Home » Lantronix Manuals » Electronics Accessories » Lantronix EMG 8500 » Manual Viewer

Lantronix EMG 8500 EMG User Guide - Page 125

Key File for Local Peer, Certificate File for Local

Add to My Manuals
Save this manual to your list of manuals

Page 125 highlights

7: Networking Certificate Authority for Local Peer Certificate File for Local Peer Key File for Local Peer A certificate can be uploaded to the EMG unit for peer authentication. The certificate for the local peer is used to authenticate any remote peer to the EMG, and contains a Certificate Authority file, a public certificate file, and a private key file. The public certificate file can be shared with any remote peer for authentication. The Certificate Authority and public certificate file must be in PEM format, e.g.: -----BEGIN CERTIFICATE----- (certificate in base64 encoding) -----END CERTIFICATE----- SA Lifetime The key file must be in RSA private key file (PKCS#1) format, eg: -----BEGIN RSA PRIVATE KEY----- (private key in base64 encoding) -----END RSA PRIVATE KEY----- How long a particular instance of a connection should last, from successful negotiation to expiry, in seconds. Normally, the connection is renegotiated (via the keying channel) before it expires. The formula for how frequently rekeying (renegotiation) is done is: rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)) where the default margintime is 9m (or 540 seconds) and the default rekeyfuzz is 100%. For example, if the SA Lifetime is set to 3600 seconds (1 hour), how often the tunnel is rekeyed is calculated as: rekeytime minimum = 1h - (9m + 9m) = 42m rekeytime maximum = 1h - (9m + 0m) = 51m So the rekeying time will vary between 42 minutes and 51 minutes. It is recommended that the SA Lifetime be set greater than 540 seconds; any values less than 540 seconds may require adjustments to the margintime and rekeyfuzz values (which can be set with a custom ipsec.conf file). Some peer devices (Cisco, etc) may require that the SA Lifetime be set to a minimum of 3600 seconds in order for the VPN tunnel to come up and rekeying to function properly. XAUTH Client XAUTH Login (Client) XAUTH Password/Retype Password Cisco Unity For more information see the strongSwan Expiry documentation. If this is enabled, the EMG will send authentication credentials to the remote host if they are requested. XAUTH, or Extended Authentication, can be used as an additional security measure on top of the Pre-Shared Key or RSA Public Key. This is typically used with Cisco peers, where the Cisco peer is acting as an XAUTH server. If XAUTH Client is enabled, this is the login used for authentication. If XAUTH Client is enabled, this is the password used for authentication. If enabled, sends the Cisco Unity vendor ID payload (IKEv1 only), indicating that the EMG is acting as a Cisco Unity compliant peer. This indicates to the remote peer that Mode Config is supported (an IKE configuration method that is widely adopted, documented here). EMG™ Edge Management Gateway User Guide 125

Section	Page
EMG™ Edge Management Gateway User Guide	1
EMG 8500	1
EMG 7500	1
Intellectual Property	2
Warranty	2
Contacts	2
Open Source Software	2
Disclaimer & Revisions	3
Revision History	4
Table of Contents	5
List of Figures	16
List of Tables	20
1: About this Guide	21
Purpose and Audience	21
Summary of Chapters	21
Additional Documentation	22
2: Introduction	23
EMG 8500 Overview	23
EMG 7500 Overview	24
Key Features	24
Console Management	24
Performance Monitoring	25
Security	25
Power	25
Integration with Lantronix ConsoleFlow™	25
Applications	25
Protocol Support	26
Configuration Methods	26
Product Information Label	27
EMG 8500 Hardware Components	28
EMG 7500 Hardware Components	29
System Features	30
Access Control	30
Device Port Buffer	30
Console Port Interface	30
Device Port Interfaces	31
I/O Modules	32
Network Connections	32
Connectivity Modules	34
Front Panel LEDs	35
Digital IO Port	35
3: EMG 8500 Installation	37
EMG 8500 Package Contents	37
Order Information	38
User Supplied Items	38
Customize an EMG	38
Hardware Specifications	39
Physical Installation	40
Rack Mount Installation	41
Wall Mount Installation	42
Connecting to a Device Port	44
Modular Expansion for I/O Module Bays	45
Connecting to Network Ports	46
Modular Expansion for Connectivity Module Bays	46
Connecting Terminals	47
Power Input	48
I/O Module Installation	49
Connectivity Module Installation	50
Modem Installation	52
4: EMG 7500 Installation	53
EMG 7500 Package Contents	53
Order Information	53
User Supplied Items	53
Hardware Specifications	54
Physical Installation	55
Rack Mount Installation	56
Wall Mount Installation	57
Connecting to a Device Port	58
Connecting to Network Ports	60
Connecting Terminals	60
Power Input	61
Modem Installation	62
5: Quick Setup	63
Recommendations	63
IP Address	63
Lantronix Provisioning Manager	64
Method #1 Quick Setup on the Web Page	64
Network Settings	66
Date & Time Settings	67
Administrator Settings	67
Method #2 Quick Setup on the Command Line Interface	68
Next Step	71
Limiting Sysadmin User Access	71
6: Web and Command Line Interfaces	72
Web Manager	72
Logging in	74
Logging Out	75
Web Page Help	75
Command Line Interface	75
Logging In	75
Logging Out	76
Command Syntax	76
Command Line Help	76
Tips	76
General CLI Commands	77
7: Networking	79
Requirements	79
Network Port Settings	80
Ethernet Interfaces (Eth1 and Eth2)	83
Hostname & Name Servers	85
DNS Servers	85
DHCP-Acquired DNS Servers	85
TCP Keepalive Parameters	86
Gateway	86
Fail-Over Settings	87
Fail-Over Cellular Gateway Configuration	89
Advanced Cellular Gateway Configuration	90
Fail-Over Cellular Gateway Firmware	91
Load Cellular Gateway Firmware Options	91
Ethernet Counters	92
Network Commands	92
Cellular Modem Settings	93
Cellular Interface	94
Cellular Modem Configuration	94
Cellular Modem Firmware	94
Load Cellular Modem Firmware Options	95
Cellular Status	95
Cellular Modem Commands	96
Wireless Settings	97
Wireless Overview	97
Wireless Firmware	99
Troubleshooting	100
Wireless Client Settings	101
Wireless Access Point Settings	108
IP Filter	111
Viewing IP Filters	111
Mapping Rulesets	111
Enabling IP Filters	112
Configuring IP Filters	113
Rule Parameters	114
Updating an IP Filter	115
Deleting an IP Filter	115
IP Filter Commands	115
Routing	116
Dynamic Routing	116
Static Routing	116
Routing Commands	117
VPN Settings	117
Sample ipsec.conf Files	128
VPN Commands	133
Security	134
Performance Monitoring	137
Performance Monitoring - Add/Edit Probe	140
Performance Monitoring - Results	143
Performance Monitoring Commands	147
FQDN List	147
8: Services	148
System Logging and Other Services	148
SSH/Telnet/Logging	148
System Logging	149
Audit Log	150
SSH	150
Telnet	151
Web SSH/Web Telnet Settings	151
SMTP	151
SSH Commands	152
Logging Commands	152
SNMP	152
v1/v2c Communities	156
Version 3	156
V3 User Read-Only	157
V3 User Read-Write	157
V3 User Trap	157
Version 3 TLS (over TCP)	157
Services Commands	159
NFS and SMB/CIFS	160
SMB/CIFS Share	161
NFS and SMB/CIFS Commands	161
Secure Lantronix Network	162
Browser Issues	164
Troubleshooting Browser Issues	165
Web SSH/Telnet Copy and Paste	167
Secure Lantronix Network Commands	167
Date and Time	168
Date and Time Commands	169
Web Server	170
Admin Web Commands	172
Services - SSL Certificate	172
Services - Web Sessions	175
ConsoleFlow	176
ConsoleFlow Commands	180
9: USB/SD Card Port	181
Set up USB/SD Card Storage	181
Manage Files	184
USB Commands	185
SD Card Commands	185
10: Device Ports	186
Connection Methods	186
Permissions	186
I/O Modules	187
Device Status	188
Device Ports	188
Telnet/SSH/TCP in Port Numbers	190
Device Port Global Commands	190
Device Ports - Settings	191
Device Port Settings	193
IP Settings	195
Data Settings	196
Hardware Signal Triggers	197
Modem Settings (Device Ports)	198
Modem Settings: Text Mode	199
Modem Settings: PPP Mode	200
Port Status and Counters	201
Device Ports - Power Management	201
Device Port - Sensorsoft Device	204
Device Port Commands	206
Device Commands	206
Interacting with a Device Port	207
Device Ports - Logging and Events	208
Local Logging	208
NFS File Logging	208
USB and SD Card Logging	208
Token/Data Detection	209
Syslog Logging	209
Token & Data Detection	210
Local Logging	212
Log Viewing Attributes	212
NFS File Logging	212
USB / SD Card Logging	212
Syslog Logging	212
Logging Commands	213
Console Port	213
Console Port Commands	214
Internal Modem Settings	215
Internal Modem Commands	219
DIO Port	219
DIO Commands	220
Xmodem	221
Xmodem Commands	223
Host Lists	224
Host Parameters	224
Host List Commands	227
Sites	228
Site Commands	230
Modem Dialing States	231
Dial In	231
Dial-back	231
Dial-on-demand	232
Dial-in & Dial-on-demand	232
Dial-back & Dial-on-demand	233
CBCP Server and CBCP Client	234
CBCP Server	234
CBCP Client	234
Key Sequences	235
11: Remote Power Managers	236
Devices - RPMs	236
RPMs - Add Device	239
RPMs - Manage Device	242
RPMs - Outlets	246
RPM Shutdown Procedure	246
Optimizing and Troubleshooting RPM Behavior	248
RPM Commands	249
12: Scripts	250
Script Commands	255
Batch Script Syntax	256
Interface Script Syntax	257
Primary Commands	258
Secondary Commands	259
Control Flow Commands	261
Custom Script Syntax	263
Example Scripts	265
13: Connections	284
Typical Setup Scenarios for the EMG unit	284
Terminal Server	284
Remote Access Server	285
Reverse Terminal Server	285
Multiport Device Server	286
Console Server	286
Connection Configuration	287
Connection Commands	289
14: User Authentication	290
Authentication Commands	292
User Rights	293
Local and Remote User Settings	294
Sysadmin Account Default Login Values	295
Adding, Editing or Deleting a User	296
Shortcut	300
Local Users Commands	300
Remote User Rights Commands	300
NIS	301
NIS Commands	303
LDAP	304
LDAP Commands	308
RADIUS	309
RADIUS Commands	312
User Attributes & Permissions from LDAP Schema or RADIUS VSA	312
Kerberos	314
Kerberos Commands	316
TACACS+	317
TACACS+ Groups	317
TACACS+ Commands	321
Groups	322
Group Commands	325
SSH Keys	326
Overview	326
Imported Keys	326
Exported Keys	326
Create an SSH Key	326
Imported Keys (SSH In)	329
Exported Keys (SSH Out)	329
SSH Server/Host Keys	330
SSH Commands	332
Custom Menus	333
Custom User Menu Commands	335
15: Maintenance	336
Firmware & Configurations	336
Zero Touch Provisioning Configuration Restore	336
Creating a Certificate	337
HTTPS Push Configuration Restore	339
Factory Reset with External Storage Device	340
Internal Temperature	342
Site Information	342
EMG Firmware	342
Boot Banks and Bootloader Settings	343
Load Firmware Via Options	344
Configuration Management	344
Manage Files	346
Administrative Commands	346
System Logs	347
System Log Commands	348
Audit Log	349
Audit Log Commands	349
Email Log	350
Logging Commands	350
Diagnostics	351
Diagnostic Commands	354
Status/Reports	354
View Report	354
Status Commands	356
Emailing Logs and Reports	357
Events	359
Events Commands	361
Banners	361
Administrative Banner Commands	362
System Info	363
16: Application Examples	365
Telnet/SSH to a Remote Device	366
Dial-in (Text Mode) to a Remote Device	368
Local Serial Connection to Network Device via Telnet	370
17: Command Reference	372
Introduction to Commands	372
Command	372
Command Line Help	373
Tips	373
Administrative Commands	374
admin banner login	374
admin banner logout	374
admin banner show	374
admin banner ssh	375
admin banner welcome	375
admin config checksum	375
admin config copy	375
admin config rename\|delete	375
admin config factorydefaults	376
admin config restore	376
admin config save	377
admin config show	377
admin eeprom	377
admin firmware bootbank	378
admin firmware bootcount	378
admin firmware bootlimit	378
admin firmware bootdelay	378
admin firmware highrestimers	379
admin firmware watchdog	379
admin firmware show	379
admin firmware update	379
admin firmware clearlog	379
admin ftp password	380
admin ftp server	380
admin ftp show	380
admin memory show	380
admin memory swap add	380
admin memory swap delete	381
admin quicksetup	381
admin reboot	381
admin shutdown	381
admin site	381
admin sysinfo	382
admin version	382
admin web certificate import	382
admin web certificate reset	382
admin web certificate custom	383
admin web certificate custom	383
admin web certificate show	383
admin web group	383
admin web server	383
admin web sha2	383
admin web timeout	384
admin web terminate	384
admin web show	384
admin web banner	384
admin web iface	384
admin web cipher	385
admin web sha2	385
admin web tlsv10	385
admin web tlsv11	385
admin web tlsv12	385
admin web restart	386
admin chip resetmodem	386
Audit Log Commands	386
show auditlog	386
Authentication Commands	387
set auth	387
show auth	387
show user	387
Kerberos Commands	388
set kerberos	388
show kerberos	388
LDAP Commands	389
set ldap	389
set ldap bindpassword	389
set ldap certificate import	390
set ldap certificate delete	390
show ldap	390
Local Users Commands	390
set localusers add\|edit	390
set localusers allowreuse	391
set local users complexpasswords	391
set localusers state	391
set localusers delete	391
set localusers lifetime	392
set localusers maxloginattempts	392
set localusers password	392
set localusers periodlockout	392
set localusers periodwarning	392
set localusers reusehistory	393
set localusers multipleadminlogins	393
set localusers consoleonlyadmin	393
show localusers	393
set localusers lock	393
set localusers unlock	394
set localusers permissions	394
NIS Commands	394
set nis	394
show nis	395
RADIUS Commands	395
set radius	395
set radius server	396
show radius	396
TACACS+ Commands	396
set tacacs+	396
show tacacs+	397
User Permissions Commands	398
set localusers group	398
set localusers lock	398
set localusers unlock	398
set localusers permissions	398
set <nis\|ldap\|radius\|kerberos\|tacacs+> permissions	399
show user	399
Remote User Commands	399
set remoteusers add\|edit	399
set remoteusers listonlyauth	400
set remoteusers denyaccessnocustomgroup	400
set remoteusers denyaccessnocustomgroup <enable\|disable>	400
set remoteusers lock\|unlock	400
set remoteusers delete	400
show remoteusers	400
set <nis\|ldap\|radius\|kerberos\|tacacs+> group	401
Cellular Modem Commands	401
set cellular	401
set cellular update	401
set cellular	402
show cellular	402
ConsoleFlow Commands	402
set cflow client	402
set cflow statusinterval	402
set cflow fwupdate	402
set cflow rebootafterupdate	403
set cflow connection	403
set cflow devicename	403
set cflow timeoutcli	403
set cflow digitalprobe	404
set cflow id	404
set cflow key	404
show cflow	404
CLI Commands	405
set cli	405
set cli menu	405
show cli	405
show user	406
set history	406
show history	406
Connection Commands	406
connect bidirection	406
connect direct	407
connect global outgoingtimeout	407
connect listen deviceport	408
connect terminate	408
connect unidirection	408
show connections	409
show connections connid	409
Console Port Commands	409
set consoleport	409
show consoleport	410
Custom User Menu Commands	410
set localusers	410
set menu add	410
set menu delete	411
set <nis\|ldap\|radius\|kerberos\|tacacs+> custommenu	411
set remoteusers add\|edit	411

Match case Limit results 1 per page

7: Networking

EMG™ Edge Management Gateway User Guide

125

Certificate Authority for

Local Peer

A certificate can be uploaded to the EMG unit for peer authentication. The

certificate for the local peer is used to authenticate any remote peer to the

EMG, and contains a Certificate Authority file, a public certificate file, and a

private key file. The public certificate file can be shared with any remote

peer for authentication. The Certificate Authority and public certificate file

must be in PEM format, e.g.:

-----BEGIN CERTIFICATE-----

(certificate in base64 encoding)

-----END CERTIFICATE-----

The key file must be in RSA private key file (PKCS#1) format, eg:

-----BEGIN RSA PRIVATE KEY-----

(private key in base64 encoding)

-----END RSA PRIVATE KEY-----

Certificate File for Local

Peer

Key File for Local Peer

SA Lifetime

How long a particular instance of a connection should last, from successful

negotiation to expiry, in seconds. Normally, the connection is renegotiated

(via the keying channel) before it expires.

The formula for how frequently rekeying (renegotiation) is done is:

rekeytime = lifetime - (margintime + random(0,

margintime * rekeyfuzz))

where the default

margintime

is 9m (or 540 seconds) and the default

rekeyfuzz

is 100%. For example, if the SA Lifetime is set to 3600 seconds

(1 hour), how often the tunnel is rekeyed is calculated as:

rekeytime minimum = 1h - (9m + 9m) = 42m rekeytime

maximum = 1h - (9m + 0m) = 51m

So the rekeying time will vary between 42 minutes and 51 minutes.

It is recommended that the SA Lifetime be set greater than 540 seconds;

any values less than 540 seconds may require adjustments to the

margintime and rekeyfuzz values (which can be set with a custom

ipsec.conf file). Some peer devices (Cisco, etc) may require that the SA

Lifetime be set to a minimum of 3600 seconds in order for the VPN tunnel to

come up and rekeying to function properly.

For more information see the

strongSwan Expiry

documentation.

XAUTH Client

If this is enabled, the EMG will send authentication credentials to the remote

host if they are requested. XAUTH, or Extended Authentication, can be

used as an additional security measure on top of the Pre-Shared Key or

RSA Public Key. This is typically used with Cisco peers, where the Cisco

peer is acting as an XAUTH server.

XAUTH Login

(Client)

XAUTH Client

is enabled, this is the login used for authentication.

XAUTH Password/Retype

Password

XAUTH Client

is enabled, this is the password used for authentication.

Cisco Unity

If enabled, sends the Cisco Unity vendor ID payload (IKEv1 only), indicating

that the EMG is acting as a Cisco Unity compliant peer. This indicates to the

remote peer that

Mode Config

is supported (an IKE configuration method

that is widely adopted, documented

here