Nortel VPN Router Configuration — Basic Features
Version 7.00
Part No. NN46110-500 311642-M Rev 01
February 2007
Document status: Standard
600 Technology Park Drive, Billerica, MA 01821-4130...
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
30 days of purchase to obtain a credit for the full purchase price. “Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies.
12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
Preface This guide introduces the Nortel VPN Router. It also provides overview and basic configuration information to help you initially set up your Nortel VPN Router. Before you begin This guide is for network managers who are responsible for setting up and configuring the Nortel VPN Router.
Text conventions used in this guide: braces ({ }), brackets ([ ]), ellipsis points (. . .), italic text, plain Courier text.

braces ({ }): Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.
IKE: IPsec Key Exchange
ISAKMP: Internet Security Association and Key Management Protocol
ISP: Internet service provider
L2TP: Layer 2 Tunneling Protocol
LDAP: Lightweight Directory Access Protocol
LAN: local area network
MAC: media access control address
NAT: network address translation
NOC: network operations center
NTP: Network Time Protocol
NVR: Nortel VPN Router
OSPF: Open Shortest Path First
OSS: operations support systems
PAP: Password Authentication Protocol
PDN: public data networks
POP: point-of-presence
PPP: Point-to-Point Protocol
PPTP: Point-to-Point Tunneling Protocol
RSVP: Resource Reservation Protocol
SNMP: Simple Network Management Protocol
VRRP: Virtual Router Redundancy Protocol
...
Related publications For more information about the Nortel VPN Router, refer to the following publications: • Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds. •...
Latest software Latest documentation Getting help from the Nortel Web site The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
Getting help over the phone from a Nortel Solutions Center If you do not find the information you require on the Nortel Technical Support Web site, and you have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
New in this release
The following sections detail what is new in Nortel VPN Router Configuration — Basic Features for Release 7.0:
• Network Time Protocol (NTP) support for Daylight Savings Time 2007 change
• Systemlog lifetime or disk size limit usage option...
Systemlog lifetime or disk size limit usage option
VPN Router allows you to choose between setting a log file disk size limit or a log file lifetime for the Systemlog. Previous versions of the VPN Router only allowed the Systemlog to have a lifetime specified (default 60 days).
As a highly scalable device, the Nortel VPN Router can address the security and IP services needs of the smallest branch site or largest headquarters environment. A Nortel VPN Router can be installed as an IP access router or stateful packet firewall.
Nortel VPN Router access allows remote users to dial in to an Internet Service Provider (ISP) anywhere and reach corporate headquarters or branch offices. The Nortel VPN Router provides remote users access to corporate databases, mail servers, and file servers.
The Nortel VPN Router uses a combination of authorization, authentication, privacy, and access control for each user.

Licensing features
License keys can be obtained through Nortel’s customer support. The Nortel VPN Router provides several license key options:
• Advanced Routing
•...
The Nortel VPN Router Stateful Firewall License key must be installed to enable the Nortel VPN Router Stateful firewall. Tunnel keys are specific to the Nortel VPN Router hardware model that you are using. Nortel VPN Router switches are manufactured to allow either access to the maximum number of tunnels (VPN bundle) or support for 5 tunnels (Base Unit).
Getting started
This chapter describes methods for configuring and managing the Nortel VPN Router.
Note: If you are setting up a Nortel VPN Router 1010, 1050, or 1100, see Chapter 3, “Setting up the Nortel VPN Router 1010, 1050, and 1100.” These VPN Routers have unique setup and configuration considerations.
• Public LAN port IP address (remote user destination address)
• Firewall public network address
• Nortel VPN Router management IP address: System > Identity
• Nortel VPN Router private LAN interface IP address: System > LAN Edit IP address
• Private network default VPN Router: System > Routing Add/Edit...
This eliminates a single point of failure. As long as there is a route through an interface to the MVA, you can manage the Nortel VPN Router. Access to the MVA is supported on a public interface through a VPN tunnel.
• Identification
• CRL Retrieval
• ...
To enable or disable management protocols, go to the Services > Available window. From this window, you can also specify whether to manage the VPN Router from the public or private side. To redistribute the MVA, go to the Routing > Policy window.
Figure 5 MVA on same subnet as private physical interface

Figure 6 shows MVA using CLIP to manage from a remote PC tunneled from the public side.

Figure 6 MVA managing from a remote PC
To configure the MVA with the serial menu: Connect the serial cable (supplied with your Nortel VPN Router) from the Nortel VPN Router serial port to a terminal or a communications port of a PC. Power on the terminal or PC.
Note: This administrator’s password is also the primary administrator’s password. This password guarantees access to the Nortel VPN Router through the serial port or a Web browser. This administrator’s user ID (default = admin) and password (default = setup) combination is also called the primary administrator.
Type M and press Enter to change the Management IP address. The current IP address appears. The Old Management IP Address field is blank on a new Nortel VPN Router.

Please select a menu choice (M, R): M
Type 0.0.0.0 to delete.
<CR> Leave unchanged
Please select a menu choice (1-5, <CR>):

After you complete the configuration, press Enter to return to the Interface menu. Type R and press Enter to return to the main menu.
To avoid re-addressing, the physical networks are consolidated onto a multinetted Nortel VPN Router interface. Multinetting allows hosts to migrate to the new IP interface or maintain the previous IP address. You can add Multinet IP addresses to the private side or the public side of the VPN Router .
The same rules apply to all other secondary addresses.
• Support for NAT on multinetted addresses, with a single set of rules for all interfaces in Nortel VPN Router.
• NAT services available discretely for each subnet on a multinetted interface (separately supported on each subnet address).
Figure 7 on page 41 shows two subnets, 10.1.0.0/16 and 11.1.0.0/16. Both subnets are connected to one physical LAN port on Nortel VPN Router. Nortel VPN Router sends packets to and receives packets from a host on either of these networks using the same physical port.
To change the management IP address, complete the following procedure: Connect the serial cable (supplied with your Nortel VPN Router) from the Nortel VPN Router serial port to a terminal or a communications port of a PC. Power on the terminal or PC.
Note: This administrator’s password is also the primary administrator’s password. This password guarantees access to the Nortel VPN Router through the serial port or a Web browser. This administrator’s user ID (default = admin) and password (default = setup) combination is also called the primary administrator.
IP address appears. The Old Management IP Address field is blank on a new Nortel VPN Router.

Please select a menu choice (M, R): M
Type 0.0.0.0 to delete. Just type <CR> to skip.
Old Management IP Address = 192.168.249.44
New Management IP Address =
Restricting source IPs access to management
You can filter management access by source IP address. Access lists (ACLs) restrict which source IPs may connect for management purposes over HTTP, FTP, TELNET and SNMP. Management traffic is intercepted; if the destination is System and the packet is for one of the four services above, the source IP address is matched against the ACL that is set for that particular service.
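The matching described above, written out as an added Python example. This is not the VPN Router's own code: the well-known port numbers used to recognise the four services, the rule layout, the prefixes and the sample packets are all assumptions made for the illustration (the management address 192.168.249.44 and the 10.17.20.0/24 subnet are taken from examples elsewhere in this guide).

```python
"""Per-service management ACLs, as an added example (not Nortel's code).

The router intercepts traffic whose destination is the System (management)
address and, if the destination port belongs to one of HTTP, FTP, TELNET or
SNMP, matches the source address against the ACL bound to that service.
Port numbers, the rule layout and the sample packets are assumptions made
for this illustration.
"""
import ipaddress
from dataclasses import dataclass, field
from typing import Dict, List

# Assumed well-known ports for the four services the text names.
SERVICE_PORTS = {80: "HTTP", 21: "FTP", 23: "TELNET", 161: "SNMP"}


@dataclass
class Packet:
    src: str
    dst: str
    dport: int


@dataclass
class ManagementAcl:
    """Per-service lists of permitted source prefixes."""
    system_ip: str
    rules: Dict[str, List[str]] = field(default_factory=dict)

    def permit(self, service: str, prefix: str) -> None:
        self.rules.setdefault(service, []).append(prefix)

    def decide(self, pkt: Packet) -> str:
        if pkt.dst != self.system_ip:
            return "forward"            # not management traffic; not intercepted
        service = SERVICE_PORTS.get(pkt.dport)
        if service is None:
            return "forward"            # not one of the four filtered services
        acl = self.rules.get(service)
        if not acl:
            # Caveat: a service with no ACL is reachable from any source, so
            # every service left enabled needs its own list.
            return "permit"
        src = ipaddress.ip_address(pkt.src)
        if any(src in ipaddress.ip_network(p, strict=False) for p in acl):
            return "permit"
        return "deny"


def build_example_acl() -> ManagementAcl:
    # Management address taken from the serial-menu example; prefixes are constructed.
    acl = ManagementAcl(system_ip="192.168.249.44")
    acl.permit("HTTP", "10.17.20.0/24")   # constructed: admin LAN only
    acl.permit("SNMP", "10.17.21.5/32")   # constructed: a single poller
    return acl


# Constructed sample traffic; 203.0.113.0/24 is documentation address space.
SAMPLE_PACKETS = [
    Packet("10.17.20.7", "192.168.249.44", 80),    # HTTP from the admin LAN
    Packet("203.0.113.9", "192.168.249.44", 80),   # HTTP from the Internet
    Packet("10.17.21.5", "192.168.249.44", 161),   # the SNMP poller
    Packet("10.17.20.7", "192.168.249.44", 161),   # SNMP from the wrong host
    Packet("203.0.113.9", "192.168.249.44", 23),   # TELNET with no ACL bound
    Packet("203.0.113.9", "10.17.20.99", 80),      # not addressed to System
]


def evaluate(acl: ManagementAcl, packets: List[Packet]) -> List[str]:
    return [acl.decide(p) for p in packets]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, evaluate(build_example_acl(), SAMPLE_PACKETS)):
        print(f"{pkt.src:>14} -> {pkt.dst}:{pkt.dport:<4} {verdict}")
```

The fifth packet is the case to watch: TELNET is enabled but has no ACL bound, so the router-style check permits it from the Internet. Bind a list to every management service you leave enabled, or disable the service on the public side.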
Connect the serial cable (supplied with your Nortel VPN Router) from the Nortel VPN Router serial port to a terminal or a communications port of a PC. Power on the terminal or PC. Nortel VPN Router Configuration — Basic Features...
Using a terminal emulation program, such as HyperTerminal on the PC, press Enter. The Welcome window appears and you are prompted to supply a user name and password.

Nortel VPN Router
Copyright (c) 1999-2007 Nortel Networks, Inc.
Version: V07_00.038
Creation date: Oct 11 2006, 09:52:35
Date: 10/13/2006...
Note: This administrator’s password is also the primary administrator’s password. This password guarantees access to the Nortel VPN Router through the serial port or a Web browser. This administrator’s user ID (default = admin) and password (default = setup) combination is also called the primary administrator.
Interface Menu
0) Slot 0, Port 1, Private LAN
   IP Address = 47.17.163.163
   Subnet Mask = 255.255.255.240
   Speed/Duplex = AutoNegotiate
1) Slot 1, Port 1, Public LAN
   IP Address =
   Subnet Mask = 0.0.0.0
   Speed/Duplex = AutoNegotiate
2) Slot 2, Port 1, Public LAN
   IP Address =
   Subnet Mask = 0.0.0.0
   Speed/Duplex = AutoNegotiate...
12 Type R and press Enter to return to the main menu.
13 Type E and press Enter to save the settings and exit. You can then manage the Nortel VPN Router from a Web browser.
Using boot modes The Nortel VPN Router can be booted in one of two system modes: Safe mode or Normal mode. Each mode has its own software image, configuration files, and LDAP database. Note: The Nortel VPN Router 1010, 1050, and 1100 do not implement safe mode.
Login: admin
Password: setup

At this point, follow the Quick Start Configuration procedure or the Guided Configuration procedure. Refer to Table 3 on page 53 for help in determining which procedure to use.
Prepare the clients for the type of tunneling protocol they need to use. The PPTP client application is available on the Nortel CD for Windows 95, and it comes with Windows 98 and Windows NT. Nortel also provides the IPsec client on the Nortel CD.
Nortel VPN Router. Begin with either the Quick Start or the Guided Configuration. After you are familiar with the Nortel VPN Router navigational menu and capabilities, select Manage Switch. Table 3 Web interface configuration options...
FTP private address
FTP public address
TELNET private address
TELNET public address
CRL retrieval private address
CRL retrieval public address
Public Nortel VPN Router IP address
Private Nortel VPN Router IP address
Router ID
AS boundary router (true or false)
Bind DN, Bind password, Confirmed
> Servers
User IP Addr: Broadcast, Any DHCP, or DHCP servers (Primary IP address, Secondary IP address, Tertiary IP address)
Address pool: Pool name, Start, Subnet mask
Your Values
Before entering the configuration options, first register your Nortel VPN Router to activate licenses, warranties, and services. To start using your Nortel VPN Router, choose from one of the following options: • Click on Manage Switch to begin a configuration management session. This option allows access to all Configuration Management facilities.
Context-sensitive help is available at each subsection to supplement the summary. Provided you have the information required to set up the Nortel VPN Router, the Guided Configuration is estimated to take two to three hours to complete, depending on how extensive your configuration is.
Chapter 2 Getting started
Nortel VPN Router 1010, 1050, and 1100 located at branch office sites. If you are at a branch office site and you need to connect the Nortel VPN Router 1010, 1050, or 1100 to the network, see access”...
Figure 8 Default configuration By default, the Nortel VPN Router 1010, 1050, and 1100 are configured with the following parameters: • The DHCP server is configured on the switch’s private interface, with a default range of 192.168.1.3/24 to 192.168.1.255/24. By default, 192.168.1.1 and 192.168.1.2 are assigned to the branch office switch’s private and...
VPN Router by provisioning a VPN connection to a central office or, optionally, to a network operations center (NOC). BOQS allows a NOC or central office management to access the Nortel VPN Router 1010, 1050, or 1100 so that network administrators can further configure these units without going to the remote site.
Service Provider topology where the network operations center is an independent entity from the central office Enterprise environment Before you deploy the Nortel VPN Router 1010, 1050, or 1100 switches at the local sites, you must configure routing and tunnels on the switch at the central office.
RIP propagates routes to this subnet across the tunnel created by BOQS. You must have at least two more IP addresses than IP workstations on the Nortel VPN Router 1010, 1050, or 1100 private network. The first address from the subnet is assigned to the private interface of the branch office switch and the second address becomes the management IP address of the switch.
Every Nortel VPN Router 1010, 1050, and 1100 must have a distinct IP address that is visible from the NOC subnet. A NOC can assign any address reachable from a NOC network to a Nortel VPN Router 1010, 1050, or 1100. BOQS configures NAT on the NOC tunnel to translate the address specified in the “Branch office switch manage NAT IP address”...
NOC. • The BOQS configures a tunnel from the branch office Nortel VPN Router to a Nortel VPN Router located at the central office and a management connection (responder control tunnel) to enable further configuration from the NOC. The NOC can take over configuring the box once the connection is established and additional configuration is required.
IP mask of subnet address in which NOC is located (private subnet of NOC switch). Address used by NOC to manage switch. Must be unique for each Nortel VPN Router1010/1050/1100 and reachable from the NOC. If left empty, can be managed with the second address of the subnet...
Branch office quick start template The branch office quick start template provides a list of values that the local Nortel VPN Router 1010, 1050 or 1100 users will need to enter on the BOQS window. See Appendix A, “Branch office quick start template.
1100, use standard Ethernet cables to connect the devices to the LAN 0 ports (labeled A–D). If you have a Nortel VPN Router 1100 that has one or two optional interface cards, connect the appropriate cables to the ports on the interface cards.
Depending on the type of addressing that your ISP uses, go to the appropriate section:
• If your ISP uses DHCP, go to “DHCP instructions” on page 70.
• If your ISP uses Point-to-Point Protocol over Ethernet (PPPoE), go to “PPPoE instructions” on page 70.
• If your ISP uses static IP addressing, go to page 71.

Note: If you complete the steps in the appropriate section and your VPN Router is not up and running, contact the service provider or company that provided the VPN Router.

DHCP instructions
If your ISP uses DHCP to assign an IP address to your PCs, verify that your VPN Router is connected to the Internet and start the quick-start tool as follows:...
From the Interface Filter list, choose permit all. Click OK.
From the menu bar, choose Routing > Static Routes.
10 Click on Add Public Route (located under the Default Routes list).
11 The Add Public Default Route window appears.
• Context-sensitive help The help files are located on the CD and on the Nortel documentation Web site. When you click on the Help menu from the UI, you can enter the location of the help files on a server.
For example, a core file generated by 10.0.8.186 on Oct. 12th, 2001, at 4:46:06 PM will be named core_20011012_164606_10.0.8.186.mem.
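An added Python example, not Nortel's code, that parses names in the core_<YYYYMMDD>_<HHMMSS>_<ip>.mem pattern above and then applies the two kinds of limit described under “New in this release” for the Systemlog (a lifetime in days, default 60, or a disk-size limit) to a constructed directory listing. Applying those limits to core files, the file sizes, and all names other than the one quoted above are assumptions for the illustration.

```python
"""Core-file names and retention limits, as an added example (not Nortel's code).

The text gives the naming pattern core_<YYYYMMDD>_<HHMMSS>_<ip>.mem and,
under 'New in this release', says the Systemlog may be bounded either by a
lifetime in days (default 60) or by a disk-size limit.  This code parses
core names and applies both kinds of limit to a constructed directory
listing; the file sizes and most of the names are invented.
"""
import re
from datetime import datetime, timedelta
from typing import List, NamedTuple, Optional, Sequence, Tuple

CORE_RE = re.compile(
    r"^core_(?P<date>\d{8})_(?P<time>\d{6})_(?P<ip>\d{1,3}(?:\.\d{1,3}){3})\.mem$"
)


class CoreFile(NamedTuple):
    name: str
    created: datetime
    source_ip: str
    size_bytes: int


def parse_core_name(name: str, size_bytes: int = 0) -> Optional[CoreFile]:
    """Return a CoreFile, or None if the name is not a valid core-file name."""
    m = CORE_RE.match(name)
    if not m:
        return None
    try:
        created = datetime.strptime(m["date"] + m["time"], "%Y%m%d%H%M%S")
    except ValueError:
        return None  # pattern matched but the date/time is impossible (e.g. month 13)
    return CoreFile(name, created, m["ip"], size_bytes)


def load_listing(listing: Sequence[Tuple[str, int]]) -> List[CoreFile]:
    """Keep only entries that parse as core files."""
    parsed = [parse_core_name(n, s) for n, s in listing]
    return [f for f in parsed if f is not None]


def expire_by_lifetime(files: Sequence[CoreFile], now: datetime,
                       lifetime_days: int = 60) -> List[str]:
    """Lifetime policy: anything older than lifetime_days is removed."""
    cutoff = now - timedelta(days=lifetime_days)
    return [f.name for f in files if f.created < cutoff]


def expire_by_disk_limit(files: Sequence[CoreFile], limit_bytes: int) -> List[str]:
    """Disk-size policy: remove oldest first until the total fits the limit."""
    total = sum(f.size_bytes for f in files)
    doomed: List[str] = []
    for f in sorted(files, key=lambda c: c.created):
        if total <= limit_bytes:
            break
        doomed.append(f.name)
        total -= f.size_bytes
    return doomed


# Constructed listing; only the first name is the one quoted in the text.
SAMPLE_LISTING = [
    ("core_20011012_164606_10.0.8.186.mem", 40_000_000),
    ("core_20011101_083000_10.0.8.186.mem", 40_000_000),
    ("core_20011230_235959_10.0.8.190.mem", 40_000_000),
    ("core_20011301_000000_10.0.8.186.mem", 1),   # month 13: rejected by the parser
    ("systemlog.txt", 500),                        # not a core file
]
# Constructed "current time" used when the lifetime policy is evaluated.
REFERENCE_NOW = datetime(2002, 1, 15, 12, 0, 0)

if __name__ == "__main__":
    cores = load_listing(SAMPLE_LISTING)
    print("60-day lifetime removes:", expire_by_lifetime(cores, REFERENCE_NOW))
    print("100 MB limit removes:   ", expire_by_disk_limit(cores, 100_000_000))
```

The two policies remove different files from the same listing: the lifetime rule drops everything older than 60 days regardless of size, while the size rule drops only as many of the oldest files as needed to fit the budget. Anything that does not parse is left alone rather than deleted.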
Chapter 3 Setting up the Nortel VPN Router 1010, 1050, and 1100
Internet Service Provider (ISP) at this point. The actual connection to the Nortel VPN Router is a tunnel that is started from the remote user's PC through its dial-up connection. That connection is to the Internet (typically using an ISP), through the Internet, and ends at the Nortel VPN Router on the private, corporate network.
A group can even consist of a single user, thereby creating a personal connection. The Nortel VPN Router organizes groups in a hierarchical manner. At the top of the hierarchy is the base group. The base group \Base contains the default characteristics that each new group inherits.
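How the inheritance described above resolves, as an added Python example (not the VPN Router's code or schema). The attribute names and values are constructed for the illustration; the 64-character name limit and the 1 to 5 range for the Maximum Number of Links come from later sections of this guide, and the split tunneling values are those of the Split Tunneling menu.

```python
"""Group hierarchy with inheritance, as an added example (not Nortel's code).

The text describes a tree rooted at the base group \\Base, whose default
characteristics every new group inherits; a later section limits group
names to 64 characters.  Attribute names and values below are constructed
for illustration, not the router's schema.
"""
from typing import Any, Dict, List, Optional

MAX_GROUP_NAME = 64


class Group:
    def __init__(self, name: str, parent: Optional["Group"] = None, **overrides: Any) -> None:
        if not name or len(name) > MAX_GROUP_NAME:
            raise ValueError("group name must be 1 to 64 characters")
        self.name = name
        self.parent = parent
        self.overrides: Dict[str, Any] = dict(overrides)  # only what this group sets itself

    def path(self) -> str:
        return self.name if self.parent is None else f"{self.parent.path()}\\{self.name}"

    def effective(self, attr: str) -> Any:
        """Walk toward \\Base until some group sets the attribute."""
        g: Optional[Group] = self
        while g is not None:
            if attr in g.overrides:
                return g.overrides[attr]
            g = g.parent
        raise KeyError(attr)

    def effective_all(self) -> Dict[str, Any]:
        """Every attribute the group ends up with, base values first, overridden by children."""
        chain: List[Group] = []
        g: Optional[Group] = self
        while g is not None:
            chain.append(g)
            g = g.parent
        merged: Dict[str, Any] = {}
        for g in reversed(chain):
            merged.update(g.overrides)
        return merged


def build_example_tree() -> Dict[str, Group]:
    # Constructed tree: defaults live on \Base, one department overrides one
    # attribute, and a single-user group under it overrides nothing.
    base = Group("\\Base", split_tunneling="Disabled", max_links=1, access_hours="Anytime")
    sales = Group("Sales", base, split_tunneling="Enabled - Inverse")
    alice = Group("alice", sales)              # a group holding a single user
    return {"base": base, "sales": sales, "alice": alice}


if __name__ == "__main__":
    tree = build_example_tree()
    for key in ("base", "sales", "alice"):
        print(tree[key].path(), tree[key].effective_all())
```

The point of the walk in effective() is that a change made on \Base is seen by every group that has not overridden that attribute, which is why tightening a default there is the cheapest way to harden all groups at once.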
When authenticating an IPsec client, the remote user is by default assigned to the group ID. If the group ID and group password are correct, the Nortel VPN Router passes the user ID and password (or token card) to the RADIUS server for authentication.
Each level is assigned a percentage of the total number of calls allowed access to the Nortel VPN Router. If there is a particularly high number of users logged in, new users could be denied call access, based on their call admission priority, until existing callers disconnect.
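An added Python example of the admission rule described above; it is not the VPN Router's implementation. The four level names and their percentages are assumptions, as is the rule that a caller is admitted only while the router's current load is below the percentage of total calls assigned to that caller's level.

```python
"""Call admission priority, as an added example (not Nortel's code).

Each priority level is assigned a percentage of the total calls the router
will accept; a new caller is admitted only if the current load is still
under that level's percentage, and is otherwise refused until existing
callers disconnect.  The level names and percentages are assumptions.
"""
from typing import Dict, List, Optional, Tuple

# Assumed mapping from level to the share of total_calls it may fill.
DEFAULT_THRESHOLDS = {"Highest": 100, "High": 75, "Medium": 50, "Low": 25}


class CallAdmission:
    def __init__(self, total_calls: int, thresholds: Optional[Dict[str, int]] = None) -> None:
        self.total_calls = total_calls
        self.thresholds = dict(thresholds or DEFAULT_THRESHOLDS)
        self.active: Dict[str, str] = {}       # user -> level

    def limit_for(self, level: str) -> int:
        """Number of concurrent calls at or below which this level is still admitted."""
        return self.total_calls * self.thresholds[level] // 100

    def admit(self, user: str, level: str) -> bool:
        if len(self.active) < self.limit_for(level):
            self.active[user] = level
            return True
        return False

    def disconnect(self, user: str) -> None:
        self.active.pop(user, None)


def run_scenario(total_calls: int = 8) -> List[Tuple[str, bool]]:
    """Constructed login sequence: lower levels are refused first as load grows."""
    cac = CallAdmission(total_calls)
    log: List[Tuple[str, bool]] = []
    for user, level in [("low1", "Low"), ("low2", "Low"), ("low3", "Low"),
                        ("med1", "Medium"), ("med2", "Medium"), ("med3", "Medium"),
                        ("high1", "High"), ("high2", "High"), ("high3", "High"),
                        ("top1", "Highest"), ("top2", "Highest"), ("top3", "Highest")]:
        log.append((user, cac.admit(user, level)))
    cac.disconnect("low1")                                    # an existing caller leaves
    log.append(("top3-retry", cac.admit("top3", "Highest")))  # the refused caller now fits
    return log


if __name__ == "__main__":
    for user, admitted in run_scenario():
        print(f"{user:<11} {'admitted' if admitted else 'denied'}")
```

With eight total calls, Low callers stop being admitted once two calls are active, Medium at four, High at six, and Highest at eight; the final entry shows the refused caller getting in only after a disconnect frees a slot.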
• Alpha-numeric passwords forces remote users to log in with a password that combines alphabetic (A to Z) and numeric (1 to 9) characters. Nortel does not recommend all-alphabetic passwords because they are easier for an attacker to crack. The default is Disabled.
13 Select Enable to enable IPX support for the group. 14 Enter the maximum number of PPP links in Maximum Number of Links field that you want the Nortel VPN Router to support. The range is 1 to 5; default is 1. The Multilink PPP (MP) implementation allows tunneling multilink connections to the Nortel VPN Router when the tunneling is being done by the ISP.
Public selection for PPTP, L2TP, and L2F. By leaving IPsec, PPTP, L2TP, and L2F enabled on the private side, you can establish tunneled connections to the Nortel VPN Router using any of the tunnel types from within your corporation.
Use the RADIUS check boxes to permit RADIUS requests on the public and private interfaces of the Nortel VPN Router. If you enable RADIUS traffic, you must also enable RADIUS on the Services > RADIUS window. Configuring the Nortel VPN Router tunneling protocol settings is dependent on the tunnel type.
Click on Add to add a user to the group; the Add User window appears. Note: To configure firewall user authentication, see Nortel VPN Router Security — Servers, Authentication, and Certificates. This window allows you to add a user profile. Only options that are enabled for the specified group appear on this window.
IP address pool, DHCP, RADIUS, or a static user configuration. Note: If a host route for the destination address of the Nortel VPN Router exists in the TCP/IP route table prior to launching the Nortel VPN Client, the route is deleted when the tunnel is closed.
Inverse split tunneling sends traffic for any network resource outside of the specified inverse split tunnel networks through the tunnel; only the listed networks are reached locally. Configuration is available through the GUI and the CLI of the Nortel VPN Router. The Profile > Groups window of the Nortel VPN Router GUI allows the addition of inverse split tunnels.
0.0.0.0 with a 0.0.0.0 mask to the inverse split tunnel networks list on the Nortel VPN Router. When the NVC receives the list of inverse split networks, it expands the 0.0.0.0 to be all of the directly connected local subnets detected on the host.
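The wildcard expansion described above, as an added Python example; it is not the Nortel VPN Client's code. The host's interfaces, the second entry in the inverse split list and the destination addresses are constructed for the illustration. The example also shows why the client must expand the wildcard rather than apply it literally: 0.0.0.0/0.0.0.0 taken as a network matches every destination, so nothing would be tunneled.

```python
"""Inverse split tunnel wildcard expansion, as an added example (not Nortel's
or the Nortel VPN Client's code).

With inverse split tunneling, the networks in the list are reached locally
and everything else goes through the tunnel.  An entry of 0.0.0.0 with mask
0.0.0.0 is a wildcard that the client expands to every subnet directly
connected to the host.  Host interfaces and destinations are constructed.
"""
import ipaddress
from typing import Iterable, List, Sequence, Tuple

IPv4Net = ipaddress.IPv4Network
WILDCARD = ipaddress.ip_network("0.0.0.0/0")


def expand_inverse_list(entries: Sequence[Tuple[str, str]],
                        host_interfaces: Sequence[str]) -> List[IPv4Net]:
    """Turn (address, mask) pairs from the group profile into concrete networks."""
    nets = set()
    for addr, mask in entries:
        net = ipaddress.ip_network(f"{addr}/{mask}", strict=False)
        if net == WILDCARD:
            # The wildcard stands for the host's directly connected subnets,
            # not for a default route.
            for iface in host_interfaces:
                nets.add(ipaddress.ip_interface(iface).network)
        else:
            nets.add(net)
    return sorted(nets, key=lambda n: (int(n.network_address), n.prefixlen))


def route_for(dst: str, local_nets: Iterable[IPv4Net]) -> str:
    """'local' if dst lies inside an excluded network, otherwise 'tunnel'."""
    ip = ipaddress.ip_address(dst)
    return "local" if any(ip in n for n in local_nets) else "tunnel"


def literal_wildcard_matches(dst: str) -> bool:
    """What an unexpanded 0.0.0.0/0.0.0.0 entry would do: match everything."""
    return ipaddress.ip_address(dst) in WILDCARD


# Constructed host with two directly connected subnets (address/mask form).
HOST_INTERFACES = ["192.168.1.10/255.255.255.0", "10.1.0.20/255.255.0.0"]
# Constructed inverse split list as pushed by the router: the wildcard plus one subnet.
INVERSE_LIST = [("0.0.0.0", "0.0.0.0"), ("172.16.5.0", "255.255.255.0")]

if __name__ == "__main__":
    local = expand_inverse_list(INVERSE_LIST, HOST_INTERFACES)
    print("reached locally:", [str(n) for n in local])
    for dst in ("192.168.1.1", "10.1.200.9", "172.16.5.77", "10.17.20.5", "203.0.113.9"):
        print(f"{dst:>12} -> {route_for(dst, local)}")
```

The sorted list returned by expand_inverse_list is what ends up excluded from the tunnel; anything not in it, including other RFC 1918 space that the host cannot reach directly, is sent through the VPN.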
Figure 12 Edit > IPsec page for wildcard

Select Enabled - Inverse or Enabled Locally Connected from the Split Tunneling menu. The Split Tunneling menu is used to select the tunneling mode that is used by the selected group.

Table 7 Split tunneling mode options
Split Tunneling Selection: Disabled, Enabled...
Persistent tunneling provides a continuous connection. After successfully establishing a tunnel session to the Nortel VPN Router, the Nortel VPN Client makes every attempt to maintain a viable VPN connection without additional user intervention.
Chapter 4 Configuring user tunnels
Configuring the system identity
Each Nortel VPN Router is uniquely identified by the system's address and domain name system (DNS) name. The DNS name can be used instead of the IP address to identify the Nortel VPN Router and launch its management interface through a web browser.
10.2.3.3 with the subnet mask 255.255.0.0 to the private physical interface, the Management IP Address must reside in the 10.2.x.x network. If you configure the Nortel VPN Router on one network and plan to move it to another network, change the Management IP address and private LAN interface addresses before moving the Nortel VPN Router.
Chapter 5 Configuring the system
10 Click on OK. The Nortel VPN Router checks all of the DNS addresses to see if they respond and then provides an operational or error status. The ISP Provided Server is not user configurable. It is provided by the ISP. The ISP may assign more than one DNS server, but only one of them (primary) is shown on the window.
TCP/IP, FTP, and HTTP. The Private interface also accepts tunneled protocols (for example, IPsec, PPTP, L2TP, L2F) that can be used for secure management access to the Nortel VPN Router. Note: The private LAN interface and the management IP address should be on the same network, and the public LAN interface should be on a different network, both physically and logically.
ID on the network. The device uses the Subnet Mask to determine which IP addresses are directly reachable on the network and which must be routed through a Nortel VPN Router. A sample IP address is 10.2.3.3 with a subnet mask of 255.255.0.0. This indicates that all hosts with addresses 10.2.n.n are directly reachable.
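An added Python example, not Nortel's code, that turns the addressing rules stated in this guide into checks: the management IP must lie in the private interface's subnet and the public interface must be on a different network (this chapter), and on a Nortel VPN Router 1010, 1050 or 1100 the private subnet needs at least two more addresses than there are workstations, the first going to the private interface and the second becoming the management IP (Chapter 3). The subnets, counts and the 198.51.100.0/24 public address are constructed; 10.2.3.3/255.255.0.0 is the sample address from the text.

```python
"""Address planning and management-address checks, as an added example (not
Nortel's code).

Rules from the guide: the private subnet of a branch office router needs
two more addresses than workstations (first -> private interface, second ->
management IP); the management IP must be inside the private interface's
subnet; the public interface must be on a different network.  The subnets
and counts used here are constructed.
"""
import ipaddress
from typing import Dict, List


def branch_office_plan(subnet: str, workstations: int) -> Dict[str, object]:
    """Split a private subnet into interface, management and DHCP-pool addresses."""
    net = ipaddress.ip_network(subnet, strict=True)
    hosts = list(net.hosts())
    if len(hosts) < workstations + 2:
        raise ValueError(
            f"{subnet} has {len(hosts)} usable addresses; "
            f"{workstations} workstations need {workstations + 2}")
    return {
        "private_interface": str(hosts[0]),   # first address of the subnet
        "management_ip": str(hosts[1]),       # second address of the subnet
        "dhcp_pool_start": str(hosts[2]),
        "dhcp_pool_end": str(hosts[-1]),
        "dhcp_pool_size": len(hosts) - 2,
    }


def check_management_addressing(private_ip: str, private_mask: str,
                                management_ip: str,
                                public_ip: str, public_mask: str) -> List[str]:
    """Return a list of problems; an empty list means the layout follows the rules."""
    private_net = ipaddress.ip_network(f"{private_ip}/{private_mask}", strict=False)
    public_net = ipaddress.ip_network(f"{public_ip}/{public_mask}", strict=False)
    problems: List[str] = []
    if ipaddress.ip_address(management_ip) not in private_net:
        problems.append(f"management IP {management_ip} is outside private subnet {private_net}")
    if private_net.overlaps(public_net):
        problems.append(f"public subnet {public_net} overlaps private subnet {private_net}")
    return problems


if __name__ == "__main__":
    print(branch_office_plan("192.168.1.0/24", 200))
    print(check_management_addressing("10.2.3.3", "255.255.0.0", "10.2.77.1",
                                      "198.51.100.2", "255.255.255.0"))
    print(check_management_addressing("10.2.3.3", "255.255.0.0", "10.3.0.1",
                                      "10.2.200.1", "255.255.255.0"))
```

Run the checks before moving a router between networks: the text notes that the management IP and private LAN address must both be changed first, and the second check flags the overlap that results when only one of them is updated.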
Under the Configuration section, use the Speed/Duplex field to automatically or manually configure the LAN interface’s port speed and mode. Note: You can also use the Interface selection on the Nortel VPN Router Serial Port menu to set auto negotiation.
MAC Pause (Ethernet packet flow control) section enables the Nortel VPN Router to automatically adjust and control the flow of incoming and/or outgoing packets from any standard speed LAN device. Check to enable MAC Pause (Frame-based flow control) on the selected interface port.
To add an IP address: Click the Add Multinet button on the LAN Interfaces window. Figure 14 on page 98 shows the window from which you can add, modify, or delete a multinet address using the GUI. The Interface Filter option is not available for the secondary addresses.

Figure 14 LAN > ...
From the LAN Interfaces window, select the secondary IP address to delete. Click Delete. Note: Secondary subnets can be deleted without having any effect on one another. To delete the primary subnet, remove all the secondary subnets.
Configuring multinetting using the CLI
Table 8 shows the command syntax for configuring multinetting using the CLI.

Table 8 Adding/Deleting a secondary address
• Add a secondary address to an interface
• Delete a secondary address: CES(config-if)# no ip address

Adding an IP address
To add an IP address: Navigate to config mode by entering the following command: config.

Table 9 Configuring OSPF over a secondary address (command descriptions)
• Set the OSPF priority on a secondary address
• Reset the OSPF priority on a secondary address
• Set the OSPF MD5 key on a secondary address
• Reset the OSPF MD5 key on a secondary address

Table 10 displays the command syntax for configuring RIP...
The device uses the Subnet Mask to determine which IP addresses are directly reachable on the network and which must be routed through a Nortel VPN Router. A sample IP address is 10.2.3.3 with a subnet mask of 255.255.0.0.
Nortel VPN Router Firewall. Select from a list of all interface filters that have been set up on the Nortel VPN Router (on the Profiles > Filters window), and to select a different filter for the Nortel VPN Router Firewall.
To enable asynchronous data over TCP/IP through the GUI: Go to Services > AoT. The default is disabled.

Figure 16 Asynchronous data over TCP

Check to enable asynchronous over TCP/IP communications. The default is disabled.
0.0.0.0 on the Status > Statistics > NTP Stats window. You set up NTP on the Nortel VPN Router from the Date and Time window. NTP synchronizes the clocks of various devices across networks. It also automatically adjusts the time of network devices so that they are synchronized within milliseconds.
To configure NTP: Click on the Enable check box. If you want the Nortel VPN Router to listen for and respond to broadcast messages, check the Synchronize time with NTP Broadcast Server box. If you want the Nortel VPN Router to listen for and respond to multicast messages, check the Synchronize time with NTP Multicast Server box.
Click on the Return to the Date and Time window link to return to the previous window. Configuring system settings The Nortel VPN Router can be booted in one of the two system modes: safe mode or normal mode. Each mode has its own software image, configuration files, and LDAP database.
When you change the serial interface baud rate, you must press the Reset button.
• PPP allows you to set up the Nortel VPN Router to use the Point-to-Point Protocol (PPP) over the serial port. This feature allows you to manage the Nortel VPN Router from a remote location using PPP and the serial interface.
Enter the Modem Initialization string. Refer to the manufacturer’s documentation to learn the vendor-specific character initialization string. If you pre-configure the modem and use the Nortel VPN Router default initialization string (ATZ) it will provide the best results. When you select the baud rate, you must click the Reset button to change the port to the new baud rate.
Using proxy ARP You can configure the Nortel VPN Router to respond to ARP requests on any of its physical interfaces. The Nortel VPN Router responds to the following types of routes: • User tunnels are routes created for user tunnels. This entry is enabled by default and cannot be changed.
Using the SSH server to allow secure sessions
You can enable an SSH server to allow secure CLI sessions to the NVR in place of cleartext telnet. You can also enable the private and public interface filters, set the port for the SSH server, and restart the server. You can use either the NVR GUI or CLI to configure the SSH server.
Configuring the SSH server
To set the parameters for the SSH server: Select Services > Available. The Allowed Services page appears as shown in Figure 18 on page 114.
Figure 18 Allowed Services window In the Port text box, enter the SSH server port number. Note: If an SSL VPN card exists in the NVR, the port for the SSH server cannot be 22. To enable filters, select either the Public or the Private check box. Click OK.
Using the CLI for SSH server
Defining an SSH server (CLI)
To configure an SSH server on the Nortel VPN Router, from CLI Global Configuration Mode, enter:

    ssh-server {port <portnum> | private | public }
    no ssh-server { private | public }

where:
• ...
• port: the SSH server port
• state: specifies the state (enabled or disabled) of the SSH server

For example, to display the current SSH server port for the Nortel VPN Router, enter:

    CES(config)# show ssh-server port

For example, to display the state (enabled or disabled) of the current SSH server...
Pursuant to such license, the product can be marketed and sold only to a limited class of international users. Any entity, other than Nortel, Inc., that wants to export this product must first obtain license approval from the US Department of Commerce.
Router. Branch office configuration allows you to configure the accessible subnetworks behind each Nortel VPN Router. The configuration also contains the information that is necessary to set up the connection, such as the Nortel VPN Router’s IP addresses, encryption types, and authentication methods. You can apply local policy restrictions, such as access hours, filter sets, and call admission priorities, to limit connectivity into local subnetworks.
Internet. You must configure the default Nortel VPN Router with a static route to the Nortel VPN Router for accessible networks (refer to Profiles > Branch Office > Edit Branch Office Connection).
The default public LAN route directs the encapsulated data to the remote Nortel VPN Router branch office connection. For a Nortel VPN Router that has a WAN link, actions 3 and 4 collapse together, and the encapsulated data is directed to the remote server.
NAT allows branch office connections to eliminate problems with overlapping addresses on both sides of the connection, and it allows you to hide the LAN addresses. To set up branch offices with NAT, see Nortel VPN Router Security — Firewalls, Filters, NAT, and QoS.
The control packets for the PPTP tunnel are processed and the Nortel VPN Router at the exit node of the branch office creates a new PPTP tunnel inside the branch office tunnel.
DNS for branch office tunnel endpoints When configuring branch office tunnels with the Nortel VPN Router, you can enter a DNS name for the tunnel endpoint. The Nortel VPN Router uses domain name address resolution to resolve the actual IP address of the endpoint. The Nortel VPN Router client already supports this ability.
Services on the Internet typically have more than one server that is public facing to share the load. Each of these servers has a unique IP address, but they share a common DNS name.
DNS query. The DNS server returns addresses 5.6.7.8 and 1.2.3.4 because of the Round Robin operation. The initiator selects address 5.6.7.8 because it is the first in the list and establishes a tunnel with the second Nortel VPN Router, achieving a failover.
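The failover sequence above, as an added Python example that is not Nortel's code. The resolver and the reachability of each router are simulated: 1.2.3.4 and 5.6.7.8 are the two endpoint addresses from the text, while the DNS name bo.example.com and the choice of which router is down are constructed. The first initiator does exactly what the text describes (take the first address returned); a second variant that walks the whole answer is shown for comparison.

```python
"""Branch office endpoint failover through DNS round robin, as an added
example (not Nortel's code).

A DNS name for the tunnel endpoint maps to two routers; the DNS server
rotates the order on each query and the initiator takes the first address
it receives.  When that router is unreachable, the next attempt gets the
other address first and the tunnel comes up there.  The resolver and the
reachability model are simulated; the DOWN set is constructed.
"""
from typing import Callable, Dict, List, Optional, Tuple


class RoundRobinResolver:
    """Returns the record list rotated by one position on every query."""

    def __init__(self, zone: Dict[str, List[str]]) -> None:
        self._zone = {name: list(addrs) for name, addrs in zone.items()}

    def resolve(self, name: str) -> List[str]:
        addrs = self._zone[name]
        answer = list(addrs)
        addrs.append(addrs.pop(0))          # rotate for the next caller
        return answer


def initiate_first_only(name: str, dns: RoundRobinResolver,
                        reachable: Callable[[str], bool]) -> Optional[str]:
    """The behaviour the text describes: take the first address in the answer."""
    first = dns.resolve(name)[0]
    return first if reachable(first) else None


def initiate_walk_list(name: str, dns: RoundRobinResolver,
                       reachable: Callable[[str], bool]) -> Optional[str]:
    """Stricter variant: try every address from a single answer, in order."""
    for addr in dns.resolve(name):
        if reachable(addr):
            return addr
    return None


def bring_up_with_retries(name: str, dns: RoundRobinResolver,
                          reachable: Callable[[str], bool],
                          max_attempts: int = 3) -> Tuple[int, Optional[str]]:
    """Retry the first-only initiator; return (attempts used, endpoint or None)."""
    for attempt in range(1, max_attempts + 1):
        endpoint = initiate_first_only(name, dns, reachable)
        if endpoint:
            return attempt, endpoint
    return max_attempts, None


# Constructed zone: the text's two routers behind one (invented) name, with 1.2.3.4 down.
ZONE = {"bo.example.com": ["1.2.3.4", "5.6.7.8"]}
DOWN = {"1.2.3.4"}


def is_reachable(addr: str) -> bool:
    return addr not in DOWN


def demo() -> Tuple[int, Optional[str]]:
    return bring_up_with_retries("bo.example.com", RoundRobinResolver(ZONE), is_reachable)


if __name__ == "__main__":
    attempts, endpoint = demo()
    print(f"first-only initiator: tunnel to {endpoint} after {attempts} attempt(s)")
    print("walk-list initiator: tunnel to",
          initiate_walk_list("bo.example.com", RoundRobinResolver(ZONE), is_reachable))
```

Because the first-only initiator depends on the DNS server rotating its answer, the failover takes one extra resolution and connection attempt; it also never succeeds if the resolver or a cache keeps returning the same order, which is why the walking variant is the more robust choice when you control the initiator.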
DNS name. However, users that host a Web server, FTP server, or game servers need to advertise an address or DNS name to allow their clients to connect to the server.
DDNS. It is enabled by default. You can use this parameter only with the Nortel VPN Client. Also, your DNS server must support Dynamic DNS and be configured to allow Dynamic DNS registration.
Adding a group
To create a new group: Select Profiles > Branch Office. In the Groups section, click Add. The Add Group window appears. Enter a name and then select the parent group whose attributes the new group inherits; for example, /Base. The group name can be a maximum of 64 characters (spaces are permitted).
• In the remote endpoint address field, enter the address of the remote Nortel VPN Router (for example, 132.19.2.30) that you want to form the opposite end of the branch office connection. For Initiator connection types, you can enter the DNS host name.
VPN without requiring that you reconfigure or rename your existing network. NAT sets are defined on the Profiles > NAT window. For further information on NAT, see Nortel VPN Router Security — Firewalls, Filters, NAT, and QoS. 11 For IP Configuration, select either Static or Dynamic routing for this branch office connection: •...
When you set up a branch office connection, you must perform the configuration procedure twice, once for each of the two Nortel VPN Routers that make up the connection. The branch office settings for the two Nortel VPN Routers mirror each other.
• The System > Forwarding window must allow branch office-to-branch office traffic.
• The Profiles > Networks window must list the Nortel VPN Router’s private networks. In the sample configuration, the local Nortel VPN Router’s internal network name is boston_hq and the subnets are 10.17.20.0 and 10.17.21.0.
• The Profiles > Filters window must have the filters that you want to use for the branch office connection. For the example, the local Nortel VPN Router uses a filter of permit only dns/http, and the remote Nortel VPN Router uses permit all.
Sample branch office procedure...
12 Click the Test button on each end of the tunnel to verify connectivity. 13 Try to ping from one PC to the other PC through the branch office.
Control tunnels provide secure access to a customer’s remote Nortel VPN Router so that you can manage it over a network. Control tunnels also guarantee that no data from the network behind that customer’s Nortel VPN Router could be accessed by anyone on the network who...
With both tunnel types, you can establish a secure IPsec tunnel to a system that you want to manage. The traffic inside the tunnels is limited to the Nortel VPN Router’s management IP address only, which is unique to control tunnels.
If you work at a NOC in Cleveland and you manage a customer’s Nortel VPN Router that is located in Boston, you would want to use control tunnels. On one end of the control tunnel (the Nortel VPN Router under management), access is always restricted to the management address only.
In this environment, the remote Boston Nortel VPN Router is a control tunnel to the local Cleveland Nortel VPN Router. From any system on the Cleveland network, you can access the management address for the Boston Nortel VPN Router. This allows systems on the Cleveland network to initiate management operations on the Boston Nortel VPN Router, such as HTTP, FTP, and Telnet.
Another way to nail up control tunnels is to create a script that continuously sends ping packets to the management IP address of the Nortel VPN Router on the customer premises through the control tunnel from a host at the network operations center.
CONTROL CREATE <name> <password> <MGMT/Local_P> <Local_endpoint> <Remote_endpoint> <Remote_Subnet_Address> <Remote_Subnet_Mask>
If you are using the local Nortel VPN Router’s current management IP address (132.19.2.20) rather than a substitute, the network address translation feature is unnecessary. If not, enable control on the remote Nortel VPN Router and enter the control address through the command line interface.
For Connection Type, select Peer to Peer, Responder or Initiator. Click OK. The page refreshes. Click OK again. The Connection Configuration window appears. Continue to step 2 in “Configuring a control tunnel connection” on page 144.
Select the Endpoints for the initiator and responder connection types.
• For the local endpoint address, click the list and select the address of the local Nortel VPN Router (for example, 132.168.2.3).
IP address. This is used to force management through an encrypted tunnel and to restrict access to the local resource, for example when management of a Nortel VPN Router is outsourced. You create the control tunnel user in the group /Base/Control Tunnels.
AP2. If the client had an open FTP session to the server on the private side of the corporate network, this session would have been closed. Figure 29 on page 148, if a client has a wireless connection to the...
IP requires deployment of extra equipment and administration that could increase the cost of the solution and could be a potential cause of inter-operability problems between different vendors and providers. Nortel solves the IPSec mobility problem by enhancing its IPSec implementation.
Network delays or congestion
Logging and status for clients and servers
The Nortel VPN Client logs events to the log file. This includes events such as the Nortel VPN Client sending messages that the IP address changed, and receiving acknowledgement that these messages were received by the Nortel VPN Router.
The event log on the Nortel VPN Router reports on IPSec mobility actions.
IPSec mobility and NAT
If the Nortel VPN Client is behind a NAT box with NAT traversal enabled and encapsulation for the ESP protocol is used, UDP encapsulation is preserved after roaming.
NAT devices. To avoid any NAT related problems, the “Always UDP Encap” option under the IPSec group configuration always forces UDP wrapping on IPSec user tunnels even if NAT was not detected during connection establishment.
Routing table changes
Routing table changes apply to the Nortel VPN Client. When operating in split tunneling mode, the NVC periodically checks the routing table on the client's PC to determine if the table has been altered in any way. This checking is done for security reasons, to detect intrusions and unauthorized access to the private network.
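The periodic routing table check described above, reproduced as an added example (Python, not Nortel's code): it snapshots a constructed netstat-style table when the tunnel comes up and reports later additions, removals or changes, treating any change to a private-network route as suspicious. The table format, the interface names (eth0, tun0) and the set of private subnets are assumptions.

```python
# Added example, not Nortel's code: the manual says the Nortel VPN Client, in
# split-tunneling mode, periodically re-checks the PC's routing table to detect
# tampering that could expose the private network. This reproduces that check
# over constructed netstat-style text: snapshot at tunnel setup, diff later.

def parse_routes(table_text):
    """Map (destination, netmask) -> (gateway, interface); header/blank rows skipped."""
    routes = {}
    for line in table_text.splitlines():
        parts = line.split()
        if len(parts) >= 4 and parts[0].lower() != "destination":
            dest, mask, gateway, iface = parts[:4]
            routes[(dest, mask)] = (gateway, iface)
    return routes

def audit_routes(baseline, current, private_nets):
    """Diff two snapshots into (severity, message) findings. Changes to routes
    for private networks are 'suspicious' (tunnel traffic could be redirected);
    anything else is 'info', e.g. a DHCP renewal altering a local route."""
    findings = []
    for dest, mask in sorted(set(baseline) | set(current)):
        before, after = baseline.get((dest, mask)), current.get((dest, mask))
        if before == after:
            continue
        if before is None:
            what = f"added {dest}/{mask} via {after[0]} on {after[1]}"
        elif after is None:
            what = f"removed {dest}/{mask} (was via {before[0]} on {before[1]})"
        else:
            what = f"changed {dest}/{mask}: {before} -> {after}"
        findings.append(("suspicious" if dest in private_nets else "info", what))
    return findings

# Constructed sample tables; the private subnets borrow the manual's boston_hq
# example (10.17.20.0 and 10.17.21.0) and tun0 stands for the VPN adapter.
BASELINE = """\
Destination   Netmask         Gateway       Iface
0.0.0.0       0.0.0.0         192.168.1.1   eth0
192.168.1.0   255.255.255.0   0.0.0.0       eth0
10.17.20.0    255.255.255.0   10.17.20.1    tun0
10.17.21.0    255.255.255.0   10.17.20.1    tun0
"""
# Later snapshot (constructed): one private route now bypasses the tunnel, and
# a multicast route was added, which is benign.
TAMPERED = (BASELINE.replace("10.17.21.0    255.255.255.0   10.17.20.1    tun0",
                             "10.17.21.0    255.255.255.0   192.168.1.1   eth0")
            + "224.0.0.0     240.0.0.0       0.0.0.0       eth0\n")
PRIVATE_NETS = {"10.17.20.0", "10.17.21.0"}
```

Running `audit_routes(parse_routes(BASELINE), parse_routes(TAMPERED), PRIVATE_NETS)` yields one suspicious finding for 10.17.21.0 and one informational finding for the new multicast route.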
Adapter is plugged in and connects
Initial contact payload (ICP)
If the Nortel VPN Client fails to notify the Nortel VPN Router of the logoff or tunnel termination due to network problems (such as the interface going down before the logoff sequence is sent), the client's session could still be in the session table for the period of time specified by the Idle Timeout.
A similar situation may arise with the client failover tuning timers. If a rekey is initiated by the Nortel VPN Router during the roaming time, it may not be able to reach the client (for example, it is out of area) and the rekey may fail.
VPN connection. Persistence makes use of the automatic failover capability already available with the Nortel VPN Router and extends this to allow the new tunnel to be established without having to re-enter user credentials. A configuration option on the Nortel VPN Router allows you to specify that VPN clients will cache their VPN credentials for a specified period of time.
However, the Nortel VPN Client will not enter persistence mode if the previous log off happened because of a log off message received from the Nortel VPN Router. This allows you to force a rogue user to log off at any time, even when persistence is on.
Roaming time, the session could time out prior to roaming completion. For Persistence, select Enabled or Disabled. The default is Disabled. For Session Persistence Time (minutes), enter the number of minutes (1-1440). The default is 60 minutes. Click OK.
IP connectivity. To configure the Nortel VPN Router using CLI, you need to either telnet to the Nortel VPN Router or connect to it through the Serial Interface > option L on the menu.
To change the maximum roaming time to, for example, 210 seconds:
CES(config-group/ipsec)#max-roamingtime 210
To change the persistence time to, for example, 1000 minutes:
CES(config-group/ipsec)#persistent-time 1000
To exit the IPSec group configuration mode:
CES(config-group/ipsec)#exit
To view the IPSec configuration for the group, for example Base:
CES(config)#show groups ipsec "/Base"
IPSEC Settings: Rekey Timeout Rekey Data Count Perfect Forward Secrecy Banner Configured Domain name Configured Display Banner Compression Primary DNS Address Primary WINS Address Secondary DNS Address Secondary WINS Address Allow Clients Allow undefined networks for non-Contivity clients...
Inverse Split Tunneling Networks Configured
! Radius Server does not exist for this group or its ancestors
CES(config)#
To exit configuration mode:
CES(config)#exit
CES#
Branch office quick start template
The branch office quick start template provides a list of values that the local Nortel VPN Router 1010/1050/1100 users will need to enter on the BOQS window. You can enter the appropriate values in the right-hand column and then...
A system or process that requests a service of another system or process.
default route A route that is used when the switch receives traffic for which no matching route is in the routing table.
Diffie-Hellman A key agreement algorithm that does key establishment, not encryption. However, the key it produces may be used for encryption, for further key management, or any other cryptography.
digital certificate A certificate document in the form of a digital data object to which is appended a computed digital signature value that depends on the data object.
Defines how encryption keys for sessions are initiated and updated.
intranet A computer network, especially one based on Internet technology, that an organization uses for its own internal, and usually private, purposes and that is closed to outsiders.
IP address The identifiers used by the protocols that govern Internet information exchange. The Internet Network Information Center assigns these numbers to uniquely identify different machines on the Internet.
IPsec A tunneling protocol that offers a strong level of encryption and integrity protection.
The unit of data sent across a network. Typically, it refers to application data units.
PING A program used to test reachability of destinations by sending an ICMP echo request and waiting for a reply.
Point-to-Point Protocol (PPP) A protocol that provides a method for transmitting packets over serial point-to-point links.
Point-to-Point Tunneling Protocol (PPTP) A tunneling protocol that is used as a security tool.
port A transport layer demultiplexing value. Each application has a unique port number associated with it.
Telnet A command protocol used to establish login sessions on a remote host.
triggered update A method used by RIP in which a new routing table is sent almost immediately after a routing change has been made. This is in contrast to the poison reverse method, in which routes are updated after a cost of infinity is reached, a process that can take much time.