Version 7.00. Part No. NN46110-500.
Copyright © 2007 Nortel Networks. All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc.
Nortel Networks Inc. software license agreement This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT.
Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license.
Contents
Preface 15
Before you begin 15
Text conventions 15
Acronyms

Chapter 2 Getting started 29
IP addressing 29
Management virtual address 31
Configuring MVA with the serial menu

Chapter 4 Configuring user tunnels 75
Configuring group characteristics 78
Setting up user tunnels 81
Configuring inverse split tunneling 85
Inverse split tunneling

Chapter 6 Configuring branch office tunnels 119
PPTP nested tunnels 123
DNS for branch office tunnel endpoints 124
VPN DNS 124
Round Robin DNS

Routing table changes 152
Initial contact payload (ICP) 153
Maximum roaming time 154
Persistent tunneling 155
Session persistence time

Figures
Figure 1 Typical PDN 26
Figure 2 VPN service models 27
Figure 3 Sample IP addressing scheme 30
Figure 4 MVA on separate subnet from private physical interfaces 32
Figure 5 MVA on same subnet as private physical interface
Figure 30 Roaming from behind NAT to behind NAT 150
Figure 31 Roaming from behind NAT to no NAT 151
Figure 32 Groups edit IPSec window

Tables
Table 1 Sample IP addressing associations 30
Table 2 Services supported on a multinetted interface 39
Table 3 Web interface configuration options 53
Table 4 Configuration checklist 53
Table 5 Subnet assignments
Preface This guide introduces the Nortel VPN Router. It also provides overview and basic configuration information to help you initially set up your Nortel VPN Router. Before you begin This guide is for network managers who are responsible for setting up and configuring the Nortel VPN Router. This guide assumes that you have experience with windowing systems or graphical user interfaces (GUIs) and familiarity with network management.
braces ({}) Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is ldap-server source {external | internal}, you must enter either ldap-server source external or ldap-server source internal, but not both.
brackets ([ ]) Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command.
separator ( > ) Shows menu paths. Example: Choose Status > Health Check.
vertical line ( | ) Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is terminal paging {off | on}, you enter either terminal paging off or terminal paging on, but not both.

Acronyms (continued)
NAT network address translation
NOC network operations center
NTP Network Time Protocol
NVR Nortel VPN Router
OSPF Open Shortest Path First
OSS operations support systems
PAP Password Authentication Protocol
PDN public data networks
POP point-of-presence
PPP Point-to-Point Protocol
PPTP Point-to-Point Tunneling Protocol
RSVP Resource Reservation Protocol
RIP Routing Information Protocol
SNMP Simple Network Management Protocol
UDP User Datagram Protocol

Related publications
For more information about the Nortel VPN Router, refer to the following publications:
• Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds.
• Nortel VPN Router Configuration — SSL VPN Services provides instructions for configuring services on the Nortel SSL VPN Module 1000, including authentication, networks, user groups, and portal links.

Hard-copy technical manuals
You can print selected technical manuals and release notes free, directly from the Internet. Go to the www.nortel.com/support URL. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe* Acrobat Reader* to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to Adobe Systems at the www.adobe.

• search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
• sign up for automatic notification of new software and documentation for Nortel equipment
• open and manage technical support cases

Getting help over the phone from a Nortel Solutions Center
If you do not find the information you require on the Nortel Technical Support Web site, and you have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
New in this release
The following sections detail what is new in Nortel VPN Router Configuration — Basic Features for Release 7.0.

Systemlog lifetime or disk size limit usage option
The VPN Router allows you to choose between setting a log file disk size limit or a log file lifetime for the Systemlog. Previous versions of the VPN Router only allowed the Systemlog to have a lifetime specified (default 60 days). If you need log records beyond whichever limit you choose, also forward the Systemlog to an external syslog server. For more information about the Systemlog lifetime and disk size limit option, see Step 5 in “Configuring system settings” on page 108.
Chapter 1 Overview This chapter introduces the Nortel VPN Router. The Nortel VPN Router is a family of products that deliver security and IP services in a single integrated platform. With IP routing, Virtual Private Networking (VPN), stateful firewall, policy management and QoS services, a single Nortel VPN Router device offers the IP services that normally require multiple purpose devices.
Nortel VPN Router access allows remote users to dial in to an Internet Service Provider (ISP) anywhere and reach corporate headquarters or branch offices. The Nortel VPN Router provides remote users access to corporate databases, mail servers, and file servers. Figure 1 shows a typical packet data network (PDN).
Figure 1 Typical PDN
The Nortel VPN Router allows ISPs to take over the role of point-of-presence (POP) providers of modem access.

Figure 2 VPN service models
The Nortel VPN Router uses a combination of authorization, authentication, privacy, and access control for each user.

Licensing features
License keys can be obtained through Nortel’s customer support. The Nortel VPN Router provides several license key options:
• Advanced Routing
• Nortel VPN Router Stateful Firewall
• VPN Tunnels
• Premium
• DSLw
• BGP only
The Advanced Routing License key must be installed to enable OSPF on the Nortel VPN Router. The Nortel VPN Router Stateful Firewall License key must be installed to enable the Nortel VPN Router Stateful firewall. Tunnel keys are specific to the Nortel VPN Router hardware model that you are using. Nortel VPN Router switches are manufactured to allow either access to the maximum number of tunnels (VPN bundle) or support for 5 tunnels (Base Unit). This feature offers reduced cost for users who want fewer tunnels.
Chapter 2 Getting started
This chapter describes methods for configuring and managing the Nortel VPN Router.
Note: If you are setting up a Nortel VPN Router 1010, 1050 or 1100, see Chapter 3, “Setting up the Nortel VPN Router 1010, 1050, and 1100.” These VPN Routers have unique setup and configuration considerations.
Figure 3 Sample IP addressing scheme (diagram: the Nortel VPN Router sits between a public data network of Class C subnetworks, mask 255.255.255.0, holding the existing public default gateway router and a web server, and a private network of Class A subnetworks, mask 255.0.0.0, holding the existing private default gateway router, the existing firewall and a DHCP server handing out 10.2.1.1 to 10.2.1.254; a remote user at 172.19.2.30 connects from the public side)

Table 1 Sample IP addressing associations (continued)
10.2.1.23 DHCP-assigned IP address for a remote user
10.8.4.6 Sample remote user static IP address: Profiles > Users Edit
10.2.4.56 Sample client-specified address: Profiles > Groups Edit IPsec/PPTP/L2TP/L2F

The Nortel VPN Router supports the Internetwork Packet Exchange (IPX) protocol. This allows the Nortel VPN Router to transmit and receive IPX packets over PPTP.

• Identification
• CRL Retrieval
• CMP
To enable or disable management protocols, go to the Services > Available window. From this window, you can also specify whether to manage the VPN Router from the public or private side. Allowing management from the public side exposes the management protocols to every host that can reach the public interface; where you can, manage the router over a tunnel from the public side (see Figure 6) and restrict the permitted source addresses as described in “Restricting management access by source IP.” To redistribute the MVA, go to the Routing > Policy window. Figure 4 shows MVA with the CLIP address on a subnet that is separate from any of the private physical interfaces.

Figure 5 MVA on same subnet as private physical interface
Figure 6 shows MVA using CLIP to manage from a remote PC tunneled from the public side.
Configuring MVA with the serial menu
To configure the MVA with the serial menu:
1 Connect the serial cable (supplied with your Nortel VPN Router) from the Nortel VPN Router serial port to a terminal or a communications port of a PC.
2 Power on the terminal or PC.
3 Using a terminal emulation program, such as HyperTerminal on the PC, press Enter.

Note: This administrator’s password is also the primary administrator’s password. This password guarantees access to the Nortel VPN Router through the serial port or a Web browser. This administrator’s user ID (default = admin) and password (default = setup) combination is also called the primary administrator. This person always has access to all windows and controls, including the serial port and the recovery disk. Only one primary administrator is allowed. Because this account always has full access, change the default password before you connect the router to any network you do not control.

7 Type M and press Enter to change the Management IP address. The current IP address appears. The Old Management IP Address field is blank on a new Nortel VPN Router.

Please select a menu choice (M, R): M
Type 0.0.0.0 to delete. Just type to skip.
Old Management IP Address = 192.168.249.44
New Management IP Address =

Configuring Interfaces
Use the following procedure to configure the interfaces of the system.

Utilized Channels (Fractional T1)
 1 2
 12345678902345678901234
 Currently=
R) Return to the Main Menu.
Please select a menu choice:

2 Select 0 and press Enter to enter the Slot 0, Port 1, Private LAN menu and add the interface IP address.

Please select a menu choice: 0
0) Slot 0, Port 1, Private LAN
IP Address = 47.17.163.163
Subnet Mask = 255.255.255.240
Speed/Duplex = AutoNegotiate
* Type 0.0.0.0 to delete.
* Just type to skip.
Old IP Address = 47.17.163.

7 Type E and press Enter to save the settings and exit. You can then manage the Nortel VPN Router from a Web browser.

Multinetting
IP multinetting allows a maximum of eight addresses to be configured on a single Ethernet interface. The first IP address configured on the interface is the primary address. Subsequent IP addresses are secondary addresses, or subnets. All the subnets on a physical interface share the security rules configured for the primary subnet, so a rule written for the primary address applies equally to traffic arriving on every secondary address of that interface.
Table 2 shows the services supported on a multinetted interface.

Table 2 Services supported on a multinetted interface
Nortel VPN Router Stateful Firewall: Supported at the interface level specified under the Primary address on the interface. The same rules apply to all other secondary addresses on the interface.
Authentication Protocols (RADIUS): Support for interface authentication at the interface level, as specified under the Primary address on the interface. The same rules apply to all other secondary addresses on the interface.
VRRP: Supported when the Primary address is used as the VRRP master/backup address. VRRP is not applicable on secondary addresses.

Figure 7 Deployment Scenario

Changing the management IP address
To manage the system, the network must have a route to the management IP address through one of the system interfaces. To change the management IP address, complete the following procedure:
1 Connect the serial cable (supplied with your Nortel VPN Router) from the Nortel VPN Router serial port to a terminal or a communications port of a PC.
2 Power on the terminal or PC.

• 1 stop bit
• No parity
• No flow control
The Welcome window appears and you are prompted to supply a user name and password.

Nortel VPN Router
Copyright (c) 1999-2007 Nortel Networks, Inc.
Version: V07_00.038
Creation date: Oct 11 2006, 09:52:35
Date: 10/13/2006
Unit Serial Number: 10167
Released Software, Fully supported

4 Enter the administrator's user name, admin.
5 Enter the administrator's password, setup.

The following menu appears:
Main Menu: System is currently in NORMAL mode.
Restricting management access by source IP
You can filter management access by source IP address. Access lists (ACLs) restrict which source IPs may connect for management purposes over HTTP, FTP, TELNET and SNMP. Management traffic is intercepted and, if the destination is System and the packet is for one of the four services above, the source IP address is matched against the ACL that is set for the particular service. An ACL limits who can reach a service; it does not protect the credentials, which HTTP, FTP, TELNET and SNMP send unencrypted, so combine source filtering with management over a secure tunnel wherever possible.

To set an ACL for TELNET, enter the following NNCLI command:
CES(config)#telnet access-list
To remove an ACL for TELNET, enter the following command:
CES(config)#no telnet access-list

To access ACLs from the GUI:
1 Select Services > Available. The Allowed Services window appears.
2 Select one of the predefined ACLs.
3 Click OK.
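The matching rule above is easy to state and easy to get subtly wrong in a rollout (an ACL on TELNET but none on HTTP, or an ACL applied to an address that is not a System address). The following is an added example, not Nortel code and not NNCLI syntax: it models the rule in Python so that a planned ACL set can be checked against sample packets before it is configured. The port numbers are the standard defaults for the four services (an assumption), and the System addresses, ACL contents and packets are constructed from the addresses used elsewhere in this chapter.

```python
"""Per-service management access list check, modelled in Python.

Added example, not Nortel code. Reproduces the rule in the text: a packet
whose destination is a System address and whose service is HTTP, FTP,
TELNET or SNMP is matched against the ACL set for that service. Assumes
the services run on their default ports; all data below is constructed.
"""
import ipaddress
from dataclasses import dataclass

# (transport, destination port) -> filtered service name. Assumed defaults.
FILTERED_SERVICES = {
    ("tcp", 80): "http",
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("udp", 161): "snmp",
}


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str   # "tcp" or "udp"
    dport: int


class ManagementAcl:
    """The router's own (System) addresses plus one ACL per service."""

    def __init__(self, system_addresses, acls):
        self.system = {ipaddress.ip_address(a) for a in system_addresses}
        # service name -> allowed source networks. A service with no entry
        # has no ACL set and is therefore reachable from any source address.
        self.acls = {
            svc: [ipaddress.ip_network(n, strict=False) for n in nets]
            for svc, nets in acls.items()
        }

    def decide(self, pkt):
        """Return (verdict, reason) for one packet arriving at the router."""
        if ipaddress.ip_address(pkt.dst) not in self.system:
            return "forward", "not addressed to System; management ACLs do not apply"
        svc = FILTERED_SERVICES.get((pkt.proto, pkt.dport))
        if svc is None:
            return "accept", "not one of the four filtered services"
        acl = self.acls.get(svc)
        if acl is None:
            return "accept", f"no ACL set for {svc}"
        src = ipaddress.ip_address(pkt.src)
        if any(src in net for net in acl):
            return "accept", f"{src} matches the {svc} ACL"
        return "drop", f"{src} is not in the {svc} ACL"

    def unrestricted_services(self):
        """Filtered services with no ACL at all: the gap to close first."""
        return sorted(set(FILTERED_SERVICES.values()) - set(self.acls))


# Constructed deployment: management address and private interface address,
# TELNET and HTTP restricted to the NOC subnet plus one admin host, FTP and
# SNMP left without an ACL.
ROUTER = ManagementAcl(
    system_addresses=["192.168.249.44", "47.17.163.163"],
    acls={
        "telnet": ["10.2.3.0/24"],
        "http": ["10.2.3.0/24", "10.8.4.6/32"],
    },
)

SAMPLE_PACKETS = [
    Packet("10.2.3.7", "192.168.249.44", "tcp", 23),   # NOC host, telnet
    Packet("10.2.1.23", "192.168.249.44", "tcp", 23),  # remote user, telnet
    Packet("10.2.1.23", "47.17.163.163", "tcp", 21),   # remote user, ftp (no ACL)
    Packet("10.2.1.23", "192.168.43.6", "tcp", 80),    # web server, not System
]


def audit(router=ROUTER, packets=SAMPLE_PACKETS):
    """Verdict per sample packet, plus the services still open to any source."""
    verdicts = [router.decide(p)[0] for p in packets]
    return verdicts, router.unrestricted_services()


if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        verdict, why = ROUTER.decide(pkt)
        print(f"{pkt.src:>12} -> {pkt.dst}:{pkt.dport}/{pkt.proto}  {verdict:8} {why}")
    print("services with no ACL:", ROUTER.unrestricted_services())
```

The third packet is the case to watch for: FTP is accepted from a DHCP-assigned remote user address simply because no FTP ACL was set, which is why `unrestricted_services()` is reported alongside the verdicts.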
3 Using a terminal emulation program, such as HyperTerminal on the PC, press Enter. The Welcome window appears and you are prompted to supply a user name and password.

Nortel VPN Router
Copyright (c) 1999-2007 Nortel Networks, Inc.
Version: V07_00.

5 Please enter the administrator's password: setup
Note: The factory default user name is admin and the default password is setup.
Note: This administrator’s password is also the primary administrator’s password. This password guarantees access to the Nortel VPN Router through the serial port or a Web browser. This administrator’s user ID (default = admin) and password (default = setup) combination is also called the primary administrator.

Interface Menu
0) Slot 0, Port 1, Private LAN
   IP Address = 47.17.163.163
   Subnet Mask = 255.255.255.240
   Speed/Duplex = AutoNegotiate
1) Slot 1, Port 1, Public LAN
   IP Address =
   Subnet Mask = 0.0.0.0
   Speed/Duplex = AutoNegotiate
2) Slot 2, Port 1, Public LAN
   IP Address =
   Subnet Mask = 0.0.0.0
   Speed/Duplex = AutoNegotiate
3) Slot 4, Port 1, Public WAN
   IP Address =
   Subnet Mask = 255.255.255.

8 Select 0 and press Enter to enter the Slot 0, Port 1, Private LAN menu and add the interface IP address.

Please select a menu choice: 0
0) Slot 0, Port 1, Private LAN
IP Address = 47.17.163.163
Subnet Mask = 255.255.255.240
Speed/Duplex = AutoNegotiate
* Type 0.0.0.0 to delete.
* Just type to skip.
Old IP Address = 47.17.163.163
New IP Address =

9 Enter a new IP address for the interface or press Enter to leave the current value. The subnet mask menu appears.
Using boot modes
The Nortel VPN Router can be booted in one of two system modes: Safe mode or Normal mode. Each mode has its own software image, configuration files, and LDAP database.
Note: The Nortel VPN Router 1010, 1050, and 1100 do not implement safe mode.
A system booted in Safe mode is only allowed to accept secured management tunnel establishment.

3 Enter the system default login and password in lowercase characters, as follows:
Login: admin
Password: setup
At this point, follow the Quick Start Configuration procedure or the Guided Configuration procedure. Refer to Table 3 on page 53 for help in determining which procedure to use.

Preparing for configuration
To properly prepare for configuration of the Nortel VPN Router, you should have the following items available:
• A plan to distribute IP addresses to clients when connections are requested; for example, via a DHCP server or an internal client address pool (with an address pool you need a range of IP addresses).
• An Authentication database.

• Manufacturer of device as well as firmware version, throughput, and any special configuration requirements for any devices on the network. If you assign static IP addresses to any of these devices, record them and a brief explanation of why they required static addresses. Include brief explanations with the layout.
• Domain architecture, including the existing domain hierarchy, names, and addressing scheme.
Table 4 Configuration checklist (continued)
Window: System > Identity
Window: System > LAN
Window: System > WAN (if using T1, V.

Table 4 Configuration checklist (continued)
Windows: Servers > Radius Auth; Servers > LDAP; Servers > User IP Addr
Values required (record your values alongside each):
Access (enabled or disabled)
Server-Supported Option (enabled or disabled)
Radius Servers (enabled or disabled)
Primary host name or IP addresses, public or private, Port, Shared secret/confirmed
Alternate 1 host name or IP addresses, public or private, Port, Shared secret/confirmed
Alternate 2 host name or IP addresses, public or pri

Table 4 Configuration checklist (continued)
Window: Admin > License Keys (Install License Keys). Values required: Advanced routing install key; Nortel VPN Router Stateful Firewall install key.
Window: Admin > Auto Backup. Values required: Automatic Backup file servers; IP address of FTP servers for backup: Host, Path, User ID, Password. Note that FTP carries the user ID, the password and the backed-up configuration in the clear, so place the backup server on a trusted network that the router reaches without crossing the public side.

Welcome window
The Welcome window allows access to any of the configuration areas for the Nortel VPN Router.

• Click on Guided Config to begin the Guided Configuration. This option allows access to all Configuration Management facilities. The design and structure of the Guided Configuration, however, is such that you might want to follow the top-to-bottom layout provided. This approach walks you through the entire navigational menu from the Profiles to the Admin selections.
Chapter 3 Setting up the Nortel VPN Router 1010, 1050, and 1100
This chapter provides instructions for the network administrator who is responsible for the Nortel VPN Router 1010, 1050, and 1100 located at branch office sites. If you are at a branch office site and you need to connect the Nortel VPN Router 1010, 1050, or 1100 to the network, see “Connecting for Internet access” on page 67. (This information was also included with the VPN Router.)
Figure 8 Default configuration
By default, the Nortel VPN Router 1010, 1050, and 1100 are configured with the following parameters:
• The DHCP server is configured on the switch’s private interface, with a default range of 192.168.1.3/24 to 192.168.1.255/24. By default, 192.168.1.1 and 192.168.1.2 are assigned to the branch office switch’s private and management interfaces, respectively.

Branch office quick start utility
The branch office quick start utility (BOQS) simplifies deployment of the Nortel VPN Router in the branch office environment. BOQS converts the Nortel VPN Router 1010, 1050, or 1100 device from an Internet access VPN Router into a secure access VPN Router by provisioning a VPN connection to a central office or, optionally, to a network operations center (NOC).

After the VPN services are provisioned, branch office networks are logically connected to a central office network or to a NOC network. Branch office end users can rerun BOQS multiple times to restore the initial VPN configuration or to fix data errors. BOQS supports two network topologies:
• Enterprise topology, where the network operations center is located within the central office.

• Set the Text Pre-Shared Key to the same name as the central office tunnel password.
• Set Dynamic Routing to enabled.
• Set RIP to enabled.
After the central office setup and the BOQS are complete, the Nortel VPN Router 1010, 1050, or 1100 is directly accessible from the central office. This means that there is just one hop between the central office and the branch office.

Every Nortel VPN Router 1010, 1050, and 1100 must have a distinct IP address that is visible from the NOC subnet. A NOC can assign any address reachable from a NOC network to a Nortel VPN Router 1010, 1050, or 1100. BOQS configures NAT on the NOC tunnel to translate the address specified in the “Branch office switch manage NAT IP address” and “management address from branch office private subnet” fields.

Deployment procedure
The following sequence of events illustrates the deployment procedure.
• Factory configured Nortel VPN Router 1010, 1050, and 1100 boxes are shipped directly to the end customer.
• A provisioning worksheet is either sent or faxed from the network operations center separately from the device.

Table 6 contains the BOQS parameters.
Table 6 BOQS parameters
Central office tunnel configuration
Central office tunnel name: Name of the branch office tunnel on the central office switch.
Central office tunnel password: Password for the branch office tunnel.
Central office public IP address: Public address of the central office switch (same for all branch offices).

Branch office quick start template
The branch office quick start template provides a list of values that the local Nortel VPN Router 1010, 1050 or 1100 users will need to enter on the BOQS window. See Appendix A, “Branch office quick start template,” for a copy of the template.
• Power cord
• AC to DC external power supply
• Molded serial cable RJ-45 to DB9
• Ethernet crossover cable (Nortel VPN Router 1010 only)
• Nortel VPN Router CD (Note: the documentation on this CD is for reference only)

Cable the VPN Router and turn the power on
To set up your Nortel VPN Router 1010, 1050, or 1100:
1 Connect a PC to the LAN 0 (private) port located on the front panel of the VPN Router.

7 Press the power switch to the “on” position and wait for the VPN Router to boot.
Note: The boot process can take as long as 3 minutes.

Make sure that your PCs can obtain IP addresses automatically
By default, the DHCP server is enabled on the private side of the VPN Router to assign IP addresses to the PCs that you connect to the LAN 0 ports.
1 Make certain that each PC is configured to obtain its IP address automatically.

• If your ISP uses static IP addressing, go to “Static IP instructions” on page 71.
Note: If you complete the steps in the appropriate section and your VPN Router is not up and running, contact the service provider or company that provided the VPN Router.

6 Set the Administrative State option to Enabled.
7 From the Interface Filter list, choose permit all. This is the least restrictive interface filter; revisit it once the tunnel has been provisioned.
8 Click on OK.
9 Locate the provisioning worksheet sent by the company or provider that sent you the VPN Router.
10 Enter the following URL in your browser window: http://192.168.1.2/manage/qs.pyc.
11 Click on Manage Switch, and then type admin and setup as the user name and password.

12 In the Gateway Address field, type the default route address that the ISP provided.
13 Click on OK.
14 Locate the provisioning worksheet sent by the company or provider that sent you the VPN Router.
15 Enter the following URL in your browser window: http://192.168.1.2/manage/qs.pyc.
16 Click on Manage Switch, and then type admin and setup as the user name and password.
17 Follow the instructions on the window that appears.

• Numerous text files
You can store two software images on the flash disk at the same time. Operational changes for the compact flash disk are:
• The config file is saved every minute and the past three versions are kept.
• The config file is only written when the configuration changes.
• The on-disk system log (syslog) is not supported. However, you can configure an external syslog server.
Chapter 4 Configuring user tunnels The Nortel VPN Router uses the Internet and tunneling protocols to create secure connections. The following sections describe configuring the tunnel portion of the Nortel VPN Router. The configuration process includes setting up the authentication table and specific tunnel parameters, such as IPsec encryption, L2TP access concentrators, and L2F network access servers.
The Nortel VPN Router associates all remote users with a group, which dictates the attributes that are assigned to a remote user session. A group can even consist of a single user, thereby creating a personal connection. The Nortel VPN Router organizes groups in a hierarchical manner. At the top of the hierarchy is the base group. The base group \Base contains the default characteristics that each new group inherits.

For example, \Base is the base group, Research and Development and Finance are child groups of the base group, and they are parent groups to groups below them. Groups are collections of users with the same access attributes and rights. If all users have identical characteristics, then only one group is necessary. You create multiple groups when you need different attributes.

Configuring group characteristics
In addition to assigning users to groups and providing authentication access, you can configure other group characteristics:
1 Go to the Profiles > Groups window and click on the Edit button next to the group that you want to configure.
2 Under the Connectivity section, click on the Configure button to change any of the group characteristics.

• Maximum password age is the time after which the login password expires. The Maximum Password Age range is from 0 (no password expiration) to 180 days (6 months). Default is 30 days. Users receive a warning that the password will expire each time they log in for two days prior to the expiration date. They also receive three warnings before access is denied.

Port, and TCP Connection establishment. Go to the Profiles > Filters window to create tunnel filters.
13 Select Enable to enable IPX support for the group.
14 Enter the maximum number of PPP links in the Maximum Number of Links field that you want the Nortel VPN Router to support. The range is 1 to 5; default is 1. The Multilink PPP (MP) implementation allows tunneling multilink connections to the Nortel VPN Router when the tunneling is being done by the ISP.

c Choose an Excess Action for traffic handling, either Drop or Mark. You can also choose Define new bandwidth rate to select a new bandwidth rate.
20 You can configure the TunnelGuard settings by referring to Nortel VPN Router Configuration — TunnelGuard.
A group inherits attributes from its parent group.
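Two of the points above are worth seeing in code: how an attribute set on \Base flows down to a grandchild group unless an intermediate group overrides it, and how the Maximum Password Age value (0 to 180 days, 0 meaning no expiration, with a warning in the two days before expiry) translates into a login decision. The following is an added example, not code from the Nortel guide or product. The attribute names, the sample group tree and the dates are constructed; the way the "three warnings before access is denied" rule is counted is an assumption of the example, since the guide does not describe the mechanism.

```python
"""Group hierarchy with inherited attributes and a password-age check.

Added example, not Nortel code. Models the structure in the text: every
group hangs under \\Base, a child inherits any attribute it does not set
itself, and the effective Maximum Password Age governs a user's login.
Attribute names, the tree and the dates are constructed; counting three
post-expiry warnings before denial is an assumption of this example.
"""
from datetime import date, timedelta

# Valid ranges taken from the configuration steps above.
LIMITS = {
    "max_password_age": (0, 180),   # days; 0 means no expiration
    "max_links": (1, 5),            # Multilink PPP links
}


class Group:
    def __init__(self, name, parent=None, **overrides):
        for key, value in overrides.items():
            if key in LIMITS:
                lo, hi = LIMITS[key]
                if not lo <= value <= hi:
                    raise ValueError(f"{key}={value} outside {lo}..{hi}")
        self.name, self.parent, self.overrides = name, parent, dict(overrides)
        self.children = []
        if parent is not None:
            parent.children.append(self)

    def path(self):
        """Backslash path as the guide writes it, e.g. \\Base\\Finance."""
        return self.name if self.parent is None else self.parent.path() + "\\" + self.name

    def effective(self):
        """Walk to the root; the nearest group that sets a key wins."""
        attrs = {} if self.parent is None else self.parent.effective()
        attrs.update(self.overrides)
        return attrs

    def source_of(self, key):
        """Which group actually sets this attribute (useful when auditing)."""
        g = self
        while g is not None:
            if key in g.overrides:
                return g.path()
            g = g.parent
        raise KeyError(key)


def password_status(group, last_changed, today, warnings_given=0):
    """Return "ok", "warn", "expired" or "denied" for a user in `group`."""
    max_age = group.effective()["max_password_age"]
    if max_age == 0:
        return "ok"                       # 0 = no password expiration
    expires = last_changed + timedelta(days=max_age)
    if today > expires:
        # Assumption: three warned logins are allowed after expiry, then denial.
        return "expired" if warnings_given < 3 else "denied"
    if today >= expires - timedelta(days=2):
        return "warn"                     # two days before the expiration date
    return "ok"


# Constructed hierarchy mirroring the guide's example groups.
BASE = Group("\\Base", max_password_age=30, max_links=1, ipx=False, split_tunneling=False)
RND = Group("Research and Development", BASE, max_links=2)
FINANCE = Group("Finance", BASE, max_password_age=60)
RND_LAB = Group("Lab", RND, ipx=True)


def demo():
    """Effective attributes of the grandchild group plus password-age verdicts."""
    d0 = date(2006, 10, 13)   # the date shown in the sample login banner
    return {
        "lab_path": RND_LAB.path(),
        "lab_attrs": RND_LAB.effective(),
        "lab_age_source": RND_LAB.source_of("max_password_age"),
        "finance_ok": password_status(FINANCE, d0 - timedelta(days=10), d0),
        "base_warn": password_status(BASE, d0 - timedelta(days=28), d0),
        "base_expired": password_status(BASE, d0 - timedelta(days=31), d0),
        "base_denied": password_status(BASE, d0 - timedelta(days=31), d0, warnings_given=3),
    }


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
    try:
        Group("Bad", BASE, max_password_age=365)
    except ValueError as err:
        print("rejected:", err)
```

`source_of()` is the method to reach for when a group behaves unexpectedly: it tells you whether the value in force was set on the group itself or silently inherited from \Base.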
1 Choose Services > Available.
2 Select the tunnel type.
3 Select the Management Protocol for the Nortel VPN Router’s private interface.
4 Use the RADIUS check boxes to permit RADIUS requests on the public and private interfaces of the Nortel VPN Router. If you enable RADIUS traffic, you must also enable RADIUS on the Services > RADIUS window.
Configuring the Nortel VPN Router tunneling protocol settings depends on the tunnel type.
2 After selecting a group, you must click on Display to view the group members. This allows you to quickly change from viewing one group to another. The last names and first names of the selected group’s users appear, sorted by last name.
3 Click on Add to add a user to the group; the Add User window appears.
Static IP Address option in the Profiles > Groups > Connectivity option (it is only used if the group allows it). If an IP address that is entered here is used instead of a DHCP server-assigned IP address, then only one login is allowed.
6 Enter the subnet mask. Assigning the correct subnet mask to a remote IPsec client is important when using split tunneling.
• LDAP search allows you to enter any LDAP database attribute that belongs to the person, organizationalPerson, or inetOrgPerson object classes (for example, cn=common name or sn=surname) to generate the associated user’s profile. Refer to your LDAP vendor’s documentation for complete details.
The security of a mandatory tunnel is partially compromised by the addition of inverse split tunneling in a way similar to that of split tunneling. However, inverse split tunneling (Figure 11) does have a significant security advantage over split tunneling in that you specify the network resources that are allowed outside the tunnel. Split tunneling allows access to any network resource outside of specified split tunnel networks.
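To make that difference concrete, the following Python model (an added illustration, not Nortel code) classifies destinations under the four Split Tunneling options this chapter names, including the 0.0.0.0/0 wildcard that the next subsection uses to request auto-detection of directly connected subnets. The matching rules, the treatment of the wildcard, and the sample addresses are assumptions drawn from the text, not the router's implementation.

```python
"""
Model of the Nortel VPN Router split tunneling modes described in this
chapter. Added illustration, not Nortel code: which destinations leave the
tunnel is inferred from the text and is an assumption about router behaviour.
"""
from ipaddress import ip_address, ip_network
from typing import Iterable, List

DISABLED = "Disabled"                                   # mandatory tunnel
ENABLED = "Enabled"                                     # classic split tunneling
INVERSE = "Enabled - Inverse"
INVERSE_LOCAL = "Enabled - Inverse (locally connected)"

# The page configures auto-detection of directly connected subnets by adding
# a 0.0.0.0/0 entry to the Inverse Split Tunnel Networks.
WILDCARD = ip_network("0.0.0.0/0")


def goes_through_tunnel(dst: str, mode: str, split_nets: Iterable[str] = (),
                        inverse_nets: Iterable[str] = (),
                        local_subnets: Iterable[str] = ()) -> bool:
    """Return True when traffic to dst is carried inside the IPsec tunnel.

    split_nets     Split Tunnel Networks (used only in classic Enabled mode)
    inverse_nets   Inverse Split Tunnel Networks (used only in inverse modes)
    local_subnets  the client's directly connected subnets; consulted only
                   when the mode is the locally connected variant or the
                   inverse list carries the 0.0.0.0/0 wildcard (assumption)
    """
    addr = ip_address(dst)
    if mode == DISABLED:
        return True
    if mode == ENABLED:
        # Only the listed networks are tunneled; every other destination,
        # including the client's home LAN and the Internet, bypasses the tunnel.
        return any(addr in ip_network(n) for n in split_nets)
    if mode in (INVERSE, INVERSE_LOCAL):
        nets = [ip_network(n) for n in inverse_nets]
        auto_local = mode == INVERSE_LOCAL or WILDCARD in nets
        if auto_local and any(addr in ip_network(n) for n in local_subnets):
            return False
        # The wildcard itself never matches a destination: it requests
        # auto-detection, it does not open the whole Internet (assumption).
        return not any(addr in n for n in nets if n != WILDCARD)
    raise ValueError(f"unknown split tunneling mode: {mode!r}")


def exposed_outside_tunnel(dsts: Iterable[str], mode: str, **policy) -> List[str]:
    """Destinations a client in this mode reaches outside the tunnel; this is
    the set an administrator should review, since IPsec does not protect it."""
    return [d for d in dsts if not goes_through_tunnel(d, mode, **policy)]


if __name__ == "__main__":
    # Constructed sample: corporate network 10.0.0.0/8, a client on a home
    # LAN 192.168.1.0/24 that also talks to a public web server.
    sample = ["10.1.2.3", "192.168.1.5", "203.0.113.7"]
    print("Enabled        :",
          exposed_outside_tunnel(sample, ENABLED, split_nets=["10.0.0.0/8"]))
    print("Enabled-Inverse:",
          exposed_outside_tunnel(sample, INVERSE, inverse_nets=["192.168.1.0/24"]))
```

With classic split tunneling the home LAN and the public server are both reachable outside the tunnel; with inverse split tunneling only the explicitly listed home LAN is.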
To select the split tunneling mode in which you wish to operate, the Split Tunneling drop-down menu has been extended with two new options: Enabled – Inverse and Enabled – Inverse (locally connected). The default remains Disabled.
Inverse split tunneling
Using the 0.0.0.0/0 subnet wildcard
The option to perform auto-detection of directly connected local subnets is configured by adding a subnet of 0.0.0.0 with a 0.0.0.
Figure 12 Edit > IPsec page for wildcard
2 Select Enabled - Inverse or Enabled Locally Connected from the Split Tunneling menu. The Split Tunneling menu is used to select the tunneling mode that is used by the selected group. Table 7 shows the options.
3 Select None from the Split Tunnel Networks menu.
4 Select a network from the Inverse Split Tunnel Networks menu.
5 Go to the bottom of the page and click OK.
Configuring tunneling modes using the CLI
The tunneling mode is selected in the CLI using the following commands after entering group ipsec configuration mode.
Chapter 5 Configuring the system
This chapter describes how to configure various system-level features:
• LAN interfaces
• WAN interfaces
• 802.1q VLAN subinterfaces
• MTU and TCP MSS
• Circuitless IP
• Asynchronous data over TCP
• NTP
• Safe mode configuration
• Proxy ARP
Configuring the system identity
Each Nortel VPN Router is uniquely identified by the system's address and domain name system (DNS) name.
1 Enter a Management IP Address for the system. You need this address to contact all system services, such as HTTP, FTP, and SNMP. To be accessible, the Management IP Address must map to the same network as one of the private interfaces. For example, if you plan to assign IP address 10.2.3.3 with the subnet mask 255.255.0.0 to the private physical interface, the Management IP Address must reside in the 10.2.x.x network.
10 Click on OK. The Nortel VPN Router checks all of the DNS addresses to see if they respond and then provides an operational or error status. The ISP Provided Server is not user configurable; it is provided by the ISP. The ISP may assign more than one DNS server, but only one of them (the primary) is shown on the window.
Setting up LAN interfaces
The LAN interface that is available on the system board is configured to be private by default.
A host can send only enough packets to a public interface to establish a tunnel connection. If the tunnel is not established before a preset maximum number-of-packets-allowed counter is reached, then the packets from that host are discarded. Public indicates that this interface is attached to a public data network like the Internet.
• From the Select Protocol list, select the tunneling protocol to use: IP is the standard Internet Protocol, and Point to Point Protocol over Ethernet (PPPoE) allows PPP to run over Ethernet.
Note: You cannot use dynamic routing on PPPoE interfaces. DHCP is configured by default on the Nortel VPN Router 1010, 1050, and 1100, so you must first select Cancel Acquisition and then select PPPoE from the Select Protocol menu. You can use PPPoE on only one interface at a time.
Additional fields appear on the Edit LAN Interface window for optional network cards. LAN represents the physical port interface to which you assign an IP address. Slot n Interface n represents an optional LAN card in expansion Slot n using Interface n.
1 Under the Configuration section, use the Speed/Duplex field to automatically or manually configure the LAN interface’s port speed and mode.
4 The MAC Pause (Ethernet packet flow control) section enables the Nortel VPN Router to automatically adjust and control the flow of incoming and/or outgoing packets from any standard speed LAN device. Check to enable MAC Pause (frame-based flow control) on the selected interface port. When enabled, specify the appropriate Pause parameters to be set in the hardware.
5 Specify a value for MAC Pause Ticks.
6 Select a value from the Free Receive FIFO Threshold list.
To add an IP address:
1 Click the Add Multinet button on the LAN Interfaces window. Figure 14 on page 98 shows the LAN > Interfaces window. From this window you can add, modify, or delete a multinet address using the GUI. The Interface Filter option is not available for the secondary addresses.
Figure 14 LAN > Interfaces window
Note: Each interface has an Add Multinet button.
Figure 15 LAN Interfaces > Add IP Address window
2 Enter an IP address in the IP Address text box.
3 Enter a subnet mask in the Subnet Mask text box.
4 Click OK.
To delete an IP address:
1 From the LAN Interfaces window, select the secondary IP address to delete.
2 Click Delete.
Note: Secondary subnets can be deleted without having any effect on one another. To delete the primary subnet, first remove all the secondary subnets.
Configuring multinetting using the CLI
Table 8 shows the command syntax for configuring multinetting using the CLI.
Table 9 displays the command syntax for configuring OSPF.
Table 9 Configuring OSPF over a secondary address
Command description                              Command syntax
Set the OSPF priority on a secondary address     CES(config-if)# ip ospf priority <0-255>
Reset the OSPF priority on a secondary address   CES(config-if)# no ip ospf priority
Set the OSPF MD5 key on a secondary address      CES(config-if)# ip ospf message-digest-key md5
Reset the OSPF MD5 key on a secondary address
Table 10 Configuring RIP over a secondary address
Command description                                    Command syntax
Disable importing of default routes using RIP          CES(config-if)# no ip rip import-default
Enable RIP poison reverse on a secondary address       CES(config-if)# ip rip poison-reverse
Disable RIP poison reverse on a secondary address      CES(config-if)# no ip rip poison-reverse
Set the RIP receive version on a secondary address     CES(
The MSS should be 40 bytes less than the largest packet the implementation can reassemble.
5 Interface filter shows whether or not the Nortel VPN Router Firewall is in use (this reflects the selection on the Services > Firewall window). This entry also shows the interface filter that is currently being used by the Nortel VPN Router Firewall.
Asynchronous data over TCP
Asynchronous data over TCP (AOT) is a protocol that enables transport of asynchronous data packets over a TCP/IP network. A TCP packet is decapsulated and the data is then forwarded through the synchronous driver to the asynchronous device or host. The asynchronous protocol is used for communication between an alarm device and an alarm host on a slow speed serial line.
3 Select Public or Private for Service.
4 Click the Connection Originator to enable.
5 Specify the Peer IP address.
6 Specify the Local IP address.
7 Specify the Port Number, a value in the range 1000-9999.
8 Set the maximum Number of Ticks for the character idle time out, up to 60. The minimum idle time is one tick of the system clock, which is 16.6 milliseconds. The configuration allows selection of 1 to 60 ticks.
NTP supports the 2007 Daylight Saving Time change in the United States and various Canadian provinces. In 2007, Daylight Saving Time begins at 2 a.m. on the second Sunday in March and ends at 2 a.m. on the first Sunday in November.
To configure NTP:
1 Click on the Enable check box.
2 If you want the Nortel VPN Router to listen for and respond to broadcast messages, check the Synchronize time with NTP Broadcast Server box.
5 Click on the Return to the Date and Time window link to return to the previous window.
Configuring system settings
The Nortel VPN Router can be booted in one of two system modes: safe mode or normal mode. Each mode has its own software image, configuration files, and LDAP database. A system booted in safe mode only accepts secured management tunnel establishment.
• Serial Menu (default). In this mode, a standard menu interface is presented. You can use an application such as HyperTerminal, when directly connected to the Nortel VPN Router, to access the menu interface. The Nortel VPN Router uses the COM port for a serial menu terminal session. The Nortel VPN Router serial port baud rate is 9600 by default. When you change the serial interface baud rate, you must press the Reset button.
— 2400
— 1200
— 600
— 300
— 150
d Data, Parity, and Stop apply only when AoT is selected.
e Enter the Modem Initialization string. Refer to the manufacturer’s documentation to learn the vendor-specific character initialization string. If you pre-configure the modem and use the Nortel VPN Router default initialization string (ATZ), you get the best results.
Using proxy ARP
You can configure the Nortel VPN Router to respond to ARP requests on any of its physical interfaces. The Nortel VPN Router responds to the following types of routes:
• User tunnels are routes created for user tunnels. This entry is enabled by default and cannot be changed.
• Branch office tunnels are routes available through branch office connections. This option is disabled by default.
Using the SSH server to allow secure sessions
You can enable an SSH server to allow secure CLI sessions, such as telnet, to the NVR. You also have the option of enabling the private and public interface filters, setting the port for the SSH server, and restarting the server. You can use either the NVR GUI or CLI to configure the SSH server. SSHv1 clients are not supported on the SSH server.
Configuring the SSH server
To set the parameters for the SSH server:
1 Select Services > Available. The Allowed Services page appears as shown in Figure 18 on page 114.
Figure 18 Allowed Services window
2 In the Port text box, enter the SSH server port number.
Note: If an SSL VPN card exists in the NVR, the port for the SSH server cannot be 22.
3 To enable filters, select either the Public or the Private check box.
4 Click OK.
Using the CLI for SSH server
Defining an SSH server (CLI)
To configure an SSH server on the Nortel VPN Router, from CLI Global Configuration Mode, enter:
ssh-server {port | private | public }
or
no ssh-server { private | public }
where:
• portnum—specifies the SSH server port
• private—enables private interface filters on the specified SSH server port
• public—enables public interface filters on the specified SSH server port
For example, enter:
CES(config)#
Displaying the current settings for the SSH server
To display the current settings for the SSH server, from CLI Global Configuration Mode, enter:
show ssh-server { port | state }
where:
• port—shows the SSH server port
• state—shows the state (enabled or disabled) of the SSH server
For example, to display the current SSH server port for the Nortel VPN Router, enter:
CES(config)# show ssh-server port
For example, to display the state (enabled or disabled) of the
Restricted product - export license requirement
This product incorporates encryption technology that is highly restricted and can require an export license from the US Department of Commerce, Bureau of Export Administration, prior to international shipment. A product that incorporates encryption with a key length up to 56 bits can be eligible for international shipment pursuant to a license exception.
Chapter 6 Configuring branch office tunnels The branch office feature allows you to configure a secure tunnel connection between two private networks. Typically, one private network is behind a locally configured Nortel VPN Router while the other is behind a remote Nortel VPN Router. Branch office configuration allows you to configure the accessible subnetworks behind each Nortel VPN Router.
Figure 19 Typical branch office environment (figure: a Boston Gateway and a Cleveland Gateway connected across the PDN by a Triple DES tunnel with Pre-Shared Key bostoncleveland; the private subnets shown are 172.17.20.x, 172.17.21.x, 192.149.20.x and 192.149.21.x, each with mask 255.255.255.0; one side is labelled Access Hours: 9-5 and permit only dns/http)
Figure 20 Branch-to-branch with a firewall and a router (figure: a PC on the private LAN, a firewall, a router and a Nortel VPN Router on the public LAN, the PDN, and a second Nortel VPN Router on the public WAN side; the numbered interactions are listed below)
In the branch-to-branch illustration, the following interactions take place with a Nortel VPN Router:
1 The PC sends packets to the default route (the firewall).
2 The firewall redirects the packets to the local Nortel VPN Router branch office connection.
Figure 21 Indirectly connected branch offices (figure: Boston, New York and Cleveland connected through the PDN; each site lists its local networks and the remote networks reachable through the tunnels, drawn from 172.17.20.0, 172.17.21.0, 192.149.20.0 and 192.149.21.0, all with mask 255.255.255.0)
PPTP nested tunnels
Nested tunnels allow you to create a PPTP end user tunnel inside an IPSec branch office tunnel or an asynchronous branch office tunnel. You can have a nested tunnel from within the private network or from the public side. A nested tunnel from within the private network allows an end user to originate a PPTP connection from a client PC located on the private network.
DNS for branch office tunnel endpoints
When configuring branch office tunnels with the Nortel VPN Router, you can enter a DNS name for the tunnel endpoint. The Nortel VPN Router uses domain name address resolution to resolve the actual IP address of the endpoint. The Nortel VPN Router client already supports this ability.
Figure 22 VPN DNS
When you configure an initiator for an asynchronous branch office tunnel, you can use a domain name of a remote peer instead of the IP address.
1 Go to Profiles > Branch Office.
2 In the Connections section, click on Select next to the connection that you want to configure.
3 Click on Configure to go to the Connection Configuration window.
A DNS server will be aware of all the IP addresses that correspond to a particular domain name. When a user requests a lookup for that domain, the DNS will provide all the known addresses in a random order. The user can pick one of the addresses to communicate with the service. The Nortel VPN Router always uses the first address provided. If the first address is unresponsive, the Nortel VPN Router performs a new query.
branch offices are configured to use a domain name as a remote endpoint of the ABOT tunnel. When two initiators at the remote sites need to establish a tunnel, a DNS query resolves the configured domain name ces.lab.com to the IP address. DNS returns 1.2.3.4 and 5.6.7.8 for branch one and 5.6.7.8 and 1.2.3.4 for branch two using Round Robin DNS. The initiator at branch office one uses 1.2.3.4 as a remote point because it was the first response in the list.
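As an added illustration (not Nortel code) of the selection rule just described, the following Python model pairs a constructed round-robin resolver for ces.lab.com with an initiator that always takes the first answer and issues a new query when that address is unresponsive. The resolver class, the reachability callback standing in for the tunnel setup attempt, and the query limit are assumptions.

```python
"""
Model of how an ABOT initiator picks its remote endpoint from a Round Robin
DNS answer. Added illustration, not Nortel code; the resolver, the
reachability check and the addresses are constructed for the example.
"""
from typing import Callable, Iterable, List, Optional


class RoundRobinResolver:
    """Constructed stand-in for a DNS server that rotates the answer order
    on every query, as Round Robin DNS does."""

    def __init__(self, name: str, addresses: Iterable[str]):
        self.name = name
        self._addresses = list(addresses)
        self._offset = 0
        self.queries = 0           # lets a caller see how many lookups happened

    def query(self, name: str) -> List[str]:
        """Return every known address, starting one position later each time."""
        self.queries += 1
        if name != self.name:
            return []              # unknown name: empty answer
        n = len(self._addresses)
        answer = [self._addresses[(self._offset + i) % n] for i in range(n)]
        self._offset = (self._offset + 1) % n
        return answer


def select_endpoint(resolver: RoundRobinResolver, name: str,
                    reachable: Callable[[str], bool],
                    max_queries: int = 4) -> Optional[str]:
    """Mimic the router: take the first address in the answer; if it is
    unresponsive, issue a new query instead of walking the rest of the list.
    Returns the address that answered, or None when every attempt failed."""
    for _ in range(max_queries):
        answer = resolver.query(name)
        if not answer:
            return None
        first = answer[0]
        if reachable(first):
            return first
    return None


if __name__ == "__main__":
    # Constructed: the page's two addresses for ces.lab.com; branch one and
    # branch two each query once, so round robin hands them different firsts.
    dns = RoundRobinResolver("ces.lab.com", ["1.2.3.4", "5.6.7.8"])
    print("branch one uses", select_endpoint(dns, "ces.lab.com", lambda a: True))
    print("branch two uses", select_endpoint(dns, "ces.lab.com", lambda a: True))
```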
The Nortel VPN Client supports dynamic DNS registration. The Client Dynamic DNS Registration setting on the Profiles > Groups > Edit > IPsec window enables you to select whether to enable or disable DDNS. It is enabled by default. You can use this parameter only with the Nortel VPN Client. Also, your DNS server must support Dynamic DNS and be configured to allow Dynamic DNS registration.
Figure 25 Setting up a branch office configuration (table: settings for the configuration example, listing for each step which management page to use and what to do on the Boston and Cleveland sides; step 1, Profiles > Branch Office: add a group for the connection, /Base/boston and /Base/cleveland, then review the Connectivity settings and the Tunnel Type settings (IPsec on both sides) using the Profiles > Groups > Edit button; step 2, Profiles > Branch Office > Configure Connection: Name the Connecti
Adding a group
To create a new group:
1 Select Profiles > Branch Office.
2 In the Groups section, click Add. The Add Group window appears.
3 Enter a name and then select the parent group whose attributes the new group inherits; for example, /Base. The group name can be a maximum of 64 characters (spaces are permitted).
Configuring a tunnel connection
To configure a connection:
1 On the Profiles > Branch Office window, select the button next to the connection name and click on Configure. The Connection Configuration window appears.
2 Select the Tunnel Type for the connection from the list. The default type is IPsec. Click the drop-down list and select either IPsec, PPTP, or L2TP.
6 Click the Filters drop-down list and choose the filter that you want this branch office connection to use. The default is permit all. You can specify one filter. Packet filtering controls the types of access allowed for users of this branch connection. Filters are based on various parameters, including protocol ID, direction, IP addresses, source, port, and TCP connection establishment. Filters are defined on the Profiles > Filters window.
network, select it from the list and the Connection Configuration window appears. These networks have been previously set up on the Profiles > Networks window.
13 To add Remote Networks, click the Add button to go to the Add Networks window and add the remote networks for the branch office configuration. Remote networks are the subnetworks on the private network of the remote VPN Router.
Figure 26 Sample branch office configuration
As the administrator of a branch office connection, you can manage the level of access that you give to users of the connection. You specify when the connection is used, what operations can be done through the connection, and which systems on the private networks can be accessed.
• The Profiles > Filters window must have the filters that you want to use for the branch office connection. For the example, the local Nortel VPN Router uses a filter of permit only dns/http, and the remote Nortel VPN Router uses permit all.
12 Click on the Test button on each end of the tunnel to verify connectivity.
13 Try to ping from one PC to the other PC through the branch office.
Chapter 7 Configuring control tunnels Control tunnels are special tunnels that allow you to securely manage a Nortel VPN Router over the Internet. The primary reasons for creating control tunnels are secure management and network data integrity. Control tunnels provide secure access to a customer’s remote Nortel VPN Router so that you can manage it over a network.
Figure 27 Branch office control tunnel (figure: VPN Servers 1 through 6 at remote sites connect through control tunnels to a Network Operations Center that hosts a VPN Server, RADIUS Server, FTP Server, SNMP Trap Host and Web Client)
Control tunnel types
There are two types of control tunnels: a branch office control tunnel and a user control tunnel. With both tunnel types, you can establish a secure IPsec tunnel to a system that you want to manage.
Figure 28 Sample control tunnel environment
Branch office control tunnels allow anyone on the configured network to communicate with the Nortel VPN Router being managed. This allows a Nortel VPN Router to communicate with various systems within a company’s network operations center or corporate headquarters (the Cleveland private network). A user control tunnel allows a Nortel VPN Client to communicate with a Nortel VPN Router that is being managed.
In this environment, the remote Boston Nortel VPN Router has a control tunnel to the local Cleveland Nortel VPN Router. From any system on the Cleveland network, you can access the management address for the Boston Nortel VPN Router. This allows systems on the Cleveland network to initiate management operations on the Boston Nortel VPN Router, such as HTTP, FTP, and Telnet.
To create a nailed-up control tunnel using the nailed-up parameter:
1 Go to the Profiles > Branch Office window and click on Edit next to the group that you want to have nailed up.
2 On the Edit Group window, in the Connectivity section click Configure.
3 On the Connectivity window, when you click on the Configure button next to the Nailed Up field, a drop-down list gives you the option to select Enabled or Disabled.
1 Initiate a Telnet session to the customer’s Nortel VPN Router.
2 Enter the appropriate control create string, following the required control create parameters already described. A sample string follows:
control create boston bostoncleveland 132.19.2.20 132.19.2.30 192.168.2.3 192.168.20.0 255.255.255.0
Management Only (a special control tunnel filter) is used by default with control tunnels to maximize security.
3 To view Help, enter control help create.
3 Enter a name and then select the parent group whose attributes the new group inherits; for example, /Base. The group name can be a maximum of 64 characters (spaces are permitted). The new group inherits the attributes (for example, Access Hours) of its parent group, which are then used by the branch office connection. Click OK. The Branch Office window returns.
Configuring a control tunnel connection
To configure a Control Tunnel connection:
On the Connection Configuration window, you enter required configuration information for the local branch office connection, for example, static routing and the IPsec tunnel type.
1 On the Profiles > Branch Office window, select the button next to the connection name and click on Configure. The Connection Configuration window appears.
• In the remote endpoint address field, enter the address of the remote Nortel VPN Router (for example, 132.19.2.30) that you want to form the opposite end of the branch office connection. For Initiator connection types, you can enter the DNS host name.
6 Click the Filters drop-down list and choose the filter that you want this branch office connection to use. The default is permit all. You can specify one filter.
12 Click Create Local Network to go to the Profiles > Networks window and define a local network. The local networks are the subnetworks on the private internal network of the local VPN Router. If you want to edit an existing local network, select it from the list and the Connection Configuration window appears. These networks have been previously set up on the Profiles > Networks window.
Chapter 8 Configuring IPSec mobility and persistent mode
A large number of companies choose to secure access to their corporate networks via VPN using the IPSec protocol. IPSec allows corporate employees located outside the corporate network to establish a secure tunnel to a private corporate network through the Internet. With the growing popularity of wireless access, it is important to have the ability to move freely among multiple networks without losing a secure connection.
Figure 29 Example configuration
One solution to this problem is to use mobile IP technology (described in RFC 3344) to maintain IPSec connections. In this configuration, the IP address of the mobile machine does not change when it moves from a home network to a foreign network. Each mobile node is always identified by its home address, regardless of its current point of attachment to the Internet.
IPSec mobility on Nortel VPN Router
Nortel VPN Router provides a new concept of IPSec mobility. The Nortel VPN Router IPSec implementation allows support for mobile clients to maintain tunnel connectivity while roaming from one access point to another. It maintains TCP-based applications and provides minimum disruptions to UDP-based applications.
The Nortel VPN Client status monitor reports if roaming is enabled for the session. The event log on the Nortel VPN Router reports on IPSec mobility actions.
IPSec mobility and NAT
If the Nortel VPN Client is behind a NAT box with NAT traversal enabled and UDP encapsulation of the ESP protocol is used, UDP encapsulation is preserved after roaming.
Roaming from behind NAT to no NAT
In Figure 31, before roaming the client was connected through AP1 and a NAT box and had the IP address IP1. After roaming, the client is connected through AP2 without NAT, and UDP encapsulation will be used.
Figure 31 Roaming from behind NAT to no NAT
Roaming from no NAT to behind NAT
Before roaming, the client had access through AP2, and after roaming through AP1 and a NAT box, a situation that is the reverse of the one in Figure 31.
IPSec mobility in NAT environment
In some situations, roaming in an environment with NAT devices might prevent users from taking full advantage of the IPSec mobility feature. Table 11 lists configuration caveats that increase roaming effectiveness in a NAT environment.
When operating in IPSec mobility mode with split tunneling enabled, the Nortel VPN Client does not consider the routing table to be maliciously altered and will not bring down the tunnel in the following cases:
• IP address change for any adapter
• Adapter has been removed
• Adapter is plugged in and connects
Initial contact payload (ICP)
If the Nortel VPN Client fails to notify the Nortel VPN Router of the logoff or tunnel termination due to n
Maximum roaming time
Maximum roaming time is the time used by the Nortel VPN Client to keep the tunnel from going down after the IP address on the physical interface (on which the tunnel was brought up) has been lost. For example, if you move from area 1 (AP1) to area 2 (AP2) and the IP address on the interface is lost, it could take some time to establish contact with AP2 in area 2.
Persistent tunneling
A persistent VPN connection provides the ability to maintain a VPN connection without user intervention for a designated period of time. After successfully establishing a tunnel session to the Nortel VPN Router, the Nortel VPN Client makes every attempt to maintain a viable VPN connection.
Session persistence time should be longer than the roaming time as persistence starts only after roaming fails. There is no direct relation between persistence and any other timers on the Nortel VPN Router. However, the Nortel VPN Client will not enter persistence mode if the previous log off happened due to a log off message received from the Nortel VPN Router. This allows you to force a rogue user log off any time even when persistence is on.
Figure 32 Groups edit IPSec window
2 Scroll down to Mobility Support and select Enabled. The default is Disabled.
3 For Max Roaming Time (seconds), enter the number of seconds. The default is 120 seconds. Maximum roaming time (1-7200 seconds) specifies how long the tunnel should stay in the suspended state, or the time allowed for the roaming to take effect.
IPSec mobility operates at a higher level than the physical adapters. As a result, the PC on which the Nortel VPN Client runs can change between any physical adapters (wireless or wireline), and roaming will continue to work as long as there is IP connectivity between the Nortel VPN Router and the client with the newly acquired address/interface.
To enable IPSec mobility:
CES(config-group/ipsec)#mobility enable
To disable IPSec mobility:
CES(config-group/ipsec)#no mobility enable
To enable persistence:
CES(config-group/ipsec)#persistence enable
To disable persistence:
CES(config-group/ipsec)#no persistence enable
To change the maximum roaming time to, for example, 210 seconds:
CES(config-group/ipsec)#max-roamingtime 210
To change the persistence time to, for example, 1000 minutes:
CE
To view the IPSec configuration for the group, for example Base:
CES(config)#show groups ipsec "/Base"
IPSEC Settings:
Rekey Timeout : 08:00:00
Rekey Data Count : 0
Perfect Forward Secrecy : Enabled
Banner : Not Configured
Domain name : Not Configured
Display Banner : Disabled
Compression : Enabled
Primary DNS Address : 0.0.0.0
Primary WINS Address : 0.0.0.0
Secondary DNS Address : 0.0.0.0
Secondary WINS Address : 0.0.0.
Configured
Client web page Saver Password Required : Disabled
Client screen Saver Activation Time : 5
Client Policy : Not Configured
Client Policy : Not Configured
LDAP Authentication - User Name and Password : Enabled
LDAP Authentication - RSA Digital Signature : Enabled
LDAP Authentication - Default Server Certificate : Not Configured
External Authentication - User Name and Password : Disabled
External Authentication - Security Dynamics SecurID
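As an added example that is not part of the Nortel manual or its software: a small Python audit script that parses the "Key : Value" lines of the show groups ipsec output and checks the Chapter 8 timer rule, namely that the persistence time (minutes) must outlast the maximum roaming time (seconds, 1-7200), because the client only enters persistence after roaming fails. The sample output is constructed; the row labels used for the mobility and persistence settings (Mobility Support, Max Roaming Time, Persistence, Persistence Time) are assumed names, since that part of the output does not appear on this page.

```python
"""Added example (not Nortel code): audit a VPN Router group's IPsec settings.

Parses the "Key : Value" lines that `show groups ipsec "/<group>"` prints and
checks the timer rule from Chapter 8: the client enters persistence only after
roaming fails, so the persistence time must exceed the maximum roaming time.
"""
import re

# Limits stated in the manual: Max Roaming Time is 1-7200 seconds, default 120.
ROAMING_MIN_S = 1
ROAMING_MAX_S = 7200
ROAMING_DEFAULT_S = 120

# Constructed sample output. The first rows copy the shape of the real output;
# the mobility/persistence row labels are ASSUMED, not taken from the manual.
SAMPLE_SHOW_OUTPUT = """\
IPSEC Settings:
Rekey Timeout : 08:00:00
Rekey Data Count : 0
Perfect Forward Secrecy : Enabled
Compression : Enabled
Primary DNS Address : 0.0.0.0
Mobility Support : Enabled
Max Roaming Time : 210
Persistence : Enabled
Persistence Time : 1000
"""

# One setting per line: label, a colon, value. Labels contain no colon; the
# value is everything after the first colon (it may itself contain colons,
# e.g. the 08:00:00 rekey timeout).
_SETTING = re.compile(r"^\s*(?P<key>[^:]+?)\s*:\s*(?P<val>.*?)\s*$")


def parse_show_ipsec(text):
    """Return {label: value} for every setting line. Section titles such as
    'IPSEC Settings:' carry no value and are skipped."""
    settings = {}
    for line in text.splitlines():
        m = _SETTING.match(line)
        if m and m.group("val"):
            settings[m.group("key")] = m.group("val")
    return settings


def check_mobility_timers(settings):
    """Return a list of findings (an empty list means the timers are consistent).

    Rules applied:
      * Max Roaming Time must lie within 1-7200 seconds.
      * If persistence is enabled, the persistence time (minutes) converted to
        seconds must be longer than the roaming time.
    """
    findings = []
    if settings.get("Mobility Support", "Disabled") != "Enabled":
        return findings  # roaming/persistence timers are irrelevant

    roaming_s = int(settings.get("Max Roaming Time", ROAMING_DEFAULT_S))
    if not ROAMING_MIN_S <= roaming_s <= ROAMING_MAX_S:
        findings.append(
            f"Max Roaming Time {roaming_s}s is outside {ROAMING_MIN_S}-{ROAMING_MAX_S}s")

    if settings.get("Persistence") == "Enabled":
        if "Persistence Time" not in settings:
            findings.append("Persistence enabled but no Persistence Time shown")
        else:
            persist_s = int(settings["Persistence Time"]) * 60  # minutes -> seconds
            if persist_s <= roaming_s:
                findings.append(
                    f"Persistence time {persist_s}s does not outlast roaming "
                    f"time {roaming_s}s; persistence only starts after roaming fails")
    return findings


if __name__ == "__main__":
    parsed = parse_show_ipsec(SAMPLE_SHOW_OUTPUT)
    for problem in check_mobility_timers(parsed) or ["timers consistent"]:
        print(problem)
```

Run it against captured output of the show command for each group that has Mobility Support enabled; a non-empty findings list identifies groups where a roaming client would be logged off before persistence could take over.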
Chapter 8 Configuring IPSec mobility and persistent mode NN46110-500
Appendix A Branch office quick start template
The branch office quick start template provides a list of values that the local Nortel VPN Router 1010/1050/1100 users need to enter on the BOQS window. You can enter the appropriate values in the right-hand column and then fax, send, or e-mail the template to the local user, along with any other information they may need, such as whom to contact for further information or questions.
Glossary
acknowledgement (ACK) A type of message sent to indicate that a block of data arrived at its destination without error.
address masks IP addresses used to represent a series or range of IP addresses.
authentication A security procedure where a user verifies his identity before accessing networks protected by a firewall.
bandwidth The difference between the highest and lowest frequencies of a transmission channel; amount of data that can be sent through a given communications circuit.
Diffie-Hellman A key agreement algorithm that does key establishment, not encryption. However, the key it produces may be used for encryption, for further key management, or any other cryptography.
digital certificate A certificate document in the form of a digital data object to which is appended a computed digital signature value that depends on the data object.
distinguished name (DN) An identifier that uniquely represents an object in the X.500 Directory Information Tree. An X.
firewall A collection of hardware and software components that controls communication between two networks, such as a private network and the Internet. All information passed between the two networks must pass through the firewall. The firewall allows only authorized traffic to pass between the networks.
VPN Router A communications device or program that passes data between networks having similar functions but dissimilar implementations.
IP address The identifiers used by the protocols that govern Internet information exchange. The Internet Network Information Center assigns these numbers to uniquely identify different machines on the Internet.
IPsec A tunneling protocol that offers a strong level of encryption and integrity protection. It uses digital certificates, password-based keys, and tokens for authentication.
management IP address The IP address that is used to manage all system services from a Web browser, such as HTTP, FTP, and SNMP. This address must be accessible from one of the switch's private physical interfaces. To be accessible, the Management IP Address must map to the same network as one of the private interfaces.
media access control (MAC) address The hardware address of a device connected to a shared medium.
Point-to-Point Protocol (PPP) A protocol that provides a method for transmitting packets over serial point-to-point links.
Point-to-Point Tunneling Protocol (PPTP) A tunneling protocol that is used as a security tool.
port A transport layer demultiplexing value. Each application has a unique port number associated with it.
Routing Information Protocol (RIP) A distance vector, as opposed to link state, routing protocol.
RSA digital signature A public-key cryptographic system that may be used for encryption and authentication.
server A provider of resources, such as file servers and name servers.
Simple Network Management Protocol (SNMP) The Internet standard protocol developed to manage nodes on an IP network.
A method used by RIP in which a new routing table is sent almost immediately after a routing change has been made. This is in contrast to the poison reverse method, in which routes are updated after a cost of infinity is reached, a process that can take much time.
User Datagram Protocol (UDP) An Internet standard transport layer protocol. It is a connectionless protocol that adds a level of reliability and multiplexing to IP.
Index A C access hours 78, 81, 119 call admission priority 78 accessible networks 120, 121 asymmetric branch office tunnel (ABOT) 119 asynchronous data over TCP (AOT) 105 authentication branch office 132, 145 authentication methods 119 B base group 76 branch office access hours 119 authentication 132, 145 authentication methods 119 configuring 119 encryption settings 121 indirectly connected switches 121 routing 132, 145 sample configurations 120 sample procedure 133 branch office quick start 61 p
password 51 default route branch office 121 DHCP client 94 DNS branch office tunnel endpoints 124 host name 92 round robin DNS 125 Dynamic DNS (DDNS) 127 E encryption settings for branch office 121 F FIPS overview 28 firewall branch office 120 interaction with branch office 121 license key 28 flash disk system compressed files 72 forwarding priority 78 G getting started 91 group associations 77 guided configuration requirements 57 I idle timeout 79 indirectly connected switches 121 inheritan
filter 95 Internet domain 92 inverse split tunneling 85 IP address assigning 29 currently assigned 95 IPSec mobility configuring 156 logging 149 IPX 31 ISP tunnels 75 L LAN card 96 LAN interfaces 93 last name search 84 LDAP attribute search 85 license keys advanced routing 27 firewall 27 tunnel 27 licenses 56 log file configuration 110 life time 110 login 51 M MAC Pause 97 management Nortel VPN Router 56 management IP address 41, 92 Multinetting 97 Nortel VPN Router Configuration — Basic Featur
N navigational menu 57 nested tunnels 123 Network Address Translation (NAT) 122 Network Time Protocol (NTP) 106 Nortel VPN Router 1010/1050/1100 branch office quick start 61 compact flash disk 72 default configuration parameters 60 ISP environment 63 setting up 67 P password 51 Peer to peer 131, 144 persistent tunneling 89, 155 port speed 96 private LAN 93 proxy ARP 111 public data network (PDN) 94 publications hard copy 20 Q Quick Start 56 R register 56 relative distinguished name 77 remote
S Safe mode 50, 108 search for users 84 serial interface 31, 45 services 56 split tunnel 76, 84 subnet mask 95 subnetworks 119 Switch concepts 25 Symmetric Branch Office tunnel 119 system identity 91 T technical publications 20 template 67 terminal emulator 34, 41, 45 tunnel license key 28 tunnel types 82 tunnels, configuring 75 U Uniform Resource Locator (URL) 50 user ID search 84 user control tunnel serial interface 146 user groups adding 82 searching 84 user profile adding 82 user tunnels 81
W Web browser interface 50 Web interface options 53 Welcome display 56