Enterasys ANG-1100 Release Note

Release 3.5 Enhanced Support for VPN Clients
Overview
This document describes Aurorean System Software Release 3.5 support for
Microsoft Windows XP VPN clients and enhanced ANG-1100 connectivity.
Features of the release include:
  • Remote access inter-operability between Windows XP/2000 clients and
    Aurorean Network Gateways, with support for:
      – Layer 2 Tunnel Protocol (L2TP)/IPSec with IKE
      – PPP Extensible Authentication Protocol (EAP)
      – RADIUS extensions for EAP
      – Certificate support within IKE/IPSec
      – Certificate enrollment with Microsoft Windows 2000 Certificate
        Authorities on the Aurorean Policy Server-3000/7000
  • Network Extension Mode (NEM) for routing of the trusted subnet
    connected to an ANG-1100, making those attached devices available to the
    corporate network
  • Peer to Peer Mode for tunneling between ANG-1100s to connect nodes on
    both attached subnets
  • Site to Site inter-operability with Cisco, Nortel and Nokia/Checkpoint
    gateways
  • RiverMaster tunnel configuration of L2TP and EAP protocols
  • Resolved issues since the last release
  • Known issues with this release
Aurorean Release 3.5 enhancements broaden the VPN options for clients, whether
they are operating on Windows XP/2000 platforms or connecting to an
ANG-1100/3000/7000. Network administrators and users are required to
perform some level of configuration to enable these enhancements, either on the
Command Line Interface to the ANG-3000/7000, the RiverMaster management
application, or the ANG-1100's Web Config on-line tool, depending on which
options are implemented.
Also, administrators are required to upgrade their APS, ANG-3000/7000 and
RiverMaster software, install Microsoft Internet Explorer 5.5, configure the
Microsoft RADIUS server plugin on the APS, and set up L2TP and EAP protocols.
Instructions for network administrators and users to configure these
enhancements (or where directions can be found in associated documents), as
well as caveats to consider during configuration, are detailed in subsequent
sections of this document.

Summary of Contents for Enterasys ANG-1100

  • Page 1: Release Notes
  • Page 2 • Example 1: A Microsoft Windows XP client is connected to an ANG-3000 using L2TP/IPSec and EAP. • Example 2: An ANG-1100 and ANG-3000 and their associated networks are connected by a Client mode tunnel. • Example 3: An ANG-1100 and ANG-3000 and their respective networks are connected via Network Extension Mode.
  • Page 3 • Example 5: An ANG-1100 is connected to a Nortel, Cisco or Nokia/Checkpoint router by a Peer to Peer tunnel. Configuring VPN Inter-operability: Aurorean Release 3.5 provides seamless VPN inter-operability with Microsoft Windows XP and Windows 2000 desktops featuring support for the L2TP/IPSec tunneling protocol, EAP and Microsoft’s Certificate Authority (PKI).
  • Page 4 Aurorean 3.5 CD ROM in the Aurorean 3.5 System Software/Manuals directory or on the Web at the following URL: http://www.enterasys.com/support/manuals Upgrade requirements for IE v5.5, LINUX kernel, ANG, APS and RiverMaster software apply only if you have Aurorean system software lower than Rel. 3.5. If you have new Aurorean Rel.
  • Page 5 • Aurorean_3.5.00-<build #>/Aurorean 3.5 System Software/Network Gateway/rts-3.5.00-<build #>.i386.rpm • Aurorean_3.5.00-<build #>/Aurorean 3.5 System Software/Policy Server/setup.exe • Aurorean_3.5.00-<build #>/Aurorean 3.5 System Software/RiverMaster/setup.exe Installing Internet Explorer Version 5.5 on APS-3000/7000: You can install Internet Explorer version 5.5 on your APS-3000/7000 from an executable file stored on the Aurorean Release 3.5 CD ROM.
  • Page 6 Upgrading to Aurorean Release 3.5. Figure 2 Windows IE Internet Options Window. 4. Click on the Content tab...
  • Page 7 5. Click on the Certificates button. The Certificate Manager window appears as shown in Figure 3. 6. Click on the Intermediate Certification Authorities tab. 7. Select all authorities displayed and remove them. 8.
  • Page 8 Upgrading to Aurorean Release 3.5 and press The VNC Authentication window appears as shown in Figure 4. The IP address you typed includes the port number (5800) with which to access the APS. 2. Type welcome in the Password field and click OK. The APS desktop appears.
  • Page 9 4. Enter your network User Name and Password. The Domain name should already be entered. Press The Microsoft Certificate Services Welcome window appears as shown in Figure 6. Upgrading to Aurorean Release 3.5. Figure 5 Network Password Window...
  • Page 10 Upgrading to Aurorean Release 3.5. Figure 6 Microsoft Certificate Services Welcome Window. 5. Choose Request a Certificate and click Next. The Advanced Certificate Requests window appears as shown in Figure 7. Figure 7 Advanced Certificate Requests Window
  • Page 11 Upgrading to Aurorean Release 3.5. 6. Select Submit a certificate request to this CA using a form and press Next. The Advanced Certificate Request window appears as shown in Figure 8. Figure 8 Advanced Certificate Request Window
  • Page 12 Upgrading to Aurorean Release 3.5 7. Make the following selections: – – – – – – – – The Certificate Issued window appears as shown in Figure 9. 8. Click Install this certificate. A window appears indicating the certificate was successfully issued. 9.
  • Page 13 To issue the ipsecDefault command, perform the following: 1. Log into the ANG-3000/7000 with the login and password netadmin (default) and press 2. At the command prompt, change directory to usr/indus/ipsec. 3.
  • Page 14 IKE/IPSec tunnel (refer to Figure 1). Capabilities Tunnels on the ANG-1100 can be configured in Client mode, NEM, or Peer to Peer mode (described in a later section) by setting radio buttons on Web Config. Client mode provides the functionality of Aurorean Releases 3.1/3.2 on the ANG-1100 while...
  • Page 15 provide a path to remotely manage the ANG-1100 over the tunnel). The new rule automatically secures data to whatever subnet is configured on the ANG-1100's trusted interface. • RIP packets sent from the ANG-1100 into the tunnel broadcast reachability to the ANG-1100's trusted subnet.
  • Page 16 LAN Setup window of the ANG-1100’s Web Config utility to distribute unique IP addresses. Refer to the ANG-1100 User’s Guide for more information. • An ANG-1100 may use NEM to tunnel to one site only. That site can have multiple ANG-3000/7000s for failover but the ANG-1100 cannot export its trusted network to two or more separate sites.
  • Page 17 This command creates an IPSec selector covering the entire pool of networks for use by all ANG-1100 devices. 9. Type ./ipsecSelector -L and press selector was added. Using Network Extension Mode for ANG-1100 Tunnels. Figure 13 Multiple Network Extension Mode Tunnels...
  • Page 18 Caveats A central ANG-3000/7000 using Aurorean 3.5 firmware must manage a considerable amount of “overhead” for all tunnel traffic to an ANG-1100 using NEM. The performance impact of tunnels between these devices may be appreciable if a large number of ANG-1100s enable NEM. You should conform to the following guidelines...
  • Page 19 3 IP subnets (subnet and mask) which are reachable via the remote security gateway. (Only one subnet is supported per tunnel if both peers are ANG-1100 gateways). • Peer to Peer mode tunnels can coexist with Client mode tunnels (refer to Figure 15).
  • Page 20 • Up to three (reachable) IP addresses and Subnet Masks of the remote peers that each ANG-1100 will connect to • The public IP address (Gateway IP address) of the ANG-1100 at the opposite end of the connection • The pre-shared keys (Passwords) of the ANG-1100 at the opposite end of the...
  • Page 21 Connecting to a Cisco VPN 3005 Router The instructions below are provided to configure a sample Peer to Peer tunnel between a Cisco router and the ANG-1100. The following software revision was used: Software Rev: Cisco System, Inc. / VPN 3000 Concentrator Series Version 2.5.2 (Rel) Aug 16 2000 11:41:47...
  • Page 22 To configure the ANG-1100 to connect with the Cisco 3005, enter the following values in the VPN Setup window of the Web Config utility of the ANG-1100. For more information on configuring the ANG-1100, refer to the ANG-1100 User’s Guide.
  • Page 23 • Checkmark Start network gateway now and click Connecting to the Nortel Contivity CES 600 Switch The following instructions are provided to configure a Peer to Peer tunnel between a Nortel Contivity Extranet Switch and the ANG-1100. 8. At the main menu, click to PROFILES> Networks. –...
  • Page 24 To configure the ANG-1100 to connect with the Nortel 600, enter the following values in the VPN Setup window of the Web Config utility of the ANG-1100. For more information on configuring the ANG-1100, refer to the ANG-1100 User’s Guide.
  • Page 25 – – Inter-operability with Third-Party VPN Gateways: Select Properties > Encryption and enter new values if necessary. Set the Checkpoint lifetimes to agree with the ANG-1102 defaults (the IKE lifetime is 86400 seconds = 1440 minutes, IPSec lifetime = 28800 seconds).
  • Page 26 Inter-operability with Third-Party VPN Gateways 4. Enter a Network Object for the ANG-1102 Private Address. Select Manage > Network objects > New (or Edit) >. – – – 5. Enter a Network Object for the ANG-1102. Select Manage > Network objects >...
  • Page 27 ANG-1100 to the same ANG-3000/7000. Bug # 3728. • ANG-1100 Web Config Session Does Not Timeout: Web Config sessions on the ANG-1100 do not time out after running for 24 hours. The session should close after a default period of inactivity. Bug # 3271.
  • Page 28 Known Issues With This Release: It has not been verified that SecurID authentication operates for native clients using EAP. • IE v.6 Does Not Run with the ANG-3000/7000 Web Config: WebConfig on the ANG-3000/7000 does not display using Internet Explorer v.
  • Page 29 Since IPSec default values were removed from the APS database, Floppy Configuration does not run correctly. To set these defaults, you must run the ipsecDefault script using the CLI on the remote ANG receiving the configuration via a floppy disk.
  • Page 30 Enterasys Networks recommends that you have your copy of the applicable documentation on hand when you call. Aurorean ©2001 Enterasys Networks. All rights reserved. This publication contains information that is the property of Enterasys Networks. Information in this publication is subject to change without notice. Enterasys Networks assumes no responsibility for errors or omissions in this publication or for the use of this material.

This manual is also suitable for:

ANG-3000, ANG-7000, Aurorean 3.5