Configuring basic connections and administrative user for the gateway
To set up the basic connections and the administrative user for the Blue Cedar gateway, perform the tasks in this order:
- Configure the gateway ports (public and private)
- Configure the administrative user for the gateway
Note: You can use SSH to configure the gateway. By default, SSH is enabled on port 22 of the gateway.
About the gateway ports
The ports on the gateway are ethernet ports. They have pre-assigned MAC addresses. You must configure the ports for Layer 3, specifically IPv4. Currently, the gateway only supports IPv4.
The gateway has two types of ports:
- A public interface port for receiving all encrypted IPSec-tunneled data from outside of the gateway's network.
- A private interface port for forwarding the inbound data after it has been decrypted by the gateway to the configured networks.
This is a template of the command to set the variables of the gateway ports:
% set ports ethernet0 description string address ip-address netmask subnet-mask
gateway ip-address admin-state state addr-type type mtu num security level management setting
Parameter | Description |
---|---|
addr-type type | Type of IP address to use for the port. Values: static, dhcp, auto. Recommended: static or dhcp (auto is a new experimental feature). |
address ip-address | IP address of the port. Only applicable when addr-type is static. |
admin-state state | Link administrative state. Values: up, down. |
description string | Port name. |
gateway ip-address | IP gateway address for the port. |
management setting | Boolean. Indicates if this port can be used for management purposes. The private interface (ethernet0) can be used to manage the gateway with SSH or HTTP(S) by setting this element to true. Value: true if management allowed, false otherwise. Defaults: |
mtu num | Interface MTU setting. |
netmask subnet-mask | IP network mask of the port. |
security level | Indicates if this interface should be used for talking to the private or public network. Values: |
Example
% set ports ethernet1 description "Public interface" address 192.168.32.5 netmask 255.255.255.0
gateway 192.168.32.1 admin-state up addr-type static mtu 1410 security public management false
% commit
Data configured:
ports ethernet1 {
description "Public interface";
addr-type static;
netmask 255.255.255.0;
gateway 192.168.32.1;
admin-state up;
security public;
management false;
mtu 1410;
address 192.168.32.5;
}
Configure the port for the private interface (ethernet0)
This port is used only for forwarding mobile app data to the appropriate network port.
Use this template for configuring the parameters for the private interface:
% set ports ethernet0 address IP_address element attribute
See About the gateway ports for the list of available elements.
Note: The default values for admin-state, management, mtu, and security parameters are generally correct for a port. Typically you do not need to change the default values for those parameters.
The parameter values that you must set are unique for your company:
- addr-type
- address
- gateway
- netmask
For example, if you have set the addr-type parameter to static, then you must configure the address and netmask parameters. Whether the gateway parameter is required depends on the port you are configuring and on your network topology.
Example
% set ports ethernet0 address 192.168.0.101 addr-type static netmask 255.255.0.0 gateway 192.168.0.1
- 192.168.0.101 is the IP address of the private interface port
- static is the IP address type for the private interface port
- 255.255.0.0 is the netmask
- 192.168.0.1 is the default gateway for the network that 192.168.0.101 is a part of
When you have configured the port, you can use the show command in operational mode to see port settings that are similar to the following:
> show config configuration context default ports ethernet0
ports ethernet0 {
description "Private interface";
addr-type static;
address 192.168.0.101;
netmask 255.255.0.0;
gateway 192.168.0.1;
admin-state up;
security private;
management false;
mtu 1500;
}
In this example:
- "security private" indicates that this interface talks to a private network
- "management false" indicates that this port is not used for management purposes
Configure the port for the public interface (ethernet1)
This port allows a Blue Cedar-secured app to connect to the gateway by creating an IPSec tunnel.
Use this template to configure the ethernet1 port:
% set ports ethernet1 address IP_address
See About the gateway ports for the list of available configuration options.
Example
% set ports ethernet1 address 192.168.3.79 netmask 255.255.255.0 gateway 192.168.3.1
- 192.168.3.79 is the IP address of the public interface port.
- 255.255.255.0 is the subnet mask.
- 192.168.3.1 is the default gateway for the network that 192.168.3.79 is a part of.
Note: You can use CLI command completion (such as set ports ?) to find the name of a port on your physical machine and the attributes that must be configured.
As with the other interfaces, you can use the show command in operational mode to see port settings.
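The following Python check is an added example, not Blue Cedar code. It parses port blocks in the format the show command prints above and flags static ports missing address or netmask, a gateway outside the port's subnet, and use of the experimental auto address type. The sample input is constructed with a deliberately mismatched gateway, and the rule that management must be off on a public port is an assumed local policy.

```python
import ipaddress
import re

# Constructed sample in the page's "ports NAME { element value; }" format.
SAMPLE = '''
ports ethernet0 {
    description "Private interface";
    addr-type static;
    address 192.168.0.101;
    netmask 255.255.0.0;
    gateway 192.168.0.1;
    security private;
}
ports ethernet1 {
    addr-type static;
    address 192.168.32.5;
    netmask 255.255.255.0;
    gateway 192.168.3.1;
    security public;
    management true;
}
'''

def parse_ports(text):
    """Return {port_name: {element: value}} from the port blocks in text."""
    ports = {}
    for name, body in re.findall(r"ports\s+(\S+)\s*\{(.*?)\}", text, re.S):
        ports[name] = dict(re.findall(r'^\s*([\w-]+)\s+"?([^";]*)"?;', body, re.M))
    return ports

def audit(ports):
    """Return a sorted list of (port, finding) tuples."""
    findings = []
    for name, cfg in ports.items():
        kind = cfg.get("addr-type")
        if kind == "auto":
            findings.append((name, "addr-type auto is experimental"))
        if kind == "static":
            missing = [k for k in ("address", "netmask") if k not in cfg]
            if missing:
                findings.append((name, "static port missing " + ", ".join(missing)))
            elif "gateway" in cfg:
                net = ipaddress.ip_network(f"{cfg['address']}/{cfg['netmask']}", strict=False)
                if ipaddress.ip_address(cfg["gateway"]) not in net:
                    findings.append((name, "gateway outside port subnet"))
        # Assumed local policy: management is allowed only on the private side.
        if cfg.get("security") == "public" and cfg.get("management") == "true":
            findings.append((name, "management enabled on public port"))
    return sorted(findings)
```

Call audit(parse_ports(text)) on saved show config output; an empty list means none of these checks fired.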
Configure the administrative user for the gateway CLI
The administrative user is required for logging into non-console management interfaces.
To configure an administrative user, perform these two steps:
- Set up a user as a member of the administrator group:
% set aaa auth-provider local user username password string group string_for_admin_group
For example, to assign jbrown with a password (fast2) to the administrator group named managers:
% set aaa auth-provider local user jbrown password fast2 group managers
- Set a group as the administrator group:
% set aaa auth-provider local group string_for_admin_group administrator true
For example, to configure the group named managers as an administrator group:
% set aaa auth-provider local group managers administrator true
Note: The value of string_for_admin_group in this command should match the value of the string_for_admin_group set in the previous command for the user who is a member of the administrator group. In both of these examples, the value of the string_for_admin_group is managers.