CONFIG Commands
Internet Key Exchange (IKE) Settings
The following four IPsec parameters configure the rekeying event.
set security ipsec tunnels name "123" IKE-mode ipsec-soft-mbytes (1000) {1-1000000}
set security ipsec tunnels name "123" IKE-mode ipsec-soft-seconds (82800) {60-1000000}
set security ipsec tunnels name "123" IKE-mode ipsec-hard-mbytes (1200) {1-1000000}
set security ipsec tunnels name "123" IKE-mode ipsec-hard-seconds (86400) {60-1000000}
The soft parameters designate when the system begins to negotiate a new key. For
example, after 82800 seconds (23 hours) or 1 Gbyte has been transferred (whichever
comes first) the key will begin to be renegotiated.
The hard parameters indicate that the renegotiation must be complete or the tunnel will
be disabled. For example, 86400 seconds (24 hours) means that the renegotiation
must be complete within one day.
Both ends of the tunnel set parameters, and typically they will be the same. If they are not
the same, the rekey event will happen when the longest time period expires or when the
largest amount of data has been sent.
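An added example, not from the Netopia manual: a small Python check for the four rekey parameters that enforces the documented ranges, requires each soft limit to fall below its hard limit (so the new negotiation can finish before the tunnel is disabled), applies the manual's rule for mismatched ends (longest period / largest volume), and renders the CONFIG lines. The tunnel name "123" and the endpoint values used are constructed.

```python
from dataclasses import dataclass

# Documented value ranges for the four rekey parameters.
SECONDS_RANGE = (60, 1_000_000)
MBYTES_RANGE = (1, 1_000_000)

@dataclass(frozen=True)
class RekeyParams:
    soft_mbytes: int
    soft_seconds: int
    hard_mbytes: int
    hard_seconds: int

# The manual's defaults: 1000 MB / 23 h soft, 1200 MB / 24 h hard.
DEFAULTS = RekeyParams(1000, 82800, 1200, 86400)

def validate(p: RekeyParams) -> list:
    """Return the problems found; an empty list means the settings are sane."""
    problems = []
    for name, val, (lo, hi) in (
        ("ipsec-soft-mbytes", p.soft_mbytes, MBYTES_RANGE),
        ("ipsec-hard-mbytes", p.hard_mbytes, MBYTES_RANGE),
        ("ipsec-soft-seconds", p.soft_seconds, SECONDS_RANGE),
        ("ipsec-hard-seconds", p.hard_seconds, SECONDS_RANGE),
    ):
        if not lo <= val <= hi:
            problems.append(f"{name}={val} outside {lo}-{hi}")
    # The soft limit must fire first, leaving time to finish the new
    # negotiation before the hard limit disables the tunnel.
    if p.soft_seconds >= p.hard_seconds:
        problems.append("soft-seconds must be below hard-seconds")
    if p.soft_mbytes >= p.hard_mbytes:
        problems.append("soft-mbytes must be below hard-mbytes")
    return problems

def effective_rekey(a: RekeyParams, b: RekeyParams) -> RekeyParams:
    """Manual's rule for mismatched ends: the longer period / larger volume wins."""
    return RekeyParams(max(a.soft_mbytes, b.soft_mbytes), max(a.soft_seconds, b.soft_seconds),
                       max(a.hard_mbytes, b.hard_mbytes), max(a.hard_seconds, b.hard_seconds))

def commands(tunnel: str, p: RekeyParams) -> list:
    """Render the four CONFIG lines for one tunnel end (constructed tunnel name)."""
    base = f'set security ipsec tunnels name "{tunnel}" IKE-mode '
    return [base + f"ipsec-soft-mbytes {p.soft_mbytes}", base + f"ipsec-soft-seconds {p.soft_seconds}",
            base + f"ipsec-hard-mbytes {p.hard_mbytes}", base + f"ipsec-hard-seconds {p.hard_seconds}"]
```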
Stateful Inspection
Stateful inspection options are accessed by the security state-insp tag.
set security state-insp [ ip-ppp | dsl ] vcc n option [ off | on ]
set security state-insp ethernet [ A | B ] option [ off | on ]
Sets the stateful inspection option off or on on the specified interface. This option is
disabled by default. Stateful inspection prevents unsolicited inbound access when NAT is
disabled.
set security state-insp [ ip-ppp | dsl ] vcc n default-mapping [ off | on ]
set security state-insp ethernet [ A | B ] default-mapping [ off | on ]
Sets stateful inspection default mapping to router option off or on on the specified
interface.
set security state-insp [ ip-ppp | dsl ] vcc n tcp-seq-diff [ 0 - 65535 ]
set security state-insp ethernet [ A | B ] tcp-seq-diff [ 0 - 65535 ]
Sets the acceptable TCP sequence difference on the specified interface. The TCP
sequence number difference maximum allowed value is 65535. If the value of
tcp-seq-diff is 0, it means that this check is disabled.
set security state-insp [ ip-ppp | dsl ] vcc n deny-fragments [ off | on ]
set security state-insp ethernet [ A | B ] deny-fragments [ off | on ]
Sets whether fragmented packets are allowed to be received or not on the specified
interface.
set security state-insp tcp-timeout [ 30 - 65535 ]
Sets the stateful inspection TCP timeout interval, in seconds.
set security state-insp udp-timeout [ 30 - 65535 ]
Sets the stateful inspection UDP timeout interval, in seconds.
set security state-insp dos-detect [ off | on ]
Enables or disables the stateful inspection Denial of Service detection feature. If set to
on, the device monitors packets for Denial of Service (DoS) attacks. Offending packets
may be discarded if they are determined to be part of a DoS attack.
set security state-insp xposed-addr exposed-address# "n"
Allows you to add an entry to the specified list, or, if the list does not exist, creates the list
for the stateful inspection feature. xposed-addr settings only apply if NAT is off.
Example:
set security state-insp xposed-addr exposed-address# (?): 32
32 has been added to the xposed-addr list.
Sets the exposed list address number.
set security state-insp xposed-addr exposed-address# "n" start-ip ip_address
Sets the exposed list range starting IP address, in dotted quad format.
set security state-insp xposed-addr exposed-address# "n" end-ip ip_address
Sets the exposed list range ending IP address, in dotted quad format.
Up to 32 exposed addresses can be created. The range for exposed address numbers is from
1 through 32.
set security state-insp xposed-addr exposed-address# "n" protocol [ tcp | udp | both | any ]
Sets the protocol for the stateful inspection feature for the exposed address list. Accepted
values for protocol are tcp, udp, both, or any.
If protocol is not any, you can set port ranges:
set security state-insp xposed-addr exposed-address# "n" start-port [ 1 - 65535 ]
set security state-insp xposed-addr exposed-address# "n" end-port [ 1 - 65535 ]
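An added example, not from the Netopia manual: a Python helper that renders the CONFIG lines for one exposed-address entry and checks the rules stated above before emitting them (entry number 1 through 32, dotted-quad start/end addresses in order, protocol tcp/udp/both/any, and port ranges 1 to 65535 only when protocol is not any). The function names and the address values used in testing are constructed; remember the list only takes effect when NAT is off.

```python
from ipaddress import IPv4Address

PROTOCOLS = ("tcp", "udp", "both", "any")
MAX_ENTRIES = 32

def exposed_address_commands(num, start_ip, end_ip, protocol="any",
                             start_port=None, end_port=None):
    """Return the CONFIG lines for one exposed-address entry, or raise ValueError."""
    if not 1 <= num <= MAX_ENTRIES:
        raise ValueError(f"exposed-address# must be 1-{MAX_ENTRIES}")
    # IPv4Address() rejects anything that is not a dotted quad.
    lo, hi = IPv4Address(start_ip), IPv4Address(end_ip)
    if lo > hi:
        raise ValueError("start-ip must not be above end-ip")
    if protocol not in PROTOCOLS:
        raise ValueError(f"protocol must be one of {PROTOCOLS}")
    prefix = f'set security state-insp xposed-addr exposed-address# "{num}"'
    lines = [prefix,  # creates the entry (and the list, if it does not exist yet)
             f"{prefix} start-ip {lo}",
             f"{prefix} end-ip {hi}",
             f"{prefix} protocol {protocol}"]
    has_ports = start_port is not None or end_port is not None
    if protocol == "any":
        if has_ports:
            raise ValueError("port ranges are only accepted when protocol is not any")
        return lines
    if has_ports:
        if start_port is None or end_port is None:
            raise ValueError("give both start-port and end-port")
        if not 1 <= start_port <= end_port <= 65535:
            raise ValueError("ports must satisfy 1 <= start-port <= end-port <= 65535")
        lines += [f"{prefix} start-port {start_port}", f"{prefix} end-port {end_port}"]
    return lines

def exposed_list_commands(entries):
    """Render a whole list; at most 32 entries, each with a unique exposed-address#."""
    nums = [e["num"] for e in entries]
    if len(nums) > MAX_ENTRIES or len(nums) != len(set(nums)):
        raise ValueError("at most 32 entries with unique exposed-address# values")
    return [line for e in entries for line in exposed_address_commands(**e)]
```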
SNMP Settings
The Simple Network Management Protocol (SNMP) lets a network administrator monitor
problems on a network by retrieving settings on remote network devices. The network
administrator typically runs an SNMP management station program on a local host to
obtain information from an SNMP agent such as the Motorola Netopia® Gateway.
set snmp community read name
Adds the specified name to the list of communities associated with the Motorola Netopia®
Gateway. By default, the Motorola Netopia® Gateway is associated with the public
community.
set snmp community write name
Adds the specified name to the list of communities associated with the Motorola Netopia®
Gateway.
set snmp community trap name
Adds the specified name to the list of communities associated with the Motorola Netopia®
Gateway.
set snmp trap ip-traps ip-address
Identifies the destination for SNMP trap messages. The ip-address argument is the IP
address of the host acting as an SNMP console.
set snmp sysgroup contact contact_info
Identifies the system contact, such as the name, phone number, beeper number, or email
address of the person responsible for the Motorola Netopia® Gateway. You can enter up to
255 characters for the contact_info argument. You must put the contact_info
argument in double-quotes if it contains embedded spaces.
set snmp sysgroup location location_info
Identifies the location, such as the building, floor, or room number, of the Motorola
Netopia® Gateway. You can enter up to 255 characters for the location_info argument.