Nortel Contivity 1050 Configuration Manual Download Page 11

Page: 11 / 178

Nortel VPN Router Configuration — Basic Features

Figures

Figure 1

Typical PDN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26

Figure 2

VPN service models . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 27

Figure 3

Sample IP addressing scheme . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30

Figure 4

MVA on separate subnet from private physical interfaces . . . . . . . . . . . . 32

Figure 5

MVA on same subnet as private physical interface . . . . . . . . . . . . . . . . . 33

Figure 6

MVA managing from a remote PC . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33

Figure 7

Deployment Scenario . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41

Figure 8

Default configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 60

Figure 9

Tunnel connection configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Figure 10

Inverse Split Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 85

Figure 11

Inverse Split Tunneling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 86

Figure 12

Edit > IPsec page for wildcard . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 88

Figure 13

LAN-to-Nortel VPN Router connection . . . . . . . . . . . . . . . . . . . . . . . . . . . 93

Figure 14

LAN > Interfaces window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 98

Figure 15

LAN Interfaces > Add IP Address window . . . . . . . . . . . . . . . . . . . . . . . . 99

Figure 16

Asynchronous data over TCP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 105

Figure 17

SSH Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 112

Figure 18

Allowed Services window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 114

Figure 19

Typical branch office environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 120

Figure 20

Branch-to-branch with a firewall and a router . . . . . . . . . . . . . . . . . . . . . 121

Figure 21

Indirectly connected branch offices . . . . . . . . . . . . . . . . . . . . . . . . . . . . 122

Figure 22

VPN DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 125

Figure 23

Failover example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 126

Figure 24

Load balancing example . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 127

Figure 25

Setting up a branch office configuration . . . . . . . . . . . . . . . . . . . . . . . . . 129

Figure 26

Sample branch office configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . 134

Figure 27

Branch office control tunnel . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 138

Figure 28

Sample control tunnel environment . . . . . . . . . . . . . . . . . . . . . . . . . . . . 139

Figure 29

Example configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 148

Summary of Contents for Contivity 1050

Page 1: ...Version 7 00 Part No NN46110 500 311642 M Rev 01 February 2007 Document status Standard 600 Technology Park Drive Billerica MA 01821 4130 Nortel VPN Router Configuration Basic Features ...

Page 2: ... pertain to or accompany the delivery of this computer software the rights of the United States Government regarding its use reproduction and disclosure are as set forth in the Commercial Computer Software Restricted Rights clause at FAR 52 227 19 Statement of conditions In the interest of improving internal design operational function and or reliability Nortel Networks Inc reserves the right to m...

Page 3: ...ware c create derivative works or modifications unless expressly authorized or d sublicense rent or lease the Software Licensors of intellectual property to Nortel Networks are beneficiaries of this provision Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use Customer will promptly return the Software to Nortel Networks or certify i...

Page 4: ... certify its destruction c Customer is responsible for payment of any taxes including personal property taxes resulting from Customer s use of the Software Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations d Neither party may bring an action regardless of form more than two years after the cause of the action arose e The terms and co...

Page 5: ...om a specialist by using an Express Routing Code 21 Getting help through a Nortel distributor or reseller 21 New in this release 23 Features 23 Network Time Protocol NTP support for Daylight Savings Time 2007 change 23 Systemlog lifetime or disk size limit usage option 24 FTP server passive mode parameter 24 Source IPs access restriction to management 24 SSH server configurations 24 Chapter 1 Over...

Page 6: ... configuration 52 Welcome window 56 Chapter 3 Setting up the Nortel VPN Router 1010 1050 and 1100 59 Default configuration 59 Branch office quick start utility 61 Enterprise environment 62 Service provider environment 63 Deployment procedure 65 Branch office quick start template 67 Connecting for Internet access 67 Before you begin 67 Check that you received the following items 67 Cable the VPN Ro...

Page 7: ...Edit LAN Interface window 95 Multinetting 97 Configuring multinetting using the CLI 100 Adding an IP address 100 Deleting an IP address 100 Asynchronous data over TCP 105 Configuring Network Time Protocol NTP 106 Configuring system settings 108 Using proxy ARP 111 Using the SSH server to allow secure sessions 112 Using the GUI for SSH server 112 Enabling the SSH server 112 Configuring the SSH serv...

Page 8: ...rol tunnel types 138 Restricted mode 140 Nailed up control tunnels 140 Creating control tunnels 141 Adding a group 142 Adding a control tunnel 143 Configuring a control tunnel connection 144 Creating a user control tunnel from the serial interface 146 Chapter 8 Configuring IPSec mobility and persistent mode 147 IPSec mobility on Nortel VPN Router 149 Roaming performance factors 149 Logging and sta...

Page 9: ...changes 152 Initial contact payload ICP 153 Maximum roaming time 154 Persistent tunneling 155 Session persistence time 155 Configuring IPSec mobility and persistence 156 Configuring IPSec mobility 156 Appendix A Branch office quick start template 163 Glossary 165 Index 173 ...

Page 10: ...10 Contents NN46110 500 ...

Page 11: ...e for wildcard 88 Figure 13 LAN to Nortel VPN Router connection 93 Figure 14 LAN Interfaces window 98 Figure 15 LAN Interfaces Add IP Address window 99 Figure 16 Asynchronous data over TCP 105 Figure 17 SSH Server 112 Figure 18 Allowed Services window 114 Figure 19 Typical branch office environment 120 Figure 20 Branch to branch with a firewall and a router 121 Figure 21 Indirectly connected branc...

Page 12: ...12 Figures NN46110 500 Figure 30 Roaming from behind NAT to behind NAT 150 Figure 31 Roaming from behind NAT to no NAT 151 Figure 32 Groups edit IPSec window 157 ...

Page 13: ...Web interface configuration options 53 Table 4 Configuration checklist 53 Table 5 Subnet assignments 63 Table 6 BOQS parameters 66 Table 7 Split tunneling mode options 88 Table 8 Adding Deleting a secondary address 100 Table 9 Configuring OSPF over a secondary address 101 Table 10 Configuring RIP over a secondary address 102 Table 11 Configuration considerations 152 ...

Page 14: ...14 Tables NN46110 500 ...

Page 15: ...u have experience with windowing systems or graphical user interfaces GUIs and familiarity with network management Text conventions This guide uses the following text conventions angle brackets Indicate that you choose the text to enter based on the description inside the brackets Do not type the brackets when entering the command Example If the command syntax is ping ip_address you enter ping 192...

Page 16: ...ow ntp associations Example If the command syntax is default rsvp token bucket depth rate you can enter default rsvp default rsvp token bucket depth or default rsvp token bucket rate ellipsis points Indicate that you repeat the last element of the command as needed Example If the command syntax is more diskn directory file_name you enter more and the fully qualified name of the file italic text In...

Page 17: ... enter either terminal paging off or terminal paging on but not both ACK acknowledgement CA certificate authority CHAP Challenge Handshake Authentication protocol CRL certificate revocation list DN distinguished name DNS domain name system FIPS Federal Information Processing Standards FTP File Transfer Protocol IP Internet Protocol IKE IPsec Key Exchange ISAKMP Internet Security Association and Ke...

Page 18: ...Password Authentication Protocol PDN public data networks POP point of presence PPP Point to Point Protocol PPTP Point to Point Tunneling Protocol RSVP Resource Reservation Protocol RIP Routing Information Protocol SNMP Simple Network Management Protocol UDP User Datagram Protocol URL uniform resource locator VPN virtual private network VRRP Virtual Router Redundancy Protocol WAN wide area network...

Page 19: ...ration Advanced Features provides instructions for configuring advanced LAN and WAN settings PPP frame relay PPPoE ADSL and ATM T1CSU DSU dial services and BIS DLSw IPX and SSL VPN Nortel VPN Router Security Tunneling Protocols configuration information for the tunneling protocols IPsec L2TP PPTP and L2F Nortel VPN Router Configuration Routing provides instructions for configuring RIP OSPF and VRR...

Page 20: ...elp for Nortel products and services Finding the latest updates on the Nortel Web site The content of this documentation was current at the time the product was released To check for updates to the latest documentation and software for Nortel VPN Router click one of the following links Getting help from the Nortel Web site The best way to get technical support for Nortel products is from the Norte...

Page 21: ... Nortel Solutions Center In North America call 1 800 4NORTEL 1 800 466 7835 Outside North America go to the following web site to obtain the phone number for your region www nortel com callus Getting help from a specialist by using an Express Routing Code To access some Nortel Technical Solutions Centers you can use an Express Routing Code ERC to quickly route your call to a specialist in your Nor...

Page 22: ...22 Preface NN46110 500 ...

Page 23: ...cess restriction to management SSH server configurations Features See the following sections for information about feature changes Network Time Protocol NTP support for Daylight Savings Time 2007 change NTP supports the 2007 Daylight Savings Time change in the United States and various Canadian provinces In 2007 Daylight Savings Time begins at 2 a m on the second Sunday in March and ends at 2 a m ...

Page 24: ...FTP connections to connect to the unit but you cannot perform directory listings or upload and download files For more information about the FTP server passive mode parameter see Step 7 in Configuring system settings on page 108 Source IPs access restriction to management This release enables an administrator to have more control over management services by restricting source IPs connections for m...

Page 25: ...can be installed as an IP access router or stateful packet firewall The Nortel VPN Router incorporates Nortel s Secure Routing Technology SRT SRT is a software framework that provides a security structure through all Nortel VPN Router operational components including IP routing VPN firewall and policy services This allows for management consistency and scalable performance even when running multip...

Page 26: ...It improves performance while lowering overhead which translates to significant corporate savings Virtual private networking A VPN is a private data communication channel that uses a public IP network as the basic transport for connecting corporate data centers remote offices mobile employees telecommuters customers suppliers and business partners Physically discontiguous networks are made to appe...

Page 27: ...ng features Licence keys can be obtained through Nortel s customer support The Nortel VPN Router provides several license key options Advanced Routing Nortel VPN Router Stateful Firewall VPN Tunnels Premium DSLw BGP only The Advanced Routing License key must be installed to enable OSPF on the Nortel VPN Router The Firewall License Key is required only when the redistribution capabilities of RIP an...

Page 28: ...anges to the Nortel VPN Router via Telnet You can access the command line interface by initiating a Telnet session to the Nortel VPN Router management IP address For further information see Nortel VPN Router Using the Command Line Interface Federal Information Processing Standard FIPS You must separately order purchase and implement a FIPS kit to be FIPS compliant This kit contains detailed docume...

Page 29: ...stallation guide that came with the Nortel VPN Router You should complete the hardware installation before starting this chapter IP addressing Figure 3 on page 30 shows sample IP address assignments in a network using a Nortel VPN Router Refer to Table 1 on page 30 to see the IP address associations Note If you are setting up a Nortel VPN Router 1010 1050 or 1100 see Chapter 3 Setting up the Norte...

Page 30: ... VPN Router System Routing Add Edit Default Route 10 2 3 6 Sample partners FTP server for inventory and price list 10 2 3 7 Firewall private network address 10 2 3 8 DHCP server IP address 10 2 1 1 to 10 2 1 254 Private Network Addresses Assigned to Remote Tunnel Sessions DHCP pool Servers User IP Addr 172 19 2 30 ISP assigned address And Nortel VPN Router Existing Firewall Existing Public Default...

Page 31: ...or management and is separate from other CLIP addresses Using a CLIP address ensures that there is no dependency on any particular physical interface This eliminates a single point of failure As long as there is a route through an interface to the MVA you can manage the Nortel VPN Router Access to the MVA is supported on a public interface through a VPN tunnel The following management protocols ar...

Page 32: ... manage the VPN Router from the public or private side To redistribute the MVA go to Routing Policy window Figure 4 shows MVA with the CLIP address on a subnet that is separate from any of the private physical interfaces Figure 4 MVA on separate subnet from private physical interfaces Figure 5 on page 33 shows MVA with the CLIP address on the same subnet as one of the private physical interfaces ...

Page 33: ...Nortel VPN Router Configuration Basic Features Figure 5 MVA on same subnet as private physical interface Figure 6 shows MVA using CLIP to manage from a remote PC tunneled from the public side Figure 6 MVA managing from a remote PC ...

Page 34: ...he PC press Enter Your terminal emulator must use the following communications parameters 9600 baud 8 data bits 1 stop bit No parity No flow control The Welcome window appears and you are prompted to supply a user name and password Welcome to the Nortel VPN Router Copyright 1999 2000 2001 Nortel Networks Version V07_00 140 Creation date Jan 7 2007 20 51 06 Date 04 27 2007 Unit Serial Number 17563 ...

Page 35: ...e Changes Please select a menu choice 0 9 B P C L R E 6 Type 0 and press Enter to display the Management IP Address menu Please select a menu choice 0 9 B P C L R E 0 Management IP Address menu M Management IP Address 192 168 249 44 R Return to the Main Menu Please select a menu choice M R Note This administrator s password is also the primary administrator s password This password guarantees acce...

Page 36: ...s of the system 1 Type 1 and press Enter to display the configured Interfaces Please select a menu choice 0 9 B P C L R E 1 Interface Menu 0 Slot 0 Port 1 Private LAN IP Address 47 17 163 163 Subnet Mask 255 255 255 240 Speed Duplex AutoNegotiate 1 Slot 1 Port 1 Public LAN IP Address Subnet Mask 0 0 0 0 Speed Duplex AutoNegotiate 2 Slot 2 Port 1 Public LAN IP Address Subnet Mask 0 0 0 0 Speed Dupl...

Page 37: ... skip Old IP Address 47 17 163 163 New IP Address 3 Enter a new IP address for the interface or press Enter to leave the current value The subnet mask menu appears Old Subnet Mask 255 255 255 240 New Subnet Mask 4 Enter the desired subnet mask and press Enter The Interface option menu appears Select the desired option and press Enter No change to IP Address Old Speed Duplex AutoNegotiate 1 AutoNeg...

Page 38: ... addressing the physical networks are consolidated onto a multinetted Nortel VPN Router interface Multinetting allows hosts to migrate to the new IP interface or maintain the previous IP address You can add Multinet IP addresses to the private side or the public side of the VPN Router Statistics and logging are done at the interface level and in most cases are not available separately for each sec...

Page 39: ...ace level specified under the primary address on the interface The same rules apply to all other secondary addresses NAT Support for NAT on multinetted addresses with a single set of rules for all interfaces in Nortel VPN Router NAT services available discretely for each subnet on a multi netted interface separately supported on each subnet address Diff Serv Call admission priority forwarding prio...

Page 40: ... interface level as specified under the Primary address on the interface The same rules apply to all other secondary addresses on the interface VRRP Supported when Primary address is used as the VRRP master backup address VRRP not applicable on sec ondary addresses Other routing RIP OSPF Static Routing protocols are configured separately on each address subnet on a multinetted interface DHCP serve...

Page 41: ...terfaces To change the management IP address complete the following procedure 1 Connect the serial cable supplied with your Nortel VPN Router from the Nortel VPN Router serial port to a terminal or a communications port of a PC 2 Power on the terminal or PC 3 Using a terminal emulation program such as HyperTerminal on the PC access the Nortel VPN Router Your terminal emulator must use the followin...

Page 42: ...r name admin 5 Enter the administrator s password setup Note The factory default user name is admin and the default password is setup Note This administrator s password is also the primary administrator s password This password guarantees access to the Nortel VPN Router through the serial port or a Web browser This administrator s user ID default admin and password default setup combination is als...

Page 43: ...ine Interface R Reset System to Factory Defaults E Exit Save and Invoke Changes Please select a menu choice 0 9 B P C L R E 6 Type 0 and press Enter to display the Management IP Address menu Please select a menu choice 0 9 B P C L R E 0 Management IP Address menu M Management IP Address 192 168 249 44 R Return to the Main Menu Please select a menu choice M R 7 Type M and press Enter to change the ...

Page 44: ... packet The IP address of a source client is logged in the syslog output whether the logon connection attempt is successful or not Configuring ACL through the CLI Use the following commands to configure ACL in CLI To set an ACL for HTTP enter the following NNCLI command CES config http access list the_name_of_an_acl To remove an ACL for HTTP enter the following command CES config no http access li...

Page 45: ...f the predefined ACLs 3 Click OK Configuring the serial interface The Serial Interface allows you to configure the IP address and subnet mask so that you can then use a Web browser for management Your terminal emulator must use the following communications parameters 9600 baud 8 data bits 1 stop bit No parity No flow control The Serial Interface configuration procedure is typically only necessary ...

Page 46: ... The Welcome window appears and you are prompted to supply a user name and password Nortel VPN Router Copyright c 1999 2007 Nortel Networks Inc Version V07_00 038 Creation date Oct 11 2006 09 52 35 Date 10 13 2006 Unit Serial Number 10167 Released Software Fully supported 4 Please enter the administrator s user name admin ...

Page 47: ...led Crash L Command Line Interface R Reset System to Factory Defaults E Exit Save and Invoke Changes Please select a menu choice 0 9 B P C L R E 7 Type 1 and press Enter to display the configured Interfaces Please select a menu choice 0 9 B P C L R E 1 Note The factory default user name is admin and the default password is setup Note This administrator s password is also the primary administrator ...

Page 48: ... AutoNegotiate 2 Slot 2 Port 1 Public LAN IP Address Subnet Mask 0 0 0 0 Speed Duplex AutoNegotiate 3 Slot 4 Port 1 Public WAN IP Address Subnet Mask 255 255 255 255 Line Format T1 Line Coding B8ZS HDLC Polarity normal Line Framing T1 ESF Line Build Out 0 0 dB Timing Source Loop Performance Report Message ANSI Utilized Channels Fractional T1 1 2 12345678902345678901234 Currently R Return to the Ma...

Page 49: ...urrent value The subnet mask menu appears Old Subnet Mask 255 255 255 240 New Subnet Mask 10 Enter the desired subnet mask and press Enter The Interface option menu appears Select the desired option and press Enter No change to IP Address Old Speed Duplex AutoNegotiate 1 AutoNegotiate Default 2 100 Mbs FullDuplex 3 100Mbs HalfDuplex 4 10Mbs FullDuplex 5 10Mbs HalfDuplex CR Leave unchanged Please s...

Page 50: ... with the normal software and configuration and transports both VPN traffic and management traffic To save your configuration into the Safe Mode boot directory 1 Select B System Boot options 2 Select 2 System Reset options 3 Select 1 Reset system to Normal Mode 4 Select 2 Reset system to Safe Mode Managing through a Web browser After you use the serial interface configuration launch a Web browser ...

Page 51: ...Enter the system default login and password in lowercase characters as follows Login admin Password setup At this point follow the Quick Start Configuration procedure or the Guided Configuration procedure Refer to Table 3 on page 53 for help in determining which procedure to use ...

Page 52: ...to use The PPTP client application is available on the Nortel CD for Windows 95 and it comes with Windows 98 and Windows NT Nortel also provides the IPsec client on the Nortel CD You should develop a complete network topology physical and logical of the environment in which you are testing the Nortel VPN Router This should include the following Details of physical communication links such as cable...

Page 53: ...intosh All protocols that exist within the network Table 3 shows the alternatives when first configuring your Nortel VPN Router Begin with either the Quick Start or the Guided Configuration After you are familiar with the Nortel VPN Router navigational menu and capabilities select Manage Switch Table 4 provides a place for you to record the information that you need to configure basic Nortel VPN R...

Page 54: ... private address Services Available Management Protocol HTTP private address HTTP public address SNMP private address SNMP public address FTP private address FTP public address TELNET private address TELNET public address CRL retrieval private address CRL retrieval public address Routing Static Routes Enabled Disabled Public Nortel VPN Router IP address Private Nortel VPN Router IP address Routing...

Page 55: ...onfirmed Alternate 2 host name or IP addresses public or private Port Shared secret confirmed Servers LDAP Internal or external Base DN Master IP address port or SSL Bind DN Bind password Confirmed Slave 1 IP address port or SSL Bind DN Bind password Confirmed Slave 2 IP address port or SSL Bind DN Bind password Confirmed Servers User IP Addr Broadcast Any DHCP or DHCP servers Primary IP address S...

Page 56: ...art or Guided Configuration Click on Manage from Notebook to run the Nortel VPN Router Manager in notebook display mode Click on Quick Start to begin the Quick Start Configuration This option allows you to configure interfaces set up PPTP tunnels for up to three users and establish a connection to the Nortel VPN Router If you prepare for the configuration as recommended the Quick Start can take as...

Page 57: ...xt sensitive help is available at each subsection to supplement the summary Provided you have the information required to set up the Nortel VPN Router the Guided Configuration is estimated to take two to three hours to complete depending on how extensive your configuration is The Nortel VPN Router navigational menu options include the top level configuration and monitoring areas of the Nortel VPN ...

Page 58: ...58 Chapter 2 Getting started NN46110 500 ...

Page 59: ...ovides support for five 5 tunnels at introduction and 30 tunnels for licensing The maximum tunnels include the sum of all branch office client and management tunnels combined For example if one management tunnel and two branch office tunnels are open only two client tunnels can be connected initially 27 client tunnels with the 30 tunnel license The license is for 25 additional tunnels LDAP support...

Page 60: ...from the DHCP server should include the default Nortel VPN Router and the DNS server DNS proxy is configured to forward DNS requests to an external DNS server The address of the DNS server is obtained during startup from the ISP s DHCP Network Address Translation NAT translates the private IP address space determined by default configuration of the DHCP server into one public address assigned to t...

Page 61: ... accept newly created secure connections from the Nortel VPN Router 1010 1050 or 1100 Therefore the BOQS must be used with the knowledge and approval of a network administrator It can only be initiated after IP addressing has been planned and the central office switch has been configured Then you can send the provisioning parameters to the remote branch office locations The Nortel VPN Router 1010 ...

Page 62: ... switches at the local sites you must configure routing and tunnels on the switch at the central office For routing you must do the following Enable global RIP service Enable RIP on private interface Disallow importing default routes in the group where responder tunnels are created For tunnels you must do the following Create one responder tunnel for each branch office Nortel VPN Router 1010 1050 ...

Page 63: ...e second address becomes the management IP address of the switch Each branch office must be in its own subnet Table 5 shows how offices with approximately 50 workstations can each have subnets assigned Service provider environment Service providers generally have an isolated NOC from which all devices are managed The addressing scheme could be different from a central office and require a separate...

Page 64: ...branch office Because static routing is used in control tunnels you do not have to enable routing protocols on the NOC switch Use the following guidelines All responder tunnels should be created in one group or in subgroups of one group for easy management Connection Name of the tunnel should correspond to NOC tunnel name and created in an enabled state with local filter set to Permit All Text Pre...

Page 65: ...modem and the local network Ethernet segment The end user restarts the PC to request a new IP address from the branch office DHCP server not all operating systems require rebooting The end user opens the Web browser and types http 192 168 1 2 then clicks on Manage Switch and enters admin and setup as the username and password The BOQS displays one window to collect the IP and VPN configuration par...

Page 66: ... addresses but you must separate them with commas This field is optional and can be left empty Private network IP address Subnet address of the branch office network Private network mask Subnet mask of the branch office network Network Operation Center tunnel configuration Network operation center tunnel name Name of the branch office tunnel configured on NOC switch same as initiator id on the NOC...

Page 67: ... through a cable or DSL modem This set of instructions in also provided on the readme that is shipped with the hardware Before you begin Before you connect the Nortel VPN Router 1010 1050 or 1100 you must have the following Internet connection If your DSL or cable modem is not yet installed contact your Internet service provider ISP The ISP may need the LAN 1 MAC address on the back of the VPN Rou...

Page 68: ...the LAN 0 port and then connect the PCs to the switch or hub To connect PCs and other devices to the Nortel VPN Router 1050 or 1100 use standard Ethernet cables to connect the devices to the LAN 0 ports labeled A D 2 If you have a Nortel VPN Router 1100 that has one or two optional interface cards connect the appropriate cables to the ports on the interface cards 3 Using a standard Ethernet cable ...

Page 69: ...her operating systems see the user documentation a Choose Start Settings Network and Dial up Connections Local Area Connections b Click Properties c From the component list select Internet Protocol TCP IP and then click Properties d Select the Obtain an IP address automatically option and click OK 2 Reboot the PC to obtain a new IP address from the VPN Router 192 168 1 3 192 168 1 254 Test the VPN...

Page 70: ... 2 manage qs pyc 4 Click on Manage Switch and then type admin and setup as the user name and password 5 Follow the instructions on the window that appears PPPoE instructions If your ISP uses PPPoE to assign an IP address to your PCs connect the VPN Router to the Internet and then start the quick start tool as follows 1 Open a Web browser and enter the following URL in the browser window http 192 1...

Page 71: ...PCs connect the VPN Router to the Internet and then start the quick start tool as follows 1 Contact the ISP for the address to use 2 Open a Web browser and enter the following URL in the browser window http 192 168 1 2 3 Click on Manage Switch and then type admin and setup as the user name and password 4 From the menu bar choose System LAN to display the LAN Interfaces window and select Cancel Acq...

Page 72: ...50 and 1100 use a compact flash disk instead of a traditional hard disk that provides 64 MB of flash disk storage Because of the limited storage capacity the following functionality is not provided Safe mode Java runtime plug in Graphs Japanese strings Context sensitive help The help files are located on the CD and on the Nortel documentation Web site When you click on the Help menu from the UI yo...

Page 73: ...accounting server is supported The data collection log DCLOG is not supported which means that the graphing capabilities of the UI are also not supported The core is not saved on the compact flash disk It is sent to an FTP server Configuration parameters for the FTP server are stored in flash The core file is placed on the server To set up the FTP coredump got to the FTP Coredump section of the Ad...

Page 74: ...74 Chapter 3 Setting up the Nortel VPN Router 1010 1050 and 1100 NN46110 500 ...

Page 75: ... the PDN public data network and to a remote user through a tunnel Figure 9 Tunnel connection configuration The connection attributes that you configure in the Nortel VPN Router enable the remote user to create a tunnel into the Nortel VPN Router However you are not configuring the connection from the remote user to the Internet Service Provider ISP at this point The actual connection to the Norte...

Page 76: ...rough the tunnel connection with a source IP address of 192 168 21 3 or any address other than 192 192 192 192 are dropped Furthermore you can enable filters on the Nortel VPN Router to limit the protocol types that can pass through a tunneled connection Password aging does not work for administrator accounts Also the following are client specific password management symptoms If you are using the ...

Page 77: ...ial In User Session RADIUS databases for authentication When using LDAP for authentication the user is always assigned to a group since LDAP also contains the user group and attribute information When authenticating a Point to Point Tunneling Protocol PPTP client against a RADIUS database the group for a user requesting a session can be returned from the RADIUS server as a RADIUS class attribute W...

Page 78: ...ll admission priority until existing callers disconnect 6 Specify the Forwarding Priority level from low to highest that you want to provide to sessions for users in this group Forwarding priority assures a certain level of latency and bandwidth allocation For example a group with the highest forwarding priority has the highest possible bandwidth service and the lowest level of latency Conversely ...

Page 79: ...rs to decode The default is Disabled 9 Enter the amount of Idle Timeout time a connection can be idle no data has been transmitted or received through the connection for the specified amount of time When the idle timeout expires the session is terminated This option helps prevent allocation of resources on the Nortel VPN Router for sessions that are no longer active The default Idle Timeout is 00 ...

Page 80: ...is no greater than the Token Bucket Depth When the queue exceeds the Token Bucket Depth incoming packets are dropped To guarantee reduced latency the Bucket Depths should be small Typically you should not change this setting Default is 3000 bytes 17 The Token Bucket Rate is the highest long term average data rate in Kbps required over time for the connection It informs the Nortel VPN Router and pa...

Page 81: ...llowed tunnel access to the Nortel VPN Router Tunneling protocol settings A user group Add users to the group A means such as DHCP or pool for assigning IP addresses to the client to allow user access All tunneling protocols are enabled on the public and private networks by default Since data in tunnels is encrypted the default setting guarantees that all interactions with the Nortel VPN Router ar...

Page 82: ...equired authentication and authentication order and configure required L2TP access concentrators For L2F choose Services L2F and select the required authentication and authentication order and configure required network access servers To add a user group 1 Go to Profiles Groups and click on Add 2 Enter a group name of up to 64 characters spaces are permitted For example you could use Research and ...

Page 83: ... regular name associated with a person for example Mario Smith This user can have different IDs and passwords for each tunnel type You can move the user to a another group by selecting a different group name 5 Enter a remote user static IP address to use in place of a pool client specified or DHCP server assigned IP address This IP address is associated with the Note To configure firewall user aut...

Page 84: ...field allows you to specifically assign a subnet mask to a remote IPsec client that obtains an IP address either from the IP address pool DHCP RADIUS or a static user configuration 7 Enter a User ID and password The User ID has a maximum length of 256 characters The User password has a maximum of 32 characters To search within a selected group and then configure a user s account 1 Go to Profiles U...

Page 85: ... example cn common name or sn surname to generate the associated user s profile Refer to your LDAP vendor s documentation for complete details Configuring inverse split tunneling Inverse split tunneling Figure 10 provides the flexibility of allowing remote users access to network resources outside of the mandatory tunnel while still maintaining most of the security advantages of this tunnel type F...

Page 86: ...ave a significant security advantage over split tunneling in that you specify the network resources that are allowed outside the tunnel Split tunneling allows access to any network resource outside of specified split tunnel networks Configuration is available through the GUI and the CLI of the Nortel VPN Router The Profile Groups window of the Nortel VPN Router GUI allows the addition of inverse s...

Page 87: ...ands the 0 0 0 0 to be all of the directly connected local subnets detected on the host Any additional subnets in a list are processed as before The 0 0 0 0 0 is simply a wildcard to be expanded After expansion traffic destined for these subnets is allowed to flow outside of the tunnel While this option is valid for both the Inverse Split and Inverse Split Locally Connected modes it is really only...

Page 88: ...nu The Split Tunneling menu is used to select the tunneling mode that is used by the selected group Table 7 shows the options Table 7 Split tunneling mode options Split Tunneling Selection Network Selection sent to NVC Disabled None Enabled Split Tunnel networks Enabled Inverse Inverse Split Tunnel Networks Enabled Inverse locally connected Inverse Split Tunnel Networks ...

Page 89: ...ork name For inverse split and inverse local options the inverse split tunnel networks are defined using this command split inverse tunnel network defined network name Example split tunnel group ipsec Base Mike Split Tunneling split tunneling enable split tunnel network 17 Net Example inverse split tunnel group ipsec Base Mike Inverse Split Tunneling split tunneling inverse split inverse tunnel ne...

Page 90: ...90 Chapter 4 Configuring user tunnels NN46110 500 ...

Page 91: ...ed by the system s address and domain name system DNS name The DNS name can be used instead of the IP address to identify the Nortel VPN Router and launch its management interface through a web browser The System Identity window allows you to optionally change your Nortel VPN RouterManagement IP address and provide the DNS Host Name and Domain Name Additionally you can assign up to three DNS addre...

Page 92: ...main Name box enter the Name of the Internet Domain into which this system is being placed This must be the same Internet Domain as the System Name in the Domain Name System DNS server A domain is a part of the Internet naming hierarchy that refers to general groupings of networks that are based on organization type or geography For example mycompany com is the domain name for a commercial com ent...

Page 93: ...stem board is configured to be private by default Connect its interface to your corporate LAN Additional interfaces that are inserted into the expansion slots are public by default The private LAN interface and the management IP address must be on the same network and the public LAN interface should be on a different network both physically and logically If your Nortel VPN Router has a single netw...

Page 94: ...re the IP address subnet mask and default route parameters You can set a cost value to give preferential routing when two or more public DHCP clients are configured In this situation DSL and cable modem are the preferred choice for connections to the internet Private indicates that an interface is attached to the private network and it can accept nontunneled networking protocols such as TCP IP FTP...

Page 95: ...lects the selection on the Services Firewall window This entry also shows the interface filter that is currently being used by the Nortel VPN Router Firewall This is the interface filter that is selected on the System LAN Interfaces Edit IP Address window If no interface filter has been selected the default of Deny All is used The Deny All and the Deny All default filter have the same effect The D...

Page 96: ...lly set the LAN interface s port speed and mode to match the speed and mode used by the connected station 100Mbs Full duplex 100Mbs Half duplex 10Mbs Full duplex 10Mbs Half duplex 2 You can provide an optional Description for the LAN interface The description appears on the LAN Interfaces window 3 Enter the MTU value The MTU sets the maximum size of a data packet transmitted from the interface It ...

Page 97: ...er an identification number for a VLAN ID in the range 1 4094 inclusive This is the VLAN identifier for the interface VLAN The default value is 1 9 Select Accept Untagged to accept Ingress inbound frames untagged or Discard Untagged to drop them 10 Select Tagged too tag Egress outbound frames Untagged is default 11 Click Configure Subinterfaces to configure and to view existing VLAN subinterfaces ...

Page 98: ...The Interface Filter option is not available for the secondary addresses Figure 14 LAN Interfaces window The LAN Interfaces Add IP Address window appears Figure 15 on page 99 shows the Add IP Address window Note Each interface has an Add Multinet button If you are configuring multinet for Fast Ethernet you click the Add Multinet button for Fast Ethernet If you are configuring multinet for Gigabit ...

Page 99: ...dress in the IP Address text box 3 Enter a subnet mask in the Subnet Mask text box 4 Click OK To delete an IP address 1 From the LAN Interfaces window select the secondary IP address to delete 2 Click Delete Note Secondary subnets can be deleted without having any effect on one another To delete the primary subnet remove all the secondary subnets ...

Page 100: ... ip address ip address mask secondary Deleting an IP address To delete an IP address 1 Navigate to config mode by entering the following command config 2 Select the interface in which the multinetted address needs to be deleted by entering the following command interface gigabitEthernet slot port 3 Delete a secondary address from the interface no ip address ip address mask Table 8 Adding Deleting ...

Page 101: ...ss Set the OSPF hello interval on a secondary address CES config if ip ospf hello interval 1 65535 secondary address Reset the OSPF hello interval on a secondary address CES config if no ip ospf hello interval secondary address Set the OSPF retransmit interval on a secondary address CES config if ip ospf retransmit interval 1 3600 secondary address Reset the OSPF retransmit interval on a secondary...

Page 102: ...ig if ip rip export bo static metric 1 15 secondary address Stop RIP from exporting branch office static routes on a secondary address CES config if no ip rip export bo static metric secondary address Set the RIP cost for exporting default routes on a secondary address CES config if ip rip export default metric 1 15 secondary address Stop RIP from exporting default routes on a secondary address CE...

Page 103: ... addresses 10 2 n n are directly reachable 3 Click Enabled to enable TCP MSS Maximum Segment Size clamping 4 Set the TCP MSS value in this field Disable importing of default routes using RIP CES config if no ip rip import default secondary address Enable RIP poison reverse on a secondary address CES config if ip rip poison reverse secondary address Disable RIP poison reverse on a secondary address...

Page 104: ...e Nortel VPN Router Firewall 6 Use the New Interface Filter link to go to the Profiles Filters window and create a new filter The default Interface Filter setting is Deny All You can copy an existing tunnel filter for use as an interface filter or vice versa However when you copy a filter the operation does not copy any components such as a rule port protocol or address that have the same name as ...

Page 105: ...larm host on a slow speed serial line Unlike synchronous transmission asynchronous transmission does not use clocking signals to time the data transmission Instead asynchronous transmission uses start and stop bits to control the transmission AOT is either a connection initiator or a listener but it cannot be both The selection of service is through AOT configuration Only a single TCP connection i...

Page 106: ...universal standard time The Nortel VPN Router supports up to eight NTP unicast servers and broadcast multicast servers The System Date and Time Network Time Protocol window allows you to set up NTP on the Nortel VPN Router NTP synchronizes the clocks of various devices across networks It also automatically adjusts the time of network devices so that they are synchronized within milliseconds The No...

Page 107: ...k Add to add a server a IP address of the NTP unicast server b Under Interface for security you can specify either a private or public interface The private interface is the management IP address When adding a public interface you can choose from a list of public interfaces If you are using the Nortel VPN Router Firewall you need to configure an interface filter to add NTP c Enter the Key ID This ...

Page 108: ...c and management traffic To configure the system settings 1 Go to the System Settings window 2 Click on the Enable check box to enable and disable Safe Mode 3 Type in the number of minutes to determine how the long the system operates in Safe Mode before attempting to reboot in Normal Mode 4 Configure the serial port under the Serial Port Configuration section The parameters that you must set to a...

Page 109: ...net FTP SNMP through the web interface When a session is established through PPP the serial interface acts as a private WAN interface with an internal IP address Auto Detect automatically detects whether the Nortel VPN Router is using PPP or serial menu mode at startup It cannot determine the Nortel VPN Router baud rate nor can it determine a change from PPP to serial menu mode except upon startup...

Page 110: ...on to change the port to the new baud rate 5 Select Log File Life Time or Log File Disk Limit The default log file life time is 60 days and the default log disk limit is 100 megabytes Select a value for the log file life time from the list 6 Check Write System Log To File to enable saving log data to a file 7 Select FTP server passive mode If you do not select this check box you can still use pass...

Page 111: ... route types All of these options are disabled by default for security reasons 3 Click on Enable Gratuitous ARP to send out a gratuitous ARP request on the private interface with the best matching subnet when a user tunnel is established 4 Under Tunnel to Tunnel Traffic select from Allow End User to End User to allow a remote user who is tunneled into the corporate Nortel VPN Router to access othe...

Page 112: ...e either the NVR GUI or CLI to configure the SSH server SSHv1 clients are not supported on the SSH server Using the GUI for SSH server Before using the SSH server you must first enable it and then set the parameters Enabling the SSH server To enable the SSH server 1 Select Servers SSH The SSH Server page appears as shown in Figure 17 Figure 17 SSH Server 2 To enable the SSH Server select the SSH S...

Page 113: ...he system 113 Nortel VPN Router Configuration Basic Features Configuring the SSH server To set the parameters for the SSH server 1 Select Services Available The Allowed Services page appears as shown in Figure 18 on page 114 ...

Page 114: ...igure 18 Allowed Services window 2 In the Port text box enter the SSH server port number 3 To enable filters select either the Public or the Private check box 4 Click OK Note If an SSL VPN card exists in the NVR the port for the SSH server cannot be 22 ...

Page 115: ...ivate enables private interface filters on the specified SSH server port public enables public interface filters on the specified SSH server port For example enter CES config ssh server port 432 Enabling or restarting the SSH server To enable or restart the SSH server from CLI Global Configuration Mode enter service ssh enable restart where enable enables the ssh server restart restarts the ssh se...

Page 116: ... the state enabled or disabled of the SSH server For example to display the current SSH server port for the Nortel VPN Router enter CES config show ssh server port For example to display the state enabled or disabled of the current SSH server for the Nortel VPN Router enter CES config show ssh server state Disabling the SSH server To disable the SSH server from CLI Global Configuration Mode enter ...

Page 117: ...s will require an export license from the US Department of Commerce Pursuant to such license the product can be marketed and sold only to a limited class of international users Any entity other than Nortel Inc that wants to export this product must first obtain license approval from the US Department of Commerce Further the user of this product cannot re export transfer or divert the product to an...

Page 118: ...118 Chapter 5 Configuring the system NN46110 500 ...

Page 119: ...ods You can apply local policy restrictions such as access hours filter sets and call admission priorities to limit connectivity into local subnetworks The Nortel VPN Router supports symmetric or peer to peer branch office tunnels with fixed endpoints and asymmetric branch office tunnels An asymmetric branch office tunnel is a branch office tunnel where one of the endpoints does not have a fixed I...

Page 120: ...nch Office Connection The default private LAN router the firewall must redirect packets intended for remote branch office subnets In this case as with any branch to branch configuration you must configure each branch Nortel VPN Router with the same encryption settings and pre shared key password Of course the accessible local and remote subnetwork addresses and subnet masks would be inverted in ea...

Page 121: ...r topology the two indirectly connected Nortel VPN Routers can create tunnels at will as long as each Nortel VPN Router properly includes all of the local and remote subnetworks and subnetwork masks as accessible networks Figure 21 on page 122 shows the relationship between three Nortel VPN Routers and the local and remote networks that must be configured for each link to allow indirectly connecte...

Page 122: ...nk is not supported with branch office tunnels It is only supported with end user tunnels 172 17 21 0 255 255 255 0 172 17 20 0 255 255 255 0 172 19 2 30 Boston New York Cleveland Local 172 17 21 0 255 255 255 0 172 17 20 0 255 255 255 0 192 149 20 0 255 255 255 0 Remote 192 149 21 0 255 255 255 0 192 155 64 2 192 149 20 0 255 255 255 0 Local 192 149 21 0 255 255 255 0 Remote 172 17 21 0 255 255 2...

Page 123: ... for the PPTP tunnel are processed and the Nortel VPN Router at the exit node of the branch office creates a new PPTP tunnel inside the branch office tunnel Even though the nested PPTP tunnel sessions are similar to a regular end user tunnels at the terminating Nortel VPN Router switch they are listed separately under the branch office as nested tunnels on the status page This indicates that the n...

Page 124: ... form of failover and load balancing VPN DNS IPSec asynchronous branch off tunnels on the Nortel VPN Router can be configured to use DNS name of a remote peer rather than IP address In Figure 22 on page 125 the initiator from the branch office brings up a tunnel to a responder in the central office Without the VNP DNS the initiator needs to know the IP address of the responder and reconfigure the ...

Page 125: ...n click on Select next to the connection that you want to configure 3 Click on Configure to go to the Connection Configuration window 4 In the Endpoints section enter the Remote IP Address or Host Name field enter a DNS name of a responder endpoint Round Robin DNS Round Robin DNS is used in IP networks to provide a form of load balancing Services on the Internet typically have more than one server...

Page 126: ...oint set to the domain name of the responder ces lab com When the initiator performs a DNS query the DNS server returns IP addresses 1 2 3 4 and 5 6 7 8 The initiator selects 1 2 3 4 because it is first in the list of addresses and establishes a tunnel If 1 2 3 4 goes down the initiator must reestablish the tunnel and send a new DNS query The DNS server returns addresses 5 6 7 8 and 1 2 3 4 becaus...

Page 127: ...alancing example Dynamic DNS Dynamic DNS DDNS allows a dynamically addressed host computer to use a static DNS name The DNS name system is used both throughout the Internet and corporations to provide both host to server and host to host communication for many applications A DNS name space is typically set up by the system administrator Increased use of dynamic IP based Internet connectivity and t...

Page 128: ...ou can associate multiple branch offices with the same group thereby saving setup time and increasing management efficiency For example you might plan on creating several VPN connections from various remote sales offices into your enterprise headquarters In this case you create all of the connections in the same group so they all have the same attributes such as hours of access encryption method a...

Page 129: ...0 No NAT selected permit all IPsec Text Pre Shared Key bostoncleveland Local cleveland_sales Remote 10 17 20 0 10 17 21 0 Local boston_hq Remote 192 168 20 0 Add a group for the Connection Review Tunnel Type Settings Profiles Branch Office Configure Connection Which Management Page to Use What to Do 1 2 3 Base boston IPsec vpn_to_cleveland Associate with Base boston group Boston Settings for Confi...

Page 130: ...ching groups You can then configure the specific group or groups that you want Enter the name your want to search for in the Search Criteria window and click on Search The Search All Groups Results window appears listing any groups that match all or part of the specified connection name You can select a Group and then use the Configure button to review or modify the group s attributes Adding a tun...

Page 131: ...her as the responder Only the Initiator can bring up the tunnel When the connection type is set to initiator there is no need to define a local endpoint You should only configure an IPsec tunnel type IPsec authentication requires an initiator ID Asynchronous branch office tunnels work only on public interfaces Responder where neither local or remote endpoints are required You must configure IPsec ...

Page 132: ...of the connection 8 Select to reset the Tunnel MTU When you change the MTU value you must reboot the Nortel VPN for the new value to take effect 9 Enter an MTU Value Enter a value from 576 through 1788 bytes The default value is 1788 10 Under NAT select either PortNAT or none NAT enables you to build your VPN without requiring that you reconfigure or rename your existing network NAT sets are defin...

Page 133: ...eate a branch office VPN connection between two Nortel VPN Routers In this example the local Nortel VPN Router is at the enterprise headquarters in Boston and the remote Nortel VPN Router is at a sales office in Cleveland When you set up a branch office connection you must perform the configuration procedure twice once for each of the two Nortel VPN Routers that make up the connection The branch o...

Page 134: ...gs on these pages when you configure the branch office connection The System Forwarding window must allow branch office to branch office traffic The Profiles Networks window must list the Nortel VPN Router s private networks In the sample configuration the local Nortel VPN Router s internal network name is boston_hq and the subnets are 10 17 20 0 and 10 17 21 0 The remote systems behind the remote...

Page 135: ...d Group window appears 5 Enter a name and then select your group from the group pull down menu Click OK The Branch Office window returns 6 In the Connections section click on Add The Add Connection window appears 7 Enter the connection name up to 128 characters 8 If this is to be a Control Tunnel select Enabled 9 Select Tunnel Type PPTP and Connection Type Peer to Peer Click OK 10 On the Connectio...

Page 136: ...36 Chapter 6 Configuring branch office tunnels NN46110 500 12 Click on the Test button on each end of the tunnel to verify connectivity 13 Try to ping from on PC to the other PC through the branch office ...

Page 137: ...and DNS servers from the Nortel VPN Router through the control tunnel Control tunnels allow you to easily configure secure tunnels to any Nortel VPN Router that you want to manage This allows you to set up an encrypted tunnel to a customer s Nortel VPN Router Through that tunnel you can perform all the necessary management tasks such as HTTP FTP SNMP and Telnet Figure 27 on page 138 shows a sample...

Page 138: ...that you want to manage The traffic inside the tunnels is limited to the Nortel VPN Router s management IP address only which is unique to control tunnels Figure 28 on page 139 shows a special branch office control tunnel from a network operations center in Cleveland and also a user control tunnel VPN Server 1 VPN Server 2 Control Tunnels el el FTP Server RADIUS Server Network Operations Center SN...

Page 139: ...ws network management personnel from anywhere in the world access to the management tasks If you work at a NOC in Cleveland and you manage a customer s Nortel VPN Router that is located in Boston you would want to use control tunnels On one end of the control tunnel the Nortel VPN Router under management access is always restricted to the management address only Access to the Boston Nortel VPN Rou...

Page 140: ...tials both to set up the tunnel if it is an end user and to log in as an administrator administrative access privileges Having the proper access privileges acts as a level of security Additionally since in restricted mode you are forced to manage the Nortel VPN Router through a tunnel you are guaranteeing data protection through encryption You enable Restricted mode through the Serial Interface me...

Page 141: ...e network operations center The pings must occur at an interval that is less than the Idle Timeout value These pings act as a liveliness detection and perform keepalive signals for the end connection and report to the sender that the packet was received or that there was no response 4 Click on Enabled Disabled is the default 5 Click on OK Creating control tunnels To create a special branch office ...

Page 142: ...d line interface If you enter an address other than the management IP address MGMT NAT creates a NAT set with a static rule The NAT set is called Control plus the name of the connection for example Control Boston This also creates a network definition that is named Control and the name of the connection The network definition contains the NAT management address In this case the branch office conne...

Page 143: ...want Enter the name your want to search for in the Search Criteria window and click Search The Search All Groups Results window appears listing any groups that match all or part of the specified connection name You can select a Group and then use the Configure button to review or modify the group s attributes Adding a control tunnel To add a Control Tunnel connection 1 On the Profiles Branch Offic...

Page 144: ... type is the traditional branch office tunnel where either side can initiate traffic Initiator where with asynchronous branch office tunnels ABOT one side must be configured as the initiator and the other as the responder Only the Initiator can bring up the tunnel When the connection type is set to initiator there is no need to define a local endpoint You should only configure an IPsec tunnel type...

Page 145: ...the key for example bostoncleveland then retype it in the Confirm Text String field If you create a branch office connection using any IPsec certificate and you choose IP address as the alternate name you must use the IP address of the public interface that is on the branch office end of the connection 8 Select to reset the Tunnel MTU When you change the MTU value you must reboot the Nortel VPN fo...

Page 146: ...ress of the local Nortel VPN Router Or you can establish a Web connection to the local Nortel VPN Router and attempt to configure it Creating a user control tunnel from the serial interface You can create a user tunnel using the serial interface Control tunnels allow the management of the Nortel VPN Router without access to anything on the network other than the management IP address This is used ...

Page 147: ...tion Breaking and reestablishing a secure connection could cause disruptions to applications running across the tunnel For example in Figure 29 on page 148 if a client has a wireless connection to the Internet and has established a secure tunnel to the corporate private network via access point 1 AP1 and the client s connection to AP1 goes down for some reason the client roams to the access point ...

Page 148: ...nt to the Internet When away from home mobile IP uses protocol tunneling to hide a mobile node s home address from intervening routers between its home network and its current location The home agent sends datagrams destined for the mobile node through a tunnel to the care of address After arriving at the end of the tunnel each datagram is then delivered to the mobile node However IP mobility tech...

Page 149: ... change The IP address change is then communicated to the Nortel VPN Router so that the IKE and IPSec SA databases are updated with the new address ISAKMP informational exchange messages are used to send the change to the Nortel VPN Router Once a notify message with a new client IP address is received by the Nortel VPN Router it updates its databases uses the received IP as the outer IP address an...

Page 150: ...served after roaming Roaming from behind NAT to behind NAT In Figure 30 before roaming the client was connected via access point 1 AP1 and NAT box 1 and had an IP1 IP address After roaming the client is connected via access point 2 AP2 and NAT box 2 and gets an IP address IP2 In this case the client IP address and UDP port have been changed after roaming When a new IP address has been received by ...

Page 151: ...fter roaming via AP1 and NAT box a situation that s the reverse of the one in Figure 31 In this case the IPSec connection will be dropped as NAT detection is made in IKE phase 1 and NAT traversal is negotiated in quick mode therefore with the tunnel already negotiated and established the change cannot take place unless re negotiation occurs Similar problems may arise when roaming from behind IPSec...

Page 152: ...N Client When operating in split tunneling mode the NVC periodically checks the routing table on the client s PC to determine if the table has been altered in any way This checking is done for security reasons to detect for intrusions and unauthorized access to the private network When a routing table change is detected the tunnel is brought down Table 11 Configuration considerations Initial NVC c...

Page 153: ...ed by the Idle Timeout If the client tries to reconnect and the previous session has not expired yet the client would not be able to log in as only one active session is allowed per user by default The Initial Contact Payload feature could be used in this situation to clear up old sessions This feature allows the server to terminate an old session if a new session has the same user ID as the old o...

Page 154: ...d by the Nortel VPN Router as the session has already been logged off A similar situation may arise with the client failover tuning timers If a rekey is initiated by the Nortel VPN Router during the roaming time it may not be able to reach the client for example it is out of area and the rekey may fail When the rekey fails the Nortel VPN Router will bring down the session and roaming will not succ...

Page 155: ...s configured on the Nortel VPN Router and tries to connect to those servers if the connection with the primary server is lost As each failover server destination is attempted you are prompted allowing you the option to cancel the operation If the user doesn t intervene the connection attempt continues With persistence enabled after going through the list of failover servers the client tries the pr...

Page 156: ...nection to the same Nortel VPN Router The original Nortel VPN Router is included in the list that the client tries to connect to If no servers are set in the failover list the original Nortel VPN Router is tried persistently Configuring IPSec mobility and persistence IPSec mobility is a licensed feature Contact your Nortel representative to obtain a license key To install the Advanced Routing lice...

Page 157: ...long the tunnel should stay in the suspended state or time allowed for the roaming to take effect IPSec Idle Timeout and rekey timeout settings must be taken into consideration when configuring Max Roaming Time Max Roaming Time should not exceed the Idle Timeout interval as with the Idle Timeout being less then Roaming time session could timeout prior to roaming completion 4 For Persistence select...

Page 158: ...apter to prove that there is IP connectivity To configure the Nortel VPN Router using CLI you need to either telnet to the Nortel VPN Router or connect to it through the Serial Interface option L on the menu Enter the privileged mode CES enable Password Enter configuration mode CES configure terminal Enter configuration commands one per line End with Ctrl z CES config To install advanced routing l...

Page 159: ...mobility enable To enable persistence CES config group ipsec persistence enable To disable persistence CES config group ipsec no persistence enable To change the maximum roaming time to for example 210 seconds CES config group ipsec max roamingtime 210 To change the persistence time to for example 1000 minutes CES config group ipsec persistent time 1000 To exit the IPSec group configuration mode C...

Page 160: ... DES with SHA1 Integrity Disabled ESP 56 bit DES with MD5 Integrity Disabled ESP 40 bit DES with SHA1 Integrity Disabled ESP 40 bit DES with MD5 Integrity Disabled ESP NULL Authentication Only with SHA1 Integrity Enabled ESP NULL Authentication Only with MD5 Integrity Enabled AH Authentication Only HMAC SHA1 Disabled AH Authentication Only HMAC MD5 Disabled IKE 56 bit DES with Group 1 768 bit prim...

Page 161: ...Dynamics SecurID Disabled External Authentication Group ID Not Configured External Authentication Text Password Not Configured Nat Traversal Disabled Nortel client requirements Action Not Configured Nortel client requirements Version Not Configured Nortel client requirements Message Not Configured Nortel client requirements Filter deny all Transport Mode Connections Enabled Mobility Enabled Anti R...

Page 162: ...162 Chapter 8 Configuring IPSec mobility and persistent mode NN46110 500 ...

Page 163: ... as who to contact for further information or questions Central office tunnel configuration Your value Central office tunnel name Central office tunnel password Central office public IP address Central office DNS server IP address Central office WINS sever IP address Private network IP address Private network mask Network Operation Center tunnel configuration Your value Network operation center tu...

Page 164: ...164 Branch office quick start template NN46110 500 ...

Page 165: ...of a transmission channel amount of data that can be sent through a given communications circuit certification authority CA An authority that issues digital certificates and manages the life cycle of certificates Challenge Handshake Authentication Protocol CHAP A peer entity authentication method for PPP using a randomly generated challenge and requiring a matching response that depends on a crypt...

Page 166: ...a query service used to look up host IP addresses based on host names DNS applications can perform name to address and address to name translations dynamic routes Routes that are learned via the switch s RIP support and are used for branch office connections and the private interface encryption The manipulation of a packet s data to prevent any but the intended recipient from reading the data encr...

Page 167: ...on between a router and one of its attached networks An interface to a network has a single IP address and mask associated with it Internet The single interconnected worldwide system of commercial government educational and other computer networks that share a set of protocols Internet Protocol IP The transport layer protocol used by the Internet Protocol family for transporting information among ...

Page 168: ...er security associations key agreement A method for negotiating a key value without transferring the key even in an encrypted form such as Diffie Helman Layer2 Tunneling Protocol L2TP Tunneling protocol that enables secure remote access to enterprise networks across the Internet Lightweight Directory Access Protocol LDAP Protocol based on directory entries that provide access for management and br...

Page 169: ... Translation NAT A mechanism that converts an internal network s private addressing scheme to an acceptable Internet address thereby enabling the internal systems to communicate on the Internet Network Time Protocol NTP Synchronizes the clocks of various devices across networks Open Shortest Path First OSPF OSPF is a link state routing protocol that maintains a database from which a routing table ...

Page 170: ...ormats and the rules two computers must follow to exchange those messages A protocol can describe low level details of machine to machine interfaces or high level exchanges between allocation programs public default route The default routes that are used for traffic that comes into the switch via a private interface or from the switch s private interface address Resource Reservation Protocol RSVP ...

Page 171: ...The simple split horizon scheme omits routes learned from one neighbor in updates sent back to that neighbor An extension to this method is called split horizon with poisoned reverse It includes the learned routes but assigns them a cost of infinity which causes an update static routes Routes that are manually configured in the switch s routing table stub network A network that only carries packet...

Page 172: ...onnectionless protocol that adds a level of reliability to an multiplexing to IP Uniform Resource Locator URL A standard for identifying objects on the Internet accessible through the Web Virtual Router Redundancy Protocol VRRP A protocol that handles private interface failures VRRP targets hosts that are configured with static next hop routing addresses or default VPN Routers It provides a means ...

Page 173: ...nfigurations 120 sample procedure 133 branch office quick start 61 paramenters 66 template 67 branch office quick start template template 163 branch office tunnel types asymmetric 119 peer to peer 119 C call admission priority 78 cards LAN 29 WAN 29 children of base group 76 Command Line Interface CLI 28 compact flash disk 72 configuration checklist 53 choices 56 perparing for 52 Web interface opt...

Page 174: ...S 127 E encryption settings for branch office 121 F FIPS overview 28 firewall branch office 120 interaction with branch office 121 license key 28 flash disk system compressed files 72 forwarding priority 78 G getting started 91 group associations 77 guided configuration requirements 57 I idle timeout 79 indirectly connected switches 121 inheritance group 81 interface ...

Page 175: ...ed 95 IPSec mobility configuring 156 logging 149 IPX 31 ISP tunnels 75 L LAN card 96 LAN interfaces 93 last name search 84 LDAP attribute search 85 license keys advanced routing 27 firewall 27 tunnel 27 licenses 56 log file configuration 110 life time 110 login 51 M MAC Pause 97 management Nortel VPN Router 56 management IP address 41 92 Multinetting 97 ...

Page 176: ... flash disk 72 default configuration parameters 60 ISP environment 63 setting up 67 P password 51 Peer to peer 131 144 persistent tunneling 89 155 port speed 96 private LAN 93 proxy ARP 111 public data network PDN 94 publications hard copy 20 Q Quick Start 56 R register 56 relative distinguished name 77 remote access 26 round robin DNS failover 126 load balancing 126 routing advanced licence key 2...

Page 177: ...cepts 25 Symmetric Branch Office tunnel 119 system identity 91 T technical publications 20 template 67 terminal emulator 34 41 45 tunnel license key 28 tunnel types 82 tunnels configuring 75 U Uniform Resource Locator URL 50 user ID search 84 user control tunnel serial interface 146 user groups adding 82 searching 84 user profile adding 82 user tunnels 81 V VPN DNS 124 VPN Router Access 25 ...

Page 178: ...178 Index NN46110 500 W Web browser interface 50 Web interface options 53 Welcome display 56 ...

Search results

Summary of Contents for Contivity 1050

Reviews:

Related manuals for Contivity 1050

Brands by name

Popular brands

Nortel Contivity 1050, Configuration Manual

Search results

Summary of Contents for Contivity 1050

Reviews:

Related manuals for Contivity 1050

Brands by name

Popular brands