Nortel VPN Router, VPN Gateway Technical Configuration Guide
Engineering
SOHO Secure Remote Access Solution with Nortel VPN Gateway, VPN Router 200
Enterprise Solutions Engineering
Document Date: September 2006, Document Version: 1.0
Page 2: ...t confer any type of license to make, sell or use any device based upon the teachings of the document. Receipt of the document does not constitute a publication of any part hereof, and Nortel explicitly retains exclusive ownership rights to all proprietary material contained herein. This restriction does not limit the right to use information contained herein if it is obtained from any other source wi...
Page 3: ...VPN Gateway and Nortel VPN Router 200. The configurations in this example were successfully tested and may be used by the Nortel sales force to demonstrate the RAS solution and interoperability for customers and channel partners. For further understanding of the Nortel Enterprise Secure RAS solution, please refer to the Secure Remote Access Technical Solution Guide V1.0. The solution guide can be downloaded from...
Page 4: ...5 IKE Profiles 18; 2.5.6 Configure IKE Profile General Settings 20; 2.5.7 Configure IP Addresses for the Two End Points of the BO Tunnel 21; 2.5.8 Add Remote Network 22; 2.5.9 Add Local Network 23; 2.5.10 Configure Shared Secret for the BO Tunnel 24; 2.6 BRANCH OFFICE TUNNEL MONITORING 25; 2.6.1 Check BO Status on VR221 25; 2.6.2 Check BO Status on NVG 26; 2.6.3 Ping Test 26; 2.7 BCM 200 CONFIGURATION 27; 2...
Page 5: ...E IP SOFTPHONE 2050 PREVIOUS VERSION 45; 4.4.1 Install and Configure IP Softphone 2050 45; 4.4.2 Configure Server Type 46; 4.4.3 IP Softphone 2050 Registering to BCM 47. List of Figures: Figure 1 SOHO RAS using NVG and NVR200 5; Figure 2 VPN Gateway 3050 6; Figure 3 VPN Gateway 3070 6; Figure 4 VPN Router 200 (VR200) 7; Figure 5 LAB Topology 9; Figure 6 Console Configuration Parameters 17; Figure 7 Pinouts of ...
Page 6: ...access to the enterprise network for small offices and home offices (SOHO) where there is a need for continuous access to the enterprise network and a requirement to support IP Phones. This solution supports both data applications and Voice over IP (VoIP) communications. Multiple IP phones, including IP soft phones, can be supported behind a single DSL, Fiber or Cable Modem broadband connection, and full c...
Page 7: ...al hundred up to 2,000 concurrent SSL and IPSec VPN user connections. Figure 2 VPN Gateway 3050. VPN Gateway 3070: a higher performance gateway designed for large enterprise and managed VPN service provider deployments. The VPN Gateway 3070 scales to thousands of concurrent SSL and IPSec VPN user tunnels and provides hundreds of Mbps (3DES) of aggregate VPN throughput. Figure 3 VPN Gateway 3070. Key Custo...
Page 8: ...to that VPN Gateway are inspected for compliance to a security policy, preventing end user devices from becoming a vehicle for viruses or other unwanted intrusions into the secure enterprise network through the VPN tunnel. 1.1.2 Nortel SOHO VPN Router: The VPN Router 200 series is an affordable all-in-one solution for tying small office and home office locations, as well as teleworkers, into a secure c...
Page 9: ...twork to small remote sites. Supporting both IPSec and PPTP tunneling, it can connect remote sites to a headquarters location, or can connect to other branch sites or to other enterprises in either a hub-and-spoke or small mesh configuration. The VPN Router 200 can also connect to a larger central site VPN Router in a variety of IPSec modes (e.g. branch office or client mode) to best fit an enterprise's ...
Page 10: ...rter private LAN serves as NVG manager, BCM manager and FTP server. The Ethereal network protocol analyzer is also installed on PC 2 for capturing and examining data from a live network. Headquarter: An IP Softphone 2050 is set up on PC 2 on the headquarter private LAN for answering incoming and initiating outgoing telephone calls from/to the SOHO and headquarter. Headquarter: BCM200 on the private LAN is for...
Page 11: ...lso used as FTP client, going to the FTP server on PC 2. 2.2 Hardware and Software: SOHO VPN Router VR221, SW VE221 2.5.0.0 016; SOHO PC 1, WinXP, IE 6.0; SOHO IP Phone 2004 Phase 1; SOHO IP Softphone 2050 build 385 or v2; Headquarter NVG V6.0 is simulated on a Dell PC; Headquarter PC 2, WinXP, IE 6.0, FTP server 3CServer V1.1; Headquarter BCM200 V3.7, BCM Demo A Image; Headquarter T7208 terminal phone; Headquarter ...
Page 12: ...11 External Distribution NORTEL. 2.4 VPN Router 221 Configuration: Before configuring the NVR221, make sure to reset it to factory default configuration. On PC 1, start IE and open URL http://192.168.1.1; log on to VR221 with default user ID admin and password setup. 2.4.1 Factory Default LAN: Keep the factory default LAN setting on VR221, see below ...
Page 13: ...VPN Router V1.0, September 2006. 12 External Distribution NORTEL. 2.4.2 Static Fixed WAN IP and Default Gateway: Go to WAN > WAN IP, select fixed IP address ...
Page 14: ...2.4.3 VPN IP Policy: Go to VPN, select Edit to start BO configuration. Name the BO tunnel. Add local and remote networks in IP policy and select them. The result is shown below ...
Page 15: ...hared key is used for VR221 to establish the BO tunnel to the headquarter NVG. Make sure the shared key is configured identically on both the NVR221 and the NVG. In this example the pre-shared key is boc221nvg. Note: VR221 requires a minimum of 8 characters. When selecting Encryption and Authentication algorithms, make sure they are compatible with the configuration on the headquarter NVG. In this demo 3...
Page 16: ...2.4.5 Advanced Parameter: Click the Advanced button from the previous screen shown above and select both Phase1 and Phase2 as shown below. Apply the changes ...
Page 17: ...o WAN, WAN to LAN, WAN to WAN. For example, if an initiation packet originates on the WAN, this means that someone is trying to make a connection from the Internet into the LAN. Except in a few special cases, these packets are dropped and logged by default. If an initiation packet originates on the LAN, this means that someone is trying to make a connection from the LAN to the Internet. With the default pol...
Page 18: ...al setup configuration is required on the VPN Gateway. NOTE: Make sure that the host IP address, management IP address (MIP) and Portal IP address that you entered during the Initial Setup are compatible with the IP addresses planned. 2.5.1 Connecting to the VPN Gateway: To establish a console connection with a VPN Gateway, the following is required: an ASCII terminal or a computer running ASCII terminal emu...
Page 19: ...server address: 192.168.2.1. Generate new SSH host keys (yes/no): yes no. Enter a password for the admin user; re-enter to confirm. 2.5.3 Run VPN Quick Setup Wizard: Run VPN quick setup wizard? yes. Creating default networks under cfg/vpn 1/aaa/network. Creating default services under cfg/vpn 1/aaa/service. Enter VPN Portal IP address: 192.168.2.100. Is this VPN device used in combination with an Alteon switch ...
Page 20: ...Add a new IKE Profile named ipsec BO c221 NVG ...
Page 21: ...2.5.6 Configure IKE Profile General Settings ...
Page 22: ...2.5.7 Configure IP Addresses for the Two End Points of the BO Tunnel: The remote end point of the BO tunnel is 192.168.2.241 and the local end point is 192.168.2.100 ...
Page 23: ...2.5.8 Add Remote Network: The remote network in NVG should be compatible with the IP Policy configured on VR221 ...
Page 24: ...2.5.9 Add Local Network: The local network in NVG should be compatible with the IP Policy configured on VR221 ...
Page 25: ...2.5.10 Configure Shared Secret for the BO Tunnel: The shared secret must be exactly the same as configured on the VR221 (boc221nvg). The VR221 requires the secret password to contain at least 8 characters ...
Page 26: ...2.6 Branch Office Tunnel Monitoring: Now you are ready to test the connectivity of the IPSec BO tunnel. Correct any configuration errors to make sure the BO tunnel is up and able to pass traffic between the remote and local networks. 2.6.1 Check BO Status on VR221: Go to VPN > SA Monitor and click the Refresh button. If the BO is up, it should be displayed in Current IPSec Security As...
Page 27: ...connectivity. On PC 1, open a command window and issue a ping command to PC 2. Ping should be successful as shown below: C:\Documents and Settings\user> ping 192.168.2.12 / Pinging 192.168.2.12 with 32 bytes of data: / Reply from 192.168.2.12: bytes=32 time=4ms TTL=63 / Reply from 192.168.2.12: bytes=32 time=4ms TTL=63 / Reply from 192.168.2.12: bytes=32 time=4ms TTL=63 / Reply from 192.168.2.12: bytes=32 time=4ms TT...
Page 28: ...he T7208 terminal phone to the BCM 4X16 Media Bay Module (MBM). This phone is used for answering incoming calls and making outgoing calls from/to SOHO. Connect PC 2 to LAN 1 for managing and configuring BCM. 2.7.1 Configure IP Address on LAN 1 Interface: In order to configure the BCM using the Unified Manager, the LAN 1 IP address must be configured correctly through a terminal to the console port using ...
Page 29: ...2.7.2 Default Gateway for BCM200: On PC 2, open IE and access http://192.168.2.40 for the BCM Unified Manager. This will be used for further configuration. 2.7.3 IP Terminals Version ...
Page 30: ...2.7.4 IP Terminal Auto Assign DNs: By selecting Auto Assign DN, IP phones will be granted phone numbers after registration to the BCM. 2.7.5 IP Phone Features List ...
Page 31: ...ease refer to Appendix. 2.8.1 IP Phone 2004 Configuration Setup: DHCP 1 (yes); default gateway 192.168.1.1; S1 IP 192.168.2.40 (BCM LAN 1 IP address); S1 Port 7000; S1 Action 1; S1 Retry Count 2; S2 IP 192.168.2.40 (BCM LAN 1 IP address); S2 Port 7000; S2 Action 1; S2 Retry Count 2; VLAN 0 (No); cfg XAS 0 (No); 100F DUP 0 (No). 2.8.2 IP Phone Registration Success: The IP Phone 2004 will initially connect to its remote commun...
Page 32: ...2.9 IP Softphone 2050 Configuration: Make sure the BO tunnel is up. The IP Softphone 2050 will try to register to the BCM after its initialization. 2.9.1 Install and Configure Softphone 2050: On PC 1 and PC 2, install IP Softphone 2050 software V2, then go to File > Settings for further configuration. If you use an older version of IP Softphone 2050, please refer to Appendix...
Page 33: ...2.9.2 Configure Server Type: Select Primary Server Type of BCM, Server IP of 192.168.2.40 and Port of 7000. See the screenshot below ...
Page 34: ...2.9.3 IP Softphone 2050 Registering to BCM: IP Softphone 2050 V2 on PC 1 will initially connect to its communication server (BCM) for registration. Once successfully registered, the BCM will assign a DN to the IP Softphone. The following screenshot shows the assigned DN 2428. On PC 2 the IP Softphone 2050 is assigned a DN of 2427 ...
Page 35: ...2.9.4 Check IP Phone Status: The BCM keeps the up-to-date status of its IP phone clients. To check the current status of the IP Phone 2004 and the IP Softphone 2050, go to Service > IP Telephone > IP terminals > Nortel IP Terminals as shown below. The complete list of active DNs can be displayed under System > DNs > Active Set DNs, which includes IP phones, IP Softphones and ...
Page 36: ...call to T7208 over BO tunnel; T7208 call to IP Softphone 2050 (PC 1) over BO tunnel; IP Softphone 2050 (PC 2) call to T7208 (Headquarter private); T7208 call to IP Softphone 2050 (PC 2) (Headquarter private); IP Softphone 2050 (PC 2) call to IP Phone 2004 over BO tunnel; IP Phone 2004 call to IP Softphone 2050 (PC 2) over BO tunnel; IP Softphone 2050 (PC 2) call to IP Softphone 2050 (PC 1) over BO tunnel; IP Softphone 205...
Page 37: ...est / 226 Closing data connection. / ftp: 60 bytes received in 0.00Seconds 60000.00Kbytes/sec. / ftp> bin / 200 Type set to I. / ftp> mget / 200 Type set to I. / mget capture.zip? y / 200 PORT command successful. / 150 File status OK; about to open data connection. / 226 File transfer successful. / ftp: 19630596 bytes received in 83.56Seconds 234.92Kbytes/sec. / mget ftp over BO.bmp? / 200 PORT command successful / 150 File status OK; about...
Page 38: ...2.11.3 IPSec BO Tunnel Traffic Statistics on NVG: The traffic statistics over IPSec BO tunnels can be displayed on the NVG; see below for an example of encrypted traffic statistics in Kb/sec. 2.12 Traffic Statistics on NVR200: The traffic statistics in the poll intervals can be displayed on the NVR221. See below for an example of TxPkts and RxPkts on the WAN and LA...
Page 39: ...168.2.12 for capturing. Make phone calls and file transfers between SOHO and Headquarter. The captured data can be used to demonstrate SOHO BO VPN security. Stop Ethereal capturing and, in the Ethereal Display Bar, select the Source or Destination fields, looking for the IP addresses of the two end points of the IPSec VPN tunnel. In the LAB demo the IP addresses of the two end points of the IPSec BO tunnel a...
Page 40: ...captured data reveals that voice and data passing through the VPN tunnel between source/destination 192.168.2.241 and 192.168.2.100 are protected by the Encapsulating Security Payload (ESP, RFC 2406), a key protocol in IPsec. ESP provides confidentiality and integrity by encrypting the data to be protected and placing the encrypted data in the data portion of the IP ESP. See below an example of Ether...
Page 41: ...221; NVR251: Nortel VPN Router 251; DHCP: Dynamic Host Configuration Protocol; DNS: Domain Name System; DSL: Digital Subscriber Line; ISDN: Integrated Synchronous Digital System; ISP: Internet Service Provider; NTP: Nortel Technical Publication; Private Interface: Intranet connection to a LAN; Public Interface: Internet connection to the outside world; SOHO: small office or home office; TN: Terminal Number; CS1000: Succes...
Page 42: ...on Guide V1.0, Brad Black, 2006; Secure VoIP for SOHO Telecommuter, CS1000 NAT traversal solution TCG, Shangli Lu, V1.1, Feb 2005; Configuring and Troubleshooting the Contivity 221 VPN Switch, V2.5; Nortel NTP: VPN Gateway User's Guide V6.0; VPN Gateway 6.0 BBI Application Guide for VPN V6.0; VPN 6.0 CLI Application Guide for VPN V6.0; VPN Gateway 6.0 Application Guide for SSL Acceleration V6.0; VPN Gateway 6.0 ...
Page 43: ...4 Appendix. 4.1 VR200 Series Technical Specifications ...
Page 44: ...4.2 BCM Serial Cable: The following BCM Serial Cable information is extracted from the Nortel BCM NTP BCM200/400 Installation and Maintenance Guide, chapter Business Communications Manager System Startup ...
Page 45: ...within the first two seconds of the initialization process, your set will be initialized with the previously entered parameters. Power down and power up the phone set and try again. Figure 12 IP Phone Initialization. As you enter parameters manually, use the BKSPACE or CLEAR soft keys to edit the default entry. BKSPACE will delete each character as the key is pressed; CLEAR will delete the entire e...
Page 46: ...4.4 Configure IP Softphone 2050 Previous Version: This section describes the installation steps if you use a previous version of IP Softphone 2050. 4.4.1 Install and Configure IP Softphone 2050: On PC 1, install IP Softphone 2050 software, then go to Start > Settings > Control Panel. Right-click i2050 Software Phone > Properties to select Communication Server. The Communication Server's IP is 192.168...
Page 47: ...4.4.2 Configure Server Type: Select Server Type of BCM ...
Page 48: ...4.4.3 IP Softphone 2050 Registering to BCM: IP Softphone 2050 on PC 1 will initiate a connection to its communication server (BCM) for registration. Once successfully registered, BCM will assign a DN to the soft phone. The screenshot below shows the assigned DN 2428 ...
Page 49: ...rvice program, contact Nortel Technical Support. To obtain contact information online, go to www.nortel.com/contactus. From the Technical Support page you can open a Customer Service Request online or find the telephone number for the nearest Technical Solutions Center. If you are not connected to the Internet, call 1-800-4NORTEL (1-800-466-7835) to learn the telephone number for the nearest Technical Sol...