Bay Networks Bay Dial VPN Configuration And Troubleshooting Manual Download Page 85 | Manualshive

Page: 85 / 186

Bay Networks Bay Dial VPN Configuration And Troubleshooting Manual Download Page 85

Configuring TMS Using Local RADIUS

115623B Rev. 00

BayStream Multiservice Software Version 7.2

6-5

Handling Access Messages

When it receives an incoming call, the NAS issues a standard access-request
message to the RADIUS server. The server determines that this is a tunnel user by
processing the Username and Called-Number attributes. If no match for the
domain or user name in the TMS database, the server returns an access-reject
message to the NAS.

If the server finds a match in its TMS database, it returns an access-accept
message. This message contains the following attributes for the RADIUS
message:

•

User name -- the original contents of the user field

•

Tunnel-type -- DVS or L2TP (required); for Dial VPN, this must be DVS.

•

Tunnel-media-type -- IP

•

Tunnel-server-endpoint --the server address and outbound line identifier

•

Authentication-server -- the remote authentication server(s) for this user

•

Accounting-server -- the remote accounting server(s) for this user

Using RADIUS Accounting

The NAS logs the tunnel-bound link sessions to the local provider’s RADIUS
server. This information does reflect the usage of the NAS ports, but it is different
from the customer (that is, the user’s home network) information, in that it may
not reflect link aggregation, and it is not based on remote user information.

The gateway generates its own accounting information, based on the traffic seen at
the gateway and reports this data to the customer’s RADIUS server.

The server that authenticates the tunnel also tracks resource usage through the
accounting messages it receives. The RADIUS client also preserves the Class
attribute and sends it in accounting start and stop messages to identify allocated
sessions. The user session’s authorization information flows from the customer
RADIUS server return message. The local tunnel client does not have the
validated user indentification until after the tunnel is formed.

«
...
83
84
85
86
87
...
»

Summary of Contents for Bay Dial VPN

Page 1: ...February 1998 Remote Annex Software Version 14 1 BayStream Multiservice Software Version 7 2 BayStream Site Manager Software Version 7 2 Configuring and Troubleshooting Bay Dial VPN Services DVS ...

Page 2: ... RAC Remote Annex System 5000 and the Bay Networks logo are trademarks of Bay Networks Inc Microsoft MS MS DOS Win32 Windows and Windows NT are registered trademarks of Microsoft Corporation All other trademarks and registered trademarks are the property of their respective owners Statement of Conditions In the interest of improving internal design operational function and or reliability Bay Netwo...

Page 3: ...therwise disclose to any third party the Software or any information about the operation design performance or implementation of the Software and user manuals that is confidential to Bay Networks and its licensors however Licensee may grant permission to its consultants subcontractors and agents to use the Software at Licensee s facility provided they have agreed to use the Software only in accord...

Page 4: ...manuals will cease being effective at the date of expiration of the Bay Networks copyright those restrictions relating to use and disclosure of Bay Networks confidential information shall continue in effect Licensee may terminate this license at any time The license will automatically terminate if Licensee fails to comply with any of the terms and conditions of the license Upon termination for any...

Page 5: ...twork 1 6 Customer Premise Equipment CPE 1 6 RADIUS Authentication Server 1 7 Dial VPN Network Planning Worksheet 1 7 At the Dial VPN Service Provider s Site 1 8 For Each Destination Site 1 9 For Each Remote Node 1 10 Additional Planning Information 1 11 Where to Go Next 1 11 Chapter 2 Dial VPN Network Concepts What is Tunneling 2 1 Implementing Dial VPN at Your Site 2 2 How Tunnel Management Work...

Page 6: ...n Information 3 2 Additional Configuration Considerations 3 3 Configuring the IP Interface 3 3 Configuring the Dial VPN Network Software 3 4 Configuring Local Authentication Using the ACP 3 5 Chapter 4 Configuring the Remote Annex Installing and Configuring the Annex Software 4 2 Loading Software and Booting the Annex 4 7 Configuring Active RIP 4 8 Defining Routes 4 8 Configuring the Annex to Adve...

Page 7: ...Setting Up Dial VPN to Use IPX 8 3 Configuring the Dial In Node for IPX 8 3 Configuring the Network Access Server for IPX 8 4 Configuring IPX on the CPE router with Site Manager 8 5 Configuring the CPE Router Frame Relay Connection with IPX 8 7 Configuring Standards Based IPX IPXCP 8 8 Configuring IPX on the Customer Network RADIUS Server 8 8 Chapter 9 Requirements Outside the Dial VPN Network Con...

Page 8: ...e Problems 11 8 Getting a Snapshot of the Current Status 11 9 Troubleshooting Specific Protocols 11 15 Troubleshooting a Site Manager Problem 11 15 Troubleshooting Remote Annex Problems 11 16 Tracing a Packet s Path at the Remote Annex 11 22 Troubleshooting Tunnel Problems 11 24 Appendix A Additional Planning Information Appendix B Syslog Messages Remote Annex Syslog Messages B 1 TMS Syslog Messag...

Page 9: ...115623B Rev 00 BayStream Multiservice Software Version 7 2 ix Configuring Active RIP C 9 Defining Routes C 9 Configuring the Annex to Advertise RIP Updates C 9 Glossary Index ...

Page 10: ...x BayStream Multiservice Software Version 7 2 115623B Rev 00 ...

Page 11: ...Encapsulation and Decapsulation Process 2 14 Figure 2 5 Sending a Packet to a Remote Node 2 17 Figure 2 6 Static Routes from a CPE Router to a Dial VPN Gateway 2 18 Figure 6 1 Simplified Dial VPN Network 6 2 Figure 6 2 Message Exchanges Supporting RADIUS TMS Operations 6 4 Figure 8 1 Dial VPN Network Using IPX 8 2 Figure 9 1 Static Route Between the CPE Router and the Gateway 9 2 Figure 10 1 Dial ...

Page 12: ......

Page 13: ...nts 6 10 Table 11 1 Problem Symptoms and Likely Causes 11 6 Table 11 2 Remote Annex Troubleshooting Chart 11 17 Table A 1 Network Information Worksheet A 1 Table B 1 Remote Annex Syslog Messages Relevant to Dial VPN B 1 Table B 2 TMS Syslog Messages B 4 Table C 1 Configuring Dial In Ports Quick2Config Annex C 2 Table C 2 Configuring Dial In Ports Using Annex Manager C 3 Table C 3 Setting Remote An...

Page 14: ......

Page 15: ...tabase for an erpcd based network Chapter 5 Configure the tunnel management database for a RADIUS only network Chapter 6 Configure the gateway Chapter 7 Configure IPX as the routing protocol Chapter 8 Configure the Bay Dial VPN requirements outside the service provider network Chapter 9 Manage a Bay Dial VPN services network Chapter 10 Troubleshoot a Bay Dial VPN services network Chapter 11 Consid...

Page 16: ...dinfo command Example ATM DXI Interfaces PVCs identifies the PVCs button in the window that appears when you select the Interfaces option from the ATM DXI menu brackets Indicate optional elements You can choose none one or all of the options ellipsis points Horizontal and vertical ellipsis points indicate omitted information italic text Indicates variable values in command syntax descriptions new ...

Page 17: ...DTE data terminal equipment DLCI Data Link Control Interface DNIS domain name information server erpcd expedited remote procedure call daemon FTP File Transfer Protocol GRE Generic Routing Encapsulation protocol GUI graphical user interface IETF Internet engineering task force IP Internet Protocol IPCP Internet Protocol Control Protocol IPX Internet Packet Exchange protocol IPXCP Internet Packet E...

Page 18: ... Go to support baynetworks com library tpubs Find the Bay Networks products for which you need documentation Then locate the specific category and model or version for your hardware or software product Using Adobe Acrobat Reader you can open the manuals and release notes search for the sections you need and print them on most standard printers You can download Acrobat Reader free from the Adobe Sy...

Page 19: ...y Networks Technical Solutions Centers Region Telephone number Fax number United States and Canada 800 2LANWAN then enter Express Routing Code ERC 290 when prompted to purchase or renew a service contract 978 916 8880 direct 978 916 3514 Europe 33 4 92 96 69 66 33 4 92 96 69 96 Asia Pacific 61 2 9927 8888 61 2 9927 8899 Latin America 561 988 7661 561 988 7550 Technical Solutions Center Telephone n...

Page 20: ...y Networks products Training programs can take place at your site or at a Bay Networks location For more information about training programs call one of the following numbers Region Telephone number United States and Canada 800 2LANWAN then enter Express Routing Code ERC 282 when prompted 978 916 3460 direct Europe Middle East and Africa 33 4 92 96 15 83 Asia Pacific 61 2 9927 8822 Tokyo and Japan...

Page 21: ... secure virtual direct pathway between two endpoints The process of encapsulating and decapsulating the datagram is called tunneling and the encapsulator and decapsulator are considered the endpoints of the tunnel In this case a tunnel is the pathway between the network access server NAS that receives the remote user s call and the gateway that connects to the remote user s home network through a ...

Page 22: ...ayStream Site Manager All the features of Remote Annex and of BayStream are available on your Dial VPN system How a Dial VPN Network Functions Any authorized remote user using a PC or dial up router who has access to a phone line and a modem can dial into your network through Dial VPN A remote node can be an individual user dialing in using IP or IPX or a dial up router using IP using either a pub...

Page 23: ...y ISP by calling a phone number associated with that destination network The network access server handles the call The service provider s network uses a standard IP connection between the remote access server shown here as a 5393 module in a 5000 MSX chassis and the gateway A frame relay PVC and a static route must exist between the gateway and the customer premise equipment CPE router to provide...

Page 24: ...hey essentially provide a checklist of components that you may want to have in your Dial VPN network Remote Dial In Node s Remote nodes can be laptop PCs portable hosts or dial up routers using PPP for dial up connections The portable host must have PPP client software and a TCP IP or IPX protocol stack loaded Dial VPN supports either dial up IP or IPX over PPP for dial in PC clients and IP over P...

Page 25: ...he endpoint of the IP routed tunnels that transport GRE encapsulated packets originated by remote nodes and encapsulated by the NAS The gateway also connects to the frame relay network between the service provider s network and the user s home network The gateway is the data terminal equipment DTE for frame relay PVCs connecting to multivendor RFC 1490 compliant routers on the customer premises by...

Page 26: ...S database The NAS and the RADIUS server communicate using IP over the service provider network The TMS database lets the NAS query for the addressing information it needs to construct the IP tunnel This query is based on the user domain name and on the policy and state information of the enterprise customer account when the remote user dials in As a Dial VPN network administrator you must provide...

Page 27: ... virtual circuit towards the CPE which receives the authentication request and forwards it to the RADIUS server Once the user is authenticated the RADIUS server grants access to the remote node by returning an authentication accept packet with RADIUS authorization information to the gateway through the CPE The gateway then forwards the user authorization to the NAS which initiates an IP tunnel to ...

Page 28: ...nnex 6300 5393 ___ Remote Access Concentrator 8000 5399 What is the IP address of the network port on the NAS _____________________________________________________ What type of Bay Networks gateway platform are you using ___ ASN ___ BCN ___ BLN or BLN 2 ___ 5380 in a System 5000 MSX chassis On the gateway what is the IP address of the gateway interface to your IP network __________________________...

Page 29: ...IP address ____________________________________________ If this is an erpcd based configuration on what UNIX workstation do the TMS and the local authentication server ACP reside name __________________________________________________ IP address ____________________________________________ If this is a RADIUS only configuration list the IP address of the RADIUS TMS server name ____________________...

Page 30: ... static route between the CPE router and the RADIUS client on the gateway What is the IP address of the RADIUS client to which you want to configure the static route _______________________________________ What is its subnet mask ________________________________________ For the static route between the CPE router and the remote node What is the IP address of the RADIUS client to which you want to ...

Page 31: ...ot have enough information yet to complete this table but if you fill it in as you go along it will provide documentation for your network You may also find this information useful when changing or troubleshooting your network Where to Go Next For a description of how a packet moves through a Dial VPN network and other background information that can help you visualize the data flow through the ne...

Page 32: ......

Page 33: ...change data with their corporate home network Regardless of where a remote node is located it can dial in to its Dial VPN service provider and connect to the home network What is Tunneling Tunneling is a way of forwarding multiprotocol traffic and addresses from remote nodes to a corporate network through a Dial VPN service provider s IP backbone network GRE is the tunneling mechanism It takes an ...

Page 34: ...h of the packet through the tunnel and the BAYDVS service provider network is the ISP network Figure 2 1 The Path of a Packet Implementing Dial VPN at Your Site To implement Dial VPN at your site first connect and configure the components to ensure proper operation The steps that follow suggest a possible order for configuring your network For detailed information on each of these steps refer to C...

Page 35: ...intermediate nodes For installation and startup information refer to the hardware documentation for each device Establish a remote connection between a gateway on the Dial VPN network and a CPE router on the home network using frame relay 2 Install the Tunnel Management System Annex and for the erpcd based solution Access Control Protocol software on the UNIX host that serves as the load host for ...

Page 36: ... the TMS database Refer to Chapter 5 for more information When configuring the TMS you can choose either local or remote authentication For both the erpcd based and RADIUS only solutions Dial VPN uses remote authentication that is a RADIUS server on the customer s home network provides authentication and assigns IP addresses 7 Configure the gateway including the RADIUS client using Site Manager Co...

Page 37: ...st as the Annex erpcd and Access Control Protocol ACP software TMS verifies that the user at the remote node is a Dial VPN user If the domain portion of the username exists in the TMS database ACP increases the number of current users by one and sends a Grant message to the Remote Annex The Grant message contains the tunnel addressing information needed to send a packet from the remote node to the...

Page 38: ... 5 for more information about the contents of the TMS database How the TMS Database Works The TMS database by default UNIX ndbm resides in the Tunnel Management Server which resides on the service provider s network The main function of this database is to verify the username or domain information supplied by the NAS It also supplies the NAS with the tunnel addressing information in the Grant mess...

Page 39: ...ests one Based on RFC 1541 and its extensions DHCP not only provides a scalable method of dynamically allocating IP addresses to remote users it also provides a way of managing the IP addresses dynamically assigned to dial in users The Bay Networks implementation of DHCP supports Standard DHCP operation as described in RFC 1541 Interoperation with standard DHCP servers Use of both primary and seco...

Page 40: ...dware address The DHCP server leases an IP address to each dial in user and dynamically maintains a table that links a user s IP and MAC addresses For users who need a fixed IP address a network manager can also specify a permanent assignment A single NAS can communicate with and maintain DHCP leases with up to as many DHCP servers as there are ports on the NAS up to 48 or 62 depending on the mode...

Page 41: ...Req Auth Req CHAP completion Connect NCP negotiation Disconnect Terminate msg MIP authentication request Open Communication MIP registration request MIP DAA response Acct Start Acct Stop MIP terminate request MIP terminate response Auth Resp w info MIP registration response DHCP Server RADIUS Server DVS0009B MIP authentication response MIP DAA request DHCP response ack DHCP discover request Acct R...

Page 42: ...n of the connection RADIUS also maintains a database of assigned addresses This prevents duplicate assignments if the server fails When the connection ends the released IP address returns to the pool at the end of the assignment queue To implement dynamic IP address allocation Dial VPN requires that the program BaySecure be installed on the RADIUS server on the customer s home network BaySecure is...

Page 43: ...nnections does not exceed the maximum number of users allowed If the user is not a tunnel candidate the NAS first treats the request as a proxy RADIUS request and attempts to authenticate this user in the usual way Refer to the description of proxy RADIUS in the BSAC Administration Guide for your platform 4 If the dial in request is a tunnel candidate the NAS starts the authentication process and ...

Page 44: ...o the gateway If the home network is configured to assign IP addresses using RADIUS either statically or dynamically the RADIUS server performs the address allocation If the RADIUS administrator has allocated a pool of assignable IP addresses for dial in users and if the RADIUS client on the gateway is configured for dynamic IP address assignment the RADIUS server assigns an address from that pool...

Page 45: ...xt sections explain how a packet moves through a Dial VPN network and returns to the remote node Figure 2 4 shows the process As the packet moves from the remote node to the home network different pieces of the Dial VPN network must encapsulate add and decapsulate strip off the protocol specific envelope around the data packet ...

Page 46: ...et Encapsulation and Decapsulation Process Flag Flag Address Control Protocol Data FCS CRKSs TFlag Control Version Protocol Type Data Tunnel ID Control Opening Flag Closing Flag Address Information FCS Data Remote annex Remote node Gateway CPE Router Data packet moves onto home network PPPpacket GRE packet Frame Relay packet DVS0003A ...

Page 47: ...ata and the Frame Check Sequence that shows the sequence order of the frame Refer to the BayStream manual Configuring Dial Services for more information about the PPP packet 2 The NAS strips off the PPP protocol specific fields and encapsulates the data into a GRE packet The GRE packet can move through the IP tunnel to the gateway The GRE packet contains checksum information and flag bits to indic...

Page 48: ...e CPE router on the corporate home network 5 The CPE router decapsulates the frame relay information and routes the data to the intended recipient on the home network How a Packet Returns to the Remote Node To send packets from the home network to a remote node Dial VPN essentially reverses the process described in the previous section The tunnel ensures that packets from the corporate home networ...

Page 49: ...fect on the actual packet routing Figure 2 6 shows the static routes used to return data from a home network to a gateway on the Dial VPN network The gateway sends the GRE packet to the remote node s care of address on the NAS and the NAS forwards the packet to the remote node DVS0013A Tunnel Network access server NAS Gateway PPP connection Service provider network Frame Relay connection Customer ...

Page 50: ...isconnects Either the NAS or TMS is not operating properly Tunnel renewal fails The administrator terminates the user connection If the NAS fails all tunnel users are disconnected and the active user counts are decremented However there is no quick way to determine when a NAS fails The logging connection may not be reset until after new tunnel users have connected When a NAS starts one of the firs...

Page 51: ...ace while tms_dbm is running the user sees an error message The error message may not state what caused the error If there is a shortage of disk space and erpcd cannot create a lock file or add a NAS to the TMS database TMS generates a syslog message and the user cannot make a connection to the NAS Note If you enter the reset security command a new user who tries to make a connection with the NAS ...

Page 52: ......

Page 53: ...re Requirements To set up a Dial VPN network you must install at least the following hardware A network access server which can be a Remote Annex 4000 6100 or 6300 a Remote Access Concentrator 8000 or a corresponding 5390 5391 5393 or 5399 processor in a 5000 MSX chassis A UNIX host for the TMS and the ACP server if this is an erpcd based network A Bay Networks BayStream gateway which can be an AS...

Page 54: ...er Troubleshooting other BayStream problems Troubleshooting and Testing Installing the Remote Annex or Remote Access Concentrator and adding or replacing hardware The installation manual for the specific Remote Annex or Remote Access Concentrator that you are installing Overview of Remote Annex or Remote Access Concentrator software and startup options Remote Annex Administrator s Guide for UNIX o...

Page 55: ...tion principles however apply to each element Refer to the installation instructions in the hardware installation guide for the specific Remote Annex or Remote Access Concentrator being installed Additional Configuration Considerations You must also load the boot image software and configure the Modem ports Individual and group security access rights for dial in Remote routing to other networks Ac...

Page 56: ...iguring the Dial VPN Network Software You install the software and configure each of the Dial VPN software components separately Install and configure the software on the Remote Annex or Remote Access Concentrator Install and build the Tunnel Management database and for an erpcd based network the Access Control Protocol database on the server s Install and configure BayStream software on the gatew...

Page 57: ...sample1 chap_secret annex end 2 Similarly if you are using PAP you create a file called acp_passwd for PAP acp_passwd for PAP If you are using CHAP as your authentication protocol you need to set the PAP password only if you enable CHAP with PAP fallback The following sample entry shows an encrypted acp password for PAP sample1 IQ3Qo0HXrsUoM 501 500 sample1 users user1 bin csh The user cannot ente...

Page 58: ...p_password information Security for CHAP and PAP acp_dialup information for IP and IPX addresses For a complete description of ACP security refer to the following documentation Remote Annex Administrator s Guide for UNIX Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Managing Remote Access Concentrators Using Command Line Interfaces ...

Page 59: ...he device Table 4 1 Where to Find Configuration Information For information on Refer to this document Using the Annex Manager to configure the Remote Annex Appendix C Using Quick2Config and Annex Manager Using the Annex Manager with Remote Access Concentrators Managing Remote Access Concentrators Using Annex Manager Remote Annex configuration and administration procedures and a detailed descriptio...

Page 60: ... the network configuration differs from the default values Refer to the hardware installation guides for the Remote Annex or Remote Access Concentrator being installed for the list of the ROM Monitor commands and their default values 2 Boot the Annex software standard installation The Annex used generically here to indicate either the Remote Annex or the Remote Access Concentrator gets its operati...

Page 61: ...ote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Managing Remote Access Concentrators Using Command Line Interfaces Set the primary preferred security host to the address of the primary TMS server You can also designate the secondary TMS server if any as the secondary preferred security host Accept the default value if the optional secondary security host is not in use ...

Page 62: ...d from the modems annex file default path usr spool erpcd bfs You can list the modems in the modems annex file using the modem l command on the Annex On a Remote Annex 4000 5390 enter the following configuration command sequence from the na or admin prompt set annex enable_security y set annex pref_secure1_host ip address of TMS host ACP or BSAC set annex pref_secure2_host ip address of secondary ...

Page 63: ... for sessions calls based on dialed number calling number and call type Each incoming call is compared against each SPB in order until there is a match If no match exists the Annex rejects the call pri The following SPB causes the Remote Annex 6300 5393 to answer all voice bearer calls with a modem begin_session modem bearer voice call_action modem set mode auto_detect end_session The following SP...

Page 64: ...t the annex prompt 6 Enable Syslogging This is not required but it is very useful in troubleshooting Appendix B Syslog Messages presents information on syslogs From the na or admin prompt set annex syslog_mask debug set annex syslog_host ip address of syslogging host To enable logging in an erpcd based system enable erpcd syslogging and create the appropriate log files on the host then restart the...

Page 65: ...t manual that explain the reasons for and consequences of making such changes 8 Reboot the Annex After booting the Annex use the ping command at the annex prompt to ensure that connectivity to the gateway exists If not check the routing table using the netstat r command and your configuration Loading Software and Booting the Annex To set the preferred load host enter the following sequence of comm...

Page 66: ...subnet address In this case enter the gateway s address using the ROM Monitor addr command The Annex automatically adds this gateway to its routing table Configuring Active RIP The following section assumes you have read the sections on active and passive RIP in the Remote Annex Administrator s Guide for UNIX Active RIP is enabled by default Once active RIP is enabled both passive and active RIP a...

Page 67: ... 1 and or RIP 2 Updates By default active RIP sends RIP version 2 updates to the IP broadcast address so that both RIP 1 and RIP 2 systems can receive them This assumes that rip_send_version is set to compatibility which is the default It also assumes the routers on your network accept both RIP 1 and RIP 2 updates Although discarding RIP 2 updates violates the RIP 1 RFC 1058 some RIP implementatio...

Page 68: ......

Page 69: ...tration and configuration of the tunnel happens at the service provider s site An administrator at the service provider site must configure the tunnel with various attributes its destination IP address the security protocols it supports its password and so on The these attributes are stored in the tunnel management system TMS database Dial VPN offers two ways of managing and using the TMS database...

Page 70: ...m program to create these entries as a file in usr annex the security directory Alternatively you can create a text file of entries using the syntax format that follows These entries are really TMS commands You can either type them at the UNIX command prompt or copy them from a text file and paste them at the UNIX command line prompt Create one TMS entry for each domain name that you want to authe...

Page 71: ...l If you do specify the hwalen parameter use the actual length in bytes of the hexadecimal value of the DLCI number the hardware address For example if the DLCI is 101 that is 0x65 the hardware address length is 1 byte For a hardware address of 400 0x190 the hardware address length is 2 bytes If you omit the hwalen parameter tms_dbm derives the length from the value of the hwaddr parameter If for ...

Page 72: ... Command Description add Creates a new TMS database entry Returns an error if the entry already exists clear Removes the specified information Using clear with the rases argument sets the current user counts to zero and deletes the RAS list Using clear with all clears the RASes and stats Returns an error if no matching entry exists not if you clear an already cleared entry delete Removes an existi...

Page 73: ...elp command remove Removes from the database the IP address of a RAS that is no longer in use Decrements the total active user count for each domain DNIS pair for which there is an active user count for the specified RAS Use this command if you remove a RAS from service show Displays the specified database information returns an error if no matching entry exists Note In addition to the parameters ...

Page 74: ...erpcd source code and rebuild Required for all but help for which it is optional With rekey you must specify domain new_domain and dnis new_dnis along with the original domain and dnis te te_addr Specifies the IP address of the frame relay port on the gateway in which the tunnel endpoint te resides The address 0 0 0 0 is not valid This is the tunnel endpoint nearest the remote user s home network ...

Page 75: ...teway and the CPE router For Dial VPN hwtype must be fr for frame relay If not specified the gateway is the CPE router hwaddr is a link address associated with the network If hwalen is four bytes or less you can specify this as a decimal number TMS converts it to a hexadecimal number To specify this value as a hexadecimal number prefix the number with 0x For a frame relay connection this argument ...

Page 76: ...y Not used for other commands sauth secondary_authentication_ server_addr Specifies the IP address of the secondary authentication server You must not specify a secondary server without specifying a primary server Optional for add and modify Not used for other commands pacct primary_accounting_ server_addr Specifies the IP address of the primary accounting server This is usually the address of the...

Page 77: ...red for add and modify Not used for other commands acctp accounting_protocol Specifies the accounting protocol used between the gateway and the accounting server The only valid value is radius Specify none to disable accounting If you specify this protocol you must also specify a primary server Required for add and modify Not used for other commands addrp dynamic_address_allocation _protocol Speci...

Page 78: ...f suff prefix suffix takey is the key that the authentication algorithm uses It can be up to 64 hexadecimal characters 0 9 A F a f in length spi is optional for add and modify Not used for other commands If you specify spi for tunnel authentication all three ta arguments are required for add and modify If you specify the ta arguments you must also specify the spi value The spi takey combination in...

Page 79: ...remote access servers that have active connections to the specified domain and the number of users connected to each RAS Clearing rases sets the current user counts and RAS list to 0 Showing stats displays the number of GRANTs and DENYs Clearing stats resets the GRANT and DENY counters to 0 Showing ordered displays the current list of remote access servers sorted in ascending order Showing all dis...

Page 80: ...Messages TMS like the other elements of Dial VPN writes its system and error messages to the system log file syslog These messages are interspersed with other syslog messages in chronological order of occurrence TMS on an erpcd based network uses the auth facility For the complete list of syslog messages refer to Appendix B Syslog Messages ...

Page 81: ...her process the authentication How It Works Upon receiving a call from a remote user the NAS determines whether the call is from a tunnel user The RADIUS server on the service provider s network recognizes the format of the VPN identifier in the user name and returns tunnel information to the NAS TMS database specifies Where dial in user authentication takes place Which servers authenticate dial i...

Page 82: ... particular user from a particular client If this count exceeds the specified limit the RADIUS server rejects the authentication request The resource tracking starts with the authentication request The server uses RADIUS accounting information to confirm and decrement the count The NAS recognizes the returned tunnel attributes of the authentication request and passes the information to its interna...

Page 83: ...he remote node and the customer s home network when the RADIUS server on the service provider s network maintains the TMS database In this dialogue the Access Request message from the NAS is the standard access request for an incoming call The provider RADIUS TMS server detects whether this is a tunnel candidate by parsing the Username and Called Number attributes If it does not find a valid domai...

Page 84: ... Annex NAS Provider RADIUS Server BNX Gateway Access response w Tunnel info Access request Access req CHAP complete Session start Acct req start Acct req start NCP negotiation Disconnect MIP auth req Open Communication MIP registration resp MIP terminate msg MIP terminate response Auth resp w info Acct resp Acct resp Customer RADIUS Server DVS0015A MIP auth resp w info MIP registration req Acct re...

Page 85: ...te authentication server s for this user Accounting server the remote accounting server s for this user Using RADIUS Accounting The NAS logs the tunnel bound link sessions to the local provider s RADIUS server This information does reflect the usage of the NAS ports but it is different from the customer that is the user s home network information in that it may not reflect link aggregation and it ...

Page 86: ...o the provider s RADIUS server Table 6 1 Service Provider Accounting Messages Message Type Field Name Contents User Start Message Acct Status Type Start NAS IP Address Port Port Type Connection origination of call Username The original contents of the user field Calling Station_ID Called Station ID Either or both if applicable Service Type As user authorized Tunnel Type DVS or L2TP for Dial VPN on...

Page 87: ... field Calling Station_ID Called Station ID Either or both if applicable Service Type As user authorized Tunnel Type DVS or L2TP for Dial VPN only DVS is valid Tunnel Media Type IP Acct Client Endpoint A string containing the IP address of the accounting client system and possibly other system specific identifiers Tunnel Server Endpoint A string containing the IP address of the tunnel server the c...

Page 88: ...e Virtual Username The original contents of the user field Calling Station_ID Called Station ID Either or both if applicable Service Type As user authorized Tunnel Type DVS or L2TP for Bay Dial VPN only DVS is valid Tunnel Media Type IP Acct Client Endpoint Provider NAS IP address A string containing the IP address of the accounting client system and possibly other system specific identifiers Tunn...

Page 89: ...tents of the user field Calling Station_ID Called Station ID Either or both if applicable Service Type As user authorized Tunnel Type DVS or L2TP for Bay Dial VPN only DVS is valid Tunnel Media Type IP Acct Client Endpoint A string containing the IP address of the accounting client system and possibly other system specific identifiers Tunnel Server Endpoint A string containing the IP address of th...

Page 90: ...alled station id 555 1212 dnis 555 1212 ID should be unique to the tunnel definition Maximum open tunnels default unlimited integer maxu unlimited integer Tunnel Type dvs tutype dvs Tunnel Server Endpoint 200 11 11 11 fr 0x0070 200 11 11 11 fr 120 te hwtype hwaddr hwalen no longer needed 200 11 11 11 fr 0x0070 200 11 11 11 fr 0x0070 BSAC properly recognizes the hard ware address in various hex len...

Page 91: ...C server This attribute is not used if the IP Pooling feature on the authenti cation server is active for same tunnel BSAC only and only for non MP calls Tunnel Password 32 HEX chars takey 32 HEX chars Make sure dictionary is set for HEX values on this attribute Annex Sec Profile Index 1234 spi 1234 If no spi or spi 0 then tatype tamode takey or their RADIUS equivalents are not needed Annex Tunnel...

Page 92: ......

Page 93: ...1 Using Site Manager select the module and slot that you want to configure 2 Add the circuit that you re going to configure on that interface 3 Select frame relay as the WAN protocol in the WAN Protocol window This enables frame relay on the interface you just selected You can customize frame relay later to suit your system s requirements 4 Select Mobile IP as the Layer 3 protocol in the Select Pr...

Page 94: ...guration Manager window select Protocol IP Mobile IP Security The Edit Mobile IP SPIs window opens from which you can set the security parameters a Add or set the Security Parameter Index SPI value The SPI is a value that uniquely identifies a set of keys used to apply security to messages that contain this value The SPI value is an integer in the range 256 through 65535 Setting the SPI value and ...

Page 95: ...able c If you want to enable dynamic IP addressing set the Dynamic Client Addressing parameter to Enable You must also ensure that the corresponding RADIUS server is configured to support dynamic IP address assignment and has a pool of assignable addresses d Specify the IP address of the RADIUS client e Accept the default values for all other parameters and click OK This returns you to the Dial VP...

Page 96: ...changes When you respond you return to the Dial VPN RADIUS window Keep clicking on Done until you reach the Configuration Manager window The RADIUS client configuration is now complete Note There can be only one RADIUS proxy client per slot and the slot must contain synchronous ports configured as frame relay Only one home agent can be configured per frame relay interface ...

Page 97: ...ameters needed on each component of the network Figure 8 1 shows the Novell network addresses assigned in this example The Dial VPN components of the network shown in Figure 8 1 consist of A laptop computer equipped with a PCMCIA modem configured to support IPX over PPP using the IPX Control Protocol IPXCP A Remote Annex Model 5393 residing in a System 5000 MSX chassis The Remote Annex acts as the...

Page 98: ...nager 132 245 54 20 root vega Bench 10 TMS erpod 132 245 54 9 root lima Annex Tms Console 132 245 55 15 Bench 13 Laptop computer 10 251 0 1 255 255 0 Phone 9 838 7929 Username Password Domain Telos Adtran 5393 1132 245 54 54 Console 132 245 54 244 5008 Encryption SPI______ 256 65535 Key____ 32 Hex digits TACO 5380 Router E1331 132 245 54 110 Internal IP address 11 3 0 1 S1312 FRCP 11 3 0 2 DLCI 10...

Page 99: ...ndows NT and DOS or Windows running FastLink II Configuring the Dial In Node for IPX Assuming that the dial in user is running a PC under Windows 95 the following steps describe how to configure the PC as a dial in node In the following descriptions the term Click refers to the right mouse button unless otherwise specified 1 Click on the Network Neighborhood icon 2 On the drop down menu click Prop...

Page 100: ... based IPX over PPP by means of the IPX Control Protocol IPXCP This lets a remote PC user dial into a NAS as an endpoint node on an IPX network The dial in user can also simultaneously run TCP IP over the same dial up connection Network access support of IPX is a software keyed feature that can be added to a basic unit or that is included with the Enterprise Feature Set The first step in configuri...

Page 101: ...network The following steps describe how to use Site Manager to configure IPX on a Bay Networks CPE router If the CPE router is not a Bay Networks device refer to the manufacturer s configuration instructions 1 From the Site Manager window use the Tools menu to select Configuration Manager in dynamic mode The path is Site Manager Tools Configuration Manager Dynamic 2 Click the interface on which y...

Page 102: ... encapsulation is correct for the interface you are configuring Click OK to accept your selection For example Figure 8 1 shows an Ethernet interface for this circuit so ETHERNET_II is the correct encapsulation type To see the list of valid values click Values The following list shows the relationship between interface types and encapsulation types 7 Click on File Exit to return to the main Configu...

Page 103: ...figuration Manager Dynamic 2 Click the interface that you want to configure This example configures frame relay on the circuit designated COM1 The Edit Connector window appears 3 Click Edit Circuit The frame relay Circuit Definition window appears 4 Click Services The frame relay Service list window appears 5 From the Protocols menu select Add Delete 6 Click the check boxes for the IPX and RIP SAP...

Page 104: ...es apply to configuring BSAC for other platforms To add IPX protocol support on the BSAC RADIUS server you must use a UNIX editor to edit the user s file in the directory etc raddb default and insert the following text Framed IPX Network 00 171 205 239 This is the dotted decimal equivalent of the hexadecimal address 00ABCDEF You can use the Windows 95 accessory Calculator in scientific mode to do ...

Page 105: ...ay Access WAN link s Novell network number so that no static routes are required The router knows the correct frame relay DLCI associated with that Novell network number because it is the router s synchronous interface Note To determine the value for the ipx_frame_type at the Novell server you can examine the AUTOEXEC NCF file or issue the Novell console command PROTOCOL The Novell command loadins...

Page 106: ......

Page 107: ...DIUS server software that supports Dial VPN The RADIUS server and the RADIUS client on the gateway must share the same primary secret Configuring the CPE router at the home destination network for frame relay and for Bay Networks routers an adjacent host and appropriate DLCIs For any CPE router there must also exist a static route from the CPE router to the RADIUS client on the gateway and a stati...

Page 108: ...home network and the Dial VPN gateway to ensure that responses sent to the remote node reach their intended recipient If the CPE router is a Bay Networks router it must also be configured with the gateway as an adjacent host Cisco routers use a different addressing scheme and therefore do not require that you configure an adjacent host Figure 9 1 shows a simplified view of a Dial VPN network with ...

Page 109: ...nage and configure the router You can use a cell based ASCII terminal or a PC running terminal emulation connected to the console port of the router to run the script file install bat to change the IP address of the router s initial startup interface The install bat file steps through the minimal configuration questions needed to manage the router with Site manager Once the router can talk with Si...

Page 110: ... Enter an appropriate subnet mask in the Subnet mask field 9 If appropriate enter a transmit broadcast address or accept the default value then click OK 10 On the main Configuration Manager window click the COM port connector button select Edit Circuit then select Interfaces 11 On the frame relay Interface List window make sure that the Management Type parameter is set to ANSI T1 617D When finishe...

Page 111: ...er than to the real address of the gateway router Then when the static route entries to the gateway router destination network of 11 3 0 0 are entered you can use the pseudo address 10 200 0 100 as the next hop address The adjacent host entry will come into play and tell the CPE router to get to that network it must send the traffic out DLCI 200 For a Bay Networks router the complete static route ...

Page 112: ...e adjacent host The physical address of the adjacent host DLCI number The adjacent host s encapsulation method in this case Ethernet Configuring a Static Route Between the CPE and the Gateway If you use Site Manager to configure a static route on the CPE at the user s home network we suggest that you accept the default parameter values where possible Use the path Configuration Manager Protocols IP...

Page 113: ...st important Dial VPN considerations in configuring the frame relay parameters If you are using Site Manager you can accept the default values for most frame relay parameters Do not change the Service Name parameter value that the router assigns Put all frame relay PVCs running virtual private network services that is Dial VPN in one service record Do not mix them with other routed PVCs in the sam...

Page 114: ... configure it The steps in general are 1 Configure each NAS to act as a RADIUS client Each NAS must be configured with the IP address of the BSAC server a secret password that is shared with the server and the make model of the NAS 2 Ensure that the machine on which you are running BSAC has the IP protocol configured 3 Run the BSAC Administrator program 4 Connect to your BSAC server using the defa...

Page 115: ...lement to the Remote Annex Administrator s Guide for UNIX BaySecure Access Control Administration Guide the version specific to your operating system Managing the Dial VPN network involves among other things the following standard network management activities Configuring the network components as described in previous chapters Monitoring traps events and statistics Managing the network files incl...

Page 116: ...h a PC and a PPP connection dial in to a network access server NAS at the edge of the Dial VPN network 2 The NAS sends a TMS lookup request to the TMS server asking whether this is an authorized tunnel user 3 The Tunnel Manager sends a TMS lookup reply to the NAS Assuming that this is a legitimate tunnel user the authentication process continues Otherwise the NAS may apply local authentication pro...

Page 117: ...ified and apply this profile to many users at once The Current Users display identifies the active users and their assigned IP addresses so RADIUS administrators can tell which user has which address In addition the administrator can release any assigned address that is no longer in use by selecting that address and clicking Clear Assigning Addresses All available IP addresses are in a queue The f...

Page 118: ...rk Each service that the NAS provides to a dial in user constitutes a session the beginning of the session is the point at which service is first provided and the end of the session is the point at which the service ends A user may have multiple sessions in parallel or series if the gateway supports that with each session generating a separate start and stop record with its own Session ID Figure 1...

Page 119: ... sends that information to the RADIUS LCP negotiation CHAP initiation Remote Node Local Node Accounting Server RAS TMS Gateway Grant w info Auth Info Req Auth Req CHAP completion Connect Addr Rel NCP negotiation Disconnect Terminate msg MIP authentication request Response Open Communiction MIP registration request MIP DAA response Acct Start Acct Stop MIP terminate request MIP terminate response A...

Page 120: ...acket it does not send an acknowledgment to the client Upgrading and Changing Your Dial VPN Network You add new devices to the network and establish new CPE connections using the same procedures that you used originally to set up your network For configuration procedures refer to Chapters 3 through 9 Be sure to update the network information in your worksheets for future reference For information ...

Page 121: ... UNIX Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX Managing Remote Access Concentrators Using Command Line Interfaces BaySecure Access Control Administration Guide for your particular operating system The documentation associated with the router software you are using What s in This Chapter This chapter summarizes troubleshooting information from a variety of sou...

Page 122: ...eature for the first time test it at a time or on a node that minimizes disruption to the network After verifying the change make the change and verify it on one node at a time in the network This will help you isolate and solve any problems that may occur as the result of the change 3 Select the proper tool for configuring the elements of your Dial VPN network When you create a new configuration ...

Page 123: ...storing files of that type For example if you change a BayStream platform s software image or configuration file save the file to each memory card that contains the same files To make sure that the files of the same name are consistent on multiple memory cards display the directory of each card and compare the sizes of each file 7 Handle memory cards carefully to prevent static damage Static elect...

Page 124: ... answers to the following questions 1 What are the symptoms of the problem Exactly what is happening What is not happening ______________________________________________________________ ______________________________________________________________ ______________________________________________________________ The more information you have about the symptoms of the problem the more easily you can ...

Page 125: ...ound you are using may help you isolate the problem 5 What end stations are involved ______________________________________________________________ ______________________________________________________________ ______________________________________________________________ ______________________________________________________________ Identifying the end stations involved can help you to determine...

Page 126: ...e most likely cause is Do the following Look here for information A single protocol on a single port The problem is most likely in the network layer or above Refer to the chapter on troubleshooting a network connection specifically the section on IP in the BayStream guide Troubleshooting and Testing A single protocol on multiple ports within one slot The problem is most likely in the configuration...

Page 127: ...ts within all slots in the BayStream platform An operational problem such problems interfere with the basic operation of the hardware and software These problems include Damaged router Power problems Blown fuse LEDs not lit Router won t boot Wrong boot PROM Incorrect BayStream software image for the BayStream platform BayStream software image and configuration file are not the same on all ports Lo...

Page 128: ... for example by the severity of the event messages the software entity reporting them and the number of the slot from which the entity reported them On the Annex side you can use the CLI who command to display the user name the jobs the user is running when the connection began any idle time and the source of the connection The CLI stats command displays general Annex statistics statistics for one...

Page 129: ...able the port Watch the event log Stop here if the software entity recovers b Reset the slot Watch the event log Stop here if the software entity recovers c Press the Reset button on the front panel for no more than one second This initiates a warm boot procedure which will keep the log intact Watch the event log Stop here if the software entity recovers d Save the log to a file and transfer it us...

Page 130: ...ct name Then configure and enable the object The Statistics Manager also lets you monitor a BayStream platform s status and performance You can access the statistical values in the MIB by using the following options in the Tools menu of the Statistics Manager window Caution Always save a copy of the entire log to your memory card when a fault appears The BayStream platform saves the log to a memor...

Page 131: ...statistics by using the netstat T command At the Remote Annex console enter the command netstat T to review the status of the current Dial VPN tunnels This command displays the following information Device Dev The destination port on which the tunnel terminates This can be any valid asynchronous port numbers for example asy2 for port 2 Protocol Proto The connection protocol Connection state State ...

Page 132: ...n on the GRE protocol packets Total packets received Total packets sent Count of packets with bad checksums Total packets dropped on transmit Total packets dropped on receive Refer to the description of the netstat command in the Remote Annex Administrator s Guide for UNIX the Remote Annex 6300 Supplement to the Remote Annex Administrator s Guide for UNIX or Managing Remote Access Concentrators Us...

Page 133: ... to a network analyzer and use the analyzer to parse the data We recommend that you use Packet Capture to capture data generated on remote BayStream platforms save it in Network General Sniffer format files and use TFTP or FTP to transfer the files to a site where you can open the files with a network analyzer For detailed instructions on using Packet Capture refer to the BayStream guide Troublesh...

Page 134: ...detailed notes as you perform each procedure These notes Give you an opportunity to pause and think clearly about the problem and the procedures you are following Writing things down can help you visualize and clarify the problem and what to do about it Provide you with a record of the tasks you performed This record is essential because You can refer to it during the procedure to recall whether y...

Page 135: ... be with the Internet Protocol IP refer to the BayStream manual Troubleshooting and Testing The following references have detailed protocol information including examples that may help you isolate and correct a problem They do not however have explicit troubleshooting information For information on Frame relay refer to the BayStream guides Configuring Frame Relay Services for IP Routing or Configu...

Page 136: ...er an Annex is running are due to improper configuration of the Annex or a host If you appear to have a problem with Remote Annex software refer to the Remote Annex Administrator s Guide for UNIX the Remote Annex 6300 supplement to the Remote Annex Administrator s Guide for UNIX or Managing Remote Access Concentrators Using Command Line Interfaces Table 11 2 summarizes some symptoms that can affec...

Page 137: ...y of these situations occurs do the following Make sure that the Annex port parameters are set correctly Check the cable connections paying close attention to the wiring of the Annex s DCD DSR and DTR control lines The superuser stats tap and control commands provide useful information When changing parameters using na or admin remember to use the reset annex command after entering the new values ...

Page 138: ...ast packet used a host address of all zeros network 0 Later refinements required a change to the broadcast address specifying a host address of all ones network 255 A host configured with a network 255 address will accept network 0 broadcasts Hosts configured with network 0 addressing will not see network 255 broadcasts You can configure the Annex for either method of addressing by setting the bro...

Page 139: ...seudo terminal entries in etc ttys Update the etc ttys file to contain the proper number of pseudo terminals as indicated by the actual device entries in dev All network ports are in use The rlogin or telnet command is rejected after the user name is entered in response to the login prompt The error message all network ports in use indicates that all available pseudo terminals are in use On BSD ho...

Page 140: ...ining user configured routes use netstat C 1 Verify that the Annex routed parameter is set to Y 2 If necessary reboot the Annex 3 See the description of enabling and disabling active RIP in the Remote Annex Administrator s Guide for UNIX Use the stats o command to display the status of the options annex stats o KEYED OPTIONS LAT keyed off Atalk keyed off tn3270 keyed off dialout RIP filtering keye...

Page 141: ... out For example a filter that discards outgoing UDP packets also discards RIP packets since RIP runs on UDP To list all the defined filters enter the following CLI superuser commands annex su password annex filter list Refer to the description of filtering in the Remote Annex Administrator s Guide for UNIX 10 Your hosts may be ignoring RIP version 2 updates Verify that the interface parameter rip...

Page 142: ...address 5 If your network is divided into subnets the IP subnet addresses and subnet masks may not be set correctly for the Annex and the SLIP and PPP ports Verify the configured IP subnet addresses and subnet masks for the Annex and the SLIP and PPP ports 6 If the Annex parameter routed is set to N passive RIP is disabled Reset the Annex parameter routed to Y 7 If subnet routes are not being lear...

Page 143: ...le goes from 4 to 6 a traceroute message was lost probably due to network congestion Speed The speed in bits per second of the interface over which the outbound or return packet was forwarded If the packet could not be forwarded ping t displays a zero in this field MTU The maximum transmission unit in bytes of the interface over which the outbound or return packet was forwarded The MTU is the larg...

Page 144: ...utbound packet as indicated by the asterisks under the Dir heading Note that the hop count remains at 1 since the packet crossed only one router annex ping t 132 254 33 4 PING hobbes 56 data bytes Dir Router Hops Speed b s MTU 132 254 99 2 1 19200 1024 132 254 33 3 1 0 0 Troubleshooting Tunnel Problems Since the TMS is an extension of the proprietary erpcd you can use essentially the same troubles...

Page 145: ... that RAS in the current users field of the TMS database for every domain dnis combination This disconnects the users on that RAS reducing the current number of sessions If the TMS erpcd itself fails the RAS detects the condition by the failure of the logging connection The RAS falls back to the secondary server if specified which should have the same TMS database configuration However unless the ...

Page 146: ......

Page 147: ...entation for your network You may also find this information useful when changing or troubleshooting your network Table A 1 Network Information Worksheet Requested Information Your Information Physical Connector Information Enter the slot number containing the link module that provides the initial IP network interface This module can reside in any slot that is designated for link module support No...

Page 148: ...erface connect to the same local area network LAN as the Site Manager workstation Example No IP Routing Protocol Information Use the IP Routing Protocol to configure this router remotely This is necessary only if you answered No to the previous question Example RIP See the following sections for details on the IP Routing Protocol you choose to configure RIP Configuration Information Should RIP lis...

Page 149: ...val in seconds Example 40 Router priority Example 1 Poll interval Example 20 If you are configuring OSPF neighbors what is the IP address for each neighbor Note Neighbors are defined only if the OSPF interface type is NBMA Example Not applicable sample format 192 32 156 8 192 32 156 9 Static Route to Site Manager Configuration Information Destination network Example 192 32 90 0 Destination network...

Page 150: ...dure Example 192 32 10 12 WAN Information The following information about enabling frame relay PPP and SMDS from the installation script is for experienced users only Normally these protocols are implemented from Site Manager on an additional interface Frame Relay Information To enable frame relay on a synchronous connector on this initial IP interface Enable frame relay on the interface Example Y...

Page 151: ...e 10 Acceptable loss of Echo Reply packets Example 3 Enable local authentication protocol None PAP or CHAP Example CHAP Local PAP ID for this interface Example LPAP Local PAP password optional Example LPWD Authentication protocol enabled on remote peer Example Yes Remote peer PAP ID Example RPAP Remote peer PAP password Example RPWD Enable PAP Fallback Example Yes Enable Link Quality Reporting LQR...

Page 152: ...xample csecret CHAP Local Name Example chaplocalname CHAP Periodic Timer Example 60 Allow PAP Reject Example Disable SMDS Information To enable SMDS on a synchronous connector on this initial IP interface Enable SMDS on the interface Example Yes Individual address Example C1617555433FFFF Group address Example E16175556667FFFF ARP address Example E16175550000FFF Table A 1 Network Information Worksh...

Page 153: ...Remote Annex syslog messages shown in Table B 1 Table B 1 Remote Annex Syslog Messages Relevant to Dial VPN Type Syslog Contents Meaning Debug ppp port DVS requesting user authentication from gateway_addr primary_authentication_server_addr secondary_authentication_server_addr The user has been identified as a tunnel user and authentication is being requested ppp port DVS requesting tunnel registra...

Page 154: ...ason An error occurred while authenticating a tunnel user ppp port ipcp configuration error IPCP disabled Even though the tunnel is provisioned for IPCP the port parameter settings are set so that IPCP is disabled This must be corrected before successful IPCP data transfer can occur ppp port ipcp configuration error IPXCP disabled Even though the tunnel is provisioned for IPXCP the port parameter ...

Page 155: ...wal failed reason An error occurred during the tunnel renewal phase When the system creates tunnels it uses an internal value to set the tunnel lifetime Before expiring the system reregisters or renews the tunnel This error occurs when there is a failure to renew the tunnel ACP Log File acp_logfile These are examples of typical accounting information for the Annex Annex_IP_Addr id port date time D...

Page 156: ...the installation directory Notice tms broke lock for domain DNIS The lock held by another process for the indicated domain DNIS pair was broken The occurrence of many of these messages could indicate that processes are hanging after they acquire a lock and before they let it go In any case check the database entry with the tms_dbm show command Alert tms could not read database This is a serious pr...

Page 157: ... error code that tms_request does not recognize This can occur only if the site has modified the code Notice tms domain DNIS user count already zero This message indicates a correction not a problem A user who was tunneled to the indicated domain DNIS pair disconnected from the NAS and the user count for that domain DNIS pair was already zero This can occur if an administrator has previously perfo...

Page 158: ...st type request_type The request message from a NAS contained the indicated unknown type This probably indicates incompatible NAS and erpcd versions Alert tms could not update database This is a serious problem indicating that the database is not accessible Check the installation directory and database file tms database access attributes Notice tms lock was broken for domain DNIS The lock for the ...

Page 159: ...ason An error occurred while authenticating a tunnel user ppp port ipcp configuration error IPCP disabled Even though the tunnel is provisioned for IPCP the port parameter settings are set so that IPCP is disabled This must be corrected before successful IPCP data transfer can occur ppp port ipcp configuration error IPXCP disabled Even though the tunnel is provisioned for IPXCP the port parameter ...

Page 160: ...tunnel lifetime Before expiring the system reregisters or renews the tunnel This error occurs when there is a failure to renew the tunnel ACP Log File acp_logfile These are examples of typical accounting information for the Annex Annex_IP_Addr id port date time DVS tunnel login username Success Login succeeded Annex_IP_Addr id port date time DVS tunnel logout username User logged out Annex_IP_Addr...

Page 161: ...Syslog Messages 115623B Rev 00 BayStream Multiservice Software Version 7 2 B 9 ...

Page 162: ... Windows refer to the Quick2Config Annex online help for details on configuring a Remote Annex If you use UNIX refer to the Annex Manager User s Guide for details about managing a Remote Annex Installing and Configuring the Remote Annex Software This section is an overview of the installation and configuration process highlighting areas of particular concern 1 Install the Remote Annex software Thi...

Page 163: ...stallation guide for your Remote Annex device for information on powerup and boot procedures 3 Set up the dial in port on the Annex for dial in and enable ACP security for PPP on all ports Table C 1 summarizes how to configure the dial in ports on the Remote Annex using Quick2Config Annex Note Dial VPN works only for native PPP you may not dial in as CLI then convert to PPP to use Dial VPN Table C...

Page 164: ...k on More Not applicable Set Security Preferred Host IP address of the preferred security host Click on OK to accept these settings Not applicable Security Setup Enable security for the following parameters Incoming Ports with Modems Incoming Ports without Modems Click on the appropriate boxes to enable security This automatically sets the enable_security parameter to y Set PPP Security Protocol C...

Page 165: ...he Remote Annex Configuring the pri section of the config file this way lets any user dial in to the 6300 5393 device The default path to the config file is usr spool erpcd bfs config annex 5 Enable system logging This is not required but it is very useful in troubleshooting Appendix B of the Dial VPN manual presents information on system logs Table C 4 lists the procedures to enable syslogging us...

Page 166: ... UNIX refer to your UNIX system documentation The erpcd utility uses the auth facility 6 Reboot the Remote Annex To reboot the Annex using either Quick2Config Annex or Annex Manager a From the Configure menu select the Boot option b Click on Apply Table C 4 Enabling System Logging Interface Actions Quick2Config Annex 1 Select the General Annex tab 2 Select All from the Logging menu 3 Display the A...

Page 167: ... explaining the purposes for and consequences of such changes When you configure the Remote Annex you have to decide how the Annex will communicate with the TMS This can be by means of a static route RIP or even the default compatibility mode Then you configure the environment as described in the Remote Annex Administrator s Guide for UNIX the Remote Annex 6300 Supplement to the Remote Annex Admin...

Page 168: ...nex Manager 1 From the Configure menu select the Boot option 2 Click on Apply Do not set the Annex interfaces to accept RIP 2 packets unless you are sure all nodes on your network or internet are advertising only RIP 2 updates Authenticating Incoming RIP 2 Updates and Requests To authenticate incoming RIP 2 messages use the command line interface to set the rip_auth parameter to a password contain...

Page 169: ...n and the Authentication field must contain a 16 byte unencrypted password The password in the message matches the value of the rip_auth parameter The Annex accepts all RIP 2 messages it authenticates but does not necessarily discard all unauthenticated messages it receives Table C 6 shows the conditions that determine whether the Annex accepts or discards a RIP message Although RIP 2 authenticati...

Page 170: ...d for passive RIP need not be defined after you enable active RIP you may want to define a default route and one or more static routes for other purposes For example a default router can act as a bottleneck through which all traffic to and from a network must pass You can also use static routes to reach routers that are not running active RIP To define default and static routes that remain across ...

Page 171: ...figure the Annex to accept RIP packets as shown in Table C 7 You may need to reset the appropriate port or Annex subsystem or reboot the Annex for changes to take effect 1 From the Configure menu select the Boot option 2 Click on Apply Table C 7 Configuring the Annex to Advertise RIP Packets Interface Actions Quick2Config Annex 1 Open the Network Annex tab 2 Select Option 1 broadcast address from ...

Page 172: ...Configuring and Troubleshooting Bay Dial VPN Services C 11 BayStream Multiservice Software Version 7 2 115623B Rev 00 ...

Page 173: ...f address A termination point of a tunnel heading towards the remote node The care of address which is usually the address of the Dial VPN network access server is specified to the gateway during the connection process When the gateway encapsulates the frame relay packet into a GRE packet it includes the care of address CHAP Challenge Handshake Authentication Protocol A method of establishing secu...

Page 174: ... those of another for instance between an IP network and a frame relay network A device that forwards traffic between networks based on network layer information and routing tables now known as a router Generic Routing Encapsulation GRE A method of encapsulating arbitrary network layer protocol information over another arbitrary network layer protocol The encapsulation allows the first network lay...

Page 175: ...rimary rate interface ISP Internet service provider See also service provider LCP Link Control Protocol A component of PPP that negotiates the link characteristics of a PPP session with the peer connection interface An example of a link characteristic is the maximum transmission unit MTU local authentication server The server on the Dial VPN network that exchanges authentication messages with the ...

Page 176: ...ed Network Control packets for example IP over PPP IPCP and IPX over PPP IPXCP PSTN Public switched telephone network RADIUS Remote Authentication Dial in User Service A system of distributed client server security that secures remote access to networks and network services against unauthorized access RADIUS client A program that resides on the gateway and sends authentication requests to the RADI...

Page 177: ...curity to messages that contain this value The SPI value is an integer in the range of 256 through 65535 Setting the SPI value and the keys to 0 in Site Manager turns off this security feature service provider A corporation that uses a transmission facility telecommunications equipment and network operation software to provide a telecommunications network as a commercial service Corporations subsc...

Page 178: ...MS A database of IP tunnel management information that resides on a server on the Dial VPN network This server provides information to the NAS to authenticate users via the RADIUS client on the Dial VPN gateway and to construct IP tunnels based on user dial in information from the remote node and information stored in the TMS database Virtual Private Network VPN A public wide area network WAN comp...

Page 179: ...es 11 13 ASN 1 5 3 1 3 4 asynchronous modem with 4000 5390 3 3 traffic 1 5 authentication by home site 5 2 local 3 5 RADIUS 1 7 authentication type 7 2 authentication_protocol TMS parameter 5 9 authp TMS parameter 5 9 B Backbone Node switch routers 1 2 backup copies 11 3 Bay Networks Technical Solutions Center 11 3 11 9 BayDVS 1 1 BaySecure Access Control 2 10 BayStream managing 10 1 platform 3 4 ...

Page 180: ...6 D data terminal equipment DTE 1 5 database alternatives 5 11 TMS 2 6 5 1 troubleshooting errors 11 25 decapsulation packet 1 1 process 2 14 default service record 9 7 delete tms_dbm command 5 4 destination site 3 3 diagnostic steps 11 9 diags command 11 9 Dial VPN configuration 1 4 configuring for IPX 8 3 enabling and activating 10 2 installing and configuring 3 1 overview 2 2 removing disabling...

Page 181: ...mand 11 17 hardware installation 3 2 hardware requirements 3 1 help tms_dbm command 5 4 home agent 7 2 home network 1 1 5 1 host portable 1 4 hosts command 11 18 hosts don t appear in hosts display message 11 18 hw_addr TMS parameter 5 7 hw_addr_len TMS parameter 5 7 hw_type TMS parameter 5 7 hwaddr tms_dbm parameter 5 3 hwaddr TMS parameter 5 7 hwalen TMS parameter 5 7 hwtype TMS parameter 5 7 I ...

Page 182: ...etWare network 8 1 NetWare server 9 8 network changing 10 6 configuration map 11 14 how it works 10 2 managing 10 1 status snapshot 11 9 network access server 1 1 1 5 configuring for IPX 8 4 Network General Sniffer format 11 13 network hardware requirements 3 1 network information worksheet A 1 network logins to BSD hosts are invisible message 11 19 network planning worksheet 1 7 A 1 network unrea...

Page 183: ... 11 PSTN 1 5 public switched telephone network PSTN 1 5 PVC 1 3 9 7 Q Quick Get statistics tool 11 11 Quick Start installation script install bat 1 7 procedure 3 3 R RADIUS 1 2 authentication request 1 7 client 1 5 1 7 9 1 client on gateway 7 3 Remote Authentication Dial In User Service remote authentication server 1 7 server 1 5 7 3 9 1 RADIUS server configuring for IPX 8 8 RADIUS only solution 6...

Page 184: ...cret primary 9 1 security access rights for dial in 3 3 ACP 4 2 C 2 security parameter index spi 5 2 7 2 security_protocol_index TMS parameter 5 10 server ACP 1 6 3 1 NetWare or Windows NT 9 8 RADIUS 1 5 1 7 7 3 9 1 TMS 5 1 servers_location TMS parameter 5 8 service record default 9 7 manual configuration 9 7 session not terminated message 11 17 session parameter block SPB 4 5 C 4 show tms_dbm com...

Page 185: ...cription 2 6 troubleshooting 11 25 TMS syslog messages B 4 tms_dbm command arguments 5 6 tms_dbm commands 5 4 tool configuration 11 2 traceroute facility RFC 1493 11 22 traffic asynchronous and synchronous 1 5 congestion 11 5 troubleshooting 11 1 preparation 11 4 Remote Annex problem 11 16 Site Manager problem 11 15 specific protocols 11 15 TMS database errors 11 25 tunnel problems 11 24 worksheet...

Page 186: ...v 00 V virtual private network VPN 1 1 VT100 terminal emulation 3 3 W WAN 3 1 7 1 WAN worksheet information A 4 who command 11 8 Windows NT based server 9 8 worksheet network planning 1 7 troubleshooting 11 4 wrong host address appears in host table message 11 18 ...

Reviews:

No comments

Brands by name

0 1 2 3 4 5 6 7 8 9 A B C D E F G H I J K L M N O P Q R S T U V W X Y Z

Popular brands

Load more brands