1999/12/08 (revised 12/10)

ComOS 3.9b26 Open Beta Release Note for the PortMaster 3

________________
Introduction

The new Lucent Technologies ComOS(R) 3.9b26 open beta software release is now available for the PortMaster(R) 3 Integrated Access Server. This open beta release is provided at no charge to all Lucent customers, but is recommended only for customers who wish to test the new functionality before the general availability (GA) release of ComOS 3.9. Command syntax for new commands might change between this open beta release and the general availability release of ComOS 3.9.

This release note documents commands and features added between ComOS 3.8.2 and ComOS 3.9b26 on the PortMaster 3. This release note applies only to the PortMaster 3. The modem code in ComOS 3.9b26 is the same modem code included in ComOS 3.9b22 and ComOS 3.9b24 for the PortMaster 3.

Before upgrading, thoroughly read "ComOS 3.9b26 Limitations" and "Upgrade Instructions."

WARNING! Due to the increased size of ComOS, the amount of nonvolatile RAM (NVRAM) available for saving configurations has been reduced from 128KB to 64KB. PortMaster products with configurations greater than 64KB will lose some of their configuration. For this reason, be sure to back up your PortMaster configuration before upgrading to this release. You can check the amount of memory used for your configuration with the "show files" command. Ignore any files that also include an uncompressed size.

WARNING! The PortMaster 3 must be running ComOS 3.5 or later to upgrade to ComOS 3.9b26. If you are running an earlier release of ComOS, upgrade to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b26.

NOTE: Any PortMaster running ComOS 3.9b26 requires 4MB of dynamic RAM (DRAM). Use 16MB if you are running the Border Gateway Protocol (BGP).
_______________
Export Restrictions

This release of ComOS 3.9b26, available to any Lucent customer worldwide, does not include support for the Data Encryption Standard (DES) and Triple DES (3DES) encryption methods. However, the Authentication Header (AH) RSA Data Security, Inc. MD5 Message-Digest Algorithm (MD5) authentication feature of the IPSec encryption ("coprocessor") card is available worldwide and is included in ComOS 3.9b26.

Because of export restrictions, the DES and 3DES features for ComOS 3.9b26 will be handled on a case-by-case basis outside of the standard release process. Any US-owned or Canadian-owned company wishing to obtain this feature should call Cary Hayward at 1-925-730-2637. This restricted release of ComOS 3.9b26enc168, which supports DES and 3DES, is available to Lucent customers in the United States and Canada only. To use DES or 3DES for encrypting data payloads, you must install the IPSec encryption card (PM3-VPN).

Versions of ComOS 3.9b26 supporting DES and 3DES on the IPSec encryption card will be made available to customers in other countries as export licensing permits. Licensing approval is being sought at this time.

For more information, see the sections on "Virtual Private Network (VPN) Tunneling" and "IPSec Encryption Card for the PortMaster 3".
_______________
Contents

Introduction
Export Restrictions
Bugs Fixed in ComOS 3.9b26
Reconfiguring NVRAM
New Features in ComOS 3.9b26
    RADIUS Authentication Failover
    RADIUS Accounting Retry Interval and Count
    Non-Facility Associated Signaling (NFAS)
    Layer 2 Tunneling Protocol (L2TP)
    Virtual Private Network (VPN) Tunneling
    IPSec Encryption Card for the PortMaster 3
    Network Address Translator (NAT)
    Assigned IP for Dial-Out Locations
    Port Required for Telnet Device Service
    Enhanced PMVision Support
Configuring NFAS
Configuring L2TP
Configuring VPN Tunneling
Configuring NAT
ComOS 3.9b26 Limitations
Troubleshooting Modems
Upgrade Instructions
Technical Support

_______________
Bugs Fixed in ComOS 3.9b26

* The Point-to-Point Protocol (PPP) counters are now always reset when a port is initialized. Previously, incorrectly set counters sometimes caused the second link of a PPP multilink connection to fail.

* The PortMaster 3 no longer retains a remote router's Multichassis PPP (MCPPP) master entry after the router disconnects. Previously, under certain conditions, the master entry remained after disconnection and prevented the PortMaster from routing the packets of this remote router when it dialed in again.

* Simple Network Management Protocol (SNMP) access to the serial table for PortMaster user information now works properly. Earlier versions of this release reported "No Response."

* A sporadic reboot problem has been fixed. The stack trace displayed the message "Assertion failed: nbuf_p->bytes_left, file mdp_os.c, line 1586" when this problem occurred.

* Unauthorized Telnet connections are now timed out after 2 minutes.

* The "set maximum pmconsole" command now takes effect immediately. Previously, active connections on port 1643 had to be reset before changes were applied.

* Output for the "set debug ?" command has been enhanced.

* A RADIUS Login-User with the telnet login service no longer generates a Framed-User start record erroneously.
* The AH and Encapsulating Security Payload (ESP) protocols now work together.

* An administrative reset of a Layer 2 Tunneling Protocol (L2TP) session now generates only one stop record instead of two.

* Accounting records for a RADIUS Administrative-User logging in to port S0 now show the correct service type.

* Administrative logins logged to syslog no longer have the password sent in clear text.

* The authentication packet sent for telnet logins now reports the correct user type to the access log. Previously, the authentication packet erroneously reported a user type of Outbound-User.

* Startup and shutdown accounting packets are now resent like other accounting packets.

* When the PortMaster 3 receives an incoming V.110 setup request, it now returns the message "Cause 88 Incompatible Destination." Previously, the message "Release Complete with the Cause 17 User Busy" was erroneously returned.

* The "show sessions" command no longer returns garbage characters at the end of a 12-character location name.

* The "show table location" command now shows the full location name.

* The command "set user protocol ppp" no longer deletes the Point-to-Point Protocol (PPP) asynchronous map.

* The attributes associated with the user are now deleted when the user entry is deleted. For example, if a network user (netuser) named lee configured with NAT is deleted, the old NAT configuration parameters are no longer listed for any new user named lee.

* When the call-check feature has been enabled ("set call-check on"), callback users specified through RADIUS are now authenticated.

* If a RADIUS menu user fails over a Telnet connection, an administrative user is now allowed to telnet in. Previously, the administrative user was rejected until the PortMaster 3 was rebooted.

* RADIUS accounting records for an L2TP access concentrator (LAC) now include the Tunnel-Server-Endpoint information. This information was not provided in previous releases.
* When routing is disabled on a WAN port, the port status now reflects this condition.

* BGP summarization settings that are configured with the "set bgp summarization" command are now saved after you enter "save all" and "reset bgp." Previously, only settings configured with the "add bgp summarization" command were saved.

* Subnets included as part of an OSPF area range are now advertised as internal OSPF routes. If not included as part of the range, they are advertised as OSPF type 2 external (E2) routes. In previous releases, the PortMaster 3 advertised routes in this way when they were part of an assigned address pool, but not if they were subnets used to assign static IP addresses.

* OSPF configuration information is now saved during an upgrade from ComOS 3.7 to ComOS 3.9b26.

* Modem code fixes:

  - A downward spiraling upstream rate caused by an incorrect Link Access Procedure for Modems (LAPM) error check is fixed.

  - Rate reduction due to LAPM errors has been made less sensitive.

  - In the presence of LAPM retransmission errors, the modem code retrains to allow the link to adjust to a lower speed and improve throughput.

  - The number of disconnections from LAPM retrains within a retrain has been reduced.

  - The modem code now suspends LAPM transactions during any rate changes or retrains and thereby eliminates some connection failures, connections without error control, and some disconnections.

  - U.S. Robotics (USR) Telepath V.34 modems can now establish LAPM error correction. Previously under certain conditions, the modem was choosing too high a connection rate and was unable to establish LAPM error correction. The modem code now detects these conditions and forces the connection speed down by one rate to allow LAPM to be negotiated.

  - For all modems, retrain detection has been improved to prevent some client disconnections.

  - For modems with Rockwell Semiconductor Systems (RSS) K56flex chipsets, fast rate changes now work properly.
    Previously, a retrain was forced after a rate change. (RSS is now Conexant Systems Inc.)

  - A NO EC (no error control) connection problem with Cirrus Logic modems is fixed, and overall performance with Cirrus Logic modems is improved. Cirrus Logic modems are now supported by Ambient Technologies.

  - The number of rate renegotiations with USR/3Com and Cirrus Logic modems has been reduced because ComOS now allows the client modem to specify spectral shaping.

  - USR/3Com modem connections are now more reliable.

  - Rate renegotiation and retrain problems with USR/3Com and Rockwell HCF modems are fixed.

  - Connectability with USR/3Com and Rockwell HCF modems and LT Winmodems is improved.

  - Motorola SM56 modems can now connect with V.90.

  - A V.90-to-V.34 fallback problem, which can result in a disconnection, is fixed by earlier V.34 detection.

  - A-law V.90 connectability is improved.

  - K56flex connectability is improved by an increase in a K56flex timeout.

_______________
Reconfiguring NVRAM

After loading the new ComOS 3.9b26 and rebooting, look for messages like the following on the console screen to verify that ComOS has loaded successfully:

    Testing System Memory.... 1024K
    Checking Boot Rom....
    Calibrating.... 33MHz
    Starting FLASH Boot.....
    Loading Image at 0fff0000 17110
    flash copy complete
    Verifying Load Module Checksum...
    Starting Load Module ...
    Loading kernel... 691260 bytes
    Testing High Memory ... . 4096K
    Loading kernel extensions... 125952 bytes
    Async found in slot 1
    Found 11 ports....
    ether0 active ... 16K shared-RAM
    Reconfiguring FLASH...
    Malloc size 65534 at 18a208
    Opened modules STD file
    Read 64506 bytes at 18a208
    read 1 buffers
    Call flash format
    Call freecntl
    Call save
    Call f_open
    Write 64506 bytes at 18a208
    done - rebooting

_______________
New Features in ComOS 3.9b26

The following commands and features have been added in ComOS 3.9b26.
_______
RADIUS Authentication Failover

Authentication failover allows the PortMaster to dynamically switch primary and alternate RADIUS authentication servers according to their response. Use the following commands:

    set authentication interval Seconds
    set authentication failover on | off

The first command sets the response interval. The PortMaster sends a RADIUS access-request packet every "interval" number of seconds. If no response is received from the primary RADIUS server, the PortMaster switches or "fails over" to the secondary authentication server. The secondary RADIUS server then is treated as the primary, and is marked with an asterisk (*) in "show global" output.

    set authentication interval Seconds

    Seconds    A value between 1 and 255. The number of seconds that must elapse between RADIUS access-request retransmissions if the PortMaster receives no response. The default is 3 seconds, and 0 resets the value to the default. If the primary server does not respond, failover occurs after two times the Seconds value. For example, if "set authentication interval 6" is used, failover occurs in 12 seconds.

The second command enables the failover feature on the PortMaster 3:

    set authentication failover on | off

    on         If the primary server fails to respond three times in a row, the PortMaster sends the packet to both the primary and secondary servers for the next seven retransmissions. If the secondary server replies before the primary server, the PortMaster switches the primary and secondary servers. Then on the next login attempt, the PortMaster tries the secondary server first. If the secondary server fails to respond three times in a row, the PortMaster sends the packet to both servers and designates the server that replies first as the new primary server.

    off        The PortMaster 3 always tries the primary server first, same as the current behavior. This is the default.
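The failover rules above determine how long a dial-in user waits when the primary RADIUS server is silent, and when the two servers swap roles. The following model, added here as an illustration and not ComOS code, plays those rules out: retransmit every "interval" seconds, and with failover on, after three unanswered sends to the primary, send to both servers for the next seven retransmissions and promote whichever answers first. The ten-send cap (3 + 7) is an assumption drawn from those two numbers, the rule that a reply only counts if it arrives before the next retransmission is an assumption, and the server names and latencies are constructed.

```python
"""Model of the RADIUS authentication failover behaviour described above.

Added illustration, not ComOS code. Assumptions: a reply counts only if it
arrives before the next retransmission, and the PortMaster gives up after the
three primary-only sends plus the seven dual sends (ten in total).
"""

PRIMARY_ONLY_TRIES = 3      # primary must fail this many times in a row
DUAL_SEND_TRIES = 7         # then both servers get the next seven retransmissions


class AuthFailoverModel:
    def __init__(self, primary, secondary, interval=3, failover=True):
        if interval == 0:
            interval = 3                        # 0 resets the value to the default
        if not 1 <= interval <= 255:
            raise ValueError("interval must be between 1 and 255")
        self.primary = primary
        self.secondary = secondary
        self.interval = interval
        self.failover = failover

    def login(self, latency):
        """Simulate one access-request for a login attempt.

        latency maps server name -> seconds until it replies, or None if it
        never replies. Returns who answered, when, whether the roles were
        swapped, and every (time, targets) send that was made."""
        sends = []
        failures = 0
        for attempt in range(PRIMARY_ONLY_TRIES + DUAL_SEND_TRIES):
            t = attempt * self.interval
            dual = self.failover and failures >= PRIMARY_ONLY_TRIES
            targets = [self.primary, self.secondary] if dual else [self.primary]
            sends.append((t, list(targets)))
            # Only replies that beat the next retransmission count (assumption).
            replies = [(latency[s], s) for s in targets
                       if latency.get(s) is not None and latency[s] < self.interval]
            if replies:
                # The primary wins ties; a swap needs the secondary to be strictly faster.
                replies.sort(key=lambda r: (r[0], r[1] != self.primary))
                delay, winner = replies[0]
                swapped = winner != self.primary
                if swapped:
                    self.primary, self.secondary = self.secondary, self.primary
                return {"answered_by": winner, "elapsed": t + delay,
                        "swapped": swapped, "sends": sends}
            failures += 1
        return {"answered_by": None, "elapsed": len(sends) * self.interval,
                "swapped": False, "sends": sends}


if __name__ == "__main__":
    # Constructed scenario: radius1 is down, radius2 answers in half a second.
    model = AuthFailoverModel("radius1", "radius2", interval=3)
    result = model.login({"radius1": None, "radius2": 0.5})
    for t, targets in result["sends"]:
        print(f"t={t:>3}s  sent to {', '.join(targets)}")
    print(f"answered by {result['answered_by']} after {result['elapsed']}s;"
          f" primary is now {model.primary}")
```

With the default 3-second interval the first login during a primary outage is answered only after the fourth send, and every later login goes straight to the promoted server, which is the latency difference the operator sees between a cold and a warm failover.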
_______
RADIUS Accounting Retry Interval and Count

The PortMaster attempts to send each RADIUS accounting packet every "interval" seconds, and sends it the "count" number of times before giving up. If an acknowledgment is received from the RADIUS accounting server, the PortMaster no longer tries to resend the accounting packet. If no acknowledgment is sent from the primary server in response to the first packet, the PortMaster sends the packet to both the primary and secondary RADIUS accounting servers.

    set accounting count Number
    set accounting interval Seconds

    Number     A decimal number between 1 and 99. The number of times the PortMaster sends a RADIUS accounting packet without acknowledgment from a RADIUS server.

    Seconds    A decimal number between 1 and 255. The number of seconds that must elapse between RADIUS accounting packet retransmissions if not acknowledged by the accounting server. The default is 30 seconds.

Use the "show global" command to view the Accounting Count and the Accounting Interval settings.

Examples:

    Command> set accounting count 45
    Accounting retry count changed from 23 to 45

    Command> set accounting interval 60
    Accounting retry interval changed from 30 to 60 sec

_______
Non-Facility Associated Signaling (NFAS)

Non-facility associated signaling (NFAS) is a service offered by telephone companies that permits a single D channel to provide the signaling for a group of ISDN Primary Rate Interfaces (PRIs). This service allows the channel that is normally used for signaling on the remaining PRIs to be used as a B channel. Because combining the signaling onto a single D channel increases the consequences if communication with that channel fails, some telephone companies use the D channel backup (DCBU) system. DCBU requires two D channels per NFAS group, one as a primary and one as a secondary. The Lucent ComOS implementation of NFAS supports both standard NFAS and NFAS with DCBU across up to 20 PRIs.
See the section titled "Configuring NFAS" for NFAS configuration information. For more information about NFAS commands, see the PortMaster Command Line Reference. For detailed configuration information, see the PortMaster Configuration Guide.

_______
Layer 2 Tunneling Protocol (L2TP)

ComOS 3.9b26 on the PortMaster 3 supports Layer 2 Tunneling Protocol (L2TP). You can configure the PortMaster 3 as both an L2TP access concentrator (LAC) and an L2TP network server (LNS).

See the section titled "Configuring L2TP" for L2TP configuration information. For more information about L2TP commands, see the PortMaster Command Line Reference. For detailed configuration information, see the PortMaster Configuration Guide.

_______
Virtual Private Network (VPN) Tunneling

ComOS 3.9b26 on the PortMaster 3 supports virtual private networks (VPNs) and IP Security (IPSec). A properly configured PortMaster is capable of tunneling using the IP Encapsulation within IP (IPIP) and IPSec protocols and a Lucent proprietary Proxy Tunnel protocol. Tunneling allows you to create custom network topologies that are independent of the underlying physical topology of the network, with or without additional security and authentication.

See the section titled "Configuring VPN Tunneling" for more information. For more information about VPN tunneling commands, see the PortMaster Command Line Reference. For detailed configuration information, see the PortMaster Configuration Guide.

_______
IPSec Encryption Card for the PortMaster 3

ComOS 3.9b26 now supports the IPSec encryption ("coprocessor") card for the PortMaster 3 (PM3-VPN). To use IPSec, you must install the IPSec encryption card in the PortMaster 3, into the same interface on the motherboard used by the Stac compression card (PM3-CMP). The PortMaster 3 can support either the Stac compression card or the IPSec encryption card, not both. The PortMaster 3 does not require the IPSec encryption card to run the IPIP or Proxy Tunnel protocols.
The following message is displayed on the console port at boot time if the IPSec encryption card is installed correctly and operating:

    Found MIPS 4640 daughter board with 512Kb bytes of memory

The IPSec encryption card is booted from the file named "mipsboot" on the NVRAM file system. You can use the "show files" command to verify that this file exists. If it does not, you must upgrade your release of ComOS. To see which encryption algorithms and protocols are supported, use the "show ipsec modules" command.

_______
Network Address Translator (NAT)

ComOS 3.9b26 supports the network address translator (NAT) based on RFC 2663. The basic network address translator (basic NAT) maps IP addresses from one group to another, transparently to users and applications. The network address port translator (NAPT) is an extension to basic NAT, in which multiple network addresses and their TCP and UDP ports are mapped to a single network address and its ports. ComOS supports both basic NAT and NAPT for both outbound and inbound sessions. It also supports an "outsource" mode in which all NAT processing is done on the server side of the connection.

See the section titled "Configuring NAT" for more information. For more information about NAT commands, see the PortMaster Command Line Reference. For detailed configuration information, see the PortMaster Configuration Guide.

_______
Assigned IP for Dial-Out Locations

Use the following command to configure a dial-out location on the PortMaster 3 to receive a dynamically assigned address:

    set location Locname local-ip-address assigned | Ipaddress

    Locname    Name of a location table entry.

In previous releases of ComOS for the PortMaster 3, dial-out locations could not receive a dynamic address.

_______
Port Required for Telnet Device Service

The "set S0 service_device telnet" command now requires a TCP port number.

    set S0 service_device telnet Tport

    Tport      Specifies the TCP port for the connection. The range is from 1 to 65535.
Previously, if the port number was omitted, the PortMaster listened on port 23, the default Telnet port. This behavior caused problems for users telnetting to the PortMaster.

_______
Enhanced PMVision Support

Additional support has been added to ComOS 3.9b26 to allow PMVision(TM) to monitor and configure ComOS 3.9b26 features on the PortMaster. See the most recent PMVision release note for details.

_______________
Configuring NFAS

Non-facility associated signaling (NFAS) is a service offered by telephone companies that permits a single D channel to provide the signaling for a group of PRIs. This service allows the channel that is normally used for signaling on the remaining PRIs to be used as a B channel. Because combining the signaling onto a single D channel increases the consequences if communication with that channel fails, some telephone companies use the D channel backup (DCBU) system. DCBU requires two D channels per NFAS group, one as a primary and one as a secondary. The Lucent ComOS implementation of NFAS supports both standard NFAS and NFAS with DCBU across up to 20 PRIs.

See the "ComOS 3.9b26 Limitations" section before using NFAS.

_______
NFAS Configuration

To configure a line for NFAS operation, use the following command:

    set Line0 nfas primary | secondary | slave | disabled Identifier Group

    Line0        line0 or line1.
    primary      This PRI contains the primary D channel.
    secondary    This PRI contains the secondary D channel.
    slave        This PRI contains no D channel.
    disabled     Clears this PRI's NFAS configuration.
    Identifier   Number between 0 and 19 that is unique among all PRI interfaces in the same NFAS group.
    Group        Number between 1 and 99 identifying which NFAS group this PRI belongs to.

Example:

The following example shows how to configure four PortMaster 3s on a common Ethernet with two NFAS groups, one with DCBU and one without. Each group contains two PortMaster 3s.

NFAS bundle #1 (with DCBU)

PM3-1 (Line0 contains the primary D channel.
Line1 is a slave line.):

    set line0 nfas primary 0 1
    set line1 nfas slave 1 1
    save all
    reboot

PM3-2 (Line0 is a slave line, and Line1 contains the secondary D channel):

    set line0 nfas slave 2 1
    set line1 nfas secondary 3 1
    save all
    reboot

NFAS bundle #2 (without DCBU)

PM3-3 (Line0 contains the primary D channel, and Line1 is a slave line):

    set line0 nfas primary 0 2
    set line1 nfas slave 1 2
    save all
    reboot

PM3-4 (Line0 and Line1 are slave lines):

    set line0 nfas slave 2 2
    set line1 nfas slave 3 2
    save all
    reboot

_______
Displaying General NFAS Information

Several commands are available to display statistics and information specific to NFAS operation.

    show nfas

The "show nfas" command displays neighboring PortMaster products in the same NFAS group as this one and shows in-service D channel information and slave status.

    show nfas history

The "show nfas history" command displays the last 40 significant messages exchanged between this PortMaster and its neighbors.

    show nfas stat

The "show nfas stat" command displays the status of NFAS calls for PortMaster products in the same group(s) as this one.

_______
Displaying NFAS Debugging Information

A new debug command has been added to aid in diagnosing problems that might occur in testing.

    set debug nfas on | off

This command enables or disables the logging of NFAS events to the console. Remember to use "set console" before using this command, and "reset console" after turning off the debug process.

_______________
Configuring L2TP

ComOS 3.9b26 on the PortMaster 3 supports Layer 2 Tunneling Protocol (L2TP). You can configure the PortMaster 3 as both an L2TP access concentrator (LAC) and an L2TP network server (LNS). The implementation of L2TP in ComOS 3.9b26 is based on the latest IETF L2TP draft (revision 12 and 13 as of this writing). For specific details of operation and protocol implementation of L2TP, refer to the IETF Internet-Drafts.
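Returning to the NFAS configuration section above: because the "set Line0 nfas" commands are entered separately on each PortMaster 3 in a group, a mismatch (two primaries, a duplicated identifier, an identifier outside 0 to 19) is only discovered when the group comes up. The following checker, added here as an illustration and not ComOS or PMVision code, collects the commands from several devices and applies the constraints the command description states: identifier 0 to 19 and unique within a group, group 1 to 99, at most 20 PRIs per group, and (as an assumption from the DCBU description) exactly one primary and at most one secondary D channel per group. The device names PM3-1 to PM3-4 and their commands are the ones from the example; PM3-5 and PM3-6 are constructed to show failures.

```python
"""Consistency checker for NFAS group configuration spread across several
PortMaster 3s. Added illustration, not ComOS code."""
import re
from collections import defaultdict

NFAS_RE = re.compile(
    r"^\s*set\s+(line[01])\s+nfas\s+(primary|secondary|slave|disabled)"
    r"(?:\s+(\d+)\s+(\d+))?\s*$", re.IGNORECASE)

# The four-device example from the page (bundle #1 with DCBU, bundle #2 without).
PAGE_EXAMPLE = {
    "PM3-1": "set line0 nfas primary 0 1\nset line1 nfas slave 1 1\nsave all\nreboot",
    "PM3-2": "set line0 nfas slave 2 1\nset line1 nfas secondary 3 1\nsave all\nreboot",
    "PM3-3": "set line0 nfas primary 0 2\nset line1 nfas slave 1 2\nsave all\nreboot",
    "PM3-4": "set line0 nfas slave 2 2\nset line1 nfas slave 3 2\nsave all\nreboot",
}

# Constructed faulty group 3: identifier 0 reused, identifier 25 out of range,
# two secondary D channels.
BAD_EXAMPLE = {
    "PM3-5": "set line0 nfas primary 0 3\nset line1 nfas slave 0 3",
    "PM3-6": "set line0 nfas secondary 25 3\nset line1 nfas secondary 4 3",
}


def parse_nfas_commands(device, text):
    """Return (device, line, role, identifier, group) tuples from CLI text.
    Lines that are not 'set lineN nfas ...' (save all, reboot) are ignored."""
    entries = []
    for raw in text.splitlines():
        m = NFAS_RE.match(raw)
        if not m:
            continue
        line, role, ident, group = m.groups()
        if role.lower() == "disabled":
            continue                      # clears the configuration, nothing to check
        if ident is None or group is None:
            raise ValueError(f"{device}: {raw.strip()!r} needs Identifier and Group")
        entries.append((device, line.lower(), role.lower(), int(ident), int(group)))
    return entries


def load_configs(configs):
    """configs: dict device name -> CLI text. Returns all parsed entries."""
    entries = []
    for device, text in configs.items():
        entries.extend(parse_nfas_commands(device, text))
    return entries


def validate_nfas_groups(entries):
    """Return a list of problem strings; an empty list means the groups are consistent."""
    problems = []
    by_group = defaultdict(list)
    for device, line, role, ident, group in entries:
        if not 0 <= ident <= 19:
            problems.append(f"{device} {line}: identifier {ident} outside 0-19")
        if not 1 <= group <= 99:
            problems.append(f"{device} {line}: group {group} outside 1-99")
        by_group[group].append((device, line, role, ident))
    for group, members in sorted(by_group.items()):
        ids = [m[3] for m in members]
        for dup in sorted({i for i in ids if ids.count(i) > 1}):
            problems.append(f"group {group}: identifier {dup} used more than once")
        primaries = sum(1 for m in members if m[2] == "primary")
        secondaries = sum(1 for m in members if m[2] == "secondary")
        if primaries != 1:
            problems.append(f"group {group}: expected one primary D channel, found {primaries}")
        if secondaries > 1:
            problems.append(f"group {group}: more than one secondary D channel")
        if len(members) > 20:
            problems.append(f"group {group}: {len(members)} PRIs exceeds the 20-PRI limit")
    return problems


def summarize_groups(entries):
    """Per group: number of PRIs and whether DCBU (a secondary D channel) is present."""
    summary = {}
    for _, _, role, _, group in entries:
        s = summary.setdefault(group, {"pris": 0, "dcbu": False})
        s["pris"] += 1
        if role == "secondary":
            s["dcbu"] = True
    return summary


if __name__ == "__main__":
    for label, cfg in (("page example", PAGE_EXAMPLE), ("constructed bad", BAD_EXAMPLE)):
        entries = load_configs(cfg)
        print(label, summarize_groups(entries))
        for p in validate_nfas_groups(entries) or ["no problems"]:
            print("  ", p)
```

Run it against the saved configuration of every PortMaster 3 in a bundle before the "reboot" step, since the command takes effect only after the reboot and an inconsistent group surfaces as lost D-channel signaling rather than as a CLI error.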
L2TP allows PPP frames to be tunneled as follows from one PortMaster that answers an incoming call (the LAC) to another PortMaster that processes the PPP frames (the LNS):

    End user--->incoming call--->LAC--->LNS--->network access

NOTE: None of the IP addresses or networks used in the examples in this section are intended to refer to any actual real-world company or network assignment.

_______
Description and Applications

The Layer 2 Tunneling Protocol (L2TP) provides tunneling of PPP connections, to separate the functionality normally provided by a single network access server (NAS) into two parts:

* The L2TP access concentrator (LAC) provides the "physical" connection point between the telephone network (and therefore the dial-in user) and the host network.

* The L2TP network server (LNS) terminates the PPP sessions and handles the "server-side" of the connection, such as authentication of the user, routing network traffic to and from the PPP user, and so forth. The LNS does not have any physical ports, only virtual interfaces.

An outsourcer can use L2TP to provide dial-up ports to customers using a central, "shared" common physical dial-up pool. The pool resides in a shared access server (the LAC). The outsourcer's customers maintain a home gateway (the LNS) and some type of IP connectivity to the outsourcer. L2TP provides virtual dial-up ports to the outsourcer's customers. This use of L2TP is sometimes referred to as a virtual private dial-up network (VPDN).

The service is transparent to the customer because users still terminate PPP sessions on the customer network via the LNS. RADIUS authentication and accounting and IP address assignment are all done by the customer. The LAC does no PPP processing unless it is using partial authentication for determining the tunnel end point. It only accepts the call and establishes a tunnel to the LNS for that PPP session.
The tunnel can be established based upon Called-Station-Id or User-Name (where partial authentication occurs on the LAC before tunnel establishment). For example, if you use Called-Station-Id and call-check with L2TP, the session follows these steps:

1. The end user places a call.

2. The LAC detects the incoming call.

3. The LAC using call-check sends an authentication request to a RADIUS server containing the Called-Station-Id and Calling-Station-Id check items before answering the call.

4. If the RADIUS server accepts the user, an access-accept message is returned to the LAC along with information on how to create the L2TP tunnel for this session: the type of tunnel, IP address of the LNS, and so on.

5. The LAC then creates a tunnel to the LNS by encapsulating the PPP frames into IP packets and forwarding those packets to the LNS.

6. The LNS negotiates PPP normally with the end user.

_______
RADIUS Dictionary Updates for L2TP

Add the following lines to your RADIUS dictionary:

    VALUE      Service-Type            Call-Check   10
    VALUE      NAS-Port-Type           Virtual      5
    ATTRIBUTE  Tunnel-Type             64           integer
    ATTRIBUTE  Tunnel-Medium-Type      65           integer
    ATTRIBUTE  Tunnel-Server-Endpoint  67           string
    ATTRIBUTE  Tunnel-Password         69           string
    VALUE      Tunnel-Type             L2TP         3
    VALUE      Tunnel-Medium-Type      IP           1

The RADIUS daemon must be stopped and restarted to read the new dictionary.

_______
RADIUS User Profiles for L2TP

The user profiles for the LNS are the same as for your users who do not use L2TP. For the LAC, some new user profiles are required. Exactly which additional user profiles you add depends on whether you are using call-check or partial username-based tunneling on the LAC. The following profiles can be used on the RADIUS server serving the LAC for either approach:

    # Using Called-Station-Id with Call-Check to route callers who dial
    # 555-1313 to the LNS "172.16.1.221".
    # Note that the LNS address must be enclosed in double quotation
    # marks because it is sent as a string, not as a 32-bit integer.
    DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Tunnel-Type = L2TP,
            Tunnel-Medium-Type = IP,
            Tunnel-Server-Endpoint = "172.16.1.221"

    # Same as the previous profile, but with a shared secret to
    # authenticate the session to the LNS.

    DEFAULT Called-Station-Id = "5551313", Service-Type = Call-Check
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Tunnel-Type = L2TP,
            Tunnel-Medium-Type = IP,
            Tunnel-Password = "mrsparkle",
            Tunnel-Server-Endpoint = "172.16.1.221"

In both user profiles, the first line contains the RADIUS check item, with the Called-Station-ID being used to match the entry before the call is answered. The L2TP tunnel parameters from the matching entry are then sent in the RADIUS access-accept message. The Tunnel-Type specifies the tunneling protocol to be used. The Tunnel-Medium-Type specifies the transport medium over which the tunnel is created, IP for now. Tunnel-Server-Endpoint indicates the other end of the tunnel, the LNS in the case of L2TP. Note that the LNS address must be enclosed in double quotation marks because it is sent as a string, not as a 32-bit integer.

If you are not using call-check and are instead providing partial authentication based on User-Name, the following user profile works. The user "bgerald" dials in to the LAC, which initiates an L2TP tunnel on the user's behalf to LNS 172.16.1.55.

    bgerald Password = "wackamole"
            Tunnel-Type = L2TP,
            Tunnel-Medium-Type = IP,
            Tunnel-Server-Endpoint = "172.16.1.55"

_______
L2TP and RADIUS Accounting

The LAC and LNS both log user sessions to RADIUS accounting, but different accounting data is available from each. If you are using call-check to establish the tunnel, the LAC's accounting data shows the Calling-Station-Id, but not the user's name, because that information has not yet been passed over the link. The LNS accounting data shows both the Calling-Station-Id and the User-Name along with the assigned IP address.
If partial authentication (instead of call-check) is taking place on the LAC, then the username might be available to it. In that case, the username appears in the RADIUS accounting logs for both the LNS and the LAC. In both cases, the LNS shows the NAS-Port-Type as "Virtual", while the LAC shows the NAS-Port-Type set to the connection type of the physical interface. The LNS starts its NAS-Port numbering at 100.

_______
Redundant Tunnel Server End Points

To increase the robustness of L2TP, a user profile can be configured to contain redundant tunnel server end points. If the primary LNS fails, inbound L2TP tunnels can be redirected to other machines. Up to three redundant tunnel server end points can be specified. Any more than three are ignored by the LAC.

The following example shows a RADIUS user profile with multiple redundant tunnel server end points. Each tunnel server end point is preceded by the tunnel medium type for that tunnel.

    DEFAULT Service-Type = Call-Check, Called-Station-Id = "5551234"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Tunnel-Type = L2TP,
            Tunnel-Medium-Type = IP,
            Tunnel-Server-Endpoint = "192.168.11.2",
            Tunnel-Medium-Type = IP,
            Tunnel-Server-Endpoint = "192.168.11.17",
            Tunnel-Medium-Type = IP,
            Tunnel-Server-Endpoint = "192.168.230.97"

This feature provides redundant LNS backup, not load balancing.

_______
L2TP Command Summary

    set l2tp noconfig | disable | enable lac | enable lns
    set l2tp authenticate-remote on | off
    set l2tp secret [ Password | none ]
    show l2tp global | sessions | stats | tunnels
    reset l2tp [ stats | tunnel Number ]
    create l2tp tunnel udp Ipaddress [ Password | none ]
    set l2tp choose-random-tunnel-endpoint on | off
    set debug l2tp max | packets [Bytes] | setup | stats

Use the following command to have the PortMaster load the L2TP feature on startup:

    set l2tp noconfig | disable | enable lac | enable lns

    noconfig     Sets the PortMaster to have no L2TP configuration.
    disable      Sets L2TP off. L2TP is not used.
    enable lac   Sets the PortMaster to be a LAC.
    enable lns   Sets the PortMaster to be an LNS.

When the PortMaster is configured to be an LNS, the line ports are configured for T1 and cannot be used for dial-in. The virtual S0 ports follow the W1 ports.

Example:

    Command 0> set l2tp enable lns
    L2TP LNS will be enabled after next reboot

After using the "set l2tp" command, you must use the "save all" command to save the configuration and the "reboot" command for the L2TP module to load.

_______
Configuring L2TP to Initiate Authentication

The following command configures L2TP to initiate tunnel authentication:

    set l2tp authenticate-remote on | off

    on           The PortMaster initiates authentication with the other end point of the tunnel before a tunnel is established. This is the default.
    off          The PortMaster does not initiate authentication.

This command determines only whether the PortMaster initiates the authentication. It does not determine how the PortMaster responds to an authentication request. The "set l2tp authenticate-remote" command functions the same on both a LAC and an LNS.

_______
Configuring an L2TP Secret

The "set l2tp secret" global command configures the L2TP password that the PortMaster uses to respond to all L2TP tunnel authentication requests. The L2TP secret takes effect only after you issue a "reset l2tp" command.

    set l2tp secret Password | none

    Password     String of up to 15 characters that the PortMaster uses to respond to L2TP tunnel authentication requests.
    none         Removes the L2TP secret. This is the default.

The "set l2tp secret" command sets the L2TP secret for the entire PortMaster. If a PortMaster configured as a LAC receives a tunnel authentication request, it uses the Tunnel-Password from the RADIUS access-accept packet, if present, instead of the global L2TP secret.
_______
Displaying L2TP Information

The following command shows information on how L2TP is functioning:

    show l2tp global | sessions | stats | tunnels

Examples:

    Command> show l2tp global
    debug packets
    debug stats
    debug setup
    Tunnel Authentication Enabled
    Initiation of Authentication Remote Tunnel Disabled
    Default Board Configuration

    Command> show l2tp sessions
    Id   Assign-Id   Tunnel-Id   Portname   State
    31   21          75          S1         ESTABLISHED fl=8045

    Command> show l2tp stats
    NEW_SESSION                 1
    NEW_TUNNEL                  4
    TUNNEL_CLOSED               3
    HANDLE_CLOSED               3
    L2TP_STATS_MEDIUM_HANDLE    3
    INTERNAL_ERROR             14
    CTL_SEND                    9
    CTL_REXMIT                  1
    CTL_RCV                    10
    MSG_CHANGE_STATE            4
    WRONG_AVP_VALUE             3
    EVENT_CHANGE_STATE          3

    Command> show l2tp tunnels
    Id   Assign-Id   Hnd   State           #Ses   Server-Endpoint   Client-Endpoint
    75   65          14    L2T_ESTABLISH   1      192.168.6.13      192.168.10.28

_______
Resetting L2TP

Use the "reset l2tp" command to reset an L2TP tunnel or the L2TP statistics counters.

    reset l2tp [ stats | tunnel Number ]

    stats    Resets the L2TP counters displayed by "show l2tp stats" to zero.
    tunnel   If no tunnel ID is specified, all L2TP tunnels are destroyed and all related PPP sessions are terminated.
    Number   A tunnel ID from 1 to 100. If a tunnel ID is specified, only that one tunnel is destroyed. The "show l2tp tunnels" command displays a list of active tunnel IDs.

_______
Creating an L2TP Tunnel Manually

The following command manually brings up an L2TP tunnel for testing and troubleshooting:

    create l2tp tunnel udp Ipaddress [ Password | none ]

    Ipaddress   IP address of the L2TP tunnel end point.
    Password    Password that the PortMaster uses when responding to a tunnel authentication request from the tunnel end point. If no password is specified, the global L2TP secret is used if configured.
    none        Sets the PortMaster to use the L2TP secret configured for it with the "set l2tp secret" command. This is the default.
Example:

    Command> create l2tp tunnel udp 149.198.110.19
    OK

_______
Selecting a Tunnel End Point

The following command determines in what order to choose an end point when multiple tunnel end points are returned in a RADIUS access-accept packet.

    set l2tp choose-random-tunnel-endpoint on | off

    on    Causes the tunnel end point to be chosen randomly from the list of tunnel end points returned by RADIUS.
    off   Selects the first tunnel end point that can be reached.

Normally, when L2TP is configured with multiple tunnel end points, the end points are chosen serially, always beginning with the first. If a tunnel cannot be established with the first, then the second is tried, and then the third. When this feature is enabled, a random tunnel end point is selected from those returned in the RADIUS access-accept packet.

_______
Debugging L2TP

The following command is used to troubleshoot L2TP problems:

    set debug l2tp max | packets Bytes | setup | stats

    max       Provides the same debugging as setup, packets, and stats combined.
    packets   Shows a representation of the L2TP packets, similar to the "ptrace dump" command.
    Bytes     0 to 1500, number of bytes to display.
    setup     Shows L2TP control messages and errors.
    stats     Displays information that appears in "show l2tp stats" in more detail.

Remember to use "set console" before using this command, and "reset console" after turning off the debug process.

_______________
Configuring VPN Tunneling

ComOS 3.9b26 on the PortMaster 3 supports virtual private networks (VPNs) and IP Security (IPSec). A properly configured PortMaster is capable of tunneling using the IP Encapsulation within IP (IPIP) and IPSec protocols and a Lucent proprietary Proxy Tunnel protocol. Tunneling allows you to create custom network topologies that are independent of the underlying physical topology of the network, with or without additional security and authentication.
For example, you can use VPN and IPSec to do the following on a PortMaster 3:

* Encapsulate, encrypt, and/or authenticate IP packets
* Outsource tunnels by user, location, or interface
* Redirect packets in the clear
* Perform UDP packet-forwarding services

IPSec tunneling encapsulates, encrypts, and/or authenticates IP packets. IPIP ("IP within IP") tunneling encapsulates IP packets inside IP packets, with no encryption or authentication. Proxy Tunnel is a Lucent proprietary tunneling protocol. Proxy Tunnel places IP packets into UDP packets with the RSA Data Security, Inc. MD5 Message-Digest Algorithm signature for authentication.

_______
Security Associations

The security of the communications between two nodes is described manually by a security association (SA) table entry. This security association describes the parameters necessary to accomplish the desired security (security association bundle) between a pair of gateway nodes. Multiple security associations can be created to match different security policies for different peers or types of traffic.

The following files are created in the PortMaster nonvolatile RAM file system:

    vpn        Contains the saved security association table.
    random     Contains random seed data for the next reboot.
    mipsboot   Encryption card image.

_______
VPN Command Summary

Use the following commands to configure VPN security associations. The commands for configuring security profiles are listed in the section "Configuring Security Profiles."
    show sa Saname
    show table sa
    show ipsec modules
    add sa Saname
    delete sa Saname
    reset ipsec [Ether0 | S0 | W1]
    set sa Saname ah-inb-key | ah-inbound-key Key/[Bits] | random
    set sa Saname ah-inb-spi | ah-inbound-spi SPI
    set sa Saname ah-outb-key | ah-outbound-key Key/[Bits] | random
    set sa Saname ah-outb-spi | ah-outbound-spi SPI
    set sa Saname esp-inb-key | esp-inbound-key Key/[Bits] | random
    set sa Saname esp-inb-spi | esp-inbound-spi SPI
    set sa Saname esp-outb-key | esp-outbound-key Key/[Bits] | random
    set sa Saname esp-outb-spi | esp-outbound-spi SPI
    set sa Saname local-address @ether0 | @ipaddress
    set sa Saname mode ipip-tunnel | proxy-tunnel | sec-ipip-tunnel | none
    set sa Saname peer-identifier Ipaddress
    set sa Saname proxy-destport Uport
    set sa Saname proxy-localport Uport
    set sa Saname proxy-secret Key/Bits
    set sa Saname sec-proposal Method1 [Method2]

    Saname      Security association name up to 15 characters long.
    Key         A number in decimal, hexadecimal or binary.
    Bits        The key length in bits optionally follows the key value, separated by a slash ("/").
    SPI         Number in decimal, hex or binary---a 32-bit value 256 or higher.
    Ether0      Ethernet interface.
    Ipaddress   IP address in dotted decimal format, or hostname up to 39 characters long.
    Uport       UDP port between 1 and 65535.
    Method1     Supported security method.
    Method2     Supported security method.

_______
Displaying Security Association Information

The "show sa Saname" command shows the entire configuration for the security association called Saname. The output varies with the protocol used for that security association. The command also displays the status of the IPSec encryption card (PM3-VPN) if the card is not installed or not operating correctly.

The "show table sa" command displays all security associations in a summary format.

The "show ipsec modules" command displays available Layer 3 VPN tunneling methods. See the section titled "IPSec Commands" for more information.
_______
Creating Security Associations

Use the following commands to create the security association and define the mode (protocol) that it uses:

    add sa Saname
    set sa Saname mode ipip-tunnel | proxy-tunnel | sec-ipip-tunnel | none

The "set sa Saname mode" command can also be used to change the mode of an existing security association. Setting the security association mode erases any keys that were previously associated with this security association.

    ipip-tunnel       Encapsulates packets into other IP packets. No security is provided. See the "IPIP Commands" section.
    proxy-tunnel      This is a Lucent proprietary tunneling protocol. Proxy Tunnel places IP packets into UDP packets with an MD5 signature for authentication. See the "Proxy Tunnel Commands" section.
    sec-ipip-tunnel   Encapsulates packets using the IPSec protocols in tunnel mode. See the "IPSec Commands" section.
    none              Null configuration mode. Packets received on this security association are dropped.

_______
Deleting Security Associations

The following command deletes a security association:

    delete sa Saname

_______
Common Security Association Configuration Commands

Each security association has a few common commands, and a few mode-specific commands. The common commands are listed in this section.

The following command sets the IP address of the peer at the other end of this tunnel.

    set sa Saname peer-identifier Ipaddress

The following command sets the IP address of this end of this tunnel. The default is to use the address of the Ether0 interface.

    set sa Saname local-address @ether0 | @ipaddress

_______
IPSec Commands

To set up a security association using IPSec, you must configure the following information. First, create the security association and set the mode to "sec-ipip-tunnel" as follows:

    add sa Saname
    set sa Saname mode sec-ipip-tunnel

Security Parameter Index:

The security parameter index (SPI) is a 32-bit number. The first 256 values are reserved and cannot be entered by users.
The inbound SPI set on an IPSec gateway must match the outbound SPI set on the peer. Be careful not to assign the same SPI to two security associations on the same PortMaster.

    set sa Saname ah-inb-spi | ah-inbound-spi SPI
    set sa Saname ah-outb-spi | ah-outbound-spi SPI
    set sa Saname esp-inb-spi | esp-inbound-spi SPI
    set sa Saname esp-outb-spi | esp-outbound-spi SPI

Examples:

    Command> set sa net172 esp-inbound-spi 11111111
    Command> set sa net172 esp-outbound-spi 11110000
    Command> set sa net172 ah-inbound-spi 11112222
    Command> set sa net172 ah-outbound-spi 22220000

AH and ESP Protocols:

Configure the security association to define the methods used for the Authentication Header (AH) and Encapsulating Security Payload (ESP) protocols. ESP is the method used to encrypt the actual data (the "payload") contained in a packet. AH is used to authenticate a packet. Authentication guarantees that the packet comes from the node with which you share a security association and was not tampered with during transit. Use the "show ipsec modules" command to see which methods are available.

To use both ESP and AH together, specify two methods. Otherwise, just specify one in the following command:

    set sa Saname sec-proposal Method1 [Method2]

The following methods are supported in ComOS 3.9b26:

    esp-des            Sets the ESP protocol for a security association using the US Data Encryption Standard-cipher block chaining (DES-CBC) encryption algorithm defined in RFC 2405. The keys must be exactly 64 bits in length.
    esp-des-rfc1827    Uses the DES-CBC encryption protocol defined in RFC 1827 and RFC 1829. The keys must be exactly 64 bits in length.
    esp-3des           Sets the ESP protocol for a security association using the Triple DES-CBC (3DES) encryption algorithm defined in RFC 2451. The keys must be exactly 192 bits in length.
    esp-3des-rfc1827   Uses the 3DES encryption protocol. The keys must be exactly 192 bits in length.
    ah-md5             Sets the AH protocol for a security association using MD5 and the authentication method defined in RFC 2403. The keys must be exactly 128 bits in length.
    ah-md5-rfc1826     Uses the MD5 hashing protocol defined in RFC 1826 and RFC 1828. The keys must be exactly 128 bits in length.
    ah-sha             Sets the AH protocol for a security association using the Secure Hash Algorithm (SHA-1) defined in RFC 2404. The keys must be exactly 160 bits long.

Use the following commands to set inbound and outbound keys for the chosen protocols:

    set sa Saname esp-inbound-key Key/[Bits] | random
    set sa Saname esp-outbound-key Key/[Bits] | random
    set sa Saname ah-inbound-key Key/[Bits] | random
    set sa Saname ah-outbound-key Key/[Bits] | random

    Saname   Security association name up to 15 characters long.
    Key      Decimal, hexadecimal, or binary key. The secret shared between the ends of a security association.
    /Bits    The key length in bits optionally follows the key value.
    random   Applies a randomly generated key and key length that match the requirements for the specified encryption method.

Example:

    Command> set sa net172 esp-inbound-key 0x0123456789abcd/64
    Command> set sa net172 esp-outbound-key 0x0123456789abcd/64
    Command> set sa net172 ah-inbound-key 0x0123456789abcd/128
    Command> set sa net172 ah-outbound-key 0x0123456789abcd/128

Although these examples use the same key for both inbound and outbound, and for both ESP and AH, Lucent recommends that you use different keys for each of these.

_______
Entering Static Keys

You can enter keys as the following types of numbers:

* Hexadecimal (hex)---base 16, starting with 0x
* Decimal (the default)---base 10
* Binary---base 2, starting with 0b

The key value is followed by a slash ("/") and the key length in bits. For example:

* 0x12345678/32 is a 32-bit key in hexadecimal.
* 346345/64 is a 64-bit key in decimal.
* 0b1000001/64 is a 64-bit key in binary.

Keys must fall on 8-bit boundaries.
Some protocols allow only specific key lengths, while others allow a range of lengths. ESP and AH protocols require specific key lengths. See the section "AH and ESP Protocols" for more information.

Keys are displayed in hexadecimal format. High-order bits not specified are zero-filled. For example, 0x12/32 is the same as 0x00000012/32. Once the key is entered, you cannot see it again.

The security of your network depends on picking appropriate keys. You can have the PortMaster generate a key by using the special key value "random". For example:

    set sa Saname esp-inbound-key random

This command generates a random key of the correct length for the protocol. You must then copy this key to the peer in a secure fashion.

NOTE: To configure secure keys and avoid unintended typing errors, Lucent recommends that you set a random value for each key on one node and then copy and paste it on the other node.

_______
IPIP Commands

To use the IPIP protocol, set the security association to IPIP mode using the following command:

    set sa Saname mode ipip-tunnel

_______
Proxy Tunnel Commands

To use the Lucent proprietary Proxy Tunnel protocol, set the security association mode using the following command:

    set sa Saname mode proxy-tunnel

Each end of the tunnel chooses a UDP port between 1 and 65535 for sending and receiving packets. Lucent strongly recommends using a port that does not conflict with well-known services. The same port number can be used at both ends, if desired.

    set sa Saname proxy-localport Uport
    set sa Saname proxy-destport Uport

Each end of the tunnel chooses a shared secret and configures it. Lucent supports secrets from 32 to 128 bits long, and each secret must be a multiple of 8 bits long.

    set sa Saname proxy-secret Key/Bits

    Saname   Security association name up to 15 characters long.
    Key      Number in decimal, hexadecimal, or binary. The secret shared between the ends of a security association.
    /Bits    Key length in bits.
    Uport    UDP port between 1 and 65535.
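The key and SPI rules spread over "Security Parameter Index", "AH and ESP Protocols", "Entering Static Keys" and "Proxy Tunnel Commands" (decimal, 0x hex or 0b binary values, a "/Bits" length on an 8-bit boundary, zero-filled hexadecimal display, an exact key length per method, 32-bit SPIs of 256 or higher, no SPI shared by two security associations, and each side's inbound SPI equal to the peer's outbound SPI) are easy to get wrong when typing a configuration by hand. The following Python is an added example, not ComOS code, that checks a planned configuration against those rules before it is entered. Its one assumption beyond the text is how a key with "/Bits" omitted is sized (the smallest multiple of 8 bits that holds the value); the random-key routine uses Python's `secrets` module and only mirrors the length the "random" keyword would pick.

```python
import secrets

# Exact key length (bits) required by each sec-proposal method ("AH and ESP Protocols").
KEY_BITS = {
    "esp-des": 64, "esp-des-rfc1827": 64,
    "esp-3des": 192, "esp-3des-rfc1827": 192,
    "ah-md5": 128, "ah-md5-rfc1826": 128,
    "ah-sha": 160,
}
SPI_MIN, SPI_MAX = 256, 0xFFFFFFFF   # 32-bit SPI; the first 256 values are reserved


def parse_number(text):
    """Decimal by default, hexadecimal with a 0x prefix, binary with a 0b prefix."""
    text = text.strip().lower()
    if text.startswith("0x"):
        return int(text[2:], 16)
    if text.startswith("0b"):
        return int(text[2:], 2)
    return int(text, 10)


def parse_key(text):
    """Parse "Key[/Bits]" into (value, bits) and enforce the 8-bit boundary rule.
    Assumption: with /Bits omitted, use the smallest multiple of 8 bits holding the value."""
    number, _, bits_text = text.partition("/")
    value = parse_number(number)
    bits = int(bits_text) if bits_text else max(8, (value.bit_length() + 7) // 8 * 8)
    if bits % 8:
        raise ValueError(f"key length {bits} does not fall on an 8-bit boundary")
    if value.bit_length() > bits:
        raise ValueError(f"key value does not fit in {bits} bits")
    return value, bits


def format_key(value, bits):
    """Displayed form: hexadecimal, unspecified high-order bits zero-filled."""
    return f"0x{value:0{bits // 4}x}/{bits}"


def check_key_for_method(method, key_text):
    """Validate a static key against the exact length its method requires."""
    value, bits = parse_key(key_text)
    if bits != KEY_BITS[method]:
        raise ValueError(f"{method} keys must be exactly {KEY_BITS[method]} bits, got {bits}")
    return format_key(value, bits)


def key_problem(method, key_text):
    """Linter form of check_key_for_method: the error text, or None when the key is fine."""
    try:
        check_key_for_method(method, key_text)
        return None
    except ValueError as err:
        return str(err)


def random_key(method):
    """What the "random" keyword produces: a fresh key of the right length for the method."""
    bits = KEY_BITS[method]
    return format_key(secrets.randbits(bits), bits)


def check_spi(text):
    """A 32-bit SPI of 256 or higher, entered in decimal, hex or binary."""
    spi = parse_number(text)
    if not SPI_MIN <= spi <= SPI_MAX:
        raise ValueError(f"SPI {spi} is outside {SPI_MIN}..{SPI_MAX}")
    return spi


def check_proxy_secret(text):
    """Proxy Tunnel secret: 32 to 128 bits, on an 8-bit boundary."""
    value, bits = parse_key(text)
    if not 32 <= bits <= 128:
        raise ValueError(f"proxy-secret must be 32 to 128 bits, got {bits}")
    return format_key(value, bits)


def peer_spi_mismatches(local, peer):
    """Each side's inbound SPI must equal the other side's outbound SPI.
    local and peer map "ah-inb", "ah-outb", "esp-inb", "esp-outb" to SPI numbers."""
    problems = []
    for proto in ("ah", "esp"):
        for mine, theirs in ((f"{proto}-inb", f"{proto}-outb"), (f"{proto}-outb", f"{proto}-inb")):
            if local[mine] != peer[theirs]:
                problems.append(f"local {mine} {local[mine]} != peer {theirs} {peer[theirs]}")
    return problems


def duplicate_spis(sa_table):
    """SPIs assigned to more than one security association on the same PortMaster."""
    owners = {}
    for sa_name, spis in sa_table.items():
        for spi in set(spis.values()):
            owners.setdefault(spi, set()).add(sa_name)
    return sorted(spi for spi, names in owners.items() if len(names) > 1)
```

Run against the "set sa net172" keys above, `check_key_for_method("esp-des", "0x0123456789abcd/64")` returns the zero-filled display form 0x000123456789abcd/64, while `key_problem("ah-md5", "0x0123456789abcd/64")` reports that ah-md5 needs a 128-bit key; `peer_spi_mismatches` applied to the two sides of the IPSec example later in this note returns an empty list.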
Example:

    Command> add sa lu77
    Command> set sa lu77 mode proxy-tunnel
    Command> set sa lu77 proxy-localport 1050
    Command> set sa lu77 proxy-destport 1051
    Command> set sa lu77 proxy-secret 0x123456789/64

_______
Configuring Security Profiles

A security profile defines the security association and policy filter used on a router interface. A profile can be attached directly to a network interface, user, or location, or can be assigned to a user with RADIUS. Security profiles use the security association and policy filters to transfer packets. Profile names can be up to 15 characters long.

Use the following commands to configure security profiles:

    show table sec-profile
    show sec-profile Profile
    show ipsec statistics
    add sec-profile Profile
    delete sec-profile Profile
    set Ether0 | S0 | W1 ipsec active-profile Profile
    set user Username ipsec active-profile Profile
    set location Locname ipsec active-profile Profile
    set sec-profile Profile blank
    set sec-profile Profile Profilerule pfilter | policy-filter Filtername | none
    set sec-profile Profile Profilerule static-sa Saname | none
    set Ether0 | S0 | W1 ipsec outsource-profile Profile
    set user Username ipsec outsource-profile Profile
    set location Locname ipsec outsource-profile Profile
    set Ether0 | S0 | W1 ipsec pda drop | icmp reject | passthrough
    set user Username ipsec pda drop | icmp reject | passthrough
    set location Locname ipsec pda drop | icmp reject | passthrough

    Profile       Security profile name up to 15 characters long.
    Profilerule   Rule number between 1 and 20.
    Filtername    Policy filter name up to 15 characters long.
    Saname        Security association name up to 15 characters long.

_______
Displaying Security Profile Information

The "show table sec-profile" command displays a summary of all the security profiles. The "show sec-profile Profile" command displays information about the security profile named.
The "show ipsec statistics" command displays a summary of all the security profiles and the traffic generated:

    Router     Profile     Sec-Assoc   Mode     In-pkts   Out-pkts   In-Bad   Out-Dropped
    PortType   Name                                                   Pkts     Pkts
    --- ------------------------------------------------------------------
    ether0     Active-pr   local       sec-ip   3678      4534       0        0
    ptp0       Active-pr   remote      ipip     2987      3768       0        0

_______
Adding Security Profiles

Use the following command to add a security profile:

    add sec-profile Profile

    Profile   Security profile name up to 15 characters long.

_______
Deleting Security Profiles

Use the following command to delete a security profile:

    delete sec-profile Profile

    Profile   Security profile name.

_______
Setting Security Profiles

Use the following commands to configure a security profile after adding it:

    set sec-profile Profile Profilerule policy-filter Filtername | none
    set sec-profile Profile Profilerule static-sa Saname | none

A profile can be an active profile, a passive profile, or an outsource profile.

You assign an active profile to a user, location, or interface that is configured as an end point of a tunnel. An active profile is applied to outbound traffic and identifies a set of peers with which the PortMaster knows how to communicate.

Passive profiles are not supported in this release.

You assign an outsource profile to a user, location, or interface that is not configured as an end point of a tunnel. An outsource profile refers to security associations established from any port of the PortMaster, based on the inbound traffic on a port. The policies set are based on the wire traffic, just as with the policies on other profiles.

_______
Policy Filters

Policy filters determine which data the PortMaster sends through its security profiles. Policy filtering takes place right before the PortMaster routes a packet. The packet is compared against all the defined policy filters in a security profile. If none apply, the packet is routed as usual, without any VPN processing.
NOTE: You must be very careful not to create security filters that overlap each other in their coverage. For example, IP address ranges in two filters might overlap. If two filters overlap, only one security association is applied to the packet and you cannot determine which one.

Policy filters are created like packet filters. For example, to process all packets destined for the network 10.200.1.0/24, you can create the following filter:

    add filter internal.sec
    set filter internal.sec 1 permit 0.0.0.0/0 10.200.1.0/24

Then you add and configure your security profile "examplespf":

    set sec-profile examplespf 1 policy-filter internal.sec

You can also selectively process only certain types of traffic and not others using "deny" statements. For example, you might use the following filter to encrypt all traffic except packets to TCP port 80 for HTTP:

    add filter internal.sec
    set filter internal.sec 1 deny tcp dst eq 80
    set filter internal.sec 2 permit

A "deny" keyword in a policy filter does not block packets that meet its criteria. Instead, the "deny" keeps the security association from being applied to those packets and passes the IP traffic through, unprocessed. If you want to block the traffic entirely, you must place input or output packet filters on the appropriate interface(s).

_______
Policy Deny Action

Use the following commands to determine what to do with packets denied by policy filters.

    set Ether0 | S0 | W1 ipsec pda drop | icmp reject | passthrough
    set user Username ipsec pda drop | icmp reject | passthrough
    set location Locname ipsec pda drop | icmp reject | passthrough

    drop          The PortMaster drops packets that do not fit the security profile. This is the default.
    icmp reject   The PortMaster rejects packets that do not fit the security profile and sends an ICMP reject message to inform the remote end of the tunnel.
    passthrough   The PortMaster transmits the packets with no VPN processing, even if they do not fit the security profile.
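The interplay between a profile's policy filter entries, the static security association each rule selects, the policy deny action, and the overlap problem described in the NOTE above can be checked before a configuration goes live. The following Python is an added example, not ComOS code, and it does not parse ComOS filter syntax: filter entries are given in structured form, the profile rules are evaluated in rule-number order with the first matching entry deciding (an assumption; the text does not state the evaluation order), a matching "permit" selects that rule's static SA, a matching "deny" hands the packet to the configured policy deny action, and no match at all means the packet is routed without VPN processing. The overlap check is an approximation that flags two permit entries whose source ranges, destination ranges and protocols can all coincide. The profiles and packets below are constructed from the 10.200.1.0/24 examples in the text.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

NET = ipaddress.ip_network
ANY = NET("0.0.0.0/0")


@dataclass
class FilterRule:
    """One "set filter NAME N permit|deny ..." entry in structured form."""
    action: str                               # "permit" or "deny"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: Optional[str] = None               # "tcp", "udp", ... or None for any protocol
    dport: Optional[int] = None               # destination port, as in "dst eq 80"

    def matches(self, pkt: dict) -> bool:
        return (pkt["src"] in self.src and pkt["dst"] in self.dst
                and (self.proto is None or self.proto == pkt["proto"])
                and (self.dport is None or self.dport == pkt.get("dport")))


@dataclass
class ProfileRule:
    """One security-profile rule: its policy filter and the static SA it selects."""
    number: int
    policy_filter: List[FilterRule]
    static_sa: str


def packet(src: str, dst: str, proto: str, dport: Optional[int] = None) -> dict:
    return {"src": ipaddress.ip_address(src), "dst": ipaddress.ip_address(dst),
            "proto": proto, "dport": dport}


def apply_profile(profile: List[ProfileRule], pkt: dict, pda: str = "drop"):
    """What the VPN subsystem does with pkt just before routing.

    Returns ("sa", Saname) when a permit entry matches, ("pda", action) when a
    deny entry matches (action is the configured policy deny action, "drop" by
    default) and ("route", None) when no policy filter applies at all.
    """
    for rule in sorted(profile, key=lambda r: r.number):
        for entry in rule.policy_filter:
            if entry.matches(pkt):
                if entry.action == "permit":
                    return ("sa", rule.static_sa)
                return ("pda", pda)
    return ("route", None)


def overlapping_rules(profile: List[ProfileRule]) -> List[Tuple[int, int]]:
    """Pairs of rule numbers whose permit entries can claim the same packet,
    which is the situation the NOTE warns about: only one SA gets applied and
    you cannot tell which. Approximation: sources intersect, destinations
    intersect and the protocols do not differ."""
    permits = [(r.number, e) for r in profile for e in r.policy_filter if e.action == "permit"]
    found = set()
    for i, (n1, e1) in enumerate(permits):
        for n2, e2 in permits[i + 1:]:
            if (n1 != n2 and e1.src.overlaps(e2.src) and e1.dst.overlaps(e2.dst)
                    and (None in (e1.proto, e2.proto) or e1.proto == e2.proto)):
                found.add((min(n1, n2), max(n1, n2)))
    return sorted(found)


# Constructed profiles. EXAMPLESPF is the second filter from the text (encrypt
# everything except TCP port 80) feeding a static SA named "corp"; NARROW is the
# first filter (only traffic to 10.200.1.0/24); OVERLAPPING adds a second rule
# whose destination range contains NARROW's, the mistake the NOTE describes.
EXAMPLESPF = [ProfileRule(1, [FilterRule("deny", proto="tcp", dport=80),
                              FilterRule("permit")], static_sa="corp")]
NARROW = [ProfileRule(1, [FilterRule("permit", src=ANY, dst=NET("10.200.1.0/24"))], "corp")]
OVERLAPPING = NARROW + [ProfileRule(2, [FilterRule("permit", dst=NET("10.200.0.0/16"))], "corp2")]

if __name__ == "__main__":
    print(apply_profile(EXAMPLESPF, packet("192.168.1.10", "10.200.1.5", "tcp", 80)))
    print(apply_profile(EXAMPLESPF, packet("192.168.1.10", "10.200.1.5", "tcp", 22)))
    print(apply_profile(NARROW, packet("192.168.1.10", "192.0.2.1", "udp", 53)))
    print(overlapping_rules(OVERLAPPING))
```

With the default policy deny action, HTTP traffic matching the "deny tcp dst eq 80" entry comes back as ("pda", "drop"); setting pda="passthrough" yields ("pda", "passthrough"), which matches the unprocessed pass-through that the "deny" keyword description calls for. Traffic to a destination outside every filter is ("route", None), and the overlap check on OVERLAPPING reports the pair (1, 2).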
_______
Filter Extensions

The IPSec and IPIP protocols use their own protocols on top of IP, instead of using UDP or TCP. You can filter these protocols in packet filter rules, as in this example:

    add filter eg
    set filter eg 1 permit esp
    set filter eg 2 permit ah
    set filter eg 3 permit ipip

You can also specify the protocol number in the filter as in this example:

    set filter eg 4 permit proto 4

IPIP is protocol type 4, ESP is protocol type 50, and AH is protocol type 51.

_______
Attaching a Security Profile to a Network Interface

Use the following command to attach a security profile to a network interface:

    set S0 | W1 | Ether0 ipsec active-profile Profile

    S0        Serial port.
    W1        Synchronous serial port.
    Ether0    Ethernet interface.
    Profile   Security profile name.

_______
Attaching a Security Profile to a User

Use the following command to attach a security profile to a user so that when the user logs in, the profile is attached to the user's interface:

    set user Username ipsec outsource-profile Profile

    Username   Name of a user in the user table.
    Profile    Security profile name.

_______
Attaching a Security Profile to a Location

Use the following command to attach a security profile to a location so that when the PortMaster connects to that location, the profile is attached to the resulting interface.

    set location Locname ipsec outsource-profile Profile

    Locname   Name of a location in the location table.
    Profile   Security profile name.

_______
Resetting VPN on a Port

The following command resets any VPN settings on the designated port:

    reset ipsec S0

    S0   Port name.

_______
Debugging and Troubleshooting VPN

The profiles keep statistics of their traffic. Use the "show ipsec statistics" command to show how much traffic was sent or received, and any invalid packets.
Use the "set console" command, along with the following debug commands, to display any errors generated:

    set debug ipsec-max | ipsec-packets | ipsec-state [ on | off ]
    show ipsec modules

The following command turns on all VPN debugging:

    set debug ipsec-max on

The following command shows packets processed by the VPN subsystem:

    set debug ipsec-packets on

The following command shows state changes in the processor in the IPSec encryption card:

    set debug ipsec-state on

Remember to use "reset console" after turning off the debug process.

The following command shows which protocols are in this ComOS, and provides version information for the "mipsboot" file that is run on the IPSec encryption card (PM3-VPN):

    show ipsec modules

_______
VPN Logging

Use the following commands to enable and disable the logging of VPN packet transmissions and rejections at a specified PortMaster interface, location, or user:

    set Ether0 | S0 | W1 ipsec log safail | sasuccess | syslog | console on | off
    set location Locname ipsec log safail | sasuccess | syslog | console on | off
    set user Username ipsec log safail | sasuccess | syslog | console on | off

The "safail" and "console" options are on by default.

    safail      Logs the inbound and outbound packets that are rejected by the security association.
    sasuccess   Logs the inbound and outbound packets that are successfully transmitted.
    syslog      Sends the log to syslog.
    console     Displays the log on the console.

_______
Using RADIUS with VPN

VPN parameters can be configured on a per-user basis with RADIUS. You must be running the Lucent RADIUS 2.1 server or another RADIUS server---such as the NavisRadius(TM) product---that supports vendor-specific attributes.
Add the following lines to your RADIUS dictionary, then stop and restart your RADIUS server:

    ATTRIBUTE   Vendor-Specific              26   string
    ATTRIBUTE   LE-Terminate-Detail           2   string    Livingston
    ATTRIBUTE   LE-Advice-of-Charge           3   string    Livingston
    ATTRIBUTE   LE-Connect-Detail             4   string    Livingston
    ATTRIBUTE   LE-SA-Id                      5   string    Livingston
    ATTRIBUTE   LE-IPSec-Log-Options          9   integer   Livingston
    ATTRIBUTE   LE-IPSec-Policy-Deny         10   integer   Livingston
    ATTRIBUTE   LE-IPSec-Active-Profile      11   string    Livingston
    ATTRIBUTE   LE-IPSec-Outsource-Profile   12   string    Livingston
    ATTRIBUTE   LE-IPSec-Passive-Profile     13   string    Livingston
    #
    # IPSEC PROTOCOL TYPES
    #
    VALUE   LE-IPSec-Log-Options   SA-Success-On    1
    VALUE   LE-IPSec-Log-Options   SA-Failure-On    2
    VALUE   LE-IPSec-Log-Options   Console-On       3
    VALUE   LE-IPSec-Log-Options   Syslog-On        4
    VALUE   LE-IPSec-Log-Options   SA-Success-Off   5
    VALUE   LE-IPSec-Log-Options   SA-Failure-Off   6
    VALUE   LE-IPSec-Log-Options   Console-Off      7
    VALUE   LE-IPSec-Log-Options   Syslog-Off       8
    #
    # IPSEC POLICY DENY ACTION VALUES
    #
    VALUE   LE-IPSec-Policy-Deny   Drop           1
    VALUE   LE-IPSec-Policy-Deny   ICMP-Reject    2
    VALUE   LE-IPSec-Policy-Deny   Pass-Through   3

Each RADIUS attribute or value corresponds to its command line equivalent. Refer to the usage information on a particular VPN command in this release note for more information.

Here is a sample RADIUS user profile for a user configured for VPN:

    pepi    Password = "notpepzi"
            Service-Type = Framed-User,
            Framed-Protocol = PPP,
            Framed-IP-Address = 255.255.255.254,
            Framed-IP-Netmask = 255.255.255.255,
            LE-IPSec-Log-Options = Console-On,
            LE-IPSec-Outsource-Profile = "mypro"

_______
Example VPN Tunneling Configurations

The following are three examples of VPN configuration. In each example, a remote office is configured to connect back to headquarters via an ISP. The first example uses an IPSec tunnel, the second uses an IPIP tunnel, and the third uses the Proxy Tunnel protocol. The remote office has a Frame Relay connection to a nearby ISP.
The office has been assigned the network 192.168.1.0/24. The corporate headquarters uses the network 172.16.0.0/16. Headquarters uses the packet filter rules for the AH and ESP protocols to configure a firewall that allows VPN traffic from the 192.168.1.0/24 network to pass through. Each location is using a PortMaster 3.

NOTE: These examples use simple keys for readability. For best results in your configurations, take advantage of the full length of the key.

NOTE: None of the IP addresses or networks used in the examples are intended to refer to any actual real-world company or network assignment.

Example 1 -- Using IPSec

Both locations are using the PortMaster 3 with the IPSec encryption card and need to do both encryption (ESP) and authentication (AH) using DES and MD5. The headquarters firewall is configured to allow IPSec traffic from the 192.168.1.0/24 network through, using the packet filter rules for AH and ESP.

* On the remote PortMaster 3, create security association "corp" with appropriate SPIs, keys, and filter. Then create security profile "corp_pro" and attach it to a synchronous serial port.
* On the PortMaster at headquarters, create security association "remote" with appropriate SPIs, keys, and filter. Then create security profile "remote_pro" and attach it to a synchronous serial port.
pm3-remote (192.168.1.254):

    add sa corp
    set sa corp mode sec-ipip-tunnel
    set sa corp peer-identifier 172.16.1.1
    set sa corp esp-inbound-spi 1001
    set sa corp esp-outbound-spi 1002
    set sa corp ah-inbound-spi 2001
    set sa corp ah-outbound-spi 2002
    set sa corp sec-proposal esp-des-rfc1827 ah-md5-rfc1826
    set sa corp esp-inbound-key 0x9876543210/64
    set sa corp esp-outbound-key 0x1234567890/64
    set sa corp ah-inbound-key 0x98761234/128
    set sa corp ah-outbound-key 0x12349876/128
    add filter corp.sec
    set filter corp.sec 1 permit 192.168.1.0/24 172.16.0.0/16
    add sec-profile corp_pro
    set sec-profile corp_pro 1 policy-filter corp.sec
    set sec-profile corp_pro 1 static-sa corp
    set w0 ipsec active-profile corp_pro
    save all

pm3-corp (172.16.1.1):

    add sa remote
    set sa remote mode sec-ipip-tunnel
    set sa remote peer-identifier 192.168.1.254
    set sa remote esp-inbound-spi 1002
    set sa remote esp-outbound-spi 1001
    set sa remote ah-inbound-spi 2002
    set sa remote ah-outbound-spi 2001
    set sa remote sec-proposal esp-des-rfc1827 ah-md5-rfc1826
    set sa remote esp-inbound-key 0x1234567890/64
    set sa remote esp-outbound-key 0x9876543210/64
    set sa remote ah-inbound-key 0x12349876/128
    set sa remote ah-outbound-key 0x98761234/128
    add filter remote.sec
    set filter remote.sec 1 permit 172.16.0.0/16 192.168.1.0/24
    add sec-profile remote_pro
    set sec-profile remote_pro 1 policy-filter remote.sec
    set sec-profile remote_pro 1 static-sa remote
    set w48 ipsec active-profile remote_pro
    save all

Example 2 -- Using IPIP

For IPIP, create new security associations "corp_ipip" and "remote_ipip". Then create an IPIP tunnel and add each new security association to the appropriate security profile as a static security association.
pm3-remote (192.168.1.254):

    add sa corp_ipip
    set sa corp_ipip mode ipip-tunnel
    set sa corp_ipip peer-identifier 172.16.1.1
    set sec-profile corp_pro 1 static-sa corp_ipip

pm3-corp (172.16.1.1):

    add sa remote_ipip
    set sa remote_ipip mode ipip-tunnel
    set sa remote_ipip peer-identifier 192.168.1.254
    set sec-profile remote_pro 1 static-sa remote_ipip

Example 3 -- Using Proxy Tunnel Protocol

For the Proxy Tunnel protocol, create new security associations "corp_prox" and "remote_prox". Then create a proxy tunnel and add each new security association to the appropriate security profile as a static security association.

pm3-remote (192.168.1.254):

    add sa corp_prox
    set sa corp_prox mode proxy-tunnel
    set sa corp_prox peer-identifier 172.16.1.1
    set sa corp_prox proxy-localport 1050
    set sa corp_prox proxy-destport 1051
    set sa corp_prox proxy-secret 0x123456789/64
    set sec-profile corp_pro 1 static-sa corp_prox

pm3-corp (172.16.1.1):

    add sa remote_prox
    set sa remote_prox mode proxy-tunnel
    set sa remote_prox proxy-localport 1051
    set sa remote_prox proxy-destport 1050
    set sa remote_prox proxy-secret 0x123456789/64
    set sec-profile remote_pro 1 static-sa remote_prox

_______
VPN Security Concerns

Be aware of the following security concerns when using VPN:

* Denial of Service. If a large amount of random data has a valid SPI, the IPSec encryption card must decrypt the data and then dump it as invalid. The unnecessary decryption degrades performance and can cause denial of service for encrypted traffic. However, because the CPU on the IPSec encryption card handles only encryption, unencrypted traffic is not interrupted. Legitimate, but very heavy, traffic can also cause this problem.
* No Byte Count. Most security protocols recommend that you do not use the same key for more than a certain number of bytes, depending on the protocol. Because the keys are manually configured, ComOS does not count the bytes sent with each key.
  As a result, you cannot automatically limit key use by byte count.

_______
VPN References

The implementation of VPN in ComOS is based on the information in the following sources:

* RFC 1321, The MD5 Message-Digest Algorithm
* RFC 1825, Security Architecture for the Internet Protocol
* RFC 1826, IP Authentication Header (AH)
* RFC 1827, IP Encapsulating Security Payload (ESP)
* RFC 1828, IP Authentication using Keyed MD5 (AH-MD5)
* RFC 1829, The ESP DES-CBC Transform (ESPDES)
* RFC 2003, IP Encapsulation within IP (IPIP)
* RFC 2403, The Use of HMAC-MD5-96 within ESP and AH
* RFC 2404, The Use of HMAC-SHA-1-96 within ESP and AH
* RFC 2405, The ESP DES-CBC Cipher Algorithm with Explicit IV
* RFC 2451, The ESP CBC-Mode Cipher Algorithms
* "Applied Cryptography", Bruce Schneier. New York, NY: John Wiley and Sons, Inc., 1994. (ISBN 0-471-59756-2):
  - Diffie-Hellman algorithm
  - DES algorithm and DES-CBC method
  - Triple-DES (3DES)

_______________
Configuring NAT

ComOS 3.9b26 supports the network address translator (NAT) based on RFC 2663. The basic network address translator (basic NAT) capability maps IP addresses from one group to another, transparently to users and applications. The network address port translator (NAPT) capability is an extension to basic NAT in which multiple network addresses and their TCP and UDP ports are mapped to a single network address and its ports. ComOS supports both basic NAT and NAPT for both outbound and inbound sessions. It also supports an "outsource" mode in which all NAT processing is done on the server-side of the connection.

NOTE: While this release note covers only the PortMaster 3, other PortMaster products support NAT and might be used in the examples in this section. None of the IP addresses or networks used in the examples are intended to refer to any actual real-world company or network assignment.

_______
Quick Setup of Outbound NAPT ("Many-to-One")

Outbound NAPT is very common in a small office/home office (SOHO) situation.
To configure, use the following command---entered all on one line:

set Ether0 | S0 | W1 | location Locname | user Username nat outmap defaultnapt

The port, location, or user is your connection to the outside world. For example, on a PortMaster dialing out to location "myisp" you enter the following:

set location myisp nat outmap defaultnapt

Then connect normally. You must reset the port if the connection has already been established. If this is a dial-on-demand location, then you must also reboot the PortMaster, or follow the instructions listed in the section "Handling Changes to On-Demand Locations."

With the "defaultnapt" NAT configuration, all the hosts behind the PortMaster will have their addresses translated to the IP address of the interface that is assigned to the location.

_______ NAT Concepts

This section explains some of the NAT terminology and provides hints to assist you in developing more complex NAT configurations. For example, you might want to allow inbound connections---external connections into a web server that resides behind the PortMaster running NAT. Or you might need to renumber your network and want to use basic NAT to avoid renumbering the entire network.

Private vs. Global IP Addresses:

Global IP addresses are accessible from anywhere on the Internet. They are "external" to the PortMaster running NAT---at another branch office, for example---because NAT is not limited to the Internet. External hosts do not generally recognize any internal private IP addresses that you might have assigned to your local hosts. Private IP addresses are usually taken from one of the following ranges defined in RFC 1918, which are reserved specifically for this purpose:

10.0.0.0 - 10.255.255.255 (10.0.0.0/8)
172.16.0.0 - 172.31.255.255 (172.16.0.0/12)
192.168.0.0 - 192.168.255.255 (192.168.0.0/16)

Lucent strongly recommends numbering your private IP network(s) with IP addresses from one of the reserved ranges rather than just selecting IP addresses randomly.
Inbound vs. Outbound Sessions:

A "session" in NAT is considered either inbound or outbound:

* An inbound session is initiated to a client behind the NAT router by a host external to a private IP network.
* An outbound session is initiated to an external host by a client within the NAT-covered private IP network.

Basic NAT vs. NAPT:

Basic NAT does a one-to-one mapping of a private IP address to a global IP address. You still must have a global IP address for every host with a private IP address that needs to connect to an external host at the same time. With basic NAT, you can configure dynamic IP address pools from which IP address allocations are made, allowing a number of private hosts to use a (possibly) smaller pool of global IP addresses. Or you can configure static IP address pools in which a static mapping exists for each host, requiring the size of the pool to match the number of hosts being translated. If you configure a dynamic pool and have fewer global IP addresses available than total private hosts, you will have a shortage of IP addresses if all the hosts try to access the external network simultaneously. This possibility needs to be accounted for in your planning.

The network address port translator (NAPT) performs a many-to-one "port translation." This capability allows any number of private hosts to communicate globally while using only a single global IP address.

Outsource Mode NAT:

Outsource mode NAT allows a PortMaster to handle NAT processing and management for a connected network interface. If a remote router that the PortMaster is connected to cannot run NAT locally, the PortMaster can perform NAT services for that device. All NAT configuration is handled on the PortMaster. A central site administrator can maintain all NAT mappings for all sites on the PortMaster without having to worry about the capabilities or management of a number of entirely separate routers.
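The concepts above, as an added illustration that is not part of this release note and not ComOS code: a small Python model of basic NAT with a static one-to-one map and a dynamic pool (including the address shortage described above), NAPT with port translation, and first-match rule ordering, which is also how the ComOS map examples later in this section behave. The class names, the starting port 20001 and the sample addresses are assumptions made for the example.

```python
"""Model of the NAT concepts above: basic NAT (static one-to-one map or dynamic
pool), NAPT (many-to-one with port translation) and first-match rule ordering.
Added illustration, not ComOS code; the ComOS keywords in comments only say
which concept each class stands for."""
import ipaddress
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple

Endpoint = Tuple[str, int]   # (global address, source port) after translation


@dataclass(frozen=True)
class Session:
    src: str
    sport: int
    dst: str
    dport: int


def hosts_in(spec: str) -> List[str]:
    """Expand 'a.b.c.d', 'a.b.c.d/n' or 'a.b.c.d-e.f.g.h' into a host list."""
    if "-" in spec:
        lo, hi = (int(ipaddress.ip_address(x)) for x in spec.split("-"))
        return [str(ipaddress.ip_address(i)) for i in range(lo, hi + 1)]
    return [str(h) for h in ipaddress.ip_network(spec, strict=False)]


class StaticAddressMap:
    """'staticaddressmap': host n of the private range always becomes host n
    of the global range, so both sides must be the same size."""
    def __init__(self, private: str, global_: str):
        self.private, self.global_ = hosts_in(private), hosts_in(global_)
        if len(self.private) != len(self.global_):
            raise ValueError("static address map sides differ in size")
        self.index = {h: i for i, h in enumerate(self.private)}
    def matches(self, s: Session) -> bool:
        return s.src in self.index
    def translate(self, s: Session) -> Optional[Endpoint]:
        return (self.global_[self.index[s.src]], s.sport)


class DynamicPool:
    """'addressmap' with a range: a private host borrows a free global address
    for the life of its session; an empty pool is an address shortage."""
    def __init__(self, private: str, pool: str):
        self.private, self.free = set(hosts_in(private)), hosts_in(pool)
        self.lease: Dict[str, str] = {}          # private host -> global address
    def matches(self, s: Session) -> bool:
        return s.src in self.private
    def translate(self, s: Session) -> Optional[Endpoint]:
        if s.src not in self.lease:
            if not self.free:
                return None                      # shortage: pool exhausted
            self.lease[s.src] = self.free.pop(0)
        return (self.lease[s.src], s.sport)


class Napt:
    """NAPT ('addressmap' to one address, or 'defaultnapt'): all private hosts
    share one global address and are told apart by the translated source port.
    The starting port 20001 is a constructed value."""
    def __init__(self, private: str, global_ip: str, first_port: int = 20001):
        self.private, self.global_ip = set(hosts_in(private)), global_ip
        self.next_port = first_port
        self.port_of: Dict[Endpoint, int] = {}   # (private ip, port) -> global port
    def matches(self, s: Session) -> bool:
        return s.src in self.private
    def translate(self, s: Session) -> Optional[Endpoint]:
        key = (s.src, s.sport)
        if key not in self.port_of:
            self.port_of[key] = self.next_port
            self.next_port += 1
        return (self.global_ip, self.port_of[key])


class NatMap:
    """Ordered map: the first rule whose private side contains the source
    address decides the translation, so host-specific rules must come first."""
    def __init__(self, *rules):
        self.rules = list(rules)
        self.stats = {"translated": 0, "no_rule": 0, "shortage": 0}
    def outbound(self, s: Session) -> Optional[Session]:
        for rule in self.rules:
            if rule.matches(s):
                result = rule.translate(s)
                if result is None:
                    self.stats["shortage"] += 1
                    return None
                self.stats["translated"] += 1
                return Session(result[0], result[1], s.dst, s.dport)
        self.stats["no_rule"] += 1
        return None


def demo():
    """Constructed traffic: a mixed static/NAPT map, then a two-address pool
    that runs short on the third private host."""
    mixed = NatMap(StaticAddressMap("192.168.65.1-192.168.65.10", "10.1.1.1-10.1.1.10"),
                   StaticAddressMap("192.168.65.73", "10.1.1.73"),
                   Napt("192.168.65.0/24", "10.1.1.11"))
    specific = mixed.outbound(Session("192.168.65.73", 34172, "192.168.247.6", 80))
    rest = [mixed.outbound(Session(f"192.168.65.{h}", 34172, "192.168.247.6", 80))
            for h in (74, 75)]
    pool = NatMap(DynamicPool("10.9.9.0/24", "192.168.9.1-192.168.9.2"))
    leased = [pool.outbound(Session(f"10.9.9.{h}", 1000 + h, "192.168.2.4", 80))
              for h in (5, 6, 7)]
    return specific, rest, leased, pool.stats
```

Running demo() shows the host-specific static rule winning over the catch-all NAPT rule, two hosts sharing one global address on different ports, and the third host of the pool being refused with the shortage counter incremented.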
_______ Map Management

NAT maps define the mappings and translations between global and private IP address space. The following map table commands are supported:

show table map      Shows all map files.
show map Mapname    Displays a map's contents.
add map Mapname     Creates a new map.
delete map Mapname  Deletes a map.
save map            Saves map contents into nonvolatile RAM.

NOTE: In this release of NAT, inbound maps are restricted to static address maps and/or static TCP/UDP port maps only. Outbound maps do not have this limitation. See the following section for map configuration commands.

_______ Configuring Map Contents

Entering NAT maps is very similar to configuring filters in ComOS. The basic command "set map Mapname" has five versions that you can use as follows---entered all on one line:

1. To define a single dynamic pool IP address map entry or range or list of entries, use the following command:

   set map Mapname Rulenumber addressmap Ipaddrxfrom Ipaddrxto | @ipaddr [log]

2. To define a single static pool IP address map entry or range or list of entries, use the following command:

   set map Mapname Rulenumber staticaddressmap Ipaddrxfrom Ipaddrxto | @ipaddr [log]

3. To define a static or dynamic TCP or UDP port range map entry or list of entries, use the following command:

   set map Mapname Rulenumber static-tcp-udp-portmap Ipaddrxfrom:Tport1 | Uport1 | Portname Ipaddrxto:Tport2 | Uport2 | Portname [log]

4. To remove rule Rulenumber in a map file, use the following command:

   set map Mapname Rulenumber

5. To empty the contents of a map file, use the following command:

   set map Mapname blank

Mapname      Address map name of up to 15 characters.
Rulenumber   Integer between 1 and 20.
Ipaddrxfrom  IP address or range or list of IP addresses to be translated.
Ipaddrxto    IP address or range or list of IP addresses to translate to.
Tport        TCP port number or range of numbers---between 1 and 65535.
Uport        UDP port number or range of numbers---between 1 and 65535.
Portname     One of the following services:
             telnet  TCP port 23
             ftp     TCP ports 20 and 21
             tftp    UDP port 69
             http    TCP port 80
             dns     TCP/UDP port 53
             smtp    TCP port 25
@ipaddr      IP address of the port being configured as the destination address.
log          Selectively logs events for this map entry.

The following keywords have abbreviations for ease of entry:

addressmap = am
staticaddressmap = sam
static-tcp-udp-portmap = stupm

Values for "Ipaddrxfrom" and "Ipaddrxto" can be one or more of the following, separated by commas (,):

IP address/mask
IP address - IP address
IP address1, IP address2, ... IP address

The value for "Portnumber" can be a single port number or a range of ports such as "6000-6010" (for an inbound X Server) that you want statically mapped. This capability saves you from needing multiple map rules to accomplish the same mapping.

Although you have NAT configured for a specified port, user, or location, you are not required to translate the addresses of all the hosts behind the PortMaster running NAT. You can choose the hosts for which NAT processing is done by designing your maps around them.

Example 1 -- Basic NAT:

When an outbound NAT map is defined for a port, the translation succeeds when the source IP address matches the "Ipaddrxfrom" address in the outbound map. Here is an outbound map that maps a single host with the private IP address 10.5.3.6 to the global IP address 192.168.5.3. This is a basic NAT configuration.

1. Configure a map for outbound NAT named myisp.out:

   set map myisp.out 1 addressmap 10.5.3.6 192.168.5.3

2. Configure location myisp:

   set location myisp nat outmap myisp.out

BEFORE Outbound NAT:
   Src: 10.5.3.6:12023     Dest: 192.168.2.4:80

AFTER NAT translation using the example outbound map:
   Src: 192.168.5.3:12023  Dest: 192.168.2.4:80

Example 2 -- @ipaddr Keyword:

As a special case, the "Ipaddrxto" value for an address map can be set to "@ipaddr" when the address map is being used for outbound or outbound outsource connections.
The special macro "@ipaddr" uses the IP address assigned to the port on which the address map is being used.

set map myisp.outmap 1 addressmap 10.2.3.0/0 @ipaddr

Example 3 -- defaultnapt Map:

The reserved map "defaultnapt," described in the section "Using the Default NAPT Map," is equivalent to the following map:

set map myisp.outmap 1 addressmap 0.0.0.0/0 @ipaddr

Example 4 -- Basic NAT Pools:

Using the "Ipaddrxfrom" and "Ipaddrxto" values for an address map allows you to configure one-to-one mappings of private IP addresses to global IP addresses. Using lists of addresses for these values allows the configuration of IP address allocation pools, from which global IP addresses can be allocated for outbound sessions as they are required.

Here is a configuration using a global IP address pool range of 192.168.9.1 through 192.168.9.10 for hosts in the private network 10.9.9.0/24 for outbound NAT. This configuration allows only 10 concurrent outbound NAT sessions from the 10.9.9.0 subnet.

1. Configure rule 1 for outbound NAT map myisp.out:

   set map myisp.out 1 addressmap 10.9.9.0/24 192.168.9.1-192.168.9.10

2. Configure location myisp:

   set location myisp nat outmap myisp.out

Example 5 -- Basic NAT Static Maps:

If you require that private addresses always be mapped to the same global addresses, use a static address map instead of a dynamic address map. The following example creates a NAT mapping in which the private IP address range 10.1.1.0/24 is translated to the global IP address range 192.168.65.0/24 on the outbound transmission. Because this is a static address map, it always translates 10.1.1.1 to 192.168.65.1, 10.1.1.55 to 192.168.65.55, and so on.
Configure a map for outbound NAT named myisp.out, and apply it as an outmap to the location:

set map myisp.out 1 staticaddressmap 10.1.1.0/24 192.168.65.0/24
set location myisp nat outmap myisp.out

Alternatively, to allow inbound sessions to the same set of hosts, create an inbound map named myisp.in and apply it as an inmap to the location:

set map myisp.in 1 staticaddressmap 192.168.65.0/24 10.1.1.0/24
set location myisp nat inmap myisp.in

For a static address map, the total ranges on both sides must have the same number of IP addresses; otherwise, a one-to-one static mapping is not possible. If you do not have sufficient global addresses to do one-to-one mapping, use NAPT for all or part of the private hosts (see Example 6), or reduce the number of IP addresses being translated.

Example 6 -- Mixing Static and Dynamic Address Maps:

This example uses a combination of static address maps for specific hosts and NAPT for the remainder of the private hosts.

set map myisp.out 1 staticaddressmap 192.168.65.1-192.168.65.10 10.1.1.1-10.1.1.10
set map myisp.out 2 staticaddressmap 192.168.65.73 10.1.1.73
set map myisp.out 3 addressmap 192.168.65.0/24 10.1.1.11
set location myisp nat outmap myisp.out

The order of the rules in a NAT map is important. In this example, a private host with an address of 192.168.65.73 attempting outbound access via the myisp location uses rule 2 and is translated to address 10.1.1.73. A private host with an address of 192.168.65.74 uses rule 3 and is translated to 10.1.1.11.

Example 7 -- Fully Specified Inbound Map:

When an inbound NAT map is defined for a port, the translation succeeds when the destination IP address matches the "Ipaddrxfrom" address in the inbound map. Suppose you want to allow Internet access to your internal HTTP server running on 10.4.2.9. To do so, configure the following as an inbound map. You also have a global IP address 192.168.2.4 assigned to your PortMaster as the global address for all hosts residing behind NAT:

1.
   Configure inbound NAT map myisp.in:

   set map myisp.in 1 static-tcp-udp-portmap 192.168.2.4:http 10.4.2.9

2. Configure the location:

   set location myisp nat inmap myisp.in

BEFORE Inbound NAT:
   Src: 130.65.2.3:12023  Dest: 192.168.2.4:80 (80 is http)

AFTER NAT translation using the example inbound map:
   Src: 130.65.2.3:12023  Dest: 10.4.2.9:80

_______ Configuring Interfaces, Locations, and Users

The basic command "set Ether0 | S0 | W1 | location Locname | user Username" has five NAT commands that you can use as follows---entered all on one line---to configure NAT on a PortMaster. You must reset an active port for changes in its NAT configuration to take effect. For more information, see the section "Resetting NAT Sessions."

1. To configure a NAT map for outbound sessions and optionally enable the outsource function, use this command:

   set Ether0 | S0 | W1 | location Locname | user Username nat outmap Mapname [outsource]

2. To configure a NAT map for inbound sessions and optionally enable the outsource function, use this command:

   set Ether0 | S0 | W1 | location Locname | user Username nat inmap Mapname [outsource]

   To remove the map entry from the specified interface, user, or location, re-enter the command, minus the "outsource" keyword, with a space after the Mapname value.

3. To set logging options for a NAT session on an interface, use this command:

   set Ether0 | S0 | W1 | location Locname | user Username nat log sessionfail | sessionsuccess | syslog | console on | off

4. To set the default action that the PortMaster takes if a request for a NAT session is refused because the mapping configuration is invalid or does not exist, use this command:

   set Ether0 | S0 | W1 | location Locname | user Username nat session-direction-fail-action drop | icmpreject | passthrough

5.
   To set the maximum idle time for a NAT session, use this command:

   set Ether0 | S0 | W1 | location Locname | user Username nat sessiontimeout tcp | other Number [minutes | seconds]

_______ Using the Default NAPT Map

You can assign the reserved map name "defaultnapt" to an outbound-only NAPT configuration, with the following results:

* When "defaultnapt" is assigned as an outbound map, without the "outsource" option, all outbound IP sessions through the given port are subject to NAPT and use the IP address assigned to the port.
* When "defaultnapt" is assigned as an outbound map for the port---using "outsource" in the command line---all inbound IP sessions (with respect to the calling device) through the given port are subject to outsource NAPT and use the IP address assigned to the port.

NOTE: In this release of NAT, inbound maps are restricted to static address maps and/or static TCP/UDP port maps only. Outbound maps do not have this limitation.

_______ Using RADIUS for NAT

Many NAT configuration parameters can also be configured via RADIUS on a per-user basis. For RADIUS to support the new vendor-specific attributes, you must be running the Lucent RADIUS 2.1 server or another RADIUS server---such as the NavisRadius product---that supports vendor-specific attributes. Add the following attributes and values to your RADIUS dictionary if they are not already there. Then stop and restart your RADIUS server.
RADIUS Dictionary Updates:

ATTRIBUTE  LE-NAT-TCP-Session-Timeout    14  integer  Livingston
ATTRIBUTE  LE-NAT-Other-Session-Timeout  15  integer  Livingston
ATTRIBUTE  LE-NAT-Log-Options            16  integer  Livingston
ATTRIBUTE  LE-NAT-Sess-Dir-Fail-Action   17  integer  Livingston
ATTRIBUTE  LE-NAT-Inmap                  18  string   Livingston
ATTRIBUTE  LE-NAT-Outmap                 19  string   Livingston
ATTRIBUTE  LE-NAT-Outsource-Inmap        20  string   Livingston
ATTRIBUTE  LE-NAT-Outsource-Outmap       21  string   Livingston

VALUE  LE-NAT-Sess-Dir-Fail-Action  Drop                1
VALUE  LE-NAT-Sess-Dir-Fail-Action  ICMP-Reject         2
VALUE  LE-NAT-Sess-Dir-Fail-Action  Pass-Through        3
VALUE  LE-NAT-Log-Options           Session-Success-On  1
VALUE  LE-NAT-Log-Options           Session-Failure-On  2
VALUE  LE-NAT-Log-Options           Console-On          3
VALUE  LE-NAT-Log-Options           Syslog-On           4
VALUE  LE-NAT-Log-Options           Success-Off         5
VALUE  LE-NAT-Log-Options           Failure-Off         6
VALUE  LE-NAT-Log-Options           Console-Off         7
VALUE  LE-NAT-Log-Options           Syslog-Off          8

Each RADIUS parameter corresponds to its command line equivalent. Refer to the usage information on a particular NAT command in this release note for more information.

When configuring a user profile, be sure to list any multiple occurrences of the LE-NAT-Log-Options attribute, which sometimes requires multiple values, in the order in which the values are listed in the dictionary---the order shown above. For example:

joe Auth-Type = System, Framed-Protocol = PPP
    Service-Type = Framed-User,
    Framed-Protocol = PPP,
    Framed-IP-Address = 255.255.255.254,
    LE-NAT-Outsource-Outmap = "defaultnapt",
    LE-NAT-Sess-Dir-Fail-Action = Drop,
    LE-NAT-Log-Options = Session-Failure-On,
    LE-NAT-Log-Options = Console-On

_______ NAT Session Management

NAT sessions can be managed, viewed, and reset in several ways. You can display the currently active NAT sessions using the following command:

show nat sessions [tcp | udp | ftp | Sessionid]

Enter "show nat sessions" to display NAT session identification numbers.
You can also limit the display to the sessions for a single port, user, or location by appending a regular expression at the end of the command line, as you can do with the "show routes" command.

You can view real-time statistics on NAT:

show nat statistics

This command displays statistics on a per-port basis, including successful translations, failures, address shortages when you are using IP pools, and unsuccessful translations and/or lookups due to timeouts.

Use the following command for debugging and to see resource usage:

show nat mapusage

This command displays a list of active IP address and port bindings, including a list of the remaining resources---TCP/UDP ports or IP addresses---available for use.

_______ Resetting NAT Sessions

CAUTION! Resetting any or all interfaces while sessions are active might cause active connections on clients and servers to be left open or terminated abruptly. Lucent recommends NOT entering this command while the interface is being used because doing so can leave connections in an unknown state between the two communicating hosts.

You can reset the entire NAT subsystem with the following command:

reset nat [Ether0 | S0 | W1]

The default resets all existing NAT sessions on the PortMaster---like the "reset all" command. Specifying the name of an interface resets all NAT sessions associated with the specified interface. Use the "ifconfig" command to see a list of interfaces.

Resetting NAT affects active NAT sessions only. If you modify the NAT configuration on an active port, you must reset the port directly and also reset NAT on that interface.

_______ Deleting Individual NAT Sessions

You can delete individual NAT sessions by using the session ID. This value is displayed in the first column of "show nat sessions" output.
Determine the session ID and then enter the following command:

delete nat sessions [Sessionid]

_______ NAT Administrative Concerns

Be aware that you might need to do the following when configuring your network in the presence of NAT.

Stopping the Advertisement of Routing Information:

NAT creates a private network that cannot be advertised outside the private boundary delimited by the NAT router. As a result, you must be sure to disable network advertisements on the NAT router's global interface. For example, if you are running NAT on a PortMaster IRX(TM) Router model IRX-211, with Ether0 as your private interface and Ether1 as your global interface with NAT enabled on it, you must disable RIP broadcasts:

set ether1 rip listen

Or use the "off" option if you do not need to listen to RIP routing updates at all. If you are using OSPF, you must specify the private IP address range as "quiet":

set ospf area 0.0.0.0 range 10.0.0.0/8 quiet

If you are using BGP, you must not advertise any private IP address blocks to the outside world.

Rerouting Global IP Addresses Used by NAT to Static Routing:

Because NAT is not equipped to advertise routing, the global IP addresses (or networks) used by NAT might require the addition of static routes on the routers that are external peers of the PortMaster. In particular, if you are using basic NAT to manage a pool of global addresses, you must configure a static route for the pool of addresses on the next-hop router of the PortMaster.

Avoiding Ethernet LANs:

NAT does not provide Ethernet ARP services for the global IP addresses it uses. For this reason, Lucent recommends that NAT be configured on WAN interfaces instead of Ethernet interfaces. If you choose to configure basic NAT on a LAN interface, be sure to select for use with NAT a global IP address block that does not fall within the same network prefix as the LAN interface itself.
Determining If Additional Security, Privacy, and/or Firewalls Are Needed:

Security is viewed differently in different environments. Many people view NAT as a one-way (session) traffic filter, restricting sessions from external hosts into their network. In that context, NAT provides a certain degree of security that might not be acceptable for your situation.

In addition, address assignment in NAT is often done dynamically. Dynamically assigned addresses can often hinder an attacker from pointing to any specific host in the NAT domain as a potential target of attack. Partial privacy is gained because tracing an individual connection to a particular user is more difficult.

You can use firewalls with NAT maps to provide other ways to filter unwanted traffic. However, NAT maps cannot by themselves transparently support all applications and often must co-exist with application-level gateways (ALGs)---for example, SOCKS. If you use NAT, you must determine the application requirements first so that you can assess the extensions to NAT and the security they provide.

NAT routers have a security limitation: NAT and/or its application-level gateway extensions can read the packet data in the end user traffic that passes through them. This limitation is a security problem if the NAT routers are not within a trusted boundary. Although you can encrypt NAT traffic, NAT must usually be the end point of such an encryption-decryption setup. For example, you cannot configure an end-to-end VPN tunnel with NAT routers in between. The end point(s) must be a router running NAT.

Lucent does not guarantee NAT as a complete security solution. Although placing your private network behind NAT might make it seem inaccessible to the outside, this is not the intention of NAT.
You must evaluate the particular configuration, network topology, and security requirements of your organization to determine whether simply installing NAT eliminates the need for further security measures such as a firewall.

Mapping for DNS:

When configuring DNS on the hosts behind NAT, if you add a map similar to the following on the internal interface---usually Ether0 on an Office Router---you can enter the IP address of your Office Router as the DNS server. This is a useful feature if you do not always have the same DNS server, because of multiple providers, but do not want to reconfigure all your private hosts. Use the following commands, entering each command all on one line:

set map dns.inmap 1 static-tcp-udp-portmap @ipaddr:dns
set ether0 nat inmap dns.inmap
set location Locname nat outmap defaultnapt

Handling Changes to On-Demand Locations:

Because of the way that on-demand locations and their corresponding interfaces are traditionally handled within ComOS, NAT configuration changes might not take effect in the way you expect. To get around this problem, you can either reboot immediately after changing the settings for a location that is currently set to on-demand, or do the following:

1. Enter "set location Locname maxports 0".
2. Enter "reset dialer".
3. Change whatever settings you need to.
4. Enter the following:

   set location Locname maxports

Manually dialed locations are unaffected.

_______ NAT Examples

1. Dial-Out Location Using defaultnapt with a Dynamically Assigned PPP IP Address:

Your Office Router OR-U is dialing in to a corporate network's PortMaster 3 (192.168.2.5). The PortMaster 3 has one dynamically assigned IP address for the Office Router in a NAPT configuration. Everything behind the Office Router is subject to NAPT.
You configure the Office Router as follows:

add location corporate
set location corporate phone 5558583
set location corporate username joeuser
set location corporate password secrets
set location corporate destination 192.168.2.5
set location corporate max 2
set location corporate idle 15 minutes
set location corporate on-demand
set location corporate local-ip-address assigned
set location corporate nat outmap defaultnapt

2. Preventing Address Renumbering with Basic NAT on an Office Router:

Company ABC, Inc. (198.34.4.0/24) has just merged with Big Company (25.0.0.0/8) and must renumber its hosts to access Big Company's network. ABC has an ISDN connection from its Office Router to Big Company's network. Big Company has just assigned ABC the IP range 25.9.1.0/24 to use. ABC configures its Office Router as follows:

add map abc.outmap
set map abc.outmap 1 addressmap 198.34.4.0/24 25.9.1.0/24
add location bigcomp
set location bigcomp phone 5558583
set location bigcomp username abc
set location bigcomp password bigsecret
set location bigcomp destination 25.1.1.7
set location bigcomp idle 15 minutes
set location bigcomp on-demand
set location bigcomp local-ip-address 25.9.1.254
set location bigcomp nat outmap abc.outmap

The abc.outmap NAT map assigns IP addresses dynamically as needed. If ABC wants to have static translations, abc.outmap on the Office Router must be changed as follows:

set map abc.outmap 1 staticaddressmap 198.34.4.0/24 25.9.1.0/24

3. Address Redirection to a Backup IRX-211 to Perform Server Maintenance:

The following two servers on your Ether1 provide inbound FTP and Web service:

* primary.web.com at 129.65.2.1
* backup.web.com at 129.65.2.2

The IP addresses of primary and backup are global IP addresses. However, you need to take primary off-line to perform some maintenance work. Just before shutting down primary, you configure an inbound map on Ether0 that statically maps primary's address to backup.
You use a basic NAT setup as follows:

add map ether0.inmap
set map ether0.inmap 1 addressmap 129.65.2.1 129.65.2.2
set ether0 nat inmap ether0.inmap
reset nat

As part of this configuration, you might also want to set the NAT session-direction-fail-action (SDFA) to passthrough:

set ether0 nat sdfa passthrough

This setting prevents NAT from intercepting outbound packets from the remapped host when primary returns to service and you want to run a Telnet or FTP session from it.

4. T1 or Fractional T1 WAN Link Using defaultnapt for Outbound and Providing Inbound HTTP Service:

Line1 on your PortMaster 3 is a T1 WAN link with a private network 10.0.0.0/8 behind it. The T1 point-to-point interfaces are numbered with global addresses (local: 192.168.44.99, dest: 192.168.44.254). The HTTP server in the private network resides at 10.1.1.10. You configure the PortMaster 3 as follows:

set w24 address 192.168.44.99
set w24 destination 192.168.44.254
set w24 nat outmap defaultnapt
add map w24.inmap
set map w24.inmap 1 static-tcp-udp-portmap 192.168.44.99:http 10.1.1.10:http
set w24 nat inmap w24.inmap
reset w24

5. Dial-In User Using defaultnapt in Outsource Mode:

You want to provide NAT service to a user (or incoming network) by connecting the user (or network) in an outsource-mode NAPT configuration using the defaultnapt map on a PortMaster. The global IP address 192.168.129.130 is assigned to the dial-up router and will be used as the global address by NAT. Because this configuration uses the defaultnapt map, the IP addresses that the client's network is using are not needed in the NAPT configuration. Configure the PortMaster as follows:

add netuser joeuser
set user joeuser password mysecret
set user joeuser destination 192.168.129.130
set user joeuser nat outmap defaultnapt outsource

No NAT configuration is required on the dial-up router (client) side.
If the client also wants to run an FTP server with a private IP address of 192.168.5.1 on his network and have it accessible globally, you can configure further as follows:

add map joeuser.in
set map joeuser.in 1 stupm 192.168.129.130:ftp 192.168.5.1:ftp
set user joeuser nat inmap joeuser.in outsource

When you configure the NAT map for a user with outsource NAT, you can consider the map as being on the calling router's outbound interface.

6. Dial-Out Location Using a Dynamic IP Address Basic NAT Map:

Your ISP gives you a small address block (192.168.129.129/29), but you have more hosts than global IP addresses available. You do not want to request more global IP addresses because of the added expense. In addition, because not all workstations use the connection at the same time, additional addresses would be wasteful. You want to use a dynamic IP address pool map instead. You configure your PortMaster as follows:

add map isp.outmap
set map isp.outmap 1 addressmap 10.1.1.0/24 192.168.129.129/29
add location isp
set location isp phone 5558583
set location isp username mycompany
set location isp password bigsecret
set location isp destination negotiated
set location isp max 2
set location isp continuous
set location isp local-ip-address assigned
set location isp nat outmap isp.outmap

7. Dial-Out Location Using a Static IP Address Basic NAT Map:

Your ISP gives you an address block (192.168.130.0/24). You can use a dynamic IP address pool for your workstation IP addresses because they do not need Internet access at the same time. However, you must give two of your trusted systems static IP addresses for security reasons---to perform packet filtering, for example.
You configure your PortMaster as follows:

add map isp.outmap
set map isp.outmap 1 addressmap 10.1.1.1 192.168.130.1
set map isp.outmap 2 addressmap 10.1.1.2 192.168.130.2
set map isp.outmap 3 addressmap 10.1.0.0/16 192.168.130.3-192.168.130.254
add location isp
set location isp phone 5558583
set location isp username mycompany
set location isp password bigsecret
set location isp destination negotiated
set location isp max 2
set location isp continuous
set location isp local-ip-address assigned
set location isp nat outmap isp.outmap

_______ NAT-Unfriendly Applications

The following applications are considered unfriendly to NAT because they embed the IP source and/or destination addresses in the packet data, are multicast based or broadcast based, or rely on end-to-end node security:

* Multicast-based applications
* Routing protocols RIP and OSPF
* DNS zone transfers
* End-to-end VPN tunnels
* Anything that embeds the IP source and/or destination address(es) into the packet data.

_______ NAT Debugging and Troubleshooting Tips

* Verify obvious values like correct IP addresses in map entries.
* Make sure your maps match the flow of the session (inbound or outbound). Check "show nat sessions" output to make sure the correct translations are taking place.
* Watch "show nat statistics" output for failed translations that can indicate incorrect session flow direction and possibly incomplete maps.
* Watch the source and destination IP addresses of packets going through the PortMaster. You can find a simple ptrace debug filter for this purpose in the PortMaster Troubleshooting Guide. If you are running NAT on your WAN link, look for private IP addresses that are exiting the ptp0 interface untranslated. If translation is not taking place, either your NAT maps are not translating properly or NAT is not active on the port.
* Make sure that you reset the active network interface to make its NAT configuration take effect.
  In the case of an Ethernet interface, enter "reset nat ether0".
* If a location is set to dial-on-demand, you might need to reboot the PortMaster for configuration changes to take effect.
* If a port loses its network connectivity---for example, if the modem drops carrier---NAT maintains the state of any existing sessions ONLY if the IP address assigned to the port remains the same.
* Because of the nature of NAT operation, some applications that work under basic NAT might not work with NAPT. If you are using a particular application under NAPT and it is not working, try using basic NAT and see if the situation improves.

_______ NAT Logging Control

You can activate syslog and console logging on a per-port basis to identify configuration errors and for auditing purposes. Enter the following commands---all on one line---to configure logging to the PortMaster console of all NAT sessions that fail for any reason:

set Ether0 | S0 | W1 | location Locname | user Username nat log sessionfail on
set Ether0 | S0 | W1 | location Locname | user Username nat log console on

To log to syslog instead, enter "syslog" instead of "console". Syslog messages are logged at the priority level shown in "show syslog" output. If you have not set the PortMaster global option for logging NAT information to syslog, then no logging takes place, regardless of the logging options configured on any particular port. Lucent recommends that you log NAT activity at the same priority as packet filters:

set syslog nat auth.notice

You can also log more selectively for only certain map entries by appending the "log" keyword at the end of a particular map entry you want logged. For example:

set map abc.outmap 1 addressmap 192.168.1.1 172.16.1.1 log

Whenever a session from 192.168.1.1 is successfully translated to the global IP address 172.16.1.1 via this outbound map, a syslog message is sent to your loghost.
Here is some sample syslog output:

   Mar 24 17:28:11 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
   Mar 24 17:28:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
   Mar 24 17:28:57 nat-or NAT: ptp3: Out TCP (192.168.3.1:34177)-> (192.168.247.6:80) translated to (192.168.129.129:20001)->(192.168.247.6:80)
   Mar 24 17:29:23 nat-or NAT: ptp3: Out TCP (192.168.3.1:34178)-> (192.168.247.6:80) translated to (192.168.129.129:20002)->(192.168.247.6:80)
   Mar 24 17:29:36 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
   Mar 24 17:30:22 nat-or NAT: ptp3: Out TCP (192.168.3.1:34179)-> (192.168.247.6:80) translated to (192.168.129.129:20003)->(192.168.247.6:80)
   Mar 24 17:34:18 nat-or NAT: ptp3: Out TCP (192.168.3.1:34172)-> (192.168.247.6:80) Xlation failed: Session may have prematurely timed out.
   Mar 25 11:02:03 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)-> (192.168.65.50:23) translated to (255.255.255.254:20001)->(192.168.65.50:23)
   Mar 25 11:02:40 nat-or NAT: ptp3: Out TCP (192.168.3.1:34185)-> (192.168.65.50:23) translated to (192.168.129.129:20001)->(192.168.65.50:23)

_______
Debugging NAT

The following commands set ComOS debugging options for NAT:

   set debug nat-ftp on | off            Displays FTP payload processing.
   set debug nat-icmp-err on | off       Displays ICMP error payload processing.
   set debug nat-rt-interface on | off   Displays NAT parameter changes during interface binding.
   set debug nat-max on | off            Enables full NAT debugging.

Remember to use "set console" before using these commands, and "reset console" after turning off the debug process.
_______
Network Diagnostic Tools for NAT

Because NAT includes ICMP and UDP translation, the two most common network diagnostic tools, ping and traceroute, can still be used---with the following restrictions:

* When using NAPT, you will not be able to run traceroute or ping inbound to the private hosts because you cannot reach them directly from the outside. But you can use the tools in an outbound direction without any problems.
* When using basic NAT, you can run traceroute and ping inbound, but only if you have an inbound map active. You still must include an entry for the actual host you are trying to ping or trace routes to. As with NAPT, you can do all network diagnostics in outbound mode.

_______
NAT References

* draft-ietf-nat-traditional-03.txt, Traditional IP Network Address Translator (Traditional NAT)
* RFC 1918, Address Allocation for Private Internets
* RFC 2663, IP Network Address Translator (NAT) Terminology and Considerations

_______________
ComOS 3.9b26 Limitations

* Limitations on Upgrading and Downgrading:
  - The PortMaster must be running ComOS 3.5 or later to upgrade to ComOS 3.9b26. If you are running an earlier release of ComOS, upgrade to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b26.
  - Downgrading a PortMaster 3 from ComOS 3.9b26 to a previous release requires two successful downgrades. After the first successful downgrade the PortMaster is operational, but without system messages. The second downgrade applies the system messages.
  - Downgrading from ComOS 3.9b26 to ComOS 3.5 might change the Ether0 IP address.
* A ComOS online help file is not included in this release; therefore, the "help" command is not supported.
* Modem Limitations:
  - Support for the obsolete "True Digital V.34 Card" (MDM-PM3-8 and MDM-PM3-10) has been removed from this release, except for support of the V.110 protocol. The "True Digital 56K Card" (MDM-56K-8 and MDM-56K-10) is still supported.
  - Lucent is still fixing some problems with Rockwell HCF and Cirrus Logic modems. If you experience any difficulties with modems, verify that the client modem is running the latest firmware. Then refer to http://www.livingston.com/tech/bulletin/comos-modem.html. If these instructions do not help, contact Lucent NetCare(R) technical support.
  - The extended Link Access Procedure for Modems (LAPM) (V.42) timeout in the ComOS 3.9b26 modem code keeps the Sega Dreamcast modem from connecting.
* You cannot use Inverse Address Resolution Protocol (ARP) on a Frame Relay interface with subinterfaces. The primary Frame Relay interface does not automatically map IP addresses to data link connection identifiers (DLCIs). When you enter a "show arp frm1" command, no ARP tables appear, and the PortMaster cannot ping across the Frame Relay cloud.
* The PortMaster 3 can support either the Stac compression card or the IPSec encryption ("coprocessor") card, but not both. Both cards use the same interface on the PortMaster 3 motherboard.
* Neither the Internet Key Exchange (IKE) protocol nor the Internet Security Association Key Management Protocol (ISAKMP) is supported in this release.
* Passive security profiles for VPN tunnels are not supported in this release.
* NAT Limitations:
  - NAT and VPN tunneling cannot be configured to work together on the same port in this release.
  - Inbound NAT maps are restricted to static address maps and/or static TCP/UDP port maps only. Outbound NAT maps do not have this limitation.
  - NAT translates only TCP, UDP, and ICMP packets. Point-to-Point Tunneling Protocol (PPTP) traffic is not translated.
* A Layer 2 Tunneling Protocol (L2TP) network server (LNS) can support only 94 L2TP sessions in this release.
* NFAS Limitations:
  - This release does not support mixing NFAS and non-NFAS ISDN PRIs in the same chassis. If one line is used for NFAS, the other line must be used for NFAS or left empty.
  - NFAS operates only on National ISDN (NI-2) switch types.
  - Configuring NFAS settings on a line that is not configured for ISDN or unable to perform ISDN functions makes the line behave strangely.
  - When you are using NFAS and a problem occurs on the physical PRI line with the D channel, the line sometimes does not return to service until you reset the D channel.
  - When a PortMaster running NFAS is rebooted, you must sometimes reset the D channel to return the PRI to service.
* To advertise your address pools allocated for static users as internal OSPF routes, you must add them to the OSPF area range as full class C addresses. If these addresses are instead added as subnets of a class C address, they are incorrectly advertised as OSPF type 2 external (E2) routes. An address pool on a PortMaster 3 is most commonly made up of 48 contiguous addresses, the first of which is a network address. For example, suppose you configure an address pool using subnets 192.168.110.16/28 and 192.168.110.32/27, with 192.168.110.16 as the first address. If you add the address pool to the OSPF area range as *192.168.110.0/24, the address pool is correctly advertised as "ospf." However, if you add the address pool to the OSPF area range as *192.168.110.16/28 and *192.168.110.32/27, it is advertised as "ospf/E2."

_______________
Troubleshooting Modems

As part of modem troubleshooting, confirm that the client modem is running the latest firmware before submitting a modem trouble report. When making a report of a new modem problem, send the following information to Lucent NetCare technical support:

* ComOS version
* Client modem manufacturer
* Client modem model
* Results on the client modem of commands ATI0 through ATI11
* Whether the problem is reproducible

Lucent might want to monitor your PortMaster while the client modem reproduces the problem.

_______________
Upgrade Instructions

You can upgrade your PortMaster 3 using PMVision 1.7 or later, or pmupgrade 4.3 or later from PMTools.
Alternatively, you can upgrade using the older programs pminstall 3.5.3, PMconsole 3.5.3, or PMconsole for Windows 3.5.1.4. You can also upgrade using TFTP with the "tftp get comos" command from the PortMaster command line interface. See ftp://ftp.livingston.com/pub/le/software/java/pmvision17.txt for installation instructions for PMVision 1.7.

*** CAUTION! If the upgrade fails, do NOT reboot! Contact
*** Lucent NetCare Technical Support without rebooting.

The upgrade process on the PortMaster 3 erases the configuration area from nonvolatile memory and saves the current configuration into nonvolatile memory. Never interrupt the upgrade process, or loss of configuration information can result.

WARNING! Due to the increased size of ComOS, the amount of NVRAM available for saving configurations has been reduced from 128KB to 64KB. PortMaster products with configurations greater than 64KB will lose some of their configuration. For this reason, be sure to back up your PortMaster configuration before upgrading to this release. You can check the amount of memory used for your configuration with the "show files" command. Ignore any files that also include an uncompressed size.

WARNING! The PortMaster must be running ComOS 3.5 or later to upgrade to ComOS 3.9b26. If you are running an earlier release of ComOS, upgrade to ComOS 3.5 first, reboot, then upgrade to ComOS 3.9b26.

IMPORTANT: Any PortMaster running ComOS 3.9b26 requires 4MB of DRAM. If you are running BGP, 16MB of DRAM is required.

The installation software can be retrieved by FTP from ftp://ftp.livingston.com/pub/le/software/, and the upgrade image can be found at ftp://ftp.livingston.com/pub/le/upgrades:

   ComOS      Upgrade Image   Product
   _________  _____________   _____________________________________
   3.9b26     pm3_3.9b26      PortMaster 3

________________________________________________________________________
Copyright and Trademarks

Copyright 1999 Lucent Technologies. All rights reserved.
PortMaster, ComOS, ChoiceNet, and NetCare are registered trademarks of Lucent Technologies. PMVision, IRX, PortAuthority, and NavisRadius are trademarks of Lucent Technologies. All other marks are the property of their respective owners.

Notices

Lucent Technologies makes no representations or warranties with respect to the contents or use of this publication, and specifically disclaims any express or implied warranties of merchantability or fitness for any particular purpose. Further, Lucent Technologies reserves the right to revise this publication and to make changes to its content, any time, without obligation to notify any person or entity of such revisions or changes.

Contacting Lucent NetCare Technical Support

Lucent NetCare Professional Services provides PortMaster technical support via voice or electronic mail, or through the World Wide Web at http://www.livingston.com/. Specify that you are running ComOS 3.9b26 when reporting problems with this release.

Internet service providers (ISPs) and other end users in Europe, the Middle East, Africa, India, and Pakistan should contact their authorized Lucent NetCare sales channel partner for technical support; see http://www.livingston.com/International/EMEA/distributors.html.

For North America, the Caribbean and Latin America (CALA), and Asia Pacific customers, technical support is available Monday through Friday from 7 a.m. to 5 p.m. U.S. Pacific Time (GMT -8). Dial 1-800-458-9966 within the United States (including Alaska and Hawaii), Canada, and CALA, or 1-925-737-2100 from elsewhere, for voice support. For email support, send to support@livingston.com (asia-support@livingston.com for Asia Pacific customers).