manualshive.com logo in svg

H3C S5830V2 series, Руководство по настройке безопасности, Страница: 264 / 332

Поделиться
Скачать
H3C S5830V2 series Скачать руководство пользователя страница 264

 

250 

 

Configuring an IKE-based IPsec policy 

In an IKE-based IPsec policy, the parameters are automatically negotiated through IKE. 
To configure an IKE-based IPsec policy, use one of the following methods:  

 

Directly configure it by configuring the parameters in IPsec policy view. 

 

Configure it by referencing an existing IPsec policy template with the parameters to be negotiated 
configured. 
A device referencing an IPsec policy that is configured in this way cannot initiate an SA 
negotiation, but it can respond to a negotiation request. The parameters not defined in the 

template are determined by the initiator. When the remote end's information (such as the IP 
address) is unknown, this method allows the remote end to initiate negotiations with the local end. 

Configuration restrictions and guidelines 

To guarantee successful SA negotiations, make sure the IPsec configurations at the two ends of an IPsec 

tunnel meet the following requirements: 

 

The IPsec policies at the two tunnel ends must have IPsec transform sets that use the same security 
protocols, security algorithms, and encapsulation mode. 

 

The IPsec policies at the two tunnel ends must have the same IKE profile parameters. 

 

An IKE-based IPsec policy can reference up to six IPsec transform sets. During an IKE negotiation, 

IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel. If no match 
is found, no SA can be set up, and the packets expecting to be protected will be dropped. 

 

The remote IP address of the IPsec tunnel is required on an IKE negotiation initiator and is optional 
on the responder. The remote IP address specified on the local end must be the same as the local 

IP address specified on the remote end. 

For an IPsec SA established through IKE negotiation: 

 

The IPsec SA uses the local lifetime settings or those proposed by the peer, whichever are smaller. 

 

The IPsec SA can have both a time-based lifetime and a traffic-based lifetime. The IPsec SA expires 
when either lifetime expires. 

Directly configuring an IKE-based IPsec policy 

 

Step Command 

Remarks 

1.

 

Enter system view. 

system-view 

N/A 

2.

 

Create an IKE-based IPsec 
policy entry and enter its view. 

ipsec

 { 

ipv6-policy

 | 

policy

 } 

policy-name

 

seq-number

 

isakmp

 

By default, no IPsec policy exists. 

3.

 

(Optional.) Configure a 
description for the IPsec 

policy. 

description 

text

 

By default, no description is 
configured. 

4.

 

Specify an ACL for the IPsec 
policy. 

security acl 

ipv6 

] { 

acl-number 

name

 acl-name } 

aggregation 

|

 

per-host

 ]

 

By default, no ACL is specified for 
the IPsec policy. 
An IPsec policy can reference only 
one ACL. 

Содержание S5830V2 series

Страница 1: ...H3C S5830V2 S5820V2 Switch Series Security Configuration Guide Hangzhou H3C Technologies Co Ltd http www h3c com Software version Release 22xx Document version 6W100 20131105...

Страница 2: ...re Secware Storware NQA VVG V2 G Vn G PSPT XGbus N Bus TiGem InnoVision and HUASAN are trademarks of Hangzhou H3C Technologies Co Ltd All other trademarks that may be mentioned in this manual are the...

Страница 3: ...ection This preface includes Audience Added and modified features Conventions About the H3C S5830V2 S5820V2 documentation set Obtaining documentation Technical support Documentation feedback Audience...

Страница 4: ...eatures Password control Public key management N A PKI Added features PKI SSH Added features Configuring the service type as SCP for SSH users Configuring the device as an SCP client Specifying the ou...

Страница 5: ...choice multiple choices or none 1 n The argument or keyword and argument combination before the ampersand sign can be entered 1 to n times A line that starts with a pound sign is comments GUI convent...

Страница 6: ...n assemblies installation manual Describes the appearance specifications and installation and removal of hot swappable fan assemblies Power modules user manual Describes the appearance specifications...

Страница 7: ...Technical support service h3c com http www h3c com Documentation feedback You can e mail your comments about product documentation to info h3c com We appreciate your comments...

Страница 8: ...nabling the session control feature 44 Displaying and maintaining AAA 44 AAA configuration examples 44 AAA for SSH users by an HWTACACS server 44 Local authentication HWTACACS authorization and RADIUS...

Страница 9: ...guration procedure 75 Verifying the configuration 77 Configuring MAC authentication 78 Overview 78 User account policies 78 Authentication methods 78 Configuration prerequisites 79 Configuration task...

Страница 10: ...ontrol parameters 110 Displaying and maintaining password control 111 Password control configuration example 111 Network requirements 111 Configuration procedure 112 Verifying the configuration 113 Ma...

Страница 11: ...ion example 149 Troubleshooting PKI configuration 155 Failed to obtain the CA certificate 155 Failed to obtain local certificates 155 Failed to request local certificates 156 Failed to obtain CRLs 157...

Страница 12: ...Configuring an SSL server policy 198 Configuring an SSL client policy 199 Displaying and maintaining SSL 200 Configuring IP source guard 202 Overview 202 Static IP source guard binding entries 202 Dy...

Страница 13: ...delines 223 Configuration procedure 223 Configuration example 224 Configuring ARP filtering 224 Configuration guidelines 224 Configuration procedure 225 Configuration example 225 Configuring uRPF 227...

Страница 14: ...guring IKE 264 Overview 264 IKE negotiation process 264 IKE security mechanism 265 Protocols and standards 266 FIPS compliance 266 IKE configuration prerequisites 266 IKE configuration task list 266 C...

Страница 15: ...ormation centrally See Figure 1 Figure 1 AAA network diagram A user who wants to access networks or resources beyond the NAS sends its identity information to the NAS which transparently passes the us...

Страница 16: ...s performs user authentication authorization or accounting and returns user access control information for example rejecting or accepting the user access request to the clients In addition the RADIUS...

Страница 17: ...he authentication succeeds the server sends back an Access Accept packet that contains the user s authorization information If the authentication fails the server returns an Access Reject packet 4 The...

Страница 18: ...t From the server to the client If any attribute value included in the Access Request is unacceptable the authentication fails and the server sends an Access Reject response 4 Accounting Request From...

Страница 19: ...ttributes No Attribute No Attribute 1 User Name 45 Acct Authentic 2 User Password 46 Acct Session Time 3 CHAP Password 47 Acct Input Packets 4 NAS IP Address 48 Acct Output Packets 5 NAS Port 49 Acct...

Страница 20: ...ets 90 Tunnel Client Auth id 44 Acct Session Id 91 Tunnel Server Auth id Extended RADIUS attributes The RADIUS protocol features excellent extensibility Attribute 26 Vendor Specific an attribute defin...

Страница 21: ...their primary differences Table 3 Primary differences between HWTACACS and RADIUS HWTACACS RADIUS Uses TCP providing more reliable network transmission Uses UDP providing higher transport efficiency...

Страница 22: ...ntication response requesting the login password 8 Upon receipt of the response the HWTACACS client asks the user for the login password Host HWTACACS client HWTACACS server 1 The user tries to log in...

Страница 23: ...suitable for storing data that does not often change LDAP is typically used to store user information For example LDAP server software Active Directory Server is used in Microsoft Windows operating s...

Страница 24: ...quirements the client sends an administrator bind request to the LDAP server to obtain the right to search for authorization information about users on the user DN list Basic LDAP packet exchange proc...

Страница 25: ...s fail to be bound If all user DNs fail to be bound the LDAP client notifies the user of the login failure and denies the user s access request 9 The LDAP client and server perform authorization excha...

Страница 26: ...ot available The device supports the following authorization methods No authorization The NAS performs no authorization exchange After passing authentication non login users can access the network FTP...

Страница 27: ...deploy AAA across VPNs to enable forwarding of RADIUS and HWTACACS packets across MPLS VPNs For example in the network shown in Figure 9 you can deploy the AAA across VPNs feature so that the multi V...

Страница 28: ...d MTU MTU for the data link between the user and NAS For example this attribute can be used to define the maximum size of EAP packets allowed to be processed in 802 1X EAP authentication 14 Login IP H...

Страница 29: ...this attribute is 201 79 EAP Message Used to encapsulate EAP packets to allow RADIUS to support EAP authentication 80 Message Authenticator Used for authentication and verification of authentication p...

Страница 30: ..._Host_Addr User IP address and MAC address included in authentication and accounting requests in the format A B C D hh hh hh hh hh hh A space is required between the IP address and the MAC address 61...

Страница 31: ...d the related attributes including the usernames and passwords for the users to be authenticated Remote authentication Configure the required RADIUS HWTACACS and LDAP schemes 2 Configure AAA methods f...

Страница 32: ...ied into the following types Device management user User who logs in to the device for device management Network access user User who accesses network resources through the device Configurable local u...

Страница 33: ...ing password control Local user configuration task list Tasks at a glance Required Configuring local user attributes Optional Configuring user group attributes Optional Displaying and maintaining loca...

Страница 34: ...ices 6 Optional Configure binding attributes for the local user bind attribute ip ip address location port slot number subslot number port number mac mac address vlan vlan id By default no binding att...

Страница 35: ...longs to the default user group system and bears all attributes of the group To assign a local user to a different user group use the user group command in local user view To configure user group attr...

Страница 36: ...ptional Specifying the RADIUS accounting servers and the relevant parameters Optional Specifying the shared keys for secure RADIUS communication Optional Specifying a VPN for the scheme Optional Setti...

Страница 37: ...pv6 ipv6 address port number key cipher simple string vpn instance vpn instance name Configure at least one command By default no authentication server is specified Two authentication servers in a sch...

Страница 38: ...r password encryption They must use the same key for each type of communication A key configured in this task is for all servers of the same type accounting or authentication in the scheme and has a l...

Страница 39: ...name is included in a username 4 Optional Set the data flow and packet measurement units for traffic statistics data flow format data byte giga byte kilo byte mega byte packet giga packet kilo packet...

Страница 40: ...the server changes back to active but the device does not check the server again during the authentication or accounting process If no server is found reachable during one search process the device co...

Страница 41: ...NAS If yes the server processes the packet If not the server drops the packet The source address of outgoing RADIUS packets is typically the IP address of an egress interface on the NAS to communicate...

Страница 42: ...accounting packets to the accounting server for online users When you set RADIUS timers follow these guidelines When you configure the maximum number of RADIUS packet transmission attempts and the RAD...

Страница 43: ...f retries The RADIUS server must run on IMC to correctly log out users when a card reboots on the distributed device to which the users connect To configure the accounting on feature for a RADIUS sche...

Страница 44: ...pecifying the HWTACACS authentication servers Optional Specifying the HWTACACS authorization servers Optional Specifying the HWTACACS accounting servers Required Specifying the shared keys for secure...

Страница 45: ...pn instance name Specify a secondary HWTACACS authentication server secondary authentication ipv4 address ipv6 ipv6 address port number key cipher simple string vpn instance vpn instance name Configur...

Страница 46: ...e primary accounting server of one scheme and as the secondary accounting server of another scheme at the same time HWTACACS does not support accounting for FTP users To specify HWTACACS accounting se...

Страница 47: ...public network Setting the username format and traffic statistics units A username is typically in the format userid isp name where isp name represents the user s ISP domain name By default the ISP do...

Страница 48: ...ed with the VRRP for stateful failover the source IP address of outgoing HWTACACS packets can be the virtual IP address of the uplink VRRP group You can specify the source IP address for outgoing HWTA...

Страница 49: ...communicates when the current servers are no longer available You can specify one primary HWTACACS server and multiple secondary HWTACACS servers with the secondary servers functioning as the backup...

Страница 50: ...ting precision but requires many system resources When there are 1000 or more users set a longer interval 5 Set the server quiet timer timer quiet minutes By default the server quiet timer is 5 minute...

Страница 51: ...ifying the LDAP version Specify the LDAP version on the NAS The device supports LDAPv2 and LDAPv3 and the LDAP version specified on the device must be consistent with that specified on the LDAP server...

Страница 52: ...is specified Configuring LDAP user attributes To authenticate a user an LDAP client must establish a connection to the LDAP server obtain the user DN from the LDAP server and use the user DN and the...

Страница 53: ...rks 1 Enter system view system view N A 2 Create an LDAP scheme and enter its view ldap scheme ldap scheme name By default no LDAP scheme is defined Specifying the LDAP authentication server Step Comm...

Страница 54: ...ice each user belongs to an ISP domain If a user provides no ISP domain name at login the device considers the user belongs to the default ISP domain To delete the ISP domain functioning as the defaul...

Страница 55: ...a RADIUS scheme is specified the device uses the username enabn on the RADIUS server for role authentication where n is the same as that in the target user role level n Configuration procedure To conf...

Страница 56: ...ntication and reference the same RADIUS scheme for RADIUS authentication and authorization If the RADIUS authorization configuration is invalid or RADIUS authorization fails the RADIUS authentication...

Страница 57: ...uidelines Login users who use FTP services do not support accounting Local accounting does not provide statistics for charging It only counts and controls the number of concurrent users who use the sa...

Страница 58: ...mmand Remarks 1 Enter system view system view N A 2 Enable the session control feature radius session control enable By default the session control feature is disabled Displaying and maintaining AAA E...

Страница 59: ...ting 10 1 1 1 49 Set the shared keys for secure HWTACACS communication to expert in plain text Switch hwtacacs hwtac key authentication simple expert Switch hwtacacs hwtac key authorization simple exp...

Страница 60: ...hentication for SSH servers use the HWTACACS server and RADIUS server for SSH user authorization and accounting respectively and to assign the default user role network operator to SSH users after the...

Страница 61: ...ice type ssh Set a password for the local user to hello in plain text Switch luser manage hello password simple hello Switch luser manage hello quit Create ISP domain bbb and configure AAA methods for...

Страница 62: ...access device Log in to IMC click the Service tab and select User Access Manager Access Device Management Access Device from the navigation tree Then click Add to configure an access device as follow...

Страница 63: ...ser from the navigation tree Then click Add to configure a device management account as follows a Enter the account name hello bbb and specify the password b Select the service type SSH c Specify 10 1...

Страница 64: ...vlan interface 3 Switch Vlan interface3 ip address 10 1 1 2 255 255 255 0 Switch Vlan interface3 quit Create local RSA and DSA key pairs Switch public key local create rsa Switch public key local crea...

Страница 65: ...sp bbb accounting login none Switch isp bbb quit Verifying the configuration When the user initiates an SSH connection to the switch and enter the username hello bbb and the correct password the user...

Страница 66: ...and double click Active Directory Users and Computers to display the Active Directory Users and Computers window b From the navigation tree click Users under the ldap com node c Select Action New User...

Страница 67: ...s password e Click OK Add user aaa to group Users f From the navigation tree click Users under the ldap com node g On the right pane right click aaa and select Properties h In the dialog box click th...

Страница 68: ...field and click OK User aaa is added to group Users Figure 20 Adding user aaa to group Users Set the administrator password to admin 123456 a From the user list on the right pane right click Administ...

Страница 69: ...he default user role network operator after passing authentication Switch role default role enable Configure an LDAP server Switch ldap server ldap1 Specify the IP address of the LDAP authentication s...

Страница 70: ...ct The RADIUS server and the NAS are configured with different shared keys Solution Check that The NAS and the RADIUS server can ping each other The username is in the userid isp name format and the I...

Страница 71: ...address configured on the NAS is incorrect For example the NAS is configured to use a single server to provide authentication authorization and accounting services but in fact the services are provide...

Страница 72: ...number of the LDAP server configured on the NAS match those of the server The username is in the correct format and the ISP domain for the user authentication is correctly configured on the NAS The u...

Страница 73: ...ion services for the network access device The authentication server authenticates 802 1X clients by using the data sent from the network access device and returns the authentication results to the ne...

Страница 74: ...cation server EAP is an authentication framework that uses the client server model It supports a variety of authentication methods including MD5 Challenge EAP Transport Layer Security EAP TLS and Prot...

Страница 75: ...4 MD5 challenge are two examples for the type field EAPOL packet format Figure 24 shows the EAPOL packet format Figure 24 EAPOL packet format PAE Ethernet type Protocol type It takes the value 0x888E...

Страница 76: ...3 bytes RADIUS encapsulates it in multiple EAP Message attributes Figure 25 EAP Message attribute format Message Authenticator RADIUS includes the Message Authenticator attribute in all packets that h...

Страница 77: ...t if no response has been received within a certain time interval 802 1X authentication procedures 802 1X authentication provides two methods EAP relay and EAP termination You choose either mode depen...

Страница 78: ...ge Authenticator attributes and the EAP authentication method used by the client EAP termination Works with any RADIUS server that supports PAP or CHAP authentication Supports only MD5 Challenge EAP a...

Страница 79: ...enge to encrypt the password in the entry and sends the challenge in a RADIUS Access Challenge packet to the network access device 6 The network access device relays the EAP Request MD5 Challenge pack...

Страница 80: ...handshake attempts fail the device logs off the client 12 Upon receiving a handshake request the client returns a response If the client fails to return a response after a certain number of consecutiv...

Страница 81: ...nation mode the network access device rather than the authentication server generates an MD5 challenge for password encryption The network access device then sends the MD5 challenge together with the...

Страница 82: ...tely authenticated on a port When a user logs off no other online users are affected Configuration prerequisites Configure an ISP domain and AAA scheme local or RADIUS authentication for 802 1X users...

Страница 83: ...ted by the 802 1X client and the RADIUS server If the client is using only MD5 Challenge EAP authentication or the username password EAP authentication initiated by an H3C iNode 802 1X client you can...

Страница 84: ...e to allow only EAPOL packets to pass After a user passes authentication sets the port in the authorized state to allow access to the network You can use this option in most scenarios To set the autho...

Страница 85: ...view N A 2 Set the maximum number of attempts for sending an authentication request dot1x retry max retry value The default setting is 2 Setting the 802 1X authentication timeout timers The network de...

Страница 86: ...3 Enter Ethernet interface view interface interface type interface number N A 4 Enable the online handshake function dot1x handshake By default the function is enabled Configuring the authentication t...

Страница 87: ...ce view interface interface type interface number N A 4 Enable an authentication trigger dot1x multicast trigger unicast trigger By default the multicast trigger is enabled and the unicast trigger is...

Страница 88: ...authentication interval is user configurable The periodic online user re authentication timer can also be set by the authentication server in the session timeout attribute The server assigned timer o...

Страница 89: ...thentication and accounting servers and the host at 10 1 1 2 24 as the secondary authentication and accounting servers Assign all users to the ISP domain aabbcc net Configure the shared key as name fo...

Страница 90: ...and accounting RADIUS servers Device radius radius1 secondary authentication 10 1 1 2 Device radius radius1 secondary accounting 10 1 1 2 Specify the shared key between the access device and the authe...

Страница 91: ...terface ten gigabitethernet 1 0 1 Device Ten GigabitEthernet1 0 1 dot1x port method macbased Specify aabbcc net as the mandatory domain Device Ten GigabitEthernet1 0 1 dot1x mandatory domain aabbcc ne...

Страница 92: ...policies One MAC based user account for each user The access device uses the source MAC addresses in packets as the usernames and passwords of users for MAC authentication This policy is suitable for...

Страница 93: ...is disabled For more information about port security see Configuring port security Configuration task list Tasks at a glance Required Enabling MAC authentication Optional Specifying a MAC authenticat...

Страница 94: ...tication chooses an authentication domain for users on a port in this order the port specific domain the global domain and the default domain For more information about authentication domains see Conf...

Страница 95: ...evice must wait before it can perform MAC authentication for a user who has failed MAC authentication All packets from the MAC address are dropped during the quiet time This quiet mechanism prevents r...

Страница 96: ...authentication configuration examples Local MAC authentication configuration example Network requirements As shown in Figure 32 configure local MAC authentication on port Ten GigabitEthernet 1 0 1 to...

Страница 97: ...imer offline detect 180 Device mac authentication timer quiet 180 Configure MAC authentication to use MAC based accounts The MAC address usernames and passwords are hyphenated and in lower case Device...

Страница 98: ...Network diagram Configuration procedure 1 Make sure the RADIUS server and the access device can reach each other 2 Create a shared account for MAC authentication users on the RADIUS server and set th...

Страница 99: ...ication users Device mac authentication user name format fixed account aaa password simple 123456 Verifying the configuration Display MAC authentication settings and statistics Device display mac auth...

Страница 100: ...require only 802 1X authentication or MAC authentication H3C recommends you use the 802 1X authentication or MAC authentication feature rather than port security For more information about 802 1X and...

Страница 101: ...cation mode in use allows whichever is smaller For example if 802 1X allows more concurrent users than port security s limit on the number of MAC addresses on the port in userLoginSecureExt mode port...

Страница 102: ...ess dynamic and mac address static commands to pass When the number of secure MAC addresses reaches the upper limit the port transitions to secure mode secure MAC address learning is disabled on a por...

Страница 103: ...s mode supports multiple 802 1X and MAC authentication users macAddressElseUserLoginSecure This mode is the combination of the macAddressWithRadius and userLoginSecure modes with MAC authentication ha...

Страница 104: ...the number of secure MAC addresses on a port You can set the maximum number of secure MAC addresses that port security allows on a port for the following purposes Controlling the number of concurrent...

Страница 105: ...ddress oui value By default no OUI value is configured for user authentication This command is required for the userlogin withoui mode You can set multiple OUIs but when the port security mode is user...

Страница 106: ...iew interface interface type interface number N A 3 Configure the NTK feature port security ntk mode ntk withbroadcasts ntk withmulticasts ntkonly By default NTK is disabled on a port and all frames a...

Страница 107: ...comparison of static and sticky secure MAC addresses Type Address sources Aging mechanism Can be saved and survive a device reboot Static Manually added Not available They never age out unless you ma...

Страница 108: ...not be specified as both a static secure MAC address and a sticky MAC address Ignoring authorization information from the server You can configure a port to ignore the authorization information receiv...

Страница 109: ...If any frame with an unknown MAC address arrives intrusion protection starts and the port shuts down and stays silent for 30 seconds Figure 34 Network diagram Configuration procedure Enable port secu...

Страница 110: ...ernet1 0 1 display this interface Ten GigabitEthernet1 0 1 port security max mac count 64 port security port mode autolearn port security mac address security sticky 0002 0000 0015 vlan 1 port securit...

Страница 111: ...The following configuration steps cover some AAA RADIUS configuration commands For more information about the commands see Security Command Reference Make sure the host and the RADIUS server can reac...

Страница 112: ...thOUI Device interface ten gigabitethernet 1 0 1 Device Ten GigabitEthernet1 0 1 port security port mode userlogin withoui Device Ten GigabitEthernet1 0 1 quit Verifying the configuration Display the...

Страница 113: ...ode Disabled Intrusion protection mode NoAction Max number of secure MAC addresses Not configured Current number of secure MAC addresses 1 Authorization is permitted After an 802 1X user goes online y...

Страница 114: ...ty enable Configure the username and password for MAC authentication as aaa and 123456 Device mac authentication user name format fixed account aaa password simple 123456 Specify the MAC authenticatio...

Страница 115: ...Offline detect period is 60s Quiet period is 5s Server response timeout value is 100s Max number of users is 1024 per slot Current number of online users is 3 Current authentication domain is sun Sil...

Страница 116: ...ed EAPOL Start Packets 6 EAPOL LogOff Packets 2 EAP Response Identity Packets 80 EAP Response Challenge Packets 6 Error Packets 0 1 Authenticated user MAC address 0002 0000 0011 Controlled Users 1 Bec...

Страница 117: ...a port security mode other than autoLearn Solution Set the port security mode to autoLearn Device Ten GigabitEthernet1 0 1 undo port security port mode Device Ten GigabitEthernet1 0 1 port security ma...

Страница 118: ...m the following types Uppercase letters A to Z Lowercase letters a to z Digits 0 to 9 Special characters For information about special characters see the password control composition command in Securi...

Страница 119: ...ssword expiration Password expiration imposes a lifecycle on a user password After the password expires the user needs to change the password If a user enters an expired password when logging in the s...

Страница 120: ...Limiting the number of consecutive failed login attempts can effectively prevent password guessing If an FTP or VTY user fails authentication the system adds the user to a password control blacklist...

Страница 121: ...ll user groups if you do not configure password policies for these users in both local user view and user group view For local user passwords the settings with a smaller application scope have higher...

Страница 122: ...not take effect on users that have been logged in or passwords that have been configured To set global password control parameters Step Command Remarks 1 Enter system view system view N A 2 Set the pa...

Страница 123: ...n idle time idle time The default setting is 90 days Setting user group password control parameters Step Command Remarks 1 Enter system view system view N A 2 Create a user group and enter user group...

Страница 124: ...ed for the user group the global setting applies to the local user 5 Configure the password composition policy for the local user password control composition type number type number type length type...

Страница 125: ...cklist reset password control blacklist user name name Clear history password records reset password control history record user name name super role role name NOTE The reset password control history...

Страница 126: ...swords to expire after 30 days Sysname password control aging 30 Globally set the minimum password length to 16 Sysname password control length 16 Set the minimum password update interval to 36 hours...

Страница 127: ...ser in interactive mode Sysname luser manage test password Password Confirm Updating user information Please wait Sysname luser manage test quit Verifying the configuration Display the global password...

Страница 128: ...name local user test class manage Sysname luser manage test display this local user test class manage service type telnet authorization attribute user role network operator password control aging 20 p...

Страница 129: ...public key The security applications use the asymmetric key algorithms for the following purposes Encryption and decryption Any public key receiver can use the public key to encrypt information but o...

Страница 130: ...pair The key pairs are automatically saved and can survive system reboots Table 8 A comparison of different types of asymmetric key algorithms Type Number of key pairs Modulus length H3C recommendati...

Страница 131: ...blic key Exporting a host public key in a specific format to a file Use this method if you can import public keys from a file on the peer device Displaying a host public key in a specific format and s...

Страница 132: ...nd copy it to an unformatted file You must literally enter the key on the peer device Perform the following tasks in any view Task Command Display local RSA public keys display public key local rsa pu...

Страница 133: ...ight be incorrect If the key is not in the correct format the system discards the key and displays an error message If the key is valid for example the key displayed by the display public key local pu...

Страница 134: ...As shown in Figure 38 to prevent illegal access Device B authenticates Device A through a digital signature Before configuring authentication parameters on Device B configure the public key of Device...

Страница 135: ...1A49ACE E1362A4371549ECD85BA04DEE4D6BB8BE53B6AED7F1401EE88733CA3C4CED391BAE633028A AC41C80A15953FB22AA30203010001 2 Configure Device B Enter the host public key of Device A in public key view The key...

Страница 136: ...PS mode Network requirements In Figure 39 Device B authenticates Device A through a digital signature Before configuring authentication parameters on Device B configure the public key of Device A on D...

Страница 137: ...028A AC41C80A15953FB22AA30203010001 Export the RSA host public key to the file devicea pub DeviceA public key local export rsa ssh2 devicea pub DeviceA quit Enable the FTP server function create an FT...

Страница 138: ...fy that the host public key is the same as it is on Device A DeviceB display public key peer name devicea Key name devicea Key type RSA Key modulus 1024 Key code 30819F300D06092A864886F70D010101050003...

Страница 139: ...e international standards of ITU T X 509 of which X 509 v3 is common This chapter covers the following types of certificates CA certificate Certificate of a CA Multiple CAs in a PKI system form a CA t...

Страница 140: ...fines the certificate validity periods and revokes certificates by publishing CRLs RA In a PKI system with complex CA hierarchical structures RAs which are trusted by CAs manage registration requests...

Страница 141: ...otocols for example IPsec in conjunction with PKI based encryption and digital signature technologies for confidentiality Secure emails PKI can address the email requirements for confidentiality integ...

Страница 142: ...uesting a certificate Configuring automatic certificate request Manually requesting a certificate Optional Aborting a certificate request Optional Obtaining certificates Optional Verifying PKI certifi...

Страница 143: ...efault no PKI entities exist To create multiple PKI entities repeat this step 3 Set a common name for the entity common name common name sting By default the common name is not set 4 Set the country c...

Страница 144: ...d CA is specified To obtain a CA certificate the trusted CA name must be provided The trusted CA name is in SCEP messages and the CA server does not use this name unless the server has two CAs configu...

Страница 145: ...tions including SSL clients and SSL server The extension of a certificate depends on the certificate user and it is not limited by PKI The extension options contained in an issued certificate depend o...

Страница 146: ...re sending a certificate request Configuration guidelines Make sure the system time is synchronized with the CA server Otherwise the certificate request process might fail because the certificate migh...

Страница 147: ...sed a PKI domain can have only one local certificate If RSA is used a PKI domain can have one local certificate for signature and one for encryption If a local certificate exists do not request a cert...

Страница 148: ...btain the CA certificate local certificates and peer certificates related to a PKI domain from a CA and save them locally for higher lookup efficiency To do so use either the offline mode or the onlin...

Страница 149: ...rocedure To obtain certificates Step Command Remarks 1 Enter system view system view N A 2 Import or obtain certificates Import certificates in offline mode pki import domain domain name der ca local...

Страница 150: ...i retrieve crl domain domain name The newly obtained CRL overwrites the old one if any The obtained CRL must be issued by a CA certificate in the CA certificate chain in the current domain 8 Verify th...

Страница 151: ...the PKI domain must have at least one local certificate Otherwise the export operation fails To back up or import certificates you can export the CA certificate and the local certificates in a PKI dom...

Страница 152: ...ting with a certificate attribute group A certificate attribute group contains multiple attribute rules each defining a matching criterion for the issuer name subject name or alternative subject names...

Страница 153: ...multiple statements for a certificate access control policy Displaying and maintaining PKI Execute display commands in any view Task Command Display the contents of a certificate display pki certifica...

Страница 154: ...uding the common name CN organization unit OU organization O and country C You can use the default values for the other attributes 2 Configure extended attributes Enter the management interface for th...

Страница 155: ...is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully 5 Request a l...

Страница 156: ...01 X509v3 extensions X509v3 CRL Distribution Points Full Name DirName CN myca Signature Algorithm sha1WithRSAEncryption b0 9d d9 ac a0 9b 83 99 bf 9d 0a ca 12 99 58 60 d8 aa 73 54 61 4b a2 4c 09 bb 9f...

Страница 157: ...icates issued by the CA to the RA b Right click the CA server in the navigation tree and select Properties Policy Module c Click Properties and then select Follow the settings in the certificate templ...

Страница 158: ...public key local create rsa name abc The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1...

Страница 159: ...3e c3 af fa 33 2c fc c2 ed b9 ee 60 83 b3 d3 e5 8e e5 02 cf b0 c8 f0 3a a4 b7 ac a0 2c 4d 47 5f 39 4b 2c 87 f2 ee ea d0 c3 d0 8e 2c 80 83 6f 39 86 92 98 1f d2 56 3b d7 94 d2 22 f4 df e3 f8 d1 b8 92 27...

Страница 160: ...e c7 57 9d 7f 82 c7 46 06 7d 7c 39 c4 94 41 bd 9e 5c 97 86 c8 48 de 35 1e 80 14 02 09 ad 08 To display detailed information about the CA certificate use the display pki certificate domain command Cert...

Страница 161: ...length 1024 bits Device pki domain openca public key rsa general name abc length 1024 Device pki domain openca quit 4 Generate a local RSA key pair Device public key local create rsa name abc The ran...

Страница 162: ...5 f3 21 4d 3c 8e 63 8d f8 71 7d 28 a1 15 23 99 ed f9 a1 c3 be 74 0d f7 64 cf 0a dd 39 49 d7 3f 25 35 18 f4 1c 59 46 2b ec 0d 21 1d 00 05 8a bf ee ac 61 03 6c 1f 35 b5 b4 cd 86 9f 45 Exponent 65537 0x1...

Страница 163: ...7f d2 50 ac a0 a3 9e 88 48 10 0b 4a 7d ed c1 03 9f 87 97 a3 5e 7d 75 1d ac 7b 6f bb 43 4d 12 17 9a 76 b0 bf 2f 6a cc 4b cd 3d a1 dd e0 dc 5a f3 7c fb c3 29 b0 12 49 5c 12 4c 51 6e 62 43 8b 73 b9 26 2a...

Страница 164: ...ains the private key for signature and one is the local certificate file pkilocal pem encryption which contains the private key for encryption Display the local certificate file pkilocal pem signature...

Страница 165: ...ample assumes CRL checking is not required DeviceB system view DeviceB pki domain importdomain DeviceB pki domain importdomain undo crl check enable Specify the RSA key pair for signature as sign and...

Страница 166: ...98 db a7 c2 36 e2 86 90 55 c7 8c c5 ea 12 01 31 69 bf e3 91 71 ec 21 Exponent 65537 0x10001 X509v3 extensions X509v3 Basic Constraints CA FALSE Netscape Cert Type SSL Client S MIME X509v3 Key Usage Di...

Страница 167: ...1e 18 fb df 56 cb 6f a2 56 35 0d 39 94 34 6d 19 1d 46 d7 bf 1a 86 22 78 87 3e 67 fe 4b ed 37 3d d6 0a 1c 0b Certificate Data Version 3 0x2 Serial Number 08 7c 67 01 5c b3 5a 12 0f 2f Signature Algori...

Страница 168: ...ture Algorithm sha256WithRSAEncryption 53 69 66 5f 93 f0 2f 8c 54 24 8f a2 f2 f1 29 fa 15 16 90 71 e2 98 e3 5c c6 e3 d4 5f 7a f6 a9 4f a2 7f ca af c4 c8 c7 2c c0 51 0a 45 d4 56 e2 81 30 41 be 9f 67 a1...

Страница 169: ...of the device with the CA server 5 Specify the correct source IP address for PKI protocol packets that the CA server can accept 6 Verify the fingerprint information on the CA server Failed to obtain...

Страница 170: ...ectly specified The required parameters are not configured for the PKI entity or are mistakenly configured No key pair is specified for the PKI domain for certificate request or the key pair is change...

Страница 171: ...orrect in the PKI domain The CA does not issue CRLs The PKI domain is not specified with the source IP address of the PKI protocol packets that the CA server can accept or is specified with an incorre...

Страница 172: ...e system time is wrong Solution 1 Obtain or import the CA certificate 2 Use undo crl check enable to disable CRL checking or obtain the proper CRLs 3 Make sure the format of the imported file is prope...

Страница 173: ...he device Failed to set the storage path Symptom The storage path for certificates or CRLs cannot be set Analysis The specified storage path does not exist The specified storage path is illegal The di...

Страница 174: ...e transfer The device can serve as an SFTP server allowing a remote user to log in to the SFTP server for secure file management and transfer The device can also serve as an SFTP client enabling a use...

Страница 175: ...hentication request and sends the request to the server After receiving the request the SSH server decrypts the request to get the username and password in plain text examines the validity of the user...

Страница 176: ...ed Enabling the SSH server function Required for Stelnet and SCP servers Required Enabling the SFTP server function Required for SFTP server Required Configuring the user interfaces for Stelnet client...

Страница 177: ...encrypt the session key before transmitting the session key Because SSH2 uses the DH algorithm to separately generate the session key on the SSH server and the client no session key transmission is re...

Страница 178: ...heme authentication mode scheme By default the authentication mode is password For more information about this command see Fundamentals Command Reference Configuring a client s host public key If the...

Страница 179: ...public key view public key peer keyname N A 3 Configure a client s host public key Enter the content of the host public key When you enter the contents for a host public key you can use spaces and car...

Страница 180: ...ept password authentication the other authentication methods require a client s host public key or digital certificate to be specified If a client directly sends the user s public key information to t...

Страница 181: ...users When the number of online SSH users reaches the upper limit the system refuses new SSH connection requests To set the SSH management parameters Step Command Remarks 1 Enter system view system v...

Страница 182: ...ageability of Stelnet clients in the authentication service H3C recommends that you specify a loopback interface as the source interface To specify a source IP address or source interface for the Stel...

Страница 183: ...hentication by default When the device accesses an Stelnet server for the first time but it is not configured with the host public key of the SSH server it can access the server and locally save the s...

Страница 184: ...eyname source interface interface type interface number ip ip address Establish a connection to an IPv6 Stelnet server In non FIPS mode ssh2 ipv6 server port number vpn instance vpn instance name i in...

Страница 185: ...specify a loopback interface as the source interface To specify a source IP address or source interface for the SFTP client Step Command Remarks 1 Enter system view system view N A 2 Specify a source...

Страница 186: ...erface number ip ip addres In FIPS mode sftp server port number vpn instance vpn instance name identity key rsa prefer compress zlib prefer ctos cipher aes128 aes256 prefer ctos hmac sha1 sha1 96 pref...

Страница 187: ...ir remote path Available in SFTP client view Working with SFTP files Task Command Remarks Change the name of a file on the SFTP server rename old name new name Available in SFTP client view Download a...

Страница 188: ...ection describes how to configure the device as an SCP client and transfer files with an SCP server When an SCP client accesses an SCP server it uses the locally saved host public key of the server to...

Страница 189: ...96 publickey keyname source interface interface type interface number ip ip address Connect to the IPv6 SCP server and transfer files with this server In non FIPS mode scp ipv6 server port number vpn...

Страница 190: ...eers display public key peer brief name publickey name Stelnet configuration examples This section provides examples of configuring Stelnet Unless otherwise noted devices in the configuration examples...

Страница 191: ...ode for the user interfaces to AAA Switch user interface vty 0 15 Switch ui vty0 15 authentication mode scheme Switch ui vty0 15 quit Create a local device management user client001 with the plaintext...

Страница 192: ...of the Stelnet server Figure 47 Specifying the host name or IP address c Click Open to connect to the server If the connection is successfully established the system asks you to enter the username an...

Страница 193: ...procedure In the server configuration the client s host public key is required Use the client software to generate RSA key pairs on the client before configuring the Stelnet server There are differen...

Страница 194: ...the green progress bar shown in Figure 50 Otherwise the progress bar stops moving and the key pair generating progress stops Figure 50 Generating process c After the key pair is generated click Save p...

Страница 195: ...erate the RSA key pairs Switch system view Switch public key local create rsa The range of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to...

Страница 196: ...ey import sshkey key pub Create an SSH user client002 with the authentication method publickey and assign the public key switchkey to the user Switch ssh user client002 service type stelnet authentica...

Страница 197: ...52 Specifying the host name or IP address c Select Connection SSH from the navigation tree The window shown in Figure 53 appears d Select 2 for the Preferred SSH protocol version Figure 53 Specifying...

Страница 198: ...lished the system asks you to enter the username After entering the username client002 you can enter the CLI of the server Password authentication enabled Stelnet client configuration example Network...

Страница 199: ...t client will use this address as the destination address of the SSH connection SwitchB interface vlan interface 2 SwitchB Vlan interface2 ip address 192 168 1 40 255 255 255 0 SwitchB Vlan interface2...

Страница 200: ...next time after entering the correct password If you configure the host public key of the server on the client perform the following configurations In public key view enter the host public key of ser...

Страница 201: ...192 168 1 40 s password After you enter the correct password you successfully log in to Switch B Publickey authentication enabled Stelnet client configuration example Network requirements As shown in...

Страница 202: ...he key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair successfully Generate a DSA key pair Switc...

Страница 203: ...ion to the Stelnet server 192 168 1 40 SwitchA ssh2 192 168 1 40 Username client002 The server is not authenticated Continue Y N y Do you want to save the server public key Y N n You can log in to Rou...

Страница 204: ...destination for SSH connection Switch interface vlan interface 2 Switch Vlan interface2 ip address 192 168 1 45 255 255 255 0 Switch Vlan interface2 quit Create a local device management user named cl...

Страница 205: ...d SFTP client configuration example Network requirements As shown in Figure 59 you can log in to Switch B through the SFTP client that runs on Switch A and are assigned the user role network admin to...

Страница 206: ...chA public key local export rsa ssh2 pubkey SwitchA quit Transmit the public key file pubkey to the server through FTP or TFTP Details not shown 2 Configure the SFTP server Generate the RSA key pairs...

Страница 207: ...client001 authorization attribute user role network admin work directory flash SwitchB luser manage client001 quit 3 Establish a connection to the SFTP server Establish a connection to the SFTP serve...

Страница 208: ...pubkey2 from the server and save it as a local file public sftp get pubkey2 public Fetching pubkey2 to public pubkey2 100 225 1 4KB s 00 00 Upload the local file pu to the server save it as puk and ve...

Страница 209: ...ange of public key size is 512 2048 If the key modulus is greater than 512 it will take a few minutes Press CTRL C to abort Input the modulus length default 1024 Generating Keys Create the key pair su...

Страница 210: ...ype password 2 Configure an IP address for VLAN interface 2 on the SCP client SwitchA system view SwitchA interface vlan interface 2 SwitchA Vlan interface2 ip address 192 168 0 2 255 255 255 0 Switch...

Страница 211: ...tegrity SSL uses the message authentication code MAC to verify message integrity It uses a MAC algorithm and a key to transform a message of any length to a fixed length message Any change to the orig...

Страница 212: ...nds alert messages to the receiving party An alert message contains the alert severity level and a description FIPS compliance The device supports the FIPS mode that complies with NIST FIPS 140 2 requ...

Страница 213: ...ode ciphersuite dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_256_cbc_sha exp_rsa_des_cbc_sha exp_rsa_rc2_md5 exp_rsa_rc4_md5 rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha rsa_aes_256_cbc_sha rsa_des_cbc_sha rsa_rc4...

Страница 214: ...e for the SSL client policy In non FIPS mode prefer cipher dhe_rsa_aes_128_cbc_sha dhe_rsa_aes_256_cbc_sha exp_rsa_des_cbc_sha exp_rsa_rc2_md5 exp_rsa_rc4_md5 rsa_3des_ede_cbc_sha rsa_aes_128_cbc_sha...

Страница 215: ...201 Task Command Display SSL server policy information display ssl server policy policy name Display SSL client policy information display ssl client policy policy name...

Страница 216: ...n be statically configured or dynamically added NOTE IP source guard is a per interface packet filter The IP source guard function configured on one interface does not affect packet forwarding on anot...

Страница 217: ...cation Such binding entries do not filter packets directly but help other modules such as the ARP detection module to provide security services For information about DHCP snooping DHCP relay and DHCP...

Страница 218: ...packet s source IP address matches a dynamic binding entry If no match is found the packet is dropped To implement dynamic IPv4 source guard make sure the DHCP snooping or DHCP relay function operate...

Страница 219: ...loopback group Enabling IPv6 source guard on an interface You must first enable the IPv6 source guard function on an interface before the interface can use static IPv6 binding entries to filter packet...

Страница 220: ...entries display ip source binding static vpn instance vpn instance name dhcp relay dhcp server dhcp snooping ip address ip address mac address mac address vlan vlan id interface interface type interf...

Страница 221: ...rnet1 0 2 ip verify source ip address mac address On Ten GigabitEthernet 1 0 2 configure a static IPv4 source guard binding entry to allow only IP packets with the source MAC address of 0001 0203 0405...

Страница 222: ...ay static IPv4 source guard binding entries on Switch A The output shows that the static IPv4 source guard binding entries are configured successfully SwitchA display ip source binding static Total en...

Страница 223: ...gabitEthernet1 0 2 quit 3 Configure IPv4 source guard on the switch Enable IPv4 source guard on port Ten GigabitEthernet 1 0 1 to filter packets based on both the source IP address and the MAC address...

Страница 224: ...to filter packets based on both the source IP address and the MAC address Switch system view Switch interface vlan interface 100 Switch Vlan interface100 ip verify source ip address mac address Switch...

Страница 225: ...t1 0 1 ipv6 verify source ip address mac address On port Ten GigabitEthernet 1 0 1 configure a static IPv6 source guard binding entry to allow only IPv6 packets with the source IPv6 address of 2001 1...

Страница 226: ...t a glance Flood prevention Configuring unresolvable IP attack protection configured on gateways Configuring ARP source suppression Enabling ARP blackhole routing Configuring ARP packet rate limit con...

Страница 227: ...ARP source suppression is disabled 3 Set the maximum number of unresolvable packets that the device can receive from a host within 5 seconds arp source suppression limit limit value By default the max...

Страница 228: ...n and set the threshold to 100 Device system view Device arp source suppression enable Device arp source suppression limit 100 Enable ARP blackhole routing Device arp resolving route enable Configurin...

Страница 229: ...ate limit is 100 pps NOTE If you configure ARP packet rate limit on an aggregate interface log messages are sent when the ARP packet receiving rate on a member interface exceeds the limit Configuring...

Страница 230: ...NOTE When an ARP attack entry expires ARP packets sourced from the MAC address in the entry can be processed normally Displaying and maintaining source MAC based ARP attack detection Execute display c...

Страница 231: ...ttack entries 4 Exclude the MAC address of the server from this detection Configuration procedure Enable source MAC based ARP attack detection and specify the handling method as filter Device system v...

Страница 232: ...e acknowledgement Step Command Remarks 1 Enter system view system view N A 2 Enable the ARP active acknowledgement function arp active ack enable By default ARP active acknowledgement function is disa...

Страница 233: ...ggregate interface view interface interface type interface number N A 6 Optional Configure the interface as a trusted interface excluded from ARP detection arp detection trust By default an interface...

Страница 234: ...validity check as follows If the packets are ARP requests they are forwarded through the trusted interface If the packets are ARP replies they are forwarded according to their destination MAC address...

Страница 235: ...view SwitchA dhcp enable SwitchA dhcp server ip pool 0 SwitchA dhcp pool 0 network 10 1 1 0 mask 255 255 255 0 3 Configure Host A DHCP client and Host B Details not shown 4 Configure Switch B Enable...

Страница 236: ...a cybercafe With ARP automatic scanning enabled on an interface the device automatically scans neighbors on the interface sends ARP requests to the neighbors obtains their MAC addresses and creates d...

Страница 237: ...ed gateway If yes it discards the packet If not it handles the packet normally Configuration guidelines Follow these guidelines when you configure ARP gateway protection You can enable ARP gateway pro...

Страница 238: ...tethernet 1 0 2 SwitchB Ten GigabitEthernet1 0 2 arp filter source 10 1 1 1 After the configuration is complete Ten GigabitEthernet 1 0 1 and Ten GigabitEthernet 1 0 2 discard the incoming ARP packets...

Страница 239: ...efault ARP filtering is disabled Configuration example Network requirements As shown in Figure 72 the IP and MAC addresses of Host A are 10 1 1 2 and 000f e349 1233 respectively The IP and MAC address...

Страница 240: ...binding 10 1 1 3 000f e349 1234 After the configuration is complete Ten GigabitEthernet 1 0 1 permits ARP packets from Host A and discards other ARP packets Ten GigabitEthernet 1 0 2 permits ARP pack...

Страница 241: ...ltaneously to block connections or even break down the network uRPF can prevent these source address spoofing attacks It checks whether an interface that receives a packet is the output interface of t...

Страница 242: ...dress validity Discards packets with a source broadcast address Discards packets with an all zero source address but a non broadcast destination address A packet with source address 0 0 0 0 and destin...

Страница 243: ...ntry If yes proceeds to step 8 If not proceeds to step 9 5 uRPF checks whether the source IP address matches an ARP entry If yes proceeds to step 8 If not proceeds to step 9 6 uRPF checks whether the...

Страница 244: ...le the uRPF function on the switch the routing table size might decrease by half If the number of routes exceeds half the routing table size of the switch the uRPF function cannot be enabled to avoid...

Страница 245: ...s shown in Figure 76 a client Switch A directly connects to an ISP switch Switch B Enable strict uRPF check on Switch A and Switch B to prevent source address spoofing attacks Figure 76 Network diagra...

Страница 246: ...evice through a console port and then create a key pair for the SSH server The password for entering the device in FIPS mode must comply with the password control policies such as password length comp...

Страница 247: ...non FIPS devices to create an IRF fabric To enable FIPS mode for an IRF fabric you must reboot the entire IRF fabric Configuring FIPS mode Entering FIPS mode After you enable FIPS mode and reboot the...

Страница 248: ...thod 8 Save the configuration file and specify it as the startup configuration file 9 Delete the startup configuration file in binary format an mdb file 10 Reboot the device The system enters FIPS mod...

Страница 249: ...trigger a self test If the power up self test fails the device where the self test process exists reboots If the conditional self test fails the system outputs self test failure information NOTE If a...

Страница 250: ...oots To trigger a self test Step Command 1 Enter system view system view 2 Trigger a self test fips self test Displaying and maintaining FIPS Execute the display command in any view Task Command Displ...

Страница 251: ...started login root Password First login or password reset For security reason you need to change your pass word Please enter your password old password new password confirm Updating user information P...

Страница 252: ...the storage medium and specify it as the startup configuration file Sysname save The current configuration will be written to the device Are you sure Y N y Please input the file name cfg flash startup...

Страница 253: ...239 confirm Updating user information Please wait Sysname Display the current FIPS mode state Sysname display fips status FIPS mode is enabled...

Страница 254: ...ion Header AH Encapsulating Security Payload ESP Internet Key Exchange IKE and algorithms for authentication and encryption AH and ESP are security protocols that provide security services IKE perform...

Страница 255: ...supports the following encapsulation modes Transport mode The security protocols protect the upper layer data of an IP packet Only the transport layer data is used to calculate the security protocol h...

Страница 256: ...ESP header An SA can be set up manually or through IKE Manual mode Configure all parameters for the SA through commands This configuration mode is complex and does not support some advanced features...

Страница 257: ...rameters used for the protection Apply the IPsec policy to an interface When you apply an IPsec policy to an interface you implement IPsec based on the interface Packets received and sent by the inter...

Страница 258: ...ts Support for features commands and parameters might differ in FIPS mode see Configuring FIPS and non FIPS mode IPsec tunnel establishment The switch supports establishing only ACL based IPsec tunnel...

Страница 259: ...the IPsec policy to an interface Complete the following tasks to configure ACL based IPsec Tasks at a glance Required Configuring an ACL Required Configuring an IPsec transform set Required Configure...

Страница 260: ...scope and matching order relative to permit statements The policy entries in an IPsec policy have different match priorities ACL rule conflicts between them are prone to cause mistreatment of packets...

Страница 261: ...tication algorithm for AH in non FIPS mode ah authentication algorithm md5 sha1 Specify the authentication algorithm for AH in FIPS mode ah authentication algorithm sha1 Configure at least one command...

Страница 262: ...mary IPv4 address of the interface applied with the IPsec policy at the remote end The remote IPv6 address configured on the local end must be the same as the first IPv6 address of the interface appli...

Страница 263: ...SA sa spi outbound ah esp spi number By default no SPI is configured for the inbound or outbound IPsec SA 8 Configure keys for the IPsec SA Configure an authentication key in hexadecimal format for AH...

Страница 264: ...ers An IKE based IPsec policy can reference up to six IPsec transform sets During an IKE negotiation IKE searches for a fully matched IPsec transform set at the two ends of the IPsec tunnel If no matc...

Страница 265: ...the local IKE identity 8 Specify the remote IP address of the IPsec tunnel remote address ipv6 host name ipv4 address ipv6 ipv6 address By default the remote IP address of the IPsec tunnel is not spec...

Страница 266: ...ost By default no ACL is specified for the IPsec policy template An IPsec policy template can reference only one ACL 5 Specify the IPsec transform sets for the IPsec policy template to reference trans...

Страница 267: ...remove the application of the IPsec policy In addition to VLAN interfaces you can apply an IPsec policy to tunnel interfaces to protect GRE flows For each packet to be sent out of an interface applied...

Страница 268: ...against anti replay attacks by using a sliding window mechanism called anti replay window This function checks the sequence number of each received IPsec packet against the current IPsec packet seque...

Страница 269: ...a core device is usually connected to an ISP through two links which operate in backup or load sharing mode The two interfaces negotiate with their peers to establish IPsec SAs respectively When one i...

Страница 270: ...eq number isakmp manual To enter IPsec policy template view ipsec policy template ipv6 policy template template name seq number Use either command 3 Enable QoS pre classify qos pre classify By default...

Страница 271: ...s 1 Enter system view system view N A 2 Enter interface view interface interface type interface number N A 3 Configure the DF bit of IPsec packets on the interface ipsec df bit clear copy set By defau...

Страница 272: ...ckets Network requirements As shown in Figure 80 establish an IPsec tunnel between Switch A and Switch B to protect data flows between the switches Configure the tunnel as follows Specify the encapsul...

Страница 273: ...tbound SA keys for ESP SwitchA ipsec policy manual map1 10 sa string key outbound esp simple abcdefg SwitchA ipsec policy manual map1 10 sa string key inbound esp simple gfedcba SwitchA ipsec policy m...

Страница 274: ...gfedcba SwitchB ipsec policy manual use1 10 sa string key inbound esp simple abcdefg SwitchB ipsec policy manual use1 10 quit Apply the IPsec policy use1 to interface VLAN interface 1 SwitchB interfa...

Страница 275: ...lan interface1 ip address 2 2 2 1 255 255 255 0 SwitchA Vlan interface1 quit Define an ACL to identify data flows from Switch A to Switch B SwitchA acl number 3101 SwitchA acl adv 3101 rule 0 permit i...

Страница 276: ...akmp map1 10 ike profile profile1 SwitchA ipsec policy isakmp map1 10 quit Apply the IPsec policy map1 to interface VLAN interface 1 SwitchA interface vlan interface 1 SwitchA Vlan interface1 ipsec ap...

Страница 277: ...policy isakmp use1 10 security acl 3101 Apply the IPsec transform set tran1 SwitchB ipsec policy isakmp use1 10 transform set tran1 Specify the local and remote IP addresses of the IPsec tunnel as 2 2...

Страница 278: ...e shared keys making sure each SA has a key independent of other keys Automatically negotiates SAs when the sequence number in the AH or ESP header overflows making sure IPsec can provide the anti rep...

Страница 279: ...tion mechanisms and supports secure identity authentication key distribution and IPsec SA establishment on insecure networks Identity authentication The IKE identity authentication mechanism is used t...

Страница 280: ...irements Support for features commands and parameters might differ in FIPS mode see Configuring FIPS and non FIPS mode IKE configuration prerequisites Determine the following parameters prior to IKE c...

Страница 281: ...responder it uses the IKE negotiation mode of the initiator 4 Specifies the IKE proposals that the device can use as the initiator An IKE proposal specified earlier has a higher priority When the devi...

Страница 282: ...I domain used to request a certificate for digital signature authentication To specify the keychain for pre shared key authentication keychain keychain name To specify the PKI domain used to request a...

Страница 283: ...ou can create multiple IKE proposals with different priorities The priority of an IKE proposal is represented by its sequence number The lower the sequence number the higher the priority Two peers mus...

Страница 284: ...1 the 768 bit DH group is used in non FIPS mode and DH group 14 2048 bit DH group is used in FIPS mode 7 Set the IKE SA lifetime for the IKE proposal sa duration seconds By default the IKE SA lifetime...

Страница 285: ...nterface or IP address 5 Optional Specify a priority for the IKE keychain priority number The default priority is 100 Configuring the global identity information Follow these guidelines when you confi...

Страница 286: ...ve function unless IKE DPD is not supported on the peer The IKE keepalive function sends keepalives at regular intervals which consumes network bandwidth and resources The keepalive timeout time confi...

Страница 287: ...aximum of two retries 4 If the local device receives no response after two retries the device considers the peer is dead and deletes the IKE SA along with the IPsec SAs it negotiated 5 If the local de...

Страница 288: ...ery is disabled Setting the maximum number of IKE SAs You can set the maximum number of half open IKE SAs and the maximum number of established IKE SAs The supported maximum number of half open IKE SA...

Страница 289: ...erface 1 SwitchA system view SwitchA interface vlan interface 1 SwitchA vlan interface1 ip address 1 1 1 1 255 255 255 0 SwitchA vlan interface1 quit Configure ACL 3101 to identify traffic from Switch...

Страница 290: ...ipsec policy isakmp map1 10 security acl 3101 Reference IPsec transform set tran1 for the IPsec policy SwitchA ipsec policy isakmp map1 10 transform set tran1 Specify IKE profile profile1 for the IPse...

Страница 291: ...1 1 1 1 255 255 255 0 SwitchB ike profile profile1 quit Create an IPsec policy entry and specify the IPsec policy name as use1 the sequence number as 10 and the IPsec SA setup mode as IKE SwitchB ips...

Страница 292: ...roposal settings are incorrect Solution 1 Examine the IKE proposal configuration to see whether the two ends have matching IKE proposals 2 Modify the IKE proposal configuration to make sure the two en...

Страница 293: ...eeded and the IKE SA is in RD state but the display ipsec sa command shows that the expected IPsec SA has not been negotiated yet 2 The following IKE debugging message appeared The attributes are unac...

Страница 294: ...e Transmitting entity Responder Local IP 192 168 222 5 Local ID type IPV4_ADDR Local ID 192 168 222 5 Remote IP 192 168 222 71 Remote ID type IPV4_ADDR Remote ID 192 168 222 71 Authentication method P...

Страница 295: ...0 0 0 0 255 On the responder Sysname display acl 3000 Advanced ACL 3000 named none 2 rules ACL s step is 5 rule 0 permit ip source 192 168 222 71 0 destination 192 168 222 5 0 3 Verify that the IPsec...

Страница 296: ...s ACL so the ACL defines a flow range equal to or greater than that of the initiator s ACL For example Sysname display acl 3000 Advanced ACL 3000 named none 2 rules ACL s step is 5 rule 0 permit ip so...

Страница 297: ...e 86 port security client macAddressElseUserLoginSecure configuration 99 port security client userLoginWithOUI configuration 96 port security configuration 86 89 95 port security feature configuration...

Страница 298: ...units 25 RADIUS username format 25 scheme configuration 18 SSH user local authentication HWTACACS authorization RADIUS accounting 46 troubleshooting HWTACACS 57 troubleshooting LDAP 57 troubleshooting...

Страница 299: ...AAA HWTACACS scheme configuration 30 security AAA LDAP administrator attribute configuration 38 security AAA LDAP scheme configuration 36 security AAA LDAP user attribute configuration 38 security AAA...

Страница 300: ...104 107 1 1 1 security SSH configuration 160 security SSH methods 161 security SSH SCP file transfer with password authentication 194 security SSH server configuration 162 security SSH SFTP client pu...

Страница 301: ...802 1X authentication 63 security 802 1X authentication access device initiated 63 security 802 1X authentication client initiated 62 security 802 1X authentication client timeout timer 71 security 80...

Страница 302: ...curity IPsec IKE main mode pre shared key authentication 275 security IPsec IKE DPD 273 security IPsec IKE global identity information 271 security IPsec IKE keepalive function 272 security IPsec IKE...

Страница 303: ...eme 39 security AAA RADIUS scheme 22 security LDAP server 37 security local key pair 1 16 CRL security PKI 125 security PKI architecture 126 security PKI CA policy 126 security PKI certificate access...

Страница 304: ...rs 109 security password setting 104 security SFTP server function enable 164 security SSH SCP client configuration 174 security SSH server configuration 162 security SSH server function enable 163 se...

Страница 305: ...uthentication domain 73 security AAA ISP domain accounting methods configuration 43 security AAA ISP domain authentication methods 41 security AAA ISP domain authorization methods 42 security AAA ISP...

Страница 306: ...rity IPsec encryption algorithm AES 243 security IPsec encryption algorithm DES 243 security IPsec IKE based tunnel for IPv4 packets configuration 261 security IPsec tunnel for IPv4 packets configurat...

Страница 307: ...171 security SSH SFTP client publickey authentication 191 security SSH SFTP client source IP address interface 171 security SSH SFTP configuration 189 security SSH SFTP directories 173 security SSH S...

Страница 308: ...configuration 272 negotiation 264 negotiation failure no proposal or keychain referenced correctly 278 negotiation failure troubleshooting no proposal match 278 PFS 266 profile configuration 267 propo...

Страница 309: ...n algorithms 243 FIPS compliance 244 IKE configuration 264 266 IKE configuration main mode pre shared key authentication 275 IKE DPD configuration 273 IKE global identity information configuration 271...

Страница 310: ...AAA ISP domain authorization methods 42 security AAA ISP domain creation 40 security AAA ISP domain methods configuration 39 security AAA ISP domain status configuration 40 K keepalive security IPsec...

Страница 311: ...See MAC address authentication See MAC authentication security SSL services 197 MAC address MAC local authentication configuration 82 MAC RADIUS based authentication configuration 84 security 802 1X a...

Страница 312: ...ecure mode 86 port security macAddressWithRadius authentication 89 port security secure MAC learning control mode 88 security 802 1X EAP relay termination comparison 64 security 802 1X multicast trigg...

Страница 313: ...DAP implementation 9 security AAA LDAP scheme configuration 36 security AAA local user configuration 18 security AAA MPLS L3VPN implementation 13 security AAA network access user configuration 18 secu...

Страница 314: ...ecurity SSH management parameters 167 security SSH SCP client device configuration 174 security SSH server configuration 162 security SSH server function enable 163 security SSH SFTP client device con...

Страница 315: ...SH SCP file transfer with password authentication 194 security SSH SFTP client publickey authentication 191 security SSH SFTP configuration 189 security SSH SFTP server password authentication 189 sec...

Страница 316: ...sword control user group parameters 109 security super password control parameters 1 10 setting security SSH management parameters 167 password security SSH password authentication 161 security SSH pa...

Страница 317: ...2003 CA server certificate request configuration 142 policy security AAA RADIUS security policy server IP address configuration 29 security IPsec application to interface 253 security IPsec configurat...

Страница 318: ...68 configuring security 802 1X authentication 75 configuring security 802 1X online user handshake function 72 configuring security 802 1X quiet timer 74 configuring security AAA 17 configuring securi...

Страница 319: ...et DF bit 256 configuring security IPsec policy IKE based 250 configuring security IPsec policy IKE based direct 250 configuring security IPsec policy IKE based template 251 configuring security IPsec...

Страница 320: ...aying security AAA RADIUS 30 displaying security ARP detection 220 displaying security ARP source MAC based attack detection 216 displaying security ARP unresolvable IP attack protection 213 displayin...

Страница 321: ...y AAA HWTACACS traffic statistics unit 33 setting security AAA HWTACACS username format 33 setting security AAA LDAP server timeout period 37 setting security AAA RADIUS max request transmission attem...

Страница 322: ...rifying PKI certificate verification CRL checking 135 verifying security PKI certificate 135 verifying security PKI certificate verification without CRL checking 136 working with SSH SFTP directories...

Страница 323: ...e Authentication attribute 62 security MAC authentication 78 security MAC RADIUS based authentication configuration 84 security policy server IP address configuration 29 server quiet timer 28 server r...

Страница 324: ...application 160 secure shell Use SSH Secure Sockets Layer Use SSL security 802 1X access control method 70 802 1X authentication configuration 75 802 1X authentication request max number attempts 71...

Страница 325: ...lic key save to file 1 18 IP 240 See also IPsec IP source guard configuration 202 203 206 IP source guard static binding entry 202 IPsec ACL de encapsulated packet check 254 IPsec ACL based implementa...

Страница 326: ...rt from file 1 19 peer public key entry 1 19 120 PKI applications 127 PKI architecture 126 PKI CA certificate failure 155 PKI CA certificate import failure 157 PKI CA policy 126 PKI CA storage path sp...

Страница 327: ...ng AAA RADIUS packet delivery failure 56 troubleshooting LDAP 57 uRPF configuration 227 230 231 server port security authorization information 94 security 802 1X authentication configuration 75 securi...

Страница 328: ...counting server parameters 23 security AAA RADIUS authentication server 23 security AAA RADIUS outgoing packet source IP address 27 security AAA RADIUS scheme VPN 24 security AAA RADIUS shared keys 24...

Страница 329: ...ffic statistics units 25 status security AAA ISP domain status configuration 40 Stelnet client device configuration 168 client password authentication 184 client publickey authentication 187 client so...

Страница 330: ...ACS 57 security AAA LDAP 57 security AAA RADIUS 56 security AAA RADIUS accounting error 57 security AAA RADIUS authentication failure 56 security AAA RADIUS packet delivery failure 56 security IPsec I...

Страница 331: ...rity password history 106 security password max user account idle time 106 security password not displayed 106 security password setting 104 security password updating 105 105 security password user f...

Страница 332: ...128 security PKI entity configuration 128 Windows 2003 security PKI CA server certificate request 142 WLAN port security client macAddressElseUserLoginSecure configuration 99 port security client use...

Отзывы:

Нет отзывов