Nortel VPN Router Troubleshooting
Version 7.00
Part No. NN46110-602
Copyright © 2007 Nortel Networks. All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved.
Preface

This guide provides information about how to manage and troubleshoot the Nortel VPN Router.

Before you begin

This guide is for network managers who monitor and maintain the Nortel VPN Router. It assumes that you have experience with system administration and familiarity with network management.

Text conventions

This guide uses the following text conventions:

angle brackets (< >) Indicate that you choose the text to enter based on the description inside the brackets.

braces ({ }) Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is ldap-server source {external | internal}, you must enter either ldap-server source external or ldap-server source internal, but not both.

brackets ([ ]) Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command.

vertical line ( | ) Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is terminal paging {off | on}, you enter either terminal paging off or terminal paging on, but not both.
Acronyms

This guide uses the following acronyms:

L2TP   Layer 2 Tunneling Protocol
LAN    local area network
LDAP   Lightweight Directory Access Protocol
NAT    Network Address Translation
OSI    Open Systems Interconnection
OSPF   Open Shortest Path First
PAP    Password Authentication Protocol
PCAP   packet capture
PDN    public data network
POP    point of presence
PPP    Point-to-Point Protocol
PPTP   Point-to-Point Tunneling Protocol
RADIUS Remote Authentication Dial-In User Service
RIP    Routing Information Protocol
SNMP   Simple Network Management Protocol

Related publications

For more information about the Nortel VPN Router, see the following publications:

• Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds.
• Nortel VPN Router Configuration — Basic Features (NN46110-500) introduces the product and provides information about initial setup and configuration.

Hard-copy technical manuals

You can print selected technical manuals and release notes free, directly from the Internet. Go to www.nortelnetworks.com/documentation, find the product for which you need documentation, then locate the specific category and model or version for your hardware or software product. Use Adobe Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Web site at www.adobe.

Getting help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support. This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.

Getting help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
New in this release

The following section details what is new in Nortel VPN Router Troubleshooting for Release 7.0.

Automatic backups

You can now back up a file or a directory, as well as trigger a backup when a file changes. Previously, you could only back up system, configuration, and log files. You can use either the graphical user interface (GUI) or the command line interface (CLI) to configure automated backup. You can also now use a Secure File Transfer Protocol (SFTP) client as well as File Transfer Protocol (FTP) to transfer backup files. Because a backup set includes the configuration and LDAP files, prefer SFTP: FTP sends both the login credentials and the file contents in cleartext.
Chapter 1 VPN Router administration

This chapter introduces administrator settings, tools, system configuration, and file management. It also includes information about SNMP traps.

Administrator settings

The VPN Router supports multiple administrators. You can assign different rights to allow or prevent administrative users from managing or viewing the VPN Router and user configuration information. You assign administrative privileges and rights on the Profiles > User > Edit window.

You use the Administrator Settings window to do the following:
• change the primary administrator user ID and password
• control the Administrator Idle Timeout Setting for all administrators
• control the default language
• control the serial port settings

There is only one primary administrator.

Dynamic password

Two types of administrative users exist on the VPN Router:
• one super-user (Administrator)
• as many administrative users as needed

There is dynamic password support for administrative users only. The Administrator still requires a static password. RADIUS manages the dynamic password. The external RADIUS service acts as an intermediary between the VPN Router and the dynamic password authentication system.

The Traceroute tool measures the round-trip delay to each hop on the path to a destination. Probes are sent per hop, and the tool waits for a reply after each probe. If the address is unreachable, the following formula determines how long Traceroute takes to time out:

maximum hops (30) x wait timeout (5 seconds) x 3 probes per hop

With the default values this is 450 seconds, so an unreachable target holds the tool for seven and a half minutes before it gives up.

The Address Resolution Protocol (ARP) dynamically discovers the low-level physical network hardware address that corresponds to the high-level IP address for a host.

Simple Network Management Protocol (SNMP)

Use the Admin > SNMP window to do the following:
• designate the remote SNMP management stations that are authorized to send SNMP Gets to the VPN Router
• enable specific MIBs

Note: A Nortel proprietary MIB is included on the Nortel CD. Click the CesTraps.mib file to load the MIB. See Appendix A, "MIB support," for a description of the CesTraps.mib.

SNMP counters measure packet attributes based on the outer IP header.

The traps displayed on the group windows, in particular the Hardware Trap Configuration and the Service Trap Configuration windows, reflect the hardware and software available on your VPN Router. For example, if you have a VPN Router with no WAN interface cards, the traps for WAN interfaces do not appear on the Hardware Trap Configuration window.

Note: The Health Check window reports the results of many of the selections you make on the SNMP Traps window.

Configuring SNMP traps to send notification when an IP address pool reaches the configured threshold

Figure 1 Admin > SNMP Traps window

2 Enter a host name or IP address in the Host Name or IP Address text box.
3 Enter a name in the Community Name text box.
4 Click Enable.
5 Click OK.
6 Under the Trap Groups section on the SNMP Traps window, click Configure beside Service. The Service Trap Configuration window appears.
7 Click OK.
8 Click Enable for User IP Address Pool.
9 Click OK. The Address Pool window appears.

To configure the amount:

CES(config)# ip local pool exhausted-amount
Chapter 2 Status and logging

The Status windows show which users are logged on, their traffic demands, and a summary of the VPN Router's hardware configuration, including available memory and disk space.

Most events are sent to the event log first. Significant events from the event log are sent to the system log. (Not all data that the system log saves comes from the event log.) From the system log, the VPN Router filters security entries for the security log and configuration entries for the configuration log.

If you have multiple VPN Routers throughout the world, use the Greenwich Mean Time (GMT) standard to synchronize the various log files so that the timestamps are directly comparable.

System

The Status > System window shows the VPN Router's up time, software and hardware configurations, and the current status of key devices.

Accounting

The accounting log provides information about user sessions. This log provides last and first names, user ID, tunnel type, session start and end dates, and the number of packets and bytes transferred. You can use most of these fields to search the log.

Accounting records

Accounting records are detailed logs that record the various activities performed by the VPN Router.

The data collection system stores records in text-based files in the system/dclog subdirectory. The system stores the most recent 60 days of data. The system stores daily files, summary files, and summary history files.

Ongoing administration tasks include monitoring the configuration files, backing up and restoring the VPN Router or the LDAP database, and upgrading images and clients.

• Summary file that always has exactly five records containing summary data, in a file called summary.dc. These values are used to give historical graphs and reports about specific values.
• Summary history file that contains records representing cumulative daily data for the most recent 60 days, in a file called summs.dc. Each day's summary is represented by four records. These records are for the current, total, average, and maximum values for the day.

Table 1 Field IDs for data collection records (continued)

Field ID  Collected field value  Description
10        MEMUSE                 Filtered memory usage measurement (integer representing a percent between 0 and 100)
11        BOXPACKETSIN           Number of inbound packets
12        BOXPACKETSOUT          Number of outbound packets
13        BOXBYTESIN             Number of inbound bytes
14        BOXBYTESOUT            Number of outbound bytes
15        BOXDROPPEDPACKETS      Number of discarded packets
16        FAILEDAUTHATTEMPTS     Number of failed authentication attempts
17        LASTFIELD
As the event log adds information, the oldest entries are overwritten. The event log retains the latest 2000 entries and discards old entries when it is refreshed.

To configure event logging:

1 Select Status > Event Log. The Event Log window appears. (Figure 2)

Figure 2 Event logs

2 In the Save Events to section, enter a filename and click Save to manually save the current event log at any time.

Figure 3 Capture and display filters

5 You configure the capture filter and display filter using Entity-Subentity or Severity. To configure the capture filter or display filter:
a Click Configure Capture Entity or Configure Display Entity. Figure 4 shows the Configure Display Entity window.

Figure 4 Configure Display Entity

b Select an Entity from the list.
c Select a Subentity from the list.
d Click Add to add the selected entity-subentity pair to the filter.
e Click Accept to complete your changes to the filter.
f Click Remove to delete a selected item from the list.
g Click Configure Capture Severity or Configure Display Severity to configure the level of severity that you want to display on the window from the log.

The two filters are not symmetric. The capture filter decides what is written into the 2000-entry buffer in the first place; an event it excludes is never stored and cannot be recovered later by widening the display filter, which only changes which stored entries you see. Keep the capture filter broad for security entities and narrow only the display filter when you are hunting for a specific problem.
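The following added example (not Nortel code) models the capture and display filters described above on a bounded event log, to show the difference between them in running code: the capture filter controls what is retained, the display filter is only a view, and entries lost to the capture filter or to buffer wraparound are gone. The entity and subentity names, the severity scale, and the sample events are constructed; the buffer defaults to the documented 2000 entries, with a five-entry buffer in the demo so the wraparound is visible.

```python
"""Capture filter versus display filter on a ring-buffer event log (added example)."""
from collections import deque
from dataclasses import dataclass

SEVERITY = {"debug": 0, "info": 1, "warning": 2, "error": 3, "critical": 4}  # constructed scale


@dataclass(frozen=True)
class Event:
    seq: int
    entity: str
    subentity: str
    severity: str
    text: str


class EntitySeverityFilter:
    """Matches on entity-subentity pairs plus a minimum severity.
    An empty pair set means 'any entity', like a filter with no entries added."""

    def __init__(self, pairs=(), min_severity="debug"):
        self.pairs = set(pairs)
        self.min_severity = SEVERITY[min_severity]

    def matches(self, ev):
        pair_ok = not self.pairs or (ev.entity, ev.subentity) in self.pairs
        return pair_ok and SEVERITY[ev.severity] >= self.min_severity


class EventLog:
    def __init__(self, capacity=2000, capture=None):
        self.entries = deque(maxlen=capacity)      # oldest entry is overwritten when full
        self.capture = capture or EntitySeverityFilter()
        self.dropped = 0                           # events the capture filter never stored

    def record(self, ev):
        if self.capture.matches(ev):
            self.entries.append(ev)
        else:
            self.dropped += 1

    def view(self, display=None):
        """Display filter: a view over what was captured, nothing more."""
        display = display or EntitySeverityFilter()
        return [ev for ev in self.entries if display.matches(ev)]


def demo():
    # Capture only Security/IPsec events of warning severity and above; a
    # five-entry buffer makes the overwrite behaviour visible in a short run.
    log = EventLog(capacity=5,
                   capture=EntitySeverityFilter([("Security", "IPsec")], "warning"))
    events = [Event(1, "Security", "IPsec", "info", "tunnel up for alice"),
              Event(2, "Security", "IPsec", "warning", "bad password for alice"),
              Event(3, "Security", "LDAP", "error", "LDAP bind failed")]
    events += [Event(4 + i, "Security", "IPsec", "error", f"auth failed for user{i}")
               for i in range(6)]
    for ev in events:
        log.record(ev)
    return log


if __name__ == "__main__":
    log = demo()
    print("captured:", [ev.seq for ev in log.entries], "dropped:", log.dropped)
    # The widest display filter cannot bring back the LDAP error (seq 3) or
    # the first warning (seq 2), which the ring buffer has already overwritten.
    print("widest view:", [ev.seq for ev in log.view()])
```

In the demo the LDAP bind failure never enters the buffer because the capture filter names only the IPsec subentity, and the first IPsec warning is pushed out by later errors once the buffer is full; neither shows up however the display filter is set. On a real VPN Router the same effect applies at 2000 entries, which is why saving the event log to a file (step 2) before a busy troubleshooting session matters.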
System log

The system log contains all system events that are considered significant enough to be written to disk, including those displayed in the configuration and security logs.

• communications with servers
• LDAP
• Remote Authentication Dial-In User Service (RADIUS)

Configuration log

The Configuration log records all configuration changes.
Chapter 3 Administrative tasks

This chapter describes administrative tasks that help you operate the VPN Router. These tasks provide details on scheduling backups, upgrading the software image, saving configuration files, performing file maintenance, creating recovery diskettes, and system shutdown.

Shutdown

You use the Shutdown options to shut down immediately, to wait until current users are logged off, or to wait until a designated time.

Recovery

In the unlikely event that there is a hard disk crash, use the Recovery window to configure a recovery diskette to restore the software image and file system to the hard drive of the VPN Router. The recovery diskette is included with your VPN Router. You can also use this window to create additional copies of the recovery diskette, as well as to reformat a diskette.

Note: The VPN Router 1000, 1010, 1050, and 1100 do not have a floppy drive in the unit.

This supplies a minimal configuration utility so that you can view the VPN Router from a Web browser.

3 In the Web browser, enter the management IP address of the VPN Router.

• Select Restore Factory Configuration, then click Restore to return the VPN Router to its original factory default configuration. This erases data contained in flash memory and also in the configuration file.

Warning: Selecting this option requires you to rebuild your entire configuration from scratch. An online message specifies the result of the Factory Configuration reset action.

• Click Restore to restore the VPN Router's previously backed-up configuration.

You can use a new factory default software image and file system to restore the VPN Router's hard disk. Specify the name or address and path of the network file server onto which the software from the Nortel CD is installed.

Note: This restores the disk to an operable but clean condition (for example, configuration values are at factory defaults). To view the serial number when the VPN Router is operational, select Status > System.

12 Click Synchronize to immediately synchronize the primary and secondary disks. Thereafter, the disks automatically synchronize every hour.
13 From the list, select the drive on which you want to upgrade the system boot software.
14 If the system boot sector is corrupted, click Upgrade to rewrite the boot software to the hard disk.
15 To restart the system, remove the diskette and press Reset on the back of the VPN Router.
You must create a directory on the File Transfer Protocol (FTP) or Secure File Transfer Protocol (SFTP) server before running automatic backup. If you specify a path in the Admin > Auto backup window and the directory does not exist on the FTP or SFTP server, the automatic backup fails and the message The host path does not exist is logged in the Event log.

Note: Automatic backup does not recognize a path beginning with the slash (/) character as it did in previous releases.

To enable automatic backup when a file or a directory changes:

1 Select Admin > Auto Backup. The Automatic Backup window appears. (Figure 6)

Figure 6 Automatic backup window

2 Click Enabled to enable the associated host backup file server.
3 Enter the backup file server host name or IP address.
4 Enter the backup file server path, for example, test.
5 Click sftp to transport the backup files using an SFTP client.
7 To back up at certain intervals of time, click Interval and in the Interval text box specify in hours the time period after which the system automatically backs up changed files. The minimum interval is 1 hour, and the maximum is 8064 (336 days). The default is 5 hours.
8 If you chose either the Specific Time option or the Interval option, select the Backup Days you want to trigger the specific backup.

Figure 7 Specific Automatic Backup window

14 To see the list of files for a directory, highlight the name of a directory and click Display. The files for that directory appear in the Files list.
15 To select the file that you want to back up, highlight the name of the file and click Select. The name of the file you selected appears beside File name.
16 To select the directory that you want to back up, highlight the name of the directory and click Select.
22 Click Backup to run the backup to each enabled server now. This action also synchronizes the hard disk drives when there is more than one hard drive in a device. Otherwise, the hard disks synchronize automatically every 60 minutes. A new window appears with the backup information at the top of the window.
23 Click OK.

Backing up specific files and directories

To back up specific files and directories, with the option to delete them after backup, enter:

exception backup advanced {1 | 2 | 3} {full | partial | specific [ ] [overwrite] [delete]}

For example, to set the target of the exception backup to the directory /ideX/system/log, enter:

CES(config)# exception backup advanced 1 specific /ideX/system/log/ overwrite

Stopping the backup of specific files and directories

To stop

Stopping the backup of changes to specific files or directories

To stop backing up the changes for specific files or directories for a particular server, enter:

no exception backup advanced {1 | 2 | 3} specific

For example, to stop backing up files that changed in backup server number 1, enter:

CES(config)# no exception backup advanced 1 specific

Using SFTP to transfer backup files

To use SFTP to transfer the backup files, from CLI Global Configuration Mode, enter:

CES(c
Disabling new logins

You can prevent clients from connecting to the VPN Router without affecting the users currently connected by using this feature to disable new logins. When new logins are disabled, no new IPsec connections are established.

To disable new logins:
1 Select Admin > Shutdown.
2 Click Disable new logins. (Figure 8)

Figure 8 Disable new logins

If you do not want to reboot the VPN Router after you disable new logins, click None in the System Shutdown section.

Upgrading the software

• Nortel Web site
• your own FTP site, if you previously downloaded the software from the Nortel FTP site
• Nortel software CD

If an FTP server does not use the standard FTP port numbers, you cannot use it to download Nortel software. For more information, contact Nortel Customer support.

Note: You cannot upgrade the software through a branch office tunnel that is translating the management address with dynamic Network Address Translation (NAT).

Checking available disk space

Before you upgrade your software, use one of the following methods to make sure there is enough available disk space:
• From the GUI, select Status > Statistics > File System. The last line lists the free space on the disk.
• From the CLI, enter show status statistics system file-system. The last line lists the free space on the disk.

Note: Some restrictions apply if you have a VPN Router 1010, 1050, or 1100.

5 Type 5 (Create A User Control Tunnel (IPsec) Profile).
6 Enter the user ID that you plan to use to log in remotely to the VPN Router.
7 Enter the password that you plan to use.
8 Enter the password again.
9 When you are prompted for an IP address, you can enter a static IP address that is assigned to the user during the control tunnel connection. If an address pool is configured, you do not need to enter a static IP address.

b Click Backup to start the backup immediately. This saves your entire hard drive, including the LDAP and configuration files.

Retrieving the new software

For Version 4.80 and later, the VPN Router release image is available in a compressed .zip file so that each individual file does not download separately. The VPN Router decompresses the image as it retrieves it. You must then apply the new image.

Figure 9 shows an example upgrade to V04_80.114 from server 192.32.250.64. The file V04_80.114.tar.gz must be located at the root of the FTP directory.

Figure 9 FTP menu example

When you FTP to the FTP server from another PC, you see the location of the file:

D:\ftp>ftp 192.32.250.64
Connected to 192.32.250.64.
220 entrust-ca Microsoft FTP Service (Version 2.0).
User (192.32.250.64:(none)): anon
331 Password required for anon.
Password:
230 User anon logged in.

• User ID: type the login ID required to gain access to the FTP server where the new VPN Router software is located.
• Password and Confirm Password: type the password (twice) that corresponds to the user ID you just entered.

4 After filling in all the required fields, click Retrieve new version to disk. The New version retrieval window displays the progress of your download and indicates whether the retrieval was successful.

— Response Timeout for RADIUS Accounting Server
— External RADIUS Accounting Server
b Click OK.

Applying the software

After you start the apply process, do not make any queries on the VPN Router. Queries try to access files and can cause problems during the upgrade process.

To apply the new software:
1 Select Admin > Upgrades.
2 From the Apply New Version list, select the software version that you just downloaded.
3 Click Apply to start the upgrade process.
6 Select a system shutdown type of None and click OK. You have successfully upgraded your VPN Router.
Chapter 4 Troubleshooting

This chapter introduces the concepts and practices of advanced network configuration and troubleshooting for the Nortel VPN Router. Its purpose is two-fold: to provide configuration details to consult when setting up or modifying the extranet, and to serve as a resource when diagnosing client and network problems.

Troubleshooting remote access problems typically starts at the client end, when the remote user cannot establish a connection, loses a connection, or has difficulty browsing the network or printing. When connectivity problems occur and the source of the problem is unknown, it is usually best to follow the OSI network architecture layers.

Microsoft Point-to-Point Tunneling Protocol (PPTP) Dial-Up Networking Monitor provides network statistics on device, connection, and network protocols that help monitor traffic flow and assess PPTP connection performance. For more information on the PPTP Dial-Up Networking Monitor, see the PPTP help or your Microsoft PPTP client documentation.

Solving connectivity problems

This section lists many of the common connectivity problems that occur and their recommended solutions. Problems, and some typical client user responses that can help with diagnosis, are categorized as follows:

Modem and dial-up problems

"I cannot browse the Web or check my e-mail over my dial-up connection."
"I cannot ping my ISP site."

1 Confirm that the modem is attached and working properly by running a terminal emulation program on the remote workstation, such as HyperTerminal, and issuing the AT command. If the modem responds OK, it is operating correctly.
2 Verify that there is a PPP dial-up connection over the Internet. To do this, before trying to establish an extranet access or PPTP connection, have the user try Web browsing to www.nortel.com or another Web site.

Remote host not responding

Cause: This indicates that the VPN Router never responded to the IPsec connection attempt or that User Datagram Protocol (UDP) port 500 is blocked.

Action: Verify that the VPN Router is accessible by pinging the host name or IP address that you filled in the destination field. To ping a host called extranet.corp.com, for example, open an MS-DOS command prompt and type ping extranet.corp.com. A successful ping shows only that ICMP reaches the host; a firewall on the path can still block UDP port 500, so if the ping succeeds and the error persists, check the firewall rules between the client and the VPN Router.

Action: Verify that the user name you entered is correct and retype the password before trying the connection again.

No proposal chosen

Cause: The VPN Router you are connecting to is not configured with an IPsec proposal (encryption, integrity, and authentication method) that matches the one configured under the current connection profile.

Action: Verify that you are using the correct IPsec parameters, such as a choice of ESP-3DES with SHA1. Make sure it matches what the client (for example, an International client) can do.

Action: Click Connect to re-establish the extranet connection. If this works, the connection was probably lost due to the Idle Timeout configured on the VPN Router. If no data is transferred through the extranet connection for a long period of time, normally 15 minutes or more, the VPN Router automatically disconnects the connection.

Action: Validate that the VPN Client is configured with a DNS entry. For Windows NT 4.0, open a command prompt and enter ipconfig /all. Verify that a DNS server entry is listed. For Windows 95, from the Start menu on the task bar, select Run and enter winipcfg. Select Nortel VPN Router Extranet Access Adapter from the list of adapters and click More Info. Record the information displayed under the DNS Server entry and verify it with the network administrator.

Cannot access Web servers on the Internet after establishing a VPN Client connection

Cause: For both PPTP and IPsec, this condition occurs as a result of all network traffic passing through the corporate network. Typically, firewalls and other security measures on the corporate network limit access to the Internet.

Action: The administrator can set up a default route on the VPN Router to forward traffic to the Internet.

Alternatively, on NT 4.0, Windows 98, and Windows 95, complete the following steps to change your workstation to be a member of a workgroup instead of a domain:
1 From the Start menu, select Settings > Control Panel. In the Control Panel, double-click Network. The Network Control Panel applet appears.
2 Select the Identification tab. In Windows 95, you can modify the entries on the Identification tab; on NT 4.0, you must click Change to change the entries.
Chapter 4 Troubleshooting • Start from the top down to go in the opposite direction, looking at PPP first and working down to the physical connection. An important point to remember when taking this approach is that at the higher protocol layers, there are more options to misconfigure, but changing them is easier and generally involves less effort. A key point to remember when diagnosing WAN link problems is to involve the T1 service provider in the troubleshooting effort.
Chapter 4 Troubleshooting 81 Check the HDLC framing Assuming that the T1/V.35 interface is operating correctly, use the following steps to determine whether the HDLC layer is up and running properly, and to provide information for Nortel Customer Support for further diagnosis: 1 Check that there are no input or output errors reported on the Manager WAN statistics window. Also look to see if the input and output counters are incrementing at all.
4 If the PPP layer still does not come up, enable the interface debugger to generate large amounts of packet traces in the event log. Report this information to Nortel Customer Support for further diagnosis.
Hardware encryption accelerator connectivity
If the hardware encryption accelerator fails, all sessions are automatically moved over so that the software can handle them.
• DHCP Server assigns IP addresses to clients
• WINS Server provides a translation of the NetBIOS domain name to the IP address
• DNS Server provides a translation of the IP host name to the IP address
• Master Browser is an elected host that maintains lists of all NetBIOS resources
• Domain Controller maintains a list of all clients in the NetBIOS domain and manages administrative requests such as logins
• VPN Router terminates tunnels and routes Microsoft networking requests
The client system's NetBIOS name must be unique in the private network to which the client is connecting. Do not use the same name as your office desktop machine or a generic name such as "my computer". Uniqueness is required.
What is the preferred way to access neighbors on the network?
Microsoft recommends against browsing the Network Neighborhood when tunneling. Another way to access a network resource is through the Run command.
The renewal interval governs how often a client must reregister its name with the WINS server; the client begins trying at one-half of the renewal interval. The extinction interval governs the length of time between when a client name is released and when it becomes extinct. These intervals are the most important to control when using dynamic addresses. There is a trade-off in setting these intervals.
In WINS Manager, select Mappings > Show Database. Note the entry for __MSBROWSE__. This is the machine that is actually the elected master browser, and it changes frequently. If this entry points to an invalid machine, it can cause problems.
To specify a computer as the preferred master browser, set the IsDomainMasterBrowser parameter to True or Yes in the following registry path:
HKEY_LOCAL_MACHINE\System\CurrentControlSet\Services\Browser\Parameters
Unless the computer is configured as the preferred master browser, the parameter is always False or No. There is no user interface for making this change; you must modify the registry.
When 10.1.2.3 broadcasts to find a network neighbor, it (incorrectly) sends to 10.255.255.255. Normal routing functionality does not forward such a packet. The VPN Router finds the best match among its physical interfaces (10.1 in this case) and modifies the broadcast to be correct for that interface (10.1.255.255 here). In this example, if the VPN Router's 10.1 interface was configured with any subnet mask other than 255.255.0.
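The following Python model is an added example and is not code from the Nortel manual or the VPN Router. It reproduces the broadcast fix-up described above: a classful broadcast such as 10.255.255.255 is rewritten to the directed broadcast of the best-matching interface. The interface tables and addresses are constructed, and the choice to select the interface by the sender's address is an assumption drawn from the 10.1.2.3 example.

```python
"""Added example (not Nortel code): model of the broadcast fix-up described above.
The interface tables and addresses are constructed; selecting the interface by
the sender's address is an assumption drawn from the 10.1.2.3 example."""
import ipaddress

# Constructed interface tables (name -> address/prefix), not a real configuration.
INTERFACES_16 = {
    "fei0/1": ipaddress.ip_interface("10.1.0.1/16"),
    "fei0/2": ipaddress.ip_interface("10.2.0.1/16"),
}
INTERFACES_24 = {
    "fei0/1": ipaddress.ip_interface("10.1.2.1/24"),
}

def is_classful_broadcast(dst):
    """True when dst is the all-ones host address of its class A/B/C network,
    the form a client using classful rules sends (10.255.255.255 for 10.x)."""
    d = ipaddress.ip_address(dst)
    o = d.packed
    if o[0] < 128:
        net = ipaddress.ip_network(f"{o[0]}.0.0.0/8")
    elif o[0] < 192:
        net = ipaddress.ip_network(f"{o[0]}.{o[1]}.0.0/16")
    elif o[0] < 224:
        net = ipaddress.ip_network(f"{o[0]}.{o[1]}.{o[2]}.0/24")
    else:
        return False
    return d == net.broadcast_address

def best_match(src, interfaces):
    """Longest-prefix match of the sender against the interface networks.
    Returns (name, interface) or None when no interface contains src."""
    a = ipaddress.ip_address(src)
    hits = [(n, i) for n, i in interfaces.items() if a in i.network]
    return max(hits, key=lambda h: h[1].network.prefixlen) if hits else None

def rewrite_broadcast(src, dst, interfaces):
    """Return the destination the router uses: for a classful broadcast, the
    directed broadcast of the best-matching interface; otherwise dst unchanged.
    With no matching interface the packet is left alone (normal routing drops it)."""
    if not is_classful_broadcast(dst):
        return dst
    m = best_match(src, interfaces)
    if m is None:
        return dst
    return str(m[1].network.broadcast_address)
```

With the /16 table, 10.1.2.3 sending to 10.255.255.255 is rewritten to 10.1.255.255. With a /24 on the matching interface the rewrite becomes 10.1.2.255, so the mask configured on that interface decides which hosts receive the browse request.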
After about 10 to 15 seconds, NetBIOS gives up on the primary interface, moves to the correct tunnel interface, and starts to browse the Network Neighborhood.
Why can't I browse another client in a different tunnel?
Cause: If you are not using a WINS server, this is not possible, because network browsing relies on broadcasts and broadcasts are not forwarded from one tunnel to another.
Action: Use a WINS server to browse another client in a different tunnel.
You must create a connection definition for your initial Internet link through your service provider. A separate connection definition is needed for creating the PPTP tunnel. A common configuration problem experienced during initial PPTP setup is the failure to select the PPTP VPN adapter (instead of the modem) on the PPTP connection definition in Dial-Up Networking.
My downloaded DNS servers for my tunnel connection do not work
Cause: The Microsoft Windows 95/98 and Windows NT operating systems attempt to ping new DNS servers before adding them to the current list of servers.
Action: As a quick test, try to ping (with the tunnel connection active) the DNS servers that the extranet device is downloading at tunnel startup. If you cannot ping the servers, a basic connectivity problem using the tunnel connection exists.
• How to Troubleshoot TCP/IP Connectivity with Windows NT
• Remote Access Service (RAS) Error Code List for Windows NT 4.0
• RAS Error 720 When Dialing Out
• Troubleshooting PPTP Connectivity Issues in Windows NT 4.
• For ActiveX Scripts, Java, and JavaScript*, you must enable both ActiveX and Java programs in Internet Explorer, and enable both Java and JavaScript in Netscape Communicator, for the VPN Router Web management windows to work properly. These options are enabled by default on both Web browsers.
Clearing your Web browser cache when upgrading
To avoid problems when upgrading software revision levels, Nortel recommends that you clear your browser cache and exit the browser and all associated windows (such as mail and news readers). See the following section for browser cache clearing instructions.
Clearing cache
A browser caches windows to improve performance when the same window is requested again.
Document not found message
Cause: This message is returned when the HTTP server cannot find the requested window. This can happen because the Java navigation index file is out of sync with the rest of the system. A corrupted or incorrectly cached index file can also cause this problem.
Action: Clear your browser cache or restart your browser to correct this problem.
Action: Close help windows after viewing them.
Distorted background images
Cause: In Netscape versions prior to 4.0, when your Windows 95, Windows 98, or Windows NT system is configured for 8-bit color (256 colors or less), images can appear distorted in the navigational area.
Action: To avoid this situation, increase the color depth to more than 256 colors (16-bit color or higher).
Action: If necessary, remove the front bezel as described in the installation guide, then push the bottom of the power supply in to reseat it.
Cannot convert from an internal address pool to an external DHCP server
Cause: You cannot convert IP address distribution from an internal address pool to an external DHCP server while sessions are active.
Action: Select Admin > Shutdown, and select Disable Logins after Restart.
Action: Power-cycle the system using the green power button on the back of the VPN Router.
Solving routing problems
The following sections describe routing problems.
Client address redistribution problems
The number of current Utunnel host users can display more than the configured maximum.
Cause: This is not an error; it reflects the running state of the system.
Solving firewall problems
An error occurred while parsing the policy
Description: The policy that you are attempting to view or edit cannot be opened because it does not conform to the required format. This is caused by an error in the LDAP database or a problem with the connection to the VPN Router.
Action:
1 Close the Stateful Firewall Manager.
2 Close all instances of the browser used to load the Stateful Firewall Manager.
Authorization failed. Please try again.
Description: This error occurs when the wrong authentication credentials are entered. The user is re-prompted for credentials until they are either correct or the user clicks Cancel.
Action: No action required.
Unable to communicate with the VPN Router
Description: The Stateful Firewall Manager cannot establish a connection to the VPN Router. This is caused by a network error, or the VPN Router is not responding to requests.
Action: To ensure that the most current data is loaded:
1 Close the current policy, if opened. Saving is not permitted until this error is remedied.
2 From the policy selection window, select All from the Refresh menu.
System files were not loaded properly
Description: This error occurred because the files necessary to load the Stateful Firewall Manager were either not downloaded from the VPN Router properly or were not initialized properly.
Chapter 5 Packet capture
Packet capture (PCAP) is a troubleshooting tool that network administrators and customer support personnel use, in conjunction with other tools such as statistics, logging, network analyzers, and testers, to remotely troubleshoot VPN Router and network problems. Packet capture is especially useful for troubleshooting the VPN Router 1010/1050/1100, which is typically located in a small office where no technical expertise is available.
PCAP initially writes to the RAM buffer. A low-priority task writes the RAM buffer to disk files, called the disk capture files. You can set the maximum size of each disk capture file; when a file reaches that size, PCAP continues writing the captured data (the number of files is bounded by the maxfiles setting). You specify the directory where the files are saved, and you use the automatic backup option (specific backup) to copy or move the files to another machine.
• limit the traffic that the filters capture
• automatically start and stop packet capture with triggers
Note: The VPN Router does not provide tools for opening and viewing captured data. You must offload the PCAP files to view them.
Security features
Packet capture on the VPN Router provides the following features to enhance security:
• Packet capture is disabled by default.
• You can enable packet capture using the CLI through the serial port only.
Capture types
The VPN Router captures packets from the following sources:
• Physical interfaces, including the following:
— Asynchronous digital subscriber line (ADSL)/asynchronous transfer mode (ATM)
— Fast Ethernet and Gigabit Ethernet, including traffic that is not directed to the VPN Router (promiscuous mode)
— Dial (V.
Tunnel captures saved to disk are encapsulated with raw IP encapsulation. When you convert these files to file formats that do not support raw IP encapsulation (including Sniffer), L2 encapsulation is required. You can configure a capture object for an existing tunnel or for tunnels that are not yet initiated. You can also enable persistent mode for tunnel capture objects.
A global IP capture object captures packets beginning from the IP header; no Layer 2 header is saved in the capture file. Because both encrypted and decrypted packets are captured, global IP packet capture is useful in troubleshooting certain VPN issues. Because the decrypted side of tunnel traffic is recorded, the capture files contain the cleartext of protected sessions: restrict access to them and delete them when they are no longer needed.
Note: If capture objects for physical interfaces or tunnels are running at the same time as a global IP capture object, performance on the VPN Router is affected.
• A start trigger causes the system to wait for a specific packet before it starts saving packets to the capture buffer.
• A stop trigger causes the system to stop saving traffic in the capture buffer after a specific packet matching the stop trigger is encountered. The packet capture object, however, is not fully stopped; a start trigger can still restart the capture.
A trigger works only for the direction for which the capture is configured.
You can create new capture objects until the maximum block size reaches 25 Mbyte. (The VPN Router does not allow you to reduce the maximum block size to less than 25 Mbyte.) If you allocate too much memory to packet capture buffers, you receive an error message suggesting a smaller buffer size. To check the maximum block size, select Status > Statistics and click Memory in the Resources section. Scroll to the bottom of the window to find the maximum block size.
• Delete a capture object or capture files when you no longer need them to free up memory or disk space.
• Do not run capture objects for physical interfaces or tunnels at the same time that you run the global IP capture object (some packets are captured more than once).
Enabling packet capture on a VPN Router
You must have a serial connection to enable packet capture. You cannot enable packet capture through a Telnet session.
6 Enter the administrator's user name and password.
Please enter the administrator's user name: admin
Please enter the administrator's password: *****
The serial main menu appears.
Main Menu: System is currently in NORMAL mode.
10 If you want, you can now change the VPN Router administrator password.
CES#configure terminal
Enter configuration commands, one per line. End with Ctrl/z.
CES(config)#adminname password
CES(config)#exit
CES#
After you enable packet capture, it remains enabled until you explicitly disable it with the no capture enable command or until you reboot the VPN Router. You can now configure and start packet capture objects.
For example, enter:
CES(capture-ethernet)#filepath /ideX/system/log
Note: To back up later using the autobackup functionality, the specified file path for the PCAP files must be a directory under /ideX/system.
Setting the size of the RAM buffer
To set the RAM buffer size, from CLI Capture Configuration Mode enter:
buffersize size
where size is the size of the RAM buffer.
For example, enter:
CES(capture-ethernet)#maxfiles 99
Saving captured data
To set the PCAP capture mode to loss or no loss, from CLI Capture Configuration Mode enter:
capture-all
or
no capture-all
For example, enter:
CES(capture-ethernet)#capture-all
Configuring and running packet capture objects
This section provides instructions for creating, configuring, starting, and stopping capture objects, as well as instructions for saving captured traffic to a file on disk.
For example, enter the following command:
CES# capture add test1 ?
  atm              ATM interface capture
  bri              Bri interface capture
  dial             Dial interface capture
  FastEthernet     Fast Ethernet interface capture
  GigabitEthernet  Gigabit Ethernet interface capture
  global           Global RAW IP capture
  serial           Serial interface capture
  tunnel           Tunnel capture
2 Create a capture object by specifying an object name and type.
To configure a capture object:
1 Navigate to Capture Configuration mode by entering the capture command with the object name.
CES#capture ether0
CES(capture-ethernet)#
The resulting prompt shows the type of capture object (physical interface, tunnel, or global IP).
2 Display all parameters that you can configure for that type of capture object.
Tunnel capture parameters
Capture objects for tunnels have several unique parameters. The following example creates a tunnel object called bot1, navigates to Capture Configuration mode, and displays the commands for tunnel objects. The commands in bold are the commands that are available only for tunnel objects. For more information about tunnel capture objects, see "Tunnel captures" on page 106.
Global IP parameters
The configurable parameters for the global IP capture object are the same as the parameters available for physical interface objects. The following example creates a global capture object called rawip, navigates to Capture Configuration mode, and displays the commands for the global capture object. For more information about global IP capture objects, see "Global IP captures" on page 107.
In the following example, the show capture command is run with no object name to display a list of all the capture objects configured on the VPN Router.
CES# show capture
Name     Type      Size     Buffer use  Count  State
bot1     TUNNEL    1048576  0%          0      EMPTY
ether0   ETHERNET  1048576  7%          984    STOPPED
rawip1   GLOBAL    1048576  0%          0      EMPTY
CES#
The following example shows the type of output you see when you enter the show capture command for a specific capture object.
Sample packet capture configurations
This section provides sample configurations and the commands used to create them.
Interface capture object using a filter and direction
In the following example, you configure a capture object called test-filter-in on Fast Ethernet interface 0/1. This object captures inbound FTP traffic only.
Note: The filter used in this example is a predefined VPN Router filter.
To view the status of the running capture object, as well as its configuration, use the show capture command. (In this example, 20 frames are captured in the buffer.
To create and use this capture object, you run commands like the ones illustrated in this example. These commands do the following:
1 Create a capture object called test-trigger on Fast Ethernet interface 0/1.
2 Enter Capture Configuration mode for the object.
3 Set the start trigger to permit FTP.
4 Set the stop trigger to permit Telnet.
5 Exit Capture Configuration mode.
6 Start the capture.
After Telnet traffic activates the stop trigger, the show capture command output resembles the following example. The Capture state field now shows that the capture was stopped by the stop trigger.
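The following Python model is an added example, not code from the Nortel manual or the VPN Router. It replays constructed traffic through an object configured like test-trigger above (inbound direction, start trigger FTP, stop trigger Telnet) to show the trigger semantics described in "Triggers": the stop trigger pauses saving without fully stopping the object, the start trigger can restart it, and packets in the other direction never fire a trigger. Approximating the predefined FTP and Telnet filters by TCP destination port 21 and 23, and saving the packet that fires a trigger, are assumptions the page does not state.

```python
"""Added example (not Nortel code): model of start/stop trigger behaviour.
Packets are constructed; "permit FTP"/"permit Telnet" are approximated by TCP
destination port 21/23, and the packet that fires a trigger is saved (assumptions)."""
from collections import namedtuple

Packet = namedtuple("Packet", "direction proto dport")

def tcp_port(port):
    """Build a trigger predicate that matches TCP traffic to one port."""
    return lambda p: p.proto == "tcp" and p.dport == port

class CaptureObject:
    def __init__(self, direction, start_trigger=None, stop_trigger=None):
        self.direction = direction          # "in" or "out": the only direction triggers see
        self.start_trigger = start_trigger
        self.stop_trigger = stop_trigger
        self.buffer = []                    # stands in for the RAM capture buffer
        # Without a start trigger the object saves packets as soon as it is started.
        self.armed = start_trigger is None
        self.state = "RUNNING"

    def offer(self, pkt):
        """Feed one packet to the object; return True if it was saved."""
        if self.state == "STOPPED" or pkt.direction != self.direction:
            return False
        if not self.armed:
            if self.start_trigger is None or not self.start_trigger(pkt):
                return False
            self.armed = True               # start trigger fired, or re-fired after a stop trigger
            self.state = "RUNNING"
        self.buffer.append(pkt)
        if self.stop_trigger is not None and self.stop_trigger(pkt):
            # Stop trigger: saving pauses, but the object is not fully stopped,
            # so a later start-trigger match resumes capture.
            self.armed = False
            self.state = "STOPPED BY TRIGGER"
        return True

    def stop(self):
        """Operator 'capture <name> stop': the object is fully stopped."""
        self.armed = False
        self.state = "STOPPED"

def run_scenario():
    """Replay constructed traffic through an inbound FTP-start / Telnet-stop object."""
    cap = CaptureObject("in", start_trigger=tcp_port(21), stop_trigger=tcp_port(23))
    traffic = [
        Packet("in", "tcp", 80),    # before the start trigger: discarded
        Packet("in", "tcp", 21),    # inbound FTP fires the start trigger
        Packet("in", "tcp", 80),    # saved
        Packet("out", "tcp", 23),   # outbound Telnet: wrong direction, trigger ignores it
        Packet("in", "tcp", 23),    # inbound Telnet fires the stop trigger
        Packet("in", "udp", 53),    # paused: discarded
        Packet("in", "tcp", 21),    # FTP again: start trigger restarts saving
    ]
    saved = [cap.offer(p) for p in traffic]
    state_before_stop = cap.state
    cap.stop()
    restarted = cap.offer(Packet("in", "tcp", 21))   # fully stopped: no restart
    return {
        "saved": saved,
        "count": len(cap.buffer),
        "state_before_stop": state_before_stop,
        "state_after_stop": cap.state,
        "restarted_after_stop": restarted,
    }
```

The scenario saves four of the seven packets: the outbound Telnet packet is ignored because the object captures inbound traffic only, and the second FTP packet restarts saving after the stop trigger, which matches the "not fully stopped" behaviour described above.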
4 Exit Capture Configuration mode.
5 Start the capture.
CES#capture add test-remote-ip tunnel
CES#capture test-remote-ip
CES(capture-tunnel)#remoteip 192.168.100.1
CES(capture-tunnel)#exit
CES#capture test-remote-ip start
CES#
To stop the capture and save the buffer contents to a file called test6.cap, enter the following commands:
CES#capture test-remote-ip stop
CES#capture test-remote-ip save test6.cap
Saving capture test-remote-ip to file /ide0/test6.cap please wait . . .
3 Click ethereal-setup-n.nn.n.exe.
4 Click a download site and save the executable file on your hard drive.
5 Double-click the executable file to install Ethereal software in the c:\Program Files\Ethereal directory.
6 After you install the software, click the Ethereal application to open the Ethereal window.
6 Enter the password that you entered when you enabled packet capture (see "Enabling packet capture on a VPN Router" on page 111).
Note: If you plan to use Sniffer Pro to view the capture file, go to the next section, "Viewing a PCAP file with Sniffer Pro" on page 127.
7 From the open Ethereal window, disable Enable network name resolution.
T1 frame relay capture:
editcap -F ngsniffer d:\pcap\fr.cap frelay.syc
5 From Sniffer Pro, open the .enc file or the .syc file to view the trace. For a global IP trace or tunnel trace, you must perform an extra step in Sniffer Pro because only Layer 3 traffic is recorded in the PCAP capture.
6 Before opening a global IP or tunnel trace, set the Protocol Forcing option in Sniffer Pro to view the correct Layer 3 information.
a Click Tools > Options > Protocol Forcing.
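The following Python script is an added example and is not code from the Nortel manual, Ethereal, or Sniffer Pro. It performs the Layer 2 encapsulation step that "Tunnel captures" and the Sniffer Pro procedure above require for tunnel and global IP traces: it reads a classic pcap file whose link type is raw IP, prefixes every record with a synthetic Ethernet header (EtherType chosen from the IP version), and writes an Ethernet-framed pcap that any analyzer decodes without protocol forcing. The MAC addresses and the 20-byte sample IPv4 packet are constructed (the checksum is left zero); the script does not know the VPN Router's own file layout beyond the raw IP link type stated on the page.

```python
"""Added example (not Nortel or Wireshark code): re-encapsulate a raw-IP pcap
(the form tunnel and global IP captures are saved in) with a synthetic Ethernet
header so tools that need Layer 2 framing can decode it.
The sample packet is constructed (zero checksum) and is not a real capture."""
import struct

PCAP_MAGIC = 0xA1B2C3D4
LINKTYPE_ETHERNET = 1
RAW_LINKTYPES = {12, 101, 228, 229}        # DLT_RAW, LINKTYPE_RAW, LINKTYPE_IPV4, LINKTYPE_IPV6
FAKE_DST = bytes.fromhex("020000000001")   # locally administered MACs, not real NICs
FAKE_SRC = bytes.fromhex("020000000002")

def is_raw_linktype(linktype):
    return linktype in RAW_LINKTYPES

def read_pcap(data):
    """Parse a classic pcap file; return (linktype, [(ts_sec, ts_usec, orig_len, packet)])."""
    magic = struct.unpack("<I", data[:4])[0]
    if magic == PCAP_MAGIC:
        bo = "<"
    elif magic == 0xD4C3B2A1:
        bo = ">"
    else:
        raise ValueError("not a classic pcap file")
    linktype = struct.unpack(bo + "HHiIII", data[4:24])[5]
    recs, off = [], 24
    while off + 16 <= len(data):
        ts_sec, ts_usec, incl, orig = struct.unpack(bo + "IIII", data[off:off + 16])
        off += 16
        pkt = data[off:off + incl]
        if len(pkt) != incl:
            raise ValueError("truncated record")
        recs.append((ts_sec, ts_usec, orig, pkt))
        off += incl
    return linktype, recs

def write_pcap(linktype, recs, snaplen=65535):
    """Serialize records as a little-endian pcap file with the given link type."""
    out = [struct.pack("<IHHiIII", PCAP_MAGIC, 2, 4, 0, 0, snaplen, linktype)]
    for ts_sec, ts_usec, orig, pkt in recs:
        out.append(struct.pack("<IIII", ts_sec, ts_usec, len(pkt), orig) + pkt)
    return b"".join(out)

def add_l2(linktype, recs):
    """Prefix each raw IP packet with a 14-byte Ethernet header; the EtherType is
    chosen from the IP version nibble so IPv4 and IPv6 records both decode."""
    if not is_raw_linktype(linktype):
        raise ValueError(f"linktype {linktype} is not a raw IP encapsulation")
    wrapped = []
    for ts_sec, ts_usec, orig, pkt in recs:
        ethertype = {4: 0x0800, 6: 0x86DD}.get(pkt[0] >> 4 if pkt else 0)
        if ethertype is None:
            raise ValueError("record is not an IPv4 or IPv6 packet")
        hdr = FAKE_DST + FAKE_SRC + struct.pack("!H", ethertype)
        wrapped.append((ts_sec, ts_usec, orig + 14, hdr + pkt))
    return wrapped

def convert(data):
    """Raw-IP pcap bytes in, Ethernet-framed pcap bytes out."""
    linktype, recs = read_pcap(data)
    return write_pcap(LINKTYPE_ETHERNET, add_l2(linktype, recs))

# Constructed sample: a bare 20-byte IPv4 header (ICMP, checksum left zero).
SAMPLE_IPV4 = bytes.fromhex("45000014000100004001" "0000" "c0a86401" "c0a86402")
SAMPLE_RAW_PCAP = write_pcap(101, [(0, 0, len(SAMPLE_IPV4), SAMPLE_IPV4)])

if __name__ == "__main__":
    with open("converted.pcap", "wb") as f:
        f.write(convert(SAMPLE_RAW_PCAP))
```

Run against a real offloaded capture by reading the file into `convert()`; the converted file opens in Sniffer Pro or Ethereal as ordinary Ethernet traffic. The function refuses files that are not raw IP, so an interface capture that already carries Layer 2 headers is not double-wrapped.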
To delete a packet capture object:
1 Display all configured capture objects on the VPN Router to locate the object or objects that you want to delete.
Appendix A MIB support
The VPN Router supports the management information base (MIB) for use with network management protocols in TCP/IP-based internets and IPX-based networks. The VPN Router supports SNMP Gets only. It does not support SNMP Sets. Nortel also provides proprietary MIBs for the VPN Router's SNMP trap support. The MIBs, cestraps.mib and newoak.mib, are available on the VPN Router distribution CD in the Doc directory.
RFC 1724—RIP Version 2 MIB Extension
The VPN Router supports RFC 1724, RIP Version 2 MIB Extension. As stated in the introduction to the RFC, the RFC "defines a portion of the Management Information Base (MIB) for use with network management protocols in TCP/IP-based internets. In particular, it defines the objects for managing RIP Version 2.
RFC 2787—VRRP MIB
The VPN Router supports RFC 2787, Definitions of Managed Objects for the Virtual Router Redundancy Protocol. As stated in the introduction, RFC 2787 "defines an extension to the Management Information Base (MIB) for use with SNMP-based network management. In particular, it defines objects for configuring, monitoring, and controlling routers that employ the Virtual Router Redundancy Protocol (VRRP).
RFC 1573—IanaIfType MIB
This MIB contains the enumerations for the RFC 2233 ifTable.ifType object. These enumerations describe the various types of interfaces that ifTable can support.
RFC 2233—If MIB
This MIB is the latest evolution of the RFC 1213 Interfaces group, plus several new objects.
RFC 2571—Snmp-Framework MIB
This MIB provides textual conventions and object definitions used in the SNMP agent architecture.
— hrNetworkTable
— hrPrinterTable
— hrDiskStorageTable: hrDiskStorageCapacity
— hrPartitionTable: hrPartitionSize
— hrFSTable: hrFSLastFullBackupDate, hrFSLastPartialBackupDate
• hrSWRun Group: hrSWRun
• hrSWRunPerf Group: hrSWRunPerf
• hrSWRunTable
— hrSWRunIndex
— hrSWRunName
— hrSWRunType
— hrSWRunStatus
— hrSWRunPriority
• hrSWRunPerfTable
— hrSWRunPerfCPU
RFC 2495—DS1 MIB
These objects are used with a DS1/E1/DS2/E2 interface.
RFC 2863—Interface MIB (64-bit counter support)
Support for the following entries was added in the interface table: ifHCInOctets, ifHCInUcastPkts, ifHCOutOctets, and ifHCOutUcastPkts. These counters already existed and were extended from Counter32 to Counter64.
VPN Router MIB
This MIB contains VPN Router proprietary MIB data. For instance, the ping MIB is contained in this file.
cestraps.mib—Nortel proprietary MIB
This section lists the contents of cestraps.mib, the Nortel MIB for the VPN Router.
-- The second means packets were dropped due to a detected spoofed address
-- The third should never happen, but means the status has been set to a bogus value.
newoak.mib
This section provides the contents of newoak.mib, which defines the newoak enterprise ID, the contivity object identifier, and the sysObjectIDs for each VPN Router model.
-- This MIB module uses the extended OBJECT-TYPE macro as
-- defined in [9], and the TRAP-TYPE macro as defined in [10].
newoak OBJECT IDENTIFIER ::= { enterprises 2505 }
-- The following MODULE-IDENTITY definition can be commented out if the MIB parser
-- you are using has trouble parsing it.
Hardware-related traps
hardwareTrapInfo OBJECT IDENTIFIER ::= {ContivitySnmpTraps 1}
-- Trap #1001
hardDisk1Status OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Hard Disk Number 1 Status."
    ::= {hardwareTrapInfo 1}
-- Trap #1002
hardDisk0Status OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Hard Disk Number 0 Status.

    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of the first CPU fan."
    ::= {hardwareTrapInfo 6}
-- Trap #1007
fanTwoStatus OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of the second CPU fan."
    ::= {hardwareTrapInfo 7}
-- Trap #1008
chassisFanStatus OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of the Chassis fan.

    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of 2.5VA power."
    ::= {hardwareTrapInfo 12}
-- Trap #10013
twoDotFiveVB OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of 2.5VB power."
    ::= {hardwareTrapInfo 13}
-- Trap #10014
twelveVoltsPositive OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of +12 Volt power.

    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "The chassis intrusion sensor indicates that the unit has been opened."
    ::= {hardwareTrapInfo 18}
-- Trap #10019
dualPowerSupply OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of the redundant power supplies."
    ::= {hardwareTrapInfo 19}
-- Trap #10020
t1WANStatus OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of T1 WAN card(s).

Server-related traps
serverTrapInfo OBJECT IDENTIFIER ::= {ContivitySnmpTraps 2}
-- Trap #3001
radiusAcctServer OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of External Radius Accounting Server."
    ::= {serverTrapInfo 1}
-- Trap #3002
backupServer OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of External Disk Backup Server.

    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of DNS Server."
    ::= {serverTrapInfo 6}
-- Trap #3007
SNMPServer OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of SNMP Server."
    ::= {serverTrapInfo 7}
-- Trap #3008
IPAddressPool OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of the IP address pool.

Software-related traps
softwareTrapInfo OBJECT IDENTIFIER ::= {ContivitySnmpTraps 3}
-- Trap #5001
NetBuffers OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Network buffer usage."
    ::= {softwareTrapInfo 1}
-- Trap #5002
fireWall OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Status of internal firewall.

Intrusion-related traps
intrusionTrapInfo OBJECT IDENTIFIER ::= {ContivitySnmpTraps 5}
-- Trap #201
securityIntrusion OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Login Security Intrusion."
    ::= {intrusionTrapInfo 1}
System-related traps
-- Trap #401
powerUpTrap OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Power Up.

Information passed with every trap
SeverityLevel OBJECT-TYPE
    SYNTAX INTEGER {
        fatal(1),
        major(2),
        minor(3),
        informational(4),
        insignificant(5),
        reversal(6)
    }
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "Severity of specific trap."
    ::= {ContivitySnmpTraps 7}
systemName OBJECT-TYPE
    SYNTAX DisplayString
    ACCESS read-only
    STATUS mandatory
    DESCRIPTION "System Name.
Table 3 provides trap categories and explanations.
Table 3 Trap categories
Hardware
  1.3.6.1.4.1.2505.1.1.0.1001   hardDisk1StatusTrap
  1.3.6.1.4.1.2505.1.1.0.1002   hardDisk0StatusTrap
  1.3.6.1.4.1.2505.1.1.0.1003   memoryUsageTrap
  1.3.6.1.4.1.2505.1.1.0.1004   lanCardStatusTrap
  1.3.6.1.4.1.2505.1.1.0.1005   cpuTwoStatusTrap
  1.3.6.1.4.1.2505.1.1.0.1006   fanOneStatusTrap
  1.3.6.1.4.1.2505.1.1.0.1007   fanTwoStatusTrap
  1.3.6.1.4.1.2505.1.1.0.1008   chassisFanStatusTrap
  1.3.6.1.4.1.
Table 3 Trap categories (continued)
Server
  1.3.6.1.4.1.2505.1.2.0.3007   snmpServerTrap
  1.3.6.1.4.1.2505.1.2.0.3008   ipAddressPoolTrap
  1.3.6.1.4.1.2505.1.2.0.3009   extLDAPServerTrap
  1.3.6.1.4.1.2505.1.2.0.30010  radiusAuthServerTrap
  1.3.6.1.4.1.2505.1.2.0.30011  certificateServerTrap
Software
  1.3.6.1.4.1.2505.1.3.0.5001   netBuffersTrap
  1.3.6.1.4.1.2505.1.3.0.5002   FireWallTrap
  1.3.6.1.4.1.2505.1.3.0.5003   FipsStatusTrap
Failed Login
  1.3.6.1.4.1.2505.1.4.0.
Table 4 VPN Router traps MIB descriptions
Proprietary  1.3.6.1.4.1.2505.1.1.0.1009   fiveVoltsPosStatusTrap   Status of the +5 Volt power.
Proprietary  1.3.6.1.4.1.2505.1.1.0.10010  fiveVoltsMinusTrap       Status of -5 Volt power.
Proprietary  1.3.6.1.4.1.2505.1.1.0.10011  threeVoltsPositiveTrap   Status of +3 Volt power.
Proprietary  1.3.6.1.4.1.2505.1.1.0.10012  twoDotFiveVATrap         Status of 2.5VA power.
Proprietary  1.3.6.1.4.1.2505.1.1.0.10013  twoDotFiveVBTrap         Status of 2.5VB power.

Proprietary  1.3.6.1.4.1.2505.1.1.0.10020  t1WANStatusTrap          Status of T1 WAN card(s).
  Possible values for Wanic:
    Alert: Invalid Device X.
    Warning: Device WanicX disabled.
    Alert: Device WanicX down.
    Warning: Device WanicX not initialized.
    Warning: Device WanicX PPP negotiating.
    Alert: Device WanicX PPP down.
    Alert: Device WanicX FR no support.
    Alert: Device WanicX Unknown DL.
  Possible values for T1:
    Alert: Invalid Device X.

Proprietary  1.3.6.1.4.1.2505.1.1.0.10022  hwAccelTrap              Status of hardware accelerator card.
  Possible values:
    Invalid hardware accelerator unit %d.
    Unknown hardware accelerator unit %d.
    Healthy: Bulk Accelerator in slot %d: Unit %d Status 1—ATTACHED.
    Warning: Bulk Accelerator in slot %d: Unit %d Status 2—DISABLED.
    Healthy: Bulk Accelerator in slot %d: Unit %d Status 3—ACTIVE.

Proprietary  1.3.6.1.4.1.2505.1.1.0.10024  v90WANStatusTrap         Status of V.90 interface card.
  Possible values (X is the unit number of the card):
    Alert: V.90 Invalid index X.
    Disabled: Device IntModem-X disabled.
    Healthy: Device IntModem-X: PPP is UP.
    Alert: Device IntModem-X down.
    Warning: Device IntModem-X not initialized.
    Alert: Device IntModem-X: Call is UP. Internal Error.
    Warning: Device IntModem-X is Down.

Proprietary  1.3.6.1.4.1.2505.1.1.0.10026  serUartStatusTrap        Status of serial (COM) port/interface.
  Possible values (X is the unit number of the serial interface):
    Alert: COM port Invalid index X
    Healthy: Device COMX is set for Serial Menu.
    Disabled: Device COMX disabled
    Warning: Device COMX not initialized.
    Healthy: Device COMX: PPP is UP.
    Alert: Device COMX: Call is UP. Internal Error.

Proprietary  1.3.6.1.4.1.2505.1.2.0.3005   loadBalancingServerTrap  Status of Load Balancing Server.
Proprietary  1.3.6.1.4.1.2505.1.2.0.3006   dnsServerTrap            Status of DNS Server.
Proprietary  1.3.6.1.4.1.2505.1.2.0.3007   snmpServerTrap           Status of SNMP Server.
Proprietary  1.3.6.1.4.1.2505.1.2.0.3008   ipAddressPoolTrap        Status of the IP address pool.
Proprietary  1.3.6.1.4.1.2505.1.2.0.

Proprietary  1.3.6.1.4.1.2505.1.2.0.30014  dhcpServerTrap           Status of DHCP Server.
  Possible values:
    Disabled: DHCP Server is Disabled.
    Alert: DHCP Server is NOT configured.
    Alert: DHCP Server is configured and operational, Using backup config.
    Alert: No IP Address available for subnet.
    Alert: DHCP Server is configured and server is DOWN.
    Healthy: DHCP Server is Operational.
    Warning: Subnet low on IP Addresses.

Proprietary  1.3.6.1.4.1.2505.1.3.0.5007   sslVpnStatusTrap         Status of SSL-VPN Accelerator.
  Possible values:
    Disabled: Disabled—The unit is administratively disabled.
    Disabled: HW not installed—There is no SSL-VPN Accelerator installed.
    Warning: Initialization in progress—The unit is being initialized.
    Warning: Configuration errors—See event log for details.
    Healthy: Operational—The unit is operational.
Standard  1.3.6.1.2.1.11.0.2  linkDown
  A linkDown trap signifies that the sending protocol entity recognizes a failure in one of the communication links represented in the agent's configuration.
  Varbind list:
    ifIndex—ifIndex of the interface.
    ifAdminStatus—ifAdminStatus of the interface.
    ifOperStatus—ifOperStatus of the interface.
    ifDescr—ifDescr of the interface.
    ifType—ifType; this distinguishes interfaces that are tunnels.
Standard  1.3.6.1.2.1.11.0.3  linkUp
  A linkUp trap signifies that the sending protocol entity recognizes that one of the communication links represented in the agent's configuration is up.
  Varbind list:
    ifIndex—ifIndex of the interface.
    ifAdminStatus—ifAdminStatus of the interface.
    ifOperStatus—ifOperStatus of the interface.
    ifDescr—ifDescr of the interface.
Standard  1.3.6.1.2.1.11.0.5  authenticationFailure
  An authenticationFailure trap signifies that the SNMPv2 entity, acting in an agent role, received a protocol message that is not properly authenticated. The snmpEnableAuthenTraps object indicates whether this trap is generated. snmpAuthenOperation-ces identifies the operation (GetRequest, GetNextRequest, and so on) that was attempted.
Appendix A MIB support Table 4 VPN Router traps MIB descriptions Standard 1.3.6.1.2.1.11.0.2 NN46110-602 linkDown A linkDown trap signifies that the sending protocol entity recognizes a failure in one of the communication links represented in the agent's configuration. Varbind list: ifIndex—ifIndex of the interface. ifAdminStatus—ifAdminStatus of the interface. ifOperStatus—ifOperStatus of the interface. ifDescr—ifDescr of the interface.
Appendix A MIB support 163 Table 4 VPN Router traps MIB descriptions Standard 1.3.6.1.2.1.11.0.3 linkUp A linkUp trap signifies that the sending protocol entity recognizes that one of the communication links represented in the agent's configuration is up. Varbind list: ifIndex—ifIndex of the interface ifAdminStatus—ifAdminStatus of the interface. ifOperStatus—ifOperStatus of the interface. ifDescr—ifDescr of the interface. ifType—ifType, this provides discrimination of interfaces that are tunnels.
Appendix A MIB support Table 4 VPN Router traps MIB descriptions Standard 1.3.6.1.2.1.11.0.5 authenticationFailure An authenticationFailure trap signifies that the SNMPv2 entity, acting in an agent role, received a protocol message that is not properly authenticated. The snmpEnableAuthenTraps object indicates whether this trap is generated. snmpAuthenOperation-ces identifies the operation (GetRequest, GetNextRequest,... ) was attempted.
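As an added example (not from the Nortel document or its MIB), the following Python classifies received traps against Table 4 on the receiving side. It assumes the receiver already has the trap OID and a list of (OID, value) varbinds, that the proprietary status traps carry their "Level: text" string as a string varbind (the varbind OID in the sample is a placeholder), and that SNMPv1 enterprise-specific traps are first mapped to the enterprise.0.specific form Table 4 uses; the sample trap is constructed.

```python
"""Classify VPN Router SNMP traps against Table 4 (added example, not Nortel code).

Assumptions: the receiver hands us the trap OID plus the varbinds as (oid, value)
pairs; the proprietary status traps carry their 'Level: text' string as a string
varbind (the varbind OID in the sample is a placeholder); SNMPv1 enterprise-
specific traps are first converted with v1_trap_oid().
"""
from dataclasses import dataclass, field

TABLE_4 = {                                   # trap OID -> name, as in Table 4
    "1.3.6.1.4.1.2505.1.2.0.3005": "loadBalancingServerTrap",
    "1.3.6.1.4.1.2505.1.2.0.3006": "dnsServerTrap",
    "1.3.6.1.4.1.2505.1.2.0.3007": "snmpServerTrap",
    "1.3.6.1.4.1.2505.1.2.0.3008": "ipAddressPoolTrap",
    "1.3.6.1.4.1.2505.1.2.0.30014": "dhcpServerTrap",
    "1.3.6.1.4.1.2505.1.3.0.5007": "sslVpnStatusTrap",
    "1.3.6.1.2.1.11.0.2": "linkDown",
    "1.3.6.1.2.1.11.0.3": "linkUp",
    "1.3.6.1.2.1.11.0.5": "authenticationFailure",
}
# IF-MIB ifTable columns named in the linkDown/linkUp varbind lists; instance
# OIDs are 1.3.6.1.2.1.2.2.1.<column>.<ifIndex>.
IF_ENTRY = "1.3.6.1.2.1.2.2.1."
IF_COLUMNS = {"1": "ifIndex", "2": "ifDescr", "3": "ifType",
              "7": "ifAdminStatus", "8": "ifOperStatus"}
IFTYPE_TUNNEL = 131                           # IANAifType tunnel(131)
STATUS_LEVELS = ("Disabled", "Alert", "Warning", "Healthy")


@dataclass
class TrapEvent:
    name: str
    level: str                                # a STATUS_LEVELS value or "Unknown"
    security: bool                            # worth a security analyst's look
    detail: dict = field(default_factory=dict)


def v1_trap_oid(enterprise: str, generic: int, specific: int) -> str:
    """SNMPv1 enterprise-specific trap (generic-trap 6) -> enterprise.0.specific,
    the form Table 4 uses for the proprietary traps."""
    if generic != 6:
        raise ValueError("only enterprise-specific (generic-trap 6) traps are converted")
    return f"{enterprise}.0.{specific}"


def parse_status(text: str):
    """'Alert: No IP Address available for subnet.' -> ('Alert', 'No IP ...')."""
    level, sep, rest = text.partition(":")
    if sep and level.strip() in STATUS_LEVELS:
        return level.strip(), rest.strip()
    return "Unknown", text.strip()


def classify_trap(trap_oid: str, varbinds: list) -> TrapEvent:
    name = TABLE_4.get(trap_oid)
    if name is None:                          # not in Table 4: surface, don't drop
        return TrapEvent("unknown", "Unknown", True, {"trap_oid": trap_oid})

    if name == "authenticationFailure":
        # A message that failed SNMP authentication (e.g. a wrong community
        # string). Table 4: snmpEnableAuthenTraps controls whether the agent
        # sends this at all, so keep it enabled on the router.
        return TrapEvent(name, "Alert", True, {"varbinds": dict(varbinds)})

    if name in ("linkDown", "linkUp"):
        iface = {}
        for oid, value in varbinds:
            if oid.startswith(IF_ENTRY):
                column = oid[len(IF_ENTRY):].split(".")[0]
                if column in IF_COLUMNS:
                    iface[IF_COLUMNS[column]] = value
        # Table 4: ifType discriminates tunnel interfaces. A tunnel going down
        # is flagged so it can be correlated with the ISAKMP/Session syslog.
        tunnel_down = name == "linkDown" and iface.get("ifType") == IFTYPE_TUNNEL
        return TrapEvent(name, "Warning" if name == "linkDown" else "Healthy",
                         tunnel_down, iface)

    # Remaining entries are the proprietary "Status of ..." traps whose payload
    # is one of the 'Level: text' strings listed in Table 4.
    status = next((v for _, v in varbinds if isinstance(v, str)), "")
    level, text = parse_status(status)
    return TrapEvent(name, level, level == "Alert", {"status": text})


if __name__ == "__main__":
    # Constructed sample: SNMPv1 dhcpServerTrap with a placeholder varbind OID.
    oid = v1_trap_oid("1.3.6.1.4.1.2505.1.2", 6, 30014)
    print(classify_trap(oid, [("1.3.6.1.4.1.2505.1.2.1.0",
                               "Alert: DHCP Server is configured and server is DOWN.")]))
```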
Appendix B Using serial PPP

You use Serial Point-to-Point Protocol (PPP) to manage the VPN Router from a remote location using PPP and the serial interface. If the VPN Router becomes unreachable over the Internet, you can still dial up and manage it through the serial interface menu. With this feature, the serial interface becomes like a private WAN interface. You can manage through it or even tunnel through it. You can enable Serial PPP support on the System > Settings window.
Setting up a Dial-Up Networking connection

To establish a Serial PPP connection using a Microsoft Dial-Up Networking connection from the client system:

1 Double-click My Computer.
2 Double-click the Microsoft Dial-Up Networking icon.
3 Set the COM port baud rate on the client system so that it is compatible with the VPN Router’s baud rate. It is best to set the rates the same to establish a connection.
Setting up the modem

The following procedure assumes that you are using a 3Com/US Robotics 56K x2 modem. It describes how to set up a modem to communicate with the VPN Router using a dial-up networking connection. Table 5 lists the DIP switch settings.
• to access all management services (HTTP, Telnet, FTP, SNMP) through the Web interface.

Once you establish a session through PPP, the serial interface acts as a private WAN interface with an internal IP address (0.0.1.35).

Auto detect—automatically detects whether the connected device is using PPP or serial menu mode at startup. The VPN Router cannot determine the device’s baud rate, nor can it determine a change from PPP to serial menu mode, except upon startup.
Dialing in to the VPN Router

Use the standard dial-up networking procedure to connect to the VPN Router. After connecting, you can then manage the VPN Router using either Telnet (for the command line interface) or the browser-based GUI. Use the VPN Router’s management IP address for the Telnet session or the browser’s destination URL.

Troubleshooting Serial PPP

When the serial port is set up for PPP only, you can still do inband Web management.
Cause: You were dialed in and managing the VPN Router remotely using PPP and you changed the baud rate and applied it, but now you cannot manage the VPN Router.
Action: To manage the VPN Router, disconnect the dial-up connection and try to re-establish it. This gives the modem a chance to renegotiate the baud rate with the VPN Router.

Cause: You are set up to use PPP but want to use the serial port for the serial menu.
Action: Choose the serial port mode Serial Menu.
Action: Make sure that the modem that is connected to the VPN Router has hardware flow control enabled.

PPP option settings

The following settings describe the VPN Router’s behavior when negotiating serial PPP. For IP:
• IP Address negotiation is enabled.
• The VPN Router needs the peer’s IP address to make a connection.
• The peer should not suggest an IP address for the VPN Router.
• The VPN Router uses its management IP address.
• The VPN Router rejects VJ compression.
Appendix C System messages

System forwarding (syslog) uses the system logging daemon (syslogd) to forward information from the VPN Router system log to different host machines. This appendix provides a listing of possible syslog messages that the VPN Router can write to a remote system. A description and the recommended corrective action, if any, follows each message.
tCert: Shutdown complete
Description: This informational message indicates that the task responsible for certificate maintenance is shut down. This is usually part of the normal system shutdown.
Action: No action required.

tCert: task creation failed
Description: The task responsible for X.509 certificate maintenance on the VPN Router failed to start properly. This most likely indicates severe resource exhaustion on the VPN Router.
Action: Reboot the VPN Router.
2 Manually verify the tunnel-related certificate fingerprints. Perform this procedure any time you suspect tampering.

ISAKMP messages

ISAKMP [13] No proposal chosen in message from xxx (a.b.c.d)
In many cases, a Session:IPsec message precedes the ISAKMP message. If the Session:IPsec message indicates an error, then the Session message describes the cause and required action.
Action: Make sure the PFS settings on both sides match. Either enable PFS on the remote side, or disable PFS locally.

ISAKMP [13] Error notification (No proposal chosen) received from xxx (a.b.c.d)
Description: The proposal made by the local VPN Router is rejected by a VPN Client. This usually indicates that the client is using an international version (56-bit) while the VPN Router has stronger encryption enabled.
ISAKMP [13] Error notification (Authentication failure) received from xxx (a.b.c.d)
Description: A VPN Client attempted to connect, but the user supplied the wrong password.
Action: Make sure that the user and the VPN Router have the same password.
Description: A remote branch office rejected your VPN Router’s attempt to authenticate.
Action: Contact the administrator of the remote system. If the remote system is a VPN Router, the cause is noted in that system log.
ISAKMP [13] Invalid ID information in message from xxx (a.b.c.d)
Description: One side of the connection is configured to support dynamic routing while the other side is configured for static routing. Branch office is xxx.
Action: Configure both sides to use the same routing type.
Description: Both sides are configured to support static routing; however, the local and remote network definitions of the two sides do not match. Branch office is xxx.
Action: Remove the existing static route or change the route for the remote network to be a subset or superset of the static route.

SSL messages

Checking chain: invalid parent cert, xxx
Description: The given certificate in the chain is not valid. This indicates that the certificate installed at the external LDAP server is expired or is invalid in some other way.
Action: Verify that the certificate is valid or use a certificate that you know is valid.
No matching trusted CA certs
Description: None of the certificates in the chain are trusted CA certificates. You can receive this message if the CA certificate is not installed or is not marked as trusted on the VPN Router.
Action: Make sure the CA certificate is installed and that the certificate is marked as trusted on your VPN Router.

Database messages

Configuration file: xxx does not exist
Description: The slapd.
Action: Make sure the backup file has an 8.3 file name.

LDIF file: could not restore xxx
Description: The internal LDAP server database cannot be restored from the specified LDIF file. This indicates that the LDIF file does not exist.
Action: Choose an LDIF file that currently resides on the VPN Router disk.
CaAuthServerCollection: authenticate xxx cert [xxx] invalid signature by [xxx] - xxx
Description: The certificate passed in with the authentication request does not have a valid signature, based on the CA certificate configured on the VPN Router. This indicates either an incorrect certificate at the remote side (either a client or branch office), or an incorrect CA certificate installed on the VPN Router.
Action: Start the LDAP server, or change the external LDAP server configuration to make it accessible.

Security: store new system subnet mask xxx failed—xxx
Description: The system subnet mask cannot be stored in the VPN Router configuration LDAP entry. This can indicate that the LDAP server is not accessible.
Action: Start the LDAP server, or change the external LDAP server configuration to make it accessible.
Action: Start the LDAP server, or change the external LDAP server configuration to make it accessible.

Error deleting entry [xxx]—xxx
Description: An error occurred while deleting an LDAP entry. This indicates that the LDAP server is not accessible.
Action: Start the LDAP server, or change the external LDAP server configuration to make it accessible.

Error deleting tree [xxx]—xxx
Description: An error occurred while deleting a tree of LDAP entries.
xxx xxx being referenced by xxx
Description: The LDAP entry is referenced by another LDAP entry (for example, a filter set referenced by a User Group or Branch Office Connection).
Action: Remove all references to the LDAP entry in question, then delete the entry.

Session: xxx uid invalid—authentication failed
Description: The given IPsec hashed UID is not found in the LDAP database. This occurs if the UID typed in at the client is invalid or the account no longer exists.
Session: xxx[xxx]:xxx xxx auth method not allowed
Description: The authentication method of the incoming request is not allowed in the group that the session is bound to. The session is bound to a group by one of the following:
• the group that the user’s account is in (in LDAP)
• RADIUS default group
• RADIUS class attribute
• CA authentication server's default group
Action: Enable the authentication method for the bound group.
Session: xxx[xxx]:xxx IP address assignment failed
Description: An address cannot be assigned to the session. This occurs if the static address for the session is in use or if the address pool is exhausted.
Action: Expand the number of addresses in the pool, or change the static address on the account.
Session: xxx[xxx]:xxx account not allowed now
Description: The session request is outside the permitted hours of access.
Action: Change the Access Hours setting assigned to the group on the Profiles > Groups > Edit > Connectivity window.

Session: xxx[xxx]:xxx authentication failed using xxx
Description: The credentials for the session cannot be validated by any of the authentication servers.
Action:
1 Make sure you are using the correct credentials.
Session: xxx[xxx]:xxx invalid password—master admin authentication failed
Description: The primary administrator password is invalid. This results from using the wrong password or from making a mistake while typing the password.
Action: Make sure you are using the correct password, and make sure you typed it correctly.

Session: xxx[xxx]:xxx login rejected - new logins disabled
Description: New logins are currently disabled.
Session: xxx[xxx]:xxx pool address [xxx] already in use
Description: The returned static pool address is currently in use. This error occurs if another tunnel is using this address through a static address configuration or another address pool. The error also occurs if a static host route using this address is added.
Action: No action is necessary. The VPN Router tries to allocate a different address.
RADIUS accounting messages

RADIUS: Cannot send accounting request to , possibly due to DNS translation failure
Description: This message indicates a connection failure. While sending a request, an error occurred due to a socket creation problem. This usually indicates a DNS resolution problem.
RADIUS: network socket failure with , recvfrom error:
Description: This message indicates a connection failure. An error occurred while receiving the response.
Action: Retry the authentication attempt and verify that RADIUS server packets are properly formed.

RADIUS: server failed
Description: This message indicates a connection failure. An error occurred while receiving the response.
Action: Retry the authentication attempt and verify that RADIUS server packets are properly formed.

Unsupported response type () received from server
Description: This message indicates that an invalid response was received. The response packet type is not one of the expected types: Access-Accept, Access-Reject, or Access-Challenge.
Action: Retry the authentication attempt and verify that RADIUS server packets are properly formed.
RADIUS authentication messages

RADIUS: Cannot send request to , possibly due to DNS translation failure
Description: This message indicates a connection failure. While sending a request, an error occurred due to a socket creation problem. This usually indicates a DNS resolution problem.
RADIUS: server timed out authenticating
Description: This message indicates a connection failure. The connection timed out while waiting for a response.
Action: Verify the following:
• RADIUS server’s IP address and port number are correct
• RADIUS server is available
• Shared secret is correct

RADIUS: network socket failure with , recvfrom error:
Description: This message indicates a connection failure.
RADIUS: sent invalid response packet for
Description: This message indicates that an invalid response was received. The length of the response packet is not equal to the number of bytes received.
Action: Retry the authentication attempt and verify that RADIUS server packets are properly formed.

Non-matching id in server response
Description: This message indicates that an invalid response was received.
Action: Verify that the shared secrets match.

RADIUS: sent packet with invalid response authenticator for
Description: This message indicates that an invalid response was received. The computed authenticator does not match the value in the packet.
Action: Verify that the shared secrets match.

RADIUS server returned access challenge
Description: This message indicates that a valid access-challenge response was received.
Action: No action required.
RADIUS: access DENIED by server
Description: This message indicates that a valid access-reject response was received.
Action: No action required.

Response OK
Description: This message indicates that a valid access-accept response was received.
Action: No action required.

RADIUS: access OK by server
Description: This message indicates that a valid access-accept response was received.
Action: No action required.
Action: No action required.

Closing OSPF-RTM connection
Description: OSPF closed the RTM connection, which occurs if the administrator disables OSPF from the Routing > OSPF window.
Action: No action required.

Ospf_Global.State changed from ENABLED to DISABLED by user 'admin' @ x.x.x.x
Description: The administrator disabled OSPF from the Routing > OSPF window.
Action: No action required.
Can not accept x.x.x.x as router id
Description: OSPF cannot accept the given router ID in the Routing > OSPF window.
Action: You must change the router ID in the Routing > OSPF window. Invalid router IDs are 127.0.0.1 and 0.0.0.0.

LoadOspfAreas Failed
Description: OSPF failed to load all areas of information from the config file. This happens if the config file is damaged.
Action: Delete all OSPF areas, recreate them from the Routing > OSPF window, and reboot the VPN Router.
VR xxx: Starting xxx as Backup for xxx
Description: Logged when starting as a backup for an address. The parameters are:
• The VRID of this VR
• The reason for starting, either because it was enabled or the interface went up
• The IP address
Action: No action required.

VR xxx: Starting xxx as master delayed Backup for xxx
Description: Logged when master delay mode is in effect.
Unable to get configuration for VR xxx
Description: This is an error event that is logged when VRRP is enabled but the common configuration parameters are missing. These are the items set in the Routing > VRRP window.
Action: No action required.

RIP xxx: RIP Enabled
Description: Logged when RIP is globally enabled.
Action: No action required.

RIP xxx: RIP Disabled
Description: Logged when RIP is globally disabled.
Action: No action required.
RIP xxx: Circuit xxx deleted
Description: Logged when the RIP circuit is deleted. The parameter stands for the circuit ID.
Action: No action required.

RIP xxx: Unable to register with UDP
Description: Logged when RIP cannot register with the UDP protocol.
Action: No action required.

RIP xxx: setsockopt RIP socket xxx SO_RCVBUF xxx failed
Description: Logged when RIP receive buffers are not large enough.
RIP xxx: Unable to spawn timer task xxx for RIP
Description: Logged when RIP fails to spawn the timer task. The parameter stands for the name of the task.
Action: No action required.

RIP xxx: cid xxx mismatched auth password from xxx
Description: Logged when RIP authentication fails while receiving RIP packets. The first parameter is the circuit ID on which it was receiving RIP packets and the second parameter is the IP address from which it received RIP packets.
Interface [nnn] replaced, deleting from config
Description: This indicates that the card type specified in the configuration file does not match the card currently in the slot. The interface is deleted from the configuration. This applies when the replaced card has more ports than the current card.
Action: No action required.
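As an added example (not from the Nortel document), the following Python runs detection logic over the message bodies this appendix lists. The VPN Router's syslog header format is not shown in the appendix, so the constructed sample lines assume an "<ISO timestamp> <host> " prefix, and the fields the appendix shows as xxx and a.b.c.d are filled with constructed user names and RFC 5737 documentation addresses.

```python
"""Detection logic over the Appendix C syslog messages (added example, not Nortel code).

Assumptions: each line is '<ISO timestamp> <host> <message body>' (the appendix
does not show the real syslog header); the 'Session: xxx[xxx]:xxx ...' skeleton
is read as '<service>[<user>]:<address> ...'. All sample lines are constructed.
"""
import re
from collections import Counter

PREFIX = r"^\S+ \S+ "                     # assumed '<timestamp> <host> ' header
SESSION = r"Session: (?P<svc>\S+)\[(?P<user>[^\]]*)\]:(?P<addr>\S+) "

# Message skeletons from Appendix C; the xxx / a.b.c.d placeholders become groups.
PATTERNS = {
    "isakmp_auth_fail": re.compile(
        PREFIX + r"ISAKMP \[13\] Error notification \(Authentication failure\) "
        r"received from (?P<name>\S+) \((?P<addr>[\d.]+)\)"),
    "isakmp_no_proposal": re.compile(
        PREFIX + r"ISAKMP \[13\] (?:No proposal chosen in message|Error notification "
        r"\(No proposal chosen\) received) from (?P<name>\S+) \((?P<addr>[\d.]+)\)"),
    "session_auth_fail": re.compile(
        PREFIX + SESSION + r"authentication failed using (?P<server>\S+)"),
    "session_master_admin_fail": re.compile(
        PREFIX + SESSION + r"invalid password.*master admin authentication failed"),
    "radius_bad_authenticator": re.compile(
        PREFIX + r"RADIUS: sent packet with invalid response authenticator"),
    "radius_id_mismatch": re.compile(PREFIX + r"Non-matching id in server response"),
    "rip_auth_mismatch": re.compile(
        PREFIX + r"RIP \S+: cid (?P<cid>\S+) mismatched auth password from (?P<addr>\S+)"),
}


def classify(line):
    """Return (message kind, extracted fields), or (None, {}) if not of interest."""
    for kind, pattern in PATTERNS.items():
        m = pattern.match(line)
        if m:
            return kind, m.groupdict()
    return None, {}


def analyze(lines, threshold=3):
    """Classify every line and raise aggregate alerts. Appendix C's action for a
    single authentication failure is 'check the credentials'; repeated failures
    from one address are what a SOC wants to see, so they are counted per address."""
    findings, alerts = [], []
    auth_fail, admin_fail = Counter(), Counter()
    for line in lines:
        kind, fields = classify(line)
        if kind is None:
            continue
        findings.append({"kind": kind, **fields})
        if kind in ("isakmp_auth_fail", "session_auth_fail"):
            auth_fail[fields["addr"]] += 1
        elif kind == "session_master_admin_fail":
            admin_fail[fields["addr"]] += 1
        elif kind in ("radius_bad_authenticator", "radius_id_mismatch"):
            # Appendix C: verify the shared secrets match. A reply that fails the
            # authenticator check is also what a forged RADIUS response looks like.
            alerts.append({"alert": "radius_response_integrity", "kind": kind})
        elif kind == "rip_auth_mismatch":
            alerts.append({"alert": "rip_auth_mismatch", "addr": fields["addr"],
                           "cid": fields["cid"]})
    for addr, n in auth_fail.items():
        if n >= threshold:
            alerts.append({"alert": "repeated_tunnel_auth_failures", "addr": addr, "count": n})
    for addr, n in admin_fail.items():
        if n >= 2:
            alerts.append({"alert": "repeated_master_admin_failures", "addr": addr, "count": n})
    return findings, alerts


# Constructed sample log; addresses are from the RFC 5737 documentation ranges.
SAMPLE_LOG = [
    "2007-01-01T10:00:01 vpnrouter ISAKMP [13] Error notification (Authentication failure) received from roadwarrior (203.0.113.7)",
    "2007-01-01T10:00:05 vpnrouter Session: IPSEC[alice]:203.0.113.7 authentication failed using LDAP",
    "2007-01-01T10:00:09 vpnrouter Session: IPSEC[bob]:203.0.113.7 authentication failed using RADIUS",
    "2007-01-01T10:01:00 vpnrouter Session: IPSEC[carol]:198.51.100.4 authentication failed using LDAP",
    "2007-01-01T10:02:00 vpnrouter ISAKMP [13] No proposal chosen in message from branch1 (192.0.2.10)",
    "2007-01-01T10:03:00 vpnrouter RADIUS: sent packet with invalid response authenticator for 192.0.2.50",
    "2007-01-01T10:04:00 vpnrouter RIP 1: cid 2 mismatched auth password from 192.0.2.99",
    "2007-01-01T10:05:00 vpnrouter Session: HTTP[admin]:198.51.100.4 invalid password - master admin authentication failed",
    "2007-01-01T10:05:30 vpnrouter Session: HTTP[admin]:198.51.100.4 invalid password - master admin authentication failed",
    "2007-01-01T10:06:00 vpnrouter RIP 1: RIP Enabled",
]

if __name__ == "__main__":
    for alert in analyze(SAMPLE_LOG)[1]:
        print(alert)
```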
Appendix D Configuring for interoperability

This chapter explains the requirements and procedures for setting up different vendor hardware or software to interoperate with the VPN Router. You can use these instructions to establish encrypted tunnels to and from the VPN Router with the noted vendors. These requirements and procedures are subject to change based on hardware and software changes by the vendors. Procedures are available for the following products:
• Cisco* 2514 router, Version 11.
Figure 11 VPN Router and Cisco 2514 network topology
The following is a show config command:

    Cisco2514# show config
    Using 1088 out of 32762 bytes
    version 11.3
    no service password-encryption
    hostname Cisco2514
    enable secret 5 $1$aSJB$Xz/o4I4IqCY.FT2RH372/1
    enable password password
    !
    crypto isakmp policy 1
     hash md5
     authentication pre-share
     lifetime 3000
    crypto isakmp key test address 8.1.10.42
    !
    crypto ipsec transform-set esp1 esp-des esp-md5-hmac
    !
    crypto map bay 11 ipsec-isakmp
     set peer 8.1.10.
    dialer-list 1 protocol ipx permit
    snmp-server community public RO
    line con 0
    line aux 0
    line vty 0 4
     password terminal
     login
    end

Configuring the VPN Router for Cisco interoperability

To configure the VPN Router for Cisco interoperability:

1 Select Profiles > Networks and click Edit.
2 Create any local accessible networks that you want available.
3 Enter the IP address for the new subnet; for example, 10.18.0.45.
Configuring the SafeNet/Soft-PK Security Policy Database Editor, Version 1.0s

To set up the VPN Router to establish encrypted tunnel connections with the IRE Soft-PK Security Policy Client as illustrated in Figure 12, configure the windows as described on the following pages.
Connecting to IRE SafeNet/Soft-PK Security Policy Client

To set up the VPN Router to establish encrypted tunnel connections with the IRE SafeNet/Soft-PK Security Policy Client, do the following:

1 Open the SafeNet/Soft-PK Security Policy Client, and click File: New. The following window configures the network so that any packets going to the 10.18.0.0 subnet go through the VPN Router’s 8.1.10.42 interface to establish a tunnel.
• 8.1.10.42
The SafeNet/Soft-PK Security Policy Editor dialog box appears.
6 Click My Identity to configure the SafeNet client, and select the following:
• Select Certificate: None
• ID Type: IP Address
• Port: All
7 Click Pre-Shared Key. The Pre-Shared Key dialog box appears.
8 In the Pre-Shared Key dialog box, click Enter Key, then enter the preshared key.
9 Click OK.
The SafeNet/Soft-PK Security Policy Editor dialog box appears.
10 From Security Policy: Select Phase 1 Negotiation Mode, click Main Mode.
11 Click Enable Replay Detection.
• Authentication Method: Pre-Shared key
• Encrypt Alg: DES
• Hash Alg: MD5
• SA Life: Seconds and 3000 (Seconds)
• Key Group: Diffie-Hellman Group 1
13 On the Key Exchange (Phase 2), Proposal 1 window, enable the following:
• Encapsulation Protocol (ESP)
• Encrypt Alg: DES
• Hash Alg: MD5
• Encapsulation: Tunnel
• SA Life: Seconds and 3000 (Seconds)

Configuring the VPN Router for IRE interoperability

To configure the VPN Router for IRE interoperability:
1
9 For some vendors, if you want to turn off Vendor ID and/or Perfect Forward Secrecy (PFS), do that on the Profiles > Groups > IPsec: Configure window.
Considerations for using third-party clients

There are several considerations regarding the use of third-party clients with the VPN Router:
• Client Dynamic Addressing—Many third-party clients now support the Aggressive mode method of establishing a security association.
• Load Balancing—Traditional load balancers often do not work with the IPsec protocol because of the security features on individual packets and separate key management and data channels. The VPN Router has built-in load balancing features for IPsec client terminations that allow two VPN Routers to load balance and fail over connections. This feature works with third-party clients.
(are correctly decrypted, and authenticated) are accepted; other packets are dropped. If any attempt is made to change the station address of the client, the tunnel is automatically closed. Third-party clients do not necessarily have this security.
• Tight integration with MS-DUN and IPASS—This allows one-click access that dials and authorizes the ISP connection and then creates the VPN connection automatically.
then select a default server certificate from the list. You configure servers from the System > Certificates window.
7 Select Profiles > Branch Office, click Edit, scroll down to the IPsec section and click Configure. The Branch Office window appears.
8 Select the encryption type supported by your third-party client.
9 Select Enable or Disable for the VendorID.
10 Set Perfect Forward Secrecy (PFS) to match the client side.
Figure 13 Split tunneling example

To configure the VPN Router as a user tunnel:
1 Select Profiles > Groups and click Add. Enter a group name of up to 64 characters (spaces are permitted); for example, Research and Development.
6 Selections in the Encryption fields depend on the type of encryption that your third-party client supports.
7 Enable Perfect Forward Secrecy (PFS). PFS ensures that if one key is compromised, subsequent keys are not compromised.
8 In the Forced Logoff dialog box, specify a time after which all active users are automatically logged off. The default is 0, which means the option is turned off. The possible range is 00:00:01 to 23:59:59.
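As an added example (not Nortel's or Cisco's code), the following Python parses the crypto section of an IOS configuration like the Cisco 2514 listing above into Phase 1 and Phase 2 parameters, compares them with the peer settings the SafeNet and VPN Router procedures set (pre-shared key, DES, MD5, Diffie-Hellman group 1, 3000 s; ESP tunnel mode; PFS), and reports the mismatches that produce the ISAKMP "No proposal chosen" message described in Appendix C. The IOS defaults it fills in (DES, SHA, RSA signatures, group 1, 86400 s; IPsec 3600 s, tunnel mode, no PFS) are the standard ones, and the sample configuration is constructed from the listing with the crypto map body reduced to its transform-set reference.

```python
"""Compare IKE Phase 1 / IPsec Phase 2 settings of two peers (added example,
not Nortel or Cisco code). parse_ios() reads the crypto lines of an IOS
configuration like the Cisco 2514 listing; defaults are the usual IOS ones
(isakmp: des/sha/rsa-sig/group 1/86400 s; ipsec: 3600 s, tunnel mode, no PFS).
"""
from collections import namedtuple

# IKE (ISAKMP) policy and IPsec ESP transform: the fields the appendix steps set.
Phase1 = namedtuple("Phase1", "auth encrypt hash_alg dh_group lifetime")
Phase2 = namedtuple("Phase2", "encrypt auth mode pfs lifetime")

P1_KEYS = {"hash": "hash_alg", "authentication": "auth", "encryption": "encrypt",
           "group": "dh_group", "lifetime": "lifetime"}


def parse_ios(text: str):
    """Extract (Phase1, Phase2) from the crypto lines of an IOS configuration."""
    p1 = {"auth": "rsa-sig", "encrypt": "des", "hash_alg": "sha", "dh_group": 1, "lifetime": 86400}
    p2 = {"encrypt": None, "auth": None, "mode": "tunnel", "pfs": False, "lifetime": 3600}
    section = None
    for raw in text.splitlines():
        words = raw.split()
        if not words or words[0] == "!":
            continue
        if words[:3] == ["crypto", "isakmp", "policy"]:
            section = "isakmp"
        elif words[:3] == ["crypto", "ipsec", "transform-set"]:
            section = "ipsec"
            for t in words[4:]:                  # e.g. esp-des esp-md5-hmac
                if t.startswith("esp-") and t.endswith("-hmac"):
                    p2["auth"] = t[4:-5]
                elif t.startswith("esp-"):
                    p2["encrypt"] = t[4:]
        elif words[:2] == ["crypto", "map"]:
            section = "map"
        elif section == "isakmp" and words[0] in P1_KEYS:
            key = P1_KEYS[words[0]]
            p1[key] = int(words[1]) if key in ("dh_group", "lifetime") else words[1]
        elif section == "ipsec" and words[0] == "mode":
            p2["mode"] = words[1]
        elif section == "map" and words[:2] == ["set", "pfs"]:
            p2["pfs"] = True
        elif section == "map" and len(words) == 5 and \
                words[:4] == ["set", "security-association", "lifetime", "seconds"]:
            p2["lifetime"] = int(words[4])
        elif words[0] == "crypto":
            section = None                       # some other crypto line
    return Phase1(**p1), Phase2(**p2)


def legacy_warnings(p1: Phase1, p2: Phase2):
    """DES, MD5 and DH group 1 (what the appendix procedures use), flagged if in use."""
    used = {p1.encrypt, p1.hash_alg, p1.dh_group, p2.encrypt, p2.auth}
    return sorted(str(x) for x in used & {"des", "md5", 1})


def explain_no_proposal(local, remote):
    """Mismatches between two (Phase1, Phase2) pairs; each is a cause of the
    ISAKMP 'No proposal chosen' message. Lifetimes are left out because peers
    generally settle on the shorter value."""
    (l1, l2), (r1, r2) = local, remote
    reasons = []
    for f in ("auth", "encrypt", "hash_alg", "dh_group"):
        if getattr(l1, f) != getattr(r1, f):
            reasons.append(f"phase1 {f}: local={getattr(l1, f)} remote={getattr(r1, f)}")
    for f in ("encrypt", "auth", "mode", "pfs"):  # Appendix C: PFS must match
        if getattr(l2, f) != getattr(r2, f):
            reasons.append(f"phase2 {f}: local={getattr(l2, f)} remote={getattr(r2, f)}")
    return reasons


# Constructed from the crypto lines of the Cisco 2514 listing; the crypto map
# body is reduced to the transform-set reference.
CISCO_2514 = """\
crypto isakmp policy 1
 hash md5
 authentication pre-share
 lifetime 3000
crypto isakmp key test address 8.1.10.42
crypto ipsec transform-set esp1 esp-des esp-md5-hmac
crypto map bay 11 ipsec-isakmp
 set transform-set esp1
"""

# The client/VPN Router side as the Appendix D steps set it: pre-shared key,
# DES, MD5, Diffie-Hellman group 1, 3000 s; ESP tunnel mode; PFS enabled.
ROUTER_SIDE = (Phase1("pre-share", "des", "md5", 1, 3000),
               Phase2("des", "md5", "tunnel", True, 3000))

if __name__ == "__main__":
    cisco = parse_ios(CISCO_2514)
    print(explain_no_proposal(ROUTER_SIDE, cisco), legacy_warnings(*cisco))
```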
Network addresses form the basis of the IPX internetwork addressing scheme for sending packets between network segments. Every network segment of an internetwork is assigned a unique network address by which routers forward packets to their final destination network. On the VPN Router, all public interfaces are treated as a single network segment with a unique network address.
Windows 95 and Windows 98

When running Windows 95 or Windows 98, load the intraNetWare* client, which is available from the Novell Web site: http://www.novell.com

Note: The NetWare client for Windows 95 and Windows 98 does not function properly; therefore, you must use the Novell intraNetWare client when using IPX with PPTP.
Figure 14 IPX topology

Note: The private LAN can also carry IP and IPX traffic simultaneously. The IP addresses are not shown in this figure.