To set up the basic connections and the administrative user for the Blue Cedar gateway, perform the tasks in this order:

  • Configure the gateway ports (public and private)
  • Configure the administrative user for the gateway

Note: You can use SSH to configure the gateway. By default, SSH is enabled on port 22 of the gateway.

About the gateway ports

The ports on the gateway are Ethernet ports with pre-assigned MAC addresses. You must configure the ports for Layer 3, specifically IPv4. Currently, the gateway only supports IPv4.

The gateway has two types of ports:

  • A public interface port for receiving all encrypted IPSec-tunneled data from outside of the gateway's network.

  • A private interface port for forwarding the inbound data after it has been decrypted by the gateway to the configured networks.

This is a template of the command to set the variables of the gateway ports:

% set ports ethernet0 description string address ip-address netmask subnet-mask 
gateway ip-address admin-state state addr-type type mtu num security level management setting

addr-type type

Type of IP address to use for the port

Values: static, dhcp, auto

Recommended: static or dhcp (auto is a new experimental feature)

address ip-address

IP address of the port. Only applicable when addr-type is static.

admin-state state

Link administrative state.

Values: up, down

description string

Port name

gateway ip-address

IP gateway address for the port

management setting

Boolean. Indicates if this port can be used for management purposes. The private interface (ethernet0) can be used to manage the gateway with SSH or HTTP(S) by setting this element to true.

Value: true if management allowed, false otherwise.

  • Private interface: true
  • Public interface: false (cannot be configured)

mtu num

Interface MTU setting

netmask subnet-mask

IP network mask of the port

security level

Indicates if this interface should be used for talking to the private or public network.

  • public: The interface receives/allows traffic on UDP port 4500.
  • private: The interface receives/allows traffic destined for a client connection/tunnel.


% set ports ethernet1 description "Public interface" address netmask 
gateway admin-state up addr-type static mtu 1410 security public management false 
% commit

Data configured:

ports ethernet1 {
  description "Public interface";
  addr-type   static;
  admin-state up;
  security    public;
  management  false;
  mtu         1410;

Configure the port for the private interface (ethernet0)

This port is used only for forwarding mobile app data to the appropriate network port. 

Use this template for configuring the parameters for the private interface:

% set ports ethernet0 address IP_address element attribute

See About the gateway ports for the list of available elements.

Note: The default values for admin-state, management, mtu, and security parameters are generally correct for a port. Typically you do not need to change the default values for those parameters.

The parameter values that you must set are unique for your company:

  • addr-type
  • address
  • gateway
  • netmask 

For example, if you have assigned the addr-type parameter as static, then you must configure the address and netmask parameters. Depending on the port you are configuring, the “gateway” parameter may or may not be required. This is dependent on your network topology.


% set ports ethernet0 address addr-type static netmask gateway

  • is the IP address of the private interface port
  • static is the IP address type for the private interface port
  • is the netmask
  • is the default gateway for the network that 192.168.0.101 is a part of

When you have configured the port, you can use the show command in operational mode to see port settings that are similar to the following:

> show config configuration context default ports ethernet0
ports ethernet0 {
  description "Private interface";
  addr-type   static;
  admin-state up;
  security    private;      
  management  false;
  mtu         1500;

In this example:

  • "security private" indicates that this interface talks to a private network
  • "management false" indicates that this port is not used for management purposes

Configure the port for the public interface (ethernet1)

This port allows a Blue Cedar-secured app to connect to the gateway by creating an IPSec tunnel.

Use this template to configure the ethernet1 port:

% set ports ethernet1 address IP_address

See About the gateway ports for the list of available configuration options.


% set ports ethernet1 address netmask gateway
  • is the IP address of the public interface port.
  • is address for the subnet mask
  • is the default gateway for the network that is a part of.

Note: You can use CLI command completion (such as set ports ?) to find out the name of the port on your physical machine and also the attributes that must be configured.

As with the other interfaces, you can use the show command in operational mode to see port settings.
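An offline check of the port rules described on this page, added here as an example (it is not Blue Cedar code): it parses text laid out like the show output and flags a static port without address or netmask, the experimental auto address type, an invalid admin-state, and management enabled on the public interface. The sample text, its address value, the syntax of the address line, the closing braces, and the function names are assumptions.

```python
import re

# Constructed sample in the layout of the show output on this page; the address
# and netmask lines, their values and the closing braces are assumptions.
SAMPLE = '''
ports ethernet0 {
  description "Private interface";
  addr-type   static;
  address     192.0.2.10;
  admin-state up;
  security    private;
  management  true;
}
ports ethernet1 {
  description "Public interface";
  addr-type   auto;
  admin-state up;
  security    public;
  management  true;
  mtu         1410;
}
'''

BLOCK = re.compile(r'ports\s+(\S+)\s*\{(.*?)\}', re.S)
FIELD = re.compile(r'^\s*([\w-]+)\s+(.*?);\s*$', re.M)

def parse_ports(text):
    """Return {port: {element: value}} for each 'ports <name> { ... }' block."""
    return {name: {k: v.strip('"') for k, v in FIELD.findall(body)}
            for name, body in BLOCK.findall(text)}

def audit(ports):
    """Check each port against the element rules stated on this page."""
    findings = []
    for name, p in sorted(ports.items()):
        missing = [k for k in ('address', 'netmask') if k not in p]
        if p.get('addr-type') == 'static' and missing:
            findings.append((name, 'static but not set: ' + ', '.join(missing)))
        if p.get('addr-type') == 'auto':
            findings.append((name, 'addr-type auto is experimental'))
        if p.get('admin-state') not in ('up', 'down'):
            findings.append((name, 'admin-state must be up or down'))
        if p.get('security') == 'public' and p.get('management') != 'false':
            findings.append((name, 'management must be false on public port'))
    return findings

if __name__ == '__main__':
    for port, msg in audit(parse_ports(SAMPLE)):
        print(f'{port}: {msg}')
```

Save the output of the show command to a file and pass its contents to parse_ports to run the same checks on a real configuration.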

Configure the administrative user for the gateway CLI 

The administrative user is required for logging into non-console management interfaces.

To configure an administrative user, perform these two steps:

Set up a user as a member of the administrator group:

  • % set aaa auth-provider local user username password string group string_for_admin_group
  • For example, to assign jbrown with a password (fast2) to the administrator group named managers:

    % set aaa auth-provider local user jbrown password fast2 group managers

Set a group as the administrator group:

  • % set aaa auth-provider local group string_for_admin_group administrator true

    For example, to configure the group named managers as an administrator group:

    % set aaa auth-provider local group managers administrator true

    Note: The value of string_for_admin_group in this command should match the value of the string_for_admin_group set in the previous command for the user who is a member of the administrator group. In both of these examples, the value of the string_for_admin_group is managers.
