Example Display IPsec policy profiles | Patton electronic 2800

OnSite 2800 Series User Manual	6 • VPN configuration

Example: Display IPsec transformation profiles

2800(cfg)#show profile ipsec-transform

IPSEC transform profiles:

Name: AES_128

ESP Encryption: AES-CBC, Key length: 128

Example: Display IPsec policy profiles

2800(cfg)#show profile ipsec-policy-manual

Manually keyed IPsec policy profiles:

Name: ToBurg, Peer: 200.200.200.1, Mode: tunnel, transform-profile: AES_128 ESP SPI Inbound: 1111, Outbound: 2222

ESP Encryption Key Inbound: 1234567890ABCDEF1234567890ABCDEF

ESP Encryption Key Outbound: FEDCBA0987654321FEDCBA0987654321

Debugging IPsec

A debug monitor and an additional show command are at your disposal to debug IPsec problems.

Procedure: To debug IPsec connections

Mode: Configure

Step	Command	Purpose

1	node(cfg)#debug ipsec	Enables IPsec debug monitor
2	node(cfg)#show ipsec security-associ-	Summarizes the configuration information of all
optional	ations	IPsec connections. If an IPsec connection does
		not show up, then one or more parameters are
		missing in the respective Policy Profile.
		The information ‘Bytes (processed)’ supports
		debugging because it indicates whether IPsec
		packets depart from (‘OUT’) or arrive at (‘IN’) the
		OnSite router.

Example: IPsec Debug Output

2800(cfg)#debug ipsec IPSEC monitor on

23:11:04 ipsec > Could not find security association for inbound ESP packet. SPI:1201

Example: Display IPsec Security Associations

2800(cfg)#show ipsec security-associations

Active security associations:

Dir Type	Policy	Mode	Udp-Encapsulation
Peer	SPI AH	SPI ESP	AH	ESP-Auth	ESP-Enc
Bytes (processed/lifetime)		Seconds (age/lifetime)

VPN configuration task list

74

Image 74

Patton electronic 2800 user manual Example Display IPsec transformation profiles, Example Display IPsec policy profiles

Contents

Managed VPN Router Mailsupport@patton.com Summary Table of Contents Table of Contents Getting started with the OnSite Managed VPN Router VPN configuration LEDs status and monitoring 112 Cabling 124 OnSite 2800 Series factory configuration 132 List of Figures List of Tables Structure About this guideAudience Precautions Impaired functioning Safety when working with electricity General observations Typographical conventions used in this document General conventions Chapter contents General information OnSite Model 2800 Series overview OnSite Managed VPN Router 2805 shown OnSite 2800 Series detailed description OnSite 2800 Series model codes DMZ OnSite 2800 Series power input connectors Model code extensions Ports descriptions OnSite 2800 Series rear-panel ports are described in table Applications overview Corporate multi-function virtual private network Corporate multi-function virtual private network General information Hardware installation Planning the installation Create a network diagram see section Network information on Installation checklist Network information Power sourceSite log IP related information Installing the Ethernet cable Installing the VPN routerConnecting cables Location and mounting requirements Installing the serial WAN cable Connecting an OnSite 2800 Series device to a hub DCD Hardware installation Rear panel of 2803K/EUI Pins not listed are not used Rear panel of 2803K/UI Connecting to external power source Power connector location on rear panel UI and EUI power supplies automatically adjust to accept an Getting started with the OnSite Managed VPN Router Configure IP address Introduction All Ethernet interfaces are activated upon power-up Configure IP addressPower connection and default configuration Terminal emulation program settings 9600 bps No parity Bit Stop bit No flow control LoginSelect the context IP mode to configure an IP interface Changing the IP address Respectively from the host ping Load configurationConnect the OnSite VPN Router to the network Load configuration Serial port configuration Serial port configuration task list Disabling an interface Enabling an interface Port Configuring the encapsulation for Frame RelayExample Configuring the serial encapsulation type Enter Frame Relay mode Configuring the LMI type Configuring the keep-alive interval Entering Frame Relay PVC configuration mode Configuring the PVC encapsulation type Binding the Frame Relay PVC to IP interface Mode PVC Enabling a Frame Relay PVC Disabling a Frame Relay PVC Displaying serial port information CRC Displaying Frame Relay information Dlci Integrated service access Configure the serial interface settings Port Configure the introduced PVCs Check that the Frame Relay settings are correct T1/E1 port configuration T1/E1 port configuration task list Enable/Disable T1/E1 port Configuring T1/E1 clock-mode Mode port e1t1 slot portConfiguring T1/E1 port-type Configuring T1/E1 line-code Configuring T1/E1 used-connector E1 only Configuring T1/E1 framingConfiguring T1/E1 line-build-out T1 only Name prt-e1t1 slot/port# framing Configuring T1/E1 encapsulation Configuring T1/E1 application modeConfiguring T1/E1 LOS threshold Default short-haul Mode channel-group group-name Be used Mode port e1t1 slot portConfiguring Channel-Group Timeslots Configuring Channel-Group Encapsulation T1/E1 Configuration Examples Configuring Hdlc CRC-TypeConfiguring Hdlc Encapsulation Default no encapsulation Example 1 Frame Relay without a channel-group Example 4 PPP with a channel-group Example 2 Framerelay with a channel-groupExample 3 PPP without a channel-group VPN configuration Authentication Encryption Creating an IPsec transformation profile VPN configuration task listTransport and tunnel modes Procedure To create an IPsec policy profile Creating an IPsec policy profile Nodecfg#profile ipsec-policy-man Creating/modifying an outgoing ACL profile for IPsec Configuration of an IP interface and the IP router for IPsec Displaying IPsec configuration information Debugging IPsec Example Display IPsec transformation profilesExample Display IPsec policy profiles Example IPsec Debug Output IPsec tunnel, DES encryption Sample configurationsOnSite configuration Cisco router configuration Cisco router configuration VPN configuration Access control list configuration Why you should configure access lists About access control listsWhat access lists do When to configure access lists Features of access control lists Access control list configuration task list Mapping out the goals of the access control list Nodepf-acl name#permit ip src src-wildcard any Where the syntax is Src-wildcard Nodepf-acl name#deny icmp src src-wildcard Nodepf-acl name#permit icmp src src-wildcard anyType type type type code code cos group Any host src dest dest-wildcard any host dest Where the syntax is as following Msg name Port lt port range from to cos group cos-rtp group Nodepf-acl name#permit tcp udp sctp src src-wildCard any host src eq port gt port lt port range Nodepf-acl name#deny tcp udp sctp src src Group-data Where the syntax is Debugging an access control list profile Unbind an access control list profile from an interfaceDisplaying an access control list profile Control list profile shall be debugged Examples Denying a specific subnet Link scheduler configuration Configuring access control lists Applying scheduling at the bottleneck Configuring quality of service QoSUsing traffic classes Priority Weighted fair queuing WFQIntroduction to Scheduling Hierarchy ShapingBurst tolerant shaping or wfq Some explanations Setting the modem rateQuick references Link scheduler configuration task list Command cross reference Defining the access control list profile Packet classification Creating an access control list Scenario with Web server regarded as a single source host Nodepf-acl name#permit ip host ip-address any traffic-class Creating a service policy profileNodecfg#profile acl name Nodepf-acl name#permit ip any any Structure of a Service-Policy Profile Defining fair queuing weight Specifying the handling of traffic-classes Defining absolute priority Specifying the type-of-service TOS fieldDefining the bit-rate Defining the maximum queue length Nodesrc name#set ip tos value Specifying differentiated services codepoint Dscp markingSpecifying the precedence field Nodesrc name#set ip precedence value Nodesrc name#set layer2 cos value Specifying layer 2 markingNodesrc name#set ip dscp value Nodesrc name#random-detect burst-tolerance Defining random early detectionDiscarding Excess Load Policy name in out Devoting the service policy profile to an interfaceNodeif-ip if-name#use profile service Displaying link scheduling profile information Enable statistics gatheringDisplaying link arbitration status Values defining detail of the queuing statistics LEDs status and monitoring Status LEDs Contacting Patton for assistance Patton Support Headquarters in the USA Warranty coverageContact information Return for credit policy Out-of-warranty serviceReturns for credit RMA numbers Appendix a Compliance information Radio and TV Interference FCC Part SafetyCompliance CE Declaration of Conformity Industry Canada Notice Model 2803 only Authorized European RepresentativeFCC Part 68 Acta Statement Model 2803 only Appendix B Specifications T1/E1 interface Model 2803 only Ethernet interfacesSync serial interface PPP support Management IP servicesDimensions Operating environment Internal AC version Power supplyInternal power supply 100-240 VAC, 50/60 Hz, 200 mA Appendix C Cabling Connecting a serial terminal Serial console Ethernet 10Base-T and 100Base-T Ethernet cross-over Ethernet straight-through Appendix D Port pin-outs Console port, RJ-45, EIA-561 RS-232 EIA-561 RJ-45 8-pin port RS-232 Console Port Ethernet ports are auto-detect MDI-X Ethernet 10Base-T and 100Base-T portSync serial port Serial port 21 Female DB-15 connector Appendix E OnSite 2800 Series factory configuration OnSite 2800 Series factory configuration Appendix F Installation checklist Installation checklist