3Com Router User Manual
Configure Firewall 557

one to use after viewing the current time range (special or normal). For example, if the current system time falls within the special time range (which is defined by rule special acl-number), the special time range rules are used for filtering. When the current system time switches to the normal time range (which is defined by rule normal acl-number), the normal time range rules are used for filtering.

Perform the following configurations in system view.

Table 625 Enable/Disable Filtering According to Timerange
Operation                                   Command
Enable filtering according to timerange     timerange enable
Disable filtering according to timerange    timerange disable

By default, filtering based on time range is disabled. Only when filtering according to time range is enabled do the special time range access rules set by the user take effect. When this switch is disabled, the normal time range access rules are applied.

Set special time range

When you enable message filtering according to time range, the firewall adopts the user-defined special time range access rules for filtering during the time range defined by the user. A newly defined special time range becomes valid about 1 minute after it is defined, and the one defined previously becomes invalid automatically.

Perform the following configurations in system view.

Table 626 Set Special Time Range
Operation                   Command
Set special time range      settr begin-time end-time [ begin-time end-time ... ]
Cancel special time range   undo settr

By default, the system adopts the access rules defined for the normal time range for message filtering. The settr command can define up to 6 time ranges at the same time. The format of a time range is hh:mm, where hh is 0 to 23 (hours) and mm is 0 to 59 (minutes). The display clock command can be used to view the current clock status of the system.

Configuring Rules for Applying Access Control List on Interface

To apply access rules to specific interfaces to filter messages, it is necessary to apply the access control list rules to the interfaces. Users can define different access control rules for messages in both the inbound and outbound directions on one interface.

Perform the following configurations in interface view.
558 CHAPTER 39: CONFIGURING FIREWALL

Table 627 Configure Rules for Applying Access Control List on Interface
Operation                                                        Command
Specify rule for filtering received/sent messages on interface   firewall packet-filter acl-number [ inbound | outbound ]
Cancel rule for filtering received/sent messages on interface    undo firewall packet-filter acl-number [ inbound | outbound ]

By default, no rule for filtering messages on an interface is specified. In one direction of an interface (inbound or outbound), up to 20 access rules can be applied. That is, 20 rules can be applied with firewall packet-filter ... inbound, and 20 rules with firewall packet-filter ... outbound. If two rules with different sequence numbers conflict, the rule with the greater acl-number is matched preferentially.

Specifying Logging Host

The firewall supports a logging function. When an access rule is matched, and the user has specified that logging be generated for this rule, logs can be sent to the logging host, which records and saves them.

Perform the following configurations in system view.

Table 628 Specify Logging Host
Operation              Command
Specify logging host   ip host unix-hostname ip-address
Cancel logging host    undo ip host

For a detailed description of the logging host parameters, see "Logging Function" in "System Management".

Displaying and Debugging Firewall

Use the debugging, reset and display commands in all views.

Table 629 Display and Debug Firewall
Operation                                                        Command
Display firewall status                                          display firewall
Display packet filtering rule and its application on interface   display acl [ all | acl-number | interface type number ]
Display current timerange                                        display timerange
Display whether the current time is within special timerange     display isintr
Clear access rule counters                                       reset acl counters [ acl-number ]
Enable the information debugging of firewall packet filtering    debugging filter { all | icmp | tcp | udp }

Firewall Configuration Example

The following is a sample firewall configuration in an enterprise. The enterprise accesses the Internet through interface Serial 0 of one 3Com router, and provides www, FTP and Telnet services to the outside.

The internal sub-network of the enterprise is 129.38.1.0, the internal FTP server address is 129.38.1.1, the internal Telnet server address is 129.38.1.2, and the internal www server address is 129.38.1.3. The enterprise address to the outside is 202.38.160.1. Address conversion (NAT) has been configured on the router so that internal PCs can access the Internet and external PCs can access the internal servers. By configuring a firewall, the following are expected:
■ Only specific users from the external network can access the internal servers.
■ Only a specific internal host can access the external network.
In this example, assume that the IP address of the specific external user is 202.39.2.3.

Figure 172 Sample networking of firewall configuration
[Figure: enterprise Ethernet (www server 129.38.1.3, FTP server 129.38.1.1, Telnet server 129.38.1.2, specific internal PC, hosts 129.38.1.4 and 129.38.1.5) behind the Quidway router, whose WAN-side address is 202.38.160.1; a specific external PC on the WAN side]

1 Enable the firewall
[Router] firewall enable
2 Configure the firewall default filtering mode as packet pass permitted
[Router] firewall default permit
3 Configure an access rule to inhibit the passing of all packets
[Router] acl 101
[Router-acl-101] rule deny ip source any destination any
4 Configure rules to permit the specific host to access the external network and to permit the internal servers to access the external network
[Router-acl-101] rule permit ip source 129.38.1.4 0 destination any
[Router-acl-101] rule permit ip source 129.38.1.1 0 destination any
[Router-acl-101] rule permit ip source 129.38.1.2 0 destination any
[Router-acl-101] rule permit ip source 129.38.1.3 0 destination any
5 Configure a rule to permit the specific external user to access the internal servers
[Router] acl 102
[Router-acl-102] rule permit tcp source 202.39.2.3 0 destination 202.38.160.1 0
6 Configure a rule to permit specific users to obtain data (only packets with a port greater than 1024) from the external network
[Router-acl-102] rule permit tcp source any destination 202.38.160.1 0.0.0.0 destination-port greater-than 1024
7 Apply rule 101 to packets coming in on interface Ethernet0
[Router-Ethernet0] firewall packet-filter 101 inbound
8 Apply rule 102 to packets coming in on interface Serial0
[Router-Serial0] firewall packet-filter 102 inbound
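As an added example (not code from the manual), the following Python simulates the filtering decision for ACL 101 and ACL 102 above. Since the manual only names the match-order keywords, it assumes that auto order tries the most specific rule first and config order tries rules as entered, and that a packet matching no rule gets the firewall default action; the host 202.39.2.9 is a constructed outsider.

```python
# Added example, not code from the 3Com manual: simulates the packet-filter decision
# for the ACLs in steps 3 to 6. Assumptions (this example's, not the manual's):
# "auto" match order tries the most specific rule first (fewest wildcard bits),
# "config" order tries rules as entered, and a packet matching no rule gets the
# action set by "firewall default" (permit in the example above).
from dataclasses import dataclass
from ipaddress import IPv4Address
from typing import List, Optional

@dataclass(frozen=True)
class Rule:
    action: str                 # "permit" or "deny"
    proto: str                  # "ip" matches every protocol; "tcp" only TCP
    src: str                    # "any" or a dotted address
    src_wild: str               # wildcard: "0" / "0.0.0.0" = exact host
    dst: str
    dst_wild: str
    dport_gt: Optional[int] = None   # destination-port greater-than N

def _wild_bits(wild: str) -> int:
    return int(IPv4Address(wild)) if "." in wild else int(wild)

def _addr_match(addr: str, rule_addr: str, wild: str) -> bool:
    if rule_addr == "any":
        return True
    care = 0xFFFFFFFF ^ _wild_bits(wild)   # wildcard 1-bits are "don't care"
    return (int(IPv4Address(addr)) & care) == (int(IPv4Address(rule_addr)) & care)

def _specificity(rule: Rule) -> int:
    # Number of address bits the rule pins down; "any" pins none
    bits = 0
    for a, w in ((rule.src, rule.src_wild), (rule.dst, rule.dst_wild)):
        if a != "any":
            bits += 32 - bin(_wild_bits(w)).count("1")
    return bits

def rule_matches(rule: Rule, proto: str, src: str, dst: str, dport: int) -> bool:
    if rule.proto != "ip" and rule.proto != proto:
        return False
    if not (_addr_match(src, rule.src, rule.src_wild)
            and _addr_match(dst, rule.dst, rule.dst_wild)):
        return False
    return rule.dport_gt is None or dport > rule.dport_gt

def filter_packet(acl: List[Rule], proto: str, src: str, dst: str, dport: int,
                  order: str = "auto", default: str = "permit") -> str:
    # sorted() is stable, so equally specific rules keep their entry order
    rules = sorted(acl, key=_specificity, reverse=True) if order == "auto" else list(acl)
    for r in rules:
        if rule_matches(r, proto, src, dst, dport):
            return r.action
    return default

# ACL 101 (inbound on Ethernet0) and ACL 102 (inbound on Serial0), as entered in steps 3 to 6
ACL_101 = [
    Rule("deny", "ip", "any", "0", "any", "0"),
    Rule("permit", "ip", "129.38.1.4", "0", "any", "0"),
    Rule("permit", "ip", "129.38.1.1", "0", "any", "0"),
    Rule("permit", "ip", "129.38.1.2", "0", "any", "0"),
    Rule("permit", "ip", "129.38.1.3", "0", "any", "0"),
]
ACL_102 = [
    Rule("permit", "tcp", "202.39.2.3", "0", "202.38.160.1", "0"),
    Rule("permit", "tcp", "any", "0", "202.38.160.1", "0.0.0.0", dport_gt=1024),
]

if __name__ == "__main__":
    # 129.38.1.5 is the other internal host in Figure 172; 202.39.2.9 is a constructed outsider
    print(filter_packet(ACL_101, "tcp", "129.38.1.4", "202.39.2.3", 80))    # permit
    print(filter_packet(ACL_101, "tcp", "129.38.1.5", "202.39.2.3", 80))    # deny
    print(filter_packet(ACL_102, "tcp", "202.39.2.9", "202.38.160.1", 23))  # permit (default)
    print(filter_packet(ACL_102, "tcp", "202.39.2.9", "202.38.160.1", 23, default="deny"))  # deny
```

Under the example's firewall default permit, ACL 102 holds only permit rules, so traffic from other external sources falls through to the default action; restricting them would need a deny rule in ACL 102 or a deny default.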
40 CONFIGURING IPSEC

This chapter covers the following topics:
■ IPSec Protocol Overview
■ Configuring IPSec
■ Creating a Security Policy
■ Displaying and Debugging IPSec
■ IPSec Configuration Example
■ Troubleshooting IPSec

IPSec Protocol Overview

IPSec is the general name for a series of network security protocols that provide services such as access control, connectionless integrity, data origin authentication, anti-replay protection, encryption (confidentiality) and limited traffic-flow confidentiality for both communicating parties. With IPSec, there is no need to worry about data being monitored, modified or forged while it is transmitted over a public network, which enables secure VPN (Virtual Private Network) access between internal and external networks and for remote users.

NDEC Card

In the actual implementation, the packet processing performed by IPSec includes handling the ESP protocol, adding an authentication header to packets after encryption, and removing the authentication header after packets are authenticated. To ensure security, the encryption, decryption and authentication algorithms are complex. Running them on the router's main processor consumes a large amount of resources, so the overall performance of the router suffers. Using crypto cards (modular plug-in cards), the 3Com modular series routers perform encryption and decryption in hardware. This improves the router's performance compared with processing IPSec in software and raises the operating efficiency of the router.

A crypto card implements encryption/decryption with the following procedure. The router host passes the data to be encrypted or decrypted to the crypto card. The crypto card runs the encryption or decryption algorithm and adds or removes the encryption frame header. The crypto card then returns the encrypted or decrypted data to the host for forwarding.
Dividing the work of processing user data among multiple crypto cards

3Com modular series routers can support multiple crypto cards. The host software divides the work of processing user data among the crypto cards that are in normal state by polling them in turn. Thus the crypto cards process user data concurrently, which improves the speed of data encryption and decryption.

For IPSec applied on the crypto card side, the crypto cards will be unable to perform the IPSec processing if all the crypto cards on the router are in abnormal state. In this case, provided the host has been enabled to back up the crypto cards, the IPSec module of the operating system takes over the IPSec processing from the crypto cards, if the IPSec module supports the encryption/authentication algorithm used by the crypto cards. In this way the software IPSec module acts as the backup for the crypto cards. The processing mechanism of the crypto cards and that of the software IPSec module are almost the same. The only difference is that the former performs the encryption/decryption on the card hardware and the latter in the main operating system software.

IPSec Message Processing

IPSec processes messages as follows (with the AH protocol as an example):
■ Add the authentication header to messages: IP messages sent by the module from the IPSec queue are read, an AH header is added according to the configured protocol mode (transport or tunnel mode), and the message is then forwarded by the IP layer.
■ Remove the authentication header after messages are authenticated: an IP message received at the IP layer is identified as destined for a local host address with protocol number 51, then the corresponding protocol switch table entry is looked up and the corresponding input processing function is called. This function authenticates the message and compares the result with the original authentication value. If the values are the same, the AH is removed, the original IP message is restored and the IP input flow is called again for processing. Otherwise, the message is discarded.
IPSec Related Terms

The following terms are important to an understanding of IPSec:
■ Data stream: A set of traffic defined by source address/mask, destination address/mask, the upper-layer protocol number encapsulated in the IP message, source port number, destination port number, and so on. Generally, a data stream is defined by an access list, and all messages permitted by the access list are logically called a data stream. A data stream can be a single TCP connection between two endpoints, or all the traffic transferred between two subnets. IPSec can apply different security protection to different data streams, for example different security protocols, algorithms and keys for different data flows.
■ Security policy: The policy, configured manually by the user, that defines which security measures to take for which data stream. The data stream is defined by configuring multiple rules in an access list, and the security policy references this access list to determine the data flow to protect. A security policy is uniquely identified by its name and sequence number.
■ Security policy group: The set of security policies with the same name. A security policy group can be applied to or removed from an interface; applying the group applies all the security policies in it to that interface, implementing different security protection for different data streams. Within a security policy group, the policy with the smaller sequence number has the higher priority.
■ SA (Security Association): IPSec provides security services for data streams through security associations. An SA includes the protocol, algorithm, key and other parameters, and specifies how IP messages are processed. An SA is a unidirectional logical connection between two IPSec systems; inbound and outbound data streams are processed separately by an inbound SA and an outbound SA. An SA is uniquely identified by a triple (SPI, IP destination address, security protocol number (AH or ESP)). An SA can be established by manual configuration or by automatic negotiation. A manually established SA takes effect once the parameters set by the users at the two ends match. In automatic negotiation mode the SA is created and maintained by IKE: the two communicating parties match and negotiate parameters based on their own security policies without user intervention.
■ SA update time: There are two SA update modes: time-based, where the SA is updated at regular intervals, and traffic-based, where the SA is updated after a certain number of bytes has been transmitted.
■ SPI (Security Parameter Index): A 32-bit value carried by each IPSec message. The triple of SPI, IP destination address and security protocol number uniquely identifies a specific SA. When an SA is configured manually, the SPI must also be set manually; to keep SAs unique, you must specify different SPI values for different SAs. When an SA is generated by IKE negotiation, the SPI is generated at random.
■ IPSec proposal: Includes the security protocol, the algorithms used by the security protocol, and the mode in which the security protocol encapsulates messages, and prescribes how ordinary IP messages are transformed into IPSec messages. A security policy references an IPSec proposal to prescribe the protocol and algorithms adopted by that security policy.
Configuring IPSec

IPSec configuration includes:
■ Creating an Encryption Access Control List
■ Configure NDEC Cards
■ Enable the main software backup
■ Defining IPSec Proposal
■ Selecting the Encryption and Authentication Algorithm
■ Creating a Security Policy
■ Apply Security Policy Group on Interface

Creating an Encryption Access Control List

Matching against the encryption access control list determines which IP packets are encrypted before being sent and which IP packets are forwarded directly. Encryption access control lists differ from ordinary ones, which only determine which data may pass an interface. An encryption access list is defined with an extended IP access list. For one kind of communication to receive one security protection mode (only authentication, for instance) and another kind to receive a different one (both authentication and encryption, for instance), it is necessary to create two different encryption access control lists and apply them to different security policies. An encryption access control list can be used to judge both inbound and outbound communication.

To create an encryption access control list, perform the following configurations in system view.

Table 630 Create Encryption Access Control List
Operation                                          Command
Establish encryption access control list           acl acl-number [ match-order config | auto ]
(applicable to IPSec software and crypto card)     rule { normal | special } { permit | deny } pro-number [ source source-addr source-wildcard | any ] [ source-port operator port1 [ port2 ] ] [ destination dest-addr dest-wildcard | any ] [ destination-port operator port1 [ port2 ] ] [ icmp-type icmp-type icmp-code ] [ logging ]
Delete encryption access control list              undo rule { rule-id | normal | special }
(applicable to IPSec software and crypto card)     undo acl { acl-number | all }

The traffic between the source and destination addresses specified with the permit keyword is encrypted/decrypted by the peer router. The deny keyword prevents the matching traffic from being handled by the security policy that references the list, so the router neither encrypts nor decrypts that traffic (that is, the policy defined in this security policy is not applied to it). If all the security policies on an interface deny a communication, that communication is not protected by encryption.

Do not use the wildcard any in the source address or destination address of the rule command when creating an encryption ACL. When a data packet enters the router and is sent on to a router that is not configured with encryption, the keyword any will cause this router to try to establish an encryption session with a router that has no encryption.

The encryption access list defined on the local router must have a mirror encryption access list defined on the remote router, so that the communication contents encrypted locally can be decrypted remotely.

When the user uses the display acl command to browse the access lists of the router, all extended IP access lists, including those for communication filtering and those for encryption, are displayed in the command output. That is, these two kinds of extended access lists, although used for different purposes, are not distinguished in the screen output.
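To check the two constraints just described before the list is referenced by a security policy, here is an added Python example (not the manual's or the router's own code). It models rules with the fields of the rule command in Table 630, derives the mirror ACL the remote router needs and flags any; the helper names and the 10.1.1.0/24 and 10.2.2.0/24 sample networks are this example's own.

```python
# Added example, not code from the 3Com manual: pre-deployment checks on an
# encryption ACL, covering the "any" warning and the mirror requirement above.
# Rule fields follow the rule command in Table 630; helper names and the
# 10.1.1.0/24 and 10.2.2.0/24 sample networks are this example's own.
from typing import Dict, List, Optional, Tuple

Port = Optional[Tuple[str, int]]   # e.g. ("greater-than", 1024): operator, then port

def make_rule(action: str, proto: str, src: str, src_wild: str, dst: str,
              dst_wild: str, sport: Port = None, dport: Port = None) -> Dict:
    return {"action": action, "proto": proto, "src": src, "src_wild": src_wild,
            "dst": dst, "dst_wild": dst_wild, "sport": sport, "dport": dport}

def mirror_rule(rule: Dict) -> Dict:
    # The counterpart the remote router needs: source and destination swapped,
    # each keeping its port condition, so traffic encrypted here is selected for
    # decryption there
    return make_rule(rule["action"], rule["proto"], rule["dst"], rule["dst_wild"],
                     rule["src"], rule["src_wild"], rule["dport"], rule["sport"])

def mirror_acl(acl: List[Dict]) -> List[Dict]:
    return [mirror_rule(r) for r in acl]

def rules_using_any(acl: List[Dict]) -> List[int]:
    # Indexes of rules with "any" as source or destination; the manual says not
    # to use it in an encryption ACL, so report them before the ACL is referenced
    return [i for i, r in enumerate(acl) if "any" in (r["src"], r["dst"])]

def _key(r: Dict) -> Tuple:
    return (r["action"], r["proto"], r["src"], r["src_wild"],
            r["dst"], r["dst_wild"], r["sport"], r["dport"])

def is_mirror(local: List[Dict], remote: List[Dict]) -> bool:
    # Order-insensitive: every local rule has its swapped twin remotely and vice versa
    return {_key(mirror_rule(r)) for r in local} == {_key(r) for r in remote}

def to_cli(rule: Dict) -> str:
    # Render one rule in the keyword order of Table 630 (without normal/special),
    # as it would be typed on the remote router
    def side(name: str, addr: str, wild: str) -> str:
        return f"{name} any" if addr == "any" else f"{name} {addr} {wild}"
    parts = ["rule", rule["action"], rule["proto"],
             side("source", rule["src"], rule["src_wild"])]
    if rule["sport"]:
        parts.append(f"source-port {rule['sport'][0]} {rule['sport'][1]}")
    parts.append(side("destination", rule["dst"], rule["dst_wild"]))
    if rule["dport"]:
        parts.append(f"destination-port {rule['dport'][0]} {rule['dport'][1]}")
    return " ".join(parts)

# Constructed local encryption ACL: protect site A (10.1.1.0/24) to site B (10.2.2.0/24)
LOCAL_ACL = [
    make_rule("permit", "ip", "10.1.1.0", "0.0.0.255", "10.2.2.0", "0.0.0.255"),
    make_rule("permit", "tcp", "10.1.1.0", "0.0.0.255", "10.2.2.0", "0.0.0.255",
              dport=("greater-than", 1024)),
]
# Constructed faulty remote ACL: addresses swapped, but the port condition was left
# on the destination side instead of moving to the source side
BAD_REMOTE_ACL = [
    make_rule("permit", "ip", "10.2.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255"),
    make_rule("permit", "tcp", "10.2.2.0", "0.0.0.255", "10.1.1.0", "0.0.0.255",
              dport=("greater-than", 1024)),
]

if __name__ == "__main__":
    for r in mirror_acl(LOCAL_ACL):
        print(to_cli(r))                           # the two rules to enter on the remote router
    print(is_mirror(LOCAL_ACL, BAD_REMOTE_ACL))    # False
```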
Configure NDEC Cards

Enable the crypto cards

When several crypto cards on the router work simultaneously, the enable and disable commands can be used to manage them. To facilitate management and debugging, you can set a crypto card to disabled state (it does not process data) or enabled state as needed. Executing the enable command on a crypto card in disabled state resets and initializes it.

Perform the following configurations in system view.

Table 631 Enable/Disable the NDEC Card
Operation                 Command
Enable the crypto card    encrypt-card enable [ slot-id ]
Disable the crypto card   encrypt-card disable [ slot-id ]

By default, all the crypto cards are enabled.

Synchronize the crypto card clock with the router host clock

NDEC cards have their own clock. To keep the crypto card clock synchronized with the host clock, the host periodically sends a clock synchronization command to the crypto card. Users can synchronize the crypto card clock with the host clock immediately using the following command.

Perform the following configuration in system view.

Table 632 Synchronize the NDEC Card Clock and the Router Host Clock
Operation                                                        Command
Synchronize the crypto card clock (applicable to crypto cards)   encrypt-card set time [ slot-id ]

Set the output of the crypto card log

Perform the following configuration in system view.

Table 633 Set the Output of the NDEC Card Log
Operation                                                        Command
Enable/Disable the output of log (applicable to crypto cards)    encrypt-card set syslog { enable | disable } [ slot-id ]

By default, log output is disabled.

Enable the main software backup

For SAs applied on the encrypt-card side, the IPSec processing of the traffic is shared among the encrypt-cards in normal status as long as there are such cards on the router. If all the encrypt-cards are abnormal, no encrypt-card can perform the IPSec processing. In this case, provided the host has been enabled to back up the encrypt-cards, the IPSec module (the main software) takes over the IPSec processing of the packets, if it supports the encryption/authentication algorithm used by the SA. If it does not, the packets are discarded.

Perform the following configurations in system view.
Table 634 Enable/Disable the Host to Backup the NDEC Cards
Operation                                      Command
Enable the host to backup the crypto cards     encrypt-card backuped
Disable the host to backup the crypto cards    undo encrypt-card backuped

By default, the host is not enabled to back up the crypto cards.

Defining IPSec Proposal

An IPSec proposal (transform) combines a specific security protocol with encryption/authentication algorithms, and supplies the security parameters used when negotiating an IPSec security association. Both ends must use the same proposal for the IPSec security association to be negotiated successfully.

Define IPSec proposal

Multiple IPSec proposals can be defined, and one or more of them can be referenced in one security policy. When a security association is created manually, the same security protocol and algorithm transform must be configured at both ends. If you modify the proposal after a security association has been negotiated successfully, that security association still uses the former proposal, while newly negotiated security associations use the new one. To make the new setting take effect at once, use the reset ipsec sa command to clear part or all of the SA database.

Perform the following configurations in system view.

Table 635 Define IPSec Proposal
Operation                                                                          Command
Define IPSec proposal and enter IPSec proposal view (applicable to IPSec software)  ipsec proposal proposal-name
Delete IPSec proposal view (applicable to IPSec software)                           undo ipsec proposal proposal-name
Define IPSec proposal and enter IPSec proposal view (applicable to crypto card)     crypto ipsec card-proposal proposal-name
Delete IPSec proposal view of the crypto card (applicable to crypto card)           undo crypto ipsec card-proposal proposal-name

By default, no proposal is configured.

Set the Mode for Security Protocol to Encapsulate IP Messages

The IP message encapsulation mode selected by the two ends of a security tunnel must be consistent. Configure the following in IPSec proposal view (or crypto card proposal view).

Table 636 Set the Mode for Security Protocol to Encapsulate Messages
Operation                                                                                                  Command
Set the mode for security protocol to encapsulate messages (applicable to IPSec software and crypto card)  encapsulation-mode { transport | tunnel }