HP 5500 Ei 5500 Si Switch Series Configuration Guide
Have a look at the manual HP 5500 Ei 5500 Si Switch Series Configuration Guide online for free. It’s possible to download the document as PDF or print. UserManuals.tech offer 1114 HP manuals and user’s guides for free. Share the user manual or guide on Facebook, Twitter or Google+.
![Page 1948
283
[SwitchA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abc\
defg
[SwitchA-ipsec-policy-manual-policy001-10] quit
# Apply IPsec policy policy001 to the RIPng process.
[SwitchA] ripng 1
[SwitchA-ripng-1] enable ipsec-policy policy001
[SwitchA-ripng-1] quit
2. Configure Switch B
# Assign an IPv6 address to each interface. (Details not shown.)
# Create a RIPng process and enable it on VLAN-interface 100 and VLAN-interface 200.
system-view
[SwitchB] ripng 1
[SwitchB-ripng-1]...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-1947.png "Page 1948
283
[SwitchA-ipsec-policy-manual-policy001-10] sa string-key inbound esp abc\
defg
[SwitchA-ipsec-policy-manual-policy001-10] quit
# Apply IPsec policy policy001 to the RIPng process.
[SwitchA] ripng 1
[SwitchA-ripng-1] enable ipsec-policy policy001
[SwitchA-ripng-1] quit
2. Configure Switch B
# Assign an IPv6 address to each interface. (Details not shown.)
# Create a RIPng process and enable it on VLAN-interface 100 and VLAN-interface 200.
system-view
[SwitchB] ripng 1
[SwitchB-ripng-1]...")
![Page 1949
284
[SwitchC-ripng-1] quit
[SwitchC] interface vlan-interface 200
[SwitchC-Vlan-interface200] ripng 1 enable
[SwitchC-Vlan-interface200] quit
# Create an IPsec proposal named tran1, and set the encapsulation mo de to transport mode, the
security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to
SHA1-HMAC-96.
[SwitchC] ipsec proposal tran1
[SwitchC-ipsec-proposal-tran1] encapsulation-mode transport
[SwitchC-ipsec-proposal-tran1] transform esp...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-1948.png "Page 1949
284
[SwitchC-ripng-1] quit
[SwitchC] interface vlan-interface 200
[SwitchC-Vlan-interface200] ripng 1 enable
[SwitchC-Vlan-interface200] quit
# Create an IPsec proposal named tran1, and set the encapsulation mo de to transport mode, the
security protocol to ESP, the encryption algorithm to DES, and authentication algorithm to
SHA1-HMAC-96.
[SwitchC] ipsec proposal tran1
[SwitchC-ipsec-proposal-tran1] encapsulation-mode transport
[SwitchC-ipsec-proposal-tran1] transform esp...")
![Page 1950
285
Using the display ipsec sa command on Switch A, you will s ee the information about the inbound
and outbound SAs.
display ipsec sa
===============================
Protocol: RIPng
===============================
-----------------------------
IPsec policy name: policy001
sequence number: 10
mode: manual
-----------------------------
connection id: 1
encapsulation mode: transport
perfect forward secrecy:
tunnel:
flow:
[inbound ESP SAs]
spi:...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-1949.png "Page 1950
285
Using the display ipsec sa command on Switch A, you will s ee the information about the inbound
and outbound SAs.
display ipsec sa
===============================
Protocol: RIPng
===============================
-----------------------------
IPsec policy name: policy001
sequence number: 10
mode: manual
-----------------------------
connection id: 1
encapsulation mode: transport
perfect forward secrecy:
tunnel:
flow:
[inbound ESP SAs]
spi:...")
![Page 1956
291
Configuration procedure
To configure the protocols for a user interface to support:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enter user interface view of
one or more user interfaces. user-interface
vty number
[ ending-number ] N/A
3.
Set the login authentication
mode to scheme. authentication-mode
scheme By default, the authentication
mode is
password .
4. Configure the user interface(s)
to support SSH login. protocol inbound
{ all | ssh }...](http://img.usermanuals.tech/thumb/36/58909/w64_hp-5500-ei-5500-si-switch-series-configuration-guide-1955.png "Page 1956
291
Configuration procedure
To configure the protocols for a user interface to support:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enter user interface view of
one or more user interfaces. user-interface
vty number
[ ending-number ] N/A
3.
Set the login authentication
mode to scheme. authentication-mode
scheme By default, the authentication
mode is
password .
4. Configure the user interface(s)
to support SSH login. protocol inbound
{ all | ssh }...")
286 Configuring SSH2.0 Overview Introduction to SSH2.0 Secure Shell (SSH) offers an approach to logging in to a remote device securely. Using encryption and strong authentication, SSH protects devices against attacks such as IP spoofing and plain text password interception. The swi tch c an not only work as an SSH ser ver to suppor t c onnections wi th SSH cl ients, but al so work as an SSH client to allow users to establish SSH connections with a remote device acting as the SSH server. Unless otherwise noted, SSH in this document refers to SSH2.0. NOTE: When acting as an SSH server, the switch supports SSH2.0 and SSH1. When acting as an SSH client, the switch supports SSH2.0 only. SSH operation To establish an SSH connection and communicate with each other through the connection, an SSH client and the SSH server go through the stages listed in Tabl e 14. Table 14 Stages in session establish ment and interact ion between an SSH client and the server Sta ges Description Version negotiation SSH1 and SSH2.0 are supported. The tw o parties negotiate a version to use. Key and algorithm negotiation SSH supports multiple algorithms. The two parties negotiate algorithms for communication, and use the DH key exchange algorithm to generate the same session key and session ID. Authentication The SSH server authenticates the client in response to the client’s authentication request. Session request After passing authentication, the client sends a session request to the server. Interaction After the server grants the request, the client and the server start to communicate with each other. Version negotiation 1. The server opens port 22 to listen to connection requests from clients. 2. The client sends a TCP connection request to the server. 3. After the TCP connection is established, the server sends a packet that carries a version information string to the client. The version information string is in the format SSH-.- . The primary and
287 secondary protocol version numbers constitute the protocol version number. The software version number is used for debugging. 4. After receiving the packet, the client resolves the packet and compares the server’s protocol version number with that of its own. If the serv er’s protocol version is lower and supportable, the client uses the protocol version of the server; otherw ise, the client uses its own protocol version. In either case, the client sends a packet to the server to notify the server of the protocol version that it decides to use. 5. The server compares the version number carried in the packet with that of its own. If the server supports the version, the negotiat ion succeeds and the server and th e client proceed with key and algorithm negotiation. Otherwise, the negotiation fails, and the server breaks the TCP connection. NOTE: All the packets involved in the precedin g steps are transferred in plain text. Key and algorithm negotiation IMPORTANT: Before the key and algorithm negotiation, the server must have already generated a DSA or RSA key pair, which is used in generating the session key and session ID, and by the clie nt to authenticate the identity of the server. For more information about DSA and RSA key pairs, see Managing public keys. The server and the client send algorithm negotiation packets to each other, notifying the peer of the supported public key algorithms, encryption al gorithms, Message Authentication Code (MAC) algorithms, and compression algorithms. Based on the received algorithm negotiation packets, the server and the client figure out the algorithms to be used. If the negotiation of any type of algorith m fails, the algorithm negotiation fails and the server tears down the connection with the client. The server and the client use the DH key exchange algorithm and parameters such as the host key pair to generate the session key and session ID, and the client authenticates the identity of the server. Through the steps, the server and the client get the same session key and session ID. The session key will be used to encrypt and decrypt data exchanged between the server and client later. The session ID will be used to identify the session established between the server and client and will be used in the authentication stage. Authentication SSH supports the following authentication methods: • Password authentication —The SSH server uses AAA for authentication of the client. During password authentication, the SSH client encrypts its username and password, encapsulates them into a password authentication request, and sends the request to the server. After receiving the request, the SSH server decrypts the username and password, checks the validity of the username and password locally or by a remote AAA server, and then informs the client of the authentication result. If the remote AAA server requires the user for a password re -authentication, it carries a prompt in the authentication response sent to the client. The prompt is transparently transmitted to the client, and displayed on the client to notify th e user to enter a specified password. After the user enters the correct password and passes validity ch eck on the remote AAA server, the server returns an authentication success message to the client. • Publickey authentication—The server authenticates the client by the digital signature. During publickey authentication, the client sends the server a publickey authentication request that contains
288 its username, public key, and publickey algorithm information. The server checks whether the public key is valid. If the public key is invalid, the authentication fails. Otherwise, the server authenticates the client by the digital signature. Finally, the server sends a message to the client to inform it of the authentication result. The switch supports using the publickey algorithms RSA and DSA for digital signature. An SSH2.0 server might require the client to pass both password authentication and publickey authentication or either of them. However, if the client is running SSH1, the client only needs to pass either authentication, regardless of the requirement of the server. The following gives the steps of the authentication stage: 1. The client sends the server an authentication requ est that includes the username, the authentication method, and the information related to the authen tication method (for example, the password in the case of password authentication). 2. The server authenticates the client. If the authentica tion fails, the server sends the client a message to inform the client of the failure and th e methods available for re-authentication. 3. The client selects a method from the li st to initiate another authentication. 4. The preceding process repeats until the authen tication succeeds or the number of failed authentication attempts exceeds the maximum of authentication attempts. In the latter case, the server tears the session down. NOTE: Only clients running SSH2.0 or a later version support password re-authentication that is initiated by the switch acting as the SSH server. Session request After passing authentication, the client sends a session request to the server, and the server listens to and processes the request from the client. If the server successfully processes the request, the server sends an SSH_SMSG_SUCCESS packet to the client and goes on to the interaction stage with the client. Otherwise, the server sends an SSH_SMSG_FAILURE packet to the client to indicate that the processing has failed or it cannot resolve the request. Interaction In this stage, the server and the client exchanges data as follows: 1. The client encrypts and sends the command to be executed to the server. 2. The server decrypts and executes the command, an d then encrypts and sends the result to the client. 3. The client decrypts and displays the result on the terminal. In the interaction stage, you can execute commands from the client by pasting the commands in text format (the text must be within 2000 bytes). The commands must be available in the same view. Otherwise, the server might not be able to perform the commands correctly. If the command text exceeds 2000 bytes, you can execute the commands by saving the text as a configuration file, uploading the configuration file to the server through Secure FTP (SFTP), and then using the configuration file to restart the server.
289 SSH connection across VPNs (available only on the HP 5500 EI) With this function, you can configure the device as an SSH client to establish connections with SSH servers in different VPNs. As shown in Figure 100, the ho sts in VPN 1 and VPN 2 access the MPLS backbone through PEs, with the s e r v i c e s o f t h e t w o V P N s i s o l a t e d . A f t e r a n H P 55 0 0 E I sw i t c h t h a t a c t s a s a n M C E d e v i c e i s e n a b l e d w i t h the SSH client function, it can establish SSH connections with CEs in different VPNs that are enabled with the SSH server function to implement secure access to the CEs and secure transfer of log file. Figure 100 Network diagram For more information about MCE, see Layer 3—IP Routing Configuration Guide. Configuring the switch as an SSH server SSH server configuration task list Task Remarks Generating DSA or RSA key pairs Required Enabling the SSH server function Required Configuring the user interfaces for SSH clients Required Configuring a client public key Required for publickey authentication users and optional for password authentication users Configuring an SSH user Optional Setting the SSH management parameters Optional Setting the DSCP value for packets sent by the SSH server Optional Generating DSA or RSA key pairs In the key and algorithm negotiatio n stage, the DSA or RSA key pairs are used to generate the session key and session ID and for the client to authenticate the server.
290
To support SSH clients that use different types of key pairs, generate both DSA and RSA key pairs on the
SSH ser ver.
Generating procedure
To generate DSA or RSA key pairs on the SSH server:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Generate DSA or RSA key
pairs. public-key local create
{ dsa | rsa } By default, neither DSA nor RSA
key pairs exist.
Commands for generating DSA or RSA key pairs
The public-key local create rsa command generates a server RSA key pair and a host RSA key pair. Each
of the key pairs consists of a public key and a private key. The public key in the server key pair of the SSH
server is used in SSH1 to encrypt the session key for secure transmission of the key. As SSH2.0 uses the
DH algorithm to generate the session key on the SSH server and client, no session key transmission is
required in SSH2.0 and the server key pair is not used.
The length of the modulus of RSA server keys and host keys must be in the range of 512 to 2048 bits.
Some SSH2.0 clients require that the length of the key modulus be at least 768 bits on the SSH server
side.
The public-key local create dsa command generates only the host key pair. SSH1 does not support the
DSA algorithm.
T h e l e n g t h o f t h e m o d u l u s o f D S A h o s t k e y s m u s t b e i n t h e r a n g e o f 512 t o 2 0 4 8 b i t s . S o m e S S H 2. 0 c l i e n t s
require that the length of the key modulus be at least 768 bits on the SSH server side.
For more information about the public-key local create command, see Security Command Reference.
Enabling the SSH server function
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enable the SSH server
function. ssh server enable
Disabled by default
Configuring the user interfaces for SSH clients
Configuration guidelines
An SSH client accesses the switch through a VTY user interface. You must configure the user interfaces for
SSH clients to allow SSH login. The configuration takes effect only for clients that log in after the
configuration.
If you configure a user interface to support SSH, be sure to configure the corresponding authentication
mode with the authentication-mode scheme command.
For a user interface configured to support SSH, you cannot change the authentication mode. To change
the authentication mode, undo the SSH support configuration first.
291
Configuration procedure
To configure the protocols for a user interface to support:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enter user interface view of
one or more user interfaces. user-interface
vty number
[ ending-number ] N/A
3.
Set the login authentication
mode to scheme. authentication-mode
scheme By default, the authentication
mode is
password .
4. Configure the user interface(s)
to support SSH login. protocol inbound
{ all | ssh } Optional.
All protocols are supported by
default.
For more information about the
authentication-mode and protocol inbound commands, see
Fundamentals Command Reference.
Configuring a client public key
This configuration task is only necessary for SSH users using publickey authentication.
To allow an SSH user to pass publickey authentication and log in to the server, you must configure the
client’s DSA or RSA host public key on the server, and configure the client to use the corresponding host
private key, so that the server uses the digital signature to authenticate the client.
You can manually configure the public key of an SSH client on the server, or import it from the public key
file:
• Configure it manually—You can type or copy the public key to the SSH server. The public key must
have not been converted and be in the Distin guished Encoding Rules (DER) encoding format.
• Import it from the public key file —During the import process, the server will automatically convert
the public key in the public key file to a string in Public Key Cryptography Standards (PKCS) format,
and save it locally. Before importing the public key, you must upload the public key file (in binary)
to the server through FTP or TFTP.
NOTE:
HP recommends you to configure a client public key by importing it from a public key file.
Configuring a client public key manually
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enter public key view.
public-key peer keyname N/A
3. Enter public key code view.
public-key-code begin N/A
4. Configure a clients host
public key. Enter the content of the host public
key Spaces and carriage returns are
allowed between characters.
5.
Return to public key view and
save the configured host
public key. public-key-code end When you exit public key code
view, the system automatically
saves the public key.
292
Step Command Remarks
6. Return to system view.
peer-public-key end N/A
Importing a client public key from a public key file
Step Command
1. Enter system view.
system-view
2. Import the public key from a public key file.
public-key peer keyname import sshkey filename
For more information about client public key configuration, see Managing public keys.
Configuring an SSH user
To configure an SSH user that uses publickey authentication, you must perform the procedure in this
section.
To configure an SSH user that uses password authentication, whether together with publickey
authentication or not, you must configure a local user account by using the local-user command in
Configuring AAA
for local authentication, or configure an SSH user account on an authentication
server, for example, a RADIUS server, for remote authentication.
For password-only SSH users, you do not need to perform the procedure in this section to configure them
unless you want to use the display ssh user-information command to display all SSH users, including the
password-only SSH users, for centralized management.
Configuration guidelines
When you perform the procedure in this section to configure an SSH user, follow these guidelines:
You can set the service type to Stelnet, SFTP, and SC P (Secure copy). For more information about Stelnet,
see Overview . F
or more information about SFTP, see Configuring SFTP. F or more information about
SCP, see Configuring SCP .
• You can enable one of the following authentication modes for the SSH user:
{ Password —The user must pass password authentication.
{ Publickey authentication —The user must pass publickey authentication.
{ Password-publickey authentication —As an SSH2.0 user, the user must pass both password and
publickey authentication. As an SSH1 user, the user must pass either password or publickey
authentication.
{ Any—The user can use either password authentication or publickey authentication.
• If publickey authentication, whether with password authentication or not, is used, the command
level accessible to the user is set by the user privilege level command on the user interface. If only
password authentication is used, the command level accessible to the user is authorized by AAA.
• SSH1 does not support SCP and SFTP. For an SSH1 client, you must set the service type to stelnet
or all.
• For an SCP or SFTP user, the working folder depends on the authentication method:
{ If only password authentication is used, the working folder is authorized by AAA.
{ If publickey authentication, whether with password authentication or not, is used, the working
folder is set by using the ssh user command.
293
• If you change the authentication mode or public key for an SSH user that has been logged in, the
change can take effect only at the next login of the user.
Configuration procedure
To configure an SSH user and specify the service type and authentication method:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Create an SSH user, and
specify the service type and
authentication method.
• For Stelnet users:
ssh user username service-type
stelnet authentication-type
{ password | { any |
password-publickey |
publickey } assign publickey
keyname }
• For all users, SCP or SFTP users:
ssh user username service-type
{ all | scp | sftp }
authentication-type { password
| { any | password-publickey
| publickey } assign publickey
keyname work-directory
directory-name } Use either command.
Setting the SSH management parameters
SSH management includes:
•
Enabling the SSH server to be compatible with SSH1 client
• Setting the RSA server key pair update interval, applicable to users using SSH1 client
• Setting the SSH user authentication timeout period
• Setting the maximum number of SSH authentication attempts
Setting these parameters can help avoid malicious guessing at and cracking of the keys and usernames,
securing your SSH connections.
IMPORTANT:
Authentication fails if the number of authentication
attempts (including both publickey and password
authentication) exceeds that specified in the ssh server authentication-retries command.
To set the SSH management parameters:
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enable the SSH server to
support SSH1 clients. ssh server compatible-ssh1x
[
enable ] Optional.
By default, the SSH server supports
SSH1 clients.
294 Step Command Remarks 3. Set the RSA server key pair update interval. ssh server rekey-interval hours Optional. By default, the interval is 0, and the RSA server key pair is not updated. 4. Set the SSH user authentication timeout period. ssh server authentication-timeout time-out-value Optional. 60 seconds by default. 5. Set the maximum number of SSH authentication attempts. ssh server authentication-retries times Optional. 3 by default. Setting the DSCP value for packets sent by the SSH server Step Command Remarks 1. Enter system view. system-view N/A 2. Set the DSCP value for packets sent by the SSH server. • Set the DSCP value for packets sent by the IPv4 SSH server: ssh server dscp dscp-value • Set the DSCP value for packets sent by the IPv6 SSH server: ssh server ipv6 dscp dscp-value Optional. By default, the DSCP value is 16 in packets sent by the IPv4 SSH server and is 0 in packets sent by the IPv6 SSH server. Configuring the switch as an SSH client SSH client configuration task list Task Remarks Specifying a source IP address/interface for the SSH client Optional Configuring whether first-time authentication is supported Optional Establishing a connection between the SSH client and server Required Setting the DSCP value for packets sent by the SSH client Optional Specifying a source IP address/interface for the SSH client This configuration task allows you to specify a source IP address or interface for the client to access the SSH server, improving service manageability. To specify a source IP address or interface for the client: Step Command Remarks 1. Enter system view. system-view N/A
295
Step Command Remarks
2. Specify a source IP
address or interface for
the SSH client.
• Specify a source IPv4 address or interface for the
SSH client:
ssh client source { ip ip-address | interface
interface-type interface-number }
• Specify a source IPv6 address or interface for the
SSH client:
ssh client ipv6 source { ipv6 ipv6-address |
interface interface-type interface-number } Select either approach.
B y d e f a u l t , a n S S H c l i e n t
uses the IP address of
the outbound interface
defined by the route to
the SSH server to access
the SSH server.
Configuring whether first-time authentication is supported
When the switch acts as an SSH client and connects to the SSH server, you can configure whether the
switch supports first-time authentication.
•
With first-time authentication, when an SSH client not configured with the server host public key
accesses the server for the first time, the user can continue accessing the server, and save the host
public key on the client. When accessing the server again, the client will use the saved server host
public key to authenticate the server.
• Without first-time authentication, a client not configured with the server host public key will refuse to
access the server. To enable the client to access the server, you must configure the server host public
key and specify the public key name for authentication on the client in advance.
Enabling the switch to support first-time authentication
Step Command Remarks
1. Enter system view.
system-view N/A
2. Enable the switch to support
first-time authentication. ssh client first-time
[ enable ] Optional.
By default, first-time authentication
is supported on a client.
Disabling first-time authentication
For successful authentication of an SSH client not supporting first-time authentication, the server host
public key must be configured on the client and the public key name must be specified.
To disable first-time authentication:
Step Command Remarks
1.
Enter system view.
system-view N/A
2. Disable first-time
authentication support. undo ssh client first-time By default, first-time authentication
is supported on a client.
3.
Configure the server host
public key. See
Configuring a client public
key T
he method for configuring the
server host public key on the client
is similar to that for configuring
client public key on the server.
4. Specify the host public key
name of the server. ssh client
authentication server
server assign publickey keyname N/A