Wednesday, December 5, 2012
IPSEC-VPN over L2TP tunnel configuration
Firewall configuration details:
#
version 5.2X, Release 31xx
#
sysname XXXXXX
#
clock timezone 1 add 05:30:00
#
l2tp enable
#
ike local-name localvpn
#
domain default enable system
#
dns resolve
#
vlan 1
#
radius scheme system
#
domain system
authentication ppp local
authorization ppp local
accounting ppp local
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 10.10.218.5 10.10.218.125
#
ike proposal 1
encryption-algorithm 3des-cbc
#
ike peer localvpn_peer
exchange-mode aggressive
pre-shared-key cipher KJJJJDEU(3478*&%&^%
id-type name
remote-name test_remote
nat traversal
#
ipsec proposal localvpn_prop
#
ipsec policy-template localvpn_temp 1
ike-peer localvpn_peer
proposal localvpn_prop
#
ipsec policy localvpn_poli 1 isakmp template localvpn_temp
#
user-group system
#
local-user testvpn
password cipher 466@&*^$@($&6564
service-type ppp
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1 remote localvpn_prop
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Virtual-Template1
ppp authentication-mode pap domain system
ppp ipcp dns admit-any
ppp ipcp dns 4.2.2.2
remote address pool 1
ip address 10.10.218.1 255.255.255.128
#
interface NULL0
#
interface GigabitEthernet0/3
port link-mode route
description *****CONNECTED TO ROUTER*****
nat outbound static
nat outbound 3010 address-group 1
nat outbound 2009 address-group 1
ip address 192.168.6.25 255.255.255.0
ip address 172.117.80.66 255.255.255.240 sub
ipsec policy localvpn_poli
How to make an H3C device support only SSH2 authentication.
Often it is observed that the SSH server accepts both SSH1 and SSH2 connections, which is a security concern for the security administrator. Hence there is a simple command that disables SSH1 and allows only SSH2 connections on H3C-based devices.
Note: the SSH server needs to be enabled to carry this out.
H3C device:
# Step 1: enable the local scheme for RADIUS and domain authentication.
#
radius scheme system
server-type extended
primary authentication 127.0.0.1 1645
primary accounting 127.0.0.1 1646
user-name-format without-domain
#
domain system
access-limit disable
state active
idle-cut disable
self-service-url disable
# Step 2: add the user group and the local users.
#
user-group system
#
local-user admin
password cipher $*)@$*&(%*&
authorization-attribute level 3
access-limit 4
service-type ssh
# Step 3: enable the SSH server and restrict SSH connectivity to version 2.
#
ssh server enable
undo ssh server compatible-ssh1x
#
user-interface aux 0 8
authentication-mode scheme
user-interface vty 0 4
authentication-mode scheme
# END
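The two configurations above are the kind of text a defender ends up checking by hand. The following Python script, an added example and not code from the blog, parses a Comware-style dump of that shape and flags the settings both posts touch on: SSH1 compatibility and VTY authentication from the SSH post, and IKE aggressive mode, the 3DES proposal, disabled L2TP tunnel authentication and PAP from the VPN post. It assumes blocks are separated by lines holding only "#", that the first line of a block is its header, and that indentation may be lost as it is in the post; the sample configuration embedded in it is constructed from the posts with a placeholder pre-shared key.

```python
"""Static audit of an H3C (Comware-style) configuration text.

Added example, not from the blog post: it parses a config dump of the kind
shown above and flags the settings the posts discuss (SSH1 compatibility,
VTY authentication, IKE aggressive mode, legacy ciphers, L2TP tunnel
authentication, PAP).  Assumptions: blocks are separated by lines holding
only '#', the first line of a block is its header, and indentation may be
lost, as it is in the post.
"""
from typing import Dict, List, Tuple

# Constructed sample, cut down from the two configs above; the pre-shared
# key is a placeholder, not a real credential.
SAMPLE_CONFIG = """\
#
ike proposal 1
encryption-algorithm 3des-cbc
#
ike peer localvpn_peer
exchange-mode aggressive
pre-shared-key cipher PLACEHOLDER_PSK
id-type name
nat traversal
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1 remote test_remote
#
interface Virtual-Template1
ppp authentication-mode pap domain system
#
ssh server enable
undo ssh server compatible-ssh1x
#
user-interface aux 0 8
authentication-mode scheme
user-interface vty 0 4
authentication-mode scheme
#
"""

Block = Tuple[str, List[str]]


def parse_blocks(text: str) -> List[Block]:
    """Split config text into (header, body) blocks at '#' separators.

    A 'user-interface' line also starts a new block, because the post writes
    several of them back to back without a separator.
    """
    blocks: List[Block] = []
    current: List[str] = []
    for raw in text.splitlines():
        line = raw.strip()
        if not line:
            continue
        if line == "#" or line.startswith("user-interface "):
            if current:
                blocks.append((current[0], current[1:]))
                current = []
            if line == "#":
                continue
        current.append(line)
    if current:
        blocks.append((current[0], current[1:]))
    return blocks


def audit(text: str) -> Dict[str, List[str]]:
    """Return findings grouped by severity: 'high', 'medium', 'info'."""
    blocks = parse_blocks(text)
    flat = [line for header, body in blocks for line in (header, *body)]
    findings: Dict[str, List[str]] = {"high": [], "medium": [], "info": []}

    # The SSH post's point: server on, SSH1 compatibility off, VTYs on AAA.
    if "ssh server enable" not in flat:
        findings["high"].append("SSH server is not enabled")
    if "undo ssh server compatible-ssh1x" not in flat:
        findings["high"].append(
            "SSH1 compatibility still on (missing 'undo ssh server compatible-ssh1x')")

    for header, body in blocks:
        if header.startswith("user-interface vty") and \
                "authentication-mode scheme" not in body:
            findings["high"].append(f"{header}: not using scheme (AAA) authentication")
        if header.startswith("ike proposal"):
            for line in body:
                if line.startswith("encryption-algorithm ") and "des" in line:
                    findings["medium"].append(
                        f"{header}: legacy cipher {line.split()[-1]}; prefer AES")
        if header.startswith("ike peer") and "exchange-mode aggressive" in body:
            findings["medium"].append(
                f"{header}: IKEv1 aggressive mode, identity and PSK-derived "
                "hash sent before encryption; prefer main mode")
        if header.startswith("l2tp-group") and "undo tunnel authentication" in body:
            findings["info"].append(
                f"{header}: L2TP tunnel authentication off, protection relies on IPsec")
        if header.startswith("interface Virtual-Template") and \
                any(l.startswith("ppp authentication-mode pap") for l in body):
            findings["info"].append(
                f"{header}: PAP sends the PPP password in cleartext inside the "
                "tunnel; CHAP is preferred")
    return findings


if __name__ == "__main__":
    for severity, messages in audit(SAMPLE_CONFIG).items():
        for message in messages:
            print(f"[{severity}] {message}")
```

Run it against `display current-configuration` output saved to a file by replacing SAMPLE_CONFIG with the file contents; the sample as written produces no high findings, two medium ones (3DES and aggressive mode) and two informational ones.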
Friday, May 18, 2012
HP-H3C base switch configuration for the voice and data VLANs on a single port using the hybrid port configuration
HP-H3C base switch configuration
Configuration:
Step 1: enable the voice VLAN MAC address Organizationally Unique Identifier (OUI).
voice vlan mac-address 001f-ca00-0000 mask ffff-ff00-0000 description Cisco pmfms
Step 2: enter the interface.
interface GigabitEthernet1/0/30
Step 3: make the port a hybrid port.
port link-type hybrid
Step 4: remove the default VLAN from the hybrid port.
undo port hybrid vlan 1
Step 5: assign the data and voice VLANs to the hybrid port.
port hybrid vlan 800 tagged (voice should be tagged)
port hybrid vlan 833 untagged (data should always be untagged)
Step 6: set the port PVID so that the data VLAN is the default for untagged traffic.
port hybrid pvid vlan 833
Step 7: enable the voice VLAN settings on the port. First change the voice VLAN assignment mode from auto to manual.
undo voice vlan mode auto
voice vlan 800 enable
Step 8: restart the interface by toggling PoE.
undo poe enable
poe enable
Configuration commands for voice over data on the L3 switch.
#
voice vlan mac-address 001f-ca00-0000 mask ffff-ff00-0000
vlan 1
#
vlan 800
#
vlan 808
#
interface GigabitEthernet1/0/30
port link-type hybrid
undo port hybrid vlan 1
port hybrid vlan 800 tagged
port hybrid vlan 833 untagged
port hybrid pvid vlan 833
undo voice vlan mode auto
voice vlan 800 enable
poe enable
#
interface GigabitEthernet1/0/48
port link-type trunk
port trunk permit vlan all
#
ip route-static 0.0.0.0 0.0.0.0 10.96.55.1
#
return
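Steps 4 to 6 above decide which VLAN a frame from the PC or the phone ends up in, and whether it leaves the port tagged. The Python model below is an added example, not code from the blog or from HP/H3C: it applies those `port hybrid` lines to a small port object so the effect of removing VLAN 1, tagging the voice VLAN and setting the PVID can be checked without a switch. It assumes the usual Comware behaviour that a hybrid port starts as an untagged member of VLAN 1, that untagged ingress frames are assigned the PVID, and that a frame is dropped when its VLAN is not one the port is a member of.

```python
"""Model of hybrid-port VLAN handling on an HP/H3C (Comware) switch.

Added example, not from the blog post.  It applies the 'port hybrid' lines
from the steps above to a small model and shows which VLAN a frame from the
phone or the PC lands in, and whether it leaves tagged.  Assumptions about
the switch behaviour: a hybrid port is an untagged member of VLAN 1 by
default, untagged ingress frames are assigned the PVID, and a frame is
dropped when its VLAN is not one the port is a member of.
"""
from dataclasses import dataclass, field
from typing import List, Optional, Set


@dataclass
class HybridPort:
    name: str
    tagged: Set[int] = field(default_factory=set)
    untagged: Set[int] = field(default_factory=lambda: {1})  # default VLAN 1
    pvid: int = 1

    def apply(self, line: str) -> None:
        """Apply one of the CLI lines used in the post."""
        parts = line.split()
        if parts[:4] == ["undo", "port", "hybrid", "vlan"]:
            vid = int(parts[4])
            self.tagged.discard(vid)
            self.untagged.discard(vid)
        elif parts[:4] == ["port", "hybrid", "pvid", "vlan"]:
            self.pvid = int(parts[4])
        elif parts[:3] == ["port", "hybrid", "vlan"]:
            vid, mode = int(parts[3]), parts[4]
            if mode == "tagged":
                self.tagged.add(vid)
                self.untagged.discard(vid)
            else:
                self.untagged.add(vid)
                self.tagged.discard(vid)
        else:
            raise ValueError(f"unsupported line: {line}")

    def members(self) -> Set[int]:
        return self.tagged | self.untagged

    def ingress_vlan(self, tag: Optional[int]) -> Optional[int]:
        """VLAN an incoming frame is placed in; None means dropped.

        tag=None models an untagged frame (the PC); tag=800 the phone.
        """
        vid = self.pvid if tag is None else tag
        return vid if vid in self.members() else None

    def egress_tagged(self, vid: int) -> Optional[bool]:
        """True/False for tagged/untagged egress; None if not forwarded."""
        if vid in self.tagged:
            return True
        if vid in self.untagged:
            return False
        return None


# The exact lines from steps 4 to 6 of the post.
POST_LINES: List[str] = [
    "undo port hybrid vlan 1",
    "port hybrid vlan 800 tagged",
    "port hybrid vlan 833 untagged",
    "port hybrid pvid vlan 833",
]


def port_from_post() -> HybridPort:
    """Build GigabitEthernet1/0/30 as steps 4 to 6 configure it."""
    port = HybridPort("GigabitEthernet1/0/30")
    for line in POST_LINES:
        port.apply(line)
    return port


if __name__ == "__main__":
    p = port_from_post()
    print("PC (untagged) ->", p.ingress_vlan(None))      # 833
    print("phone (tag 800) ->", p.ingress_vlan(800))     # 800
    print("stray tag 1 ->", p.ingress_vlan(1))           # None, VLAN 1 removed
    print("voice leaves tagged:", p.egress_tagged(800))  # True
    print("data leaves tagged:", p.egress_tagged(833))   # False
```

The model makes the reason for step 4 visible: once VLAN 1 is removed from the port, a frame arriving with a VLAN 1 tag is no longer accepted, and untagged frames can only land in the PVID (the data VLAN), which is what keeps the phone's tagged voice traffic and the PC's untagged traffic apart on one port.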