Nortel Contivity 1100 Configuration Manual

VPN Router Basic Features
Nortel VPN Router
Configuration — Basic
Features
Version 7.00
Part No. NN46110-500
311642-M Rev 01
February 2007
Document status: Standard
600 Technology Park Drive
Billerica, MA 01821-4130


Summary of Contents for Nortel Contivity 1100

  • Page 2 In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
  • Page 3 30 days of purchase to obtain a credit for the full purchase price. “Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies.
  • Page 4 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
  • Page 5: Table Of Contents

    Getting help from the Nortel Web site ........
  • Page 6 Chapter 3 Setting up the Nortel VPN Router 1010, 1050, and 1100 ....59 Default configuration ..........59 Branch office quick start utility .
  • Page 7 Restricted product - export license requirement ......117 Nortel VPN Router Configuration — Basic Features...
  • Page 8 IPSec mobility on Nortel VPN Router ........
  • Page 9 Index ............173 Nortel VPN Router Configuration — Basic Features...
  • Page 11 Edit > IPsec page for wildcard ....... . . 88 Figure 13 LAN-to-Nortel VPN Router connection ......93 Figure 14 LAN >...
  • Page 12 Figure 30 Roaming from behind NAT to behind NAT ..... . . 150 Figure 31 Roaming from behind NAT to no NAT ......151 Figure 32 Groups edit IPSec window .
  • Page 13 Configuration considerations ....... . . 152 Nortel VPN Router Configuration — Basic Features...
  • Page 15: Preface

    Preface This guide introduces the Nortel VPN Router. It also provides overview and basic configuration information to help you initially set up your Nortel VPN Router. Before you begin This guide is for network managers who are responsible for setting up and configuring the Nortel VPN Router.
  • Page 16 braces ({}) brackets ([ ]) ellipsis points (. . . ) italic text plain Courier text NN46110-500 Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.
  • Page 17: Acronyms

    IPsec Key Exchange Internet Security Association and Key Management Protocol Internet service provider Layer2 Tunneling Protocol Lightweight Directory Access Protocol local area network media access control address Nortel VPN Router Configuration — Basic Features , you enter either terminal paging on...
  • Page 18 OSPF PPTP RSVP SNMP VRRP NN46110-500 network address translation network operations center Network Time Protocol Nortel VPN Router Open Shortest Path First operations support systems Password Authentication Protocol public data networks point-of-presence Point-to-Point Protocol Point-to-Point Tunneling Protocol Resource Reservation Protocol...
  • Page 19: Related Publications

    Related publications For more information about the Nortel VPN Router, refer to the following publications: • Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds. •...
  • Page 20: Hard-Copy Technical Manuals

    Latest software Latest documentation Getting help from the Nortel Web site The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.
  • Page 21: Getting Help Over The Phone From A Nortel Solutions Center

    Getting help over the phone from a Nortel Solutions Center If you do not find the information you require on the Nortel Technical Support Web site, and you have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
  • Page 23: New In This Release

    New in this release The following sections detail what is new in Nortel VPN Router Configuration — Basic Features for Release 7.0. Network Time Protocol (NTP) support for Daylight Savings Time 2007 change Systemlog lifetime or disk size limit usage option...
  • Page 24: Systemlog Lifetime Or Disk Size Limit Usage Option

    New in this release Systemlog lifetime or disk size limit usage option VPN Router allows you to choose between setting a log file disk size limit or a log file lifetime for the Systemlog. Previous versions of the VPN Router only allowed the Systemlog to have a lifetime specified (default 60 days).
  • Page 25: Overview

    As a highly scalable device, the Nortel VPN Router can address the security and IP services needs of the smallest branch site or largest headquarters environment. A Nortel VPN Router can be installed as an IP access router or stateful packet firewall.
  • Page 26: Virtual Private Networking

    Nortel VPN Router access allows remote users to dial in to an Internet Service Provider (ISP) anywhere and reach corporate headquarters or branch offices. The Nortel VPN Router provides remote users access to corporate databases, mail servers, and file servers.
  • Page 27: Licensing Features

    The Nortel VPN Router uses a combination of authorization, authentication, privacy, and access control for each user. Licensing features Licence keys can be obtained through Nortel’s customer support. The Nortel VPN Router provides several license key options: • Advanced Routing •...
  • Page 28: Command Line Interface

    The Nortel VPN Router Stateful Firewall License key must be installed to enable the Nortel VPN Router Stateful firewall. Tunnel keys are specific to the Nortel VPN Router hardware model that you are using. Nortel VPN Router switches are manufactured to allow either access to the maximum number of tunnels (VPN bundle) or support for 5 tunnels (Base Unit).
  • Page 29: Getting Started

    Getting started This chapter describes methods for configuring and managing the Nortel VPN Router. Note: If you are setting up a Nortel VPN Router 1010, 1050 or 1100, 1100.” These VPN Routers have unique set up and configuration considerations.
  • Page 30: Figure 3 Sample Ip Addressing Scheme

    Public LAN port IP address (remote user destination address) Firewall public network address Nortel VPN Router management IP address: System > Identity Nortel VPN Router private LAN interface IP address: System > LAN Edit IP address Private network default VPN Router: System > Routing Add/Edit...
  • Page 31: Management Virtual Address

    This eliminates a single point of failure. As long as there is a route through an interface to the MVA, you can manage the Nortel VPN Router. Access to the MVA is supported on a public interface through a VPN tunnel.
  • Page 32: Figure 4 Mva On Separate Subnet From Private Physical Interfaces

    • Identification • CRL Retrieval • To enable or disable management protocols, go to Services > Available window. From this window, you can also specify whether to manage the VPN Router from the public or private side. To redistribute the MVA, go to Routing > Policy window.
  • Page 33: Figure 5 Mva On Same Subnet As Private Physical Interface

    Figure 5 MVA on same subnet as private physical interface Figure 6 shows MVA using CLIP to manage from a remote PC tunneled from the public side. Figure 6 MVA managing from a remote PC Nortel VPN Router Configuration — Basic Features...
  • Page 34: Configuring Mva With The Serial Menu

    To configure the MVA with the serial menu: Connect the serial cable (supplied with your Nortel VPN Router) from the Nortel VPN Router serial port to a terminal or a communications port of a PC. Power on the terminal or PC.
  • Page 35 Note: This administrator’s password is also the primary administrator’s password. This password guarantees access to the Nortel VPN Router through the serial port or a Web browser. This administrator’s user ID (default = admin) and password (default = setup) combination is also called the primary administrator.
  • Page 36: Configuring Interfaces

    Type M and press Enter to change the Management IP address. The current IP address appears. The Old Management IP Address field is blank on a new Nortel VPN Router. Please select a menu choice (M, R): M Type 0.0.0.0 to delete.
  • Page 37 <CR> Leave unchanged Please select a menu choice (1-5, <CR>): After you complete the configuration, press Enter to return to the Interface menu. Type R and press Enter to return to the main menu. Nortel VPN Router Configuration — Basic Features...
  • Page 38: Multinetting

    To avoid re-addressing, the physical networks are consolidated onto a multinetted Nortel VPN Router interface. Multinetting allows hosts to migrate to the new IP interface or maintain the previous IP address. You can add Multinet IP addresses to the private side or the public side of the VPN Router.
  • Page 39: Table 2 Services Supported On A Multinetted Interface

    The same rules apply to all other secondary addresses. Support for NAT on multinetted addresses, with a single set of rules for all interfaces in Nortel VPN Router. NAT services available discretely for each subnet on a multinetted interface (separately supported on each subnet address).
  • Page 40 Figure 7 on page 41 subnets, 10.1.0.0/16 and 11.1.0.0/16. Both subnets are connected to one physical LAN port on Nortel VPN Router. Nortel VPN Router sends packets to and receives packets from a host on either of these networks using the same physical port.
  • Page 41: Changing The Management Ip Address

    To change the management IP address, complete the following procedure: Connect the serial cable (supplied with your Nortel VPN Router) from the Nortel VPN Router serial port to a terminal or a communications port of a PC. Power on the terminal or PC.
  • Page 42 Note: This administrator’s password is also the primary administrator’s password. This password guarantees access to the Nortel VPN Router through the serial port or a Web browser. This administrator’s user ID (default = admin) and password (default = setup) combination is also called the primary administrator.
  • Page 43 IP address appears. The Old Management IP Address field is blank on a new Nortel VPN Router. Please select a menu choice (M, R): M Type 0.0.0.0 to delete. Just type <CR> to skip. Old Management IP Address = 192.168.249.44 New Management IP Address = Nortel VPN Router Configuration — Basic Features...
  • Page 44: Restricting Source Ips Access To Management

    Restricting source IPs access to management You are able to filter management access of source IP addresses. Access Lists (ACLs) restrict connection of designated source IPs for management purposes over HTTP, FTP, TELNET and SNMP. Management traffic is intercepted and if the destination is System and the packet is for one of the four services above, the source IP address is matched against the ACL that is set for the particular service.
  • Page 45: Accessing Acl Through The Gui

    Connect the serial cable (supplied with your Nortel VPN Router) from the Nortel VPN Router serial port to a terminal or a communications port of a PC. Power on the terminal or PC. Nortel VPN Router Configuration — Basic Features...
  • Page 46 Using a terminal emulation program, such as HyperTerminal on the PC, press Enter. The Welcome window appears and you are prompted to supply a user name and password. Nortel VPN Router Copyright (c) 1999-2007 Nortel Networks, Inc. Version: V07_00.038 Creation date: Oct 11 2006, 09:52:35 Date: 10/13/2006...
  • Page 47 Note: This administrator’s password is also the primary administrator’s password. This password guarantees access to the Nortel VPN Router through the serial port or a Web browser. This administrator’s user ID (default = admin) and password (default = setup) combination is also called the primary administrator.
  • Page 48 - Interface Menu 0) Slot 0, Port 1, Private LAN IP Address = 47.17.163.163 Subnet Mask = 255.255.255.240 Speed/Duplex = AutoNegotiate 1) Slot 1, Port 1, Public LAN IP Address = Subnet Mask = 0.0.0.0 Speed/Duplex = AutoNegotiate 2) Slot 2, Port 1, Public LAN IP Address = Subnet Mask = 0.0.0.0 Speed/Duplex = AutoNegotiate...
  • Page 49 12 Type R and press Enter to return to the main menu. 13 Type E and press Enter to save the settings and exit. You can then manage the Nortel VPN Router from a Web browser. Nortel VPN Router Configuration — Basic Features...
  • Page 50: Using Boot Modes

    Using boot modes The Nortel VPN Router can be booted in one of two system modes: Safe mode or Normal mode. Each mode has its own software image, configuration files, and LDAP database. Note: The Nortel VPN Router 1010, 1050, and 1100 do not implement safe mode.
  • Page 51 Login: admin Password: setup At this point, follow the Quick Start Configuration procedure or the Guided Configuration procedure. Refer to Table 3 on page 53 for help in determining which procedure to use. Nortel VPN Router Configuration — Basic Features...
  • Page 52: Preparing For Configuration

    Prepare the clients for the type of tunneling protocol they need to use. The PPTP client application is available on the Nortel CD for Windows 95, and it comes with Windows 98 and Windows NT. Nortel also provides the IPsec client on the Nortel CD.
  • Page 53: Table 3 Web Interface Configuration Options

    Nortel VPN Router. Begin with either the Quick Start or the Guided Configuration. After you are familiar with the Nortel VPN Router navigational menu and capabilities, select Manage Switch. Table 3 Web interface configuration options...
  • Page 54 FTP private address FTP public address TELNET private address TELNET public address CRL retrieval private address CRL retrieval public address Public Nortel VPN Router IP address Private Nortel VPN Router IP address Router ID AS boundary router (true or false)
  • Page 55 Bind DN, Bind password, Confirmed > Servers User IP Addr Broadcast Any DHCP or DHCP servers: Primary IP address Secondary IP address Tertiary IP address Address pool: Pool name Start Subnet mask Your Values Nortel VPN Router Configuration — Basic Features...
  • Page 56: Welcome Window

    Before entering the configuration options, first register your Nortel VPN Router to activate licenses, warranties, and services. To start using your Nortel VPN Router, choose from one of the following options: • Click on Manage Switch to begin a configuration management session. This option allows access to all Configuration Management facilities.
  • Page 57 Context-sensitive help is available at each subsection to supplement the summary. Provided you have the information required to set up the Nortel VPN Router, the Guided Configuration is estimated to take two to three hours to complete, depending on how extensive your configuration is.
  • Page 59: Setting Up The Nortel Vpn Router 1010, 1050, And 1100

    Nortel VPN Router 1010, 1050, and 1100 located at branch office sites. If you are at a branch office site and you need to connect the Nortel VPN Router 1010, 1050, or 1100 to the network, see access”...
  • Page 60: Figure 8 Default Configuration

    Figure 8 Default configuration By default, the Nortel VPN Router 1010, 1050, and 1100 are configured with the following parameters: • The DHCP server is configured on the switch’s private interface, with a default range of 192.168.1.3/24 to 192.168.1.255/24. By default, 192.168.1.1 and 192.168.1.2 are assigned to the branch office switch’s private and...
  • Page 61: Branch Office Quick Start Utility

    VPN Router by provisioning a VPN connection to a central office or optionally, to a network operation center (NOC). BOQS allows a NOC or central office management to access the Nortel VPN Router 1010, 1050, or 1100 so that network administrators can further configure these units without going to the remote site.
  • Page 62: Enterprise Environment

    Service Provider topology where the network operations center is an independent entity from the central office Enterprise environment Before you deploy the Nortel VPN Router 1010, 1050, or 1100 switches at the local sites, you must configure routing and tunnels on the switch at the central office.
  • Page 63: Service Provider Environment

    RIP propagates routes to this subnet across the tunnel created by BOQS. You must have at least two more IP addresses than IP workstations on the Nortel VPN Router 1010, 1050, or 1100 private network. The first address from the subnet is assigned to the private interface of the branch office switch and the second address becomes the management IP address of the switch.
  • Page 64 Every Nortel VPN Router 1010, 1050, and 1100 must have a distinct IP address that is visible from the NOC subnet. A NOC can assign any address reachable from a NOC network to a Nortel VPN Router 1010, 1050, or 1100. BOQS configures NAT on the NOC tunnel to translate the address specified in the “Branch office switch manage NAT IP address”...
  • Page 65: Deployment Procedure

    NOC. • The BOQS configures a tunnel from the branch office Nortel VPN Router to a Nortel VPN Router located at the central office and a management connection (responder control tunnel) to enable further configuration from the NOC. The NOC can take over configuring the box once the connection is established and additional configuration is required.
  • Page 66: Table 6 Boqs Parameters

    IP mask of subnet address in which NOC is located (private subnet of NOC switch). Address used by NOC to manage switch. Must be unique for each Nortel VPN Router 1010/1050/1100 and reachable from the NOC. If left empty, can be managed with the second address of the subnet...
  • Page 67: Branch Office Quick Start Template

    Branch office quick start template The branch office quick start template provides a list of values that the local Nortel VPN Router 1010, 1050 or 1100 users will need to enter on the BOQS window. See Appendix A, “Branch office quick start template.
  • Page 68: Cable The Vpn Router And Turn The Power On

    1100, use standard Ethernet cables to connect the devices to the LAN 0 ports (labeled A–D). If you have a Nortel VPN Router 1100 that has one or two optional interface cards, connect the appropriate cables to the ports on the interface cards.
  • Page 69: Make Sure That Your Pcs Can Obtain Ip Addresses Automatically

    Depending on the type of addressing that your ISP uses, go to the appropriate section: • If your ISP uses DHCP, go to “DHCP instructions” on page 70. • If your ISP uses Point-to-Point Protocol over Ethernet (PPPoE), go to “PPPoE instructions” on page 70...
  • Page 70: Dhcp Instructions

    • If your ISP uses static IP addressing, go to page 71.” Note: If you complete the steps in the appropriate section and your VPN Router is not up and running, contact the service provider or company that provided the VPN Router. DHCP instructions If your ISP uses DHCP to assign an IP address to your PCs, verify that your VPN Router is connected to the Internet and start the quick-start tool as follows:...
  • Page 71: Static Ip Instructions

    From the Interface Filter list, choose permit all. Click OK. From the menu bar, choose Routing > Static Routes. 10 Click on Add Public Route (located under the Default Routes list). 11 The Add Public Default Route window appears. Nortel VPN Router Configuration — Basic Features...
  • Page 72: Compact Flash Disk

    • Context-sensitive help The help files are located on the CD and on the Nortel documentation Web site. When you click on the Help menu from the UI, you can enter the location of the help files on a server.
  • Page 73 For example, a core file generated by 10.0.8.186 on Oct.12th, 2001, at 4:46:06 PM will be named core_20011012_164606_10.0.8.186.mem. Nortel VPN Router Configuration — Basic Features...
  • Page 75: Configuring User Tunnels

    Internet Service Provider (ISP) at this point. The actual connection to the Nortel VPN Router is a tunnel that is started from the remote user's PC through its dial-up connection. That connection is to the Internet (typically using an ISP), through the Internet, and ends at the Nortel VPN Router on the private, corporate network.
  • Page 76 A group can even consist of a single user, thereby creating a personal connection. The Nortel VPN Router organizes groups in a hierarchical manner. At the top of the hierarchy is the base group. The base group \Base contains the default characteristics that each new group inherits.
  • Page 77 When authenticating an IPsec client, the remote user is by default assigned to the group ID. If the group ID and group password are correct, the Nortel VPN Router passes the user ID and password (or token card) to the RADIUS server for authentication.
  • Page 78: Configuring Group Characteristics

    Each level is assigned a percentage of the total number of calls allowed access to the Nortel VPN Router. If there is a particularly high number of users logged in, new users could be denied call access, based on their call admission priority, until existing callers disconnect.
  • Page 79 • Alpha-numeric passwords force remote users to log in with a combination of alphabetic (A to Z) and numeric (1 to 9) characters. Nortel does not recommend using all alphabetic characters because this makes it easier for hackers to decode. The default is Disabled.
  • Page 80 13 Select Enable to enable IPX support for the group. 14 Enter the maximum number of PPP links in Maximum Number of Links field that you want the Nortel VPN Router to support. The range is 1 to 5; default is 1. The Multilink PPP (MP) implementation allows tunneling multilink connections to the Nortel VPN Router when the tunneling is being done by the ISP.
  • Page 81: Setting Up User Tunnels

    Public selection for PPTP, L2TP, and L2F. By leaving IPsec, PPTP, L2TP, and L2F enabled on the private side, you can establish tunneled connections to the Nortel VPN Router using any of the tunnel types from within your corporation.
  • Page 82 Use the RADIUS check boxes to permit RADIUS requests on the public and private interfaces of the Nortel VPN Router. If you enable RADIUS traffic, you must also enable RADIUS on the Services > RADIUS window. Configuring the Nortel VPN Router tunneling protocol settings is dependent on the tunnel type.
  • Page 83 Click on Add to add a user to the group; the Add User window appears. Note: To configure firewall user authentication, see Nortel VPN Router Security — Servers, Authentication, and Certificates This window allows you to add a user profile. Only options that are enabled for the specified group appear on this window.
  • Page 84 IP address pool, DHCP, RADIUS, or a static user configuration. Note: If a host route for the destination address of the Nortel VPN Router exists in the TCP/IP route table prior to launching the Nortel VPN Router VPN Client, the route is deleted when the tunnel is closed.
  • Page 85: Configuring Inverse Split Tunneling

    Figure 10 Inverse Split Tunneling (Figure 10) provides the flexibility of allowing remote Nortel VPN Router Configuration — Basic Features...
  • Page 86: Figure 11 Inverse Split Tunneling

    Split tunneling allows access to any network resource outside of specified split tunnel networks. Configuration is available through the GUI and the CLI of the Nortel VPN Router. The Profile > Groups window of the Nortel VPN Router GUI allows the addition of inverse split tunnels.
  • Page 87: Inverse Split Tunneling

    0.0.0.0 with a 0.0.0.0 mask to the inverse split tunnel networks list on the Nortel VPN Router. When the NVC receives the list of inverse split networks, it expands the 0.0.0.0 to be all of the directly connected local subnets detected on the host.
  • Page 88: Figure 12 Edit > Ipsec Page For Wildcard

    Figure 12 Edit > IPsec page for wildcard Select Enabled - Inverse or Enabled Locally Connected from the Split Tunneling menu. The Split Tunneling menu is used to select the tunneling mode that is used by the selected group. Table 7 Split tunneling mode options Split Tunneling Selection Disabled Enabled...
  • Page 89: Configuring Tunneling Modes Using The Cli

    “16 Net” Persistent tunneling provides a continuous connection. After successfully establishing a tunnel session to the Nortel VPN Router, the Nortel VPN Client makes every attempt to maintain a viable VPN connection without additional user intervention.
  • Page 91: Configuring The System

    Proxy ARP Configuring the system identity Each Nortel VPN Router is uniquely identified by the system's address and domain name system (DNS) name. The DNS name can be used instead of the IP address to identify the Nortel VPN Router and launch its management interface through a web browser.
  • Page 92 10.2.3.3 with the subnet mask 255.255.0.0 to the private physical interface, the Management IP Address must reside in the 10.2.x.x network. If you configure the Nortel VPN Router on one network and plan to move it to another network, change the Management IP address and private LAN interface addresses before moving the Nortel VPN Router.
  • Page 93: Setting Up Lan Interfaces

    Chapter 5 Configuring the system 93 10 Click on OK. The Nortel VPN Router checks all of the DNS addresses to see if they respond and then provides an operational or error status. The ISP Provided Server is not user configurable. It is provided by the ISP. The ISP may assign more than one DNS server, but only one of them (primary) is shown on the window.
  • Page 94 TCP/IP, FTP, and HTTP. The Private interface also accepts tunneled protocols (for example, IPsec, PPTP, L2TP, L2F) that can be used for secure management access to the Nortel VPN Router. Note: The private LAN interface and the management IP address should be on the same network, and the public LAN interface should be on a different network, both physically and logically.
  • Page 95: Edit Lan Interface Window

    ID on the network. The device uses the Subnet Mask to determine which IP addresses are directly reachable on the network and which must be routed through a Nortel VPN Router. A sample IP address is 10.2.3.3 with a subnet mask of 255.255.0.0. This indicates that all hosts with addresses 10.2.n.n are directly reachable.
  • Page 96 Under the Configuration section, use the Speed/Duplex field to automatically or manually configure the LAN interface’s port speed and mode. Note: You can also use the Interface selection on the Nortel VPN Router Serial Port menu to set auto negotiation.
  • Page 97: Multinetting

    MAC Pause (Ethernet packet flow control) section enables the Nortel VPN Router to automatically adjust and control the flow of incoming and/or outgoing packets from any standard speed LAN device. Check to enable MAC Pause (Frame-based flow control) on the selected interface port.
  • Page 98: Figure 14 Lan > Interfaces Window

    To add an IP address: Click the Add Multinet button on the LAN Interfaces window. Figure 14 on page 98 you can add, modify, or delete a multinet address using the GUI. The Interface Filter option is not available for the secondary addresses. Figure 14 LAN >...
  • Page 99: Figure 15 Lan Interfaces > Add Ip Address Window

    From the LAN Interfaces window, select the secondary IP address to delete. Click Delete. Note: Secondary subnets can be deleted without having any effect on one another. To delete the primary subnet, remove all the secondary subnets. Nortel VPN Router Configuration — Basic Features...
  • Page 100: Configuring Multinetting Using The Cli

    Configuring multinetting using the CLI Table 8 shows the command syntax for configuring multinetting using the CLI. Table 8 Adding/Deleting a secondary address Command Description Add a secondary address to an interface Delete a secondary address CES (config-if) # no ip address Adding an IP address To add an IP address: Navigate to config mode by entering the following command: config.
  • Page 101: Table 9 Configuring Ospf Over A Secondary Address

    CES(config-if)# no ip ospf transmit-delay <secondary address> CES(config-if)# ip ospf network <broadcast/ point-to-point> <secondary address> CES(config-if)# no ip ospf network <secondary address> CES(config-if)# ip ospf poll-interval <1-65535> <secondary address> CES(config-if)# no ip ospf poll-interval <secondary address> Nortel VPN Router Configuration — Basic Features...
  • Page 102: Table 10 Configuring Rip Over A Secondary Address

    Table 9 Configuring OSPF over a secondary address Command description Set the OSPF priority on a secondary address Reset the OSPF priority on a secondary address Set the OSPF MD5 key on a secondary address Reset the OSPF MD5 key on a secondary address Table 10 displays the command syntax for configuring RIP...
  • Page 103 The device uses the Subnet Mask to determine which IP addresses are directly reachable on the network and which must be routed through a Nortel VPN Router. A sample IP address is 10.2.3.3 with a subnet mask of 255.255.0.0.
  • Page 104 Nortel VPN Router Firewall. Select from a list of all interface filters that have been set up on the Nortel VPN Router (on the Profiles > Filters window), and to select a different filter for the Nortel VPN Router Firewall.
  • Page 105: Asynchronous Data Over Tcp

    To enable asynchronous data over TCP/IP through the GUI: Go to Services > AoT. The default is disabled. Figure 16 Asynchronous data over TCP Check to enable asynchronous over TCP/IP communications. The default is disabled. Nortel VPN Router Configuration — Basic Features...
  • Page 106: Configuring Network Time Protocol (Ntp)

    0.0.0.0 on the Status > Statistics > NTP Stats window. The System set up NTP on the Nortel VPN Router. NTP synchronizes the clocks of various devices across networks. It also automatically adjusts the time of network devices so that they are synchronized within milliseconds.
  • Page 107 To configure NTP: Click on the Enable check box. If you want the Nortel VPN Router to listen for and respond to broadcast messages, check the Synchronize time with NTP Broadcast Server box. If you want the Nortel VPN Router to listen for and respond to multicast messages, check the Synchronize time with NTP Multicast Server box.
  • Page 108: Configuring System Settings

    Click on the Return to the Date and Time window link to return to the previous window. Configuring system settings The Nortel VPN Router can be booted in one of the two system modes: safe mode or normal mode. Each mode has its own software image, configuration files, and LDAP database.
  • Page 109 When you change the serial interface baud rate, you must press the Reset button. • PPP allows you to set up the Nortel VPN Router to use the Point-to-Point Protocol (PPP) over the serial port. This feature allows you to manage the Nortel VPN Router from a remote location using PPP and the serial interface.
  • Page 110 Enter the Modem Initialization string. Refer to the manufacturer’s documentation to learn the vendor-specific character initialization string. If you pre-configure the modem and use the Nortel VPN Router default initialization string (ATZ) it will provide the best results. When you select the baud rate, you must click the Reset button to change the port to the new baud rate.
  • Page 111: Using Proxy Arp

    Using proxy ARP You can configure the Nortel VPN Router to respond to ARP requests on any of its physical interfaces. The Nortel VPN Router responds to the following types of routes: • User tunnels are routes created for user tunnels. This entry is enabled by default and cannot be changed.
  • Page 112: Using The Ssh Server To Allow Secure Sessions

    Using the SSH server to allow secure sessions You can enable an SSH server to allow secure CLI sessions, such as telnet, to the NVR. You also have the option of enabling the private and public interface filters, setting the port for the SSH server, and restarting the server. You can use either the NVR GUI or CLI to configure the SSH server.
  • Page 113: Configuring The Ssh Server

    Configuring the SSH server To set the parameters for the SSH server: Select Services > Available. The Allowed Services page appears as shown in Figure 18 on page 114.
  • Page 114: Figure 18 Allowed Services Window

    Figure 18 Allowed Services window In the Port text box, enter the SSH server port number. Note: If an SSL VPN card exists in the NVR, the port for the SSH server cannot be 22. To enable filters, select either the Public or the Private check box. Click OK.
  • Page 115: Using The Cli For Ssh Server

    Using the CLI for SSH server Defining an SSH server (CLI) To configure an SSH server on the Nortel VPN Router, from CLI Global Configuration Mode, enter: ssh-server {port <portnum> | private | public } no ssh-server { private | public } where: •...
  • Page 116: Displaying The Current Settings For The Ssh Server

    SSH server port; • state—specifies the state (enabled or disabled) of the SSH server. For example, to display the current SSH server port for the Nortel VPN Router, enter: CES(config)# show ssh-server port For example, to display the state (enabled or disabled) of the current SSH server...
  • Page 117: Restricted Product - Export License Requirement

    Pursuant to such license, the product can be marketed and sold only to a limited class of international users. Any entity, other than Nortel, Inc., that wants to export this product must first obtain license approval from the US Department of Commerce.
  • Page 119: Configuring Branch Office Tunnels

    Router. Branch office configuration allows you to configure the accessible subnetworks behind each Nortel VPN Router. The configuration also contains the information that is necessary to set up the connection, such as the Nortel VPN Router’s IP addresses, encryption types, and authentication methods. You can apply local policy restrictions, such as access hours, filter sets, and call admission priorities, to limit connectivity into local subnetworks.
  • Page 120: Figure 19 Typical Branch Office Environment

    Internet. You must configure the default Nortel VPN Router with a static route to the Nortel VPN Router for accessible networks (refer to Profiles > Branch Office > Edit Branch Office Connection).
  • Page 121: Figure 20 Branch-To-Branch With A Firewall And A Router

    The default public LAN route directs the encapsulated data to the remote Nortel VPN Router branch office connection. For a Nortel VPN Router that has a WAN link, actions 3 and 4 collapse together, and the encapsulated data is directed to the remote server.
  • Page 122: Figure 21 Indirectly Connected Branch Offices

    NAT allows branch office connections to eliminate problems with overlapping addresses on both sides of the connection, and it allows you to hide the LAN addresses. To set up branch offices with NAT, see Nortel VPN Router Security — Firewalls, Filters, NAT, and QoS.
  • Page 123: Pptp Nested Tunnels

    The control packets for the PPTP tunnel are processed and the Nortel VPN Router at the exit node of the branch office creates a new PPTP tunnel inside the branch office tunnel.
  • Page 124: Dns For Branch Office Tunnel Endpoints

    DNS for branch office tunnel endpoints When configuring branch office tunnels with the Nortel VPN Router, you can enter a DNS name for the tunnel endpoint. The Nortel VPN Router uses domain name address resolution to resolve the actual IP address of the endpoint. The Nortel VPN Router client already supports this ability.
  • Page 125: Round Robin Dns

    Services on the Internet typically have more than one server that is public facing to share the load. Each of these servers has a unique IP address, but they share a common DNS name.
  • Page 126: Figure 23 Failover Example

    DNS query. The DNS server returns addresses 5.6.7.8 and 1.2.3.4 because of the Round Robin operation. The initiator selects address 5.6.7.8 because it is the first in the list and establishes a tunnel with the second Nortel VPN Router, achieving a failover.
  • Page 127: Dynamic Dns

    DNS name. However, users that host a Web server, FTP server, or game servers need to advertise an address or DNS name to allow their clients to connect to the server.
  • Page 128: Configuring A Branch Office

    DDNS. It is enabled by default. You can use this parameter only with the Nortel VPN Client. Also, your DNS server must support Dynamic DNS and be configured to allow Dynamic DNS registration.
  • Page 129: Figure 25 Setting Up A Branch Office Configuration

    Figure 25 (settings for the configuration example, Cleveland side, group /Base/cleveland): NAT: none selected; Filter: permit only dns/http; Tunnel Type: IPsec; Authentication: Text Pre-Shared Key (bostoncleveland); review settings: IPsec • vpn_to_boston • Associate with /Base/cleveland group...
  • Page 130: Adding A Group

    Adding a group To create a new group: Select Profiles > Branch Office. In the Groups section, click Add. The Add Group window appears. Enter a name and then select the parent group whose attributes the new group inherits; for example, /Base. The group name can be a maximum of 64 characters (spaces are permitted).
  • Page 131: Configuring A Tunnel Connection

    • In the remote endpoint address field, enter the address of the remote Nortel VPN Router (for example, 132.19.2.30) that you want to form the opposite end of the branch office connection. For Initiator connection types, you can enter the DNS host name.
  • Page 132 VPN without requiring that you reconfigure or rename your existing network. NAT sets are defined on the Profiles > NAT window. For further information on NAT, see Nortel VPN Router Security — Firewalls, Filters, NAT, and QoS. 11 For IP Configuration, select either Static or Dynamic routing for this branch office connection: •...
  • Page 133: Sample Branch Office Configuration

    When you set up a branch office connection, you must perform the configuration procedure twice, once for each of the two Nortel VPN Routers that make up the connection. The branch office settings for the two Nortel VPN Routers mirror each other.
  • Page 134: Figure 26 Sample Branch Office Configuration

    • The System > Forwarding window must allow branch office-to-branch office traffic. • The Profiles > Networks window must list the Nortel VPN Router’s private networks. In the sample configuration, the local Nortel VPN Router’s internal network name is boston_hq and the subnets are 10.17.20.0 and 10.17.21.0.
  • Page 135: Sample Branch Office Procedure

    • The Profiles > Filters window must have the filters that you want to use for the branch office connection. For the example, the local Nortel VPN Router uses a filter of permit only dns/http, and the remote Nortel VPN Router uses permit all. Sample branch office procedure...
  • Page 136 12 Click on the Test button on each end of the tunnel to verify connectivity. 13 Try to ping from one PC to the other PC through the branch office.
  • Page 137: Configuring Control Tunnels

    Control tunnels provide secure access to a customer’s remote Nortel VPN Router so that you can manage it over a network. Control tunnels also guarantee that no data from the network behind that customer’s Nortel VPN Router could be accessed by anyone on the network who...
  • Page 138: Control Tunnel Types

    With both tunnel types, you can establish a secure IPsec tunnel to a system that you want to manage. The traffic inside the tunnels is limited to the Nortel VPN Router’s management IP address only, which is unique to control tunnels.
  • Page 139: Figure 28 Sample Control Tunnel Environment

    If you work at a NOC in Cleveland and you manage a customer’s Nortel VPN Router that is located in Boston, you would want to use control tunnels. On one end of the control tunnel (the Nortel VPN Router under management), access is always restricted to the management address only.
  • Page 140: Restricted Mode

    In this environment, the remote Boston Nortel VPN Router is a control tunnel to the local Cleveland Nortel VPN Router. From any system on the Cleveland network, you can access the management address for the Boston Nortel VPN Router. This allows systems on the Cleveland network to initiate management operations on the Boston Nortel VPN Router, such as HTTP, FTP, and Telnet.
  • Page 141: Creating Control Tunnels

    Another way to nail up control tunnels is to create a script that continuously sends ping packets to the management IP address of the Nortel VPN Router on the customer premises through the control tunnel from a host at the network operations center.
  • Page 142: Adding A Group

    CONTROL CREATE <name> <password> <MGMT/Local_P> <Local_endpoint> <Remote_endpoint> <Remote_Subnet_Address> <Remote_Subnet_Mask> If you are using the local Nortel VPN Router current Management IP address (132.19.2.20) rather than a substitute, then the network address translation feature is unnecessary. If not, enable control on the remote Nortel VPN Router and enter the control address through the command line interface.
  • Page 143: Adding A Control Tunnel

    For Connection Type, select Peer to Peer, Responder or Initiator. Click OK. The page refreshes. Click OK again. The Connection Configuration window appears. Continue to step 2 in “Configuring a control tunnel connection” on page 144.
  • Page 144: Configuring A Control Tunnel Connection

    Select the Endpoints for the initiator and responder connection types. • For the local endpoint address, click on the list and select the address of the local Nortel VPN Router (for example, 132.168.2.3).
  • Page 145 VPN without requiring that you reconfigure or rename your existing network. NAT sets are defined on the Profiles > NAT window. For further information on NAT, see Nortel VPN Router Security — Firewalls, Filters, NAT, and QoS. 11 For IP Configuration, select either Static or Dynamic routing for this branch office connection: •...
  • Page 146: Creating A User Control Tunnel From The Serial Interface

    IP address. This is used to force management through an encrypted tunnel and restricts access to the local resource such as outsourcing management of a Nortel VPN Router. You create the control tunnel user in the group /Base/Control Tunnels.
  • Page 147: Configuring Ipsec Mobility And Persistent Mode

    AP2. If the client had an open FTP session to the server on the private side of the corporate network, this session would have been closed. Figure 29 on page 148, if a client has a wireless connection to the...
  • Page 148: Figure 29 Example Configuration

    IP requires deployment of extra equipment and administration that could increase the cost of the solution and could be a potential cause of inter-operability problems between different vendors and providers. Nortel solves the IPSec mobility problem by enhancing its IPSec implementation.
  • Page 149: Ipsec Mobility On Nortel Vpn Router

    Network delays or congestion Logging and status for clients and servers The Nortel VPN Client logs events to the log file. This includes events such as Nortel VPN Client sending messages that the IP address changed, and receiving acknowledgement that these messages were received by the Nortel VPN Router.
  • Page 150: Ipsec Mobility And Nat

    The event log on the Nortel VPN Router reports on IPSec mobility actions. IPSec mobility and NAT If Nortel VPN Client is behind a NAT box with NAT traversal enabled and encapsulation for ESP protocol is used, UDP encapsulation is preserved after roaming.
  • Page 151: Roaming From Behind Nat To No Nat

    NAT devices. To avoid any NAT related problems, the “Always UDP Encap” option under the IPSec group configuration always forces UDP wrapping on IPSec user tunnels even if NAT was not detected during connection establishment.
  • Page 152: Ipsec Mobility In Nat Environment

    Routing table changes Routing table changes apply to the Nortel VPN Client. When operating in split tunneling mode, the NVC periodically checks the routing table on the client's PC to determine if the table has been altered in any way. This checking is done for security reasons, to detect intrusions and unauthorized access to the private network.
  • Page 153: Initial Contact Payload (Icp)

    Adapter is plugged in and connects Initial contact payload (ICP) If the Nortel VPN Client fails to notify the Nortel VPN Router of the logoff or tunnel termination due to network problems (such as, the interface went down before sending logoff sequence), the client's session could still be in the session table for a period of time specified by the Idle Timeout.
  • Page 154: Maximum Roaming Time

    A similar situation may arise with the client failover tuning timers. If a rekey is initiated by the Nortel VPN Router during the roaming time, it may not be able to reach the client (for example, it is out of area) and the rekey may fail.
  • Page 155: Persistent Tunneling

    VPN connection. Persistence makes use of the automatic failover capability already available with the Nortel VPN Router and extends this to allow the new tunnel to be established without having to re-enter user credentials. A configuration option on the Nortel VPN Router allows you to specify that VPN clients will cache their VPN credentials for a specified period of time.
  • Page 156: Configuring Ipsec Mobility And Persistence

    However, the Nortel VPN Client will not enter persistence mode if the previous log off happened due to a log off message received from the Nortel VPN Router. This allows you to force a rogue user log off any time even when persistence is on.
  • Page 157 Roaming time, session could timeout prior to roaming completion. For Persistence, select Enabled or Disabled. The default is Disabled. For Session Persistence Time (minutes), enter the number of minutes (1-1440). The default is 60 minutes. Click on OK.
  • Page 158 IP connectivity. To configure the Nortel VPN Router using CLI, you need to either telnet to the Nortel VPN Router or connect to it through the Serial Interface > option L on the menu.
  • Page 159 To change the maximum roaming time to, for example, 210 seconds: CES(config-group/ipsec)#max-roamingtime 210 To change the persistence time to, for example, 1000 minutes: CES(config-group/ipsec)#persistent-time 1000 To exit the IPSec group configuration mode: CES(config-group/ipsec)#exit
  • Page 160 To view the IPSec configuration for the group, for example Base: CES(config)#show groups ipsec "/Base" IPSEC Settings: Rekey Timeout Rekey Data Count Perfect Forward Secrecy Banner Configured Domain name Configured Display Banner Compression Primary DNS Address Primary WINS Address Secondary DNS Address Secondary WINS Address Allow Clients Allow undefined networks for non-Contivity clients...
  • Page 161 Inverse Split Tunneling Networks Configured ! Radius Server does not exist for this group or its ancestors CES(config)# To exit configuration mode: CES(config)#exit CES# : Disabled : Not : Not : Enabled : Enabled : Not...
  • Page 163: Branch Office Quick Start Template

    Branch office quick start template The branch office quick start template provides a list of values that the local Nortel VPN Router 1010/1050/1100 users will need to enter on the BOQS window. You can enter the appropriate values in the right-hand column and then...
  • Page 165: Glossary

    A system or process that requests a service of another system or process. default route A route that is used when the switch receives traffic for which no matching route is in the routing table.
  • Page 166 Diffie-Hellman A key agreement algorithm that does key establishment, not encryption. However, the key it produces may be used for encryption, for further key management, or any other cryptography. digital certificate A certificate document in the form of a digital data object to which is appended a computed digital signature value that depends on the data object.
  • Page 167 Defines how encryption keys for sessions are initiated and updated. intranet A computer network, especially one based on Internet technology, that an organization uses for its own internal, and usually private, purposes and that is closed to outsiders.
  • Page 168 IP address The identifiers used by the protocols that govern Internet information exchange. The Internet Network Information Center assigns these numbers to uniquely identify different machines on the Internet. IPsec A tunneling protocol that offers a strong level of encryption and integrity protection.
  • Page 169 The unit of data sent across a network. Typically, it refers to application data units. PING A program used to test reachability of destinations by sending an ICMP echo request and waiting for a reply.
  • Page 170 Point-to-Point Protocol (PPP) A protocol that provides a method for transmitting packets over serial point-to-point links. Point-to-Point Tunneling Protocol (PPTP) A tunneling protocol that is used as a security tool. port A transport layer demultiplexing value. Each application has a unique port number associated with it.
  • Page 171 Telnet A command protocol used to establish login sessions on a remote host. triggered update
  • Page 172 A method used by RIP in which a new routing table is sent almost immediately after a routing change has been made. This is in contrast to the poison reverse method, in which routes are updated after a cost of infinity is reached, a process that can take much time.
  • Page 173: Index

    131, 144 responder 131, 144 control tunnels 137 branch office 139 creating 141, 142 nailed-up 140 restricted mode 140 sample 139 user 139 data collection interval 110 default login 51
  • Page 174 password 51 default route branch office 121 DHCP client 94 branch office tunnel endpoints 124 host name 92 round robin DNS 125 Dynamic DNS (DDNS) 127 encryption settings for branch office 121 FIPS overview 28 firewall branch office 120 interaction with branch office 121 license key 28 flash disk system compressed files 72...
  • Page 175 27 firewall 27 tunnel 27 licenses 56 log file configuration 110 life time 110 login 51 MAC Pause 97 management Nortel VPN Router 56 management IP address 41, 92 Multinetting 97
  • Page 176 57 nested tunnels 123 Network Address Translation (NAT) 122 Network Time Protocol (NTP) 106 Nortel VPN Router 1010/1050/1100 branch office quick start 61 compact flash disk 72 default configuration parameters 60 ISP environment 63 setting up 67 password 51...
  • Page 177 Uniform Resource Locator (URL) 50 user ID search 84 user control tunnel serial interface 146 user groups adding 82 searching 84 user profile adding 82 user tunnels 81 VPN DNS 124 VPN Router Access 25
  • Page 178 Web browser interface 50 Web interface options 53 Welcome display 56

This manual is also suitable for: Contivity 1010, Contivity 1050