manualshive.com logo in svg

Nortel 200 Series, Техническое конфигурационное руководство, Страница: 8 / 49

Поделиться
Скачать
Nortel 200 Series Скачать руководство пользователя страница 8

 
Technical Configuration Guide: 
SOHO Secure RAS with VPN Gateway and VPN Router 

   V1.0               September, 2006 

 

 

_______________________________________________________________________________________________________________________ 

7

 

 

 

 

                    External Distribution     

 

 

 

 

 

    

NORTEL           

 

deploy a single Nortel VPN Gateway provisioned with thousands of concurrent SSL and/or IPSec users to suit 
their specific remote access requirements.  

 

High Scalability and Performance  

The VPN Gateways scales up to thousands of concurrent SSL and IPSec VPN user tunnels and provides 
hundreds of Mbps of aggregate 3DES VPN throughput. Additional feature license keys can be purchased to 
expand the VPN Gateway's user capacity and function with each VPN Gateway capable of server up to 255 
unique domains. VPN Gateways can also be clustered in groups of up to 32 units. Adding a VPN Gateway to the 
cluster is a simple plug-n-play procedure with the Single System Image (SSI) management capability.  

 

Strong Remote Endpoint Security  

The VPN Gateways provide a suite of safeguard features to protect against malicious intent and user negligence. 
The VPN Gateway 3050/3070 supports the Nortel VPN Tunnel Guard feature which enforces endpoint security 
checking for both client and client-less VPN endpoints. VPN Tunnel Guard enables the administrator to define 
endpoint security policies on the VPN Gateway itself and ensure all remote users/devices connecting to that VPN 
Gateway are inspected for compliance to a security policy, preventing end-user devices from becoming a vehicle 
for viruses or other unwanted intrusions into the secure enterprise network through the VPN tunnel. 

1.1.2  Nortel SOHO VPN Router  

The VPN Router 200 series is an affordable all-in-one solution for tying small office and home office locations as 
well as teleworkers into a secure corporate network. 

The VPN Router 200 series of VPN devices (formerly known as Contivity) are the answer to enterprises requiring 
low-cost secure connectivity across the Internet or managed IP networks. Designed for telecommuter and small 
office/home offices, the VPN Router 200 series provides Virtual Private Networking (VPN), firewall, IP routing, 
URL/content filtering and optional integrated DSL in a compact easy-to-manage platform. Consisting of the VPN 
Router 221 and 251 models, the VPN Router 200 series provides options for small sites seeking secure Internet 
connectivity along with firewall-based perimeter defense functions in a single device. Both models have an 
integrated four-port Ethernet switch for connecting local LAN devices. The VPN Router 221 provides Ethernet-to-
Ethernet connectivity while the VPN Router 251 offers integrated ADSL conforming to international standards 
allowing global deployment.

   

 

 

Figure 4:  VPN Router 200 (VR200) 

 

 

Low-cost IP Security for Small Sites  

With its low-cost and integrated services, the VPN Router 200 is an affordable device for small sites that might 
previously have felt such an IP security solution was too costly. It combines the advanced IP-VPN, firewall, 

Содержание 200 Series

Страница 1: ...uter VPN Gateway Technical Configuration Guide Engineering SOHO Secure Remote Access Solution with Nortel VPN Gateway VPN Router 200 Enterprise Solutions Engineering Document Date September 2006 Document Version 1 0 ...

Страница 2: ...t confer any type of license to make sell or use any device based upon the teachings of the document Receipt of the document does not constitute a publication of any part hereof and Nortel explicitly retains exclusive ownership rights to all proprietary material contained herein This restriction does not limit the right to use information contained herein if it is obtained from any other source wi...

Страница 3: ...VPN Gateway and Nortel VPN Router 200 The configurations in this example were successfully tested and may be used by the Nortel sales force to demonstrate RAS solution and Interoperability for customers and channel partners For further understanding Nortel Enterprise Secure RAS solution please refer to the Secure Remote Access Technical Solution Guide V1 0 The solution guide can be downloaded from...

Страница 4: ... 5 IKE Profiles 18 2 5 6 Configure IKE Profile General Settings 20 2 5 7 Configure IP Addresses for the Two End Points of the BO Tunnel 21 2 5 8 Add Remote Network 22 2 5 9 Add Local Network 23 2 5 10 Configure Shared Secret for the BO Tunnel 24 2 6 BRANCH OFFICE TUNNEL MONITORING 25 2 6 1 Check BO Status on VR221 25 2 6 2 Check BO Status on NVG 26 2 6 3 Ping Test 26 2 7 BCM 200 CONFIGURATION 27 2...

Страница 5: ...E IP SOFTPHONE 2050 PREVIOUS VERSION 45 4 4 1 Install and Configure IP Softphone 2050 45 4 4 2 Configure Server Type 46 4 4 3 IP Softphone 2050 Registering to BCM 47 List of Figures Figure 1 SOHO RAS using NVG and NVR200 5 Figure 2 VPN Gateway 3050 6 Figure 3 VPN Gateway 3070 6 Figure 4 VPN Router 200 VR200 7 Figure 5 LAB Topology 9 Figure 6 Console Configuration Parameters 17 Figure 7 Pinouts of ...

Страница 6: ... access to the enterprise network for small offices and home offices SOHO where there is a need for continuous access to the enterprise network and a requirement to support IP Phones This solution supports both data applications and Voice over IP VoIP communications Multiple IP phones including IP soft phones can be supported behind a single DSL Fiber or Cable Modem broadband connection and full c...

Страница 7: ...al hundred up to 2 000 concurrent SSL and IPSec VPN user connections Figure 2 VPN Gateway 3050 VPN Gateway 3070 a higher performance gateway designed for large enterprise and managed VPN service provider deployments The VPN Gateway 3070 scales to thousands of concurrent SSL and IPSec VPN user tunnels and provides hundreds of Mbps 3DES of aggregate VPN throughput Figure 3 VPN Gateway 3070 Key Custo...

Страница 8: ...to that VPN Gateway are inspected for compliance to a security policy preventing end user devices from becoming a vehicle for viruses or other unwanted intrusions into the secure enterprise network through the VPN tunnel 1 1 2 Nortel SOHO VPN Router The VPN Router 200 series is an affordable all in one solution for tying small office and home office locations as well as teleworkers into a secure c...

Страница 9: ...twork to small remote sites Supporting both IPSec and PPTP tunneling it can connect remote sites to a headquarters location or can connect to other branch sites or to other enterprises in either a hub and spoke or small mesh configuration The VPN Router 200 can also connect to a larger central site VPN Router in a variety of IPSec modes e g branch office or client mode to best fit an enterprise s ...

Страница 10: ...rter private LAN is served as NVG manager BCM manager and FTP server The Ethereal network protocol analyzer is also installed on PC 2 for capturing and examining data from a live network Headquarter An IP Softphone 2050 is setup on PC 2 on headquarter private LAN for answering incoming and initialing outgoing telephone calls from to the SOHO and headquarter Headquarter BCM200 on private LAN is for...

Страница 11: ...lso used as FTP client goes to the FTP server on PC 2 2 2 Hardware and Software SOHO VPN Router VR221 SW VE221 2 5 0 0 016 SOHO PC 1 WinXP IE 6 0 SOHO IP Phone 2004 Phase 1 SOHO IP Softphone 2050 build 385 or v2 Headquarter NVG V6 0 is simulated on a Dell PC Headquarter PC 2 WinXP IE 6 0 FTP server 3CServer V1 1 Headquarter BCM200 V3 7 BCM Demo A Image Headquarter T7208 terminal phone Headquarter ...

Страница 12: ..._________________________________________ 11 External Distribution NORTEL 2 4 VPN Router 221 Configuration Before configuring the NVR221 make sure to reset it to factory default configuration On PC 1 start IE and open URL http 192 168 1 1 logon to VR221 with default user ID admin and password setup 2 4 1 Factory Default LAN Keep factory default LAN setting on VR221 see below ...

Страница 13: ...VPN Router V1 0 September 2006 _______________________________________________________________________________________________________________________ 12 External Distribution NORTEL 2 4 2 Static Fixed WAN IP and Default Gateway Go to WAN WAN IP select fixed IP address ...

Страница 14: ...___________________________________________________________________________________________________________ 13 External Distribution NORTEL 2 4 3 VPN IP Policy Go to VPN select Edit to start BO configuration Name the BO tunnel Add local and remote networks in IP policy and select them The result is shown below ...

Страница 15: ...hared key is used for VR221 to establish the BO tunnel to the headquarter NVG Make sure the shared key is configured identical on both the NVR221 and the NVG In this example the key pre shared key is boc221nvg Note VR221 requires minimum of 8 characters When selecting Encryption and Authentication algorithms make sure they are compatible with the configuration on the headquarter NVG In this demo 3...

Страница 16: ... _______________________________________________________________________________________________________________________ 15 External Distribution NORTEL 2 4 5 Advanced Parameter Click Advanced button from previous screen shown above and select both Phase1 and Phase2 as shown below Apply the changes ...

Страница 17: ...o WAN WAN to LAN WAN to WAN For example if an initiation packet originates on the WAN this means that someone is trying to make a connection from the Internet into the LAN Except in a few special cases these packets are dropped and logged by default If an initiation packet originates on the LAN this means that someone is trying to make a connection from the LAN to the Internet With the default pol...

Страница 18: ...al setup configuration is required on the VPN Gateway NOTE Make sure that the host IP address management IP address MIP and Portal IP address that you entered during the Initial Setup are compatible with the IP address planned 2 5 1 Connecting to the VPN Gateway To establish a console connection with a VPN Gateway the following is required An ASCII terminal or a computer running ASCII terminal emu...

Страница 19: ... server address 192 168 2 1 Generate new SSH host keys yes no yes no Enter a password for the admin user Re enter to confirm 2 5 3 Run VPN Quick Setup Wizard Run VPN quick setup wizard yes Creating default networks under cfg vpn 1 aaa network Creating default services under cfg vpn 1 aaa service Enter VPN Portal IP address 192 168 2 100 Is this VPN device used in combination with an Alteon switch ...

Страница 20: ...ith VPN Gateway and VPN Router V1 0 September 2006 _______________________________________________________________________________________________________________________ 19 External Distribution NORTEL Add a new IKE Profile named ipsec BO c221 NVG ...

Страница 21: ...with VPN Gateway and VPN Router V1 0 September 2006 _______________________________________________________________________________________________________________________ 20 External Distribution NORTEL 2 5 6 Configure IKE Profile General Settings ...

Страница 22: ..._________________________________________________________________________________________________________________ 21 External Distribution NORTEL 2 5 7 Configure IP Addresses for the Two End Points of the BO Tunnel The remote end point of the BO tunnel is 192 168 2 241 and local end point is 192 168 2 100 ...

Страница 23: ...1 0 September 2006 _______________________________________________________________________________________________________________________ 22 External Distribution NORTEL 2 5 8 Add Remote Network The remote network in NVG should be compatible with the IP Policy configured on VR221 ...

Страница 24: ...V1 0 September 2006 _______________________________________________________________________________________________________________________ 23 External Distribution NORTEL 2 5 9 Add Local Network The local network in NVG should be compatible with the IP Policy configured on VR221 ...

Страница 25: ...____________________________________________________________________________________________ 24 External Distribution NORTEL 2 5 10 Configure Shared Secret for the BO Tunnel The shared secret must be exactly the same as configured on the VR221 boc221nvg The VR221 requires the secrete password to contain at least 8 characters ...

Страница 26: ...ernal Distribution NORTEL 2 6 Branch Office Tunnel Monitoring Now you are ready to test the connectivity of the IPSec BO tunnel Correct any configuration errors to make sure the BO tunnel is up and able to pass traffic between the remote and local network 2 6 1 Check BO Status on VR221 Go to VPN SA Monitor click the Refresh button If the BO is up it should be displayed in Current IPSec Security As...

Страница 27: ... connectivity On PC 1 open a command window and issue a ping command to PC 2 Ping should be successful as shown below C Documents and Settings user ping 192 168 2 12 Pinging 192 168 2 12 with 32 bytes of data Reply from 192 168 2 12 bytes 32 time 4ms TTL 63 Reply from 192 168 2 12 bytes 32 time 4ms TTL 63 Reply from 192 168 2 12 bytes 32 time 4ms TTL 63 Reply from 192 168 2 12 bytes 32 time 4ms TT...

Страница 28: ...he T7208 terminal phone to the BCM 4X16 Media Bay Module MBM This phone is used for answering incoming calls and making outgoing calls from to SOHO Connect PC 2 to LAN 1 for managing and configuring BCM 2 7 1 Configure IP Address on LAN 1 Interface In order to configure the BCM using the Unified Manager the LAN 1 IP address must be configured correctly through a terminal to the console port using ...

Страница 29: ..._________________________________________________________________________________________________________ 28 External Distribution NORTEL 2 7 2 Default Gateway for BCM200 On PC 2 open IE and access http 192 168 2 40 for the BCM Unified Manager This will be used for further configuration 2 7 3 IP Terminals Version ...

Страница 30: ..._________________________________________________________________________________________________________________ 29 External Distribution NORTEL 2 7 4 IP Terminal Auto Assign DNs By selecting Auto Assign DN IP phones will be granted phone numbers after registration to the BCM 2 7 5 IP Phone Features List ...

Страница 31: ...ease refer to Appendix 2 8 1 IP Phone 2004 Configuration Setup DCHP 1 yes default gateway 192 168 1 1 S1 IP 192 168 2 40 BCM LAN 1 IP address S1 Port 7000 S1 Action 1 S1 Retry Count 2 S2 IP 192 168 2 40 BCM LAN 1 IP address S2 Port 7000 S2 Action 1 S2 Retry Count 2 VLAN 0 No cfg XAS 0 No 100F DUP 0 No 2 8 2 IP Phone Registration Success The IP Phone 2004 will initially connect to its remote commun...

Страница 32: ...__ 31 External Distribution NORTEL 2 9 IP Softphone 2050 Configuration Make sure the BO tunnel is up The IP Softphone 2050 will try to register to the BCM after its initialization 2 9 1 Install and Configure Softphone 2050 On PC 1 and PC 2 install IP Softphone 2050 software V2 then go to File Settings for further configurations If you use older version of IP Softphone 2050 please refer to Appendix...

Страница 33: ...ember 2006 _______________________________________________________________________________________________________________________ 32 External Distribution NORTEL 2 9 2 Configure Server Type Select Primary Server Type of BCM Server IP of 192 168 2 40 and Port of 7000 See below screenshot ...

Страница 34: ..._______________________________ 33 External Distribution NORTEL 2 9 3 IP Softphone 2050 Registering to BCM IP Softphone 2050 V2 on PC 1 will initially connect to its communication server BCM for registration Once successfully registered the BCM will assign a DN to the IP Softphone The following screenshot shows the assigned DN 2428 On PC 2 the IP Softphone 2050 is assigned a DN of 2427 ...

Страница 35: ..._____ 34 External Distribution NORTEL 2 9 4 Check IP Phone Status The BCM keeps the up to date status of its IP phone clients To check the current status of the IP Phone 2004 and the IP Softphone 2050 go to Service IP Telephone IP terminals Nortel IP Terminals as shown below The complete list of active DN can be displayed under System DNs Active Set DNs which including IP phones IP Softphones and ...

Страница 36: ...call to T7208 over BO tunnel T7208 call to IP Softphone 2050 PC 1 over BO tunnel IP Softphone 2050 PC 2 call to T7208 Headquarter private T7208 call to IP Softphone 2050 PC 2 Headquarter private IP Softphone 2050 PC 2 call to IP Phone 2004 over BO tunnel IP Phone 2004 call to IP Softphone 2050 PC 2 over BO tunnel IP Softphone 2050 PC 2 call to IP Softphone 2050 PC 1 over BO tunnel IP Softphone 205...

Страница 37: ...est 226 Closing data connection ftp 60 bytes received in 0 00Seconds 60000 00Kbytes sec ftp bin 200 Type set to I ftp mget 200 Type set to I mget capture zip y 200 PORT command successful 150 File status OK about to open data connection 226 File transfer successful ftp 19630596 bytes received in 83 56Seconds 234 92Kbytes sec mget ftp over BO bmp 200 PORT command successful 150 File status OK about...

Страница 38: ...___________ 37 External Distribution NORTEL 2 11 3 IPSec BO Tunnel Traffic Statistics on NVG The traffic statistics over IPSec BO tunnels can be displayed on the NVG see below for example of encrypted traffic statistics in Kb sec 2 12 Traffic Statistics on NVR200 The traffic statistics in the poll intervals can be displayed on the NVR221 See below for example of TxPkts and RxPkts on the WAN and LA...

Страница 39: ...168 2 12 for capturing Make phone calls and file transfers over SOHO and Headquarter The captured data can be used to demonstrate SOHO BO VPN security Stop Ethereal capturing and in the Ethereal Display Bar select the fields of Source or Destination looking for the IP addresses of the two end points of IPSec VPN tunnel In the LAB demo the IP addresses of the two end points of the IPSec BO tunnel a...

Страница 40: ...captured data reveals that voice and data passing through the VPN tunnel between source destination of 192 168 2 241 and 192 168 2 100 are protected by the Encapsulating Security Payload ESP RFC2406 a key protocol in the IPsec The ESP provides confidentiality and integrity by encrypting data to be protected and placing the encrypted data in the data portion of the IP ESP See below example of Ether...

Страница 41: ...221 NVR251 Nortel VPN Router 251 DHCP Dynamic Host Configuration Protocol DNS Domain Name System DSL Digital Subscribe Line ISDN Integrated Synchronous Digital System ISP Internet Service Provider NTP Nortel Technical Publication Private Interface Intranet connection to a LAN Public Interface Internet connection to the outside world SOHO small office or home office TN Terminal Number CS1000 Succes...

Страница 42: ...on Guide V1 0 Brad Black 2006 Secure VoIP for SOHO Telecommuter CS1000 NAT traversal solution TCG Shangli Lu V1 1 Feb 2005 Configuring and Troubleshooting the Contivity 221 VPN Switch V2 5 Nortel NTP VPN gateway User s guide V6 0 VPN Gateway 6 0 BBI application guide for VPN V6 0 VPN 6 0 CLI application guide for VPN V6 0 VPN gateway 6 0 application guide for ssl acceleration V6 0 VPN gateway 6 0 ...

Страница 43: ... VPN Gateway and VPN Router V1 0 September 2006 _______________________________________________________________________________________________________________________ 42 External Distribution NORTEL 4 Appendix 4 1 VR200 Series Technical Specifications ...

Страница 44: ..._____________________________________________________________________________________________ 43 External Distribution NORTEL 4 2 BCM Serial Cable The following BCM Serial Cable information is extracted from Nortel BCM NTP BCM200 400 Installation and Maintenance Guide Chapter of Business Communications Manager System Startup ...

Страница 45: ... within the first two seconds of the initialization process your set will be initialized with previously entered parameters Powering down and powering up the phone set and trying again Figure 12 IP Phone Initialization As you enter parameters manually use the BKSPACE or CLEAR soft keys to edit the default entry BKSPACE will delete each character as the key is pressed CLEAR will delete the entire e...

Страница 46: ...tion NORTEL 4 4 Configure IP Softphone 2050 Previous Version This section described the installation steps if you use previous version of IP Softphone 2050 4 4 1 Install and Configure IP Softphone 2050 On PC 1 install IP Softphone 2050 software then go to Start Settings Control Panel Right click i2050 Software Phone Properties to select Communication Server The Communication Server s IP is 192 168...

Страница 47: ...VPN Gateway and VPN Router V1 0 September 2006 _______________________________________________________________________________________________________________________ 46 External Distribution NORTEL 4 4 2 Configure Server Type Select Server Type of BCM ...

Страница 48: ...__________________________________________________________________ 47 External Distribution NORTEL 4 4 3 IP Softphone 2050 Registering to BCM IP Softphone 2050 on PC 1 will initial connection to its communication server BCM for registration Once successfully registered BCM will assign a DN to the soft phone Below screenshot shows the assigned DN 2428 ...

Страница 49: ...rvice program contact Nortel Technical Support To obtain contact information online go to www nortel com contactus From the Technical Support page you can open a Customer Service Request online or find the telephone number for the nearest Technical Solutions Center If you are not connected to the Internet call 1 800 4NORTEL 1 800 466 7835 to learn the telephone number for the nearest Technical Sol...

Отзывы:

Нет отзывов