OpenROUTE Customer Support - VPN Configuration

VPN: The explanation and configuration

The explanation:

I am a router at either end of an encrypted Virtual Private Network (VPN).
I have two jobs to do.
I must encrypt (either keys or data) and I must authenticate.
I have made a private key.
I have the ability to do so because SKIP is enabled on my router and I have been restarted.
I will not show the user what that private key is.
This is a randomly generated number derived from the timing of delays of user key-strokes and perhaps other random input See section 6.0 of the skip functional spec

I will do a mathematical process on this number (the private key) using a MD5 authentication 'hash'. From this 'hash', I will derive a public key. When my administrator issues the command, ADD CERTIFICATE, I will do more modulus math.

The 'Add Certificate' command will generate a number using both my private key and the public key of the other station (router).
Note that in the configuration method seen below, I manually set up both routers. As I do so, I exchange the certificate, or Master Key. As I do this, I am helping the remote router to derive its public key. In the completion of this exchange I help the local router derive its public key.
I will then show the administrator what that Master Encryption key, or certificate, is.
I exchange this certificate with my peer router as will that router with me.
Example:
To do so:
I use the bulk algorithm (RC4-40, RC4-128, DES, 3DES) to encrypt the payload (IP Packet). The strength of this encryption is determined by modulus math, base 2, using a 'prime number'. These prime numbers are 512, 1024, 2048. The larger the prime number, the more secure is the encryption. I do the math involved in the bulk encryption of the payload in conjunction with a 'short-term key'.
For this implementation, the router issues the short-term key. A new one is generated every minute by default. The administrator can change this timer. I encrypt using modulus math according to algorithms (RC4-40, RC4-128, DES, 3DES), at the specified strength. I use the shared secret (or Master Encryption key) to decrypt the short-term key. I use the decrypted short-term key with the bulk encryption method to allow my encryption of the payload.
Payload
We do the modulus math using the bulk encryption and the short-term key
The part of the short-term key used is the private key.

Encrypted payload
Now my payload is encrypted. I then use a bulk authentication algorithm so that the other end knows about me and believes my signature to be authentic. This algorithm encrypts my public key.

SKIP header Encrypted payload

Skip header contains the encrypted public key and IP address. We used the Master Encryption Algorithm (at probably a stronger algorithm. Triple DES?)
Then we put an IP header specifying the tunnel end-point.

IP Header SKIP header Encrypted payload
Another way to look at it:
Starting from the short-term key, we will work backwards: The short-term key is a random number that is used to encrypt and decrypt user data that they send to each other. Each station needs access to this number to perform these tasks.
This number is encrypted using the shared secret, or Master Encryption Key. The shared secret, or Master Encryption Key is shared during configuration of the routers. Each router's certificate is configured to be the other's remote address.
Since each knows about each other's Master Encryption Key, it then can decrypt the short-term key. It then can deduce the public key and then the private key.
Let's define a few variables:
- PrK1= the private key in router 1.
- PrK2=the private key in router 2.
- PuK1= the public key in router 1
- PuK2=the public key in router 2.
- MEK1= the Master Encryption Key in router 1.
- MEK2= the Master Encryption Key in router 2.
If my Private Key is (PrK1) I do process "Public Key 1" ( PuK1) and get "Master Encryption Key") (MEK1).
The other secret is (MEK2) subjected to process (PuK2) yielding (PrK2).
Therefore, If I have both MEK1 and MEK2, and do the inverse of process PuKn, Each will get its own Private Key. Nobody ever has both secrets. Each communicating party has a 'shared secret' which is calculated with MY private key and YOUR public key. This is known as a Master Encryption Key.
One last take on it:
If both sides know each other's MEK, they can decrypt the short-term key.
If both sides know each other's MEK, they can deduce each other's public key.
If they know each other's public key, and know what algorithms to use, they also can authenticate each other. They each can deduce their private key.

If they know the bulk encryption algorithm and they know their own private key, they can de-encrypt the IP Packet, or payload.

Process:
I receive the packet. I verify the sender. I de-encrypt the SKIP header. I now know the IP address and the public key. I find this out because I know the shared secret (or Master Encryption Key). I discard the SKIP header. Then, since I know what bulk encryption algorithm is used, I can decrypt the payload and send it to the appropriate station.

The Configuration:
This document repeats itself. The first time through is a correct configuration. The second time through shows some errors and their corrections.

First, we name the router. We'll use this as the destination as we go on.
Config> SET HOSTNAME top

This will be the name the other router and use it as it's remote (destination). Config> LIST int

Ifc 0, Ethernet/IEEE 802.3 (via device LAN)
Ifc 1, Point to Point (via device WAN1)
Ifc 2, Point to Point (via device WAN2)
Notice there are no IP_Tunnels, yet.

Config> ADD INTERFACE ip
So we add a logical interface to be a tunnel.

Adding IP Tunnel as interface 3. Config> ENABLE SKIP 3

Then we enable SKIP on that tunnel.
Config>LIST int

Ifc 0, Ethernet/IEEE 802.3 (via device LAN)
Ifc 1, Point to Point (via device WAN1)
Ifc 2, Point to Point (via device WAN2)
Ifc 3, IP Tunnel (with SKIP)

Config> PROTOCOL 0

Now to add IP addresses for the interfaces and the tunnel.
Internet protocol user configuration

IP Config> ADD ADDRESS 0 1.1.2.2 255.255.255..0      LAN
IP Config> ADD ADDRESS 1 2.2.2.2 255.255.255.0      WAN
IP Config> ADD ADDRESS 3 0.0.0.3     IP_Tunnel
Is this interface a tunnel to a single SKIP PC or workstation(Yes or [No]): n

IP Config> ADD route This is the static route to the (remote) Ethernet network.

IP destination [0.0.0.0]? 1.1.1.0
Address mask [255.0.0.0]? 255.255.255.0
Via gateway at [0.0.0.0]? 0.0.0.3 Via the tunnel
Cost [1]?
IP config> SET DEFAULT NETWORK-GATEWAY 2.2.2.1
gateway's cost [0]?

For the rest of the traffic including VPN call set-up.

IP config> LIST ad
IP addresses for each interface:

IP config> LIST ro
route to 1.1.1.0,255.255.255.0 via 0.0.0.3, cost 1
route to 0.0.0.0,0.0.0.0 via 2.2.2.1, cost 0

IP config>ex

Time needs to be set BEFORE you generate your certificate!!
Config> TIME se
year [1997]?
month [12]?
date [22]?
hour [12]?
minute [19]?
second [35]?

Config> NETWORK 3
Circuit Configuration

Circuit Config <NET-3> iptnl
IP Tunnel Configuration
IP Tunnel Config <NET-3> ADD REMOTE bottom
What is the name of the remote?
IP Tunnel Config <NET-3> SET DESTINATION-ADDRESS bottom
Which remote to go to?
IP Tunnel Destination Address? 2.2.2.1
Through where?

IP Tunnel Config <NET-3> ex
Circuit Config <NET-3> SET DESTINATION bottom
Yes, we should set it here, too.

Because setting it in the tunnel config>makes it just ONE of the destinations the tunnel can accept. But setting it at Circuit Config (AN INTERFACE!! ), you're telling that particular circuit which of the tunnel destinations belongs to it. If it has a destination set, it will accept no others, if it's set to 'unknown', it's not so choosy who connects to it, as long as Tunnel Config ok's the name.

Circuit Config <NET-3> list
Destination Name: bottom

Circuit Config <NET-3> skip
SKIP Configuration

SKIP Config <NET-3> SET REMOTE-NAME bottom MD5/UDH
Here we identify the remote host in the Certificate Discovery Process. Read section 3.1 paragraph 3 of the Skip FS.

Peer's MD5/UDH Signature? Ex
We'll cut and paste this from the other router where do the "add cert" command. For now we skip it.

MD5/UDH signature must be entered in hexadecimal.

SKIP Config <NET-3> ex
Circuit Config <NET-3>ex
Config> TIME se
After the routers are configured and restarted, we have to set the time on both routers and they must agree as to that time.
year [1997]?
month [12]?
date [22]?
hour [12]?
minute [19]?
second [35]?

Config> NETWORK 3
Circuit Configuration
Circuit Config <NET-3> skip
SKIP Configuration
SKIP Config <NET-3> ADD CERTIFICATE 512
New certificate's MD5/UDH signature is F5D9-C387-5EED-070F-23CA-ACD8-70AA-1CA2
This command won't work until the time is set.

SKIP Config <NET-3> SET LOCAL-NAME bottom LOCAL/UDH 512
SKIP Config <NET-3> LIST remote

Destination

NSID

Remote Name

bottom

MD5/UDH

E000-0000-0000-0000-0000-0000-0000-0000

Note that this number is screwy. We need to correct it as soon as we do the "add cert" for the other router.

SKIP Config <NET-3>LIST local

Destination	NSID	Local Name
DEFAULT	None
bottom	LOCAL/UDH	Local 512-bit Certficate MD5 Signature

SKIP Config <NET-3>LIST cert

Mod. Len	Valid From	Valid To	Received From	Signature
512	12/22/97	12/22/02	Local Config	F5D9-C387-5EED-070F-23CA-ACD8-70AA-1CA2

going to the bottom router

Starting at 1020000OpenROUTE(tm) Software
OpenROUTE is a registered trademark of OpenROUTE Networks, Inc.
MOS Operator Control
*

* TALK 6
Gateway user configuration

Config> TIME se
year [0]? 1998
month [0]? 12
date [0]? 22
hour [0]? 12
minute[0]? 22
second [0]? 5

Config> LIST int
Ifc 0, Ethernet/IEEE 802.3 (via device LAN)
Ifc 1, Point to Point (via device WAN1)
Ifc 2, Point to Point (via device WAN2)

Config> ADD INTERFACE IP-TUNNEL
Adding IP Tunnel as interface 3.
Config> ENABLE SKIP 3
Config> PROTOCOL IP
Internet protocol user configuration

IP config> ADD ADDRESS 0 1.1.1.1 255.255.255.0
IP config> ADD ADDRESS 1 2.2.2.1 255.255.255.0
IP config> ADD ADDRESS 3 0.0.0.3
Is this interface a tunnel to a single SKIP PC or workstation(Yes or [No]): n
IP config> SET DEFAULT NETWORK-GATEWAY 2.2.2.2
For the rest of the IP traffic
gateway's cost [0]?

IP config> ADD ROUTE 1.1.2.0 255.255.255.0
For the SKIP TRAFFIC
Via gateway at [0.0.0.0]? 0.0.0.3
Cost [1]?

IP config> LIST ro
route to 0.0.0.0,0.0.0.0 via 2.2.2.2, cost 0
route to 1.1.2.0,255.255.255.0 via 0.0.0.3, cost 1

IP config> LIST ad
IP addresses for each interface:
intf 0 1.1.1.1 255.255.255.0 IP address is: Numbered
intf 1 2.2.2.1 255.255.255.0 IP address is: Numbered
intf 2 IP disabled on this interface
intf 3 0.0.0.3 0.0.0.0 IP address is: Unnumbered

IP config>ex
Config> NETWORK 3
Circuit Config <NET-3> ipt
IP Tunnel Configuration
IP Tunnel Config <NET-3> ADD REMOTE top
IP Tunnel Config <NET-3> SET DESTINATION-ADDRESS top 2.2.2.2
IP Tunnel Config <NET-3> list

Name	Source Address	Dest. Address	Packet MTU	MTU Disc.	Disc Int	ICMP Timeout
Default	(auto)	(none)	(auto)	ON	3600	5000
Top	(auto)	2.2.2.2	(auto)	ON	3600	5000

Maximum number of simultaneous tunnel users: 16

IP Tunnel Config <NET-3> ex
Circuit Config <NET-3> SET DESTINATION top
Circuit Config <NET-3> skip
SKIP Configuration
SKIP Config <NET-3> ADD CERTIFICATE 512
New certificate's MD5/UDH signature is F913-2954-DD42-CC07-CAE3-0966-8544-3816
SKIP Config <NET-3> SET REMOTE-NAME top MD5/UDH
Peer's MD5/UDH Signature? F5D9-C387-5EED-070F-23CA-ACD8-70AA-1CA2
Here we've gone up the page to the other router's "ADD CERT" command and 'cut and paste'.

SKIP Config <NET-3> SET LOCAL-NAME top LOCAL/UDH 512
This adds 'top', strangely enough, as the local name, too. It declares a local, Unsigned Diffie-Hellman certificate with a modulus of 512.
Read Justine's stuff on this command. Might help.

SKIP Config <NET-3> LIST local

Destination	NSID	Local Name
DEFAULT	None
top	LOCAL/UDH	Local 512-bit Certficate MD5 Signature

SKIP Config <NET-3> LIST re

Destination

NSID

Remote Name

top

MD5/UDH

F5D9-C387-5EED-070F-23CA-ACD8-70AA-1CA2

SKIP Config <NET-3> LIST cert

Mod.
Len

Valid
From

Valid
To

Received
From

Signature

512

12/22/97

12/22/02

Local Config

F913-2954-DD42-CC07-CAE3-0966-8544-3816

SKIP Config <NET-3> ex
Config <NET-3> ex
Config > ^P
* RESTART y

OpenROUTE(tm) Software
OpenROUTE is a registered trademark of OpenROUTE Networks, Inc.
MOS Operator Control

* TALK 6
Gateway user configuration

Config> TIME se
year [0]? 1998
1997 month [0]? 12
date [0]? 22
hour [0]? 12
minute [0]? 27
second [0]? 06

Going to the top router

Config>Net 3
Config <NET-3> Skip

Skip Config <NET-3> SET REMOTE-NAME bottom MD5/UDH
Peer's MD5/UDH Signature? F913-2954-DD42-CC07-CAE3-0966-8544-3816
This we cut and pasted from the other router's "ADD CERT" command.

SKIP Config <NET-3> LIST REMOTE-NAME

Destination	NSID	Remote Name
bottom	MD5/UDH	F913-2954-DD42-CC07-CAE3-0966-8544-3816

SKIP Config <NET-3> LIST cert

Mod. Len	Valid From	Valid To	Received From	Signature
512	12/22/97	12/22/02	Local Config	F5D9-C387-5EED-070F-23CA-ACD8-70AA-1CA2

SKIP Config <NET-3> LIST local

Destination	NSID	Local Name
DEFAULT	None
bottom	LOCAL/UDH	Local 512-bit Certficate MD5 Signature

SKIP Config <NET-3> ex
Config <NET-3> ex
Config > ^P
* RESTART y

OpenROUTE(tm) Software
OpenROUTE is a registered trademark of OpenROUTE Networks, Inc.
MOS Operator Control

* TALK 6
Gateway user configuration

Config>TIME se
year [0]? 1998
month [0]? 12
date [0]? 22
hour [0]? 12
minute [0]? 32
second [0]? 10

Go to Talk 5

Config>^P
* TALK 5
+ Protocop IP
IP> ping 1.1.2.2
PING 1.1.2.2: 56 data bytes 64 bytes from 1.1.2.2: icmp_seq=0. time=16. ms
64 bytes from 1.1.2.2: icmp_seq=1. time=16. ms

----1.1.2.2 PING Statistics----

2 packets transmitted, 2 packets received, 0% packet loss
round-trip (ms) min/avg/max = 16/16/16

IP>

maybe also show IP traces?? IP.7s certainly. display sub all and see what else is there.

IP> ex
+ ^P
* TALK 6

Config>ev
Event Logging System

ELS Config> display sub all all

ELS Config>ex
Config>^P
* TALK 2

IPT.001: Inv dst (unknown)
SKIP.023: CDP GET F913-2954-DD42-CC07-CAE3-0966-8544-3816 rcvd from 2.2.2.2 SKIP.028: CDP Response Pkt sent to 2.2.2.2
IPT.009: Rstrt MTU disc, MTU=1500, dest top (2.2.2.2)
SKIP.029: CDP Query name F5D9-C387-5EED-070F-23CA-ACD8-70AA-1CA2 to 2.2.2.2
SKIP.027: CDP Response Pkt rcvd from 2.2.2.2
IPT.003: Rcv SKIP pkt from top (2.2.2.2)
SKIP.013: Chg flow top, mstr=DES-CBC, bulk=DES-CBC, auth=MD5, comp=NONE, N=12/22/1997 12:00:00
SKIP.006: Rekeying, dest top
IPT.004: Snd SKIP pkt to top (2.2.2.2)
IPT.004: Snd SKIP pkt to top (2.2.2.2)
IPT.004: Snd SKIP pkt to top (2.2.2.2)
IPT.003: Rcv SKIP pkt from top (2.2.2.2)
IPT.003: Rcv SKIP pkt from top (2.2.2.2)
IPT.004: Snd SKIP pkt to top (2.2.2.2)
IPT.004: Snd SKIP pkt to top (2.2.2.2)

Now, it's O.K.

Now for the errors

*TALK 6

Config> SET HOSTNAME top

Config> LIST int
Ifc 0, Ethernet/IEEE 802.3 (via device LAN)
Ifc 1, Point to Point (via device WAN1)
Ifc 2, Point to Point (via device WAN2)

Config> ADD INTERFACE ip
Adding IP Tunnel as interface 3.

Config> ENABLE SKIP 3
Config> LIST int
Ifc 0, Ethernet/IEEE 802.3 (via device LAN)
Ifc 1, Point to Point (via device WAN1)
Ifc 2, Point to Point (via device WAN2)
Ifc 3, IP Tunnel (with SKIP)

Config> PROTOCOL IP
Internet protocol user configuration

IP config> ADD ADDRESS 0 1.1.1.1 255.255.255..0 LAN
IP config> ADD ADDRESS 1 2.2.2.1255.255.255.0 WAN
IP config> ADD ADDRESS 3 0.0.0.3 IP_Tunnel
Is this interface a tunnel to a single SKIP PC or workstation(Yes or [No]): n

IP config> ADD ro
To the hidden network.
IP destination [0.0.0.0]? 1.1.2.0
Address mask [255.0.0.0]? 255.255.255.0
Via gateway at [0.0.0.0]? 0.0.0.3 (Via the tunnel)
Cost [1]?

IP config> SET DEFAULT NETWORK-GATEWAY 2.2.2.2
gateway's cost [0]?0 For the rest of the traffic including VPN call set-up.

IP config> LIST ad
IP addresses for each interface:

intf 0 1.1.1.1 255.255.255.0 IP address is: Numbered
intf 1 2.2.2.1 255.255.255.0 IP address is: Numbered
intf 2 IP disabled on this interface
intf 3 0.0.0.3 0.0.0.0 IP address is: Unnumbered

IP config> LIST ro
route to 1.1.2.0,255.255.255.0 via 0.0.0.3, cost 1
route to 0.0.0.0,0.0.0.0 via 2.2.2.2, cost 0

IP config>ex
Config> NETWORK 3
Circuit Configuration

Circuit Config <NET-3> ipt
IP Tunnel Configuration

IP Tunnel Config <NET-3> ADD REMOTE bottom
IP Tunnel Config <NET-3> SET DESTINATION-ADDRESS bottom
IP Tunnel Destination Address? 2.2.2.2
IP Tunnel Config <NET-3> ex
Circuit Config <NET-3> li
Destination Name: bottom

Circuit Config <NET-3> sk
SKIP Configuration

SKIP Config <NET-3> SET REMOTE-NAME bottom MD5/UDH
Peer's MD5/UDH Signature? Ex
We'll cut and paste this from the other router where do the add cert command. For now we skip it.
MD5/UDH signature must be entered in hexadecimal.

SKIP Config <NET-3> ex
Circuit Config <NET-3>ex

Config> TIME se
year [1997]?
month [12]?
date [22]?
hour [12]?
minute [19]?
second [35]?

Config> NETWORK 3
Circuit Configuration

Circuit Config <NET-3> sk
SKIP Configuration
SKIP Config<NET-3> ADD CERTIFICATE 512
New certificate's MD5/UDH signature is F5D9-C387-5EED-070F-23CA-ACD8-70AA-1CA2

SKIP Config <NET-3> SET LOCAL-NAME bottom LOCAL/UDH 512

SKIP Config <NET-3> LIST re

Destination	NSID	Local Name
bottom	MD5/UDH	E000-0000-0000-0000-0000-0000-0000-0000

SKIP Config <NET-3> LIST lo

Destination	NSID	Local Name
DEFAULT	None
bottom	LOCAL/UDH	Local 512-bit Certficate MD5 Signature

SKIP Config <NET-3>LIST cert

Mod. Len	Valid From	Valid TO	Received From	Signature
512	12/22/97	12/22/02	Local Config	F5D9-C387-5EED-070F-23CA-ACD8-70AA-1CA2

Going to the bottom router

Starting at 1020000OpenROUTE(tm) Software
OpenROUTE is a registered trademark of OpenROUTE Networks, Inc.

MOS Operator Control

* TALK 6
Gateway user configuration

Config> TIME li
Time has not been set. Time Host: 0.0.0.0 Sync Interval: 0 seconds
GMT Offset: 0 minutes

Config> TIME se
year [0]? 1997
month [0]? 12
date [0]? 22
hour [0]? 12
minute [0]? 22
second [0]? 5

Config> LIST int
Ifc 0, Ethernet/IEEE 802.3 (via device LAN)
Ifc 1, Point to Point (via device WAN1)
Ifc 2, Point to Point (via device WAN2)

Config> ADD INTERFACE IP-TUNNEL
Adding IP Tunnel as interface 3.

Config> ENABLE SKIP 3

Config> PROTOCOL IP
Internet protocol user configuration

IP config> ADD ADDRESS 0 1.1.1.1 255.255.255.0
IP config> ADD ADDRESS 1 2.2.2.1 255.255.255.0
IP config> ADD ADDRESS 3 0.0.0.3
Is this interface a tunnel to a single SKIP PC orworkstation(Yes or [No]):n
IP config> SET DEFAULT NETWORK-GATEWAY 2.2.2.2 For the rest of the traffic
gateway's cost [0]?

IP config> ADD ROUTE 1.1.2.0 255.255.255.0 For the SKIP TRAFFIC
Via gateway at [0.0.0.0]? 0.0.0.3
Cost [1]?

IP config> LIST ro
route to 0.0.0.0,0.0.0.0 via 2.2.2.2, cost 0
route to 1.1.2.0,255.255.255.0 via 0.0.0.3, cost 1

IP config>ex
Config> NETWORK 3
Circuit Configuration

Circuit Config <NET-3> li
Destination Name: (unknown) oops!

Circuit Config <NET-3> ipt
IP Tunnel Configuration

IP Tunnel Config <NET-3> ADD REMOTE top
IP Tunnel Config <NET-3> SET DESTINATION-ADDRESS top 2.2.2.2
IP Tunnel Config <NET-3>li

Name	Source Address	Destination Address	Packet MTU	MTU Disc.	Discovery Interval	ICMP Timeout
DEFAULT	(automatic)	2.2.2.2	(automatic)	ON	3600	5000
top	(automatic)	(none)	(automatic)	ON	3600	5000

Maximum number of simultaneous tunnel users: 16

IP Tunnel Config <NET-3> ex

Circuit Config <NET-3> sk
SKIP Configuration
SKIP Config <NET-3> SET LOCAL-NAME top LOCAL/UDH
No certificates are available.
Use ADD CERTIFICATE to create them.

SKIP Config <NET-3> ADD CERTIFICATE 512
New certificate's MD5/UDH signature is F913-2954-DD42-CC07-CAE3-0966-8544-3816

SKIP Config <NET-3> SET REMOTE-NAME top MD5/UDH
Peer's MD5/UDH Signature? F5D9-C387-5EED-070F-23CA-ACD8-70AA-1CA2

Here we go up the page to the other router's ADD CERT command and 'cut and paste'.

SKIP Config <NET-3> LIST re

Destination	NSID	Remote Name
top	MD5/UDH	F5D9-C387-5EED-070F-23CA-ACD8-70AA-1CA2

SKIP Config <NET-3> LISTlo

Destination	NSID	Local Name
top	None

Need to re-enter the command to "set local"
Last time we tried to set it, There had not been a certificate added, yet.

SKIP Config <NET-3> SET LOCAL-NAME top LOCAL/UDH 512

SKIP Config <NET-3> LIST lo

Destination	NSID	Local Name
DEFAULT	None
top	LOCAL/UDH	Local 512-bit Certficate MD5 Signature

Now that we have had the certificate added, it works like a charm.

SKIP Config <NET> LIST re

Destination	NSID	Remote Name
top	MD5/UDH	F5D9-C387-5EED-070F-23CA-ACD8-70AA-1CA2

SKIP Config <NET-3> LIST cert

Mod.
Len

Valid
From

Valid
To

Received
From

Signature

512

12/22/97

12/22/02

Local Config
F913-2954-DD42-CC07-CAE3-0966-8544-3816

SKIP Config <NET-3>^P
* RESTART y

OpenROUTE(tm) Software
OpenROUTE is a registered trademark of OpenROUTE Networks, Inc.

MOS Oerator Control

* TALK 6
Gateway user configuration

Config> TIME se
year [0]? 1997
month [0]? 12
date [0]? 22
hour [0]? 12
minute [0]? 27
second [0]? 06

Going to the top router

Config>NET 3
Config <NET> Skip
SKIP Config <NET> SET REMOTE-NAME bottom MD5/UDH
Peer's MD5/UDH Signature? F913-2954-DD42-CC07-CAE3-0966-8544-3816
This we cut and pasted from the other router's "ADD CERT" command.

SKIP Config <NET> LIST REMOTE-NAME

Destination	NSID	Remote Name
bottom	MD5/UDH	F913-2954-DD42-CC07-CAE3-0966-8544-3816

SKIP Config <NET-3> LIST cert

Mod. Len	Valid From	Valid To	Received From	Signature
512	12/22/97	12/22/02	Local Config	F5D9-C387-5EED-070F-23CA-ACD8-70AA-1CA2

SKIP Config <NET-3> LIST lo

Destination	NSID	Local Name
DEFAULT	None
bottom	LOCAL/UDH	Local 512-bit Certficate MD5 Signature

SKIP Config <NET-3> ^P

* RESTART y

OpenROUTE(tm) Software MOS Operator Control

* TALK 6
Gateway user configuration

Config> TIME se
year [0]? 1997
month [0]? 12
date [0]? 22
hour [0]? 12
minute [0]? 28
second [0]? 47

Config>^P
* TALK 5
+ ev
Event Logging System user console

ELS> NODISPLAY SUBSYSTEM all all

ELS> DISPLAY SUBSYSTEM skip all

ELS> DISPLAY SUBSYSTEM ipt all

ELS>ex
+ PROTOCOL 0

IP>i

Interface IP	Address(es)	Mask(s)
Eth/0	1.1.2.2	255.255.255.0
PPP/0	2.2.2.2	255.255.255.0
IPT/0	0.0.0.0	0.0.0.0

ELS>ex

+ Protocol 0

IP>ping 1.1.1.1
PING 1.1.1.1: 56 data bytes

*TALK 2
This is the first time you have run OpenROUTE (tm) 3.1.0[Z172].
Please see the release notes for information about important changes to the configuration information for going to OpenROUTE (tm) 3.1.0[Z172]. After updating the configuration information, give the Config> UPDATE VERSION-OF-SRAM command.
GW.001:
Copyright 1984 Massachusetts Institute of Technology,
Copyright 1989 The Regents of the University of California
GW.002: Portable CGW top Rel OpenROUTE(tm) 3.1.0[Z172] strtd
GW.005: Bffrs: 400 avail 400 idle fair 103 low 80
No activity. We must check to see if the time has been set.

* TALK 6
Gateway user configuration

Config> TIME li
Time has not been set.
Time Host: 0.0.0.0 Sync Interval: 0 seconds
GMT Offset: 0 minutes

Config> TIME se
year[0]? 1997
month [0]? 12
date [0]? 22
hour [0]? 12
minute [0]? 32
second [0]? 10

Config>^P

* TALK 5
+ev
Event Logging System user console

ELS> NODISPLAY SUBSYSTEM all all
ELS> DISPLAY SUBSYSTEM skip all
ELS> DISPLAY SUBSYSTEM ipt all
ELS>ex
+ PROTOCOL 0

IP>i

Interface	IP Address(es)	Mask(s)
Eth/0	1.1.1.1	255.255.255.0
PPP/0	2.2.2.1	255.255.255.0
IPT/0	0.0.0.0	0.0.0.0

IP>ping 1.1.2.2
PING 1.1.2.2: 56 data bytes 64 bytes from 1.1.2.2: icmp_seq=0. time=0. ms

IP>ex

+^P

* TALK 2
This is the first time you have run OpenROUTE (tm) 3.1.0[Z172].
Please see the release notes for information about important changes to the configuration information for going to OpenROUTE (tm) 3.1.0[Z172].
After updating the configuration information, give the Config> UPDATE VERSION-OF-SRAM command.
GW.001:
Copyright 1984 Massachusetts Institute of Technology,
Copyright 1989 The Regents of the University of California GW.002: Portable CGW bottom Rel OpenROUTE (tm) 3.1.0[Z172] strtd
GW.005: Bffrs: 400 avail 400 idle fair 103 low 80

+^P

* TALK 6

Config> LIST int
Ifc 0, Ethernet/IEEE 802.3 (via device LAN)
Ifc 1, Point to Point (via device WAN1)
Ifc 2, Point to Point (via device WAN2)
Ifc 3, IP Tunnel (with SKIP)

Config> NETWORK 3
Circuit Configuration

Circuit Config <NET-3> li
Destination Name: (unknown)

Circuit Config<NET-3> ipt
IP Tunnel Configuration

IP Tunnel Config <NET-3> li

Name	Source Address	Destination Address	Packet MTU	MTU Disc.	Disc. Interval	ICMP Timeout
Default	(automatic)	(none)	(auto)	ON	3600	5000
top	(automatic)	2.2.2.2	(auto)	ON	3600	5000

Maximum number of simultaneous tunnel users: 16

IP Tunnel Config <NET-3>ex

Circuit Config <NET-3>ex

Config>^P

* TALK 5

+ PROTOCOL 0

IP>ping
1.1.2.2 PING 1.1.2.2: 56 data bytes
64 bytes from 1.1.2.2: icmp_seq=0. time=16. ms
64 bytes from 1.1.2.2: icmp_seq=1. time=16. ms
----1.1.2.2 PING Statistics----
2 packets transmitted, 2 packets received, 0% packet loss
round-trip (ms) min/avg/max = 16/16/16

IP>ex

+^P

* TALK 2
IPT.001: Inv dst (unknown)
SKIP.023: CDP GET F913-2954-DD42-CC07-CAE3-0966-8544-3816 rcvd from 2.2.2.2
SKIP.028: CDP Response Pkt sent to 2.2.2.2
IPT.009: Rstrt MTU disc, MTU=1500, dest top (2.2.2.2)
SKIP.029: CDP Query name F5D9-C387-5EED-070F-23CA-ACD8-70AA-1CA2 to 2.2.2.2
SKIP.027: CDP Response Pkt rcvd from 2.2.2.2
IPT.003: Rcv SKIP pkt from top (2.2.2.2)
SKIP.013: Chg flow top, mstr=DES-CBC, bulk=DES-CBC, auth=MD5, comp=NONE, N=12/22/1997 12:00:00
SKIP.006: Rekeying, dest top
IPT.004: Snd SKIP pkt to top (2.2.2.2)
IPT.004: Snd SKIP pkt to top (2.2.2.2)
IPT.004: Snd SKIP pkt to top (2.2.2.2)
IPT.003: Rcv SKIP pkt from top (2.2.2.2)
IPT.003: Rcv SKIP pkt from top (2.2.2.2)
IPT.004: Snd SKIP pkt to top (2.2.2.2)
IPT.004: Snd SKIP pkt to top (2.2.2.2)

Now, on to the manual:

Back