
Westermo OS Management Guide

Version 4.22.0-0

37.3 Managing SSL VPN settings via the CLI

The WeOS unit can be configured as an SSL VPN server gateway (waiting for clients to connect) or as an SSL VPN client (initiating connections). We start by showing the CLI commands available when configuring an SSL VPN server gateway ("[no] server" command set to "server").

Command                                                 Default                  Section
------------------------------------------------------------------------------------------
General SSL VPN Server Gateway Settings
  tunnel                                                                         36.3.1
    [no] ssl <INDEX> server                             Server                   37.3.1, 37.3.2
    [no] enable                                         Enabled                  37.3.3
    [no] description <STRING>                           Empty                    37.3.4
    [no] type <layer2|layer3>                           layer3                   37.3.5
    [no] push-network <NETWORK/LEN>                     Disabled                 37.3.6
    [no] pool start <IPADDR> <num <NUM>|end <IPADDR>>   Disabled                 37.3.7
         [netmask NETMASK]
    [no] cn-binding <IDX>                                                        37.3.8
      [no] common-name <STRING>                                                  37.3.9
      [no] address <IPADDR/LEN>                                                  37.3.10
Authentication Settings
    [no] certificate                                    Empty                    37.3.12
    [no] ca-certificate                                 Empty                    37.3.13
    [no] tls-auth label <KEY LABEL> [direction <0|1>]   Empty                    37.3.14
    [no] aaa-method <remote-server <ID>                 Disabled                 37.3.15
         | server-group <ID> | local <ID>>
Data Security Settings
    [no] crypto <aes128-cbc|...>                        aes128-cbc               37.3.17
    [no] auth <sha1|md5>                                sha1                     37.3.18
Additional/Advanced Settings
    [no] protocol <tcp|udp>                             UDP                      37.3.19
    [no] port                                           1194                     37.3.20
    [no] outbound                                       Auto                     37.3.21
    [no] keepalive <interval <SEC> restart <SEC>>       interval 10 restart 60   37.3.22
    [no] compression [adaptive]                         Adaptive                 37.3.23
    [no] renegotiation-timeout <SEC>                    3600                     37.3.24
    [no] client-to-client                               Disabled                 37.3.25
    [no] duplicate-cn                                   Disabled                 37.3.26
    [no] max-clients <NUM>                              25                       37.3.27
Show SSL VPN Status
  show tunnel ssl [ID]                                                           37.3.29
See also (Interface and Firewall Settings)
  iface ssl<ID>
    inet <static|dynamic|dhcp>                          Dynamic (SSL)            22.6.1
    Various Interface settings                          ...                      See Sec. 22.6
  ip
    [no] firewall                                       Disabled                 32.3.1
    Various Firewall/NAT settings                       ...                      See Sec. 32.3

The table below shows the available CLI commands when configuring the WeOS unit as an SSL VPN client ("[no] server" command set to "no server").

Command                                                 Default                  Section
------------------------------------------------------------------------------------------
General SSL VPN Settings
  tunnel                                                                         36.3.1
    [no] ssl <INDEX> no server                          Server                   37.3.1, 37.3.2
    [no] enable                                         Enabled                  37.3.3
    [no] description <STRING>                           Empty                    37.3.4
    [no] type <layer2|layer3>                           layer3                   37.3.5
    [no] peer <ADDRESS|DOMAIN>                          Empty                    37.3.11
Authentication Settings
    [no] certificate                                    Empty                    37.3.12
    [no] ca-certificate                                 Empty                    37.3.13
    [no] tls-auth label <KEY LABEL> [direction <0|1>]   Empty                    37.3.14
    [no] identity <USERNAME> password <PASSWORD>        Disabled                 37.3.16
Data Security Settings
    [no] crypto <aes128-cbc|...>                        aes128-cbc               37.3.17
    [no] auth <sha1|md5>                                sha1                     37.3.18
Additional/Advanced Settings
    [no] protocol <tcp|udp>                             UDP                      37.3.19
    [no] port                                           1194                     37.3.20
    [no] outbound                                       Auto                     37.3.21
    [no] keepalive <interval <SEC> restart <SEC>>       interval 10 restart 60   37.3.22
    [no] compression [adaptive]                         Adaptive                 37.3.23
    [no] renegotiation-timeout <SEC>                    3600                     37.3.24
    [no] pull                                           Enabled                  37.3.28
Show SSL VPN Status
  show tunnel ssl [ID]                                                           37.3.29
See also (Interface and Firewall Settings)
  iface ssl<ID>
    inet <static|dynamic|dhcp>                          Dynamic (SSL)            22.6.1
    Various Interface settings                          ...                      See Sec. 22.6
  ip
    [no] firewall                                       Disabled                 32.3.1
    Various Firewall/NAT settings                       ...                      See Sec. 32.3


37.3.1 Managing SSL VPN Tunnels

Syntax [no] ssl <INDEX>, where INDEX is a number greater than or equal to 0.

Context Tunnel Configuration context

Usage Create, delete, or modify an SSL VPN tunnel. Use "ssl <INDEX>" to create a new SSL tunnel, or to enter the configuration context of an existing SSL tunnel. (To find the index of configured tunnels, use "show tunnel" as described in section 36.3.1.)

Use "no ssl <INDEX>" to remove a specific SSL VPN tunnel, or "no ssl" to remove all configured SSL VPN tunnels.

Use "show ssl <INDEX>" to show all settings of a specific SSL tunnel (also available as the "show" command within the SSL VPN Configuration context).

Note
Tunnels which are not intended to be used should either be deleted or disabled (section 37.3.3).

Default values Not applicable.

37.3.2 Change tunnel mode (Server/Client)

Syntax [no] server

Context SSL VPN Configuration context

Usage Set the tunnel in server or client mode; use "no server" for client mode.

Default values Server

37.3.3 Enable/disable an SSL VPN tunnel

Syntax [no] enable

Context SSL VPN Configuration context

Usage Enable or disable an SSL VPN tunnel. A disabled tunnel is deactivated but keeps its configuration settings.

Use "enable" to enable and "no enable" to disable an SSL VPN tunnel.

Use "show enable" to show whether this SSL VPN tunnel is enabled or disabled.

Note
Tunnels which are not intended to be used should either be deleted (section 37.3.1) or disabled.

Default values Enabled

37.3.4 SSL VPN Description Setting

Syntax [no] description <STRING>

Context SSL VPN Configuration context

Usage Set or remove the SSL VPN description string.

Use "description <STRING>" to set a description for this SSL VPN tunnel.

Use "no description" to remove the current description.

Use quotation marks around the string if you want the description to contain space characters.

To view the current description, use "show description".

Default values Empty.

Example

example:/config/tunnel/ssl-19/#> description secrets

or

example:/config/tunnel/ssl-19/#> description "Office tunnel"

37.3.5 Configure tunnel type

Syntax [no] type <layer2|layer3>

Context SSL VPN Configuration context

Usage Select which type of tunnel you want to use: layer2 (sometimes called bridged) or layer3 (sometimes called routed). "no type" resets the type to layer3.

Default values layer3

37.3.6 Push networks to connecting clients

Syntax [no] push-network <NETWORK/LEN>

Context SSL VPN Configuration context (only valid when server)

Usage This is part of the auto-configuration of the clients: push networks (max 10) to the clients. On the clients these networks are automatically installed as routes via the server, as long as the client has "pull" enabled (section 37.3.28).

Default values Disabled

37.3.7 Configure an address pool

Syntax [no] pool start <IPADDR> <num <NUM> | end <IPADDR>> [netmask NETMASK]

Context SSL VPN Configuration context (only valid when server)

Usage Auto-configure all clients connecting to us. If netmask is omitted, it is set to the default mask for the address class of the start address.

Note
The address of the server interface is left untouched; you will need to configure it manually from the interface context of the ssl interface (Sec. 22.6.1).

Example

example:/config/tunnel/ssl-19/#> pool 192.168.253.2 num 10

Default values Disabled

37.3.8 Manage Common Name bindings

Syntax [no] cn-binding <INDEX>

Context SSL VPN Configuration context (only valid when server)

Usage Create, delete, or modify an SSL Common Name (CN) binding. The CN binding context is used to assign specific settings to the SSL client whose certificate carries the given CN.

Use "cn-binding <INDEX>" to create a new CN binding, or to enter the SSL CN Binding Configuration context of an existing CN binding.

Use "show cn-binding" to find the index of all configured bindings, and use "show cn-binding <INDEX>" to list information about a specific binding.

Use "no cn-binding" to remove all configured bindings, and use "no cn-binding <INDEX>" to remove a specific binding.

Default values Not applicable.

37.3.9 Set Common Name for CN binding

Syntax [no] common-name <STRING>

Context SSL CN Binding Configuration context (only valid when server)

Usage Declare the CN string to match for this binding.

"common-name <STRING>" sets the string to match against the Common Name in the client's X.509 certificate. Max 64 characters. Valid characters are ASCII 32-126, except '/' (ASCII 47). Space (ASCII 32) cannot be used at the start or end of the string.

"no common-name" deletes the common name setting, but without a defined common name the binding configuration is not valid.

Example

alice-server:/config/tunnel/ssl-0/#> cn-binding 1
Creating new CN binding: 1!
alice-server:/config/tunnel/ssl-0/cn-binding-1/#> common-name John Smith
alice-server:/config/tunnel/ssl-0/cn-binding-1/#> address 192.168.5.43/24

Default values Not applicable

37.3.10 Set CN specific IP address

Syntax [no] address <IPADDR/LEN>

Context SSL CN Binding Configuration context (only valid when server)

Usage Declare the IP address and network prefix length to assign to this VPN client.

Use "address <IPADDR/LEN>" to define which IP address and network prefix to assign to the VPN client for this binding.

"no address" deletes the IP address setting, but without a defined IP address the binding configuration is not valid.

Example

alice-server:/config/tunnel/ssl-0/#> cn-binding 1
Creating new CN binding: 1!
alice-server:/config/tunnel/ssl-0/cn-binding-1/#> common-name John Smith
alice-server:/config/tunnel/ssl-0/cn-binding-1/#> address 192.168.5.43/24

Default values Not applicable
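Planning a server's dynamic pool and its CN bindings by hand is error-prone: the pool's implicit classful netmask (section 37.3.7), the CN character rules (section 37.3.9) and the per-client addresses (section 37.3.10) all have to agree. The Python script below is an added example, not code from the Westermo guide. It validates a pool, the CN strings and the bound addresses against the rules stated in those sections and emits the matching CLI lines. The collision and duplicate checks in plan() are this example's own rules, and the tunnel, CN and address values are constructed.

```python
"""Address plan for a WeOS SSL VPN server: dynamic pool plus CN bindings.

Added example; not code from the Westermo guide. Rules taken from the page:
pool (37.3.7) is "start <IPADDR>" with "num <NUM>" or "end <IPADDR>", and an
omitted netmask defaults to the classful mask of the start address; a CN
(37.3.9) is 1-64 characters of ASCII 32-126 without '/', not starting or
ending with a space; a CN binding (37.3.10) assigns <IPADDR/LEN> to a client.
The collision and duplicate checks in plan() are this example's own rules.
"""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


def classful_netmask(addr: ipaddress.IPv4Address) -> ipaddress.IPv4Address:
    """Default mask for the address class (A, B or C) of the start address."""
    first_octet = int(addr) >> 24
    if first_octet < 128:
        return ipaddress.IPv4Address("255.0.0.0")
    if first_octet < 192:
        return ipaddress.IPv4Address("255.255.0.0")
    return ipaddress.IPv4Address("255.255.255.0")


def validate_common_name(cn: str) -> None:
    """Raise ValueError unless cn satisfies the rules of section 37.3.9."""
    if not 1 <= len(cn) <= 64:
        raise ValueError(f"CN must be 1-64 characters: {cn!r}")
    for ch in cn:
        if not 32 <= ord(ch) <= 126 or ch == "/":
            raise ValueError(f"illegal character {ch!r} in CN {cn!r}")
    if cn[0] == " " or cn[-1] == " ":
        raise ValueError(f"CN may not start or end with a space: {cn!r}")


@dataclass
class Pool:
    start: str
    num: Optional[int] = None
    end: Optional[str] = None
    netmask: Optional[str] = None

    def network(self) -> ipaddress.IPv4Network:
        """Subnet the pool lives in (explicit netmask or classful default)."""
        mask = self.netmask or str(classful_netmask(ipaddress.IPv4Address(self.start)))
        return ipaddress.IPv4Network((self.start, mask), strict=False)

    def addresses(self) -> List[ipaddress.IPv4Address]:
        """Every address the server may hand out from this pool."""
        if (self.num is None) == (self.end is None):
            raise ValueError("give exactly one of num or end")
        start = ipaddress.IPv4Address(self.start)
        last = start + (self.num - 1) if self.num is not None else ipaddress.IPv4Address(self.end)
        if last < start or last not in self.network():
            raise ValueError(f"pool {start}-{last} is empty or leaves {self.network()}")
        return [start + i for i in range(int(last) - int(start) + 1)]

    def cli(self) -> str:
        """The pool command in the syntax of section 37.3.7."""
        tail = f"num {self.num}" if self.num is not None else f"end {self.end}"
        mask = f" netmask {self.netmask}" if self.netmask else ""
        return f"pool start {self.start} {tail}{mask}"


@dataclass
class Binding:
    index: int
    common_name: str
    address: str  # IPADDR/LEN, as in section 37.3.10

    def cli(self) -> List[str]:
        """The cn-binding, common-name and address commands for this client."""
        validate_common_name(self.common_name)
        iface = ipaddress.IPv4Interface(self.address)  # rejects a malformed IPADDR/LEN
        return [f"cn-binding {self.index}",
                f"common-name {self.common_name}",
                f"address {iface.with_prefixlen}"]


def plan(pool: Pool, bindings: List[Binding]) -> List[str]:
    """Check the plan for conflicts and return the server's CLI lines."""
    pool_addrs = set(pool.addresses())
    seen_cn, seen_ip, lines = set(), set(), [pool.cli()]
    for b in bindings:
        ip = ipaddress.IPv4Interface(b.address).ip
        if ip in pool_addrs:  # example's own rule: bound addresses stay out of the pool
            raise ValueError(f"{b.address} collides with the dynamic pool")
        if b.common_name in seen_cn or ip in seen_ip:
            raise ValueError(f"duplicate CN or address in binding {b.index}")
        seen_cn.add(b.common_name)
        seen_ip.add(ip)
        lines.extend(b.cli())
    return lines


if __name__ == "__main__":
    # Constructed sample plan: the guide's pool example plus one bound client.
    for line in plan(Pool("192.168.253.2", num=10),
                     [Binding(1, "John Smith", "192.168.253.43/24")]):
        print(line)
```

The emitted pool line follows the Syntax line of section 37.3.7 ("pool start ..."), whereas the guide's own example omits the "start" keyword; adjust cli() if your WeOS release expects the shorter form.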

37.3.11 Change remote peer

Syntax [no] peer <ADDRESS|DOMAIN>

Context SSL VPN Configuration context (only valid when client)

Usage Set the peer (IP address or domain name) for the client to connect to.

Default values Disabled

37.3.12 Select local certificate

Syntax [no] certificate <LABEL>

Context SSL VPN Configuration context

Usage Select the local certificate (and associated private key), i.e., the certificate by which this unit authenticates itself. The "LABEL" is the reference given to the certificate when it was imported to the WeOS unit. The certificate must be signed by the CA certificate set in Section 37.3.13.

Use "show certificate" to show the local certificate setting.

Default values Empty

37.3.13 Select CA certificate

Syntax [no] ca-certificate <LABEL>

Context SSL VPN Configuration context

Usage Select the CA certificate, i.e., the certificate used to verify the certificate presented by the remote peer; the local certificate (Section 37.3.12) must be signed by this CA. The "LABEL" is the reference given to the certificate when it was imported to the WeOS unit. Use "show ca-certificate" to show the CA certificate setting.

Default values Empty

37.3.14 Enable TLS authentication

Syntax [no] tls-auth label <KEY LABEL> [direction <0|1>]

Context SSL VPN Configuration context

Usage Enable TLS authentication. "KEY LABEL" is the label of an OpenVPN key to be used for authentication. The direction is optional; if it is not set, the key is used in both directions (bi-directionally).

Default values Empty (disabled)

37.3.15 Configure AAA remote authentication

Syntax [no] aaa-method <remote-server | server-group | local> <ID>

Context SSL VPN Configuration context

Usage Require an extra authentication step after the certificate exchange. This requires that a remote-server, server-group or local user database has first been created in the AAA context (Section 9.3).

Example

example:/config/tunnel/ssl-19/#> aaa-method local 1

or

example:/config/tunnel/ssl-19/#> aaa-method remote-server 1

Default values Disabled

37.3.16 Configure authentication identity

Syntax [no] identity <USERNAME> password <PASSWORD>

Context SSL VPN Configuration context (only valid when client)

Usage This is only required if the server is configured to require an extra authentication layer after the certificate exchange (Section 37.3.15).

Example

example:/config/tunnel/ssl-19/#> identity user1 password secrets

Default values Disabled

37.3.17 Change cryptographic cipher

Syntax [no] crypto <bf-cbc|des-ede3-cbc|aes128-cbc|aes192-cbc|aes256-cbc>

Context SSL VPN Configuration context

Usage Set the cipher to use; it must match on both the client and the server. "no crypto" disables all encryption: all traffic will pass over the tunnel unencrypted.

Default values aes128-cbc

37.3.18 Change authentication hash

Syntax [no] auth <sha1|md5>

Context SSL VPN Configuration context

Usage Authenticate packets with an HMAC using the selected message digest. Use "no auth" to disable the authentication hash.

Default values sha1

37.3.19 Configure protocol

Syntax [no] protocol <tcp|udp>

Context SSL VPN Configuration context

Usage Select the protocol to encapsulate the traffic in.

Default values UDP

37.3.20 Configure port

Syntax [no] port <PORT>

Context SSL VPN Configuration context

Usage In client mode, this selects the port to connect to on the server; in server mode, this selects which port to listen on for incoming connections.

Note
A neat function when using SSL VPN is to listen on TCP (Section 37.3.19) port 443; this allows the tunnel to pass almost all firewalls, since the traffic will look like HTTPS. To achieve this in server mode you will have to move HTTPS on the WeOS unit to a separate port; see Section 8.3.19.

Default values 1194

37.3.21 Configure Outbound Interface

Syntax [no] outbound <IFACE>

Context SSL VPN Configuration context

Usage Set the outbound interface of this tunnel.

Use "no outbound" to automatically select the interface leading to the default gateway as outbound interface.

Use "show outbound" to show the configured outbound interface for this tunnel. "Default Gateway" is shown if the interface leading to the default gateway is to be used as outbound interface.

Default values Auto ("no outbound")

37.3.22 Change keepalive settings

Syntax [no] keepalive <interval <SEC> restart <SEC>>

Context SSL VPN Configuration context

Usage Send keepalive probes over the tunnel to make sure that stateful firewalls get updated as expected; probes are only sent as long as there is no traffic on the tunnel.

- interval - The interval at which probes are sent when there is no traffic on the tunnel.
- restart - Force a restart of the ping probe; this also forces a reload of DNS, for example, which is very useful when dealing with DynDNS (section 22.3.3).

Note: In server mode, these settings will also be pushed to the clients; if "pull" is enabled in the clients, they will not need to configure keepalive settings.

Use "show keepalive" to view the current keepalive settings.

Default values interval 10 restart 60

37.3.23 Configure compression settings

Syntax [no] compression [adaptive]

Context SSL VPN Configuration context

Usage Toggle compression settings; "no compression" disables all compression. With "compression adaptive", SSL VPN tries to find out whether the traffic is already encrypted (and therefore incompressible) and compresses it only if it is not. This has a performance penalty if all traffic is already encrypted. This setting must match on client and server for traffic to pass. In server mode, this setting will also be pushed to the clients.

Default values Adaptive

37.3.24 Change renegotiation timeout

Syntax [no] renegotiation-timeout <SECONDS>

Context SSL VPN Configuration context

Usage Set the renegotiation time for the data channel. It can be set on both the client and the server; if so, the lowest value is used. To disable renegotiation, use "no renegotiation-timeout" on both ends.

Default values 3600 seconds

37.3.25 Change client to client communication

Syntax [no] client-to-client

Context SSL VPN Configuration context (only valid when server)

Usage If enabled, all clients will be able to communicate with each other.

Note
This traffic is not passed through the normal network stack, so firewall rules cannot be applied to it. If you want to be able to set firewall rules per client, you have to create multiple server instances and route between the instances.

Default values Disabled

37.3.26 Allow/deny clients with the same CN

Syntax [no] duplicate-cn

Context SSL VPN Configuration context (only valid when server)

Usage The normal behaviour is to deny clients which connect with a CN (common name) that is already connected. Enabling this setting will allow the second connection.

Note
This is a serious security risk; use it only if you know what you are doing, and combine it with an aaa-method (Section 37.3.15).

Default values Disabled
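Several of the settings in this section weaken a tunnel when set carelessly: "no crypto" (section 37.3.17) sends traffic in the clear, "no auth" (37.3.18) drops packet authentication, client-to-client (37.3.25) bypasses the firewall, duplicate-cn (37.3.26) should only be used together with an aaa-method, "no max-clients" (37.3.27) removes the client limit, and listening on TCP 443 (37.3.20) requires moving the unit's HTTPS port. The Python linter below is an added example, not code from the Westermo guide: it reads tunnel settings written in the command syntax of this section and reports those conditions. The saved-configuration layout it assumes (every line after "ssl <INDEX>" belongs to that tunnel until the next "ssl" line) and the sample configuration are constructed, and the two findings about legacy ciphers and md5 are the example's own assessment rather than statements made by the guide.

```python
"""Lint saved WeOS SSL VPN tunnel settings for the risks section 37.3 calls out.

Added example, not code from the Westermo guide. Assumed saved-config layout:
each "ssl <INDEX>" line opens a tunnel and the following lines, up to the
next "ssl" line, belong to it. The sample configuration is constructed.
"""
import re
from typing import Dict, List, Optional, Tuple

# Defaults as listed in the section 37.3 command tables.
DEFAULTS: Dict[str, object] = {
    "server": True, "enable": True, "crypto": "aes128-cbc", "auth": "sha1",
    "protocol": "udp", "port": 1194, "max-clients": 25,
    "duplicate-cn": False, "client-to-client": False, "aaa-method": None,
    "certificate": None, "ca-certificate": None,
}
# Value after "no <setting>": flags become False, others "not set" (None);
# "no max-clients" means unlimited (0), see section 37.3.27.
NEGATED = {k: (False if isinstance(v, bool) else None) for k, v in DEFAULTS.items()}
NEGATED["max-clients"] = 0


def parse_tunnels(config_text: str) -> Dict[int, Dict[str, object]]:
    """Collect every ssl tunnel's settings, starting from the defaults."""
    tunnels: Dict[int, Dict[str, object]] = {}
    current: Optional[Dict[str, object]] = None
    for raw in config_text.splitlines():
        line = raw.strip()
        match = re.fullmatch(r"ssl (\d+)", line)
        if match:
            current = dict(DEFAULTS)
            tunnels[int(match.group(1))] = current
            continue
        if not line or current is None:
            continue  # blank lines, and lines outside an ssl context ("tunnel")
        negate = line.startswith("no ")
        words = line[3:].split() if negate else line.split()
        key, args = words[0], words[1:]
        if key not in DEFAULTS:
            continue  # settings this lint does not judge (description, peer, ...)
        if negate:
            current[key] = NEGATED[key]
        elif isinstance(DEFAULTS[key], bool):
            current[key] = True
        elif key in ("port", "max-clients"):
            current[key] = int(args[0])
        else:
            current[key] = " ".join(args)
    return tunnels


def lint(t: Dict[str, object]) -> List[Tuple[str, str]]:
    """(code, message) findings for one tunnel; section numbers refer to this guide."""
    found: List[Tuple[str, str]] = []
    if t["crypto"] is None:
        found.append(("NO_CRYPTO", "'no crypto': all tunnel traffic passes unencrypted (37.3.17)"))
    elif t["crypto"] in ("bf-cbc", "des-ede3-cbc"):  # example's own assessment, not the guide's
        found.append(("LEGACY_CIPHER", f"{t['crypto']} is a 64-bit block cipher; prefer an AES option"))
    if t["auth"] is None:
        found.append(("NO_AUTH", "'no auth': packets are not HMAC-authenticated (37.3.18)"))
    elif t["auth"] == "md5":  # example's own assessment, not the guide's
        found.append(("WEAK_AUTH", "md5 is a deprecated digest; prefer sha1"))
    if t["server"]:
        if t["duplicate-cn"] and t["aaa-method"] is None:
            found.append(("DUPLICATE_CN_NO_AAA", "duplicate-cn without aaa-method, a serious risk (37.3.26)"))
        if t["client-to-client"]:
            found.append(("CLIENT_TO_CLIENT", "client-to-client traffic bypasses the firewall (37.3.25)"))
        if t["max-clients"] == 0:
            found.append(("UNLIMITED_CLIENTS", "no limit on simultaneous clients (37.3.27)"))
        if t["protocol"] == "tcp" and t["port"] == 443:
            found.append(("HTTPS_PORT", "TCP 443 requires moving WeOS HTTPS to another port (37.3.20)"))
    if t["enable"] and (t["certificate"] is None or t["ca-certificate"] is None):
        found.append(("NO_CERTIFICATE", "enabled tunnel without local and CA certificate (37.3.12-13)"))
    return found


def lint_config(config_text: str) -> Dict[int, List[str]]:
    """Finding codes per tunnel index for a whole saved configuration."""
    return {i: [code for code, _ in lint(t)] for i, t in parse_tunnels(config_text).items()}


# Constructed sample: three tunnels written in the command syntax of section 37.3.
SAMPLE_CONFIG = """
tunnel
ssl 0
server
certificate office-cert
ca-certificate office-ca
protocol tcp
port 443
crypto aes256-cbc
duplicate-cn
client-to-client
no max-clients
ssl 1
server
certificate office-cert
ca-certificate office-ca
aaa-method local 1
duplicate-cn
ssl 2
no server
peer vpn.example.com
no crypto
auth md5
"""

if __name__ == "__main__":
    for idx, settings in parse_tunnels(SAMPLE_CONFIG).items():
        for code, message in lint(settings):
            print(f"ssl {idx}: {code}: {message}")
```

On the sample, ssl 0 is reported for duplicate-cn without an aaa-method, client-to-client, the unlimited client count and the TCP 443 listener; ssl 1 is clean because its duplicate-cn is combined with "aaa-method local 1"; ssl 2 is reported for "no crypto", md5 and the missing certificates.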

37.3.27 Limit number of simultaneous clients

Syntax [no] max-clients <NUM>

Context SSL VPN Configuration context (only valid when server)

Usage Use "max-clients <NUM>" to define how many clients are allowed to connect to the server simultaneously. When this number is reached, the server rejects further incoming requests.

"no max-clients" (or "max-clients 0") means unlimited.

Use "show max-clients" to show the current setting.

Note
The "max-clients" setting defines the maximum number of clients allowed to connect simultaneously. The exact number of connections the server can handle may be further limited for performance reasons, as it depends on the platform of your product (section 1.5), the traffic load of the established tunnels, and the configuration of your unit.

Default values 25

37.3.28 Change pull settings

Syntax [no] pull

Context SSL VPN Configuration context (only valid when client)

Usage In client mode the client may receive routes and an IP address from the server. With "no pull", all settings the server tries to push are discarded.

Default values Enabled

37.3.29 Show SSL Tunnel Status

Syntax show tunnel ssl [ID]

Context Admin Exec context.

Usage Show the status of all SSL tunnels, or of a specific one.

Default values If no tunnel ID is specified, the status of all SSL tunnels is shown.
