Nortel NN46120-104 User Manual

VPN Gateway
Nortel VPN Gateway

User Guide

Release: 7.1
Document Revision: 02.01
www.nortel.com
NN46120-104
216368-G
Summary of Contents for Nortel NN46120-104

  • Page 1: User Guide

    Nortel VPN Gateway User Guide Release: 7.1 Document Revision: 02.01 www.nortel.com NN46120-104 216368-G...
  • Page 2 Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks. *Nortel, Nortel Networks, the Nortel logo and the Globemark are trademarks of Nortel Networks. Export This product, software and related technology is subject to U.S.
  • Page 3: Table Of Contents

    Installing an NVG in a New Cluster 42 Joining a VPN Gateway to an Existing Cluster 52 Installing an ASA 310-FIPS 58 Reinstalling the Software 70 Copyright © 2007-2008 Nortel Networks Nortel VPN Gateway User Guide NN46120-104 02.01 Standard 14 April 2008...
  • Page 4 An ASA 310-FIPS Cluster Must be Reconstructed onto New Devices 158; A User Fails to Connect to the VPN 163; User Unable to Connect to the VPN Gateway through the Net Direct Client 168...
  • Page 5 Creating a Port Forwarder Authenticator 276; Adding a Port Forwarder Logger 279; Connecting Through a Proxy 282; Monitoring the Port Forwarder 283; Glossary; Index...
  • Page 7: Preface

    This User’s Guide describes how to perform basic configuration and maintenance of the Nortel VPN Gateway (NVG).
  • Page 8: Who Should Use This Book

    This User’s Guide is intended for network installers and system administrators engaged in configuring and maintaining a network. It assumes that you are familiar with Ethernet concepts and IP addressing.
  • Page 9: Related Documentation

    Lists new features available in version 7.1 and provides up-to-date product information. The preceding manuals are available for download (see page 14).
  • Page 10: Product Names

    Note: Manufacturing of the Nortel SSL Accelerator (formerly Alteon SSL Accelerator) has been discontinued.
  • Page 11: How This Book Is Organized

    “The SNMP Agent” (page 183) ... agent on the NVG, and which MIBs (Management Information Bases) are supported. ... provides an overview of the ... provides information about ... describes how to install the NVG in a new cluster,...
  • Page 12 (NVG) without the user having to start any applets from the Portal. “Glossary” (page 285) ... this document. ... 191), contains a list of all syslog messages ... provides licensing information for the ... provides detailed information about the ...
  • Page 13: Typographic Conventions

    Typographic Conventions (Typeface or Symbol: Meaning)
    AaBbCc123: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
    AaBbCc123 (bold): This bold type appears in command examples.
    <AaBbCc123>: ...
  • Page 14: How To Get Help

    Getting help through a Nortel distributor or reseller: If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller. https://www.nortel.com/support/ http://www.nortel.com/erc/
  • Page 15: Introducing The VPN Gateway

    These features can be used separately or be combined. This User’s Guide covers the basic tasks that need to be completed irrespective of which feature you wish to deploy.
  • Page 16: SSL Acceleration

    Application Guide for SSL Acceleration. For more information about the basic operations of the VPN Gateway, see the "Public Key Infrastructure and SSL" chapter in the Application Guide for SSL Acceleration.
  • Page 17: VPN

    VPN client) or the Nortel SSL VPN client installed (transparent mode). For examples on how to configure the VPN Gateway for VPN deployment, see the Application Guide for VPN.
  • Page 18: Hardware Platforms

    2424-SSL. The VPN Gateway software resides on the SSL Processor which is mounted inside the switch chassis. Note: Manufacturing of the Nortel SSL Accelerator (formerly Alteon SSL Accelerator) has been discontinued.
  • Page 19: Feature List

    Net Direct client (SSL). VPN client temporarily downloaded from the Portal and removed when the user exits the session. On Windows, Net Direct is also available as an installable client (setup.exe file).
  • Page 20: Transparent Mode Access

    The extended profile (optional) also defines a group member’s access rights depending on conditions related to the user’s connection, for example, source network, authentication method, access method, client certificate installed and/or Tunnel Guard checks passed.
  • Page 21: Client Security

    SSL and IPsec VPNs. • Secure VPN binding. Each VPN is bound to a private IP interface. VLAN tagging can be used when private IP address spaces overlap.
  • Page 22: Branch Office Tunnels

    • Supports load balancing of encrypted and unencrypted traffic for up to 256 backend servers, with health checking and persistent client connections.
  • Page 23: Scalability And Redundancy

    Public Key Infrastructure • RSA key pair generation • Server certificate enrollment • Server key and certificate import/export • Key and certificate renewal
  • Page 24 VPN Gateways, SSL servers and VPNs. • Support for histograms, for example, to measure transactions per second (TPS) and throughput.
  • Page 25: Secure Portable Office (SPO) Client

    NVG server thus simplifying SPO client maintenance and updates. For more information about the Secure Portable Office Client, see Configuration - Secure Portable Client Guide.
  • Page 27: Introducing The ASA 310-FIPS

    ASA 310-FIPS device is equipped with two identical HSM cards. Note: When using the ASA 310-FIPS device in a cluster, remember that all NVG devices in the cluster must be of the ASA 310-FIPS model.
  • Page 28: HSM Overview

    All cryptographic requests, such as generating private keys or performing encryption, are automatically routed to the HSM card by the NVG application and performed on the HSM card only.
  • Page 29: Extended Mode Vs. FIPS Mode

    U.S. laws referenced in the standard. For more information about the FIPS specification, visit http://csrc.nist.gov/publications/fips/index.html and scroll down to "FIPS 140-1".
  • Page 30: The Concept Of iKey Authentication

    PCI bus within an ASA 310-FIPS, and over the network among the ASA 310-FIPS devices in the cluster. By inserting the CODE-SO iKey and the CODE-USER iKey in turns when requested...
  • Page 31: Available Operations And iKeys Required

    Table 2 "Available Operations and iKeys Required" (Type of iKey Required): Logging in to the HSM card; Splitting the wrap key onto a pair of CODE iKeys; ...
  • Page 32 HSM-SO iKey password, the HSM-USER iKey is required to re-login to the HSM card. Changing the HSM-USER iKey password ... Type of iKey Required: HSM-SO, HSM-US...
  • Page 33: Additional HSM Information

    To view the HSM card’s FIPS 140-1 validation certificate, see Appendix B, "FIPS 140-1 Validation Certificate" in the Hardware Installation Guide. “An ASA 310-FIPS Stops Processing Traffic” (page...
  • Page 35: Initial Setup

    This chapter covers the basic setup and initialization process for the Nortel VPN Gateway (NVG). It introduces the concept of clusters, and provides detailed instructions for reinstalling the VPN Gateway software, should it become necessary.
  • Page 36: Clusters

    NVG must be configured as a slave. Master NVGs cannot exist on different intranet subnets.
  • Page 37: IP Address Types

    IP address that the Nortel Application Switch load balances to when requests are made to a virtual server IP address (VIP). The VPN Gateway’s host IP address will in fact be one of the switch’s RIPs.
  • Page 38: Ports

    Each port should be marked with the appropriate number on the device. If not, see the Alteon SSL Accelerator 310, 310-FIPS, 410 Hardware Installation Guide and the VPN 3050/3070 Hardware Installation Guide respectively.
  • Page 39: Interfaces

    SSL VPN from a management station. Interface 2 will handle public traffic, that is, client traffic from and to the Internet. A two-armed configuration is considered more secure.
  • Page 40 Figure 2 Two-Armed Configuration without Application Switch. Note: Two-armed configuration is not available for the Application Switch 2424-SSL.
  • Page 41: The Setup Menu

    - Boot menu
    Info - Information menu
    exit - Exit [global command, always available]
    ... page 54 and onwards.
  • Page 42: Installing An NVG In A New Cluster

    This IP address must be unique on your network and be within the same network address range as the Management IP address. The host IP address will be assigned to Interface 1. join - Join an existing iSD cluster...
  • Page 43 Enter the Management IP (MIP) address: <IP address> Making sure the MIP does not exist...ok Trying to contact gateway...ok Note: If needed, you can later create a two-armed configuration by adding a new interface to the cluster, exclusively used for client traffic, and assign an unused port to that interface.
  • Page 44: Setting Up A Two-Armed Configuration

    Management IP address (see ...) assigned to Interface 1. Enter network mask and VLAN tag ID. --End-- join - Join an existing iSD cluster...
  • Page 45 Specify a default gateway IP address that is within the same network address range as the host IP address on the traffic (public) interface. Enter VLAN tag id (or zero for no VLAN) [0]:...
  • Page 46: Complete The New Setup

    Enter NTP server address (or blank to skip): <IP address> Enter DNS server address: <IP address> Generate new SSH host keys and define a password for the admin user. --End--
  • Page 47 Create a trusted portal account [yes]: <press ENTER to create the account> User name: john User password: password Creating default networks under /cfg/vpn Creating default services under /cfg/vpn (eg company.com,intranet.company.com): example.com Creating group ’trusted’ with secure access.
  • Page 48 Enter Upper IP address in pool range: 10.10.20.99 Enter Network mask for the pool range: [255.255.255.0] : 16 VPN Portal IP address. Used by remote users to connect to the VPN. DNS search list. Enables use of short names on the Portal, for example, inside to connect to the server inside.example.com.
  • Page 49: Settings Created By The Vpn Quick Setup Wizard

    If you ran the VPN quick setup wizard during the initial setup, a large number of settings were configured automatically. IPsec group login and secret. Enables IPsec access for the...
  • Page 50 RFC 1918 document: • Network address: 192.168.0.0, Network mask: 255.255.0.0 • Network address: 10.0.0.0, Network mask: 255.0.0.0 • Network address: 172.16.0.0, Network mask: 255.240.0.0
  • Page 51: Default Services

    Uses TCP ports 20 and 21. • smb. Uses TCP port 139. • fileshare. Uses TCP ports 20, 21 and 139.
  • Page 52: Joining A VPN Gateway To An Existing Cluster

    Setup menu. Step Action Choose join from the Setup menu to add a VPN Gateway to an existing cluster. “Performing Minor/Major Release ...” (page 74). Use the /boot/software/cur command to...
  • Page 53 Press ENTER to continue with creating a one-armed configuration. Setup a two armed configuration (yes/no) [no]: <Press ENTER> join - Join an existing iSD cluster - Initialize iSD as a new installation...
  • Page 54 Setup will guide you through the initial configuration of the iSD. Configure the management interface port number. Enter port number for the management interface [1-4]: 1 --End-- join - Join an existing iSD cluster...
  • Page 55 Enter network mask [255.255.255.0]: <press ENTER to accept> In a two-armed configuration, the traffic interface host IP address will be assigned to Interface 2. The management interface host IP address will be...
  • Page 56: Complete The Join Setup

    VPN Gateway, you may configure each additional NVG as either master or slave. For up to three additional NVGs, the default setting is master. When adding one... --End--
  • Page 57 Browser-Based Management Interface (BBI). Log in as the admin user. For more information about the CLI, see “The Command Line Interface” (page 135). For more information about the BBI, see the SSL VPN BBI Quick Guide. --End--
  • Page 58: Installing An ASA 310-FIPS

    310-FIPS as the first member in a new cluster. [Setup Menu] >> Setup# new Setup will guide you through the initial configuration of the iSD. join - Join an existing iSD cluster...
  • Page 59 HSM cards, you need to have the following iKeys: ... When the basic setup is completed, ...
  • Page 60 Remember to take steps to label each pair of HSM-SO and HSM-USER iKeys and the HSM card to which each set of iKeys is associated during the initialization. — The purple HSM Security Officer iKey, embossed with "HSM-SO".
  • Page 61 HSM card, you will be prompted for the specific CODE iKey, in turns. Having each iKey properly ... or to HSM cards in an ASA 310-FIPS device that is ... Two black CODE iKeys, supposedly labeled "CODE-SO"...
  • Page 62 ASA 310-FIPS units to the ... Note: Unlike the HSM-SO and the HSM-USER iKeys, the CODE-SO and CODE-USER iKeys are not specific for each HSM card.
  • Page 63: Adding An ASA 310-FIPS To An Existing Cluster

    You add additional ASA 310-FIPS units to an existing cluster by selecting join from the Setup menu in the ASA 310-FIPS, after it has booted.
  • Page 64 Follow the instructions for joining a VPN Gateway to an existing cluster. Read the sections starting with “... Existing Cluster” (page ...). join - Join an existing iSD cluster - Initialize iSD as a new installation...
  • Page 65 310-FIPS device. When an operation requires inserting an HSM iKey, a flashing LED will direct you to the USB port on the correct HSM card. Step...
  • Page 66 Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED). <insert the HSM-USER iKey specific for this HSM card> Hit enter when done. Note: For more information about iKeys, see “The Concept of iKey Authentication” (page 30).
  • Page 67 Wrap key successfully combined to card 0. Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys onto HSM card 1. ... Step 6 are related to transferring the cluster wrap key ... The two black HSM Code iKeys, labeled "CODE-SO"...
  • Page 68 ASA 310-FIPS units in the cluster. After a short while you will get a login prompt. Note: After successfully having initialized the HSM cards, you are automatically logged in to each HSM card as USER.
  • Page 69 ASA 310-FIPS units using the command line interface (CLI). Log in as the admin user, and the Main menu is displayed. For more information about the CLI, see “The Command Line Interface” (page 135).
  • Page 70: Reinstalling The Software

    When performing a reinstallation of the NVG software, access to the VPN Gateways must be accomplished through the console port. Step Action Log in as the boot user and provide the correct password.
  • Page 71

    Select a download method, specify the server IP address, and the boot image file name. *** Reinstall Upgrade Procedure *** Note: If the VPN Gateway has not been configured for...
  • Page 72

    This time, log in as the admin user to enter the Setup menu. For more information about the Setup menu... --End--
  • Page 73

    • Loading the new software upgrade package or install image onto an FTP/SCP/SFTP server on your network. • Downloading the new software from the FTP/SCP/SFTP server to your VPN Gateway.
  • Page 74

    FTP/SCP/SFTP server. >> Main# boot/software/download Select protocol (ftp/scp/sftp) [ftp]: ftp When you have gained access to the VPN...
  • Page 75

    (which may cause the VPN Gateway to reboot), the software version is marked as permanent. The software version previously marked as permanent will then be marked as old. --End--
  • Page 76

    To activate the unpacked software upgrade package, use the activate command. At the Software Management# prompt, enter: ... unpacked means that the software upgrade package has been downloaded and automatically decompressed. permanent means that the software is operational and will survive a reboot of the system.
  • Page 77

    In this example, version 7.0.1 is now operational and will survive a reboot of the system, while the software version previously indicated as permanent is marked as old. Note: Activating the unpacked software upgrade package may cause the command line interface (CLI) software to be upgraded as well.
  • Page 79

    This chapter describes the rules that govern administrator/operator user rights, how to add or delete users from the system, how to set or change group assignments, and how to change login passwords.
  • Page 80

    For more information about default user groups and related access levels, see also “Accessing the NVG Cluster” (page ...).
  • Page 81

    Each time the new user logs in to the NVG cluster, the user must enter the name you designate as the user name in this step. /cfg/sys/user - Change own password - Set password expire time interval...
  • Page 82

    When successfully logged in, the user can change his or her own password. The login password is case sensitive and can contain spaces. oper admin certadmin...
  • Page 83

    User menu is hidden. Only users who are members of ... Note 1: If the export passphrase defined by the Certificate Administrator is lost, configuration backups made by the admin user while he or she was not a member of the certadmin group cannot be restored.
  • Page 84

    >> User admin# groups/list
    1: tunnelguard
    2: admin
    3: oper
    4: certadmin
    >> Groups# del 4
    Verify and apply the changes.
    >> Groups# list
    Old: Pending:
    Note: It is critical that a Certificate Administrator user is created and assigned certadmin group membership before the admin user is removed from the certadmin group.
  • Page 85

    If a match is found, the logged on user is given the administration rights pertaining to matching group(s). Otherwise, the user is denied access. See the /cfg/sys/adm/auth/group command in the User’s Guide. 2: admin 3: oper --End--
  • Page 86

    Assign the admin user certadmin user rights by adding the admin user to the certadmin group. /cfg/sys/user - Change own password - Set password expire time interval - List all users - Delete a user...
  • Page 87

    Old: Pending: >> Groups# apply Note: A user must be assigned to at least one group at any given time. If you want to replace a user’s single group assignment, you must therefore always first add the user to the desired new group, then remove the user from the old group.
  • Page 88

    >> User# passwd Enter cert_admin’s current password: (current cert_admin user password) Enter new password: (new cert_admin user password) /cfg/sys/user - Change own password - Set password expire time interval - List all users...
  • Page 89

    >> User# edit Name of user to edit: cert_admin Type the password command to initialize the password change. --End-- /cfg/sys/user - Change own password - Set password expire time interval...
  • Page 90

    Enter new password for cert_admin: (new password for user being edited) Re-enter to confirm: (confirm new password for user being edited) Apply the changes. >> User cert_admin# apply Changes applied successfully. --End--
  • Page 91

    To list all users that are currently added to the system configuration, use the list command. >> User# del cert_admin Verify and apply the changes. /cfg/sys/user - Change own password - Set password expire time interval...
  • Page 92

    (-). To cancel a configuration change that has not yet been applied, use the revert command. >> User# list oper root admin -cert_admin >> User# apply --End--
  • Page 93

    VPN Gateway by using the command line interface. This way, the encrypted private key never leaves the VPN Gateway, and is invisible to the user.
  • Page 94

    Name and E-mail Address is strictly required. ... Note: When specifying a certificate number, make sure not to use a number currently used by an existing certificate. To view basic information about all configured certificates, use the /info/certs command.
  • Page 95

    Generate the CSR. Press ENTER after you have provided the requested information. The CSR is generated and displayed on screen: ... Organization Name: The registered name of the organization. This organization must own the domain name that appears in the common name of the Web server.
  • Page 96

    Make sure to remember the password phrase. Note: Provided you intend to use the same certificate number when adding the certificate returned to you (after the CSR...
  • Page 97

    In a text editor, open the .csr file you created in ... should appear similar to the following: ... Note: When using an ASA 310-FIPS, the private key is protected by the HSM card and cannot be exported.
  • Page 98

    CSR, specify Apache. The CA will return the signed certificate for installation. The certificate is then ready to be added into the VPN Gateway. --End--
  • Page 99

    PEM format only. Note: When performing a copy-and-paste operation to add a certificate or key, you must always use the PEM format. “How to Get Help” (page 14)
  • Page 100

    Open the certificate file you have received from a CA in a text editor and copy the entire contents. Make sure the selected text includes the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.
  • Page 101

    CSR when pasting the contents of the certificate file, your certificate is now fully installed. Note: Depending on the type of certificate the CA generates (registered or chain), your certificate may appear substantially different from the one shown before.
  • Page 102

    The password phrase you are requested to type is the one you specified when creating (or exporting) the private key. Your screen output should now resemble the following example. --End--
  • Page 103

    Using TFTP/FTP/SCP/SFTP to add Certificates and Keys The following is an example of how to input a certificate into the VPN Gateway using TFTP, FTP, SCP, or SFTP. --End--
  • Page 104: Nortel Vpn Gateway

    You may also be prompted for a password phrase (if specified when creating or exporting the private key) Copyright © 2007-2008 Nortel Networks Note: You may arrange to include your private key in the certificate file. When the specified certificate file is retrieved...
  • Page 105: Nortel Vpn Gateway

    /cfg/ssl/server #/ssl/cert command. If the NVG software is used for deployment of a VPN solution, the certificate should be mapped to the portal server of the ... Certificate added.
  • Page 106: Nortel Vpn Gateway

    desired VPN, using the /cfg/vpn #/server/ssl/cert command. To view basic information about configured certificates, use the /cfg/cur cert command. --End--
  • Page 107: Nortel Vpn Gateway

    >> SSL Settings# cert Current value: 2 Enter certificate number: (1-1500) 3 After you have tested that the new certificate works fine you may delete the old certificate(s). --End--
  • Page 108: Nortel Vpn Gateway

    Action: Display information about current virtual SSL servers. This command displays information about all virtual SSL servers on the VPN Gateway, including the installed certificate. Based on...
  • Page 109: Nortel Vpn Gateway

    To view basic information about all certificates currently added to the VPN Gateway, use the /info/certs command. Apply your settings. >> SSL Settings# apply Changes applied successfully. --End--
  • Page 110: Nortel Vpn Gateway

    Common Name (e.g., your name or your server’s hostname): Email Address: Subject alternative name (blank or comma separated list URI:<uri>, DNS:<fqdn>, IP:<ip-address>, email:<email-address>):
  • Page 111: Nortel Vpn Gateway

    365 days. Also decide which key size should be used. The default key ... Note: Only certificates having the basic constraint CA:TRUE can be used for generating client certificates. When generating a client certificate, the VPN Gateway automatically checks that the current certificate has this constraint.
  • Page 112: Nortel Vpn Gateway

    You should save the client certificate and assign a certificate index number to it. The lowest available index number is displayed in square brackets and will be used unless you specify a different number.
  • Page 113: Nortel Vpn Gateway

    If the correct certificate index number is already listed by Current value:, press ENTER and answer no to the question if you want to clear the list. --End--
  • Page 114: Nortel Vpn Gateway

    Enter name of combined key and certificate file on remote host: cert.pfx FTP User (anonymous): <FTP user name> Password: <password> sent 2392 bytes --End--
  • Page 115: Nortel Vpn Gateway

    Web browser or e-mail program. For more information about importing certificates, refer to the help system of the destination Web browser or e-mail program.
  • Page 116: Nortel Vpn Gateway

    Specify the host name or IP address of the TFTP/FTP/SCP/SFTP server, and provide the file name of the CRL. The CRL is retrieved and added to Certificate 1 (used as an example).
  • Page 117: Nortel Vpn Gateway

    >> Revocation# add Enter serial number to revoke: To add serial numbers in hexadecimal form, enter addx instead of add. Certificate revocation list found in der format Revocation list added. --End--
  • Page 118: Nortel Vpn Gateway

    >> Revocation# list Revoked certificates: Apply your changes. >> Revocation# apply Changes applied successfully. Certificate revocation list found in ascii format “Creating Your Own Certificate Revocation List” (page --End--
  • Page 119: Nortel Vpn Gateway

    # CRL for CA certificate 1 # Issued first: 2005-01-01 # Last update: 2005-02-01 ASCII revocation “Revoking Client Certificates Issued within your Own 117). Note: You can add comments to a CRL ASCII file by preceding your comments with the # character.
  • Page 120: Nortel Vpn Gateway

    If you want to retrieve CRLs from an LDAP server, you need to provide the distinguished name of the specific object on the LDAP server, together with the attribute that holds the CRL (all in ... --End--
  • Page 121: Nortel Vpn Gateway

    When using HTTP or TFTP to retrieve a CRL, you don’t need to provide a password for binding and authentication. Note: RFC 2255 states that entering host information is optional. The NVG software’s implementation of the CRL retrieval feature however requires that host information is specified.
  • Page 122: Nortel Vpn Gateway

    CRLs, a first retrieval is invoked immediately. After that, retrievals will occur at the specified time interval (where the default value is once every 24 hours). Apply the changes. --End--
  • Page 123: Nortel Vpn Gateway

    The user name will be based on ‘useroid’ in NVG. The NDIC login screen is displayed with a disabled, pre-filled user name. Enter the password in the NDIC login screen. Click Connect. --End--
  • Page 124: Nortel Vpn Gateway

    Make sure the certificate you used for signing the CSR is specified as a CA certificate on the virtual SSL server.
  • Page 125: Nortel Vpn Gateway

    Current value: "" Enter certificate numbers (separated by comma): 1 Apply the changes. The CSR is signed using the private key associated with the currently selected certificate. --End--
  • Page 126: Nortel Vpn Gateway

    Test key and certificate added. Use ’apply’ to activate. Apply the changes. The test certificate is now ready to be mapped to an SSL server. “Generating and Submitting a CSR Using the CLI” (page bytes.
  • Page 127: Nortel Vpn Gateway

    If the NVG software is used for deployment of a VPN solution, the certificate should be mapped to the portal server of the desired VPN, using the /cfg/vpn #/server/ssl/cert command. --End--
  • Page 128: Nortel Vpn Gateway

    (1.2.840.113549.1.9.1) = john@nortel.com = US = Dallas = John. Check if Key and Certificate Match: To check if the private key matches the public key in the selected certificate, use the following command:
  • Page 129: Nortel Vpn Gateway

    >> Certificate 1# keyinfo The key is protected by the iSD Cluster.
  • Page 131: Nortel Vpn Gateway

    Virtual Desktop: Symantec On-Demand Agent (SODA) provides a Virtual Desktop environment to secure Web-based applications and services. Therefore, you can access confidential information in a secure environment.
  • Page 132: Nortel Vpn Gateway

    In the system tree view, select Host(s). Click on the SSL VPN Host name. The System Information screen is displayed. Click on the Licenses tab. Paste the contents of the license.
  • Page 133: Nortel Vpn Gateway

    Enter the user name and password. Click on Home. Click on the virtual desktop link. --End-- Click on the virtual desktop link. The virtual desktop is launched. --End--
  • Page 134: Nortel Vpn Gateway

    Note: If you want to enable or disable some of the options in this, contact your system administrator.
  • Page 135: Nortel Vpn Gateway

    (available in the Boot menu), you should connect to the IP address of the particular VPN Gateway on which you want to perform these commands, or connect to that VPN Gateway through a console connection.
  • Page 136: Nortel Vpn Gateway

    When connecting to a VPN Gateway, use a serial cable with a female DB-9 connector (shipped with the VPN Gateway). Power on the terminal. To establish the connection, press ENTER on your terminal. Value 9600 None...
  • Page 137: Nortel Vpn Gateway

    To establish a Telnet connection with the VPN Gateway, run the Telnet program on your workstation and issue the Telnet command, followed by the VPN Gateway’s IP address. “Accessing the NVG Cluster” (page...
  • Page 138: Nortel Vpn Gateway

    Telnet client. However, because a secured and encrypted communication channel is set up even before the user name and password is transmitted, all traffic sent over the network while ... 140).
  • Page 139: Nortel Vpn Gateway

    VPN Gateway after having generated new host keys, your SSH client will display a warning that the host identification (or host keys) has been changed. 140).
  • Page 140: Nortel Vpn Gateway

    Once you are connected to the VPN Gateway through a console connection or remote connection (Telnet or SSH), you are prompted to enter a user ... “Adding a New User” (page “How to Get Help” (page...
  • Page 141: Nortel Vpn Gateway

    Password” (page 141). 88). Table 5 User Access Levels (columns: User Account, User Access Level Description, Group). User accounts: oper, admin, boot, root. oper: The Operator is allowed read access to some of the menus and information available in the CLI.
  • Page 142: Nortel Vpn Gateway

    If the VPN Gateway has already been configured, the Main menu of the CLI is displayed instead. The following figure shows the Main menu with administrator privileges. 42)), a utility designed to help you through the ...
  • Page 143: Nortel Vpn Gateway

    Command Line History and Editing: For a description of global commands, shortcuts, and command line editing functions, see the Command Reference.
  • Page 144: Nortel Vpn Gateway

    For more information about pending configuration changes, see the "Viewing, Applying and Removing Changes" section under Configuration Menu in the Command Reference.
  • Page 145: Nortel Vpn Gateway

    • Cannot download the NetDirect Zipped file from client PC. The chapter also provides a section on performing system diagnostics, on “System Diagnostics” (page “Cannot Connect to VPN Gateway through Telnet or SSH” 148). 149).
  • Page 146: Nortel Vpn Gateway

    Access List, this means that any host is allowed to access the VPN Gateway over the network (assuming that Telnet or SSH access is enabled).
  • Page 147: Nortel Vpn Gateway

    " section under Configuration Menu>SSL Configuration Menu in the Command Reference. If this does not help you to solve the problem, contact Nortel for technical support. See “How to Get Help” (page 14).
  • Page 148: Nortel Vpn Gateway

    VPN Gateway you want to add to the cluster. Perform the steps described in Release Upgrades” (page 70). After having adjusted the 74). Then add the NVG device by selecting join from the Setup menu.
  • Page 149: Nortel Vpn Gateway

    70). If there is still a difference in software version after this, you need to adjust the software version on the VPN Gateway you want to add as well. “Reinstalling the Software”
  • Page 150: Nortel Vpn Gateway

    After having upgraded the software version in the cluster, log in to the VPN Gateway you want to add as the Administrator user and select join from the Setup menu.
  • Page 151: Nortel Vpn Gateway

    Power button again to turn the machine on. Log in as the Administrator user when the login prompt appears.
  • Page 152: Nortel Vpn Gateway

    Boot user can only access the VPN Gateway through a console connection using a serial cable, and the VPN Gateway presumably is set up in a server room with restricted access. “Reinstalling the Software” (page 140).
  • Page 153: Nortel Vpn Gateway

    HSM card. This holds true even if you use the same password for both HSM-USER iKeys. Note: It is important that you log in to the particular ASA 310-FIPS on which a reboot has occurred, and not to the Management IP address (MIP) of the cluster.
  • Page 154: Nortel Vpn Gateway

    HSM cards. The ASA 310-FIPS is now ready to process SSL traffic again. Note: If you enter the wrong password for the HSM-USER fifteen (15) times in a row, the HSM-USER iKey will be rendered unusable.
  • Page 155: Nortel Vpn Gateway

    To initialize the HSM cards when installing or adding the device in a cluster, the correct HSM-SO and HSM-USER iKeys are required, as well as the corresponding HSM-SO and HSM-USER passwords.
  • Page 156: Nortel Vpn Gateway

    Again, make sure that you insert the correct HSM-SO iKey, as each HSM card requires the specific iKey that was used when the card was first initialized.
  • Page 157: Nortel Vpn Gateway

    Setup utility, new passwords can be defined for that iKey. For more information about installing and adding an ASA 310-FIPS device in a cluster, see “Installing an ASA 310-FIPS” (page --End--
  • Page 158: Nortel Vpn Gateway

    When both HSM cards have been initialized, you will be asked if you want to use new or existing HSM-CODE iKeys. Type existing and press ENTER. “Installing an ASA 310-FIPS” (page 58) Note: When asked to use FIPS or Extended Security Mode, select the same mode that was used in the former cluster.
  • Page 159: Nortel Vpn Gateway

    Enter the same secret passphrase as was defined in the former cluster running in FIPS mode. This step only appears if you selected FIPS mode when initializing the HSM cards.
  • Page 160: Nortel Vpn Gateway

    Verify that CODE-USER iKey (black) is inserted in card 0 (with flashing LED). Hit enter when done. Wrap key successfully combined to card 0. Transfer the cluster wrap key to card 1. (page “Adding an ASA...
  • Page 161: Nortel Vpn Gateway

    Log in to the ASA 310-FIPS that you are currently connected to and restore the configuration file of the former cluster from an FTP/TFTP/SCP/SFTP server.
  • Page 162: Nortel Vpn Gateway

    >> Configuration# The configuration information is now automatically propagated and applied to all ASA 310-FIPS devices in the cluster. The information includes certificates and encrypted private keys. --End--
  • Page 163: Nortel Vpn Gateway

    To disable tracing, press ENTER to display the prompt, then enter stoptrace. >> Maintenance# stoptrace The aaa tag logs authentication method, user name, timeouts, group and profile (base or extended). “aaa” (page...
  • Page 164: Nortel Vpn Gateway

    The ike tag logs any output that is produced by the IKE daemon, e.g. all messages related to actual ISAKMP negotiations between the client and the IKE daemon.
  • Page 165: Nortel Vpn Gateway

    The tg tag logs information related to a TunnelGuard check, e.g. access method, user name, user source IP, TunnelGuard session status and SRS rule check result.
  • Page 166: Nortel Vpn Gateway

    The smb tag shows information related to SMB (Windows file share) sessions initiated through the Portal’s Files tab. The ftp tag shows information related to FTP sessions initiated through the Portal’s Files tab.
  • Page 167: Nortel Vpn Gateway

    The netdirect_packet tag logs information about packets being sent and received when the user has initiated a connection to a host. Because of the large amount of information, we recommend logging to a TFTP/FTP/SFTP server.
  • Page 168: Nn46120-104 02.01 Standard 14 April

    VPN Gateway’s version. If the ActiveX control cannot be started, Net Direct tries to start the Java applet instead. “A User Fails to Connect to the VPN” (page...
  • Page 169: Nortel Vpn Gateway

    CLI/BBI. For example, the IP address used should be from the IP pool. On Linux and Mac, click the Advanced button in the Net Direct Java applet window.
  • Page 170: Nortel Vpn Gateway

    Net Direct works. For more information about the starttrace command see the section to the VPN” (page 163). On Linux and Mac, are sent and received bytes displayed in the Net Direct Java applet window? --End--
  • Page 171: Nortel Vpn Gateway

    NVG through BBI/CLI. cfg/vpn #/portal/content/import Login as root and we can find the imported file in the path /config/isd/user_content/docroot1. You can access <https://vpn-ip/nortel_cacheable/NetDirect_Setup_Custom.zip>. --End--
  • Page 172: System Diagnostics

    Host menu by typing the following commands: >> # /cfg/sys/host Enter iSD host number: (1-) <iSD host by index number> >> iSD Host 1# cur
  • Page 173: Nortel Vpn Gateway

    To capture and analyze TCP traffic sent from a virtual SSL server to the backend server, type the following command (where you replace "#" with the index number of the desired virtual SSL server): >> # /cfg/ssl/server #/trace/tcpdump
  • Page 174: Nortel Vpn Gateway

    The file sent to the TFTP/FTP/SFTP server does not contain any sensitive information related to the system configuration, such as certificates, private keys, and so on.
  • Page 175: Nortel Vpn Gateway

    Open Windows Explorer to C:\WINNT\Downloaded Program Files. Right-click on the NetDirect.OCX ActiveX control. Select Remove. NetDirect is uninstalled. --End--
  • Page 177: Nortel Vpn Gateway

    Cipher suites: EDH-RSA-DES-CBC3-SHA, DES-CBC3-SHA, DES-CBC3-MD5, DHE-RSA-AES128-SHA, AES128-SHA, RC4-SHA, RC4-MD5, RC2-CBC-MD5, RC4-MD5, RC4-64-MD5, EXP1024-RC4-SHA, EXP1024-DES-CBC-SHA, EXP1024-RC2-CBC-MD5, EXP1024-RC4-MD5, EDH-RSA-DES-CBC-SHA. Table columns: Protocol; Key Exchange Algorithm, Authentication. Column values visible in this excerpt: SSLv3 DH, RSA; SSLv3 RSA, RSA; SSLv3 DH, RSA; SSLv3 RSA, RSA; SSLv2 RSA, RSA...
  • Page 178: Nortel Vpn Gateway

    Cipher suites (cont’d.): DES-CBC-MD5, EXP-EDH-RSA-DES-CBC-SHA, EXP-DES-CBC-SHA, EXP-RC2-CBC-MD5, EXP-RC4-MD5, EXP-RC2-CBC-MD5, EXP-RC4-MD5, ADH-AES256-SHA, ADH-DES-CBC3-SHA, ADH-AES128-SHA, ADH-RC4-MD5, ADH-DES-CBC-SHA, EXP-ADH-DES-CBC-SHA, EXP-ADH-RC4-MD5. Table columns: Protocol; Key Exchange Algorithm, Authentication. Column values visible in this excerpt: SSLv3 RSA, RSA; SSLv2 RSA, RSA; SSLv3 DH (512), RSA; SSLv3 RSA (512), RSA; SSLv3 RSA (512), RSA...
  • Page 179: Nortel Vpn Gateway

    (ALL). The final !DH string means that all cipher suites containing the DH (Diffie-Hellman) cipher are removed from the list. (Few of the major web browsers support these ciphers.)
  • Page 180: Nortel Vpn Gateway

    Using the OpenSSL command line tool (on a UNIX machine), it is possible to check which cipher suites a particular cipher list corresponds to. The preceding example yields the following output:
  • Page 181: Nortel Vpn Gateway

    Cipher string aliases: NULL; aNULL; kRSA, RSA; kEDH; aRSA; SSLv3, SSLv2. Meaning (excerpt): The default cipher list, which corresponds to ALL@STRENGTH. All cipher suites except the eNULL ciphers, which must be explicitly enabled.
  • Page 182: Nortel Vpn Gateway

    Table 7 Cipher Strings and Meanings (cont’d.) Cipher String Aliases: 3DES; SHA1, SHA. Meaning (excerpt): Cipher suites using anonymous DH encryption algorithms. Cipher suites using AES encryption algorithms. Cipher suites using triple DES encryption algorithms.
  • Page 183: Nortel Vpn Gateway

    System tree view, expand Administration and SNMP. Finally select the MIBs form. The file ALTEON-SSL-CAP.mib contains an AGENT-CAPABILITIES statement, which formally specifies which MIBs are implemented.
  • Page 184: Nortel Vpn Gateway

    • IANAifType-MIB SNMPv2-MIB: The SNMPv2-MIB is a standard MIB implemented by all agents. The following groups are implemented: • snmpGroup • snmpSetGroup • systemGroup
  • Page 185: Nortel Vpn Gateway

    Write access to all objects in this MIB is turned off in VACM. SNMP-VIEW-BASED-ACM-MIB: The following group is implemented: • vacmBasicGroup Write access to all objects in this MIB is turned off in VACM.
  • Page 186: Nortel Vpn Gateway

    The following groups are implemented: • ifPacketGroup • ifStackGroup Limitations: The agent does not implement the following objects: • ifType • ifSpeed • ifLastChange • ifInUnknownProtos • ifOutNUnicast
  • Page 187: Nortel Vpn Gateway

    MIB. The following groups are implemented: • dismanEventResourceGroup • dismanEventTriggerGroup • dismanEventObjectsGroup • dismanEventEventGroup • dismanEventNotificationObjectGroup • dismanEventNotificationGroup
  • Page 188: Nortel Vpn Gateway

    The following groups are implemented: • vpnBasicGroup • vpnEventGroup IANAifType-MIB: Defines the IANAifType Textual Convention, and thus the enumerated values of the ifType object defined in MIB-II’s ifTable.
  • Page 189: Nortel Vpn Gateway

    Description: Signifies that login to the HSM card is required. Only for the ASA 310 FIPS model. Signifies that the HSM card has been tampered with. Only for the ASA 310 FIPS model.
  • Page 190: Nortel Vpn Gateway

    Trap Name / Description:
    linkUp: Sent when the agent detects that one of the links (interfaces) has gone up. Defined in IF-MIB.
    vpnLicenseExhausted: Sent when the VPN has run out of SSL or IPsec user licenses.
  • Page 191: User Guide

    Syslog Servers menu. To view the menu options, see the "Syslog Servers Configuration" section under Configuration Menu>System Configuration in the Command Reference.
  • Page 192: List Of Syslog Messages

    Failed to write to config filesystem: Probable hardware error. Reinstall. CRITICAL • Config filesystem re-initialized - reinstall required: Reinstall. • Application filesystem corrupt - reinstall required: Reinstall. 209).
  • Page 193: Nortel Vpn Gateway

    Sent whenever the system control process has been (re)started. ALARM: Alarms are sent at a syslog level corresponding to the alarm severity as shown in the following table: Alarm Severity CRITICAL, Syslog Level ALERT ...
  • Page 194: Nortel Vpn Gateway

    Cause: file_error | not_installed Extra: "Detailed info" Severity: critical Failed to make a new software release permanent after being activated. The system will automatically revert to the previous version. (Syslog Level column: CRITICAL, ERROR, WARNING, ERROR...)
  • Page 195: Nortel Vpn Gateway

    Cause: hsm_detected Extra: "Card<Token>" Severity: critical • Name: slave_not_starting Sender: <IP>, <SlaveNo> Cause: start_error | connect_timeout | fdsend | nothidden | ...
  • Page 196: Nortel Vpn Gateway

    If <VPNIndex> is 0, the globally shared license was exhausted. • Name: software_configuration_changed Sender: system Extra: software release version <VSN> <Status> Indicates that release <VSN> (version) has been <Status> (unpacked/installed/permanent).
  • Page 197: Nortel Vpn Gateway

    DNS alarm: all dns servers are DOWN: All DNS servers are down. The VPN Gateway cannot perform any DNS lookups. ERROR • internal error: <no>
  • Page 198: Nortel Vpn Gateway

    Portal authentication has been configured for an http server, but no portal using the same VPN can be found. Make sure that there is a portal running using the same VPN id.
  • Page 199: Nortel Vpn Gateway

    Socks request of version <version> received and rejected. Most likely a non-standard socks client. • Failed to log to CLI:<reason> -- disabling CLI log
  • Page 200: Nortel Vpn Gateway

    <Cert#>: no CRL passwd found — <Cert#>: no CRL filter was found — <Cert#>: no CRL interval found for cert — <Cert#>: CRL revocation failed - <Reason>
  • Page 201: Nortel Vpn Gateway

    This will happen when the VPN Gateway is overloaded. It will start accepting connections once it has finished processing its current sessions. • No cert supplied by backend server
  • Page 202: Nortel Vpn Gateway

    Generated if the size of the SSL session cache has been modified. • No more than <nr> backend supported
  • Page 203: Nortel Vpn Gateway

    AAA Subsystem Messages: The AAA (Authentication, Authorization and Accounting) subsystem messages are divided into these categories: • ERROR • WARNING • INFO
  • Page 204: Nortel Vpn Gateway

If the log value contains portal, the following messages can be displayed:
• PORTAL Vpn="<id>" User="<user>" Proto="<proto>" Host="<host>" Share="<share>" Path="<path>"
If the log value contains http, the following messages can be displayed:
  • Page 205: Nortel Vpn Gateway

AAA provided a new IKE profile as received from RADIUS, but IKE does not have it.
• Log off notif for non-existing session id %u
AAA notified about log-off for a non-existing session.
  • Page 206: Nortel Vpn Gateway

No Secure Service Partitioning license loaded IPSEC server ~s *will not* use interface ~p
Secure Service Partitioning license not loaded.
• IPsec server ~s uses default interface (interface ~p not configured)
  • Page 207: Nortel Vpn Gateway

Received Delete IPSEC SA message from %s
Received Delete IPsec SA message.
• Client %s rejected IPSec SA Proposal, so deleting ISAKMP SA
Client rejected the IPsec SA proposal.
  • Page 208: Nortel Vpn Gateway

Allocated IP ...
An IP address was allocated from the IP pool.
• Returned IP ...
An IP address was returned to the IP address pool.
  • Page 209: Nortel Vpn Gateway

IPSec SA
All credits are exhausted for Isakmp SA
Allocated IP ...
Application filesystem corrupt - reinstall required
audit
Bad clicert, Can’t find issuer in clicert
Severity / Type column values: EVENT, System Control; INFO, Traffic Processing; WARNING
  • Page 210: Nortel Vpn Gateway

Can’t find new IKE Profile %s received in Auth Reply
Client %s rejected IPSec SA Proposal, so deleting ISAKMP
Client cert %d revoked
Closing earlier opened UDP Encap Socket for port: %d
Severity / Type column values: INFO, IPsec; INFO, Traffic
  • Page 211: Nortel Vpn Gateway

Could not find SSL hardware.
CreateSession Failed with sessionId 0
Creating Ike Profile %s
Creating tunnel profile %s
Creating UDP Encap Socket for %d.%d.%d.%d/%d
css error: <reason>
Deleting ike profile %s
Severity / Type column values: ERROR; EMERG; CRITICAL; ERROR; ERROR, Traffic
  • Page 212: Nortel Vpn Gateway

DER Id failed rsa private encrypt
Failed to allocate IP addr from empty pool
Failed to decode client cert
Failed to der encode certificate
Failed to initialize SSL hardware
Severity / Type column values: INFO, IPsec; INFO, IPsec
  • Page 213: Nortel Vpn Gateway

Host <host ip> has been down too long: is no longer accounted for in the license pool.
Host <host ip> is up: accounted for in the license pool.
HSM mode: <mode>
Severity / Type column values: ERROR, Traffic Processing
  • Page 214: Nortel Vpn Gateway

<ip>:<port>
Ignoring request to roam from %s to %s
Ignoring request to roam from %s to %s due to invalid source. Expecting %s
Severity / Type column values: ALARM, System Control (CRITICAL); ALARM
  • Page 215: Nortel Vpn Gateway

IPSEC server ~s uses default interface (interface ~p not configured)
IPSEC server <id> uses default interface (interface <n> not configured)
ISAKMP SA Established with isd_down
javascript error: <reason> for: <host><path>
Severity / Type column values: WARNING, IPsec; INFO, IPsec; NOTICE, IPsec; ERROR
  • Page 216: Nortel Vpn Gateway

License expired
Loaded <ip>:<port>
Loaded ca certificate %s
Loaded server cert %s
Log off notif for non-existing session id %u
Severity / Type column values: ERROR, Traffic Processing; ERROR; ALARM, System Control (WARNING); ALARM
  • Page 217: Nortel Vpn Gateway

No more than <nr> backend supported
No PortalGuard license loaded: VPN <id> *will* use portal authentication
No response from %s for maximum retransmission attempts %d
Severity / Type column values: ALARM, System Control (MAJOR); ERROR; ALARM, System Control
  • Page 218: Nortel Vpn Gateway

Proxy connect host name too long: <host>
Quick mode initiation to %s failed, error - %s
Rebooting to revert to permanent OS version
Received Delete IPSEC SA message from %s
Severity / Type column values: WARNING, IPsec; WARNING, Traffic Processing
  • Page 219: Nortel Vpn Gateway

Set CSWIFT as default
Shutting sslproxy down.
Because we use clicerts, force adjust totalcache size to : <size> per server that use clicerts
single_master
slave_not_starting
Severity / Type column values: INFO, IPsec; INFO, Config Reload; INFO, Config Reload
  • Page 220: Nortel Vpn Gateway

<version> rejected
SOCKS Vpn="<id>" User="<user>" SrcIP="<ip>" Request="<request>"
software_configuration_changed
software_release_copying
software_release_rebooting
ssi_mipishere
SSL connect failed: <reason>
ssl_hw_fail
Started ssl-proxy
Severity / Type column values: ERROR, Traffic Processing; INFO; ERROR, Traffic Processing; INFO; EVENT, System Control
  • Page 221: Nortel Vpn Gateway

Using <hwtype> hardware
Using new IKE. IKE Profile %s received in Auth Reply.
vbscript error: <reason> for: <host><path>
VPN AddressAssigned Vpn="<id>" Method=<"ssl"|"ipsec"> SrcIp="<ip>" User="<user>" TunIP="<inner tunnel ip>"
Severity / Type column values: INFO, System Control; ERROR, Traffic Processing; WARNING
  • Page 222: Nortel Vpn Gateway

SrcIp="<ip>" User="<user>" Groups="<groups>"
VPN LoginSucceeded Vpn="<id>" Method=<"ssl"|"ipsec"> SrcIp="<ip>" User="<user>" Groups="<groups>" TunIP="<inner tunnel ip>"
VPN Logout Vpn="<id>" SrcIp="<ip>" User="<user>"
www_authenticate: bad credentials
Severity / Type column values: INFO; INFO; INFO; INFO; ERROR, Traffic Processing
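The PORTAL, SOCKS and VPN LoginSucceeded/AddressAssigned/Logout messages listed above are the audit trail a security operations team would collect from the gateway's syslog. The following is an added Python example, not code from this guide or from Nortel, showing how to parse those key="value" messages and run two simple checks over them: users who logged in from several source addresses, and sessions that were never closed by a Logout. The sample lines are constructed for the example; the threshold, the lower-casing of field names (the guide spells SrcIp and SrcIP inconsistently) and the matching of Logout to login by user and source address are assumptions.

```python
import re
from collections import defaultdict

# Constructed sample log lines in the formats documented above (not real gateway output).
SAMPLE_LOG = """\
VPN LoginSucceeded Vpn="1" Method="ssl" SrcIp="203.0.113.5" User="alice" Groups="staff" TunIP="10.8.0.12"
PORTAL Vpn="1" User="alice" Proto="smb" Host="fs1.corp.example" Share="finance" Path="/q3/forecast.xls"
VPN LoginSucceeded Vpn="1" Method="ipsec" SrcIp="198.51.100.7" User="bob" Groups="eng" TunIP="10.8.0.13"
VPN AddressAssigned Vpn="1" Method="ssl" SrcIp="203.0.113.5" User="alice" TunIP="10.8.0.12"
SOCKS Vpn="1" User="bob" SrcIP="198.51.100.7" Request="CONNECT db1.corp.example:1433"
VPN Logout Vpn="1" SrcIp="203.0.113.5" User="alice"
VPN LoginSucceeded Vpn="1" Method="ssl" SrcIp="192.0.2.44" User="alice" Groups="staff" TunIP="10.8.0.14"
VPN LoginSucceeded Vpn="1" Method="ssl" SrcIp="192.0.2.45" User="alice" Groups="staff" TunIP="10.8.0.15"
www_authenticate: bad credentials
"""

# One Key="value" pair; values are quoted so hosts, paths and requests may contain spaces and colons.
_KV = re.compile(r'(\w+)="([^"]*)"')


def parse_event(line):
    """Return (event_name, fields) for a key="value" message, or None for other lines.

    The event name is whatever precedes the first pair (e.g. "VPN LoginSucceeded", "PORTAL").
    Field names are lower-cased so SrcIp and SrcIP (both used by the gateway) compare equal.
    """
    first = _KV.search(line)
    if first is None:
        return None
    name = line[:first.start()].strip()
    fields = {key.lower(): value for key, value in _KV.findall(line)}
    return name, fields


def parse_log(text):
    """Parse every line of a log excerpt, skipping lines that carry no key="value" pairs."""
    return [event for event in (parse_event(line) for line in text.splitlines()) if event]


def multi_source_users(events, threshold=2):
    """Users with successful logins from more than `threshold` distinct source addresses."""
    sources = defaultdict(set)
    for name, fields in events:
        if name == "VPN LoginSucceeded":
            sources[fields["user"]].add(fields["srcip"])
    return {user: sorted(ips) for user, ips in sources.items() if len(ips) > threshold}


def open_sessions(events):
    """(user, source ip) pairs with a LoginSucceeded not followed by a matching Logout."""
    active = set()
    for name, fields in events:
        key = (fields.get("user"), fields.get("srcip"))
        if name == "VPN LoginSucceeded":
            active.add(key)
        elif name == "VPN Logout":
            active.discard(key)
    return sorted(active)


def file_access(events):
    """(user, host, share, path) tuples from PORTAL file-access messages."""
    return [(f["user"], f["host"], f["share"], f["path"]) for name, f in events if name == "PORTAL"]


def bad_credential_count(text):
    """Count 'www_authenticate: bad credentials' errors, which carry no key="value" fields."""
    return sum(1 for line in text.splitlines() if line.strip() == "www_authenticate: bad credentials")


if __name__ == "__main__":
    parsed = parse_log(SAMPLE_LOG)
    print("multi-source logins:", multi_source_users(parsed))
    print("open sessions:", open_sessions(parsed))
    print("file access:", file_access(parsed))
    print("bad credentials:", bad_credential_count(SAMPLE_LOG))
```

The Logout message carries no TunIP, so the only stable join key between a login and its logout is the (user, source address) pair; a user who re-logs in from the same address before logging out will collapse to one open session under this scheme.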
  • Page 223: Nortel Vpn Gateway

5. Products derived from this software may not be called "OpenSSL" nor may "OpenSSL" appear in their names without prior written permission of the OpenSSL Project.
  • Page 224: Nortel Vpn Gateway

1. Redistributions of source code must retain the copyright notice, this list of conditions, and the following disclaimer.
  • Page 225: Nortel Vpn Gateway

Suite 330, Boston, MA 02111-1307 USA Everyone is permitted to copy and distribute verbatim copies of this license document, but changing it is not allowed. GNU GENERAL PUBLIC LICENSE
  • Page 226: Nortel Vpn Gateway

(when started running for such interactive use in the most ordinary way) to print or display an announcement, including an appropriate copyright notice and a notice that there is no warranty (or else,
  • Page 227: Nortel Vpn Gateway

(This alternative is allowed only for noncommercial distribution and only if you received the program in object code or executable form with such an offer, in accordance with Subsection b, preceding.)
  • Page 228: Nortel Vpn Gateway

Program at all. For example, if a patent license would not permit royalty-free redistribution of the Program by all those who receive copies directly or indirectly through you, then the only way you could satisfy both it and
  • Page 229: Nortel Vpn Gateway

Our decision will be guided by the two goals of preserving the free status of all derivatives of our free software and of promoting the sharing and reuse of software generally. NO WARRANTY
  • Page 230: Nortel Vpn Gateway

Apache Software Foundation (http://www.apache.org/)". Alternately, this acknowledgment may appear in the software itself, if and wherever such third-party acknowledgments normally appear.
  • Page 231: Nortel Vpn Gateway

Apache Software Foundation, see http://www.apache.org/. Portions of this software are based upon public domain software originally written at the National Center for Supercomputing Applications, University of Illinois, Urbana-Champaign.
  • Page 232: Nortel Vpn Gateway

License Information
  • Page 233: Nortel Vpn Gateway

Self-Tests: If changes are made to the design of the HSM, this document should be updated to incorporate the changes and reviewed by an NVLAP-accredited CMT lab.
  • Page 234: Nortel Vpn Gateway

HSM boards. The shared
  • Page 235: Nortel Vpn Gateway

PCI interface. Therefore, this algorithm is not accessible in the FIPS 140-1 Mode. The self-tests perform a known answer test on this algorithm in FIPS 140-1 Mode.
(Section 4.0 Capabilities)
  • Page 236: Nortel Vpn Gateway

PCI interface. Therefore, this algorithm is not available in the FIPS 140-1 Mode. Key pairs of modulus size in the range 512 through 1024 bits, in 64-bit increments.
  • Page 237: Nortel Vpn Gateway

6.4 PCI Interface
This interface is used to provide data and commands to the HSM board. It is also used to read data and status from the HSM.
Status indicator meanings (table fragment): Power off; Board is on but idle
  • Page 238: Nortel Vpn Gateway

This component is non-volatile memory. The contents of Flash maintain their state after PCI power and battery power have been removed. The Flash contains the firmware that controls processing within the HSM.
  • Page 239: Nortel Vpn Gateway

USB interface. Refer to section 9.2 for a description of how this PIN is used for authentication. User Role PIN (UserPIN) = The User Role PIN is generated randomly
(Section 8.0 Definition of Security Relevant Data Items)
  • Page 240: Nortel Vpn Gateway

KWK into two shares with the Split Key service. Two corresponding shares may be combined with the Combine Key service to enter the KWK into the module.
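The Split Key and Combine Key flow described above, including the requirement that only corresponding shares be combined, can be illustrated with a two-of-two XOR split. This is an added Python example and not the HSM's or Nortel's own key-splitting scheme, which the guide does not specify: the XOR construction, the random share-set identifier used to tie two shares together, and the truncated SHA-256 key check value are all assumptions made for illustration.

```python
import hashlib
import secrets


def _kcv(key):
    """Key check value: truncated SHA-256 of the key (assumed; a generic KCV, not the HSM's scheme).

    Safe for a random key-wrapping key; do not use on low-entropy secrets, where it would allow
    offline guessing.
    """
    return hashlib.sha256(key).digest()[:8]


def split_key(kwk):
    """Split a key-wrapping key into two shares: (set_id, index, share_bytes, kcv).

    share1 is uniformly random and share2 = kwk XOR share1, so either share alone is
    statistically independent of the key. Both shares carry the same random set_id so that
    shares from different splits can be detected rather than silently combined into garbage.
    """
    set_id = secrets.token_hex(8)
    share1 = secrets.token_bytes(len(kwk))
    share2 = bytes(a ^ b for a, b in zip(kwk, share1))
    kcv = _kcv(kwk)
    return (set_id, 1, share1, kcv), (set_id, 2, share2, kcv)


def combine_key(share_a, share_b):
    """Recombine two corresponding shares into the key, refusing shares that do not belong together."""
    set_a, idx_a, bytes_a, kcv_a = share_a
    set_b, idx_b, bytes_b, kcv_b = share_b
    if set_a != set_b or idx_a == idx_b or len(bytes_a) != len(bytes_b) or kcv_a != kcv_b:
        raise ValueError("shares do not correspond")
    kwk = bytes(x ^ y for x, y in zip(bytes_a, bytes_b))
    if _kcv(kwk) != kcv_a:
        raise ValueError("key check value mismatch")
    return kwk


def combine_or_none(share_a, share_b):
    """Convenience wrapper: the key if the shares correspond, otherwise None."""
    try:
        return combine_key(share_a, share_b)
    except ValueError:
        return None


if __name__ == "__main__":
    kwk = secrets.token_bytes(24)  # 24-byte KWK assumed for illustration
    s1, s2 = split_key(kwk)
    print("recombined correctly:", combine_key(s1, s2) == kwk)
    t1, t2 = split_key(secrets.token_bytes(24))
    print("mixed shares rejected:", combine_or_none(s1, t2) is None)
```

Each share must be carried on a separate token and entered by a separate holder; the scheme only provides dual control if no single person ever sees both shares.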
  • Page 241: Nortel Vpn Gateway

The Security Officer initializes the board. Performing this function generates an internally stored master key, and generates a random PIN, which is stored in the Security Officer’s
  • Page 242: Nortel Vpn Gateway

User account.
9.5 Services
The following table describes which services can be performed by which role, and the SRDI(s) which each service accesses.
  • Page 243: Nortel Vpn Gateway

When the board is in the zeroized state, it is possible for an unauthenticated user to uninitialize the board. Note 8: These operations must access stored cryptographic keys. The keys may not be input through the PCI interface.
Table columns: Non-FIPS 140-1 Mode; Role: User, SO, Not auth
  • Page 244: Nortel Vpn Gateway

    When the board is in the zeroized state, it is possible to for an unauthenticated user to uninitialize the board. Note 8 = These operations must access stored cryptographic keys. The keys may not be input through the PCI interface. Copyright © 2007-2008 Nortel Networks Non- FIPS140-1 Mode User SO Role Not auth...
  • Page 245: Nortel Vpn Gateway

    When the board is in the zeroized state, it is possible to for an unauthenticated user to uninitialize the board. Note 8 = These operations must access stored cryptographic keys. The keys may not be input through the PCI interface. Copyright © 2007-2008 Nortel Networks Non- FIPS140-1 Mode User SO Role Not auth...
  • Page 246: Nortel Vpn Gateway

    When the board is in the zeroized state, it is possible to for an unauthenticated user to uninitialize the board. Note 8 = These operations must access stored cryptographic keys. The keys may not be input through the PCI interface. Copyright © 2007-2008 Nortel Networks Non- FIPS140-1 Mode User SO Role Not auth...
  • Page 247: Nortel Vpn Gateway

    When the board is in the zeroized state, it is possible to for an unauthenticated user to uninitialize the board. Note 8 = These operations must access stored cryptographic keys. The keys may not be input through the PCI interface. Copyright © 2007-2008 Nortel Networks Non- FIPS140-1 Mode User SO Role Not auth...
  • Page 248: Nortel Vpn Gateway

FastMap chip. Using this algorithm ensures that the keys generated will be consistent with the requirements of FIPS 140-1. Performing the key generation in this manner will ensure
  • Page 249: Nortel Vpn Gateway

Rainbow Technologies key management utility. The key management utility runs on the host, and uses "Wrap Key" and "Unwrap" commands to move wrapped keys between devices in the same family.
(Section 10.0 Key Management)
  • Page 250: Nortel Vpn Gateway

11.1 FIPS 140-1 Mode
In the FIPS 140-1 mode, the board may only perform FIPS approved algorithms. These are as follows:
Table 10 "Key Destruction" (table fragment; columns: Voltage Applied, Battery, BRAM)
  • Page 251: Nortel Vpn Gateway

Self-Test (columns: FIPS 140-1 Mode, Non-FIPS 140-1 Mode):
RSA Encrypt/Decrypt and Sign/Verify KATs
DES KAT
3DES KAT
SHA-1 KAT
DSA KAT
MD5 KAT
(Section 12.0 Self-Tests)
  • Page 252: Nortel Vpn Gateway

(but are not limited to) banking, telecommunications, e-commerce, and medical services. In the area of self-test, the HSM provides capabilities consistent with FIPS 140-1 Level 4.
  • Page 253: Nortel Vpn Gateway

Appendix: Definition of Key Codes
  • Page 254: Definition Of Key Codes

Note: For some of the escape codes you need two backslashes, as these are specific javassh definitions not known by the Java Property mechanism.
  • Page 255: Nortel Vpn Gateway

Key Representation: F1-F20, PGUP, PGDOWN, HOME, INSERT
Explanation:
Backspace. This character is usually sent by the <- key (Backspace key).
Escape. This character is usually sent by the Esc key.
Newline. This character will move the cursor to a new line.
  • Page 256: Nortel Vpn Gateway

BACKSPACE
Example of a Key Code Definition File
Following is an example of the keyCodes.at386 key code definition file, created for an AT-386 terminal.
Remarks: The Remove key. The Cursor Up key. The Cursor Down key.
  • Page 257: Nortel Vpn Gateway

    Copyright © 2007-2008 Nortel Networks Nortel VPN Gateway User Guide NN46120-104 02.01 Standard...
  • Page 258: Nortel Vpn Gateway

(e.g. due to the server administrator having generated new keys).
  • Page 259: Nortel Vpn Gateway

2, either RSA or DSA keys can be used. The RSA keys for version 1 differ in form from those for version 2, and are referred to as "RSA1".
  • Page 260: Nortel Vpn Gateway

SSH host keys
  • Page 261: Nortel Vpn Gateway

Portal session. This description is based on Windows 2000 Server and Windows Server 2003. Make sure that your account is a member of the Schema Admins group.
  • Page 262: Nortel Vpn Gateway

On Windows 2000 Server, enter mmc in the Open field. On Windows Server 2003, enter mmc /a instead. Note that there is a space between mmc and /a. Click OK. The Console window is displayed.
  • Page 263: Nortel Vpn Gateway

Add the Active Directory Schema Snap-in (Windows 2000 Server and Windows Server 2003)
On the File (Console) menu, select Add/Remove Snap-in. The Add/Remove Snap-in window is displayed. Click Add. The Add Standalone Snap-in window is displayed.
  • Page 264: Nortel Vpn Gateway

Right-click Start, and select Open All Users. Double-click the Programs and Administrative Tools folders. On the File menu, point to New, and then select Shortcut. The Create Shortcut Wizard is displayed.
  • Page 265: Nortel Vpn Gateway

Right-click Attributes, point to New and select Attribute. You will now receive a warning that creating schema objects is a permanent operation and cannot be undone. Click Continue. The Create New Attribute window is displayed.
  • Page 266: Nortel Vpn Gateway

You will now receive a warning that creating schema classes is a permanent operation and cannot be undone. Click Continue. The Create New Schema Class window is displayed. Create the nortelSSLOffload class as shown:
  • Page 267: Nortel Vpn Gateway

Select the nortelSSLOffload class. Right-click and select Properties. The Properties window is displayed. Select the Attributes tab and click Add. Add the isdUserPrefs attribute as optional.
  • Page 268: Nortel Vpn Gateway

The Properties window is displayed. Select the Relationship tab. Next to Auxiliary Classes, click Add Class (Add). Add the nortelSSLOffload class as an auxiliary class as shown:
  • Page 269: Nortel Vpn Gateway

#/ldap/enauserpre or the BBI setting User Preferences under VPN Gateway>VPN# >Authentication->Auth Servers#(Ldap), the remote user should now be able to store user preferences in Active Directory.
  • Page 270: Nortel Vpn Gateway

Adding User Preferences Attribute to Active Directory
  • Page 271: Nortel Vpn Gateway

Appendix: Using the Port Forwarder API
  • Page 272: Nortel Vpn Gateway

The zip file contains both a signed and an unsigned version of the API along with javadoc documentation and a demo application with source code.
  • Page 273: Nortel Vpn Gateway

Example: http://vpn.example.com/link.yaws?t=custom&a=1&b=1&c=1
The parameters a, b and c in the second link point out the link according to:
a: VPN number
b: Linkset number
  • Page 274: Nortel Vpn Gateway

Java Web Start, refer to http://java.sun.com/products/javawebstart. A correct jnlp file corresponding to the preceding example looks like this:
The URL to the portal, e.g. https://vpn.example.com.
The type of the link to use, for example "custom". The link type should be the same as defined in the CLI/BBI.
  • Page 275: Nortel Vpn Gateway

The provided build.xml file contains an example of how to create a content.zip file.
  • Page 276: Nortel Vpn Gateway

A Port Forwarder authenticator must implement the PortForwarderAuthenticator interface:
    public PortForwarderCredentials getCredentials();
    public java.net.PasswordAuthentication getProxyCredentials();
Example
Following is an example of the code for creating a Port Forwarder authenticator.
  • Page 277: Nortel Vpn Gateway

    Example 277 Nortel VPN Gateway User Guide NN46120-104 02.01 Standard 14 April 2008 Copyright © 2007-2008 Nortel Networks...
  • Page 278: Nortel Vpn Gateway

        // (the tail of getCredentials(): the session cookie was cut out of the
        //  Set-Cookie header above using headerField.indexOf(';'))
        if (cookie == null) {
            return null;
        }
        cred.setNortelToken(cookie);
        return cred;
    }

    // Called by the API when proxy credentials are needed and none were set.
    public PasswordAuthentication getProxyCredentials() {
        LoginDialog loginDialog = new LoginDialog();
        return new PasswordAuthentication(loginDialog.getUserId(),
                loginDialog.getPassword().toCharArray());
    }
    ...
    // Register the authenticator with the Port Forwarder instance.
    portForwarder.setAuthenticator(pfa);
  • Page 279: Nortel Vpn Gateway

    private String createTimeStamp() {
        SimpleDateFormat dateFormat = new SimpleDateFormat("hh:mm:ss.SSS ");
        String timeStamp = dateFormat.format(new Date());
        return timeStamp;
    }

    private String createMessage(String msg) {
        return createTimeStamp() + " : " + msg;
    }
  • Page 280: Nortel Vpn Gateway

        if (throwable != null) {
            System.out.println(throwable.getMessage());
            throwable.printStackTrace();
        } else {
            portForwarderGui.appendInfo(messageString +
                    System.getProperty("line.separator"));
        }
    ...
        if (throwable != null) {
            portForwarderGui.appendInfo(throwable.getMessage() +
                    System.getProperty("line.separator"));
            throwable.printStackTrace();
        }
  • Page 281: Nortel Vpn Gateway

    Example 281 Nortel VPN Gateway User Guide NN46120-104 02.01 Standard 14 April 2008 Copyright © 2007-2008 Nortel Networks...
  • Page 282: Nortel Vpn Gateway

If the username and/or password is not set, the Port Forwarder API will call the PortForwarderAuthenticator.getProxyCredentials() function to obtain them.
The proxy host for HTTP &
  • Page 283: Nortel Vpn Gateway

An added statistics listener will receive a PortForwarderStatistics object either when a change has occurred or at a defined interval.
  • Page 284: Nortel Vpn Gateway

Using the Port Forwarder API
Following is an example of the code for monitoring Port Forwarder statistics. This will print current statistics every 3 seconds.
  • Page 285: Glossary

The CLI can be accessed through a console connection or a remote connection (Telnet or SSH). The CLI is used for collecting information and configuring the NVG.
  • Page 286: Nortel Vpn Gateway

A digital guarantee that a document has not been altered, as if it were carried in an electronically-sealed envelope. The "signature" is a digest of the text, signed with the sender's private key, that is sent with the text
  • Page 287: Nortel Vpn Gateway

    Copyright © 2007-2008 Nortel Networks Nortel VPN Gateway User Guide NN46120-104 02.01 Standard...
  • Page 288: Nortel Vpn Gateway

Another difference is that the Net Direct client is packet-based, while the SSL VPN client uses system calls. The packet-based solution supports more applications (e.g. Microsoft Outlook).
  • Page 289: Nortel Vpn Gateway

PKI nor even a single agreed-upon standard for setting up a PKI. However, nearly everyone agrees that reliable PKIs are necessary before electronic commerce can become widespread. A PKI is also called a trust hierarchy.
  • Page 290: Nortel Vpn Gateway

VPN Gateway to an existing cluster. If you perform a reinstallation of the NVG software, you will also enter the Setup Utility after the VPN Gateway has rebooted.
  • Page 291: Nortel Vpn Gateway

A program to log into another computer over a network, to execute commands in a remote machine, and to move files from one machine to another. It provides strong authentication and secure communications over insecure channels.
  • Page 292: Nortel Vpn Gateway

The addressing technology from which URLs are created. Technically, URLs such as HTTP:// and FTP:// are specific subsets of URIs, although the term URL is mostly heard.
  • Page 293: Nortel Vpn Gateway

The switch announces this change in ownership to the devices around it by way of a gratuitous ARP and advertisements. If the backup switch didn’t do the gratuitous
  • Page 294: Nortel Vpn Gateway

MAC address had moved in the network. For a more detailed description, refer to RFC 2338. X.509 A widely-used specification for digital certificates that has been a recommendation of the ITU since 1988.
  • Page 295: Nn46120-104 02.01 Standard 14 April

CA 116; revoke certificates issued by own organization 117; certificate signing request (CSR): generate 94, submit 94; certificates: add using TFTP 103, client 110, managing 93, revoke client certificates 116, view installed certificates 172; ciphers
  • Page 296: Nortel Vpn Gateway

ASA 310-FIPS 27; iKey authentication 30; host IP 37; host keys (SSH) 257; iKey authentication 30; the ASA 310-FIPS 27; wrap key 30; HSM-SO iKey 30; HSM-USER 30; idle timeout, command line interface 144
  • Page 297: Nortel Vpn Gateway

146; security modes on the ASA 310-FIPS 29; slave configuration 36, 57; SNMP agent 183; supported MIBs 184; supported traps 189; software: activate downloaded upgrade package 76, features in this version 19
  • Page 298: Nortel Vpn Gateway

140; Boot user for reinstall 70; categories 140; passwords 141; user preferences 261; virtual IP 37; wrap key, generation of 30