Engage Black BlackDoor Duo User manual

BlackDoor Duo
Engage Black
Product Warranty
Seller warrants to the Original Buyer that any unit shipped to the Original Buyer, under normal
and proper use, be free from defects in material and workmanship for a period of 24 months from
the date of shipment to the Original Buyer. This warranty will not be extended to items repaired by
anyone other than the Seller or its authorized agent. The foregoing warranty is exclusive and in lieu
of all other warranties of merchantability, fitness for purpose, or any other type, whether express or
implied.
Remedies and Limitation of Liability
A. All claims for breach of the foregoing warranty shall be deemed waived unless notice of such claim
is received by Seller during the applicable warranty period and unless the items to be defective are
returned to Seller within thirty (30) days after such claim. Failure of Seller to receive written notice
of any such claim within the applicable time period shall be deemed an absolute and unconditional
waiver by buyer of such claim irrespective of whether the facts giving rise to such a claim shall have
been discovered or whether processing, further manufacturing, other use or resale of such items shall
have then taken place.
B. Buyer's exclusive remedy, and Seller's total liability, for any and all losses and damages arising
out of any cause whatsoever (whether such cause be based in contract, negligence, strict liability,
other tort or otherwise) shall in no event exceed the repair price of the work to which such cause
arises. In no event shall Seller be liable for incidental, consequential, or punitive damages resulting
from any such cause. Seller may, at its sole option, either repair or replace defective goods or work,
and shall have no further obligations to Buyer. Return of the defective items to Seller shall be at
Buyer's risk and expense.
C. Seller shall not be liable for failure to perform its obligations under the contract if such failure
results directly or indirectly from, or is contributed to by any act of God or of Buyer; riot; fire;
explosion; accident; flood; sabotage; epidemics; delays in transportation; lack of or inability to obtain
raw materials, components, labor, fuel or supplies; governmental laws, regulations or orders; other
circumstances beyond Seller's reasonable control, whether similar or dissimilar to the foregoing; or
labor trouble, strike, lockout or injunction (whether or not such labor event is within the reasonable
control of Seller).
Copyright Notice
Copyright © 2000-2020 Engage Black. All rights reserved. This document may not, in part
or in entirety, be copied, photocopied, reproduced, translated, or reduced to any electronic
medium or machine-readable form without first obtaining the express written consent of Engage
Communication. Restricted rights legend: Use, duplication, or disclosure by the U.S. government
is subject to restrictions set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and
Computer Software clause in DFARS 52.227-7013 and in similar clauses in the FAR and NASA FAR
Supplement.
Information in this document is subject to change without notice and does not represent a
commitment on the part of Engage Communication, Inc.

FCC Radio Frequency Interference Statement
This equipment has been tested and found to comply with the limits for a Class A digital device,
pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection
against harmful interference when the equipment is operated in a commercial environment. This
equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in
accordance with the instruction manual, may cause harmful interference to radio communications.
Operation of this equipment in a residential area is likely to cause harmful interference in which case
the user will be required to correct the interference at his own expense.
NOTE - Shielded Ethernet cables must be used with the Engage IP•Tube to ensure compliance with
FCC Part 15 Class A limits.
CAUTION - To reduce the risk of fire, use only No. 26 AWG or larger listed Telecommunication
cables.
Equipment Malfunction
If trouble is experienced with a BlackDoor Duo, please contact the Engage Communication Service
Center. If the equipment is causing harm to the telephone network, the telecommunications service
provider may request that you disconnect the equipment until the problem is resolved.
Engage Communication Service Center:
Phone (U.S.) +1.831.688.1021
Fax +1.831.688.1421
Email support@engageinc.com
Web www.engageinc.com

Contents
1 Introduction
1.1 Security
1.2 Management
1.3 Unit Ports and Indicators
1.3.1 Console Port
1.3.2 LAN Interface
1.4 About this Guide
1.4.1 Organization
1.4.2 Intended Audience
2 Installation QuickStart
2.1 Communication with BlackDoor Duo
2.1.1 Console Port
2.1.2 SSH
2.2 Editing & Pasting Configurations
2.3 BlackDoor Duo Cabling
2.4 BlackDoor Duo Configuration Parameters
2.4.1 Interface Specific Parameters
2.4.2 BlackDoor Duo System Parameters
3 Installation of BlackDoor Duo
3.1 Installing the Hardware
3.1.1 Locating BlackDoor Duo
3.1.2 Powering BlackDoor Duo
3.1.3 Console Port
3.1.4 Configuring the Engage BlackDoor Duo for the LAN
3.1.5 Ethernet Interfaces
3.1.6 Ethernet Status LEDs
4 Command Line Interface
4.1 Console Communication
4.2 Logging in to BlackDoor Duo
4.3 Overview of Commands
4.3.1 Categories
4.3.2 Configuration Modes
4.3.3 Syntax for Command Parameters
4.4 System Level or General Commands
4.5 Show Commands
4.6 Configuration Commands
4.6.1 Config Commands
4.6.2 Config Interface Commands
4.6.3 Config BlackDoor Commands
4.6.4 Connection Configuration Commands
4.6.5 Config Quantum Key Distribution Commands
4.6.6 Configuration Examples
5 Troubleshooting
5.1 Unable to Communicate with BlackDoor Duo
5.2 Ethernet/General
5.3 High Ethernet Error Count
5.4 Can't Communicate using SSH with the BlackDoor Duo
5.5 Can't communicate to BlackDoor Duo - Console Port
5.6 BlackDoor Duo O Net IP Interconnect Verification
5.7 TCP/IP Connection
5.8 Can't IP Ping Remote BlackDoor Duo
6 Appendix
6.1 BlackDoor Duo Specifications
6.1.1 Ethernet Port
6.1.2 LAN Protocol
6.1.3 Upgrade Capable
6.1.4 Management
6.1.5 Power Supply
6.1.6 Physical
7 Glossary
7.1 General Networking Terms
7.2 TCP/IP Networking Terms

1 Introduction
The BlackDoor Duo User's Guide provides the information users require to install, configure and operate
the BlackDoor Duo product developed and manufactured by Engage Communication Inc. The
product enables the user to move data across an IP network, in a securely packaged form,
to a unit in a remote location. Protocols supported include legacy protocols such as
NetBEUI, IPX, AppleTalk and Decnet. Legacy applications that utilize non-routable protocols are
able to access services across an IP point to point connection.
1.1 Security
BlackDoor Duo provides a high level of secure communication by exchanging packets only with the
remote network. The Ethernet frames within the IP envelope must be addressed to specific Ethernet
MAC addresses.
Network security is established with Full On Source, Destination Address, UDP Port and IP Packet
filtering. Interconnectivity is selectively controlled at the interface, network device and application
layers.
1.2 Management
Management of BlackDoor Duo is accomplished with a Command Line Interface (CLI) that
is accessed through the console port or an SSH connection. Templates of the most common
configurations provide for an Edit and Paste approach.
1.3 Unit Ports and Indicators
1.3.1 Console Port
The unit provides a console port for "Out of Band" management access.
1.3.2 LAN Interface
BlackDoor Duo provides two 10/100/1000BaseT Ethernet LAN interfaces. Management via the
LAN ports is enabled when access to the unit is more convenient remotely. LAN1 typically receives
unencrypted data from a local network and the LAN2 port moves the encrypted data to a remote
BlackDoor Duo. LAN protocols IP, TCP and ICMP are supported.
1.4 About this Guide
1.4.1 Organization
Introduction provides an overview of the BlackDoor Duo User's Guide as well as feature descriptions.
Installation QuickStart provides a concise description of the installation and configuration process,
plus examples to get the experienced user up and running in a minimum of time.
Installation of BlackDoor Duo gives a detailed step by step of the installation and initial configuration
of the units. It covers the physical environment and connections required to install the units then
steps the administrator through the configuration process of the console port and LAN connections.
Command Line Interface provides a command-by-command description of the upper-level interface
as well as the interfaces to the various ports.
Troubleshooting reviews some of the common issues that may occur during installation and normal
operation of the units and provides descriptions of causes and solutions to these issues.
Appendix - BlackDoor Duo specifications, connector pinouts and crossover wiring details and includes
diagrams of the units.
Glossary - Telecommunication and TCP/IP terminology.
1.4.2 Intended Audience
This manual is intended for administrators of telecommunication and network systems. The
technical content is written for readers who have basic computer, telecommunication and networking
experience.
It is important that any administrator responsible for the installation and operation of Engage
BlackDoor products be familiar with IP networking and data communication concepts, such as
network addressing and synchronous serial interfaces. These terms are central to an understanding
of BlackDoor functionality and are covered in the Glossary section.

2 Installation QuickStart
This QuickStart Chapter is intended for users who understand how they want their BlackDoor Duo
installed and configured and only require the mechanics of performing that installation.
2.1 Communication with BlackDoor Duo
2.1.1 Console Port
Initial communication with the BlackDoor Duo unit is made through the Console port, utilizing the
Command Line Interface (CLI) detailed in Chapter 4: Command Line Interface.
Please use the provided USB to DB9 serial converter to connect to the BlackDoor Duo's USB port.
The DB9 side of the cable will connect to a computer that is running a terminal emulator program
(TeraTerm, HyperTerm, etc.). It is typical to connect the DB9 to another USB to DB9 serial
converter as DB9 serial ports are not common on today’s computers. In this case, use the NULL
MODEM ADAPTER provided to allow communication between BlackDoor Duo and computer. The
use of the null modem adapter is necessary when using two USB to DB9 serial converter cables.
Once a serial connection between a workstation and the BlackDoor Duo console port is established
and a carriage return <CR> is entered, a Login prompt will appear.
The default login is: root.
The default password for first time login is also root. It is highly recommended that the password
be changed upon initial login.
2.1.2 SSH
Once an IP address has been assigned, the user can log into the unit via the network and continue
configuration using SSH. Most SSH clients are compatible with the BlackDoor Duo.
2.2 Editing & Pasting Configurations
Users of either CLI have the option of editing a standard BlackDoor Duo configuration in a text
editor and pasting that configuration to BlackDoor Duo. The examples in this section are included
in a configuration file found on the shipping disk.
Edit the desired configuration listing using a simple text editor. Connect to the BlackDoor Duo unit
through SSH or the Console port, then enter the configuration mode with the command: config.
Paste the edited text, comments and all, to the BlackDoor Duo, then issue the command: save.
The unit will reset and come up with the new configuration.
To save a BlackDoor Duo configuration to a file, issue the command: show configuration all,
and copy the output of the command to a file with your text editor.
2.3 BlackDoor Duo Cabling
BlackDoor Duo uses standard 10/100/1000BaseT Ethernet cabling to connect to an Ethernet switch,
router or hub. A crossover 10/100/1000BaseT cable can be used for direct connection to a single
router, wireless radio or other Ethernet device.

The cabling used to connect BlackDoor Duo LAN Ports to a switch, router or hub is straight through
Ethernet cabling.
2.4 BlackDoor Duo Configuration Parameters
The setup of BlackDoor Duo involves configuration of the:
■ Interface Specific Parameters
■ BlackDoor Duo System Parameters
2.4.1 Interface Specific Parameters
Console Configuration Parameters
Serial communication settings to the USB serial port should be set as:
115200 baud, 1 stop bit, no parity, 8-bit data, flow control none
LAN Configuration Parameters
BlackDoor Duo Ethernet number 2 (LAN2) is configured for network connectivity. The following
parameters must match the configuration of the LAN interface to which it is connected.
2.4.2 BlackDoor Duo System Parameters
System parameters include BlackDoor Duo Host name, the Ethernet IP address and the default
router.
host name
Provide a unique name for BlackDoor Duo.
Example:
host name AptosBlackDoor
ip address
BlackDoor Duo requires configuration of the LAN2 interface which will communicate to another
BlackDoor Duo. BlackDoor Duo IP packets communicate over LAN2 only. Configuration of
the LAN1 (Local Network) interface is required in Mode Route but optional in Mode Bridge.
Management access to the unit via SSH is possible via LAN1 or LAN2.
Example:
ip address aaa.bbb.ccc.ddd
default gateway
If the remote BlackDoor Duo, whose IP address is configured with ip address, resides on a different
IP network from the Local BlackDoor Duo, a default gateway must be specified. The default gateway
is typically the local IP WAN Router.
Example:
default gateway aaa.bbb.ccc.ddd

3 Installation of BlackDoor Duo
This section provides details on the physical location and connections required for the installation of
Engage BlackDoor Duo equipment. Also covered is the initial communication with BlackDoor Duo.
References are made to BlackDoor Duo Command Line Interface as well as Configuration and
Operation. These topics are covered in detail in later chapters.
The use of Engage BlackDoor Duo systems to encrypt traffic between two Ethernet LANs over an
IP network requires one BlackDoor Duo unit at each end.
A standard BlackDoor Duo package includes:
■ BlackDoor Duo unit - with installed LAN interface
■ Console port adapter and cable
■ Power Converter (110 or 220 VAC input/12 VDC output)
■ Documentation Compact Disk with BlackDoor Duo User's Guide and configuration examples
3.1 Installing the Hardware
3.1.1 Locating BlackDoor Duo
Site consideration is important for proper operation of BlackDoor Duo. The user should install the
unit in an environment providing:
A well-ventilated indoor location
Access within six feet of a power outlet
Two feet additional clearance around the unit to permit easy cable connection.
As an option, BlackDoor Duo can be mounted in a standard 19-inch equipment rack, (rack mounts
are available from Engage).
3.1.2 Powering BlackDoor Duo
Engage BlackDoor Duo units utilize an external power adapter, available in 110 VAC and 220 VAC
versions, providing DC output.
The appropriate power adapter is provided with each unit. Ensure the power adapter is not
connected to power then plug the DC adapter into the rear panel POWER connector.
3.1.3 Console Port
BlackDoor Duo includes a Console port for initial configuration. It may be used for serial
communication from a local workstation or for remote connection via a modem. The Console port
utilizes a USB port.
Please use the provided USB to DB9 serial converter to connect to the BlackDoor Duo's USB port.
The DB9 side of the cable will connect to a computer that is running a terminal emulator program
(TeraTerm, HyperTerm, etc.). It is typical to connect the DB9 to another USB to DB9 serial
converter as DB9 serial ports are not common on today’s computers. In this case, use the NULL
MODEM ADAPTER provided to allow communication between BlackDoor Duo and computer. The
use of the null modem adapter is necessary when using two USB to DB9 serial converter cables.
Communication to the console port should be set for:
115200 baud, 1 stop bit, no parity, 8 bit fixed, flow control none
Once a serial connection between a workstation and BlackDoor Duo console port is established and
a carriage return <CR> is entered, a Login prompt will appear.
The default login is: root.
The default password for first time login is also root. It is highly recommended that the password
be changed upon initial login.
3.1.4 Configuring the Engage BlackDoor Duo for the LAN
BlackDoor Duo needs to be configured with a number of parameters for proper operation on the
network, including:
■ Ethernet IP address
■ IP data target unit IP address (peer ip address)
■ Default gateway if the IP data target is on another IP network
■ Mode Route or Mode Bridge. Mode Route utilizes layer 3 encryption where the BlackDoor
Duo acts as a router. Mode Bridge utilizes layer 2 encryption where the BlackDoor Duo acts
as a bridge between the LAN1 ports of the local and remote units.
The configuration procedure depends on the network environment in which BlackDoor Duo is to be
installed.
Note: It is strongly suggested that you configure BlackDoor Duo with its unique network identity
before making any Ethernet or Wide Area connections.
3.1.5 Ethernet Interfaces
Engage BlackDoor Duo systems utilize 10/100/1000BaseT Ethernet cable to connect to the Local
Area Network. Each system provides a 10/100/1000BaseT interface on the front panel for connection
to an Ethernet switch or hub using a straight-thru Ethernet cable. For direct connection to a PC
or other LAN device, the user should obtain a 10/100/1000BaseT crossover cable.
10/100/1000BaseT Ethernet cabling and crossover pinouts are provided in the Appendices.
3.1.6 Ethernet Status LEDs
The green LED on the right side of the Ethernet interface indicates link established and it will blink
for activity.
The amber LED on the left side of the Ethernet interface indicates a 1000BaseT link established.

4 Command Line Interface
Command Line access to BlackDoor Duo may be via a serial connection to the Console port or an
SSH connection to the Ethernet interface.
SSH provides a secure communications facility defining a standard method of interfacing terminal
devices to each other. Any standard SSH client can be used to communicate to an Engage BlackDoor
Duo provided there is IP connectivity between the User Host and the BlackDoor Duo.
For communication through the Console port, standard terminal communication software is used.
4.1 Console Communication
Serial communication to the console port should be configured for:
115200 baud, 1 stop bit, no parity, 8 bit fixed, flow control none
Please use the provided USB to DB9 serial converter to connect to the BlackDoor Duo's USB port.
The DB9 side of the cable will connect to a computer that is running a terminal emulator program
(TeraTerm, HyperTerm, etc.). It is typical to connect the DB9 to another USB to DB9 serial
converter as DB9 serial ports are not common on today’s computers. In this case, use the NULL
MODEM ADAPTER provided to allow communication between BlackDoor Duo and computer. The
use of the null modem adapter is necessary when using two USB to DB9 serial converter cables.
4.2 Logging in to BlackDoor Duo
■ An SSH session is opened by providing the IP address of the BlackDoor Duo. On opening
a Command Line Interface (CLI) session, via the Console port or SSH, the login prompt
requires entry of a login ID.
■ The default login ID: root.
■ BlackDoor Duo is shipped with default passwords. Passwords are set or modified with the
passwd command, detailed below.
4.3 Overview of Commands
The Engage CLI supports shorthand character entry. At most 3 characters are required for the
parsing of commands. For example: show configuration can be entered as: sh con. The CLI is
not case sensitive. Description of the commands uses both upper and lower case for syntax definitions
and examples. A full description of the command line interface follows.
4.3.1 Categories
The command set can be divided into four categories:
■ General
■ Show
■ Config
■ Config Interface

4.3.2 Configuration Modes
For the config and config interface commands, Engage employs a modal approach. The user enters
the Config mode, makes changes, then Saves those changes. On Saving the changes the user leaves
the Config mode.
The Config interface mode, within the Config mode, is used to set parameters for a specified interface.
Once in the Configuration mode, the user enters the interface command. All subsequent commands
apply to the specified interface.
The command prompt indicates the mode of operation:
■ name# the single "#" indicates standard mode
■ name## indicates BlackDoor Duo is in the Config mode
■ name(LAN1)## BlackDoor Duo is in Config Interface mode for LAN Port 1
To move up one level, from Interface Config mode to Config mode, enter the interface command
with no argument. To change between interfaces when in Interface Config mode, specify the new
interface. For example:
name(s1)## interface lan1
Note: The LAN1 port is the private (local) interface and commonly receives data; LAN2 is the
public (WAN) port and generally sends data.
4.3.3 Syntax for Command Parameters
{} == one of the parameters in set is required
[ ] == one of the parameters in set is allowed (optional)
4.4 System Level or General Commands
passwd
Allows setting or modifying the login password. The BlackDoor Duo ships with default passwords.
On entering the passwd command, the user is prompted to enter, and confirm, the new password.
bye | quit | logout
Any of these commands will terminate the user session. If you have unsaved configuration changes,
you will be prompted to save or discard the new configuration.
reset
Resets BlackDoor Duo.
ping {dest.address} [src.address] [ [{number}] ]
Sends an ICMP ECHO message to the specified address. Any source address from an interface on
BlackDoor Duo can be used. This can be useful to test routes across a LAN or WAN interface.
By default, only 1 message (packet) is sent. A numeric value can be entered to send more than one
message.
upgrade [user@]{SFTP host}:{Filename}
SFTP (secure file transfer protocol) provides a means for upgrading BlackDoor Duo firmware in
a TCP/IP environment. An SFTP upgrade may be accomplished from a CD provided by Engage
Communication if the user can configure their own local SFTP server and place the appropriate
upgrade file, from the CD or from Engage Tech Support, on the server.
Once a connection to an SFTP server site has been established, issue the upgrade command.
upgrade chris@157.22.234.129:/users/chris/bd-duo.upg
Note that a BlackDoor Duo must go through a reset when performing
an upgrade. This may cause the SSH connection to drop. If this does occur, simply re-establish the
SSH connection.
maxpeersallowed maxpeers-allowed-string
Enter a string provided by Engage Black that is used to change the maximum number of peers
allowed on the BlackDoor Duo.
4.5 Show Commands
show interface [lan1 | lan2] {info | statistics}
Provides details on either LAN interface. If no interface is specified, either the current interface per
"interface" command will be used, or all interfaces will be shown.
info details the port type, port state, etc.
statistics lists the packets transmitted, received, etc.
show [black | qkd] info
info black details the status of the encryption tunnels. info qkd details the status of the quantum
key distribution network.
show router provides general configuration and status information, including the Ethernet
hardware address and the firmware version.
show config all provides a list of all configuration parameters. No argument is the same as all.
This list provides the basis for storing a BlackDoor Duo configuration into a local text file. The
full configuration can be edited offline.
show config interface [lan1 | lan2]
If no interface is specified, either the current interface per the interface command will be used, or
all interfaces will be shown.
show config router lists BlackDoor Duo Hostname, etc.
show log displays a log of the BlackDoor Duo peer to peer QKD communication.
4.6 Configuration Commands
4.6.1 Config Commands
Enter the configuration mode, at which point the following commands may be used.
save
Save the changes and exit Configuration mode.
end
Exit Configuration mode.
restore
Restores the current BlackDoor Duo configuration, ignoring any changes which have been made
during the current config session.
host name {namestring}
Provide a unique name for BlackDoor Duo. The new host name does not take effect until a save
and reset is performed. For example:
host name Dallas IPTube
default gateway address
Enter the IP address of the default router or gateway. This must be an IP address on the same
network as BlackDoor Duo.
route add {route gateway}
Configures a static route. The route must be in CIDR notation. The gateway is an IP address. The
interface is automatically configured LAN1 or LAN2 depending on the gateway IP address.
route del {route}
Deletes a static route. The specified route must be in CIDR notation.
4.6.2 Config Interface Commands
Configuration of BlackDoor Duo involves setting parameters for the LAN interfaces. The user must
specify which interface is being configured with the command:
interface [lan1 | lan2]
To move up one level, from Interface Config mode to Config mode, enter the interface command
with no argument. To change between interfaces when in Interface Config mode, specify the new
interface. For example:
name(LAN1)##
interface lan1
ip address address
The interface IP address is required for configuration with SSH or connectivity tests with ping. This
configuration parameter is required for LAN2 only. LAN1 is optionally configured for an IP address.
Example assigning IP address:
ip address 192.168.1.1
Example removing IP address:
ip address
4.6.3 Config BlackDoor Commands
mode {bridge | route}
bridge specifies layer 2 encryption where the BlackDoor Duo acts as a bridge between the LAN1
ports of the local and remote units.
route specifies layer 3 encryption where the BlackDoor Duo acts as a router and the specified routes
are encrypted.
keymode {ike | manual}
ike uses IKEv2 to establish keys.
manual is selected for manually entering the encryption key via the enterkey command.
rekey period
Specifies the interval, in minutes, at which the BlackDoor Duo establishes new encryption and
message authentication keys with the remote unit. Not used when the keymode is manual.
enterkey {auth | encrypt | tlspsk} string1 string2
auth string1
Enter a string that is used as an authentication secret. The BlackDoor Duo authentication secret
must be the same as configured on the remote unit in order for an encryption tunnel to be set up.
encrypt string1
encrypt is used for keymode manual. Enter a 64 byte hex string to be used as the encryption
key.
tlspsk string1 string2
tlspsk is used when tls mode psk is selected.
Enter string1 that is the TLS PSK Key ID. Enter string2 that is the TLS PSK Key. The Key
ID and Key must be the same as configured on the remote unit in order for QKD to work properly.
The Key string should be kept secret and as cryptographically sound as possible.
See the Config Quantum Key Distribution Commands section for how to set tls mode.
The enterkey command causes the unit to reset.
4.6.4 Connection Configuration Commands
The BlackDoor Duo supports multiple connections to other BlackDoor Duo units. There are
special commands to configure the parameters for each connection. Connection parameters have
underscores. Take care to include the underscores when you type in the parameters.
add conn connection name
Creates a connection with the specified name. All subsequent configuration for this connection
specifies the name. The connection initially has no configuration parameters. The connection must
be configured with all the required configuration parameters for it to be operational.
remove conn connection name
Removes the named connection from the configuration. The connection and all its configuration
parameters are deleted.
setconn connection name peer ip address address
Specifies the destination IP address of the remote BlackDoor Duo unit.
setconn connection name peer conn name peer-connection-name
Specifies the peer's connection name.
setconn connection name udp port value
Specifies the UDP port source and destination address for communication to the remote BlackDoor
Duo. The udp port must be unique for each connection. When mode route is selected the
udp port is used to communicate to the remote connection when sae mode is master or slave.
When mode bridge is selected the udp port is used for the bridge packet tunnel to the remote
BlackDoor Duo. This port number is typically 1701 but can be any available port on the router.
setconn connection name remote encrypted routes {route[,route]}
Specifies routes to be encrypted and sent to the remote BlackDoor Duo. The route must be in CIDR
notation. Example: 192.168.4.0/24. Multiple routes are separated by a comma with no white space
before or after the comma. Valid only in mode route.
setconn connection name local encrypted routes {route[,route]}
Specifies local routes that are encrypted by the remote and sent to the local BlackDoor Duo.
local encrypted routes should match the remote encrypted routes specified on the remote
BlackDoor Duo. The route must be in CIDR notation. Example: 192.168.3.0/24. Multiple routes
are separated by a comma with no white space before or after the comma. Valid only in mode route.
setconn connection name sae peer id id
Specify a string representing the SAE ID of the BlackDoor Duo remote unit (not this unit). SAE
ID assignment is in the scope of the quantum key distribution network.
4.6.5 Config Quantum Key Distribution Commands
kme ip address
Specifies the IP address and optionally port address of the KME unit providing a quantum key to
the BlackDoor Duo.
sae mode {off | master | slave}
When off the BlackDoor Duo does not utilize Quantum Key Distribution. master configures the
BlackDoor Duo to act as a master secure application entity in the quantum key distribution network.
slave configures the BlackDoor Duo to act as a slave secure application entity.
tls mode {psk | nopsk}
tls mode selects the type of cipher suite for the TLS communication to the QKD KME unit. psk
indicates a TLS PSK cipher suite where the key is used to authenticate and derive session keys for
the TLS connection. nopsk indicates a TLS cipher suite in which public key certificates are used
for authentication and session keys are established with a Diffie-Hellman key exchange.
See the Config BlackDoor Commands section for how to set the TLS PSK key with enterkey.
4.6.6 Configuration Examples
Example:
This is an example of a configuration of the BlackDoor Duo in mode bridge.
unit 1
  default gateway 192.168.3.254
  interface lan1
    ip address 192.168.2.50
  interface lan2
    ip address 192.168.3.50
  mode bridge
  Connections
    bd-1
      peer ip address 192.168.4.50
      peer conn name bd-2
      udp port 1701

unit 2
  default gateway 192.168.4.254
  interface lan1
    ip address 192.168.2.50
  interface lan2
    ip address 192.168.4.50
  mode bridge
  Connections
    bd-2
      peer ip address 192.168.3.50
      peer conn name bd-1
      udp port 1701

Example:
This is an example of a configuration of the BlackDoor Duo in mode route with one encrypted
network.
unit 1
  default gateway 192.168.3.254
  interface lan1
    ip address 192.168.2.50
  interface lan2
    ip address 192.168.3.50
  mode route
  rekey period 60
  Connections
    bd-1
      peer ip address 192.168.4.50
      peer conn name bd-2
      remote encrypted routes 192.168.5.0/24
      local encrypted routes 192.168.2.0/24

unit 2
  default gateway 192.168.4.254
  interface lan1
    ip address 192.168.5.50
  interface lan2
    ip address 192.168.4.50
  mode route
  rekey period 60
  Connections
    bd-2
      peer ip address 192.168.3.50
      peer conn name bd-1
      remote encrypted routes 192.168.2.0/24
      local encrypted routes 192.168.5.0/24

Example:
This is an example of a configuration of the BlackDoor Duo in mode route with two connections
and QKD.
unit 1
  default gateway 192.168.3.254
  interface lan1
    ip address 192.168.2.50
  interface lan2
    ip address 192.168.3.50
  kme ip address 10.0.0.75
  sae mode master
  mode route
  rekey period 60
  Connections
    bd-1
      peer ip address 192.168.4.50
      peer conn name bd-1
      udp port 1701
      remote encrypted routes 192.168.5.0/24
      local encrypted routes 192.168.2.0/24
      sae peer id ENG-1
    bd-2
      peer ip address 192.168.6.50
      peer conn name bd-1
      udp port 1702
      remote encrypted routes 192.168.7.0/24
      local encrypted routes 192.168.2.0/24
      sae peer id ENG-2

units 2 and 3

Unit 2
  default gateway 192.168.4.254
  interface lan1
    ip address 192.168.5.50
  interface lan2
    ip address 192.168.4.50
  mode route
  rekey period 60
  kme ip address 10.0.0.76
  sae mode slave
  Connections
    bd-1
      peer ip address 192.168.3.50
      peer conn name bd-1
      udp port 1701
      remote encrypted routes 192.168.2.0/24
      local encrypted routes 192.168.5.0/24
      sae peer id ENG-0

Unit 3
  default gateway 192.168.6.254
  interface lan1
    ip address 192.168.7.50
  interface lan2
    ip address 192.168.6.50
  mode route
  rekey period 60
  kme ip address 10.0.0.77
  sae mode slave
  Connections
    bd-1
      peer ip address 192.168.3.50
      peer conn name bd-2
      udp port 1702
      remote encrypted routes 192.168.2.0/24
      local encrypted routes 192.168.7.0/24
      sae peer id ENG-0
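
A cross-check of the connection parameters in the three-unit example above, added here as an illustration (it is not Engage code or tooling): it verifies that each connection's peer points back, that UDP ports match and are unique per unit, and that local encrypted routes equal the peer's remote encrypted routes in valid CIDR notation. The dictionary layout and key names are this example's own, and it assumes peer ip address is the peer unit's LAN2 address, as in the manual's examples.

```python
import ipaddress

def routes(text):
    """Parse 'a/b,c/d' (comma-separated, no white space) into a set of networks."""
    return {ipaddress.ip_network(r) for r in text.split(",")} if text else set()

def check_units(units):
    """Return a list of mismatch descriptions across all units' connections."""
    problems = []
    # Assumption: peer ip address is the peer's LAN2 address (as in the examples).
    by_ip = {u["lan2"]: name for name, u in units.items()}
    for name, unit in units.items():
        ports = [c["udp_port"] for c in unit["conns"].values()]
        if len(ports) != len(set(ports)):
            problems.append(f"{name}: udp port reused across connections")
        for cname, c in unit["conns"].items():
            where = f"{name}/{cname}"
            peer = units.get(by_ip.get(c["peer_ip"]), {"conns": {}})
            p = peer["conns"].get(c["peer_conn"])
            if p is None:
                problems.append(f"{where}: no peer connection {c['peer_conn']} at {c['peer_ip']}")
                continue
            if p["peer_conn"] != cname or p["peer_ip"] != unit["lan2"]:
                problems.append(f"{where}: peer does not point back")
            if p["udp_port"] != c["udp_port"]:
                problems.append(f"{where}: udp port differs from peer")
            try:  # strict parsing rejects host bits and stray white space
                if routes(c["local"]) != routes(p["remote"]):
                    problems.append(f"{where}: local routes != peer's remote routes")
            except ValueError as e:
                problems.append(f"{where}: bad CIDR route ({e})")
    return problems

def conn(peer_ip, peer_conn, udp_port, remote, local):
    return dict(peer_ip=peer_ip, peer_conn=peer_conn, udp_port=udp_port,
                remote=remote, local=local)

# Values transcribed from the three-unit mode route example above.
UNITS = {
    "unit1": {"lan2": "192.168.3.50", "conns": {
        "bd-1": conn("192.168.4.50", "bd-1", 1701, "192.168.5.0/24", "192.168.2.0/24"),
        "bd-2": conn("192.168.6.50", "bd-1", 1702, "192.168.7.0/24", "192.168.2.0/24")}},
    "unit2": {"lan2": "192.168.4.50", "conns": {
        "bd-1": conn("192.168.3.50", "bd-1", 1701, "192.168.2.0/24", "192.168.5.0/24")}},
    "unit3": {"lan2": "192.168.6.50", "conns": {
        "bd-1": conn("192.168.3.50", "bd-2", 1702, "192.168.2.0/24", "192.168.7.0/24")}},
}
if __name__ == "__main__":
    print(check_units(UNITS) or "connections are consistent")
```

Running the check on an offline copy of each unit's settings before entering them catches a mismatched route or port that would otherwise only show up as a tunnel that never comes up.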