Black Box ET0010A Cli User Manual Download | Manualshive

Page: 94 / 212

background image

Securing Management Port Traffic with IPsec

ETEP CLI User Guide

95

Figure 17

Management port policy example

IKE Policy Example

This example shows how to create an IKE policy to encrypt all traffic between the ETEP management
port and the management workstation. The commands in the example are grouped according to the
following tasks:

●

The first set of commands enters ipsec-config mode, makes a backup copy of the active policy set,
and then defines the pre-shared key.

●

The second set of commands defines the IKE encryption policy. The ETEP management port IP
address is 203.0.113.9 and the management workstation IP address is 192.0.2.124. The ike-ipsec
proposal uses two encryption algorithms and two authentication algorithms.

●

The last set of commands displays the pending policy changes, and then deploys the new policy.
Deploying the policy automatically restarts the IKE server.

admin>

configure

config>

management-interface

man-if>

ipsec-config

ipsec-config>

backup-policy-set

ipsec-config>

ike-params-set

ike-params-set>

ike-sa-presharedkey M1$har3dK3y

ike-params-set>

exit

ipsec-config>

policy-add MyIKEPolicy

ipsec-config>

policy-config MyIKEpolicy

policy-config>

policy-action protect

policy-config>

policy-keying ike

policy-config>

policy-ike-peer 192.0.2.124

policy-config>

policy-selector 192.0.2.124/32 203.0.113.9/32 any any any

policy-config>

policy-ike-ipsec esp aes128-cbc/aes256-cbc hmac-sha2-256/

hmac-sha2-384

policy-config>

policy-priority 64000

policy-config>

exit

ipsec-config>

show-policy-set

ipsec-config>

deploy-policy-set

«
...
92
93
94
95
96
...
»

Summary of Contents for ET0010A

Page 1: ...t including Policy Manager PM Key Management System KMS and EncrypTight Enforcement Points ETEPs ETEP Command Line Interface CLI User Guide ET0010A ET0100A ET1000A Order toll free in the U S Call 877...

Page 2: ...ord Enforcement 19 Upgrading Software 20 Removing ETEPs From Service 20 Adding Users 20 Understanding User Roles 21 User Name Conventions 22 Creating a New User Default Password Enforcement Policy 22...

Page 3: ...er 2 Point to Point Policy 58 Configuring the Policy Mode 59 Layer 2 Policy Example 60 Verifying the Policy 62 How the ETEP Encrypts and Authenticates Layer 2 Traffic 63 Creating Local Site Policies 6...

Page 4: ...Maintenance 99 Installing ETEP Software Updates 99 File System Backup and Restore 99 Restoring the Factory Configuration 100 Changing the Port Status 101 Chapter 6 Troubleshooting 103 Symptoms and Sol...

Page 5: ...35 date 135 debug shell 136 deploy policy set 137 dfbit ignore 138 dhcprelay 139 disable trusted hosts 140 exit 141 filesystem download 141 filesystem reset 143 fips mode enable 144 help 145 ike param...

Page 6: ...ority 178 policy selector 179 port enable 181 reassembly 181 reboot 182 remote interface 183 remote user cert auth mode 183 restart ike 184 restore filesystem 185 restore policy set 186 show 187 show...

Page 7: ...8 ETEP CLI User Guide Contents...

Page 8: ...ng up and maintaining network equipment Assumptions This document assumes that its readers have an understanding of the following Basic principles of TCP IP networking including IP addressing switchin...

Page 9: ...ETEP CLI User Guide Contacting Black Box Technical Support Contact our FREE technical support 24 hours a day 7 days a week Phone 724 746 5500 Fax 724 746 0746 e mail info blackbox com Web site www bl...

Page 10: ...s while it travels over untrusted networks With straightforward setup and configuration the ETEP has the flexibility to provide Ethernet frame encryption for Layer 2 networks IP packet encryption for...

Page 11: ...unctions of policy management key generation and distribution and policy enforcement As a result multiple ETEPs can use common keys This works for complex mesh hub and spoke and multicast networks as...

Page 12: ...llation tasks are complete before configuring the ETEP Install the required user supplied software on the management workstation as described in the Installation Guide Make sure that the firewalls in...

Page 13: ...lly logged in the command line prompt displays as shown below password text is not displayed pep login admin Password Last login Tue Jan 29 19 18 59 2008 on ttyS0 Welcome admin it is Tue Jan 29 19 37...

Page 14: ...ds are entered to configure the appliance Enter configuration mode by typing configure From this level you can access several additional configuration modes for interface settings policies and user ad...

Page 15: ...Getting Started 16 ETEP CLI User Guide...

Page 16: ...nto operation in the network Select the password enforcement policy Add users including assigning a user name and role to each user Change the default passwords In addition the Administrator can enabl...

Page 17: ...ings depend on the ETEP s password enforcement policy as shown in Table 3 Related topics Setting the Password Enforcement Policy on page 18 Creating a New User Default Password Enforcement Policy on p...

Page 18: ...password enforcement command Attributes are described in Table 4 password enforcement default strong Example This example enables strong password controls user config password enforcement strong Rela...

Page 19: ...rator accounts while the ETEP is out of service all users will be locked out and the ETEP must be returned to the factory Adding Users At a minimum adding a user involves creating a user name and asso...

Page 20: ...gnostics Default user names are shown in Table 5 The Administrator can manage the ETEP using the CLI or the EncrypTight software The Ops user is able to log in only to the CLI and has access to a limi...

Page 21: ...iate a common name with the ETEP user These names must match the common names used on the identity certificates included on the CACs See the EncrypTight User Guide to learn how to enable this feature...

Page 22: ...ficates included on the CACs See the EncrypTight User Guide to learn how to enable this feature across the components of your EncrypTight system To add a new user when strong password enforcement is e...

Page 23: ...last time the a user s password was changed exceeds the password expiration days the ETEP will require the password to be reset before allowing you to modify other user settings To modify a user 1 En...

Page 24: ...assword reset 1 3 Password expiration warning days 10 3 Expiration grace period days 10 Maximum login sessions 2 The following example removes a common name from an Ops user named tech1 admin configur...

Page 25: ...not yet have a password assigned An existing account that the Administrator manually disabled Accounts that are disabled because of a login failure are not flagged in the show command output Example...

Page 26: ...ited number of failed login attempts without locking the user out of the appliance Strong Password Conventions Passwords must be at least 15 characters long Standard alphanumeric characters are allowe...

Page 27: ...e terminal admin configure config user config user config password modify ops Password Retype new password Related topics Password Enforcement Options on page 17 Setting the Password Enforcement Polic...

Page 28: ...account the Administrator must first add a new user and then assign a password to the account To restore a locked account 1 Enter user configuration mode admin configure config user config user config...

Page 29: ...t with the user enable command To determine whether an account has been disabled due to login failures issue the show audit log command and review the log file for a series of login failures An accoun...

Page 30: ...access controls to protect USG interests not for your personal benefit or privacy Notwithstanding the above using this IS does not constitute consent to PM LE or CI investigative searching or monitori...

Page 31: ...vides user authorization in addition to certificate based authentication When you use a CAC EncrypTight components use the certificates installed on the card to determine if a user is authorized to pe...

Page 32: ...p the ETEP to use a CAC involves several tasks 1 Install certificates on the ETEPs This task is performed using the EncrypTight software 2 Enable strict authentication on the ETEPs 3 Enable remote use...

Page 33: ...User Administration 34 ETEP CLI User Guide...

Page 34: ...Describes commands that are common to Layer 2 and Layer 3 operation such as management port configuration date and time auto negotiation session inactivity timer and loss of signal pass through Layer...

Page 35: ...These settings can be configured by the Admin and Ops users About the management port IP address mask and gateway The management port must have an assigned IP address in order to be managed remotely...

Page 36: ...s 192 168 10 10 To send packets between the two devices the local port on Router 1 is specified as the default gateway 192 168 10 1 The gateway address must match the subnet of the management port Fig...

Page 37: ...ig prompt or type top to return to the command prompt 1000 Mbps Full duplex 3 1000 Mbps Half duplex 3 ip address Management port IP address entered in dotted decimal notation subnet mask IP subnet mas...

Page 38: ...an if exit The following example sets an IPv6 address prefix length and default gateway on the management port admin configure config management interface man if ip6 2001 DB8 211 11FF FE58 743 64 2001...

Page 39: ...k City United States UTC 5 07 00 New Delhi India UTC 5 30 17 30 To set the date and time 1 At the command prompt type configure to enter configuration mode 2 At the config prompt type date year month...

Page 40: ...ghput speed 1 At the command prompt type show throughput speed The throughput speed is also displayed in the output of the show running config command Examples The following example adds a 25 Mbps lic...

Page 41: ...in Table 16 autoneg enable disable speed flow control Table 15 Link speeds on the local and remote ports Link speed Auto negotiate Fixed Speed Fixed Speed All ETEPs ET0010A ET0100A ET1000A 10 Mbps Ha...

Page 42: ...en a loss of signal is detected on the local port the remote port transmitter is disabled Alternatively the ETEP port transmitter can be configured to always remain enabled regardless of the other por...

Page 43: ...and prompt enter the cli inactivity timer command where n is the number of minutes ranging from 0 1440 minutes 24 hours admin cli inactivity timer n Related topic cli inactivity timer on page 134 Conf...

Page 44: ...2 point to point policies the two ETEPs must be able to communicate with each other to exchange key information In some Layer 2 networks all frames must have a VLAN tag to traverse the network The ETE...

Page 45: ...icies In non transparent mode the local and remote ports have user assigned IP addresses Non transparency settings apply when the ETEP is configured for Layer 3 operation and being used in a distribut...

Page 46: ...Transparent Mode for Layer 3 Policies on page 52 Transparent mode is the ETEP s default mode of operation and is appropriate for most Layer 3 distributed key policies To use the ETEP in a Layer 3 vir...

Page 47: ...butes are described in Table 22 reassembly host gateway Table 20 Commands that control network interoperability Command Description Default Setting reassembly Specifies who performs the reassembly of...

Page 48: ...turned on You can override the default behavior by disabling the DF Bit handling on the local port The ETEP will then discard packets in which the DF bit is set and the packet length including the en...

Page 49: ...ipv6Traffic clear discard Example This example configures the ETEP to discard IPv6 traffic admin configure config policies policies ipv6Traffic discard Related topic ipv6Traffic on page 153 Using DHCP...

Page 50: ...tion mode admin configure config local interface 2 Configure the dhcprelay command Attributes are described in Table 24 dhcprelay enable ipAddress disable Example The following example assigns local a...

Page 51: ...sses To configure the ETEP for non transparent mode do the following Assign IP addresses to the local and remote ports on page 52 Disable transparent mode thereby allowing the ETEP to use the data por...

Page 52: ...pond to ARPs In non transparent mode the original source IP address in the outbound packet header is replaced with either an IP address for the remote port The ETEP port MAC address is used as the pac...

Page 53: ...is important that a proper system shutdown is performed prior to powering off the appliance The shutdown command halts all running tasks on the ETEP and prepares it for being powered off Failure to pe...

Page 54: ...the following message is displayed on the terminal Power cycle required to reboot appliance 3 Unplug the power cable from the back of the unit or from the power outlet Example In the following exampl...

Page 55: ...Configuring the ETEP 56 ETEP CLI User Guide...

Page 56: ...s Changing the clocks after the policy is established may cause traffic to be dropped Creating Layer 2 Point to Point Policies It takes only a few minutes to configure the ETEP for Layer 2 point to po...

Page 57: ...nion ETEP must be assigned the opposite role of its peer primary or secondary Table 28 layer2 p2p command description Attribute Description Traffic handling encrypt clear discard The ETEP has three op...

Page 58: ...ent is enabled and TLS traffic passes in the clear Several of these settings need to be modified for Layer 2 point to point operation Preshared key We recommend that you change the key from its defaul...

Page 59: ...rator logs in and configures the management port and then sets the date and time After entering policy configuration mode the next two commands configure the Layer 2 policy and the policy mode specify...

Page 60: ...t to the primary role as shown in Figure 7 and the local site ETEP is assigned the secondary role as shown in Figure 8 Both ETEPs are configured with the same preshared key value and group ID Figure 6...

Page 61: ...w encrypt policy Encryption policy Layer 3 EncrypTight policy management enabled true TLS is traffic in clear enabled A Layer 2 point to point policy is shown in the next example policies show Encrypt...

Page 62: ...is being exchanged The SA is a unidirectional secure tunnel through which data passes between the two appliances Each secure connection has two SAs one for each direction SAs are identified by a valu...

Page 63: ...protected using EncrypTight The local site ETEP 1 is on the same subnet as the EncrypTight management devices 2 and 3 The management devices communicate with the remote site ETEPs 4 over the same link...

Page 64: ...traffic based on Ethertype or VLAN ID At Layer 3 policies can be configured with fairly coarse traffic filters allowing access to an entire subnet or to all destinations 0 0 0 0 0 Or you can create m...

Page 65: ...d in the order in which you intend Policy keying protect policies only Encryption policies are manually keyed These keys are static and refreshed only when the policy is updated Related topics Assigni...

Page 66: ...efine a bypass or discard policy 1 Enter local site policy configuration mode admin configure config policies policies local site policies local site policy 2 Enter policy config mode As part of the c...

Page 67: ...as a hexadecimal or decimal value Hexadecimal values must be preceded by 0x VLAN ID vlanID any Enter a VLAN ID in the range of 1 4094 or enter any to accept any VLAN ID policy selector remote ip loca...

Page 68: ...inbound and outbound SAs individually or use the any attribute to create both SAs with a single command Encryption behavior is dependent on the ETEP s mode of operation as summarized in Table 36 When...

Page 69: ...nd SA You can configure the inbound and outbound SAs individually or use the any attribute to create both SAs from a single command See Table 37 for a description of the command parameters policy manu...

Page 70: ...olicy manual key direction spi encryptionAlgorithm authenticationAlgorithm encryptionKey authenticationKey direction in out any Specifies the direction of the SA The any attribute creates two bidirect...

Page 71: ...ecimal number for encryption key 1234567890123456789012345678901212345678901234567890123456789012 Please enter 40 character hexadecimal number for authentication key 1234567890123456789012345678901234...

Page 72: ...pt type backup policy set and press ENTER Related topics Viewing the Local Site Policy Set on page 72 Restoring the Local Site Policy Set on page 75 Deploying Local Site Policies The deploy policy set...

Page 73: ...nagement Policies on page 92 Deleting a Local Site Policy To delete a local site policy first issue the policy delete command using the policy name that you want to remove and then deploy the policy s...

Page 74: ...set The backup copy of the policy set is retained after a restore operation A subsequent backup overwrites the previous backup copy of the policy set To restore the backup file 1 From the local site...

Page 75: ...umber for OSPF is 89 The BypassOSPF policy uses wild carded addresses meaning that it applies to traffic from any source and to any destination The first command in the example makes a backup copy of...

Page 76: ...012345678901234567890 policy config policy priority 65400 policy config exit local site policy show policy set local site policy deploy policy set Securing Management Port Traffic with IPsec Most mana...

Page 77: ...es that will be communicating with the ETEP you will need to Configure IPsec policies on the ETEP management port see ETEP Task Summary on page 78 Configure the IPsec client See your IPsec client docu...

Page 78: ...algorithms Related topics Changing the IKE Parameters on page 79 Viewing the Current IKE Parameter Settings on page 81 Configuring an IKE Encryption Policy on page 84 Changing the IKE Parameters Befo...

Page 79: ...st be entered in the ETEP and its peer Note the following conventions when creating a preshared key The key is a case sensitive alphanumeric string from 1 255 characters in length A minimum of 8 chara...

Page 80: ...the ETEP To apply the saved settings issue the restart ike command To view the IKE parameters 1 Enter ipsec config mode admin configure config management interface man if ipsec config ipsec config 2...

Page 81: ...policy priority specifies the order in which policies are processed on the ETEP For each incoming packet the ETEP searches through the list of policies starting with the policy that has the highest p...

Page 82: ...topics Assigning Policy Names on page 83 Configuring an IKE Encryption Policy on page 84 Configuring a Manual Key Encryption Policy on page 86 Configuring a Bypass or Discard Policy on the Management...

Page 83: ...the name of a policy that has been added ipsec config policy config name 4 Set the policy action command to protect to indicate that this is an encryption policy policy action protect 5 Set the policy...

Page 84: ...t on the far side of the untrusted network in CIDR notation IP address prefix The default is set to 0 0 0 0 0 which means process all packets coming from any address local ip IPv4 or IPv6 address of t...

Page 85: ...f the two peers that form the secure tunnel endpoints such as the ETEP and management workstation The encryption and authentication keys must be entered identically on each peer Each IPSec connection...

Page 86: ...ust be different than in the inbound SA The encryption and authentication algorithms and their associated keys can be the same 9 Assign a unique priority to the policy Policies are enforced in descend...

Page 87: ...a unique SPI The SPI is a decimal value between 256 and 4096 protocol esp ah AH provides data authentication ESP provides encryption and authentication encryptionAlgorithm 3des cbc aes128 cbc aes256...

Page 88: ...low priority If a packet fails to meet the criteria of any bypass or protect policies that apply to specific subnets then it gets discarded To define a bypass policy 1 Enter IPsec configuration mode...

Page 89: ...active management policies and pending changes Make a backup copy of the active policies running on the ETEP Deploy the new policy set to the ETEP Table 48 Policy selector command Command Description...

Page 90: ...Backing Up the Policy Set Before making any changes to the management port policies it is a good practice to make a backup copy of the active policies In the event you want to return to the last known...

Page 91: ...tiating to establish SAs when policies are deployed to each peer Manual key policies should take effect upon boot up If a manual key policy is not automatically re established after a power cycle init...

Page 92: ...actory state Clearing the current policies removes all the active policies that are running on the ETEP pending policies and the backup copy of the policy set Clearing the management port policies rem...

Page 93: ...reate the following policies IKE encryption policy to encrypt all traffic between the ETEP management port and the management workstation Manual key encryption policy to encrypt all traffic between th...

Page 94: ...s two encryption algorithms and two authentication algorithms The last set of commands displays the pending policy changes and then deploys the new policy Deploying the policy automatically restarts t...

Page 95: ...er hexadecimal number for authentication key 11223344556677889900aabbccddeeff87654321 policy config policy priority 60000 Bypass Policy Example The following example defines the selectors for a policy...

Page 96: ...affic with IPsec ETEP CLI User Guide 97 policy config exit ipsec config show policy set ipsec config backup policy set ipsec config deploy policy set Figure 18 The show policy set commands lists the a...

Page 97: ...Creating Policies 98 ETEP CLI User Guide...

Page 98: ...ot authenticate the new software the upgrade process is terminated and the new software is not installed on the appliance The show upgrade status and show system log CLI commands provide status on the...

Page 99: ...on Two CLI commands are available for restoring factory settings on the ETEP The filesystem download command installs a new software image and removes the previous appliance configuration files The fi...

Page 100: ...he Admin user Related topic port enable on page 181 update filesystem on page 198 Table 51 Backup and factory image commands Command Factory Image Backup Image Running Image New appliance no command F...

Page 101: ...Maintenance 102 ETEP CLI User Guide...

Page 102: ...ions Diagnostic Commands Additional Diagnostic Tools Symptoms and Solutions The following tables provide some solutions to common problems that may occur with your ETEP Management Troubleshooting on p...

Page 103: ...g policy settings have been configured on each If you stop securing the management port with IPsec be sure to disable the IPSec client on the workstation Changing the management port IP address invali...

Page 104: ...d for Layer 2 IKE operation on the data ports you cannot deploy an IKE policy on the management port Workarounds Deploy an manual key policy on the management port or take the ETEP out of Layer 2 IKE...

Page 105: ...7 Check for a mismatch between the date and time of the policy shown in the SAD and the date and time on the appliance show date command If the dates and times don t match you may have a time sync pro...

Page 106: ...TEPs The policy mode command must be configured for Layer 2 IKE operation for the policies to take effect Layer 2 IKE traffic is being discarded If you use a time service to set the time forward on th...

Page 107: ...ssing mode is remote IP or virtual IP In the policy editor clear the check boxes for all Addressing Mode Overrides In the router Add a static route entry and static ARP entry to the WAN router to ensu...

Page 108: ...ate the Alarm LED illuminates and the appliance discards all packets it receives Depending on the error other notifications may be sent traps status messages to the ETEMS or the terminal To recover fr...

Page 109: ...15 show distkey log Displays log messages about EncrypTight distributed key functionality such as rekeys and policy deployments show dual power status Displays the operational status of the ET1000A po...

Page 110: ...s on page 111 for links to the command reference and additional examples Examples The following example pings host 192 168 1 1 from the ETEP management port The count specifies the ping operation will...

Page 111: ...d packets isn t obvious and cannot be explained by the discard counters the policy packet counters let you compare packet counts between the sending and receiving ETEPs to determine the source of the...

Page 112: ...other area to check when you are experiencing packet loss The policy packet count feature is disabled by default To minimize the impact on performance we recommend enabling the feature for troubleshoo...

Page 113: ...a concatenated file of all log messages SNMP traps To monitor ETEP events system status and warning and error conditions ETEMS lets you set up SNMP trap reporting Table 61 Tools available from the CL...

Page 114: ...rds command or click View Status in ETEMS Discard reasons are listed in Table 62 Table 62 Discard packet descriptions Reason Reason continued Fragmentation error Remote port non IP ICMP non zero fragm...

Page 115: ...ll over after reaching their maximum value To view MAC statistics From the CLI enter the show all command In ETEMS click View Statistics Counters Counters are displayed for transmitted and received pa...

Page 116: ...transmitted and received packets on each port grouped by frame size 64 byte frames 65 to 127 byte frames 128 to 255 byte frames 256 to 511 byte frames 512 to 1023 byte frames 1024 to 1518 byte frames...

Page 117: ...categorized as inbound or outbound Inbound packets arrive at the remote port from the untrusted network Outbound packets are sent from the remote port to the untrusted network Policy Type The policy t...

Page 118: ...fies the length of time that the keys and policies will be active before the EncrypTight sends new keys The lifetime specified in the distributed key policy is stored on the EncrypTight key server not...

Page 119: ...Troubleshooting 120 ETEP CLI User Guide...

Page 120: ...lowing conditions are true EncrypTight distributed key policies are installed that use non FIPS approved algorithms IKE policies are configured on the management port interface that use non FIPS appro...

Page 121: ...lays when communicating with the ETEP When the ETEP is rebooted with FIPS mode enabled the ETEP does not become operational until 30 60 seconds after the login prompt is displayed In the interim attem...

Page 122: ...the EncrypTight User Guide ETEP appliances are shipped with all encryption mechanisms disabled to allow installation test and acceptance Prior to operation encryption mechanisms should be enabled The...

Page 123: ...FIPS 140 2 Level 2 Operation 124 ETEP CLI User Guide...

Page 124: ...e the Ops user has access to a limited subset of the commands The default user names and passwords are listed in Table 67 Most commands take effect when they are issued Commands that affect the file s...

Page 125: ...onfigured the appliance will use its default value ip ip address subnet mask gateway The ip command with the optional gateway attribute might look like this ip 10 168 224 1 255 255 0 0 10 168 1 1 The...

Page 126: ...ted as the same command Table 68 Cursor movement keys Key Description CTRL A Move to the start of the line CTRL E Move to the end of the line up Move to the previous command line held in history down...

Page 127: ...full 10m full 100m half 10m half When auto negotiation is disabled the speed attribute specifies the link speed and duplex setting On the management port the speed defaults to 100m full On the local...

Page 128: ...f the other device On the management port the ETEPs support the speeds shown in Table 72 On the local and remote ports the ETEPs support the speeds shown in Table 73 NOTE If you are using copper SFP t...

Page 129: ...nterface ipsec config local site configuration mode config policies local site policies Syntax backup policy set Usage Guidelines The backup policy set command makes a backup copy of the deployed poli...

Page 130: ...moves all certificates from the appliance and generates a self signed certificate User Type Administrator Hierarchy Level Management interface configuration mode config management interface Syntax cle...

Page 131: ...s Hierarchy Level Management interface configuration mode config management interface Syntax clear known hosts ip Attributes ip IP address of the SFTP server The ETEP accepts IPv4 and IPv6 addresses U...

Page 132: ...ncrypt and drop policies currently installed on the ETEP All traffic is sent in the clear until you create and deploy new policies or until the policies are rekeyed You will be prompted for confirmati...

Page 133: ...s Clearing the current policies removes the active policies that are running on the ETEP pending policies and the backup copy of the policy set Clearing the management port policies removes the polici...

Page 134: ...ault Setting the inactivity timer does not affect the current CLI session The change is effective on all subsequent CLI sessions Example admin configure config cli inactivity timer 250 configure Descr...

Page 135: ...the appliance after changing the date and time under other circumstances If you are setting the date because of a certificate problem and cannot communicate with the appliance using ETEMS Issue the da...

Page 136: ...ll deploy policy set Description The deploy policy set command deploys policies to the ETEP This command is available when working with IPsec policies on the ETEP management interface and local site p...

Page 137: ...in the IP header or acts in accordance the DF bit setting User Type Administrator Hierarchy Level Local interface configuration mode config local interface Syntax dfbit ignore on off Attributes on The...

Page 138: ...server that is on a different subnet The DHCP relay feature is applicable in Layer 3 IP networks User Type Administrator Hierarchy Level Local interface configuration mode config local interface Synt...

Page 139: ...e 148 transparent mode enable on page 196 Example The following example assigns local and remote port IP addresses to the ETEP disables transparent mode and then enables the dhcprelay command specifyi...

Page 140: ...e ETEP The disable trusted hosts command disables the trusted hosts on the ETEP allowing it to be managed from ETEMS again Example admin configure config disable trusted hosts exit Description The exi...

Page 141: ...P user name or password After issuing the command you will be prompted to confirm that you want to continue Type yes to continue or no to cancel This command automatically reboots the appliance Upon r...

Page 142: ...you will be prompted to confirm that you want to continue Type yes to continue or no to cancel This command automatically reboots the appliance Upon reboot you will need to reset the management IP add...

Page 143: ...Psec policy has been configured to protect the SNMP traffic for each specific trap host The debug shell is in use Strict client authentication is enabled on the management port Placing the ETEP in a F...

Page 144: ...mode on the management interface From here you can define the global Phase 1 and Phase 2 negotiation settings used in IKE encryption policies These settings are applied to all IKE encryption policies...

Page 145: ...ation for the later creation of keys by the peers Group 1 is the least secure and least computationally demanding Group 18 provides the highest level of security and also involves the most processing...

Page 146: ...ess frequent renegotiations and result in fewer dropped packets The IKE SA lifetime is a global setting that will be used in all IKE encryption policies on the ETEP management port Related topic Confi...

Page 147: ...pha characters and numbers 0 9 are allowed The following special characters are not allowed The IKE preshared key is a global setting that will be used in all IKE encryption policies on the ETEP manag...

Page 148: ...address is on a different subnet the ETEP sends the packet to the designated default gateway Usage Guidelines The management port must have an assigned IP address in order to be managed remotely and c...

Page 149: ...network portion of the address The decimal value is preceded by a forward slash gateway IPv6 address of the router port that is on the same local network as the ETEP management port Usage Guidelines...

Page 150: ...6 2001 DB8 211 11FF FE58 743 64 2001 DB8 20F F7FF FE84 BFC2 man if top admin ipsec config Description The ipsec config command enters IPsec configuration mode from management interface configuration m...

Page 151: ...SA lifetime is the interval after which an SA must be replaced with a new SA or terminated This is a global setting that will be used in all IKE encryption policies on the ETEP management port Relate...

Page 152: ...he highest level of security and also involves the most processing Setting the PFS group ID to none disables perfect forward secrecy This is a global setting that will be used in all IKE encryption po...

Page 153: ...This example configures the ETEP to discard IPv6 traffic admin configure config policies policies ipv6Traffic discard layer2 p2p Description The layer2 p2p command defines a Layer 2 point to point pol...

Page 154: ...used in the process of establishing security associations SAs between a pair of ETEPs Both ETEPs must use the same preshared key and group ID The policy does not take effect until the policy mode com...

Page 155: ...ge of speeds that varies by model When you install the license you purchased ETEPs transmit traffic at the speed specified by the license You need to install a license on each ETEP that you use Licens...

Page 156: ...ype Administrator Hierarchy Level Policies mode config policies Syntax local site policies Usage Guidelines Local site policies cannot be created or deployed when the ETEP is configured for Layer 2 st...

Page 157: ...the logon banner admin configure config banner config banner config logon banner enable true management interface Description The management interface command allows configuration of the management in...

Page 158: ...password is going to expire The password command resets a user s password in compliance with the password policy enabled by the Administrator default or strong password controls After entering the pa...

Page 159: ...s Strong password controls enforce more stringent password rules and conventions than the default password controls The strong controls affect the following items Password conventions Password history...

Page 160: ...ng password controls Related topics Default Password Conventions on page 27 Enabling and Disabling Accounts on page 29 Example In this example the Administrator changes the password for a user named t...

Page 161: ...rface v Verbose output V Show version a Audible ping A Adaptive ping c count Stop after sending count ECHO_REQUEST packets With deadline option ping waits for count ECHO_REPLY packets until the timeou...

Page 162: ...ment interface to host 192 168 1 124 admin network tools network tools ping c4 192 168 1 124 PING 192 168 1 124 192 168 1 124 from 192 168 1 69 eth2 56 84 bytes of data 64 bytes from 192 168 1 124 icm...

Page 163: ...ample The following example sends 4 ICMP ECHO REQUEST packets from the ETEP management interface to host 2003 a8 124 waiting 2 seconds between sending each packet Informational options h help Display...

Page 164: ...ands which include defining a Layer 2 point to point policy defining local site policies and setting the policy mode The policy mode configures the ETEP for Layer 2 or Layer 3 operation sets its keyin...

Page 165: ...ect in a management port policy The example assumes that MyPolicy has already been added to the ETEP admin configure config management interface man if ipsec config ipsec config policy config MyPolicy...

Page 166: ...characters Valid characters are upper and lower case alpha characters a z numeric characters 0 9 _ underscore and dash Policy names must start with an alpha character or an underscore The first chara...

Page 167: ...d requires that you enter an existing policy name The policy name is entered using the policy add command Example The following example adds a management port policy named Test and enters policy confi...

Page 168: ...g ipsec config policy delete MyPolicy ipsec config deploy policy set policy ike ipsec Description The policy ike ipsec command defines the IPsec transform set which includes the IPsec protocol and enc...

Page 169: ...Level 2 Operation on page 121 Example This example defines a transform set for an IKE policy on the management port named MyPolicy The policy uses ESP AES 256 CBC as the encryption algorithm and HMAC...

Page 170: ...automatically using IKE or entered manually This command is used in IPsec encryption policies on the ETEP management interface User Type Administrator Hierarchy Level IPsec policy config mode config m...

Page 171: ...yer2 selector Description The policy layer2 selector command defines the traffic filters for a Layer 2 local site policy User Type Administrator Hierarchy Level local site policy config mode config po...

Page 172: ...ig mode config policies local site policies policy config Syntax policy manual key direction spi encryptionAlgorithm authenticationAlgorithm encryptionKey authenticationKey Attributes direction out in...

Page 173: ...tPolicy has already been added Encryption and authentication keys are displayed only until the ENTER key is pressed The example below shows the keys for demonstration purposes even though they are not...

Page 174: ...ate length according to the selected algorithm In FIPS mode you have to enter the encryption and authentication keys twice Usage Guidelines This command is valid for manually keyed encryption policies...

Page 175: ...ETEP for use in Layer 2 or Layer 3 policies Enable or disable EncrypTight policy and key generation distribution and management Enable or disable passing TLS traffic in the clear which allows TLS bas...

Page 176: ...of an in service ETEP all encrypt and drop policies currently installed on the ETEP are removed Traffic is sent in the clear until you create and deploy new policies Example The first example configur...

Page 177: ...l operation To clear the counters issue the show policy packet count clear command Related topics Determining the Cause of Dropped Packets on page 112 show on page 187 Example The following example en...

Page 178: ...the show policy set command to do this The local site policies are assigned a higher priority than the priorities available to EncrypTight distributed key policies This ensures that the local site po...

Page 179: ...all destinations 0 0 0 0 0 Or you can create more granular policies using selectors based on partial subnets individual destinations protocol types or source and destination ports Management policies...

Page 180: ...ement local and remote configuration mode Syntax port enable true false Usage Guidelines Each port is configured independently of the others This port setting is persistent after a reboot Example The...

Page 181: ...ies only when the ETEP s policy mode is set to Layer 3 When the policy mode is set to Layer 2 packets that are subject to fragmentation are encrypted prior to fragmentation Layer 2 jumbo packets that...

Page 182: ...configuration of the remote interface User Type Administrator Hierarchy Level Configuration mode Syntax remote interface Example config remote interface rem if remote user cert auth mode Description...

Page 183: ...list of authorized users EncrypTight software ETKMS and ETEP Communications that do not use an authorized common name and a valid certificate are rejected Setting up the ETEP to use a CAC involves se...

Page 184: ...ic Changing the IKE Parameters on page 79 Deploying Management Policies on page 92 Example admin restart ike restore filesystem Description The restore filesystem command restores the appliance file s...

Page 185: ...restore filesystem ATTENTION You have issued a service affecting restore command WARNING This command restores the backup copy of the appliance file system including the software image configuration f...

Page 186: ...nner config User Type Administrator and Ops have access to the show command from command mode Only the Administrator can access the config mode show commands Hierarchy Level Command mode banner config...

Page 187: ...Displays the contents of the SNMP log file spd Displays the security policy database entries system log Displays the contents of the system log file throughput speed Displays the throughput speed conf...

Page 188: ...n the ETEP The saved settings are parameters that have been edited but not yet applied on the ETEP To apply the changes issue the restart ike command or deploy the policy set Related topics Viewing th...

Page 189: ...ble 77 Related topic Viewing the Local Site Policy Set on page 72 Viewing the Policy Set on page 91 Example In the following example the Administrator displays the local site policies admin configure...

Page 190: ...id seed seed Attributes seed The engine ID seed is a string from 1 256 characters Valid values in include upper and lower case alpha characters a z numbers 0 9 spaces and most printable keyboard chara...

Page 191: ...ble Description The ssh enable command enables and disables SSH access to the management port User Type Administrator Hierarchy Level Configuration mode Syntax ssh enable true false Attributes true En...

Page 192: ...thentication from the EncrypTight software but there can be situations where you cannot communicate with the appliance from the management workstation In this case you can connect to the appliance thr...

Page 193: ...LI The syntax of the command follows Linux conventions Linux commands are case sensitive User Type Administrator and Ops Hierarchy Level Network tools mode config network tools Syntax traceroute dFInr...

Page 194: ...e default is 5 seconds z pausemsecs Minimal time interval between probes default is 0 host IP address of the network host It can be followed by the size of the probing packet that is sent to the host...

Page 195: ...arent in Ethernet networks when configured as a Layer 2 encryptor If you want to conceal the original source IP address when sending encrypted traffic configure the ETEP to operate in non transparent...

Page 196: ...port The ETEP performs this function by monitoring for loss of signal at the port s receiver For example when the loss of signal is detected on the ETEP s remote port the local port transmitter is dis...

Page 197: ...ry listing relative to the root FTP directory do not enter the entire path ftpUser User ID of a user on an FTP host ftpPassword FTP user s password ftpSecure ftp sftp Defines the file transfer protoco...

Page 198: ...rd warning password grace period maximum login sessions Attributes name Specifies the user name role admin ops Associates a user role with the user name common name The common name from the Common Acc...

Page 199: ...entity certificates included on the CACs The common name identifies an authorized user on the ETEP Passwords are optional when using common names Users without assigned passwords can access the ETEP t...

Page 200: ...t admin configure config user config user config user add dallas admin name domain com user config Description The user config command enters user configuration mode from configuration mode From here...

Page 201: ...cription The user enable command enables and disables a user account User Type Administrator Hierarchy Level User config mode config user config Syntax user enable name true false Attributes name Spec...

Page 202: ...es the user name role admin ops Associates a user role with the user name common name The common name from the Common Access Card s identity certificate By default a common name is not used password e...

Page 203: ...d Enforcement Options on page 17 Modifying Users on page 24 Enabling and Disabling Accounts on page 29 Examples This example changes the tech1 user s role from ops to admin Default password enforcemen...

Page 204: ...fault value is 0 tag id Sets the VLAN ID Valid values range from 0 4094 The default value is 1 Usage Guidelines The vlan tag command is needed when the following two conditions are met The ETEP is dep...

Page 205: ...Command Reference 206 ETEP CLI User Guide...

Page 206: ...usage tips 126 commands autoneg 128 backup policy set 130 banner config 131 clear certificates 131 clear known hosts 132 clear policies 133 clear policy set 133 cli inactivity timer 134 configure 135...

Page 207: ...ort 10 D date command 135 date changing 40 debug shell command 136 default gateway configuration management port 36 default password conventions 27 deploy policy set command 137 DF bit handling config...

Page 208: ...rough the serial port 14 logging using the audit log 32 login banner See banners 30 login failures limits and recovery 30 logon banner enable command 157 loss of signal pass through configuring 43 M M...

Page 209: ...how policy set 189 policy mode Layer 2 Layer 3 configuring 60 policy troubleshooting 107 port status enabling and disabling 101 monitoring 106 port enable command 181 R reassembly command 181 reassemb...

Page 210: ...9 MAC statistics 116 management communications 105 non transparent mode traffic 108 packet counters 116 policies 107 policy tracking tool 112 port status 115 SPD and SAD files 117 time synchronization...

Page 211: ...Index 212 ETEP CLI User Guide...

Page 212: ...ted by free live 24 7 Tech support available in 30 seconds or less Copyright 2011 All rights reserved Black Box and the Double Diamond logo are registered trademarks of BB Technologies Inc Any third p...

Reviews:

No comments

Related manuals for ET0010A

Brand: Idem Pages: 2

Brand: Datavideo Pages: 58

PIXIE Smart Switch G3

Brand: SAL Pages: 2

Brand: SMART Pages: 46

Brand: N-Tron Pages: 5

Brand: LevelOne Pages: 17

Brand: IPGARD Pages: 2

Brand: Icy Box Pages: 10

Brand: hager Pages: 3

IPES-5208T-X Series

Brand: Lantech Pages: 39

Tek-CARE NC554/8

Brand: TekTone Pages: 2

Brand: H3C Pages: 4

Brand: VNS Pages: 8

MPD-DS-WML-NFDS Series

Brand: Larson Electronics Pages: 2

Brand: Intellinet Pages: 12

ACTIVE with NETATMO

Brand: Velux Pages: 20

Brand: MTI Pages: 9

Brand: MTI Pages: 10

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands