Enterasys Aurorean ANG-3000 Installation and operating instructions

AVN-AN-CLI-R11 Page 1 of 64
APPLICATION NOTE
ANG Configuration Using the Command Line Interface
Introduction
This Application Note describes the commands used to configure a remote
Aurorean Network Gateway (ANG) 7000/3000 series using the Command Line
Interface (CLI). The first section of the document defines the routing subsystem,
virtual IP subnets, naming servers, authentication service (user and group tables),
IPSec with El Gamal Key Exchange (IRPP) and PPTP tunnel protocol settings, and
site-to-site tunnels.
The second section of this document defines a suite of command line utilities that
manage IP Security (IPSec) with Internet Key Exchange (IKE) configuration on a
Remote (stand-alone) ANG. IPSec IKE commands available for the
ANG-3000/7000 are described.
The final section of the document details how to configure a tunnel between a
Remote ANG and a Cisco router. For more information on configuring IPSec
tunnels, consult the ANG-1100 User’s Guide and the Rel. 3.5 Enhanced Support for
VPN Clients Application Note.
Listing Data
The Aurorean Network Gateway CLI is designed so that configuration data
exported to the file is in an easily displayed format, especially when that data
(such as static routes) consists of zero to N objects.
This is accomplished by:
• Displaying the configuration data as a fixed number of fields, without
  labels. The name of each value is inferred by its position on the line. The
  data is tabbed to display under column headers when printed.
• Displaying items such as static routes one route at a time. The output lists
  route 1, route 2, for example.
IRC Configuration Utilities
Arguments
The term <arg> is used as a placeholder for actual argument data that is supplied
by the CLI. For example, with the following command line, PPTP is configured for
128-bit encryption, no 40-bit encryption, and compression enabled:
ircpptp -1 Enabled -4 Disabled -c Enabled
and the subsequent listing output (invoking the command: ircpptp -l) is:
Enabled Disabled Enabled
Switches
Most of the functions include the “L” switch, which provides column headers for
display or print, as shown in the example below.
ircpptp -L
128-bit Encryption   40-bit Encryption   Compression
Enabled              Disabled            Enabled
• The order in which command line switches are expressed is irrelevant.
Source Directory
• All IRC configuration utilities are stored in the directory /usr/indus/irc
Conventions
The CLI observes the following conventions:
• Case-insensitive values: the utilities are forgiving about argument
  values for the various command line switches (with the exception of the
  ircUser command). Values such as Enabled can be entered in any combination
  of upper or lower case letters. Boolean values (such as Compression enabled)
  may be expressed as enabled, disabled, enable, disable, yes, no, true, false, 0,
  and 1.
• Switches can be omitted: configuration options not specified on the command
  line will have their value “preserved”. If the value has never been defined
  then the “standard” default value is assumed.
CAUTION
The ircBoot and ircReboot commands listed in the irc directory are not usable and
must not be invoked.
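Because `-l` output carries no labels, anything that consumes it has to know each command's field order and accept every Boolean spelling the Conventions list. The following Python is an added example, not code from the original note or from Enterasys: it parses captured `ircpptp -l` and `ircirpp -l` lines and flags weak tunnel settings, going beyond the PPTP case shown here. The `ircirpp` field order (taken from its `-L` column headings later in this note) and the weak-algorithm policy are assumptions.

```python
"""Audit unlabeled `-l` listings captured from an ANG (added example)."""

# Field names by position. The ircpptp order comes from the listing shown in this
# section; the ircirpp order is ASSUMED to match the headings of `ircirpp -L`.
LAYOUTS = {
    "ircpptp": ("enc128", "enc40", "compression"),
    "ircirpp": ("primary", "secondary", "integrity",
                "compression", "rekey_duration", "rekey_volume"),
}
BOOL_FIELDS = {"enc128", "enc40", "compression"}
INT_FIELDS = {"rekey_duration", "rekey_volume"}

TRUE_WORDS = {"enabled", "enable", "yes", "true", "1"}
FALSE_WORDS = {"disabled", "disable", "no", "false", "0"}

# Local audit policy: an assumption of this example, not a vendor statement.
# AF40 is treated as weak on the strength of the "40" in its name.
WEAK_CIPHERS = {"des", "af40"}
WEAK_INTEGRITY = {"md5"}


def parse_bool(word):
    """Accept every Boolean spelling the Conventions list, in any case."""
    w = word.strip().lower()
    if w in TRUE_WORDS:
        return True
    if w in FALSE_WORDS:
        return False
    raise ValueError(f"not a Boolean value: {word!r}")


def parse_listing(command, line):
    """Map one tab/space separated listing line onto named fields."""
    names = LAYOUTS[command]
    values = line.split()
    if len(values) != len(names):
        # A missing column would silently relabel every later value.
        raise ValueError(f"{command}: expected {len(names)} fields, got {len(values)}")
    record = {}
    for name, value in zip(names, values):
        if name in BOOL_FIELDS:
            record[name] = parse_bool(value)
        elif name in INT_FIELDS:
            record[name] = int(value)
        else:
            record[name] = value.lower()
    return record


def audit(command, record):
    """Return a list of findings for one parsed listing."""
    findings = []
    if command == "ircpptp":
        if record["enc40"]:
            findings.append("PPTP accepts 40-bit encryption")
        if not record["enc128"]:
            findings.append("PPTP 128-bit encryption is disabled")
    elif command == "ircirpp":
        if record["primary"] == "none":
            findings.append("IRPP primary encryption is None")
        for slot in ("primary", "secondary"):
            if record[slot] in WEAK_CIPHERS:
                findings.append(f"IRPP {slot} cipher {record[slot].upper()} is weak")
        if record["integrity"] == "none":
            findings.append("IRPP has no authentication algorithm")
        elif record["integrity"] in WEAK_INTEGRITY:
            findings.append("IRPP authentication uses MD5")
        # A lifetime of 0 disables that rekey trigger; both at 0 means no rekeying.
        if record["rekey_duration"] == 0 and record["rekey_volume"] == 0:
            findings.append("IRPP rekeying is disabled (duration and volume are 0)")
    return findings


# The first three value rows appear in this note; the last one is constructed.
SAMPLES = [
    ("ircpptp", "Enabled\tDisabled\tEnabled"),
    ("ircpptp", "Enabled Enabled Enabled"),
    ("ircirpp", "3DES None SHA Disabled 3600 0"),
    ("ircirpp", "DES AF40 None Enabled 0 0"),  # constructed weak profile
]

if __name__ == "__main__":
    for cmd, text in SAMPLES:
        for finding in audit(cmd, parse_listing(cmd, text)) or ["ok"]:
            print(f"{cmd}: {finding}")
```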

Login
Logging in to the ANG via the CLI requires only a username and password.
Perform the following steps to log in to the ANG.
1. From the Start, Programs menu, select an MS-DOS Command Prompt.
2. On the command line type: telnet x.x.x.x (where x.x.x.x is your ANG IP Address)
   A Unix command prompt will display.
3. On the Unix command line, type the login: netadmin
4. Type the password: netadmin
ANG Configuration Commands
The following table lists the commands and a description of each command.
Command        Description
ircauthcheck   Authorization Check: Checks on a user’s authentication
ircbackup      Backup: Saves configuration to a local floppy disk
ircdelivery    Delivery: Carries data between all Aurorean components
ircext         External Routes: Accesses Internet outside of Trusted network
ircgroup       Groups: Establishes groups to categorize Users
ircheartbeat   Heartbeat: Sets a tunnel keep-alive interval
irchostname    Hostname: Applies Host Domain name to the ANG
ircicr         ICR Routing: Sets Intelligent Client Routing
ircipaddr      IPaddress: Sets Trusted and External IP addresses
ircipx         IPX: Sets frame types for Internet Packet Exchange protocol
ircirpp        IRPP: Sets a proprietary protocol based upon IPSec
ircl2tp        L2TP: Sets Layer 2 Protocol parameters
irclistusers   List Users: Provides a list of all the users
ircns          Name Servers: Sets addresses for DNS/WINS used by clients
ircospf        OSPF: Sets Open Shortest Path First routing protocol
ircpptp        PPTP: Sets Point-to-Point Tunneling Protocol
ircrip         RIP: Sets Routing Information Protocol
ircstatic      Static Routes: Sets limitations to access certain subnets
ircsts         Site-to-Site: Connects a Remote ANG to an existing ANG
irctrace       Trace: Sets trace level for any of ten Aurorean services
ircuser        Users: Adds Users to Groups
ircvsn         Virtual Subnets: Aurorean Client address assignment
irctunnel      Tunnels: Displays connected tunnel statistics
ircspecial     Special: Sets advanced logging or tunnel forwarding

ircauthcheck
Authorization Check
Tests whether the specified user is authenticated.
Usage: ircauthcheck -u <name> -p <arg> -i <arg> [-r <arg>]
SW   <arg>           Definition
-u   Name            Define the User Name to check
-p   Password        Define the Password for the User
-i   IP address      Set IP address of the browser machine
-r   random number   Specified if you already have a random number and no password.
Example
ircauthcheck -u admin -p 1234 -i 123.6.24.122
/usr/indus/irc/ircauthcheck: test_adduser results for netadmin - Reply returned IRresultOK

ircbackup
Backup
Backs up the configuration information to a local floppy disk.
Usage: ircbackup -f
SW   <arg>               Definition
-f   floppy drive name   Set the backup floppy drive
Example
Back up the configuration changes
ircbackup -f <arg>

ircdelivery
Delivery
Carries messages between all Aurorean components, including servers, Aurorean Clients,
and the RiverMaster management application. Aurorean Delivery is a critical service that
must be operational for Aurorean components to initialize properly and synchronize with one
another.
Usage: ircdelivery -r -a <arg> -d <name> -l -L
SW   <arg>             Definition
-r   True or False     Set Remote or Local ANG. True: Remote, False: Local
-d   VPN Domain name   Define the Delivery domain name
-a   IP Address        Specify the authentication IP Address (APS)
-l   None              List the delivery variables
-L   None              List the delivery variables formatted
Defaults
• Authentication IP Address defaults to the trusted IP address of the
  terminating Remote ANG.
• -r: TRUE
• VPN name: DOMAIN1
• IP Address: 192.168.1.2
Example
Configure delivery service on the remote server
ircdelivery -d irvpn
Example
Configure delivery service on the local server
ircdelivery -r FALSE -d irvpn -a 10.10.4.24
Example List
ircdelivery -L
isLocal   IR Domain   Auth IP Address
FALSE     VPN         192.168.1.2
TRUE      APS4_ANG4   10.10.4.24

ircext
External Routes
Provides external routes to reach outside the trusted network.
Usage: ircext -a -d -n -m -g -l <arg> -h -L
SW   <arg>                       Definition
-a   None                        Add a new external route defined by -n, -m and -g
-d   IP Subnet                   Delete an external route identified by -n
-n   IP Subnet                   Set reachable Subnet Address
-m   IP Mask                     Set reachable Subnet Mask
-g   Gateway Address             Set gateway to subnet
-l   Number “N” external route   List the ‘Nth’ external route
-h   Help                        Request Help for command variables
-L   None                        List all external routes formatted
Defaults
• No default value for -n is provided.
Notes
• Arguments -a and -d are mutually exclusive.
• To modify an external route, use the IP address of the -n switch as the
  name of the route.
• To change the -n switch IP address of an existing route, first delete
  the external route and then add a new route with the new address.
Example
Configure an external route
ircext -a -n 0.0.0.0 -m 0.0.0.0 -g 192.168.4.1
Example
Modify an external route
ircext -n 0.0.0.0 -m 255.255.255.0 -g 192.168.4.1
Example List after the modification
ircext -L
Subnet    Mask            Gateway
0.0.0.0   255.255.255.0   192.168.4.1

ircgroup
Group
Creates a group to include Users. For each group you can assign a set of policies that
determine the Aurorean features and functions that members of that group can use.
Usage: ircgroup -a -i -n -m -d <arg> -h -l <arg>
SW   <arg>        Definition
-a   Group name   Add the group name
-i   IP Address   Define the IP Address of the Virtual Subnet for the group
-n   Mask         Define the IP Subnet mask of the Virtual Subnet for the group
-m   Group name   Modify Values -i or -n
-d   Group name   Delete group
-h   Help         Request Help for command variables
-l   Group name   List a single group. To list all groups, type no <arg>
Defaults
• Admin
• DEFAULT
Notes
• The group Admin is factory-configured. Do not remove this group. It is
  the only group that has administrative privileges to log into
  RiverMaster. It is recommended that you add a new login account to
  the Admin group, then remove the enterasys user account.
• NULL is used to clear the data for a group.
Example
Add the group “test_group”
ircgroup -a test_group -i 10.10.170.0 -n 255.255.255.0
Example
Add the group “test1”
ircgroup -a test1 -i 10.10.171.0 -n 255.255.255.248
Example
Modify the group test1
ircgroup -m test1 -n 255.255.255.255
Example List
ircgroup -l (No Headings)
Admin        NULL          NULL
test_group   10.10.170.0   255.255.255.0
test1        10.10.171.0   255.255.255.255
DEFAULT      NULL          NULL

ircheartbeat
Heartbeat
Applies a tunnel keep-alive interval to the Aurorean Network Gateway. This enables
Uninterrupted Data Session failover between site-to-site tunnels, providing high availability
for mission critical applications.
Usage: ircheartbeat -a -d -n <name> -s -m -p -i -r -e -l <arg> -h -L
SW   <arg>               Definition
-a                       Add a new heartbeat object defined by -s, -m, -p, -i, -r, -c
-d                       Delete the heartbeat object
-n   Name                Specify a heartbeat name for reference from other parts of the
                         ANG. In addition to the heartbeat named default, heartbeats may
                         be named after user groups. Every user belongs to a group which
                         is named. A heartbeat can be created with the same name as the
                         user group - that heartbeat will then be used for all inbound tunnels
                         created for users in that group. Other names are for the
                         administrator’s convenience and would typically be used for pings
                         to systems in the site's Intranet. You may specify arbitrary names
                         to define pings to systems in the site's Intranet or a specific
                         heartbeat mechanism for use by particular site-to-site tunnels.
-s   VPN or Tunnel       Define the heartbeat scope - the portion of the ANG that is disabled
                         when the heartbeat fails: VPN or Tunnel. Tunnel scope terminates
                         only the single tunnel that the heartbeat was checking. The LCP
                         Echo heartbeat mechanism is always Tunnel Scope. VPN Scope
                         applies to the entire ANG-3000/7000 series. When a VPN scope
                         heartbeat fails it indicates all VPN access must be immediately
                         terminated. The ANG disconnects all VPN tunnels and refuses to
                         accept new tunnel connections.
-m   LcpEcho, PingPeer   Define one of three heartbeat Ping mechanisms:
     or PingAddress      • an LCP echo request sent via PPP over an IPSEC/IRPP, PPTP,
                           or L2TP tunnel
                         • an ICMP echo request (Ping Peer) sent to the other end of the
                           tunnel
                         • an ICMP echo request (Ping Address) mechanism sent to an
                           arbitrary IP address
-p   IP address          Set the target (destination) IP address: the destination address of
                         an ICMP ping.
-i   Milliseconds        Specify the heartbeat interval - how often pings or LCP echos are
                         transmitted. The ANG rounds this value up to the nearest multiple
                         of 250 milliseconds.
-r   Retries             Specify how many LCP echos or ICMP pings must be transmitted,
                         without getting a reply, before the heartbeat fails and the tunnel
                         is considered failed.
-c   True or False       Determine whether the heartbeat is critical or not.
-l   None                List the Nth heartbeat object
-h   Help                Request Help for command variables
-L   None                List all heartbeat objects
Defaults
• Default - The heartbeat named default is always present and it defines
  the heartbeat mechanism used when any other heartbeat, by name,
  does not exist. The default heartbeat parameters provide tunnel
  timeout detection identical to earlier Aurorean releases.
• IKE, IRPP and PPTP - These defaults define the heartbeats used for
  the IKE/IPSec, IRPP/IPSec, and PPTP tunnel protocols, respectively.
Notes
• A single VPN Scope heartbeat will take down the entire VPN if the
  addressed ping destination goes down. This may be extreme, so
  multiple VPN Scope heartbeats may be defined that all reference
  different IP addresses reachable via the trusted interface. If those
  heartbeats are not marked as critical then the VPN is not brought
  down until every non-critical heartbeat has failed. Note that the VPN
  is brought down if any critical heartbeat fails.
• All Tunnel Scope heartbeats are unconditionally considered critical
  because only one is used per tunnel and because they only terminate
  a single tunnel when the heartbeat fails.
• The Ping Address heartbeat mechanism continues to run even when
  the VPN has been disabled after a failure of the trusted interface on
  the connected ANG. The VPN will automatically allow new inbound
  tunnel connections once the ANG starts getting replies to its ICMP
  echo requests.
• Heartbeat time-outs and Retry counts should be the same at both
  ends of a site-to-site tunnel.
Example
Change the default timeout used for all remote access and site-to-site tunnels. Note that this
command would be used on the central ANG which accepts incoming site-to-site tunnels.
ircheartbeat -n default -i 5000 -r 6
Example
Assuming all site-to-site tunnel user accounts are in the group STS, create a heartbeat for
that group that uses a 3.5 second interval and tries 4 times before terminating the tunnel.
ircheartbeat -a -n STS -i 3500 -r 4
Example
Set the heartbeat for two site-to-site tunnels originated by an ANG. Note the two tunnels
have different heartbeat times.
ircheartbeat -a -n STS1 -i 4000 -r 5
ircsts -n MyTunnel -s enabled -g 1.2.3.4 -c IRPP -u foo -p bar -b STS1
ircheartbeat -a -n STS2 -i 3000 -r 6
ircsts -n OtherTunnel -s enabled -g 4.3.2.1 -c PPTP -u frob -p nitz -b STS2
Example
Set a common shared heartbeat for two site-to-site tunnels originated by an ANG.
ircheartbeat -a -n ALL_STS -i 4000 -r 5
ircsts -n Tunnel_1 -s enabled -g 1.2.3.4 -c IRPP -u foo -p bar -b ALL_STS
ircsts -n Tunnel_2 -s enabled -g 5.6.7.8 -c IRPP -u doo -p car -b ALL_STS
ircsts -n Tunnel_3 -s enabled -g 9.10.11.12 -c IRPP -u goo -p har -b ALL_STS
Example
Define a VPN scope heartbeat that verifies reachability of at least one of three IP addresses
reachable via the trusted interface. Since these heartbeats are not critical, the VPN will only
be disabled when the ANG is unable to ping any of the addresses 100.1.2.3, 100.1.2.4, and
100.1.2.5.
ircheartbeat -a -n HB1 -i 4000 -r 5 -s VPN -c FALSE -p 100.1.2.3
ircheartbeat -a -n HB2 -i 4000 -r 5 -s VPN -c FALSE -p 100.1.2.4
ircheartbeat -a -n HB3 -i 4000 -r 5 -s VPN -c FALSE -p 100.1.2.5
Example
Define a VPN scope heartbeat that is critical. For example, assume a single router
connected to the ANG’s trusted interface is the internal gateway to the rest of the company
Intranet. If that router is down then the VPN must be disabled.
ircheartbeat -a -n GATEWAY -i 4000 -r 5 -s VPN -c TRUE -p 209.6.112.1
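The heartbeat rules in this section (rounding of -i to 250 ms, Tunnel versus VPN scope, critical versus non-critical, matching timers at both tunnel ends) can be checked before a change is applied. The following Python is an added example, not code from the ANG or from Enterasys; it parses ircheartbeat command lines like those in this note and evaluates the rules. The detection-time formula and the values used when -s or -c is omitted are assumptions.

```python
import shlex
from dataclasses import dataclass

QUANTUM_MS = 250                      # -i is rounded up to a multiple of 250 ms
NO_ARG = {"-a", "-d", "-h", "-L"}     # switches handled here that take no value
TRUE_WORDS = ("true", "yes", "enabled", "enable", "1")


@dataclass(frozen=True)
class Heartbeat:
    name: str
    interval_ms: int
    retries: int
    scope: str = "tunnel"    # ASSUMED value when -s is omitted
    critical: bool = True    # ASSUMED value when -c is omitted

    @property
    def effective_interval_ms(self):
        # Integer ceiling to the next 250 ms boundary.
        return -(-self.interval_ms // QUANTUM_MS) * QUANTUM_MS

    @property
    def detection_ms(self):
        # ASSUMPTION: one probe per interval, failure after `retries` unanswered.
        return self.effective_interval_ms * self.retries

    @property
    def is_critical(self):
        # Tunnel Scope heartbeats are unconditionally considered critical.
        return self.scope == "tunnel" or self.critical


def parse_heartbeat(cmdline):
    """Build a Heartbeat from an `ircheartbeat ...` command line."""
    words = shlex.split(cmdline)
    if not words or words[0] != "ircheartbeat":
        raise ValueError("not an ircheartbeat command line")
    opts, i = {}, 1
    while i < len(words):
        if words[i] in NO_ARG:
            i += 1
            continue
        if i + 1 >= len(words):
            raise ValueError(f"switch {words[i]} needs a value")
        opts[words[i]] = words[i + 1]
        i += 2
    return Heartbeat(
        name=opts["-n"],
        interval_ms=int(opts["-i"]),
        retries=int(opts["-r"]),
        scope=opts.get("-s", "tunnel").lower(),
        critical=opts.get("-c", "true").lower() in TRUE_WORDS,
    )


def vpn_must_go_down(heartbeats, failed):
    """VPN Scope rule: any critical failure, or every non-critical one failed."""
    vpn = [h for h in heartbeats if h.scope == "vpn"]
    if any(h.is_critical and h.name in failed for h in vpn):
        return True
    soft = [h for h in vpn if not h.is_critical]
    return bool(soft) and all(h.name in failed for h in soft)


def timer_mismatch(local, remote):
    """Timer fields that differ between the two ends of a site-to-site tunnel."""
    diffs = []
    if local.effective_interval_ms != remote.effective_interval_ms:
        diffs.append("interval")
    if local.retries != remote.retries:
        diffs.append("retries")
    return diffs


# Command lines taken from the examples in this note.
VPN_HEARTBEATS = [parse_heartbeat(c) for c in (
    "ircheartbeat -a -n HB1 -i 4000 -r 5 -s VPN -c FALSE -p 100.1.2.3",
    "ircheartbeat -a -n HB2 -i 4000 -r 5 -s VPN -c FALSE -p 100.1.2.4",
    "ircheartbeat -a -n HB3 -i 4000 -r 5 -s VPN -c FALSE -p 100.1.2.5",
    "ircheartbeat -a -n GATEWAY -i 4000 -r 5 -s VPN -c TRUE -p 209.6.112.1",
)]

if __name__ == "__main__":
    for failed in ({"HB1", "HB2"}, {"HB1", "HB2", "HB3"}, {"GATEWAY"}):
        print(sorted(failed), "-> VPN down:", vpn_must_go_down(VPN_HEARTBEATS, failed))
```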

Example List
ircheartbeat -L
Name   Scope    Mechanism   Ping Address   Interval   Retries   Critical
PPTP   Tunnel   LcpEcho     (ignored)      12000      10        TRUE
IRPP   Tunnel   LcpEcho     (ignored)      12000      10        TRUE
IKE    Tunnel   PingPeer    (automatic)    5000       6         TRUE

irchostname
Hostname
Applies a Host Domain Name to the Aurorean Network Gateway.
Usage: irchostname -n <name> -h -l -L
SW   <arg>   Definition
-n   FQDN    Define the new Host Name
-h   Help    Request Help for command variables
-l   None    List the Host Name
-L   None    List the Host Name formatted
Defaults
• Initial Name: ent.domainTBD.com
Notes
• FQDN: Fully Qualified Domain Name
Example
Configure new FQDN name for the server
irchostname -n ent.irvpn.com
Example List
irchostname -L
Index   Hostname
1       ent.irvpn.com

ircicr
ICR Routing
Intelligent Client Routing (ICR) provides a measure of control over an Aurorean Client’s
access to the Internet. When enabled, ICR allows remote clients to browse the Internet
directly outside the tunnel.
Usage: ircicr -r <arg> -h -l -L
SW   <arg>               Definition
-r   Enable or Disable   Enable/Disable ICR
-h   Help                Request Help for command variables
-l   None                List the ICR configuration
-L   None                List the ICR configuration formatted
Default
• Enable
Example
Configure ICR Routing
ircicr -r disable
Example List
ircicr -L
Client Routing
Enabled

ircipaddr
IPaddress
Sets the Trusted and External IP Address for the Aurorean Network Gateway.
Usage: ircipaddr -n <arg> -h -i -m -g <arg> -l -L
SW   <arg>                 Definition
-n   Trusted or External   Define the interface type
-h   Help                  Request Help for command variables
-i   Address               Set the IP Address for interface
-m   Mask                  Set the IP subnet mask for interface
-g   Address               Set the default gateway for interface
-l   None                  List the first IP address, mask and gateway
-L   None                  List all IP addresses, masks and gateways formatted
Defaults
• Argument for -n switch: trusted
• Trusted Interface IP Address: 192.168.1.2
• External Interface IP Address: 192.168.2.2
• Subnet Mask: 255.255.255.0
• Default Gateway: 0.0.0.0
Example
Configure trusted (default) IP address
ircipaddr -i 10.10.153.1 -m 255.255.255.0 -g 10.10.153.2
Example
Configure external IP address using default mask and gateway
ircipaddr -n external -i 192.168.4.25
Example List
ircipaddr -L
Interface   IP Address     Subnet Mask     Default Gateway
trusted     10.10.153.1    255.255.255.0   10.10.153.2
external    192.168.4.25   255.255.255.0   0.0.0.0

ircipx
IPX
A script used to enable and configure frame types for the Internet Packet Exchange
(IPX) protocol. IPX, alternately known as Novell’s NetWare operating system, is a
datagram protocol used for connectionless communications.
Entering ircipx on the command line prompts you to request IPX and to select one of
the following frame types:
• Ethernet 802.2
• Ethernet 802.3
• Ethernet SNAP
• Ethernet II

ircirpp
IRPP
IRPP Tunneling Protocol uses the IP Security (IPSec) protocol with El Gamal key exchange
to route packets through the Internet.
Usage: ircirpp -p <arg> -s <arg> -a <arg> -c <arg> -D <arg> -V <arg> -P <arg> -h -l -L
SW   <arg>                           Definition
-p   3DES, DES, AF128, AF40, None    Define the Primary Encryption Algorithm type
-s   3DES, DES, AF128, AF40, None    Define the Secondary Encryption Algorithm type
-a   SHA, MD5, None                  Define the Authentication Algorithm type
-c   Enabled / Disabled              Set Compression
-D   Duration in seconds             Define the lifetime duration of key after which a
                                     new key is generated
-V   Volume in kilobytes             Define the lifetime volume of key after which a
                                     new key is generated
-P   Preferred, Required, Disabled   Sets Perfect Forward Secrecy mode for IKE
                                     Phase 2 negotiation.
-h   Help                            Request Help for command variables
-l   None                            List IRPP configuration
-L   None                            List IRPP configuration with headings
Default
• Duration: 1 hour
• Volume: disabled
• Perfect Forward Secrecy: preferred
Notes
• A lifetime value of 0 for Duration or Volume disables the rekeying
  mechanism.
• Enabling PFS configures stronger security for every block of IPSec
  keys but degrades network performance. To ensure rapid rekeying,
  keep PFS off.
• The Preferred argument sets PFS if the remote server accepts it, and
  accepts a rejection without setting PFS; Required sets PFS regardless of
  the remote response, but results in the tunnel coming down; Disabled
  keeps PFS off even if the remote server accepts PFS, resulting in no
  tunnel traffic being transmitted.
Example
Configure IRPP Tunneling Protocol
ircirpp -p AF128 -s none -a SHA -c Disabled -D 3600 -V 0

Example List
ircirpp -L
Primary Encryption   Secondary Encryption   Integrity   Compression   Rekey Duration   Rekey Volume
3DES                 None                   SHA         Disabled      3600             0

irclistusers
List Users
Entering irclistusers on the command line displays all current users logged in. The
data is displayed at the command line in the following form:
User Name   Browser IP Address   Time Logged in             Status
netadmin    134.121.160.25       Tue Feb 13 12:25:45 2001   Idle

ircns
Name Server
Sets IP addresses for the Domain Name System (DNS) and Windows Internet Name Service
(WINS) servers to be used by remote clients for name resolution.
Usage: ircns -d -D -w -W <arg> -h -l -L
SW   <arg>        Definition
-d   IP Address   Define the primary DNS server IP address
-D   IP Address   Define the secondary DNS server IP address
-w   IP Address   Define the primary WINS server IP address
-W   IP Address   Define the secondary WINS server IP address
-h   Help         Request Help for command variables
-l   None         List servers
-L   None         List servers formatted
Notes
• This command is not required for Remote ANGs unless DNS resolution is desired.
Example
Set the addresses for the Primary DNS and WINS servers
ircns -d 172.16.2.2 -w 172.16.4.4
Example List of formatted IP addresses
ircns -L
Primary DNS Address   Secondary DNS Address   Primary WINS Address   Secondary WINS Address
172.16.2.2            0.0.0.0                 172.16.4.4             0.0.0.0

ircospf
OSPF
The Open Shortest Path First (OSPF) routing protocol is one of two routing protocols
supported by Aurorean Client.
Usage: ircospf -o -r -i -a -p -l <arg> -h -L
SW   <arg>               Definition
-o   Enable or Disable   Enable/disable OSPF
-r   IP Address          Define an OSPF Router ID
-i   IP Address          Define an OSPF Area ID
-a   None, Simple        Define OSPF Authentication type
-p   Password            Set an OSPF Authentication Password
-h   Help                Request Help for command variables
-l   None                List OSPF configuration
-L   None                List OSPF configuration with headings
Defaults
• The default value for the -r IP address (router ID) is the IP address
  assigned to the Trusted interface on the ANG.
Example
Configure OSPF routing protocol
ircospf -o disable -r 0.0.0.0 -i 0.0.0.0 -a none
Example List
ircospf -L
OSPF       Router ID     Area ID   Auth   Password
Disabled   10.10.223.2   0.0.0.0   none

ircpptp
PPTP
Point-to-Point Tunneling Protocol (PPTP) uses Point-to-Point Protocol (PPP) and Generic
Routing Encapsulation (GRE) to route packets through the Internet.
Usage: ircpptp -1 -4 -c <arg> -h -l -L
SW   <arg>              Definition
-1   Enable / Disable   Enable/disable 128-bit encryption
-4   Enable / Disable   Enable/disable 40-bit encryption
-c   Enable / Disable   Enable/Disable Compression
-h   Help               Request Help for command variables
-l   None               List PPTP configuration
-L   None               List PPTP configuration formatted
Example
Configure PPTP Tunneling Protocol.
ircpptp -1 enable -4 disable -c enable
Example List
ircpptp -L
128-bit Encryption   40-bit Encryption   Compression
Enabled              Enabled             Enabled

ircrip
RIP
The Routing Information Protocol (RIP) is one of two routing protocols supported by the
Aurorean Client.
Usage: ircrip -r -v -i -e -a -p -g <arg> -h -l -L
SW   <arg>               Definition
-r   Enable or Disable   Enable or disable RIP
-v   Version: 1 or 2     Define the RIP version
-i   Enable or Disable   Route Import Enable/Disable
-e   Enable or Disable   Route Export Enable/Disable
-a   None, Simple        Define the RIP Authentication type
-p   Password            Define the RIP Authentication Password
-g   IP Address List     Set RIP Trusted Gateways (list of IP addresses)
-h   Help                Request Help for command variables
-l   None                List RIP configuration
-L   None                List RIP configuration with headings
Notes
• RIP Trusted Gateways cannot be set using Aurorean Web Config.
• The -g switch requires the addresses for the routers that the system
  will accept updates from. The addresses are of the form “address1;
  address2;....address(n)”. Be sure to include the quotes.
Example
Configure the RIP routing protocol
ircrip -r enable -v2 -i enable -e enable -a none
Example List
ircrip -L
RIP       Vers   Import    Export    Auth   Password   Trusted GW
Enabled   2      Enabled   Enabled   none

ircstatic
Static Routes
Limits access to certain subnets.
Usage: ircstatic -a -d -n -m -g -l <arg> -h -L
SW   <arg>                     Definition
-a   None                      Add a new static route defined by -n, -m and -g
-d   IP Subnet                 Delete a static route identified by -n
-n   IP Subnet                 Define a Reachable Subnet Address
-m   IP Mask                   Define a Reachable Subnet Mask
-g   Gateway Address           Define a Gateway to subnet
-h   Help                      Request Help for command variables
-l   Number “N” static route   List the ‘Nth’ static route
-L   None                      List all static routes formatted
Defaults
• No default value for -n is provided.
Notes
• Configuring a default static route (0.0.0.0/0.0.0.0) on the Trusted
  interface of the Aurorean Network Gateway disables Intelligent
  Client Routing unless another static route is also configured or RIP or
  OSPF are enabled on the trusted interface.
• Arguments -a and -d are mutually exclusive.
• To modify a static route, use the IP address of the -n switch as the
  name of the route.
• To modify the -n switch IP address of an existing route, first delete
  the static route and then add a new route with the new address.
Example
Configure a static route
ircstatic -a -n 10.10.3.0 -m 255.255.255.0 -g 10.10.170.100
Example List
ircstatic -L
Subnet      Mask            Gateway
10.10.3.0   255.255.255.0   10.10.170.100
Example
Modify a static route
ircstatic -n 10.10.3.0 -g 192.168.4.1
Example List after the modification
ircstatic -l 1
10.10.3.0   255.255.255.0   192.168.4.1

ircsts
Site-to-Site
Sets up Remote ANG site-to-site connections by first adding an ANG to an existing ANG
configuration, then adding the tunnel itself. This is done by configuring a user on that server
with the following values: an IP address or FQDN (Fully Qualified Domain Name) for the
server, user name and password, and tunnel protocol (either IPSec with IKE, IRPP or PPTP).
Usage: ircsts -n <name> -s -g -h -H -c -u -p -d -l <arg> -L -q -Q
SW   <arg>               Definition
-n   Name                Designate user-defined tunnel name
-s   Enable or Disable   Enable or disable the tunnel
-g   Gateway Address     Set network gateway IP Address
-h   Help                Request Help for command variables
-H   Heartbeat Policy    Specify heartbeat (tunnel health) policy name
-c   PPTP, IRPP          Select tunnel protocol type
-u   User name           Identity used to log into gateway
-p   Password            Define password used to log into gateway
-d   Name                Delete the tunnel identified by -n
-l   Nth tunnel          List the Nth site-to-site tunnel
-L   None                List all site-to-site tunnels formatted
-q   None                Query the Nth tunnel’s status
-Q   None                Query all tunnel status
Default
• Heartbeat: DEFAULT. If tunnel type is IRPP, the default is the IRPP heartbeat.
Notes
• After any change, a tunnel must be disabled and then enabled for the change to take effect.
• When an ANG responds to an inbound tunnel connection, it looks up policies
  for the tunnel using the Group including the authenticated user.
Example
Configure a site-to-site tunnel
ircsts -n ang1 -s enable -g 192.168.4.11 -c pptp -u remote -p s2s1