—show blocked certified public keys.
• full—show blocked certified public keys in full.
certified <brief | full>
Show certificates for public keys that are certified:
• brief—show certified public keys.
• full—show certified public keys in full.
preshared <brief | full>
Show preshared secrets used for IKE authentication:
• brief—show preshared keys.
• full—show preshared keys in full.
public <local | remote> <brief | full>
Show public- or private-key pairs that are not certified:
• local—show local uncertified public keys.
• local brief—show local uncertified public keys.
• local full—show local uncertified public keys in full detail.
• remote—show remote uncertified public keys.
• remote brief—show remote uncertified public keys.
• remote full—show remote uncertified public keys in full detail.
trusted-root <brief | full>
Show certificates of certification authorities known as trusted roots:
• brief—show trusted certification authority root keys.
• full—show trusted certification authority root keys in full.
Differences Between show configuration pki and show key info Commands
You can show a digital certificate suitable for cut-and-paste in PKCS #10 or #12 format by using the show configuration pki active command, and show the same certificate in human-readable form by using the show key info command. To view the difference between the show configuration pki and show key info commands, consider the following partial output on a gateway called Nokia_Gateway.
show configuration pki active
Certificate as displayed by using the show configuration pki active command:
Nokia_Gateway> show configuration pki active
#
# PKI configuration written at Mon Apr 22 20:36:48 2002 GMT by *Unknown*
#
version 1.1
certificate device 6febe0e0-80c8d562-ccb21bdc-80fd7959
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
show key info
The same certificate displayed by using the show key info command:
Nokia_Gateway> show key info certified full
Certified Public Keys:
certificate id: 6febe0e0-80c8d562-ccb21bdc-80fd7959
subject name: CN=Nokia_Gateway
C=AA
issuer name: CN=Psylla CA 000118
OU=Test Lab
O=NOKIA
L=Tucson
ST=AZ
C=US
serial number: 0303bcf1000100000053
alternative name: Nokia_Gateway.NOKIA.com
alternative name: 199.79.152.1
alternative name: 207.182.35.146
not valid before: Fri Mar 29 19:49:04 2002 GMT
not valid after: Sat Mar 29 19:59:04 2003 GMT
PKI Configuration Mode Commands
Table 9 lists PKI configuration commands.
Table 9 PKI Configuration Commands
Command Description
block Add or remove a certificate from the block list.
ca Certification authority commands.
certificate Add or remove a certificate.
crl Add or remove a CRL.
exit Exit configuration mode.
keypair Add, remove, or generate a public- or private-key pair.
no Negate a command.
pkcs12 Add a certificate key pair from pkcs12.
public-key Add or remove a public key.
uuid Specify the configuration version UUID.
block
Use the block command to block a certificate. The certificate is not accepted by the gateway or the cluster to which the gateway belongs. This command prevents the use of a certificate to establish a session with a specific gateway or cluster without relying on a Certificate Revocation List (CRL). If the certificate is already known to the gateway, it can be blocked by using the block <string> or block <UUID> command. If the certificate is not installed on the gateway, then to block it you must paste in the PEM-encoded blob of that certificate.
Syntax
config_pki# block
<string>
<UUID>
<CR>
Arguments
<string> A description of the certificate.
<UUID> The UUID of the certificate.
<CR> Paste in the certificate.
Examples
config_pki# block 876b19b8-34e9a216-351d7778-5eaf329b
Blocks the certificate known by this UUID.
config_pki# block
? -----BEGIN CERTIFICATE-----
? -----END CERTIFICATE-----
? config_pki#
Blocks the certificate that is not otherwise stored in the configuration.
caThe ca command allows you to:
Generate a public- or private-key pair and a Certificate Signing Request (CSR).Establish an internal certificate authority (CA).
Syntax
config_pki# [no] ca<string>
[crl-query <crl_dp_in_child | force | password <password> | period <minutes> | protocol <http | ldap> | url <URL> |username <username>>]
[enroll <string>][enrollment certificate]
[rsa-with-sha1 <512 | 768 | 1024 | 1536 | 2048>][subject-alt-name <cluster-interface <eth-1 | eth-2| eth-3 | eth-4 | loop-0> | email | fqdn <string | <CR>> | eth-1 | eth-2| eth-3 | eth-4 | loop-0>]
[subject-name <common-name <string> | organizational-unit-name <string> | organization-name <string> |
198 Nokia IP VPN Gateway Command-Line Summary v6.3
PKI Configuration Mode Commands
city-or-locality <string> | state-or-province <string> | country <string>>]
[enrollment challenge <string>][enrollment entity <string>][enrollment protocol <pkcs10 | scep>][enrollment retry-count <count>][enrollment retry-period <minutes>][enrollment url <URL>][internal certificate]
[<lifetime <decimal>][rsa-with-sha1 <512 | 768 | 1024 | 1536 | 2048>][subject-alt-name <email <string> | fqdn>][subject-name <common-name <string> | organizational-unit-name <string> | organization-name <string> | city-or-locality <string> | state-or-province <string> | country <string>>]
[internal crl <enable | http_url <url> | ldap_url <url> | update_interval <decimal>>]
[internal csr <issue | lifetime <decimal>][internal generate][internal ldap <enable | server <name>][internal list_certs][internal set_cert_status <uuid>]
<active | deleted | granted | pending | revoked_aa_compromise | revoked_affiliation_changed | revoked_ca_compromise | revoked_certificate_hold | revoked_cesation_of_operation | revoked_key_compromise | revoked_priviledge_withdrawn | revoked_remove_from_crl | revoked_superseded | revoked_unspecified>]
[option <crl-optional>][uuid <uuid>]
Arguments
no Negates the command.
<string> Text description of the Certificate Signing Request (CSR) or Certificate Authority (CA).
Nokia IP VPN Gateway Command-Line Summary v6.3 199
4 Configuring Public Key Infrastructure
crl-query <crl_dp_in_child | force | password <password> | period <minutes> | protocol <http | ldap> | url <URL> | username <username>>
Enable retrieval of a Certificate Revocation List (CRL) for an external CA:
• crl_dp_in_child—the CRL Distribution Point (CRLDP) can be located either in the CA certificate or within one of the subordinate certificates that the CA issues. If the CRLDP is present within a subordinate certificate, this option must be set before you issue the force command. If certificate chains are used, this option must be set at the root CA. In addition, either every CA certificate (including intermediary CAs) carries its own CRLDP, or every CA's CRLDP must be placed in a certificate that the CA issues. A mixed scenario is not supported.
• force—retrieves the CRL for the CA. This option collects the data set by the other options of this command (if any are set) and instructs the gateway to retrieve the CRL for the specified CA. If the URL from which the CRL is retrieved is within the certificate, no overrides are necessary. By default, the CRLDP (the URL where the CRL can be found) is assumed to be in the CA certificate. If the CRLDP is placed in the subordinate certificate, see the crl_dp_in_child option. If the PKI is set up by using certificate chains and CRL checking is desired, the force command must be issued for the trusted root certificate as well as for the subordinate CA certificates. Otherwise, either CRL checking is not enabled (if the force command is not issued for the top-level CA) or certificates are not valid during IKE, resulting in an error message (if the CRL has not been retrieved or specified for a subordinate CA).
• password—set the password for LDAP login.
• period <n>—override the retry period, where <n> is in minutes.
• protocol—indicate the protocol used to retrieve the CRL. This option is used if the url option is set. The URL must match the protocol type.
• protocol http—HTTP.
• protocol ldap—LDAP.
• url—URL where the CRL can be found. Can be LDAP or HTTP.
• username—set the username for LDAP login.
enroll <string> Generate a CSR according to the options set by using the enrollment subcommand.
enrollment certificate <rsa-with-sha1 <512 | 768 | 1024 | 1536 | 2048>>
Use this subcommand to specify the options to use for generating the CSR:
• rsa-with-sha1—RSA key with SHA-1 hash.
• rsa-with-sha1 512—use a 512-bit RSA modulus.
• rsa-with-sha1 768—use a 768-bit RSA modulus.
• rsa-with-sha1 1024—use a 1024-bit RSA modulus.
• rsa-with-sha1 1536—use a 1536-bit RSA modulus.
• rsa-with-sha1 2048—use a 2048-bit RSA modulus.
enrollment certificate <subject-alt-name <cluster-interface <eth-1 | eth-2 | eth-3 | eth-4 | loop-0> | email | fqdn | eth-1 | eth-2 | eth-3 | eth-4 | loop-0>>
Note: Use the following keywords with the enrollment certificate or internal certificate subcommands to identify information for a CSR or CA certificate.
Identifies optional information for a CSR or CA certificate:
• cluster-interface <eth-1 | eth-2 | eth-3 | eth-4 | loop-0>—include a cluster interface address in subject-alt-name.
• email <string>—email address to include in the certificate.
Note: This command is only used with device certificates.
• fqdn—FQDN currently assigned to the gateway.
Note: FQDN includes the FQDN for the node, not for the cluster.
• fqdn <string>—string for the FQDN.
• fqdn CR—use the default string.
• eth-1—IP address currently assigned to this interface.
• eth-2—IP address currently assigned to this interface.
• eth-3—IP address currently assigned to this interface.
• eth-4—IP address currently assigned to this interface.
• loop-0—name of the interface to configure.
enrollment certificate <subject-name <common-name <string> | organizational-unit-name <string> | organization-name <string> | city-or-locality <string> | state-or-province <string> | country <string>>>
Identifies required information for a CSR or CA certificate:
• common-name <string>—common name to include in the DN for the certificate.
Note: You must enter the common name.
• organizational-unit-name <string>—organizational unit name (department) to include in the DN for the certificate.
• organization-name <string>—organization name to include in the DN for the certificate.
• city-or-locality <string>—city or locality to include in the DN for the certificate.
• state-or-province <string>—state or province to include in the DN for the certificate.
• country <string>—country to include in the DN for the certificate.
enrollment challenge <string>
Configure the behavior of the enroll command:
• challenge <string>—enrollment challenge phrase for SCEP.
enrollment entity <string> SCEP entity name.
enrollment protocol <pkcs10 | scep>
Configure the enrollment protocol:
• protocol pkcs10—generate the CSR by using a PKCS10 certificate signing request.
• protocol scep—enroll by using online enrollment.
enrollment retry-count <count> Maximum number of times to poll for SCEP certificate enrollment.
enrollment retry-period <minutes> SCEP enrollment retry frequency in minutes.
enrollment url <URL> SCEP enrollment URL.
internal certificate lifetime <decimal> Configure the certificate validity period (in months).
internal certificate <rsa-with-sha1 <512 | 768 | 1024 | 1536 | 2048>>
Use this command to identify the options to use when generating an internal CA with the internal generate subcommand:
• rsa-with-sha1—RSA key with SHA-1 hash.
• rsa-with-sha1 512—use a 512-bit RSA modulus.
• rsa-with-sha1 768—use a 768-bit RSA modulus.
• rsa-with-sha1 1024—use a 1024-bit RSA modulus.
• rsa-with-sha1 1536—use a 1536-bit RSA modulus.
• rsa-with-sha1 2048—use a 2048-bit RSA modulus.
internal certificate <subject-alt-name <email <string> | fqdn>>
Configure the certificate subject alternative name:
• email <string>—email address to include in the certificate.
Note: This command is only used with device certificates.
• fqdn—FQDN currently assigned to the gateway.
internal certificate <subject-name <common-name <string> | organizational-unit-name <string> | organization-name <string> | city-or-locality <string> | state-or-province <string> | country <string>>>
Configure the certificate subject name:
• common-name <string>—common name to include in the DN for the certificate.
Note: You must enter the common name.
• organization-name <string>—organization name to include in the DN for the certificate.
• organizational-unit-name <string>—organizational unit name (department) to include in the DN for the certificate.
• city-or-locality <string>—city or locality to include in the DN for the certificate.
• state-or-province <string>—state or province to include in the DN for the certificate.
• country <string>—country to include in the DN for the certificate.
internal crl <enable | http_url <url> | ldap_url <url> | update_interval <decimal>>
Modify CRL publishing options:
• enable—enable generation of the CRL.
• http_url <url>—set the HTTP URL for retrieving the CRL.
• ldap_url <url>—set the LDAP URL for retrieving the CRL.
• update_interval <decimal>—set the CRL update interval.
internal csr <issue | lifetime>
Options and commands for generating device certificates issued by the internal CA:
• issue—issue a certificate. Paste in the CSR generated on the destination gateway and a certificate is issued.
• lifetime—follow this keyword with the number of months before the CA certificate expires.
internal generate Use this command to generate an internal CA according to the options set by using the internal certificate subcommand.
internal ldap <enable | server <name>>
Modify LDAP options:
• enable—enable publishing of issued certificates to the LDAP server.
• server—set the LDAP server to use for publishing.
• server <name>—name of the LDAP server set up for storage.
internal list_certs List the certificates that the CA issues and their status.
internal set_cert_status <uuid> <active | deleted | granted | pending | revoked_aa_compromise | revoked_affiliation_changed | revoked_ca_compromise | revoked_certificate_hold | revoked_cesation_of_operation | revoked_key_compromise | revoked_priviledge_withdrawn | revoked_remove_from_crl | revoked_superseded | revoked_unspecified>
Set the status of a device certificate that this CA issues:
• <uuid>—UUID of the device certificate.
• active—certificate is active.
• deleted—certificate is deleted.
• granted—certificate is granted but not yet retrieved.
• pending—certificate is pending.
• revoked_aa_compromise—certificate is revoked because of an AA compromise.
• revoked_affiliation_changed—certificate is revoked because of an affiliation change.
• revoked_ca_compromise—certificate is revoked because the CA was compromised.
• revoked_certificate_hold—certificate is on hold.
• revoked_cesation_of_operation—certificate is revoked because of a cessation of operation.
• revoked_key_compromise—certificate is revoked because of a key compromise.
• revoked_priviledge_withdrawn—certificate is revoked because a privilege was withdrawn.
• revoked_remove_from_crl—certificate is revoked and removed from the CRL.
• revoked_superseded—certificate is revoked because it is superseded.
• revoked_unspecified—certificate is revoked for unspecified reasons.
option crl-optional CRL processing is not absolutely required for this CA. If the CRL was requested but is not available for some reason, certificate processing can continue if this option is enabled; otherwise an error occurs.
uuid <string> The unique identifier for the certificate to be associated with an internal CA.
Command Usage Scenarios
To generate a CSR, use the following command:
config_pki# ca <string> enroll
To set the options used when generating the CSR, use the following command:
config_pki# ca <string> enrollment certificate [rsa-with-sha1 <number of bits>] subject-name <entry> [subject-alt-name <entry>]
To set the options for CA enrollment, including SCEP parameters, use the following command:
config_pki# ca <string> enrollment [challenge <phrase> | entity <scep-entity> | protocol [<scep> | <pkcs10>] | retry-count <number> | retry-period <minutes> | url <url>]
To generate an internal CA, use the following command:
config_pki# ca <string> internal generate
To set the options used when generating an internal CA, use the following command:
config_pki# ca <string> internal certificate <subject-name <entry> [subject-alt-name <entry>] | lifetime <number of months> | rsa-with-sha1 <number-of-bits>>
To associate the UUID of a certificate with an internal CA, use the following command:
config_pki# ca <string> uuid <UUID>
To set options for CRL usage with a CA, use the following commands:
config_pki# ca <string> option crl-optional
config_pki# ca <string> crl-query [crl_dp_in_child | force | password <pw> | period <minutes> | protocol <http | ldap> | url <url> | username <username>]
To sign a certificate with the internal CA, use the following command:
config_pki# ca <string> internal csr issue
Examples
The following commands generate a CSR, identified as Baltimore, for the device Baltimore EE, with a key size of 1024. The IP addresses of both gateway interfaces are included in the subject-alt-name attribute. You can deliver the CSR generated with these commands to a public CA, or use the CSR to generate your own certificate if you are using an internal CA.
The following commands generate a CSR:
config_pki# ca baltimore enrollment certificate rsa-with-sha1 1024
config_pki# ca baltimore enrollment certificate subject-name common-name "Baltimore EE"
config_pki# ca baltimore enrollment certificate subject-alt-name eth-1
config_pki# ca baltimore enrollment certificate subject-alt-name eth-2
config_pki# ca baltimore enrollment protocol pkcs10
config_pki# ca baltimore enroll <string>
The following commands establish the internal CA, Baltimore CA:
config_pki# ca "Baltimore CA" internal certificate rsa-with-sha1 1024
config_pki# ca "Baltimore CA" internal certificate lifetime 12
config_pki# ca "Baltimore CA" internal certificate subject-name common-name Baltimore
config_pki# ca "Baltimore CA" internal certificate subject-name organization-name mycompany
config_pki# ca "Baltimore CA" internal certificate subject-name organizational-unit-name engineering
config_pki# ca "Baltimore CA" internal certificate subject-name city-or-locality Baltimore
config_pki# ca "Baltimore CA" internal certificate subject-name state-or-province MD
config_pki# ca "Baltimore CA" internal certificate subject-name country US
config_pki# ca "Baltimore CA" internal certificate subject-alt-name fqdn
certificate
Use the certificate command to add or remove a certificate used to establish secure communications between the gateway and other devices.
Syntax
config_pki# certificate [device <<string> | <UUID>>] [intermediary-ca <<string> | <UUID>>] [management <device <string> | trusted-root <string>>] [other <<string> | <UUID>>] [trusted-root <<string> | <UUID>>]
Arguments
device <<string> | <UUID>> Install a device certificate to enable secure communications between the gateway and other devices:
• string—description of the certificate.
• UUID—UUID of the certificate.
intermediary-ca <<string> | <UUID>> Inserts an intermediary CA certificate. This is a certificate that might be part of a certificate chain, or that can issue other CA certificates as well as device certificates. However, it is not a trusted root. Intermediary CAs are used when a certificate chain is needed to provide a chain from the device certificate to a trusted root.
• string—description of the certificate.
• UUID—UUID of the certificate.
management <device <string> | trusted-root <string>> Install a certificate to enable an SSL session between the gateway and the management console:
• device—install a certificate to use when establishing a remote management connection.
• device string—description of the certificate.
• trusted-root—install a certificate that allows the gateway to accept certificates signed by a specific CA when establishing a remote management connection.
• trusted-root string—description of the certificate.
other <<string> | <UUID>> Other certificates (that is, certificates that are not of type device, intermediary-ca, management, or trusted-root, and that do not belong to any of the other categories mentioned in this section):
• string—description of the certificate.
• UUID—UUID of the certificate.
trusted-root <<string> | <UUID>> Install a trusted root certificate:
• string—description of the certificate.
• UUID—UUID of the certificate.
Examples
The following command installs a device certificate to allow the gateway to establish secure communications with other devices.
config_pki# certificate device "Baltimore"
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
crl
Use the crl command to add or remove a Certificate Revocation List (CRL) to or from the gateway. CRLs, which are issued and maintained by a Certificate Authority (CA), identify certificates that are not valid and cannot be accepted for establishing secure communications. For information about dynamic CRL retrieval, see ca on page 198.
Syntax
config_pki# crl <string> <UUID>
Arguments
<string> Description of the CRL.
<UUID> UUID of the CRL.
exit
Use the exit command to exit PKI configuration mode.
keypair
Use the keypair command to add, remove, or generate a public- or private-key pair.
Syntax
config_pki# keypair generate rsa [<512 <string> | 768 <string> | 1024 <string> | 1536 <string> | 2048 <string>>]
config_pki# keypair pin <<string> | <UUID>>
Arguments
generate rsa <512 <string> | 768 <string> | 1024 <string> | 1536 <string> | 2048 <string>> Generate or replace a key pair:
• 512—generate an RSA key with a length of 512 bits.
• 768—generate an RSA key with a length of 768 bits.
• 1024—generate an RSA key with a length of 1024 bits.
• 1536—generate an RSA key with a length of 1536 bits.
• 2048—generate an RSA key with a length of 2048 bits.
• string—description of the key pair.
pin <<string> | <UUID>> The PIN used to encrypt the key pair:
• string—description of the key pair.
• UUID—UUID of the key pair.
Examples
The following command generates a key pair with a length of 1024 bits and the name secret.
config_pki# keypair generate rsa 1024 secret
no
Use the no command to negate a command.
pkcs12 device
Use the pkcs12 device command to add a certificate key pair from PKCS#12.
Syntax
config_pki# pkcs12 device <<string> | <UUID>>
Arguments
device <<string> | <UUID>>
• string—description of the PKCS#12 certificate.
• UUID—UUID of the certificate.
public-key
Use the public-key command to install or remove a public key where a raw public key is needed to establish secure communications between devices.
Syntax
config_pki# public-key default <UUID>
config_pki# public-key local <<string> | <UUID>>
config_pki# public-key remote <<string> | <UUID>>
Arguments
default <UUID> Set the default public key:
• UUID—UUID of the public key to use as the default.
local <<string> | <UUID>> The public key is a local device key:
• string—description of the public key.
• UUID—UUID of the public key.
remote <<string> | <UUID>> The public key is a remote device key:
• string—description of the public key.
• UUID—UUID of the public key.
uuid
Use the uuid command to assign a unique identifier to any certificate.
Syntax
config_pki# uuid <uuid>
Arguments
uuid <uuid> Configure the configuration version UUID:
• UUID—UUID of the configuration version.
Examples
config_pki# uuid 000000de-9bf140c5-c690c9c4-00000ede
config_pki# uuid d4fc7441-8211d411-af720050-5a01100e
Integrating with Third-Party CAs
To request a certificate from a third-party CA
1. Make the trusted CA known to Nokia IP VPN Gateway.
2. Match the trusted CA certificate with a UUID.
3. Define parameters for the local gateway enrollment.
4. Generate the public- or private-key pair, and the Certificate Signing Request (CSR).
5. Have your CA sign the CSR.
6. Store the signed certificate in Nokia IP VPN Gateway.
To issue a third-party CA certificate with cut-and-paste
1. Make the trusted CA known to Nokia IP VPN Gateway.
Retrieve the certificate for the CA. The format supported by Nokia IP VPN Gateway is a Base-64 encoded PKCS binary large object.
2. Using cut-and-paste and the certificate trusted-root command, name the CA and enter the certificate into Nokia IP VPN Gateway. In the following example, the CA is named Nokia_CA:
Nokia_Gateway> config pki
config_pki# certificate trusted-root Nokia_CA
? -----BEGIN CERTIFICATE-----
? -----END CERTIFICATE-----
config_pki# exit
Nokia_Gateway>
3. Match the trusted CA certificate with a UUID.
The trusted certificate is in the certificate store, but must be mapped to a UUID. Internally, the PKI configuration mode uses UUIDs rather than text labels.
Use the show key info trusted-root brief command to view the CA certificate and capture the UUID there. Then re-enter PKI configuration mode to match that UUID to the Nokia_CA certification authority:
Nokia_Gateway> show key info trusted-root brief
Trusted Certification Authority Root Keys:
trusted root id: f0b36979-b0f8d02a-37245ffa-f677e634
subject name: Psylla CA 000118
NOKIA
Tucson
AZ
US
Nokia_Gateway> config pki
config_pki# ca NOKIA uuid f0b36979-b0f8d02a-37245ffa-f677e634
config_pki#
4. Define parameters for the local gateway enrollment.
The certification authority was matched to its certificate and can be used in the ca commands to define enrollment parameters. You can now define all of the parameters you require in the CSR for this local gateway. This means, at a minimum, a common name in the subject (as required by X.509) and one or more subject-alternative-name fields, which Nokia IP VPN Gateway uses as part of the IKE authentication process.
Nokia_Gateway> config pki
config_pki# ca Nokia enrollment certificate rsa-with-sha1 1024
config_pki#
config_pki# ca Nokia enrollment certificate subject-name country AA
config_pki# ca Nokia enrollm ce subject-n organization-name "Nokia"
config_pki# ca Nokia enrollm ce subject-n city McMurdo
config_pki# ca Nokia enrollm ce subject-n common-name Nokia_Gateway.Nokia.com
config_pki#
config_pki# ca Nokia enrollm ce subject-alt-name eth-1
config_pki# ca Nokia enrollm ce subject-alt-name eth-2
config_pki#
Note: The ca enrollment certificate subject-alt-name command does not include the real IP address of the gateway in the configure pki command, but refers to the address symbolically. The PKI configuration extracts the appropriate IP addresses from the system configuration. For a clustered gateway, you must use the symbols cluster-interface <interface name>. If you change the cluster or node address, the certificate needs to be re-enrolled and re-signed by the CA.
5. Generate the public- or private-key pair, and the CSR.
Use the ca command to generate a public- or private-key pair and the CSR. This CSR is then sent by cut-and-paste (PKCS #10 format, Base64 encoded) to the CA for signing:
config_pki# ca Nokia enrollment protocol pkcs10
config_pki# ca Nokia enroll Nokia_Gateway-Nokia
-----BEGIN CERTIFICATE REQUEST-----
-----END CERTIFICATE REQUEST-----
config_pki#
6. Have your CA sign the CSR.
Consult the manager of your certification authority for the correct procedure.
7. Store the signed certificate in Nokia IP VPN Gateway.
When the CSR is signed by the CA, return it to Nokia IP VPN Gateway by using cut-and-paste, and store it in the local certificate store. The format is PKCS, Base64 encoded. Save the local certificate by using the certificate device command, which stores certificates for the local gateway. When the certificate is stored, you must save the PKI configuration to flash memory so that the public- or private-keys are not lost. If a significant delay occurs between the certificate enrollment generation and the actual signing, perform an intermediate configure save or config save cluster command in case the system is rebooted for any reason before the certificate can be signed.
config_pki# certificate device Nokia_Gateway-Nokia
? -----BEGIN CERTIFICATE-----
? -----END CERTIFICATE-----
config_pki# exit
Nokia_Gateway> config save
Nokia_Gateway>
The Simple Certificate Enrollment Protocol (SCEP) process automates the retrieval of a new device certificate. This process is similar to the cut-and-paste process. The only difference is that the enrollment protocol is set to SCEP instead of PKCS10 just before the public- or private-key pair is generated.
To use SCEP to issue a third-party CA certificate
1. Follow steps 1 through 3 of To issue a third-party CA certificate with cut-and-paste on page 213.
2. Generate the public- or private-key pair, and the CSR.
Use the ca command to generate a public- or private-key pair and the CSR. This CSR is then sent by SCEP to the CA for signing. The following example lists the Microsoft Windows 2000 CA and its SCEP configuration.
Note: Certification authorities have different enrollment URL and query URL values, as well as IP addresses.
The following example is for a gateway named Nokia_GatewayOne and a CA named NOK:
config_pki# ca NOK enrollment entity NOK-SCEP
config_pki# ca NOK enrollm protocol scep
config_pki# ca NOK enrollm url http://10.24.12.34/certsrv/mscep/mscep.dll
config_pki# ca NOK enroll NOKIA-NOK
config_pki#
3. Store the signed certificate in Nokia IP VPN Gateway.
After the CA signs the CSR, it is returned to Nokia IP VPN Gateway by using the SCEP protocol and stored in the local certificate store. Use the show key info certified full command to check whether the certificate is available. If the certificate is not immediately signed by the CA, Nokia IP VPN Gateway polls for it periodically. You can use the ca <> enrollment retry-count and ca <> enrollment retry-period commands to control this behavior. After the certificate is retrieved, you must save the PKI configuration to flash memory so that the public- or private-keys are not lost. If a significant delay occurs between the certificate enrollment generation and the actual signing, you must perform an intermediate configure save command in case the system is rebooted for any reason before the certificate can be signed.
For example:
Nokia_GatewayOne> show key info cert full
Certified Public Keys:
certificate id: ee60b819-a17ddc56-db44b6be-512beb33
subject name: CN=Nokia_GatewayOne
L=Nokia_GatewayOne
ST=NOKIA_HYD
C=UR
issuer name: CN=NOK W2K CA
O=Nokia
L=Eloy
ST=AZ
C=US
serial number: 610a3a73000100000666
alternative name: 207.182.52.1
alternative name: 207.182.35.130
not valid before: Fri Mar 29 05:57:18 2002 GMT
not valid after: Sat Mar 29 06:07:18 2003 GMT
Nokia_GatewayOne> config save
Nokia_GatewayOne>
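After either enrollment procedure (cut-and-paste or SCEP), an operator wants to confirm that the certificate the gateway stored is the one that was requested: correct issuer, the subject-alt-name entries that eth-1 and eth-2 resolved to, and a validity window that covers now. The following is an added example, not part of the Nokia manual; it parses the show key info cert full output in the format shown above (the sample text is taken from that output) and applies checks whose thresholds (issuer CN, expected SANs, 30-day renewal lead time) are assumptions.

```python
"""Parse `show key info cert full` output and sanity-check the device
certificate before relying on it for IKE.

Added example, not part of the Nokia manual. The output format is taken
from the manual's own SCEP example; the checks (validity window, expected
subject-alt-names, expected issuer, renewal lead time) are assumptions
about what an operator would verify after enrollment.
"""
import re
from datetime import datetime, timedelta, timezone

# Constructed sample: the `show key info cert full` output from the manual.
SAMPLE_OUTPUT = """\
Certified Public Keys:
certificate id: ee60b819-a17ddc56-db44b6be-512beb33
subject name: CN=Nokia_GatewayOne
L=Nokia_GatewayOne
ST=NOKIA_HYD
C=UR
issuer name: CN=NOK W2K CA
O=Nokia
L=Eloy
ST=AZ
C=US
serial number: 610a3a73000100000666
alternative name: 207.182.52.1
alternative name: 207.182.35.130
not valid before: Fri Mar 29 05:57:18 2002 GMT
not valid after: Sat Mar 29 06:07:18 2003 GMT
"""

DATE_FMT = "%a %b %d %H:%M:%S %Y GMT"      # gateway timestamp format
RDN_RE = re.compile(r"^[A-Z]{1,2}=")       # bare DN component such as "ST=AZ"
DN_FIELDS = ("subject name", "issuer name")
DATE_FIELDS = ("not valid before", "not valid after")


def _utc(value):
    """Accept a datetime or an ISO date string; return an aware UTC datetime."""
    if isinstance(value, str):
        value = datetime.fromisoformat(value)
    if value.tzinfo is None:
        value = value.replace(tzinfo=timezone.utc)
    return value


def parse_show_key_info(text):
    """Return one dict per certificate found in the CLI output.

    The gateway prints a DN as 'subject name: CN=...' followed by bare
    'L=...' / 'ST=...' continuation lines, and repeats 'alternative name'
    once per SAN; both are collected into lists.
    """
    certs, cur, last_dn = [], None, None
    for raw in text.splitlines():
        line = raw.strip()
        if not line or line.endswith(":"):   # blank line or banner line
            continue
        if ": " in line:
            key, value = (part.strip() for part in line.split(": ", 1))
            if key == "certificate id":          # starts a new record
                cur = {key: value, "alternative name": []}
                certs.append(cur)
                last_dn = None
            elif cur is None:
                continue
            elif key in DN_FIELDS:
                cur[key] = [value]
                last_dn = key
            elif key == "alternative name":
                cur[key].append(value)
            elif key in DATE_FIELDS:
                cur[key] = _utc(datetime.strptime(value, DATE_FMT))
            else:
                cur[key] = value
        elif cur is not None and last_dn and RDN_RE.match(line):
            cur[last_dn].append(line)            # DN continuation line
    return certs


def check_certificate(cert, expected_sans, issuer_cn, now, renew_days=30):
    """Return a list of findings; an empty list means the certificate is usable.

    expected_sans: the addresses the gateway enrolled with (eth-1/eth-2 in
    the manual's example). issuer_cn: CN of the CA that was meant to sign.
    """
    now = _utc(now)
    findings = []
    if not any(rdn.startswith("CN=") for rdn in cert.get("subject name", [])):
        findings.append("subject has no common name")
    if "CN=" + issuer_cn not in cert.get("issuer name", []):
        findings.append("unexpected issuer")
    missing = set(expected_sans) - set(cert["alternative name"])
    if missing:
        findings.append("missing subject-alt-name: " + ", ".join(sorted(missing)))
    if now < cert["not valid before"]:
        findings.append("not yet valid")
    elif now > cert["not valid after"]:
        findings.append("expired")
    elif cert["not valid after"] - now < timedelta(days=renew_days):
        findings.append("expires within %d days; re-enroll" % renew_days)
    return findings


if __name__ == "__main__":
    for cert in parse_show_key_info(SAMPLE_OUTPUT):
        print(cert["certificate id"], check_certificate(
            cert, ["207.182.52.1", "207.182.35.130"], "NOK W2K CA", "2002-06-01"))
```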
5 Configuring Policy Configuration System
This chapter describes how to use the Policy Configuration System (PCS) configuration mode, the PCS configuration mode commands, and the tasks that you can accomplish by using this mode.
PCS mode allows you to create, modify, and delete policies from the command-line interface. PCS supports IKE protection suites, IKE policy groups, gateway policies, IPSec policies, IPSec clients, and selectors.
Entering and Exiting PCS Configuration Mode
Use the commands in this section to enter or exit PCS configuration mode.
To enter PCS configuration mode, enter one of the following commands from the command mode prompt:
> config policy
> configure policy
The prompt changes to config_policy#. All policies from the running system and all selectors from the security policy database (SPD) are mapped to internal PCS structures (policy templates). You can use these templates to create or modify policies.
> configure policy -map
The prompt changes to config_policy#. Selectors from the running system are not loaded into internal PCS structures and policy templates. Use this option to add a few policies or selectors to a system in which many policies and selectors are already running, because this option avoids unnecessary memory allocation.
Caution: PCS cannot check policy coherence. You must ensure that the selectors added by using this option have unique names and do not conflict with the names of existing selectors.
To exit PCS configuration mode and return to command mode, enter the exit command at the prompt:
config_policy# exit
Saving Crypto Policy Configuration to Flash Memory
Use "save" on page 222 to commit changes to flash memory.
PCS Configuration Mode Commands
PCS commands are grouped into two categories: Common PCS Commands and Specific PCS Commands.
Command Function
apply Propagate newly created and modified policies into the system.
clear Clear internal PCS policy templates.
exit Exit PCS mode.
load Load policies from the specified ASCII file.
map Map existing system policies into internal PCS templates.
save Save IKE and IPSec policies, gateway and client records, and selectors from the system into a file on flash memory.
show View internal PCS templates.
unload Store running policies and selectors to an ASCII file in the form of a commands list.
Common PCS Commands
Use the following commands to perform an individual action.
apply
Use the apply command to save newly created and modified policies to the system. Newly created or modified policies are not saved to the system automatically; they are only stored in PCS templates. You must use the apply command to propagate policies into the system.
Syntax
config_policy# apply
clear
Use the clear command to clear internal PCS policy templates.
Syntax
config_policy# clear [ipsec-map | vpn-schema | <CR>]
Arguments
ipsec-map Clear IPSec maps.
vpn-schema Clear VPN schemas.
<CR> Clear all policies.
exit
Use the exit command to exit PCS mode. All PCS internal templates are erased, and all temporarily used memory is released.
Syntax
config_policy# exit
load
Use the load command to load policies from a specified ASCII file. The ASCII file must be in the form of a commands list and must contain only those commands that are acceptable to PCS. You can access the files locally on flash memory or remotely from NFS or TFTP-ASCII.
Syntax
config_policy# load <filename>
Arguments
<filename> Load crypto policies from the file:
• filename—name of a file with crypto policy templates.
map
Use the map command to map existing system policies to internal PCS templates.
Syntax
config_policy# map [all] [client] [ike] [ipsec] [selector]
Arguments
all Map all system policies.
client Map IPSec client policy.
ike Map IKE policy.
ipsec Map IPSec policy.
selector Map SPD selectors.
save
All policies created during configuration remain in system memory only. Use the save command to save IKE and IPSec policies, gateway and client records, and selectors from the system into a file on flash memory. The save command creates a new policy download file: ipsec_policy_NNN.dat (where NNN is the next version of the configuration file).
Caution: The next time you use VPN Manager to apply changes to a Nokia AOS Ver 6.3 gateway, you will lose any PCS policies that you configured using the CLI.
Syntax
config_policy# save [<NAME> | <CR>]
Arguments
<NAME> File name on the NFS or TFTP site.
<CR> Save policy on flash memory.
show
Use the show command to view internal PCS templates. To select templates for viewing, specify a pattern. The pattern must be in the form of a regular expression applied to the name, user FQDN, or IP address, depending on the template.
Syntax
config_policy# show [all] [ike-gateway <ip <pattern>> | <CR>] [ike-group] [ike-suite] [ipsec-client <name <pattern>> | user_fqdn <pattern> | <CR>] [ipsec-gateway <ip <pattern>> | name <pattern> | <CR>] [ipsec-selector <ip <pattern>> | name <pattern> | <CR>] [ipsec-transform] [vpn-node <ip <pattern>> | name <pattern> | user_fqdn <pattern> | <CR>] [vpn-schema]
Arguments
all Show all templates.
ike-gateway <ip <pattern>> | <CR> Show IKE gateway:
• ip—view IKE gateways by IP address.
• pattern—regular expression.
• CR—view all IKE gateways.
ike-group Show IKE group.
ike-suite Show IKE protection suites.
ipsec-client <name <pattern>> | user_fqdn <pattern> | <CR> Show IPSec client policy:
• name—view IPSec clients by policy name.
• name pattern—regular expression.
• user_fqdn—view IPSec clients by user FQDN.
• user_fqdn pattern—regular expression.
• CR—view all IPSec clients.
ipsec-gateway <ip <pattern>> | name <pattern> | <CR> Show IPSec gateway policy:
• ip—view IPSec gateways by IP address.
• ip pattern—regular expression.
• name—view IPSec gateways by policy name.
• name pattern—regular expression.
• CR—view all IPSec gateways.
ipsec-selector <ip <pattern>> | name <pattern> | <CR> Show IPSec selectors:
• ip—view IPSec selectors by IP address.
• ip pattern—regular expression.
• name—view IPSec selectors by policy name.
• name pattern—regular expression.
• CR—view all IPSec selectors.
ipsec-transform Show IPSec transform.
vpn-node <ip <pattern>> | name <pattern> | user_fqdn <pattern> | <CR> Show VPN nodes:
• ip—view VPN nodes by IP address.
• ip pattern—regular expression.
• name—view VPN nodes by node name.
• name pattern—regular expression.
• user_fqdn—view VPN nodes by user FQDN.
• user_fqdn pattern—regular expression.
• CR—view all VPN nodes.
vpn-schema Show VPN schemas.
unload
The unload command stores running policies and selectors to an ASCII file in the form of a commands list. This list can then be used with the load command. The file can be a local file on flash memory, or a remote file you access by using NFS or TFTP-ASCII.
Note: Use TFTP-ASCII to ensure that the file is not read in binary format.
Syntax
config_policy# unload <filename>
224 Nokia IP VPN Gateway Command-Line Summary v6.3
Specific PCS Commands
Specific PCS CommandsUse the commands in Table 10 to enter a specific configuration mode for a particular category.
Table 10 Specific PCS Commands
The IKE, IPSec, and VPN commands, subcommands, and configuration modes are described in detail in the following sections.
IKE Policy Configuration CommandsThe following are the IKE policy configuration commands:
gatewaygroupsuite
Syntax
config_policy# [no] ikegateway <<ADDR> <ike_suite> [ipsec_transform] | <CR>>group <group_policy_name> <ike_policy_name> [<ike_policy_name>]suite <NAME>
Arguments
<filename> Unload PCS templates to a file in ASCII format:• filename—name of a file with crypto policy
templates.
Table 11
Specific PCS Command Description
ike Allow creation, modification, and deletion of IKE templates.
ipsec Allow creation, modification, and deletion of IPSec templates.
vpn Allow creation, modification, and deletion of VPN schema and nodes, and link them together.
Arguments
no Negate the command.
Nokia IP VPN Gateway Command-Line Summary v6.3 225
5 Configuring Policy Configuration System
IKE Protection Suite Configuration CommandsUse the IKE suite configuration commands to set and modify any of the following:
Authentication methodEncryption algorithmOakley groupHash algorithmIKE lifetimeFlags
Syntax
ike-suite#authentication <challenge-response | pre-shared <key> <key> | rsa-encrypt | rsa-encrypt-compat | rsa-signature>
cipher <3des | aes <<128 | 192 | 256> | <CR>> | blowfish <<40-448> | <CR>> | cast <<40-128> |<CR>> |des>
flags <check-dns | deferred-delete | dynamic-peer | fqdn | initial-contact | internal-address | nomadic | vendor-id>
hash <md5 | sha>lifetime <number>oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048>exit
gateway <<ADDR> <ike_suite> [ipsec_transform] | <CR>>
Assign or unassign a specific policy to a gateway:• ADDR—peer dotted-decimal address.• ike_suite—policy name.• ipsec_transform—available IPSec transform.• CR—exit.
group <NAME> <ike_policy_name> [<ike_policy_name>]
Create or delete IKE groups. • NAME—group policy name.• ike_policy_name—IKE policy name.• ike_policy_name—IKE policy name.
suite <NAME> Create, modify, or delete IKE protection suites.
NoteWhen you use the IKE suite command, PCS enters a special configuration mode and responds with the ike-suite# prompt. This mode allows you to set or modify IKE protection suite parameters.
Arguments
226 Nokia IP VPN Gateway Command-Line Summary v6.3
Specific PCS Commands
Arguments
authentication <challenge-response | pre-shared <key> <key>| rsa-encrypt | rsa-encrypt-compat | rsa-signature>
Set or modify an authentication method:• challenge-response—set challenge
response.• pre-shared—set preshared key.• pre-shared key—preshared key.• pre-shared key key—repeat preshared key.• rsa-encrypt—set RSA encrypt.• rsa-encrypt-compat—set RSA encrypt
compatibility mode.• rsa-signature—set digital signature.
cipher <3des | aes <<128 | 192 | 256> | <CR>> | blowfish <<40-448> | <CR>> | cast <<40-128> | <CR>> |des>
Set or modify an encryption algorithm:• 3des—set 3DES encryption algorithm.• aes <128 | 192 | 256>—set AES encryption
algorithm.• aes <CR>— use default key length (128 bits).• blowfish <40-448>—set AES encryption
algorithm.• blowfish <CR>—use default key length (128
bits).• cast <40-128>—set CAST encryption
algorithm.• cast <CR>—use default key length (128 bits).• des—set DES encryption algorithm.
flags <check-dns | deferred-delete | dynamic-peer | fqdn | initial-contact | internal-address | nomadic | vendor-id>
Set or modify IKE flags:• check-dns—do a DNS lookup on FQDN
certificates.• deferred-delete—defer the QM delete until
rekey.• dynamic-peer—mark as valid a dynamic
policy.• fqdn—use FQDN for phase 1 identity.• initial-contact—send initial-contact ISAKMP
notification. • internal-address—request an internal
address from the gateway.• nomadic—mark a client policy as valid.• vendor-id—send vendor ID payload.
hash <md5 | sha> Set a hash algorithm:• md5—set MD5 hash algorithm.• sha—set SHA hash algorithm.
lifetime <number> Set a lifetime for an IKE policy:• number—lifetime in hours.
Nokia IP VPN Gateway Command-Line Summary v6.3 227
5 Configuring Policy Configuration System
IPSec Policy Configuration CommandsThe following are the IPSec configuration commands:
cl-selectorclientgatewaygw-selectortransform
Syntax
config_policy# [no] ipseccl-selector <NAME>client <NAME>gateway <NAME>gw-selector <NAME>transform <NAME>
oakley-group <modp-768 | modp-1024 | modp-1536 |modp-2048>
Set an Oakley group:• modp-768—set modp-768 group.• modp-1024—set modp-1024 group.• modp-1536—set modp-1536 group.• modp-2048—set modp-2048 group.
exit Exit IKE suite configuration policy mode.
Arguments
Arguments
no Negate the command.
cl-selector <NAME> Set or modify an IPSec selector for a client:• NAME—IPSec client selector name.
client <NAME> Set or modify a client policy:• NAME—IPSec policy name.
gateway <NAME> Set or modify a gateway policy:• NAME—IPSec policy name.
gw-selector <NAME> Set or modify an IPSec selector for a gateway: • NAME—IPSec gateway selector name.
transform <NAME> Set or modify an IPSec transform:• NAME—IPSec transform name.
228 Nokia IP VPN Gateway Command-Line Summary v6.3
Specific PCS Commands
IPSec Client Configuration Command
Use the ipsec client command to set a client policy. At the config_policy# prompt, enter the following command:
config_policy# ipsec client <NAME>
PCS goes into a specific configuration mode and responds with the appropriate prompt: ipsec-client#.
Syntax
ipsec-client#
ca-id
id <dn <key=value[,key=value...]> | user fqdn <user@domain_name>>
oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
selector
transform
exit
Arguments
ca-id Specify CA ID.
id <dn <key=value[,key=value...]> | user fqdn <user@domain_name>>
Specify a client user FQDN or domain name:
• dn key=value—DN value.
• user fqdn <user@domain_name>—domain name.
oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
Select a PFS group:
• modp-768—set modp-768 group.
• modp-1024—set modp-1024 group.
• modp-1536—set modp-1536 group.
• modp-2048—set modp-2048 group.
• none—unset Oakley group.
selector Specify a selector for a client.
transform Specify an IPSec transform for a client.
exit Exit IPSec client configuration policy mode.

IPSec Gateway Configuration Commands
Use the ipsec gateway command to set gateway policy. At the config_policy# prompt, enter the following command:
config_policy# ipsec gateway <NAME>
PCS goes into a specific configuration mode and responds with the appropriate prompt: ipsec-gateway#.
Syntax
ipsec-gateway#
dst-addr <ADDR> <ADDR>
oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
selector
src-addr <ADDR> <ADDR>
transform
identity <FQDN> | <CR>
exit
Arguments
dst-addr <ADDR> <ADDR> IP address of a remote gateway:
• ADDR—dotted-decimal address of the primary endpoint.
• ADDR—dotted-decimal address of the backup endpoint.
oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
Select an Oakley group:
• modp-768—set modp-768 group.
• modp-1024—set modp-1024 group.
• modp-1536—set modp-1536 group.
• modp-2048—set modp-2048 group.
• none—unset Oakley group.
selector Selector for a gateway. The node autosorts selectors to move the most specific (those with the fewest wildcard values) to the top of the list and the default filter to the bottom of the list. The node searches for port numbers, then IP addresses and subnet masks.
src-addr <ADDR> <ADDR> IP address of a local gateway:
• ADDR—dotted-decimal address of the primary endpoint.
• ADDR—dotted-decimal address of the backup endpoint.
transform IPSec transform for a gateway.
identity <FQDN> | <CR>
• FQDN—identity of a dynamic peer in FQDN form.
• CR—clear identity.
Note
If identity is defined, dst-addr must not be defined.
exit Exit IPSec gateway configuration policy mode.
IPSec CL-Selector Configuration Command
Use the ipsec cl-selector command to set a selector for a client. At the config_policy# prompt, enter the following command:
config_policy# ipsec cl-selector <NAME>
PCS goes into a specific configuration mode and responds with the appropriate prompt: ipsec-client-selector#.
Syntax
ipsec-client-selector#
action <bypass | drop | protect>
addr <ADDR>
flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
mask <NETMASK>
port <NUMBER>
protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
exit
Arguments
action <bypass | drop | protect>
Specify an action on a packet. One of three actions can be selected:
• bypass—set action to pass packets.
• drop—set action to drop packets.
• protect—set action to protect packets.
addr <ADDR> IP address of a protected network:
• ADDR—dotted-decimal address.
flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
Allow the user to set selector-specific flags:
• asymmetric—marks the selector as asymmetric.
• dynamic-gw—support communication to a dynamic gateway.
• local-broadcast—matches any local broadcast (valid with local-dst or local-src).
• local-dst—matches any local destination address.
• local-src—matches any local source address.
• unique-dport—destination port must be unique.
• unique-dst—destination address must be unique.
• unique-protocol—protocol must be unique.
• unique-sport—source port must be unique.
• unique-src—source address must be unique.
mask <NETMASK> Set the netmask for a protected network:
• NETMASK—dotted-decimal netmask.
port <NUMBER> Specify a port for a protected network:
• NUMBER—port number.
protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
Specify an IP protocol for a protected network:
• GRE—select GRE IP protocol.
• ICMP—select ICMP protocol.
• IPINIP—select IPINIP protocol.
• TCP—select TCP protocol.
• UDP—select UDP protocol.
• NUMBER—IP protocol number.
exit Exit selector-cl configuration policy mode.

IPSec GW-Selector Configuration Command
Use the ipsec gw-selector command to set a selector for a gateway. At the config_policy# prompt, enter the following command:
config_policy# ipsec gw-selector <NAME>
PCS goes into a specific configuration mode and responds with the appropriate prompt: ipsec-gateway-selector#.
Syntax
ipsec-gateway-selector#
action <bypass | drop | protect>
diff-serv <from-dst <assured | best-effort | default | expedited | pass-through | <NUMBER>>> <to-dst <assured | best-effort | default | expedited | pass-through | <NUMBER>>>
dst-addr <ADDR>
dst-mask <NETMASK>
dst-port <NUMBER>
flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
src-addr <ADDR>
src-mask <NETMASK>
src-port <NUMBER>
exit
Arguments
action <bypass | drop | protect>
Specify an action on packets:
• bypass—set action to pass packets.
• drop—set action to drop packets.
• protect—set action to protect packets.
diff-serv <from-dst <assured | best-effort | default | expedited | pass-through | <NUMBER>>> <to-dst <assured | best-effort | default | expedited | pass-through | <NUMBER>>>
Set differentiated services codepoints. The following options can be set:
• from-dst—set differentiated services codepoint from destination.
• from-dst assured—set codepoint to assured.
• from-dst best-effort—set codepoint to best-effort.
• from-dst default—set codepoint to default.
• from-dst expedited—set codepoint to expedited.
• from-dst pass-through—set codepoint to pass-through.
• from-dst <NUMBER>—set codepoint to a value between 0 and 63.
• to-dst—set differentiated services codepoint to destination.
• to-dst assured—set codepoint to assured.
• to-dst best-effort—set codepoint to best-effort.
• to-dst default—set codepoint to default.
• to-dst expedited—set codepoint to expedited.
• to-dst pass-through—set codepoint to pass-through.
• to-dst <NUMBER>—set codepoint to a value between 0 and 63.
dst-addr <ADDR> Specify an IP address of a remote protected network:
• ADDR—dotted-decimal address.
dst-mask <NETMASK> Set a netmask for a remote protected network:
• NETMASK—dotted-decimal netmask.
dst-port <NUMBER> Specify a port for a remote protected network:
• NUMBER—port number.
flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
Set specific flags:
• asymmetric—marks the selector as asymmetric.
• dynamic-gw—support communication to a dynamic gateway.
• local-broadcast—matches any local broadcast (valid with local-dst or local-src).
• local-dst—matches any local destination address.
• local-src—matches any local source address.
• unique-dport—destination port must be unique.
• unique-dst—destination address must be unique.
• unique-protocol—protocol must be unique.
• unique-sport—source port must be unique.
• unique-src—source address must be unique.
protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
Specify an IP protocol for a selector:
• GRE—select GRE IP protocol.
• ICMP—select ICMP protocol.
• IPINIP—select IPINIP protocol.
• TCP—select TCP protocol.
• UDP—select UDP protocol.
• NUMBER—IP protocol number.
src-addr <ADDR> Specify an IP address of a local protected network:
• ADDR—dotted-decimal address.
src-mask <NETMASK> Set a netmask for a local protected network:
• NETMASK—dotted-decimal netmask.
src-port <NUMBER> Specify a port for a local protected network:
• NUMBER—port number.
exit Exit selector-gw policy configuration mode.

IPSec Transform Configuration Command
Use the ipsec transform command to set an IPSec transform. At the config_policy# prompt, enter the following command:
config_policy# ipsec transform <NAME>
PCS goes into a specific configuration mode and responds with the appropriate prompt: ipsec-transform#.
Syntax
ipsec-transform#
authenticator <hmac-md5 | hmac-ripemd | hmac-sha | null>
cipher <3des | aes <128 | 192 | 256> | blowfish <40-448> | cast <40-128> | des | null>
flags <commit-bit | replay-status | responder-lifetime>
lifetime <kbyte <NUMBER> | minutes <NUMBER>>
mode <transport | tunnel>
protocol <ah | ah-esp | esp>
exit
Arguments
authenticator <hmac-md5 | hmac-ripemd | hmac-sha | null>
Select an authenticator:
• hmac-md5—set hmac-md5.
• hmac-ripemd—set hmac-ripemd.
• hmac-sha—set hmac-sha.
• null—no authentication is required.
cipher <3des | aes <128 | 192 | 256> | blowfish <40-448> | cast <40-128> | des | null>
Select a secrecy algorithm. Set this parameter only if the IPSec protocol is set to ESP.
• 3des—set 3DES encryption algorithm.
• aes <128 | 192 | 256>—set AES encryption algorithm.
• blowfish <40-448>—set Blowfish encryption algorithm.
• cast <40-128>—set CAST encryption algorithm.
• des—set DES encryption algorithm.
• null—set a null encryption algorithm.
flags <commit-bit | replay-status | responder-lifetime>
Specify IPSec flags:
• commit-bit—use commit bit when responding.
• replay-status—send replay status in QM.
• responder-lifetime—send responder lifetime in QM.
lifetime <kbyte <NUMBER> | minutes <NUMBER>>
Set an IPSec lifetime:
• kbyte <NUMBER>—set lifetime in kilobytes.
• minutes <NUMBER>—set lifetime in minutes.
mode <transport | tunnel>
Set the IPSec mode:
• transport—set transport mode.
• tunnel—set tunnel mode.
protocol <ah | ah-esp | esp>
Select an IPSec protocol:
• ah—select AH protocol.
• esp—select ESP protocol.
• ah-esp—select both AH and ESP.
exit Exit IPSec transform configuration policy mode.

VPN Configuration Commands
To simplify the configuration of many peering relationships with similar policy elements, VPN commands are used to create a template. First, create a schema, which identifies all elements of the local side of the policy, as well as IPSec transforms, IKE suite, and selector for the local net. Second, configure nodes, where the only information you need to insert is the node name and the remote subnets it protects.
The following are VPN configuration commands:
link
node
schema
These commands support negation when no precedes a VPN command.
Syntax
config_policy# vpn
link
node
schema
Arguments
link Links the designated VPN nodes with a VPN schema.
node Defines VPN nodes.
schema Defines a VPN schema.

VPN Link Command
Use the link command to link VPN nodes to a VPN schema. When the command is negated, the specified nodes are unlinked from the VPN.
Syntax
vpn link <schema_name> <vpn_node> [<vpn_node>...<vpn_node>]
no vpn link <schema_name> <vpn_node> [<vpn_node>...<vpn_node>]
VPN Node Configuration Commands
Use the vpn_node command to define a VPN node. Enter the following command from the config_policy# prompt:
config_policy# vpn_node <NAME>
PCS goes into a specific configuration mode and responds with the appropriate prompt: vpn_node#.
Syntax
vpn_node#
addr <ADDR>
ca-id
gw-addr <ADDR>
mask <NETMASK>
port <NUMBER>
id <dn <key=value[,key=value...]> | user-fqdn <user@domain_name>>
exit
Arguments
addr <ADDR> IP address of a remote protected network for gateway nodes.
ca-id CA ID (only for client).
gw-addr <ADDR> IP address of a remote gateway.
mask <NETMASK> Netmask for a remote protected network for gateway nodes.
port <NUMBER> Port for a remote protected network for gateway nodes.
id <dn <key=value[,key=value...]> | user-fqdn <user@domain_name>>
Client user FQDN or domain name for client nodes:
• dn <key=value[,key=value...]>—DN.
• user-fqdn <user@domain_name>—user FQDN.
exit Exit VPN node configuration policy mode.

VPN Schema Configuration Commands
Use the vpn schema <NAME> command to define a VPN schema. Enter the following command from the config_policy# prompt:
config_policy# vpn schema <NAME>
PCS goes into a specific configuration mode and responds with the appropriate prompt: vpn-schema#.
Syntax
vpn-schema#
action <bypass | drop | protect>
addr <ADDR>
flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
gw-addr <ADDR>
ike-suite
mask <NETMASK>
oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
port <NUMBER>
protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
transform
exit
Arguments
action <bypass | drop | protect>
Specify an action on packets:
• bypass—set action to pass packets.
• drop—set action to drop packets.
• protect—set action to protect packets.
addr <ADDR> IP address of a local protected network.
flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
Allow the user to set specific flags. The following flags can be set:
• asymmetric—set asymmetric flag.
• dynamic-gw—support communication to a dynamic gateway.
• local-broadcast—matches any local broadcast (valid with local-dst or local-src).
• local-dst—matches any local destination address.
• local-src—matches any local source address.
• unique-dport—destination port must be unique.
• unique-dst—destination address must be unique.
• unique-protocol—protocol must be unique.
• unique-sport—source port must be unique.
• unique-src—source address must be unique.
gw-addr <ADDR> IP address of a local gateway.
ike-suite IKE suites for a VPN.
mask <NETMASK> Netmask for the local protected network.
oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
Select a PFS group:
• modp-768—set modp-768 group.
• modp-1024—set modp-1024 group.
• modp-1536—set modp-1536 group.
• modp-2048—set modp-2048 group.
• none—unset Oakley group.
port <NUMBER> Port for the local protected network.
protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
Specify an IP protocol for a VPN:
• GRE—select GRE IP protocol.
• ICMP—select ICMP protocol.
• IPINIP—select IPINIP protocol.
• TCP—select TCP protocol.
• UDP—select UDP protocol.
• NUMBER—IP protocol number.
transform IPSec transformations for a VPN.
exit Exit VPN schema configuration policy mode.

IPSec Configuration with PCS
The following sections provide an introduction to configuring Internet Protocol Security (IPSec) and Internet Key Exchange (IKE) policy by using the CLI, and present an example of the commands required to configure a typical scenario.
PCS separates policy configuration into units, and these units must be designed and combined in a specific order to complete IPSec configuration. The units of configuration follow:
IKE protection suites—a policy statement that denotes acceptable policies for an IKE SA. These policies are negotiated with the peer.
A group of IKE protection suites—a compound of singular IKE protection suites. Each suite defines the policy for an SA, while a group defines all possible policies to negotiate. For example: group = (suite1, or suite2, or suite3).
IKE policy to a gateway—IKE is a point-to-point protocol and a remote peer must be defined. This construct combines an IKE protection suite or group of protection suites with the IP address of the remote peer.
IPSec selectors—a policy statement that defines a particular flow of traffic and the action to perform on packets that belong to that flow. For example, TCP packets from A.B.C.D to W.X.Y.Z should be dropped.
IPSec transforms—a definition of how to protect packets in a particular flow.
A group of IPSec transforms—a compound of IPSec transforms that denotes all the possible transforms that can be negotiated to protect a particular flow.
IPSec policy to a gateway—a construct that combines the following:
Selector (whose action is protect)—what to protect.
Transform or group of transforms—how to protect it.
Remote IP address of a peer—to whom the protected packets are sent.
Local IP address of the device—from whom the protected packets are sent.
Before you enter PCS mode, break up the desired configuration into parts that correspond to the units in the preceding list. The two systems to configure are IKE and IPSec, and each system is configured independently. A policy to an IKE peer does not depend on the policy configured for IPSec, and vice versa. IPSec policy defines how to protect (or drop, or pass) IP packets; IKE policy defines how the two peers communicate the IKE protocol, the authentication method to use, the Diffie-Hellman group to use for key generation, and so on.
You enter PCS mode by using the config policy command from the command mode prompt. This command enters a mode, and the prompt changes to config_policy#. The PCS mode maintains a template of configuration units. You can transfer the template into the system by applying changes, and save the template to flash memory by using the save command. Only policies that can be applied or saved are applied or saved. You can create certain units that by themselves do not constitute a complete policy representation. For more information, see “Requirements and Limitations” on page 249.
The template is not shared. Each entry into the PCS system creates a new template. If two users simultaneously attempt to configure IPSec by using PCS, they cannot access each other’s configuration until one of them uses an apply command. Simultaneous configuration should not be attempted, as each side would overrule the other.
IKE Policy
Before you define the IKE gateway, you must define an IKE protection suite. The protection suite defines how to perform IKE, while the gateway defines to whom and which protection suites to use.
You define IKE protection suites by using the ike suite command:
config_policy# ike suite <suite-name>
Set the following options:
ike-suite# authentication <pre-shared | rsa-encrypt | rsa-signature | challenge-response>
Arguments
pre-shared Specify preshared key authentication with the specific preshared key following the command.
rsa-encrypt Specify encrypted nonce authentication.
rsa-signature Specify authentication with digital signatures.
challenge-response Specify challenge response authentication.
Note
This is for clients only.
ike-suite# cipher <3des | aes | blowfish | cast | des>
Arguments
3des Use the 3DES cipher.
aes Use the AES cipher.
blowfish Use the Blowfish cipher.
cast Use the CAST cipher.
des Use the DES cipher.
ike-suite# flags <initial-contact | nomadic | vendor-id>
Arguments
initial-contact Specify that the initial-contact notice should be sent to peers the first time communication is attempted.
nomadic Specify that the policy is for a client coming from an unspecified IP address.
vendor-id Specify that a vendor ID payload identifying a Nokia IP VPN Gateway should be sent upon completion of IKE.
ike-suite# hash <md5 | sha>
Arguments
md5 Use the MD5 hash algorithm.
sha Use the SHA hash algorithm.
ike-suite# lifetime <number of hours>
Arguments
<number of hours> Define the maximum life of the SA.
ike-suite# oakley-group <modp-768 | modp-1024 | modp-1536>
Arguments
modp-768 IKE group 1.
modp-1024 IKE group 2.
modp-1536 IKE group 5.
Note
All the groups are defined in RFC2409.
You can form groups of IKE policies by combining multiple IKE protection suites into a group using the ike group command:
config_policy# ike group <name> <suite1> <suite2> [<suite3> ...]
Once you define the how of IKE policy, you can define the to whom. Use the ike gateway command:
config_policy# ike gateway <name> <suite | group-of-suites>
Note
Only one policy parameter is allowed, either a singular protection suite or the single name of a group of protection suites.

IPSec Policy
IPSec policy defines the packets that should be:
IPSec-protected
Dropped
Allowed to pass in the clear
For example, you can write a policy with rules that allow HTTP traffic to 10.0.1/24 in the clear, protect all other TCP traffic between 10.0.1/24 and 10.1.1/24, and drop all UDP traffic between 10.0.1/24 and 10.1.1/24. These rules form selectors. A selector is an abstraction that identifies a particular flow of traffic (for example, TCP between 10.0.1/24 and 10.1.1/24) and how to handle that particular flow (for
example, protect it by using IPSec). Selectors identify traffic by specifying source and destination addressing and, optionally, an upper-layer protocol and port.
Selectors are specified as either gateway selectors or client selectors. The difference is that with gateway selectors, the local and remote addressing is known, while with client selectors, the remote portion of the addressing is unknown (the client usually obtains random DHCP addresses, which make it impossible to assign policy to them).
Defining Gateway Selectors
You can define gateway selectors by using the ipsec gw-selector command:
config_policy# ipsec gw-selector <name>
Arguments
name Name that identifies the selector.
Specifying Selector Components
You can specify the components of a selector by using the following commands:
ipsec-gateway-selector# action <bypass | drop | protect>
Arguments
bypass Allow specified traffic to pass in the clear.
drop Drop specified traffic.
protect Protect specified traffic with IPSec.
ipsec-gateway-selector# protocol <protocol name or number>
Arguments
<protocol name or number> Select a protocol or define it by using its IANA-assigned number.
ipsec-gateway-selector# dst-addr <dotted decimal address>
ipsec-gateway-selector# dst-mask <dotted decimal netmask>
ipsec-gateway-selector# dst-port <port number>
Define the destination of the packets by using an address and netmask (for a particular host the netmask is 255.255.255.255) and port (if it exists in the protocol).
ipsec-gateway-selector# src-addr <dotted decimal address>
ipsec-gateway-selector# src-mask <dotted decimal netmask>
ipsec-gateway-selector# src-port <port number>
Define the source of the packets by using an address and netmask (for a particular host the netmask is 255.255.255.255) and port (if it exists in the protocol).
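The selector autosort described for the ipsec gateway selector argument (most specific first, default filter last, port numbers examined before addresses and netmasks), applied to the HTTP/TCP/UDP policy of this section, as an added Python model that is not Nokia code or CLI output. The field names, the packet dictionary layout, the default filter's drop action and the exact tie-break order are assumptions.

```python
"""Model of how a gateway orders and matches IPSec gateway selectors.

Added example in Python, not Nokia code: it models the documented
autosort (fewest wildcard values first, default filter last, port
numbers examined before addresses and netmasks) and evaluates the
policy described in this section. Field names are assumptions.
"""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

# IANA protocol numbers for the keywords the "protocol" command accepts.
PROTOCOL_NUMBERS = {"ICMP": 1, "IPINIP": 4, "TCP": 6, "UDP": 17, "GRE": 47}

ANY_ADDR = ("0.0.0.0", "0.0.0.0")  # address/netmask pair matching any host


def _network(addr: str, mask: str) -> ipaddress.IPv4Network:
    """Build a network from a dotted-decimal address and netmask pair."""
    return ipaddress.IPv4Network(f"{addr}/{mask}", strict=False)


@dataclass(frozen=True)
class GwSelector:
    """One ipsec gw-selector: an action plus the flow it identifies."""
    name: str
    action: str                      # bypass | drop | protect
    src: Tuple[str, str] = ANY_ADDR  # (src-addr, src-mask)
    dst: Tuple[str, str] = ANY_ADDR  # (dst-addr, dst-mask)
    protocol: Optional[str] = None   # keyword or IP protocol number; None = any
    src_port: Optional[int] = None   # None = any port
    dst_port: Optional[int] = None

    def protocol_number(self) -> Optional[int]:
        if self.protocol is None:
            return None
        key = str(self.protocol).upper()
        return PROTOCOL_NUMBERS.get(key) or int(key)

    def wildcards(self) -> int:
        """Count wildcard fields; the default filter wildcards all five."""
        return sum([self.src[1] == "0.0.0.0", self.dst[1] == "0.0.0.0",
                    self.protocol is None, self.src_port is None,
                    self.dst_port is None])

    def has_port(self) -> bool:
        return self.src_port is not None or self.dst_port is not None

    def prefix_bits(self) -> int:
        return sum(_network(a, m).prefixlen for a, m in (self.src, self.dst))


def order_selectors(selectors):
    """Autosort: fewest wildcards first, so the default filter ends up last.
    Tie-break (assumed reading of "port numbers, then IP addresses and
    subnet masks"): port-bearing selectors first, then longer netmasks."""
    return sorted(selectors, key=lambda s: (s.wildcards(), not s.has_port(),
                                            -s.prefix_bits()))


def matches(sel: GwSelector, pkt: dict) -> bool:
    """pkt keys: src, dst (dotted-decimal), proto (number), sport, dport."""
    if sel.protocol is not None and sel.protocol_number() != pkt["proto"]:
        return False
    if ipaddress.IPv4Address(pkt["src"]) not in _network(*sel.src):
        return False
    if ipaddress.IPv4Address(pkt["dst"]) not in _network(*sel.dst):
        return False
    if sel.src_port is not None and sel.src_port != pkt.get("sport"):
        return False
    if sel.dst_port is not None and sel.dst_port != pkt.get("dport"):
        return False
    return True


def lookup(selectors, pkt: dict):
    """Return (name, action) of the first matching selector in sorted order."""
    for sel in order_selectors(selectors):
        if matches(sel, pkt):
            return sel.name, sel.action
    return None, None  # only reachable without an all-wildcard default


# Constructed policy from this section: HTTP to 10.0.1/24 in the clear, other
# TCP between 10.0.1/24 and 10.1.1/24 protected, UDP between them dropped.
# The default filter's action (drop) is an assumption, not from the page.
LOCAL = ("10.0.1.0", "255.255.255.0")
REMOTE = ("10.1.1.0", "255.255.255.0")
EXAMPLE_POLICY = [
    GwSelector("default-drop", "drop"),
    GwSelector("tcp-protect-out", "protect", LOCAL, REMOTE, "TCP"),
    GwSelector("tcp-protect-in", "protect", REMOTE, LOCAL, "TCP"),
    GwSelector("udp-drop-out", "drop", LOCAL, REMOTE, "UDP"),
    GwSelector("udp-drop-in", "drop", REMOTE, LOCAL, "UDP"),
    GwSelector("http-clear", "bypass", ANY_ADDR, LOCAL, "TCP", dst_port=80),
]

if __name__ == "__main__":
    # Inbound HTTP matches http-clear and tcp-protect-in (two wildcards each);
    # the port-bearing selector sorts first and wins: ('http-clear', 'bypass')
    print(lookup(EXAMPLE_POLICY, {"src": "10.1.1.5", "dst": "10.0.1.7",
                                  "proto": 6, "sport": 40000, "dport": 80}))
```

Because both the bypass rule and the inbound TCP protect rule carry two wildcards, the result for inbound HTTP depends entirely on the port-before-address tie-break; reordering the list by hand does not change the outcome, since the node re-sorts it.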
Creating Client Selectors
Create client selectors:

config_policy# ipsec cl-selector <name>

Arguments

name Name that identifies the selector.

Specifying the Components of a Selector

You can specify the components of a selector by using the following steps. Because the client originates from an unknown IP address, you can configure the local side of the selector. The other side of a selector is a wildcard.

ipsec-client-selector# action <bypass | drop | protect>

Arguments

bypass Allow specified traffic to pass in the clear.
drop Drop specified traffic.
protect Protect specified traffic with IPSec.

ipsec-client-selector# protocol <protocol name or number>

Arguments

<protocol name or number> Select protocol or define it by using its IANA-assigned number.

ipsec-client-selector# addr <dotted decimal address>
ipsec-client-selector# mask <dotted decimal netmask>
ipsec-client-selector# port <port number>

Define the locally protected network by using an address and netmask (for a particular local host the netmask is 255.255.255.255) and port (if it exists in the protocol).

When a selector is either bypass or drop, the action ends. But when the action is protect, some manner of protection is needed and a definition of the remote gateway (when using gateway selectors) is needed. The selector defines what to protect, a transform defines how to protect it, and a gateway defines with whom the traffic should be protected. When using a client selector, the "to whom" is a little different than when using a gateway selector.

Defining IPSec Transforms

IPSec transforms are defined by using the ipsec transform command:

config_policy# ipsec transform <name>
IPSec Configuration with PCS
Arguments

name Name that identifies the transform.

Specifying Components of the Transform

Use the following commands to specify the components of the transform:

ipsec-transform# authentication <hmac-sha | hmac-md5>

Arguments

hmac-sha Select the HMAC-SHA authentication algorithm.
hmac-md5 Select the HMAC-MD5 authentication algorithm.

ipsec-transform# cipher <3des | aes | blowfish | cast | des>

Arguments

3des Select the 3DES encryption algorithm.
aes Select the AES encryption algorithm.
blowfish Select the Blowfish encryption algorithm.
cast Select the CAST encryption algorithm.
des Select the DES encryption algorithm.

ipsec-transform# flags <commit-bit | replay-status | responder-lifetime>

Arguments

commit-bit Ensure SAs are in place before being used.
replay-status Sends a notification to the remote peer that replay detection is used.
responder-lifetime A notification of the locally configured lifetime is sent to the peer if the peer’s SA offer contains a lifetime greater than the configured lifetime.

ipsec-transform# lifetime <kbyte | minutes>

Arguments

kbyte Denote an SA lifetime in kilobytes of protected traffic.
minutes Denote an SA lifetime in time.

ipsec-transform# mode <transport | tunnel>

Arguments

transport Indicate transport mode IPSec.
tunnel Indicate tunnel mode IPSec.

ipsec-transform# protocol <esp | ah | ah-esp>

Arguments

esp Denote that the ESP protocol is used to protect traffic.
ah Denote that the AH protocol is used to protect traffic (note that a cipher cannot be defined for this type of protocol).
ah-esp Denote that both protocols are used to protect traffic.

As what to protect is defined with selectors and how to protect it is defined with transforms, the "to whom" can be defined, which incorporates both selectors and transforms. IPSec policy to a known gateway protecting a known network, where the selector is a gateway selector, is specified by using the ipsec gateway command:

config_policy# ipsec gateway <name>

Arguments

name Name of the policy mapping.

Use the following commands to specify the components of the policy mapping:

ipsec-gateway# dst-addr <dotted decimal address>

Arguments

dotted decimal address IP address of the remote peer.

ipsec-gateway# src-addr <dotted decimal address>
Arguments

dotted decimal address Local IP address.

ipsec-gateway# oakley-group <modp-768 | modp-1024 | modp-1536 | none>

Note: Specifying a group enables Perfect Forward Secrecy for the negotiated SAs.

Arguments

modp-768 Denote IKE group 1.
modp-1024 Denote IKE group 2.
modp-1536 Denote IKE group 5.

ipsec-gateway# selector <name>

Arguments

name Name assigned to the selector when it was created.

ipsec-gateway# transform <name>

Arguments

name Name assigned to the transform when it was created.

IPSec policy for unknown clients, where the selector is a client selector, is specified by using the ipsec client command:

config_policy# ipsec client <name>

Arguments

name Name of the policy mapping.

Use the following commands to specify policy mapping:

ipsec-client# user-fqdn <user@domain_name>

Arguments

user@domain_name Describe the client’s identity. This information is extracted from the client’s certificate during the IKE exchange.

ipsec-client# oakley-group <modp-768 | modp-1024 | modp-1536>

Note: Specifying a group enables Perfect Forward Secrecy for the negotiated SAs.

Arguments

modp-768 Denote IKE group 1.
modp-1024 Denote IKE group 2.
modp-1536 Denote IKE group 5.

ipsec-client# selector <name>

Arguments

name Name assigned to the selector when it was created.

ipsec-client# transform <name>

Arguments

name Name assigned to the transform when it was created.

When IKE and IPSec policies are completely configured, you can apply these changes to the running configuration and save them to the flash file system. If you apply changes but do not save them, the policies are not saved if you reboot. You can apply a policy using the apply command:

config_policy# apply

Policy is saved on flash memory using the save command:

config_policy# save
Other PCS Commands

Define policies off line by using any standard editor and saving to an ASCII file. You can copy this file to the system flash memory and load it into the system by using the load command:

config_policy# load <filename>

Arguments

file Name of the file on flash memory.

Use the clear command to clear everything from the virtual template that is not applied. To remove selected configuration units from the template, apply the no option to the unit specification. For example, the following command creates an IKE gateway to 198.81.129.99 by using the protection suite named suite_1:

config_policy# ike gateway 198.81.129.99 suite_1

The following command removes the gateway:

config_policy# no ike gateway 198.81.129.99 suite_1

If you use the apply command before you attempt to remove the IKE gateway specification, the specification is not removed, because it has left the template and become part of the system.

Requirements and Limitations

• PCS template names (such as IKE and IPSec policy names and selector names) must be fewer than 32 characters (a maximum of 31 characters).
• An orphan protect selector (one that is not bound to an IPSec gateway) is not saved or applied.
• The name of a protect selector that is bound to an IPSec gateway inherits the name of that gateway when you use an apply command.
• You cannot save changes performed in the PCS unless you first use an apply command.
• Changes to the configuration by using PCS do not become part of the system unless you use an apply command. Even then those changes are lost after a reboot if you do not use a save command.

Summary

IPSec and IKE configuration must be performed in a logical sequence. By following the steps described, in the order described, you can avoid problems. IKE policy is defined in two steps. First define the policy that governs an IKE SA with any peer. Then, define a map of the policy to a particular peer.

IPSec policy is defined in three steps. First define what to protect with a selector. If the selector is protect, define how to protect it with a transform. Finally (and also if the selector is protect), define a map for the appropriate selector: gateway or client. This map combines the selector and transform, and information about the local peer and remote peer. This information includes the address (if a gateway) or the fully qualified domain name identity (if a client).
Example

In this example, the device has an internal protected network of 172.21.14/24, the internal interface is 172.21.14.1, and the external interface is 10.1.1.1. One remote peer is 10.2.87.1 and its internal protected network is 172.16.8/24. A remote peer at 10.47.1.1 with protected network 172.16.10/24, and a remote client policy [email protected], are also present. It is assumed that the user is familiar with specifics of the policy (the algorithm, Diffie-Hellman group, and so on).

First, define the IKE protection suites and then IKE gateways to the peers by using these protection suites. Then, define IPSec selectors and IPSec transforms, and combine them all into gateway and client maps.

# the first IKE protection suite
ike suite first
auth RSA-SIG
cipher cast 128
oakley-group modp-1536
hash sha
lifetime 180
exit
# the second IKE protection suite
ike suite second
auth pre-shared mnbvcxz mnbvcxz
cipher 3des
oakley-group modp-1024
hash sha
lifetime 180
exit
#the third IKE protection suite
ike suite third
cipher blowfish 448
oakley-group modp-1024
hash md5
lifetime 360
auth pre-shared 1234567 1234567
exit
# an IKE group that is “first OR second OR third”
ike group bunch second third
# IKE gateways for two VPNs and one for the client
ike gateway 10.2.87.1 bunch
ike gateway 10.47.1.1 second
# 0.0.0.0 denotes “all” since the client IP address is unknown
# This becomes the “default” client
# policy
ike gateway 0.0.0.0 first
# IPSec transform of AH by using hmac-md5 and ESP by using Blowfish
ipsec transform blow_md5
authenticator hmac-md5
cipher blowfish 128
mode tunnel
protocol ah-esp
lifetime kbyte 50
lifetime min 600
exit
# IPSec transform of ESP by using HMAC-SHA and CAST
ipsec transform cast_sha
authenticator hmac-sha
cipher cast 64
protocol esp
lifetime kbyte 10
exit
# IPSec transform of ESP by using hmac_md5 and 3DES
ipsec transform 3des_md5_esp
authenticator hmac-md5
cipher 3des
mode tunnel
protocol esp
exit
# selector for the first VPN from Santa Cruz to Seattle
# protect TCP from 172.21.14/24 to 172.16.8/24
ipsec gw-selector scz-to-seattle
src-addr 172.21.14.0
src-mask 255.255.255.0
dst-addr 172.16.8.0
dst-mask 255.255.255.0
action protect
protocol TCP
exit
# selector for the second VPN from Santa Cruz to Minneapolis
# protect all traffic from 172.21.14/24 to 172.16.10/24
ipsec gw-selector scz-to-minneapolis
src-addr 172.21.14.0
src-mask 255.255.255.0
dst-addr 172.16.10.0
dst-mask 255.255.255.0
action protect
exit
# client selector for someone from an unknown IP address
# protect TCP from anywhere to 172.21.14/24
ipsec cl-selector to-bob
addr 172.21.14.0
mask 255.255.255.0
action protect
protocol TCP
exit
# client policy map for Bob ([email protected]). Combine
# his client selector and a transform described above.
ipsec client bob
selector to-bob
transform blow_md5
oakley-group modp-1536
user-fqdn [email protected]
exit
# gateway policy map for the VPN to Seattle. Combine the
# seattle selector with a transform and specify the VPN endpoints.
ipsec gateway seattle
selector scz-to-seattle
transform cast_sha
dst-addr 10.2.87.1
src-addr 10.1.1.1
oakley-group modp-1536
exit
# gateway policy map for the VPN to Minneapolis. Similar
# to the preceding Seattle policy map.
ipsec gateway minneapolis
selector scz-to-minneapolis
transform cast_sha 3des_md5_esp
src-addr 10.1.1.1
dst-addr 10.47.1.1
oakley-group modp-1024
exit
# propagate these policies to the system
apply
# if you like how it works, save it to flash memory
save
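The constraints listed under Requirements and Limitations are easy to violate in a policy file written off line for the load command, and an orphan protect selector is simply not saved or applied rather than reported. The following Python program, an added example that is not Nokia code, parses a constructed policy fragment (trimmed from the example above, with a faulty AH-only transform added) in the block/exit form used by PCS and reports the problems this chapter describes: names of 32 characters or more, a protect selector that no gateway or client map binds, a cipher on an AH-only transform, and a map that names a transform that does not exist. The parser, the object model and the SAMPLE text are assumptions of the example, not part of the gateway.

```python
"""Parser and consistency checker for PCS-style IPSec policy text.

Added example in Python; it is not Nokia code and models only the objects
this chapter describes (transforms, gateway and client selectors, gateway
and client policy maps). The checks are the ones the manual states under
Requirements and Limitations plus the AH rule from the transform arguments.
"""
import re

MAX_NAME = 31   # template names must be fewer than 32 characters

# Constructed input, trimmed from the example configuration above and
# extended with one deliberately faulty transform (AH-only, but with a cipher).
SAMPLE = """\
# IPSec transform of ESP by using HMAC-SHA and CAST
ipsec transform cast_sha
 authenticator hmac-sha
 cipher cast 64
 protocol esp
 lifetime kbyte 10
 exit
# faulty: AH-only, but a cipher is given
ipsec transform ah_only
 authenticator hmac-md5
 cipher des
 protocol ah
 exit
ipsec gw-selector scz-to-seattle
 src-addr 172.21.14.0
 src-mask 255.255.255.0
 dst-addr 172.16.8.0
 dst-mask 255.255.255.0
 action protect
 protocol TCP
 exit
# protect selector that no gateway map binds: an orphan
ipsec gw-selector scz-to-minneapolis
 src-addr 172.21.14.0
 src-mask 255.255.255.0
 dst-addr 172.16.10.0
 dst-mask 255.255.255.0
 action protect
 exit
ipsec gateway seattle
 selector scz-to-seattle
 transform cast_sha
 dst-addr 10.2.87.1
 src-addr 10.1.1.1
 oakley-group modp-1536
 exit
"""

KINDS = ("transform", "gw-selector", "cl-selector", "gateway", "client")
BLOCK_START = re.compile(r"^ipsec (%s) (\S+)$" % "|".join(KINDS))


def parse(text):
    """Return {kind: {name: {attribute: [argument lists]}}} from block/exit text."""
    objs = {kind: {} for kind in KINDS}
    current = None
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()      # drop comments and blank lines
        if not line:
            continue
        match = BLOCK_START.match(line)
        if match:
            kind, name = match.groups()
            current = objs[kind].setdefault(name, {})
            continue
        if line == "exit":
            current = None
            continue
        if current is None:
            continue                                # ike, apply, save ... are not modelled
        key, *args = line.split()
        # repeated keys accumulate, e.g. two lifetime lines on one transform
        current.setdefault(key, []).append(args)
    return objs


def validate(objs):
    """Return a list of problem strings; an empty list means the checks pass."""
    problems = []
    for kind in KINDS:
        for name in objs[kind]:
            if len(name) > MAX_NAME:
                problems.append(f"{kind} {name}: name longer than {MAX_NAME} characters")
    for name, tf in objs["transform"].items():
        proto = tf["protocol"][0][0] if "protocol" in tf else None
        if proto == "ah" and "cipher" in tf:
            problems.append(f"transform {name}: cipher defined for the AH-only protocol")
    bound = set()                                   # selectors referenced by some map
    for kind in ("gateway", "client"):
        for mname, pmap in objs[kind].items():
            if "selector" not in pmap:
                problems.append(f"{kind} {mname}: no selector bound")
            for args in pmap.get("selector", []):
                bound.update(args)
            for args in pmap.get("transform", []):   # a map may list several transforms
                for tname in args:
                    if tname not in objs["transform"]:
                        problems.append(f"{kind} {mname}: unknown transform {tname}")
    for kind in ("gw-selector", "cl-selector"):
        for name, sel in objs[kind].items():
            action = sel["action"][0][0] if "action" in sel else None
            if action == "protect" and name not in bound:
                problems.append(f"{kind} {name}: orphan protect selector, not saved or applied")
    return problems


if __name__ == "__main__":
    for problem in validate(parse(SAMPLE)):
        print(problem)
```

Run as a script it lists the two problems in SAMPLE. Because every attribute keeps a list of argument lists, a map that names several transforms on one line, as the minneapolis map above does, is checked transform by transform.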
6 Configuring Firewall and Network Address Translation
This chapter describes the firewall and Network Address Translation (NAT) subsystem in the Nokia IP VPN Gateway, and provides a summary of the command-line interface (CLI) commands that you can use to configure and control the behavior of the firewall. The firewall configuration mode allows you to control some of the timeouts associated with the firewall as well as define the firewall rules.
Note: To view the current state of the firewall and NAT subsystems, and to clear and reset the firewall and NAT state tables, from the command mode (>), use the following commands: show firewall and nat.
When you configure the firewall by using the Nokia VPN Manager software, you can define the Advanced Mode firewall rules by using the same syntax for rules as in the CLI. For more information about defining Advanced Mode firewall rules from VPN Manager, see the Nokia IP VPN Gateway Configuration Guide v6.3.
Overview

The firewall and NAT subsystem in the Nokia IP VPN Gateway:

• Provides a stateful firewall with a limited set of application layer gateways and full NAT capabilities.
• Is fully cluster-aware, providing a very high-availability solution by sharing firewall and NAT state information across all nodes in a cluster.

From VPN Manager, you can define firewall and NAT rules by using Basic, Intermediate, and Advanced modes. The Advanced mode of VPN Manager gives you the same power and flexibility for firewall and NAT behavior as is available in the CLI. The Basic and Intermediate modes provide less flexibility, but are designed to handle the majority of firewall configuration environments.

You can use the CLI to:

• Monitor and control the state of the firewall and NAT subsystem.
• Display the firewall state table and rules, along with statistics and other performance information.
• Clear the firewall and NAT state tables from the command line for debugging purposes.

In an environment that uses the CLI entirely for configuration and does not use VPN Manager, you can also use the CLI to define firewall rules and manage the firewall rule sets.

Figure 1 presents a simplified version of the flow of a new session packet through the VPN gateway, and shows the relationship between the firewall and NAT function and the VPN function.
Figure 1 Packet Flow for VPN Designers
The firewall and NAT capabilities of VPN gateway are fully integrated into an ordered, rule-based configuration. When the firewall and NAT subsystem is enabled, each IP datagram is inspected by the firewall and NAT subsystem. A set of ordered rules, evaluated from first to last, match against the IP datagrams. When a rule matches a datagram, the action of the rule is taken. Available actions are:
• pass—allow the datagram through
• drop—do not allow the datagram to pass
• translate—allow the datagram through, also applying NAT

The VPN firewall is a first match firewall, that is, the first rule that matches a datagram determines the action that the firewall and NAT subsystem take on that datagram.

Because the firewall and NAT subsystem is fully stateful, the firewall and NAT state tables are consulted before the rule base and will pass or translate datagrams that match existing flows through the firewall. The firewall and NAT subsystem is stateful for TCP connections, as well as for UDP and ICMP traffic. Non-IP traffic (such as Novell IPX or DECnet) is not recognized or passed by the firewall.
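To make the evaluation order concrete, here is a small Python model of the behaviour just described, added as an example and not taken from the gateway: the state table is consulted before the rule base, rules are tried first to last and the first match decides, an admitted flow is remembered so that its reply direction passes on state alone, and a datagram no rule matches falls through to the implicit final drop. The tuple rule form, the Packet class and the sample rules and addresses are constructed for the example and are not the rule-list syntax of this chapter.

```python
"""First-match, stateful rule evaluation as the overview describes it.

Added example in Python; it is not the gateway's code. Rules are written
in a constructed tuple form, not the rule-list grammar of this chapter:
(action, protocol, source network, destination network, destination port),
where None means "any".
"""
import ipaddress
from dataclasses import dataclass

PASS, DROP, TRANSLATE = "pass", "drop", "translate"


@dataclass(frozen=True)
class Packet:
    proto: str      # "tcp", "udp" or "icmp"
    src: str
    sport: int
    dst: str
    dport: int


# Constructed rule base: order matters, the first match wins.
RULES = [
    (DROP, "tcp", "10.0.0.0/8", None, 23),              # 1: no telnet from the 10/8 side
    (PASS, "tcp", None, "172.21.14.0/24", None),        # 2: other TCP into the protected net
    (TRANSLATE, "tcp", "172.21.14.0/24", None, 80),     # 3: outbound web traffic is NATed
]


def rule_matches(rule, pkt):
    """True when every non-None field of the rule matches the datagram."""
    _action, proto, src, dst, dport = rule
    if proto is not None and proto != pkt.proto:
        return False
    if src is not None and ipaddress.ip_address(pkt.src) not in ipaddress.ip_network(src):
        return False
    if dst is not None and ipaddress.ip_address(pkt.dst) not in ipaddress.ip_network(dst):
        return False
    if dport is not None and dport != pkt.dport:
        return False
    return True


class Firewall:
    def __init__(self, rules):
        self.rules = list(rules)
        self.state = {}                      # forward flow key -> action taken on admission
        self.counters = {"state": 0, "rule": 0, "implicit-drop": 0}

    def process(self, pkt):
        """Return (action, reason) for one datagram."""
        key = (pkt.proto, pkt.src, pkt.sport, pkt.dst, pkt.dport)
        reverse = (pkt.proto, pkt.dst, pkt.dport, pkt.src, pkt.sport)
        for flow in (key, reverse):          # state table first, in both directions
            if flow in self.state:
                self.counters["state"] += 1
                return self.state[flow], "state"
        for index, rule in enumerate(self.rules, start=1):
            if rule_matches(rule, pkt):      # first match decides
                self.counters["rule"] += 1
                action = rule[0]
                if action in (PASS, TRANSLATE):
                    self.state[key] = action  # remember the admitted flow
                return action, f"rule {index}"
        self.counters["implicit-drop"] += 1  # the final rule that cannot be deleted
        return DROP, "implicit final drop"


def demo():
    """Run a constructed datagram sequence and return the decisions."""
    fw = Firewall(RULES)
    packets = [
        Packet("tcp", "10.2.87.5", 40000, "172.21.14.10", 23),    # rule 1 drops before rule 2 could pass
        Packet("tcp", "10.2.87.5", 40001, "172.21.14.10", 22),    # rule 2 admits, flow recorded
        Packet("tcp", "172.21.14.10", 22, "10.2.87.5", 40001),    # reply: state table, rules not consulted
        Packet("tcp", "172.21.14.20", 5000, "198.51.100.7", 80),  # rule 3: translate
        Packet("udp", "10.2.87.5", 5000, "172.21.14.10", 53),     # no match: implicit drop
    ]
    return [fw.process(p) for p in packets]


if __name__ == "__main__":
    for decision in demo():
        print(decision)
```

The third packet is the instructive one: on the rule base alone it would hit the implicit drop, because no rule admits traffic from the protected network back out to port 40001; it passes only because the state table is checked first.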
Managing the Firewall Using the CLI

You can use the CLI to manage and monitor the firewall and NAT subsystem, and to provide configuration information for the firewall and NAT subsystem.

Note: You must use either the CLI or VPN Manager for configuration, but not both. When you apply changes by using VPN Manager, configuration changes you made by using the CLI are overwritten in the configuration files. If you change the configuration of the firewall and NAT subsystem by using the CLI, the next time you apply changes from VPN Manager, changes made by using the CLI are lost, and the configuration of the firewall and NAT subsystem is determined by VPN Manager.

However, you can use the CLI for certain basic firewall debugging and management even when VPN Manager handles the configuration. You might not use the CLI for daily operations, but the CLI commands are useful for debugging and monitoring the operation of the firewall and the NAT subsystem.

Table 12 lists the CLI commands that you can use to manage the firewall and NAT subsystem.
Table 12 Firewall and NAT Subsystem Commands

Command Description
clear nat <link-id> For more information about this command, see nat clear-state <link-id>.
firewall clear-state Clears all firewall and NAT state table entries.
firewall disable Disables the firewall and NAT subsystem.
firewall enable Enables the firewall and NAT subsystem.
firewall rate-limit Enables or displays firewall rate-limiting features.
nat clear-state <link-id> Clears a single NAT state table entry.
show firewall Shows the state of the firewall, statistics about the firewall, and the firewall rule set and configuration.
show nat Shows the NAT state table, statistics about NAT processing, and other NAT-related information.
configure firewall Enter firewall configuration mode.

Default Firewall Behavior

When a VPN gateway is first booted, and before it is configured, the firewall and NAT subsystem is enabled. A set of automatic rules are applied when the firewall is enabled and before you load your own rule set into the firewall. Automatic rules are deleted as soon as you load a rule set into the firewall, either by using the CLI or VPN Manager. Although it is not always shown in all displays, whenever the firewall is enabled, there is an implicit drop all rule that always is the final rule in the firewall. There is no way to delete this final rule (although you can add a pass all rule before the final rule that effectively negates this behavior).

Once a VPN gateway is installed by using VPN Manager, the firewall is either immediately disabled, or if it is enabled, the configuration of the firewall is determined by the rule set selected in VPN Manager. The choice of whether the firewall is enabled or disabled is made by the network manager installing the gateway.

The default firewall rule set can be examined by using the following CLI command:

> show firewall

For more information about the show firewall command, see the show firewall command in show on page 105.

This rule set can and will change slightly from version to version of the Nokia AOS Kernel. The automatic rule set will also change depending on the features that are enabled in the gateway, such as clustering or DHCP client. However, the default firewall (and NAT) rule set is only designed to allow communications to and from the VPN gateway (or cluster, if a cluster is being installed). The default rule set never allows traffic through the gateway, only to or from the gateway. The automatic rule set cannot be changed by the network manager. It can only be deleted by adding new rules to the firewall. The goal of the automatic rule set is to protect the gateway and the networks behind it during installation, and before the firewall is fully configured.

The default firewall rule set includes rules that allow traffic to the VPN gateway for:

• Monitoring and management purposes.
• Establishing and maintaining IPSec and L2TP tunnels (including tunnels over NAT using NAT traversal ports).
• Responding to ICMP PING (echo request) packets.
• Allowing Nokia-proprietary cluster communications.
When you manage the firewall by using the CLI, you also have the option of specifying a particular IP address for a VPN Manager management station automatically when enabling the firewall. The syntax for this command is:

firewall enable policy-manager <dotted.ip.address>

For example:

firewall enable policy-manager 10.245.12.222

When you use this variation of the firewall enable command, the firewall and NAT subsystem add two fixed rules to the firewall configuration specifically to allow communication with VPN Manager using the standard Nokia management ports (TCP port 9876). Unlike other automatic rules created by the firewall when it is first enabled, these rules (allowing communication to and from the VPN gateway and a particular VPN Manager IP address) are not disabled when other firewall rules are added.
Configuring the Firewall

Firewall management using the CLI operates at three different levels, each with its own mode, as shown in Table 13.

• Command mode (>)—enable and disable the firewall, view statistics, and clear state tables.
• Firewall configuration mode—define the rule sets used in the firewall as well as manage certain timeouts. You can also import and export rules, apply rules to the current firewall, and save the configuration to the FLASH memory so that it is accessible the next time the gateway boots.
• Rule definition mode—define the actual rules used in the firewall.

Table 13 Configuration Modes

CLI Mode and Prompt Capabilities
Command mode (>) Enable, disable firewall; clear firewall state; display firewall statistics, state tables, and rules.
Configuration mode: config_firewall# (enter using the command: configure firewall; exit to CLI mode using the command: exit) Define and clear rules; apply rules to running firewall; define timeouts; save rules to FLASH; import and export rules; display rules.
Rule definition mode: rule-list# (enter using the command: rule-list; exit to Configuration mode using the command: end) Define firewall and NAT rules.

The following sections describe the three configuration modes and the commands that you can use in each of them.

Command Mode Commands

Use the command mode commands to manage the firewall and NAT subsystem. Table 14 summarizes and discusses these commands.
Table 14 CLI Command Descriptions

Command Description
clear nat <link-id> For more information about this command, see nat clear-state <link-id>.
firewall clear-state Clears all firewall and NAT state table entries. This has the effect of disabling any existing TCP connections (or UDP flows) both to and through the VPN gateway. Caution: Use this command with care, especially if you are connected to the gateway through a TELNET or SSH session.
firewall disable Disables the firewall and NAT subsystem. All packets flow through the VPN gateway without firewalling. However, all packets are still subject to the Security Policy database rules, which may include drop, bypass, and protect options.
firewall enable Enables the firewall and NAT subsystem.
firewall rate-limit <CR>, firewall rate-limit <number> <CR> Enables or displays firewall rate-limiting features. If entered as firewall rate-limit, displays the current rate limiting set for the firewall (Default: unlimited). If entered as firewall rate-limit <number>, sets a maximum rate at which new state entries can be added to the firewall, per second. This can be used to provide a simple rate limiting or Denial of Service protection to networks protected by the VPN gateway.
nat clear-state <link-id> Clears a single NAT state table entry. This deletes the NAT state table entry, which has the effect of disabling any existing TCP or UDP flows that use this state table entry. There is no form to delete all NAT state table entries; use the firewall clear-state command to clear all NAT and firewall state table entries.
show firewall Shows the state of the firewall, statistics about the firewall, and the firewall rule set and configuration.
show firewall full Shows the state of the firewall, each of the firewall rules, and both the number of times each rule has been matched as well as the number of bytes of traffic each rule has passed or blocked. The count of state table hits and passed traffic (in bytes) is also given.
show firewall state Displays the firewall state table, as well as counters on the number of state table hits and misses, maximum counts, and errors caused by insufficient memory.
show firewall statistics Displays statistics on firewall actions, including drop and pass rules, logging, subdivided into several categories.
show nat arp Displays the mapping between NAT entries and MAC addresses.
show nat state Displays the NAT state table.
show nat statistics Displays statistics on the operation of the NAT subsystem.
configure firewall Enter firewall configuration mode.
debug nat Enables debugging on the NAT subsystem. You will need to use other commands, such as log enable, to actually see debugging messages, depending on the system configuration and how you are connected to the VPN gateway.

In addition, you can use the following command mode commands to enable and disable the firewall and NAT subsystems in saved configurations:

enable firewall
disable firewall

Firewall Configuration Mode

In the firewall configuration mode, you can clear and define firewall rules, apply rule sets to the running firewall, define firewall timeouts, show and save rule sets, and import and export rule sets from the local flash storage or from a network file server.

In firewall configuration mode, you work with a workspace of firewall rules that is separate and distinct from the set of rules in the running firewall. When you first enter firewall configuration mode, the running configuration is copied to the configuration rule workspace. Changes you make to the configuration rule workspace do not affect the running firewall, until you apply them (which pushes them to the running firewall) or save them (which saves them to FLASH to be used the next time the VPN gateway boots). You can also clear the configuration rule workspace, as well as import and export rules between the workspace and either local FLASH files or files on TFTP or NFS file servers. If you exit without saving or applying the changes, changes are lost.
Note: Changes to the firewall rule sets do not take effect immediately. To make changes affect the running firewall, you must use the following command: apply.

To enter firewall configuration mode, enter the following command at the CLI command mode (>):

> configure firewall

To exit firewall configuration mode and return to command mode, enter the following command at the config_firewall# prompt:

config_firewall# exit

When you exit firewall configuration mode, you will be prompted by the gateway if you have not saved your changes to flash. If you wish to discard changes you have made, type the following command:

config_firewall# exit

Otherwise, to save changes to flash, enter the following command:

config_firewall# apply

To exit firewall configuration mode, enter the following command:

config_firewall# exit

The following CLI fragment shows ending rule definition mode, and then the gateway prompt when you attempt to exit without saving changes:

rule-list# end
config_firewall# exit
WARNING! Changes were done to the packet filter rules and have not been applied to the system yet.
Type 'exit' (changes will be lost) or 'apply' (to apply the changes).
config_firewall# exit
>
Table 15 lists the commands available in firewall configuration mode.

Table 15 Firewall Configuration Mode Commands

Command Description
apply Applies configured rules to the currently running firewall.
clear Deletes the configured rules. Does not affect the currently running firewall.
clear icmp-timeout, clear tcp-timeout, clear udp-timeout Deletes the configured ICMP (or TCP or UDP) timeout parameter, replacing it with the default.
export <filename> Exports the configured rules to a file, either on the local flash or to a network file server (using tftp:// or nfs:// syntax).
import <filename> Imports a file of firewall rules to the configured rules, either from a local or network drive.
icmp-timeout <value>, tcp-timeout <value>, udp-timeout <value> Defines the firewall's global ICMP (or TCP or UDP) timeout parameter.
rule-list Enter firewall rule configuration mode, appending any rules to the existing rule set.
save Save the configured firewall rules to the local system configuration. These rules are used on the next system boot.
show Show the configured rule set, which may not match the currently running firewall rules.

apply

Use the apply command to copy newly designed rules from the configuration rule workspace to the currently running firewall. When you apply rules, you have the choice to either clear all firewall state tables (which will disrupt any current connections, possibly including your SSH or Telnet console connection being used to define the firewall rules) or to leave the firewall state tables intact, allowing all existing stateful TCP, UDP, and ICMP sessions to terminate gracefully.

Note: The apply command does not save the configuration to flash, therefore if the gateway is rebooted, the configuration is lost. To save configuration to flash, you must use the save command.

Syntax

config_firewall# apply
config_firewall# apply keep-state
Arguments

keep-state
• If keep-state is specified, all existing connections are retained and allowed to complete whether they satisfy the new rule set being applied or not.
• If keep-state is not specified, all existing state table entries for firewall and NAT are cleared and the rules are copied from the configuration rule workspace to the running firewall.

clear

Use the clear command to clear all firewall rules from the configuration rule workspace. Because the configuration rule workspace is copied from the running firewall when you enter firewall configuration mode, you may want to clear the workspace before you enter new rules or import rules from a file. If you do not clear the workspace, any rules you enter using the rule-list command are appended to the existing set of rules in the configuration rule workspace.

You can also use the clear command to remove configuration information for the ICMP, TCP, and UDP timeout parameters. If these configuration entries are removed, the Nokia-defined defaults apply.

Syntax

config_firewall# clear
config_firewall# clear icmp-timeout
config_firewall# clear tcp-timeout
config_firewall# clear udp-timeout

Arguments

clear icmp-timeout ICMP timeout value is cleared from the configuration and the defined default of 60 seconds is used by the firewall.
clear tcp-timeout TCP timeout value is cleared from the configuration and the defined default of 432,000 seconds (5 days) is used by the firewall.
clear udp-timeout UDP timeout value is cleared from the configuration and the defined default of 120 seconds is used by the firewall.

Example

config_firewall# clear icmp-timeout
config_firewall# clear tcp-timeout
config_firewall# clear udp-timeout
config_firewall# clear
config_firewall# apply
firewall: 'apply' aborted due to empty ruleset.
firewall: failed to apply firewall config.
config_firewall# save
config_firewall#

export

Use the export command to export the configuration rule workspace to a file. Rules are written in normal ASCII. To export the file to a remote file server, you may use the tftp:// or nfs:// forms of file names supported by the gateway CLI.

Syntax

config_firewall# export <filename> <CR>

Arguments

<filename> May refer to any file system and filename recognized by the local CLI. Depending on the hardware available, this may include one or more flash memory cards. Remote file servers accessible through NFS or TFTP may also be part of the file system.

Example

config_firewall# export flash:my-test-rules.txt
config_firewall# export tftp://10.245.12.222/firewall.rules
config_firewall# export pccard1:ginger.firewall-rules

import

Use the import command to import firewall rules from an ASCII file. The file must be in the form of a sequence of rules that are accepted by the firewall configuration mode (that is, as if you were to type them in to the rule-list command). To import a file from a remote file server, use the tftp:// or nfs:// forms of file names supported by the gateway CLI.

Note: Before you import firewall rules from a file using the import command, you may want to clear the existing firewall rules from the configuration rule workspace using the clear command. If you do not use the clear command, the rules you import are appended to the existing rules in the configuration workspace.

Syntax

config_firewall# import <filename>

Arguments

<filename> May refer to any file system and filename recognized by the local CLI. Depending on the hardware available, this may include one or more flash memory cards. Remote file servers accessible through NFS or TFTP may also be part of the file system.

Example

config_firewall# import flash:my-test-rules.txt
config_firewall# import tftp://10.245.12.222/firewall.rules
config_firewall# import pccard1:ginger.firewall-rules

icmp-timeout, tcp-timeout, and udp-timeout

Use the icmp-timeout, tcp-timeout, and udp-timeout commands to set the firewall timeouts for established connections. ICMP and UDP do not have true connections in the same sense that TCP does. Therefore, the timeouts for ICMP and UDP are applied to any connection set up by the firewall that is idle. When a connection state entry for a UDP or ICMP session is idle for the timeout value, it is removed from the state table. Because there is no graceful session teardown for ICMP or UDP, the timeout is the only way that ICMP or UDP state will be removed from the firewall state tables.

TCP timeout is also used on idle connections. However, TCP does have a graceful teardown mechanism. The TCP timeout is only used when a TCP connection is not torn down (or reset), but is idle with no traffic in either direction.

Syntax

config_firewall# icmp-timeout <timeout>
config_firewall# tcp-timeout <timeout>
config_firewall# udp-timeout <timeout>
Example
config_firewall# icmp-timeout 117
config_firewall# tcp-timeout 555
config_firewall# udp-timeout 10
Arguments
icmp-timeout <timeout> ICMP timeout for pseudo-connections. The timeout value must be in the range of 1 second to 86400 seconds (1 day). Default value: 60 seconds.
tcp-timeout <timeout> TCP timeout for connections. The timeout value must be in the range of 1 second to 86400 seconds (1 day). Default value: 432000 seconds (5 days); this default lies above the settable maximum and cannot be set explicitly.
udp-timeout <timeout> UDP timeout for pseudo-connections. The timeout value must be in the range of 1 second to 86400 seconds (1 day). Default value: 120 seconds.
rule-list
The rule-list command allows you to define new firewall rules. To enter rule definition mode from firewall configuration mode (config_firewall#), use the following command:
config_firewall# rule-list
When you enter rule definition mode, the CLI prompt of the gateway changes to rule-list#.
Note
Before you begin using rule definition mode, you may want to clear the existing firewall rules in the configuration rule workspace using the clear command. If you do not use the clear command, any rules entered in rule definition mode are appended to the end of the existing rules in the workspace.
To exit rule definition mode, enter the following command:
rule-list# end
For more information about the rule-list command, see “Rule Definition Mode” on page 269.
Syntax
config_firewall# rule-list
Example
config_firewall# rule-list
rule-list# match all target drop log
rule-list# end
config_firewall#
save
Use the save command to save the current configuration rule workspace to the flash configuration. The firewall rules are stored in the gen_info.txt file, with an associated version number within the file itself. Upon rebooting, the gateway loads the most recently saved rule list from the gen_info.txt file.
Note
The save command does not affect the currently running firewall rule set. You can only save firewall rules that have been applied to the currently running firewall. To apply the current configuration rule workspace and replace the firewall rules currently in operation, use the apply command before saving.
Syntax
config_firewall# save
Example
config_firewall# save
firewall: WARNING! Modified rules have not been applied to the system yet.
firewall: type 'apply' first and then 'save'.
config_firewall# apply
config_firewall# save
config_firewall#
show
Use the show command to display the firewall rules currently in the configuration rule workspace. The show command also displays any non-default ICMP, TCP, and UDP timeout values.
Note
The show command does not show the running rules in the firewall, although the running firewall rules are copied to the configuration rule workspace when you first enter firewall configuration mode.
Syntax
config_firewall# show
Example
config_firewall# show
Firewall Connection Time out Table
Tcp Timeout :555
Udp Timeout :10
Icmp Timeout :117
Firewall Rules:
1 match from any to broadcast target pass
2 match all target drop log
# DEFAULT match from any to any target drop
config_firewall#
Rule Definition Mode
You can enter firewall rules by using a console terminal session and rule definition mode, or you can import firewall rules into the configuration rule workspace by using the import command in firewall configuration mode. The same syntax is used for firewall rules whether they are part of a CLI-based firewall configuration or are used in the Advanced configuration part of the VPN Manager. The three ways of defining firewall and NAT rules are summarized in Table 16.
No matter how firewall and NAT rules are defined, they are all evaluated in the same way. The firewall matches the rules in the same order in which the rules are added. The following sections use rule definition mode (the rule-list command) in the examples. However, the rules in these examples and all of the syntax of firewall and NAT rules apply equally no matter which mode is used to add the rules to the gateway. To enter rule definition mode from firewall configuration mode (config_firewall#), use the following command:
config_firewall# rule-list
Table 16 Defining Firewall and NAT Rules
Rule definition mode Enter rule definition mode from firewall configuration mode using the rule-list command. Enter the rules one at a time and exit using the end command.
Firewall configuration mode Import rules by using the import command to pull from a file on flash or a remote file server (TFTP or NFS).
VPN Manager Enter the rules by using a simple text editor in VPN Manager when Advanced firewall configuration mode is selected.
When you enter rule definition mode, the CLI prompt of the gateway changes to rule-list#. To exit rule definition mode, enter the following command:
rule-list# end
The following example illustrates entering rule definition mode, adding a single rule to the end of the current firewall list, and exiting rule definition mode:
config_firewall# rule-list
rule-list# match all target drop log
rule-list# end
config_firewall#
Note
When you enter the firewall configuration mode, the existing running firewall rules are copied from the firewall into the configuration rule workspace. This means that any import commands in firewall configuration mode, or rule-list commands entering rule definition mode, will add new rules to the end of the list of existing rules. If you want to clear the configuration rule workspace before adding rules, use the clear command.
Figure 2 gives an overview of how rules move in and out of the configuration rule workspace and the running firewall and NAT subsystem.
Figure 2 Overview
Overview of Firewall Rule Syntax
You can define firewall rules to match certain types of TCP/IP flows, and qualify those flows based on other traffic characteristics, such as the source interface or tunnel, or IP or TCP options. When you have matched a TCP/IP flow, you can specify three general actions: pass (allow this flow to continue), drop (block this flow), and translate (pass this flow and apply Network Address Translation transformations). Firewall rules also have some optional parameters to assist in management, such as logging options.
Both firewall pass and drop rules and NAT translate rules are intermixed in the same rule base. As the firewall and NAT subsystem evaluates rules, it takes the action based on the first matching rule, whether NAT translation, pass, or drop. When a rule specifies that stateful firewalling or NAT translation should be performed, the firewall creates a state table entry ahead of the rule base that will pass through (and possibly NAT) traffic within defined and permitted flows. Figure 3 shows the general structure of all firewall and NAT rules.
Figure 3 Structure of Firewall and NAT Rules
Every rule must have two main parts:
• A MATCH clause that specifies the interfaces, source IP and port, destination IP and port, and other IP options to match the flow with.
• A TARGET clause that specifies the action to take on the flow.
Within the MATCH and TARGET clauses, there are a large number of options that can be used to provide more specific or less specific matches and actions.
Optionally, any rule can also have a LOG clause that gives you the ability to log both rule matches and the actual traffic within them. Figure 4 breaks up firewall rules into more specific sections, highlighting the MATCH, TARGET, and LOG clauses separately. The following three sections detail each of the three clauses and the complete syntax of each component of the firewall rule.
Figure 4 Sections of Firewall Rules
MATCH Clauses in Firewall Rules
You use the MATCH clause in a firewall rule to indicate the flow (or the single IP datagram, if you are not using the stateful features of the firewall in a rule) you want this rule to match. A flow is described by attributes of the first packet, including source and destination addresses and ports, along with other flow attributes, such as the interface or tunnel the flow will use. You also have the ability to be very specific with some IP and TCP options in defining flows in the MATCH clause, although these are less common.
To understand the MATCH clause, it is helpful to divide it into four parts: interface source, source IP and port, destination IP and port, and other qualifiers. Figure 5 displays these further qualifiers.
Figure 5 Match Clause
Source Interface Matching in MATCH Clauses
The first part of the MATCH clause is the optional source interface. This is the interface that the first IP datagram of the flow originates on. This qualifier to the clause is optional; if it is omitted, then an implicit ON ANY is assumed, which means that any interface can match this subclause. Because most flows are bi-directional, the source interface only applies to the first datagram in the flow. Any datagrams that are permitted by a stateful flow in the reverse direction will have a destination interface as specified by the MATCH clause.
If you want to specify a destination interface rather than a source interface, this is also possible, but you must specify the destination interface as part of the destination matching part of the rule (the TO qualifier of the MATCH clause).
The actual interfaces allowed in a source interface match subclause depend on the exact hardware model of the Nokia IP VPN Gateway, because different models of the Nokia IP VPN Gateway support different sets of interfaces. Table 17 provides a list of the most common interfaces and other interfaces that may be specified in the ON qualifier.
Table 17 Common Interfaces
ON <intf-spec> Description
ON eth-1, ON eth-2, ON eth-3 Packets arriving on the ETH-1 (or ETH-2, ETH-3) interface of the VPN gateway.
ON internal Packets arriving on an interface marked as internal (that is, inside the protected network).
ON external Packets arriving on an interface marked as external (that is, outside the protected networks, towards the Internet).
ON local Packets that are originated from the VPN gateway itself (For example, management traffic).
ON tunnel Packets coming over a tunnel that terminates on the VPN gateway. These are typically encrypted packets.
ON any Packets coming over any interface, including local and tunnel interfaces. This is the default if no ON subclause is given.
Source IP Matching in MATCH Clauses
The source IP of the first datagram of the flow can be specified to include (or exclude) IP addresses and subnets, as well as groups of addresses. The source IP matching can optionally include the UDP or TCP port number of the datagram.
The Source IP matching subclause (the subclause beginning with FROM) is not required. However, if no FROM subclause is present, then the keyword ALL must be used to specify all source and destination IP addresses and ports.
Any IP address can also be qualified by NOT, meaning that the source IP matches all IP addresses except those specified in the rule.
The syntax of the FROM clause is:
FROM [NOT] <ANY | ANY-INSIDE | ANY-OUTSIDE | BROADCAST | LOCAL | <ip/mask> | <host> > [PORT < EQ | NE | LT | GT | LE | GE> <port>]
Table 18 provides additional explanation of the pieces of the Source IP matching subclause.
Table 18 Source IP Matching
Source IP matching Subclause Part Description
FROM Constant, always present, starts all source IP matching subclauses.
NOT Optional; negates the rest of the subclause, matching all IP addresses and ports except those listed.
<ANY | ANY-INSIDE | ANY-OUTSIDE | BROADCAST | LOCAL | <ip/mask> | <host> > Specifies the IP address or subnet to match. One of the following formats must be present:
• ANY—any IP address.
• ANY-INSIDE—any IP address that would be routed to an internal interface for transmission.
• ANY-OUTSIDE—any IP address that would be routed to an external interface for transmission.
• BROADCAST—any IP broadcast (but not multicast) address.
• LOCAL—IP addresses considered local to the VPN gateway (that is, all the physical interfaces as well as the loopback interface).
• <ip/mask>—an A.B.C.D/E format subnet.
• <host>—an A.B.C.D IPv4 address.
<ip/mask> An IP address in the form A.B.C.D/E where A, B, C, and D are integers in the range 0 to 255 forming an IPv4 address and E is an integer in the range 0 to 32, specifying a contiguous subnet mask. For example, 10.245.12.0/24 specifies the 24-bit subnet 10.245.12.0 (network mask 255.255.255.0, addresses in the range 10.245.12.0 through 10.245.12.255), while 10.35.195.192/26 specifies the 26-bit subnet 10.35.195.192 (network mask 255.255.255.192, addresses in the range 10.35.195.192 through 10.35.195.255). You may also specify a subnet <ip/mask> using the format A.B.C.D MASK E.F.G.H where A.B.C.D is the dotted-quad IP address, MASK is the constant word MASK, and E.F.G.H is the network mask in traditional dotted-quad format, such as 255.255.255.0.
<host> An IP address in the form A.B.C.D where A, B, C, and D are integers in the range 0 to 255 forming a dotted-quad IPv4 address. For example, 10.245.12.50.
PORT Signifies that a port qualifier follows. Optional, but required if a port qualifier is to be included. The port qualifier does not specify whether the port is UDP or TCP.
<EQ | NE | LT | GT | LE | GE> Required in a PORT qualifier (but optional in a FROM subclause), gives the Boolean operator used to compare the TCP or UDP port in the datagram for matching purposes:
• EQ—equal to (that is, the port in the datagram is equal to the one in the PORT qualifier).
• NE—not equal to.
• LT—less than (that is, the port in the datagram is numerically less than the one in the PORT qualifier).
• LE—less than or equal to.
• GT—greater than (that is, the port in the datagram is numerically greater than the one in the PORT qualifier).
• GE—greater than or equal to.
<port> Required in a PORT qualifier (but optional in a FROM subclause), the port number to match. Port numbers are in the range of 0 to 65535.
Destination IP Matching in MATCH Clauses
You use the Destination IP matching subclause in a MATCH clause to specify where the flow is going. The destination IP of the first datagram of the flow can be specified to include (or exclude) IP addresses and subnets, as well as groups of addresses, and whether or not the traffic is to be sent to a VPN tunnel. The destination IP matching can optionally include the UDP or TCP port number of the datagram.
If a source IP subclause is present, a Destination IP subclause (a subclause beginning with the keyword TO) must also be present. If no Source IP subclause (FROM subclause) is present, then you must use the keyword ALL to specify all source and destination IP addresses and ports (and no destination IP subclause can be present).
Note
The ALL keyword indicates all source IP addresses and all ports going to all destination IP addresses and all ports. The ANY keyword is used positionally to mean either all source IP addresses or all destination IP addresses, depending on whether it is in a source IP subclause or a destination IP subclause. The ALL keyword replaces both source and destination IP subclauses and means all IP traffic, while the ANY keyword is used within a subclause to indicate all addresses in the context of that subclause.
Any IP address can also be qualified by NOT, meaning that the destination IP matches all IP addresses except those specified in the rule.
The syntax of the TO clause is:
TO [NOT] <ANY | ANY-INSIDE | ANY-OUTSIDE | BROADCAST | LOCAL | VPN-TUNNEL | <ip/mask> | <host> > [PORT < EQ | NE | LT | GT | LE | GE> <port>] [ON <phys-intf>]
Table 19 provides additional explanation of the pieces of the Destination IP matching subclause.
Table 19 Destination IP Matching
Destination IP Subclause Part Description
TO Constant, always present, starts all destination IP matching subclauses.
NOT Optional; negates the rest of the subclause, matching all destination IP addresses and ports except those listed.
<ANY | ANY-INSIDE | ANY-OUTSIDE | BROADCAST | LOCAL | VPN-TUNNEL | <ip/mask> | <host> > Specifies the IP address or subnet to match. One of these formats must be present:
• ANY—any IP address.
• ANY-INSIDE—any IP address that will be routed to an internal interface for transmission.
• ANY-OUTSIDE—any IP address that will be routed to an external interface for transmission.
• BROADCAST—any IP broadcast (but not multicast) address.
• LOCAL—IP addresses considered local to the VPN gateway (that is, all the physical interfaces as well as the loopback interface; any datagram destined for the gateway itself).
• VPN-TUNNEL—IP addresses reachable through VPN tunnels (IPSec only).
• <ip/mask>—an A.B.C.D/E format subnet.
• <host>—an A.B.C.D IPv4 address.
<ip/mask> An IP address in the form A.B.C.D/E where A, B, C, and D are integers in the range 0 to 255 forming a standard dotted-quad IPv4 address and E is an integer in the range 0 to 32, specifying a contiguous subnet mask. For example, 10.245.12.0/24 specifies the 24-bit subnet 10.245.12.0 (network mask 255.255.255.0, addresses in the range 10.245.12.0 through 10.245.12.255), while 10.35.195.192/26 specifies the 26-bit subnet 10.35.195.192 (network mask 255.255.255.192, addresses in the range 10.35.195.192 through 10.35.195.255). You may also specify a subnet <ip/mask> using the format A.B.C.D MASK E.F.G.H where A.B.C.D is the dotted-quad IP address, MASK is the constant word MASK, and E.F.G.H is the network mask in traditional dotted-quad format, such as 255.255.255.0.
<host> An IP address in the form A.B.C.D where A, B, C, and D are integers in the range 0 to 255 forming a dotted-quad IPv4 address. For example, 10.245.12.50.
PORT Signifies that a port qualifier follows. Optional, but required if a port qualifier is to be included. The port qualifier does not specify whether the port is UDP or TCP.
<EQ | NE | LT | GT | LE | GE> Required in a PORT qualifier (but optional in a TO subclause), gives the Boolean operator used to compare the TCP or UDP port in the datagram for matching purposes:
• EQ—equal to (that is, the port in the datagram is equal to the one in the PORT qualifier).
• NE—not equal to.
• LT—less than (that is, the port in the datagram is numerically less than the one in the PORT qualifier).
• LE—less than or equal to.
• GT—greater than (that is, the port in the datagram is numerically greater than the one in the PORT qualifier).
• GE—greater than or equal to.
<port> Required in a PORT qualifier (but optional in a TO subclause), the port number to match. Port numbers are in the range of 0 to 65535.
ON Signifies that a destination interface qualifier follows. Optional, but required if a destination interface is included. The destination interface specified in this subclause can only be a physical interface name. To match on flows going to a tunnel, use the TO VPN-TUNNEL form of the destination IP matching subclause.
<phys-intf> Required in an ON qualifier (but optional in a TO subclause), gives the physical interface name for the destination of the flow. Examples of physical interfaces are eth-1, eth-2, and eth-3. You cannot specify other types of interfaces (such as internal, external, local, or tunnel) in an ON qualifier to a TO subclause.
Additional Matching in MATCH Clauses
In addition to matching flows based on the incoming interface, source, and destination information, you can also use a large number of additional options to further qualify or match frames and flows. Many of these additional qualifiers can be specified in several places within a MATCH clause; they do not have to be placed at the end of the clause. However, all of these additional qualifiers are position-independent within the frame. For example, the PROTO qualifier specifies the IP protocol number in the datagram. Since this occurs only once in a datagram, it is not a FROM or TO qualifier.
Some additional matching qualifiers related to IP options can also be combined using WITH, AND, and NOT logic. This can be used to match flows that have some options present, but do not have other options present.
Table 20 lists the broad categories of additional matching qualifiers.
Table 20 Additional Matching Qualifiers
Option Name Description
tcp-flags Matches on the presence of particular control bits in the fourth longword in the header of a TCP segment. TCP control bits are specified using the first letter of the control bit as defined in RFC 793. These are:
• U—URG, Urgent pointer valid flag
• A—ACK, Acknowledgement number valid flag
• P—PSH, Push flag
• R—RST, Reset connection flag
• S—SYN, Synchronize sequence numbers flag
• F—FIN, End of data flag
Flags to match on are listed without separation, such as tcp-flags SAP to match segments that have the SYN, ACK, and PSH flags all set.
icmp-type Matches on a particular ICMP type in the first longword in the header of an ICMP packet. The ICMP type is an 8-bit number and can be specified as an integer from 0 to 255, or as one of the following pre-defined types:
• echorep—0, echo reply
• unreach—3, destination unreachable
• squench—4, source quench
• redir—5, redirect
• echo—8, echo request
• routerad—9, router advertisement
• routersol—10, router solicitation
• timex—11, time exceeded
• paramprob—12, parameter problem
• timest—13, timestamp request
• timestrep—14, timestamp reply
• inforeq—15, information request
• inforep—16, information reply
• maskreq—17, address mask request
• maskrep—18, address mask reply
proto Matches on the IP protocol number in the third longword in the header of an IP packet. The IP protocol is an 8-bit number and can be specified as an integer from 0 to 255, or as one of the following pre-defined types: icmp (0), tcp (6), udp (17).
tos Matches on the IP Type of Service bits in the first longword in the header of an IP packet. The IP TOS is an 8-bit number and is specified as a hexadecimal number from 0 to FF. This field includes the Precedence, D, T, R, and M bits as well as the reserved low order bit 0. Not for beginners.
TTL Matches on the TTL field in the third longword in the header of an IP datagram. The IP TTL is an 8-bit number and is specified as an integer from 0 to 255. You cannot specify TTL ranges or Boolean qualifiers such as less than.
IP Options Matches on IP options that may be present in the IP header. The IP options that can be specified include:
• nop—1, NOP
• rr—7, record route
• zsu—10, experimental measurement
• mtup—11, MTU probe
• mtur—12, MTU reply
• encode
• ts—4, timestamp
• tr—18, traceroute
• sec—2, security
• e-sec—5, extended security
• cipso—6, commercial security
• satid—8, stream identifier
• addext—19, address extension
• visa—14, experimental access control
• imitd—16, IMI traffic descriptor
• eip—17, extended internet protocol
• finn—13, experimental flow control
The presence of any IP options can also be specified using the ipopts keyword.
length Matches IP datagrams that are too short to contain a valid IP header (less than 20 octets long), using the with short keyword.
The syntax supported in this part of the MATCH clause is fairly complex. However, the following BNF provides a minimum set of legal operations that should be sufficient to express any firewall rule.
additional-matches := [<tcp-flags>] [<icmp-type>] [<proto>] [<tos>] [<ttl>] [<ip-opts>] [<length>]
tcp-flags := "tcp-flags" [A][P][U][S][F][R]
8-bit-hex-number := 0x00 .. 0xFF
8-bit-decimal-number := 0 .. 255
icmp-type := "icmp-type" < <8-bit-decimal-number> | "echorep" | "unreach" | "squench" | "redir" | "echo" | "routerad" | "routersol" | "timex" | "paramprob" | "timest" | "timestrep" | "inforeq" | "inforep" | "maskreq" | "maskrep" >
proto := "proto" < <8-bit-decimal-number> | "tcp" | "udp" | "icmp" >
tos := "tos" <8-bit-hex-number>
ttl := "ttl" <8-bit-decimal-number>
ip-opts-single-option := < "nop" | "rr" | "zsu" | "mtup" | "mtur" | "encode" | "ts" | "tr" | "sec" | "e-sec" | "cipso" | "satid" | "addext" | "visa" | "imitd" | "eip" | "finn" > ["sec-class" < "unclass" | "confid" | "reserv-1" | "reserv-2" | "reserv-3" | "reserv-4" | "secret" | "topsecret" > ]
ip-opts := "with" < "ipopts" | ["not"] "opt" <ip-opts-single-option> [, <ip-opts-single-option>] >
length := "with short"
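The FROM and TO subclauses, the ALL keyword and the first-match evaluation order described in the preceding sections, as an added example that is not part of the original manual: a small Python parser and evaluator for that rule syntax. The topology constants (which networks count as inside, which addresses are local, which interface is internal or external) are assumptions standing in for what the gateway reads from its own routing table; qualifiers after the TARGET action and the additional-matches qualifiers are not modelled.

```python
"""Parser and first-match evaluator for the rule syntax on this page: MATCH [ON <intf>]
(FROM ... TO ... | ALL) TARGET <action> [qualifiers] [LOG], with NOT, PORT <op> <port>,
the A.B.C.D/E and A.B.C.D MASK E.F.G.H subnet forms and TO ... ON <phys-intf>.
Constructed example, not Nokia code; the topology constants are assumptions."""
import ipaddress
from collections import namedtuple
from dataclasses import dataclass

PORT_OPS = {"eq": lambda a, b: a == b, "ne": lambda a, b: a != b,
            "lt": lambda a, b: a < b, "le": lambda a, b: a <= b,
            "gt": lambda a, b: a > b, "ge": lambda a, b: a >= b}
KEYWORDS = {"any", "any-inside", "any-outside", "broadcast", "local", "vpn-tunnel"}
# Constructed topology (the real gateway takes this from its routing table); eth-1 internal, eth-2 external
INSIDE_NETS = [ipaddress.ip_network("10.245.12.0/24")]
TUNNEL_NETS = [ipaddress.ip_network("10.35.195.192/26")]
LOCAL_ADDRS = {ipaddress.ip_address("10.245.12.1"), ipaddress.ip_address("192.0.2.1")}
IFACE_ROLE = {"eth-1": "internal", "eth-2": "external"}
# First datagram of a flow: addresses, ports, arrival interface, outgoing physical interface
Packet = namedtuple("Packet", "src dst sport dport on out", defaults=(0, 0, "eth-1", "eth-2"))

@dataclass
class Endpoint:
    """One FROM or TO subclause: [NOT] <address> [PORT <op> <port>]."""
    negate: bool = False
    keyword: str = "any"      # a KEYWORDS entry, or "net" with .net set
    net: object = None
    port_op: str = None
    port: int = 0

    def addr_ok(self, ip):
        inside = any(ip in n for n in INSIDE_NETS)
        return {"net": lambda: ip in self.net, "any": lambda: True,
                "any-inside": lambda: inside, "any-outside": lambda: not inside,
                "local": lambda: ip in LOCAL_ADDRS,
                "vpn-tunnel": lambda: any(ip in n for n in TUNNEL_NETS),
                "broadcast": lambda: ip == ipaddress.ip_address("255.255.255.255") or any(
                    ip == n.broadcast_address for n in INSIDE_NETS + TUNNEL_NETS)}[self.keyword]()

    def matches(self, ip_str, port):
        ok = self.addr_ok(ipaddress.ip_address(ip_str))
        if self.port_op:
            ok = ok and PORT_OPS[self.port_op](port, self.port)
        return ok != self.negate   # NOT negates the whole subclause, address and port

def parse_endpoint(t, i):
    """Parse [NOT] <address> [PORT <op> <port>] at t[i]; return (Endpoint, next index)."""
    ep = Endpoint()
    if t[i] == "not":
        ep.negate, i = True, i + 1
    tok, i = t[i], i + 1
    if tok in KEYWORDS:
        ep.keyword = tok
    else:
        if i < len(t) and t[i] == "mask":                     # A.B.C.D MASK E.F.G.H form
            tok, i = f"{tok}/{t[i + 1]}", i + 2
        ep.keyword, ep.net = "net", ipaddress.ip_network(tok, strict=False)  # host -> /32
    if i < len(t) and t[i] == "port":
        ep.port_op, ep.port, i = t[i + 1], int(t[i + 2]), i + 3
        if ep.port_op not in PORT_OPS or not 0 <= ep.port <= 65535:
            raise ValueError("bad PORT qualifier: " + " ".join(t[i - 3:i]))
    return ep, i

def expect(t, i, word):
    if i >= len(t) or t[i] != word:
        raise ValueError(f"expected {word!r} at token {i} of {' '.join(t)!r}")
    return i + 1

def parse_rule(line):
    t = line.lower().split()
    r = {"on": "any", "src": Endpoint(), "dst": Endpoint(), "out": None, "log": t[-1:] == ["log"]}
    i = expect(t, 0, "match")
    if i < len(t) and t[i] == "on":                         # optional source interface
        r["on"], i = t[i + 1], i + 2
    if i < len(t) and t[i] == "all":                        # ALL replaces FROM and TO
        i += 1
    else:
        r["src"], i = parse_endpoint(t, expect(t, i, "from"))
        r["dst"], i = parse_endpoint(t, expect(t, i, "to"))
        if i < len(t) and t[i] == "on":                     # TO ... ON <phys-intf>
            r["out"], i = t[i + 1], i + 2
    i = expect(t, i, "target")
    r["action"] = t[i]            # pass | drop | translate; later qualifiers are not modelled
    return r

def rule_matches(r, p):
    return (r["on"] in ("any", p.on, IFACE_ROLE.get(p.on)) and r["out"] in (None, p.out)
            and r["src"].matches(p.src, p.sport) and r["dst"].matches(p.dst, p.dport))

def evaluate(rules, p):
    """First matching rule decides; no match falls to the implicit DEFAULT (target drop)."""
    for n, r in enumerate(rules, 1):
        if rule_matches(r, p):
            return n, r["action"]
    return None, "drop"

# Constructed rule base: the two rules from this page's show output plus two more.
RULES = [parse_rule(s) for s in (
    "match from any to broadcast target pass",
    "match on internal from 10.245.12.0/24 to any-outside port eq 80 target translate source external",
    "match from not 10.245.12.0 mask 255.255.255.0 to local port lt 1024 target drop return-rst",
    "match all target drop log")]
```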
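The additional-matches BNF above, as an added example that is not from the original manual: a Python parser that turns one additional-matches string into predicates and evaluates them against a constructed packet representation (the Packet fields are an assumption). It treats WITH OPT a,b as requiring every listed option and WITH NOT OPT a,b as requiring none of them, which is an assumption about the gateway's semantics.

```python
"""Parser and evaluator for the additional-matches part of a MATCH clause as given
in the BNF above: tcp-flags, icmp-type, proto, tos, ttl, with ipopts, with [not] opt
..., and with short.  Constructed example, not Nokia code; the Packet fields are an
assumption about how a datagram is represented."""
from dataclasses import dataclass

TCP_FLAGS = set("UAPRSF")       # first letters of the RFC 793 control bits
ICMP_TYPES = {"echorep": 0, "unreach": 3, "squench": 4, "redir": 5, "echo": 8,
              "routerad": 9, "routersol": 10, "timex": 11, "paramprob": 12,
              "timest": 13, "timestrep": 14, "inforeq": 15, "inforep": 16,
              "maskreq": 17, "maskrep": 18}
PROTOS = {"icmp": 1, "tcp": 6, "udp": 17}   # IANA protocol numbers (ICMP is 1)
IP_OPTIONS = {"nop", "rr", "zsu", "mtup", "mtur", "encode", "ts", "tr", "sec", "e-sec",
              "cipso", "satid", "addext", "visa", "imitd", "eip", "finn"}

@dataclass
class Packet:
    proto: int = 6
    tcp_flags: str = ""             # e.g. "SA" for a SYN+ACK segment
    icmp_type: int = -1
    tos: int = 0
    ttl: int = 64
    ip_opts: frozenset = frozenset()
    length: int = 40                # IP datagram length in octets

def _byte(tok, base=10):
    n = int(tok, base)
    if not 0 <= n <= 255:
        raise ValueError(f"not an 8-bit value: {tok!r}")
    return n

def parse_additional(text):
    """Return a list of (qualifier, predicate) pairs; a packet matches when all hold."""
    t, i, preds = text.lower().split(), 0, []
    while i < len(t):
        k = t[i]
        if k == "tcp-flags":
            want = set(t[i + 1].upper())
            if not want <= TCP_FLAGS:
                raise ValueError(f"unknown TCP flag in {t[i + 1]!r}")
            # every listed flag must be set; flags not listed are ignored
            preds.append((k, lambda p, w=want: p.proto == 6 and w <= set(p.tcp_flags.upper())))
            i += 2
        elif k == "icmp-type":
            n = ICMP_TYPES[t[i + 1]] if t[i + 1] in ICMP_TYPES else _byte(t[i + 1])
            preds.append((k, lambda p, n=n: p.proto == 1 and p.icmp_type == n))
            i += 2
        elif k == "proto":
            n = PROTOS[t[i + 1]] if t[i + 1] in PROTOS else _byte(t[i + 1])
            preds.append((k, lambda p, n=n: p.proto == n))
            i += 2
        elif k == "tos":
            n = _byte(t[i + 1], 16)      # given in hexadecimal, 0 to FF
            preds.append((k, lambda p, n=n: p.tos == n))
            i += 2
        elif k == "ttl":
            n = _byte(t[i + 1])          # exact value only, no ranges or comparisons
            preds.append((k, lambda p, n=n: p.ttl == n))
            i += 2
        elif k == "with" and t[i + 1] == "short":
            preds.append(("with short", lambda p: p.length < 20))   # no room for an IP header
            i += 2
        elif k == "with" and t[i + 1] == "ipopts":
            preds.append(("with ipopts", lambda p: bool(p.ip_opts)))
            i += 2
        elif k == "with":
            j, negate = i + 1, False
            if t[j] == "not":
                j, negate = j + 1, True
            if t[j] != "opt":
                raise ValueError(f"expected opt, got {t[j]!r}")
            raw, j = t[j + 1], j + 2
            while raw.endswith(",") and j < len(t):     # "opt rr, ts" and "opt rr,ts" both work
                raw, j = raw + t[j], j + 1
            opts = {o for o in raw.split(",") if o}
            if not opts <= IP_OPTIONS:
                raise ValueError(f"unknown IP option in {raw!r}")
            # assumption: "opt a,b" needs all listed options present, "not opt a,b" needs none
            preds.append((f"with {'not ' if negate else ''}opt",
                          lambda p, o=opts, ng=negate: o.isdisjoint(p.ip_opts) if ng else o <= p.ip_opts))
            i = j
        else:
            raise ValueError(f"unknown qualifier {k!r}")
    return preds

def matches(preds, packet):
    return all(fn(packet) for _, fn in preds)
```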
TARGET Clauses in Firewall Rules
You use the TARGET clause in a firewall rule to indicate the action that the firewall should take for the datagram or flow matched. The TARGET clause consists of the word TARGET followed by one of three actions (PASS, DROP, or TRANSLATE) and optionally other qualifiers. The firewall and NAT subsystem supports three different target actions, as described in Table 21.
Figure 6 displays the part of a firewall rule after the MATCH clause, which includes both the TARGET and optional LOG clauses.
Figure 6 A Part of a Firewall Rule after the Match Clause
Table 21 TARGET Action
Action Description
PASS Allow this datagram to pass through the firewall. If keep-state is specified, then also set up a translation so that the stateful packet flow for TCP, UDP, or ICMP is maintained. PASS can also invoke an application layer gateway for protocols that require ALG support, such as FTP.
DROP Do not allow this datagram to pass through the firewall. The firewall can either silently drop the datagram, or return one of three error responses. Not all responses are appropriate for all protocols.
TRANSLATE Same as PASS, but with the addition of either source or destination IP address NAT. Because NAT is also inherently stateful, a TARGET action of TRANSLATE implies keep-state as well. TRANSLATE can also invoke application layer gateways.
PASS Qualifiers in TARGET Clauses in Firewall Rules
The syntax for a PASS qualifier in the target clause is:
target pass [open-channel <alg-name>] [keep-state]
Table 22 describes PASS qualifiers in the TARGET clause.
Table 22 PASS Qualifier
PASS Qualifier Keyword Description
PASS Required. Indicates that this is a pass qualifier.
OPEN-CHANNEL <alg-name> Optional. Indicates that this rule should call the application layer gateway to open additional ports and channels to support the application. Four application layer gateways are supported: for the FTP protocol (open-channel ftp), for the TFTP protocol (open-channel tftp), for the Internet Relay Chat Direct Client Connection protocol (open-channel irc-dcc), and for the Progressive Networks RealMedia RTSP/PNA protocols (open-channel realmedia). If OPEN-CHANNEL is used, then KEEP-STATE should also be used.
KEEP-STATE Optional. Indicates that the packet matched is part of a flow, and the firewall should make an entry into the firewall state table to allow return packets for this flow to pass. When you use the PASS qualifier in a TARGET clause, you must use KEEP-STATE to activate the stateful part of the firewall. If you do not use KEEP-STATE, only the single packet matched will be allowed through the firewall, not the rest of the flow. The timeouts for the stateful inspection are defined by the ICMP-TIMEOUT, TCP-TIMEOUT, and UDP-TIMEOUT firewall configuration values.
DROP Qualifiers in TARGET Clauses in Firewall Rules
The syntax for a DROP qualifier is:
target drop [ return-icmp <icmp-type> | return-icmp-as-dest <icmp-type> | return-rst ]
If none of the return-x keywords are given after the drop qualifier, then the packet is silently discarded by the firewall and no indication is given back to the sender that the datagram was dropped.
Table 23 describes DROP qualifiers in a TARGET clause.
Table 23 DROP Qualifiers
DROP qualifier keyword or part Description
target Required. Starts all target clauses.
drop Required. Indicates that this is a drop clause. If no return-x keyword is present, the datagram is silently dropped with no response to the sender.
return-icmp <icmp-type> Optional. Indicates that an ICMP error message is returned to the sender. For more information on return-icmp and the icmp-type, see the discussion below this table.
return-icmp-as-dest <icmp-type> Optional. Indicates that an ICMP error message is returned to the sender, from the apparent destination of the message. For more information on return-icmp-as-dest and the icmp-type, see the discussion below this table.
return-rst Optional. Indicates that a TCP RST message should be sent to the sender. For more information on return-rst, see the discussion below this table.
Use the three return-x keywords to vary the behavior of the firewall and return different types of error messages.
The return-rst keyword indicates that the firewall should send back a TCP message with the RST flag bit set, telling the connecting system to reset and tear down the TCP connection. The return-rst flag is only valid for TCP protocol messages and has no additional action if it is used on a rule that matches UDP or ICMP (or other IP protocol) traffic.
Use the return-icmp keyword to configure the firewall to send back an ICMP error message to the originator. In the return-icmp case, this ICMP error message comes from the firewall; in the return-icmp-as-dest case, the ICMP is sent as if it came from the destination of the original packet (for example, simulating the presence of the unreachable system). When a return-icmp or return-icmp-as-dest is sent back, the DROP qualifier in the rule must also indicate which of the ICMP error codes is to be returned. The ICMP message that will be sent is an ICMP type 3, Destination Unreachable. You must also specify the 8-bit code. This can be specified as a decimal number (from 0 to 255) or as one of a set of symbolically defined ICMP error codes from Table 24. In most cases, the most appropriate response is filter-prohib (error code 13).
Table 24 ICMP Error Codes
ICMP Error CodeEquivalent Value Description of the Error Code
net-unr 0 Network unreachable error.
host-unr 1 Host unreachable error.
proto-unr 2 Protocol unreachable error. When the designated transport protocol is not supported.
port-unr 3 Port unreachable error. When the designated transport protocol (for example, UDP) is unable to demultiplex the datagram but has no protocol mechanism to inform the sender.
needfrag 4 The datagram is too big. Packet fragmentation is required but the DF bit in the IP header is set.
srcfail 5 Source route failed error.
net-unk 6 Destination network unknown error.
Table 23 DROP Qualifiers
DROP qualifier keyword or part Description
Nokia IP VPN Gateway Command-Line Summary v6.3 283
6 Configuring Firewall and Network Address Translation
TRANSLATE Qualifiers in TARGET Clauses in Firewall Rules
The translate qualifier is a PASS-and-NAT action. The firewall and NAT subsystem supports both destination NAT and source NAT operations. The syntax of the translate qualifier is to the target clause is:target translate < <destination < <ip/mask> | <ip> > [ port <port-number>]> | <source < external | <ip/mask> | <ip> > > [open-channel <alg-name>]
For outgoing connections from a protected network where the gateway is providing the NAT function towards the general Internet, source NAT is the most common operation. This changes the source IP address of datagrams that are emitted from the gateway to hide the internal IP addresses behind the gateway. Because NAT is a stateful operation, enabling NAT for a flow automatically allows the reverse NAT procedure for datagrams within the same TCP, UDP, or ICMP flow. Both source NAT using the external IP address of the VPN gateway (technically NAPT) and source NAT using additional addresses or a range of addresses are supported. When using NAT with IP addresses other than the VPN gateway's own IP address, the gateway will automatically proxy ARP for the additional IP addresses.For incoming connections to a protected network where the gateway is providing the NAT function towards the general Internet, a destination NAT is used. This changes the destination IP
host-unk 7 Destination host unknown error.
isolate 8 Source host isolated error. Obsolete.
net-prohib 9 The destination network is administratively prohibited.
host-prohib 10 The destination host is administratively prohibited.
net-tos 11 The network is unreachable for Type Of Service.
host-tos 12 The host is unreachable for Type Of Service.
filter-prohib 13 Communication Administratively Prohibited. This is generated if a router cannot forward a packet due to administrative filtering.
host-preced 14 Host precedence violation. Sent to indicate that a requested precedence is not permitted for the particular combination of source/destination host or network, upper layer protocol, and source/destination port.
preced-cutoff 15 Precedence cutoff in effect. The network operators have imposed a minimum level of precedence required for operation, the datagram was sent with a precedence below this level.
Table 24 ICMP Error Codes (continued)
ICMP Error CodeEquivalent Value Description of the Error Code
284 Nokia IP VPN Gateway Command-Line Summary v6.3
Configuring the Firewall
address in the datagram to be one hidden by the VPN gateway, such as to an internal email or web server. As with source translation, destination translation is fully stateful. Because destination translation is done on a port-by-port basis, destination translation often has a port number. For example, if you wanted to allow connections to a non-standard web server running on port 88 protected by a VPN gateway on IP address 192.245.12.80, the translate qualifier might look like: translate destination 10.10.10.25 port 88. This would allow external users to connect to port 80 using their web browser, and have that translated to port 88. When open-channel is used with the translate qualifier, the same set of application layer gateways (ALGs) is supported as with the pass qualifier, for the FTP protocol (open-channel ftp), for the TFTP protocol (open-channel tftp), for the Internet Relay Chat Direct Client Connection protocol (open-channel irc-dcc), and for the Progressive Networks RealMedia RTSP/PNA protocols (open-channel realmedia).Table 25 provides more information on the syntax and qualifiers, when translating the destination address of the target of a flow.Table 25 TRANSLATE Destination Qualifiers
TRANSLATE destination qualifier keyword  Description
target  Required. Always present in a target clause to indicate the start of the target clause.
translate  Required. Indicates that this is a translate qualifier with source or destination address translation (NAT).
destination  Required. Indicates that the destination IP address of the flow target (and possibly the port number) should be translated. Normally used for connections coming from the public Internet (or other public address space) to the internal network protected by the gateway.
<ip/mask>  An IP address in the form A.B.C.D/E where A, B, C, and D are integers in the range 0 to 255 forming an IPv4 address and E is an integer in the range 0 to 32, specifying a contiguous subnet mask. For example, 10.245.12.0/24 specifies the 24-bit subnet 10.245.12.0 (network mask 255.255.255.0, addresses in the range 10.245.12.0 through 10.245.12.255), while 10.35.195.192/26 specifies the 26-bit subnet 10.35.195.192 (network mask 255.255.255.192, addresses in the range 10.35.195.192 through 10.35.195.255).
<ip>  An IP address in the form A.B.C.D where A, B, C, and D are integers in the range 0 to 255 forming a dotted-quad IPv4 address. For example, 10.245.12.50.
port <port-number>  Optional. Indicates that this destination translation should also change the destination port number. This is used to change from the port number indicated in the match clause to a different port number. If you do not want to change the port number (for example, if the external connection is to port 80 and you want it translated internally to a system also listening on port 80), you do not need to specify the port keyword. <port-number> is an integer in the range 0 to 65535.
open-channel <alg-name>  Optional. Indicates that an application layer gateway is needed to further open additional ports (and perform additional network address translation) as part of this flow. Four application layer gateways are supported: for the FTP protocol (open-channel ftp), for the TFTP protocol (open-channel tftp), for the Internet Relay Chat Direct Client Connection protocol (open-channel irc-dcc), and for the Progressive Networks RealMedia RTSP/PNA protocols (open-channel realmedia).
Table 26 provides more information on keywords and qualifiers when translating the source IP address of a flow (such as when allowing outbound connections from a protected private network to the general Internet).
Table 26 TRANSLATE Source Qualifiers
TRANSLATE source qualifier keyword  Description
target  Required. Always present in a target clause to indicate the start of the target clause.
translate  Required. Indicates that this is a translate qualifier with source or destination address translation (NAT).
source  Required. Indicates that the source IP address originating a particular matched flow should be translated. Normally used for connections from a private network protected by the gateway to the general Internet. Source is followed by one of external, an <ip/mask>, or a single <ip>.
external  Optional. Indicates that the outgoing source IP address should be translated to the external IP address of the VPN gateway. This allows the creation of firewall NAT rules without actually having to know the IP address of the gateway.
<ip/mask>  An IP address in the form A.B.C.D/E where A, B, C, and D are integers in the range 0 to 255 forming an IPv4 address and E is an integer in the range 0 to 32, specifying a contiguous subnet mask. For example, 10.245.12.0/24 specifies the 24-bit subnet 10.245.12.0 (network mask 255.255.255.0, addresses in the range 10.245.12.0 through 10.245.12.255), while 10.35.195.192/26 specifies the 26-bit subnet 10.35.195.192 (network mask 255.255.255.192, addresses in the range 10.35.195.192 through 10.35.195.255).
<ip>  An IP address in the form A.B.C.D where A, B, C, and D are integers in the range 0 to 255 forming a dotted-quad IPv4 address. For example, 10.245.12.50.
open-channel <alg-name>  Optional. Indicates that an application layer gateway is needed to further open additional ports (and perform additional network address translation) as part of this translated flow. Four application layer gateways are supported: for the FTP protocol (open-channel ftp), for the TFTP protocol (open-channel tftp), for the Internet Relay Chat Direct Client Connection protocol (open-channel irc-dcc), and for the Progressive Networks RealMedia RTSP/PNA protocols (open-channel realmedia).
NAT Before IPSec Translations
NAT before IPSec is required when the same private address space is needed for the protected networks on both ends of a VPN gateway. To NAT traffic to the VPN (192.168/16 in this example) using a statically defined address, but also NAT TCP traffic to the Internet, the configuration might be the following:
…
match proto tcp from any-inside to 192.168/16 target translate source 10.10/16
match proto tcp from any-inside to any-outside target translate source external
…
It is assumed that a selector 10.10/16 < > 192.168/16 protect through IPSec-peer exists. When the destination address is on the Internet, the first rule does not match and the second rule matches; the current external IP address of the gateway is used as the alias address. It is assumed that this NATed packet hits the default selector of bypass and travels to the Internet. When the destination address is in the VPN (192.168/16), the first rule matches and 10.10/16 is used as the alias network address. When the NATed packet is run against the selectors, the protect selector matches and the NATed packet gets tunneled.
Application Level Gateways
The firewall supports the following Application Level Gateways (ALGs):
FTP
IRC Direct Client Connections
Real Media
TFTP
Firewall rules that use the ALGs listed above allow the corresponding protocol, which uses more than one connection for peer-to-peer communication.
Example
rule-list# match proto tcp from any-inside to any-outside port eq 21 tcp-flags S target pass keep-state open-channel ftp
This rule allows FTP connections initiated from the internal network to the external network. The FTP ALG automatically creates a channel in the firewall to allow the FTP data connection, because the FTP data connection is initiated by the client or server on a different port number, negotiated in the respective control connection.
LOG Clauses in Firewall Rules
The LOG clause is an optional part of each firewall rule that allows you to log firewall rule matches and, if you want, the actual packet data, either of the first datagram to match or of the entire session. Logging is handled through the SYSLOG facility defined in other parts of the VPN gateway configuration. For more information about the syslog, see “syslog” on page 182. For more information about defining SYSLOG servers or syslog options from the VPN Manager, see the Nokia IP VPN Gateway Configuration Guide v6.3.
The syntax of the LOG clause is:
LOG [body] [entire-session] [level facility <facility> priority <priority>]
Table 27 describes the LOG clause in more detail.
Table 27 LOG Clauses
LOG clause keyword  Description
LOG  Required. Indicates that this rule match is to be logged. If no other qualifiers are provided, only the rule match is logged and no other data.
BODY  Optional. Indicates that the first 128 octets of packet data are to be logged when this rule matches. This has the potential to generate a high volume of traffic and should be used with care.
ENTIRE-SESSION  Optional. When a stateful rule is matched (either through explicit KEEP-STATE on a PASS rule or implicitly in a TRANSLATE rule), all matches of the rule and all matches of the state created for a flow will be logged. This has the potential to generate a high volume of traffic. When combined with the BODY qualifier, this can generate a very high volume of traffic and should be used with extreme caution.
LEVEL FACILITY <facility> PRIORITY <priority>  Optional. Used to apply a particular SYSLOG facility and severity to logged firewall rules. The level supplied here overrides the default facility and severity in the VPN gateway configuration, allowing you to isolate firewall rule matches from other logging. When LEVEL is specified, both a FACILITY and a PRIORITY must be specified. FACILITY codes supported are auth, authpriv, cron, daemon, ftp, kern, local0 through local7, lpr, mail, news, syslog, user, and uucp. PRIORITY codes supported are emerg, alert, crit, err, warn, notice, info, and debug.
Firewall Rule Examples
rule-list# match proto tcp from any-inside to any-outside port eq 23 tcp-flags S target pass keep-state
This rule allows Telnet connections to be initiated from a host in the internal network to the external network.
rule-list# match proto tcp from any-outside to 192.245.12.100 port eq 80 tcp-flags S target pass keep-state
This rule allows HTTP connections initiated from any host in the Internet to a specific host in the protected inside network.
match proto tcp from any-inside to any-outside target translate source external
This NAT rule translates the source address of all outgoing TCP traffic to the current IP address of the external interface.
match proto tcp from any-inside to any-outside target translate source 192.245.12.3
This NAT rule translates all outgoing TCP traffic to the address 10.10.12.3. Any packet that originates in the internal network and is destined for the external network encounters the NAT rule and its source address changes to 10.10.12.3.
match proto tcp from any-outside to local port eq 80 target translate destination 192.168.100.1/32
This NAT rule translates the destination address of all incoming HTTP requests destined to the gateway to 192.168.100.1/32 (which belongs to an HTTP server in the internal network).
match proto tcp from any-outside to local port eq 80 target translate destination 192.168.100.1/32 port 8080
This NAT rule translates the destination address and the destination port of all incoming HTTP traffic to the gateway from the external network to 192.168.100.1 and 8080 (the HTTP server running on port 8080 in the internal network).
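The first-match rule evaluation that the NAT Before IPSec rule pair and the examples above rely on, shown as an added toy evaluator in Python (not Nokia code and not the gateway's implementation). The inside network, the gateway's external address (taken as 192.245.12.80 from the earlier example) and the net-to-net source NAT mapping are assumptions; the evaluator covers only the rule subset these examples use and ignores tcp-flags.

```python
"""Toy first-match evaluator for the firewall rule syntax used on this page.
Added example, not Nokia code: it covers only the rule subset the page's examples
use, ignores tcp-flags, and assumes the zones and the gateway's external address."""
import ipaddress
from dataclasses import dataclass, replace as dc_replace
from typing import Optional, Tuple

# Constructed topology (assumption, not taken from the page).
INSIDE_NET = ipaddress.ip_network("10.0.0.0/8")        # what any-inside covers
EXTERNAL_IP = ipaddress.ip_address("192.245.12.80")   # gateway external address

def expand_net(text):
    """Expand the page's shorthand ('192.168/16', '10.10/16') to a full prefix;
    a bare address such as '192.168.100.1' becomes a /32."""
    addr, _, plen = text.partition("/")
    octets = addr.split(".")
    octets += ["0"] * (4 - len(octets))
    return ipaddress.ip_network(".".join(octets) + "/" + (plen or "32"))

@dataclass(frozen=True)
class Packet:
    proto: str
    src: ipaddress.IPv4Address
    dst: ipaddress.IPv4Address
    dport: int

def packet(proto, src, dst, dport):
    """Build a Packet from strings."""
    return Packet(proto, ipaddress.ip_address(src), ipaddress.ip_address(dst), dport)

@dataclass(frozen=True)
class Rule:
    proto: str
    src: str                 # any-inside, any-outside, or a prefix
    dst: str                 # any-inside, any-outside, local, or a prefix
    dport: Optional[int]     # from 'port eq <n>', else None
    target: Tuple[str, ...]  # the words after 'target'

def parse_rule(line):
    """Parse 'match proto P from S to D [port eq N] ... target ...'."""
    words = line.replace("rule-list#", "").split()
    i = words.index("target")
    match, target = words[:i], tuple(words[i + 1:])
    dport = int(match[match.index("eq") + 1]) if "eq" in match else None
    return Rule(proto=match[match.index("proto") + 1],
                src=match[match.index("from") + 1],
                dst=match[match.index("to") + 1],
                dport=dport, target=target)

def _addr_matches(spec, addr):
    if spec == "any-inside":
        return addr in INSIDE_NET
    if spec == "any-outside":
        return addr not in INSIDE_NET
    if spec == "local":                  # traffic addressed to the gateway itself
        return addr == EXTERNAL_IP
    return addr in expand_net(spec)

def matches(rule, pkt):
    return (rule.proto == pkt.proto
            and _addr_matches(rule.src, pkt.src)
            and _addr_matches(rule.dst, pkt.dst)
            and (rule.dport is None or rule.dport == pkt.dport))

def apply_target(rule, pkt):
    """Return (verdict, packet after any translation)."""
    t = rule.target
    if t[0] in ("drop", "pass"):
        return t[0], pkt
    if t[1] == "source":                 # translate source external | <net> | <ip>
        if t[2] == "external":
            new_src = EXTERNAL_IP
        else:
            net = expand_net(t[2])
            # Assumption: net-to-net source NAT keeps the host bits of the
            # original address inside the alias prefix (10.0.5.7 -> 10.10.5.7).
            new_src = ipaddress.ip_address(
                int(net.network_address) | (int(pkt.src) & int(net.hostmask)))
        return "translate", dc_replace(pkt, src=new_src)
    # translate destination <ip>[/mask] [port <n>]
    new_dst = expand_net(t[2]).network_address
    new_port = int(t[4]) if len(t) > 4 and t[3] == "port" else pkt.dport
    return "translate", dc_replace(pkt, dst=new_dst, dport=new_port)

def evaluate(rules, pkt):
    """First matching rule wins. Returns (rule index, verdict, packet) or None."""
    for idx, rule in enumerate(rules):
        if matches(rule, pkt):
            verdict, out = apply_target(rule, pkt)
            return idx, verdict, out
    return None

# The NAT-before-IPSec rule pair from the page, in the page's order.
NAT_BEFORE_IPSEC = [
    parse_rule("match proto tcp from any-inside to 192.168/16 target translate source 10.10/16"),
    parse_rule("match proto tcp from any-inside to any-outside target translate source external"),
]
```

Swapping the two NAT_BEFORE_IPSEC rules makes every inside-to-192.168/16 packet hit the external rule first, which is why rule order matters for the protect selector described above.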
A PCS and Crypto Command Diagrams
This appendix presents the following diagrams:
“IPSec CLI Configuration Map” on page 292 shows the IPSec CLI configuration map.
“Policy Diagram” on page 293 shows the policy diagram.
“Crypto Command Diagram” on page 294 shows the crypto command diagram.
Note: For more information about the commands in the illustration “IPSec CLI Configuration Map” on page 292, see “Configuring Policy Configuration System” on page 219.
IPSec CLI Configuration Map
(Figure not reproduced. The diagram maps the config policy command tree, with these commands: oakley-group, lifetime, authen, action, flags, addr, mask, port, cipher, auth, hash, protocol, mode, dst_addr, dst_mask, dst-port, src_addr, src_mask, src_port, user_fqdn, selector, transform, group, suite, gateway, cl-selector, gw-selector, client, save, map, unload, show, ipsec, load, clear, apply, ike, and exit.)
Note: These charts do not show every option available.
Policy Diagram
(Figure not reproduced; the labels recovered from the diagram are listed below.)
Config Policy contains: IKE Gateways, IPSec Gateways, Packet Filter Selectors, IPSec Transform(s), IPSec Gateway Selector.
IKE Gateways: Peer IP Address, IKE Group, IKE Suite.
IKE Suite: authentication method (pre-shared, rsa public key, rsa digital cert); cipher (aes, 3DES, Blowfish, Cast, DES); flags (initial contact, nomadic, vendor id); integrity hash (md5, sha); sa lifetime; oakley-group (modp-768, modp-1024, modp-1536, modp-2048).
IPSec Gateway: tunnel src address, tunnel dst address, oakley-group (modp-768, modp-1024, modp-1536, modp-2048).
IPSec GW Selector: action (protect, drop, bypass); destination address, destination mask, destination port, source address, source mask, source port, IP protocol; flags (asymmetric, local-broadcast, local-dst, local-src, unique-dst, unique-src, unique-dport, unique-sport, unique-protocol).
IPSec Transform: authenticator (hmac-md5, hmac-sha, hmac-ripend); cipher (aes, 3DES, Blowfish, Cast, DES); flags (commit-bit, replay-status, responder-lifetm); lifetime (kbytes, minutes); mode (tunnel, transport); protocol (ah, esp, ah-esp).
Note: These charts do not show every option available.
Crypto Command Diagram
(Figure not reproduced. The diagram maps the crypto command tree: the top-level clear, disable, enable, flush, ike, ipsec, keys, policy reload, rekey, show, and shutdown commands, each with its sub-options, such as brief or full output and the ike or ipsec selection.)
B Dynamic Gateway Deployment
This appendix describes how to configure a simple dynamic gateway deployment in which two dynamic (spoke) gateways and a hub pass traffic among one another. The gateways communicate between themselves (spoke-to-spoke through the hub) and with the hub (spoke-to-hub). This appendix is organized into the following sections:
Overview
Configuring the Gateway
Topology of the Deployed Gateway
Configuring Network Settings
Creating and Installing Certificates
Setting Gateway Selectors
Dynamic Hello
Note: This appendix assumes that you are familiar with the CLI modes and navigation between the modes. For more information about CLI modes and navigating between them, see “Introducing the Command-Line Interface” on page 15.
Overview
Dynamic gateway deployment refers to a scenario where one or more deployed gateways have an IP address that is not known during deployment, or might change over time. Gateways that receive IP addresses from a DHCP server, or use PPPoE to connect, are classified as dynamic gateways. To connect to the dynamic gateways, an intermediary (deployment proxy) is required. A simple method to accomplish this is to use a hub-and-spoke configuration where the hub is also the deployment proxy. Traffic that is destined for any protected host group of a dynamic gateway first passes through the hub gateway.
The deployment hub passes the relevant traffic to the dynamic gateways. To pass traffic, it must learn the dynamic IP address of the dynamic gateway. This is handled by the dynamic gateway itself. In this topology all traffic destined for the dynamic gateway must pass through the hub. Therefore, when the dynamic gateway obtains a new IP address, it updates the hub.
Configuring the Gateway
All gateways must be in a newly provisioned state. If you already configured a gateway, use the configure wizard command to erase the existing configuration. For more information about the configure wizard command, see “configure” on page 77.
To set up the hub and spoke gateways
1. Configure basic gateway interface information.
2. Create and install certificates.
3. Configure policies.
4. Set up the appropriate deployment_hub commands (for dynamic gateways).
5. Reboot the gateways to turn on the appropriate subsystems and allow traffic to pass.
Note: The following sections describe each of these steps in detail by using an example scenario with two dynamic spoke gateways (A and B), each protecting a subnet and obtaining a dynamic external IP address issued from a DHCP server. The deployment hub gateway, hub, functions as both the hub and the deployment proxy.
Topology of the Deployed Gateway
The topology consists of two dynamic spoke gateways that each protect a subnet and obtain the dynamic external IP addresses that a DHCP server issues.
Table 28 Topology of the Deployed Gateway
Topology  Description
Host and domain information  All gateways are part of the test.net domain.
External IP address subnet  Represents the external IP address range for all gateways.
• IP range—10.0.1.0/24
• Default gateway—10.0.1.1
• Dynamic address range offered from DHCP server—10.0.1.100 to 10.0.1.120
hub gateway
• External interface—eth-2
• Internal interface—eth-1
• External IP address—10.0.1.10
• Protected host group—10.0.10/24
• Internal IP address—10.0.10.1
• Host name—hub
Dynamic gateway A
• External dynamic interface—eth-2
• Internal interface—eth-1
• Protected host group—10.0.100/24
• Internal IP address—10.0.100.1
• Host name—dynamo1
Dynamic gateway B
• External dynamic interface—eth-2
• Internal interface—eth-1
• Protected host group—10.0.200/24
• Internal IP address—10.0.200.1
• Host name—dynamo2
Configuring Network Settings
The following section describes how to set up the gateway topology.
Setting Up the Gateway Topology
From the configuration mode (Config#), use the commands listed in Table 29 to set up each gateway. For more information about the configuration mode, see “Configuration Mode” on page 17.
Table 29 Commands to Set Up Each Gateway
Command  Description
hostname  Set the host name for the gateway. Use the hostname command with the dns domain-name command to generate the fully qualified domain name (FQDN). For more information about the hostname command, see “hostname” on page 130.
dns domain-name  Set the domain name. For more information about the dns domain-name command, see “dns” on page 61.
Note: dns domain name refers to the name of the domain in which the gateway participates. For example, name.cips.nokia.com has a host name of name and a domain-name of cips.nokia.com.
interface <eth-1 |eth-2> <address> <netmask> <external> <dhcp>  Use the interface command to set the following options for each Ethernet interface:
• eth-1 | eth-2—select the interface to configure.
• address—assign the static IP address.
• netmask—netmask of the subnet that the interface is a part of.
• external—designate the interface as an external (not a protected host group) interface.
• dhcp—assign a dynamic IP address through DHCP.
For more information about the interface command, see “Configuring Gateway Interfaces” on page 28.
route  Assign a default route to the gateway hub. A default route has the source address default and the source mask 0.0.0.0. For more information about the route command, see “Config# [no] route” on page 46.
disable firewall  Disable the firewall. For more information about disabling the firewall, see “firewall” on page 53.
Based on the topology defined in Table 28 and the commands listed in Table 29, set up the gateways as described in Table 30.
Table 30 Gateway Setup
Gateway  Interface configuration
deployment hub
• hostname hub
• dns domain-name test.net
• interface eth-1 address 10.0.10.1 netmask 255.255.255.0
• interface eth-2 address 10.0.1.10 netmask 255.255.255.0 external
• route default 0.0.0.0 10.0.1.1
• disable firewall
Dynamic gateway A
• hostname dynamo1
• dns domain-name test.net
• interface eth-1 address 10.0.100.1 netmask 255.255.255.0
• interface eth-2 dhcp external
• disable firewall
Note: Routes are not defined for dynamic gateways. The DHCP server provides a default route to each of the dynamic interfaces in addition to the dynamic IP address.
Dynamic gateway B
• hostname dynamo2
• dns domain-name test.net
• interface eth-1 address 10.0.200.1 netmask 255.255.255.0
• interface eth-2 dhcp external
• disable firewall
Note: Routes are not defined for dynamic gateways. The DHCP server provides a default route to each of the dynamic interfaces in addition to the dynamic IP address.
Note: To save the configuration on each gateway, from the command mode (>), use the config save command. For more information about the config save command, see “configure” on page 77.
Creating and Installing Certificates
This example uses an internal Certificate Authority (ICA) in the Nokia IP VPN Gateways. The ICA is a simplified Certificate Authority (CA) that meets the basic needs of using certificates between Nokia IP VPN gateways. Only one CA is required in a VPN deployment, and in Nokia IP VPN gateways, the CA is located on one of the gateways. For this example, the internal CA is located on the hub gateway. You must create the ICA from the PKI configuration mode (pki_config#) on the hub gateway. The minimum information that must be defined for the internal CA is lifetime, size of the public- and private-keys, subject-name, and alternative name (using the FQDN of the gateway). For more information about ICA, see “Configuring Public Key Infrastructure” on page 191.
Note: All commands that pertain to the internal CA are of the form ca <label> internal.
To generate and install a certificate
1. Generate the certificate request on the appropriate gateway.
2. Sign the certificate request by using the internal CA, which is configured on the hub gateway.
3. Import the new certificate as a device certificate to the gateway that generated the request.
Note: Dynamic gateways require the subject-alt-name of fqdn, as the external IP address is dynamic. Static gateways (the hub gateway) require the subject-alt-name to use the external interface, in this case eth-2. All three gateways must have the trusted root certificate and a device certificate, after which the selectors are set up.
Generating the Internal CA
The following sections describe how to generate the internal CA.
To generate the internal CA
1. From the PKI configuration mode (config_pki#) enter the commands listed in Table 31.
Note: Commands that begin with ca hub-ca internal certificate set up the details of the CA certificate.
Table 31 CA Commands
Command  Description
ca hub-ca internal certificate lifetime 24
lifetime specifies the time period that the certificate is valid, in months. In this case a request is made for a certificate that is valid for two years.
ca hub-ca internal certificate rsa-with-sha1 1024
rsa-with-sha1 specifies both the type and length of the public and private keys required. rsa is the algorithm, sha1 the hash function, and the length 1024 bits (1024 bits is the minimum key size used).
ca hub-ca internal certificate subject-name common-name hub-ca
subject-name is a series of possible fields that define the identity in the certificate. In this case, only the common-name field, set to hub-ca, is used.
ca hub-ca internal certificate subject-alt-name fqdn
subject-alt-name is a set of possible alternative identities that can be included in a certificate. fqdn indicates that for the hub, only the FQDN of the hub (the concatenation of host name and domain-name, which is hub.test.net) must be included.
ca hub-ca internal generate
generate generates the key pair and a certificate for the internal CA.
Note: You can access the commands listed in Table 31 by using the hub-ca label.
To validate device certificates that a CA issues, each gateway requires that the certificate of the CA be installed as a trusted root. You do not need to install the CA certificate on the hub because the certificates are generated by using the hub gateway as the internal CA, and the CA certificate is always present there. However, the certificate needs to be displayed in order to install it on both dynamic gateways.
2. From the command mode (>) enter the command: show config pki. The current PKI configuration is listed as shown in the following example:
hub> show config pki
#
# PKI configuration written at Thu Jul 15 01:45:37 2004 GMT by *Unknown*
#
version 1.1
ca hub-ca internal certificate subject-name common-name hub-ca
ca hub-ca internal certificate subject-alt-name fqdn
ca hub-ca internal certificate lifetime 24
ca hub-ca internal certificate rsa-with-sha1 1024
ca hub-ca uuid 2d8911a1-7681b2a7-efcb1ef3-a89c3671
# trusted root id 2d8911a1-7681b2a7-efcb1ef3-a89c3671
certificate trusted-root hub-ca
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
uuid e6891dc9-fdd5d811-90c700a0-8e7204d8
------------------------------------------------------------
3. Copy the data beginning from certificate trusted-root hub-ca to END CERTIFICATE.
4. On each dynamic gateway, paste the data copied in step 3 in the PKI configuration mode (pki_config#). For example, on dynamic gateway A, the result of the process displays as:
dynamo1> config pki
config_pki# certificate trusted-root hub-ca
? -----BEGIN CERTIFICATE-----
? -----END CERTIFICATE-----
?
config_pki#
Note: There are now three gateways that communicate, an internal CA on the hub gateway, and a common trusted root (CA) certificate installed on all three gateways. You need to generate device certificates for each gateway.
Creating Device Certificates
To create certificates for each gateway, first generate a certificate request on each gateway in sequence. This process generates data that is encapsulated in the text of the certificate request.
The internal CA signs this request, and the resulting certificate, together with the text of the certificate request, is returned as text to be pasted back into the gateway. The requirements for the device certificates differ between the hub gateway (a static gateway) and the dynamic gateways (which have an unknown external IP address). The minimum information needed for a static gateway certificate is a common-name, an alternative name that is the external IP address (in this case, interface eth-2), and a key-length for the certificate. The alternative name is used during the IKE negotiation phase to identify the hub gateway.
Creating the Hub Gateway Certificate
The base of each command, ca hub-ca enrollment, indicates that the rest of the command is related to the process of enrolling a certificate under the CA certificate configured previously (the hub-ca certificate). When the base is followed by the keyword certificate, the entries specify the contents of the certificate request. From the PKI configuration mode (config_pki#), enter the following commands.
ca hub-ca enrollment certificate subject-name common-name hub
subject-name is a textual name that can have a variety of fields. common-name typically refers to the name associated with the entity that uses the certificate. For the hub gateway, hub is selected.
ca hub-ca enrollment certificate subject-alt-name eth-2
subject-alt-name allows for different names to be placed in the certificate. The external IP address of the hub gateway is associated with eth-2.
ca hub-ca enrollment certificate rsa-with-sha1 1024
rsa-with-sha1 defines the type of public or private key required and the size of the key (minimum of 1024 bits).
ca hub-ca enrollment protocol pkcs10
protocol is the type of certificate request required. pkcs10 is a manual method that uses data binary large objects.
ca hub-ca enroll hub
enroll notifies the hub gateway to generate a key pair and the certificate request.
The certificate request for the hub gateway is listed as shown in the following example:
-----BEGIN CERTIFICATE REQUEST-----
MIIBfDCB5gIBADAOMQwwCgYDVQQDEwNodWIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwX35QZTZoLUkG2aiqToqLj3KEGDkRodKmeJp5s9V4dT8SMthZ8zwMe1LWN0Y3650+kNQnZl22dZbxeP4+nEboKXgNG0vihyDETjt0ttxvi/0S3xfFSqrZevmclMDT22ZI9OQtaBC3iM3roDwqjVIWk7MXWfB9XAnuTxb9BxAgMBAAGgLzAtBgkqhkiG9w0BCQ4xIDAeMA8GA1UdEQQIMAaHBAoABwowCwYDVR0PBAQDAgWgMA0GCSqGSIb3DQEBBQUAA4GBAJb6dah7Qe1i3c+kv1jKaFuycvxqMAnt24ZyM4jOMf1Bn4Oj0ANG/e9g/
5ibihmou32EhGR49MDN5nLNaUsO+Vbw8F0iTW2aRVdqg9xPqC1Nmo3Qxsak8ERzqsHLwG4NptfSJBRzx6vYwdvB4+06ZJZgA+NhGZyVrBDwA4+wDDUY
-----END CERTIFICATE REQUEST-----
Signing Device Certificates
When the hub gateway generates the certificate request, the CA must sign the request to obtain a certificate. Certificates must be signed for both the hub gateway and the dynamic gateways. The CA created (the internal CA) is present on the hub gateway.
To sign a certificate
1. From the PKI configuration mode (config_pki#), enter the following commands:
ca hub-ca internal csr lifetime 12
ca hub-ca internal csr issue
2. The question mark (?) prompt appears.
3. Copy and paste the certificate request for the gateway that requires the internal CA signature and issuance of a certificate.
The resulting certificate, including the certificate request, appears as follows:
?-----BEGIN CERTIFICATE REQUEST-----
? MIIBfDCB5gIBADAOMQwwCgYDVQQDEwNodWIwgZ8wDQYJKoZIhvcNAQ
? MIGJAoGBALwX35QZTZoLUkg2aiqToqLj3KEGDkRodKms9VthZ8zN
? wMe1LWN0Y3650+kNQnZl22dZbxeP4+nENG0vihy0ttxvi/0S3xfFSq
? rZevmclMDT22ZI9OQtaBC3iM3roDwqjVIWk7MXWxAgMBAAGgLzAt
? BgkqhkiG9w0BCQ4xUdEQQIMAaHBAoABwowCwYDVR0PBAQDAgWgMA0G
? CSqGSIb3DQ4GBAJb6dah7Qe1i3c+kv1jKaFuycvxqMAnt24ZyM4jOMf1B
? n4Oj0ANG/e9g/5ibihmou32EhGR49MDN5nLNaUsO+Vbw8F0iTW2aN
? mo3Qxsak8ERzqsHLwG4NptfSJBRzx6vYwdvBA4+wDDUY
? -----END CERTIFICATE REQUEST-----
?
Two new commands are based on the ca hub-ca internal csr command. The commands that begin with this base indicate that the internal CA is used to configure the options for signing certificate signing requests (CSRs). lifetime sets the duration for which the issued certificates are valid. issue triggers the process that signs and issues the certificate. The result appears as follows:
---------------------------------------------------------------
Certificate Request:
Data:
Version: 0 (0x0)
Subject: CN=hub
Subject Public Key Info:
Public Key Algorithm: rsaEncryption
RSA Public Key: (1024 bit)
Modulus (1024 bit):
00:bc:17:df:94:19:4d:9a:0b:52:41:bf:83:66:a2:
a9:3a:2a:2e:3d:ca:10:60:e4:46:87:4a:99:e2:69:
e6:cf:55:e1:d4:fc:48:cb:61:67:cc:cd:c0:c7:b5:
2d:63:74:63:7e:b9:d3:e9:0d:42:76:65:db:67:59:
6f:17:8f:e3:e9:c4:6e:82:97:80:d1:b4:be:28:72:
0c:44:e3:b7:4b:6d:c6:f8:bf:d1:2d:f1:7c:54:aa:
ad:97:af:99:c9:4c:0d:3d:b6:64:8f:4e:42:d6:81:
0b:78:8c:de:ba:03:c2:a8:d5:21:69:3b:31:75:9f:
07:d5:c0:9e:e4:f1:6f:d0:71
Exponent: 65537 (0x10001)
Attributes:
Requested Extensions:
X509v3 Subject Alternative Name:
IP Address:10.0.7.10
X509v3 Key Usage:
Digital Signature, Key Encipherment
Signature Algorithm: sha1WithRSAEncryption
96:fa:75:a8:7b:41:ed:62:dd:cf:a4:bf:58:ca:68:5b:b2:72:
fc:6a:30:09:ed:db:86:72:33:88:ce:31:fd:41:9f:83:a3:d0:
03:46:fd:ef:60:ff:98:9b:8a:19:a8:bb:7d:84:84:64:78:f4:
c0:cd:e6:72:cd:69:4b:0e:f9:56:f0:f0:5d:22:4d:6d:9a:45:
57:6a:83:dc:4f:a8:2d:4d:9a:8d:d0:c6:c6:a4:f0:44:73:aa:
c1:cb:c0:6e:0d:a6:d7:d2:24:14:73:c7:ab:d8:c1:db:c1:e3:
ed:3a:64:96:60:03:e3:61:19:9c:95:ac:10:f0:03:8f:b0:0c:
35:18
UUID: dce93636-8345cc49-fa3f48e1-f7104f63
-----BEGIN CERTIFICATE-----
-----END CERTIFICATE-----
Installing Device Certificates
Though a certificate is obtained, the device certificate must still be installed in the gateway. To import the device certificate to the hub gateway from the PKI configuration mode (config_pki#), enter the following command:
config_pki# certificate device hub-dev
Note: Device certificates are used to establish IKE communications. The command certificate device <label> specifies that a certificate of type device is imported. The <label> is a tag that is meaningful to the user.
The gateway prompts with a question mark prompt (?). Paste the certificate text returned by the internal CA, from the BEGIN CERTIFICATE line through the END CERTIFICATE line.
-----BEGIN CERTIFICATE-----
MIIBxDCCAS2gAwIBAgIQD38DOqivtJwG4UsrGPLwvTANBgkqhkiG9w0BAQUFADARMQ8wDQYDVQQDEwZodWItY2EwHhcNMDQwNzE0MTYyOTIwWhcNMDUwNzIyMTYyOTIwWjAOMQwwCgYDVQQDEwNodWIwgZ8wDQYJKoZIhvcNAQEBBQADgY0AMIGJAoGBALwX 35QZTZoLUkG/g2aiqToqLj3KEGDkRodKmeJp5s9V4dT8SMthZ8zNwMe1LWN0Y365 0+kNQnZl22dZbxeP4+nEboKXgNG0vihyDETjt0ttxvi/0S3xfFSqrZevmclMDT22 ZI9OQtaBC3iM3roDwqjVIWk7MXWfB9XAnuTxb9BxAgMBAAGjIDA1UdEQQI MAaHBAoABwowCwYDVR0PBAQDAgWgMA0GCSqGSIb3DQEBBQUAA4GBAIARqjaQjdmvxiYCSAoHImusNMYhPFxz+beOSmJPu8IIN03w2qvByCNQ6Dr81aoHZszk0KFZ9OnACxSduXw0i2Jaz87qRTx3PsYMRN8jkUNArcergMjEHotaAtkbFwxCDB+LU2b+/H9JYN7qZpIX47fDGgFJrlMWE5k8OeU0JeB
-----END CERTIFICATE-----
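The certificate blocks in this section are copied out of one CLI session and pasted into another, and the "? " echo prefix, rule lines, and wrapped lines are easy to carry along or cut short. The following is an added example, not code from the Nokia manual or its software: a small Python checker that cleans such a paste and verifies that the base64 decodes to exactly one complete DER SEQUENCE, which is the outer structure of every X.509 certificate and PKCS#10 request. The CLI transcript and the DER payload it wraps are constructed for the example; no real certificate is used.

```python
"""Sanity-check a certificate block copied out of the gateway CLI.

Added example, not code from the Nokia manual or its software. It strips
the "? " echo prefix and rule lines that appear in the CLI output,
reassembles the base64 between the BEGIN/END lines (whitespace inside a
line-wrapped body is tolerated), and checks that the decoded bytes form
exactly one complete DER SEQUENCE. The payload below is a constructed
DER SEQUENCE, not a real certificate.
"""
import base64
import re
import textwrap

PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----(.*?)-----END \1-----", re.S)


def clean_cli_paste(text: str) -> str:
    """Drop prompt echoes ('? '), rule lines ('-----') and blank lines."""
    kept = []
    for line in text.splitlines():
        line = line.strip()
        if line.startswith("?"):
            line = line[1:].strip()
        if not line or set(line) == {"-"}:
            continue
        kept.append(line)
    return "\n".join(kept)


def extract_pem(text: str):
    """Return (label, der_bytes) for the first BEGIN/END block in the paste.

    Raises ValueError when the block is incomplete or the base64 is damaged.
    """
    match = PEM_RE.search(clean_cli_paste(text))
    if match is None:
        raise ValueError("no complete BEGIN/END block found in paste")
    label, body = match.group(1), re.sub(r"\s+", "", match.group(2))
    try:
        return label, base64.b64decode(body, validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError(f"base64 body is damaged: {exc}") from None


def der_sequence_length(der: bytes) -> int:
    """Total length (tag + length field + body) the leading DER SEQUENCE claims.

    Returns -1 if the bytes do not start with a SEQUENCE tag or the length
    encoding itself is malformed.
    """
    if len(der) < 2 or der[0] != 0x30:
        return -1
    first = der[1]
    if first < 0x80:                        # short form: one length byte
        return 2 + first
    count = first & 0x7F                    # long form: number of length bytes
    if count == 0 or count > 4 or len(der) < 2 + count:
        return -1
    return 2 + count + int.from_bytes(der[2:2 + count], "big")


def check_cert_paste(text: str) -> dict:
    """Summarise whether a copied block is intact enough to import."""
    label, der = extract_pem(text)
    expected, actual = der_sequence_length(der), len(der)
    return {"label": label, "expected": expected, "actual": actual,
            "ok": expected == actual}


def make_cli_output(der: bytes, drop_last_line: bool = False) -> str:
    """Constructed CLI transcript around a DER payload, with '? ' echoes."""
    lines = textwrap.wrap(base64.b64encode(der).decode(), 64)
    if drop_last_line:
        lines = lines[:-1]                  # simulate an incomplete copy
    body = "\n".join(f"? {line}" for line in lines)
    return ("config_pki# certificate device hub-dev\n"
            "? -----BEGIN CERTIFICATE-----\n" + body + "\n"
            "? -----END CERTIFICATE-----\n?\nconfig_pki#\n")


# Constructed payload: SEQUENCE { OCTET STRING of 60 bytes }, 64 bytes in all.
SAMPLE_DER = b"\x30\x3e" + b"\x04\x3c" + bytes(range(60))
GOOD_PASTE = make_cli_output(SAMPLE_DER)
TRUNCATED_PASTE = make_cli_output(SAMPLE_DER, drop_last_line=True)

if __name__ == "__main__":
    print(check_cert_paste(GOOD_PASTE))        # ok: True, 64 of 64 bytes
    print(check_cert_paste(TRUNCATED_PASTE))   # ok: False, 48 of 64 bytes
```

A paste that loses its last base64 line still decodes (base64 has no overall checksum), so only the DER length field reveals that bytes are missing; that is why the check compares the claimed SEQUENCE length with the byte count actually recovered.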
Note: Certificate requests must also be generated on the dynamic gateways, the internal CA must sign these requests, and then the resulting device certificates must be imported into the appropriate gateways. The process is the same as described for the hub gateway, but the requirements for the certificate request must be modified for dynamic gateways. This is necessary because the hub gateway (a static gateway) has a static external IP address. For the dynamic gateways, you must use the FQDN.
To generate the certificate request for dynamic gateways A and B
1. From the PKI configuration mode (config_pki#) prompt, enter the following commands:
ca hub-ca enrollment certificate subject-name common-name dynamo1
ca hub-ca enrollment certificate subject-alt-name fqdn
ca hub-ca enrollment certificate rsa-with-sha1 1024
ca hub-ca enrollment protocol pkcs10
ca hub-ca enroll dynamo1
Note: You must apply these commands to both gateways. (For gateway B, replace the value dynamo1 with dynamo2.)
The resulting certificate request is similar to the certificate request generated for the hub gateway.
2. Sign the certificate request by using the internal CA configured on the hub gateway.
3. Import the resulting certificate as a device certificate to the dynamic gateway on which you generated the request in step 1.
Note: Follow the steps in sequence when you generate the certificate request. Dynamic gateways require a subject-alt-name of fqdn because the external IP address is dynamic and might change. The hub gateway (a static gateway) requires that the subject-alt-name is set to the external interface (eth-2 in this example).
All three gateways now have the trusted root certificate and a device certificate. The next step is to set the gateway selectors.
Setting Gateway Selectors
You must configure the following gateway selectors to ensure that gateways establish secure communications:
IKE—authenticates the gateways and initiates the Security Association (SA). For more information about IKE, see “IKE Policy Configuration Commands” on page 225.
IPSec—sets rules for traffic to be protected based on origination and destination, and the path that traffic takes. For more information about IPSec, see “IPSec Policy Configuration Commands” on page 228.
Note: You must use the apply command to execute commands, and the save command to write changes to flash memory. For more information about the apply and save commands, see “apply” on page 220 and “save” on page 222.
Configuring IKE Settings
IKE policy parameters must match between the gateways that establish secure traffic with the gateway on which the policy is configured.
To configure IKE settings
1. Set up a suite that determines the properties used for IKE negotiation.
2. Based on the IP address, specify a gateway that uses the configured suite.
Note: You must configure IKE settings from the PCS configuration mode (config_policy#). For more information about how to access the PCS configuration mode (config_policy#), see “Entering and Exiting PCS Configuration Mode” on page 219.
Suites
Suites specify the following:
authentication—how authentication is handled.
cipher—encryption algorithm to use.
oakley-group—Diffie-Hellman group to use as part of Oakley.
hash—hash algorithm to use.
flags—any additional or special flags that you need to use.
The IKE suites of the gateways that you want to communicate with each other must have the same cryptographic parameters.
authentication: Certificate authentication
cipher: AES
oakley-group: modp-1536
hash: SHA
flags: Set the following flags:
• initial-contact—when a gateway establishes contact, if any data associated with that gateway exists it is removed and the connection is treated as a new connection.
• vendor-id—the gateway sends data that indicates the type of gateway.
• fqdn—use the FQDN as the identity during IKE.
• dynamic-peer—the gateway that initiates the communication.
Gateways
Suites are associated with gateways. The gateway command specifies the suite to use with an external gateway IP address, and a suite pair. In the case of dynamic gateways where the IP address is not known, use the IP address 0.0.0.0. For static gateways, use the IP address that contacts the gateway on which the policy is being configured (the external IP address). Because dynamic gateways communicate with each other through the hub, only IKE gateway associations for the hub need to be set. The hub communicates directly with the dynamic gateways (spokes). You need to set only one IKE gateway association on the hub to handle dynamic gateways.
Defining IKE Suites
IKE suites are defined from the IKE protection suite mode. For more information on IKE suites and how to access the IKE protection suite mode, see “IKE Protection Suite Configuration Commands” on page 226. Define the following IKE suite on the hub (and IKE gateway association) to allow communication with the dynamic gateways:
ike suite dynamic-default
flags dynamic-peer vendor-id initial-contact
authentication rsa-signature hub_ca
cipher aes 256
oakley-group modp-1536
hash sha
exit
ike gateway 0.0.0.0 dynamic-default
The IKE gateway is for dynamic peers. The 0.0.0.0 address on the gateway association indicates that initial communication uses this IKE suite. On dynamic gateways, the IKE suite (and IKE gateway association) to allow communication with the hub is defined as follows:
ike suite static-default
flags fqdn vendor-id initial-contact
authentication rsa-signature hub_ca
cipher aes 256
oakley-group modp-1536
hash sha
exit
ike gateway 10.0.7.10 static-default
This IKE suite does not support dynamic peers. When the hub contacts the dynamic gateways, the gateway association with the IP address 10.0.7.10 (the external address of the hub) matches the static-default IKE suite defined.
Configuring IPSec Settings
IPSec settings determine how traffic is protected based on the type of traffic, where it originates from, and its destination. IPSec selectors determine what traffic is acted on; their parameters include the source and destination addresses (and netmasks), source and destination ports, the action to take if a match occurs, and flags that provide additional control or context to the rule.
The IPSec gateway determines the path that the traffic protected by a selector takes. Each IPSec gateway setting also needs a transform that indicates exactly how to protect the traffic that needs protection. For more information about IPSec and how to access the IPSec mode, see “IPSec Policy Configuration Commands” on page 228.
Selectors
You can use selectors to protect traffic as well as to enable a bypass for certain types of traffic based on IP address, port, or both. Each of the dynamic gateways relies on a DHCP server to provide its external IP address. Therefore, each gateway needs a bypass selector to allow it to retrieve the address. On each dynamic gateway enter the following:
ipsec gw-selector dhcp_client
dst-port 68
action bypass
exit
This command informs the gateway to allow all traffic coming in on port 68 (the port that the DHCP client uses to receive its information from the DHCP server). Selectors are also used to protect traffic between two points. On the dynamic gateways it is necessary to protect all traffic originating from the protected host group regardless of the destination. For dynamic gateway A with protected host group 10.0.100/24, the selector to be entered on that gateway is:
ipsec gw-selector dynamo1_protected
src-addr 10.0.100.0
src-mask 255.255.255.0
dst-addr 0.0.0.0
dst-mask 0.0.0.0
action protect
exit
For dynamic gateway B with protected host group 10.0.200/24, the selector is:
ipsec gw-selector dynamo2_protected
src-addr 10.0.200.0
src-mask 255.255.255.0
dst-addr 0.0.0.0
dst-mask 0.0.0.0
action protect
exit
The src-addr and src-mask entries indicate the IP address range of traffic that the selector must act upon. dst-addr and dst-mask indicate the destination of the traffic. Thus, traffic that originates from the src-addr and src-mask range and is destined to the dst-addr and dst-mask range has the action applied to it, in this case protect. The destination address and destination mask are set to 0.0.0.0, which indicates to the gateway that the destination is any.
Transform
To determine how traffic is protected, IPSec needs a transform that specifies the relevant parameters. This transform must be the same on each gateway. Each dynamic gateway (and the hub gateway) needs the following transform:
ipsec transform aes_sha
cipher aes 256
authenticator hmac-sha
mode tunnel
protocol esp
exit
For this transform, traffic is encrypted with 256-bit AES, using HMAC/SHA1 to authenticate the data, in tunnel mode with the ESP protocol. The IPSec gateway handles how to route traffic that matches a particular selector. The IPSec gateway setting provides a start and end point for moving traffic that matches a selector; it also specifies the way the traffic is protected (that is, the IPSec transform used). This data is similar for each dynamic gateway, but refers to the gateway-specific selector.
Note: As each dynamic gateway goes through the same hub, the dynamic gateways have the same destination.
For dynamic gateway A, enter the following:
ipsec gateway dynamo1-hub
dst-addr 10.0.7.10
selector dynamo1_protected
transform aes_sha
oakley-group modp-1536
exit
For dynamic gateway B, enter the following:
ipsec gateway dynamo2-hub
dst-addr 10.0.7.10
selector dynamo2_protected
transform aes_sha
oakley-group modp-1536
exit
The dst-addr is set to the external IP address of the hub gateway. This is a common reachable address between each of the three gateways. The external IP addresses for the dynamic gateways are dynamically assigned through DHCP from a server on the same (10.0.7/24) subnet. The transform refers to the ipsec transform aes_sha which was defined previously. oakley-group specifies a parameter used to establish a public or private key pair during the establishment of IPSec security associations. The selector refers to the selector for the gateway.
On each dynamic gateway, apply and then save the changes. The process is complete for the dynamic gateways. For more information about how to apply and save changes, see “apply” on page 220 and “save” on page 222.
Selectors and IPSec gateway settings require two sides to operate properly. Two dynamic gateways with policies point to a hub gateway, so the hub must be configured with the appropriate IPSec policy. At this point, the only IPSec policy present on the hub is the IPSec transform. To communicate with the dynamic gateways from the hub, you must mirror the selectors that were defined on them. From the hub gateway enter the following for traffic destined to dynamic gateway A:
ipsec gw-selector to_dynamo1_protected
src-addr 0.0.0.0
src-mask 0.0.0.0
dst-addr 10.0.100.0
dst-mask 255.255.255.0
action protect
exit
For traffic destined to dynamic gateway B, enter the following:
ipsec gw-selector to_dynamo2_protected
src-addr 0.0.0.0
src-mask 0.0.0.0
dst-addr 10.0.200.0
dst-mask 255.255.255.0
action protect
exit
These selectors protect all traffic destined for the dynamic gateways. Each selector requires a gateway setting.
Gateway Settings
For traffic destined to dynamic gateway A, enter the following gateway settings:
ipsec gateway hub-dynamo1
src-addr 10.0.7.10
identity dynamo1.test.net
selector to_dynamo1_protected
transform aes_sha
oakley-group modp-1536
exit
For traffic destined to dynamic gateway B, enter the following gateway settings:
ipsec gateway hub-dynamo2
src-addr 10.0.7.10
identity dynamo2.test.net
selector to_dynamo2_protected
transform aes_sha
oakley-group modp-1536
exit
The difference between this gateway setting and the gateway setting on the dynamic gateway is the way the tunnel source and destination are handled. The tunnel source in this case is the external IP address of the hub gateway, which is the opposite of the dynamic gateways. The new option included in these gateway settings is the identity option. This informs the hub gateway that the tunnel is established by a gateway with the identity specified in the identity entry.
To set up tunnels between the dynamic gateways and the hub and pass protected traffic, enter the commands apply and save. In dynamic gateway deployments, the hub gateway cannot contact the dynamic gateways (the IP address is not known, as it is assigned through DHCP). To circumvent this obstacle, dynamic gateways require a deployment hello. For more information about the deployment hello, see “Dynamic Hello” on page 315.
To communicate between two spoke gateways (through a hub), you must add additional policies on the hub using asymmetric selectors. Traffic destined for dynamic gateway A from dynamic gateway B does not have a path that is symmetric to the way traffic travels from dynamic gateway A to dynamic gateway B.
For traffic that originates from dynamic gateway A and is destined for dynamic gateway B, the selector and corresponding gateway entry are the following:
ipsec gw-selector dynamo1_to_dynamo2_protected
src-addr 10.0.100.0
src-mask 255.255.255.0
dst-addr 10.0.200.0
dst-mask 255.255.255.0
action protect
flags asymmetric
exit
ipsec gateway dynamo1_to_dynamo2
src-addr 10.0.7.10
identity dynamo2.test.net
selector dynamo1_to_dynamo2_protected
transform aes_sha
oakley-group modp-1536
exit
For traffic that originates from dynamic gateway B and is destined for dynamic gateway A, the selector and corresponding gateway entry are the following:
ipsec gw-selector dynamo2_to_dynamo1_protected
src-addr 10.0.200.0
src-mask 255.255.255.0
dst-addr 10.0.100.0
dst-mask 255.255.255.0
action protect
flags asymmetric
exit
ipsec gateway dynamo2_to_dynamo1
src-addr 10.0.7.10
identity dynamo1.test.net
selector dynamo2_to_dynamo1_protected
transform aes_sha
oakley-group modp-1536
exit
The selectors and the gateway settings are similar to those defined previously. The asymmetric flag is necessary because, while the selectors are essentially symmetric, the path that the data takes from A to B differs from the path from B to A. The identity for a destination indicates that the dynamic gateways must contact the hub so that the proper information is present in the hub for it to pass traffic to the dynamic gateways. Use the apply and save commands on the hub gateway to ensure that all relevant policies are configured. For more information about the apply and save commands, see “apply” on page 220 and “save” on page 222.
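Two requirements in this section are easy to get wrong when the same commands are typed on three gateways: the IKE suites on hub and spoke must carry identical cryptographic parameters, and every protect selector on a spoke must have its mirror (source and destination swapped) on the hub. The following is an added example, not code from the Nokia manual or its software, that reads policy text written in the manual's own command syntax and reports violations of both rules. The hub and spoke policy strings are constructed from the commands shown above; the hub text deliberately omits the mirror selector for gateway B so that the check has something to report.

```python
"""Consistency checks for the hub-and-spoke policy above. Added example, not
code from the Nokia manual or its software. It parses the "<keyword> <name>
... exit" blocks as the manual writes them and checks what the text requires:
hub and spoke IKE suites share the same cryptographic parameters (flags may
differ, and the hub's must carry dynamic-peer), and each spoke 'protect'
selector is mirrored on the hub with source and destination swapped.
Policy text below is constructed from the manual's commands, including the
one-line 'ike gateway' associations.
"""
HUB_POLICY = """\
ike suite dynamic-default
flags dynamic-peer vendor-id initial-contact
authentication rsa-signature hub_ca
cipher aes 256
oakley-group modp-1536
hash sha
exit
ike gateway 0.0.0.0 dynamic-default
ipsec gw-selector to_dynamo1_protected
src-addr 0.0.0.0
src-mask 0.0.0.0
dst-addr 10.0.100.0
dst-mask 255.255.255.0
action protect
exit
"""
SPOKE_A_POLICY = """\
ike suite static-default
flags fqdn vendor-id initial-contact
authentication rsa-signature hub_ca
cipher aes 256
oakley-group modp-1536
hash sha
exit
ike gateway 10.0.7.10 static-default
ipsec gw-selector dhcp_client
dst-port 68
action bypass
exit
ipsec gw-selector dynamo1_protected
src-addr 10.0.100.0
src-mask 255.255.255.0
dst-addr 0.0.0.0
dst-mask 0.0.0.0
action protect
exit
"""

def parse_blocks(text):
    """(kind, name) -> {keyword: argument} for each block closed by 'exit';
    an 'ike gateway <ip> <suite>' line maps ("ike gateway", ip) -> {"suite": suite}."""
    blocks, key, current = {}, None, None
    for line in filter(None, (ln.strip() for ln in text.splitlines())):
        words = line.split()
        if current is None and words[:2] == ["ike", "gateway"] and len(words) == 4:
            blocks[("ike gateway", words[2])] = {"suite": words[3]}
        elif current is None and len(words) >= 3:
            key, current = (" ".join(words[:2]), words[2]), {}
        elif current is None:
            raise ValueError(f"unexpected line outside a block: {line!r}")
        elif line == "exit":
            blocks[key], current = current, None
        else:
            current[words[0]] = " ".join(words[1:])
    if current is not None:
        raise ValueError(f"block {key} is missing its 'exit'")
    return blocks

def suite_for_peer(blocks, peer_ip):
    """The IKE suite selected by the 'ike gateway <peer_ip>' association."""
    gw = blocks.get(("ike gateway", peer_ip))
    if gw is None or ("ike suite", gw["suite"]) not in blocks:
        raise ValueError(f"no usable 'ike gateway {peer_ip}' association")
    return blocks[("ike suite", gw["suite"])]

def ike_mismatches(hub_suite, spoke_suite):
    """Cryptographic parameters that differ, plus a missing dynamic-peer flag."""
    problems = [f"{k}: hub={hub_suite.get(k)!r} spoke={spoke_suite.get(k)!r}"
                for k in ("authentication", "cipher", "oakley-group", "hash")
                if hub_suite.get(k) != spoke_suite.get(k)]
    if "dynamic-peer" not in hub_suite.get("flags", "").split():
        problems.append("hub suite lacks the dynamic-peer flag")
    return problems

def unmirrored_selectors(spoke, hub):
    """Spoke 'protect' selectors with no hub selector whose src/dst are swapped."""
    hub_sels = [v for k, v in hub.items() if k[0] == "ipsec gw-selector"]
    missing = []
    for (kind, name), sel in spoke.items():
        if kind != "ipsec gw-selector" or sel.get("action") != "protect":
            continue  # bypass selectors such as dhcp_client need no mirror
        mirror = {"src-addr": sel.get("dst-addr"), "src-mask": sel.get("dst-mask"),
                  "dst-addr": sel.get("src-addr"), "dst-mask": sel.get("src-mask"), "action": "protect"}
        if not any(all(h.get(k) == v for k, v in mirror.items()) for h in hub_sels):
            missing.append(name)
    return missing

def check_policy(hub_text, spoke_text, hub_ip="10.0.7.10"):
    """Problems found between one hub policy and one spoke policy."""
    hub, spoke = parse_blocks(hub_text), parse_blocks(spoke_text)
    return {"ike": ike_mismatches(suite_for_peer(hub, "0.0.0.0"), suite_for_peer(spoke, hub_ip)),
            "unmirrored": unmirrored_selectors(spoke, hub)}
```

Running check_policy(HUB_POLICY, SPOKE_A_POLICY) returns empty lists; feeding it gateway B's policy (dynamo1 replaced by dynamo2 and 10.0.100.0 by 10.0.200.0) reports dynamo2_protected as unmirrored, because the hub text above carries only the selector for gateway A. The asymmetric spoke-to-spoke selectors are out of scope for the mirror rule and would need a separate check.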
Note: For more information about enabling the firewall, see “Configuring Firewall and Network Address Translation” on page 255.
Dynamic Hello
In dynamic gateways, the external IP address associated with the gateway is not known (and might change). The dynamic gateway must provide information to the hub so that the two can pass traffic between one another. The deployment_hub command allows the dynamic gateway to provide its IP address to the hub by negotiating a VPN connection.
deployment_hub
Use the deployment_hub command to generate Hello packets that maintain an IPSec connection with the hub, thereby informing the hub of the current external IP address of the dynamic gateway and maintaining continuous management and VPN connectivity. For more information about the deployment_hub command, see “deployment_hub” on page 128. For each dynamic gateway, enter the commands from the configuration mode (Config#). In the following example, the dynamic gateways contact the internal IP address of the hub gateway, and attempt to communicate every five minutes.
When you enter the commands, save the configuration on each gateway and reboot each of the gateways. This procedure ensures that proper tunnels are activated and enables communication between each of the nodes.
On dynamic gateway A:
deployment_hub source 10.0.100.1 destination 10.0.10.1
deployment_hub hellointerval 5
On dynamic gateway B:
deployment_hub source 10.0.200.1 destination 10.0.10.1
deployment_hub hellointerval 5
C List of Commands
Config# interface ... 32
<eth-1 | eth-2 | eth-3 | eth-4 | loop-0>
[-alias] [-backup] [-dhcp] [-external] [-primary] [address <A.B.C.D>] [alias] [backup priority <value>] [broadcast <A.B.C.D>] [clear] [destination <A.B.C.D>] [dhcp] [down] [external] [family <inet>] [flowcontrol <active | default | none | passive>] [media <autoselect | 10 | 10-Full-Duplex | 100 | 100-Full-Duplex>] [mtu <72-16366>] [netmask <A.B.C.D>] [primary] [up]
Config# dialup ... 34
disconnect
mode <dynamic | independent | wan-backup back-up priority <priority>>
profile <1-5>
auth <any | chap | none | pap>
dns1 <A.B.C.D>
dns2 <A.B.C.D>
mtu <56-1500>
preferred_address <A.B.C.D>
username <XXXXXX> password <XXXXXX> phone_number <XXXXXX>
Config# wanbackup ... 36
backup_interface <eth-1 | eth-2 | eth-3 | eth-4>
default_route <A.B.C.D>
failover-timeout <timeout>
fallback-timeout <timeout>
mode <dialup | none | simple>
tcp-check <A.B.C.D> port <value> interval <interval>
Config# pppoe ... 39
profile <name> eth-interface <eth-1 | eth-2 | eth-3 | eth-4> user <user name> passwd <<passwd> | <CR>>
[acname <name>] [auth <chap | mschap | noauth | pap>] [debug <all | info>] [dns <primarydns | secondarydns>] [external] [ifroute <ip_address/masklen>] [mode <demand | keepalive>] [mtu <number>] [nodefaultroute] [nonstandard <0xABCD:0xABCD>] [service <name>] [timeout <number>] [type <static srcaddr <source-ip-address/masklen> dstaddr <pppoe-peer-ip-address/masklen>> | <dynamic>] [wins <primarywins | secondarywins>] [<CR>]
Config# [no] pppoe profile <name> ... 39
Config# pppoe interface profilename <profile> ... 39
Config# [no] pppoe interface <name> ... 39
Config# [no] vrrp interface ... 44
Config# vrrp interface <eth-1 | eth-2 | eth-3 | eth-4> <address> <priority <backup | master | <1-255>>> vrid <1-255> ... 44
Config# [no] vrrp ... 44
[advertisement-interval <1-255>] [auth-passwd] [no-preempt] [while-backup <allow-forwarding | allow-ipsec | call-dialup>]
vrrp ... 46
[disable] [enable]
Config# [no] route ... 46
<ADDR> <NETMASK> <ADDR> <[blackhole | cloning | expire <decimal> | genmask <ADDR> | inet | mtu <decimal> | nostatic | static]>
ipsrd ... 48
[dump] [reconfigure] [restart]
cluster ... 49
reboot <now>
reset <now>
Config# [no] cluster ... 50
external
address <A.B.C.D> | family inet address <A.B.C.D>
<interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>
[netmask <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>]
internal
address <A.B.C.D> | family inet address <A.B.C.D>
<interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>
[netmask <A.B.C.D> <interface <eth-1 | eth-2 | eth-3 | eth-4>> <referee <A.B.C.D>>]
mode <forward | unicast | multicast>
name <STRING>
arp ... 52
-a
-f
-n
-<options>
<HOST>
firewall ... 53
clear-global-log
clear-state
disable
enable <policy-manager <ADDR> | <CR>>
global-log
rate-limit <<NUMBER> | <CR>>
Config# [no] arp ... 55
add <ADDR> <auto | proxy | MAC ADDR> <publish | temporary>
change <ADDR> <auto | proxy | MAC ADDR> <publish | temporary>
delete <ADDR> <proxy>
Config# [no] bootp-forwarder ... 56
[interface <eth-1 | eth-2 | eth-3 | eth-4> servers <ADDR> <ADDR>]
Config# [no] dhcp-server <eth-1 | eth-2 | eth-3 | eth-4> ... 58
[default-route <A.B.C.D>] [dns-servers <A.B.C.D>] [domain-name <domainname>] dynamic <A.B.C.D> <A.B.C.D> [exclude <A.B.C.D>] [ignore-ras] [lease <number-of-seconds>] [nbt-dd-servers <A.B.C.D>] [nbt-name-servers <A.B.C.D>] [nbt-node-type <broadcast | hybrid | mixed | peer>]
[nbt-scope <scope>] [netmask <A.B.C.D>] [non-authoritative] static <A.B.C.D> <client-id <Client ID> | <MAC ADDR>>
Config# diff-serv ... 61
codepoint
[assured <AF11 | AF12 | AF13 | AF21 | AF22 | AF23 | AF31 | AF32 | AF33 | AF41 | AF42 | AF43>] [best-effort] [expedited] [pass-through] [<NUMBER>]
Config# [no] dns ... 62
[domain-name <domain name>] [retrans <1-60 (seconds)>] [retry <1-10>] [servers <A.B.C.D>]
Config# [no] ip-address-pool ... 62
<name> <A.B.C.D> <A.B.C.D>
Config# [no] lns ... 63
<client name>
<authentication <chap | mschap | pap>> <basic <local name> <secret> <decimal number>> <require <ipsec | mppe40 | none>>
Config# [no] mss-clamp ... 64
<val>
Config# [no] ntp ... 65
[auth-key md5 <md5-key>] [interval <seconds>] [servers <ADDR> <ADDR>] [version <1 | 2 | 3>]
Config# [no] pns ... 66
authentication <chap | mschap | pap>
require <ipsec | mppe40 | none>
Config# [no] ppp ... 67
user <username> <[<address <allow-selection> | <A.B.C.D>> | group <group> | password <passwd>]>
Config# ppp ... 67
group <PPP group name> <[address pool <address pool name> | dns <A.B.C.D> <A.B.C.D> | wins <A.B.C.D> <A.B.C.D>]>
Config# [no] snmp ... 68
access <<address/netmask> <community string>>
authentraps
bindtointernal
cpuutil <percentage>
group <NAME> <usm> <User Name>
ioload <pkts/sec>
ipdrop <percentage>logtrapsmemusage <percentage>pollrate <seconds>syscontact <sysContact value>syslocation <sysLocation value>trap2sink <A.B.C.D> <community_string>trapdelay <seconds>trapsink <A.B.C.D> <community_string>udpdrop <percentage>user <NAME> <MD5 | SHA> <<encode type> <encoded password> <DES> | <cleartext passphrase> <DES>>v3access <<groupName> <usm> <<authnopriv> | <authpriv> | <noauthnopriv>> <readView> <writeView> <notifyView>>view <NAME> included <OID> [<mask>]
aosinfo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 74
-h
<filename>
<CR>
backup . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75
[list <NAME>]
[restore <NAME> <NAME>]
[save <NAME> <NAME>]
clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 76
[arp]
[dns-resolver]
[ike]
[ipsec]
[nat <link-id>]
[queue]
[route <all | dynamic | static>]
[vpdn <all | tunnel <NUMBER>>]
<CR>
configure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 77
[firewall]
[pki]
[policy]
[save <cluster | <CR>>]
[wizard]
[<CR>]
C List of Commands
crypto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 79
[clear <ike | ipsec | <CR>>]
[disable]
  <copy-df>
  <dead-peer-detection <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
  <deferred-delete <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
  <diff-serv <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
  <display <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
  <host-icmp>
  <inline>
  <nat-traversal <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
  <replay>
  <sa-cache>
  <sec-proc>
  <server <ah | esp | input | output | queue>>
  <spd-sorting>
  <stable>
  <CR>
[enable]
  <brief>
  <copy-df>
  <dead-peer-detection <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
  <deferred-delete <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
  <diff-serv <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
  <display <automagic | cluster | dead | option | pending | replay | selector | uuid | <CR>>>
  <full>
  <host-icmp>
  <inline>
  <nat-traversal <all | attribute | basic | cluster | cookie | death | download | event | header | id | io | isadb | locking | mapping | notify | option | payload | pending | policy | rekey | ring | route | saapi | selector | state | <CR>>>
  <replay>
  <sa-cache>
  <sec-proc>
  <server <ah | esp | input | output | queue>>
  <spd-sorting>
  <stable>
  <CR>
[flush <ike | ipsec | <CR>>]
[ike <delete <NUMBER> | lifetime <NUMBER>>]
[ipsec <delete <NUMBER> <ADDR> <ah | esp> | lifetime <NUMBER> | rekey <NUMBER> <ADDR> <ah | esp>>]
[policy reload <NAME>]
[show]
  <active <brief | full | <SPI> | <CR>>>
  address-cache
  all <brief | full>
  cached <all <brief | full> | chains <local | remote> <brief | full> | identities <local | remote> <brief | full> | names <brief | full> | public <local | remote> <brief | full>>
  cluster
  dead <brief | full>
  expired <brief | full>
  ike <-n | brief | full | statistics | <SEQ> | <ADDR> | <fqdn> | <rfc822> | <CR>>
  ipsec <brief | full | <SPI> | <CR>>
  keys <all <brief | full> | blocked <brief | full> | certified <brief | full> | preshared <brief | full> | public <local | remote> <brief | full> | trusted-root <brief | full>>
  options
  pending <brief | full>
  policy <-n | brief | client <brief | full | matched | <CR>> | full | gateway | ike | ipsec | matched | protnet | spd <brief | dynamic | full | matched | routing | static | <CR>> | <CR>>
  statistics <ah | esp | ike | random | replay | sa | sec-proc | <CR>>
date . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
[[[yyyy]mm]dd]HH]MM[.ss]] [<CR>]
examine . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98
any | gre | icmp | ipinip | tcp | udp | <NUMBER>
<SRC-ADDR> <any | SRC-PORT> <DST-ADDR> <any | DST-PORT>
flash . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 99
[duplicate <<NAME> | <CR>> <<NAME> | <CR>>]
[format <-d <<NAME> | <CR>> | <NAME>>]
kernel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 100
[check <filename>]
[commit]
[upgrade <filename>]
nat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 101
clear-state
pin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 102
[set <generate | none | <HEX>>]
[show]
[update <none | <HEX>>]
[zero]
reboot . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 103
schedule . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 104
[backup <<date/time> <PATH> <seconds>>]
[bump]
[cancel]
[commit <date/time> <version>]
[kernel <kernel_filename>]
[list]
[reboot <date/time>]
[resume]
[rollupgrade <date/time> <#nodes>]
[session <date/time>]
[stagreboot <date/time>]
[suspend]
[upgrade <date/time> <#nodes>]
show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 106
address-pool
arp <-a | -n | -<options> | <HOST>>
bootp-forwarder
cluster <-n | aggregation | keepalive | workspace>
configuration <active | pki <active | private | startup | <CR>> | startup | <CR>>
crypto
date
debug
dhcp-client
dhcp-server <client <A.B.C.D> | full | <CR>>
dialup
fastpath <-n | <CR>>
filter-cache
firewall <full | state | statistics | <CR>>
flash
fru
hardware
ike <-n | brief | full | statistics | <SEQ> | <ADDR> <brief | full | <CR>> | <fqdn> | <rfc822> | <CR>>
interface <statistics <eth-1 | eth-2 | eth-3 | eth-4 | loop-0> | status <eth-1 | eth-2 | eth-3 | eth-4 | loop-0>>
ip <anti-spoofing | connections | forwarding | icmp | nat <all | <CR>> | routes <<ADDR> | <CR>>>
ipsec <brief | full | <SPI> | <CR>>
ipsrd
  <bgp <errors | groups | memory | paths | peers <detailed | <A.B.C.D> <advertised | detailed | received> | <CR>> | statistics | <CR>>>
  <configuration>
  <ipsec-peer <not-allowed-networks | peers <<A.B.C.D> <received> <CR> | <CR>> | protected-networks | <CR>>>
  <memory>
  <ospf>
    <database <area | asbr-summary | checksum | database-summary | external | network | router | summary | type | <CR>> | errors <brief | dd | hello | ip | lsack | lsr | lsu | proto | <CR>>>
    <events>
    <interface <detail | <CR>>>
    <neighbor <detail | <A.B.C.D> | <CR>>>
    <packets>
    <CR>
  <rip <errors | interfaces | neighbors | packets | <CR>>>
  <route>
    <aggregate>
    <all <aggregate | bgp | direct | ipsec-peer | ospf | rip | static | <CR>>>
    <bgp <aspath | communities | detailed | metrics | suppressed | <CR>>>
    <destination <A.B.C.D>>
    <direct>
    <exact-match <A.B.C.D>>
    <inactive <aggregate | bgp | direct | ospf | rip | static | <CR>>>
    <ipsec-peer>
    <less-specific <A.B.C.D>>
    <more-specific <A.B.C.D>>
    <ospf>
    <rip>
    <static>
    <summary>
    <CR>
key <cache <all <full | brief> | chains <local | remote> <brief | full> | identities <local | remote> <brief | full> | names <brief | full> | public <local | remote> <brief | full>>>
key <info <all <brief | full> | blocked <brief | full> | certified <brief | full> | preshared <brief | full> | public <local | remote> <brief | full> | trusted-root <brief | full>>>
locks
logger
memory
modem
nat <arp | state | statistics>
ntpdate
oob
packet-trace
pending <brief | full>
policy <-n | brief | client <brief | full | matched> | full | gateway | ike | ipsec | matched | protnet | spd <brief | dynamic | full | matched | routing | static | <CR>> | <CR>>
pppoe <interface <CR> | profile <CR>>
processes
schedule
sensor <all | fan | ps | temp | volt>
snmp
ssh <[config | public-key auth]>
statistics <ah | esp | icmp | igmp | ike | ip | ipsec | nat | queue | random | replay | sa | sec-proc | tcp | udp | <CR>>
subsystem
syslog
terminal
version
vpdn <all | brief | ip-address <HOST> | username | <CR>>
vrrp
wanbackup
tcpdump . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120
<tcpdump options>
tcpdump [-aAdeflLnNOpqRStuvxX] [-c count] [-C filesize] [-F file] [-i interface] [-r file] [-s snaplen] [-T type] [-w file] [expression]
Can also type 'tcpdump -h' for usage.
Visit http://www.tcpdump.org/tcpdump_man.html, or consult product documents for more information.
[disable] [enable <<A.B.C.D> | <CR>>] [port <port>] [secret <secret>] <CR>
terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 123
[editing-style <emacs | vms>]
[idle-timeout <seconds>]
[length <0-512>]
[more <enable | disable>]
[width <0-512>]
validate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 124
any | gre | icmp | ipinip | tcp | udp | <NUMBER>
<SRC-ADDR> <any | <SRC-PORT>> <DST-ADDR> <any | <DST-PORT>>
Config# [no] crypto . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126
[copy-df]
[dead-peer-detection]
[deferred-delete]
[diff-serv]
[dpd-interval <seconds>]
[dpd-retries <count>]
[host-icmp]
[ike-retries <count>]
[nat-traversal]
[replay]
[spd-sorting]
[stable]
[<CR>]
Config# [no] deployment_hub . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 128
hellointerval <minutes>
source <A.B.C.D> destination <A.B.C.D>
timeout <seconds>
Config# disable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
[dhcp] [dialup] [firewall] [ipsec] [ipsrd] [l2tp] [oob] [pptp] [sshd] <CR>
Config# enable . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 129
[dhcp] [dialup] [firewall] [ipsec] [ipsrd] [l2tp] [oob] [pptp] [sshd] <CR>
Config# [no] hostname . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
<hostname>
Config# [no] icmp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 131
[allow]
[bmcast]
[bypass]
[ignore]
[prohibit]
[rate-limit <rate-limit>]
[redirects]
[source-filter]
[stealth]
[unreach <filter | host | net>]
[<CR>]
Config# [no] ipsec-client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
wins <A.B.C.D> [<A.B.C.D>] [<A.B.C.D>] | <CR>
Config# [no] ldap-server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 133
<server name | id> <LDAP server address> <LDAP server port> <as_active_directory | as_openldap> <LDAP search timeout> <LDAP base DN> <base | onelevel | tree> <initial bind DN> <<0|1|2|3> <encoded bind password> | <bind password in clear text>> <<attribute> | <CR>>
Config# modem. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 135
dialmode <pulse | tone>
initstring <XXX...XXX>
speed <9600 | 19200 | 38400 | 57600 | 115200 | 230400 | 460800>
type <standard | custom>
Config# oob. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
localip <A.B.C.D> remoteip <A.B.C.D> idletimeout <value> vjcomp <yes | no>
Config# [no] panic . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 136
halt
reboot
Config# [no] radius . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 137
<radius server address> <<encode type> <encoded secret>> | <<secret> <port number>>
Config# [no] terminal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138
editing-style <emacs | vms>
idle-timeout <1-10000000>
length <number-of-rows>
logging <level <none | emergency | alert | critical | error | warning | notice | info | debug> | <timestamp <microsecond> | <CR>> | <CR>>
more
type <terminal-type>
width <number-of-columns>
Config# [no] uuid <uuid> . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139
finger . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
flowbee . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 140
[-I <ADDR> | -L | -P <number> | -Q | -R | -T <number> | -a | -c <number> | -d | -f | -i <number> | -l <number> | -n | -p <pad> | -q | -r | -s <number> | -v | <HOST>]
netstat . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 142
[-A | -I <eth-1 | eth-2 | eth-3 | eth-4> | -a | -b | -d | -f <INET> | -g | -i | -m | -n | -o | -p <ICMP | IGMP | IP | LOCAL | RAW | TCP | UDP> | -r | -s | -t | -u | -w <seconds> | <-options>]
ping . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 144
[-I <ADDR>] [-L] [-Q] [-R] [-T <NUMBER>] [-a] [-c <NUMBER>] [-d] [-f] [-i <NUMBER>] [-l <NUMBER>] [-n] [-p <PAD>] [-q] [-r] [-s <NUMBER>] [-v] <HOST>
telnet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 147
<HOST> <<PORT> | <CR>>
traceroute . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148
[-F] [-I] [-d] [-f <NUMBER>] [-g <HOST>] [-i <eth-1 | eth-2 | eth-3 | eth-4>] [-m <NUMBER>] [-n] [-p <NUMBER>] [-q <NUMBER>] [-r] [-s <HOST>] [-t <NUMBER>] [-v] [-w <NUMBER>] [-x] [<HOST>]
Config# [no] tftp . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 150
default server <ADDR>
copy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
[<NAME> <NAME>]
create . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
<NAME>
delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 152
<NAME>
differences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
<NAME> <NAME>
directory . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 153
<NAME> | <CR>
rename . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
<NAME> <NAME>
source . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 154
<filename>
type . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
<NAME>
Config# [no] nfs. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 155
default <[gid <NFS GID> | server <ADDR> | uid <NFS UID>]>
[no] debug. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 157
anti-spoofing
[app-clustering <debug | error | info | none>]
[cluster <all | connectivity | default | event | load-balancing | membership | workspace>]
[dhcp-server <all | bootp-forwarder | client-db | communications | packets | parse | ping-check | ras>]
[ike <all | attribute | basic | cluster | cookie | death | default | download | event | header | id | io | isadb | locking | notify | options | payload | policy | rekey | ring | route | saapi | state>]
[ipsec <all | basic | cluster | death | default | event | mapping | pending | rekey | selector>]
[ipsrd]
  <bgp <cluster | keepalive | open | update | <CR>>>
  <global <cluster | normal | policy | route | state | task | timer | <CR>>>
  <ipsec-peer <cluster | packet <<peer-id> | <CR>> | proxy | route | <CR>>>
  <ospf <ack | cluster | dd | drelect | hello | lsa | lsr | lsu | spf | <CR>>>
  <rip <request | response | <CR>>>
[monitor <debug | default | error | info | <CR>>]
[nat]
[ntp <debug | default | error | info | none>]
[ppp <all | authentication | ccp | detailed | ipcp | lcp | negotiations | protocol>]
[radius <accounting | all | attributes | authentication | authorization | cluster | packets>]
[vpdn <all | cluster | detailed | l2tp | pptp>]
[cfg_server <all | boot | commands | communication | events | files | flow | geninfo>]
[chat <all | chat>]
dgwp <all | cluster | communication | server | <CR>>
[dhcp-client <all | misc | packet | packet-dump | parse | state>]
dialupd <all | chat | dialup | err | gen | ipc | ppp | stm>
dialupoob <all | cfg | dlpool | err | gen | ipc | stm>
[ldap <acl | all | any | args | ber | config | conns | daemon | deprecated | filter | ipc | none | packets | parse | shell | stats | stats2 | trace>]
oob <all | chat | err | gen | ipc | oob | ppp | stm | <CR>>
[pkid <all | misc>]
[scep <all | bio | ca | cmds | http | keys | misc | nvdt | pkcs>]
[schedule <all | command | execution | management | startup>]
[sshd <all | config | events | original | scp>]
[ssl <all | misc>]
[userauth <all | common | ldap | local>]
[vrrp <all | event | misc | packet | state>]
wanbackup <all | cfg | err | gen | ipc | rt | stm | wb>
log . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 166
[audit <enable <nobacklog | <CR>> | disable>]
[backlog <audit | <CR>>]
[disable]
[duplicate <enable | disable>]
[enable <nobacklog | <CR>>]
[flush <audit | <CR>>]
[level <none | emergency | alert | critical | error | warning | notice | info | debug>]
[timestamps <enable <microsecond> | disable>]
Config# [no] audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 168
buffers <number>
Config# [no] console audit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
Config# [no] console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 169
logging [<level <none | emergency | alert | critical | error | warning | notice | info | debug>] [<timestamp <microsecond> | <CR>>] [<CR>]
Config# [no] debug . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 171
anti-spoofing
[app-clustering <debug | error | info | none>]
[cluster <all | connectivity | default | event | load-balancing | membership | workspace>]
dhcp-server [all | bootp-forwarder | client-db | communications | packets | parse | ping-check | ras]
[ike <all | attribute | basic | cluster | cookie | death | default | download | event | header | id | io | isadb | locking | notify | options | payload | policy | rekey | ring | route | saapi | state>]
[ipsec <all | basic | cluster | death | default | event | mapping | pending | rekey | selector>]
[ipsrd]
  <bgp <cluster | keepalive | open | update | <CR>>>
  <global <cluster | normal | policy | route | state | task | timer>>
  <ipsec-peer <cluster | packet <<peer-id> | <CR>> | proxy | route | <CR>>>
  <ospf <ack | cluster | dd | drelect | hello | lsa | lsr | lsu | spf | <CR>>>
  <rip <request | response | <CR>>>
[monitor <debug | default | error | info | <CR>>]
[nat]
[ntp <debug | default | error | info | none>]
[ppp <all | authentication | ccp | detailed | ipcp | lcp | negotiations | protocol>]
[radius <accounting | all | attributes | authentication | authorization | cluster | packets>]
[vpdn <all | cluster | detailed | l2tp | pptp>]
[cfg_server <all | boot | commands | communication | events | files | flow | geninfo>]
[chat <all | chat>]
[dgwp <all | cluster <communication | server> | communication <cluster | server> | server <cluster | communication>>]
[dhcp-client <all | misc | packet | packet-dump | parse | state>]
[dialupd <all | chat | dialup | err | gen | ipc | ppp | stm>]
[dialupoob <all | cfg | dlpoob | err | gen | ipc | stm>]
[ldap <acl | all | any | args | ber | config | conns | daemon | deprecated | filter | ipc | none | packets | parse | shell | stats | stats2 | trace>]
[oob <all | chat | err | gen | ipc | oob | ppp | stm>]
[pkid <all | misc>]
[scep <all | bio | ca | cmds | http | keys | misc | nvdt | pkcs>]
[schedule <all | command | execution | management | startup>]
[sshd <all | config | events | original | scp>]
[ssl <all | misc>]
[userauth <all | common | ldap | local>]
[vrrp <all | event | misc | packet | state>]
[wanbackup <all | cfg | err | gen | ipc | rt | stm | wb>]
Config# [no] log. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
buffers <number>
Config# pkttrace. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 180
time <seconds>
enable <trigger [ip <A.B.C.D> | srcip <A.B.C.D> | dstip <A.B.C.D> | proto <icmp | udp <port | srcport | dstport | <CR>> | tcp <port | srcport | dstport | <CR>> | <NUMBER>] | <CR>>
disable
trigger [ip <A.B.C.D> | srcip <A.B.C.D> | dstip <A.B.C.D> | proto <icmp | udp <port | srcport | dstport | <CR>> | tcp <port | srcport | dstport | <CR>> | <NUMBER>] | <CR>
Config# [no] syslog . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 182
add-server <ADDR> <all | audit | syslog> <default | internal>
delete-servers <ADDR | <CR>>
facilities <enable | disable>
level <none | emergency | alert | critical | error | warning | notice | info | debug>
timestamp <disable | enable>
Config# [no] login . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
user <username> <<encode type> <encoded password> | <cleartext password>> [<nfs <NFS uid> | privileges <admin | challenge-response | none>]
Config# login. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 184
source <challenge-response <disallowed | ldap | local | radius | none> | console | ppp | ssh | telnet | tty> <disallowed | local | radius | none>
Config# [no] sshd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
ciphers <3des-cbc | aes128-cbc | aes192-cbc | aes256-cbc | blowfish-cbc>
[connectionsperperiod <num-connections> <seconds>]
[deny-password-auth <user | <CR>>]
[interface <eth-1 | eth-2 | eth-3 | eth-4 | all>]
[logingracetime <seconds>]
port <port-num>
public-key user <user_name> <tftp <tftp_path> | <CR>>
Config# sshd . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 186
[host-key <generate-SSL | show>]
show configuration pki . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 193
active
private
startup
<CR>
show key info . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 194
all <brief | full>
blocked <brief | full>
certified <brief | full>
preshared <brief | full>
public <local | remote> <brief | full>
trusted-root <brief | full>
config_pki# block . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 197
<string>
<UUID>
<CR>
config_pki# [no] ca . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 198
<string>
[crl-query <crl_dp_in_child | force | password <password> | period <minutes> | protocol <http | ldap> | url <URL> | username <username>>]
[enroll <string>]
[enrollment certificate]
  [rsa-with-sha1 <512 | 768 | 1024 | 1536 | 2048>]
  [subject-alt-name <cluster-interface <eth-1 | eth-2 | eth-3 | eth-4 | loop-0> | email | fqdn <string | <CR>> | eth-1 | eth-2 | eth-3 | eth-4 | loop-0>]
  [subject-name <common-name <string> | organizational-unit-name <string> | organization-name <string> | city-or-locality <string> | state-or-province <string> | country <string>>]
[enrollment challenge <string>]
[enrollment entity <string>]
[enrollment protocol <pkcs10 | scep>]
[enrollment retry-count <count>]
[enrollment retry-period <minutes>]
[enrollment url <URL>]
[internal certificate]
  [lifetime <decimal>]
  [rsa-with-sha1 <512 | 768 | 1024 | 1536 | 2048>]
  [subject-alt-name <email <string> | fqdn>]
  [subject-name <common-name <string> | organizational-unit-name <string> | organization-name <string> | city-or-locality <string> | state-or-province <string> | country <string>>]
[internal crl <enable | http_url <url> | ldap_url <url> | update_interval <decimal>>]
[internal csr <issue | lifetime <decimal>>]
[internal generate]
[internal ldap <enable | server <name>>]
[internal list_certs]
[internal set_cert_status <uuid> <active | deleted | granted | pending | revoked_aa_compromise | revoked_affiliation_changed | revoked_ca_compromise | revoked_certificate_hold | revoked_cesation_of_operation | revoked_key_compromise | revoked_priviledge_withdrawn | revoked_remove_from_crl | revoked_superseded | revoked_unspecified>]
[option <crl-optional>]
[uuid <uuid>]
config_pki# certificate . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 208
[device <<string> | <UUID>>]
[intermediary-ca <<string> | <UUID>>]
[management <device <string> | trusted-root <string>>]
[other <<string> | <UUID>>]
[trusted-root <<string> | <UUID>>]
config_pki# crl. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
<string>
<UUID>
config_pki# keypair . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 210
generate rsa [<512 <string> | 768 <string> | 1024 <string> | 1536 <string> | 2048 <string>>]
pin <string> | <UUID>
config_pki# pkcs12 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 211
device <<string> | <UUID>>
config_pki# public-key . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
default <UUID>
local <string> | <UUID>
remote <string> | <UUID>
config_pki# uuid. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 212
<uuid>
config_policy# apply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 220
config_policy# clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
ipsec-map
vpn-schema
<CR>
config_policy# exit . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
config_policy# load . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 221
<filename>
config_policy# map . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
[all] [client] [ike] [ipsec] [selector]
config_policy# save . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 222
<NAME>
<CR>
config_policy# show . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 223
[all]
[ike-gateway <ip <pattern>> | <CR>]
[ike-group]
[ike-suite]
[ipsec-client <name <pattern>> | user_fqdn <pattern> | <CR>]
[ipsec-gateway <ip <pattern>> | name <pattern> | <CR>]
[ipsec-selector <ip <pattern>> | name <pattern> | <CR>]
[ipsec-transform]
[vpn-node <ip <pattern>> | name <pattern> | user_fqdn <pattern> | <CR>]
[vpn-schema]
config_policy# unload . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 224
<filename>
config_policy# [no] ike . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 225
gateway <<ADDR> <ike_suite> [ipsec_transform] | <CR>>
group <group_policy_name> <ike_policy_name> [<ike_policy_name>]
suite <NAME>
ike-suite# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 226
authentication <challenge-response | pre-shared <key> <key> | rsa-encrypt | rsa-encrypt-compat | rsa-signature>
cipher <3des | aes <<128 | 192 | 256> | <CR>> | blowfish <<40-448> | <CR>> | cast <<40-128> | <CR>> | des>
flags <check-dns | deferred-delete | dynamic-peer | fqdn | initial-contact | internal-address | nomadic | vendor-id>
hash <md5 | sha>
lifetime <number>
oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048>
exit
config_policy# [no] ipsec . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 228
cl-selector <NAME>
client <NAME>
gateway <NAME>
gw-selector <NAME>
transform <NAME>
ipsec-client#. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 229
ca-id
id <dn <key=value[,key=value...]> <user fqdn <user@domain_name>>
oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
selector
transform
exit
ipsec-gateway#. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 230
dst-addr <ADDR> <ADDR>
oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
selector
src-addr <ADDR> <ADDR>
transform
identity <FQDN> | <CR>
exit
ipsec-client-selector# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 231
action <bypass | drop | protect>
addr <ADDR>
flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
mask <NETMASK>
port <NUMBER>
protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
exit
ipsec-gateway-selector# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 232
action <bypass | drop | protect>
diff-serv <from-dst <assured | best-effort | default | expedited | pass-through | <NUMBER>> <to-dst <assured | best-effort | default | expedited | pass-through | <NUMBER>>
dst-addr <ADDR>
dst-mask <NETMASK>
dst-port <NUMBER>
flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
src-addr <ADDR>
src-port <NUMBER>
exit
ipsec-transform# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 235
authenticator <hmac-md5 | hmac-ripemd | hmac-sha | null>
cipher <3des | aes <128 | 192 | 256> | blowfish <40-448> | cast <40-128> | des | null>
flags <commit-bit | replay-status | responder-lifetime>
lifetime <kbyte <NUMBER> | minutes <NUMBER>>
mode <transport | tunnel>
protocol <ah | ah-esp | esp>
exit
config_policy# vpn . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
link
node
schema
link . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 236
vpn link <schema_name> <vpn_node> [<vpn_node>...<vpn_node>] . . . . . . . 236
no vpn link <schema_name> <vpn_node> [<vpn_node>...<vpn_node>] . . . . 236
vpn_node# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 237
addr <ADDR>
ca-id
gw-addr <ADDR>
mask <NETMASK>
port <NUMBER>
id <dn | user-fqdn>
exit
vpn-schema# . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 238
action <bypass | drop | protect>
addr <ADDR>
flags <asymmetric | dynamic-gw | local-broadcast | local-dst | local-src | unique-dport | unique-dst | unique-protocol | unique-sport | unique-src>
gw-addr <ADDR>
ike-suite
mask <NETMASK>
oakley-group <modp-768 | modp-1024 | modp-1536 | modp-2048 | none>
port <NUMBER>
protocol <GRE | ICMP | IPINIP | TCP | UDP | <NUMBER>>
transform
exit
config_policy# ipsec gw-selector <name>. . . . . . . . . . . . . . . . . . . . . . . . . . . 243
config_firewall# apply . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
config_firewall# apply keep-state. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 263
config_firewall# clear . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
config_firewall# clear icmp-timeout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
config_firewall# clear tcp-timeout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
config_firewall# clear udp-timeout. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 264
C List of Commands
config_firewall# import <filename> . . . . . 266
config_firewall# icmp-timeout <timeout> . . . . . 266
config_firewall# tcp-timeout <timeout> . . . . . 266
config_firewall# udp-timeout <timeout> . . . . . 266
config_firewall# rule-list . . . . . 267
config_firewall# save . . . . . 268
config_firewall# show . . . . . 269
Index
Numerics
1000BASE-T 32
100BASE-T 32
10BASE-T 32

A
access CLI
  console port 15
  SSH 16
  telnet 16
application server, debug (configuration mode) 172
apply command
  firewall configuration mode 263
  PCS mode 220
arp command
  command mode 52
  configuration mode 55
arp, show command (command mode) 108
audit command 168
audit messages 169
authentication 184

B
backup command 74
block command 197
bootp-forwarder command 56

C
ca command 198
certificate authority 198
certificate command 208
clear command
  command mode 76
  PCS mode 221
CLI
  connect to CLI 15
  features 20
  modes 16
CLI modes
  command mode 16
  configuration mode 17
  firewall mode 18
  navigate between modes 18
  PCS mode 18
  PKI mode 18
  save changes 19
client
  IPSec 133
  IPSec configuration 229
cluster
  configuration 50
  configuration file 23
  debug (command mode) 158
  debug (configuration mode) 172
  NFS server 155
  NTP server 65
  referees 50
  save changes (configuration mode) 17
  save changes (PKI mode) 191
  show command (command mode) 108
cluster command
  command mode 49
  configuration mode 50
command mode commands
  aosinfo 74
  arp 52
  backup 74
  clear 76
  cluster 49
  configure 77
  copy 151
  crypto 78
  date 97
  debug 156
  delete 152
  differences 153
  directory 153
  examine 98
  finger 140
  firewall 53
  flash 99
  flowbee 140
  kernel 100
  log 166
  nat 101
  netstat 142
  pin 102
  ping 144
  reboot 103
  rename 154
  schedule 103
  show 105
  source 154
  tcpdump 119
  telnet 147
  terminal 123
  traceroute 148
  type 155
  validate 124
command-line, help 21
community strings 70
configuration files
  boot 23
  cluster 23
  IPSec 23
  keys 23
  node 23
  PKI 23
configuration mode
  enter 17
  exit 17
  FLASH 17
configuration mode commands
  arp 55
  audit 168
  bootp-forwarder 56
  cluster 50
  console 169
  crypto 126
  debug 170
  deployment_hub 128
  dhcp-server 57
  dialup 34
  diff-serv 60
  disable 128
  dns 61
  enable 129
  hostname 130
  icmp 131
  interface 32
  ip-address-pool 62
  ipsec-client 133
  log 179
  login 184
  modem 135
  mss-clamp 63
  nfs 155
  ntp 65
  oob 135
  panic 136
  pkttrace 180
  ppp 66
  pppoe 37
  radius 137
  route 46
  snmp 68
  sshd 186
  syslog 182
  terminal 138
  tftp 150
  uuid 139
  VRRP 44
  wanbackup 35
configuration server, debug 176
configuration wizard 20, 78
configure
  interface 32
configure command 77
configuring firewall 255
configuring NAT 255
connect to CLI 15
console
  audit messages 169
  logging levels 169
console command 169
console port 15
copy command 151
crl command 210
crypto command
  command mode 78
  configuration mode 126

D
date command 97
debug (command mode)
  IKE 159
  IPSec 159
  NAT 161
  PKID 164
  PPP 161
  SCEP 164
  scheduler 165
  SSH 165
debug (configuration mode)
  application server 172
  configuration server 176
  event logging 170
  IKE 173
  L2TP 176
  ldap 177
  monitor server 175
  nat 175
  PKID 178
  PPP 175
  RADIUS 175
  scheduler 178
  SCEP 178
  SSH 178
  tunneling 176
  VPDN 176
debug command
  command mode 156
  configuration mode 170
delete command 152
deployment_hub command 128
dhcp relay. See bootp-forwarder
dhcp-server command 57
dialup 34
differences command 153
diff-serv command 60
directory command 153
disable command 128
display
  statistics 142
  traffic 142
display information 105
dns command 61
DNS, clear 76
document conventions
  command-line 10
  notices 10
  text conventions 12
documentation
  conventions 10
  related 13
  structure 9
dynamic routing 47

E
edit command 20
editing style
  command mode 123
  configuration mode 138
  emacs 20
  VMS 20
enable command 129
enter
  configuration mode 17
  firewall 259
  PCS mode 219
  PKI mode 191
Ethernet 32
Ethernet Autonegotiation 29
event logging 170
examine command 98
exit
  command mode 19
  configuration mode 17
  current session 19
  firewall 259
  PCS mode 219
  PKI mode 191
exit command
  PCS mode 221
  PKI mode 210
external IP address 51

F
finger command 140
firewall
  command mode commands 259
  configuration mode 261
  configure 259
  default behavior 257
firewall command 53
firewall configuration mode commands
  apply 263
  clear 264
  export 265
  icmp-timeout 266
  import 265
  log clause 288
  match clause 272
  rule definition mode 269
  rule-list 267
  save 268
  show 268
  target clause 281
  tcp-timeout 266
  udp-timeout 266
FLASH
  files 22
  restore 74
  save 74
  save configuration changes 23, 24
flash command 99
flowbee command 140
FQDN 130

G
graphic user interface 24

H
help, command-line 21
hostname command 130

I
ICMP
  examine command 98
  packets 131
  validate command 124
icmp command 131
IKE
  clear 76
  debug (command mode) 159
  debug (configuration mode) 173
  policy configuration commands 225
  show (command mode) 109
ike command (PCS mode) 225
ike-suite command 226
interface command 32
internal addressing, WINS server 133
internal IP address 51
IP
  addressing 51
  show (command mode) 110
ip-address-pool command 62
IPSec 133
  clear 76
  client configuration 229
  configuration file 23
  configure a cluster 78
  debug (command mode) 159
  IPSecIPPool 62
  parameters 92
  policy configuration commands 228
  show (command mode) 110
  WINS 133
ipsec command 228
IPSec configuration commands
  cl-selector 231, 232
  gateway 229, 230
  gateway selector 232, 234
  transform 234, 236
ipsec-client command 133, 229
ipsec-client-selector command 231
ipsec-gateway command 230
ipsec-gateway-selector command 232
ipsec-transform command 235

K
kernel
  check 101
  commit 101
  upgrade 101
kernel command 100
keypair command 210

L
L2TP
  debug (command mode) 162
  show (command mode) 119
ldap, debug (configuration mode) 177
link command 236
load command 221
lock, show command (command mode) 116
log clause 288
log command
  command mode 166
  configuration mode 179
logging levels 169
login command 184

M
map command 222
match clause 272
MD5 65
mode
  command 16
  PCS 219
modem 135
monitor server, debug (configuration mode) 175
mss-clamp 63

N
NAT
  clear 76
  debug (command mode) 161
  debug (configuration mode) 175
NAT before IPSec translations 287
nat command
  command mode 101
netstat command 142
network address translation 101
network management 68
NFS 25
nfs command 155
no command
  PKI mode 211
ntp command 65

O
oob 135

P
panic command 136
passwords 184
PCS mode
  common commands 220
  ipsec 228
  ipsec cl-selector 231
  ipsec gateway 229
  ipsec gw-selector 232
  ipsec-client 229
  ipsec-client-selector 231
  ipsec-gateway 230
  ipsec-gateway-selector 232
  ipsec-transform 235
  link 236
  vpn 236
  vpn schema 238
  vpn_node 237
PCS mode commands
  apply 220
  clear 221
  exit 221
  ike 225
  ike-suite 226
  IPSec policy 228
  load 221
  map 222
  save 222
  show 223
  unload 224
PCS. See policy configuration system
pin command 102
ping command 144
PKI mode
  save changes 191
  view PKI configuration 192
PKI mode commands
  block 197
  ca 198
  certificate 208
  crl 210
  exit 210
  keypair 210
  no 211
  public-key 211
  uuid 212
PKID
  debug (command mode) 164
  debug (configuration mode) 178
pkttrace 180
policy configuration commands
  ike 225
  ipsec 228, 229
  ipsec cl-selector 231, 232
  ipsec gateway 230
  ipsec gateway configuration 229
  ipsec gateway selector 232, 234
  ipsec transform configuration 236
  ipsec-transform 234
  VPN configuration 236
  VPN link 236
  VPN node configuration 237
  VPN schema 237
policy configuration system 219
policy manager software 24
policy, show command (command mode) 117
PPP
  address allocation 62
  debug (command mode) 161
  debug (configuration mode) 175
ppp command 66
pppoe command 37
PPTP, show command (command mode) 119
private-key pair 198
proxy ARP 56
public-key command 211
public-key pair 198

R
RADIUS
  authentication 184
  debug (configuration mode) 175
radius command 137
RADIUS server 137
reboot 105
reboot command 103
recall command 20
related documentation 13
rename command 154
route command 46

S
save changes
  configuration mode 17
  PKI mode 191
save command
  firewall 268
  PCS mode 222
save configuration 78
SCEP
  debug (command mode) 164
  debug (configuration mode) 178
schedule command 103
scheduler
  debug (command mode) 165
  debug (configuration mode) 178
show command
  command mode 105
  firewall 268
  PCS mode 223
snmp command 68
source command 154
SSH 16, 186
  debug (command mode) 165
  debug (configuration mode) 178
sshd command 186
staggered reboot 105
static routes 46
static routing 46
statistics, show command (command mode) 118
syslog 70
syslog command 182
syslog server 179
system date and time 97

T
target clause 281
TCP
  examine command 98
  validate command 125
tcpdump command 119
telnet 16
telnet command 147
terminal command
  command mode 123
  configuration mode 138
TFTP 25
tftp command 150
TFTP server 150
timestamps, log command 167
traceroute command 148
traffic statistics 142
tunneling
  clear 77
  debug (command mode) 162
type command 155

U
UDP
  examine command 98
  validate command 125
unload command 224
upgrade nodes 105
usernames 184
UUID 139
uuid command
  configuration mode 139
  PKI mode 212

V
validate command 124
version
  configuration 24
  show (command mode) 118
view files 155
VPDN
  debug (command mode) 162
  show (command mode) 119
VPN
  configuration commands 236
  link commands 236
  node configuration commands 237
  schema configuration commands 237
vpn command 236
vpn schema command 238
vpn_node command 237
VRRP 44
VT100 terminal type 138

W
wanbackup 35
WINS server, internal addressing 133