Manuals / 3Com / Computer Equipment / Network Router

3Com OfficeConnect Remote 812 Value Name ProhibitIpSec, aaa authentication login cisco local

Models: OfficeConnect Remote 812

1 170

Download 170 pages 51.21 Kb

Page 47

Value Name: ProhibitIpSec

Setting Up a Virtual Private Network (VPN) Tunnel 6-11

An administrator may also set up a Windows 2000 Server as a router with a private IP subnet set to 98.76.54.0/C. To add DHCP Services on the Windows 2000 Server, an administrator can use any IP addresses from 98.76.54.1 to 98.76.54.253 inclusive. IP addresses for workstations on the private LAN side of the Windows 200 Server will be in the 98.76.54.xx subnet.

Configuring Windows 2000 Server to Support Encryption for L2TP Tunnels

Microsoft supports encryption for both PPTP and L2TP tunnels. However, to configure encryption for an L2TP tunnel connecting an OCR 812 with a Windows 2000 Server, you must modify your Windows 2000 Server Registry settings.

To configure Windows 2000 Server Registry settings to support L2TP encryption, perform the following steps:

1Start the Registry Editor (Run Regedt32.exe).

2Locate the following Registry key:

\HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Services\RasMan \Parameters

3On the Edit menu, select Add Value.

4In the Add Value window, specify the following Registry Value Name, Data Type, and Value:

Value Name: ProhibitIpSec

Data Type: REG_DWORD

Value: 1

5Exit from the Registry Editor.

6Restart your computer (Registry changes will not take effect if you do not restart the computer).

Configuring a Cisco Router to Support Encryption for L2TP Tunnels

Cisco routers support encryption for both PPTP and L2TP tunnels. However, to configure encryption for an L2TP tunnel you must first modify the router’s default configuration settings.

To configure Cisco router settings to support encryption for an L2TP tunnel, perform the following steps:

1In Cisco router configuration mode, enter the following commands to configure tunnel authentication:

aaa authentication login cisco local

aaaauthentication ppp default local aaa authorization network default local username <username> password <password>

2In Cisco router configuration mode, enter the following commands to configure the router as an L2TP server:

Image 47

3Com OfficeConnect Remote 812 Value Name ProhibitIpSec, Configuring a Cisco Router to Support Encryption for L2TP Tunnels

Contents

Part Number 10043337 AA ReleaseOfficeConnect Remote ADSL Router CLI User’s Guide 95052-8145 3Com Corporation5400 Bayfront Plaza Santa Clara, CaliforniaCONFIGURATION METHODS Table of ContentsACCESSING THE CONFIGURATION INTERFACE CLI COMMAND CONVENTIONS AND TERMINOLOGYIPX Routing Network Service PPP QUICKVC SETUPMANUAL SETUP Starting QuickVC SetupSetting Up a Virtual Private Network VPN Tunnel Monitoring the DHCP Relay Configuring IPX for Remote Site ConnectionsSetting Date and Time Using Network Time Protocol NTP Providing TFTP AccessOFFICECONNECT REMOTE 812 SAMPLE CONFIGURATION CLI COMMAND DESCRIPTION disable securityoption snmp useraccess list processes list accesslist ip addresses list services B list snmp communities or list snmp trapcommunities B set system TELNET TCP COUNTERSINPUT COUNTERS Output Pause 3COM CORPORATION LIMITED WARRANTY FCC CLASS A VERIFICATION STATEMENTFCC CLASS B STATEMENT FCC DECLARATION OF CONFORMITY POSITIONAL HELP B Command Completion BMacintosh Computers ACCESSING THE CONFIGURATION 1 INTERFACEEstablishing Communications with the OfficeConnect Remote IBM-PC Compatible Computerstelnet ipaddress UNIX-Based ComputersParameters CLI COMMAND CONVENTIONS AND 2 TERMINOLOGYCommand Structure add ip network is the commandHelp CommandAbbreviation and CompletionConventions Command Language Terminology Page QuickVC Setup Instructions CONFIGURATION METHODSQuick Setup Instructions 3-2 CHAPTER 3 CONFIGURATION METHODS Manual Setup InstructionsADSL Router Installation Guide QUICK SETUPCLI Quick Setup Script Restoring the OfficeConnect Remote 812 to an Unconfigured StatePassword Protection Quick Setup ScriptQuick Setup Script Instructions Do you want to continue Quick Setup?Quick Setup Management Information Quick Setup Identification Information4-4 CHAPTER 4 QUICK SETUP Quick Setup IP InformationTELNET information Quick Setup IPX Information TELNET Management Quick Setup Bridge InformationSample Identification Information Management InformationSample Output Display as Quick Setup Executes Page Starting QuickVC Setup OCR-DSL quickvc QUICKVC SETUPCLI QuickVC Setup Script Network Service PPP CLI QuickVC Setup Script Bridging Service PPPService RFC IPX Routing Networkas Quick Setup Executes Sample IdentificationInformation Sample Output DisplayPage Configuration Overview MANUAL SETUPmemory Remember to save your configuration using the save all command beforeRemote Site ManagementConfiguring Network Service Information set vc vc name networkservice pppset vc vc name dynamicipaddressing dhcpclient set vc vc name networkservice pppoeset vc vc name networkservice pppoa Currently, the SVC capability is disabled in the OCRwhen transmitting data to the remote site Setting Up a Virtualset vc vc name atm categoryofservice unspecifed pcr cell rate set vc vc name atm categoryofservice constant pcr cell rateOn the 812 ADSL Router “Client” Side VPN Tunneling Overview Before You Begin Initiating a VPN TunnelOn the Remote Private Network “Server” Side Enabling and Disabling a disable tunnel commandVPN Tunnel list tunnel Use this command to list the name and status of tunnels Values Authentication and EncryptionTo learn how to set up encryption using the CLI, see Configuring Router to Support Encryption for L2TP Tunnels Configuring Windows 2000 Server to Support CHAP AuthenticationEncryption MICROSOFT56BIT NONE REQUIREDValue Name ProhibitIpSec Configuring a Cisco Router to Support Encryption for L2TP Tunnelsaaa authentication login cisco local interface Ethernet1/2 peer default ip address pool L2TPvpdn-group 1 accept-dialin protocol l2tp virtual-template terminate-from hostname OfficeConnect local name c7200error ppp authentication papRIP Configuration router rip ver network IP Pool for L2TP Tunnel Debug vpdn command6-14 CHAPTER 6 MANUAL SETUP IP Routingshow ip routing settings enable ip forwardingenable ip RIP disable ip RIPaddressselection negotiateRemote Site The defaultrouteoption can only be enabled in one VC profileset vc vc name 6-18 CHAPTER 6 MANUAL SETUP Configuring Static and Framed IP RoutesAddress Translation used For a vc added using QuickVC, NAT is enabled by defaultcontinues to run until a NAT port frees up Use the following command to configure PAT in a vc profile port 80, private port 80, and the private address of the LAN Server6-22 CHAPTER 6 MANUAL SETUP Intelligent PATset vc vc name natoption nat set vc vc name intelligentpatoption Enable/DisablePlease also note the following Enabling NAT6-24 CHAPTER 6 MANUAL SETUP Configuring NAT Static and Dynamic MappingsAND / OR add nat dynamic vc vc name publicpoolstart ip address count numberlist nat vc vc name port port list nat vc vc name addrRemote DHCP Configuring the DHCP Modeset dhcp server router ip address set dhcp server startaddress ip address endaddress ip addressset dhcp server mask ip address set dhcp server lease secondslist dhcp server leases Configuring the DHCPset dhcp mode relay show dhcp server countersset dns enable dnsshow dns settings timeoutlist dns servers Access ListsIPX Routing 6-32 CHAPTER 6 MANUAL SETUP Enabling IPX Routing Configuring IPX for the LANConfiguring IPX for Remote Site Connections add ipxroute vc vc name ipxnet ipx network address metric number Configuring IPX Static and Framed Routes6-34 CHAPTER 6 MANUAL SETUP Configuring IPX Static and Framed Servicesdelete ipx service name type hex number add ipxservice vc vc name hops numberset ipx network network name Configuring IPX RIP and SAPBridging set ipx network network name6-36 CHAPTER 6 MANUAL SETUP Configuring Bridging for the Remote Site ConnectionsBridging IP Traffic Configuring Bridging for the LANset bridge agingtime seconds show ip settingsset bridge forwarddelay seconds Advanced Bridging Optionsset bridge firewall discardroutedprotocols set vc vcname macrouting enableSimultaneous Bridging and Routing set bridge firewall fwdunicastonly AdministrationSetting Date and Time SystemFor example set date 01-JAN-1998 Network Time Protocol CLI Commandsset enable ntp set disable ntpset retransmissions number set timeout secondsset secondaryserver ipnameoraddr set pollinginterval secondsNTP Servers clock.psu.edu delete user name show systemset system name name location location contact contact list userslist tftp clients Setting Password ProtectionAfter logging in to the CLI, you can exit the CLI with the command exit cli6-46 CHAPTER 6 MANUAL SETUP OfficeConnect Remote 812 Filtering CapabilitiesData Filtering Overview Filter Classes The OCR 812 supports three filter classes Overview Creating Filters UsingCommand Line Creating FiltersProtocol Rules IP 1 ACCEPT src-addr=xxx 2 ACCEPT dst-addr=yyy 999 DENY The OR operation can be implemented by successive rulesLENGTH - The number of bytes in the packet to compare to the value IP RIP Packet Filtering Using CLI IP Source and Destination Network Filtering Using CLIIP Source and Destination Port Filtering Using CLI IP Protocol Filtering Using CLIIPX Source and Destination Socket Number Filtering Using CLI IPX Source and Destination Network Filtering Using CLIIPX Source and Destination Host Filtering Using CLI IPX 1 ACCEPT src-socket = 999 DENY IPX RIP Packet Filtering Using CLIIPX SAP Packet Filtering Using CLI Bridge / Generic Filtering Using CLImemory Using CLICreating Filter Files Assigning Filters VC/Remote Site Filters Applying Filters UsingInterface Using CLI by entering the CLI command set interface eth1 filteraccess offVPN Tunnel Using CLIFilter List Using CLI Managing FiltersDeleting a Packet Filter an Interface Using CLIRemoving a Filter from VC/Remote Site Profile6-60 CHAPTER 6 MANUAL SETUP Overview OFFICECONNECT REMOTE 812 SAMPLE A CONFIGURATIONSample Configuration OCR 812 featuresadd user root password !root Configuring theGlobal Configuration enable securityoption remoteuser administrationset dhcp server dns1 192.168.200.254 dns2 add dns server * vc Internet enable dnsadd ipx network ipx address 10 frame ethernetii enable yes disable bridge spanningtree add bridge network bridgeset vc Internet iprouting listen set vc Internet sendname internet-user sendpassword 1a2b3cset vc Internet defaultrouteoption enable enable vc Internet Configuring the Sample Network A-5 set vc corp-net ipxaddress 0 ipxrouting all enable vc corp-netset vc corp-net iprouting both Page vcblknetbios CLI Command DescriptionCLI Commands add accessprimaryaddress ipaddress secondaryaddress ipaddress vcname vcname metric add ip defaultrouteadd framedroute vc name iproute ipaddress metric numbergateway gatewayaddr metric hopcount address ipxaddress interface eth1 enabled yesadd ip network networkname address ipnetaddress frame ETHERNETII SNAP LOOPBACK interface eth1gateway ipxhostaddress metric metricnumber ticks ticknumber add ipx service servicenametype servicetype add ipx route ipxnetaddressadd ipxroute vc name ipxnet ipxaddress metric hopcount ticks ticknumbertype servicetype add ipxservice vc nameCLI Commands B-7 add network service servicename statusservertype servertype socket socketnumber enabled YES data “string” closeactiveconnections TRUE FALSE Add network service exampleadd networkservice CLIaccess servertype TELNETD socket address ipaddress access RO RWadd tunnel add snmp trapcommunity nameipnameoraddr address ipaddressenabled yes add user nameadd vc name arp output outputfilename ipnameoraddrtype servicetype delete ipx route ipxnetaddress delete ipx service servicenamedelete pat tcp vc vcnameentries publicaddress ipaddresspublicpoolstart ipaddress tunnelnamebridge forwarding DISABLEdisable ip network DIALoutput outputfile disable snmpinterfacename interface settings command authentication trapsnetworks ENABLEinterfacename interface settings command using list network servicesHANGUP interfacenameLIST HELPHISTORY KILLmgmt - unknown, but filtering information exists CLI Commands B-19 If Name - eth1, DA1 or loopbackInterface - eth1, DA1 or loopback Prot - LOCAL or RIP trapcommunities not list access Quit PAUSED COMMANDSMore or CR Continue printingRESOLVE timeout timeoutvaluePING RENAMEset bridge forwarddelay secondsset command history numerical range idle timeout minutes SAVEaddress IPaddress enabled YES NOset dhcp relay server1 set dhcp relay server2DNS2 IPaddress set dns cachesize number numberretries number timeout secondsset dhcp server DNS1 IPaddressroutingprotocol NONE RIPV1 RIPV2 filteraccess ON OFF inputfilter filtername outputfilter filternameset interface interfacename B-28 APPENDIX B CLI COMMAND DESCRIPTION CLI Commands B-29 routerid routeridsapupdateinterval number rip BOTH DISABLE LISTEN RESPONDONLY SEND ripagemultiplier numberrippacketsize number ripupdateinterval number sap BOTH DISABLE LISTEN RESPONDONLY SEND sapagemultiplier numberSets parameters for dynamic IPX networks set network service adminnamepoolmembers number Sets parameters for configured network servicesFor in-depth information about CHAP and PAP, see RFC A VPN tunnel can only be configured for MSCHAPv1 by using the CLIAuthentication Options MPPE Options address IPaddress access RO RWNONE REQUIRED location “location” transmitauthenticationname nameset system name “name”message “message” password passwordsessiontimeout seconds set user usernameip enable disable bridging enable disabledefaultrouteoption enable disable idletimeout secondsCLI Commands B-37 pcr number categoryofservice Unspecified UBR Variable VBRset vc vcname atm set numberSets ATM parameters for VCs Total errored seconds in previous 15 minutes Total time since system reboot hours, minutes, secondsErrored seconds since last link down Total errored seconds in 15 minutesFields Base Aging Time - time to age out a known MAC address, defaultHistory Depth Current Prompt OCR-DSL Local Prompt OCR-DSL settings Problems with Name Server - internal server error show dns counters show dns settings show filter filternameSPECIFIC ERROR COUNTERS OUTPUT COUNTERS ICMP COUNTERSINPUT COUNTERS OUTPUT COUNTERS show interface interfacename countersshow interface Displays INPUT COUNTERSsettings Fragments Needing Reassembly - # of fragmented datagramsIP Dynamic Address Pool Begin - start of IP address range IP Dynamic Address Pool Size - size of IP address rangeINPUT COUNTERS show ipx counters show ipx network networkname countersOUTPUT COUNTERS settings show ipx ripcounters settingsDefault Gateway - default IPX router address show ipx sapDynamic Address Pool Begin - starting IPX address settingsname counters vcname settingsname settings vcname countersOperational Status - opened or not opened SETTINGS for PPP BUNDLESETTINGS for PPP BUNDLE 1 COMPRESSION SETTINGS for PPP LINK 1INPUT COUNTERS show snmp counters Displays many SNMP statisticsOUTPUT COUNTERS System Contact - modify using set systemSystem Location - modify using set system System Descriptor - for exampleOUTPUT COUNTERS TCP SETTINGSTCP COUNTERS INPUT COUNTERSverify filter CommandsTELNET VERIFYCommand Features CLI Exit CommandsB-58 APPENDIX B CLI COMMAND DESCRIPTION CommentsINDEX Server Input and Output filters contrasted Static Services Passwords Page Page Page SOFTWARE 3Com Corporation LIMITED WARRANTYSTANDARD WARRANTY SERVICE HARDWAREModelDescription FCC CLASS B STATEMENTFCC DECLARATION OF CONFORMITY The Interference Handbook