
Best Current Practice

Multiservice Security Gateway (MSG)

Revision History

Version   Author(s)        Description of Changes   Date
v1.0      James Tessier    Initial Draft            5/21/10

Status of this memo


Acme Packet Best Current Practices are working documents of the Professional Services department of
Acme Packet, Inc. Note that other groups may also distribute working documents as Best Current
Practices.

Best Current Practices are working documents valid until explicitly obsoleted, and may be updated,
replaced or obsoleted by other documents at any time. It is recommended to use Best Current Practices
as reference material as well as to cite them in other works in progress.

Copyright Notice
Copyright Acme Packet, Inc. (2010). All Rights Reserved.

Abstract
This document defines a series of configuration recommendations to be used when deploying a new Net-Net
Security Gateway (SG) high availability (HA) pair as a Multiservice Security Gateway (MSG). Where these
conflict with Customer requirements or desires, the Customer's preference SHOULD take precedence.
Best Current Practice Multiservice Security Gateway May 2010

Table of Contents
Table of Contents ......................................................................................................................... 2
1.0 Introduction ............................................................................................................................. 4
2.0 Intended Audience ................................................................................................................ 5
3.0 Background ............................................................................................................................ 5
4.0 Design Goals.......................................................................................................................... 5
4.1 SG Architecture.................................................................................................................. 5
5.0 Notes on the Reference Configurations............................................................................. 5
5.1 ike-config............................................................................................................................. 6
5.1.1 phase1-dh-mode & phase2-exchange-mode .............................................................................. 6
5.1.2 v2-rekey ....................................................................................................................................... 6
5.1.3 dpd-time-interval ......................................................................................................................... 6
5.1.4 Overload parameters ................................................................................................................... 6
5.1.5 red-port........................................................................................................................................ 6
5.1.6 sd-authentication-method........................................................................................................... 6
5.1.7 shared-password, eap-protocol & eap-bypass-identity .............................................................. 6
5.2 ike-interface ........................................................................................................................ 7
5.2.1 realm-id........................................................................................................................................ 7
5.2.2 local-address-pool-id-list.............................................................................................................. 7
5.2.3 dpd-params-name........................................................................................................................ 7
5.3 ike-sainfo............................................................................................................................. 7
5.3.1 security-protocol.......................................................................................................................... 7
5.3.2 auth-algo ...................................................................................................................................... 7
5.3.3 encryption-algo ............................................................................................................................ 7
5.3.4 ipsec-mode................................................................................................................................... 7
5.4 local-address-pool ............................................................................................................. 7
5.4.1 dns-realm-id................................................................................................................................. 8
5.4.2 data-flow ...................................................................................................................................... 8
5.5 data-flow.............................................................................................................................. 8
5.5.1 realm-id........................................................................................................................................ 8
5.5.2 group-size..................................................................................................................................... 8

520-0042-00 Acme Packet Proprietary & Confidential Page 2

5.5.3 upstream-rate & downstream-rate ............................................................................................. 8


5.6 dpd-params......................................................................................................................... 9
5.6.1 max-loop & load-max-loop .......................................................................................................... 9
5.6.2 max-endpoints & load-max-endpoints ........................................................................................ 9
5.6.3 max-cpu-limit ............................................................................................................................... 9
5.7 ike-certificate-profile .......................................................................................................... 9
5.7.1 identity ......................................................................................................................................... 9
5.7.2 end-entity-certificate ................................................................................................................... 9
5.7.3 trusted-ca-certificates.................................................................................................................. 9
5.8 ike-key-id........................................................................................................................... 10
5.9 security-policy................................................................................................................... 10
5.9.1 name ..........................................................................................................................................10
5.9.2 network-interface ......................................................................................................................10
5.9.3 priority........................................................................................................................................10
5.9.4 action .........................................................................................................................................10
5.9.5 ike-sa-info...................................................................................................................................10
5.9.6 local-ip-addr-match, local-ip-mask & local-port-match.............................................................10
5.9.7 remote-ip-addr-match, remote-ip-mask & remote-port-match ...............................................10
5.10 ipsec-global-config ........................................................................................................ 11
5.10.1 red-ipsec-port ..........................................................................................................................11
6.0 Normative References ........................................................................................................ 11
7.0 Authors Address ................................................................................................................. 12
8.0 Disclaimer ............................................................................................................................. 12
9.0 Full Copyright Statement.................................................................................................... 12
10.0 Appendix A: Data Pass-Through, Certificate Authentication Reference Configuration ................. 14

1.0 Introduction
The Net-Net SG provides for termination of IPsec tunnels from user endpoints (UE). This document
covers the data pass-through model. It provides a specific example using certificate based
authentication. Additionally, the Net-Net SG can be configured as an integrated MSG and Session
Border Controller (SBC). This will be covered in a subsequent version of this BCP.

Additionally, the Net-Net SG provides the following standards-compliant functionality:

- IPsec IKEv2 tunnel termination with support of the EAP-MSCHAPV2, EAP-MD5, EAP-SIM, and EAP-AKA
  authentication frameworks
- UDP encapsulation for NAT traversal
- AES and 3DES encryption support for IKE (versions 1 and 2) and data Security Associations (SAs)
- IPsec tunnel replication and resumption when operating in HA mode
- Interface to an AAA server (RADIUS) for user authentication, authorization and charging
- Support for IP address assignment via either locally configured address pools or a RADIUS server
- Tunnel management including IKEv2 SA re-keying
- Protection against tunnel-target DoS/DDoS attacks (IKE-SA-INIT flooding)
- IKEv2 cookie support

2.0 Intended Audience


This document is intended for use by Acme Packet Systems Engineers, third party Systems Integrators,
and end users of the MSG. It assumes that the reader is familiar with basic operations of the Acme
Packet ACLI, and it is STRONGLY RECOMMENDED that the reader has attended the following training
courses (or can satisfactorily demonstrate equivalent experience):

EDU-CAB-C-CLI: Net-Net 4000/3000 Configuration Basics

It also presumes that the reader is familiar with standard configuration models and archetypes (e.g., those
listed in the Normative References section of this document), and with the IKE and IPsec family of
protocols.

3.0 Background
The Net-Net Security Gateway (SG), Acme Packet's Multiservice Security Gateway (MSG), enables
multiple fixed-mobile convergence (FMC) solutions by securing the delivery of voice and data services
over untrusted Internet and WiFi access networks to femtocells and dual-mode endpoints. The Net-Net
SG configuration is supported on the Net-Net 4500. It leverages Acme Packet's Net-Net OS software
platform to offer industry-leading security gateway capabilities in terms of architectural flexibility, capacity,
performance, functionality, carrier-class availability and manageability.

4.0 Design Goals

The main goals of the configurations contained within are:

- High performance IKE & IPsec processing
- DoS/DDoS protection
- Service reach maximization
- Overload protection
- Carrier class high availability
- Tunnel management

4.1 SG Architecture

The Net-Net SG requires a Net-Net 4500 system with an IPSec physical interface card, Security Service
Module (SSM) card and licenses for IPSec tunnel capacity (up to 200,000 tunnels) and IKE. The IPSec
interface card contains two hardware chips that provide IPSec encryption/decryption. The two chips
correlate to the first two (M00, M01) and last two physical interfaces (M10, M11). Therefore, a major
design goal is to split the IPSec tunnels between the two chips. Each chip can support up to 100,000
tunnels.

5.0 Notes on the Reference Configurations


The configurations presented here have been entered, tested, and verified on an MSG HA pair running in
the lab at Acme Packet headquarters. The goal is not to demonstrate a full-featured configuration; rather,
each contains only the minimum number of configuration objects required to pass basic IP traffic. The
software version used for testing was MC1.0.0 P6.

IKE interfaces and Security Associations are defined on two access networks 172.16.105.2/24 and
172.16.106.2/24 which are split across network interfaces to most effectively scale the distribution of
hardware IPSec capabilities on the NIU.

Corresponding core networks are on 192.168.105.2/24 and 192.168.106.2/24 subnets.

5.1 ike-config
The ike-config element defines system-wide Internet Key Exchange (IKE) settings. Settings on the
ike-interface take precedence over these. This section describes the parameters whose recommended
values differ from the defaults.

5.1.1 phase1-dh-mode & phase2-exchange-mode

These select the Diffie-Hellman group used for the key exchange in each phase. They are only valid
when using IKEv1. The most secure option for these parameters is dh-group2, which uses Diffie-Hellman
Group 2 (1024-bit prime numbers for keying) for the key exchange.

5.1.2 v2-rekey
When v2-rekey is enabled, the SD will initiate a v2 rekey at the expiration of the v2-ike-life-secs and
v2-ipsec-life-secs timers.

5.1.3 dpd-time-interval
By default, dead peer detection (DPD) initiation is disabled. Setting this parameter to a value enables
DPD; the SG then initiates DPD towards each endpoint after each interval of inactivity. The recommended
value is 3600.

5.1.4 Overload parameters

It is recommended to configure the overload parameters to provide protection from, and recovery after,
tunnel origination storms. overload-threshold sets the CPU usage threshold above which new connections
are dropped at a rate of (currentLoad - overloadThreshold) / (100 - overloadThreshold). When
overload-critical-threshold is exceeded, all new connections are dropped.

        overload-threshold              80
        overload-interval               1
        overload-action                 drop-new-connection
        overload-critical-threshold     90
        overload-critical-interval      1

5.1.5 red-port
The redundancy port must be configured to support high availability. The recommended port is 1995.

5.1.6 sd-authentication-method
The sd-authentication-method must be set to certificates when using X.509 certificates for
authentication. The alternative is shared-password to use pre-shared keys for authentication.

5.1.7 shared-password, eap-protocol & eap-bypass-identity

These three parameters can be ignored in the reference scenario. shared-password is the password used
when a pre-shared key is the authentication method. The eap-protocol and eap-bypass-identity
parameters are used when the Extensible Authentication Protocol (EAP) is in use.

5.2 ike-interface
These configuration parameters take precedence over the ike-config parameters. If a parameter is left
blank, the ike-config value will be used.

5.2.1 realm-id
Defines the realm to be associated with this interface. Specifically it maps the ike-interface to the
network-interface defined in the realm.

5.2.2 local-address-pool-id-list
Defines the local-address-pools to be used for this interface. Local address pools are described in
Section 5.4.

5.2.3 dpd-params-name
Defines the dead peer detection (DPD) parameters object to be used for this interface. DPD
parameters are described in Section 5.6.

5.3 ike-sainfo
These configuration parameters define the IKE Security Association (SA) parameters.

5.3.1 security-protocol
Defines the IPSec security protocols supported by each SA. Esp-auth provides both encryption and
authentication services, so it is recommended.

5.3.2 auth-algo
Defines the authentication algorithms supported by each SA. SHA1 is more secure than MD5, so it is
recommended.

5.3.3 encryption-algo
Defines the encryption algorithms supported by each SA. AES is the most secure, so it is
recommended.

5.3.4 ipsec-mode
Defines whether the IPSec SA will support tunnel-mode or transport-mode. Tunnel-mode is
recommended because it encapsulates entire IP packets, while transport-mode encapsulates only the
IP packet payload.

5.4 local-address-pool
Local-address-pool objects must be defined when addresses will be managed locally by the SG. They
contain one or more address-ranges from which addresses may be allocated to endpoints upon request.
The maximum number of IP addresses in a local-address-pool is 100,000. An example of a pool with the
maximum 100,000 addresses follows:

local-address-pool
        name                            local-addr-pool-106
        address-range
                network-address         106.0.0.0
                subnet-mask             255.255.0.0
        address-range
                network-address         106.1.0.0
                subnet-mask             255.255.128.0
        address-range
                network-address         106.2.0.0
                subnet-mask             255.255.252.0
        address-range
                network-address         106.3.0.0
                subnet-mask             255.255.254.0
        address-range
                network-address         106.4.0.0
                subnet-mask             255.255.255.128
        address-range
                network-address         106.5.0.0
                subnet-mask             255.255.255.224
        address-range
                network-address         106.6.0.0
                subnet-mask             255.255.255.248
        address-range
                network-address         106.7.0.0
                subnet-mask             255.255.255.248
        dns-realm-id                    core-106
        data-flow                       data-flow-106
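A pool-size check, added here and not part of the BCP, that parses the address-ranges above and compares
their total with the 100,000 ceiling; it assumes that network-address and subnet-mask together describe a
CIDR block. Counting every address in the eight ranges above gives 100,016, so a check like this is worth
running before a pool is committed.

```python
"""Size check for a local-address-pool (added example, not Acme Packet code).

Parses the network-address / subnet-mask pairs of an ACLI local-address-pool
fragment, treats each address-range as a CIDR block (an assumption; the BCP
shows the two fields without defining them further), totals the addresses and
flags overlapping ranges and any excess over the 100,000-address ceiling.
"""
import ipaddress
import re

POOL_MAX = 100_000  # per-pool ceiling stated in section 5.4 of the BCP

# The page's own local-addr-pool-106 fragment, embedded so the check runs offline.
POOL_106 = """
local-address-pool
        name                    local-addr-pool-106
        address-range
                network-address 106.0.0.0
                subnet-mask     255.255.0.0
        address-range
                network-address 106.1.0.0
                subnet-mask     255.255.128.0
        address-range
                network-address 106.2.0.0
                subnet-mask     255.255.252.0
        address-range
                network-address 106.3.0.0
                subnet-mask     255.255.254.0
        address-range
                network-address 106.4.0.0
                subnet-mask     255.255.255.128
        address-range
                network-address 106.5.0.0
                subnet-mask     255.255.255.224
        address-range
                network-address 106.6.0.0
                subnet-mask     255.255.255.248
        address-range
                network-address 106.7.0.0
                subnet-mask     255.255.255.248
        dns-realm-id            core-106
        data-flow               data-flow-106
"""

# One address-range: a network-address line followed by its subnet-mask line.
RANGE_RE = re.compile(r"network-address\s+(\S+)\s+subnet-mask\s+(\S+)")


def parse_ranges(acli_text):
    """Return each address-range as an IPv4Network.

    strict=True (the default) raises ValueError if a network-address has host
    bits set under its mask, so a misaligned range is reported, not rounded.
    """
    return [ipaddress.IPv4Network(f"{addr}/{mask}")
            for addr, mask in RANGE_RE.findall(acli_text)]


def overlapping_ranges(nets):
    """Pairs of ranges that share addresses; such a pool could hand the same
    address to two endpoints."""
    return [(a, b) for i, a in enumerate(nets)
            for b in nets[i + 1:] if a.overlaps(b)]


def check_pool(acli_text, ceiling=POOL_MAX):
    """Summarise the pool: range count, address total, excess over the ceiling
    and any overlapping ranges."""
    nets = parse_ranges(acli_text)
    total = sum(n.num_addresses for n in nets)
    return {
        "ranges": len(nets),
        "total": total,
        "over_by": max(0, total - ceiling),
        "overlaps": overlapping_ranges(nets),
    }


if __name__ == "__main__":
    for key, value in check_pool(POOL_106).items():
        print(f"{key:>9}: {value}")
```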

5.4.1 dns-realm-id
Defines the realm where DNS lookups will be done.

5.4.2 data-flow
Defines the data-flow object, as described in Section 5.5, to be associated with this address pool.

5.5 data-flow
The data-flow configuration object defines the size of individual data-flow groups and their bandwidth
constraints. This will prevent any one group of endpoints from becoming a resource hog and denying
service to others.

5.5.1 realm-id
This defines the realm, and specifically that realm's network-interface, to be used by the data-flow
towards the next-hop gateway(s) in the core network.

5.5.2 group-size
This defines the number of UEs assigned to each data-flow. A smaller value gives finer-grained control
over individual endpoints' bandwidth limitations; a higher value creates less overhead on the SG. For
maximum performance, the recommended value is 256.

5.5.3 upstream-rate & downstream-rate

These parameters define the maximum bandwidth, in KB/s, that a data-flow may carry before excess
packets are dropped. The maximum throughput of a GigE interface is about 125,000 KB/s. So in an
example with 100,000 endpoints and a group-size of 256, there would be a maximum of 391 data-flow
groups. Dividing the bandwidth evenly would leave each data-flow with about 320 KB/s. You may not want
to limit each data-flow to this rate, however, as it is only an average. Upstream and downstream rates
should be calculated with regard to the traffic model and usage of the network.

5.6 dpd-params
The dpd-params configuration object provides control over DPD events, protection from DPD storms,
and de-prioritization of DPD relative to other functions such as tunnel initiation.

5.6.1 max-loop & load-max-loop

These parameters define the maximum number of endpoints examined for needing DPD during each
dpd-time-interval (as defined in the ike-config). The max-loop value is used under normal conditions
and the load-max-loop value when the max-cpu-limit threshold is exceeded.

DPD processing consumes CPU cycles. To engineer max-loop and load-max-loop values whose CPU
overhead is not detrimental to the overall processing of the system, it is recommended that
customer-specific testing take place based on subscriber load.

5.6.2 max-endpoints & load-max-endpoints

These parameters define the maximum number of endpoints sent DPD signaling during each
dpd-time-interval (as defined in the ike-config). DPD signaling is sent to an endpoint only once it has
been determined to need DPD (see max-loop above). The max-endpoints value is used under normal
conditions and the load-max-endpoints value when the max-cpu-limit threshold is exceeded.

5.6.3 max-cpu-limit
This defines the CPU usage threshold up to which the SG uses the max-loop and max-endpoints values
for DPD processing. When this value is exceeded, the load-max-loop and load-max-endpoints values are
used instead. The recommended value for max-cpu-limit is 80%.

5.7 ike-certificate-profile
The ike-certificate-profile configuration object is used to specify the certificates allowed on an
ike-interface.

5.7.1 identity
The IP address or fully-qualified domain name (FQDN) that uniquely identifies the ike-certificate-profiles
that may be requested by a peer. This identity is sent as the requested ID (IDr field) in the IKE
messaging and must match exactly for the SG to provide the correct certificate.

5.7.2 end-entity-certificate
References the certificate-record configuration element of the X.509 certificate offered by a local IKEv2
entity in support of its asserted identity.

5.7.3 trusted-ca-certificates
References the certificate-record configuration element(s) of the certification authorities (CA) used to
authenticate remote endpoints.

5.8 ike-key-id
The ike-keyid configuration object is used to specify a pre-shared key when pre-shared keys are the
authentication method.

5.9 security-policy
The security-policy configuration object is used to match traffic flows to specific security policies.
Separate security-policies are needed for IKE negotiation, IKE negotiation from a NATted endpoint and
IPSec data flows. Additionally, the ike-sainfo parameters are specified for IPSec traffic. Also, note that
the outbound-sa-fine-grained-mask parameters are not used for IKE or IPSec traffic. In the example, each
network-interface has four security-policies. Each matches a different set of criteria to allow, discard or
perform IPSec encryption on traffic. Allow policies are set up to allow IKE and NATted IKE traffic from
valid hosts. An IPSec policy is set up to allow data pass-through once an SA is established. Finally, a
discard policy is set up to prevent any other data from reaching the host processor. Information on
specific parameters and an example follow.

5.9.1 name
Any unique name to identify this security policy. It will not be referenced elsewhere.

5.9.2 network-interface
References the network-interface that will be used to match this security policy.

5.9.3 priority
The priority (order) in which each security-policy is checked for a match. Each priority must be unique.
A lower number means a higher priority, so 0 is the highest priority. All priority values must be unique
and between 0 and 126. By default, there are low-priority security-policies (127 inbound, 128 outbound)
that would allow all traffic through the IPSec card to the host processor.

5.9.4 action
Valid actions are allow, discard or ipsec. Allow will permit the traffic to pass to the host processor
without security services (encryption, decryption, authentication) applied. Discard will drop the traffic.
Lastly, ipsec will apply security services to the traffic, as described by the ike-sainfo set referenced by
the ike-sainfo name.

5.9.5 ike-sa-info
References the ike-sa-info configuration parameters for IPSec traffic. This is only valid when the
action is ipsec.

5.9.6 local-ip-addr-match, local-ip-mask & local-port-match

These three parameters combine to define which traffic will match this policy locally. In other words,
the addresses:ports described in these settings are the ones reachable on the MSG-side of the
interface. To be specific, in the case that the direction is set to both, these settings will match traffic
based on the destination IP address and port of the packets inbound to the interface, and will match
traffic based on the source IP address and port of the packets outbound from the interface.

For an example, see the next section.

5.9.7 remote-ip-addr-match, remote-ip-mask & remote-port-match

These three parameters combine to define which traffic will match this policy remotely. It could be said
that the addresses:ports described in these settings are the ones reachable on the UE-side of the
interface. To be specific, in the case that the direction is set to both, these settings will match traffic
based on the source IP address and port of the packets inbound to the interface, and will match traffic
based on the destination IP address and port of the packets outbound from the interface.

For instance, consider a policy configured as:

        local-ip-addr-match             172.16.106.2
        remote-ip-addr-match            6.0.0.0
        local-port-match                500
        remote-port-match               0
        trans-protocol-match            ALL
        direction                       both
        local-ip-mask                   255.255.255.255
        remote-ip-mask                  255.0.0.0
        action                          allow

When traffic arrives on the interface that references this policy, the source and destination IP
addresses and ports would be examined. If the traffic was sourced from the 6.0.0.0 subnet and
destined for 172.16.106.2:4500, it would be allowed. Also, when traffic was to be sent from the
interface configured with this policy, the source IP address and port would be examined. If the traffic
was sourced from 172.16.106.2:4500 and destined to any IP address or port on the 6.0.0.0 subnet, it
would be allowed. The 6.0.0.0 subnet would be the public IP addresses used in IKE signaling and
thus would have nothing to do with the local-address-pools.

Similarly, consider the discard example:

        priority                        126
        local-ip-addr-match             0.0.0.0
        remote-ip-addr-match            0.0.0.0
        local-port-match                0
        remote-port-match               0
        trans-protocol-match            ALL
        direction                       both
        local-ip-mask                   0.0.0.0
        remote-ip-mask                  0.0.0.0
        action                          discard

This security-policy will match any traffic from any source to any destination address and discard it
before it reaches the host processor. It is needed because the default security-policies allow all traffic.
It will not affect IKE, NATted IKE or IPSec traffic, because its priority is lower than that of those
security-policies.
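The following is an added example, not Acme Packet code, that models the priority-ordered lookup and the
local/remote matching rules of 5.9.3, 5.9.6 and 5.9.7 against the page's allow and discard policies; the
NATted-IKE (UDP 4500) and ipsec policies, the priorities 0 to 2, the direction names and the sample
packets are constructed for the example.

```python
"""Security-policy lookup modelled on sections 5.9.3, 5.9.6 and 5.9.7 of the
BCP (added example, not Acme Packet code).

Policies on one network-interface are tried in priority order (0 first). With
direction both, an inbound packet matches local-* against its destination and
remote-* against its source; an outbound packet matches the reverse. The default
allow-all policies (127 inbound, 128 outbound) are modelled too; they are what
makes the priority-126 discard policy necessary. ike-106 and discard-106 carry
the page's example values; the NATted-IKE (UDP 4500) and ipsec policies, the
priorities 0-2, the direction names and the sample packets are constructed.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class Policy:
    name: str
    priority: int          # lower number = higher priority; 0-126 for user policies
    action: str            # allow | discard | ipsec
    local_ip: str          # local-ip-addr-match
    local_mask: str        # local-ip-mask
    local_port: int        # local-port-match, 0 = any port
    remote_ip: str         # remote-ip-addr-match
    remote_mask: str       # remote-ip-mask
    remote_port: int       # remote-port-match, 0 = any port
    protocol: str = "ALL"  # trans-protocol-match
    direction: str = "both"


@dataclass(frozen=True)
class Packet:
    direction: str  # "inbound" (arriving from the UE side) or "outbound"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str = "UDP"


def _ip_matches(addr, match_ip, match_mask):
    """Masked compare; a 0.0.0.0 mask matches every address."""
    mask = int(ipaddress.IPv4Address(match_mask))
    return (int(ipaddress.IPv4Address(addr)) & mask) == \
        (int(ipaddress.IPv4Address(match_ip)) & mask)


def policy_matches(policy, pkt):
    if policy.direction not in ("both", pkt.direction):
        return False
    if policy.protocol != "ALL" and policy.protocol != pkt.protocol:
        return False
    # The local side is the MSG: destination of inbound, source of outbound.
    if pkt.direction == "inbound":
        local, remote = (pkt.dst_ip, pkt.dst_port), (pkt.src_ip, pkt.src_port)
    else:
        local, remote = (pkt.src_ip, pkt.src_port), (pkt.dst_ip, pkt.dst_port)
    return (_ip_matches(local[0], policy.local_ip, policy.local_mask)
            and policy.local_port in (0, local[1])
            and _ip_matches(remote[0], policy.remote_ip, policy.remote_mask)
            and policy.remote_port in (0, remote[1]))


def lookup(policies, pkt):
    """Name and action of the first matching policy in priority order."""
    for pol in sorted(policies, key=lambda p: p.priority):
        if policy_matches(pol, pkt):
            return pol.name, pol.action
    return None, None


SG, HOST, ANY = "172.16.106.2", "255.255.255.255", "0.0.0.0"

# Constructed policy set for the 172.16.106.2 interface.
INTERFACE_106 = [
    Policy("ike-106", 0, "allow", SG, HOST, 500, "6.0.0.0", "255.0.0.0", 0),
    Policy("nat-ike-106", 1, "allow", SG, HOST, 4500, "6.0.0.0", "255.0.0.0", 0),
    Policy("ipsec-106", 2, "ipsec", SG, HOST, 0, "6.0.0.0", "255.0.0.0", 0),
    Policy("discard-106", 126, "discard", ANY, ANY, 0, ANY, ANY, 0),
]
# Default card policies: pass anything no user policy caught to the host processor.
DEFAULTS = [
    Policy("default-in", 127, "allow", ANY, ANY, 0, ANY, ANY, 0, direction="inbound"),
    Policy("default-out", 128, "allow", ANY, ANY, 0, ANY, ANY, 0, direction="outbound"),
]

# Constructed sample packets.
IKE_IN = Packet("inbound", "6.1.2.3", 500, SG, 500)
NAT_IKE_IN = Packet("inbound", "6.1.2.3", 4500, SG, 4500)
IKE_OUT = Packet("outbound", SG, 500, "6.1.2.3", 500)
UE_OTHER_IN = Packet("inbound", "6.1.2.3", 40000, SG, 22)          # UE range, not IKE
STRAY_IN = Packet("inbound", "203.0.113.9", 40000, SG, 22, "TCP")  # outside UE range

if __name__ == "__main__":
    for pkt in (IKE_IN, NAT_IKE_IN, IKE_OUT, UE_OTHER_IN, STRAY_IN):
        print(pkt, "->", lookup(INTERFACE_106 + DEFAULTS, pkt))
    # Without the priority-126 discard the stray packet reaches the host processor.
    print("no discard:", lookup(INTERFACE_106[:-1] + DEFAULTS, STRAY_IN))
```

The last lookup shows why the discard policy is needed: with it removed, the stray packet falls through to the
default-in policy and is allowed to the host processor.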

5.10 ipsec-global-config
The ipsec-global-config configuration object must be configured to allow high availability for the SG.

5.10.1 red-ipsec-port
The redundancy port must be configured to support high availability. The recommended port is 1994.

6.0 Normative References


RFC 2631, Diffie-Hellman Key Agreement Method

RFC 3579, RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication
Protocol (EAP)

RFC 3580, IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines

RFC 3706, A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers

RFC 3748, Extensible Authentication Protocol

RFC 3948, UDP Encapsulation of IPsec ESP Packets

RFC 4302, IP Authentication Header

RFC 4303, IP Encapsulating Security Payload (ESP)

RFC 4306, Internet Key Exchange (IKEv2) Protocol

3GPP TS 23.234, 3GPP system to Wireless Local Area Network (WLAN) interworking

7.0 Author's Address

Acme Packet, Inc.
71 Third Avenue
Burlington, MA 01803

8.0 Disclaimer
The content in this document is for informational purposes only and is subject to change by Acme Packet
without notice. While reasonable efforts have been made in the preparation of this publication to assure
its accuracy, Acme Packet assumes no liability resulting from technical or editorial errors or omissions, or
for any damages resulting from the use of this information. Unless specifically included in a written
agreement with Acme Packet, Acme Packet has no obligation to develop or deliver any future release or
upgrade or any feature, enhancement or function.

9.0 Full Copyright Statement

Copyright Acme Packet (2010). All Rights Reserved. Acme Packet, Session-Aware Networking, Net-Net
and related marks are trademarks of Acme Packet. All other brand names are trademarks or
registered trademarks of their respective companies.
This document and translations of it may be copied and furnished to others, and derivative works that
comment on or otherwise explain it or assist in its implementation may be prepared, copied, published and
distributed, in whole or in part, given the restrictions identified in section 2 of this document, provided that
the above copyright notice, disclaimer, and this paragraph are included on all such copies and derivative
works. However, this document itself may not be modified in any way, such as by removing the copyright
notice or references to Acme Packet or other referenced organizations.

The limited permissions granted above are perpetual and will not be revoked by Acme Packet or its
successors or assigns.

This document and the information contained herein is provided on an "AS IS" basis and ACME PACKET
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.

10.0 Appendix A: Data Pass-Through, Certificate Authentication Reference Configuration

certificate-record
        name                            CA-root
        country                         US
        state                           MA
        locality                        Burlington
        organization                    Engineering
        unit
        common-name
        key-size                        1024
        alternate-name
        trusted                         enabled
        key-usage-list
                                        digitalSignature
                                        keyEncipherment
        extended-key-usage-list
                                        serverAuth
        options
        last-modified-by                admin@console
        last-modified-date              2009-08-13 18:33:21
certificate-record
        name                            CA-subordinate
        country                         US
        state                           MA
        locality                        Burlington
        organization                    Engineering
        unit
        common-name
        key-size                        1024
        alternate-name
        trusted                         enabled
        key-usage-list
                                        digitalSignature
                                        keyEncipherment
        extended-key-usage-list
                                        serverAuth
        options
        last-modified-by                admin@console
        last-modified-date              2009-08-13 18:35:26
certificate-record
        name                            SD-end-entity-106
        country                         US
        state                           MA
        locality                        Burlington
        organization                    Acme Packet
        unit
        common-name                     172.16.106.2
        key-size                        1024
        alternate-name
        trusted                         enabled
        key-usage-list
                                        digitalSignature
                                        keyEncipherment
        extended-key-usage-list
                                        serverAuth
        options
        last-modified-by                admin@console
        last-modified-date              2010-03-04 17:11:41
certificate-record
        name                            SD-end-entity-105
        country                         US
        state                           WA
        locality                        Burlington
        organization                    Acme Packet
        unit
        common-name                     172.16.105.2
        key-size                        1024
        alternate-name
        trusted                         enabled
        key-usage-list
        extended-key-usage-list
        options
        last-modified-by                admin@console
        last-modified-date              2010-03-04 17:11:17
ike-config
state enabled
ike-version 2
log-level NOTICE
udp-port 500
negotiation-timeout 15
event-timeout 60
phase1-mode main
phase1-dh-mode dh-group2
v2-ike-life-secs 86400
v2-ipsec-life-secs 28800
v2-rekey disabled
anti-replay enabled
phase1-life-seconds 3600
phase1-life-secs-max 86400
phase2-life-seconds 28800
phase2-life-secs-max 86400
phase2-exchange-mode dh-group2
shared-password <key value encrypted, not shown>
eap-protocol eap-radius-passthru
eap-bypass-identity disabled
addr-assignment local
dpd-time-interval 3600
overload-threshold 80
overload-interval 1
overload-action drop-new-connection
overload-critical-threshold 90
overload-critical-interval 1
red-port 1995
red-max-trans 10000
red-sync-start-time 5000
red-sync-comp-time 1000
sd-authentication-method certificate
certificate-profile-id 172.16.106.2
id-auth-type idi
last-modified-by admin@console
last-modified-date 2010-03-03 18:06:34
ike-interface
address 172.16.105.2
realm-id access-105
ike-mode responder
local-address-pool-id-list local-addr-pool-105
dpd-params-name dpd1
v2-ike-life-secs
v2-ipsec-life-secs
v2-rekey
shared-password
eap-protocol
addr-assignment
sd-authentication-method certificate
certificate-profile-id-list 172.16.105.2
last-modified-by admin@console
last-modified-date 2010-03-03 18:16:09
ike-interface
address 172.16.106.2
realm-id access-106
ike-mode responder
local-address-pool-id-list local-addr-pool-106
dpd-params-name dpd1
v2-ike-life-secs
v2-ipsec-life-secs
v2-rekey
shared-password
eap-protocol
addr-assignment
sd-authentication-method certificate
certificate-profile-id-list 172.16.106.2
last-modified-by admin@console
last-modified-date 2010-03-03 18:16:39
ike-sainfo
name ike-sainfo-105
security-protocol esp-auth
auth-algo sha1
encryption-algo aes
ipsec-mode tunnel
tunnel-local-addr 172.16.105.2
tunnel-remote-addr *
last-modified-by admin@console
last-modified-date 2010-03-03 18:38:38
ike-sainfo
name ike-sainfo-106
security-protocol esp-auth
auth-algo sha1
encryption-algo aes
ipsec-mode tunnel
tunnel-local-addr 172.16.106.2
tunnel-remote-addr *
last-modified-by admin@console
last-modified-date 2010-03-03 18:38:53
local-address-pool
name local-addr-pool-105
address-range
network-address 105.0.0.0
subnet-mask 255.255.0.0
address-range
network-address 105.1.0.0
subnet-mask 255.255.128.0
address-range
network-address 105.2.0.0
subnet-mask 255.255.252.0
address-range
network-address 105.3.0.0
subnet-mask 255.255.254.0
address-range
network-address 105.4.0.0
subnet-mask 255.255.255.128
address-range
network-address 105.5.0.0
subnet-mask 255.255.255.224
address-range
network-address 105.6.0.0
subnet-mask 255.255.255.248
address-range
network-address 105.7.0.0
subnet-mask 255.255.255.248
dns-realm-id core-105
data-flow data-flow-105
last-modified-by admin@console
last-modified-date 2010-03-03 16:42:35
local-address-pool
name local-addr-pool-106
address-range
network-address 106.0.0.0
subnet-mask 255.255.0.0
address-range
network-address 106.1.0.0
subnet-mask 255.255.128.0
address-range
network-address 106.2.0.0
subnet-mask 255.255.252.0
address-range
network-address 106.3.0.0
subnet-mask 255.255.254.0
address-range
network-address 106.4.0.0
subnet-mask 255.255.255.128
address-range
network-address 106.5.0.0
subnet-mask 255.255.255.224
address-range
network-address 106.6.0.0
subnet-mask 255.255.255.248
address-range
network-address 106.7.0.0
subnet-mask 255.255.255.248
dns-realm-id core-106
data-flow data-flow-106
last-modified-by admin@console
last-modified-date 2010-03-03 16:43:16
data-flow
name data-flow-105
realm-id core-105
group-size 256
upstream-rate 0
downstream-rate 0
last-modified-by admin@console
last-modified-date 2009-08-06 11:01:43
data-flow
name data-flow-106
realm-id core-106
group-size 256
upstream-rate 0
downstream-rate 0
last-modified-by admin@console
last-modified-date 2009-08-06 11:02:02
dpd-params
name dpd1
max-loop 100
max-endpoints 25
max-cpu-limit 60
load-max-loop 40
load-max-endpoints 5
last-modified-by admin@console
last-modified-date 2010-03-04 15:02:41
ike-certificate-profile
identity 172.16.105.2
end-entity-certificate SGW-end-entity-105
trusted-ca-certificates
CA-root
CA-subordinate
verify-depth 3
last-modified-by admin@console
last-modified-date 2010-03-04 17:09:48
ike-certificate-profile
identity 172.16.106.2
end-entity-certificate SD-end-entity-106
trusted-ca-certificates
CA-root
CA-subordinate
verify-depth 3
last-modified-by admin@console
last-modified-date 2010-03-04 17:10:01
network-interface
name M00
sub-port-id 0
description
hostname
ip-address 192.168.105.2
pri-utility-addr 192.168.105.21
sec-utility-addr 192.168.105.22
netmask 255.255.255.0
gateway 192.168.105.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list 192.168.105.2
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by admin@console
last-modified-date 2009-08-06 10:52:31
network-interface
name M01
sub-port-id 0
description
hostname
ip-address 172.16.105.2
pri-utility-addr 172.16.105.21
sec-utility-addr 172.16.105.22
netmask 255.255.255.0
gateway 172.16.105.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list 172.16.105.2
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:44:16
network-interface
name M11
sub-port-id 0
description
hostname
ip-address 192.168.106.2
pri-utility-addr 192.168.106.21
sec-utility-addr 192.168.106.22
netmask 255.255.255.0
gateway 192.168.106.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary 192.168.106.10
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list 192.168.106.2
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by admin@console
last-modified-date 2009-08-25 15:00:24
network-interface
name M10
sub-port-id 0
description
hostname
ip-address 172.16.106.2
pri-utility-addr 172.16.106.21
sec-utility-addr 172.16.106.22
netmask 255.255.255.0
gateway 172.16.106.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list 172.16.106.2
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:44:02
network-interface
name wancom1
sub-port-id 0
description
hostname
ip-address
pri-utility-addr 169.254.1.1
sec-utility-addr 169.254.1.2
netmask 255.255.255.252
gateway
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by admin@console
last-modified-date 2009-12-01 11:30:37
network-interface
name wancom2
sub-port-id 0
description
hostname
ip-address
pri-utility-addr 169.254.2.1
sec-utility-addr 169.254.2.2
netmask 255.255.255.252
gateway
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by admin@console
last-modified-date 2009-12-01 11:31:03
phy-interface
name M00
operation-type Media
port 0
slot 0
virtual-mac 00:08:25:a1:10:6a
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed
last-modified-by admin@console
last-modified-date 2009-08-06 10:47:35
phy-interface
name M01
operation-type Media
port 1
slot 0
virtual-mac 00:08:25:a1:10:6b
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:42:37
phy-interface
name M10
operation-type Media
port 0
slot 1
virtual-mac 00:08:25:a1:10:6c
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:42:56
phy-interface
name M11
operation-type Media
port 1
slot 1
virtual-mac 00:08:25:a1:10:6d
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed
last-modified-by admin@console
last-modified-date 2009-08-06 10:48:33
phy-interface
name wancom1
operation-type Control
port 1
slot 0
virtual-mac
wancom-health-score 8
last-modified-by admin@console
last-modified-date 2009-12-01 11:30:12
phy-interface
name wancom2
operation-type Control
port 2
slot 0
virtual-mac
wancom-health-score 9
last-modified-by admin@console
last-modified-date 2009-12-01 11:30:24
realm-config
identifier core-105
description
addr-prefix 192.168.105.0/24
network-interfaces
M00:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
symmetric-latching disabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
last-modified-by admin@console
last-modified-date 2009-08-06 11:08:34
realm-config
identifier access-105
description
addr-prefix 0.0.0.0
network-interfaces
M01:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
symmetric-latching disabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:45:07
realm-config
identifier core-106
description
addr-prefix 192.168.106.0/24
network-interfaces
M11:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
symmetric-latching disabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
last-modified-by admin@console
last-modified-date 2009-08-06 11:08:49
realm-config
identifier access-106
description
addr-prefix 0.0.0.0
network-interfaces
M10:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
symmetric-latching disabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:45:31
redundancy-config
state enabled
log-level NOTICE
health-threshold 75
emergency-threshold 50
port 9090
advertisement-time 500
percent-drift 210
initial-time 1250
becoming-standby-time 1800000
becoming-active-time 100
cfg-port 1987
cfg-max-trans 10000
cfg-sync-start-time 5000
cfg-sync-comp-time 1000
gateway-heartbeat-interval 0
gateway-heartbeat-retry 0
gateway-heartbeat-timeout 1
gateway-heartbeat-health 0
media-if-peercheck-time 300
peer
name Jimland1
state enabled
type Primary
destination
address 169.254.1.1:9090
network-interface wancom1:0
destination
address 169.254.2.1:9090
network-interface wancom2:0
peer
name Jimland2
state enabled
type Secondary
destination
address 169.254.1.2:9090
network-interface wancom1:0
destination
address 169.254.2.2:9090
network-interface wancom2:0
last-modified-by admin@console
last-modified-date 2010-03-04 17:01:23
system-config
hostname
description MSG BCP config
location
mib-system-contact
mib-system-name
mib-system-location
snmp-enabled enabled
enable-snmp-auth-traps enabled
enable-snmp-syslog-notify enabled
enable-snmp-monitor-traps disabled
enable-env-monitor-traps disabled
snmp-syslog-his-table-length 1
snmp-syslog-level NOTICE
system-log-level NOTICE
process-log-level NOTICE
process-log-ip-address 0.0.0.0
process-log-port 0
collect
sample-interval 5
push-interval 15
boot-state disabled
start-time now
end-time never
red-collect-state disabled
red-max-trans 1000
red-sync-start-time 5000
red-sync-comp-time 1000
push-success-trap-state disabled
call-trace disabled
internal-trace disabled
log-filter all
default-gateway 172.30.0.1
restart enabled
exceptions
telnet-timeout 0
console-timeout 0
remote-control enabled
cli-audit-trail enabled
link-redundancy-state disabled
source-routing enabled
cli-more disabled
terminal-height 24
debug-timeout 0
trap-event-lifetime 0
last-modified-by admin@console
last-modified-date 2010-03-04 17:00:18
security-policy
name sec-policy-ike-105
network-interface M01:0
priority 10
local-ip-addr-match 172.16.105.2
remote-ip-addr-match 6.0.0.0
local-port-match 500
remote-port-match 0
trans-protocol-match ALL
direction both
local-ip-mask 255.255.255.255
remote-ip-mask 255.0.0.0
action allow
ike-sainfo-name
outbound-sa-fine-grained-mask
local-ip-mask 255.255.255.255
remote-ip-mask 255.255.255.255
local-port-mask 0
remote-port-mask 0
trans-protocol-mask 0
valid enabled
vlan-mask 0x000
last-modified-by admin@console
last-modified-date 2010-03-04 15:36:45
security-policy
name sec-policy-ipsec-105
network-interface M01:0
priority 101
local-ip-addr-match 0.0.0.0
remote-ip-addr-match 105.0.0.0
local-port-match 0
remote-port-match 0
trans-protocol-match ALL
direction both
local-ip-mask 0.0.0.0
remote-ip-mask 255.0.0.0
action ipsec
ike-sainfo-name ike-sainfo-105
outbound-sa-fine-grained-mask
local-ip-mask 0.0.0.0
remote-ip-mask 255.255.255.255
local-port-mask 0
remote-port-mask 0
trans-protocol-mask 0
valid enabled
vlan-mask 0x000
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:53:19
security-policy
name sec-policy-ike-106
network-interface M10:0
priority 20
local-ip-addr-match 172.16.106.2
remote-ip-addr-match 6.0.0.0
local-port-match 500
remote-port-match 0
trans-protocol-match ALL
direction both
local-ip-mask 255.255.255.255
remote-ip-mask 255.0.0.0
action allow
ike-sainfo-name
outbound-sa-fine-grained-mask
local-ip-mask 255.255.255.255
remote-ip-mask 255.255.255.255
local-port-mask 0
remote-port-mask 0
trans-protocol-mask 0
valid enabled
vlan-mask 0xFFF
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:51:03
security-policy
name sec-policy-ipsec-106
network-interface M10:0
priority 102
local-ip-addr-match 0.0.0.0
remote-ip-addr-match 106.0.0.0
local-port-match 0
remote-port-match 0
trans-protocol-match ALL
direction both
local-ip-mask 0.0.0.0
remote-ip-mask 255.0.0.0
action ipsec
ike-sainfo-name ike-sainfo-106
outbound-sa-fine-grained-mask
local-ip-mask 0.0.0.0
remote-ip-mask 255.255.255.255
local-port-mask 0
remote-port-mask 0
trans-protocol-mask 0
valid enabled
vlan-mask 0x000
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:53:52
security-policy
name sec-policy-ike-105-NAT
network-interface M01:0
priority 11
local-ip-addr-match 172.16.105.2
remote-ip-addr-match 8.0.0.0
local-port-match 4500
remote-port-match 0
trans-protocol-match ALL
direction both
local-ip-mask 255.255.255.255
remote-ip-mask 255.0.0.0
action allow
ike-sainfo-name
outbound-sa-fine-grained-mask
local-ip-mask 255.255.255.255
remote-ip-mask 255.255.255.255
local-port-mask 0
remote-port-mask 0
trans-protocol-mask 0
valid enabled
vlan-mask 0xFFF
last-modified-by admin@console
last-modified-date 2010-03-11 13:54:21
security-policy
name sec-policy-ike-106-NAT
network-interface M10:0
priority 21
local-ip-addr-match 172.16.106.2
remote-ip-addr-match 6.0.0.0
local-port-match 4500
remote-port-match 0
trans-protocol-match ALL
direction both
local-ip-mask 255.255.255.255
remote-ip-mask 255.0.0.0
action allow
ike-sainfo-name
outbound-sa-fine-grained-mask
local-ip-mask 255.255.255.255
remote-ip-mask 255.255.255.255
local-port-mask 0
remote-port-mask 0
trans-protocol-mask 0
valid enabled
vlan-mask 0xFFF
last-modified-by admin@console
last-modified-date 2010-03-11 14:05:56
security-policy
name sec-policy-deny-106
network-interface M10:0
priority 126
local-ip-addr-match 0.0.0.0
remote-ip-addr-match 0.0.0.0
local-port-match 0
remote-port-match 0
trans-protocol-match ALL
direction both
local-ip-mask 0.0.0.0
remote-ip-mask 0.0.0.0
action discard
ike-sainfo-name
outbound-sa-fine-grained-mask
local-ip-mask 255.255.255.255
remote-ip-mask 255.255.255.255
local-port-mask 0
remote-port-mask 0
trans-protocol-mask 0
valid enabled
vlan-mask 0xFFF
last-modified-by admin@console
last-modified-date 2010-03-30 16:17:00
security-policy
name sec-policy-deny-105
network-interface M01:0
priority 125
local-ip-addr-match 0.0.0.0
remote-ip-addr-match 0.0.0.0
local-port-match 0
remote-port-match 0
trans-protocol-match ALL
direction both
local-ip-mask 0.0.0.0
remote-ip-mask 0.0.0.0
action discard
ike-sainfo-name
outbound-sa-fine-grained-mask
local-ip-mask 255.255.255.255
remote-ip-mask 255.255.255.255
local-port-mask 0
remote-port-mask 0
trans-protocol-mask 0
valid enabled
vlan-mask 0xFFF
last-modified-by admin@console
last-modified-date 2010-03-30 16:16:32
ipsec-global-config
red-ipsec-port 1994
red-max-trans 10000
red-sync-start-time 5000
red-sync-comp-time 1000
last-modified-by admin@console
last-modified-date 2008-08-11 10:48:03
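As an added worked example (not part of this document or of Acme Packet's software), the following Python transcribes the four M01:0 security-policy elements above and evaluates a flow against them the way a reviewer would by hand: the policies bound to the interface are tried in priority order, lowest number first (an assumption consistent with the catch-all discard policies carrying the highest numbers), and the first one whose masked local/remote address and port match supplies the action. The fine-grained SA mask, trans-protocol-match (ALL in every entry) and direction (both in every entry) are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class SecurityPolicy:
    """One security-policy element, reduced to the fields that drive matching."""
    name: str
    interface: str    # network-interface, e.g. "M01:0"
    priority: int     # lower number is evaluated first (assumption, see lead-in)
    local_ip: str     # local-ip-addr-match
    local_mask: str   # local-ip-mask
    remote_ip: str    # remote-ip-addr-match
    remote_mask: str  # remote-ip-mask
    local_port: int   # local-port-match, 0 = any
    remote_port: int  # remote-port-match, 0 = any
    action: str       # allow | ipsec | discard


def _ip_matches(addr: str, match: str, mask: str) -> bool:
    """Masked compare: (addr & mask) == (match & mask); mask 0.0.0.0 matches any."""
    a = int(ipaddress.IPv4Address(addr))
    m = int(ipaddress.IPv4Address(match))
    k = int(ipaddress.IPv4Address(mask))
    return (a & k) == (m & k)


def _port_matches(port: int, match: int) -> bool:
    return match == 0 or port == match


def lookup(policies: List[SecurityPolicy], interface: str, local_ip: str,
           remote_ip: str, local_port: int = 0, remote_port: int = 0
           ) -> Optional[SecurityPolicy]:
    """First policy bound to `interface` that matches the flow, by priority."""
    bound = (p for p in policies if p.interface == interface)
    for p in sorted(bound, key=lambda p: p.priority):
        if (_ip_matches(local_ip, p.local_ip, p.local_mask)
                and _ip_matches(remote_ip, p.remote_ip, p.remote_mask)
                and _port_matches(local_port, p.local_port)
                and _port_matches(remote_port, p.remote_port)):
            return p
    return None


# The four M01:0 policies transcribed from the reference configuration above.
ACCESS_105_POLICIES = [
    SecurityPolicy("sec-policy-ike-105", "M01:0", 10, "172.16.105.2",
                   "255.255.255.255", "6.0.0.0", "255.0.0.0", 500, 0, "allow"),
    SecurityPolicy("sec-policy-ike-105-NAT", "M01:0", 11, "172.16.105.2",
                   "255.255.255.255", "8.0.0.0", "255.0.0.0", 4500, 0, "allow"),
    SecurityPolicy("sec-policy-ipsec-105", "M01:0", 101, "0.0.0.0", "0.0.0.0",
                   "105.0.0.0", "255.0.0.0", 0, 0, "ipsec"),
    SecurityPolicy("sec-policy-deny-105", "M01:0", 125, "0.0.0.0", "0.0.0.0",
                   "0.0.0.0", "0.0.0.0", 0, 0, "discard"),
]


def classify(interface: str, local_ip: str, remote_ip: str,
             local_port: int = 0, remote_port: int = 0) -> str:
    """Action the gateway would apply, or 'no-match' if no policy is bound."""
    p = lookup(ACCESS_105_POLICIES, interface, local_ip, remote_ip,
               local_port, remote_port)
    return p.action if p else "no-match"


if __name__ == "__main__":
    # Constructed sample flows, not taken from the document.
    for local, remote, lp, rp in [
        ("172.16.105.2", "6.1.2.3", 500, 500),    # IKE from 6.0.0.0/8
        ("172.16.105.2", "6.1.2.3", 4500, 4500),  # NAT-T IKE from 6.0.0.0/8
        ("172.16.105.2", "8.1.2.3", 4500, 4500),  # NAT-T IKE from 8.0.0.0/8
        ("192.168.105.50", "105.3.0.9", 0, 0),    # traffic to the 105 address pool
        ("172.16.105.2", "9.9.9.9", 80, 80),      # anything else
    ]:
        hit = lookup(ACCESS_105_POLICIES, "M01:0", local, remote, lp, rp)
        print(f"{local}:{lp} <-> {remote}:{rp} -> {hit.name if hit else 'no-match'}")
```

With the values as printed on the page, a UDP 4500 flow from 6.0.0.0/8 to 172.16.105.2 falls through to sec-policy-deny-105, because sec-policy-ike-105-NAT matches remote-ip-addr-match 8.0.0.0/8 whereas sec-policy-ike-105 and both 106 IKE policies match 6.0.0.0/8; that difference is worth confirming before reusing the appendix as-is.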