Nortel Secure router 4134 Quick guide

Nortel Secure Router 4134

Security — Conﬁguration and

Management

NN47263-600 (323257-A).

Document status: Standard

Document version: 01.02

Document date: 3 August 2007

This document is protected by copyright laws and international treaties. All information, copyrights and any other

intellectual property rights contained in this document are the property of Nortel Networks. Except as expressly

authorized in writing by Nortel Networks, the holder is granted no rights to use the information contained herein and

this document shall not be published, copied, produced or reproduced, modiﬁed, translated, compiled, distributed,

displayed or transmitted, in whole or part, in any form or media.

Sourced in Canada, the United States of America, and India.

Contents

New in this release 13

Features 13

Firewall and NAT 13

Packet ﬁlter 14

IPsec VPN 14

GRE and IPIP tunneling 15

PPPoE client 15

Authentication, Authorization, and Accounting 16

SSH2 17

Introduction 19

Navigation 19

Firewall and NAT Fundamentals 21

Firewall Overview 21

Stateful inspection elements 22

Virtual ﬁrewall zones 22

Transit policies on trusted zones only 23

No transit policies on internet untrusted zone 23

Default ﬁrewall 24

Three-legged ﬁrewall 24

Firewall network protection features 25

Application and URL ﬁltering 25

Policy-based controls 26

Logging and statistics 26

ALG Overview 27

Supported ALGs 27

NAT Overview 28

Static NAT 29

Dynamic NAT 29

PAT 29

NAT failover for ﬁrewalls 30

Scalability 30

Interoperability with CS 1000 and MCS 5100 call servers 30

Cone NAT for CS 1000 30

Nortel Secure Router 4134

Security — Conﬁguration and Management

NN47263-600 01.02 Standard

10.0 3 August 2007

4Contents

SIP ALG for MCS 5100 31

NAT Hairpinning 35

Standards compliance 36

Packet ﬁlter fundamentals 37

Packet ﬁlters on WAN modules and chassis Ethernet ports 37

Packet ﬁlters on Ethernet modules 37

Maximum allowable ﬁlter rules on Ethernet modules 38

Available packet ﬁlters 38

IPv4 packet ﬁlters 38

IPv6 packet ﬁlters 39

MAC packet ﬁlters 40

Logging 40

Scalability 40

Ethernet module limits 40

Conﬁguration considerations 41

Troubleshooting 41

IPsec VPN fundamentals 43

Site-to-Site VPN 44

Remote access VPN 46

Remote access VPN with L2TP server 47

Supported IPsec security protocols 48

IPsec modes 48

Shared key negotiation with IKE 48

IKE modes 49

Peer authentication methods for IKE 50

User authentication for remote access VPN 51

Digital Certiﬁcates in IKE 51

Internet X.509 PKI certiﬁcate and CRL proﬁle 52

Certiﬁcate validation 52

Certiﬁcate enrollment using SCEP client 53

Manual certiﬁcate enrollment 54

Dead peer detection 54

Nat Traversal support 54

Multiple IKE proposals 54

Multiple IPsec proposals 55

Identifying trafﬁc to be encrypted with VPN 56

Firewall considerations for trusted and untrusted VPN interfaces 57

Routing considerations for VPN (and ﬁrewall) 57

Perfect forward secrecy 57

Dead peer detection 58

Security Policy Database 59

PMTU support 59

Firewall considerations with VPN 59

Nortel Secure Router 4134

Security — Conﬁguration and Management

NN47263-600 01.02 Standard

10.0 3 August 2007

Contents 5

QoS over VPN 60

Crypto QoS (CBQ) for IPsec VPN 60

Logging and Statistics 62

Standards compliance 62

GRE and IPIP tunneling fundamentals 65

GRE and IPIP tunneling for IPv4 65

IPIP 66

GRE 66

Tunnel protection 66

IPv6 over IPv4 tunneling 66

IPv6 over manually-conﬁgured IPv4 tunnels 66

IPv6 over IPv4 GRE tunnels 67

Auto 6to4 tunneling 67

Standards compliance 67

PPPoE client fundamentals 69

Standards compliance 70

Authentication, Authorization, and Accounting fundamentals 71

Authentication 71

PAP authentication 71

CHAP authentication 72

RADIUS 72

TACACS 72

EAP IEEE 802.1X 73

Standards compliance 73

Authorization 74

Accounting 74

SSH2 fundamentals 75

SSH2 features 75

SSH ciphers 76

SSH MAC algorithms 76

SSH compression 76

SSH key exchange methods 77

SSH public key algorithms 77

SSH user authentication methods 77

SSH public key ﬁle formats 78

Standards compliance 78

Firewall and NAT conﬁguration 79

Conﬁguring global properties 79

Conﬁguring global ALGs 79

Conﬁguring global bypass trusted 80

Conﬁguring global DOS protection 81

Nortel Secure Router 4134

Security — Conﬁguration and Management

NN47263-600 01.02 Standard

10.0 3 August 2007

6Contents

Conﬁguring global NAT hairpinning 83

Conﬁguring global IP reassembly 84

Conﬁguring global logging 87

Conﬁguring global maximum connection limits for the ﬁrewall 89

Conﬁguring NAT failover 90

Conﬁguring proxy NAT 91

Conﬁguring global timeout 91

Conﬁguring global URL key ﬁlters 93

Conﬁguring port trigger records 93

Conﬁguring policy-speciﬁc properties 95

Conﬁguring ﬁrewall objects 95

Conﬁguring connection reservations 97

Conﬁguring reset of invalid ACK packets 97

Conﬁguring stealth mode 98

Conﬁguring ﬁrewall policies 98

Applying an object to a policy 100

Conﬁguring bandwidth for the policy 101

Conﬁguring the maximum connections for the policy within a conﬁgured

timeframe 102

Conﬁguring the maximum connections for the policy 102

Conﬁguring policing for the policy 103

Enabling the policy 104

Adding interfaces to the ﬁrewall zone 104

Displaying ﬁrewall information 105

Clearing ﬁrewall connections 106

Clearing ﬁrewall statistics 106

Packet ﬁlter conﬁguration 107

Conﬁguring IPv4 packet ﬁlters 107

Conﬁguring IPv6 packet ﬁlters 110

Conﬁguring MAC packet ﬁlters 112

Applying a packet ﬁlter to an interface 113

Deleting rules from packet ﬁlters 113

Deleting a packet ﬁlter 114

Displaying packet ﬁlters 114

Displaying packet ﬁlters applied to an interface 114

IPsec VPN conﬁguration 117

Conﬁguring IKE for site-to-site VPN 118

Creating an IKE policy 118

Conﬁguring the local address for IKE negotiations 118

Conﬁguring the IKE policy local ID 119

Conﬁguring the IKE policy remote ID 120

Conﬁguring the IKE mode 120

Conﬁguring the IKE exchange type 121

Nortel Secure Router 4134

Security — Conﬁguration and Management

NN47263-600 01.02 Standard

10.0 3 August 2007

Contents 7

Conﬁguring the pre-shared key for IKE 122

Enabling or disabling PFS 123

Conﬁguring IKE proposal 123

Conﬁguring OCSP for the IKE policy 128

Conﬁguring IPsec for site-to-site VPN 129

Creating an IPsec policy 129

Conﬁguring anti-replay 129

Enabling or disabling the IPsec policy entry 130

Specifying the IP stream on which to apply IPsec 130

Conﬁguring DH prime modulus group for PFS 131

Conﬁguring IPsec proposal 132

Conﬁguring remote access IKE policies 137

Creating an IKE policy for remote access VPN 137

Conﬁguring an IKE proposal for remote access VPN 146

Conﬁguring remote access IPsec policies 151

Creating an IPsec policy for remote access VPN 151

Specifying the IP stream on which to apply IPsec for remote access VPN 152

Conﬁguring DH prime modulus group for PFS 153

Conﬁguring IPsec proposal template for remote access VPN 154

Enabling the dynamic IPsec policy 158

Conﬁguring L2TP server for L2TP remote access 159

Creating the L2TP remote access interface 159

Conﬁguring IP address for the L2TP access interface 159

Conﬁguring IPsec protection for the L2TP access interface 160

Conﬁguring client parameters for L2TP remote access 161

Conﬁguring user parameters for L2TP remote access 161

Shutting down the L2TP access interface 162

Conﬁguring dead peer detection keepalive 162

Enabling dead peer detection 162

Conﬁguring the keepalive retry interval 163

Conﬁguring the keepalive transmit-interval 163

Conﬁguring PMTU 163

Conﬁguring DF bit 163

Conﬁguring the MTU threshold value 164

Conﬁguring processing of unsecured ICMP messages 164

Conﬁguring CA trustpoint 165

Conﬁguring the certiﬁcate enrollment method 165

Conﬁguring parameters for the certiﬁcate request 166

Conﬁguring certiﬁcate password 169

Authenticating the CA and importing a CA certiﬁcate 169

Generating a certiﬁcate request for enrollment 170

Manually importing a self certiﬁcate 171

Manually importing an OCSP Responder certiﬁcate 171

Nortel Secure Router 4134

Security — Conﬁguration and Management

NN47263-600 01.02 Standard

10.0 3 August 2007

8Contents

Conﬁguring LDAP parameters 172

Requesting a CRL from the CA 173

Conﬁguring OCSP 173

Displaying IPsec VPN conﬁgurations 174

Displaying certiﬁcates 174

Displaying CRL 174

Displaying trustpoint 174

Displaying IKE policies 175

Displaying IKE SA 175

Displaying IPsec policies 175

Displaying IPsec SA 175

Displaying remote access IKE policies 176

Displaying remote access IPsec policies 176

Displaying remote access VPN clients 176

Displaying status of interfaces as trusted or untrusted 176

Displaying dead peer detection conﬁguration 177

Displaying PMTU information 177

Displaying IPsec statistics 177

Displaying L2TP server conﬁguration 177

Clearing IPsec conﬁgurations 178

Deleting certiﬁcates 178

Deleting CRL 178

Deleting CA private key 178

Clearing IKE SA information 178

Clearing IPsec SA information 179

Clearing IPsec statistics 179

GRE and IPIP tunnel conﬁguration 181

Conﬁguring a tunnel 181

Creating a tunnel 181

Conﬁguring tunnel encapsulation mode 182

Conﬁguring an IP address for the tunnel 182

Conﬁguring tunnel source 183

Conﬁguring tunnel destination 183

Conﬁguring GRE tunnel parameters 184

Conﬁguring keepalive for GRE tunnels 184

Conﬁguring checksum for GRE tunnels 185

Conﬁguring tunnel key for GRE tunnels 185

Conﬁguring tunnel sequencing 186

Conﬁguring tunnel parameters 186

Conﬁguring path MTU discovery for tunnel packets 186

Conﬁguring the tunnel as an untrusted interface for IPsec protection 187

Conﬁguring tunnel protection with IPsec 187

Conﬁguring tunnel ToS 188

Nortel Secure Router 4134

Security — Conﬁguration and Management

NN47263-600 01.02 Standard

10.0 3 August 2007

Contents 9

Conﬁguring tunnel TTL 189

Shutting down a tunnel 189

Displaying tunnel information 190

Clearing tunnel counters 190

PPPoE client conﬁguration 191

Creating a PPPoE interface 191

Conﬁguring IP address for PPPoE interface 191

Conﬁguring PPPoE tunneling protocol 192

Conﬁguring PPPoE Ethernet interface 193

Conﬁguring PPP authentication method and parameters 193

Conﬁguring PPPoE access concentrator 194

Conﬁguring PPP keepalive 194

Displaying PPPoE client information 195

Authentication, Authorization, and Accounting conﬁguration 197

Enabling AAA 197

Conﬁguring AAA authentication 197

Conﬁguring AAA authentication login 197

Conﬁguring AAA authentication protocol 198

Applying AAA authentication to an interface 199

Conﬁguring AAA authorization 199

Applying AAA authorization to an interface 200

Conﬁguring AAA accounting 200

Conﬁguring AAA accounting update 201

Applying AAA accounting to an interface 202

Conﬁguring RADIUS primary and secondary servers 202

Conﬁguring RADIUS server port for accounting 202

Conﬁguring RADIUS server port for authentication 203

Conﬁguring the RADIUS server IP address 203

Conﬁguring RADIUS client retries 204

Conﬁgure RADIUS shared secret key 205

Conﬁgure RADIUS timeout 205

Conﬁguring RADIUS client source address 206

Conﬁguring TACACS+ primary or secondary server IP address 206

Conﬁguring TACACS+ retries 207

Conﬁguring TACACS+ server port 207

Conﬁguring TACACS+ shared encryption key 208

Conﬁguring TACACS+ timeout 208

Conﬁguring 802.1x 209

Conﬁguring 802.1x on an Ethernet interface 209

Enable 802.1x on the interface 209

Conﬁguring the maximum failed requests 210

Nortel Secure Router 4134

Security — Conﬁguration and Management

NN47263-600 01.02 Standard

10.0 3 August 2007

10 Contents

Conﬁguring port control 210

Conﬁguring quiet period 211

Enabling reauthentication 211

Conﬁguring reauthorization period 212

Conﬁguring authentication server response timeout 212

Conﬁguring supplicant response timeout 213

Displaying AAA information 214

Displaying AAA accounting information 214

Displaying AAA authentication information 214

Displaying AAA authorization information 214

Displaying AAA interface information 214

Displaying AAA status 215

Displaying RADIUS information 215

Displaying TACACS+ information 215

Displaying 802.1x information 215

Clearing 802.1x statistcs 216

SSH2 conﬁguration 217

Conﬁguring SSH2 server keys 217

Generating SSH2 server keys 217

Encrypting a private key ﬁle 218

Changing the passphrase used for encryption 218

Converting public key ﬁles to SSH format 219

Generating a public key digest of a key ﬁle 220

Conﬁguring SSH2 server parameters 221

Conﬁguring SSH2 authentication 221

Conﬁguring SSH2 authentication retries 221

Conﬁguring SSH encryption algorithms 222

Conﬁguring SSH compression 222

Enabling and disabling SSH server 223

Specifying host key ﬁle for the SSH server 223

Enabling and disabling log events 224

Conﬁguring MAC algorithms 225

Conﬁguring SSH listen port 225

Restoring default SSH parameter values 226

Enabling and disabling SSH SFTP server 226

Conﬁguring SSH session timeout 227

Displaying SSH server conﬁguration 227

Displaying SSH server sessions 228

Clearing SSH sessions 228

Conﬁguration examples 229

Conﬁguring an IPv4 packet ﬁlter 229

Conﬁguring an IPv6 packet ﬁlter 229

Conﬁguring a MAC packet ﬁlter 230

Nortel Secure Router 4134

Security — Conﬁguration and Management

NN47263-600 01.02 Standard

10.0 3 August 2007

Other manuals for Secure Router 4134

Table of contents

Other Nortel Network Router manuals

Nortel

Nortel BCM50a User manual

Nortel

Nortel Contivity 100 User instructions

Nortel

Nortel 8300 Series User manual

Nortel

Nortel 1700 Instruction Manual

Nortel

Nortel 1700 Dimensions

Nortel

Nortel Contivity VPN Switch 1010 User manual

Nortel

Nortel 4500 Series Quick guide

Nortel

Nortel Passport 8600 Series Operator's manual

Nortel

Nortel BayStack 600 Series User manual

Nortel

Nortel 222 Instruction Manual

Nortel

Nortel 1010-24T User manual

Nortel

Nortel BayStack ARN Dimensions

Nortel

Nortel 10292FA Instruction sheet

Nortel

Nortel 7 Quick guide

Nortel

Nortel 222 User manual

Nortel

Nortel 1500 Series User manual

Nortel

Nortel 5000 How to use

Nortel

Nortel 425-24T User manual

Nortel

Nortel Secure Router 4134 User manual

Nortel

Nortel Passport 8600 Series Instruction Manual

Nortel

Nortel BayStack 820 Installation and operating manual

Nortel

Nortel 1000 Con?guration guide Quick setup guide

Nortel

Nortel BayStack 460-24T-PWR Reference guide

Nortel

Nortel Secure Router 4134 User manual

Popular Network Router manuals by other brands

TRENDnet

TRENDnet TEW-435BRM - 54MBPS 802.11G Adsl Firewall M Quick installation guide

Siemens

Siemens SIMOTICS CONNECT 400 manual

Alfa Network

Alfa Network ADS-R02 Specifications

Barracuda Networks

Barracuda Networks Link Balancer quick start guide

ZyXEL Communications

ZyXEL Communications ES-2024PWR Support notes

HPE

HPE FlexNetwork 5510 HI Series Openflow configuration guide

Allied Telesis

Allied Telesis AT-AR236E quick start guide

ADTRAN

ADTRAN NetVanta 3458-PoE quick start

C&H Technologies

C&H Technologies EM405-8 manual

Huawei

Huawei WiFi Mesh 3 Product description

Addonics Technologies

Addonics Technologies ISC8P2G-S Quick install guide

Atel

Atel W02 Arch+ Faqs

Allnet

Allnet ALL0333AU user guide

Sercomm

Sercomm Genesis OC3505D Quick installation guide

Billion

Billion BIPAC 5102 Series user manual

TP-Link

TP-Link TD-8817 QIG

Motorola

Motorola MR1900 user guide

Cisco

Cisco SOHO Series Regulatory compliance and safety information

Nortel Secure Router 4134 Quick guide

Popular Network Router manuals by other brands