manualshive.com logo in svg

Perle P1705, User And System Administration Manual

Share
Download
Perle P1705 User And System Administration Manual Download Page 69

61

Internet Key Exchange (IKE)

The IKE  feature is designed to automatically negotiate IPsec security associations (SAs) and

enables IPsec secure communications without costly manual preconfiguration. IKE provides

also authentication of the IPsec peers and generate keys to be used by IPsec. Phase 1 is to

establish a secure and authenticated tunnel with which to communicate further IKE

negotiations. Phase 2 is to establish security associations (SA) on behalf of other protocols

like IPSec which require key and parameter negotiation.

In order for IPSec to be negotiated dynamically across an IKE connection  the IPSec policy

item must be linked to IKE protection suite. An IKE protection suite defines the IPSec SA

parameters which are negotiated

To initially configure the IKE parameters for Phase 1 negotiation, you need to configure the

router as follows. NOTE: Phase 1 can support up to 3 proposals negotiated during IKE

negotiation with proposal 1 considered the first to negotiate:

ª

 Configuration

ª

 Packet Services Set-up

ª

 IP Security Set-up

ª

 IKE peer setup

ª

 Peer alias

ª

 

Peer name

ª

 Peer IP Address

ª

 

xxx.xxx.xxx.xxx

ª

 Peer Pre Shared Key *

ª

 Peer Pubic Key *

ª

 IKE Phase 1 Negotiation

ª

 

Authentication Method

ª

 

Integrity

ª

 

Encryption

ª

 

DH Group

ª

 

Lifetime

ª

 

Proposal

*Note - Either Pre-Shared Key or Public Key can be used for implementation but not both.

To configure the router for IPSec to be negotiated through IKE you must defined the IKE

protection suite to be establish during Phase 2:

ª

 Configuration

ª

 Packet Services Set-up

ª

 IP Security Set-up

ª

 Protection Set-up

ª

 Edit Protection Suite

ª

 Suite Alias

ª

 

Protection Suite name

ª

 SA mode

ª

 

IPSEC SA mode

ª

 Lifetime for SA (seconds) OR

ª

 Lifetime for SA (data)

ª

 

Lifetime value

Summary of Contents for P1705

Page 1: ...Perle 1700 Series Perle 1700 Series Perle 1700 Series Perle 1700 Series Bridge Routers With VPN User And System Administration Guide Part number 5500074 16 Copyright 2003 by Perle Systems Ltd...

Page 2: ...imply third party authority to import distribute or use encryption Importers distributors and users are responsible for compliance with all local country laws Perle strongly recommends that importers...

Page 3: ...declares that the product conforms with the requirements of the Low Voltage Directive 73 23 EEC and with the requirements of the EMC Directive 89 336 EEC for radiated emissions at the Class A level T...

Page 4: ...the configuration is performed using the options provided in the menu system The Menu Tree is like an index to the menu options Octet Locations on Ethernet Frames provides a graphical representation o...

Page 5: ...Addressing 16 Masks 17 IP Subnets 17 IP Default Gateway 19 IP Static Route 19 IPX Routing 20 Novell Servers in Both Locations 20 Novell Servers in One Location Only 21 Novell Server with Dual LANs 23...

Page 6: ...Simple Network Time Protocol SNTP 73 3 INTRODUCTION TO FILTERING 75 MAC Address Filtering 75 Pattern Filtering 75 Popular Filters 77 Bridge 77 IP Related Traffic 77 Novell IPX Frames 77 NetBIOS NetBE...

Page 7: ...E PINOUTS 95 Pinout Information 95 Link Clocking Information 95 ATL CSU DSU Link Module Information 95 Console Pinouts 97 T1 E1 Module 98 V 24 RS232C Link Pinouts 99 V 11 X 21 Link Pinouts 100 RS442 R...

Page 8: ......

Page 9: ...physical wide area network WAN links that may operate at speeds up to 2 048 Mbps Frame Relay units provide bridging and IP IPX routing and support 1 to 128 Permanent Virtual Circuit PVC across two ph...

Page 10: ...ole under the front right corner of the faceplate is used in case a hardware reset is required The end of a paper clip is sufficient to toggle the small switch behind the hole Front View Bottom View R...

Page 11: ...one or two optional interface modules The optional modules may be a second LAN 10 BaseT a second LAN plus one WAN module a single WAN module or two WAN modules Important If a second LAN module is inst...

Page 12: ...ks are configured as permanent DTE interfaces The clocking for each link will be provided by the DCE device connected to each link The V 35 link modules require interface converters that convert from...

Page 13: ...inimum configuration parameters required when setting up the P1705 P1730 Each of the configuration scenarios requires setting of operational parameters on the P1705 P1730 The built in menu system of t...

Page 14: ...margin indicates that this is information that the user will have to enter for configuration The note icon is used to provide miscellaneous information on the configuration and set up of the router Co...

Page 15: ...ishing Telnet connections to a partner bridge router across the WAN This is accomplished by selecting the Telnet option Location Main Configuration Access Set up Telnet Set up Telnet Specify the name...

Page 16: ...ational Remote Site Profile Frame Relay enabled International only Frame Relay disabled North America only The configuration options required for proper initial operation are described in Section 2 Ty...

Page 17: ...SF ESF Line encoding AMI INV_AMI B8ZS HDB3 Select the service channel speed framing format and encoding as designated by the service provider T1 service requires the specification of a Line Build Out...

Page 18: ...20to330ft TS330to440ft TS440to550ft TS550to660ft If fractional T1 E1 service is being provided you will need to specify the channels timeslots to be used Set Link Interface Type Location Main Configur...

Page 19: ...is connected and NOT forwarding i e Listening Learning or Blocking Red Bridge Router is NOT connected to the LAN LAN Off Module is not installed or is configured to be down Disabled Green Connection i...

Page 20: ...a combination of the three When operating the router as a combination bridge router simply configure each of the components separately Note The configuration options described within this section are...

Page 21: ...address is the same at both locations bridging is simpler and requires less configuration If the locations are to be routed together the network numbers will have to be different in both cases this c...

Page 22: ...k congestion The P1705 P1730 are pre configured to operate as an Ethernet bridge compatible with the IEEE 802 1d Spanning Tree Protocol definitions This means that without configuration modifications...

Page 23: ...WAN connections if the destination IP network is found in the routing tables the IP router sends the IP frame to the remote partner router that is connected to the appropriate remote IP network If no...

Page 24: ...tion of the address there can be over 16 million 224 host devices on each class A network Class B uses the first two fields for network addresses and can address approximately 16 000 networks The two...

Page 25: ...ay be divided into smaller networks by a process called sub netting A subnet is specified using some of the high order bits of the host field of the IP address for sub network addressing The portion o...

Page 26: ...es The subnet mask for the above example networks will be 255 255 255 192 So setting a subnet mask size of 26 will generate two sub networks with up to 62 host addresses each 64 potential addresses mi...

Page 27: ...es on the network through RIP messages In some instances it may be desirable to have a predetermined or static route that will always be used to reach certain devices such as when one specific router...

Page 28: ...both sides IPX routers forward IPX frames based upon their IPX destination address and an internal routing table The router maintains the internal routing table with the network IPX addresses and the...

Page 29: ...remote site LAN In the following diagram the router connected to LAN 2 must be configured with IPX network number 1500 or any other valid unique IPX network number using the appropriate frame type The...

Page 30: ...appropriate frame type Note that IPX network numbers must be unique If more than one frame type is to be used each frame type must have a unique IPX network number There must be no duplicate IPX netw...

Page 31: ...uting and server tables Novell Server with Dual LANs If an P1730 is configured with two LAN interface modules the setup will be similar to the above configuration the difference being that rather than...

Page 32: ...f the WAN connection In a numbered link configuration the WAN connection may be viewed as another LAN network with the two PPP routers simply routing information between their local LANs and the commo...

Page 33: ...outer that is the IP address of its LAN connection If the peer IP address is not specified the router will attempt to determine it when negotiating the IPCP connection When an IPXCP link is set to unn...

Page 34: ...eration option of the remote site profile for a connection is enabled by default When a Multilink connection is established the Multilink MP options within the PPP set up and Advanced PPP set up menus...

Page 35: ...on to another ISDN router the ISDN information must be defined The ISDN switch type must be defined for the ISDN interface and the phone numbers must be defined Refer to the following diagram that sho...

Page 36: ...type may be different on each of the units Directory Numbers SPIDs Location Main Configuration Interfaces Set up WAN Set up Link Set up ISDN Set up Directory Number SPID The directory number will be...

Page 37: ...switch type it must be re entered after a configuration reload It is strongly recommended that the entire configuration set of the router be saved Dump config txt to the console then reloaded Restore...

Page 38: ...r of the remote site IPX PPP router and an ISDN call will be placed IP Router Manual Call Connection To establish an IP PPP direct dial connection the IP addresses must be supplied for this device bef...

Page 39: ...other frame relay units Before the P1730 or P1705 can establish a PVC connection to another frame relay router at least one PVC must be defined The router is pre configured to query the frame relay se...

Page 40: ...ation Interfaces Set up WAN Set up Link Set up Link Speed 56 Auto Learning the Frame Relay Configuration The P1705 P1730 are pre configured to query the frame relay service to auto learn the LMI type...

Page 41: ...ws you to manually specify the type of Link Management Interface in use by the Frame Relay service provider for the Frame Relay service When the LMI type is set to none the router simply creates frame...

Page 42: ...ers the P1705 P1730 will bridge and IPX route data without any user configuration Because an IP router requires an IP address the router must be configured with an IP address before IP routing is full...

Page 43: ...led Frame Relay disable Location Main Configuration Interfaces Set up WAN Set up Link Set up Frame Relay disabled The router will request confirmation of the change enter yes Quick Start PPP Leased Li...

Page 44: ...up Link Set up Link Speed Bridge Connection Once the link speeds have been configured the router will attempt to establish the link connection to the remote site PPP router The Bridge connection does...

Page 45: ...mbers are assigned automatically in ascending order as the site profiles are created ID numbers 129 130 and 131 are templates for creating remote site profiles with ISDN Frame Relay or Leased Line con...

Page 46: ...the user name prompt receives the name Calgary it will look in the remote site list for a profile with the alias Calgary If the Calgary profile is found the parameters in it will be used for password...

Page 47: ...uter starts up Location Main Configuration Connections up Remote Site Set up Edit Remote Site Connection Set up Auto call Enabled 1 d Setting up an activation schedule with times the connection is to...

Page 48: ...created remote site profiles may be renamed for easier identification or usage by changing the Remote Site Alias Remote Site Profile Alias Location Main Configuration Connections up Remote Site Set u...

Page 49: ...site profiles are fully configured the CIR and EIR The Committed Information Rate CIR option specifies the data rate that the Frame Relay service has guaranteed to provide The Excess Information Rate...

Page 50: ...Parameters and CCP Parameters menus note compression over frame relay is only available if PPP encapsulation is enabled If either the Bridge portion or the IP or IPX router portion of the connection i...

Page 51: ...for PPP negotiations after the security authentication process has passed In other words when this router receives a link connection attempt it will prompt the remote device for a user name and passwo...

Page 52: ...ill be removed from any remote site profile that originally was defined to use the link The link will then be used within the newly defined remote site profile When this remote site profile is defined...

Page 53: ...y schedule with times the connection is to be activated and deactivated Activation Schedule Location Main Configuration Connections up Remote Site Set up Edit Remote Site Connection Set up Activation...

Page 54: ...ps must be performed in order for the router to be configured for PPPoE connection The remote site set up for the PPPoE should refer to the section for Configure Remote Site Profiles for Leased Line P...

Page 55: ...up Remote Site Set Up Edit Remote Site Protocol Set Up IP Set up NAT enabled enabled Access to some web pages is a common problem experienced when running a PPPoE client on a router By design PPPoE p...

Page 56: ...an outgoing username and password and to authenticate with their services The PPPoE remote site configuration needs to have the security section configured with this ISP parameters to authenticate th...

Page 57: ...ed to the PPPoE connection the router must be configured to have the default IP gateway setup to your newly created PPPoE remote site connection Location Main Configuration Packet Services IP Routing...

Page 58: ...s a DHCP Server IP Address Pool Location Main Configuration Applications Set up DHCP Set up Server IP address pool IP address pool IP Address number of addresses The IP address pool option requires se...

Page 59: ...re 2 10 Local External DNS Server Configuration The configuration options described here are only for initial set up and configuration purposes For more complete information on all of the configuratio...

Page 60: ...es to be sent to the Internet via the router using a single global IP address A global IP address must be assigned to the WAN link upon which NAPT is enabled for port translation to work The global IP...

Page 61: ...et Service Provider Private Network Addresses Global IP Address 199 87 65 43 NAPT mapping 1 1 1 2 199 87 65 43 25 1 1 1 3 199 87 65 43 23 1 1 1 4 199 87 65 43 80 e mail server 1 1 1 2 telnet server 1...

Page 62: ...s that will be used between the two routers Many of the settings define source and destination parameters These settings will be mirror images on the partner routers i e the source value for a paramet...

Page 63: ...action determined by the outcome of the test is then performed on the packet such as IPSec processing discard etc The first step in setting up IPSec is to define the local address that the router will...

Page 64: ...t Policy Item menu will be displayed Under this menu the Encapsulating Security Payload SA parameters and policy rules are set IPSec ESP SA Location Main Configuration Packet Services Set up IP Securi...

Page 65: ...pairs must be mirrored on the peer router set up IPSec ESP SA Location Main Configuration Packet Services Set up IP Security Set up Policy Set up Edit Item item_name Manual ESP SA Keys Outbound encry...

Page 66: ...e source and destination specified by the local IP addresses with masks All protocols will be allowed between all ports Then the policy item must be activated IPSec ESP SA Location Main Configuration...

Page 67: ...item for RIP packets first set the action to bypass IPSec so the packets are not processed IPSec ESP SA Location Main Configuration Packet Services Set up IP Security Set up Policy Set up Edit Item pa...

Page 68: ...et Once the IPSec configuration has been completed and tested this should be changed so that only those packets matching the IPSec conditions are passed IPSec Policy Set up Location Main Configuration...

Page 69: ...iated To initially configure the IKE parameters for Phase 1 negotiation you need to configure the router as follows NOTE Phase 1 can support up to 3 proposals negotiated during IKE negotiation with pr...

Page 70: ...ch IKE protection suites are to be used Configuration Packet Services Set up IP Security Set up Policy Set up Local IP Address IP Address of this router Configuration Packet Services Set up IP Securit...

Page 71: ...63 Configuration Packet Service Set up IP Security Set up Policy Set up Edit Item Menu Selection Rules Menu Edit Service Source IP Address Destination IP Address Protocol Source Port Destination Port...

Page 72: ...ing a group of routers that have security levels set Default outgoing user name for each remote site when it is defined is the same as the default device name Default PAP password and CHAP secret are...

Page 73: ...er expects to receive from the remote partner in response to authentication requests For a pair of partner routers with security enabled the outgoing user name in the security parameters entry of one...

Page 74: ...t access from less trusted sources such as the Internet or dial up ISDN links The following diagram shows a corporate head office network which is connected to the Internet with an router There is als...

Page 75: ...e network FTP WWW Designated Servers Location Main Configuration Applications Set up Firewall Set up WAN Firewall Set up ID 1 for ISP remote site Designated Servers FTP Server 195 100 1 12 WWW HTTP Se...

Page 76: ...ource Address 195 100 2 0 Source Mask 255 255 255 0 Protocol Type TCP Entry Direction outbound Finally holes are provided in the LAN firewall to allow Internet access to the FTP and WWW servers Firewa...

Page 77: ...o and from a network Please see section 3 Introduction to Filtering for details on how to set up various filtering operations Compression Compressing data allows data throughput rate considerably grea...

Page 78: ...shold before the secondary is activated or below threshold before it is brought down This prevents activation or deactivation of the secondary link due to momentary peaks or drops in traffic Bandwidth...

Page 79: ...iority list which contains the criteria items for the outbound packets Each packet will be compared to item 1 in the Priority List and then progress down the list of items in order until a match is fo...

Page 80: ...figuration Interfaces Set up Lan Set up QOS Set up Queuing Strategy Priority Priority List Number To assign a Priority List to a Remote Site Connection Location Main Configuration Connections Set up R...

Page 81: ...NTP server with the current time Once the router receives an NTP packet from the server it will then synchronize its internal clock with the current time In anycast mode the router will send out a re...

Page 82: ...device setup menu To configure for Eastern Standard Time EST and have daylight saving time implemented for this year only implement the following steps Location Configuration Access Set up Device Set...

Page 83: ...the Programmable Filtering section of the P1705 P1730 Reference Manual located on the accompanying CD ROM MAC Address Filtering MAC address filtering is provided by three built in functions The first...

Page 84: ...fset location in the data frame matches the HEX string of the filter pattern there is a positive filter match The data frame will be filtered according to the filter operators being used in the filter...

Page 85: ...octet equals 80 the filter pattern will match Popular Filters Shown here are some of the more commonly used pattern filters Bridge Bridge pattern filters are applied to Ethernet frames that are bridg...

Page 86: ...er pattern filters IP routed frames are unaffected by the bridge pattern filters and the IPX router pattern filters NetBIOS over TCP NetBIOS over TCP NETBIOS Name Service 22 0089 NETBIOS Datagram Serv...

Page 87: ...each of the menu trees is explained in the accompanying P1705 P1730 VPN Menus Manual located on the accompanying CD ROM Menu names are displayed in boxes The numbers on the left side of the boxes indi...

Page 88: ...2 Show address pool 3 Dynamic IP pool 4 Add static entry 5 Remove static entry 6 NAT enable LAN NAT set up 2 1 1 Edit Secondary 2 Show Secondary Entry 3 Remove Secondary Entry 1 Secondary IP 2 Mask Si...

Page 89: ...PPPoE 1 Incoming PAP password 2 Incoming CHAP secret 3 Outgoing user name 4 Outgoing PAP password 5 Outgoing CHAP secret Protocol Set Up Security Parameters 3 4 2 Bridge enabled 3 Tinygram 4 FCS prese...

Page 90: ...s 5 1 Status 2 Location 3 Filter If Source 4 Filter If Destination 5 Permanent 6 Remove Edit MAC Address Filter 1 MAC Address Filters 2 Filter Operation 3 Broadcast Address 4 Show Bridging Table 5 Sho...

Page 91: ...Default export 4 Show services 5 Clear services 1 Syslog 2 Syslog IP 3 Events 4 Security 5 Activation 6 Firewall 1 Other Services menu 2 E mail 3 POP 2 3 4 FTP 5 WWW HTTP 6 Telnet 7 DNS Edit Services...

Page 92: ...ns Note the differences in the TCP IP and Novell frames when bridging and when routing When routing the TCP IP and Novell frames are examined after the Level 2 Ethernet portion of the frame has been s...

Page 93: ...806 ARP 0807 XNS Compatibility 6001 DEC MOP Dump Load 6002 DEC MOP Remote Console 6003 DEC DECNET Phase IV Route 6004 DEC LAT 6005 DEC Diagnostic Protocol 6006 DEC Customer Protocol 6007 DEC LAVC SCA...

Page 94: ...Octet Locations 86 Octet Locations on an IP Routed TCP IP Frame Octet Locations on an IPX Routed Novell Netware Frame...

Page 95: ...Configuration Pages 87 Octet Locations on a Bridged XNS Frame...

Page 96: ...er cabling 2 Turn the bridge router over and place it on a flat cushioned surface 3 Remove the six Phillips head screws that fasten the case together 4 across the front and 1 on each rear side 4 Hold...

Page 97: ...own in the following illustration Link 2 Interface Module ISDN BRI DSU G 703 RS232 V 35 RS422 or V 11 Primary LAN Console Interface Module Link 1 LAN 2 or Module ISDN BRI DSU G 703 RS232 V 35 RS422 or...

Page 98: ...change the password as desired Changing LAN or WAN Interfaces 1 Remove power from the bridge router 2 Remove the screw securing the interface module to the rear of the bridge router 3 Remove the inter...

Page 99: ...n this device CONSOLE Slot1 Slot 2 LAN Console module Remove these screws to remove the modules LINE ISDN U 10 100 BT LAN MDI X MDI Figure C 2 Rear View with the ISDN U Module Installed Processor sett...

Page 100: ...hain connection to the ISDN circuit by using the ISDN AUX connector Figure C 5 ISDN S T Module Termination setting jumpers Connecting to the ISDN U Link Module The connection to the central office is...

Page 101: ...y using the newly upgraded software In some upgrade situations the Directory Numbers and SPIDs may be corrupted after the upgrade and will need to be re entered The router may take up to two 2 minutes...

Page 102: ...ablished only if autocall is enabled on router B The TFTP transfer of the upgrade code may now be performed from the PC to Router C Once Router C has completed programming the flash and has restarted...

Page 103: ...to the transmit clock pins on the DCE interface This clock is then received by the router link interface By using this method the router may be in control of the link speed The link speed may also be...

Page 104: ...ch 1 is down on the normal position the module receives clock signals from the connected network When switch 1 is up up the module will generate clocks When a pair of routers are connected back to bac...

Page 105: ...end X 6 107 CC Data Set Ready X 7 102 AB Signal Ground NA 8 109 CF Received Line Signal Detector CD X 20 108 2 CD Data Terminal Ready X 22 125 CE Ring Indicator X Figure D 3 Console Pinouts The connec...

Page 106: ...8C Figure D 5 Rear View of the T1 E1 Connector When two T1 E1 routers are to be connected in a back to back set up a null modem crossover cable used for the connection A T1 E1 crossover cable would be...

Page 107: ...ta Set Ready X 7 102 AB Signal Ground NA 8 109 CF Received Line Signal Detector CD X 9 10 11 12 13 14 15 114 DB Transmit Signal Element Timing DCE Source X 16 17 115 DD Receive Signal Element Timing D...

Page 108: ...A X 7 8 Ground Signal Ground NA 9 T B Transmitted Data B X 10 C B Control B X 11 R B Received Data B X 12 I B Indication B X 13 S B Signal Element Timing B X 14 15 Figure D 6 V 11 x 21 Link Pinouts Th...

Page 109: ...F B Received Line Signal Detector X 11 DA B Transmit Signal Element Timing DTE Source X 12 DB B Transmit Signal Element Timing DCE Source X 13 CB B Clear to Send X 14 BA B Transmitted Data X 15 DB A T...

Page 110: ...nal Element Timing B X 17 18 U Transmitter Signal Element Timing A DTE X 19 W Transmitter Signal Element Timing B DTE X 20 H Data Terminal Ready X 21 Local Loopback X 22 J Calling Indicator X 23 Y Tra...

Page 111: ...nector on each unit The link speed must be defined for each of the two units Shield Signal Ground DB25 MALE 1 20 7 8 15 17 24 DB25 MALE 1 8 7 20 24 17 15 Signal Ground Shield Transmitted Data Received...

Page 112: ...A Transmitted Data B Received Data B Receiver Signal Element Timing A Receiver Signal Element Timing B Transmitter Signal Element Timing B Transmitter Signal Element Timing A Transmitter Signal Elemen...

Page 113: ...ata A Transmitted Data B Received Data B DCE Ready A DCE Ready B Clear To Send B Request To Send A Request To Send B Received Line Signal Detector A Received Line Signal Detector B DTE Ready A DTE Rea...

Page 114: ...Timing DTE Source A Data Set Ready B Transmit Signal Element Timing DTE Source B Request to Send A Signal Ground Request to Send B Shield Clear to Send A Clear to Send B DB25 MALE 2 20 14 23 3 17 16...

Page 115: ...is necessary to connect two units back to back and a set of modems is not available Note that this cable specifies DB15 connectors on each end to allow direct connection to the link interface connect...

Reviews:

No comments

Brands by name

Popular brands

Load more brands