Wednesday, December 5, 2012

IPsec VPN over L2TP tunnel configuration

The configuration below is a sanitized H3C Comware dump. It terminates L2TP tunnels on Virtual-Template1 (PPP users are authenticated locally with PAP through domain system and get addresses from ip pool 1) and protects the L2TP traffic with IPsec policy localvpn_poli, which is built from a policy template and applied to the outside interface GigabitEthernet0/3.

Firewall configuration details:
#
version 5.2X, Release 31xx
#
sysname XXXXXX
#
clock timezone 1 add 05:30:00
#
l2tp enable
#
ike local-name localvpn
#
domain default enable system
#
dns resolve
#
vlan 1
#
radius scheme system
#
domain system
authentication ppp local
authorization ppp local
accounting ppp local
access-limit disable
state active
idle-cut disable
self-service-url disable
ip pool 1 10.10.218.5 10.10.218.125
#
ike proposal 1
encryption-algorithm 3des-cbc
#
ike peer localvpn_peer
exchange-mode aggressive
pre-shared-key cipher KJJJJDEU(3478*&%&^%
id-type name
remote-name test_remote
nat traversal
#
ipsec proposal localvpn_prop
#
ipsec policy-template localvpn_temp 1
ike-peer localvpn_peer
proposal localvpn_prop
#
ipsec policy localvpn_poli 1 isakmp template localvpn_temp
#
user-group system
#
local-user testvpn
password cipher 466@&*^$@($&6564
service-type ppp
#
l2tp-group 1
undo tunnel authentication
allow l2tp virtual-template 1 remote localvpn_prop
#
interface Aux0
async mode flow
link-protocol ppp
#
interface Virtual-Template1
ppp authentication-mode pap domain system
ppp ipcp dns admit-any
ppp ipcp dns 4.2.2.2
remote address pool 1
ip address 10.10.218.1 255.255.255.128
#
interface NULL0
#
interface GigabitEthernet0/3
port link-mode route
description *****CONNECTED TO ROUTER*****
nat outbound static
nat outbound 3010 address-group 1
nat outbound 2009 address-group 1
ip address 192.168.6.25 255.255.255.0
ip address 172.117.80.66 255.255.255.240 sub
ipsec policy localvpn_poli

How to make an H3C device accept only SSH2 connections

It is often observed that a device's SSH server accepts both SSH1 and SSH2 connections, which is a security concern for the security administrator because SSH1 has known protocol weaknesses. On H3C devices a single command disables SSH1 compatibility so that only SSH2 connections are accepted.

Note: the SSH server needs to be enabled for this to take effect. Disabling SSH1 does not by itself block Telnet on the VTY lines; to accept only SSH there, also add protocol inbound ssh under the vty user interface.

H3C device : 

# Step 1: configure the authentication scheme and domain (the default radius scheme and domain named system) that scheme authentication on the user interfaces will use.

#
radius scheme system
 server-type extended
 primary authentication 127.0.0.1 1645
 primary accounting 127.0.0.1 1646
 user-name-format without-domain
#
domain system
 access-limit disable
 state active
 idle-cut disable
 self-service-url disable


# Step 2: add the user group and the local users.

#
user-group system
#

local-user admin
 password cipher $*)@$*&(%*&
 authorization-attribute level 3
 access-limit 4
 service-type ssh


# Step 3: enable the SSH server and restrict it to SSH2 connections.

#
 ssh server enable
 undo ssh server compatible-ssh1x
#
user-interface aux 0 8
 authentication-mode scheme
user-interface vty 0 4
 authentication-mode scheme


# END
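Several settings in the two dumps above are ones a reviewer would flag: the IKE peer uses aggressive mode with a pre-shared key (in aggressive mode the responder's identity hash crosses the wire unencrypted, so the PSK can be attacked offline), the IKE proposal uses 3DES, the L2TP group disables tunnel authentication, the virtual template authenticates PPP with PAP, and the VTY lines do not restrict the inbound protocol to SSH, so Telnet stays reachable even after SSH1 is disabled. The script below is an added example, not the page's own tooling: it audits a Comware v5 configuration text for exactly these settings. SAMPLE_CONFIG is a constructed, trimmed copy of the page's sanitized dumps, with the SSH1 compatibility line left out so that the finding shows up; the severities are the author's own labels, not anything from H3C.

```python
"""Static audit of an H3C Comware v5 configuration dump for the weak
settings discussed on this page (added example, not the page's own tooling).
SAMPLE_CONFIG is a constructed, trimmed copy of the page's sanitized dumps."""

SAMPLE_CONFIG = """\
#
l2tp enable
#
ike proposal 1
 encryption-algorithm 3des-cbc
#
ike peer localvpn_peer
 exchange-mode aggressive
 pre-shared-key cipher REDACTED
 id-type name
 remote-name test_remote
 nat traversal
#l2tp-group 1
 undo tunnel authentication
 allow l2tp virtual-template 1 remote localvpn_prop
#
interface Virtual-Template1
 ppp authentication-mode pap domain system
 ppp ipcp dns admit-any
 remote address pool 1
#
 ssh server enable
#
user-interface vty 0 4
 authentication-mode scheme
#
"""


def parse_sections(text):
    """Split a Comware dump on its '#' separator lines into (header, body)
    pairs.  A separator fused to a command, as in the page's '#l2tp-group 1',
    still starts a new section."""
    sections, block = [], []
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("#"):
            if block:
                sections.append((block[0], block[1:]))
            block = []
            rest = line[1:].strip()      # keep a command fused to the '#'
            if rest:
                block.append(rest)
        elif line:
            block.append(line)
    if block:
        sections.append((block[0], block[1:]))
    return sections


def audit(text):
    """Return a list of (severity, section header, message) findings."""
    findings = []
    sections = parse_sections(text)
    every_line = {l for hdr, body in sections for l in [hdr] + body}

    for hdr, body in sections:
        if hdr.startswith("ike peer"):
            if "exchange-mode aggressive" in body and any(
                    l.startswith("pre-shared-key") for l in body):
                findings.append(("HIGH", hdr,
                                 "aggressive mode with a pre-shared key: the identity hash "
                                 "is sent unencrypted, so the PSK can be attacked offline; "
                                 "use main mode or certificates"))
        elif hdr.startswith("ike proposal"):
            if any(l.startswith("encryption-algorithm 3des") for l in body):
                findings.append(("MEDIUM", hdr, "3DES proposal; prefer AES"))
        elif hdr.startswith("l2tp-group"):
            if "undo tunnel authentication" in body:
                findings.append(("LOW", hdr, "L2TP tunnel authentication disabled; "
                                             "only the IPsec policy guards the tunnel"))
        elif hdr.startswith("interface Virtual-Template"):
            if any(l.startswith("ppp authentication-mode pap") for l in body):
                findings.append(("MEDIUM", hdr, "PAP sends the PPP password in clear text "
                                                "inside the tunnel; prefer CHAP or MS-CHAPv2"))
        elif hdr.startswith("user-interface vty"):
            if not any(l.startswith("protocol inbound ssh") for l in body):
                findings.append(("MEDIUM", hdr, "no 'protocol inbound ssh': Telnet is "
                                                "still accepted on these lines"))

    # The SSH server commands are global, so check them across the whole dump.
    if "ssh server enable" in every_line and \
            "undo ssh server compatible-ssh1x" not in every_line:
        findings.append(("HIGH", "ssh server", "SSH1 compatibility still enabled; "
                                               "add 'undo ssh server compatible-ssh1x'"))
    return findings


if __name__ == "__main__":
    for sev, hdr, msg in audit(SAMPLE_CONFIG):
        print("[%s] %s: %s" % (sev, hdr, msg))
```

Run it on a dump saved from display current-configuration; the parser only needs the '#' separators that Comware emits between blocks, and adding the two hardening lines from the page (undo ssh server compatible-ssh1x, and protocol inbound ssh under the vty lines) clears the corresponding findings.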
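After undo ssh server compatible-ssh1x is applied, the change can be confirmed from a client without logging in: per RFC 4253 section 4.2 the server's identification string announces protocol version 1.99 when it still speaks both SSH1 and SSH2, and 2.0 when it is SSH2-only. The script below is an added example, not from the page or from H3C. The banner strings in SAMPLE_BANNERS are constructed, and the host and port passed to probe() are assumptions for whichever device is being checked.

```python
"""Confirm from the client side that an SSH server no longer offers protocol
version 1 (added example, not from the page).  SAMPLE_BANNERS are constructed."""
import re
import socket

# RFC 4253 section 4.2: "SSH-protoversion-softwareversion SP comments"
ID_STRING_RE = re.compile(r"^SSH-(?P<proto>[0-9.]+)-(?P<soft>\S+)")


def supported_versions(banner):
    """Map an identification string to the set of major protocol versions
    the server is willing to speak."""
    m = ID_STRING_RE.match(banner.strip())
    if not m:
        raise ValueError("not an SSH identification string: %r" % banner)
    proto = m.group("proto")
    if proto == "1.99":            # RFC 4253: server supports both 1.x and 2.0
        return {1, 2}
    if proto.startswith("2."):
        return {2}
    if proto.startswith("1."):
        return {1}
    raise ValueError("unknown protocol version %r" % proto)


def ssh1_still_enabled(banner):
    """True when the server would still accept an SSH1 client."""
    return 1 in supported_versions(banner)


def probe(host, port=22, timeout=5.0):
    """Read the server's identification string over TCP and classify it.
    Nothing is sent, so the device only logs an aborted connection.
    host/port are assumptions for whichever device is being checked."""
    with socket.create_connection((host, port), timeout=timeout) as sock:
        stream = sock.makefile("rb")
        # RFC 4253 allows the server to send text lines before the ID string.
        for _ in range(20):
            raw = stream.readline(255)
            if not raw:
                break
            line = raw.decode("ascii", "replace").strip()
            if line.startswith("SSH-"):
                return supported_versions(line)
    raise ValueError("no identification string received from %s:%d" % (host, port))


# Constructed banners: what a dual-version server and an SSH2-only server announce.
SAMPLE_BANNERS = {
    "before": "SSH-1.99-Comware-5.20",
    "after": "SSH-2.0-Comware-5.20",
}

if __name__ == "__main__":
    for label, banner in SAMPLE_BANNERS.items():
        state = "SSH1 still offered" if ssh1_still_enabled(banner) else "SSH2 only"
        print("%-6s %-24s %s" % (label, banner, state))
```

Call probe("192.0.2.1") against the management address of the device to get the same answer live; a result containing 1 means the compatible-ssh1x setting is still in effect (or the configuration was not saved before a reload).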