BlackDoor User's Guide - Engage Communication, Inc.

Contents

1. Chapter 5 BlackDoor Operation and Configuration

AES Off: AES is configured Off. The BlackDoor is sending and receiving unencrypted data. Data is not secure.

Show Security Info
SHOW SECURITY INFO details the Key, AES and Rekey states.
Key State: Key Configured (the key is non-zero) or No Key (the key is zero).
AES State: Off (no contact with the remote unit, or AES configured Off) or On (AES state confirmed; the initial key has been exchanged if Rekey is On).
Number of Rekeys: The number of times the BlackDoor has exchanged keys with its peers.

Show BlackDoor Info
The BlackDoor lists the IP address of the remote BlackDoor and the state of the Tunnel. The Tunnel states are explained below.
Init State: The BlackDoor has not made contact with the remote BlackDoor.
Authorizing: The BlackDoor has made contact with the remote BlackDoor and is verifying its identity. Both BlackDoors must be configured with the same key for their identities to be confirmed.
Key Exchange: The BlackDoor is in the process of changing to a new key.
Tunnel State: The BlackDoor is sending and receiving encrypted data. The Tunnel State is the only state in which data is encrypted and secure in Tunnel Mode.
AES Off: AES is configured Off. The BlackDoor is sending and receiving unencrypted data. Data is not secure.

SNMP Support
All Engage products support SNMP (Simple Network Management Protocol) version 1. SNMP support
2. name LAN1
   interface lan2

Note: The LAN1 port is the public interface and commonly receives data; LAN2 is the private port and generally sends data.

Syntax for Command Parameters
For a required parameter set, one of the parameters in the set must be given. For an optional parameter set, one of the parameters in the set may be given.

System Level or General Commands

PASSWD: Allows setting or modifying the login password. The BlackDoor ships with no password set. On entering the passwd command, the user is prompted to enter and confirm the new password.

BYE / QUIT / LOGOUT: Any of these commands will terminate the Telnet session. If you have unsaved configuration changes, you will be prompted to save or discard the new configuration.

RESET: Resets the BlackDoor. RESET CAUSE displays a code for the cause of the last reset. Up to 8 reset causes may be stored. A cause of zero is a normal reset, which is either an upgrade, a configuration change or the reset command.

HELP / HELP ALL / HELP CONFIG / HELP SHOW: Provides Help information on a selected list of topics. Typing help with no argument provides the Help summary screen, which is the top level list of commands.

CLEAR BLACK / SECURITY / LAN1 / LAN2 / ALL: Clears the statistics for the BlackDoor, the Security engine, or the port statistics on the selected port (LAN1, LAN2 or ALL).

TERM NN: Allows the user to tailor the number of display
3. Terms and Concepts
Before using the Engage BlackDoor, you should be familiar with the terms and concepts that describe TCP/IP. If you are experienced with internet routers, these terms may already be familiar to you.

General Networking Terms

Network: A network is a collection of computers, server devices and communication devices connected together and capable of communication with one another through a transmission medium.

Internet: An internet is any grouping of two or more networks connected by one or more internet routers.

Network Services: Network services are the capabilities that the network system delivers to users, such as print servers, file servers and electronic mail.

Addresses: Transmitting information in a network system is made possible by an addressing scheme that identifies the sender and destination of the transmission using network and node addresses. Data is transmitted to and from these addresses in the form of packets.

Routing Table: A routing table is maintained in each router. This table lists all networks and routers in the internet and enables routers to determine the most efficient route for each packet. The routing table serves as a logical map of the internet, specifying the address of the next router in the path to a given destination network and the distance in hops. The router uses the routing table to determine where and whether to forward a packet. Each router periodically broadcasts its
4. Chapter 3 Installation

The BlackDoor GIG provides specific information with SPD and RD/TD indicators providing status on packet activity on the Ethernet interface.
SPD LED color information: 1000BaseT, green LED; 100BaseT, amber LED; 10BaseT, no LED.
The RD/TD LED will be yellow when there is activity on the port.

Internal Switches
BlackDoor units contain an internal four-position DIP switch which is accessible by removing the unit's rear panel and sliding out the motherboard. The default setting for all DIP switches is OFF.
Switch 1: Power cycling the unit with DIP Switch 1 ON forces the BlackDoor to return to Base Flash operation; parameters shown in SHOW CONFIG are not cleared. This includes operation from Base Flash and deleting any downloaded upgrades. Ensure Switch 1 is returned to the OFF position after clearing an upgrade so future upgrades can be performed successfully.
Switch 2: Must be in the OFF position for normal operation.
Switch 3: This switch must also be set to OFF for normal operation.
Switch 4: DIP Switch 4 can cause internal loopbacks and should be left OFF.
NOTE: The BlackDoor GIG does not have a switch at this time.

Chapter 4 Command Line Interface
Command Line access to the BlackDoor family may be via a serial connection to the Console port or a Telnet connection to the Ethernet interface. Telnet, part of the
5. 256 bit Key
The BlackDoor's GENKEY function generates a 256 bit random number. The BlackDoor at each end of the link needs to have its AES key set identically by using the ENTERKEY command. The easiest way to enter the AES key into both units is to copy and paste the result of GENKEY to a txt file and edit it so that it is a single string of characters, then paste it into each unit using the ENTERKEY command. The BlackDoor supports automatically scheduled rekeying by having REKEY ON and configuring the REKEY PERIOD.

BlackDoor Example Configurations

Server to Client Bridge Configuration Example
Below is an example of a Bridging configuration of the BlackDoor, Server to Client, with SNMP Traps turned off and Autonegotiation turned on so that Speed and Duplex will be set automatically. The IP addresses are all on the same subnet, i.e. 192.168.1.x. AES is on.

Bridge Mode Server
  Host Name: BlackDoor Server
  Host Contact: No contact specified
  Host Location: No location specified
  IP Default router:
  Telnet: On
  UserTimeout: Off
  SNMP: Off
  SNMP Traps: Off
  Interface LAN1: Auto Negotiation On; IP Address 192.168.1.52/24; Port On; IP State RUNNING
  Interface LAN2: Auto Negotiation On; IP Address 192.168.1.53/24; Port On; IP State RUNNING
  Black Capabilities: Bridge, Tunnel
  Mode: Bridge
  Client IP Address: 192.168
6. cation.
Restricted rights legend: Use, duplication or disclosure by the U.S. government is subject to restrictions set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause in DFARS 52.227-7013 and in similar clauses in the FAR and NASA FAR Supplement.
Information in this document is subject to change without notice and does not represent a commitment on the part of Engage Communication, Inc.

FCC Radio Frequency Interference Statement
This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference, in which case the user will be required to correct the interference at his own expense.

NOTE: Shielded ethernet cables must be used with the Engage IP Tube to ensure compliance with FCC Part 15 Class A limits.

CAUTION: To reduce the risk of fire, use only No. 26 AWG or larger listed Telecommunication cables.

Equipment Malfunction
If trouble is experienced with a BlackDoor, please contact the Engage Communication
7. 115200 baud, 1 stop bit, no parity, 8 bit data, flow control none.

LAN Configuration Parameters
The BlackDoor has two 10/100/1000BaseT Ethernet interfaces, LAN1 and LAN2. LAN1 is Unencrypted and LAN2 is Encrypted. The following parameters must match the configuration of the LAN interface to which it is connected.

PORT ON / OFF: Turns the LAN interface on or off.

AUTONEGOTIATION ON / OFF: Auto negotiation currently doesn't work for the BlackDoor GIG and must be set to OFF. The LAN interfaces must be manually set to match the port that they are connected to. The BlackDoor GIG provides specific information with SPD and RD/TD indicators providing status on packet activity on the Ethernet interface. SPD LED color information: 1000BaseT, green LED; 100BaseT, amber LED; 10BaseT, no LED. The RD/TD LED will be yellow when there is activity on the port.

DUPLEX HALF / FULL: Sets the duplex mode for the Ethernet interface. This command only takes effect when Auto negotiation is configured to OFF.

SPEED 10 / 100 / 1: Sets the line rate in Mbps for the Ethernet interface. This command only takes effect when Auto Negotiation is configured to OFF. 10 = 10 Mbps, 100 = 100 Mbps, 1 = 1000 Mbps.

IP ADDRESS address mask: The interface IP address and subnet mask are required for connection to the network and for access with telnet or connectivity tests with ping. The IP ADDRESS must be unique within the network's IP address range. The subnet ma
8. S. Government organizations and others to protect sensitive information.

Key Management
Automated 256 bit key management configurations ensure timely key transitions and eliminate the operational and maintenance costs of managing an encrypted network with manual key distribution.

Management
An IP Ethernet interface enables ease of management, configuration and upgradeability. Management is accomplished with a Command Line Interface that is accessed through a Console or Telnet connection. Templates of the most common configurations provide for an Edit and Paste configuration. The BlackDoor's SNMP MIB supports interface status change traps.

Black Bridge
The BlackDoor transparently monitors all the packet traffic. Non-Local Packets are encrypted at the MAC layer and tunneled to the destination network. Note: the devices on the bridged networks must be in the same IP Network.

[Figure: AES Encrypted Bridge. LAN1 (unencrypted) to LAN2 (encrypted), across to LAN2 (encrypted) to LAN1 (unencrypted); all three segments are Network A, 192.168.1.x.]

Black Tunnel
Interconnects Ethernet LANs through an IP Transparent Encrypted Tunnel. Original packets are entirely encrypted and then encapsulated into an IP packet that is forwarded to the destination network.

[Figure: AES Encrypted Tunnel.]
9. TCP/IP Protocol Suite, provides a general communications facility defining a standard method of interfacing terminal devices to each other. Any standard Telnet application can be used to communicate with an Engage BlackDoor product, provided there is IP connectivity between the User Host and the unit. For communication through the Console port, standard terminal communication software is used.

Console Communication
BlackDoor serial communication to the console port needs to be configured for 9600 baud, 1 stop bit, no parity, 8 bit fixed, flow control none. BlackDoor GIG serial communication to the console port needs to be configured for 115200 baud, 1 stop bit, no parity, 8 bit fixed, flow control none. The BlackDoor and BlackDoor GIG console ports have an RJ45 connector. An RJ45 to DB9 adapter and an 8 wire straight cable are provided with the BlackDoor for use with standard PC 9 pin COM ports.

Logging in to the BlackDoor family
- A Telnet session is opened by providing the IP address of the BlackDoor. On opening a Command Line Interface (CLI) session via the Console port or Telnet, the login prompt requires entry of a login ID.
- The default login ID is root.
- The BlackDoor is shipped with no password set. Passwords are set or modified with the passwd command, detailed below.

Overview of Commands
The Engage CLI supports shorthand character entry. At most 3 characters are required for the parsing of commands. For example
10. being encrypted. This mode should only be used during debug to assess whether the packet path is operating without encryption enabled.

REKEY ON: Turns Rekeying ON.
REKEY OFF: Turns Rekeying OFF.
REKEY PERIOD NN Days / Hours / Minutes: Sets the cryptoperiod for the Rekey function. The cryptoperiod can be set to a maximum of 45 days. NN is the number of Days, Hours or Minutes of the cryptoperiod. NN defaults to a unit of Minutes if Days or Hours are not specified.

Config Commands

BlackDoor Configuration
Mode Bridge / Tunnel / Route: Selects the BlackDoor operating mode: Bridge, Tunnel or Route.
Bridge: In Bridge Mode both LAN ports are assigned the same IP address.
Tunnel:
  Tunnel IP Address <ip address>: <ip address> specifies the IP address of the remote BlackDoor.
  Tunnel UDP Port <udp port number>: <udp port number> specifies the UDP port for the Tunnel. The port number must be the same for the local and remote BlackDoor.

BlackDoor Route Mode
In Route Mode the BlackDoor is a router, with traffic for selected routes encrypted at the LAN2 port. The selected routes designate a peer BlackDoor as the gateway, and the peer decrypts the traffic. BlackDoor Servers and Clients are configured in the same manner as in Bridge and Tunnel Mode. Since the BlackDoor in Route Mode is a router, LAN1 and LAN2 are configured on di
11. lines to their terminal screen size.

PING dest address src address number spray: Sends an ICMP ECHO message to the specified address. Any source address from an interface on the BlackDoor can be used. This can be useful to test routes across a LAN or WAN interface. By default only 1 message packet is sent. A numeric value can be entered to send more than one message. Also, SPRAY can be used to continually send messages until the ESC key is pressed.

UPGRADE TFTP Server Addr Filename: TFTP (trivial file transfer protocol) provides a means for upgrading BlackDoor firmware in a TCP/IP environment. A TFTP upgrade may be accomplished from a CD provided by Engage Communication if the user can configure their own local TFTP server and place the appropriate upgrade file, from the CD or from Engage Tech Support, on the server. Once a connection to a TFTP server site has been established, issue the upgrade command:
  UPGRADE 157.22.234.129 upgrade_filename.upg
Note that a BlackDoor which is running an upgrade must go through a reset when performing an upgrade. This may cause the Telnet connection to drop. If this does occur, simply re-establish the Telnet connection.

SHOW Commands
SHOW INTERFACE LAN1 / LAN2 INFO / STATISTICS: Provides details on either LAN interface. If no interface is specified, either the current interface per the INT
12. mount kit available.
Dimensions: 9.0 x 7.3 x 1.63 inches.
Weight: approximately 2 lbs, excluding external power adapter.

Appendices

BlackDoor Switch Settings
BlackDoor systems contain an internal four-position DIP switch which is accessible by removing the unit's rear panel and sliding out the motherboard. The default setting for all DIP switches is OFF.
Switch 1: Power cycling the unit with DIP Switch 1 ON forces the BlackDoor to return to Base Flash operation; parameters shown in SHOW CONFIG are not cleared. This includes operation from Base Flash and deleting any downloaded upgrades. Ensure Switch 1 is returned to the OFF position after clearing an upgrade so future upgrades can be performed successfully.
Switch 2: Must be in the OFF position for normal operation.
Switch 3: This switch must also be set to OFF for normal operation.
Switch 4: DIP Switch 4 can cause internal loopbacks and should be left OFF.
Note: The BlackDoor GIG does not have an internal four-position DIP switch.

Console Port Information

RJ45 Console Port Pinout
RJ45 pin / Signal Name: TxData, RxData, RTS, CTS, Gnd, DTR (the pin numbers did not survive extraction).

BlackDoor RJ45 to db9F Null Modem Adapter
RJ45 pin / db9 pin (the pin mapping is not legible in this extraction).

BlackDoor GIG RJ45 to db9F Null Modem Adapter
RJ45 pin / db9 pin: only the values 6 2 5 3 4 5 survive, without their pin column.

Glossary
13. routing table to other routers on each of its directly connected networks, enabling them to compare and update their own tables with the most recent record of connected networks and routes. In this way, routing tables are kept current as changes are made on the internet.

Hop: A hop is a unit count between networks on the internet. A hop signifies one router away.
Node: Device on the network.

TCP/IP Networking Terms

FTP: File Transfer Protocol gives users the ability to transfer files between IP hosts. It uses TCP to provide connection initiation and reliable data transfer.
Host: A computer with one or more users that can act as an endpoint of communication if it has TCP/IP.
ICMP: Internet Control Message Protocol provides a means for intermediate gateways and hosts to communicate. There are several types of ICMP messages, and they are used for several purposes including IP flow control, routing table correction and host availability.
IP: Internet Protocol, which routes the data.
IP Datagram: The basic unit of information passed across an IP Internet. It contains address information and data.
PING: Packet InterNet Groper is a program which uses an ICMP echo request message to check if the specified IP address is accessible from the current host.
Port: A destination point used by transport level protocols to distinguish among multiple destinations within a given host comp
14. the system automatically logs you out. If logged off, you must simply log on again.

TERM NN: Allows the user to tailor the number of display lines to their terminal screen size.
SNMP ON / OFF: Turns SNMP management on or off.
SNMP COMMUNITYNAME: Set or modify the Tube SNMP community name. This string is used for authentication for SNMP SetRequests and SNMP traps.
SNMP TRAPS ON / OFF: Turns generation of SNMPv1 Traps on or off. The Destination Address for these traps must be configured to be an SNMP management station capable of decoding SNMPv1 traps.
SNMP TRAPS ADDRESS address: Sets the Destination IP Address to which the Tube will send SNMPv1 Traps.

BlackDoor Interface Specific Parameters

Console Configuration Parameters
The console port is an RJ45 port and uses an RJ45 to DB9 adapter, included with the unit, and can be connected directly to a desktop or laptop computer for access to the BlackDoor GIG. The console port configuration is 9600 baud, 1 stop bit, no parity, 8 bit data, flow control none.

LAN Configuration Parameters
The BlackDoor has two 10/100BaseT Ethernet interfaces, LAN1 and LAN2. LAN1 is Unencrypted and LAN2 is Encrypted. The following parameters must match the configuration of the LAN interface to which it is connected.
PORT ON / OFF: Turns the LAN interface on or off.
AUTONEGOTIATION ON / OFF: Enable or
15. 1.55
  Tunnel UDP Port: 3175
  Security: AES On; Rekey On; Rekey Period 1 Day

Bridge Mode Client
  Host Name: BlackDoor Client
  Host Contact: No contact specified
  Host Location: No location specified
  IP Default router:
  Telnet: On
  UserTimeout: Off
  SNMP: Off
  SNMP Traps: Off
  Interface LAN1: Auto Negotiation On; IP Address 192.168.1.54/24; Port On; IP State RUNNING
  Interface LAN2: Auto Negotiation On; IP Address 192.168.1.55/24; Port On; IP State RUNNING
  Black Capabilities: Bridge, Tunnel
  Mode: Bridge
  Server IP Address: 192.168.1.53
  Tunnel UDP Port: 3175
  Security: AES On; Rekey On; Rekey Period 1 Day

Server to Client Tunnel Configuration Example
Below is an example of a Tunneling configuration of the BlackDoor, Server to Client, with SNMP Traps turned off and Autonegotiation turned on so that Speed and Duplex will be set automatically. AES is on.

Tunnel Mode Server
  Host Name: BlackDoor Server
  Host Contact: No contact specified
  Host Location: No location specified
  IP Default router:
  Telnet: On
  UserTimeout: Off
  SNMP: Off
  SNMP Traps: Off
  Interface LAN1: Auto Negotiation On; IP Address 192.168.1.52/24; Port On; IP State RUNNING
  Interface LAN2: Auto Negotiation On; IP Address 192.168.2.52/24; Port On; IP State RUNNING
  Black Capabilities: Bridge, Tunnel
  Mode: Tunnel
  Client
16. Route Mode Configuration steps
1. Set the Mode to Route and define the BlackDoor peers:
  Mode Route
  Server IP Address 192.168.2.54
  Server IP Address 192.168.2.56
  Tunnel UDP Port 3175
2. Set up the static routes. In configuration mode, configure the static routes:
  IP Route 192.168.3.0/24 192.168.2.54 1 LAN2
  IP Route 192.168.4.0/24 192.168.2.56 1 LAN2
Note: the gateways are Server peers. The route will be designated as Type Black, indicating that packets for that gateway are encrypted.

Chapter 5 BlackDoor Family Operation & Configuration
This chapter provides operational theory and configuration details specific to the BlackDoor. The BlackDoor has unique requirements regarding its interface to other equipment.

BlackDoor and BlackDoor GIG Operation
The BlackDoor transparently AES encrypts Ethernet networks. Ethernet Voice, Video or Data packets that are destined for a device located on a remote network or a different local network segment are AES encrypted at the Data Link, Network or Transport Layer and then tunneled, bridged or routed to the destination network. At the destination network the packets are decrypted and the original Ethernet packets are securely delivered to the destination Ethernet device.

Advanced Encryption Standard: FIPS approved symmetric encryption algorithm that may be used by U
17. AN and SECURITY interfaces. The user must specify which interface is being configured with the command INTERFACE LAN1 / LAN2. To move up one level, from Interface Config mode to Config mode, enter the interface command with no argument. To change between interfaces when in Interface Config mode, specify the new interface. For example:
  name LAN1
  INTERFACE LAN1

AUTONEGOTIATION ON / OFF: Auto negotiation currently doesn't work for the BlackDoor GIG and must be set to OFF. The LAN interfaces must be manually set to match the port that they are connected to. The BlackDoor GIG provides specific information with SPD and RD/TD indicators providing status on packet activity on the Ethernet interface. SPD LED color information: 1000BaseT, green LED; 100BaseT, amber LED; 10BaseT, no LED. The RD/TD LED will be yellow when there is activity on the port.

DUPLEX HALF / FULL: Sets the duplex mode for the Ethernet interface. This command only takes effect when Auto negotiation is configured to OFF.
Warning: If the device connected to LAN1 uses Auto Negotiation and LAN1 is configured to use full duplex without Auto Negotiation, the other device may operate in half duplex mode by default and successful operation cannot be guaranteed.

SPEED 10 / 100 / 1: Sets the line rate in Mbps for the Ethernet interface. This command only takes effect when Auto negotiation is configured to OFF. 10 = 10 Mbps, 100 = 100 Mbps, 1 = 1000 Mbps.

MAXF
18. BlackDoors. At the system level, enter this command and it will create a key to input into both units. The Key must be identical for decryption to work.

ENTERKEY N XXXXXXX: The actual key is 64 hex characters. On both units, issue the ENTERKEY command and provide the key generated by the output of the master's GENKEY command. The output of the GENKEY command can be copied into an editor, prefaced with the ENTERKEY command, and pasted onto the CLI when in configuration mode. Be sure to remove the linefeed and/or return characters in the key. Multiple keys may be stored to have unique key relationships with multiple peers. N can be a number from 0 to 20 to identify the key. This number can be used to specify the key in the Client or Server peer specification. Key 0 is the default, used when N is not specified.

Server / Client IP Address <ip address> Key n / Delete <ip address>: Specifies the peer Server or Client. The peer is identified by its IP Address. Peers are deleted from the configuration by specifying their IP Address. A Server unit may have up to 20 Client or Server peers. A Client unit may have only one Server peer. Optionally a key number may be specified; the key would have been previously configured with the ENTERKEY command. Key 0 is the default, used when Key is not specified.

AES ON / OFF
AES ON: Turns encryption ON. Packets are forwarded encrypted.
AES OFF: Turns encryption OFF. Packets are forwarded without
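The guide's instructions for moving a GENKEY result into ENTERKEY (collapse the pasted output to one 64-character hex string, strip linefeed and return characters, pick a key number from 0 to 20) and its SHOW SECURITY INFO rule that an all-zero key counts as "No Key" are easy to get wrong by hand. The helper below is an added example, not Engage's own tooling, that performs those checks before the line is pasted into the CLI. The sample GENKEY output is constructed for the example; the function and variable names are this example's own, and the exact ENTERKEY argument order ("ENTERKEY N key") follows the guide's syntax line.

```python
import re

KEY_HEX_CHARS = 64   # a 256 bit key is 64 hex characters, per the ENTERKEY description
MAX_KEY_SLOT = 20    # N identifies the key and ranges from 0 to 20

# Constructed sample: a GENKEY result as it might look after a copy-and-paste
# that picked up line breaks, a carriage return and an embedded space.
SAMPLE_GENKEY_OUTPUT = "0f1e2d3c4b5a69788796a5b4c3d2e1f0\r\n0011223344556677 8899aabbccddeeff\n"


def normalize_genkey_output(raw: str) -> str:
    """Remove every whitespace, linefeed and return character and lower-case the hex."""
    return re.sub(r"\s+", "", raw).lower()


def validate_key(key_hex: str) -> list:
    """Return a list of problems; an empty list means the key is acceptable."""
    problems = []
    if len(key_hex) != KEY_HEX_CHARS:
        problems.append(f"key has {len(key_hex)} hex characters, expected {KEY_HEX_CHARS}")
    if not re.fullmatch(r"[0-9a-f]*", key_hex):
        problems.append("key contains non-hex characters")
    # SHOW SECURITY INFO reports 'No Key' when the key is zero, so an all-zero
    # string would leave the unit without a usable key even though ENTERKEY ran.
    if key_hex and set(key_hex) == {"0"}:
        problems.append("key is all zero (would show as 'No Key')")
    return problems


def build_enterkey_command(raw_genkey_output: str, slot: int = 0) -> str:
    """Produce the single-line ENTERKEY command to paste into both units."""
    if not 0 <= slot <= MAX_KEY_SLOT:
        raise ValueError(f"key number {slot} outside 0..{MAX_KEY_SLOT}")
    key_hex = normalize_genkey_output(raw_genkey_output)
    problems = validate_key(key_hex)
    if problems:
        raise ValueError("; ".join(problems))
    # Key 0 is the default, but the number is written explicitly so the pasted
    # line is unambiguous on both the Server and the Client.
    return f"ENTERKEY {slot} {key_hex}"


if __name__ == "__main__":
    print(build_enterkey_command(SAMPLE_GENKEY_OUTPUT, slot=3))
```

Run the same command line on each peer; the guide requires the keys to be identical on both ends, and the Authorizing state will not advance to Tunnel State if they differ.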
19. DomainName:
  Interface LAN2: Auto Negotiation Off; Speed in Mbps 1; Duplex Mode Full; MaxFrameSize 1514; DHCPClient Off; IP Address 192.168.2.54/24; Port On; IP State RUNNING; DDNS Off; OurDomainName:
  Black Capabilities: Bridge, Tunnel, Route
  Mode: Tunnel
  Server IP Address: 192.168.2.55
  Tunnel UDP Port: 3175
  Security: AES On; Rekey On; Rekey Period 1 Day

Tunnel Mode Client
  Host Name: BlackDoor Client
  Host Contact: No contact specified
  Host Location: No location specified
  OurDNSServer:
  IP Default router:
  Telnet: On
  UserTimeout: Off
  SNMP: Off
  SNMP Traps: Off
  Interface LAN1: Auto Negotiation Off; Speed in Mbps 1; Duplex Mode Full; MaxFrameSize 1514; DHCPClient Off; IP Address 192.168.1.55/24; Port On; IP State RUNNING; DDNS Off; OurDomainName:
  Interface LAN2: Auto Negotiation Off; Speed in Mbps 1; Duplex Mode Full; MaxFrameSize 1514; DHCPClient Off; IP Address 192.168.2.55/24; Port On; IP State RUNNING; DDNS Off; OurDomainName:
  Black Capabilities: Bridge, Tunnel, Route
  Mode: Tunnel
  Server IP Address: 192.168.2.54
  Tunnel UDP Port: 3175
  Security: AES On; Rekey On; Rekey Period 1 Day

Server Tunnel Configuration with Multiple Clients Example
Below is an example of a Tunneling configuration of the BlackDoor Server with multiple Clients, with SNMP Traps turned off and Autonegotiation
20. ERFACE command will be used or all interfaces will be shown. INFO details the port type, port state, etc. STATISTICS lists the packets transmitted, received, etc.
SHOW ROUTER: Provides general configuration and status information, including the Ethernet hardware address and the firmware version.
SHOW IP STATISTICS: Provides detailed statistics on IP packets only.
SHOW SECURITY STATISTICS: Provides detailed statistics on the Security Engine.
SHOW BLACK STATISTICS: Provides detailed statistics on the BlackDoor.
SHOW CONFIG ALL: Provides a list of all configuration parameters. No argument is the same as ALL. This list provides the basis for storing a BlackDoor configuration into a local text file. The full configuration can be edited offline.
SHOW CONFIG INTERFACE LAN1 / LAN2: If no interface is specified, either the current interface per the INTERFACE command will be used or all interfaces will be shown.
SHOW CONFIG ROUTER: Lists BlackDoor Hostname, Software Revision, MAC Address, etc.
SHOW SECURITY INFO: Details the Key, AES and Rekey States.
SHOW BLACK INFO: Details the BlackDoor State (Bridge, Tunnel, Router). The BlackDoor lists the IP address of the remote BlackDoor and the state of the Tunnel. The Tunnel states are explained below.
Init State: The BlackDoor has not made contact with the remote BlackDoor.
Authorizing: The BlackDoor has made contact with the remote BlackDoor and is verifying its identity. Both BlackDoors must be co
21. IP Address: 192.168.2.54
  Tunnel UDP Port: 3175
  Security: AES On; Rekey On; Rekey Period 1 Day

Tunnel Mode Client
  Host Name: BlackDoor Client
  Host Contact: No contact specified
  Host Location: No location specified
  IP Default router:
  Telnet: On
  UserTimeout: Off
  SNMP: Off
  SNMP Traps: Off
  Interface LAN1: Auto Negotiation On; IP Address 192.168.1.54/24; Port On; IP State RUNNING
  Interface LAN2: Auto Negotiation On; IP Address 192.168.2.54/24; Port On; IP State RUNNING
  Black Capabilities: Bridge, Tunnel
  Mode: Tunnel
  Server IP Address: 192.168.2.52
  Tunnel UDP Port: 3175
  Security: AES On; Rekey On; Rekey Period 1 Day

Server to Server Tunnel Configuration Example
Below is an example of a Tunneling configuration of the BlackDoor, Server to Server, with SNMP Traps turned off and Autonegotiation turned on so that Speed and Duplex will be set automatically. The IP addresses are all on the same subnet, i.e. 192.168.1.x. AES is on.

Tunnel Mode Server to Server, Local
  Host Name: BlackDoor Local Server
  Host Contact: No contact specified
  Host Location: No location specified
  IP Default router:
  Telnet: On
  UserTimeout: Off
  SNMP: Off
  SNMP Traps: Off
  Interface LAN1: AutoNegotiation On; IP Address 192.168.1.50/24; Port On
  Interface LAN2: AutoNegotiation On; IP Address 192.168.2.50/24; Port On
  Blac
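Every example configuration in this chapter ends with the same three Security lines (AES On, Rekey On, Rekey Period), and the command reference states the rules behind them: AES Off forwards data unencrypted and is meant only for debugging, Rekey Off means the key is never rotated, and REKEY PERIOD takes NN in Days, Hours or Minutes (Minutes when no unit is given) up to a maximum of 45 days. The script below is an added example, not Engage's code, that reads a saved SHOW CONFIG text file in the line-per-setting shape shown in these examples and reports any Security setting that departs from those rules. The two sample dumps are constructed for the example, the "Name Value" line layout is assumed from the guide's printed examples, and the function names are this example's own.

```python
import re

MAX_CRYPTOPERIOD_MINUTES = 45 * 24 * 60   # REKEY PERIOD is capped at 45 days

# Constructed sample dumps: the first leaves the unit in the debug-only state the
# guide warns about, the second matches the Security lines of the examples above.
WEAK_CONFIG = """\
Mode Tunnel
Server IP Address 192.168.2.54
Tunnel UDP Port 3175
Security
AES Off
Rekey Off
Rekey Period 90 Days
"""

HARDENED_CONFIG = """\
Mode Tunnel
Server IP Address 192.168.2.54
Tunnel UDP Port 3175
Security
AES On
Rekey On
Rekey Period 1 Day
"""

# Longer names come first so "Rekey Period" is matched before "Rekey".
KNOWN_SETTINGS = ("Rekey Period", "Rekey", "AES", "Mode",
                  "Server IP Address", "Client IP Address", "Tunnel UDP Port")


def period_to_minutes(text: str) -> int:
    """Parse 'NN [Days|Hours|Minutes]'; the unit defaults to Minutes when omitted."""
    m = re.fullmatch(r"\s*(\d+)\s*([A-Za-z]*)\s*", text)
    if not m:
        raise ValueError(f"unparseable cryptoperiod: {text!r}")
    count, unit = int(m.group(1)), m.group(2).lower().rstrip("s")
    factor = {"": 1, "minute": 1, "hour": 60, "day": 1440}.get(unit)
    if factor is None:
        raise ValueError(f"unknown cryptoperiod unit: {unit!r}")
    return count * factor


def parse_config(text: str) -> dict:
    """Map each known 'Name Value' line of a SHOW CONFIG dump to its value."""
    settings = {}
    for line in text.splitlines():
        line = line.strip()
        for name in KNOWN_SETTINGS:
            if line.lower().startswith(name.lower() + " "):
                settings[name] = line[len(name):].strip()
                break
    return settings


def audit_security(text: str) -> list:
    """Return findings for Security settings that leave traffic or keys exposed."""
    settings = parse_config(text)
    findings = []
    if settings.get("AES", "").lower() != "on":
        findings.append("AES is not On: data is forwarded unencrypted (debug use only)")
    if settings.get("Rekey", "").lower() != "on":
        findings.append("Rekey is not On: the AES key is never rotated automatically")
    if "Rekey Period" in settings:
        minutes = period_to_minutes(settings["Rekey Period"])
        if minutes > MAX_CRYPTOPERIOD_MINUTES:
            findings.append(f"Rekey Period {settings['Rekey Period']} exceeds the 45 day maximum")
    return findings


if __name__ == "__main__":
    for label, cfg in (("weak", WEAK_CONFIG), ("hardened", HARDENED_CONFIG)):
        print(label, audit_security(cfg) or ["no findings"])
```

Because SHOW CONFIG output is meant to be saved and edited offline, the same check can be run over every saved dump before it is pasted back into a unit, which catches a unit left in AES Off after a debugging session.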
22. RAMESIZE 1514 to 1552: MaxFrameSize (MTU) defines the maximum length of an ethernet frame for the LAN port. The possible values are 1514 to 1552. The default value is 1514 for normal traffic. The setting 1518 is needed to make room for an Ethernet header that includes an 802.1q VLAN tag. In general the MaxFrameSize for a LAN port can be set to 1518 unless there is a host on the network that cannot accept a frame of that size. In Route Mode, if it is expected that a decrypted packet would be routed back on LAN2, it is best to have MaxFrameSize equal on LAN1 and LAN2.

IP ADDRESS address mask: The interface IP address and subnet mask are required for configuration with telnet or connectivity tests with ping. The subnet mask can be entered in long or short form. This configuration parameter applies to LAN1 only.
Examples:
  IP ADDRESS 192.168.1.1 255.255.255.0
  IP ADDRESS 192.168.1.1/24

IP DEFAULT ROUTER address: Configures the IP address of the default router or gateway for this Ethernet interface. This must be an IP address on the same network as the BlackDoor Ethernet interface. The default router is not required if the BlackDoor is to be managed from within the same IP subnet.

Config Security Commands

GENKEY: A random 256 bit key is generated with the GENKEY command. This key is to be used for the encryption function on the
23. Chapter 4 Command Line Interface
  Console Communication
  Logging in to the BlackDoor family
  Overview of Commands
  Categories
  Online Help
  Configuration Modes
  Syntax for Command Parameters
  System Level or General Commands
  SHOW Commands
  CONFIGURATION Commands
  Config Commands
  BlackDoor Config Interface Commands
  BlackDoor GIG Config Interface Commands
  Config Security Commands
  Config Commands
Chapter 5 BlackDoor Family Operation & Configuration
  BlackDoor and BlackDoor GIG Operation
  Black Bridge
  Black Tunnel
  BlackDoor and BlackDoor GIG Installation Steps
  BlackDoor Cabling
  BlackDoor GIG Cabling
  BlackDoor Configuration Parameters
  BlackDoor Family System Parameters
  BlackDoor Interface Specific Parameters
  BlackDoor GIG Interface Specific Parameters
  BlackDoor Security Parameters
  Show Security Info
  Show BlackDoor Info
  SNMP Support
  SNMPv1 Traps
Chapter 6 Troubleshooting
  Unable to Communicate with the BlackDoor
  Using BlackDoor Statistics for Debug
Appendix A BlackDoor Specifications
  Ethernet Port
  LAN Protocol
24. Service Center
If the equipment is causing harm to the telephone network, the telecommunications service provider may request that you disconnect the equipment until the problem is resolved.
Engage Communication Service Center
Phone (U.S.): 1 831 688 1021
Fax: 1 831 688 1421
Email: support@engageinc.com
Web: www.engageinc.com
25. [Figure: Network A (192.168.1.x) connects unencrypted to LAN1 of a BlackDoor; LAN2 carries encrypted traffic across Network B (public or private IP) to the peer BlackDoor's LAN2; the peer's LAN1 connects unencrypted to Network A (192.168.1.x).] Network A 192.168.1.x is transparently bridged through public/private network B.

BlackDoor and BlackDoor GIG Installation Steps
The process of installing a BlackDoor involves the following steps:
Planning for BlackDoor interconnect
Installing the BlackDoor hardware
Configuring System, Networking and Security parameters
Making Ethernet cabling connections
Verifying the BlackDoor connection

BlackDoor Cabling
The BlackDoor uses standard 10/100BaseT Ethernet cabling to connect to an Ethernet switch or hub. An Ethernet crossover cable is required to directly connect to a PC or another BlackDoor's Ethernet interface. Refer to the Appendices for the details of the wiring of this cable.

BlackDoor GIG Cabling
The BlackDoor uses standard 10/100/1000BaseT Ethernet cabling (CAT6) to connect to an Ethernet switch or hub. An Ethernet crossover cable is required to directly connect to a PC or another BlackDoor's Ethernet interface. Refer to the Appendices for the details of the wiring of this cable.

BlackDoor Configuration Parameters
The setup of the BlackDoor involves configuration of the BlackDoor System Parameters, Interface Specific Parameters and BlackDoor Securi
26. ation turned on so that Speed and Duplex will be set automatically. AES is on.

Tunnel Mode Server
Host Name BlackDoor Server
Host Contact No contact specified
Host Location No location specified
IP Default router
Telnet On
UserTimeout Off
SNMP Off
SNMP Traps Off
Interface LAN1
Auto Negotiation On
IP Address 192.168.1.52/24
Port On
IP State RUNNING
Interface LAN2
Auto Negotiation On
IP Address 192.168.2.52/24
Port On
IP State RUNNING
Black Capabilities Bridge Tunnel
Mode Tunnel
Client IP Address 192.168.2.54
Client IP Address 192.168.2.55
Client IP Address 192.168.2.56
Client IP Address 192.168.2.57
Tunnel UDP Port 3175
Security
AES On
Rekey On
Rekey Period 1 Day

Chapter 3 Installation of the BlackDoor Products
This chapter provides details on the physical location and connections required for the installation of Engage BlackDoor equipment. Also covered is the initial communication with the BlackDoor. References are made to the BlackDoor Command Line Interface as well as Configuration and Operation. These topics are covered in detail in later chapters.
The use of Engage BlackDoor systems to create a bridge between two Ethernet LANs over an IP network requires one BlackDoor unit at each end. A standard BlackDoor package includes:
BlackDoor unit with installed LAN interface
Console port adapter and cable
Pow
27. disable IEEE 802.3 Auto Negotiation on the Ethernet interface. The LAN Ethernet DUPLEX and SPEED are negotiated. If negotiation does not occur, the Ethernet interface defaults to 10BaseT Half Duplex.
Warning: If the device connected to LAN1 uses Auto Negotiation and LAN1 is configured to use full duplex without Auto Negotiation, the other device may operate in half duplex mode by default and successful operation cannot be guaranteed.

DUPLEX HALF FULL
Sets the duplex mode for the Ethernet interface. This command only takes effect when Autonegotiation is configured to OFF.

SPEED 10 100
Sets the line rate in Mbps for the Ethernet interface. This command only takes effect when Autonegotiation is configured to OFF.

IP ADDRESS address mask
The interface IP address and subnet mask are required for connection to the network and access with telnet or connectivity tests with ping. The IP ADDRESS must be unique within the network's IP address range. The subnet mask can be entered in long or short form.
Example: IP ADDRESS aaa.bbb.ccc.ddd/ee

BlackDoor GIG Interface Specific Parameters
Console Configuration Parameters
The console port is an RJ45 port and uses an RJ45-DB9 adapter (included with the unit) and can be connected directly to a desktop or laptop computer for access to the BlackDoor GIG. The console port configuration is
28. er Converter (110 or 220 VAC input, 12 to 30 VDC output)
Documentation Compact Disk with BlackDoor User's Guide and configuration examples

Installing the Hardware
Locating the BlackDoor products
Site consideration is important for proper operation of the BlackDoor and BlackDoor GIG. The user should install the unit in an environment providing:
A well ventilated indoor location
Access within six feet of a power outlet
Two feet additional clearance around the unit to permit easy cable connection
As an option the units can be mounted in a standard 19 inch equipment rack; rack mounts are available from Engage.

Powering the BlackDoor
Engage BlackDoor units utilize an external universal power adapter with 100-240 VAC, 50/60 Hertz input and a DC output of 12 Volts DC at 2.5A. The appropriate power adapter cord is provided with each unit. Ensure the power adapter is not connected to power, then plug the DC adapter into the circular rear panel POWER connector. Connect the power adapter to an appropriate AC power outlet and check the POWER LED on the front panel of the Engage BlackDoor. The POWER LED is GREEN.

Powering the BlackDoor GIG
Engage BlackDoor GIG units utilize an external universal power adapter with 100-240 VAC, 50/60 Hertz input and a DC output of 12 Volts DC at 4.1A. The appropriate power adapter cord is provided with each unit. Ensure the po
29. fferent networks. Selected routes are encrypted on LAN2 and decrypted before forwarding on LAN1. Thus LAN2 is the encrypted network and LAN1 is the unencrypted network. Static routes are defined to effect encryption for that route. If the gateway specified for a static route is a BlackDoor peer, packets for that route are encrypted and sent to the BlackDoor peer to be decrypted and routed. If the gateway is not a BlackDoor peer, the packet is sent to the gateway unencrypted.

Route
IP Route <route> <network mask> <gateway ip address> <cost> <port> [DLCI] [Black]
The <route> and <network mask> specify the route's network number and mask. A route of 0.0.0.0 specifies a default route. The <gateway ip address> is the IP address of the gateway. The <cost> is the routing cost expressed in hops. The <port> is the LAN1 or LAN2 port interface for the route; select LAN2 for Mode Route. The DLCI is optional and not used for Route Mode. Black is optional and forces the route to be a Black route. Omission of this parameter is recommended, since the route will automatically be typed as Black if the gateway is a BlackDoor peer. Behavior is undefined if type Black is forced and the gateway is not a BlackDoor peer.
IP Delete <route>
Deletes a route from the static route table.
IP Delete 255.255.255.255
Deletes all the routes from the static route table.
30. g One device, the DCE, provides the transmit and the receive timing to the second device, the DTE.
Data Communication Equipment (DCE): This interfaces to the communication service's transmission/reception medium and includes T1 Voice/Data Multiplexors, 64/56 Kilobit DSU/CSUs and Fiber Optic Modems. The DCE provides the transmit and receive data pathways, along with their synchronous clocking signals, that are used by the Engage Router's DTE interface for full duplex communication between the remotely interconnected networks.
Data Terminal Equipment (DTE): This equipment, such as an Engage Router, attaches to the terminal side of Data Communication Equipment.
Data Carrier Detect (DCD): A signal that indicates to the DTE that the DCE is receiving a signal from a remote DCE.
Data Terminal Ready (DTR): Prepares the DCE to be connected to the phone line; the connection can then be established by dialing. Enables the DCE to answer an incoming call on a switched line.
31. generated when the device runs out of free buffers for packet processing.
engageTrapDeafness: this trap is generated when an interface on the box has not received packets for a long period of time.
engageTrapTubeEnetRxAbsent: this trap is generated when a BlackDoor does not receive IPTube encapsulated IP packets on its LAN interface when it expects to.
For more detail on the industry standard traps please see http://www.faqs.org/rfcs/rfc1157.html

Chapter 6 Troubleshooting
Communication and network systems are subject to problems from a variety of sources. Fortunately, an organized troubleshooting approach usually leads to the area of the problem in short order. It is essential to distinguish between problems caused by the LAN network system, the WAN equipment (communication equipment) and the BlackDoor configuration. This troubleshooting chapter is structured with symptoms in the order the user might encounter them.

Unable to Communicate with the BlackDoor
Installations first require communication with the BlackDoor through console access or from the network, usually the same network as the BlackDoor itself. Proceed through the following symptoms if you are unable to communicate with the local BlackDoor using Telnet, Ping, etc. IP addressing should be double checked if accessing the unit via the network.

Ethernet General
Cause: Network cabling is faulty.
Solutio
32. gram is the best tool for troubleshooting TCP/IP connectivity. As a sanity check, first ensure you can ping the local router. If unsuccessful, go back to "Can't Communicate using Telnet with the BlackDoor".

Can't IP Ping Remote BlackDoor
Cause: Ping workstation does not have a Default Gateway or Router set. In the workstation's IP configuration, alongside the workstation's own IP address and subnet mask, you must provide the IP address of the device (a router) to which all packets destined off the local net should be sent.
Cause: The default router on the net, serving as Default Gateway for all net workstations, does not know about the remote IP net where the remote BlackDoor is located.
Solution: Under these circumstances (the two BlackDoor units are on different networks or subnets) the DEFAULT ROUTER address must be configured.

Using BlackDoor Statistics for Debug
Can IP Ping Remote BlackDoor but no traffic
View the Show Black Info statistics:

BlackDoor Client show black info
Black Info
Server Host    20 Peers Allowed
Tunnel Mode    2 Peers Configured
192.168.2.52   Tunnel State   1 Rekey
192.168.2.50   Init State     5 Rekeys

If the peer IP address can be pinged successfully, then the Init State probably means the keys don't match. When entering the key, copy the genkey result and paste it into a txt document. Then remove the line feed and return characters. Copy and paste the same key after the enterkey command for both units. Tun
33. he BlackDoor and BlackDoor GIG need to be configured with a number of parameters for proper operation on the network, including:
Ethernet IP address and subnet mask
Default gateway, if the IP data target is on another IP network
The configuration procedure depends on the network environment in which the BlackDoor equipment is to be installed.
Note: It is strongly suggested that you configure the BlackDoor with its unique network identity before making any Ethernet or Wide Area connections.

Ethernet Interfaces BlackDoor
Engage BlackDoor systems utilize 10/100BaseT Ethernet cable to connect to the Local Area Network. Each system provides a 10/100BaseT interface on the front panel for connection to an Ethernet switch or hub using a straight-thru Ethernet cable. For direct connection to a PC or other LAN device, the user should obtain a 10/100BaseT crossover cable. LAN1 connects to the Internal Network that is to be encrypted and LAN2 connects to the interconnecting network. 10/100BaseT Ethernet cabling and crossover pinouts are provided in the Appendices.

Ethernet Interfaces BlackDoor GIG
Power Status
Engage BlackDoor GIG systems utilize 10/100/1000BaseT Ethernet cable to connect to the Local Area Network. Each system provides a 10/100/1000BaseT interface on the front panel for connection to an Ethernet switch or hub using a straight-thru E
34. BlackDoor / BlackDoor GIG User's Guide
Engage Communication, Inc.
9565 Soquel Drive, Suite 200
Aptos, California 95003
TEL 831 688 1021
FAX 831 688 1421
www.engageinc.com
support@engageinc.com
Revision 7

Seller warrants to the Original Buyer that any unit shipped to the Original Buyer will, under normal and proper use, be free from defects in material and workmanship for a period of 24 months from the date of shipment to the Original Buyer. This warranty will not be extended to items repaired by anyone other than the Seller or its authorized agent. The foregoing warranty is exclusive and in lieu of all other warranties of merchantability, fitness for purpose or any other type, whether express or implied.
A. All claims for breach of the foregoing warranty shall be deemed waived unless notice of such claim is received by Seller during the applicable warranty period and unless the items claimed to be defective are returned to Seller within thirty (30) days after such claim. Failure of Seller to receive written notice of any such claim within the applicable time period shall be deemed an absolute and unconditional waiver by Buyer of such claim, irrespective of whether the facts giving rise to such a claim shall have been discovered or whether processing, further manufacturing, other use or resale of such items shall have then taken place.
B. Buyer's exclusive remedy and Seller's total liability for any and all losses and da
35. is to be accessed from an IP network that is not part of the BlackDoor's IP address range and an IP route to that network is not available, then a default router must be specified. The Default Router can be specified at the System level or at the LAN interface level. If the LAN interface Default Router is configured, it is used. The Default Router is typically the BlackDoor's local IP WAN Router.
Example: IP DEFAULT ROUTER aaa.bbb.ccc.ddd

TELNET ON OFF
Turns on or off Telnet management. Access to the management interface when Telnet is turned OFF is restricted to the Console Port and to SNMP (if turned ON).

USER TIMEOUT Off 1 60
This setting can be turned Off or set to the number of minutes (1 to 60) you can leave your console or telnet session idle before the system automatically logs you out. If logged off, you must simply log on again.

TERM NN
Allows the user to tailor the number of display lines to their terminal screen size.

SNMP ON OFF
Turns on or off SNMP management.

SNMP COMMUNITYNAME
Set or modify the Tube SNMP community name. This string is used for authentication for SNMP SetRequests and SNMP traps.

SNMP TRAPS ON OFF
Turns on or off generation of SNMPv1 Traps. The Destination Address for these traps must be configured to be an SNMP management station capable of decoding SNMPv1 traps.

SNMP TRAPS ADDRESS address
Sets the Destinatio
36. k Capabilities Bridge Tunnel
Mode Tunnel
Server IP Address 192.168.2.51
Tunnel UDP Port 3175
Security
AES On
Rekey On
Rekey Period 1 Day

Tunnel Mode Server to Server Remote
Host Name BlackDoor Remote Server
Host Contact No contact specified
Host Location No location specified
IP Default router
Telnet On
UserTimeout Off
SNMP Off
SNMP Traps Off
Interface LAN1
AutoNegotiation On
IP Address 192.168.1.51/24
Port On
Interface LAN2
AutoNegotiation On
IP Address 192.168.2.51/24
Port On
Black Capabilities Bridge Tunnel
Mode Tunnel
Server IP Address 192.168.2.50
Tunnel UDP Port 3175
Security
AES On
Rekey On
Rekey Period 1 Day

Server to Server Tunnel Configuration Example BlackDoor GIG
Below is an example of a BlackDoor GIG configuration with Tunneling of the BlackDoor Server to Server, with SNMP Traps turned off and Autonegotiation turned off, so Speed and Duplex must be manually set.

Tunnel Mode Server
Host Name BlackDoor Server
Host Contact No contact specified
Host Location No location specified
OurDNSServer
IP Default router
Telnet On
UserTimeout Off
SNMP Off
SNMP Traps Off
Interface LAN1
Auto Negotiation Off
Speed in Mbps 1
Duplex Mode Full
MaxFrameSize 1514
DHCPClient Off
IP Address 192.168.1.54/24
Port On
IP State RUNNING
DDNS Off
Our
37. low control none

BlackDoor GIG Console Configuration Parameters
The console port is an RJ45 port and uses an RJ45-DB9 adapter (included with the unit) and can be connected directly to a desktop or laptop computer for access to the BlackDoor GIG. The console port configuration is 115200 baud, 1 stop bit, no parity, 8 bit data, flow control none.

BlackDoor LAN Configuration Parameters
The BlackDoor has two 10/100BaseT Ethernet interfaces, LAN1 and LAN2. LAN1 is Unencrypted and LAN2 is Encrypted. The following parameters must match the configuration of the LAN interface to which it is connected: Autonegotiation, Duplex and Speed.

BlackDoor GIG LAN Configuration Parameters
The BlackDoor has two 10/100/1000BaseT Ethernet interfaces, LAN1 and LAN2. LAN1 is Unencrypted and LAN2 is Encrypted. The following parameters must match the configuration of the LAN interface to which it is connected: Duplex and Speed. MaxFrameSize (MTU) must also be set: for normal traffic use 1514 bytes, for VLAN traffic use 1518 bytes. The maximum setting can be as large as 1552.
Note: Autonegotiation is currently unavailable as an option for the BlackDoor GIG.

BlackDoor Security Parameters
The BlackDoor AES encryption and decryption uses a 256 bit key. The key is entered as 64 hex characters. An internal FIPS 140 approved random number generator is used to generate the AES
38. mages arising out of any cause whatsoever, whether such cause be based in contract, negligence, strict liability, other tort or otherwise, shall in no event exceed the repair price of the work to which such cause arises. In no event shall Seller be liable for incidental, consequential or punitive damages resulting from any such cause. Seller may, at its sole option, either repair or replace defective goods or work, and shall have no further obligations to Buyer. Return of the defective items to Seller shall be at Buyer's risk and expense.
C. Seller shall not be liable for failure to perform its obligations under the contract if such failure results directly or indirectly from, or is contributed to by, any act of God or of Buyer; riot; fire; explosion; accident; flood; sabotage; epidemics; delays in transportation; lack of or inability to obtain raw materials, components, labor, fuel or supplies; governmental laws, regulations or orders; other circumstances beyond Seller's reasonable control, whether similar or dissimilar to the foregoing; or labor trouble, strike, lockout or injunction (whether or not such labor event is within the reasonable control of Seller).
Copyright 2000-2012 Engage Communication, Inc. All rights reserved. This document may not, in part or in entirety, be copied, photocopied, reproduced, translated or reduced to any electronic medium or machine readable form without first obtaining the express written consent of Engage Communi
39. n: Verify cabling is good by swapping BlackDoor cabling with a known good cable and connection. Check the status LEDs on the 10/100BaseT switch to confirm a good connection. If necessary, create a stand alone LAN with just the workstation and the BlackDoor.

High Ethernet Error Count
Cause: Bad cabling or building wiring.
Solution: Check all cabling. Swap to a known good port on the 10/100BaseT switch or hub to troubleshoot, testing with large Ping packets to ascertain the quality of the Ethernet connection. To eliminate issues with building wiring, connect the BlackDoor with a known good Ethernet cable in the same room as the Ethernet hub.
Cause: Cannot connect to a hub at 100 Mbps with autonegotiate turned on. Connection drops to 10 Mbps at half duplex.
Solution: Change the LAN1 interface to match what the hub is configured for by first turning Autonegotiate OFF.

Can't Communicate using Telnet with the BlackDoor
Cause: IP address is not set properly on the BlackDoor.
Solution: The Console Port, which requires an RJ45 to DB9 adapter (included with the product), provides direct access to the command line interface of the BlackDoor. The Console port utilizes the CLI detailed in Chapter 4 Command Line Interface. Details of the connector pins are in the Appendices. Here the IP address can be double checked for accuracy.
Cause: Workstation not on the same subnet as the BlackDoor.
Solution: During an initial configuration of a BlackDoor, comm
40. n IP Address to which the Tube will send SNMPv1 Traps.

BlackDoor Config Interface Commands
Configuration of the BlackDoor requires setting parameters for the LAN and SECURITY interfaces. The user must specify which interface is being configured with the command:
INTERFACE LAN1 LAN2
To move up one level from Interface Config mode to Config mode, enter the interface command with no argument. To change between interfaces when in Interface Config mode, specify the new interface. For example:
name LAN1 INTERFACE LAN1

AUTONEGOTIATION ON OFF
Enable or disable IEEE 802.3 Auto negotiation on the Ethernet interface.
Warning: If the device connected to LAN1 uses Auto Negotiation and LAN1 is configured to use full duplex without Auto Negotiation, the other device may operate in half duplex mode by default and successful operation cannot be guaranteed.

DUPLEX HALF FULL
Sets the duplex mode for the Ethernet interface. This command only takes effect when Autonegotiation is configured to OFF.
Warning: If the device connected to LAN1 uses Auto Negotiation and LAN1 is configured to use full duplex without Auto Negotiation, the other device may operate in half duplex mode by default and successful operation cannot be guaranteed.

SPEED 10 100
Sets the line rate in Mbps for the Ethernet interface. This command only takes effect when Au
41. nel State means the connection is up and running, with encryption if AES is configured On.

Verify that AES encryption is On. Use Show Security Info to view the AES encryption status:

BlackDoor Client show security info
Security Info
AES State On

Note that if more than one peer is configured, AES will not be On unless ALL peers are in Tunnel State.

Appendix A BlackDoor Specifications
Ethernet Port
10/100 Base-T Full/Half Ethernet (BlackDoor)
10/100/1000 Base-T Full/Half Ethernet (BlackDoor GIG)
LAN Protocol
IP, TCP, UDP, ICMP
Assured Delivery Protocol
Quality of Service Support
IP Type of Service (TOS), CLI configurable
IANA Registered UDP Port 3175
TFTP Online Upgrade Capable FLASH ROMs
BlackDoor is fully operational during upgrade. Currently not available on the BlackDoor GIG.
Management
Telnet support with Edit and Paste Template Files
Console Port for Out of Band Management
SNMP support: MIB, MIB II
Remote configuration & monitoring
Power Supply
BlackDoor: External 12 Volts AC 2.5 Amp with standard AC plug. International power supplies available.
BlackDoor GIG: External 12 Volts AC 4.1 Amp with standard AC plug. International power supplies available.
Physical
Standard 19 inch rack
42. nfigured with the same key for their identities to be confirmed.
Key Exchange: The BlackDoor is in the process of changing to a new key.
Tunnel State: The BlackDoor is sending and receiving encrypted data. The Tunnel State is the only state in which data is encrypted and secure.
AES Off: AES is configured Off. The BlackDoor is sending and receiving unencrypted data. Data is not secure.

SHOW CONFIG IP ALL
Details the IP configuration. No argument is the same as ALL, which provides the IP configuration items that don't pertain to a specific port (i.e. default router, etc.).

CONFIGURATION Commands
Config Commands
Enter the configuration mode, at which point the following commands may be used.
SAVE
Save the changes and exit Configuration mode.
END SAVE
Exit Configuration mode. The optional SAVE instructs the BlackDoor to save configuration changes.
RESTORE
Restores the current BlackDoor configuration, ignoring any changes which have been made during the current Telnet CONFIG session.
HOST NAME
Provide a unique name for the BlackDoor. Example: HOST NAME Aptos BlackDoor
HOST CONTACT
Provide the name of the individual or department that manages the BlackDoor. Example: HOST CONTACT Aptos NOC
HOST LOCATION
Specify the location of the BlackDoor. Example: HOST LOCATION 17th Floor Telco Closet 12
DEFAULT ROUTER
If the BlackDoor
43. nstallation and normal operation of the units, and provides descriptions of causes and solutions to these issues.
Appendices: BlackDoor specifications, connector pinouts and crossover wiring details; includes diagrams of the units.
Glossary: Telecommunication and TCP/IP terminology.

Intended Audience
This manual is intended for administrators of telecommunication and network systems. The technical content is written for readers who have basic computer, telecommunication and networking experience. It is important that any administrator responsible for the installation and operation of Engage BlackDoor products be familiar with IP networking and data communication concepts such as network addressing. These terms are central to an understanding of BlackDoor functionality and are covered in the Glossary section.

Chapter 2 Installation QuickStart
This QuickStart chapter is intended for users who understand how they want their BlackDoor and BlackDoor GIG installed and configured and only require the mechanics of performing that installation.

Communication with the BlackDoor and BlackDoor GIG
Console Port / Telnet
Initial communication with the BlackDoor product is made through the Console port utilizing the Command Line Interface. The CLI is detailed in Chapter 4 Command Line Interface. The Console port on the BlackDoor uses an RJ45 jack. An RJ45-DB9 adapter is provided in the shi
44. nt to a UDP port with no listener.
SNMP group: contains statistics for the SNMP protocol, including packets received and transmitted, error packets and number of set requests.
For more detail, MIB II is fully specified in RFC1213, available at http://www.faqs.org/rfcs/rfc1213.html

SNMPv1 Traps
The BlackDoor supports generation of SNMPv1 Traps. Traps are messages sent from the device's LAN port when specific events occur. The following traps may be generated:
coldStart: this trap is generated if the Tube reinitializes itself after a configuration change.
warmStart: this trap is generated if the Tube reinitializes itself after a reset which does not involve a configuration change.
linkUp: this trap is generated when a physical interface transitions from being disconnected to connected.
linkDown: this trap is generated when a physical interface transitions from being connected to disconnected.
authenticationFailure: this trap is generated when a login to the user interface or an SNMPv1 SetRequest failed because an incorrect password was given.
enterpriseSpecific: these are Engage proprietary traps. We define the following subcategories:
engageTrapRxOverrun: this trap is generated when excessive receiver overruns are happening on an interface.
engageTrapTxUnderrun: this trap is generated when excessive transmitter underruns are happening on an interface.
engageTrapBufferExhaustion: this trap is
45. o an Ethernet switch, router or hub. The cabling used to connect the BlackDoor LAN ports to a switch, router or hub is straight through Ethernet cabling. Refer to the Appendices for the details of the wiring and pinouts of this cable. A crossover 10/100BaseT cable can be used for direct connection to a single router, wireless radio or other Ethernet device. The BlackDoor GIG must use 1000BaseT Ethernet cabling (CAT6) to connect to any Gigabit Ethernet device.

Configuration Parameters
The setup of the BlackDoor involves configuration of the System Parameters, Interface Specific Parameters and Security Parameters. The SHOW CONFIG command lists the configuration parameters of the system, the LAN ports and the Security Parameters. The SHOW INFO command lists the status of the LAN ports and the Security Engine Parameters.

System Parameters
System parameters are: Host Name, Host Contact, Host Location, the system's Default Router, Telnet on/off and timeout, SNMP on/off, SNMP Community Name, and SNMP Traps on/off. Host Name, Host Contact and Host Location are useful parameters to identify the BlackDoor.

Interface Specific Parameters
BlackDoor Console Configuration Parameters
The console port is an RJ45 port and uses an RJ45-DB9 adapter (included with the unit) and can be connected directly to a desktop or laptop computer for access to the BlackDoor. The console port configuration is 9600 baud, 1 stop bit, no parity, 8 bit data, f
46. Chapter 1 Introduction
The BlackDoor and BlackDoor GIG User's Guide provides the information users require to install, configure and operate the BlackDoor product developed and manufactured by Engage Communication, Inc.
The BlackDoor family protects the confidentiality and integrity of Intranet and Internet Ethernet networks with the strongest commercially available cryptography. The BlackDoor Ethernet Encryptor, which supports Point to Point and Multipoint information assurance configurations with unique dynamic keys, is specifically designed for real time wireline backbones and the full spectrum of outdoor Wireless WAN technologies, including Free Space Optics and licensed and unlicensed Radios.
The BlackDoor transparently AES encrypts Ethernet networks. Ethernet Voice, Video or Data packets that are destined for a device located on a remote network or a different local network segment are AES encrypted at the Link, Network or Transport Layer and
47. pment which, in addition to providing a physical interface, permits direct connection to DTE equipment such as the COM connections of a PC. Once a serial connection between a workstation and the BlackDoor console port is established and a carriage return <CR> is entered, a Login prompt will appear. The default login is root. No password is needed for first time login. Once an IP address has been assigned and a serial line connected, the user can log into the unit via the Ethernet network and continue configuration using telnet.

Editing & Pasting Configurations
Users of either CLI have the option of editing a standard BlackDoor configuration in a text editor and pasting that configuration to the BlackDoor. Edit the desired configuration using a simple text editor. Connect to the unit through Telnet or the Console port, then enter the configuration mode with the command config. Paste the edited text, comments and all, to the BlackDoor, then issue the command save. The unit will reset and come up with the new configuration.
NOTE: Pasting configurations into the BlackDoor GIG does not work at this time.
To save a BlackDoor or BlackDoor GIG configuration to a file, issue the command show configuration all and copy the output of the command to a file with your text editor.

System Cabling
The BlackDoor uses standard 10/100BaseT Ethernet cabling to connect t
provides access via IP to groups of administrative, configuration-related and statistical information objects about the Engage device. An IP network connection to the device and a PC with an application which provides an SNMP version 1 client are required. An SNMP client will query the device and display the information objects and their values to the user. Note that SNMP version 1 authenticates a request only by its community name, which crosses the network in cleartext, so the community name should be treated as a password and SNMP should be left off where it is not needed.
Groups of SNMP information objects are referred to as MIBs (Management Information Base). All Engage products support most of MIB II (MIB-2). The subgroups of information in MIB II are as follows:
• System group: contains system information such as a designated system identifier, location and vendor ID (Engage).
• Interface group: contains information about the network connections on the device, including interface type, link status, and packets transmitted and received.
• AT group: contains information about the ARP entries on the device, including the values for MAC Address and IP Address for each entry.
• IP group: contains IP statistics and configuration on the device, including IP packets received, packets discarded, and IP address and subnet mask.
• ICMP group: contains ICMP statistics, including packets sent for redirect, port unreachable or echo requests (Ping).
• UDP group: contains statistics for UDP, including packets received and transmitted and packets se
access to the unit is more convenient. LAN1 is the unencrypted Ethernet Network, while LAN2 is the encrypted network. The LAN SPD indicators show 1000Mbps with green, 100Mbps with amber, and no light with 10Mbps connectivity. The LAN RD/TD indicators will show when the port is receiving or transmitting data. The IND1 indicator will light approximately every 2 seconds, showing that the unit is up and operational.

About this Guide
Organization
Chapter 1 Introduction provides an overview of the BlackDoor and BlackDoor GIG User's Guide as well as feature descriptions.
Chapter 2 QuickStart provides a concise description of the installation and configuration process plus examples to get the experienced user up and running in a minimum amount of time.
Chapter 3 Installation of the BlackDoor gives a detailed step-by-step description of the installation and initial configuration of the units. It covers the physical environment and connections required to install the units, then steps the administrator through the configuration process of the console port and LAN connections.
Chapter 4 Command Line Interface provides a command-by-command description of the upper-level interface as well as the interfaces to the various ports.
Chapter 5 Operation and Configuration details the configuration and ongoing operation of the BlackDoor.
Chapter 6 Troubleshooting reviews some of the common issues that may occur during i
show configuration can be entered as sh con. The CLI is not case sensitive. The description of the commands uses both upper and lower case for syntax definitions and examples. A full description of the command line interface follows.

Categories
The command set can be divided into four categories: General, Show, Config, and Config Interface.

Online Help
Included in the General commands are the HELP, HELP CONFIG and HELP SHOW commands, providing information on the entire command set.

Configuration Modes
For the Config and Config Interface commands, Engage employs a modal approach. The user enters the Config mode, makes changes, then Saves those changes. On Saving the changes, the user leaves the Config mode.
The Config Interface mode within the Config mode is used to set parameters for a specified interface. Once in the Configuration mode, the user enters the INTERFACE command. All subsequent commands apply to the specified interface.
The command prompt indicates the mode of operation: name with the standard prompt indicates standard Telnet mode; name with the Config prompt indicates the unit is in the Config mode; name LAN1 indicates the unit is in Config Interface mode for LAN Port 1.
To move up one level from Interface Config mode to Config mode, enter the INTERFACE command with no argument. To change between interfaces when in Interface Config mode, specify the new interface. For example,
mask can be entered in long or short form.
Example: IP ADDRESS aaa.bbb.ccc.ddd/ee

BlackDoor Security Parameters
The BlackDoor AES encryption and decryption uses a 256-bit key. The key is entered as 64 hex characters. An internal FIPS 140 approved random number generator is used to generate the AES 256-bit key. The BlackDoor's GENKEY function generates a 256-bit random number. The BlackDoor at each end of the link needs to have its AES key set identically by using the ENTERKEY command. The BlackDoor supports automatically scheduled rekeying by setting REKEY ON and configuring the REKEY PERIOD. The BlackDoor must be in Configuration Mode in order to change the Security parameters.

GENKEY
A random 256-bit key is generated with the GENKEY command. This key is to be used for the encryption function on the BlackDoors. At the system level, enter this command and it will create a key to input into both units. The key must be identical on both units for decryption to work.

ENTERKEY N XXXXXXX (the actual key is 64 hex characters)
On both units, issue the ENTERKEY command and provide the key generated by the output of the master's GENKEY command. The output of the GENKEY command can be copied into an editor, prefaced with the ENTERKEY command, and pasted onto the CLI when in configuration mode. This key is the only secret protecting the link: carry it to the remote unit over a trusted path rather than across the network the BlackDoor is about to encrypt, and prefer the Console Port to Telnet for entering it, since a Telnet session carries the pasted key across the network in cleartext. Be sure to remove the linefeed and/or return characters in
the key. Multiple keys may be stored to have unique key relationships with multiple peers. N can be a number from 0 to 20 to identify the key. This number can be used to specify the key in the Client or Server peer specification. Key 0 is the default used when N is not specified.

SERVER or CLIENT: IP Address <ip address> [Key n], or Delete <ip address>
Specifies the peer Server or Client. The peer is identified by its IP Address. Peers are deleted from the configuration by specifying the IP Address with Delete. A Server unit may have up to 20 Client or Server peers. A Client unit may have only one Server peer. Optionally a key number may be specified; the key would have been previously configured with the ENTERKEY command. Key 0 is the default used when Key is not specified.
Example, deleting Server/Client IP entries: IP Delete 192.168.2.55

AES ON | OFF
AES ON turns encryption ON: packets are forwarded encrypted. AES OFF turns encryption OFF: packets are forwarded without being encrypted. This mode should only be used during debug to assess whether the packet path is operating without encryption enabled; with AES OFF the traffic on LAN2 is not secure, so do not leave a production link in this state.

REKEY ON turns Rekeying ON. REKEY OFF turns Rekeying OFF.

REKEY PERIOD NN [Days | Hours | Minutes]
Sets the cryptoperiod for the Rekey function. The cryptoperiod can be set to a maximum of 45 days. NN is the number of Days, Hours or Minutes of the cryptoperiod. NN defaults to a unit of Minutes if Days or Hours are not specified.
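As an added worked example (not code from this manual or from Engage Communication), the following Python script assembles the security-parameter paste block described above for GENKEY, ENTERKEY, Server/Client peers and REKEY, and checks each value against the limits this chapter states before anything is pasted onto the CLI: 64 hex characters and non-zero for the key, key numbers 0 to 20, at most 20 peers on a Server and exactly one Server peer on a Client, and a cryptoperiod of at most 45 days with Minutes as the default unit. It assumes the command spellings shown in this chapter (ENTERKEY N key; Server or Client IP Address <ip> Key n; AES ON; REKEY ON; REKEY PERIOD NN unit; save), uses the operating system's random source in place of the unit's FIPS 140 generator, and the sample key and addresses are constructed.

```python
"""Assemble and sanity-check a BlackDoor security-parameter paste block.

Added example; the CLI keyword spellings below follow this chapter and are an
assumption about exact syntax, so compare against "show configuration all" on
a real unit before relying on them.
"""
import ipaddress
import os
import re

HEX_KEY = re.compile(r"^[0-9A-Fa-f]{64}$")
MAX_KEY_NUMBER = 20                 # ENTERKEY N: N is 0 to 20
MAX_SERVER_PEERS = 20               # a Server unit may have up to 20 peers
MAX_REKEY_MINUTES = 45 * 24 * 60    # cryptoperiod maximum is 45 days
UNIT_MINUTES = {"minutes": 1, "hours": 60, "days": 24 * 60}


def generate_key_hex():
    """Stand-in for GENKEY: 256 random bits as 64 hex characters.
    Uses os.urandom here; the unit itself uses its internal FIPS 140 generator."""
    return os.urandom(32).hex().upper()


def normalize_key(raw):
    """Strip the CR/LF and whitespace a copied GENKEY output carries, then reject
    anything that is not 64 hex characters or is all zero (an all-zero key is
    reported as "No Key" and secures nothing)."""
    key = "".join(raw.split()).upper()
    if not HEX_KEY.match(key):
        raise ValueError("key must be exactly 64 hex characters")
    if int(key, 16) == 0:
        raise ValueError("all-zero key is 'No Key'; generate a real key first")
    return key


def rekey_period_minutes(nn, unit="minutes"):
    """REKEY PERIOD NN [Days|Hours|Minutes] expressed in minutes.
    NN defaults to Minutes; the total may not exceed 45 days."""
    if unit.lower() not in UNIT_MINUTES:
        raise ValueError("unit must be Days, Hours or Minutes")
    if nn < 1:
        raise ValueError("NN must be positive")
    total = nn * UNIT_MINUTES[unit.lower()]
    if total > MAX_REKEY_MINUTES:
        raise ValueError("cryptoperiod exceeds the 45 day maximum")
    return total


def build_security_config(role, keys, peers, rekey=None):
    """Return the CLI lines to paste, in order: config, ENTERKEY lines,
    peer lines, AES ON, REKEY settings, save.

    role  : "server" or "client" (the unit being configured)
    keys  : {key_number: raw_key_text}
    peers : [(peer_kind, ip_address, key_number)], peer_kind "server" or "client"
    rekey : None for REKEY OFF, or (NN, unit) for REKEY ON plus REKEY PERIOD
    """
    role = role.lower()
    if role not in ("server", "client"):
        raise ValueError("role must be server or client")
    if role == "client" and not (len(peers) == 1 and peers[0][0].lower() == "server"):
        raise ValueError("a Client unit has exactly one peer, and it is a Server")
    if role == "server" and len(peers) > MAX_SERVER_PEERS:
        raise ValueError("a Server unit may have at most 20 peers")

    lines = ["config"]
    clean = {}
    for number, raw in sorted(keys.items()):
        if not 0 <= number <= MAX_KEY_NUMBER:
            raise ValueError("key number must be 0 to 20")
        clean[number] = normalize_key(raw)
        lines.append("ENTERKEY %d %s" % (number, clean[number]))

    for kind, addr, number in peers:
        ipaddress.ip_address(addr)               # raises on a malformed address
        if number not in clean:
            raise ValueError("peer %s references key %d, which was never entered" % (addr, number))
        line = "%s IP Address %s" % (kind.capitalize(), addr)
        if number != 0:                           # Key 0 is the default when omitted
            line += " Key %d" % number
        lines.append(line)

    lines.append("AES ON")
    if rekey is None:
        lines.append("REKEY OFF")
    else:
        nn, unit = rekey
        rekey_period_minutes(nn, unit)            # validate before emitting
        lines.append("REKEY ON")
        lines.append("REKEY PERIOD %d %s" % (nn, unit.capitalize()))
    lines.append("save")
    return lines


if __name__ == "__main__":
    # Constructed example: a Client with one Server peer on key 0, weekly rekey.
    shared = generate_key_hex() + "\r\n"          # as it arrives from a terminal copy
    for line in build_security_config("client", {0: shared},
                                      [("server", "192.168.2.55", 0)], (7, "days")):
        print(line)
```

The script never sends anything to the unit; it only produces the text block to paste from the Console Port after config, so the key validation and the peer-count rules are applied before the unit sees the configuration.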
then tunneled, bridged or routed to the destination network. At the destination network the packets are decrypted and the original Ethernet packets are securely delivered to the destination Ethernet device. Protocols supported include legacy protocols such as NetBEUI, IPX, AppleTalk and DECnet. Legacy applications that utilize non-routable protocols are able to access services across an IP point-to-point connection.

Management
Management of the BlackDoor is accomplished with a Command Line Interface (CLI) that is accessed through the console port or a telnet connection. Templates of the most common configurations provide for an Edit and Paste approach.

Unit Ports and Indicators
Console Port: A console port for Out-of-Band management access to the unit.
LAN Interface: The BlackDoor provides two 10/100BaseT Full/Half Ethernet LAN interfaces with autonegotiation or configurable speed and duplex. Management via the LAN ports is enabled when remote access to the unit is more convenient. LAN1 is the unencrypted Ethernet Network; the LAN2 port is the encrypted network. The LAN LNK indicators show connectivity with a green light.
The BlackDoor GIG provides two 10/100/1000BaseT Full Ethernet LAN interfaces. Currently these interfaces must be manually configured for proper communication. Please see Chapter 2 Installation QuickStart for configuration settings for the LAN ports. Management via the LAN ports can be enabled when remote access
Ethernet cable. For direct connection to a PC or other LAN device, the user should obtain a 10/100/1000BaseT crossover cable. LAN1 connects to the Internal Network that is to be encrypted, and LAN2 connects to the interconnecting network. 10/100/1000BaseT Ethernet cabling and crossover pinouts are provided in the Appendices.

Status LEDs
LEDs provide Power, Console and LAN Interface status.
BlackDoor front panel: the Power LED will be green if power has been properly connected and turned on.
BlackDoor GIG rear panel: the PR LED will be green if power has been properly connected and turned on.
BlackDoor: The IND1 LED flashes on and off every second when the CPU timer process is active. The IND2 LED is undefined at this time. The IND3 LED is green when the BlackDoor has established an encrypted tunnel with its peer.
BlackDoor GIG: The IND1 LED flashes on and off every second when the CPU timer process is active.
Ethernet: The BlackDoor provides specific information with RD and TD indicators, providing status on packet receipt and transmission respectively on the Ethernet interface.
• When receiving, the RD will show a steady or flashing GREEN.
• When transmitting, the TD will show a steady or flashing GREEN.
• If after power on the BlackDoor is unable to acquire a unique network address on the LAN, both TD and RD will be solid green. Note: during full duplex, high packet rate operation both TD and RD will also be on simultaneously.
autonegotiation is configured to OFF.

MaxFrameSize 1514 to 1552
MaxFrameSize (MTU) defines the maximum length of an Ethernet frame for the LAN port. The possible values are 1514 to 1552. The default value is 1514 for normal traffic. A setting of 1518 is needed to make room for an Ethernet header that includes an 802.1q VLAN tag (the tag adds 4 bytes). In general the MaxFrameSize for a LAN port can be set to 1518 unless there is a host on the network that cannot accept a frame of that size. In Route Mode, if it is expected that a decrypted packet would be routed back on LAN2, it is best to have MaxFrameSize equal on LAN1 and LAN2.

IP ADDRESS address mask
The interface IP address and subnet mask are required for configuration with telnet or connectivity tests with ping. The subnet mask can be entered in long or short form. This configuration parameter applies to LAN1 only.
Examples:
IP ADDRESS 192.168.1.1 255.255.255.0
IP ADDRESS 192.168.1.1/24

IP DEFAULT ROUTER address
Configures the IP address of the default router or gateway for this Ethernet interface. This must be an IP address on the same network as the BlackDoor Ethernet interface. The default router is not required if the BlackDoor is to be managed from within the same IP subnet.

BlackDoor GIG Config Interface Commands
Configuration of the BlackDoor requires setting parameters for the L
Security Parameters.

BlackDoor Family System Parameters
System parameters are the Host Name, Host Contact, Host Location, the system's Default Router, Telnet on/off and timeout, SNMP on/off, SNMP Community Name, and SNMP Traps on/off. Host Name, Host Contact and Host Location are useful parameters to identify the BlackDoor.

HOST NAME
Provide a unique name for the BlackDoor.
Example: HOST NAME Aptos BlackDoor

HOST CONTACT
Provide the name of the individual or department that manages the BlackDoor.
Example: HOST CONTACT Aptos NOC

HOST LOCATION
Specify the location of the BlackDoor.
Example: HOST LOCATION 17th Floor Telco Closet 12

DEFAULT ROUTER
If the BlackDoor is to be accessed from an IP Network that is not part of the BlackDoor's IP Address Range and an IP Route to that network is not available, then a default router must be specified. The Default Router is specified at the System level. The Default Router is typically the BlackDoor's local IP WAN Router.
Example: IP DEFAULT ROUTER aaa.bbb.ccc.ddd

TELNET ON | OFF
Turns Telnet management on or off. Telnet sessions are not encrypted; when Telnet is turned OFF, access to the management interface is restricted to the Console Port and to SNMP if SNMP is turned ON.

USER TIMEOUT Off | 1 to 60
This setting can be turned Off or set to the number of minutes you can leave your console or telnet session idle before
communication should come from within the same subnet. With no default router, the BlackDoor will not be able to reply to communication off its own subnet.
Cause: IP stack on the workstation not configured.
Solution: Ensure that other devices on the same LAN can be pinged or otherwise seen.

Can't communicate with the BlackDoor Console Port
Cause: Baud rate, stop bits, etc. set wrong in the communication application.
Solution: Ensure the communication software is configured for a fixed asynchronous data rate of 9600 bps, 1 stop bit, no parity, 8 bit fixed, and that the flow control is set to none.
Cause: Transmit and Receive Data swapped.
Solution: The console port is configured as a DTE port. For connection to a DCE device such as a modem, a Null Modem adapter is required.

BlackDoor Off-Net IP Interconnect Verification
In most applications the BlackDoors will be located on different IP networks and the interconnection is through a routed connection. At each end of the routed connection, the unit's default router IP address needs to be pointed to the first router in the path to that remote IP subnet. Through a Telnet connection to a BlackDoor it is possible to verify the ability of the unit to ping its local default router and to ping the remote BlackDoor. Note: the console port does not support the Ping command, as it does not have an IP Address.

TCP/IP Connection
An IP Ping pro
uter.
SubNet Address: An extension of the IP addressing scheme which enables an IP site to use a single IP address for multiple physical networks. Subnetting is applicable when a network grows beyond the number of hosts allowed for the IP address class of the site.
TCP: Transmission Control Protocol ensures reliable, sequential delivery of data. TCP at each end of the connection ensures that the data is delivered to the application accurately, in sequence, completely and free of duplicates. The application passes a stream of bytes to TCP, which breaks it into pieces, adds a header forming a segment, and then passes each segment to IP for transmission.
Telnet: The TCP/IP standard protocol for remote terminal connection service. A user can Telnet from the local host to a host at a remote site.
UDP: User Datagram Protocol provides a simple, efficient protocol which is connectionless and thus unreliable. The destination port contained in the UDP header is used to direct the datagram to a specific application on the destination host, whose address is carried in the IP header.
Well Known Port: Any set of port numbers reserved for specific uses with transport-level protocols (TCP and UDP). Well known ports exist for echo servers, time servers, telnet and FTP servers.

Communication Link Definitions
Synchronous Serial Interfaces: A serial interface between two devices which provides for bi-directional data transfer as well as clock in
power adapter is not connected to power, then plug the DC adapter into the circular rear panel POWER connector. Connect the power adapter to an appropriate AC power outlet and check the POWER LED on the rear panel of the Engage BlackDoor GIG. The POWER LED is GREEN.

Console Port
The BlackDoor includes a Console port for initial configuration. It may be used for serial communication from a local workstation or for remote connection via a modem. The Console port utilizes an RJ45 jack. The BlackDoor console port is configured as a DTE (Data Terminal Equipment) port. This allows direct connection to a DCE (Data Communication Equipment) device such as a modem. An RJ45 to DB9 adapter is provided with the BlackDoor and BlackDoor GIG, permitting direct connection to DTE equipment such as the COM1 interface of a PC. Pinouts for the Console port as well as Engage supplied adapters are provided in the Appendices.
Communication to the BlackDoor console port should be set for 9600 baud, 1 stop bit, no parity, 8 bit fixed, flow control none.
Communication to the BlackDoor GIG console port should be set for 115200 baud, 1 stop bit, no parity, 8 bit fixed, flow control none.
Once a serial connection between a workstation and the BlackDoor console port is established and a carriage return <CR> is entered, a Login prompt will appear. The default login is root. A password is not needed until it is user set; set one before the unit is placed on the network.

Configuring the LAN T