RIP authentication mode of USG firewalls


The RIP authentication mode of USG2000, USG5000, and USG6000 is configured as follows:
rip authentication-mode

Command function:
The rip authentication-mode command configures the RIP-2 packet authentication mode and its parameters. Only one authentication word is supported at a time; configuring a new authentication word overwrites the old one.

The undo rip authentication-mode command removes all RIP authentication from the interface.

Command format:
rip authentication-mode { simple password | md5 { nonstandard password key-id | usual password } }

undo rip authentication-mode

Parameter description:
| Parameter | Description | Value |
|---|---|---|
| simple | Plain-text authentication mode. | - |
| md5 | Message Digest 5 (MD5) cipher-text authentication mode. | - |
| nonstandard | The MD5 authentication packets use the non-standard packet format (private standard). | - |
| password | Authentication word (keyword) for the chosen authentication mode. | A character string: plain text with a length of 1 to 16, or cipher text with a length of 32. Passwords shown when querying the configuration file are always in cipher text. |
| usual | The MD5 authentication packets use the universal packet format (IETF standard). | - |
| key-id | Identifier of the MD5 cipher-text authentication key. | 1 to 255 |

Example:
# Set the MD5 authentication in the universal format and the authentication word to rose.

system-view
[sysname] interface GigabitEthernet 0/0/1
[sysname-GigabitEthernet 0/0/1] rip authentication-mode md5 usual rose
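The difference between the simple and md5 modes above is visible on the wire. The following is an added example (not Huawei code and not part of the original page) that builds and checks RIPv2 authentication entries in Python: the plain-text entry (type 2), where the authentication word is carried in the clear in the first 20-byte entry, and the keyed-MD5 entry (type 3) with its trailing digest as defined in RFC 2082, which is the IETF "usual" format. Huawei's "nonstandard" private format is not documented on this page and is not implemented here. Route prefixes, metrics, key ID and sequence number in the usage section are constructed sample values.

```python
"""RIPv2 authentication entries: plain-text (type 2) and RFC 2082 keyed MD5 (type 3).

Added example, not Huawei code. Implements the IETF ("usual") keyed-MD5 format only.
"""
import hashlib
import hmac
import ipaddress
import struct

RIP_HEADER = struct.Struct("!BBH")       # command, version, unused
RIP_ENTRY = struct.Struct("!HHIIII")     # AFI, route tag, address, mask, next hop, metric
AUTH_SIMPLE = 2                          # RFC 2453 plain-text authentication
AUTH_MD5 = 3                             # RFC 2082 keyed message digest
KEY_LEN = 16                             # authentication word is at most 16 bytes


def _pad_key(password: str) -> bytes:
    """Zero-pad the authentication word to 16 bytes (1..16 characters, as on the page)."""
    key = password.encode()
    if not 1 <= len(key) <= KEY_LEN:
        raise ValueError("RIP authentication word must be 1..16 bytes")
    return key.ljust(KEY_LEN, b"\0")


def _route_entries(routes) -> bytes:
    """Encode (prefix, metric) pairs as RIPv2 route entries (AFI 2 = IPv4)."""
    out = b""
    for prefix, metric in routes:
        net = ipaddress.ip_network(prefix)
        out += RIP_ENTRY.pack(2, 0, int(net.network_address), int(net.netmask), 0, metric)
    return out


def build_simple(routes, password: str, command: int = 2) -> bytes:
    """RIP-2 response with plain-text authentication: the word travels unencrypted."""
    auth = struct.pack("!HH", 0xFFFF, AUTH_SIMPLE) + _pad_key(password)
    return RIP_HEADER.pack(command, 2, 0) + auth + _route_entries(routes)


def build_md5(routes, password: str, key_id: int, seq: int, command: int = 2) -> bytes:
    """RIP-2 response with RFC 2082 keyed-MD5 authentication and trailer."""
    body = _route_entries(routes)
    pkt_len = RIP_HEADER.size + 20 + len(body)   # offset of the authentication trailer
    auth = struct.pack("!HHHBBI8x", 0xFFFF, AUTH_MD5, pkt_len, key_id, KEY_LEN, seq)
    head = RIP_HEADER.pack(command, 2, 0) + auth + body + struct.pack("!HH", 0xFFFF, 1)
    # The digest covers the packet with the padded key standing in the digest slot.
    digest = hashlib.md5(head + _pad_key(password)).digest()
    return head + digest


def parse_auth(pkt: bytes):
    """Return ('simple', word), ('md5', key_id, seq), ('unknown', type) or None."""
    if len(pkt) < RIP_HEADER.size + 20:
        return None
    afi, atype = struct.unpack_from("!HH", pkt, RIP_HEADER.size)
    if afi != 0xFFFF:
        return None                      # first entry is a route: no authentication
    if atype == AUTH_SIMPLE:
        word = pkt[RIP_HEADER.size + 4:RIP_HEADER.size + 20].rstrip(b"\0")
        return ("simple", word.decode(errors="replace"))
    if atype == AUTH_MD5:
        _, _, _, key_id, _, seq = struct.unpack_from("!HHHBBI", pkt, RIP_HEADER.size)
        return ("md5", key_id, seq)
    return ("unknown", atype)


def verify_md5(pkt: bytes, password: str) -> bool:
    """Recompute the RFC 2082 digest and compare it in constant time."""
    info = parse_auth(pkt)
    if not info or info[0] != "md5":
        return False
    pkt_len = struct.unpack_from("!H", pkt, RIP_HEADER.size + 4)[0]
    if len(pkt) != pkt_len + 20:
        return False                     # trailer must be exactly 4 + 16 bytes
    if pkt[pkt_len:pkt_len + 4] != struct.pack("!HH", 0xFFFF, 1):
        return False
    expected = hashlib.md5(pkt[:pkt_len + 4] + _pad_key(password)).digest()
    return hmac.compare_digest(expected, pkt[pkt_len + 4:])


if __name__ == "__main__":
    # Constructed sample routes; "rose" matches the authentication word in the page's example.
    routes = [("10.0.0.0/8", 1), ("192.168.1.0/24", 2)]
    plain = build_simple(routes, "rose")
    signed = build_md5(routes, "rose", key_id=1, seq=7)
    print("simple entry exposes:", parse_auth(plain))
    print("md5 entry:", parse_auth(signed), "valid:", verify_md5(signed, "rose"))
```

Running the module shows the practical point behind the page's parameter table: with simple mode the authentication word can be read directly from any captured update, while with md5 mode a receiver that holds the word can reject updates whose routes or metrics were altered in transit, since any change to the covered bytes invalidates the digest. The key-id lets the receiver pick the right word when several are configured.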

Other related questions:
RIP configuration of USG firewalls
Configure the RIP on the USG2000 or USG5000 as follows:

1. Run the system-view command to enter the system view.

2. Run the rip [ process-id ] command to enable the RIP route process and enter the RIP view. If RIP commands are configured in the interface view before the RIP is enabled, the configuration only takes effect after the RIP is enabled.

3. Run the network network-address command to enable the RIP in the specified network segment. The RIP runs only at the interfaces in the specified network segment. Other interfaces neither receive nor send RIP routes, and their interface routes are not advertised. Therefore, after the RIP is enabled, you must specify the network segment. The network-address indicates the address of the natural network segment. By default, the RIP is disabled at all interfaces after the RIP process is enabled.

Note: The RIP does not support specifying different addresses for different RIP processes of the same physical interface.

4. By default, an interface receives RIP-1 and RIP-2 packets but sends only RIP-1 packets. When the interface version is RIP-2, you can specify the packet sending mode. If no RIP version is configured on the interface, the global version applies. Configure the global RIP version by running the version { 1 | 2 } command in the RIP view. To configure the RIP version for an interface:
   a. Run the system-view command to enter the system view.
   b. Run the interface interface-type interface-number command to enter the interface view.
   c. Run the rip version { 1 | 2 [ broadcast | multicast ] } command to specify the RIP version of the interface.

Configuring the RIP priority on the firewall
The method for modifying the RIP priority on the USG2000, USG5000, and USG6000 is as follows:

[USG] rip
[USG-rip-1] preference 80

Method used to configure the NAS-Initialized VPN (RADIUS authentication) on the USG2000 and USG5000
The method used to configure the NAS-Initialized VPN (RADIUS authentication) on the USG2000 and USG5000 is as follows. A user connects to the LAC based on PPPoE and is authenticated by the RADIUS server.

1. Configure the LAC.

a. Configure the default route. Assume that the next hop address on the path from the LAC to the LNS is 202.38.160.2.
system-view
[USG] sysname LAC
[LAC] ip route-static 0.0.0.0 0.0.0.0 202.38.160.2

b. Create the virtual interface template and bind it to the interface.
[LAC] interface Virtual-Template 1
[LAC-Virtual-Template1] ppp authentication-mode chap
[LAC-Virtual-Template1] quit
[LAC] interface GigabitEthernet 0/0/5
[LAC-GigabitEthernet0/0/5] pppoe-server bind virtual-template 1
[LAC-GigabitEthernet0/0/5] quit
Note: The virtual interface template must be bound to the interface that connects to the dial-up user, so that the interface provides the PPPoE server function.

c. Enable the L2TP.
[LAC] l2tp enable

d. Create and configure the L2TP group.
[LAC] l2tp-group 1
[LAC-l2tp1] start l2tp ip 202.38.161.1 domain net1
[LAC-l2tp1] tunnel authentication
[LAC-l2tp1] tunnel password cipher Hello123
[LAC-l2tp1] tunnel name LAC
[LAC-l2tp1] quit

e. Create the authentication scheme.
[LAC] aaa
[LAC-aaa] authentication-scheme auth1
[LAC-aaa-authen-auth1] authentication-mode radius
[LAC-aaa-authen-auth1] return

f. Configure the RADIUS template.
system-view
[LAC] radius-server template temp
[LAC-radius-temp] radius-server authentication 10.1.1.2 1812
[LAC-radius-temp] radius-server user-name domain-included
Note: By default, the radius-server user-name domain-included command is already configured.
[LAC-radius-temp] radius-server shared-key key1
[LAC-radius-temp] quit

g. Configure the domain, and apply the RADIUS template and authentication scheme.
[LAC] aaa
[LAC-aaa] domain net1
[LAC-aaa-domain-net1] authentication-scheme auth1
[LAC-aaa-domain-net1] radius-server temp
[LAC-aaa-domain-net1] quit

2. Configure the LNS.

a. Create the virtual interface template.
system-view
[USG] sysname LNS
[LNS] interface Virtual-Template 1

b. Configure the virtual interface template.
[LNS-Virtual-Template1] ip address 10.2.1.1 24
[LNS-Virtual-Template1] ppp authentication-mode chap
[LNS-Virtual-Template1] quit

c. Enable the L2TP.
[LNS] l2tp enable

d. Create and configure the L2TP group.
[LNS] l2tp-group 1
[LNS-l2tp1] allow l2tp virtual-template 1
[LNS-l2tp1] tunnel authentication
[LNS-l2tp1] tunnel name LNS
[LNS-l2tp1] tunnel password cipher Hello123
[LNS-l2tp1] quit

e. Create the authentication scheme.
[LNS] aaa
[LNS-aaa] authentication-scheme auth1
[LNS-aaa-authen-auth1] authentication-mode radius
[LNS-aaa-authen-auth1] return

f. Configure the RADIUS template.
system-view
[LNS] radius-server template temp
[LNS-radius-temp] radius-server authentication 10.1.2.2 1812
[LNS-radius-temp] radius-server user-name domain-included
Note: By default, the radius-server user-name domain-included command is already configured.
[LNS-radius-temp] radius-server shared-key key1
[LNS-radius-temp] quit

g. Configure the domain, and apply the RADIUS template and authentication scheme.
[LNS] aaa
[LNS-aaa] domain net1
[LNS-aaa-domain-net1] authentication-scheme auth1
[LNS-aaa-domain-net1] radius-server temp

h. Configure the IP address pool.
[LNS-aaa-domain-net1] ip pool 1 10.2.1.2 10.2.1.99
[LNS-aaa-domain-net1] quit

i. Allocate addresses from the IP address pool to the peer interface.
[LNS] interface virtual-template 1
[LNS-Virtual-Template1] remote address pool 1
[LNS-Virtual-Template1] quit

Method used to configure the management IP address in transparent mode on USG firewalls
In transparent mode on the USG2000, USG5000, and USG6000, all interfaces are converted to L2 interfaces, and IP addresses cannot be configured on them. Therefore, the management IP address must be configured on an L3 VLANIF virtual interface. Taking VLANIF 1 as an example, the configuration is as follows (adjust it to the actual situation):

[USG_A] interface vlanif 1
[USG_A-Vlanif1] ip address 192.168.0.2 24
[USG_A-Vlanif1] quit

USG firewall security association
What is a security association (SA)?

An IPSec SA is a unidirectional logical connection created for security purposes. Traffic between peers is bidirectional, so an IPSec SA is required in each direction. The number of SAs depends on the security protocol: if either AH or ESP alone protects the traffic between peers, two SAs (one in each direction) exist between them; if both AH and ESP are used, four SAs (two in each direction, one for AH and one for ESP) exist. Therefore, an IPSec SA is not equivalent to a connection.

An IPSec SA is uniquely identified by a triplet consisting of the following elements:
- Security Parameter Index (SPI): a 32-bit value generated to uniquely identify the SA. The SPI is carried in the AH and ESP headers.
- Destination IP address
- Security protocol number (AH or ESP)

Together, the SPI, destination IP address, and security protocol number uniquely identify an IPSec SA.

Creation mode

IPSec SAs are of two types: SAs created manually, and SAs created through IKE automatic negotiation (isakmp). The major differences between the two types are as follows:
- Key generation mode: in manual mode, all parameters required by the IPSec SA, including the encryption and verification keys, are configured and updated manually. In IKE mode, the encryption and verification keys required by the IPSec SA are generated by the DH algorithm and can be updated dynamically, so the key management cost is low and the security is high.
- IPSec SA lifetime: in manual mode, once an IPSec SA is created it exists permanently. In IKE mode, IPSec SA establishment is triggered by the data flow, and the SA lifetime is controlled by the lifetime parameters configured on both ends.
