
User Manual - Command Reference (Volume 3) Versatile Routing Platform

Table of Contents

Chapter 1 AAA and RADIUS Configuration Commands  1-1
1.1 aaa accounting optional  1-1
1.2 aaa authentication local-first  1-2
1.3 aaa authentication login  1-2
1.4 aaa authentication ppp  1-4
1.5 aaa-enable  1-6
1.6 ip local pool  1-6
1.7 peer default ip address  1-7
1.8 radius-server dead-time  1-8
1.9 radius-server host  1-9
1.10 radius-server key  1-9
1.11 radius-server realtime-acct-timeout  1-10
1.12 radius-server retransmit  1-11
1.13 radius-server timeout  1-11
1.14 user callback-dialstring  1-12
1.15 user calling-station-id  1-13
1.16 user ftp-directory  1-13
1.17 user password  1-14
1.18 user service-type  1-15
1.19 show aaa user  1-16
1.20 show user  1-16
1.21 debug radius  1-17

Chapter 2 Terminal Access Security Configuration Commands  2-1
2.1 enable password  2-1
2.2 login  2-1

Chapter 3 Firewall Configuration Commands  3-1
3.1 access-list  3-1
3.2 clear access-list counters  3-4
3.3 firewall  3-4
3.4 firewall default  3-5
3.5 ip access-group  3-6
3.6 settr  3-6
3.7 timerange  3-7
3.8 show access-list  3-8
3.9 show firewall  3-9
3.10 show isintr  3-10
3.11 show timerange  3-10
3.12 debug filter  3-11

Chapter 4 IPSec Configuration Commands  4-1
4.1 ah-new hash  4-1
4.2 clear crypto sa  4-2
4.3 clear crypto statistics  4-3
4.4 crypto ipsec sa lifetime  4-4
4.5 crypto ipsec transform  4-5
4.6 crypto map (global mode)  4-6
4.7 crypto map (interface mode)  4-7
4.8 esp-new encrypt  4-8
4.9 esp-new hash  4-9
4.10 match address  4-10
4.11 mode  4-11
4.12 set local-address  4-12
4.13 set peer  4-13
4.14 set sa lifetime  4-14
4.15 set session-key  4-15
4.16 set transform  4-17
4.17 transform  4-18
4.18 show crypto ipsec sa  4-18
4.19 show crypto ipsec sa lifetime  4-20
4.20 show crypto ipsec statistics  4-20
4.21 show crypto ipsec transform  4-21
4.22 show crypto map  4-22
4.23 debug ipsec  4-23

Chapter 5 IKE Configuration Commands  5-1
5.1 authentication  5-1
5.2 clear crypto ike sa  5-2
5.3 crypto ike key  5-2
5.4 crypto ike policy  5-3
5.5 encryption  5-4
5.6 group  5-5
5.7 hash  5-6
5.8 lifetime  5-6
5.9 show crypto ike policy  5-7
5.10 show crypto ike sa  5-8
5.11 debug ike  5-9


Chapter 1 AAA and RADIUS Configuration Commands


AAA and RADIUS configuration commands include:
- aaa accounting optional
- aaa authentication local-first
- aaa authentication login
- aaa authentication ppp
- aaa-enable
- ip local pool
- peer default ip address
- radius-server dead-time
- radius-server host
- radius-server key
- radius-server realtime-acct-timeout
- radius-server retransmit
- radius-server timeout
- user callback-dialstring
- user calling-station-id
- user ftp-directory
- user password
- user service-type
- show aaa user
- show user
- debug radius

1.1 aaa accounting optional


To turn on the AAA accounting option switch, use the aaa accounting optional command. To return to the default, use the no form of this command.

aaa accounting optional
no aaa accounting optional

Default
no aaa accounting optional, that is, accounting must be performed for the user.

Command Mode
Global configuration mode

Usage Guideline
If the aaa accounting optional command is configured and the RADIUS accounting server is unavailable or communication with it fails, the user can continue to use the network resources. Otherwise the user is disconnected. This command is often used for authentication without accounting: when it is configured and no accounting server is available after successful authentication, the user stays connected, which is how this command achieves authentication without accounting.

Example
! The following example turns on the AAA accounting option switch.
Quidway(config)#aaa accounting optional

Related Command
aaa-enable, aaa authentication login, aaa authentication ppp

1.2 aaa authentication local-first


To enable AAA authentication local first, use the aaa authentication local-first command. To return to the default, so as to disable AAA authentication local first, use the no form of this command.

aaa authentication local-first
no aaa authentication local-first

Default
no aaa authentication local-first.

Command Mode
Global configuration mode

Usage Guideline
When AAA authentication local first is used, the user is authenticated locally first. If that fails, the user is authenticated by the methods in the configured authentication method list. A user who passes local-first authentication still has to be accounted for (charged) via the RADIUS server. If accounting is unnecessary, dispense with the accounting server and configure the aaa accounting optional command. When AAA authentication local first is configured, it takes effect for all applications using AAA, including ppp and login, which then authenticate locally first.

Related Command
aaa authentication login, aaa authentication ppp

1.3 aaa authentication login


To configure the AAA login method list, use the aaa authentication login command. To cancel the configured AAA login method list, use the no form of this command.

aaa authentication login { default | list-name } { method1 } [ method2 ... ]
no aaa authentication login { default | list-name }

Syntax Description
default  Default login authentication method list name.
list-name  Method list name input by the user.
method  Authentication method. There are three authentication methods:
- radius  Authentication and accounting via the RADIUS server
- local  Local authentication, and accounting via the RADIUS server
- none  All users can access the network without any authentication or accounting

Note:
1) Both radius and local authentication conduct accounting via the RADIUS server. If accounting is unnecessary, you don't need to configure the accounting server; use the aaa accounting optional command so that authentication alone is performed.
2) Only one login service authentication method list can be configured, although you can give it different names. A subsequently configured method list overrides the previous one, and all login services using AAA adopt this method list.

When configuring the authentication method list, at least one authentication method must be specified. When multiple authentication methods are specified, method1 is used first during login authentication. If an error occurs during authentication (such as failing to set up communication with the RADIUS server), method2 is used, and so on. If authentication fails (meaning illegal access) with a given method, the following methods are not used and authentication terminates. In addition, the none method is meaningful only when it is placed at the end.

Note: The next authentication method is used only when authentication cannot proceed normally, not when it fails. "Cannot proceed normally" means that communication with the RADIUS server fails; this abnormality can occur only when the radius method is used.

Not all method combinations are valid. The five permitted combinations are:
aaa authentication login default none
aaa authentication login default local
aaa authentication login default radius
aaa authentication login default radius none
aaa authentication login default radius local


Default
local authentication

Command Mode
Global configuration mode

Usage Guideline
In the AAA login authentication method list, three authentication methods can be specified: local, radius and none. local authenticates via the local database, radius authenticates via the RADIUS server, and none performs no authentication. The local database is configured via the user command. For non-default method lists, the no aaa authentication login command deletes the method list; for the default method list, it restores the default method, local authentication.

Example
! The following example configures the login default authentication method list with the following requirements: use the RADIUS server for authentication first; if no acknowledgement is received, change to local authentication.
Quidway(config)#aaa authentication login default radius local

Related Command
aaa authentication local-first, user callback-dialstring, user calling-station-id, user ftp-directory, user password, user service-type

1.4 aaa authentication ppp


To configure the AAA PPP authentication method list, use the aaa authentication ppp command. To return to the default, so as to cancel the AAA PPP authentication list, use the no form of this command.

aaa authentication ppp { default | list-name } { method1 } [ method2 ... ]
no aaa authentication ppp { default | list-name }

Syntax Description
default  PPP default authentication method list name. This list is used by default if no authentication method list is specified on an interface encapsulated with PPP.
list-name  Method list name input by the user. It must be used together with the ppp authentication command so that this list-name can be used for PPP authentication on a given interface.
method  Authentication method, one of the following three:
- radius  Authentication and accounting via the RADIUS server
- local  Authentication carried out locally (see the PPP configuration), accounting via the RADIUS server
- none  All users can access the network without any authentication; no accounting

Both radius and local authentication conduct accounting via the RADIUS server. If accounting is unnecessary, you don't need to configure the accounting server; use the aaa accounting optional command so that authentication alone is performed. Multiple PPP authentication method lists can be configured for different interfaces.

When configuring the authentication method list, at least one authentication method must be specified. When multiple authentication methods are specified, method1 is used first during PPP authentication. If an error occurs during authentication (such as failing to set up communication with the RADIUS server), method2 is used, and so on. If authentication fails (meaning illegal access) with a given method, the following methods are not used and authentication terminates. In addition, the none method is meaningful only when it is placed at the end.

The next authentication method is used only when authentication cannot proceed normally, not when it fails. "Cannot proceed normally" means that communication with the RADIUS server fails; this abnormality can occur only when the radius method is used.

The five permitted combinations are:
aaa authentication ppp default none
aaa authentication ppp default local
aaa authentication ppp default radius
aaa authentication ppp default radius none
aaa authentication ppp default radius local

Default
default authentication method list

Command Mode
Global configuration mode

Usage Guideline
PPP's CHAP or PAP authentication is only an authentication process, through which information such as the peer username and password is verified; AAA determines whether the authentication succeeds. In AAA's PPP authentication method list, three authentication methods can be specified: local, radius and none. local authenticates via the local database, radius authenticates via the RADIUS server, and none performs no authentication. The local database is configured through the user and no user commands.

For non-default method lists, the no aaa authentication ppp command deletes the method list; for the default method list, it restores the default method, local authentication.

Example
! The following example configures the PPP default authentication method list with the following requirements: use the RADIUS server for authentication first; if no acknowledgement is received, change to local authentication.
Quidway(config)#aaa authentication ppp default radius local

Related Command
aaa authentication local-first, ppp authentication, user password, user callback-dialstring, user calling-station-id, user ftp-directory, user service-type
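The fallback rule stated for both the login (1.3) and ppp (1.4) method lists is easy to misread: the next method is consulted only when the current one cannot proceed (the RADIUS server is unreachable), never when it rejects the user. The following model, an added illustration rather than code from this manual or the router, walks a method list under exactly those rules. The Nas class, its sample user tables and the outcome labels are my own constructions; the five permitted lists are the ones the reference gives.

```python
"""Model of how the login/ppp authentication method lists of sections
1.3 and 1.4 are walked. Added illustration, not the router's own code."""
from dataclasses import dataclass, field

# Outcomes a single method can produce.
ACCEPT, REJECT, ERROR = "accept", "reject", "error"

# The five permitted lists named in the reference (identical for login and ppp).
PERMITTED_LISTS = (
    ("none",),
    ("local",),
    ("radius",),
    ("radius", "none"),
    ("radius", "local"),
)


@dataclass
class Nas:
    """Constructed NAS state: a local user database and a view of the RADIUS server.

    local_users / radius_users map username -> password (sample data only).
    """
    local_users: dict
    radius_users: dict = field(default_factory=dict)
    radius_reachable: bool = True

    def run_method(self, method, user, password):
        if method == "none":
            return ACCEPT  # no authentication at all
        if method == "local":
            # Local authentication always "proceeds": a bad password is a
            # REJECT, never an ERROR, so no later method is consulted.
            return ACCEPT if self.local_users.get(user) == password else REJECT
        if method == "radius":
            if not self.radius_reachable:
                return ERROR  # cannot proceed normally -> next method is tried
            return ACCEPT if self.radius_users.get(user) == password else REJECT
        raise ValueError(f"unknown authentication method {method!r}")


def validate_method_list(methods):
    """Accept only the five combinations the reference permits."""
    methods = tuple(methods)
    if methods not in PERMITTED_LISTS:
        raise ValueError(f"method list {methods} is not permitted")
    return methods


def authenticate(nas, methods, user, password):
    """Walk the method list; return (outcome, method that decided or None)."""
    for method in validate_method_list(methods):
        outcome = nas.run_method(method, user, password)
        if outcome == ERROR:
            continue  # fall through only when the method could not proceed
        return outcome, method
    # Every method errored (possible only for a bare `radius` list): deny.
    return REJECT, None


if __name__ == "__main__":
    nas = Nas(local_users={"quidway": "huawei"}, radius_users={"bob": "s3cret"})
    print(authenticate(nas, ("radius", "local"), "bob", "s3cret"))      # ('accept', 'radius')
    # RADIUS answered with a reject, so local is NOT consulted:
    print(authenticate(nas, ("radius", "local"), "quidway", "huawei"))  # ('reject', 'radius')
    nas.radius_reachable = False
    print(authenticate(nas, ("radius", "local"), "quidway", "huawei"))  # ('accept', 'local')
    print(authenticate(nas, ("radius", "none"), "anyone", "x"))         # ('accept', 'none')
    print(authenticate(nas, ("radius",), "quidway", "huawei"))          # ('reject', None)
```

The last two runs show the operational trade-off between the permitted lists: radius local keeps the router reachable for locally defined users during a RADIUS outage, while radius none admits any user at all once the server stops answering, and a bare radius list locks everyone out.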

1.5 aaa-enable
To enable AAA, use the aaa-enable command. To return to the default, so as to disable AAA, use the no form of this command.

aaa-enable
no aaa-enable

Default
no aaa-enable

Command Mode
Global configuration mode

Usage Guideline
Only when AAA is enabled can other parameters of AAA be configured.

Example
! The following example enables AAA.
Quidway(config)#aaa-enable

1.6 ip local pool


To specify the local IP pool for allocating IP addresses to PPP users, use the ip local pool command. To return to the default, so as to cancel the local IP pool, use the no form of this command.

ip local pool pool-number low-ip-address [ high-ip-address ]
no ip local pool pool-number


Syntax Description
pool-number  Number of the IP address pool, ranging 0 to 99; that is, at most 100 local IP address pools can be defined.
low-ip-address, high-ip-address  Start and end IP address respectively of the IP address pool.

Default
no ip local pool.

Command Mode
Global configuration mode

Usage Guideline
The IP address pool is used to allocate IP addresses to PPP users. If no end IP address is specified when a pool is defined, the pool contains only one IP address, the start IP address.

Example
! The following example configures local IP pool 0, in which addresses range from 129.102.0.1 to 129.102.0.10.
Quidway(config)#ip local pool 0 129.102.0.1 129.102.0.10

Related Command
peer default ip address

1.7 peer default ip address


To allocate IP addresses to PPP users, use the peer default ip address command. To return to the default, so as to cancel the IP address of a PPP user, use the no form of this command.

peer default ip address { ip-address | pool [ pool-number ] }
no peer default ip address

Syntax Description
ip-address  IP address allocated to a PPP user.
pool-number  IP address pool from which an address is allocated to a PPP user.

Default
An address from IP address pool 0 is allocated to the PPP user.


Command Mode
Interface configuration mode

Usage Guideline
Only when PPP is encapsulated at the interface can you configure an IP address for the peer PPP user at this interface.

Example
! The following example encapsulates PPP on interface Serial0 and allocates 129.102.0.1 to the peer PPP user.
Quidway(config-if-Serial0)#encapsulation ppp
Quidway(config-if-Serial0)#peer default ip address 129.102.0.1

Related Command
encapsulation ppp, ip local pool

1.8 radius-server dead-time


To configure the recovery time after the RADIUS server fails, use the radius-server dead-time command. To return to the default, use the no form of this command.

radius-server dead-time minutes
no radius-server dead-time

Syntax Description
minutes  Recovery time after the server fails, in minutes. Range 1 to 255.

Default
5 minutes.

Command Mode
Global configuration mode

Usage Guideline
When the RADIUS server fails (for example, the line between the NAS and the RADIUS server is loose, or the RADIUS process stops working), the system sets the server's status to down. After the recovery time configured with this command elapses, the system sets its status back to up. If the server currently in service then fails, the system automatically checks whether the original server can be put back into service.

Example
! The following example configures 10 minutes as the recovery time after the failure of the RADIUS server.
Quidway(config)#radius-server dead-time 10

1.9 radius-server host


To configure the host IP address (or hostname) of the RADIUS server, its authentication port number and its accounting port number, use the radius-server host command. To return to the default, so as to cancel the RADIUS server with the specified host IP address or hostname, use the no form of this command.

radius-server host { hostname | ip-address } [ auth-port port-number ] [ acct-port port-number ]
no radius-server host { hostname | ip-address }

Syntax Description
hostname  Host name of the RADIUS server.
ip-address  IP address of the RADIUS server, in dotted decimal notation.
auth-port  Specifies the authentication port number.
acct-port  Specifies the accounting port number.
port-number  Listening port number of the RADIUS server. 0 means that the RADIUS authentication or accounting function is not used.

Default
Authentication port number: 1812, and accounting port number: 1813.

Command Mode
Global configuration mode

Usage Guideline
You can execute this command several times to configure multiple RADIUS servers. In the order in which they were configured, the system automatically switches to the next server when the current one fails, until the last server fails. At most three RADIUS servers can be configured.

Example
! The following example specifies the host with IP address 129.102.0.2 as an authentication server only, with authentication port number 1000.
Quidway(config)#radius-server host 129.102.0.2 auth-port 1000 acct-port 0

1.10 radius-server key


To configure the key for the RADIUS server, use the radius-server key command. To return to the default, so as to delete the key of the RADIUS server, use the no form of this command.

radius-server key string
no radius-server key

Syntax Description
string Key of the RADIUS server, ranging 1 to 16 characters.

Command Mode
Global configuration mode

Usage Guideline
The key is used to encrypt the user's password and to generate the Response Authenticator. The configured key must be the same as the one specified on the RADIUS server.

Example
! The following example configures the key of the RADIUS server as Quidway.
Quidway(config)#radius-server key Quidway
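The two uses of the key named in the usage guideline above are the standard ones from RFC 2865: the NAS hides the User-Password attribute with MD5 over the secret and the Request Authenticator, and the server proves it holds the same secret by computing the Response Authenticator over its reply. The code below is an added example of both computations, not code from this manual, from the router or from any RADIUS server; the function names, the fixed Request Authenticator used in the demonstration and the simulated exchange are my own, and the key value Quidway is taken from the example above.

```python
"""How the RADIUS key of section 1.10 is used on the wire (RFC 2865).
Added example, not the router's or any RADIUS server's code."""
import hashlib
import hmac
import os
import struct

ACCESS_REQUEST, ACCESS_ACCEPT, ACCESS_REJECT = 1, 2, 3


def _xor(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_password(secret: bytes, request_auth: bytes, password: bytes) -> bytes:
    """NAS side: RFC 2865 section 5.2 User-Password hiding with the shared key."""
    if not 1 <= len(password) <= 128:
        raise ValueError("User-Password must be 1..128 octets")
    padded = password + b"\x00" * (-len(password) % 16)  # pad to 16-octet blocks
    out, prev = b"", request_auth
    for i in range(0, len(padded), 16):
        b = hashlib.md5(secret + prev).digest()   # b1 = MD5(S + RA), bn = MD5(S + c(n-1))
        c = _xor(padded[i:i + 16], b)
        out, prev = out + c, c
    return out


def reveal_password(secret: bytes, request_auth: bytes, hidden: bytes) -> bytes:
    """Server side: the reverse of hide_password; only correct with the same key."""
    out, prev = b"", request_auth
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        out += _xor(block, hashlib.md5(secret + prev).digest())
        prev = block
    return out.rstrip(b"\x00")


def response_authenticator(secret: bytes, code: int, ident: int,
                           request_auth: bytes, attrs: bytes) -> bytes:
    """RFC 2865 section 3: MD5(Code + ID + Length + RequestAuth + Attributes + Secret)."""
    header = struct.pack("!BBH", code, ident, 20 + len(attrs))  # 20 = fixed header size
    return hashlib.md5(header + request_auth + attrs + secret).digest()


def verify_response(secret: bytes, code: int, ident: int, request_auth: bytes,
                    attrs: bytes, received: bytes) -> bool:
    """NAS side: accept a reply only if it was authenticated with our key."""
    expected = response_authenticator(secret, code, ident, request_auth, attrs)
    return hmac.compare_digest(expected, received)


def exchange(nas_secret: bytes, server_secret: bytes, password: bytes,
             request_auth: bytes = None) -> tuple:
    """Simulated Access-Request / Access-Accept round trip between a NAS and a
    server that may or may not hold the same key. Returns
    (password as the server recovered it, whether the NAS accepted the reply)."""
    request_auth = request_auth or os.urandom(16)  # real NASes pick this at random
    ident = 0x2A
    hidden = recovered = None
    hidden = hide_password(nas_secret, request_auth, password)
    recovered = reveal_password(server_secret, request_auth, hidden)
    # The server replies with an empty attribute list, for brevity.
    code = ACCESS_ACCEPT
    resp_auth = response_authenticator(server_secret, code, ident, request_auth, b"")
    return recovered, verify_response(nas_secret, code, ident, request_auth, b"", resp_auth)


if __name__ == "__main__":
    ra = bytes(range(16))  # constructed, fixed Request Authenticator for a repeatable demo
    print(exchange(b"Quidway", b"Quidway", b"huawei", ra))   # (b'huawei', True)
    print(exchange(b"Quidway", b"wrongkey", b"huawei", ra))  # (garbage, False)
```

With mismatched keys the server recovers garbage instead of the password and the NAS rejects the reply, which is the observable symptom of a key mismatch between a router and its RADIUS server: every authentication fails even though the server is reachable.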

1.11 radius-server realtime-acct-timeout


To configure the timeout value for transmitting real-time accounting packets to the RADIUS server, use the radius-server realtime-acct-timeout command. To return to the default, use the no form of this command.

radius-server realtime-acct-timeout minutes
no radius-server realtime-acct-timeout

Syntax Description
minutes Timeout value for real-time accounting packet transmission, in second. Ranging 0 to 32767.

Default
0 second.

Command Mode
Global configuration mode

Usage Guideline
After the user passes authentication, the NAS sends the user's real-time accounting information to the RADIUS server at the configured interval. If a real-time accounting request fails, the user is handled according to the aaa accounting optional command: if it is configured, the NAS allows the user to continue using the network service; otherwise the NAS disconnects the user.


Example
! The following example sets the timeout value for transmitting RADIUS real-time accounting packets to two minutes.
Quidway(config)#radius-server realtime-acct-timeout 2

1.12 radius-server retransmit


To set the number of times a request packet is retransmitted to the RADIUS server, use the radius-server retransmit command. To return to the default, use the no form of this command.

radius-server retransmit retries
no radius-server retransmit

Syntax Description
retries Times of retransmitting request packet to RADIUS. Ranging 1 to 255.

Default
3 times.

Command Mode
Global configuration mode

Usage Guideline
If no acknowledgement is received from the RADIUS server within the timeout value after an AAA request is sent to the RADIUS server, it is necessary to retransmit the AAA request. If the number of AAA request retries exceeds the specified number of retries, it is deemed that this server can not work normally any more.

Example
! The following example sets the number of retransmissions of request packets to the RADIUS server to 2.
Quidway(config)#radius-server retransmit 2

1.13 radius-server timeout


To set the timeout value of the RADIUS server, use the radius-server timeout command. To return to the default, use the no form of this command.

radius-server timeout seconds
no radius-server timeout

Syntax Description
seconds  Timeout value for the RADIUS server, in seconds. Range 1 to 65535.


Default
10 seconds.

Command Mode
Global configuration mode

Usage Guideline
For packets that require a reply (such as authentication request packets), a timeout value must be set; a packet is retransmitted if no reply arrives before the timeout expires.

Example
! The following example sets the timeout value for the RADIUS server to 5 seconds.
Quidway(config)#radius-server timeout 5
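Sections 1.8, 1.9, 1.12 and 1.13 together define how long a login can stall while the router works through unresponsive servers: each server gets the initial send plus the configured retransmissions, each unanswered attempt costs one timeout interval, an exhausted server is marked down, and the next configured server (up to three) is tried. The simulation below is an added example, not the router's own code; the simulated clock, the send callback and the class names are mine, and it assumes (the reference does not say) that retries counts retransmissions after the first send and that a server in its dead-time is skipped without waiting.

```python
"""Simulation of the RADIUS server failover behaviour described in sections
1.8, 1.9, 1.12 and 1.13 (dead-time, up to three hosts, retransmit, timeout).
Added example, not the router's own code."""
from dataclasses import dataclass


@dataclass
class RadiusServer:
    address: str
    down_until: float = 0.0   # simulated time (s) at which "down" status expires


@dataclass
class RadiusClientConfig:
    timeout: int = 10     # radius-server timeout, seconds (default 10)
    retransmit: int = 3   # radius-server retransmit, retries (default 3)
    dead_time: int = 5    # radius-server dead-time, minutes (default 5)


class RadiusClient:
    MAX_SERVERS = 3  # the reference allows at most three radius-server host entries

    def __init__(self, servers, config, send):
        # send(address, attempt) -> True if a reply arrived within the timeout.
        if len(servers) > self.MAX_SERVERS:
            raise ValueError("at most three RADIUS servers can be configured")
        self.servers, self.cfg, self.send = list(servers), config, send
        self.clock = 0.0  # simulated seconds; advanced instead of sleeping

    def _try_server(self, server) -> bool:
        # Assumption: initial transmission plus `retransmit` retransmissions,
        # each unanswered attempt costing one `timeout` interval.
        for attempt in range(1 + self.cfg.retransmit):
            if self.send(server.address, attempt):
                return True
            self.clock += self.cfg.timeout
        # No reply at all: the server is set to "down" for dead-time minutes.
        server.down_until = self.clock + self.cfg.dead_time * 60
        return False

    def request(self):
        """Send one AAA request. Returns (address that answered or None, seconds spent).

        Servers are tried in configured order; a server still within its
        dead-time is skipped without waiting for it (assumption)."""
        start = self.clock
        for server in self.servers:
            if server.down_until > self.clock:
                continue
            if self._try_server(server):
                return server.address, self.clock - start
        return None, self.clock - start


def worst_case_failover_seconds(config, n_servers):
    """Time a request can stall before every server is declared down and the
    next method in the AAA list (e.g. local) is consulted."""
    return n_servers * config.timeout * (1 + config.retransmit)


if __name__ == "__main__":
    # Constructed addresses; only the third server ever answers.
    servers = [RadiusServer(a) for a in ("129.102.0.2", "129.102.0.3", "129.102.0.4")]
    client = RadiusClient(servers, RadiusClientConfig(),
                          lambda addr, attempt: addr == "129.102.0.4")
    print(client.request())        # ('129.102.0.4', 80.0): two dead servers cost 40 s each
    print(client.request())        # ('129.102.0.4', 0.0): both are skipped during dead-time
    client.clock += 5 * 60         # dead-time expires ...
    print(client.request())        # ('129.102.0.4', 80.0): ... and they are probed again
    print(worst_case_failover_seconds(RadiusClientConfig(), 3))  # 120
```

With the defaults, the first login after an outage of all three servers waits 120 seconds before a radius local list falls back to the local database; a shorter timeout or fewer retries reduces that stall, while a longer dead-time reduces how often the dead servers are re-probed.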

1.14 user callback-dialstring


To set the callback user and callback number, use the user callback-dialstring command. To return to the default, so as to cancel the callback user and callback number, use the no form of this command.

user user [ callback-dialstring telephone-number ]
no user user

Syntax Description
user  Username.
telephone-number  User's callback telephone number.

Default
No user.

Command Mode
Global configuration mode

Usage Guideline
This command can be used together with the user password command.

Example
! The following example adds a user whose name is quidway, whose password is huawei (encrypted when displayed), and whose callback number is 91882195.
Quidway(config)#user quidway callback-dialstring 91882195 password 7 huawei


Related Command
show user, user password, aaa authentication ppp, ppp callback, dialer caller, dialer callback-server

1.15 user calling-station-id


To set a user with a calling ID, use the user calling-station-id command. To return to the default, so as to cancel the user with a calling ID, use the no form of this command.

user user [ calling-station-id telephone-number ] [ :sub-telephone-number ]
no user user

Syntax Description
user  Username.
telephone-number, sub-telephone-number  User's calling ID and calling sub-ID.

Default
No user.

Command Mode
Global configuration mode

Usage Guideline
This command can be used together with the user password command. It provides the ISDN user with double authentication, that is, password and calling ID authentication. If calling-station-id is configured, calling ID authentication is required for the user.

Example
! The following example adds a user whose username is quidway, whose password is huawei (encrypted when displayed), whose calling ID is 91882195 and whose calling sub-ID is 2122.
Quidway(config)#user quidway calling-station-id 91882195:2122 password 7 huawei

Related Command
show user, user password, aaa authentication ppp

1.16 user ftp-directory


To set the FTP user database for authentication, use the user ftp-directory command. To return to the default, so as to delete the setting, use the no form of this command.

user user [ ftp-directory directory ]
no user user


Syntax Description
user: Username.
directory: Directory accessible to the user.

Default
No FTP user to access the directory.

Command Mode
Global configuration mode

Usage Guideline
This command is currently reserved for future extension; the directory is accepted and stored but does not yet restrict FTP access.

Example
! The following example adds a user whose username is quidway, whose password is huawei (encrypted when displayed), and whose accessible directory is \huawei\lst\ .
Quidway(config)#user quidway ftp-directory \huawei\lst\ password 7 huawei

Related Command
user password, aaa authentication login

1.17 user password


To set the user database for authentication, use the user password command. To return to the default, so as to delete the setting, use the no form of this command.

user user [ password { 0 | 7 } password ]
no user user

Syntax Description
user: Username, 1 to 32 characters.
password: User password for authentication, 1 to 16 characters or digits.
0: Password displayed in plain text.
7: Password displayed in ciphered text.

Default
Authentication password.

Command Mode
Global configuration mode


Usage Guideline
The local user database can be used for CHAP authentication or PAP authentication. The user password should be configured to be displayed in ciphered text (password 7). Note that the 0 | 7 keyword only controls how the password is displayed by show user and in the configuration; the password itself is typed in clear text on the command line in both cases.

Example
! The following example adds a user whose name and password are both Quidway1, with the password displayed in ciphered text.
Quidway(config)#user Quidway1 password 7 Quidway1

Related Command
show user, ppp chap host, ppp pap sent-username

1.18 user service-type


To set the user authentication and authorization service type, use the user service-type command. To return to the default, so as to delete the setting, use the no form of this command.

user user [ service-type { exec | ftp | ppp } ... ]
no user user

Syntax Description
exec: The authorized user can use EXEC, which means the user can log onto the router via Telnet or other methods (such as the Console port, the AUX port or an X.25 PAD call) to make configurations.
ftp: The authorized user can use FTP.
ppp: The authorized user can use PPP.

Default
PPP

Command Mode
Global configuration mode

Usage Guideline
This command can be used together with the user password command. To authorize a single service, configure one of the three service-type keywords, namely exec, ftp or ppp. To authorize more than one service, list all the needed keywords after service-type in one command instead of entering the command several times: a newly configured service type replaces the previous one rather than being added to it, so entering the command twice leaves the user with only the service named last.


Example
! The following example enables the user (username: quidway, password: huawei) to log onto the router to make configurations.
Quidway(config)#user quidway password 7 huawei service-type exec

Related Command
user password, aaa authentication login, aaa authentication ppp

1.19 show aaa user


To show the status of dial-in users, use the show aaa user command.

show aaa user

Command Mode
Privileged user mode.

Usage Guideline
Using the information output by this command, you can monitor dial-in users and diagnose AAA faults.

Example
Quidway#show aaa user
User Name   UserID   UserType   IP Address       AccountingTime   Calling Number
Larry       2        PPP        10.110.10.100    00:48:10         1234567
Total User: 1

The above information shows the username, user id, user type, IP address of the user, accounting time, calling number, etc.

1.20 show user


To show the local user database, use the show user command.

show user

Command Mode
Privileged user mode

Usage Guideline
The information shown by this command includes the usernames and passwords configured for authentication. A password is shown in plain text or in encrypted text according to the 0 | 7 keyword given to the user password command, so the output of this command can contain plain-text credentials and should be treated as sensitive.

Example
Quidway#show user
No.   username   logintimes   failed times
------------------------------------------------------
1     huawei     325          12

The information above shows the username, the number of times local authentication has succeeded for that username, and the number of times authentication has failed because of a wrong password.

1.21 debug radius


To enable RADIUS debugging, use the debug radius command.

debug radius { event | packet | primitive }

Syntax Description
event: Enable RADIUS event debugging.
packet: Enable debugging of RADIUS packets sent and received.
primitive: Enable RADIUS primitive debugging.

Command Mode
Privileged user mode


Chapter 2 Terminal Access Security Configuration Commands


Terminal access security configuration commands include:
- enable password
- login

2.1 enable password


To configure a password for the privileged user, use the enable password command.

enable [ password password ]

Syntax Description
password: Privileged user password, 1 to 16 characters or digits.

Default
None.

Command Mode
Global configuration mode

Usage Guideline
The privileged user password is configured to prevent unauthorized access to privileged mode. If you are going to be away from the terminal for a long time, exit the command line interface with the exit command rather than leaving a privileged session open.

Example
! The following example sets the privileged user password of the router to quidway.
Quidway(config)#enable password quidway

Related Command
enable, disable

2.2 login
To turn on authentication of terminal users, use the login command. To return to the default, so as to turn off authentication of terminal users, use the no form of this command.

login { async | con | hwtty | pad | telnet }
no login { async | con | hwtty | pad | telnet }


Default
Authentication of terminal users is turned off, so until login is enabled for a terminal type, access of that type (for example Telnet) is not authenticated.

Command Mode
Global configuration mode

Usage Guideline
Five kinds of terminal user authentication can be configured to prevent unauthorized access:
- Async terminal user (async): disconnected if authentication fails three times in remote configuration mode.
- Console port terminal user (con): controls login authentication at the Console port and the AUX port; on failure the user is simply prompted to authenticate again, the connection is not dropped.
- Dumb terminal access user (hwtty): the dumb terminal connection is shut down if authentication fails three times.
- Remote X.25 PAD calling user (pad): the X.25 PAD connection is shut down if authentication fails three times.
- Telnet terminal user (telnet): the Telnet connection is shut down if authentication fails three times.

Example
! The following example turns on Telnet terminal user authentication.
Quidway(config)#login telnet

Related Command
aaa-enable, aaa authentication, user callback-dialstring, user calling-station-id, user ftp-directory, user service-type, user password


Chapter 3 Firewall Configuration Commands


Firewall configuration commands include:
- access-list
- clear access-list counters
- firewall
- firewall default
- ip access-group
- settr
- timerange
- show access-list
- show firewall
- show isintr
- show timerange
- debug filter

3.1 access-list
To create an access control list, use the access-list command. To return to the default, so as to delete the specified access control list, use the no form of this command.

1) Creating a standard access control list
access-list [ normal | special ] access-list-number1 { deny | permit } { any | source-addr [ source-wildcard-mask ] }

2) Creating an extended access control list
access-list [ normal | special ] access-list-number2 { deny | permit } protocol { any | source-addr source-wildcard-mask } [ operator port1 [ port2 ] ] { any | destination-addr destination-wildcard-mask } [ operator port1 [ port2 ] ] [ icmp-type [ icmp-code ] ] [ log ]

3) Configuring the matching order of an access control list
access-list [ normal | special ] access-list-number sort [ auto | manual ]

4) Deleting an access control list
no access-list { normal | special } { all | access-list-number [ subitem ] }

Syntax Description
normal: The rule is added to the normal time range.
special: The rule is added to the special time range.
access-list-number1: Serial number of a standard access control list, 1 to 99.
access-list-number2: Serial number of an extended access control list, 100 to 199.
access-list-number: Serial number of a standard or extended access control list, 1 to 199.
permit: Matching packets are permitted.
deny: Matching packets are denied.


protocol: Protocol type, such as ICMP, TCP, UDP or IP; port comparison is available only for TCP and UDP.
source-addr: Source address.
source-wildcard-mask: Wildcard mask for the source address; optional in a standard access control list. When omitted, the wildcard 0.0.0.0 is used, that is, the source address must match exactly.
destination-addr: Destination address.
destination-wildcard-mask: Wildcard mask for the destination address.
operator: Optional port operator, supported when the protocol is TCP or UDP: eq (equal), gt (greater than), lt (less than), neq (not equal) or range. range must be followed by two ports.
port1: Application port number when the protocol is TCP or UDP, 0 to 65535.
port2: Second port number when the protocol is TCP or UDP and the operator is range, 0 to 65535.
icmp-type: Present when the protocol is ICMP; the ICMP message type, given either as a keyword (such as echo-reply) or as a value from 0 to 255.
icmp-code: Present when the protocol is ICMP and a numeric type was given instead of a keyword; the ICMP code, 0 to 255.
sort: Configures the matching order of the access control list.
auto: Rules are sorted automatically by the depth-first precedence rule, that is, the most specific rule is matched first.
manual: Rules are matched in the order in which the user configured them; the rule configured first is matched first.
log: Matching packets are logged.
subitem: Deletes only the rule with this index within access control list access-list-number.

Default
No access control rule

Command Mode
Global configuration mode

Usage Guideline
Configure the matching order of an access control list before configuring its rules. To change the matching order of an existing list to the other mode, delete the rules of that list first, change the matching mode, and then reconfigure the rules in the new mode. Rules that share a serial number form one access control list, and are arranged and selected according to the matching mode; the resulting order can be displayed with the show access-list command. Because the order decides which of two overlapping rules wins, always check it after configuration.


Example
! Deny receiving and transmitting RIP messages, using rule serial number 100.
Quidway(config)#access-list 100 deny udp any any eq rip

! Permit WWW traffic from the hosts on network segment 129.9.0.0 to the hosts on network segment 202.38.160.0, using rule serial number 100.
Quidway(config)#access-list 100 permit tcp 129.9.0.0 0.0.255.255 202.38.160.0 0.0.0.255 eq www

! Using rule serial number 100, deny ICMP host redirect messages sent from network segment 1.1.0.0.
Quidway(config)#access-list 100 deny icmp 1.1.0.0 0.0.255.255 any host-redirect

! Deny connections from the hosts on network segment 129.9.0.0 to the WWW port (80) of the hosts on network segment 202.38.160.0, and log packets that hit the rule, using rule serial number 100.
Quidway(config)#access-list 100 deny tcp 129.9.0.0 0.0.255.255 202.38.160.0 0.0.0.255 eq www log

! Permit connections from the hosts on network segment 129.9.8.0 to the WWW port (80) of the hosts on network segment 202.38.160.0, using rule serial number 100.
Quidway(config)#access-list 100 permit tcp 129.9.8.0 0.0.0.255 202.38.160.0 0.0.0.255 eq www

! Deny Telnet (23) connections from any host to the host whose IP address is 202.38.160.1, using rule serial number 101.
Quidway(config)#access-list 101 deny tcp any 202.38.160.1 0.0.0.0 eq telnet

! Deny UDP (User Datagram Protocol) traffic from the hosts on network segment 129.9.8.0 to ports greater than 128 on the hosts on network segment 202.38.160.0.
Quidway(config)#access-list 102 deny udp 129.9.8.0 0.0.0.255 202.38.160.0 0.0.0.255 gt 128

! The following example permits WWW access from source network 10.1.1.0 to destination network 10.1.2.0 and denies FTP between them.
Quidway(config)#access-list 100 permit tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq www
Quidway(config)#access-list 100 deny tcp 10.1.1.0 0.0.0.255 10.1.2.0 0.0.0.255 eq ftp

Note that the deny rule for 129.9.0.0/16 and the permit rule for 129.9.8.0/24 in list 100 overlap: in manual mode the rule configured first is matched first, so a host in 129.9.8.0 is denied; in auto mode the more specific /24 rule is matched first, so the same host is permitted.
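The matching semantics described in this section (wildcard masks, the port operators, manual versus auto ordering, per-rule counters, and the default action when nothing matches) can be modelled in a few dozen lines. The following is an added example written for this page, not VRP or Huawei code; the rule and packet values are constructed from the examples above, and the "auto" ordering is approximated as most-specific-first, which is an assumption about how the depth-first precedence rule ranks overlapping rules.

```python
"""Packet filter model for the access-list rules shown above.

Added example, not VRP code. It implements the semantics the command
reference describes: wildcard-mask address matching, the eq/gt/lt/neq/range
port operators, per-rule match counters (as in show access-list),
'sort manual' (first configured rule that matches wins) versus 'sort auto'
(most specific rule first, an assumption about the depth-first rule), and
the 'firewall default' action when no rule matches. Rules and packets are
constructed from the page's examples."""
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

ANY = ("0.0.0.0", "255.255.255.255")   # 'any' == address 0.0.0.0, wildcard all ones


def wildcard_match(addr: str, rule_addr: str, wildcard: str) -> bool:
    """A wildcard mask is the inverse of a netmask: a 1 bit means 'don't care'."""
    care = 0xFFFFFFFF ^ int(ipaddress.IPv4Address(wildcard))
    return int(ipaddress.IPv4Address(addr)) & care == int(ipaddress.IPv4Address(rule_addr)) & care


def port_match(port: Optional[int], op: Optional[str], p1: Optional[int], p2: Optional[int]) -> bool:
    """Port operators exist only for TCP/UDP; no operator means any port."""
    if op is None:
        return True
    if port is None:
        return False
    if op == "range":
        return p1 <= port <= p2
    return {"eq": port == p1, "neq": port != p1, "gt": port > p1, "lt": port < p1}[op]


@dataclass
class Rule:
    action: str                         # "permit" or "deny"
    proto: str                          # "tcp", "udp", "icmp" or "ip" (any protocol)
    src: Tuple[str, str] = ANY          # (address, wildcard)
    dst: Tuple[str, str] = ANY
    sport: Tuple[Optional[str], Optional[int], Optional[int]] = (None, None, None)
    dport: Tuple[Optional[str], Optional[int], Optional[int]] = (None, None, None)
    matches: int = 0                    # counter of the kind show access-list displays

    def specificity(self) -> int:
        """Fixed address bits plus port qualifiers; larger = more specific."""
        fixed = lambda wc: 32 - bin(int(ipaddress.IPv4Address(wc))).count("1")
        return (fixed(self.src[1]) + fixed(self.dst[1])
                + (self.sport[0] is not None) + (self.dport[0] is not None))

    def hit(self, pkt: dict) -> bool:
        if self.proto != "ip" and self.proto != pkt["proto"]:
            return False
        return (wildcard_match(pkt["src"], *self.src)
                and wildcard_match(pkt["dst"], *self.dst)
                and port_match(pkt.get("sport"), *self.sport)
                and port_match(pkt.get("dport"), *self.dport))


@dataclass
class AccessList:
    number: int
    sort: str = "manual"                # "manual" or "auto"
    rules: List[Rule] = field(default_factory=list)

    def ordered(self) -> List[Rule]:
        if self.sort == "auto":
            # most specific first; sorted() is stable, so ties keep configuration order
            return sorted(self.rules, key=lambda r: -r.specificity())
        return self.rules

    def filter(self, pkt: dict, default: str = "permit") -> str:
        """Action of the first matching rule, else the 'firewall default' action."""
        for rule in self.ordered():
            if rule.hit(pkt):
                rule.matches += 1
                return rule.action
        return default


def page_rules() -> List[Rule]:
    """The two overlapping rules from the examples above, in configuration order:
    deny tcp 129.9.0.0 0.0.255.255 202.38.160.0 0.0.0.255 eq www, then
    permit tcp 129.9.8.0 0.0.0.255 202.38.160.0 0.0.0.255 eq www."""
    return [
        Rule("deny", "tcp", ("129.9.0.0", "0.0.255.255"), ("202.38.160.0", "0.0.0.255"), dport=("eq", 80, None)),
        Rule("permit", "tcp", ("129.9.8.0", "0.0.0.255"), ("202.38.160.0", "0.0.0.255"), dport=("eq", 80, None)),
    ]


def demo() -> dict:
    # constructed packets: a web request from 129.9.8.0/24 and an unrelated DNS query
    web = {"proto": "tcp", "src": "129.9.8.7", "dst": "202.38.160.1", "sport": 40000, "dport": 80}
    other = {"proto": "udp", "src": "10.0.0.1", "dst": "202.38.160.1", "sport": 5000, "dport": 53}
    manual = AccessList(100, "manual", page_rules())
    auto = AccessList(100, "auto", page_rules())
    return {
        "manual": manual.filter(web),        # deny: the broader rule was configured first
        "auto": auto.filter(web),            # permit: the /24 rule is more specific
        "unmatched_default_deny": auto.filter(other, default="deny"),
        "manual_counters": [r.matches for r in manual.rules],
    }
```

The same two rules give opposite answers in the two sort modes, which is why the usage guideline insists on choosing the matching order before entering rules and on deleting the rules before changing it.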

Related Command
ip access-group


3.2 clear access-list counters


To clear the counters of access control list rules, use the clear access-list counters command.

clear access-list counters [ access-list-number ]

Syntax Description
access-list-number: Serial number of the access rules whose counters are to be cleared. If not specified, the counters of all access rules are cleared.

Default
No clear access-list counters.

Command Mode
Privileged user mode

Usage Guideline
This command clears the match counters of the access rules currently in service. If no rule number is specified, the counters of all access rules are cleared. Clearing the counters before a test makes the subsequent show access-list output reflect only the traffic you are observing.

Example
! The following example clears the counters of all the access rules whose serial number is 100.
Quidway#clear access-list counters 100

! The following example clears the counters of all the access rules currently in service.
Quidway#clear access-list counters

Related Command
access-list

3.3 firewall
To enable or disable the firewall, use the firewall command.

firewall { enable | disable }

Syntax Description
enable: Enables the firewall.
disable: Disables the firewall.

Default
Firewall disable


Command Mode
Global configuration mode

Usage Guideline
This command enables or disables the firewall; the result can be displayed with the show firewall command. It is the master switch of the firewall: while it is disabled, no access rules are applied, and if time-range packet filtering is in use it is disabled together with the firewall. When the firewall disable command is used to shut down the firewall, the firewall statistics are deleted at the same time.

Example
! The following example enables the firewall.
Quidway(config)#firewall enable

Related Command
access-list, ip access-group

3.4 firewall default


To configure the default filter action used when no access rule matches, use the firewall default command.

firewall default { permit | deny }

Syntax Description
permit: The default filter action is permit.
deny: The default filter action is deny.

Default
permit

Command Mode
Global configuration mode

Usage Guideline
If none of the access rules applied to the interface decides whether a packet is permitted or denied, the default filter action applies: with permit the packet passes, with deny it is dropped. Because the factory default is permit, an interface whose list does not cover some traffic lets that traffic through; configure firewall default deny if the filter is meant to be fail-closed, and then add explicit permit rules for the traffic you need.

Example
! The following example sets the default filter action to permit.
Quidway(config)#firewall default permit


3.5 ip access-group
To apply access rules to an interface, use the ip access-group command. To return to the default, so as to delete the corresponding setting, use the no form of this command.

ip access-group access-list-number { in | out }
no ip access-group access-list-number { in | out }

Syntax Description
access-list-number: Serial number of the access control list, 1 to 199.
in: The access rules filter packets received on the interface.
out: The access rules filter packets sent from the interface.

Default
no ip access-group.

Command Mode
Interface configuration mode.

Usage Guideline
This command applies access rules to an interface. To filter packets received on the interface, use the keyword in; to filter packets forwarded out of the interface, use the keyword out. If no direction is specified, out is assumed. At most 20 access control lists can be applied in one direction of an interface; they are consulted in ascending order of priority. Packet filtering stops at the first rule that decides the packet, so to keep filtering fast, place the rules that belong to the same network in the access control list with the same number. Within an access control list, the arrangement of rules and the selection order can be displayed with the show access-list command.

Example
! The following example applies access control list 101 to filter packets received on the Ethernet interface.
Quidway(config-if-Ethernet0)#ip access-group 101 in

Related Command
access-list

3.6 settr
To set a special time range, use the settr command. To return to the default, so as to delete the special time ranges, use the no form of this command.

settr { begin-time end-time }...
no settr

Syntax Description
begin-time: Begin time of the special time range, in hh:mm format.
end-time: End time of the special time range, in hh:mm format; it must be later than the begin time.

Default
No settr, that is, all are set to normal time ranges.

Command Mode
Global configuration mode

Usage Guideline
This command sets the special time ranges. At most six time ranges can be set at the same time; they can be displayed with the show timerange command. If a time range currently in use is modified, the modification takes effect within a minute (the interval at which the system polls the time range). Time ranges use the 24-hour clock, and an end time must be later than its begin time, so a range that crosses midnight is written as two ranges: for 9 pm to 8 am, use settr 21:00 23:59 0:00 8:00. Because both ends of a range belong to it, the minute 23:59 and the minute 0:00 are both covered and no switch to the normal rules takes place in between. In addition, this setting has withstood the Y2K test.

Example
! The following example sets the special time ranges 8:30 - 12:00 and 14:00 - 17:00.
Quidway(config)#settr 8:30 12:00 14:00 17:00

Related Command
timerange, show timerange

3.7 timerange
To enable or disable the time-range packet filter function, use the timerange command.

timerange { enable | disable }

Syntax Description
enable: Enables the time-range packet filter function.
disable: Disables the time-range packet filter function.

Default
Timerange disable.


Command Mode
Global configuration mode

Usage Guideline
This command enables or disables the time-range filter function. The result can be displayed with the show firewall command or the show timerange command. When the function is enabled, the system decides from the current time and the configured time ranges whether the access rules inside the time range (special) or outside it (normal) are used. The time is polled at a precision of one minute, and both ends of a time range belong to the range.

Example
! The following example enables the time-range packet filter function.
Quidway(config)#timerange enable
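The settr and timerange sections above describe a small but error-prone piece of logic: inclusive range ends, one-minute polling, the rule that an end time must be later than the begin time, and the two-range trick for a window that crosses midnight. The following added example, written for this page and not VRP or Huawei code, implements that logic and the decision show isintr reports; the range strings are the page's own, and the minute-granularity comparison is an assumption about how the router's one-minute polling behaves.

```python
"""Time-range evaluation for the settr / timerange / show isintr commands.

Added example, not VRP code. It parses the begin-time end-time pairs given
to settr (at most six, end later than begin, 24-hour hh:mm), treats both ends
of each range as belonging to it, compares at one-minute precision (an
assumption matching the documented polling interval), and answers what
show isintr answers: is the current time inside a special range, and so
which rule set (special or normal) the firewall consults."""
from datetime import time
from typing import List, Tuple

MAX_RANGES = 6


def _minutes(hhmm: str) -> int:
    h, m = (int(x) for x in hhmm.split(":"))
    if not (0 <= h <= 23 and 0 <= m <= 59):
        raise ValueError(f"bad time {hhmm!r}, expected hh:mm in 24-hour form")
    return h * 60 + m


def parse_settr(args: str) -> List[Tuple[int, int]]:
    """'8:30 12:00 14:00 17:00' -> [(510, 720), (840, 1020)] (minutes since midnight)."""
    fields = args.split()
    if not fields or len(fields) % 2 or len(fields) // 2 > MAX_RANGES:
        raise ValueError("settr takes 1 to 6 begin-time end-time pairs")
    ranges = []
    for begin, end in zip(fields[0::2], fields[1::2]):
        b, e = _minutes(begin), _minutes(end)
        if e <= b:
            raise ValueError(f"end time {end} must be later than begin time {begin}")
        ranges.append((b, e))
    return ranges


def is_in_timerange(ranges: List[Tuple[int, int]], now: time) -> bool:
    """Both ends are inclusive; seconds are ignored, matching one-minute polling."""
    t = now.hour * 60 + now.minute
    return any(b <= t <= e for b, e in ranges)


def select_rule_set(timerange_enabled: bool, ranges: List[Tuple[int, int]], now: time) -> str:
    """'special' rules apply inside a range while timerange is enabled, else 'normal'."""
    return "special" if timerange_enabled and is_in_timerange(ranges, now) else "normal"


# 9 pm to 8 am, written as two ranges so that 23:59 and 0:00 are both covered.
OVERNIGHT = parse_settr("21:00 23:59 0:00 8:00")
```

With the overnight ranges, 23:59:30 and 00:00:00 both evaluate as inside the range, which is the property the usage guideline relies on when it says no switching takes place across midnight.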

Related Command
settr, show timerange

3.8 show access-list


To show packet filter rules and their application to interfaces, use the show access-list command.

show access-list [ all | access-list-number | interface type number ]

Syntax Description
all: Show all rules, including the access rules of both the normal and the special time ranges.
access-list-number: Show the rules of the access control list with this number among the lists currently in use.
interface: Show the serial numbers of the access rules applied to an interface.
type: Type of the interface.
number: Number of the interface.

Command Mode
Privileged user mode

Usage Guideline
This command shows the specified rules and the packets filtered by each of them. Each rule has a counter that is increased by one for every packet the rule decides. By observing the counters you can see which of the configured rules are actually hit and which are never used, which also reveals rules that are shadowed by an earlier or more specific rule.


Example
! The following example shows the rules in use with serial number 100.
Quidway#show access-list 100
Using normal packet-filtering access rules now.
100 deny icmp 10.1.0.0 0.0.255.255 any host-redirect (3 matches, 252 bytes -- rule 1)
100 permit icmp 10.1.0.0 0.0.255.255 any echo (no matches -- rule 2)
100 deny udp any any eq rip (no matches -- rule 3)

! The following example shows the rules applied to Serial0.
Quidway#show access-list interface serial 0
Serial0:
access-list filtering In-bound packets : 120
access-list filtering Out-bound packets: None

Related Command
access-list

3.9 show firewall


To show the status of the firewall, use the show firewall command.

show firewall

Command Mode
Privileged user mode

Usage Guideline
This command is used to show the status of the firewall, for example, whether the firewall is enabled or not, the timerange packet filtering is enabled or not when the firewall is enabled, and some statistics about the firewall.

Example
! The following example shows the status of the firewall.
Quidway#show firewall
Firewall is enable, default filtering method is 'permit'.
TimeRange packet-filtering enable.
InBound packets: None;
OutBound packets: From 00:13:02 to 06:13:21:
    0 packets, 0 bytes, 0% permitted,
    0 packets, 0 bytes, 0% denied,
    packets, 104 bytes, 100% permitted defaultly,
    0 packets, 0 bytes, 100% denied defaultly.

Related Command
firewall


3.10 show isintr


To show whether the current time is within a special time range, use the show isintr command.

show isintr

Command Mode
Privileged user mode

Usage Guideline
This command is used to show if the current time is within the set special timerange.

Example
! The following example shows whether the current time is within a special time range.
Quidway#show isintr
It is NOT in time ranges now.

The information above shows that the current time is not within the special timerange.

Related Command
timerange, settr

3.11 show timerange


To show information about time-range packet filtering, use the show timerange command.

show timerange

Command Mode
Privileged user mode

Usage Guideline
This command is used to show if timerange packet filtering is currently enabled, and to show the set timerange.

Example
! The following example shows information about time-range packet filtering.
Quidway#show timerange
TimeRange packet-filtering enable.
beginning of time range:
01:00 - 02:00
03:00 - 04:00
end of time range.


Related Command
timerange, settr

3.12 debug filter


To enable firewall debugging, use the debug filter command. To disable the corresponding firewall debugging, use the no form of this command.

debug filter { all | icmp | tcp | udp }
no debug filter { all | icmp | tcp | udp }

Syntax Description
all: Enable all firewall debugging.
icmp: Enable debugging of ICMP packets sent and received by the firewall.
tcp: Enable firewall debugging for the TCP protocol.
udp: Enable firewall debugging for the UDP protocol.

Command Mode
Privileged user mode


Chapter 4 IPSec Configuration Commands


IPSec configuration commands include:
- ah-new hash
- clear crypto sa
- clear crypto statistics
- crypto ipsec sa lifetime
- crypto ipsec transform
- crypto map (global mode)
- crypto map (interface mode)
- esp-new encrypt
- esp-new hash
- match address
- mode
- set local-address
- set peer
- set sa lifetime
- set session-key
- set transform
- transform
- show crypto ipsec sa
- show crypto ipsec sa lifetime
- show crypto ipsec statistic
- show crypto ipsec transform
- show crypto map
- debug ipsec

4.1 ah-new hash


To set the authentication algorithm used by AH, use the ah-new hash command. To return to the default, use the no form of this command.

ah-new hash { md5-hmac-96 | sha1-hmac-96 }
no ah-new hash

Syntax Description
md5-hmac-96: HMAC-MD5 is used.
sha1-hmac-96: HMAC-SHA-1 is used.

Default
md5-hmac-96, that is the MD5 authentication algorithm.

Command Mode
IPSec transform configuration mode


Usage Guideline
AH has no encryption function; it is responsible only for packet authentication. HMAC authenticates a message with a cryptographic hash function keyed by a secret, and so provides an integrity check that depends on that secret key. The HMAC construction is a framework into which different hash functions, such as SHA-1 and MD5, can be inserted, so as to implement data origin authentication and integrity protection and to ensure that data are not modified in transit. The -96 suffix of both algorithm names indicates that the authenticator carried in the AH header is the HMAC output truncated to its first 96 bits. sha1-hmac-96 processes data in 64-byte blocks and produces a 160-bit HMAC value; its security rests first on the HMAC construction and then on the SHA-1 algorithm. md5-hmac-96 also processes data in 64-byte blocks and produces a 128-bit HMAC value; its security rests first on the HMAC construction and then on the MD5 algorithm. By comparison, MD5 is faster than SHA-1, while SHA-1 is more secure than MD5. The IPSec transform sets used by the crypto maps at both ends of the security tunnel must be configured with the same authentication algorithm; otherwise every packet fails authentication at the receiver.

Example
! The following example sets an IPSec transform set using AH with SHA-1.
Quidway(config)#crypto ipsec transform trans1
Quidway(config-crypto-transform-trans1)#transform ah-new
Quidway(config-crypto-transform-trans1)#ah-new hash sha1-hmac-96
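To make concrete what md5-hmac-96 and sha1-hmac-96 compute, the following added example (written for this page, not VRP or Huawei code) derives the 96-bit AH authenticator from a full HMAC as RFC 2403 and RFC 2404 specify, verifies it in constant time, and shows why the two ends must agree on the algorithm. The key and the authenticated bytes are constructed for illustration and are not real SA material; the code does not build real AH headers, it only shows the authenticator arithmetic.

```python
"""HMAC-96 authenticator as used by AH with md5-hmac-96 and sha1-hmac-96.

Added example, not VRP code. RFC 2403 (HMAC-MD5-96) and RFC 2404
(HMAC-SHA-1-96) compute a full HMAC over the authenticated data and carry
only the first 96 bits (12 bytes) in the AH header as the ICV. The key and
the authenticated bytes below are constructed for illustration; no real SA
or key material is involved."""
import hashlib
import hmac

ICV_LEN = 12  # the "-96" in the algorithm name: 96 bits of authenticator

ALGORITHMS = {"md5-hmac-96": hashlib.md5, "sha1-hmac-96": hashlib.sha1}


def ah_icv(algorithm: str, key: bytes, data: bytes) -> bytes:
    """Truncated HMAC over the bytes AH authenticates (immutable IP header
    fields, the AH header with the ICV field zeroed, and the payload)."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown ah-new hash {algorithm}")
    return hmac.new(key, data, ALGORITHMS[algorithm]).digest()[:ICV_LEN]


def verify_icv(algorithm: str, key: bytes, data: bytes, icv: bytes) -> bool:
    """The receiver recomputes with its own SA parameters and compares in constant time."""
    return hmac.compare_digest(ah_icv(algorithm, key, data), icv)


def demo() -> dict:
    key = b"constructed-example-key-not-real-sa-key"            # constructed
    data = bytes.fromhex("45000054000100004001") + b"example payload"  # constructed
    icv = ah_icv("sha1-hmac-96", key, data)        # sender configured sha1-hmac-96
    return {
        "icv": icv,
        "same_algorithm": verify_icv("sha1-hmac-96", key, data, icv),
        # both ends must use the same hash: a receiver configured for md5 rejects it
        "mismatched_algorithm": verify_icv("md5-hmac-96", key, data, icv),
        "tampered": verify_icv("sha1-hmac-96", key, data[:-1] + b"!", icv),
    }
```

The RFC 2202 HMAC test vectors ("Hi There" under a key of twenty or sixteen 0x0b bytes) give HMAC-SHA-1 b617318655057264e28bc0b6fb378c8ef146be00 and HMAC-MD5 9294727a3638bb1c13f48ef8158bfc9d; the AH authenticators are simply their first 12 bytes.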

Related Command
crypto ipsec transform, set transform, set session-key, transform

4.2 clear crypto sa


To delete a security association (SA), use the clear crypto sa command.

clear crypto sa { all | peer ip-address | map map-name [ map-number ] | entry dest-address protocol spi }

Syntax Description
all: Delete all SAs.
peer: Delete the SAs whose peer address is ip-address.
ip-address: Peer address, in the form A.B.C.D.
map: Delete the SAs of the crypto map group named map-name, or of the single crypto map whose serial number is map-number.
map-name: Name of the crypto map group.
map-number: Serial number of the crypto map within the group.
entry: Delete the single SA identified by destination address, protocol and SPI.
dest-address: Destination IP address, in the form A.B.C.D.
protocol: Security protocol, given as the keyword ah or esp (case insensitive).
spi: Security parameter index, 256 to 4294967295.

Command Mode
Privileged user mode

Usage Guideline
This command deletes an SA that has already been set up, whether manually or through IKE negotiation. If an SA set up through IKE negotiation is deleted and a packet triggers IKE again, IKE re-establishes the SA by negotiation. If a manually configured SA is deleted, the system sets up a new SA from the manually configured parameters. To prevent the system from setting up a new SA, delete some of the parameters configured in the manual-mode crypto map: if the parameters in the map are incomplete, the manual SA is not created.

Example
! The following example deletes all SAs.
Quidway#clear crypto sa all

! The following example deletes the SAs whose peer IP address is 10.1.1.2.
Quidway#clear crypto sa peer 10.1.1.2

! The following example deletes the SAs of map1.
Quidway#clear crypto sa map map1

! The following example deletes the SA whose destination IP address is 10.1.1.2, security protocol is AH, and SPI is 10000.
Quidway#clear crypto sa entry 10.1.1.2 ah 10000

Related Command
show crypto ipsec sa

4.3 clear crypto statistics


To clear IPSec message statistics, use the clear crypto statistics command. clear crypto statistics

Command Mode
Privileged user mode

Usage Guideline
Clear IPSec message statistics, and all the statistics are set to zero.

Example
! The following example clears the IPSec message statistics.
Quidway#clear crypto statistics

Related Command
show crypto ipsec statistics

4.4 crypto ipsec sa lifetime


To set the global crypto SA lifetime, use the crypto ipsec sa lifetime command. To return to the default, use the no form of this command.

crypto ipsec sa lifetime { seconds seconds | kilobytes kilobytes }
no crypto ipsec sa lifetime { seconds | kilobytes }

Syntax Description
seconds: Global crypto lifetime in seconds, 30 to 4294967295.
kilobytes: Global crypto lifetime in kilobytes, 256 to 4194303.

Default
seconds: 3600 seconds (1 hour).
kilobytes: 1843200 kilobytes.

Command Mode
Global configuration

Usage Guideline
This command changes the global SA lifetime. All SAs whose lifetime has not been configured individually in crypto map mode use this global lifetime. When IKE negotiates an SA for IPSec, the lesser of the locally configured lifetime and the lifetime proposed by the peer is selected. There are two kinds of lifetime, time-based and traffic-based, and the SA becomes invalid as soon as either of them expires. Before an SA is about to expire, IKE negotiates a new SA for IPSec, so that a new SA is ready before the existing one becomes invalid. Modifying the global lifetime affects neither a crypto map that has set its own lifetime nor an SA that has already been set up; the modified global lifetime is used for SAs set up by later IKE negotiations. The keys of an SA are invalidated together with the SA. A short lifetime makes it harder for an attacker to recover the keys, because less data is encrypted under the same key; on the other hand, a short lifetime costs more CPU time for setting up new SAs.


The lifetime does not function for an SA manually set up, that is, the SA manually set up will never be invalidated.

Example
! The following example sets the global SA lifetime to 2 hours.
Quidway(config)#crypto ipsec sa lifetime seconds 7200
! The following example sets the global crypto SA lifetime to 10M bytes transmitted.
Quidway(config)#crypto ipsec sa lifetime kilobytes 10000

Related Command
set sa lifetime, show crypto ipsec sa lifetime

4.5 crypto ipsec transform


To create or modify a transform set named transform-name, and enter the crypto transform configuration mode, use the crypto ipsec transform command. To return to the default, so as to delete the specified transform set, use the no form of this command.
crypto ipsec transform transform-name
no crypto ipsec transform

Syntax Description
transform-name Name of the specified transform set.

Command Mode
Global configuration mode

Usage Guideline
A transform set is a combination of the security protocol, algorithm and packet encapsulation mode used to implement IPSec protection. A crypto map determines the protocol, algorithm and encapsulation mode it adopts through the transform set, so the transform set must already exist before a crypto map can use it. The transform sets adopted by the crypto maps at both ends of the security tunnel must specify the same protocol, algorithm and encapsulation mode. An SA set up manually can use only one transform set; an SA set up through IKE negotiation can use up to six transform sets, and IKE negotiation searches for a transform set that matches completely at both ends of the security tunnel.

Example
! The following example sets a transform set whose name is newtrans1.
Quidway(config)#crypto ipsec transform newtrans1

Related Command
ah-new hash, esp-new encrypt, esp-new hash, mode, set transform, show crypto ipsec transform, transform

4.6 crypto map (global mode)


To create or modify a crypto map, and enter the crypto map configuration mode, use the crypto map command. To return to the default, so as to delete the specified crypto map, use the no form of this command.
crypto map map-name seq-num [ manual | isakmp ]
no crypto map map-name [seq-num]

Syntax Description
map-name Name of the crypto map. Ranging 1 to 30 characters.
seq-num Sequence number of the crypto map. Ranging 0 to 10000.
manual Set up SA manually.
isakmp Set up SA through IKE negotiation.

Default
No crypto map

Command Mode
Global configuration mode

Usage Guideline
This command is used to create or modify a crypto map. To create a crypto map, the negotiation mode (manual or isakmp) must be specified; to modify an existing crypto map, it need not be. Once a crypto map is created, its negotiation mode cannot be changed: for example, a crypto map created in manual mode cannot be switched to isakmp mode, and must be deleted before a new one can be created.

Crypto maps with the same name constitute a crypto map group. The name and sequence number together identify a unique crypto map. A crypto map group can hold at most 100 crypto maps, and within a group the smaller the sequence number of a crypto map, the higher its preference. Applying a crypto map group at an interface applies all the crypto maps in the group, so that different data streams can be protected with different SAs.

The no crypto map map-name command deletes a crypto map whose name is map-name; the no crypto map map-name seq-num command deletes the crypto map whose name is map-name and whose sequence number is seq-num. A crypto map cannot be deleted while IKE is setting up an SA for it.


If a crypto map is the only one in a crypto map group and this group has been applied at the interface, then this group must be deleted from the interface (no more applied at this interface) before the crypto map can be deleted.

Example
! The following example sets a crypto map whose name is newmap1, sequence number is 100, and negotiation mode is isakmp.
Quidway(config)#crypto map newmap1 100 isakmp

Related Command
crypto map (interface mode), match address, set local-address, set peer, set sa lifetime, set session-key, set transform, show crypto map

4.7 crypto map (interface mode)


To apply a crypto map group at the interface, use the crypto map command. To cancel the crypto map group, use the no form of this command.
crypto map map-name
no crypto map

Syntax Description
map-name Specify the name of a crypto map group applied at the interface.

Command Mode
Interface configuration mode

Usage Guideline
Only one crypto map group can be applied at an interface, and a crypto map group can be applied at only one interface.

When a packet is sent from the interface, the crypto maps in the group are searched in ascending order of sequence number. If the packet matches the access control list used by a crypto map, that crypto map is used to process the packet; otherwise the search continues with the next crypto map. If the packet matches none of the access control lists used by the crypto maps, it is transmitted directly, that is, without IPSec protection. To prevent unencrypted packets from leaving the interface, use the firewall together with IPSec, with the firewall dropping all packets that are not selected for encryption.

The crypto map group applied at the interface must be removed before another group can be applied there.

Example
! The following example applies a crypto map whose name is map1 at Serial 0.
Quidway(config)#crypto map map1 100 manual
Quidway(config)#interface serial 0
Quidway(config-if-Serial0)#crypto map map1

Related Command
crypto map (global mode)

4.8 esp-new encrypt


To set the encryption algorithm adopted by ESP, use the esp-new encrypt command. To set the encryption algorithm to vacant, use the no form of this command.
esp-new encrypt { 3des | des | blowfish | cast | skipjack }
no esp-new encrypt

Syntax Description
des, 3des, blowfish, cast, skipjack Encryption algorithms popular all over the world.

Default
des, that is, data encryption standard algorithm.

Command Mode
IPSec transform configuration mode

Usage Guideline
3des meets high confidentiality and security requirements but is comparatively slow; the other algorithms satisfy ordinary security requirements. ESP can encrypt and authenticate a packet at the same time, or do only one of the two. The encryption and authentication algorithms used by ESP cannot both be set to vacant.

Example
! The following example sets 3des.
Quidway(config)#crypto ipsec transform trans1
Quidway(config-crypto-transform-trans1)#transform esp-new
Quidway(config-crypto-transform-trans1)#esp-new encrypt 3des

Related Command
crypto ipsec transform, esp-new hash, set transform, set session-key, transform


4.9 esp-new hash


To set the authentication algorithm used by ESP, use the esp-new hash command. To return to the default, use the no form of this command.
esp-new hash { md5-hmac-96 | sha1-hmac-96 }
no esp-new hash

Syntax Description
md5-hmac-96 Sets MD5.
sha1-hmac-96 Sets SHA-1.

Default
Default is md5-hmac-96, that is, MD5.

Command Mode
IPSec transform configuration mode

Usage Guideline
The HMAC algorithm authenticates a message with a cryptographic hash function keyed by a secret key, providing key-based integrity checking. HMAC offers a framework into which various hash functions, such as SHA-1 and MD5, can be inserted to implement data origin authentication and integrity protection, ensuring that data is not modified in transit.

The sha1-hmac-96 algorithm operates on 64-byte data blocks and produces a 160-bit authentication value; security is provided mainly by HMAC and then by the SHA-1 algorithm. The md5-hmac-96 algorithm also operates on 64-byte data blocks and produces a 128-bit authentication value; security is provided mainly by HMAC and then by the MD5 algorithm. By comparison, MD5 is faster than SHA-1, while SHA-1 is more secure than MD5.

ESP can encrypt and authenticate a packet at the same time, or do only one of the two. The encryption and authentication algorithms used by ESP cannot both be set to vacant. no esp-new hash does not restore the default authentication algorithm; it sets the authentication algorithm to vacant, i.e. no authentication. When the encryption algorithm is vacant, the no esp-new hash command is invalid.

The transform sets used by the crypto maps at both ends of the security tunnel must specify the same authentication algorithm.

Example
! The following example sets a transform set that adopts ESP, is not encrypted, and uses sha1.
Quidway(config)#crypto ipsec transform trans1
Quidway(config-crypto-transform-trans1)#transform esp-new
Quidway(config-crypto-transform-trans1)#esp-new hash sha1-hmac-96
Quidway(config-crypto-transform-trans1)#no esp-new encrypt

Related Command
crypto ipsec transform, esp-new encrypt, set transform, set session-key, transform
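The "-96" in both keywords means the HMAC output is truncated to its leftmost 96 bits (12 bytes) before being placed in the packet as the ICV. The following example is added here and is not part of the manual: it computes and verifies such an ICV with Python's hmac module, using the hex-key lengths listed under set session-key (16 bytes for MD5, 20 bytes for SHA1); the sample keys and message are the RFC 2202 test vectors, and the payload in the demonstration is constructed.

```python
import hashlib
import hmac

# Both ESP/AH authentication options on this page end in "-96": the HMAC
# output is truncated to its leftmost 96 bits (12 bytes) to form the ICV.
ICV_LEN = 12

# Hash function and raw key length per algorithm keyword; the key lengths are
# the hex-key sizes listed under "set session-key" (MD5 16 bytes, SHA1 20 bytes).
ALGORITHMS = {
    "md5-hmac-96": (hashlib.md5, 16),
    "sha1-hmac-96": (hashlib.sha1, 20),
}


def compute_icv(algorithm: str, key: bytes, data: bytes) -> bytes:
    """Return the 96-bit ICV that `algorithm` attaches to `data`."""
    if algorithm not in ALGORITHMS:
        raise ValueError(f"unknown authentication algorithm: {algorithm}")
    hash_fn, key_len = ALGORITHMS[algorithm]
    if len(key) != key_len:
        raise ValueError(f"{algorithm} needs a {key_len}-byte key, got {len(key)}")
    return hmac.new(key, data, hash_fn).digest()[:ICV_LEN]


def verify_icv(algorithm: str, key: bytes, data: bytes, icv: bytes) -> bool:
    """Receiver side: recompute the ICV and compare it in constant time."""
    if len(icv) != ICV_LEN:
        return False
    return hmac.compare_digest(compute_icv(algorithm, key, data), icv)


def parse_hex_key(hex_key: str) -> bytes:
    """Convert a hex-key-string / authen-hex value as typed on the CLI into raw bytes."""
    return bytes.fromhex(hex_key)


if __name__ == "__main__":
    # Constructed demonstration with the 16-byte MD5 key from the manual's
    # set session-key example; both ends must share algorithm and key.
    key = parse_hex_key("11223344556677889900112233445566")
    payload = b"constructed ESP payload"
    icv = compute_icv("md5-hmac-96", key, payload)
    print(icv.hex(), verify_icv("md5-hmac-96", key, payload, icv))
    # Any change to the protected bytes makes verification fail.
    print(verify_icv("md5-hmac-96", key, payload + b"x", icv))
```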

4.10 match address


To set an access control list used by the crypto map, use the match address command. To return to the default, so as to delete the access control list used by the crypto map, use the no form of this command.
match address access-list-number
no match address

Syntax Description
access-list-number Specify the number of the access control list used by the crypto map. Ranging 1 to 199.

Default
No match address.

Command Mode
Crypto map configuration mode

Usage Guideline
The access-list command is used to define the rules in an access control list. According to these rules, IPSec determines which packets need security protection and which do not: a packet permitted by the access control list is protected, and a packet denied by it is not. The access control list used by the crypto map does not decide which packets are permitted or denied at an interface; only an access control list applied directly at the interface makes that decision.

Example
! The following example sets the crypto map as using access control list 101.
Quidway(config)#access-list 101 permit tcp 10.1.1.1 0.0.0.255 10.1.1.2 0.0.0.255
Quidway(config)#access-list 101 deny ip any any
Quidway(config)#crypto map beijing 100 manual
Quidway(config-crypto-map-beijing-100)#match address 101

Related Command
crypto map (global mode), crypto map (interface mode), set local-address, set peer, set sa lifetime, set session-key, set transform
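The crypto map group walk described under crypto map (interface mode) and the permit/deny selection described under match address can be modelled together. The following example is added here and is not the router's code: it evaluates wildcard-mask ACL rules first-match, walks a crypto map group in ascending sequence order, and reports whether an outbound packet is protected, sent in cleartext, or dropped by the extra firewall rule the manual recommends. It assumes a packet matching no ACL rule is denied (consistent with the explicit deny ip any any in the manual's example); the configuration and packets are constructed.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import Dict, List, Optional


@dataclass(frozen=True)
class AclRule:
    action: str        # "permit" or "deny"
    protocol: str      # "ip" matches every protocol; otherwise "tcp", "udp", ...
    src: str           # dotted address, or "any"
    src_wildcard: str  # wildcard mask: 0 bits must match, 1 bits are ignored
    dst: str
    dst_wildcard: str


@dataclass(frozen=True)
class Packet:
    protocol: str
    src: str
    dst: str


@dataclass(frozen=True)
class CryptoMap:
    name: str   # crypto maps sharing a name form one group
    seq: int    # lower sequence number = higher preference
    acl: int    # access-list-number given with "match address"


def _addr_matches(addr: str, rule_addr: str, wildcard: str) -> bool:
    if rule_addr == "any":
        return True
    care = 0xFFFFFFFF ^ int(IPv4Address(wildcard))
    return int(IPv4Address(addr)) & care == int(IPv4Address(rule_addr)) & care


def acl_permits(rules: List[AclRule], pkt: Packet) -> bool:
    """First matching rule decides; no match is treated as deny (assumption)."""
    for rule in rules:
        if rule.protocol not in ("ip", pkt.protocol):
            continue
        if (_addr_matches(pkt.src, rule.src, rule.src_wildcard)
                and _addr_matches(pkt.dst, rule.dst, rule.dst_wildcard)):
            return rule.action == "permit"
    return False


def select_crypto_map(group: List[CryptoMap], acls: Dict[int, List[AclRule]],
                      pkt: Packet) -> Optional[CryptoMap]:
    """Walk the group in ascending sequence order; the first crypto map whose
    ACL permits the packet is the one that processes it."""
    for cmap in sorted(group, key=lambda m: m.seq):
        if acl_permits(acls.get(cmap.acl, []), pkt):
            return cmap
    return None


def outbound_disposition(group: List[CryptoMap], acls: Dict[int, List[AclRule]],
                         pkt: Packet, drop_unprotected: bool = False) -> str:
    """Fate of an outbound packet on the interface where `group` is applied."""
    cmap = select_crypto_map(group, acls, pkt)
    if cmap is not None:
        return f"protected by {cmap.name} {cmap.seq}"
    # No crypto map matched: the manual says the packet leaves unprotected
    # unless a firewall rule drops it; drop_unprotected models that rule.
    return "dropped by firewall" if drop_unprotected else "sent in cleartext"


# Constructed configuration mirroring the manual's "match address" example.
ACLS = {
    101: [
        AclRule("permit", "tcp", "10.1.1.1", "0.0.0.255", "10.1.1.2", "0.0.0.255"),
        AclRule("deny", "ip", "any", "255.255.255.255", "any", "255.255.255.255"),
    ],
}
GROUP = [CryptoMap("beijing", 100, 101)]

if __name__ == "__main__":
    for pkt in (Packet("tcp", "10.1.1.5", "10.1.1.9"),
                Packet("udp", "10.1.1.5", "10.1.1.9"),
                Packet("tcp", "10.1.2.5", "10.1.1.9")):
        print(pkt, "->", outbound_disposition(GROUP, ACLS, pkt),
              "/", outbound_disposition(GROUP, ACLS, pkt, drop_unprotected=True))
```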

4.11 mode
To set the encapsulation modes by which IPSec encrypts and authenticates IP packets, use the mode command. To return to the default, use the no form of this command.
mode { transport | tunnel }
no mode

Syntax Description
transport Sets transport mode.
tunnel Sets tunnel mode.

Default
Tunnel.

Command Mode
IPSec transform configuration mode

Usage Guideline
There are two encapsulation modes in which IPSec encrypts and authenticates IP packets: transport mode and tunnel mode. In transport mode, IPSec protects the data part of the IP packet but not the IP header; in tunnel mode, IPSec protects the whole IP packet and adds a new IP header in front of it. The source and destination addresses of the new IP header are the IP addresses of the two ends of the tunnel.

Generally, tunnel mode is used between two security gateways (routers). A packet encrypted by one security gateway can only be decrypted by the other security gateway, so the IP packet must be encrypted in tunnel mode, that is, with a new IP header added; the packet encapsulated in tunnel mode is sent to the other security gateway and decrypted there.

Transport mode is suitable for communication between two hosts, or between a host and a security gateway (such as network management traffic between the gateway workstation and a router). In transport mode, the two devices responsible for encrypting and decrypting packets must be the original sender and receiver of the packet. Most of the data traffic between two security gateways does not originate from the security gateways themselves, so transport mode is not used between security gateways.

The transform sets used by the crypto maps at both ends of the security tunnel must specify the same packet encapsulation mode.


Example
! The following example sets the transform set whose name is trans as having the transport mode.
Quidway(config)#crypto ipsec transform trans
Quidway(config-crypto-transform-trans)#mode transport

Related Command
ah-new hash, crypto ipsec transform, esp-new encrypt, esp-new hash, set transform, transform

4.12 set local-address


To set the local address of a security tunnel, use the set local-address command. To return to the default, so as to delete the local address set in the crypto map, use the no form of this command.
set local-address ip-address
no set local-address

Syntax Description
ip-address Local address.

Default
No IP address at the local end of the security tunnel.

Command Mode
Crypto map configuration mode

Usage Guideline
It is not necessary to set a local address for a crypto map in isakmp mode, so this command is invalid in that case; IKE obtains the local address automatically from the interface where the crypto map is applied. For a crypto map in manual mode, the local address must be set before the SA can be created. A security tunnel is set up between the local end and the peer, so both the local address and the peer address must be correctly configured before the tunnel can be set up.

Example
! The following example sets the local address for the crypto map, which is applied at serial0 whose IP address is 10.0.0.1.
Quidway(config)#crypto map guangzhou 100 manual
Quidway(config-crypto-map-guangzhou-100)#set local-address 10.0.0.1
Quidway(config-crypto-map-guangzhou-100)#exit
Quidway(config)#interface serial 0
Quidway(config-if-Serial0)#crypto map guangzhou

Related Command
crypto map (global mode), crypto map (interface mode), match address, set peer, set sa lifetime, set session-key, set transform

4.13 set peer


To set the peer address of a security tunnel, use the set peer command. To return to the default, so as to delete the peer address in the crypto map, use the no form of this command.
set peer ip-address
no set peer

Syntax Description
ip-address Peer address.

Default
No set peer.

Command Mode
Crypto map configuration mode

Usage Guideline
For a crypto map in isakmp mode, 1 to 10 peer addresses can be set. As the initiator of a negotiation, IKE initiates negotiation with the first peer address only; as the responder, IKE accepts IKE negotiation initiated by any of the configured peer addresses. For a crypto map in manual mode, only one peer address can be set; if a peer address is already set, it must be deleted before a new one can be set. The peer address must be set correctly at both ends of the security tunnel.

Example
! The following example sets the peer address of the crypto map to 10.1.1.2.
Quidway(config)#crypto map shanghai 200 manual
Quidway(config-crypto-map-shanghai-200)#set peer 10.1.1.2

Related Command
crypto map (global mode), crypto map (interface mode), match address, set local-address, set sa lifetime, set session-key, set transform

4.14 set sa lifetime


To set an individual SA lifetime of the crypto map, use the set sa lifetime command. To restore the use of the global SA lifetime, use the no form of this command.
set sa lifetime { seconds seconds | kilobytes kilobytes }
no set sa lifetime { seconds | kilobytes }

Syntax Description
seconds Lifetime in seconds. Ranging 30 to 4294967295 seconds.
kilobytes Lifetime in kilobytes. Ranging 256 to 4194303 kilobytes.

Command Mode
Crypto map configuration mode

Usage Guideline
This command is used to set the individual SA lifetime for the crypto map. If no individual lifetime is set, the global SA lifetime is adopted (see the 4.4 crypto ipsec sa lifetime command). The lifetime is only valid for an SA set up in isakmp mode; an SA set up in manual mode has no lifetime limit, that is, a manually set up SA is never invalidated.

When IKE negotiates to set up an SA for IPSec, the lesser of the lifetime set locally and that proposed by the peer is selected. There are two types of lifetime: time-based and traffic-based. Whichever expires first invalidates the SA. Before the SA is about to become invalid, IKE sets up a new SA for IPSec, so a new SA is ready before the existing one becomes invalid.

Modifying the global lifetime does not affect an SA whose crypto map has set its own lifetime; the modified global lifetime is used for SAs set up in future IKE negotiations.

The secret key in the SA is invalidated together with the SA. A short lifetime makes it harder for an attacker to recover the key, because less data is encrypted under the same key; but a short lifetime uses more CPU resources to set up new SAs.

Example
! The following example sets the SA lifetime for the crypto map to 2 hours, that is, 7200 seconds.
Quidway(config)#crypto map shenzhen 100 isakmp
Quidway(config-crypto-map-shenzhen-100)#set sa lifetime seconds 7200
! The following example sets the SA lifetime for the crypto map to 20M bytes, that is, 20000 kilobytes.
Quidway(config)#crypto map shenzhen 100 isakmp
Quidway(config-crypto-map-shenzhen-100)#set sa lifetime kilobytes 20000

Related Command
crypto map (global mode), crypto map (interface mode), match address, set local-address, set peer, set session-key, set transform, crypto ipsec sa lifetime
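The lifetime rules stated under crypto ipsec sa lifetime (4.4) and set sa lifetime (4.14) can be checked with a small model. The following example is added here and is not the router's code: it applies the per-crypto-map override on top of the global default, takes the lesser of the local and peer values for each lifetime type as IKE does, and tracks an isakmp SA's remaining kilobytes/seconds (the order show crypto ipsec sa prints them in) so that whichever limit is reached first invalidates the SA. It assumes 1 kilobyte = 1000 bytes, matching the manual's examples (10000 kilobytes = 10M bytes); the timings are constructed.

```python
from dataclasses import dataclass
from typing import Optional, Tuple

SECONDS_RANGE = (30, 4294967295)   # range of the seconds lifetime
KILOBYTES_RANGE = (256, 4194303)   # range of the kilobytes lifetime
BYTES_PER_KILOBYTE = 1000          # assumption: the manual equates 10000 kilobytes with 10M bytes


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kilobytes: int


# Defaults documented for "crypto ipsec sa lifetime".
GLOBAL_DEFAULT = Lifetime(seconds=3600, kilobytes=1843200)


def validate(lifetime: Lifetime) -> None:
    """Reject values the CLI would not accept."""
    lo, hi = SECONDS_RANGE
    if not lo <= lifetime.seconds <= hi:
        raise ValueError(f"seconds {lifetime.seconds} outside {lo}..{hi}")
    lo, hi = KILOBYTES_RANGE
    if not lo <= lifetime.kilobytes <= hi:
        raise ValueError(f"kilobytes {lifetime.kilobytes} outside {lo}..{hi}")


def effective_lifetime(global_lt: Lifetime, seconds: Optional[int] = None,
                       kilobytes: Optional[int] = None) -> Lifetime:
    """Lifetime a crypto map proposes: 'set sa lifetime' overrides the global
    value per type; a type left unset falls back to the global lifetime."""
    lt = Lifetime(seconds if seconds is not None else global_lt.seconds,
                  kilobytes if kilobytes is not None else global_lt.kilobytes)
    validate(lt)
    return lt


def negotiate(local: Lifetime, peer: Lifetime) -> Lifetime:
    """IKE selects the lesser of the local and peer-proposed value for each type."""
    return Lifetime(min(local.seconds, peer.seconds),
                    min(local.kilobytes, peer.kilobytes))


@dataclass
class IkeSa:
    """An SA set up by IKE negotiation, with the counters driving both expiry types.
    A manually set up SA has no such counters and never expires on its own."""
    lifetime: Lifetime
    established_at: int     # epoch seconds
    bytes_seen: int = 0     # traffic protected under this SA's key

    def remaining(self, now: int) -> Tuple[int, int]:
        """(kilobytes, seconds) left, in the order `show crypto ipsec sa` prints them."""
        secs = max(0, self.lifetime.seconds - (now - self.established_at))
        kbs = max(0, self.lifetime.kilobytes - self.bytes_seen // BYTES_PER_KILOBYTE)
        return kbs, secs

    def expired(self, now: int) -> bool:
        """Whichever lifetime runs out first invalidates the SA and its key."""
        kbs, secs = self.remaining(now)
        return kbs == 0 or secs == 0


if __name__ == "__main__":
    local = effective_lifetime(GLOBAL_DEFAULT, seconds=7200, kilobytes=10000)
    peer = effective_lifetime(GLOBAL_DEFAULT)          # peer keeps its global default
    sa = IkeSa(negotiate(local, peer), established_at=1000)
    sa.bytes_seen = 4_000_000
    print(sa.lifetime, sa.remaining(now=1090), sa.expired(now=1090))
```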

4.15 set session-key


To set the SA parameter, use the set session-key command. To return to the default, so as to delete the SA parameter already set, use the no form of this command.
set session-key { inbound | outbound } { ah | esp } spi spi-number
set session-key { inbound | outbound } { ah | esp } string-key string-key
set session-key { inbound | outbound } ah hex-key-string hex-key
set session-key { inbound | outbound } esp authen-hex hex-key
set session-key { inbound | outbound } esp cipher-hex hex-key
no set session-key { inbound | outbound } { ah | esp } spi
no set session-key { inbound | outbound } { ah | esp } string-key
no set session-key { inbound | outbound } ah hex-key-string
no set session-key { inbound | outbound } esp authen-hex
no set session-key { inbound | outbound } esp cipher-hex

Syntax Description
inbound Sets the inbound SA parameter. IPSec uses the inbound SA to process packets in the inbound direction. (SA parameters must be set in both the inbound and outbound directions.)
outbound Sets the outbound SA parameter. IPSec uses the outbound SA to process packets in the outbound direction. (SA parameters must be set in both the inbound and outbound directions.)
ah Sets the parameter of an SA using AH. If the IPSec transform set used by the crypto map specifies AH, the ah keyword is used to set the SA parameter.
esp Sets the parameter of an SA using ESP. If the IPSec transform set used by the crypto map specifies ESP, the esp keyword is used to set the SA parameter.
spi-number SPI (Security Parameter Index) in the SA triplet, ranging 256 to 4294967295. The SA triplet <SPI, destination address, protocol number> must be unique; the SPI identifies an SA uniquely. The same SPI can be used for the SAs of the two directions and of the two protocols, but SAs with the same destination address and protocol number must use different SPIs.
hex-key Secret key for the SA, entered in hex format. If MD5 is used, enter a 16-byte key; if SHA1 is used, a 20-byte key; if the hardware encryption algorithm is used, a 16-byte key. For ESP, the authen-hex keyword sets the authentication key for the authentication algorithm, and the cipher-hex keyword sets the encryption key for the encryption algorithm.
string-key Secret key for the SA, entered as a character string composed of a-z and 0-9 (case insensitive), 1-150 characters long. For any algorithm you can enter a string of any length in that range, and the system automatically derives keys meeting the algorithm's requirements from the string. For ESP, the system derives the key for the authentication algorithm and the key for the encryption algorithm from the same string.

Command Mode
Crypto map configuration mode

Usage Guideline
This command is used for a crypto map in manual mode: it sets the SA parameters manually and thereby creates an SA manually. For a crypto map in isakmp mode, there is no need to set SA parameters manually and this command is invalid; IKE negotiates the SA parameters and creates the SA automatically.

The SA parameters set at both ends of the security tunnel must match fully. The SPI and secret key of the inbound SA at the local end must equal those of the outbound SA at the peer, and the SPI and secret key of the outbound SA at the local end must equal those of the inbound SA at the peer.

There are two ways to enter the secret key: in hex, or as a character string. A key entered as a character string has higher preference: if a key is entered by both methods, the character-string key is adopted. Both ends of a security tunnel must enter the key by the same method; if one end uses a character string and the other uses hex, the security tunnel cannot be set up correctly. To change the secret key, the original key must be deleted before a new one can be set.

Example
! The following example sets the SPI of the inbound SA to 10000, and the secret key to 0x11223344556677889900112233445566; sets the SPI of the outbound SA to 20000, and its secret key to 0x99887766554433221100998877665544 in the crypto map using AH and MD5.
Quidway(config)#crypto ipsec transform trans_ah
Quidway(config-crypto-transform-trans_ah)#transform ah-new
Quidway(config-crypto-transform-trans_ah)#ah-new hash md5-hmac-96
Quidway(config-crypto-transform-trans_ah)#exit
Quidway(config)#crypto map tianjin 100 manual
Quidway(config-crypto-map-tianjin-100)#set transform trans_ah
Quidway(config-crypto-map-tianjin-100)#set session-key inbound ah spi 10000
Quidway(config-crypto-map-tianjin-100)#set session-key inbound ah hex-key-string 11223344556677889900112233445566
Quidway(config-crypto-map-tianjin-100)#set session-key outbound ah spi 20000
Quidway(config-crypto-map-tianjin-100)#set session-key outbound ah hex-key-string 99887766554433221100998877665544

Related Command
crypto map (global mode), crypto map (interface mode), match address, set local-address, set peer, set sa lifetime, set transform
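A manual SA fails silently at the far end when the two routers' set session-key parameters disagree, so the matching rules above are worth checking before the configuration is committed. The following example is added here and is not the router's code: it models one manual-mode crypto map per end and checks SPI range, hex key length per algorithm, string-key precedence and format, that each end's inbound SA equals the other end's outbound SA (same SPI, same key, same entry method), and that <SPI, destination address, protocol> triplets are unique on a device. Addresses and the peer's configuration are constructed; the local keys are the ones from the manual's tianjin example.

```python
import re
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

SPI_RANGE = (256, 4294967295)
HEX_KEY_BYTES = {"md5-hmac-96": 16, "sha1-hmac-96": 20}  # hex-key sizes given for set session-key
STRING_KEY_RE = re.compile(r"[A-Za-z0-9]{1,150}")         # string-key: a-z, 0-9, 1-150 characters


@dataclass(frozen=True)
class SaKey:
    """One direction of a manual SA, as entered with set session-key."""
    spi: int
    hex_key: Optional[str] = None     # ah hex-key-string / esp authen-hex
    string_key: Optional[str] = None  # string-key; takes precedence if both are entered

    def method(self) -> Optional[str]:
        if self.string_key is not None:
            return "string"
        return "hex" if self.hex_key is not None else None

    def material(self) -> Optional[str]:
        if self.string_key is not None:
            return self.string_key.lower()          # case insensitive per the manual
        return self.hex_key.lower() if self.hex_key is not None else None


@dataclass(frozen=True)
class ManualEnd:
    """A manual-mode crypto map on one router."""
    address: str      # set local-address
    peer: str         # set peer
    protocol: str     # "ah" or "esp", from the transform set
    algorithm: str    # "md5-hmac-96" or "sha1-hmac-96"
    inbound: SaKey
    outbound: SaKey


def check_end(end: ManualEnd) -> List[str]:
    """Per-router checks: SPI range and key format for each direction."""
    errors = []
    for direction, sa in (("inbound", end.inbound), ("outbound", end.outbound)):
        if not SPI_RANGE[0] <= sa.spi <= SPI_RANGE[1]:
            errors.append(f"{direction}: spi {sa.spi} outside {SPI_RANGE[0]}..{SPI_RANGE[1]}")
        if sa.method() is None:
            errors.append(f"{direction}: no key configured")
        elif sa.method() == "string":
            if not STRING_KEY_RE.fullmatch(sa.string_key):
                errors.append(f"{direction}: string-key must be 1-150 characters of a-z/0-9")
        else:
            try:
                got = len(bytes.fromhex(sa.hex_key))
            except ValueError:
                errors.append(f"{direction}: hex key is not valid hex")
                continue
            want = HEX_KEY_BYTES.get(end.algorithm)
            if want is not None and got != want:
                errors.append(f"{direction}: {end.algorithm} needs a {want}-byte key, got {got}")
    return errors


def check_tunnel(local: ManualEnd, peer: ManualEnd) -> List[str]:
    """Cross-check both ends: what is inbound here must be outbound there,
    with the same SPI and the same key entered by the same method."""
    errors = [f"local {e}" for e in check_end(local)] + [f"peer {e}" for e in check_end(peer)]
    if local.peer != peer.address or peer.peer != local.address:
        errors.append("set peer / set local-address do not point at each other")
    if (local.protocol, local.algorithm) != (peer.protocol, peer.algorithm):
        errors.append("transform sets differ in protocol or algorithm")
    pairs = (("local inbound vs peer outbound", local.inbound, peer.outbound),
             ("local outbound vs peer inbound", local.outbound, peer.inbound))
    for label, a, b in pairs:
        if a.spi != b.spi:
            errors.append(f"{label}: SPI {a.spi} != {b.spi}")
        if a.method() != b.method():
            errors.append(f"{label}: key entered by different methods ({a.method()} vs {b.method()})")
        elif a.material() != b.material():
            errors.append(f"{label}: key material differs")
    return errors


def triplet_conflicts(ends: List[ManualEnd]) -> List[Tuple[int, str, str]]:
    """<SPI, destination address, protocol> must be unique among a device's SAs:
    inbound SAs have the local address as destination, outbound SAs the peer."""
    seen: Set[Tuple[int, str, str]] = set()
    dups = []
    for end in ends:
        for sa, dest in ((end.inbound, end.address), (end.outbound, end.peer)):
            triplet = (sa.spi, dest, end.protocol)
            if triplet in seen:
                dups.append(triplet)
            seen.add(triplet)
    return dups


# Constructed pair mirroring the manual's tianjin example (AH, MD5, hex keys).
LOCAL = ManualEnd("10.0.0.1", "10.0.0.2", "ah", "md5-hmac-96",
                  inbound=SaKey(10000, hex_key="11223344556677889900112233445566"),
                  outbound=SaKey(20000, hex_key="99887766554433221100998877665544"))
PEER = ManualEnd("10.0.0.2", "10.0.0.1", "ah", "md5-hmac-96",
                 inbound=SaKey(20000, hex_key="99887766554433221100998877665544"),
                 outbound=SaKey(10000, hex_key="11223344556677889900112233445566"))

if __name__ == "__main__":
    print(check_tunnel(LOCAL, PEER) or "tunnel parameters match")
```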

4.16 set transform


To set the transform set used by the crypto map, use the set transform command. To delete the transform set used by the crypto map, use the no form of this command.
set transform transform-name1 [transform-name2...transform-name6]
no set transform

Syntax Description
transform-name Name of a transform set.

Command Mode
Crypto map configuration mode

Usage Guideline
An SA set up in manual mode can use only one transform set; if a transform set is already set, it must be deleted before a new one can be set. An SA set up in isakmp mode can use up to six transform sets; IKE negotiation searches for a transform set that matches completely at both ends of the security tunnel, and if none is found the SA cannot be set up and the packets that need protection are dropped. A crypto map defines the protocol, algorithm and encapsulation mode it adopts through the transform set, so the transform set must already exist before it is used. The transform sets at both ends of the security tunnel must specify the same protocol, algorithm and encapsulation mode.

Example
! The following example sets a transform set whose name is trans1, adopting ESP and the default algorithm, and sets a crypto map as using the transform set trans1.
Quidway(config)#crypto ipsec transform trans1
Quidway(config-crypto-transform-trans1)#transform esp-new
Quidway(config)#crypto map xian 100 manual
Quidway(config-crypto-map-xian-100)#set transform trans1

4.17 transform
To set the security protocol used by a transform set, use the transform command. To return to the default, use the no form of this command.
transform { ah-new | ah-esp-new | esp-new }
no transform

Syntax Description
ah-new Uses the AH protocol specified in RFC2402.
ah-esp-new Applies ESP and then AH to packets.
esp-new Uses the ESP protocol specified in RFC2406.

Default
esp-new, that is, the ESP protocol specified in RFC2406.

Command Mode
Crypto transform configuration mode

Usage Guideline
The transform sets used by the crypto map set at both ends of the security tunnel must be set as having the same security protocol.

Example
! The following example sets a transform set using AH.
Quidway(config)#crypto ipsec transform trans1
Quidway(config-crypto-transform-trans1)#transform ah-new

Related Command
crypto ipsec transform, crypto map (global mode), crypto map (interface mode), match address, set local-address, set peer, set session-key

4.18 show crypto ipsec sa


To show the relevant information about the SA, use the show crypto ipsec sa command.
show crypto ipsec sa { all | brief | peer ip-address | map map-name | entry dest-address protocol spi }

Syntax Description
all Shows information about all the SAs.
brief Shows brief information about all the SAs.
peer Shows information about the SAs with the given peer address.
ip-address Specifies the peer address, in the IP address format A.B.C.D.
map Shows information about the SAs in the crypto map group whose name is map-name.
entry Shows information about the SA uniquely identified by destination address, protocol and SPI.
dest-address Specifies the destination address, in the IP address format A.B.C.D.
protocol Specifies the protocol by entering the ah or esp keyword (case insensitive).
spi Specifies the security parameter index (SPI).

Command Mode
Privileged user mode

Usage Guideline
The brief keyword shows brief information about all the SAs in the brief format (see the following example), and can be used to quickly list all the SAs already set up. Brief information includes source address, destination address, SPI, protocol and algorithm; in the algorithm column, an entry beginning with E is the encryption algorithm and an entry beginning with A is the authentication algorithm. The other four keywords (all, peer, map and entry) show detailed information about the SA: part of the crypto map information is shown first, followed by the detailed information of the SAs in that crypto map (see the following example).

Example
! The following example shows the brief information about all the SAs.
Quidway#show crypto ipsec sa brief
Src Address   Dst Address   SPI   Protocol   Algorithm
10.1.1.1      10.1.1.2      300   NEW_ESP    E:Hardware; A:HMAC-MD5-96
10.1.1.2      10.1.1.1      400   NEW_ESP    E:Hardware; A:HMAC-MD5-96

Quidway#show crypto ipsec sa all
interface: Ethernet 0
  crypto map name: map1
  crypto map sequence: 100
  negotiation mode: isakmp
  in use settings = {tunnel}
  local address: 10.1.1.1
  peer address: 10.1.1.2


  inbound esp SAs:
    spi: 400 (0x190)
    transform: ESP-HARDWARE ESP-AUTH-MD5
    key id: 1
    sa timing: remaining key lifetime (kilobytes/seconds): 432018/90
    max received sequence-number: 358
  outbound esp SAs:
    spi: 300 (0x12c)
    transform: ESP-HARDWARE ESP-AUTH-MD5
    key id: 2
    sa timing: remaining key lifetime (kilobytes/seconds): 430257/90
    max sent sequence-number: 2341

Related Command
clear crypto sa

4.19 show crypto ipsec sa lifetime


To show the global SA lifetime, use the show crypto ipsec sa lifetime command.
show crypto ipsec sa lifetime

Command Mode
Privileged user mode

Usage Guideline
This command is used to show the global SA lifetime, including the time-based and traffic-based types.

Example
Quidway#show crypto ipsec sa lifetime
crypto ipsec sa lifetime: 1843200 kilobytes
crypto ipsec sa lifetime: 3600 seconds

Related Command
crypto ipsec sa lifetime, show crypto ipsec sa, show crypto map

4.20 show crypto ipsec statistics


To show the IPSec packet statistics, use the show crypto ipsec statistics command.
show crypto ipsec statistics

Command Mode
Privileged user mode


Usage Guideline
Shows the IPSec packet statistics, including the counts of input and output security packets and bytes, the number of dropped packets, and a breakdown of the drop reasons.

Example
! The following example shows IPSec packet statistics.
Quidway#show crypto ipsec statistics
the security packet statistics:
  input/output security packets: 5124/8231
  input/output security bytes: 52348/64356
  input/output dropped security packets: 0/0
  dropped security packet detail:
    no enough memory: 0
    can't find SA: 0
    queue is full: 0
    authen failed: 0
    invalid length: 0
    replay packet: 0
    too long packet: 0
    invalid SA: 0

Related Command
clear crypto ipsec statistics
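The drop-reason counters are the first place an operator sees a peer key mismatch, replayed packets or an SA lookup problem, so they are worth collecting and diffing between polls. The following example is added here and is not the router's code: it parses the show crypto ipsec statistics output format shown above into counters, computes the difference between two snapshots (allowing for a clear crypto ipsec statistics in between), and flags non-zero drop reasons. The grouping of reasons into "integrity" and "capacity" is this example's assumption, and the sample output is constructed with two non-zero counters.

```python
import re
from typing import Dict, List, Tuple

# Drop reasons from the "dropped security packet detail" block, grouped by what
# they signal. The grouping is this example's assumption, not the manual's.
INTEGRITY_REASONS = ("authen failed", "replay packet", "invalid SA", "can't find SA", "invalid length")
CAPACITY_REASONS = ("no enough memory", "queue is full", "too long packet")

PAIR_RE = re.compile(r"^input/output (.+?): (\d+)/(\d+)$")   # "input/output X: a/b"
SINGLE_RE = re.compile(r"^(.+?): (\d+)$")                      # "reason: n"


def parse_statistics(text: str) -> Dict[str, int]:
    """Turn `show crypto ipsec statistics` output into a flat counter dict."""
    stats: Dict[str, int] = {}
    for raw in text.splitlines():
        line = raw.strip()
        m = PAIR_RE.match(line)
        if m:
            stats["input " + m.group(1)] = int(m.group(2))
            stats["output " + m.group(1)] = int(m.group(3))
            continue
        m = SINGLE_RE.match(line)
        if m:
            stats[m.group(1)] = int(m.group(2))
    return stats


def delta(previous: Dict[str, int], current: Dict[str, int]) -> Dict[str, int]:
    """Counters are cumulative until `clear crypto ipsec statistics`; a counter
    lower than last time means they were cleared, so it is taken as-is."""
    out = {}
    for key, cur in current.items():
        prev = previous.get(key, 0)
        out[key] = cur if cur < prev else cur - prev
    return out


def drop_alerts(stats: Dict[str, int]) -> List[Tuple[str, str, int]]:
    """Non-zero drop reasons as (category, reason, count); 'integrity' covers
    possible tampering, replay, or key/SA mismatch with the peer."""
    alerts = []
    for reason in INTEGRITY_REASONS:
        if stats.get(reason, 0):
            alerts.append(("integrity", reason, stats[reason]))
    for reason in CAPACITY_REASONS:
        if stats.get(reason, 0):
            alerts.append(("capacity", reason, stats[reason]))
    return alerts


# Constructed snapshot in the manual's output format; "authen failed" and
# "replay packet" are deliberately non-zero.
SAMPLE = """\
the security packet statistics:
  input/output security packets: 5124/8231
  input/output security bytes: 52348/64356
  input/output dropped security packets: 3/0
  dropped security packet detail:
    no enough memory: 0
    can't find SA: 0
    queue is full: 0
    authen failed: 2
    invalid length: 0
    replay packet: 1
    too long packet: 0
    invalid SA: 0
"""

if __name__ == "__main__":
    for category, reason, count in drop_alerts(parse_statistics(SAMPLE)):
        print(f"{category}: {reason} = {count}")
```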

4.21 show crypto ipsec transform


To show information about the transform set, use the show crypto ipsec transform command.
show crypto ipsec transform [transform-name]

Syntax Description
transform-name Name of the transform set.

Command Mode
Privileged user mode

Usage Guideline
This command shows the information about the transform set. If the name of the transform set is not specified, then information about all the transform sets will be shown.

Example
Quidway#show crypto ipsec transform
transform set name: ah_md5
  mode: tunnel
  transform: ah-new
  algorithm: md5-hmac-96
transform set name: esp_hard_sha
  mode: tunnel
  transform: esp-new
  algorithm: hash sha1-hmac-96, encrypt hardware-encrypt

Related Command
crypto ipsec transform, show crypto ipsec sa, show crypto map

4.22 show crypto map


To show information about the crypto map, use the show crypto map command.
show crypto map { all | brief | name map-name [seq-num] }

Syntax Description
all Showing information about all the crypto maps.
brief Showing brief information about all the crypto maps.
map-name Name of a crypto map.
seq-num Sequence number of a crypto map. If it is not specified, the information about all the crypto maps whose name is map-name is shown.

Command Mode
Privileged user mode

Usage Guideline
The brief keyword shows brief information about all the crypto maps in the brief format (see the following example) and can be used to list all the crypto maps quickly. Brief information includes the name and sequence number, negotiation mode, access control list number, transform set, local address and peer address. The other two keywords (all and name) show detailed information about the crypto maps in the detailed format (see the following example).

Example
! The following example shows brief information about all the crypto maps.
Quidway#show crypto map brief
crypto-map-name  mode    match  transform  local-address  peer-address
ap1-100          manual  111    trans1     10.1.1.1       10.1.1.2
test-300         isakmp  120    trans2     202.38.160.66

! The following example shows information about all the crypto maps.
Quidway#show crypto map all
crypto map name: map1
crypto map sequence: 100
negotiation mode: manual
match address: 111
peer address: 10.1.1.2
transform-set name: trans1
inbound ah setting:
  ah spi:
  ah string-key:
  ah hex-key-string:
inbound esp setting:
  esp spi: 400 (0x190)
  esp string-key: mydog5nameisclinton5
  esp cipher-hex:
  esp authen-hex:
outbound ah setting:
  ah spi:
  ah string-key:
  ah hex-key-string:
outbound esp setting:
  esp spi: 300 (0x12c)
  esp string-key: spring2k7327
  esp cipher-hex:
  esp authen-hex:
OutBound SA has been established.
InBound SA has been established.

Related Command
crypto map

4.23 debug ipsec


To enable the IPSec information debugging, use the debug ipsec command.
debug ipsec { misc | packet | sa }

Syntax Description
misc Enabling other information debugging of IPSec.
packet Enabling the packet debugging of IPSec.
sa Enabling the SA debugging of IPSec.

Command Mode
Privileged user mode


Chapter 5 IKE Configuration Commands


IKE configuration commands include:
  authentication
  clear crypto ike sa
  crypto ike key
  crypto ike policy
  encryption
  group
  hash
  lifetime
  show crypto ike policy
  show crypto ike sa
  debug ike

5.1 authentication
To specify the authentication method used by an IKE policy, use the authentication command. To return to the default, use the no form of this command.
authentication { pre-share }
no authentication

Syntax Description
pre-share Specifying the authentication method as the pre-shared key authentication method.

Default
pre-shared key authentication.

Command Mode
IKE policy configuration mode

Usage Guideline
This command is used to specify the authentication method used by an IKE policy. Huawei routers currently support the pre-shared key authentication method. When the pre-shared key authentication method is used, an authentication key must be set; see crypto ike key.


Example
! The following example specifies the authentication method for IKE policy 10 as pre-shared key.
Quidway(config)# crypto ike policy 10
Quidway(config-crypto-ike-policy-10)# authentication pre-share

Related Command
crypto ike key, crypto ike policy, show crypto ike policy

5.2 clear crypto ike sa


To delete the security tunnel set up by IKE, use the clear crypto ike sa command.
clear crypto ike sa connection-id

Syntax Description
connection-id Specifying the SA to be deleted.

Command Mode
Privileged user mode

Usage Guideline
This command is used to delete a security tunnel. If the phase 1 ISAKMP SA still exists when the local security tunnel is deleted, a Delete Message notification is sent to the peer under the protection of that SA, so that the peer also deletes the SA from its database.

Example
! Delete the security tunnel 1 set up by IKE.
Quidway# clear crypto ike sa 1

Related Command
show crypto ike sa

5.3 crypto ike key


To configure the authentication key for the pre-shared key authentication, use the crypto ike key command. To return to the default, that is, to delete the authentication key, use the no form of this command.
crypto ike key keystring address peer-address
no crypto ike key keystring address peer-address


Syntax Description
keystring Key string with a maximum length of 128 bytes. The authentication keys at both negotiation ends must be the same.
peer-address IP address of the negotiation peer.

Default
No crypto ike key.

Command Mode
Global configuration mode

Usage Guideline
This command is used to configure an authentication key, and it must be configured at both negotiation ends. If a crypto map uses the pre-shared key authentication method, an authentication key must be configured, otherwise this crypto map may not be used.

Example
! The following example sets the authentication key to abcde for the peer 202.38.0.1.
Quidway(config)# crypto ike key abcde address 202.38.0.1

Related Command
authentication

5.4 crypto ike policy


To create an IKE policy, use the crypto ike policy command. To return to the default, that is, to delete an IKE policy, use the no form of this command.
crypto ike policy priority
no crypto ike policy priority

Syntax Description
priority Uniquely identifies an IKE policy and gives it a priority; any integer ranging between 1 and 100. 1 stands for the highest priority, and 10000 the lowest.

Default
The default priority is 10.


Command Mode
Global configuration mode

Usage Guideline
The configured IKE policy is used to set up a security tunnel. After this command is executed, you enter the IKE policy configuration mode, where the parameters can be configured with the authentication, encryption, group, hash and lifetime commands; the exit command leaves the policy configuration mode. Multiple policies can be configured at each end of an IKE negotiation. Negotiation begins with the highest-priority policy, and a policy agreed on by both ends is used for the negotiation.

Example
! The following example defines IKE policy 10.
Quidway(config)# crypto ike policy 10

Related Command
authentication, encryption, group, hash, lifetime, show crypto isakmp policy

5.5 encryption
To specify the encryption algorithm for an IKE policy, use the encryption command. To return to the default, use the no form of this command.
encryption { des-cbc }
no encryption

Syntax Description
des-cbc Specifying the encryption algorithm as 56-bit DES-CBC.

Default
56-bit DES-CBC encryption algorithm.

Command Mode
IKE policy configuration mode

Usage Guideline
This command is used to specify the encryption algorithm for an IKE policy.


Example
! The following example specifies the encryption algorithm for IKE policy 10 as 56-bit DES-CBC.
Quidway(config)# crypto ike policy 10
Quidway(config-crypto-ike-policy-10)# encryption des

Related Command
crypto ike policy, show crypto ike policy

5.6 group
To specify the Diffie-Hellman group id for an IKE policy, use the group command. To return to the default, use the no form of this command.
group { 1 | 2 }
no group

Syntax Description
1 Specifying the 768-bit Diffie-Hellman group.
2 Specifying the 1024-bit Diffie-Hellman group.

Default
768-bit Diffie-Hellman group.

Command Mode
IKE policy configuration mode

Usage Guideline
This command is used to specify a Diffie-Hellman group id for an IKE policy.

Example
! The following example specifies Diffie-Hellman group 1 for IKE policy 10.
Quidway(config)# crypto ike policy 10
Quidway(config-crypto-ike-policy-10)# group 1

Related Command
crypto ike policy, show crypto ike policy


5.7 hash
To specify the hash algorithm for an IKE policy, use the hash command. To return to the default, use the no form of this command.
hash { md5 | sha }
no hash

Syntax Description
md5 Specifying the hash algorithm as MD5.
sha Specifying the hash algorithm as SHA-1.

Default
SHA-1

Command Mode
IKE policy configuration mode

Usage Guideline
This command is used to specify a hash algorithm for an IKE policy.

Example
! The following example sets the hash algorithm for IKE policy 10 to MD5.
Quidway(config)# crypto ike policy 10
Quidway(config-crypto-ike-policy-10)# hash md5

Related Command
crypto ike policy, show crypto ike policy

5.8 lifetime
To specify the ISAKMP SA lifetime for an IKE policy, use the lifetime command. To return to the default, use the no form of this command.
lifetime seconds
no lifetime

Syntax Description
seconds Specifying the ISAKMP SA lifetime. The range is 60 to 4294967295 seconds.


Default
86400 seconds (one day).

Command Mode
IKE policy configuration mode

Usage Guideline
This command sets the lifetime of the security tunnel. A long lifetime saves the time spent setting up IPSec SAs, while a short lifetime gives higher security. Before the lifetime of an SA expires, a new SA is negotiated to replace it, and the old SA is cleared automatically when its lifetime expires. Because IKE negotiation involves a DH calculation, it can take a long time on a low-end router. To keep the replacement of the ISAKMP SA from disrupting secure communication, it is recommended to set the lifetime to more than 10 minutes.

Example
! The following example specifies the ISAKMP SA lifetime for IKE policy 10 as 600 seconds (10 minutes).
Quidway(config)# crypto ike policy 10
Quidway(config-crypto-ike-policy-10)# lifetime 600

Related Command
crypto ike policy, show crypto ike policy

5.9 show crypto ike policy


To show the IKE policies, use the show crypto ike policy command.
show crypto ike policy

Usage Guideline
This command shows IKE policies in the sequence of the priority.

Command Mode
Privileged user mode

Example
! The following example shows the IKE policies.
Quidway# show crypto ike policy
Protection suite priority 15
  encryption algorithm: DES - CBC
  hash algorithm: MD5
  authentication method: Pre-Shared Key
  Diffie-Hellman Group: MODP1024
  Lifetime: 5000 seconds, no volume limit
Protection suite priority 20
  encryption algorithm: DES - CBC
  hash algorithm: SHA
  authentication method: Pre-Shared Key
  Diffie-Hellman Group: MODP768
  lifetime: 10000 seconds, no volume limit
Default protection suite
  encryption algorithm: DES - CBC
  hash algorithm: SHA
  authentication method: Pre-Shared Key
  Diffie-Hellman Group: MODP768
  Lifetime: 86400 seconds, no volume limit
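As an added example (not part of the manual or the router software), the following Python script parses output in the layout shown above and checks each protection suite against the guidance in this chapter: the lifetime command's recommendation of more than 10 minutes, and whether the 768-bit or the 1024-bit Diffie-Hellman group is in use; the sample output and its values are constructed, not captured from a router.

```python
import re

# Constructed sample in the layout of "show crypto ike policy" (not captured
# from a real router). Priority 15 has a lifetime below the 10-minute minimum
# that the lifetime command's Usage Guideline recommends.
SAMPLE_POLICY = """\
Protection suite priority 15
  encryption algorithm: DES - CBC
  hash algorithm: MD5
  authentication method:Pre-Shared Key
  Diffie-Hellman Group: MODP1024
  Lifetime: 300 seconds, no volume limit
Default protection suite
  encryption algorithm: DES - CBC
  hash algorithm: SHA
  authentication method:Pre-Shared Key
  Diffie-Hellman Group: MODP768
  Lifetime: 86400 seconds, no volume limit
"""

MIN_LIFETIME = 600  # seconds; the manual advises more than 10 minutes

HEADER_RE = re.compile(r"^(?:Protection suite priority (\d+)|Default protection suite)[ \t]*$", re.M)
FIELD_RE = re.compile(r"^[ \t]*([A-Za-z -]+?):[ \t]*(.+?)[ \t]*$", re.M)

def parse_ike_policies(text):
    """Return one dict per protection suite, in display (priority) order."""
    suites = []
    headers = list(HEADER_RE.finditer(text))
    for i, h in enumerate(headers):
        end = headers[i + 1].start() if i + 1 < len(headers) else len(text)
        suite = {"priority": int(h.group(1)) if h.group(1) else None}
        for f in FIELD_RE.finditer(text[h.end():end]):
            suite[f.group(1).strip().lower()] = f.group(2)
        m = re.match(r"(\d+) seconds", suite.get("lifetime", ""))
        suite["lifetime_seconds"] = int(m.group(1)) if m else None
        suites.append(suite)
    return suites

def audit_ike_policies(suites):
    """Findings as (priority, message); priority None is the default suite."""
    findings = []
    for s in suites:
        life = s["lifetime_seconds"]
        if life is not None and life < MIN_LIFETIME:
            findings.append((s["priority"], "lifetime %d s is below the recommended 600 s" % life))
        if s.get("diffie-hellman group") == "MODP768":
            findings.append((s["priority"], "uses 768-bit DH group 1; 1024-bit group 2 is available"))
    return findings
```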

Related Command
authentication, crypto ike policy, encryption, hash, group, lifetime

5.10 show crypto ike sa


To show the IKE SA parameters, use the show crypto ike sa command.
show crypto ike sa

Command Mode
Privileged user mode

Usage Guideline
The security tunnel and the SA are two different concepts. The former is a two-way tunnel, while an IPSec SA is a one-way connection, so a security tunnel is composed of one or several pairs of SAs.

Example
! The following example shows the IKE SA parameters.
Quidway# show crypto ike sa
conn-id  peer        flags  phase  doi
1        202.38.0.2  RD|ST  1      IPSEC
2        202.38.0.2  RD|ST  2      IPSEC

Flag meaning:
RD--Ready  ST--Stayalive  RT--Replaced  FD--Fading

Related Command
crypto ike policy

5.11 debug ike


To enable the IKE information debugging, use the debug ike command.
debug ike { all | crypto | error | message | misc | sysdep | timer | transport }

Syntax Description
all Enabling all the IKE debugging.
crypto Enabling information debugging related to encryption.
error Enabling error information debugging.
message Enabling information debugging related to messages.
misc Enabling other information debugging.
sysdep Enabling information debugging related to the system.
timer Enabling information debugging related to timers.
transport Enabling information debugging related to transport.

Command Mode
Privileged user mode.
