2007 July 1 DFL-210/800/1600/2500 Training Material DFL fundamental Part I Created on 2007 ©Copyright 2007. All rights reserved

Page 1: 2007 July1 DFL-210/800/1600/2500 Training Material DFL fundamental Part I Created on 2007 ©Copyright 2007. All rights reserved

2007 July 1

DFL-210/800/1600/2500 Training Material

DFL fundamental Part I

Created on 2007 ©Copyright 2007. All rights reserved

Page 2

Agenda

• Firewall traffic flow

• Chapter 1 – Routing table

• Chapter 2 – Core vs. Interface (WAN, LAN, DMZ)

• Chapter 3 – PBR

• Chapter 4 – NAT combined with semi-transparent mode (Proxy ARP)

• Chapter 5 – Traffic Shaping

• Chapter 6 – VPN

Page 3

New features in firmware v2.12

• New functions implemented:
– Full CLI support
– IP rules (insert, move to, disable)
– Interface: PPPoE schedule
– DPD in IPsec tunnels
– Configurable ID type (IP, DNS, FQDN) in IPsec tunnels
– Session control in Threshold
– Blacklist in Threshold and IDS/IDP
– DHCP status improvement

Page 4

Firewall traffic flow

Page 5

Firewall traffic flow

Incoming traffic

1. Check the “main” routing table.

2. Check the PBR: if the packet matches one of the routing rules, the lookup continues in that rule’s PBR table.

3. Check the IP rules (Allow/FWDFast/NAT/SAT…).

4. Queue the packet for further examination.

5. Check whether any IDP/IDS rule matches; on a match, compare the packet against the IDS/IDP signature database.

6. Check whether any pipe rule matches; on a match, apply the traffic-shaping rule.

7. Finally, the traffic passes through the firewall.

If the lookup in the main routing table fails, the traffic is dropped by the default access rule. An “Access” rule can be configured to skip the main routing table check.

Page 6

Page 7

Chapter 1

Routing Table

Page 8

Routing Table 1/6 How to read the routing table?

• Interface: the interface the packet is routed out of
• Network: the network to route
• Gateway: the gateway to send routed packets to
• Local IP Address: the IP address specified here is automatically published on the corresponding interface and is also used as the sender address in ARP queries. If no address is specified, the firewall’s interface IP address is used.
• Metric: the metric for this route (mostly used in route failover scenarios)

Note.
1. The entry with the longest match is applied first.
2. If two routing entries have the same match length, the one with the lower “Metric” value is applied.

Page 9

Routing Table 2/5 The generic concept for selecting the routing entry

1. The entry with the longest match is applied first.

(Figure: mask 255.255.255.xxx on network 192.168.0.0; hosts 192.168.0.5 and 192.168.0.30.)

Page 10

Routing Table 3/5 The generic concept for selecting the routing entry

2. If two routing entries have the same match length, the one with the lower Metric value is applied (a lower metric means a higher priority).

Page 11

Routing Table 4/5 The generic concept for selecting the routing entry

The entry with the longest match is applied first.

(Figure: LAN 192.168.1.0/24 with the firewall LAN address 192.168.1.1 and PC1 192.168.1.5 (gateway 192.168.1.1); Router1 and Router2 connect the LAN to 192.168.0.0/24 and 192.168.0.128/25, with interface labels E0 1.254, 0.254, E0 0.2, 1.2 and E1; routing entries labelled A, B and C; packets with DST 192.168.0.150 and DST 192.168.0.60.)

1. PC1 sends a packet to host 192.168.0.150. Which route matches?

2. PC1 sends a packet to host 192.168.0.60. Which route matches?

Page 12

Routing Table 5/5

How to verify the lookup result?

1. Routes -lookup=[IP address]

2. Ping -srcip=[source IP] [destination IP] -verbose

Page 13

Routing Table Scenario hands-on

Create a static route to network B

Group LANs and the matching firewall sub-interfaces:

G1_LAN: 192.168.10.1 – Sub-if1: 192.168.10.254
G2_LAN: 192.168.20.1 – Sub-if2: 192.168.20.254
G3_LAN: 192.168.30.1 – Sub-if3: 192.168.30.254
G4_LAN: 192.168.40.1 – Sub-if4: 192.168.40.254
G5_LAN: 192.168.50.1 – Sub-if5: 192.168.50.254
G6_LAN: 192.168.60.1 – Sub-if6: 192.168.60.254
G7_LAN: 192.168.70.1 – Sub-if7: 192.168.70.254
G8_LAN: 192.168.80.1 – Sub-if8: 192.168.80.254

Network B: LAN 192.168.200.0/24, server 192.168.200.60, router 192.168.200.254 (E0/E1).

Creating a static route on LAN for internal users to reach 192.168.200.60.

Page 14

Routing table Debug CLI

Routes -lookup=[insert the IP address]

Routes -all -verbose [routing table name]

Rule -ruleset=main -verbose

Ping -s [source IP address] [destination IP address]

Arpsnoop [interface name] -verbose

arp -show

Page 15

Routing table Case study-01

(Figure, connection-table view of the handshake: SYN to 200.60 / RCV SYN from 10.5 → relay SYN to DST; SYN-ACK to 10.5 / RCV SYN-ACK; ACK to 200.60 → “Drop ACK from A” while the connection table still shows “?? Wait SYN-ACK”.)

Page 16

Routing table Case study-02

Page 17

Chapter 2

Core vs Interfaces (WAN,DMZ,LAN)

Page 18

Core vs interfaces (WAN, DMZ, LAN) 1/10 What does “Core” mean in DFL units?

Core owns the IP addresses.

(Figure: Core between the int interface 192.168.1.1 and the ext interface 218.210.16.26.)

Page 19

Core vs interfaces (WAN, DMZ, LAN) 1/5

Each interface (WAN, LAN, DMZ) has its own direction, but “Core” has no direction. For example, below is the routing table:

Page 20

Core vs interfaces (WAN, DMZ, LAN) 2/5

If we set the IP rule as below (figure callouts 1–3):

The DFL-800 only passes traffic that arrives directly at the WAN1 interface, and that traffic is mapped to the specific server (192.168.1.6) without touching the “Core”.

Page 21

Core vs interfaces (WAN, DMZ, LAN) 3/5

(Figure: Core 127.0.0.1; WAN1 218.210.16.26 with ARP-published address 218.210.16.27; LAN 192.168.1.1 with server 192.168.1.6; DMZ and WAN2 with addresses 192.168.120.254 and 172.16.100.254. Destination IP: 218.210.16.27.)

Page 22

Core vs interfaces (WAN, DMZ, LAN) 4/5

If we set the IP rule as below (figure callouts 1–2):

Traffic from any physical interface is allowed to access the IP 218.210.16.26.

Page 23

Core vs interfaces (WAN, DMZ, LAN) 5/5

(Figure: Core 127.0.0.1; WAN1 218.210.16.26 with ARP-published address 218.210.16.27; LAN 192.168.1.1 with server 192.168.1.6 and internal user 192.168.1.58; DMZ and WAN2 with addresses 192.168.120.254 and 172.16.100.254. Destination IP: 218.210.16.26.)

Note. For internal users, we shall add one NAT rule between the SAT and Allow rule sets.

Page 24

Core vs interfaces (WAN, DMZ, LAN) Summary

• Core’s IP address is also called the “loopback IP address”.

• Regardless of where the traffic comes from, it can reach the Core interface.

• If we bind an IP address to one physical interface, traffic to that IP address passes only through that specific physical interface.

Page 25

Chapter 3

Policy Based Route

Page 26

PBR

(Figure: PBR’s table.)

Page 27

PBR How is the PBR working?

The sequence of policy-based routing execution in conjunction with the main routing table and the rule set can be summarized as follows:

1. Check the main routing table.

2. Look up the routing rules: if the lookup in step 1 allows the packet through, NetDefendOS performs a lookup in the policy-based routing rules. The first matching rule is the one used.

3. Select the PBR’s table (by the ordering “First”, “Default” or “Only”):

– Default: the main routing table is consulted first. If the only match is the default route (0.0.0.0/0), the PBR’s table is consulted.

– First: the PBR’s table is consulted first of all. If this lookup fails, the lookup continues in the main routing table.

– Only: the PBR’s table is the only one consulted. In other words, the named routing table is consulted first of all; if this lookup fails, the packet is dropped.
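As an added example (not code from the training material or from NetDefendOS), the following Python models the lookup rules of pages 8–11 (longest match first, lower metric on a tie) together with the table ordering of step 3 above, and runs the page 11 quiz destinations and the Chapter 3 link-sharing and failover scenarios through it. The next-hop addresses for Router1/Router2, the metric values 10 and 20, the route `up` flag standing in for route monitoring, the ordering “Default” for the HTTP routing rule, and the fallback to main’s default route when a “Default”-ordered PBR table has no match are this example’s assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple


@dataclass
class Route:
    iface: str
    network: ipaddress.IPv4Network
    gateway: Optional[str] = None   # None: directly connected network
    metric: int = 0                 # lower metric = higher priority
    up: bool = True                 # False once route monitoring marks the gateway dead (assumed flag)


def route(iface: str, net: str, gateway: Optional[str] = None,
          metric: int = 0, up: bool = True) -> Route:
    return Route(iface, ipaddress.ip_network(net), gateway, metric, up)


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Pages 8-10: the longest matching prefix wins; among equal prefix
    lengths the lowest metric wins. Routes marked down are skipped."""
    addr = ipaddress.ip_address(dst)
    candidates = [r for r in table if r.up and addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def pbr_lookup(main: List[Route], pbr: List[Route], ordering: str, dst: str) -> Optional[Route]:
    """Step 3 above: how the named PBR table is combined with 'main'."""
    if ordering == "Only":
        return lookup(pbr, dst)                      # a miss in the PBR table means drop
    if ordering == "First":
        return lookup(pbr, dst) or lookup(main, dst)
    if ordering == "Default":
        hit = lookup(main, dst)
        if hit is not None and hit.network.prefixlen > 0:
            return hit                               # a specific 'main' route wins
        # Only the default route (0.0.0.0/0) matched: consult the PBR table.
        # Falling back to that default route on a PBR miss is assumed here.
        return lookup(pbr, dst) or hit
    raise ValueError(f"unknown ordering {ordering!r}")


# Page 11 quiz. Next hops are constructed: Router1 is assumed to reach the
# whole 192.168.0.0/24, Router2 only the upper half 192.168.0.128/25.
PAGE11_MAIN = [
    route("lan", "192.168.1.0/24"),
    route("lan", "192.168.0.0/24", gateway="192.168.1.254"),
    route("lan", "192.168.0.128/25", gateway="192.168.1.2"),
]


def build_scenario2(wan1_up: bool = True, wan2_up: bool = True) -> Tuple[List[Route], List[Route]]:
    """Chapter 3 scenario 2: 'main' prefers wan1, table http-go-wan2 prefers wan2.
    Metrics 10/20 are constructed; the slides only say which link is preferred."""
    main = [
        route("lan", "192.168.1.0/24"),
        route("wan1", "1.1.1.0/24"),
        route("wan2", "3.3.3.0/24"),
        route("wan1", "0.0.0.0/0", gateway="1.1.1.2", metric=10, up=wan1_up),
        route("wan2", "0.0.0.0/0", gateway="3.3.3.2", metric=20, up=wan2_up),
    ]
    http_go_wan2 = [
        route("wan2", "0.0.0.0/0", gateway="3.3.3.2", metric=10, up=wan2_up),
        route("wan1", "0.0.0.0/0", gateway="1.1.1.2", metric=20, up=wan1_up),
    ]
    return main, http_go_wan2


def egress_interface(service: str, dst: str, wan1_up: bool = True, wan2_up: bool = True) -> Optional[str]:
    """Routing rule: HTTP uses table http-go-wan2 (ordering 'Default', assumed);
    every other service stays in 'main'. Returns the interface the packet leaves on."""
    main, http_table = build_scenario2(wan1_up, wan2_up)
    if service == "http":
        hit = pbr_lookup(main, http_table, "Default", dst)
    else:
        hit = lookup(main, dst)
    return hit.iface if hit else None


if __name__ == "__main__":
    for dst in ("192.168.0.150", "192.168.0.60"):
        r = lookup(PAGE11_MAIN, dst)
        print(f"{dst:15} -> {r.network} via {r.gateway}")
    for svc, down in (("ftp", None), ("ftp", "wan1"), ("http", None), ("http", "wan2")):
        state = f"{down} down" if down else "all up"
        print(svc, state, "->", egress_interface(svc, "7.7.7.5",
                                                 wan1_up=down != "wan1", wan2_up=down != "wan2"))
```

Running the block prints the page 11 lookups (the /25 entry wins for 192.168.0.150, the /24 entry for 192.168.0.60) and the egress interface for FTP and HTTP with each WAN link up or down; the `up` flag is only a stand-in for the route monitoring the slides configure in the GUI.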

Page 28

PBR Scenario 1 – Link Sharing

(Figure: ISP1 behind WAN1 1.1.1.1/24, gateway 1.1.1.2; ISP2 behind WAN2 3.3.3.1/24, gateway 3.3.3.2; LAN 192.168.1.1/24 with hosts PC1 192.168.1.50 and PC1 192.168.1.101; HTTP/FTP server 7.7.7.5. WAN1 IP groups: Group1 1.1.1.11, Group2 1.1.1.12, Group3 1.1.1.13 …; WAN2 IP groups: Group1 3.3.3.11, Group2 3.3.3.12, Group3 3.3.3.13 ….)

1. FTP traffic goes out via WAN1 (the red path).

2. HTTP and ICMP traffic go out via WAN2 (the black path).

Page 29

PBR Tips

Step 1 Set up the IP address of each physical interface.

Step 2 Create the PBR’s table and set its default-route entry to ISP2.

Step 3 Create a routing rule set.

Step 4 Create the IP rule sets that decide the traffic’s behavior.

Step 5 Use the commands “rules -ruleset=pbr -verbose” and “rules -ruleset=main -verbose” to verify the configuration.

Page 30

PBR Scenario 1 Settings 1/5

1 Set the IP4 address objects.

2 Alter the “Main” routing table.

Page 31

PBR Scenario 1 Settings 2/5

3 Create the PBR’s table.

Note. If Remove Interface IP Routes is enabled, the default interface routes are removed, i.e. the routes to the core interface (127.0.0.1), which are routes to NetDefendOS itself.

Page 32

PBR Scenario 1 Settings 3/5

4 Create the “Routing Rules” that trigger the use of the specific PBR’s table.

Why do we set the destination interface to WAN1 instead of “wan2”?

Because all traffic still looks up the “Main” routing table, this value must be set to the default-gateway interface of the “Main” routing table. In our scenario the default gateway in the “Main” routing table is on the “WAN1” interface, so we set “wan1” in the figure above.

Page 33

PBR Scenario 1 Settings 4/5

5 Finally, create the IP rule set that allows the specific service.

Page 34

PBR Scenario 1 Settings 5/5

6 Verify the configuration via the console.

Page 35

PBR Scenario 1 – Link Sharing (the diagram of Page 28, repeated)

Page 36

PBR Scenario 2 – Link Sharing with failover

(Figure: same topology as Page 28 – ISP1 behind WAN1 1.1.1.1/24, ISP2 behind WAN2 3.3.3.1/24, LAN 192.168.1.1/24 with PC1 192.168.1.50 and PC1 192.168.1.101, HTTP/FTP server 7.7.7.5; the FTP and HTTP paths are drawn separately.)

1. FTP traffic goes out via WAN1. When wan1 is down, the traffic switches to WAN2.

2. HTTP and ICMP traffic go out via WAN2. When wan2 is down, the traffic switches to WAN1.

Page 37

PBR Scenario 2 – Tips

Based on the configuration of the previous scenario:

Step 1 Disable the automatic default-route feature on both physical interfaces, wan1 and wan2.

Step 2 Manually add the default-gateway routes, with route monitoring enabled, in the Main routing table for wan1 and wan2 respectively, giving wan1 a higher priority than wan2.

Step 3 Set up the PBR’s table and repeat step 2, but with wan2 at a higher priority than wan1.

Step 4 Group the wan1 and wan2 interfaces for easier configuration.

Step 5 Set up the IP rule set allowing the specific traffic via both the wan1 and wan2 interfaces.

Page 38

Policy Based Route Scenario 2 Settings 1/3

1 Add the default gateway value for WAN2, then enable the monitor function and set a different priority (Metric) on each interface for failover.

Page 39

Policy Based Route Scenario 2 Settings 2/3

2 Add the PBR’s table for wan2 and repeat the actions of step 1: enable the monitor function and change the metric value.

3 Add a “routing rule” that triggers the HTTP service to use the table “http-go-wan2”.

Page 40

Policy Based Route Scenario 2 Settings 3/3

4 Add an interface group including wan1 and wan2 to simplify the configuration.

5 Create the IP rule set for both kinds of services.

Page 41

PBR Scenario 2 – Link Sharing with failover (the diagram of Page 36, repeated)

Page 42

Chapter 4

NAT combined with Semi-Transparent mode (Proxy ARP)

Page 43

NAT combined with Semi-Transparent mode (Proxy ARP)

What is Proxy ARP?

RFC 1027 – Using ARP to implement transparent subnet gateways

It fools the sender of the ARP request into thinking that the router is the destination.

The router acts as a proxy agent for the destination, relaying packets to it from other hosts.

Proxy ARP is also known as promiscuous ARP or the ARP hack.

Page 44

NAT combined with Semi-Transparent mode (Proxy ARP)

How it works?

(Figure: Router with E0 on subnet A 1.1.1.0/24 and E1 on subnet B 192.168.1.0/24; Host A on subnet A, Host B on subnet B.)

E0 IP address: 1.1.1.1/24, MAC 00:13:46:aa:bb:cc
E1 IP address: 192.168.1.1/24, MAC 00:13:46:aa:bb:dd
Host A IP address: 1.1.1.100/24, MAC 00:11:22:33:44:bb:aa
Host B IP address: 1.1.1.200/24, MAC 55:66:77:dd:bb:ff

1. Request from Host B for Host A:
Sender’s MAC address (Host B): 55:66:77:dd:bb:ff
Sender’s IP address (Host B): 1.1.1.200
Target’s MAC address: 00:00:00:00:00:00
Target’s IP address (Host A): 1.1.1.100

2. Reply from E1 to Host B:
Sender’s MAC address (E1): 00:13:46:aa:bb:dd
Sender’s IP address (E1): 1.1.1.100
Target’s MAC address (Host B): 55:66:77:dd:bb:ff
Target’s IP address (Host B): 1.1.1.200
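The exchange above, as an added example that is not part of the training material: a small ARP encoder/decoder and a router model that answers an ARP request with its own interface MAC whenever the target address is one it has been told to proxy, exactly as E1 answers for Host A on this page (the reply carries E1’s MAC but Host A’s IP as the sender address). The `proxy_for` lists, i.e. which addresses are proxied on which side, the `Interface` class and the helper names are this example’s assumptions; Host A’s MAC is not needed and is left out.

```python
import ipaddress
import struct
from typing import Dict, List, Optional

ARP_REQUEST, ARP_REPLY = 1, 2
ZERO_MAC = "00:00:00:00:00:00"


def _mac_bytes(mac: str) -> bytes:
    return bytes(int(x, 16) for x in mac.split(":"))


def _ip_bytes(ip: str) -> bytes:
    return ipaddress.IPv4Address(ip).packed


def build_arp(op: int, sender_mac: str, sender_ip: str, target_mac: str, target_ip: str) -> bytes:
    """28-byte Ethernet/IPv4 ARP body (RFC 826 layout): htype, ptype, hlen, plen, op, then addresses."""
    return (struct.pack("!HHBBH", 1, 0x0800, 6, 4, op)
            + _mac_bytes(sender_mac) + _ip_bytes(sender_ip)
            + _mac_bytes(target_mac) + _ip_bytes(target_ip))


def parse_arp(pkt: bytes) -> Dict[str, object]:
    if len(pkt) < 28:
        raise ValueError("ARP body too short")
    htype, ptype, hlen, plen, op = struct.unpack("!HHBBH", pkt[:8])
    if (htype, ptype, hlen, plen) != (1, 0x0800, 6, 4):
        raise ValueError("not an Ethernet/IPv4 ARP packet")

    def mac(b: bytes) -> str:
        return ":".join(f"{x:02x}" for x in b)

    return {
        "op": op,
        "sender_mac": mac(pkt[8:14]),
        "sender_ip": str(ipaddress.IPv4Address(pkt[14:18])),
        "target_mac": mac(pkt[18:24]),
        "target_ip": str(ipaddress.IPv4Address(pkt[24:28])),
    }


class Interface:
    def __init__(self, name: str, mac: str, ip: str, proxy_for: List[str]):
        self.name, self.mac, self.ip = name, mac, ip
        # Addresses this interface answers ARP for on behalf of hosts that are
        # really reached through another interface (the "ProxyARP" routes).
        self.proxy_for = [ipaddress.ip_network(n) for n in proxy_for]

    def proxies(self, ip: str) -> bool:
        addr = ipaddress.ip_address(ip)
        return any(addr in net for net in self.proxy_for)


# Page 44 topology. Which address is proxied on which side is this example's
# reading of the figure: E1 answers for Host A, E0 answers for Host B.
ROUTER = {
    "E0": Interface("E0", "00:13:46:aa:bb:cc", "1.1.1.1", ["1.1.1.200/32"]),
    "E1": Interface("E1", "00:13:46:aa:bb:dd", "192.168.1.1", ["1.1.1.100/32"]),
}
HOST_B = ("55:66:77:dd:bb:ff", "1.1.1.200")    # attached to E1's segment


def handle_arp(router: Dict[str, Interface], ingress: str, pkt: bytes) -> Optional[bytes]:
    """Return the ARP reply the router sends back out of `ingress`, or None to stay silent."""
    req = parse_arp(pkt)
    if req["op"] != ARP_REQUEST:
        return None
    ifc = router[ingress]
    target = req["target_ip"]
    if target != ifc.ip and not ifc.proxies(target):
        return None                               # neither ours nor proxied: no reply
    # Proxy reply: our MAC, but the *target's* IP as the sender address, which is
    # what the page 44 reply shows (sender IP 1.1.1.100, sender MAC of E1).
    return build_arp(ARP_REPLY, ifc.mac, target, req["sender_mac"], req["sender_ip"])


def host_b_asks_for_host_a() -> Optional[Dict[str, object]]:
    """The page 44 exchange: Host B asks who has 1.1.1.100 and E1 answers for it."""
    request = build_arp(ARP_REQUEST, HOST_B[0], HOST_B[1], ZERO_MAC, "1.1.1.100")
    reply = handle_arp(ROUTER, "E1", request)
    return parse_arp(reply) if reply else None


if __name__ == "__main__":
    print(host_b_asks_for_host_a())
```

The router answers only for addresses explicitly listed in `proxy_for` on the receiving interface; a request for any other address that is not the interface’s own goes unanswered, which is the behaviour to check first when a semi-transparent setup “works in one direction only”.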

Page 45

NAT combined with Semi-Transparent mode (Proxy ARP)

Case Study 1

(Figure: ISP1 network 1.1.1.0/24 with gateway 1.1.1.2 behind WAN1 1.1.1.1; ISP2 network 3.3.3.0/24 with gateway 3.3.3.2 behind WAN2 3.3.3.1; server 7.7.7.5. Proxy ARP the IP of ISP1 to LAN1; Proxy ARP the IP of ISP2 to LAN2.)

LAN1: host IP addresses 1.1.1.5~1.1.1.100, gateway 1.1.1.2
LAN2: host IP addresses 3.3.3.5~3.3.3.100, gateway 3.3.3.2

DHCP server on LAN1, DHCP pool: 1.1.1.5~1.1.1.100
DHCP server on LAN2, DHCP pool: 3.3.3.5~3.3.3.100

Page 46

NAT combined with Semi-Transparent mode (Proxy ARP)

Tips 1

• The traffic between WAN1 and LAN1
– The settings in the main routing table
• Proxy ARP the ISP1’s IP address to LAN1
• Proxy the IP addresses of the hosts on the LAN1 side to the WAN1 interface
• The default route goes through the WAN1 interface

Page 47

NAT combined with Semi-Transparent mode (Proxy ARP)

Tips 2

• The traffic between WAN2 and LAN2
– The settings in the main routing table
• Proxy ARP the ISP2’s IP address to LAN2
• Proxy the IP addresses of the hosts on the LAN2 side to the WAN2 interface
– The setting in the “Access” component
• Add an Access rule so that incoming traffic does not look up the main routing table.

Page 48

Tips 3

Page 49

NAT combined with Semi-Transparent mode (Proxy ARP)

Case Study 1 – setup 01

1 Create the IP4 address objects.

2 Create the routes in the main routing table for the Proxy ARP settings.

Page 50

NAT combined with Semi-Transparent mode (Proxy ARP)

Case Study 1 – setup 02

3 Proxy the IP address of WAN1’s gateway to the LAN1 interface.

Page 51

NAT combined with Semi-Transparent mode (Proxy ARP)

Case Study 1 – setup 03

4 Add another route on the LAN1 interface and proxy the IP addresses of LAN1’s hosts to the WAN1 interface.

Page 52

NAT combined with Semi-Transparent mode (Proxy ARP)

Case Study 1 – setup 04

5 Following the same concept as step 3, create the route for WAN2.

Page 53

NAT combined with Semi-Transparent mode (Proxy ARP)

Case Study 1 – setup 05

6 Following the same concept as step 4, create the route for LAN2.

Page 54

NAT combined with Semi-Transparent mode (Proxy ARP)

Case Study 1 – setup 06

7 Then create a default-gateway route on WAN1 in the “main” routing table.

8 Add a PBR’s table for the traffic between WAN2 and LAN2.

Page 55

NAT combined with Semi-Transparent mode (Proxy ARP)

Case Study 1 – setup 07

9 Create the necessary routes, as in the figure below, in the PBR’s table “wan2-lan2”.

Page 56

NAT combined with Semi-Transparent mode (Proxy ARP)

Case Study 1 – setup 08

10 Create the routing rule that triggers the use of the PBR’s table “wan2-lan2”.

Notice

Page 57

NAT combined with Semi-Transparent mode (Proxy ARP)

Case Study 1 – setup 09

11 We created a PBR rule for wan2-lan2 as below:

12 Under “Rules” / “Access”, add an access rule for the “WAN2” interface.

Page 58

NAT combined with Semi-Transparent mode (Proxy ARP)

Case Study 1 – setup 10

13 Add the interface groups to make the “IP rules” easy to set up.

14 Add the “IP rules” allowing the traffic in both directions.

Page 59

NAT combined with Semi-Transparent mode (Proxy ARP)

Case Study 1 – setup 11

15 Based on the scenario requirements, set up the DHCP server on both the “LAN1” and “LAN2” interfaces respectively.

Page 60

NAT combined with Semi-Transparent mode (Proxy ARP)

Case Study 1

(Figure: the topology of Page 45 with the host ranges changed – ISP1 1.1.1.0/24 with gateway 1.1.1.2, ISP2 3.3.3.0/24 with gateway 3.3.3.2, WAN1 and WAN2 labelled 1.11 and 3.11, server 7.7.7.5. Proxy ARP the IP of ISP1 to LAN1; Proxy ARP the IP of ISP2 to LAN2.)

LAN1: host IP addresses 1.1.1.110~119
LAN2: host IP addresses 3.3.3.110~119

DHCP server on LAN1, DHCP pool: 1.1.1.110~119
DHCP server on LAN2, DHCP pool: 3.3.3.110~119

Page 61

NAT combined with Semi-Transparent mode (Proxy ARP)

NAT combined with Proxy ARP

(Figure: unknown client 7.7.7.7/24 on the Internet; ISP1 1.1.1.0/24 with gateway 1.1.1.2 behind WAN1 1.1.1.1; ISP2 3.3.3.0/24 with gateway 3.3.3.2 behind WAN2 3.3.3.1. Proxy ARP the IP of ISP2 to LAN2.)

LAN1 – NAT mode: host IP addresses 192.168.1.0/24, gateway 192.168.1.1 (LAN1 interface 192.168.1.1/24)
LAN2 – Semi-Transparent mode: host IP addresses 3.3.3.5~3.3.3.100, gateway 3.3.3.2

Page 62

Scenario 2 Tips

• Based on the previous scenario, we only have to adjust two settings under the “IP rules”:

• For the traffic from LAN1 to WAN1, set the Action field to “NAT”.

• Disable the Allow rule set between WAN1 and LAN1.

Page 63

NAT combined with Semi-Transparent mode (Proxy ARP)

NAT combined with Proxy ARP – Setup 01

1 Create the IP4 address objects.

2 Create the routes in the main routing table for the Proxy ARP settings.

Page 64

NAT combined with Semi-Transparent mode (Proxy ARP)

NAT combined with Proxy ARP – Setup 02

3 Add a route on the WAN2 interface and proxy the gateway IP address of WAN2 to the LAN2 interface.

4 Add another route on the LAN2 interface and then proxy the IP addresses of LAN2’s hosts to the WAN2 interface.

Page 65

NAT combined with Semi-Transparent mode (Proxy ARP)

NAT combined with Proxy ARP – Setup 03

5 Set up the default gateway (1.1.1.2) on the WAN1 interface.

The figure below is a glance at the main routing table:

Page 66

NAT combined with Semi-Transparent mode (Proxy ARP)

NAT combined with Proxy ARP – Setup 04

6 Add a PBR’s table for the traffic from LAN2.

The figure below is a glance at the PBR’s table “wan2-lan2”:

Page 67

NAT combined with Semi-Transparent mode (Proxy ARP)

NAT combined with Proxy ARP – Setup 05

7 Add the PBR rule that triggers the traffic from LAN2 to use the routing table “wan2-lan2”.

Page 68

NAT combined with Semi-Transparent mode (Proxy ARP)

NAT combined with Proxy ARP – Setup 06

8 Under “Rules” / “Access”, add an access rule for the wan2 interface to skip the routing table check.

9 Under “IP Rules”, create the necessary IP rule sets for lan1 to wan1, for the bi-directional traffic of lan2–wan2, and for lan1–lan2.

Page 69

NAT combined with Proxy ARP (the diagram of Page 61, repeated)

Page 70

Chapter 5

Traffic Shaping

Page 71

Traffic shaping Algorithm

Two predominant methods for shaping traffic exist:

1. Token bucket. Reference: http://en.wikipedia.org/wiki/Token_bucket

2. Leaky bucket. Reference: http://en.wikipedia.org/wiki/Leaky_bucket

Page 72

Traffic shaping Terminology

Two major components and two sub-items in DFL’s traffic shaping:

• Pipe object
• PipeRule
– Traffic filter factor
• Service (protocol)
• Direction (the traffic from … to …)
– Pipe Chain
• First Pipe (a kind of statement declaring the traffic’s precedence)
• Following Pipe (assigns the tokens for the specific traffic)

Page 73

Traffic shaping Terminology

• Pipe
– An object for loading up all kinds of traffic.
– We can limit the total bandwidth or dynamically balance the bandwidth for the First Pipe and the Following Pipe respectively.

Page 74

Traffic shaping Terminology

• PipeRule
– Traffic filter factor
• Set up the specific traffic which you want to control.
– Pipe Chain
• Assign the role to a Pipe (First / Following) for bi-directional (Forward chain, Return chain) traffic.
• Declare the precedence of the First pipe in one of the following ways:
– Use the default from the first pipe
– Fixed precedence (0~7)
– Use IP DSCP (TOS)
• Assign the traffic’s tokens by the Following pipe.

Page 75

Traffic shaping Terminology

• First Pipe
– The role is assigned by the PipeRule
– Bandwidth control
– Declares the precedence level (0~7)

• Following Pipe
– The role is assigned by the PipeRule
– Total bandwidth control
– Assigns the tokens for the traffic from the First Pipe

Page 76

Traffic shaping Flow chart – Two-tier concept

(Figure: First Pipe – raw packet A at 100 kbps enters; BW limitation 50 kbps, declared precedence 5; the excess waits in the buffer and 50 kbps of packet A leaves tagged (5). Following Pipe – total BW limitation 200 kbps; precedence buckets Prec 7 : 200, Prec 6 : 200, Prec 5 : 200 (draining to 150, then 100), Prec 4 : 200, Prec 3 : 200, Prec 2 : 200, Prec 1 : 200, Prec 0 : 200; total BW 200; out: raw packet A 50 kbps.)

Page 77

Traffic shaping Flow chart – Two-tier concept

(Figure: First Pipe – raw packet A at 200 kbps enters; BW limitation: no limitation, declared precedence 5; packet A leaves at 200 kbps tagged (5). Following Pipe – total BW limitation 200 kbps; precedence buckets Prec 7 : 100, Prec 6 : 100, Prec 5 : 100 (draining to 0), Prec 4 : 100, Prec 3 : 100, Prec 2 : 100, Prec 1 : 100, Prec 0 : 200 (draining to 100); total BW 200; out: raw packet A 100 kbps (5) plus raw packet A 100 kbps (0), 200 kbps in total.)

Page 78

Traffic shaping Scenario hands-on 1

[Figure: network diagram. ISP with HTTP/FTP server 7.7.7.5 and gateway 3.3.3.2; units 11 to 18 on network 3.3.3.0/24. Upstream commit rate is 500 kilobits per second; downstream commit rate is 500 kilobits per second.]

1. Ensure the HTTP CR (commit rate) is 200 kbps for traffic in both directions, marking the HTTP traffic with precedence 7 (highest priority). HTTP does not utilize the rest of the bandwidth.

2. Set 400 kbps at precedence 1 for FTP traffic in both directions. When the FTP token runs out, the overflow flows to precedence 0 to compete with other services; this is the so-called "utilize remaining bandwidth".
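As an added illustration (not part of the original training material), the following Python simulation models the two-tier pipe concept from pages 76 and 77 and the hands-on 1 requirements above. It assumes one Following Pipe per direction, that a precedence without its own limit is bounded only by the total, that flows without a First Pipe enter at precedence 0, and that flows competing at precedence 0 share the remaining bandwidth max-min fairly; these are modelling assumptions, not documented DFL behaviour.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple


@dataclass
class FirstPipe:
    name: str
    precedence: int                      # declared precedence 0~7
    limit_kbps: Optional[float] = None   # None = "No limitation"


@dataclass
class FollowingPipe:
    name: str
    total_kbps: float                    # total BW limitation (commit rate)
    prec_limits: Dict[int, float] = field(default_factory=dict)  # token per precedence

    def token(self, prec: int) -> float:
        # Assumption: a precedence with no explicit limit is bounded only by the total.
        return self.prec_limits.get(prec, self.total_kbps)


def max_min_fair(demands: Dict[str, float], capacity: float) -> Dict[str, float]:
    """Water-filling share of `capacity`: small demands are met in full,
    the rest split what remains equally (assumed model for 'compete')."""
    alloc = {k: 0.0 for k in demands}
    active = {k: v for k, v in demands.items() if v > 0}
    remaining = capacity
    while active and remaining > 1e-9:
        share = remaining / len(active)
        satisfied = {k: v for k, v in active.items() if v <= share}
        if not satisfied:                # everyone left wants more than its share
            for k in active:
                alloc[k] = share
            break
        for k, v in satisfied.items():
            alloc[k] = v
            remaining -= v
            del active[k]
    return alloc


def shape(demands: Dict[str, float],
          chain: Dict[str, Optional[FirstPipe]],
          following: FollowingPipe) -> Dict[str, float]:
    """kbps each flow gets out of the Following Pipe for the offered load."""
    # Tier 1: the First Pipe caps the flow and stamps the declared precedence.
    staged: Dict[str, Tuple[float, int]] = {}
    for flow, demand in demands.items():
        fp = chain.get(flow)
        if fp is None:                   # no First Pipe: enters at precedence 0
            staged[flow] = (demand, 0)
        else:
            rate = demand if fp.limit_kbps is None else min(demand, fp.limit_kbps)
            staged[flow] = (rate, fp.precedence)

    # Tier 2: hand out tokens from precedence 7 down to 1, each bounded by its
    # own token and by what is left of the total; traffic that finds no token
    # at its precedence overflows to precedence 0 and competes there.
    out = {flow: 0.0 for flow in demands}
    remaining = following.total_kbps
    prec0 = {flow: rate for flow, (rate, p) in staged.items() if p == 0}
    for prec in range(7, 0, -1):
        wants = {flow: rate for flow, (rate, p) in staged.items() if p == prec}
        if not wants:
            continue
        got = max_min_fair(wants, min(following.token(prec), remaining))
        for flow, kbps in got.items():
            out[flow] += kbps
            remaining -= kbps
            if wants[flow] > kbps:
                prec0[flow] = prec0.get(flow, 0.0) + wants[flow] - kbps
    for flow, kbps in max_min_fair(prec0, min(following.token(0), remaining)).items():
        out[flow] += kbps
    return out


def page76_example() -> float:
    """Page 76: 100 kbps offered, First Pipe limit 50 kbps at precedence 5,
    Following Pipe 200 kbps total with 200 kbps at every precedence."""
    first = FirstPipe("first", precedence=5, limit_kbps=50)
    following = FollowingPipe("following", 200, {p: 200 for p in range(8)})
    return shape({"A": 100}, {"A": first}, following)["A"]


def page77_example() -> float:
    """Page 77: 200 kbps offered, no First Pipe limit, precedence 5 holds only
    100 kbps in the Following Pipe, so 100 kbps overflows to precedence 0."""
    first = FirstPipe("first", precedence=5)
    limits = {p: 100 for p in range(1, 8)}
    limits[0] = 200
    return shape({"A": 200}, {"A": first}, FollowingPipe("following", 200, limits))["A"]


def hands_on_1(http: float, ftp: float, other: float) -> Dict[str, float]:
    """Hands-on 1, one direction: 500 kbps commit rate; HTTP capped at 200 kbps
    in its First Pipe and marked precedence 7 (so it never spills over); FTP
    uncapped, marked precedence 1 with a 400 kbps token; everything else at 0."""
    http_pipe = FirstPipe("http-in", precedence=7, limit_kbps=200)
    ftp_pipe = FirstPipe("ftp-in", precedence=1)
    total = FollowingPipe("total-in", 500, {7: 200, 1: 400, 0: 500})
    return shape({"http": http, "ftp": ftp, "other": other},
                 {"http": http_pipe, "ftp": ftp_pipe, "other": None}, total)
```

With `hands_on_1(0, 450, 100)` the 50 kbps FTP overflow and the 100 kbps of other traffic split the last 100 kbps at precedence 0 equally, which is the "compete with other services" case.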

Page 79

Traffic shaping Tips 1

Step 1 Create the IP rule set for the specific service you want to control, and make sure this rule set is triggered first among all of the IP rules.

Step 2 Create the Pipe objects that will contain each kind of traffic.

Step 3 Under the pipe rules, create the same rule set you created in Step 1.

Step 4 In the Traffic Shaping tab, select the desired pipe object for the forward sessions and for the return sessions respectively, following the chain concept, and then declare the precedence with "Use defaults from first pipe", "Use Fixed Precedence" or "Map IP DSCP (ToS)" for the first pipe object of the return chain or the forward chain.

Step 5 Make sure the specific pipe rule is triggered first among all of the pipe rules.

Page 80

Traffic shaping Tips 2

Page 81

Traffic shaping Scenario hands-on 1 Settings 01/12

1 Change the WAN1 IP address and subnet mask.

2 Set the default gateway on interface wan1.

Page 82

Traffic shaping Scenario hands-on 1 Settings 02/12

3 Add the necessary IP rule sets under IP Rules.

Page 83

Traffic shaping Scenario hands-on 1 Settings 03/12

4 Add a pipe object for inbound FTP traffic; nothing needs to be set in the "Pipe limits" tab.

Page 84

Traffic shaping Scenario hands-on 1 Settings 04/12

5 Add a pipe object for outbound FTP traffic; nothing needs to be set in the "Pipe limits" tab.

Page 85

Traffic shaping Scenario hands-on 1 Settings 05/12

6 Add a pipe object for inbound HTTP traffic, and set the total Kbps to limit the HTTP traffic.

Page 86

Traffic shaping Scenario hands-on 1 Settings 06/12

7 Add a pipe object for outbound HTTP traffic, and set the total Kbps to limit the HTTP traffic.

Page 87

Traffic shaping Scenario hands-on 1 Settings 07/12

8 Add a pipe object that: 1. marks the total downstream commit rate; 2. points out the bandwidth for each precedence, in other words, how much token each precedence level is given.

Page 88

Traffic shaping Scenario hands-on 1 Settings 08/12

9 Add a pipe object that marks the total upstream commit rate and also points out the bandwidth for each precedence level.

Page 89

Traffic shaping Scenario hands-on 1 Settings 09/12

10 Under the Pipe Rule, point out which target, service and traffic flow the shaper shall apply to.

How to read the Traffic Shaping tab on the right page?

Outgoing FTP service (Forward Chain): the traffic flows into the First Pipe (ftp-out), which declares precedence 1 first; the traffic then takes its token from the Following Pipe (total-out). Vice versa for the Return FTP service.

[Figure annotation: Outgoing traffic. Step 1: precedence 1. Step 2: give precedence 1 its token.]

Page 90

Traffic shaping Scenario hands-on 1 Settings 10/12

11 Under the Pipe Rule, point out which target, service and traffic flow the shaper shall apply to.

Page 91

Traffic shaping Scenario hands-on 1 Settings 11/12

12 Under the Pipe Rule, mark the other services with precedence level "0", so that those services compete with each other at precedence level zero.

Page 92

Traffic shaping Scenario hands-on 1 Settings 12/12

13 Below is an overview of the pipe rule sets. The theory of operation is the same as for the IP rules: they also follow the rule of "first trigger first go". So with the rule order below, you cannot move pipe rule index 3 to index 1, because the original index 1 would never be triggered again.

Page 93

Traffic shaping Scenario hands-on 1

[Figure: network diagram. ISP with HTTP/FTP server 7.7.7.5 and gateway 3.3.3.2; units 11 to 18 on network 3.3.3.0/24. Upstream commit rate is 500 kilobits per second; downstream commit rate is 500 kilobits per second.]

1. Ensure the HTTP CR (commit rate) is 200 kbps for traffic in both directions, marking the HTTP traffic with precedence 7 (highest priority). HTTP does not utilize the rest of the bandwidth.

2. Set 400 kbps at precedence 1 for FTP traffic in both directions. When the FTP token runs out, the overflow can flow to precedence 0 to compete with other services; this is the so-called "utilizing remaining bandwidth".

Page 94

Traffic shaping Traffic flow 1/5: HTTP download

1. Check IP rules

2. Pipe rules

[Screenshot: the triggered rule.]

Page 95

Traffic shaping Traffic flow 2/5: HTTP download

Page 96

Traffic shaping Traffic flow 3/5: HTTP download

[Screenshot: Following Pipe CLI output.]

Page 97

Traffic shaping Traffic flow 4/5: HTTP download

The bandwidth limitation on the First Pipe

[Screenshot: First Pipe and Following Pipe status.]

Page 98

Traffic shaping Traffic flow 5/5: HTTP download

We do not give a limitation to the First Pipe

[Screenshot: First Pipe and Following Pipe status.]

Page 99

Traffic shaping: Sum up the traffic flow

IP rule → pipe rule → set the precedence for each service, based on 1. use default from first pipe, 2. fixed precedence setting, or 3. Map IP DSCP (TOS) → pipe → pipe chain (if required) → prioritize packets in the memory queue → packet outgoing

Note: the traffic shaper buffers and delays packets once the speed specified in the pipe is reached. If the buffers get full, the longest-queued packet of the lowest precedence is removed when a new packet arrives.

Page 100

Traffic Shaping: How to observe the traffic shaping status

The related commands:

Pipe [pipename]
Shows the status of the specific pipe; commonly we show the overall pipe objects so that the status can be checked easily.

Pipe -users
Shows the status of the pipe's overall usage.

Page 101

Chapter 6

VPN-IPSEC

Page 102

VPN-IPSEC

• In IPSec terminology there are two roles, distinguishing the server from the client:
– Initiator (Client)
  • The role that initiates the IPSec session to establish the IPSec tunnel.
  • It is a security gateway (IPSec server) or a road warrior (roaming client).
– Responder (Server)
  • The role that receives the request from the initiator and responds with the information necessary to establish the IPSec tunnel.
  • It is a security gateway (IPSec server).

Page 103

IPSEC Tunnel

IPSEC VPN Main mode Phase 1

[Figure: message exchange between the Initiator (Road Warrior / Security Gateway) and the Responder (IPSEC server). Every message is carried in UDP with (Source Port, Destination Port) = (500, 500).]

M1 Initiator → Responder: provide proposal lists and supported features
M2 Responder → Initiator: reply which proposal matched and the supported features
M3 Initiator → Responder: Key Exchange; provide key material for encrypting
M4 Responder → Initiator: Key Exchange; provide key material for encrypting
M5 Initiator → Responder (encrypted): ID, Auth; provide ID and authentication request if necessary
M6 Responder → Initiator (encrypted): IDr, Auth; provide ID and authentication reply, and produce key material for the phase 2 process

Page 104

IPSEC Tunnel

IPSEC VPN Main mode Phase 1 (Initiator behind NAT)

[Figure: Initiator (Road Warrior / IPSEC server) → NAT → Responder (IPSEC server). Ports are written as (Source Port, Destination Port); x and Y are the ports assigned by the NAT device.]

M1 Initiator → Responder: UDP(500,500), NATed to UDP(x,500)
M2 Responder → Initiator: UDP(500,x), arriving as UDP(500,500)
M3 Initiator → Responder: UDP(500,500) with NAT-D, NAT-D payloads, NATed to UDP(x,500)
M4 Responder → Initiator: UDP(500,x) with NAT-D, NAT-D payloads, arriving as UDP(500,500)
M5 Initiator → Responder: UDP(4500,4500), NATed to UDP(Y,4500)
M6 Responder → Initiator: UDP(4500,Y), arriving as UDP(4500,4500)

Both peers must support the NAT-T feature.

Page 105

VPN-IPSEC The Quick mode Phase 2

[Figure: Quick mode exchange between the Initiator (Road Warrior) and the Responder (IPSEC server).]

M1 Initiator → Responder: Hash using Phase 1 information, Message ID, SA Proposal List, Nonce I, [DH Public Key I], Proxy ID
M2 Responder → Initiator: Hash using Phase 1 information, Message ID, SA Proposal List Accept, Nonce R, [DH Public Key I], Proxy ID
M3 Initiator → Responder: Hash using Phase 1 information, Notify

Security tunnel established (data protected by the AH/ESP protocol).

Page 106

VPN-IPSEC

• Several key components must be consistent between the Initiator and the Responder:
– The Initiator's Remote net must be the same as the Responder's Local net.
– The Responder must have one of its proposal lists match the proposal provided by the Initiator.
– If both peers authenticate with a pre-shared key, the keying value must be the same on each side.
– Both peers must use the same IKE mode (main or aggressive) with the same DH Group (1, 2, 5) in the Phase 1 exchange.
– The PFS feature also requires consistency on both sides in the Phase 2 exchange.
– For the security protocol (AH or ESP), both peers must use the same mode (tunnel or transport) to transmit.

Page 107

VPN-IPSEC DFL IPSEC General page

1. Establish the SA used for mapping input traffic.

2. Establish the SA used for mapping output traffic.

3. The local device can initiate the IPSEC session to the specific remote peer (taking the role of initiator in the IPSEC process).

4. Select the encapsulation mode, tunnel or transport, for the ESP packet.

5. Select the supported proposal lists of IKE hash algorithms for IKE phase 1 (main mode or aggressive mode).

6. Select the supported proposal lists of IPSEC hash algorithms for IKE phase 2 (Quick mode).

Page 108

VPN-IPSEC DFL IPSEC IKE settings

1. Select IKE main mode or aggressive mode. Note: both peers must use the same mode to establish the IPsec tunnel.

2. Enable the PFS (perfect forward secrecy) function or not. The value must be consistent on both peers.

3. Select the way Security Associations are produced: Per Host or Per Net. This option affects the mapping between the SPI (or SPD) and IP addresses.

4. Select whether the NAT Traversal feature should be enabled. There are three options: Off, On if supported and NATed, On if supported.

5. The DPD feature detects the tunnel status precisely using the ISAKMP protocol.

Page 109

VPN-IPSEC Tunnel Mode scheme 2

Page 110

VPN-IPSEC Transport Mode scheme

Page 111

VPN Scenario hands-on

Page 112

VPN-IPSEC Scenario 1 Hands-on

IPSEC-VPN: LAN to LAN (Split tunnel)

[Figure: DFL-800 (Branch office) with WAN1 1.1.1.1/24, GW 1.1.1.2, LAN 192.168.1.1/24 and Host B 192.168.1.60 (GW 192.168.1.1); DFL-1600 (Headquarter) with WAN1 5.5.5.5/24, GW 5.5.5.2, LAN1 192.168.123.1/24 and Host A 192.168.123.58 (GW 192.168.123.1); IPSEC Tunnel between them. Destinations shown: DS 192.168.123.58 (through the tunnel) and DS xx.xx.xx.xx, xx = ANY except the local and remote nets.]

Setup the Split Tunnel

Page 113

VPN-IPSEC Scenario 1 Hands-on

Tips

• Step 1 Set the IP address and default gateway for the physical interface if necessary.

• Step 2 Add a Pre-shared key object.

• Step 3 Create proposal lists for IPsec and IKE respectively if necessary.

• Step 4 Add the IPsec interface.

• Step 5 Add the IP Rule allowing the bi-directional traffic.

• Step 6 Enter the commands below via the console to verify the IPSEC status:
– vpnstat -verbose -ike
– vpnstat -verbose -ipsec
– ikesnoop -on -verbose

Branch office

Page 114

VPN-IPSEC Scenario 1 Hands-on

1 Create the IPSec objects, and change the IP addresses of wan1 and lan and the subnet masks of lan1 and wan1, under the Address Book.

2 Under the Authentication Objects, add the pre-shared key (value: testtest).

Branch office

Page 115

VPN-IPSEC Scenario 1 Hands-on

3 Add an IKE Algorithms object under VPN objects, and select 3DES as the encryption algorithm and SHA1 as the integrity algorithm.

Note: this IKE proposal list must match one of the proposals of the remote peer (headquarter DFL-1600).

Branch office

Page 116

VPN-IPSEC Scenario 1 Hands-on

4 Add an IPsec Algorithms object under VPN objects, and select 3DES as the encryption algorithm and MD5 as the integrity algorithm.

Note: one of the proposals in this IPSEC proposal list must match the remote peer (headquarter DFL-1600).

Branch office

Page 117

VPN-IPSEC Scenario 1 Hands-on

5 Under Interfaces, add the IPSEC tunnel interface.

6 In the General tab, set the necessary parameters for establishing the VPN:
Local Network: lannet (192.168.1.0/24)
Remote Network: ipsec-remote-net (192.168.123.0/24)
Remote Endpoint: ipsec-endpoint1 (3.3.3.3)
Encapsulation Mode: Tunnel
IKE Algorithms: ph1-3des-sha1 (3DES-SHA1)
IKE Life Time: 28800 (seconds)
IPSec Algorithms: ph2-3des-md5 (3DES-MD5)
IPSec Life Time: 3600 (seconds)
IPSec Life Time: 0 kilobytes (unlimited)

Branch office

Page 118

VPN-IPSEC Scenario 1 Hands-on

7 Select the authentication method; in this scenario we use a pre-shared key (testtest).

8 The Xauth feature is not used in this scenario.

Branch office

Page 119

VPN-IPSEC Scenario 1 Hands-on

9 The settings of the routing page are as below.

10 Make sure the IKE settings are the same as on HQ.

Branch office

Page 120

VPN-IPSEC Scenario 1 Hands-on

11 The Keep-alive feature.

12 Select the auto add route feature.

13 Put the IPSec and LAN interfaces into a group so that the IP rule sets can be configured easily.

Branch office

Page 121

VPN-IPSEC Scenario 1 Hands-on

14 Create the Allow (routing) IP rule sets for the bi-directional traffic between the LAN and the IPSEC tunnel.

15 Create the NAT IP rule sets so that internal hosts reach the Internet by NAT through the wan1 interface.

Branch office

Page 122

Scenario 1 Hands-on 1

1 Create the IPSec objects, and change the IP addresses of wan1 and lan1 and the subnet masks of lan1 and wan1, under the Address Book.

2 Under the Authentication Objects, add the pre-shared key (value: testtest).

HQ

Page 123

Scenario 1 Hands-on 2

3 For the IKE algorithms, we choose one of the default proposal lists, Medium, for high compatibility.

Note: why do we select a series of proposals on HQ? The HQ negotiates with the remote peer based on that proposal list; if no proposal can be matched, we receive the log message "No proposal chosen" on both peers.

HQ
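As an added example (not part of the training material), this Python audit walks the consistency checklist of page 106 over two tunnel configurations and reproduces the "No proposal chosen" outcome described in the HQ note above: the responder takes the first proposal in the initiator's list that it also supports, and if none matches, phase 1 (or phase 2) fails. The proposal lists, DH group and PFS values for scenario 1 are constructed assumptions; in particular, the real contents of the DFL "Medium" default list are not given on the page.

```python
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    encryption: str      # e.g. "3DES", "AES-128"
    integrity: str       # e.g. "SHA1", "MD5"


@dataclass(frozen=True)
class Peer:
    name: str
    local_net: str
    remote_net: str
    psk: str
    ike_mode: str        # "main" or "aggressive"
    dh_group: int        # 1, 2 or 5
    pfs: bool
    encapsulation: str   # "tunnel" or "transport"
    ike_proposals: tuple    # Proposal entries, in the order they are offered
    ipsec_proposals: tuple


def choose_proposal(offered: tuple, supported: tuple) -> Optional[Proposal]:
    """Responder walks the initiator's list in order and takes the first entry
    it also supports; None is the "No proposal chosen" outcome."""
    for p in offered:
        if p in supported:
            return p
    return None


def check_tunnel(initiator: Peer, responder: Peer
                 ) -> Tuple[List[str], Optional[Proposal], Optional[Proposal]]:
    """Offline config audit with both configurations in hand: list every
    mismatch on the page-106 checklist and report the proposals that would
    be chosen for IKE phase 1 and phase 2."""
    problems: List[str] = []
    if initiator.remote_net != responder.local_net:
        problems.append(f"{initiator.name} remote net {initiator.remote_net} != "
                        f"{responder.name} local net {responder.local_net}")
    if initiator.local_net != responder.remote_net:
        problems.append(f"{initiator.name} local net {initiator.local_net} != "
                        f"{responder.name} remote net {responder.remote_net}")
    if initiator.psk != responder.psk:
        problems.append("pre-shared keys differ")
    for attr in ("ike_mode", "dh_group", "pfs", "encapsulation"):
        a, b = getattr(initiator, attr), getattr(responder, attr)
        if a != b:
            problems.append(f"{attr}: {a} vs {b}")
    ike = choose_proposal(initiator.ike_proposals, responder.ike_proposals)
    if ike is None:
        problems.append("IKE phase 1: No proposal chosen")
    ipsec = choose_proposal(initiator.ipsec_proposals, responder.ipsec_proposals)
    if ipsec is None:
        problems.append("IKE phase 2 (IPsec): No proposal chosen")
    return problems, ike, ipsec


# Constructed stand-in for the HQ "Medium" list (real contents not on the page).
MEDIUM = (Proposal("AES-128", "SHA1"), Proposal("3DES", "SHA1"), Proposal("3DES", "MD5"))


def branch() -> Peer:
    """DFL-800 from scenario 1: single 3DES-SHA1 / 3DES-MD5 proposals."""
    return Peer("DFL-800", "192.168.1.0/24", "192.168.123.0/24", "testtest",
                "main", 2, False, "tunnel",
                (Proposal("3DES", "SHA1"),), (Proposal("3DES", "MD5"),))


def hq() -> Peer:
    """DFL-1600 from scenario 1: mirrored nets, same PSK, Medium lists."""
    return Peer("DFL-1600", "192.168.123.0/24", "192.168.1.0/24", "testtest",
                "main", 2, False, "tunnel", MEDIUM, MEDIUM)


def audit_scenario1():
    return check_tunnel(branch(), hq())


def audit_hq_variant(**overrides):
    """Re-run the audit with some HQ parameters changed, e.g. a trimmed
    proposal list or a different DH group."""
    return check_tunnel(branch(), replace(hq(), **overrides))
```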

Page 124

Scenario 1 Hands-on 2-1

[Screenshot: Initiator's IPSEC failure logs.]

HQ

Page 125

Scenario 1 Hands-on 3

4 Under Interfaces, add the IPSEC tunnel interface.

5 In the General tab, set the necessary parameters for establishing the VPN:
Local Network: lan1net (192.168.123.0/24)
Remote Network: ipsec-remote-net (192.168.1.0/24)
Remote Endpoint: ipsec-endpoint1 (1.1.1.1)
Encapsulation Mode: Tunnel
IKE Algorithms: Medium
IKE Life Time: 28800 (seconds)
IPSec Algorithms: Medium
IPSec Life Time: 3600 (seconds)
IPSec Life Time: 0 kilobytes (unlimited)

HQ

Page 126

Scenario 1 Hands-on 4

6 Select the authentication method; in this scenario we use a pre-shared key (testtest).

7 The Xauth feature is not used in this scenario.

HQ

Page 127

Scenario 1 Hands-on 5

8 The routing page's settings are as below.

9 Make sure the IKE settings are the same as on HQ.

HQ

Page 128

Scenario 1 Hands-on 6

10 The Keep-alive feature.

11 Select the auto add route feature.

12 Put the IPSec and LAN1 interfaces into a group so that the IP rule sets can be configured easily.

HQ

Page 129

Scenario 1 Hands-on 7

14 Create the Allow (routing) IP rule sets for the bi-directional traffic between LAN1 and the IPSEC tunnel.

15 Create the NAT IP rule sets so that internal hosts reach the Internet by NAT through the wan1 interface.

HQ

Page 130

VPN-IPSEC Scenario 2 Hands-on

IPSEC-VPN: LAN to LAN (Non-split tunnel)

[Figure: DFL-800 (Branch office) with WAN1 1.1.1.1/24, GW 1.1.1.2, LAN 192.168.1.1/24 and Host B 192.168.1.60 (GW 192.168.1.1); DFL-1600 (Headquarter) with WAN1 5.5.5.5/24, GW 5.5.5.2, LAN1 192.168.123.1/24 and Host A 192.168.123.58 (GW 192.168.123.1); IPSEC Tunnel between them. Destinations shown: DS 192.168.123.58 and DS xx.xx.xx.xx, xx = ANY except the local and remote nets.]

Setup the Non-Split Tunnel

Page 131

VPN-IPSEC Scenario 1 Hands-on

Tips 1: For HQ settings

• Step 1 Set the IP address and default gateway for the physical interface if necessary.

• Step 2 Add a Pre-shared key object.

• Step 3 Create proposal lists for IPsec and IKE respectively if necessary.

• Step 4 Add the IPsec interface (Local net = all-nets).

• Step 5 Add IP Rules:
– Allow the bi-directional traffic (the LAN-to-LAN part).
– Create the NAT rule that lets the traffic from the IPSEC remote peer go out to the Internet.

• Step 6 Verify by CLI.

HQ

Page 132

VPN-IPSEC Scenario 1 Hands-on

Tips 2: For Branch settings

• Step 1 Set the IP address and default gateway for the physical interface if necessary.

• Step 2 Add a Pre-shared key object.

• Step 3 Create proposal lists for IPsec and IKE respectively if necessary.

• Step 4 Add the IPsec interface (Remote net: all-nets).

• Step 5 Add a static routing entry, as below, in the routing table.

• Step 6 Add the IP Rule allowing all of the traffic via the IPsec tunnel.

Branch office

Page 133

VPN-IPSEC Scenario 2 Hands-on

DFL-800-1

Based on the settings of scenario 1, we only have to change three parts on the DFL-800 to achieve the scenario 2 requirement.

1 In the General tab, change the Remote Network to "all-nets", whose value is 0.0.0.0/0; this means the DFL unit allows unknown traffic to go out via the IPSEC tunnel.

Branch office

Page 134

VPN-IPSEC Scenario 2 Hands-on

DFL-800-2

2 Under IP Rules, add an IP rule set allowing the LAN net users' outgoing traffic to pass through the IPSEC tunnel by routing.

3 Under the main routing table, add a static routing entry so that the DFL can initiate the IPSEC session to the remote peer (DFL-1600), whose IP address is 5.5.5.5.

Branch office

Page 135

VPN-IPSEC Scenario 2 Hands-on

DFL-800-3

Now we shall first check the whole routing status on the DFL-800 again, to make sure all of the traffic follows our direction.

Select Routes under the Status tab on the web GUI.

1. On the left page you can find two default route entries in the main routing table. Make sure the ipsec-tunnel has a lower metric value than WAN1, since all of the outgoing traffic must be put into the IPSEC tunnel and let the HQ do the centralized control.

2. Because the ipsec-tunnel does not yet exist in the main routing table before we initiate the IPSEC tunnel, we must tell the DFL unit how to contact the IPSEC remote peer (DFL-1600).

Branch office
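As an added example (not DFL or NetDefendOS code), the Python lookup below replays the routing check described on this page for the DFL-800 main table: longest prefix first, then the lower metric among the two default routes, and the static /32 entry from step 3 that keeps the HQ endpoint 5.5.5.5 reachable through wan1 instead of being swallowed by the all-nets route into the tunnel. The metric values 80 and 100 and the route list itself are constructed assumptions.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: str                 # destination, "0.0.0.0/0" is all-nets
    interface: str
    gateway: Optional[str] = None
    metric: int = 100


def lookup(table: List[Route], destination: str) -> Optional[Route]:
    """Longest prefix wins; among equal prefixes the lowest metric wins
    (assumed tie-break, matching the deck's 'lower metric' advice)."""
    dst = ipaddress.ip_address(destination)
    best: Optional[Route] = None
    best_len = -1
    for route in table:
        net = ipaddress.ip_network(route.network)
        if dst not in net:
            continue
        if net.prefixlen > best_len or (net.prefixlen == best_len and route.metric < best.metric):
            best, best_len = route, net.prefixlen
    return best


def branch_main_table(with_peer_route: bool = True) -> List[Route]:
    """DFL-800 'main' table once the tunnel is up (constructed; metrics assumed)."""
    table = [
        Route("192.168.1.0/24", "lan"),                             # lannet, directly connected
        Route("1.1.1.0/24", "wan1"),                                # wan1net, directly connected
        Route("0.0.0.0/0", "ipsec-tunnel", metric=80),              # all-nets into the tunnel
        Route("0.0.0.0/0", "wan1", gateway="1.1.1.2", metric=100),  # default via the ISP
    ]
    if with_peer_route:
        # Step 3 of the deck: static entry so the DFL itself can reach the HQ endpoint.
        table.append(Route("5.5.5.5/32", "wan1", gateway="1.1.1.2"))
    return table


def egress(destination: str, with_peer_route: bool = True) -> str:
    """Interface the DFL-800 would send a packet for `destination` out of."""
    route = lookup(branch_main_table(with_peer_route), destination)
    return route.interface if route else "no route"
```

Without the /32 entry, `egress("5.5.5.5", with_peer_route=False)` resolves to the tunnel itself, which is the chicken-and-egg situation step 3 exists to avoid.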

Page 136

VPN-IPSEC Scenario 1 Hands-on

DFL-1600-1

Regarding the headquarter (DFL-1600) settings, we only have to adjust two components based on the settings of scenario 1.

1 In the General tab, change the Local Network to "all-nets", whose value is 0.0.0.0/0; this means the DFL unit accepts unknown traffic (by destination field) coming in via the IPSEC tunnel.

HQ

Page 137

VPN-IPSEC Scenario 1 Hands-on

DFL-1600-2

2 Under IP Rules, add an IP rule set allowing the traffic from the IPSEC tunnel to go out to wan1 using NAT.

HQ

Page 138

VPN-IPSEC Scenario 1 Hands-on

DFL-1600-3

Now we shall also check the whole routing status on the DFL-1600 again, to make sure all of the traffic follows our direction.

HQ

Page 139

L2TP-over-IPSEC For roaming user

[Figure: Road Warrior (Windows XP SP2, 5.5.5.60) connects through an L2TP-over-IPSEC Tunnel to the VPN Gateway DFL-1600 at 1.1.1.1, behind which is the Company Network 192.168.123.0/24.]

Page 140

L2TP-over-IPSEC For roaming user

Page 141

L2TP-over-IPSEC For roaming user: DFL-1600 settings 1/7

1 Create the IP pools and the L2TP server's IP address, and change the IP addresses of wan1 and lan1 and the subnet masks of lan1 and wan1, under the Address Book.

2 Under Authentication Objects, create a pre-shared key for use by the IPSEC tunnel.

Page 142

L2TP-over-IPSEC For roaming user: DFL-1600 settings 2/7

3 Under Interfaces, create the IPSEC interface for roaming users.

1. Why do I select wan1_ip as the Local Network? Because we must let the remote roaming users know that the firewall is the final destination. Alternatively you can set this value to all-nets and let the DFL unit automatically search for a suitable policy.

2. Since we do not know the roaming user's address, we also let the DFL unit automatically search for a suitable policy.

Page 143

L2TP-over-IPSEC For roaming user: DFL-1600 settings 3/7

4 Under Authentication, select the pre-shared key "ipsec-pre" that we created in step 2.

5 In this scenario we do not use the Xauth feature. Under the Routing field, enable the function "Dynamically Add Route To Remote Net..".

Page 144

L2TP-over-IPSEC For roaming user: DFL-1600 settings 4/7

6 Under IKE Settings:
IKEMode: Main (Mainmode)
DHGroup: 2
PFS: None
SetupSAPer: Host (Per host)
DeadPeerDetection: Yes
NATTraversal: OnIfNeeded (Only if needed)

Disable the Keep-alive feature.

Under Advanced: AutoInterfaceNetworkRoute: No

Page 145

L2TP-over-IPSEC For roaming user: DFL-1600 settings 5/7

7 Under the Interfaces field, add the L2TP server's interface; below are the step-by-step settings. Note that the field "Outer Interface Filter" shall be set to the IPSEC interface created in step 3.

Page 146

L2TP-over-IPSEC For roaming user: DFL-1600 settings 6/7

8 Add a Local User Database, then add a User Authentication rule.

Page 147

L2TP-over-IPSEC For roaming user: DFL-1600 settings 7/7

9 Add an Interface Group, grouping the L2TP and LAN1 interfaces for easy setup. Create the IP rule set allowing bi-directional traffic between the L2TP and lan1 interfaces.

Page 148

L2TP-over-IPSEC For roaming user: Windows XP settings 1/3

1 Check the status of the IPSEC service on Windows XP to make sure the IPSEC service is enabled.

Page 149

L2TP-over-IPSEC For roaming user: Windows XP settings 2/3

1 Under Network Connections, create a new connection and follow the procedure below to set it up.

Page 150

L2TP-over-IPSEC For roaming user: Windows XP settings 2/3

2 After the wizard's step-by-step settings, we shall adjust some advanced values so that the settings fit the DFL-1600.

Page 151

L2TP over IPsec for roaming users: confirmation 1/2

1. On the Windows platform, connect to the DFL-1600 and check the connection status; use the command-line tools “ipconfig” and “ping” to verify that the client obtained an IP address from the L2TP server.

Page 152

L2TP over IPsec for roaming users: confirmation 2/2

Under Status, select User Authentication Status.

Page 153

Thanks

Page 154

Appendix A

IPsec pass-through vs. NAT-T

Page 155

IPsec pass-through vs. NAT-T

IPsec pass-through

• IPsec pass-through is the old way of solving the problem where one of the IPsec peers is behind a NAT device.

• The feature is implemented in the NAT device, which acts as an intermediary during the IPsec exchange.

• There is no standard describing how to implement it, so each vendor has a different solution.

Page 156

IPsec pass-through vs. NAT-T

NAT traversal

• The new way of solving the same problem, where one of the remote peers is behind a NAT device.

• The feature is implemented on both peers of the IPsec tunnel.

• The function is enabled only when both peers support it and it is necessary.

• The feature fully replaces IPsec pass-through.

• The intermediate device is not involved in the process.

Page 157

IPsec NAT traversal on the DFL unit

• NAT traversal drafts supported by the NetDefendOS firewall (DFL-210/800/1600/2500):
  – draft-ietf-ipsec-nat-t-ike-00
  – draft-ietf-ipsec-nat-t-ike-01
  – draft-ietf-ipsec-nat-t-ike-02
  – draft-ietf-ipsec-nat-t-ike-03

Page 158

IPsec NAT traversal: when NAT-T is used

• Initiator hosts are behind the NAT device.

[Figure: Host A (DS-601) and Host B (DS-601) sit behind a NAT device and reach the IPsec server (WAN1: 5.5.5.5/24) across the Internet through IPsec tunnel 1 and IPsec tunnel 2.]

Both peers must support NAT traversal.

Page 159

IPsec NAT traversal: how it is detected

NAT traversal is only used if both ends have support for it. The table covers the four cases for Client A (a DS-601 behind a NAT device) connecting to the IPsec server (a DFL-800):

NAT traversal support      Case 1     Case 2        Case 3     Case 4
Client A (DS-601)          ✓          ✓             ✗          ✓
DFL unit                   ✓          ✓             ✓          ✗
NAT discovery              required   unnecessary   N/A        N/A
Result                     Enable     Disable       Disable    Disable
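As an added illustration of the detection table above (example code, not D-Link's), the following Python reproduces the four cases and, going beyond the slide, shows the NAT-D check that RFC 3947 uses for the “NAT discovery” step: each peer hashes its own address and port, and the receiver compares that hash with one computed from the address it actually saw. The IKE cookies, addresses and the choice of SHA-1 as the negotiated hash are assumptions for the example.

```python
import hashlib
import ipaddress

# Added example, not D-Link's code: the decision logic of the NAT-T table
# plus the RFC 3947 NAT-D check behind the "NAT discovery" row. Cookies,
# addresses and the use of SHA-1 as the negotiated hash are constructed.


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload per RFC 3947: HASH(CKY-I | CKY-R | IP | Port)."""
    data = (cky_i + cky_r + ipaddress.ip_address(ip).packed
            + port.to_bytes(2, "big"))
    return hashlib.sha1(data).digest()


def nat_detected(cky_i, cky_r, claimed_ip, claimed_port, seen_ip, seen_port):
    """The sender hashes the address it believes it has; the receiver hashes
    the source address it actually saw. A mismatch means a NAT rewrote it."""
    sent = nat_d_hash(cky_i, cky_r, claimed_ip, claimed_port)
    local = nat_d_hash(cky_i, cky_r, seen_ip, seen_port)
    return sent != local


def nat_t_decision(client_supports, dfl_supports, nat_present):
    """The four columns of the table: NAT-D runs only when both peers
    advertised NAT-T, and NAT-T is enabled only if NAT-D then finds a NAT."""
    if not (client_supports and dfl_supports):
        return {"nat_discovery": "N/A", "result": "Disable"}
    if nat_present:
        return {"nat_discovery": "required", "result": "Enable"}
    return {"nat_discovery": "unnecessary", "result": "Disable"}


if __name__ == "__main__":
    cky_i = bytes.fromhex("0011223344556677")   # constructed IKE cookies
    cky_r = bytes.fromhex("8899aabbccddeeff")
    # Host A (DS-601) claims its private address; the IPsec server sees the
    # NAT device's public address instead, so the NAT-D hashes differ.
    nat = nat_detected(cky_i, cky_r, "192.168.1.80", 500, "3.3.3.1", 500)
    print(nat_t_decision(True, True, nat))     # NAT found -> Enable
    # Same peer reaching the server directly: hashes match, NAT-T not needed.
    direct = nat_detected(cky_i, cky_r, "5.5.5.5", 500, "5.5.5.5", 500)
    print(nat_t_decision(True, True, direct))  # -> Disable
```

The real exchange carries two NAT-D payloads per peer (one for each end of the path); the single comparison here is enough to show why the “unnecessary” column ends in Disable.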

Page 160

Appendix B

VPN limitation and solution in DFL / DS-601

Page 161

IPsec limitation 1/4: remote peers behind NAT devices with the same identification

[Figure: DFL-800-A and DFL-800-B, each with WAN1: 192.168.1.80 and each behind a NAT device (NAT-device1: WAN1 3.3.3.1/24, LAN 192.168.1.1/24; NAT-device2: WAN1 1.1.1.1/24, LAN 192.168.1.1/24), serving the networks 192.168.80.0/24 and 192.168.90.0/24, build IPsec tunnel 1 and IPsec tunnel 2 across the Internet to the IPsec server (WAN1: 7.7.7.7/24, LAN1: 192.168.3.1) in front of the company network 192.168.3.0/24.]

The first IPsec session is replaced by the later one, because both remote peers present an identical ID in the IPsec tunnel.

Page 162

IPsec limitation 2/4: DFL solution

Change the local ID value on one of the remote peers.

Page 163

IPsec limitation 3/4: roaming users behind NAT devices with the same identification

[Figure: two DS-601 road warriors, Road Warrior 1 and Road Warrior 2, each with IP 192.168.1.80 and each behind a NAT device (NAT-device1 and NAT-device2, WAN addresses 1.1.1.1 and 3.3.3.3), build IPsec tunnel 1 and IPsec tunnel 2 across the Internet to the IPsec server (WAN1: 7.7.7.7/24, LAN1: 192.168.3.1) in front of the company network 192.168.3.0/24.]

The earlier IPsec session is replaced by the later one, because both remote peers present an identical ID in the IPsec tunnel.

Page 164

IPsec limitation 4/4: DS-601 solution

Change the Local ID value on one of the DS-601 clients. Note: at present the DFL unit supports four kinds of ID type:

1. IP address
2. IP subnet address
3. FQDN
4. User FQDN (so-called e-mail)
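To make the limitation and its fix concrete, here is an added Python model (example code, not D-Link's) of the server's tunnel table keyed by the remote peer's identity, covering the four ID types listed above; the peer labels, the FQDN and the validation rules are assumptions for the example. It shows the replacement that occurs when both DFL-800s present the IP-type ID 192.168.1.80, and how giving one peer a distinct FQDN local ID keeps both tunnels alive.

```python
import ipaddress
import re

# Added example, not D-Link's code: a tunnel table keyed by IKE identity,
# as the IPsec server keeps it. Two peers with the same ID look like one
# peer, so the later session bumps the earlier one. Names are constructed.

ID_TYPES = ("IP address", "IP subnet", "FQDN", "User FQDN")
_FQDN = re.compile(r"^(?=.{1,253}$)([a-z0-9-]{1,63}\.)+[a-z]{2,63}$", re.I)


def normalize_id(id_type: str, value: str) -> tuple:
    """Validate an identity of one of the four types and return a
    canonical (type, value) key so equivalent spellings collide."""
    if id_type == "IP address":
        return (id_type, str(ipaddress.ip_address(value)))
    if id_type == "IP subnet":
        return (id_type, str(ipaddress.ip_network(value, strict=False)))
    if id_type == "FQDN" and _FQDN.match(value):
        return (id_type, value.lower())
    if id_type == "User FQDN":
        user, _, host = value.partition("@")
        if user and _FQDN.match(host):
            return (id_type, f"{user}@{host.lower()}")
    raise ValueError(f"invalid {id_type!r} identity: {value!r}")


class TunnelTable:
    """One IPsec tunnel per remote identity."""

    def __init__(self):
        self.sessions = {}   # identity key -> peer label
        self.replaced = []   # (old peer, new peer) for sessions that were bumped

    def establish(self, peer: str, id_type: str, id_value: str) -> None:
        key = normalize_id(id_type, id_value)
        if key in self.sessions and self.sessions[key] != peer:
            self.replaced.append((self.sessions[key], peer))
        self.sessions[key] = peer   # later session wins


def demo(fixed: bool) -> TunnelTable:
    """Both DFL-800s sit behind NATs with WAN1 192.168.1.80. With fixed=True
    the second peer presents an FQDN local ID instead (the slide's solution)."""
    table = TunnelTable()
    table.establish("DFL-800-A", "IP address", "192.168.1.80")
    if fixed:
        table.establish("DFL-800-B", "FQDN", "dfl800b.example.com")
    else:
        table.establish("DFL-800-B", "IP address", "192.168.1.80")
    return table
```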

Page 165

Appendix C

Certificates

Page 166

L2TP over IPsec (certificates): with a certificate issued by a CA server

[Figure: the SC-CA server (root CA: SC's CA) issues Certificate 1 and Certificate 2; the DFL-1600 (WAN1: 1.1.1.1/24, LAN: 192.168.123.1/24) holds a gateway CA (DFL's self-signed CA) and trusts SC's CA; the road warrior (3.3.3.100) holds a personal certificate requested from the SC-CA server; the CA server keeps a revoke list and an enroll list. A further address label in the figure reads IP: 7.7.7.7.]

1. The roaming client sends the ISAKMP packet (proposal list) to initiate the IPsec tunnel.

2. The DFL replies with one of the suitable proposals requested by the initiator.

3. (Message #3) Send the NAT-discovery packet.

4. Send a certificate request to the initiator.

5. Encrypt the ISAKMP packet with its own certificate (PKI).

6. The VPN gateway asks the CA server whether the client's certificate is included in the enroll list (also called a CRL check, for certificate revocation list).

7. The CA server replies with the CRL to the DFL.

8. Approve the certificate from the roaming client.

9. Encrypt the sensitive data with the initiator's certificate (PKI).

Page 167

L2TP over IPsec (certificates): authentication is based on the certificate

• DFL requirements:
  – Gateway certificate
  – The X.509 certificate of the CA server
  – DNS setting

• Roaming client requirements:
  – Request an X.509 certificate for the end user from the CA server
  – Make sure the personal certificate is available
  – Install the personal certificate into the “Personal” certificate store of both “Local Computer” and “Current User”
  – Add the X.509 certificate of the CA server into the “Trusted Root Certification Authorities” store of both “Local Computer” and “Current User”
  – Enable L2TP over IPsec with certificate authentication.

Page 168

L2TP over IPsec (certificates): CA server settings

Preparing the CA server

Before you start using the CA server, one setting should be changed on it to simplify the creation of certificates:

Start the program Administrative Tools\Certification Authority.

Right-click on your CA server and select Properties.

Open the Policy Module tab and select Properties.

Select “Follow the settings in the certificate template...”.

This setting lets the CA server automatically issue a pending certificate request created from the web page dialogue.

Page 169

L2TP over IPsec (certificates): certificates

1. Save the CA server root certificate

• Open the page http://DFL.win2k3/certsrv with Internet Explorer and select Download a CA certificate...

• Select DER encoding and Download CA certificate. Choose a name for your CA root certificate (for example certnew.cer) and save it in a folder on the server.

Page 170

L2TP over IPsec (certificates): certificates

2. Generate client certificates

• Open the page http://DFL.win2k3/certsrv with Internet Explorer.

• Select Request a certificate, then advanced certificate request, then Create and submit a request to this CA.

• Enter the certificate information and select IPsec Certificate.

• Install the certificate and export it with a password from the MMC console (Certificates - Current User).

Repeat the steps for every client certificate.

Page 171

L2TP over IPsec (certificates): certificates

3. Generate the gateway certificate

• The generation procedure is the same as for the client certificate.

Repeat the steps for every gateway certificate.

Page 172

L2TP over IPsec (certificates): certificates

4. Preparing the gateway certificate for import

• Install the Crypto4 tool on your computer, then select the gateway certificate produced in step 3 and unpack it into two files: one is the certificate and the other is the private key, with the file extensions *.cer and *.key respectively.

Page 173

L2TP over IPsec (certificates): certificates

5. Importing certificates into the DFL

• Use the Certcache command to check the certificate status.

• Under Authentication Objects, add the CA certificate and the gateway certificate to the DFL unit respectively.

• Set the DNS value on the DFL unit so that it can download and check the CRL from the CA server.

• Save and Activate the DFL unit, then use the Certcache command to check the certificate status again.

Page 174

L2TP over IPsec (certificates): certificates

6. Importing certificates into Windows XP

• Run mmc.

• Choose Add/Remove snap-in and add the Certificates snap-in for both My user account and Computer account.

• Install the personal certificate (summer.pfx) into the Personal certificate store of both the user account and the computer account.

• Install the CA certificate (certnew.cer) into the Personal certificate store of both the user account and the computer account.

Repeat the steps so that both certificates are imported into both Current User and Local Computer.

Page 175

L2TP over IPsec (certificates): certificate - Windows client

7. Configure the Windows client

• Based on the previous scenario's settings, change the client's values as shown in the figure on the right.

Page 176

L2TP over IPsec (certificates): certificate - confirm

8. Confirm the result on the Windows platform.

Page 177

L2TP over IPsec (certificates): certificate - confirm

9. Confirm the result on the DFL-1600.

Page 178

VPN-IPsec: IPsec debug CLI

ipsecstats -ike -verbose (vpnstats -ike -verbose)

ipsecstats -ipsec -verbose (vpnstats -ipsec -verbose)

ipsecstats -ipsec -u (vpnstats -ipsec -u)

ipsecstats -ike -u (vpnstats -ike -u) -- IKE utilization

ikesnoop -on -verbose

killsa -all

ipsecglobalstats -verbose