Home » Lantronix Manuals » Electronics Accessories » Lantronix SLC 8000 Advanced Console Manager » Manual Viewer

Lantronix SLC 8000 Advanced Console Manager User Guide - Page 109

Key File for Local Peer, Certificate File for Local

View all Lantronix SLC 8000 Advanced Console Manager manuals

Add to My Manuals
Save this manual to your list of manuals

Page 109 highlights

6: Basic Parameters Certificate Authority for Local Peer Certificate File for Local Peer Key File for Local Peer A certificate can be uploaded to the SLC unit for peer authentication. The certificate for the local peer is used to authenticate any remote peer to the SLC, and contains a Certificate Authority file, a public certificate file, and a private key file. The public certificate file can be shared with any remote peer for authentication. The Certificate Authority and public certificate file must be in PEM format, e.g.: -----BEGIN CERTIFICATE----- (certificate in base64 encoding) -----END CERTIFICATE----- Perfect Forward Secrecy (PFS) SA Lifetime The key file must be in RSA private key file (PKCS#1) format, eg: -----BEGIN RSA PRIVATE KEY----- (private key in base64 encoding) -----END RSA PRIVATE KEY----- When a new IPSec SA is negotiated after the IPSec SA lifetime expires, a new Diffie-Hellman key exchange can be performed to generate a new session key to be used to encrypt the data being sent through the tunnel. If this is enabled, it provides greater security, since the old session keys are destroyed. This option is deprecated and is no longer supported. With strongSwan, PFS is automatically enabled by configuring ESP Encryption to use a DH Group (ESP Encryption without a DH Group will disable PFS). Using PFS introduces no significant performance overhead, unless rekeying is done more than 80 IPsec SAs per second. How long a particular instance of a connection should last, from successful negotiation to expiry, in seconds. Normally, the connection is renegotiated (via the keying channel) before it expires. The formula for how frequently rekeying (renegotiation) is done is: rekeytime = lifetime - (margintime + random(0, margintime * rekeyfuzz)) where the default margintime is 9m (or 540 seconds) and the default rekeyfuzz is 100%. For example, if the SA Lifetime is set to 3600 seconds (1 hour), how often the tunnel is rekeyed is calculated as: rekeytime minimum = 1h - (9m + 9m) = 42m rekeytime maximum = 1h - (9m + 0m) = 51m So the rekeying time will vary between 42 minutes and 51 minutes. It is recommended that the SA Lifetime be set greater than 540 seconds; any values less than 540 seconds may require adjustments to the margintime and rekeyfuzz values (which can be set with a custom ipsec.conf file). Some peer devices (Cisco, etc) may require that the SA Lifetime be set to a minimum of 3600 seconds in order for the VPN tunnel to come up and rekeying to function properly. Mode Configuration Client For more information see the strongSwan Expiry documentation. If this is enabled, the SLC unit can receive network configuration from the remote host. This allows the remote host to assign an IP address/netmask to the SLC side of the VPN tunnel. This option is deprecated and is no longer supported. SLC™ 8000 Advanced Console Manager User Guide 109

Section	Page
SLC™ 8000 Advanced Console Manager User Guide	1
Intellectual Property	2
Warranty	2
Contacts	2
GNU General Public License Notice	2
Disclaimer & Revisions	3
Revision History	4
Table of Contents	6
List of Figures	16
List of Tables	20
1: About this Guide	21
Purpose and Audience	21
Summary of Chapters	21
Additional Documentation	22
2: Introduction	23
Features	23
Console Management	23
Power	24
Integration with Other Secure Lantronix Products	24
Hardware	24
System Features	26
Protocols Supported	27
Access Control	27
Device Port Buffer	27
Configuration Options	28
Device Port and Console Port Interfaces	28
Network Connections	32
Front Panel USB Ports	33
Memory Card Port	33
Internal Modem	34
3: Installation	35
What's in the Box	35
Customize an SLC 8000	36
Product Label	37
Technical Specifications	37
Physical Installation	39
Connecting to a Device Port	39
Modular Expansion for I/O Module Bays	41
Connecting to Network Ports	42
Connecting Terminals	42
AC Input	43
Modem Installation	44
Battery Replacement	47
4: Quick Setup	51
Recommendations	51
Method #1 Using the Front Panel Display	52
Front Panel LCD Display and Keypads	52
Navigating	52
Entering the Settings	55
Restoring Factory Defaults	56
Limiting Sysadmin User Access	56
Method #2 Quick Setup on the Web Page	57
Network Settings	58
Date & Time Settings	59
Administrator Settings	59
Method #3 Quick Setup on the Command Line Interface	60
Next Step	63
5: Web and Command Line Interfaces	64
Web Manager	64
Logging in	66
Logging Out	66
Web Page Help	67
Command Line Interface	67
Logging In	67
Logging Out	68
Command Syntax	68
Command Line Help	68
Tips	68
6: Basic Parameters	71
Requirements	71
Network Port Settings	72
Ethernet Interfaces (Eth1 and Eth2)	75
Hostname & Name Servers	77
DNS Servers	77
DHCP-Acquired DNS Servers	77
TCP Keepalive Parameters	77
Gateway	78
Fail-Over Settings	79
Fail-Over Cellular Gateway Configuration	81
Advanced Cellular Gateway Configuration	83
Fail-Over Cellular Gateway Firmware	84
Load Cellular Gateway Firmware Options	84
Ethernet Counters	85
Network Commands	85
Ethernet Switch	85
Port Statistics	88
DHCP	90
DHCP Server Settings	91
DHCP Relay Settings	92
IP Filter	92
Viewing IP Filters	92
Mapping Rulesets	93
Enabling IP Filters	93
Configuring IP Filters	95
Rule Parameters	96
Updating an IP Filter	97
Deleting an IP Filter	97
IP Filter Commands	97
Routing	97
Dynamic Routing	98
Static Routing	98
Routing Commands	99
Forwarding	99
Forwarding Connections Commands	100
VPN Settings	100
Sample ipsec.conf Files	112
VPN Commands	117
Security	117
Performance Monitoring	120
Performance Monitoring - Add/Edit Probe	123
Performance Monitoring - Results	126
Performance Monitoring Commands	130
FQDN List	131
7: Services	132
System Logging and Other Services	132
SSH/Telnet/Logging	133
System Logging	134
Audit Log	134
SSH	135
SMTP	135
Telnet	136
Web SSH/Web Telnet Settings	136
Phone Home	137
SSH Commands	137
Logging Commands	137
SNMP	138
v1/v2c Communities	142
Version 3	142
V3 User Read-Only	142
V3 User Read-Write	143
V3 User Trap	143
Version 3 TLS (over TCP)	143
Services Commands	144
NFS and SMB/CIFS	145
SMB/CIFS Share	147
NFS and SMB/CIFS Commands	147
Secure Lantronix Network	148
Browser Issues	151
Troubleshooting Browser Issues	152
Web SSH/Telnet Copy and Paste	154
Secure Lantronix Network Commands	154
Date and Time	154
Date and Time Commands	156
Web Server	156
Admin Web Commands	158
Services - SSL Certificate	159
Services - Web Sessions	161
ConsoleFlow	162
ConsoleFlow Commands	168
8: USB/SD Card Port	169
USB/SD Card Storage	169
Manage Files on Storage Device	171
USB Modem Settings	172
Data Settings	174
Modem Settings	174
Text Mode	176
PPP Mode	176
IP Settings	177
USB Serial Settings	177
Data Settings	179
IP Settings	180
USB Commands	180
SD Card Commands	180
9: Device Ports	181
Connection Methods	181
Permissions	181
I/O Modules	182
Device Status	183
Device Ports	184
Telnet/SSH/TCP in Port Numbers	185
DevicePort Global Commands	185
Device Ports - Settings	186
Device Port Settings	188
IP Settings	190
Data Settings	191
Hardware Signal Triggers	192
Modem Settings (Device Ports)	193
Modem Settings: Text Mode	194
Modem Settings: PPP Mode	195
Port Status and Counters	196
Device Ports - Power Management	196
Device Ports - RPMs - Add Device	199
Device Port - Sensorsoft Device	201
Device Port Commands	202
Device Commands	202
Interacting with a Device Port	202
Device Ports - Logging and Events	203
Local Logging	203
NFS File Logging	203
USB and SD Card Logging	204
Token/Data Detection	204
Syslog Logging	204
Token & Data Detection	205
Local Logging	207
Log Viewing Attributes	207
NFS File Logging	207
USB / SD Card Logging	207
Syslog Logging	207
Logging Commands	208
Console Port	208
Console Port Commands	209
Internal Modem Settings	209
Setting Up Internal Modem Storage	209
Text Mode	212
PPP Mode	212
Internal Modem Commands	213
Xmodem	213
Host Lists	216
Host Parameters	217
Host Parameters	218
Host List Commands	219
Scripts	219
Scripts	222
Script Commands	226
Batch Script Syntax	226
Interface Script Syntax	226
Primary Commands	228
Secondary Commands	229
Control Flow Commands	231
Custom Script Syntax	232
Example Scripts	233
Sites	249
Site Commands	252
Access Lists	252
Access List Commands	254
Modem Dialing States	254
Dial In	254
Dial-back	255
Dial-on-demand	256
Dial-in & Dial-on-demand	256
Dial-back & Dial-on-demand	257
CBCP Server and CBCP Client	257
CBCP Server	257
CBCP Client	258
Key Sequences	258
10: Remote Power Managers	260
Devices - RPMs	260
RPMs - Add Device	263
RPMs - Manage Device	266
RPMs - Outlets	269
RPM Shutdown Procedure	270
Optimizing and Troubleshooting RPM Behavior	272
RPM Commands	273
11: Connections	274
Typical Setup Scenarios for the SLC Unit	274
Terminal Server	274
Remote Access Server	275
Reverse Terminal Server	275
Multiport Device Server	276
Console Server	276
Connection Configuration	277
Connection Commands	279
12: User Authentication	280
Authentication Commands	282
User Rights	282
Local and Remote User Settings	284
Sysadmin Account Default Login Values	285
Adding, Editing or Deleting a User	286
Shortcut	290
Local Users Commands	290
Remote User Rights Commands	290
NIS	291
NIS Commands	294
LDAP	294
LDAP Commands	298
RADIUS	299
RADIUS Commands	302
User Attributes & Permissions from LDAP Schema or RADIUS VSA	302
Kerberos	303
Kerberos Commands	306
TACACS+	306
TACACS+ Groups	307
TACACS+ Commands	310
Groups	311
Group Commands	314
SSH Keys	314
Imported Keys	314
Exported Keys	314
Imported Keys (SSH In)	316
Host & Login for Import	316
Exported Keys (SSH Out)	316
Host and Login for Export	317
SSH Commands	319
Custom Menus	319
Custom User Menu Commands	322
13: Maintenance	323
Firmware & Configurations	323
Zero Touch Provisioning Configuration Restore	323
Creating a Certificate	324
HTTPS Push Configuration Restore	326
Factory Reset with External Storage Device	327
Internal Temperature	329
Site Information	329
SLC Firmware	329
Boot Banks and Bootloader Settings	330
Load Firmware Via Options	331
Configuration Management	331
Manage Files	333
Administrative Commands	333
System Logs	334
System Log Commands	335
Audit Log	336
Audit Log Commands	337
Email Log	337
Logging Commands	337
Diagnostics	338
Diagnostic Commands	341
Status/Reports	341
View Report	341
Status Commands	343
Emailing Logs and Reports	343
Events	346
Events Commands	347
LCD/Keypad	348
Administrative LCD/Keypad Commands	349
Banners	349
Administrative Banner Commands	350
System Info	350
14: Application Examples	352
Telnet/SSH to a Remote Device	352
Dial-in (Text Mode) to a Remote Device	354
Local Serial Connection to Network Device via Telnet	355
15: Command Reference	357
Introduction to Commands	357
Command	357
Command Line Help	358
Tips	358
Access List Commands	359
set accesslist add\|edit	359
set accesslist add\|edit	359
set accesslist delete	359
showaccesslist	360
Administrative Commands	360
admin banner login	360
admin banner logout0	360
admin banner show	360
admin banner ssh	361
admin banner welcome	361
admin banner welcome	361
admin clear	361
admin config copy	362
admin config rename\|delete	362
admin config factorydefaults	362
admin config restore	363
admin config save	363
admin config checksum	363
admin config commands	364
admin config batch	364
admin config show	364
admin firmware bootbank	364
admin firmware bootcount	365
admin firmware bootlimit	365
admin firmware bootdelay	365
admin firmware highrestimers	365
admin firmware watchdog	366
admin firmware show	366
admin firmware update	366
admin firmware clearlog	366
admin ftp password	367
admin ftp server	367
admin ftp show	367
admin keypad	367
admin keypad password	367
admin keypad show	368
admin lcd reset	368
admin lcd default	368
admin lcd screens	368
admin lcd line1	369
admin lcd scrolling	369
admin memory show	369
admin memory swap add	369
admin memory swap delete	370
admin quicksetup	370
admin reboot	370
admin shutdown	370
admin site	370
admin sysinfo	371
admin sysinfo save <ZIP File Name> location <ftp\|sftp\|scp\|nfs\|usb\|sdcard>	371
[nfsdir <NFS Mounted Directory>] [usbport <U1\|U2>]	371
[host <IP Address or Name>] [login <User Login>]	371
[path <Path to Save File>]	371
admin version	371
admin web certificate import	371
admin web certificate reset	371
admin web certificate custom	372
admin web certificate custom	372
admin web certificate show	372
admin web group	372
admin web server	372
admin web sha2	372
admin web timeout	373
admin web terminate	373
admin web show	373
admin web banner	373
admin web iface	373
admin web cipher	374
admin web sha2	374
admin web tlsv10	374
admin web tlsv11	374
admin web tlsv12	374
admin web restart	375
admin chip resetmodem	375
admin eeprom	375
Audit Log Commands	376
show auditlog	376
show auditlog clear	376
Authentication Commands	377
set auth	377
show auth	377
show user	377
Kerberos Commands	378
set kerberos	378
show kerberos	378
LDAP Commands	379
set ldap	379
set ldap bindpassword	379
set ldap certificate import	380
set ldap certificate delete	380
show ldap	380
Local Users Commands	380
set localusers add\|edit	380
set localusers allowreuse	381
set local users complexpasswords	381
set localusers state	381
set localusers delete	381
set localusers lifetime	382
set localusers maxloginattempts	382
set localusers password	382
set localusers periodlockout	382
set localusers periodwarning	382
set localusers reusehistory	383
set localusers multipleadminlogins	383
set localusers consoleonlyadmin	383
show localusers	383
set localusers lock	383
set localusers unlock	384
set localusers permissions	384
NIS Commands	384
set nis	384
show nis	385
RADIUS Commands	385
set radius	385
set radius server	386
show radius	386
TACACS+ Commands	386
set tacacs+	386
show tacacs+	387
User Permissions Commands	387
set localusers group	387
set localusers lock	388
set localusers unlock	388
set localusers permissions	388
set <nis\|ldap\|radius\|kerberos\|tacacs+> permissions	388
show user	389
Remote User Commands	389
set remoteusers add\|edit	389
set remoteusers listonlyauth	389
set remoteusers denyaccessnocustomgroup	390
set remoteusers denyaccessnocustomgroup <enable\|disable>	390
set remoteusers lock\|unlock	390
set remoteusers delete	390
show remoteusers	390
set <nis\|ldap\|radius\|kerberos\|tacacs+> group	390
set cli	391
set cli menu	391
show cli	392
show user	392
set history	392
show history	392
Connection Commands	392
connect bidirection	392
connect direct	393
connect forward	394
connect global outgoingtimeout	394
connect listen deviceport	394
connect terminate	394
connect unidirection	394
show connections	395
show connections connid	395
ConsoleFlow Commands	396
set cflow client	396
set cflow statusinterval	396
set cflow fwupdate	396
set cflow rebootafterupdate	396
set cflow allowremoteconnection	396
set cflow auditlogmessages	397
set cflow connection	397
set cflow devicename	397
set cflow timeoutcli	397
set cflow digitalprobe	398
set cflow id	398
set cflow key	398
set cflow useproxy	398
set cflow proxypassword	398
show cflow	399
Console Port Commands	399
set consoleport	399
show consoleport	399
Custom User Menu Commands	400
set localusers	400

Match case Limit results 1 per page

6: Basic Parameters

SLC™ 8000 Advanced Console Manager User Guide

109

Certificate Authority for

Local Peer

A certificate can be uploaded to the SLC unit for peer authentication. The

certificate for the local peer is used to authenticate any remote peer to the

SLC, and contains a Certificate Authority file, a public certificate file, and a

private key file. The public certificate file can be shared with any remote

peer for authentication. The Certificate Authority and public certificate file

must be in PEM format, e.g.:

-----BEGIN CERTIFICATE-----

(certificate in base64 encoding)

-----END CERTIFICATE-----

The key file must be in RSA private key file (PKCS#1) format, eg:

-----BEGIN RSA PRIVATE KEY-----

(private key in base64 encoding)

-----END RSA PRIVATE KEY-----

Certificate File for Local

Peer

Key File for Local Peer

Perfect Forward Secrecy

(PFS)

When a new IPSec SA is negotiated after the IPSec SA lifetime expires, a

new Diffie-Hellman key exchange can be performed to generate a new

session key to be used to encrypt the data being sent through the tunnel. If

this is enabled, it provides greater security, since the old session keys are

destroyed.

This option is deprecated and is no longer supported.

With

strongSwan, PFS is automatically enabled by configuring ESP Encryption to

use a DH Group (ESP Encryption without a DH Group will disable PFS).

Using PFS introduces no significant performance overhead, unless

rekeying is done more than 80 IPsec SAs per second.

SA Lifetime

How long a particular instance of a connection should last, from successful

negotiation to expiry, in seconds. Normally, the connection is renegotiated

(via the keying channel) before it expires.

The formula for how frequently rekeying (renegotiation) is done is:

rekeytime = lifetime - (margintime + random(0,

margintime * rekeyfuzz))

where the default

margintime

is 9m (or 540 seconds) and the default

rekeyfuzz

is 100%. For example, if the SA Lifetime is set to 3600 seconds

(1 hour), how often the tunnel is rekeyed is calculated as:

rekeytime minimum = 1h - (9m + 9m) = 42m rekeytime

maximum = 1h - (9m + 0m) = 51m

So the rekeying time will vary between 42 minutes and 51 minutes.

It is recommended that the SA Lifetime be set greater than 540 seconds;

any values less than 540 seconds may require adjustments to the

margintime and rekeyfuzz values (which can be set with a custom

ipsec.conf file). Some peer devices (Cisco, etc) may require that the SA

Lifetime be set to a minimum of 3600 seconds in order for the VPN tunnel to

come up and rekeying to function properly.

For more information see the

strongSwan Expiry

documentation.

Mode Configuration Client

If this is enabled, the SLC unit can receive network configuration from the

remote host. This allows the remote host to assign an IP address/netmask

to the SLC side of the VPN tunnel.

This option is deprecated and is no

longer supported.