EasyManuals Logo

GE MDS ORBIT ECR User Manual

GE MDS ORBIT ECR
463 pages
To Next Page IconTo Next Page
To Next Page IconTo Next Page
To Previous Page IconTo Previous Page
To Previous Page IconTo Previous Page
Page #409 background imageLoading...
Page #409 background image
MDS 05-6632A01, Rev. F MDS Orbit MCR/ECR Technical Manual 409
failure-retry-interval 1;
}
connection VPN-GWY-CONN-1 {
ike-peer VPN-GWY;
ipsec-policy IPSEC-POLICY-1;
local-ip-subnet 192.168.1.0/24;
remote-ip-subnet 192.168.2.0/16;
failure-retry-interval 1;
}
IMA-CONN-1 is used for attestation and VPN-GWY-CONN-1 is used for VPN data connection.
If more than one IPsec connection is configured on the unit, the unit initiates connections in round-robin
fashion. For example, MCR will follow the following sequence:
Attempt connection to IMA-SERVER
Attempt connection to VPN-SERVER (irrespective of IMA-SERVER connection outcome)
Attempt connection to IMA-SERVER after failure-retry-interval if previous attempt to connect with it
failed.
Attempt connection to IMA-SERVER after periodic-retry-interval if previous attempt to connect with
it succeeded.
Attempt connection to VPN-SERVER after failure-retry-interval if it failed previously or got
disconnected due to dead peer detection.
and so on…
Obtaining Configuration File Hash 7.2.1
The following example shows the use of a request to get the system configuration hash:
admin@(none) 22:09:59> request services vpn ipsec get-config-hash hash-algo sha384 hash
e60429aa127cb2f23e10ae00b6c1553fa9d1f598b2a206926ad0dcdf9a758622eec77ad559b32f
85ceea9013a961041f
[ok][2013-01-18 22:10:15]
This hash can then be loaded in IMA database.
7.3 Monitoring
The current attestation status of the IMA connection is displayed using same command as used to display
regular VPN data connection status. The example on the following page shows that the IMA connection
succeeded but the IMA Evaluation was “non-compliant” and IMA recommendation was “Quarantined”.
This will happen is the system configuration file hash loaded in IMA does not match the actual hash of
the current system configuration, indicating that system configuration was changed since last time the
hash was loaded in the IMA database.
> show services vpn
services vpn ipsec ipsec-status connections connection IMA-CONN-1
state disconnected
failure-reason none
last-timestamp 2013-01-18T21:24:26+00:00
ima-evaluation “non-compliant major”
ima-recommendation Quarantined

Table of Contents

Questions and Answers:

Question and Answer IconNeed help?

Do you have a question about the GE MDS ORBIT ECR and is the answer not in the manual?

GE MDS ORBIT ECR Specifications

General IconGeneral
BrandGE
ModelMDS ORBIT ECR
CategoryNetwork Router
LanguageEnglish

Related product manuals