Revision History
Version Author(s) Description of Changes Date
v1.0 James Tessier Initial Draft 5/21/10
Best Current Practices are working documents valid until explicitly obsoleted, and may be updated,
replaced or obsoleted by other documents at any time. It is recommended to use Best Current Practices
as reference material as well as to cite them in other works in progress.
Copyright Notice
Copyright Acme Packet, Inc. (2010). All Rights Reserved.
Abstract
This document defines a series of configuration recommendations to be used when deploying a new Net-Net
Security Gateway (SG) high availability (HA) pair as a Multiservice Security Gateway (MSG). Where these
recommendations conflict with Customer requirements or preferences, the Customer's preference SHOULD take
precedence.
Best Current Practice Multiservice Security Gateway May 2010
Table of Contents
1.0 Introduction
2.0 Intended Audience
3.0 Background
4.0 Design Goals
4.1 SG Architecture
5.0 Notes on the Reference Configurations
5.1 ike-config
5.1.1 phase1-dh-mode & phase2-exchange-mode
5.1.2 v2-rekey
5.1.3 dpd-time-interval
5.1.4 Overload parameters
5.1.5 red-port
5.1.6 sd-authentication-method
5.1.7 shared-password, eap-protocol & eap-bypass-identity
5.2 ike-interface
5.2.1 realm-id
5.2.2 local-address-pool-id-list
5.2.3 dpd-params-name
5.3 ike-sainfo
5.3.1 security-protocol
5.3.2 auth-algo
5.3.3 encryption-algo
5.3.4 ipsec-mode
5.4 local-address-pool
5.4.1 dns-realm-id
5.4.2 data-flow
5.5 data-flow
5.5.1 realm-id
5.5.2 group-size
5.6 dpd-params
5.6.3 max-cpu-limit
5.7 ike-certificate-profile
5.7.1 identity
5.7.2 end-entity-certificate
5.7.3 trusted-ca-certificates
5.8 ike-key-id
5.9 security-policy
5.9.1 name
5.9.2 network-interface
5.9.3 priority
5.9.4 action
5.9.5 ike-sa-info
5.10 ipsec-global-config
5.10.1 red-ipsec-port
8.0 Disclaimer
1.0 Introduction
The Net-Net SG provides for termination of IPsec tunnels from user endpoints (UEs). This document
covers the data pass-through model and provides a specific example using certificate-based
authentication. The Net-Net SG can additionally be configured as an integrated MSG and Session
Border Controller (SBC); that deployment will be covered in a subsequent version of this BCP.
This document presumes that the reader is familiar with standard configuration models and archetypes
(e.g., those listed in the Normative References section of this document) and with the IKE and IPsec
family of protocols.
3.0 Background
The Net-Net Security Gateway (SG), Acme Packet's Multiservice Security Gateway (MSG), enables
multiple fixed-mobile convergence (FMC) solutions by securing the delivery of voice and data services
over untrusted Internet and WiFi access networks to femtocells and dual-mode endpoints. The Net-Net
SG configuration is supported on the Net-Net 4500. It leverages Acme Packet's Net-Net OS software
platform to offer security gateway capabilities in terms of architectural flexibility, capacity,
performance, functionality, carrier-class availability and manageability.
4.1 SG Architecture
The Net-Net SG requires a Net-Net 4500 system with an IPsec physical interface card, a Security Service
Module (SSM) card, and licenses for IKE and for IPsec tunnel capacity (up to 200,000 tunnels). The IPsec
interface card contains two hardware chips that provide IPsec encryption and decryption. One chip serves
the first two physical interfaces (M00, M01) and the other the last two (M10, M11), and each chip
supports up to 100,000 tunnels. A major design goal is therefore to split the IPsec tunnels between the
two chips.
In the reference configuration, IKE interfaces and Security Associations are defined on two access
networks, 172.16.105.2/24 (on M01) and 172.16.106.2/24 (on M10), one per chip, with the matching core
realms on M00 and M11, so that the hardware IPsec capacity of the network interface unit (NIU) is used
as evenly as possible.
5.1 ike-config
The ike-config element defines system-wide Internet Key Exchange (IKE) settings. Settings on an ike-
interface take precedence over these. This section describes the parameters whose recommended values
differ from the defaults.
5.1.2 v2-rekey
When v2-rekey is enabled, the SD initiates an IKEv2 rekey when the v2-ike-life-secs and
v2-ipsec-life-secs timers expire. Note that the reference configuration at the end of this document
leaves v2-rekey disabled.
5.1.3 dpd-time-interval
By default, dead peer detection (DPD) initiation is disabled. Setting dpd-time-interval to a non-zero
value enables DPD; the SG then initiates DPD towards each endpoint after that many seconds of
inactivity (see RFC 3706). The recommended value is 3600.
5.1.4 Overload parameters
The recommended overload settings are:
overload-threshold 80
overload-interval 1
overload-action drop-new-connection
overload-critical-threshold 90
overload-critical-interval 1
5.1.5 red-port
The redundancy port must be configured to support high availability. The recommended port is 1995.
5.1.6 sd-authentication-method
The sd-authentication-method must be set to certificate when X.509 certificates are used for
authentication. The alternative, shared-password, uses pre-shared keys (see ike-key-id, Section 5.8).
5.2 ike-interface
These configuration parameters take precedence over the ike-config parameters. If a parameter is left
blank, the ike-config value will be used.
5.2.1 realm-id
Defines the realm to be associated with this interface. Specifically it maps the ike-interface to the
network-interface defined in the realm.
5.2.2 local-address-pool-id-list
Defines the local-address-pool(s) to be used for this interface. Local address pools are described in
Section 5.4.
5.2.3 dpd-params-name
Defines the dead peer detection (DPD) parameters object to be used for this interface. DPD
parameters are described in Section 5.6.
5.3 ike-sainfo
These configuration parameters define the IKE Security Association (SA) parameters.
5.3.1 security-protocol
Defines the IPsec security protocol used by each SA. esp-auth provides both encryption and
authentication (integrity) services and is recommended.
5.3.2 auth-algo
Defines the authentication (integrity) algorithm used by each SA. SHA-1 is stronger than MD5 and is
recommended.
5.3.3 encryption-algo
Defines the encryption algorithm used by each SA. AES is the strongest of the available options and is
recommended.
5.3.4 ipsec-mode
Defines whether the IPsec SA uses tunnel mode or transport mode. Tunnel mode is recommended: it
encapsulates the entire original IP packet, including its header, whereas transport mode protects only
the IP payload.
5.4 local-address-pool
Local-address-pool objects must be defined when endpoint addresses are managed locally by the SG. Each
pool contains one or more address-ranges from which addresses are allocated to endpoints on request.
A single local-address-pool may hold at most 100,000 addresses. The example below fills a pool to that
maximum. Note that the masks of its eight ranges cover 100,016 addresses in total; the count comes to
exactly 100,000 only when the network and broadcast address of each range is left out, so that is the
arithmetic this example relies on:
local-address-pool
name local-addr-pool-106
address-range
network-address 106.0.0.0
subnet-mask 255.255.0.0
address-range
network-address 106.1.0.0
subnet-mask 255.255.128.0
address-range
network-address 106.2.0.0
subnet-mask 255.255.252.0
address-range
network-address 106.3.0.0
subnet-mask 255.255.254.0
address-range
network-address 106.4.0.0
subnet-mask 255.255.255.128
address-range
network-address 106.5.0.0
subnet-mask 255.255.255.224
address-range
network-address 106.6.0.0
subnet-mask 255.255.255.248
address-range
network-address 106.7.0.0
subnet-mask 255.255.255.248
dns-realm-id core-106
data-flow data-flow-106
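To verify the pool arithmetic above (an added example written for this edit, not code from the original document or from Acme Packet), the following Python function takes the address-ranges of a local-address-pool as (network-address, subnet-mask) pairs, checks that every network-address is the base of its own subnet and that no two ranges overlap, and reports the raw and usable address counts against the 100,000 limit. The raw count of the eight ranges above is 100,016; the usable count drops each range's network and broadcast address, which is an assumption about how the SG allocates from a range, but it is the only reading under which the example comes to exactly 100,000.

```python
import ipaddress

MAX_POOL_ADDRESSES = 100_000

# The eight address-ranges of local-addr-pool-106 from the example above,
# copied as (network-address, subnet-mask) pairs.
POOL_106 = [
    ("106.0.0.0", "255.255.0.0"),
    ("106.1.0.0", "255.255.128.0"),
    ("106.2.0.0", "255.255.252.0"),
    ("106.3.0.0", "255.255.254.0"),
    ("106.4.0.0", "255.255.255.128"),
    ("106.5.0.0", "255.255.255.224"),
    ("106.6.0.0", "255.255.255.248"),
    ("106.7.0.0", "255.255.255.248"),
]


def check_pool(ranges, limit=MAX_POOL_ADDRESSES):
    """Return (raw_count, usable_count, problems) for a list of ranges.

    raw_count counts every address covered by the masks; usable_count drops
    the network and broadcast address of each range (assumption, see above).
    problems lists ranges whose network-address is not aligned to the mask,
    overlapping ranges, and a usable count above the limit.
    """
    nets, problems = [], []
    for addr, mask in ranges:
        net = ipaddress.IPv4Network((addr, mask), strict=False)
        if str(net.network_address) != addr:
            problems.append(f"{addr}/{mask} is not the base of its own subnet ({net})")
        for other in nets:
            if net.overlaps(other):
                problems.append(f"{net} overlaps {other}")
        nets.append(net)
    raw = sum(n.num_addresses for n in nets)
    usable = sum(n.num_addresses - 2 for n in nets)
    if usable > limit:
        problems.append(f"{usable} usable addresses exceeds the limit of {limit}")
    return raw, usable, problems


if __name__ == "__main__":
    raw, usable, problems = check_pool(POOL_106)
    print(f"raw={raw} usable={usable} problems={problems}")
```

Running the script on the pool above prints raw=100016 usable=100000 with no problems; adding a ninth range inside 106.0.0.0/16, or widening the first mask to 255.254.0.0, is reported.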
5.4.1 dns-realm-id
Defines the realm in which DNS lookups are performed.
5.4.2 data-flow
Defines the data-flow object (see Section 5.5) to be associated with this address pool.
5.5 data-flow
The data-flow configuration object defines the size of individual data-flow groups and their bandwidth
constraints. This will prevent any one group of endpoints from becoming a resource hog and denying
service to others.
5.5.1 realm-id
This defines the realm, and specifically that realm's network-interface, to be used by the data-flow
towards the next-hop gateway(s) in the core network.
5.5.2 group-size
This defines the number of UEs assigned to each data-flow. A smaller value gives finer-grained control
over individual endpoints' bandwidth limits; a larger value reduces overhead on the SG. For maximum
performance the recommended value is 256.
5.6 dpd-params
The dpd-params configuration object provides control over DPD events, protects against DPD storms and
de-prioritizes DPD relative to other functions such as tunnel initiation.
DPD processing consumes CPU cycles. To engineer max-loop and load-max-loop values whose CPU overhead
is not detrimental to the overall processing of the system, customer-specific testing based on the
expected subscriber load is recommended.
5.6.3 max-cpu-limit
This defines the CPU usage threshold at which the SG switches the limits it applies to DPD processing.
Below the threshold the max-loop and max-endpoints values are used; once it is exceeded, load-max-loop
and load-max-endpoints are used instead. The recommended value for max-cpu-limit is 80%; note that the
reference configuration at the end of this document uses 60.
5.7 ike-certificate-profile
The ike-certificate-profile configuration object is used to specify the certificates allowed on an ike-
interface.
5.7.1 identity
The IP address or fully-qualified domain name (FQDN) that uniquely identifies this ike-certificate-
profile and that a peer may request. It is matched against the requested identity (the IDr field) in the
IKE exchange, and the match must be exact for the SG to offer the correct certificate.
5.7.2 end-entity-certificate
References the certificate-record configuration element of the X.509 certificate offered by a local IKEv2
entity in support of its asserted identity.
5.7.3 trusted-ca-certificates
References the certificate-record configuration element(s) of the certification authorities (CA) used to
authenticate remote endpoints.
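As an added check (example code written for this edit, not part of the original document or of Acme Packet's software), the following Python script reads a configuration dump in the flat element/key/value layout used in this document and verifies that the names an ike-certificate-profile and an ike-interface refer to (certificate-records, the certificate profile, the local-address-pool and the dpd-params) are actually defined. The parser covers only the subset of the layout used in the embedded sample; the sample is constructed from values on this page and includes one deliberate mismatch, an end-entity-certificate reference SGW-end-entity-105 where the certificate-record is named SD-end-entity-105, so that the check has something to report.

```python
from collections import defaultdict

# Element types the checker knows about, and the attribute by which other
# elements refer to an instance of each type.
REFERENCE_KEY = {
    "certificate-record": "name",
    "ike-certificate-profile": "identity",
    "ike-interface": "address",
    "local-address-pool": "name",
    "dpd-params": "name",
}
LIST_KEYS = {"trusted-ca-certificates"}


def parse_dump(text):
    """Read the flat layout into a list of dicts. Assumed grammar: a bare
    element-type line starts an element, a bare list key collects the bare
    lines after it until the next 'key value' line, anything else is
    'key value'; keys with empty values are ignored."""
    elements, current, open_list = [], None, None
    for raw in text.splitlines():
        parts = raw.split(None, 1)
        if not parts:
            continue
        head = parts[0]
        if len(parts) == 1 and head in REFERENCE_KEY:
            current = {"_type": head}
            elements.append(current)
            open_list = None
        elif len(parts) == 1 and head in LIST_KEYS:
            open_list = current.setdefault(head, [])
        elif len(parts) == 1:
            if open_list is not None:      # a list member such as a CA name
                open_list.append(head)
        else:
            open_list = None
            current[head] = parts[1].strip()
    return elements


def dangling_references(elements):
    """Return 'where: kind name is not defined' strings; empty means clean."""
    defined = defaultdict(set)
    for e in elements:
        key = REFERENCE_KEY[e["_type"]]
        if key in e:
            defined[e["_type"]].add(e[key])

    problems = []

    def require(kind, ref, where):
        if ref and ref not in defined[kind]:
            problems.append(f"{where}: {kind} '{ref}' is not defined")

    for e in elements:
        where = f"{e['_type']} {e.get(REFERENCE_KEY[e['_type']], '?')}"
        if e["_type"] == "ike-certificate-profile":
            require("certificate-record", e.get("end-entity-certificate"), where)
            for ca in e.get("trusted-ca-certificates", []):
                require("certificate-record", ca, where)
        elif e["_type"] == "ike-interface":
            require("ike-certificate-profile", e.get("certificate-profile-id-list"), where)
            require("local-address-pool", e.get("local-address-pool-id-list"), where)
            require("dpd-params", e.get("dpd-params-name"), where)
    return problems


# Constructed sample in the dump layout, using values from this page plus one
# deliberate mismatch (SGW-end-entity-105 vs. the record SD-end-entity-105).
SAMPLE = """\
certificate-record
name CA-root
trusted enabled
certificate-record
name CA-subordinate
trusted enabled
certificate-record
name SD-end-entity-105
common-name 172.16.105.2
ike-certificate-profile
identity 172.16.105.2
end-entity-certificate SGW-end-entity-105
trusted-ca-certificates
CA-root
CA-subordinate
verify-depth 3
dpd-params
name dpd1
max-loop 100
local-address-pool
name local-addr-pool-105
dns-realm-id core-105
ike-interface
address 172.16.105.2
realm-id access-105
local-address-pool-id-list local-addr-pool-105
dpd-params-name dpd1
certificate-profile-id-list 172.16.105.2
"""

if __name__ == "__main__":
    for problem in dangling_references(parse_dump(SAMPLE)):
        print(problem)
```

The only finding on the sample is the mistyped end-entity-certificate; correcting it to SD-end-entity-105 makes the check pass. A dangling reference of this kind is worth catching before cutover, since the profile would have no certificate to offer for the identity a peer requests.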
5.8 ike-key-id
The ike-keyid configuration object is used to specify a pre-shared key when pre-shared keys are the
authentication method.
5.9 security-policy
The security-policy configuration object matches traffic flows to specific security policies.
Separate security-policies are needed for IKE negotiation, IKE negotiation from a NATted endpoint (UDP
port 4500) and IPsec data flows. For IPsec traffic the ike-sainfo parameters are also specified. Note
that the outbound-sa-fine-grained-mask parameters are not used for IKE or IPsec traffic. In the example,
each network-interface has four security-policies, each matching a different set of criteria to allow,
discard or apply IPsec to traffic: two allow policies admit IKE and NATted IKE traffic from valid hosts,
an ipsec policy allows data pass-through once an SA is established, and a discard policy prevents any
other traffic from reaching the host processor. Information on the specific parameters and an example
follow.
5.9.1 name
Any unique name to identify this security policy. It will not be referenced elsewhere.
5.9.2 network-interface
References the network-interface that will be used to match this security policy.
5.9.3 priority
The priority (order) in which security-policies are checked for a match. Lower numbers are higher
priority, so 0 is the highest priority, and every configured policy must have a unique value between 0
and 126. By default, low-priority security-policies (127 inbound, 128 outbound) exist that would allow
all traffic through the IPsec card to the host processor; the discard policy described below exists to
override them.
5.9.4 action
Valid actions are allow, discard and ipsec. allow permits the traffic to pass to the host processor
without security services (encryption, decryption, authentication) applied. discard drops the traffic.
ipsec applies the security services described by the ike-sainfo element referenced by the ike-sainfo
name.
5.9.5 ike-sa-info
References the ike-sa-info configuration parameters for IPSec traffic. This is only valid when the
action is ipsec.
interface. To be specific, in the case that the direction is set to both, these settings will match traffic
based on the source IP address and port of the packets inbound to the interface, and will match traffic
based on the destination IP address and port of the packets outbound from the interface.
local-ip-addr-match 172.16.106.2
remote-ip-addr-match 6.0.0.0
local-port-match 500
remote-port-match 0
trans-protocol-match ALL
direction both
local-ip-mask 255.255.255.255
remote-ip-mask 255.0.0.0
action allow
When traffic arrives on the interface that references this policy, the source and destination IP
addresses and ports are examined. Inbound traffic sourced from the 6.0.0.0/8 network and destined for
172.16.106.2 port 500 is allowed. Likewise, when traffic is to be sent from the interface configured
with this policy, the source IP address and port are examined: traffic sourced from 172.16.106.2 port
500 and destined to any address and port in 6.0.0.0/8 is allowed. The policy for NATted IKE is the same
except that local-port-match is 4500. The 6.0.0.0/8 network represents the public IP addresses of the
endpoints used in IKE signaling and has nothing to do with the local-address-pools.
The discard security-policy matches traffic from any source to any destination and discards it before
it reaches the host processor. It is needed because of the default security-policies (priorities 127
and 128), which would otherwise allow that traffic. It does not affect IKE, NATted IKE or IPsec traffic,
because those policies have higher priority (lower numbers) than the discard policy.
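The matching and priority rules described in this section, as an added example in Python written for this edit (it is not code from the original document or from Acme Packet). It models the four policies on the 172.16.106.2 interface plus the built-in priority 127/128 allow policies. Only the IKE allow policy is copied from the example above; the NATted IKE policy (UDP 4500), the ipsec policy and the catch-all discard policy are constructed from the prose and their exact match fields are assumptions. The packets are constructed as well. The last call shows what happens when the discard policy is omitted: an unsolicited packet falls through to the default allow policy and reaches the host processor.

```python
import ipaddress
from dataclasses import dataclass

ANY_PORT = 0  # a port-match of 0 means "any port"


@dataclass(frozen=True)
class SecurityPolicy:
    name: str
    priority: int      # lower number = checked first
    local_ip: str
    local_mask: str
    remote_ip: str
    remote_mask: str
    local_port: int
    remote_port: int
    protocol: str      # "ALL" or a transport protocol name
    direction: str     # "both", "inbound" or "outbound"
    action: str        # "allow", "discard" or "ipsec"


@dataclass(frozen=True)
class Packet:
    direction: str     # "inbound" (arriving at the interface) or "outbound"
    src_ip: str
    src_port: int
    dst_ip: str
    dst_port: int
    protocol: str


def _in_range(ip, base, mask):
    return ipaddress.IPv4Address(ip) in ipaddress.IPv4Network((base, mask), strict=False)


def matches(policy, pkt):
    """Direction rule from the text: for inbound packets the remote fields
    are compared with the source and the local fields with the destination;
    for outbound packets it is the other way round."""
    if policy.direction not in ("both", pkt.direction):
        return False
    if policy.protocol != "ALL" and policy.protocol != pkt.protocol:
        return False
    if pkt.direction == "inbound":
        local, lport, remote, rport = pkt.dst_ip, pkt.dst_port, pkt.src_ip, pkt.src_port
    else:
        local, lport, remote, rport = pkt.src_ip, pkt.src_port, pkt.dst_ip, pkt.dst_port
    return (_in_range(local, policy.local_ip, policy.local_mask)
            and _in_range(remote, policy.remote_ip, policy.remote_mask)
            and policy.local_port in (ANY_PORT, lport)
            and policy.remote_port in (ANY_PORT, rport))


def validate_priorities(policies):
    """Configured policies need unique priorities in 0..126; the built-in
    127/128 defaults are exempt."""
    seen = set()
    for p in policies:
        if p.name.startswith("default-"):
            continue
        if not 0 <= p.priority <= 126 or p.priority in seen:
            raise ValueError(f"{p.name}: priority {p.priority} out of range or duplicated")
        seen.add(p.priority)


def classify(policies, pkt):
    """Return (policy name, action) of the first match in priority order."""
    validate_priorities(policies)
    for p in sorted(policies, key=lambda p: p.priority):
        if matches(p, pkt):
            return p.name, p.action
    return None


SG = "172.16.106.2"
HOST = "255.255.255.255"
ANY = ("0.0.0.0", "0.0.0.0")
PUBLIC = ("6.0.0.0", "255.0.0.0")   # endpoint public addresses, as in the text

# Priority 0 is the example policy above; 1-3 are assumed from the prose.
IKE_ALLOW = SecurityPolicy("ike-allow-106", 0, SG, HOST, *PUBLIC, 500, ANY_PORT, "ALL", "both", "allow")
NATT_ALLOW = SecurityPolicy("natt-ike-allow-106", 1, SG, HOST, *PUBLIC, 4500, ANY_PORT, "ALL", "both", "allow")
IPSEC = SecurityPolicy("ipsec-106", 2, SG, HOST, *PUBLIC, ANY_PORT, ANY_PORT, "ALL", "both", "ipsec")
DISCARD = SecurityPolicy("discard-106", 3, *ANY, *ANY, ANY_PORT, ANY_PORT, "ALL", "both", "discard")
DEFAULTS = [SecurityPolicy("default-inbound", 127, *ANY, *ANY, ANY_PORT, ANY_PORT, "ALL", "inbound", "allow"),
            SecurityPolicy("default-outbound", 128, *ANY, *ANY, ANY_PORT, ANY_PORT, "ALL", "outbound", "allow")]
POLICIES = [IKE_ALLOW, NATT_ALLOW, IPSEC, DISCARD] + DEFAULTS

# Constructed packets.
IKE_INIT = Packet("inbound", "6.1.2.3", 500, SG, 500, "UDP")
NATT_INIT = Packet("inbound", "6.1.2.3", 61000, SG, 4500, "UDP")
ESP_FROM_UE = Packet("inbound", "6.1.2.3", 0, SG, 0, "ESP")
SSH_PROBE = Packet("inbound", "203.0.113.9", 40000, SG, 22, "TCP")
IKE_REPLY = Packet("outbound", SG, 500, "6.1.2.3", 500, "UDP")

if __name__ == "__main__":
    for pkt in (IKE_INIT, NATT_INIT, ESP_FROM_UE, SSH_PROBE, IKE_REPLY):
        print(pkt.direction, pkt.src_ip, pkt.dst_ip, pkt.dst_port, "->", classify(POLICIES, pkt))
    print("without discard:", classify([p for p in POLICIES if p is not DISCARD], SSH_PROBE))
```

With the discard policy in place the SSH probe from an address outside 6.0.0.0/8 is dropped on the IPsec card; without it, the same packet is admitted by the default inbound policy, which is the exposure the discard policy closes.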
5.10 ipsec-global-config
The ipsec-global-config configuration object must be configured to allow high availability for the SG.
5.10.1 red-ipsec-port
The redundancy port must be configured to support high availability. The recommended port is 1994.
RFC 3579, RADIUS (Remote Authentication Dial In User Service) Support For Extensible Authentication
Protocol (EAP)
RFC 3580, IEEE 802.1X Remote Authentication Dial In User Service (RADIUS) Usage Guidelines
RFC 3706, A Traffic-Based Method of Detecting Dead Internet Key Exchange (IKE) Peers
3GPP TS 23.234, 3GPP system to Wireless Local Area Network (WLAN) interworking
8.0 Disclaimer
The content in this document is for informational purposes only and is subject to change by Acme Packet
without notice. While reasonable efforts have been made in the preparation of this publication to assure
its accuracy, Acme Packet assumes no liability resulting from technical or editorial errors or omissions, or
for any damages resulting from the use of this information. Unless specifically included in a written
agreement with Acme Packet, Acme Packet has no obligation to develop or deliver any future release or
upgrade or any feature, enhancement or function.
The limited permissions granted above are perpetual and will not be revoked by Acme Packet or its
successors or assigns.
This document and the information contained herein is provided on an "AS IS" basis and ACME PACKET
DISCLAIMS ALL WARRANTIES, EXPRESS OR IMPLIED, INCLUDING BUT NOT LIMITED TO ANY
WARRANTY THAT THE USE OF THE INFORMATION HEREIN WILL NOT INFRINGE ANY RIGHTS OR
ANY IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE.
certificate-record
name CA-root
country US
state MA
locality Burlington
organization Engineering
unit
common-name
key-size 1024
alternate-name
trusted enabled
key-usage-list
digitalSignature
keyEncipherment
extended-key-usage-list
serverAuth
options
last-modified-by admin@console
last-modified-date 2009-08-13 18:33:21
certificate-record
name CA-subordinate
country US
state MA
locality Burlington
organization Engineering
unit
common-name
key-size 1024
alternate-name
trusted enabled
key-usage-list
digitalSignature
keyEncipherment
extended-key-usage-list
serverAuth
options
last-modified-by admin@console
last-modified-date 2009-08-13 18:35:26
certificate-record
name SD-end-entity-106
country US
state MA
locality Burlington
organization Acme Packet
unit
common-name 172.16.106.2
key-size 1024
alternate-name
trusted enabled
key-usage-list
digitalSignature
keyEncipherment
extended-key-usage-list
serverAuth
options
last-modified-by admin@console
last-modified-date 2010-03-04 17:11:41
certificate-record
name SD-end-entity-105
country US
state WA
locality Burlington
organization Acme Packet
unit
common-name 172.16.105.2
key-size 1024
alternate-name
trusted enabled
key-usage-list
extended-key-usage-list
options
last-modified-by admin@console
last-modified-date 2010-03-04 17:11:17
ike-config
state enabled
ike-version 2
log-level NOTICE
udp-port 500
negotiation-timeout 15
event-timeout 60
phase1-mode main
phase1-dh-mode dh-group2
v2-ike-life-secs 86400
v2-ipsec-life-secs 28800
v2-rekey disabled
anti-replay enabled
phase1-life-seconds 3600
phase1-life-secs-max 86400
phase2-life-seconds 28800
phase2-life-secs-max 86400
phase2-exchange-mode dh-group2
shared-password <key value encrypted, not shown>
eap-protocol eap-radius-passthru
eap-bypass-identity disabled
addr-assignment local
dpd-time-interval 3600
overload-threshold 80
overload-interval 1
overload-action drop-new-connection
overload-critical-threshold 90
overload-critical-interval 1
red-port 1995
red-max-trans 10000
red-sync-start-time 5000
red-sync-comp-time 1000
sd-authentication-method certificate
certificate-profile-id 172.16.106.2
id-auth-type idi
last-modified-by admin@console
last-modified-date 2010-03-03 18:06:34
ike-interface
address 172.16.105.2
realm-id access-105
ike-mode responder
local-address-pool-id-list local-addr-pool-105
dpd-params-name dpd1
v2-ike-life-secs
v2-ipsec-life-secs
v2-rekey
shared-password
eap-protocol
addr-assignment
sd-authentication-method certificate
certificate-profile-id-list 172.16.105.2
last-modified-by admin@console
last-modified-date 2010-03-03 18:16:09
ike-interface
address 172.16.106.2
realm-id access-106
ike-mode responder
local-address-pool-id-list local-addr-pool-106
dpd-params-name dpd1
v2-ike-life-secs
v2-ipsec-life-secs
v2-rekey
shared-password
eap-protocol
addr-assignment
sd-authentication-method certificate
certificate-profile-id-list 172.16.106.2
last-modified-by admin@console
last-modified-date 2010-03-03 18:16:39
ike-sainfo
name ike-sainfo-105
security-protocol esp-auth
auth-algo sha1
encryption-algo aes
ipsec-mode tunnel
tunnel-local-addr 172.16.105.2
tunnel-remote-addr *
last-modified-by admin@console
last-modified-date 2010-03-03 18:38:38
ike-sainfo
name ike-sainfo-106
security-protocol esp-auth
auth-algo sha1
encryption-algo aes
ipsec-mode tunnel
tunnel-local-addr 172.16.106.2
tunnel-remote-addr *
last-modified-by admin@console
last-modified-date 2010-03-03 18:38:53
local-address-pool
name local-addr-pool-105
address-range
network-address 105.0.0.0
subnet-mask 255.255.0.0
address-range
network-address 105.1.0.0
subnet-mask 255.255.128.0
address-range
network-address 105.2.0.0
subnet-mask 255.255.252.0
address-range
network-address 105.3.0.0
subnet-mask 255.255.254.0
address-range
network-address 105.4.0.0
subnet-mask 255.255.255.128
address-range
network-address 105.5.0.0
subnet-mask 255.255.255.224
address-range
network-address 105.6.0.0
subnet-mask 255.255.255.248
address-range
network-address 105.7.0.0
subnet-mask 255.255.255.248
dns-realm-id core-105
data-flow data-flow-105
last-modified-by admin@console
last-modified-date 2010-03-03 16:42:35
local-address-pool
name local-addr-pool-106
address-range
network-address 106.0.0.0
subnet-mask 255.255.0.0
address-range
network-address 106.1.0.0
subnet-mask 255.255.128.0
address-range
network-address 106.2.0.0
subnet-mask 255.255.252.0
address-range
network-address 106.3.0.0
subnet-mask 255.255.254.0
address-range
network-address 106.4.0.0
subnet-mask 255.255.255.128
address-range
network-address 106.5.0.0
subnet-mask 255.255.255.224
address-range
network-address 106.6.0.0
subnet-mask 255.255.255.248
address-range
network-address 106.7.0.0
subnet-mask 255.255.255.248
dns-realm-id core-106
data-flow data-flow-106
last-modified-by admin@console
last-modified-date 2010-03-03 16:43:16
data-flow
name data-flow-105
realm-id core-105
group-size 256
upstream-rate 0
downstream-rate 0
last-modified-by admin@console
last-modified-date 2009-08-06 11:01:43
data-flow
name data-flow-106
realm-id core-106
group-size 256
upstream-rate 0
downstream-rate 0
last-modified-by admin@console
last-modified-date 2009-08-06 11:02:02
dpd-params
name dpd1
max-loop 100
max-endpoints 25
max-cpu-limit 60
load-max-loop 40
load-max-endpoints 5
last-modified-by admin@console
last-modified-date 2010-03-04 15:02:41
ike-certificate-profile
identity 172.16.105.2
end-entity-certificate SD-end-entity-105
trusted-ca-certificates
CA-root
CA-subordinate
verify-depth 3
last-modified-by admin@console
last-modified-date 2010-03-04 17:09:48
ike-certificate-profile
identity 172.16.106.2
end-entity-certificate SD-end-entity-106
trusted-ca-certificates
CA-root
CA-subordinate
verify-depth 3
last-modified-by admin@console
last-modified-date 2010-03-04 17:10:01
network-interface
name M00
sub-port-id 0
description
hostname
ip-address 192.168.105.2
pri-utility-addr 192.168.105.21
sec-utility-addr 192.168.105.22
netmask 255.255.255.0
gateway 192.168.105.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list 192.168.105.2
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by admin@console
last-modified-date 2009-08-06 10:52:31
network-interface
name M01
sub-port-id 0
description
hostname
ip-address 172.16.105.2
pri-utility-addr 172.16.105.21
sec-utility-addr 172.16.105.22
netmask 255.255.255.0
gateway 172.16.105.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list 172.16.105.2
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:44:16
network-interface
name M11
sub-port-id 0
description
hostname
ip-address 192.168.106.2
pri-utility-addr 192.168.106.21
sec-utility-addr 192.168.106.22
netmask 255.255.255.0
gateway 192.168.106.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary 192.168.106.10
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list 192.168.106.2
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by admin@console
last-modified-date 2009-08-25 15:00:24
network-interface
name M10
sub-port-id 0
description
hostname
ip-address 172.16.106.2
pri-utility-addr 172.16.106.21
sec-utility-addr 172.16.106.22
netmask 255.255.255.0
gateway 172.16.106.1
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list 172.16.106.2
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:44:02
network-interface
name wancom1
sub-port-id 0
description
hostname
ip-address
pri-utility-addr 169.254.1.1
sec-utility-addr 169.254.1.2
netmask 255.255.255.252
gateway
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by admin@console
last-modified-date 2009-12-01 11:30:37
network-interface
name wancom2
sub-port-id 0
description
hostname
ip-address
pri-utility-addr 169.254.2.1
sec-utility-addr 169.254.2.2
netmask 255.255.255.252
gateway
sec-gateway
gw-heartbeat
state disabled
heartbeat 0
retry-count 0
retry-timeout 1
health-score 0
dns-ip-primary
dns-ip-backup1
dns-ip-backup2
dns-domain
dns-timeout 11
hip-ip-list
ftp-address
icmp-address
snmp-address
telnet-address
last-modified-by admin@console
last-modified-date 2009-12-01 11:31:03
phy-interface
name M00
operation-type Media
port 0
slot 0
virtual-mac 00:08:25:a1:10:6a
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed
last-modified-by admin@console
last-modified-date 2009-08-06 10:47:35
phy-interface
name M01
operation-type Media
port 1
slot 0
virtual-mac 00:08:25:a1:10:6b
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:42:37
phy-interface
name M10
operation-type Media
port 0
slot 1
virtual-mac 00:08:25:a1:10:6c
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:42:56
phy-interface
name M11
operation-type Media
port 1
slot 1
virtual-mac 00:08:25:a1:10:6d
admin-state enabled
auto-negotiation enabled
duplex-mode FULL
speed
last-modified-by admin@console
last-modified-date 2009-08-06 10:48:33
phy-interface
name wancom1
operation-type Control
port 1
slot 0
virtual-mac
wancom-health-score 8
last-modified-by admin@console
last-modified-date 2009-12-01 11:30:12
phy-interface
name wancom2
operation-type Control
port 2
slot 0
virtual-mac
wancom-health-score 9
last-modified-by admin@console
last-modified-date 2009-12-01 11:30:24
realm-config
identifier core-105
description
addr-prefix 192.168.105.0/24
network-interfaces
M00:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
symmetric-latching disabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
last-modified-by admin@console
last-modified-date 2009-08-06 11:08:34
realm-config
identifier access-105
description
addr-prefix 0.0.0.0
network-interfaces
M01:0
mm-in-realm disabled
mm-in-network enabled
mm-same-ip enabled
mm-in-system enabled
bw-cac-non-mm disabled
msm-release disabled
qos-enable disabled
generate-UDP-checksum disabled
max-bandwidth 0
fallback-bandwidth 0
max-priority-bandwidth 0
max-latency 0
max-jitter 0
max-packet-loss 0
observ-window-size 0
parent-realm
dns-realm
media-policy
in-translationid
out-translationid
in-manipulationid
out-manipulationid
manipulation-string
class-profile
average-rate-limit 0
access-control-trust-level none
invalid-signal-threshold 0
maximum-signal-threshold 0
untrusted-signal-threshold 0
nat-trust-threshold 0
deny-period 30
ext-policy-svr
symmetric-latching disabled
pai-strip disabled
trunk-context
early-media-allow
enforcement-profile
additional-prefixes
restricted-latching none
restriction-mask 32
accounting-enable enabled
user-cac-mode none
user-cac-bandwidth 0
user-cac-sessions 0
icmp-detect-multiplier 0
icmp-advertisement-interval 0
icmp-target-ip
monthly-minutes 0
net-management-control disabled
delay-media-update disabled
refer-call-transfer disabled
codec-policy
codec-manip-in-realm disabled
constraint-name
call-recording-server-id
stun-enable disabled
stun-server-ip 0.0.0.0
stun-server-port 3478
stun-changed-ip 0.0.0.0
stun-changed-port 3479
match-media-profiles
qos-constraint
last-modified-by admin@172.30.0.46
last-modified-date 2009-08-11 10:45:07
realm-config
    identifier core-106
    description
    addr-prefix 192.168.106.0/24
    network-interfaces
        M11:0
    mm-in-realm disabled
    mm-in-network enabled
    mm-same-ip enabled
    mm-in-system enabled
    bw-cac-non-mm disabled
    msm-release disabled
    qos-enable disabled
    generate-UDP-checksum disabled
    max-bandwidth 0
    fallback-bandwidth 0
    max-priority-bandwidth 0
    max-latency 0
    max-jitter 0
    max-packet-loss 0
    observ-window-size 0
    parent-realm
    dns-realm
    media-policy
    in-translationid
    out-translationid
    in-manipulationid
    out-manipulationid
    manipulation-string
    class-profile
    average-rate-limit 0
    access-control-trust-level none
    invalid-signal-threshold 0
    maximum-signal-threshold 0
    untrusted-signal-threshold 0
    nat-trust-threshold 0
    deny-period 30
    ext-policy-svr
    symmetric-latching disabled
    pai-strip disabled
    trunk-context
    early-media-allow
    enforcement-profile
    additional-prefixes
    restricted-latching none
    restriction-mask 32
    accounting-enable enabled
    user-cac-mode none
    user-cac-bandwidth 0
    user-cac-sessions 0
    icmp-detect-multiplier 0
    icmp-advertisement-interval 0
    icmp-target-ip
    monthly-minutes 0
    net-management-control disabled
    delay-media-update disabled
    refer-call-transfer disabled
    codec-policy
    codec-manip-in-realm disabled
    constraint-name
    call-recording-server-id
    stun-enable disabled
    stun-server-ip 0.0.0.0
    stun-server-port 3478
    stun-changed-ip 0.0.0.0
    stun-changed-port 3479
    match-media-profiles
    qos-constraint
    last-modified-by admin@console
    last-modified-date 2009-08-06 11:08:49
realm-config
    identifier access-106
    description
    addr-prefix 0.0.0.0
    network-interfaces
        M10:0
    mm-in-realm disabled
    mm-in-network enabled
    mm-same-ip enabled
    mm-in-system enabled
    bw-cac-non-mm disabled
    msm-release disabled
    qos-enable disabled
    generate-UDP-checksum disabled
    max-bandwidth 0
    fallback-bandwidth 0
    max-priority-bandwidth 0
    max-latency 0
    max-jitter 0
    max-packet-loss 0
    observ-window-size 0
    parent-realm
    dns-realm
    media-policy
    in-translationid
    out-translationid
    in-manipulationid
    out-manipulationid
    manipulation-string
    class-profile
    average-rate-limit 0
    access-control-trust-level none
    invalid-signal-threshold 0
    maximum-signal-threshold 0
    untrusted-signal-threshold 0
    nat-trust-threshold 0
    deny-period 30
    ext-policy-svr
    symmetric-latching disabled
    pai-strip disabled
    trunk-context
    early-media-allow
    enforcement-profile
    additional-prefixes
    restricted-latching none
    restriction-mask 32
    accounting-enable enabled
    user-cac-mode none
    user-cac-bandwidth 0
    user-cac-sessions 0
    icmp-detect-multiplier 0
    icmp-advertisement-interval 0
    icmp-target-ip
    monthly-minutes 0
    net-management-control disabled
    delay-media-update disabled
    refer-call-transfer disabled
    codec-policy
    codec-manip-in-realm disabled
    constraint-name
    call-recording-server-id
    stun-enable disabled
    stun-server-ip 0.0.0.0
    stun-server-port 3478
    stun-changed-ip 0.0.0.0
    stun-changed-port 3479
    match-media-profiles
    qos-constraint
    last-modified-by admin@172.30.0.46
    last-modified-date 2009-08-11 10:45:31
redundancy-config
    state enabled
    log-level NOTICE
    health-threshold 75
    emergency-threshold 50
    port 9090
    advertisement-time 500
    percent-drift 210
    initial-time 1250
    becoming-standby-time 1800000
    becoming-active-time 100
    cfg-port 1987
    cfg-max-trans 10000
    cfg-sync-start-time 5000
    cfg-sync-comp-time 1000
    gateway-heartbeat-interval 0
    gateway-heartbeat-retry 0
    gateway-heartbeat-timeout 1
    gateway-heartbeat-health 0
    media-if-peercheck-time 300
    peer
        name Jimland1
        state enabled
        type Primary
        destination
            address 169.254.1.1:9090
            network-interface wancom1:0
        destination
            address 169.254.2.1:9090
            network-interface wancom2:0
    peer
        name Jimland2
        state enabled
        type Secondary
        destination
            address 169.254.1.2:9090
            network-interface wancom1:0
        destination
            address 169.254.2.2:9090
            network-interface wancom2:0
    last-modified-by admin@console
    last-modified-date 2010-03-04 17:01:23
system-config
    hostname
    description MSG BCP config
    location
    mib-system-contact
    mib-system-name
    mib-system-location
    snmp-enabled enabled
    enable-snmp-auth-traps enabled
    enable-snmp-syslog-notify enabled
    enable-snmp-monitor-traps disabled
    enable-env-monitor-traps disabled
    snmp-syslog-his-table-length 1
    snmp-syslog-level NOTICE
    system-log-level NOTICE
    process-log-level NOTICE
    process-log-ip-address 0.0.0.0
    process-log-port 0
    collect
        sample-interval 5
        push-interval 15
        boot-state disabled
        start-time now
        end-time never
        red-collect-state disabled
        red-max-trans 1000
        red-sync-start-time 5000
        red-sync-comp-time 1000
        push-success-trap-state disabled
    call-trace disabled
    internal-trace disabled
    log-filter all
    default-gateway 172.30.0.1
    restart enabled
    exceptions
    telnet-timeout 0
    console-timeout 0
    remote-control enabled
    cli-audit-trail enabled
    link-redundancy-state disabled
    source-routing enabled
    cli-more disabled
    terminal-height 24
    debug-timeout 0
    trap-event-lifetime 0
    last-modified-by admin@console
    last-modified-date 2010-03-04 17:00:18
security-policy
    name sec-policy-ike-105
    network-interface M01:0
    priority 10
    local-ip-addr-match 172.16.105.2
    remote-ip-addr-match 6.0.0.0
    local-port-match 500
    remote-port-match 0
    trans-protocol-match ALL
    direction both
    local-ip-mask 255.255.255.255
    remote-ip-mask 255.0.0.0
    action allow
    ike-sainfo-name
    outbound-sa-fine-grained-mask
        local-ip-mask 255.255.255.255
        remote-ip-mask 255.255.255.255
        local-port-mask 0
        remote-port-mask 0
        trans-protocol-mask 0
        valid enabled
        vlan-mask 0x000
    last-modified-by admin@console
    last-modified-date 2010-03-04 15:36:45
security-policy
    name sec-policy-ipsec-105
    network-interface M01:0
    priority 101
    local-ip-addr-match 0.0.0.0
    remote-ip-addr-match 105.0.0.0
    local-port-match 0
    remote-port-match 0
    trans-protocol-match ALL
    direction both
    local-ip-mask 0.0.0.0
    remote-ip-mask 255.0.0.0
    action ipsec
    ike-sainfo-name ike-sainfo-105
    outbound-sa-fine-grained-mask
        local-ip-mask 0.0.0.0
        remote-ip-mask 255.255.255.255
        local-port-mask 0
        remote-port-mask 0
        trans-protocol-mask 0
        valid enabled
        vlan-mask 0x000
    last-modified-by admin@172.30.0.46
    last-modified-date 2009-08-11 10:53:19
security-policy
    name sec-policy-ike-106
    network-interface M10:0
    priority 20
    local-ip-addr-match 172.16.106.2
    remote-ip-addr-match 6.0.0.0
    local-port-match 500
    remote-port-match 0
    trans-protocol-match ALL
    direction both
    local-ip-mask 255.255.255.255
    remote-ip-mask 255.0.0.0
    action allow
    ike-sainfo-name
    outbound-sa-fine-grained-mask
        local-ip-mask 255.255.255.255
        remote-ip-mask 255.255.255.255
        local-port-mask 0
        remote-port-mask 0
        trans-protocol-mask 0
        valid enabled
        vlan-mask 0xFFF
    last-modified-by admin@172.30.0.46
    last-modified-date 2009-08-11 10:51:03
security-policy
    name sec-policy-ipsec-106
    network-interface M10:0
    priority 102
    local-ip-addr-match 0.0.0.0
    remote-ip-addr-match 106.0.0.0
    local-port-match 0
    remote-port-match 0
    trans-protocol-match ALL
    direction both
    local-ip-mask 0.0.0.0
    remote-ip-mask 255.0.0.0
    action ipsec
    ike-sainfo-name ike-sainfo-106
    outbound-sa-fine-grained-mask
        local-ip-mask 0.0.0.0
        remote-ip-mask 255.255.255.255
        local-port-mask 0
        remote-port-mask 0
        trans-protocol-mask 0
        valid enabled
        vlan-mask 0x000
    last-modified-by admin@172.30.0.46
    last-modified-date 2009-08-11 10:53:52
security-policy
    name sec-policy-ike-105-NAT
    network-interface M01:0
    priority 11
    local-ip-addr-match 172.16.105.2
    remote-ip-addr-match 8.0.0.0
    local-port-match 4500
    remote-port-match 0
    trans-protocol-match ALL
    direction both
    local-ip-mask 255.255.255.255
    remote-ip-mask 255.0.0.0
    action allow
    ike-sainfo-name
    outbound-sa-fine-grained-mask
        local-ip-mask 255.255.255.255
        remote-ip-mask 255.255.255.255
        local-port-mask 0
        remote-port-mask 0
        trans-protocol-mask 0
        valid enabled
        vlan-mask 0xFFF
    last-modified-by admin@console
    last-modified-date 2010-03-11 13:54:21
security-policy
    name sec-policy-ike-106-NAT
    network-interface M10:0
    priority 21
    local-ip-addr-match 172.16.106.2
    remote-ip-addr-match 6.0.0.0
    local-port-match 4500
    remote-port-match 0
    trans-protocol-match ALL
    direction both
    local-ip-mask 255.255.255.255
    remote-ip-mask 255.0.0.0
    action allow
    ike-sainfo-name
    outbound-sa-fine-grained-mask
        local-ip-mask 255.255.255.255
        remote-ip-mask 255.255.255.255
        local-port-mask 0
        remote-port-mask 0
        trans-protocol-mask 0
        valid enabled
        vlan-mask 0xFFF
    last-modified-by admin@console
    last-modified-date 2010-03-11 14:05:56
security-policy
    name sec-policy-deny-106
    network-interface M10:0
    priority 126
    local-ip-addr-match 0.0.0.0
    remote-ip-addr-match 0.0.0.0
    local-port-match 0
    remote-port-match 0
    trans-protocol-match ALL
    direction both
    local-ip-mask 0.0.0.0
    remote-ip-mask 0.0.0.0
    action discard
    ike-sainfo-name
    outbound-sa-fine-grained-mask
        local-ip-mask 255.255.255.255
        remote-ip-mask 255.255.255.255
        local-port-mask 0
        remote-port-mask 0
        trans-protocol-mask 0
        valid enabled
        vlan-mask 0xFFF
    last-modified-by admin@console
    last-modified-date 2010-03-30 16:17:00
security-policy
    name sec-policy-deny-105
    network-interface M01:0
    priority 125
    local-ip-addr-match 0.0.0.0
    remote-ip-addr-match 0.0.0.0
    local-port-match 0
    remote-port-match 0
    trans-protocol-match ALL
    direction both
    local-ip-mask 0.0.0.0
    remote-ip-mask 0.0.0.0
    action discard
    ike-sainfo-name
    outbound-sa-fine-grained-mask
        local-ip-mask 255.255.255.255
        remote-ip-mask 255.255.255.255
        local-port-mask 0
        remote-port-mask 0
        trans-protocol-mask 0
        valid enabled
        vlan-mask 0xFFF
    last-modified-by admin@console
    last-modified-date 2010-03-30 16:16:32
ipsec-global-config
    red-ipsec-port 1994
    red-max-trans 10000
    red-sync-start-time 5000
    red-sync-comp-time 1000
    last-modified-by admin@console
    last-modified-date 2008-08-11 10:48:03