Nortel VPN Router Security — Servers, Authentication, and Certificates. Version 7.00. Part No. NN46110-600 (315897-F Rev 02). January 2008. Document status: Standard. 600 Technology Park Drive, Billerica, MA 01821-4130...
The software license agreement is included in this document. Trademarks Nortel Networks, the Nortel Networks logo, and Nortel VPN Router are trademarks of Nortel Networks. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States...
This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
Before you begin This guide is for network managers who are responsible for setting up and configuring the Nortel VPN Router. This guide assumes that you have experience with windowing systems or graphical user interfaces (GUIs) and familiarity with network management.
{ } (braces) indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.
| (vertical line) separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command.
> shows menu paths. Example: Choose Status > Health Check.
Italic text and plain Courier text are also used in syntax descriptions.
Acronyms used in this guide include AVPAIR, ISAKMP, L2TP, LDAP, and PPTP.
SSL VPN Module 1000, including authentication, networks, user groups, and portal links.
• Nortel VPN Router Security—Servers, Authentication, and Certificates (NN46110-600) provides instructions for configuring authentication services and digital certificates.
• Nortel VPN Router Security—Firewalls, Filters, NAT, and QoS (NN46110-601) provides instructions for configuring the Stateful Firewall and interface and tunnel filters.
• Nortel VPN Router Configuration—Client (NN46110-306) provides information for setting up client software for the VPN Router.
• Nortel VPN Router Configuration—TunnelGuard (NN46110-307) provides information about configuring and using the TunnelGuard feature.
Nortel Solutions Center. In North America, call 1-800-4NORTEL (1-800-466-7835). Outside North America, go to the following web site to obtain the phone number for your region: www.nortel.com/callus
The following link takes you directly to the Nortel page for VPN Client documentation: www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=DOCUMENTATION&resetFilter=...
Getting help through a Nortel distributor or reseller If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
New in this release
The following section details what is new in Nortel VPN Router Security — Servers, Authentication, and Certificates for Release 7.0.
Features
See the following sections for information about feature changes: • LDAP proxy password management support for Active Directory •...
LDAP 3DES password encryption The VPN Router can store shared secrets that are encrypted with 3DES, but you must first enable the feature. You enable 3DES by selecting Servers > LDAP and clicking TripleDES. For more information about encryption of shared secrets, see "3DES password"...
You can set up and manage policy filters in the Remote Authentication Dial-In User Service (RADIUS) server. If you use a RADIUS server to authenticate users, the VPN Router can retrieve those policy filters from the server. IPsec user tunnels are dynamically filtered based on attributes returned from the authenticating RADIUS server.
Chapter 1 Authentication services
The remote user attempting to dial in to the VPN Router must be authenticated before gaining access to the corporate network. Authentication is one of the most important functions that the VPN Router provides because it identifies users and drives many other aspects of the user-centric functionality.
LDAP is based on directory entries; it has an Internet person schema that defines standard attributes and you can extend it to include other attributes. A directory service is a central repository of user information; for example, the VPN Router supports the following elements using LDAP: • groups •...
In order for digital certificate authentication to succeed, you must import a certificate from the authority certifying the LDAP server into the VPN Router's certificate store. This type of certificate is often referred to as a CA root certificate.
ISAKMP and can appear in any ISAKMP message. Certificate payloads are included in an exchange whenever an appropriate directory service (such as Secure DNS) is not available to distribute certificates. The VPN Router supports Microsoft native client (L2TP/IPsec) PKCS #7 termination in chained environments.
If the group name does not exist, the user is given the RADIUS default group’s attributes. If the UID and password are incorrect, the VPN Router rejects the user request.
If the UID is not in the profile LDAP (internal or external) database and you specified LDAP proxy as the next server to check, the UID and password are checked against the LDAP proxy database. Figure 3 illustrates the steps in user validation.
Figure 3 User validation (flowchart; see #1 and #2 below). Decision nodes recovered from the figure: RADIUS UID found? If not, reject request. Group ID found in LDAP? If not, reject request. LDAP UID found? Assign group attributes. Assign attributes from CA. Allow All Default enabled...
VPN Router:
• Internal LDAP server stores group and user profiles on the internal server of the VPN Router.
• External LDAP contains the contents of the internal LDAP server exported to a separate external LDAP server.
•...
• User name and the password are never transmitted in the clear; a cryptographic hash function (SHA-1) is used to protect the user's identity.
• Mutual authentication between the client and the VPN Router using a keyed hash algorithm (HMAC).
•...
The first time that you enable 3DES and configure a 24-byte encryption key, the VPN Router updates the LDAP. This can take some time, depending on the size of the user base.
VPN Router2 cannot set any key except the one that matches the key of VPN Router1. After VPN Router2 sets a key that matches, VPN Router2 can configure a new key. If VPN Router2 sets a new key, then VPN Router1 must configure a matching key before authentication is successful.
3DES external LDAP proxy information
If an external LDAP proxy is used, the VPN Router (which has its own internal LDAP file) does not touch or modify the external LDAP database. However, the VPN Router modifies the Bind Password that is attached to the Bind Name (under LDAP Proxy Servers).
VPN Router. If you use a user-defined encryption key with an external server, all the VPN Routers that use that external LDAP server must have the same configured encryption key.
Encryption Key. In the Encryption Key dialog box, enter a character string or a hexadecimal value. Note: The following is applicable only for Nortel VPN Router release 7.05.300 and above. When TripleDes LDAP Encryption is not enabled, the Encryption Key value that you enter is 8 bytes—8 ASCII text characters or 16 hex...
<hh:mm> where: hh:mm is the hour (00-24) and the minutes of the specific time. To disable LDAP Optimization Scheduling everyday at a specific time, enter the following command: no ldap-server internal optimize specific-time enable
To configure internal LDAP: Select Servers > LDAP. The internal LDAP server is internal to the VPN Router. If you are using more than one VPN Router or if you are using LDAP authentication for other network services, consider using an external LDAP server.
Click Import Secure LDAP (SSL) CA Certificate to import a CA certificate. This option takes you to an edit dialog box where you can paste a PKCS#7 Base-64 certificate. Select Optimize Database to optimize the internal LDAP database.
The VPN Router supports authentication against an existing LDAP server rather than creating a second user database for use with the VPN Router. The server can reside on either a private or public network that is connected to the VPN Router.
For the remote LDAP server, enter the Master, Slave 1, and Slave 2 LDAP server host names or IP addresses. If the master server becomes unavailable, the VPN Router attempts to initiate a connection with the slave servers.
Leave this field blank if your LDAP server allows anonymous access. Enter the bind password, which can consist of up to 32 characters. The VPN Router uses this password to prove its identity (the bind DN) to the LDAP server.
LDAP server, combined with the error message within the bind response, to find the password status: expired, expiring, or valid password. You can change the VPN Client password on the proxy server if the password is expired. Figure 6 shows the proxy server access fields.
This information determines if the user's password is expiring or already expired. When you configure the VPN Router to use an external LDAP authentication server, it informs users that their passwords are expired or expiring and allows the client to change the password.
LDAP user bind to the IBM RACF server implements the password change. The IBM RACF server returns the LDAP result of either success or invalid credentials. To configure LDAP proxy user authentication and password management: Select Servers > LDAP Proxy. Click Pwd Management. The LDAP Proxy Server window appears (Figure 7).
Enter your old password in the Old Password dialog box. Enter your new password in the New Password dialog box. Enter your new password again in the Verify Password dialog box. Click OK.
The VPN Router monitors the status of all configured external LDAP servers. If the VPN Router has marked a server as up, it monitors the status of the server by binding and conducting a search against the directory every 15 minutes. If the...
RADIUS on the Services > RADIUS window. Packet flow is from external clients to the VPN Router interface IP and port. You configure the port on the Services > RADIUS window. To configure filters, go to the Services >...
RADIUS Authentication Servers window to configure up to three servers for remote authentication. It is imperative that the RADIUS servers contain the same user data. The VPN Router uses the alternative RADIUS servers only when it receives no response from the primary RADIUS server.
Note: The UID and password are never passed in the clear for an IPsec client, either from the remote client or from the VPN Router communicating with the RADIUS server. If you use PAP authentication for a PPTP session, both the user name and the password are passed in the clear to the VPN Router over the Internet.
“Configuring IPsec authentication” on page 47).
RADIUS authentication class attribute values
Figure 8 shows the relationship between RADIUS authentication class attribute values for VPN Router users. C is the class attribute for country, and OU is the class attribute for organizational unit.
Figure 8 (labels recovered from the figure: Company, c=US, CAD Group)
The VPN Router supports RADIUS-supplied attributes, such as IP address and MPPE key, and additional specific attributes, if they are returned from a RADIUS server. All other returned attributes are ignored. The specific attributes are detailed in Microsoft documentation and defined in RFC 2548.
RADIUS-Assigned Framed-IP-Address attribute You configure a RADIUS-Assigned Framed-IP-Address attribute on the RADIUS server for the UID being authenticated by the VPN Router. If you enable Allow Static Addresses (Profiles > Groups > Edit > Connectivity window) for the assigned group, then the tunnel session uses the returned IP address. Otherwise, it assigns an IP pool address.
UID as the delimiter value. Select Error Code Pass Thru to allow an error message sent to the VPN Router by the RADIUS server to pass through the VPN Router to the originating client.
In the Port field, enter the server port number that you want the RADIUS authentication requests to use. Default is Port 1645. In the Secret field, enter the password to share with the VPN Router. To enhance overall security, enter a different password for each server. The shared secret encrypts the password between the VPN Router and the server when the tunnel connection uses PAP or SecurID.
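The shared secret is what protects a PAP password on the wire between the VPN Router and the RADIUS server. The following added example (not Nortel code, and not taken from this guide) implements the User-Password hiding that RFC 2865 section 5.2 specifies, so you can see why the secret and a fresh Request Authenticator matter and why the guide recommends a different secret per server: a server that only knows the other server's secret cannot recover the password. All values in `demo()` are constructed sample values.

```python
import hashlib
import os


def _xor16(a: bytes, b: bytes) -> bytes:
    return bytes(x ^ y for x, y in zip(a, b))


def hide_user_password(password: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Obfuscate a PAP password the way the RADIUS User-Password attribute
    does (RFC 2865, section 5.2).  The password is null-padded to a multiple
    of 16 bytes; each 16-byte block is XORed with MD5(secret + previous
    ciphertext block), the 'previous block' for the first round being the
    16-byte Request Authenticator from the Access-Request header."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not 1 <= len(password) <= 128:
        raise ValueError("RFC 2865 limits User-Password to 1..128 bytes")
    padded = password + b"\x00" * (-len(password) % 16)
    hidden = bytearray()
    prev = authenticator
    for i in range(0, len(padded), 16):
        keystream = hashlib.md5(secret + prev).digest()
        block = _xor16(padded[i:i + 16], keystream)
        hidden += block
        prev = block
    return bytes(hidden)


def unhide_user_password(hidden: bytes, secret: bytes, authenticator: bytes) -> bytes:
    """Reverse hide_user_password(), as the RADIUS server does.  Trailing
    null padding is stripped, so a password that itself ends in NUL bytes
    would lose them (the RFC encoding has the same limitation)."""
    if len(authenticator) != 16:
        raise ValueError("Request Authenticator must be exactly 16 bytes")
    if not hidden or len(hidden) % 16:
        raise ValueError("hidden User-Password must be a non-empty multiple of 16 bytes")
    clear = bytearray()
    prev = authenticator
    for i in range(0, len(hidden), 16):
        block = hidden[i:i + 16]
        keystream = hashlib.md5(secret + prev).digest()
        clear += _xor16(block, keystream)
        prev = block
    return bytes(clear).rstrip(b"\x00")


def new_request_authenticator() -> bytes:
    """A fresh random 16-byte Request Authenticator.  It must never be reused
    with the same secret, because the first keystream block is just
    MD5(secret + authenticator)."""
    return os.urandom(16)


def demo() -> dict:
    # Constructed sample values, not real credentials.
    password = b"pap-user-password"
    secret_server_1 = b"shared-secret-for-radius-1"
    secret_server_2 = b"shared-secret-for-radius-2"
    auth = new_request_authenticator()
    hidden = hide_user_password(password, secret_server_1, auth)
    # Only the server holding secret_server_1 recovers the password; a second
    # server configured with its own secret, as the guide recommends, gets
    # unrelated bytes back.
    return {
        "server_1": unhide_user_password(hidden, secret_server_1, auth),
        "server_2": unhide_user_password(hidden, secret_server_2, auth),
    }
```

Note what this scheme is and is not: it hides the password from a passive observer who does not know the secret, but it is keyed MD5 rather than an authenticated cipher, so the strength rests entirely on the secret being long, random and unique per server. That is the practical reason behind the guide's advice to use a different secret for each RADIUS server.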
RADIUS authentication reply with a UDP port that differs from the originating UDP port. For example, if a RADIUS authentication packet is sent from the VPN Router using the UDP source port 1100 and UDP destination port 1645, the RADIUS server responds with a UDP source port of 8500 and a destination UDP port of 1100.
In the Maximum Transmit Attempts field, enter the number of times that you want the VPN Router to try to connect to the RADIUS servers before failing. By default, the VPN Router tries three times. Click the RADIUS Diagnostic Report link to check that your RADIUS Authentication configuration is correct.
VPN Router. When a user is authenticated, they are assigned to a group. Part of the group profile specifies that you apply a filter.
Do not specify an outacl that denies all traffic, such as ip:outacl#1=deny ip any any, because this prevents the IPsec client from connecting to the banner server. You must have at least one outacl entry specified. You can specify a "deny all" filter in the group.
Attribute and description: ip:inacl#Num= and ip:outacl#Num=, where "Num"...
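Because the VPN Router takes these filter attributes straight from the RADIUS reply, a mis-ordered or deny-all outacl locks every user in that group out silently. The added example below (not part of this guide or of the VPN Router software) parses `ip:inacl#Num=` and `ip:outacl#Num=` attribute values, orders them numerically by Num, and reports the two problems the guide warns about: no outacl entry at all, and an outacl that denies all traffic. The Cisco-style entry syntax (`permit|deny <proto> <src> <dst>`, with `any`, `host A.B.C.D` or `A.B.C.D WILDCARD` address forms) and first-match evaluation are assumptions; the sample attributes in the test are constructed.

```python
import re
from dataclasses import dataclass
from typing import List, Tuple

# Attribute form the guide shows: ip:inacl#Num=<entry> / ip:outacl#Num=<entry>
_ATTR_RE = re.compile(r"^ip:(inacl|outacl)#(\d+)=(.*)$")


@dataclass(frozen=True)
class AclEntry:
    direction: str   # "inacl" or "outacl"
    seq: int         # the Num part; entries are applied in ascending order
    action: str      # "permit" or "deny"
    proto: str       # "ip", "tcp", "udp", ...
    src: str         # "any", "host A.B.C.D" or "A.B.C.D WILDCARD"
    dst: str


def _take_addr(tokens: List[str], i: int) -> Tuple[str, int]:
    """Consume one address specification starting at tokens[i] (assumed
    Cisco-style forms)."""
    try:
        if tokens[i] == "any":
            return "any", i + 1
        if tokens[i] == "host":
            return "host " + tokens[i + 1], i + 2
        return tokens[i] + " " + tokens[i + 1], i + 2
    except IndexError:
        raise ValueError("truncated address specification in ACL entry") from None


def parse_entry(direction: str, seq: int, body: str) -> AclEntry:
    tokens = body.split()
    if len(tokens) < 4 or tokens[0] not in ("permit", "deny"):
        raise ValueError("ACL entry must be permit|deny <proto> <src> <dst>: %r" % body)
    src, i = _take_addr(tokens, 2)
    dst, i = _take_addr(tokens, i)
    # Anything after dst (port qualifiers such as 'eq 80') is ignored here.
    return AclEntry(direction, seq, tokens[0], tokens[1], src, dst)


def parse_filter_attributes(values: List[str]) -> List[AclEntry]:
    entries = []
    for v in values:
        m = _ATTR_RE.match(v.strip())
        if not m:
            raise ValueError("not an ip:inacl/ip:outacl attribute: %r" % v)
        entries.append(parse_entry(m.group(1), int(m.group(2)), m.group(3)))
    # Numeric ordering by Num, not string ordering, so #10 sorts after #2.
    entries.sort(key=lambda e: (e.direction, e.seq))
    return entries


def is_deny_all(e: AclEntry) -> bool:
    return (e.action, e.proto, e.src, e.dst) == ("deny", "ip", "any", "any")


def check_outacl_policy(entries: List[AclEntry]) -> List[str]:
    """Return the problems the guide warns about (empty list = acceptable).
    Assumes first-match evaluation: a deny-all that precedes every permit
    makes the outacl deny everything, while a trailing deny-all after the
    permits is the usual explicit default and is not flagged."""
    problems = []
    out = [e for e in entries if e.direction == "outacl"]
    if not out:
        problems.append("no ip:outacl entry; at least one is required")
        return problems
    for e in out:
        if e.action == "permit":
            break
        if is_deny_all(e):
            problems.append(
                "ip:outacl#%d denies all traffic before any permit; the IPsec "
                "client could not reach the banner server" % e.seq)
            break
    return problems
```

Running `check_outacl_policy(parse_filter_attributes(values))` over the attributes a RADIUS server returns for a test user is a cheap pre-deployment check for a group's filter profile.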
CES# End with Ctrl/z.
Configuring PPTP and RADIUS
To configure PPTP and RADIUS: Select Servers > Radius Auth and click Enable Access to RADIUS Authentication. Enable an authentication method. Click OK.
Configuring group-level RADIUS authentication In remote access deployments, if you want to partition users across several different RADIUS servers, the VPN Router can connect to the appropriate server when authenticating a specific user. This group-level authentication is particularly useful for large installations with many different databases, and for carriers that have a business need to keep customer authentication domains separate.
VPN Router global RADIUS configuration window. This also applies to PPTP and L2TP user tunnels.
Vendor-specific RADIUS attribute
You can use the vendor-specific RADIUS attribute to store VPN Router group membership information in a RADIUS vendor-specific attribute as well as in the class attribute.
In the event of a system crash, upon reinitialization the VPN Router translates the journal file into a series of stop records on a per-session basis. This minimizes accounting data loss. A low interval creates system overhead and requires additional processing. The default interval is 00:10:00 (10 minutes).
When you configure both the DHCP server and DHCP relay on the same interface, the DHCP server takes precedence and the DHCP packets received by the VPN Router are processed by the DHCP server. For DHCP relay to be functional, you must disable the DHCP server for the interface on which the DHCP relay is configured.
Enter the End Address for the range. Click OK. Optionally, you can force the DHCP server to assign a fixed IP address to a host every time it logs in. You can do this with host reservations under the Host section. Click Add.
IP address during tunnel setup. This address can come from an internal address pool, an external DHCP server, a RADIUS server, or from an external LDAP proxy server. The VPN Router assigns the inner IP address from one of several sources, using the following order: user-specified (excluding IPsec) static address, either the VPN Router’s LDAP database, the RADIUS server,...
Use the Remote User IP Address Pool window to select a method for users to obtain IP addresses to access the private network. The VPN Router services these addresses and they are available to remote users on demand. You can choose IP addresses assigned from one of the following: •...
VPN Router supports. Click Immediate Address Release if there are a limited number of available IP addresses and you want the VPN Router to release the IP address back to the DHCP server immediately. IP addresses from disconnected tunnel sessions remain unavailable for the time you specify (300 to 7200 seconds).
When a locally attached host issues a DHCP or BOOTP request as a broadcast message, the VPN Router relays the message to a specified DHCP or BOOTP server. The DHCP relay agent also forwards DHCP replies from server to client.
Relayed To Client—total number of packets forwarded to DHCP client(s)
Configuring SSL administration
The SSL administration feature enables secure management of the VPN Router over SSL-enabled HTTP (HTTPS) and is used over all tunnel and interface types. Remote management of a VPN Router requires only an SSL-enabled Web browser on the administrator's computer, which most operating systems include.
VPN tunnel. The Stateful Firewall applies only to HTTPS traffic routed through the device, not to the management IP address. The VPN Router uses HTTPS services for Firewall User Authentication (FWUA) and SSL-enabled administration. The following cipher combinations are available: •...
• Explicitly allow HTTPS if tunnel filters are enabled on the Profiles > Filters window for management through a VPN tunnel.
• Install a valid server certificate on the VPN Router and apply it to the SSL/TLS services to authenticate and validate SSL connections.
•...
In Internet Explorer, select Tools > Internet options > content > certificates > trusted root certification authority tab and select import. Import the root certificate that issued your VPN Router server certificate into the JRE certificate store. Note: To satisfy a further name check by Netscape browsers, make the VPN Router server certificate common name either a DNS name that resolves to the management IP address or the management IP address.
(for example, CN=ces1, O=MyOrg, C=US). Figure 11 shows the SSL/TLS window with selected ciphers. Click Advanced Options and check the box if you do not want empty fragments for CBC ciphers inserted. Click Apply.
To test the SSL administration feature, direct an SSL-enabled Web browser to the private interface of the VPN Router. To use this service from the public side of the VPN Router, you must direct your browser to the public IP address.
“Configuring DHCP servers” on page 57. You can configure the VPN Router 1010, 1050, or 1100 as a DNS proxy, which means that it can act like a DNS server for any PC on the private network. The PCs are configured to send their DNS queries to the DNS proxy, which in turn passes the query to its set of true DNS servers.
For Fourth Server, enter an IP address for the fourth DNS server. If the preceding servers do not respond, service is requested of the fourth DNS server. Click OK. The VPN Router checks all of the DNS addresses to see if they respond and then provides an operational or error status.
LDAP server SSL encryption Secure socket layer (SSL) provides Internet security and privacy and ensures privacy between the VPN Router and the external LDAP server. The SSL protocol negotiates encryption keys and authenticates the server before any data is exchanged. SSL maintains the transmission channel's security and integrity through encryption, authentication, and message authentication codes.
After SSL authentication is established, the VPN Router authenticates itself to the directory server by presenting its LDAP bind DN and password. For the SSL connection to be successful, the VPN Router must trust the issuer of the certificate presented by the directory server during the initial SSL authentication.
Select System > Certificates. Select Enable Special Character Support for Subject DN. The default is disabled. Figure 12 shows the System > Certificates window with LDAP special characters enabled.
Figure 12 LDAP special characters
Configurable warning time for certificate expiration You can configure the VPN Router so that Health Check Certificates Validity sends a warning that a certificate is due to expire. You must enable SNMP traps, and Server Trap Configuration must include Certificates Validity, with the Send One parameter not checked.
The VPN Router supports RSA digital signature authentication for the IPsec IKE key management protocol. Remote users can authenticate themselves to the VPN Router using a public key pair and a certificate as credentials. The VPN Router uses its own key pair and certificate to authenticate the VPN Router to the user.
Import the signed certificate request and click OK. Note: When you are using Entrust CA, this request must have a subject distinguished name with a common name that is equal to the Entrust reference number used to preauthorize the certificate issuance.
IP address. Figure 13 shows a CMP environment.
Figure 13 Sample CMP environment
To initialize the VPN Router for initial certificate enrollment with CMP, you need the following: • Issuer name—CA distinguished name •...
Relative, then enter the relative name details:
a Enter the common name associated with the VPN Router.
b Enter the organizational unit associated with the VPN Router.
c Enter the organization associated with the VPN Router.
d Enter the locality where the VPN Router resides.
e Enter the state or province where the VPN Router resides.
f Enter the country where the VPN Router resides.
11 Click Apply.
12 On the System > Certificates > Certificate Generation window, select Details.
Select Trusted if the certificate is trusted. For CA certificates, this indicates that tunnel requests presenting this issuer as the signer of their certificate are trusted. For server certificates, this is a method of turning off the certificate without deleting it.
Default Server Certificate is the Subject DN of the certificate that you want to use as the identity of the VPN Router when initiating or responding to a connection request associated with that group. Tunnel requests are bound to a particular group by the CA certificate that the remote party is presenting as the signer of its certificate.
If the subject DN of the certificate presented by the remote initiator of the tunnel is a user located on that VPN Router, then the group that the user is bound to is the one indicated in that user’s configuration.
This form of mapping incoming requests to groups allows the subject DN of incoming certificates to be parsed to a configured depth and associated with a corresponding group. During the client authentication process, the VPN Router tries to match the client’s certificate subject DN with all the associations of the CA.
This feature provides finer control for a user to associate a certificate with a group for IPsec tunnel connections. Each Certificate Authority user can set up a lookup table between the certificate subject DN and a VPN Router group. When a new tunnel using the certificate is authenticated, the VPN Router uses the certificate's subject DN to look up the group in the table.
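The subject DN lookup described above is, in effect, a suffix match on the RDNs of the client certificate, limited to a configured depth. The following added example (written for this page; it is not Nortel code and does not reproduce the VPN Router's actual matching rules) shows one consistent reading of that mechanism: a DN parser that handles the backslash-escaped special characters the "Enable Special Character Support for Subject DN" option exists for, and a lookup that considers only the `depth` least-specific RDNs (C, O, OU, ... from the right), takes the longest matching table entry, and falls back to a default group. The depth semantics, the longest-match rule and the table contents are assumptions; the table and DNs in the test are constructed, using the `CN=ces1, O=MyOrg, C=US` style this guide uses elsewhere.

```python
from typing import List, Optional, Tuple

RDN = Tuple[str, str]


def parse_dn(dn: str) -> List[RDN]:
    """Split a subject DN in RFC 4514 string form ('CN=ces1, O=MyOrg, C=US')
    into (type, value) pairs, most specific RDN first.  A backslash escapes
    the next character, so ',' and '=' can appear inside a value.  Types
    are upper-cased and values lower-cased so matching is case-insensitive."""
    parts, cur, escaped = [], [], False
    for ch in dn:
        if escaped:
            cur.append(ch)
            escaped = False
        elif ch == "\\":
            escaped = True
        elif ch == ",":
            parts.append("".join(cur))
            cur = []
        else:
            cur.append(ch)
    if escaped:
        raise ValueError("DN ends with a dangling escape character")
    parts.append("".join(cur))
    rdns = []
    for part in parts:
        if "=" not in part:
            raise ValueError("RDN without '=': %r" % part)
        attr_type, value = part.split("=", 1)
        rdns.append((attr_type.strip().upper(), value.strip().lower()))
    return rdns


def lookup_group(subject_dn: str, ca_table: List[Tuple[str, str]], depth: int,
                 default_group: Optional[str]) -> Optional[str]:
    """Map a client certificate's subject DN to a group via the per-CA table
    of (DN suffix, group) pairs.  Assumed semantics of 'parsed to a
    configured depth': only the 'depth' least-specific RDNs of the subject
    take part in matching (depth=2 matches on C and O alone).  An entry
    matches when it equals the tail of the considered RDNs; the longest
    matching entry wins, and default_group is returned when none matches."""
    subject = parse_dn(subject_dn)
    considered = subject[-depth:] if depth > 0 else subject
    best: Optional[Tuple[int, str]] = None
    for table_dn, group in ca_table:
        pattern = parse_dn(table_dn)
        if len(pattern) > len(considered):
            continue  # more specific than the configured depth allows
        if considered[-len(pattern):] == pattern and (best is None or len(pattern) > best[0]):
            best = (len(pattern), group)
    return default_group if best is None else best[1]


# Constructed sample lookup table for one CA (hypothetical groups).
CA_TABLE = [
    ("O=MyOrg, C=US", "corp-default"),
    ("OU=Engineering, O=MyOrg, C=US", "engineering"),
    ("CN=ces1, O=MyOrg, C=US", "router-peers"),
]
```

The escape handling is the part worth keeping even if you adopt different depth semantics: a DN value containing a comma (`CN=Doe\, Jane`) must not be split into two RDNs, otherwise the user lands in the wrong group or is rejected.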
CA certificate that issued the user certificate. The VPN Router can also verify that the user’s certificate is not revoked, because it was configured to periodically retrieve the latest CRL from the directory. It can authenticate that CRL because it has the CA certificate that signed it.
Authenticating the CRL presents a problem for the VPN Router at this point because it is signed by the updated CA certificate, and the VPN Router does not have that updated CA certificate locally to authenticate the CRL signature. The solution is to import the updated CA certificate into the VPN Router.
The VPN Router can optionally use CRLs to verify the revocation status of user certificates. If enabled on the VPN Router, CRLs are periodically retrieved from the CA's LDAP directory store and cached in the VPN Router's associated LDAP database. This allows for rapid verification of user certificates during IPsec tunnel establishment.
CRL. The default value of 0 indicates that this VPN Router does not update any CRLs. This option is useful when more than one VPN Router shares an LDAP database, but you want only one VPN Router to actually perform the update operation.
Select System > Certificates > CA Certificate: Details and click Manage CRL Servers. The Manage CRL Servers window has a list of currently ... CRL Update specifies the choices for the application of CRL Update as none, everyday, or on specific days.
CRL distribution points (CDP) identifies how CRL vendor-specific information is obtained. It is supported for Entrust CAs. When implemented, users authenticate only against the CRL that is specified in the certificate CDP. This provides faster tunnel establishment. Figure 15 is an example of CRL distribution points.
CRL instead of all available CRLs. Even if the list of CRLs is long, it does not affect performance of the VPN Router because only one CRL is used. If CRL checking is set to mandatory and CRLs are not present on the VPN Router, a request is made to CA LDAP to obtain only the CRL specified in the user's certificate CDP.
Any changes that you made on the Authentication portion of the previous window are lost. Enter the local UID. This is the user ID of the local VPN Router that you are configuring. Enter the peer UID. This is the user ID of the remote VPN Router that you are configuring.
Identifying individual users with certificates
An alternative to allowing all users issued by a particular CA to gain access to the VPN Router is to identify users explicitly by certificate attributes. To create IPsec certificate credentials: Select Profiles > Users > Add User/Edit.
CA in the remote peer’s certificate hierarchy. The CA must have the trusted flag set on the Certificates window. If a CA hierarchy is used, you must import all intermediary CAs below the trusted CA to the VPN Router. These certificate authorities are...
• Country—enter the country in which the user resides
The local identity is the name of the VPN Router that you want to use to identify itself when initiating or responding to a connection request. You can use either a subject distinguished name (subject DN) or a subject alternative name to uniquely identify this system.
L2TP/IPsec authentication
In the Authentication section, complete the following information: Under Local UID, enter the user ID of the local VPN Router that you are configuring. Under Peer UID, enter the user ID of the remote VPN Router that you are configuring.