AudioCodes Mediant 500L MSBR Configuration Manual Download Page 40 | Manualshive

Page: 40 / 74

background image

Mediant MSBRs

40

Document #: LTRT-31828

Security Setup

7.1.3 Configuring IPSec with RSA

It is possible to use certificates instead of pre-shared password for authentication. The device

provides its own Trusted Root Certificate store. This store lets you manage trusted CA

certificates to authenticate the remote side. You can import up to 20 certificates to the store

(this amount might be less depending on certificate file size).
This storage can also be used for trusted certificate chains. A certificate chain is a sequence

of certificates where each certificate in the chain is signed by the subsequent certificate. The

last certificate in the list of certificates is the Root CA certificate, which is self-signed. The

purpose of a certificate chain is to establish a chain of trust from a child certificate to the

trusted root CA certificate. The CA vouches for the identity of the child certificate by signing

upon it. A client certificate is considered trusted if one of the CA certificates in the certificate

chain is present in the server certificate directory. For the device to trust a whole chain of

certificates, all of them must be imported.

Figure 7-4: Configuring IPSec Using RSA

Each certificate in the file must be Base64 encoded (PEM). When copying-and-pasting the

certificates to the device, each Base64 ASCII encoded certificate string must be enclosed

between "

-----BEGIN CERTIFICATE-----

" and "

-----END CERTIFICATE-----

".

You must configure the device clock settings, preferably with an NTP server, to make sure

that the expiration date for the certificates are correctly validated.
For the IPSEC to authenticate using PKI, the CA certificate or CA chain certificates need to

be imported to the device. A certificate signing request (CSR) needs to be first generated

and then the signed certificate needs to be imported to the device. In the generation of the

signing request, a private key is used. The private key needs to be generated or imported

prior to the signing request. Using this signing request, the CA generates a certificate that

can then be imported to the device.
This "MSBR certificate" is later used to establish an IPSec connection.

7.1.3.1 Importing Certificates

This procedure describes how to import certificates.

7.1.3.1.1 Private Key

A private key needs to be generated or imported. The private key is used to generate

enrollment requests to the CA. To generate a private key, use the following command:

(config-isakmp-pki)# private-key generate 2048

Generating new 2048-bit private key, this might take some time...

New 2048-bit private key generated.

(config-isakmp-pki)#

«
...
38
39
40
41
42
...
»

Summary of Contents for Mediant 500L MSBR

Page 1: ...Configuration Guide AudioCodes Mediant Multi Service Business Routers MSBR Series Security Setup Version 7 2...

Page 2: ......

Page 3: ...Balancing using NAT 23 6 SPI Firewall 25 6 1 Configuration Example 26 7 IPSec Tunneling 29 7 1 Configuration Examples 31 7 1 1 Configuring IPSec 31 7 1 2 Configuring IPSec with GRE 35 7 1 3 Configurin...

Page 4: ...Mediant MSBRs 4 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 5: ...is product Customer Support Customer technical support and services are provided by AudioCodes or by an authorized AudioCodes Service Partner For more information on how to buy technical support for A...

Page 6: ...pdated with enabling NAT traversal 31821 Configuring IPSec with RSA added 31822 Typo in Section Configuring Port Forwarding 31823 New command config isakmp ike 31825 Typos incorrect IP addresses in Co...

Page 7: ...on of the security functionality of AudioCodes Mediant Multi Service Business Routers MSBR hereafter referred to as device using the command line interface CLI The document describes the CLI commands...

Page 8: ...Mediant MSBRs 8 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 9: ...r or word ACL can be addressed using a number or a word Note access list names are case sensitive deny or permit connection using this rule is denied or permitted using this keyword protocol connectio...

Page 10: ...tes the ACL with the name Name From Version 6 8 ACL numbering is supported Every line in the ACL has a number Every next line number is incremented by 10 To add a line between line number 10 and 20 st...

Page 11: ...192 168 120 0 0 0 0 255 log 0 matches DC Access deny ip any any log 0 matches The following example allows access from any IP to segment 192 168 199 0 24 only for SSH TCP port 22 Telnet TCP port 23 S...

Page 12: ...Mediant MSBRs 12 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 13: ...cted as a single host IP address range of IP addresses with mask or local address It also can be any address Range of IP addresses can be defined using a wildcard source port source can be matched usi...

Page 14: ...2 0 64 log config ext6 nacl exit config data exit You can view the configured ACL using the following command config data show data access lists Extended IP access list 150 150 10 permit ipv6 2000 100...

Page 15: ...ists command config data exit show data access lists Extended IP access list 150 150 10 permit ipv6 2000 100 1 0 64 2000 100 2 0 64 log 0 matches 150 20 permit ipv6 2000 101 1 0 64 2000 100 2 0 64 log...

Page 16: ...Mediant MSBRs 16 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 17: ...e device configure data access list telnet_mgmt permit ip host mgmt_ws local log access list telnet_mgmt deny ip any any log Configure the ACL for the Telnet connection configure system cli terminal w...

Page 18: ...Mediant MSBRs 18 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 19: ...on the Gigabitethernet0 0 interface To disable NAPT per interface use the following commands Table 5 1 NAT and NAPT Commands Command Description configure data Configuration of ACLs is in the data le...

Page 20: ...that there is only one address in the NAT pool Table 5 3 NAT Rules Command Description config data ip nat inside source list tcp_nat interface gigabitethernet 0 0 pool tcp_pool Configure IP NAT trans...

Page 21: ...e supports load balancing using NAT If there are more than two servers on the LAN side of the device a connection to the WAN address can be forwarded to one of the servers in a round robin fashion To...

Page 22: ...Below is the output of the show data ip nat translations command show data ip nat translations Note static translations are not shown NAT summary 1 TCP 0 UDP 2 ICMP Total 3 NAT connections Pro Inside...

Page 23: ...output of the show data ip nat translations command displays a source address 180 1 100 20 from port 4355 that accesses IP address 180 1 100 10 on port 80 The connection is then NATed to the inside ad...

Page 24: ...Mediant MSBRs 24 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 25: ...f they do not belong to a known connection For example if a user initiates an HTTP request to a sever on the WAN anything connected to the WAN interface the device allows that server to respond to the...

Page 26: ...fic configure data Create the ACL config data ip access list extended FW_out config ext nacl permit tcp 192 168 0 0 0 0 0 255 any eq 20 log config ext nacl permit tcp 192 168 0 0 0 0 0 255 any eq 21 l...

Page 27: ..._out permit tcp 192 168 0 0 0 0 0 255 any eq 22 log 0 matches FW_out permit tcp 192 168 0 0 0 0 0 255 any eq 23 log 0 matches FW_out permit udp 192 168 0 0 0 0 0 255 any eq 5000 log 2 matches FW_out p...

Page 28: ...Mediant MSBRs 28 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 29: ...nyone on the Internet are not able to read and understand the traffic between the segments This solution is also applicable to other applications that need to encrypt traffic such as protecting classi...

Page 30: ...pto map config crypto map set peer 180 1 100 21 Configure the peer IP address config crypto map set transform set crypto_set1 Configure the transform set config crypto map set security association lif...

Page 31: ...is encrypted Figure 7 2 IPSec Example IPSec configuration of the device on the right hand side Corporate Branch Users is as follows access list ipsec permit ip 192 168 0 0 0 0 0 255 10 0 0 0 0 0 0 25...

Page 32: ...et transform set crypto_set1 set security association lifetime seconds 28000 match address ipsec exit crypto isakmp key P ssw0rd address 180 1 100 20 interface GigabitEthernet 0 0 crypto map MAP1 Note...

Page 33: ...two subnets to be connected using two IPSec tunnels then in addition to the previous primary configuration the following configuration needs to be added to the device on the branch site access list i...

Page 34: ...ess 180 1 100 21 The above configuration assumes that the third router s GigabitEthernet 0 0 address is 180 1 100 40 Configuration of the third device is as follows interface gig 0 0 ip address 180 1...

Page 35: ...rnet interfaces is encrypted Figure 7 3 GRE over IPSec The following shows the MSBR1 configuration conf d int gigabitethernet 0 0 ip address 180 1 1 1 255 255 255 0 no firewall enable exit int vla 1 i...

Page 36: ...ipsec exit interface GigabitEthernet 0 0 crypto map MAP1 The following shows the MSBR2 configuration conf d int gigabitethernet 0 0 ip address 180 1 1 2 255 255 255 0 no firewall enable exit int vla 1...

Page 37: ...0 0 S 180 1 1 2 32 1 0 is directly connected GigabitEthernet 0 0 IPSec S 192 168 1 0 24 1 1 is directly connected GRE 1 S 192 168 2 0 24 1 1 is directly connected GRE 1 S 192 168 3 0 24 1 1 is directl...

Page 38: ...h 11 10 17 24 936858 00 90 8f 89 35 a9 00 90 8f 59 4b 56 ethertype IPv4 0x0800 length 150 180 1 1 2 180 1 1 1 ESP spi 0x3647ff5a seq 0xc length 11 10 17 25 933155 00 90 8f 59 4b 56 00 90 8f 89 35 a9 e...

Page 39: ...1 ICMP echo reply id 27378 seq 1 length 40 10 21 07 702933 00 90 8f 59 4b 56 00 90 8f 89 35 a9 ethertype IPv4 0x0800 length 98 180 1 1 1 180 1 1 2 GREv0 proto IPv4 0x0800 length 64 192 168 11 1 192 16...

Page 40: ...ng RSA Each certificate in the file must be Base64 encoded PEM When copying and pasting the certificates to the device each Base64 ASCII encoded certificate string must be enclosed between BEGIN CERTI...

Page 41: ...ates a self signed certificate delete Deletes certificate detail Displays certificates export Exports certificates import Imports certificates signing request Generates signing requests status Display...

Page 42: ...wing message is displayed Enter data below Type a period on an empty line to finish 3 Paste a root certificate BEGIN CERTIFICATE MIIFxz output omitted tjkjeqG END CERTIFICATE 4 Enter dot to end root c...

Page 43: ...IFICATE REQUEST Send this request to your security administrator for signing then upload the new signed certificate to the device 4 Using the signing request obtain the device certificate and then imp...

Page 44: ...tatus Certificate subject C IL ST Center L Lod O AC OU R D CN ca local emailAddress tim g audiocodes com Certificate issuer C IL ST Center L Lod O AC OU R D CN ca local emailAddress tim g audiocodes c...

Page 45: ...Configuration of MSBR 31 is as follows configure data access list IPSEC permit gre any any access list ALL_BUT_IPSEC deny gre any any access list ALL_BUT_IPSEC permit ip any any crypto isakmp policy 1...

Page 46: ...server provide host name ip dhcp server ntp server 0 0 0 0 ip dhcp server tftp server 0 0 0 0 ip dhcp server override router address 0 0 0 0 ip dhcp server next server 0 0 0 0 service dhcp ip dns ser...

Page 47: ...p set peer 10 31 2 31 set transform set crypto_set set security association lifetime seconds 3600 match address IPSEC set default route exit interface GigabitEthernet 0 0 ip address 10 4 2 86 255 255...

Page 48: ...rface GigabitEthernet 0 0 ip route 10 31 2 0 255 255 255 0 10 4 2 1 GigabitEthernet 0 0 ip route 192 168 0 0 255 255 255 0 gre 2 To check that IPSec is up use the show data crypto status command The e...

Page 49: ...ranch may be dynamic and change every time the interface PPPoE 0 reconnects In this scenario the identity of the MSBR Branch should therefore not be by IP address because it changes instead it should...

Page 50: ...2 DSL configuration is automatic Termination cpe no shutdown exit interface EFM 0 2 no ip address mtu auto desc VDSL no ipv6 enable no service dhcp ip dns server static no shutdown exit interface BVI...

Page 51: ...0 0 0 0 0 PPPOE 0 1 exit The MSBR Branch configuration defines the IKEv2 peer as an IP address It s important to note that the identity of the MSBR Branch is set to home timg pro Configuration of MSBR...

Page 52: ...rewall enable no link state monitor no ipv6 nd ra suppress ipv6 address autoconfig no shutdown exit interface BVI 100 ip address 192 168 100 1 255 255 255 0 mtu auto desc Bridge ip dhcp server network...

Page 53: ...it ip nat inside source list all_but_ipsec interface PPPOE 0 ip route 0 0 0 0 0 0 0 0 PPPOE 0 1 exit The MSBR HQ has an IKEv2 peer that is configured with an FQDN as home timg pro This DNS resolves in...

Page 54: ...Mediant MSBRs 54 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 55: ...ure data Enter the data configuration menu config data user user name password password Configure a user with a name user name and password password Some operating systems don t have NAT traversal NAT...

Page 56: ...version two protocols are selected for the authentication The key LinePass 1 is used for the IPSec encryption between the client and server The following is the user configuration for the clients vpn...

Page 57: ...Server Version 7 2 57 Security Setup 2 Click the Set up a virtual private network VPN connection link Figure 8 2 Select Connection Type 3 Select the Let me decide later option and then click Next Fig...

Page 58: ...e which will later become the dialer s name in the Network Connection window 6 Click Next Figure 8 4 L2TP Username and Password 7 Enter the user name and password that was previously configured on the...

Page 59: ...de 8 L2TP VPN Server Version 7 2 59 Security Setup Figure 8 6 Network Connections Window 9 Right click VPN Connection that you just created and then choose Properties Figure 8 7 VPN Connection Propert...

Page 60: ...Advanced Properties 11 Select the Use preshared key for authentication option and then enter the key previously configured on device and then click OK 12 Click OK until you re back at the Network Conn...

Page 61: ...etup 15 When the connection is successfully established in the device use the show data l2tp server command to view the connected users MSBR 1 show data l2tp server Conn Username IP Rx Tx Uptime 300 A...

Page 62: ...Mediant MSBRs 62 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 63: ...entication globally config data interface gigabitethernet 4 3 Configure the interface gigabitethernet 4 3 conf if GE 4 3 authentication dot1x single host multi host Configure dot1x on the interface us...

Page 64: ...Windows 7 To activate dot1x authentication on Windows 7 1 Press the Windows R key combination to open the Run window Figure 9 1 Run Window 2 In the Open field type services msc and then click OK Figur...

Page 65: ...7 2 65 Security Setup 4 Right click Wired AutoConfig and then from the shortcut menu choose Start as shown below Figure 9 3 Wired AutoConfig Service The actions above should activate dot1x authentica...

Page 66: ...dot1x on Windows 7 To configure dot1x on Windows 7 1 Press the Windows R key combination to open the Run window Figure 9 4 Run Window 2 In the Open field type ncpa cpl and then click OK the Network Co...

Page 67: ...lick an interface that dot1x needs to be configured on and then choose Properties the following dialog box appears Figure 9 6 Local Area Connection 4 Select the Enable IEEE 802 1X authentication check...

Page 68: ...the following dialog box appears Figure 9 7 Protected EAP Properties 7 Clear the Validate server certificate check box and make sure that Secured Password EAP MSCHAP v2 is selected 8 Click Configure...

Page 69: ...dot1x server is used or anytime that windows logon is not used clear the Automatically use my check box If Windows authentication is used select the check box 10 Click OK until you re back at the Auth...

Page 70: ...alog box appears Figure 9 10 Advanced Settings 12 Make sure that the Specify Authentication mode check box is selected 13 Select User authentication for user authentication You can also enter the cred...

Page 71: ...ta config data dot1x radius server local config data dot1x local user AudioCodes password P ssw0rd config data dot1x lan authentication enable config data interface gigabitethernet 4 1 conf if GE 4 1...

Page 72: ...Mediant MSBRs 72 Document LTRT 31828 Security Setup This page is intentionally left blank...

Page 73: ...de An external DNS server on the device s WAN side is advertised only the source port is randomized DNS proxy mode The device is configured as a DNS server on its LAN side Both the DNS Query ID and so...

Page 74: ...oCodes Ltd All rights reserved AudioCodes AC HD VoIP HD VoIP Sounds Better IPmedia Mediant MediaPack What s Inside Matters OSN SmartTAP User Management Pack VMAS VoIPerfect VoIPerfectHD Your Gateway T...

Reviews:

No comments

Related manuals for Mediant 500L MSBR

Brand: KAS Pages: 2

Brand: C-Bus Pages: 36

SBO500 SBO Series

Brand: Synway Pages: 72

Brand: Samsara Pages: 15

Brand: NeoGate Pages: 41

Brand: Nitgen Pages: 66

IGW1111-3IN1-DB

Brand: 3onedata Pages: 3

Response Analog IO Gateway

Brand: ETC Pages: 4

Brand: ioSelect Pages: 160

Brand: Perenio Pages: 32

Brand: ETC Pages: 5

Brand: Avid Technology Pages: 152

Brand: 4IPNET Pages: 24

Brand: QEI Pages: 47

Brand: ActionTec Pages: 4

intelligent Touch Manager BACnet DCM014A51

Brand: Daikin Pages: 148

Brand: 3Com Pages: 47

OfficeConnect 3C855

Brand: 3Com Pages: 80

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands