Motorola Wing 5 Manual

    							PROFILES 7 - 35
    • controller hello-interval  adjacency-hold-time 
    Examples
    rfs7000-37FABE(config-profile-default-RFS7000)#controller group test
    rfs7000-37FABE(config-profile-default-RFS7000)#controller host 1.2.3.4 pool 2
    rfs7000-37FABE(config-profile-default-RFS7000)#show context
    profile RFS7000 default-RFS7000
     no autoinstall configuration
     no autoinstall firmware
     crypto isakmp policy default
     crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
     interface me1
     interface ge1
      ip dhcp trust
      qos trust dscp
      qos trust 802.1p
     interface ge2
      ip dhcp trust
      qos trust dscp
      qos trust 802.1p
     interface ge3
      ip dhcp trust
      qos trust dscp
      qos trust 802.1p
     interface ge4
      ip dhcp trust
      qos trust dscp
      qos trust 802.1p
     use firewall-policy default
     controller host 1.2.3.4 pool 2
     controller group test
     service pm sys-restart
    Related Commands
    level [1|2] The following are common to the IP and hostname parameters:
    Optional. After providing the wireless controller address, optionally select one of the 
    following two routing levels:
     1 – Level 1, local routing
     2 – Level 2, inter-site routing
    pool  level [1|2] The following are common to the IP and hostname parameters:
    Optional. Sets the wireless controller’s pool
      – Select either 1 or 2 as the pool. The default is 1. After selecting the pool, 
    optionally select one of the following two routing levels:
     1 – Level 1, local routing
     2 – Level 2, inter-site routing
    hello-interval  Configures the time interval between two consecutive hello packets exchanged between 
    an AP and the wireless controller.
      – Sets the time interval in seconds.
    adjacency-hold-time  Configures the time limit in seconds after which adjacency information between the 
    wireless controller and the AP is lost and this information and link is reestablished.
      – Sets the adjacency hold time interval in seconds.
    no  Disables or reverts settings to their default
    						
    							7 - 36 WiNG CLI Reference Guide
    7.1.13 crypto
    Creating Profiles
    Use crypto to define a system-level local ID for ISAKMP negotiation and to enter the ISAKMP Policy, ISAKMP Client, or 
    ISAKMP Peer command set.
    A crypto map entry is a single policy that describes how certain traffic is secured. There are two types of crypto map 
    entries: ipsec-manual and ipsec-ike entries. Each entry is given an index (used to sort the ordered list).
    When a non-secured packet arrives on an interface, the crypto map set associated with that interface is processed (in 
    order). If a crypto map entry matches the non-secured traffic, the traffic is discarded.
    When a packet is transmitted on an interface, the crypto map set associated with that interface is processed. The first 
    crypto map entry that matches the packet is used to secure the packet. If a suitable SA exists, it is used for transmission. 
    Otherwise, IKE is used to establish an SA with the peer. If no SA exists (and the crypto map entry is “respond only”), the 
    packet is discarded.
    When a secured packet arrives on an interface, its SPI is used to look up an SA. If an SA does not exist (or if the packet fails 
    any of the security checks), it is discarded. If all checks pass, the packet is forwarded normally.
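The processing rules above, modelled as an added example (not code from the manual or the WiNG software). It assumes entries match on the remote network, that traffic matching no entry is forwarded unprotected, and it replaces the IKE exchange with a stand-in that simply installs an SA; all class and function names are hypothetical.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class Entry:
    index: int                  # sort key within the crypto map set
    selector: str               # assumed match criterion: remote network
    respond_only: bool = False  # entry never initiates IKE


class CryptoMapSet:
    def __init__(self, entries):
        self.entries = sorted(entries, key=lambda e: e.index)
        self.sa_by_entry = {}   # entry index -> SPI of an established SA
        self.next_spi = 0x1000

    def _match(self, addr):
        ip = ip_address(addr)
        return next((e for e in self.entries
                     if ip in ip_network(e.selector)), None)

    def transmit(self, dst):
        entry = self._match(dst)            # first match in index order wins
        if entry is None:
            return "forward-clear"          # assumption: no entry, no IPsec
        if entry.index not in self.sa_by_entry:
            if entry.respond_only:
                return "discard"            # no SA and IKE may not be started
            self.sa_by_entry[entry.index] = self.next_spi  # stand-in for IKE
            self.next_spi += 1
        spi = self.sa_by_entry[entry.index]
        return f"protect entry={entry.index} spi={spi:#x}"

    def receive_clear(self, src):
        # Clear traffic that an entry says must be protected is dropped.
        return "discard" if self._match(src) else "forward"

    def receive_secured(self, spi, checks_ok=True):
        known = spi in self.sa_by_entry.values()
        return "forward" if known and checks_ok else "discard"


def demo():
    # Constructed entries: index 10 shadows the broader index 20 for 10.1.0.0/16.
    cms = CryptoMapSet([Entry(20, "10.0.0.0/8"),
                        Entry(10, "10.1.0.0/16", respond_only=True),
                        Entry(30, "172.16.0.0/12")])
    return [cms.transmit("10.1.2.3"), cms.transmit("172.16.5.5"),
            cms.transmit("172.16.5.6"), cms.transmit("192.0.2.1"),
            cms.receive_clear("172.16.5.5"), cms.receive_secured(0x1000),
            cms.receive_secured(0x2222)]
```

The first result is a discard even though the index 20 entry also covers 10.1.2.3, which is why the entry index deserves review whenever selectors overlap.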
    Supported in the following platforms:
     AP300
     AP621
     AP650
     AP6511
     AP6521
     AP6532
     AP71XX
     RFS4000
     RFS6000
     RFS7000
     NX9000
     NX9500
    Syntax
    crypto [ipsec|isakmp|map|pki]
    crypto ipsec [security-association|transform-set]
    crypto ipsec security-association lifetime [kilobytes |seconds ]
    crypto ipsec transform-set  [ah-md5-hmac|ah-sha-hmac|esp-3des|esp-aes|esp-aes-192|esp-aes-256|esp-des|esp-md5-hmac|esp-sha-hmac]
    crypto ipsec transform-set  [ah-md5-hmac|ah-sha-hmac|esp-md5-hmac|esp-sha-hmac]
    crypto ipsec transform-set  [esp-3des|esp-aes|esp-aes-192|esp-aes-256|esp-des] {esp-md5-hmac|esp-sha-hmac}
    crypto isakmp [aggressive-mode-peer|client|keepalive|key|policy]
    crypto isakmp aggressive-mode-peer [address|dn|hostname]
    crypto isakmp aggressive-mode-peer [address |dn |hostname ] key [0 |2 |]
    crypto isakmp client configuration group default
    crypto isakmp keepalive
    crypto isakmp key [0 |2 |] address
    crypto isakmp policy
    crypto map   [ipsec-isakmp|ipsec-manual] {dynamic}
    crypto pki import crl  URL
    Parameters
    • crypto ipsec security-association lifetime [kilobytes |seconds ]
    • crypto ipsec transform-set  [ah-md5-hmac|ah-sha-hmac|esp-md5-hmac|esp-sha-hmac]
    ipsec Configures Internet Protocol Security (IPSec) policy parameters
    security-association Configures IPSec SAs parameters
    lifetime [kilobyte |seconds] Defines the IPSec SA lifetime (in kilobytes and/or seconds). Values can be entered in both 
    kilobytes and seconds; whichever limit is reached first ends the SA. When the SA 
    lifetime ends, it is renegotiated as a security measure.
     kilobytes – Specifies a volume-based key duration, the minimum is 500 KB and the 
    maximum is 2147483646 KB.
      – Specify a value from 500 - 2147483646 KB.
     seconds – Specifies a time-based key duration, the minimum is 90 seconds and the 
    maximum is 2147483646 seconds
      – Specify a value from 90 - 2147483646 seconds
    ipsec Configures IPSec policy parameters
    transform-set Defines transform configuration (authentication and encryption) for securing data
      – Specify a name for the transform set.
    Specify the transform set used by the IPSec transport connection to negotiate the 
    transform algorithm.
    ah-md5-hmac Configures the AH-HMAC-MD5 transform. The transform set is assigned to a crypto 
    map using the map’s set transform-set command.
    ah-sha-hmac Configures the AH-HMAC-SHA transform. The transform set is assigned to a crypto map 
    using the map’s set transform-set command.
    esp-md5-hmac Configures the Encapsulating Security Payload (ESP) transform using HMAC-MD5 
    authorization. The transform set is assigned to a crypto map using the map’s set 
    transform-set command.
    esp-sha-hmac Configures ESP transform using HMAC-SHA authorization. The transform set is 
    assigned to a crypto map using the map’s set transform-set command. 
    						
    • crypto ipsec transform-set  [esp-3des|esp-aes|esp-aes-192|esp-aes-256|esp-des] {esp-md5-hmac|esp-sha-hmac}
    • crypto isakmp aggressive-mode-peer [address |dn |
    hostname ] key [0 |2 |]
    ipsec Configures IPSec policy parameters
    transform-set  Defines transform configuration (authentication and encryption) for securing data
      – Specify the transform set name.
    Specify the transform set used by the IPSec transport connection to negotiate the 
    transform algorithm.
    esp-3des Configures the ESP transform using 3DES cipher (168 bits). The transform set is assigned 
    to a crypto map using the map’s set transform-set command.
    esp-aes Configures the ESP transform using Advanced Encryption Standard (AES) cipher. The 
    transform set is assigned to a crypto map using the map’s set transform-set command.
    esp-aes-192 Configures the ESP transform using AES cipher (192 bits). The transform set is assigned 
    to a crypto map using the map’s set transform-set command.
    esp-aes-256 Configures the ESP transform using AES cipher (256 bits). The transform set is assigned 
    to a crypto map using the map’s set transform-set command.
    esp-des Configures the ESP transform using Data Encryption Standard (DES) cipher (56 bits). The 
    transform set is assigned to a crypto map using the map’s set transform-set command.
    {esp-md5-hmac|esp-sha-hmac} The following are common to all of the above transform sets:
     esp-md5-hmac – Optional. Configures ESP transform using HMAC-MD5 authorization
     esp-sha-hmac – Optional. Configures ESP transform using HMAC-SHA authorization
    isakmp Configures Internet Security Association Key Management Protocol (ISAKMP) policy, 
    also known as IKE policy.
    aggressive-mode-peer Sets identification mode for the remote peer
    address  Identifies remote peer by its IP address
      – Specify the IP address of the remote peer.
    dn  Identifies remote peer by its distinguished name
      – Specify the distinguished name of the remote peer.
    hostname  Identifies remote peer by its hostname
      – Specify the hostname of the remote peer.
    key [0 |2 |] The following are common to the address, dn and hostname parameters:
     key – Sets a pre-shared key for the remote peer
     0  – Sets a clear text key. The minimum length is 8 characters.
     2  – Sets an encrypted key. The minimum length is 8 characters.
      – Sets an 8-character minimum key
    						
    • crypto isakmp client configuration group default
    • crypto isakmp keepalive 
    • crypto isakmp key [0 |2 |] address 
    • crypto isakmp policy 
    • crypto map   [ipsec-isakmp|ipsec-manual] {dynamic}
    isakmp Configures ISAKMP policy, also known as IKE policy
    client Moves to the config-crypto group instance
    configuration Defines configuration set at the client end
    group Defines group (currently only one group is supported)
    default Configures the default group tag
    isakmp Configures ISAKMP policy, also known as IKE policy
    keepalive  Sets a keepalive interval for use with remote peers. It defines the number of seconds 
    between Dead Peer Detection (DPD) messages
      – Specify a value from 10 - 3600 seconds.
    isakmp Configures ISAKMP policy, also known as IKE policy
    key [0 |2 |] Sets a pre-shared key for the remote peer
     0  – Sets a clear text key. The minimum length is 8 characters.
     2  – Sets an encrypted key. The minimum length is 8 characters.
      – Sets an 8-character minimum key
    address  The following is common to all three key options:
      – Specify the IP address of the remote peer.
    isakmp Configures ISAKMP policy, also known as IKE policy
    policy  Sets a policy for an ISAKMP protection suite
      – Specify a name for the ISAKMP protection suite.
    map  Configures the crypto map, a software configuration entity that selects data flows that 
    require security processing. The crypto map also defines the policy for these data flows.
      – Specify a name for the crypto map. The name should not 
    exceed 32 characters.
     Defines the crypto map entry sequence. Specify a value from 1 - 1000.
    ipsec-isakmp Configures IPSEC w/ISAKMP
    ipsec-manual Configures IPSEC w/manual keying. Remote configuration is not allowed for manual 
    crypto map
    dynamic The following is common to the ipsec-isakmp and ipsec-manual parameters:
     Optional. Configures dynamic map entry (remote VPN configuration) for XAUTH with 
    mode-config or ipsec-l2tp configuration 
    						
    • crypto pki import crl   
    pki Configures certificate parameters. The Public Key Infrastructure (PKI) protocol creates 
    encrypted public keys using digital certificates from certificate authorities.
    import Imports a trustpoint related configuration
    crl  Imports a Certificate Revocation List (CRL). Imports a trustpoint including either a private 
    key and server certificate or a CA certificate or both
      – Specify the trustpoint name.
     Specify the CRL source address in the following format:
    tftp://[:port]/path/file
    ftp://:@[:port]/path/file
    sftp://:@[:port]>/path/file
    http://[:port]/path/file
    cf:/path/file
    usb1:/path/file
    usb2:/path/file
     Sets command replay duration from 1 - 168 hours
    Usage Guidelines
    If no peer IP address is configured, the manual crypto map is not valid and not complete. A peer IP address is required for 
    manual crypto maps. To change the peer IP address, the no set peer command must be issued first, then the new peer IP 
    address can be configured.
    Because the no command currently matches only on the IP address, a peer address can be deleted even when a wrong 
    ISAKMP value is supplied.
    rfs7000-37FABE(config-profile-default-rfs7000)#crypto isakmp key 12345678 address 4.4.4.4
    						
    Examples
    rfs7000-37FABE(config-profile-default-RFS7000)#crypto ipsec transform-set tpsec-tag1 ah-md5-hmac
    rfs7000-37FABE(config-profile-default-RFS7000-transform-set-tpsec-tag1)#
    rfs7000-37FABE(config-profile-default-RFS7000)#crypto map map1 10 ipsec-isakmp dynamic
    rfs7000-37FABE(config-profile-default-RFS7000-cryptomap-map1 10)#
    rfs7000-37FABE(config-profile-default-RFS7000)#crypto isakmp client configuration group default
    rfs7000-37FABE(config-profile-default-RFS7000-crypto-group)#
    rfs7000-37FABE(config-profile-default-RFS7000-crypto-group)#?
    Crypto Client Config commands:
      dns      Domain Name Server
      wins     Windows name server
      clrscr   Clears the display screen
      commit   Commit all changes made in this session
      end      End current mode and change to EXEC mode
      exit     End current mode and down to previous mode
      help     Description of the interactive help system
      revert   Revert changes
      service  Service Commands
      show     Show running system information
      write    Write running configuration to memory or terminal
    rfs7000-37FABE(config-profile-default-RFS7000-crypto-group)#
    rfs7000-37FABE(config-profile-default-RFS7000)#show context
    profile RFS7000 default-RFS7000
     autoinstall configuration
     autoinstall firmware
     crypto isakmp policy default
     crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
     crypto ipsec transform-set tpsec-tag1 ah-md5-hmac
     crypto map TEST 1000 ipsec-isakmp
     crypto map map1 10 ipsec-isakmp dynamic
     interface me1
     interface ge1
      ip dhcp trust
      qos trust dscp
      qos trust 802.1p
     interface ge2
      ip dhcp trust
      qos trust dscp
      qos trust 802.1p
     interface ge3
      ip dhcp trust
      qos trust dscp
      qos trust 802.1p
     interface ge4
      ip dhcp trust
      qos trust dscp
    --More--
    rfs7000-37FABE(config-profile-default-RFS7000)#
    Related Commands
    no  Disables or reverts settings to their default
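An added example (not part of the manual): a short audit of a `show context` dump that flags transform sets and ISAKMP key lines a reviewer would question, such as the AH-with-MD5 set `tpsec-tag1` configured above, which authenticates packets but does not encrypt them. The risk grading, the function name `audit` and the sample key lines are assumptions of this example; the keywords come from the syntax on this page.

```python
import re

# Keywords come from the transform-set syntax on this page; the risk notes
# are this example's assumptions, not statements from the manual.
WEAK = {
    "esp-des": "DES uses a 56-bit key",
    "esp-3des": "3DES is a legacy 64-bit block cipher",
    "ah-md5-hmac": "MD5-based HMAC is legacy",
    "esp-md5-hmac": "MD5-based HMAC is legacy",
}
CIPHERS = {"esp-des", "esp-3des", "esp-aes", "esp-aes-192", "esp-aes-256"}
ESP_AUTH = {"esp-md5-hmac", "esp-sha-hmac"}

TRANSFORM = re.compile(r"^\s*crypto ipsec transform-set (\S+)\s+(.+)$")
CLEAR_KEY = re.compile(r"^\s*crypto isakmp (?:aggressive-mode-peer .+ )?key 0 \S+")
AGGRESSIVE = re.compile(r"^\s*crypto isakmp aggressive-mode-peer .+ key ")


def audit(config):
    """Return (line_number, finding) tuples for a 'show context' dump."""
    findings = []
    for num, line in enumerate(config.splitlines(), 1):
        m = TRANSFORM.match(line)
        if m:
            name, algs = m.group(1), m.group(2).split()
            for alg in algs:
                if alg in WEAK:
                    findings.append((num, f"{name}: {alg} ({WEAK[alg]})"))
            if not CIPHERS & set(algs):
                findings.append((num, f"{name}: no ESP cipher, payload is not encrypted"))
            elif not ESP_AUTH & set(algs):
                findings.append((num, f"{name}: ESP cipher without an HMAC transform"))
        if CLEAR_KEY.match(line):
            findings.append((num, "pre-shared key stored as clear text (type 0)"))
        if AGGRESSIVE.match(line):
            findings.append((num, "aggressive mode with a pre-shared key"))
    return findings


# Constructed sample: the first three lines mirror the show context output
# above; the remaining lines are made up from the documented syntax.
SAMPLE = """\
 crypto isakmp policy default
 crypto ipsec transform-set default esp-aes-256 esp-sha-hmac
 crypto ipsec transform-set tpsec-tag1 ah-md5-hmac
 crypto ipsec transform-set legacy esp-des
 crypto isakmp key 0 ExampleKey123 address 192.0.2.10
 crypto isakmp aggressive-mode-peer address 192.0.2.20 key 0 ExampleKey456
"""

if __name__ == "__main__":
    for num, finding in audit(SAMPLE):
        print(f"line {num}: {finding}")
```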
    						
    7.1.14 isakmp-policy
    Use the (config) instance to configure ISAKMP policy configuration commands. To navigate to the config-isakmp-policy 
    instance, use the following commands:
    rfs7000-37FABE(config-profile-default-RFS7000)#crypto isakmp policy test
    rfs7000-37FABE(config-profile-default-RFS7000-isakmp-policy-test)#?
    Crypto Isakmp Config commands:
      authentication  Set authentication method for protection suite
      encryption      Set encryption algorithm for protection suite
      group           Set the Diffie-Hellman group
      hash            Set hash algorithm for protection suite
      lifetime        Set lifetime for ISAKMP security association
      no              Negate a command or set its defaults
      clrscr          Clears the display screen
      commit          Commit all changes made in this session
      end             End current mode and change to EXEC mode
      exit            End current mode and down to previous mode
      help            Description of the interactive help system
      revert          Revert changes  
      service         Service Commands
      show            Show running system information
      write           Write running configuration to memory or terminal
    rfs7000-37FABE(config-profile-default-RFS7000-isakmp-policy-test)#
    Table 7.3 summarizes ISAKMP policy commands
    Table 7.3 ISAKMP Policy Commands
    Command         Description                                                                            Reference
    authentication  Authenticates RSA pre-share keys                                                       page 7-44
    encryption      Configures encryption level of the data transmitted using the crypto-isakmp command    page 7-45
    group           Specifies Diffie-Hellman group (1 or 2) used by the IKE policy                         page 7-46
    hash            Specifies hash algorithm                                                               page 7-47
    lifetime        Specifies how long an IKE SA is valid before it expires                                page 7-48
    no              Negates a command or sets its default value                                            page 7-49
    clrscr          Clears the display screen                                                              page 5-3
    commit          Commits (saves) changes made in the current session                                    page 5-4
    do              Runs commands from EXEC mode                                                           page 4-66
    end             Ends and exits the current mode and moves to the PRIV EXEC mode                        page 5-5
    exit            Ends the current mode and moves to the previous mode                                   page 5-6
    help            Displays the interactive help system                                                   page 5-7
    revert          Reverts changes to their last saved configuration                                      page 5-13
    service         Invokes service commands to troubleshoot or debug (config-if) instance configurations  page 5-14
    show            Displays running system information                                                    page 6-4
    write           Writes information to memory or terminal                                               page 5-42
    						
    7.1.14.1 authentication
    isakmp-policy
    Sets authentication method for the ISAKMP protection suite
    Supported in the following platforms:
     AP300
     AP621
     AP650
     AP6511
     AP6521
     AP6532
     AP71XX
     RFS4000
     RFS6000
     RFS7000
     NX9000
     NX9500
    Syntax
    authentication [pre-share|rsa-sig]
    Parameters
    • authentication [pre-share|rsa-sig]
    pre-share Configures an ISAKMP suite to use with the pre-shared key
    rsa-sig Configures an ISAKMP suite to use with the Rivest-Shamir-Adleman (RSA) signature
    Examples
    rfs7000-37FABE(config-isakmp-policy-test)#authentication rsa-sig
    rfs7000-37FABE(config-profile-default-RFS7000-isakmp-policy-test)#show context
     crypto isakmp policy test
      authentication rsa-sig
    rfs7000-37FABE(config-profile-default-RFS7000-isakmp-policy-test)#
    Related Commands
    no  Disables or reverts ISAKMP policy settings to their default
    						