The device must withstand any interference received, including interference that may cause undesired operation. The Access Point router has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC Rules and Regulations.
Important - Please Read Shielded cables must be used with this unit to ensure compliance with the FCC Class A limits. Access Point QVPN Builder User Guide...
Contents
Integrated Applications
Platform Requirements
NT 4.0 Requirements
Solaris 2.6 Requirements
Access Point Operating System Support Matrix
2 Installing the QVPN Builder
Installing Builder
Installing the Standalone Version on Solaris Systems
Installing the Client/Server Version on Solaris Systems
Installing the Standalone Version on Windows NT Systems
...
Creating or Modifying VPN Definitions
Selecting the Configuration Method
Changing VPN Settings for the VPN
Changing VPN Settings for the Access Point Systems
Changing Probe Settings
Saving the VPN Definition
Saving the VPN Definition With the Standalone Version
Saving the VPN Definition With the Client/Server Version
...
Removing the VPN Definition With the Client/Server Version
Using VPN Definitions
Exporting Data
Importing VPN Data Files
Importing VPN Definitions From Version 1.1
Verifying the Configuration
Deploying the Configuration
Using the VPN Deployment Tables
VPN Statistics
...
Using Rule Sets
Exporting Rule Sets
Importing Rule Set Files
Specifying a Rule Set for a VPN
Using the QoS/Firewall: Examples
Configuring a Firewall That Allows Web Surfing
Configuring SYN Flood Protection
Classifying ICMP Packets
Creating a Forwarding Policy
...
Exporting the Log Table To a File
Managing User Profiles
Adding User Profiles
Modifying User Profiles
Deleting User Profiles
Restoring VPN Databases
Finding a VPN Name
Troubleshooting
Figures
Figure 1 QVPN Builder Login Screen
Figure 2 QVPN Builder Definition View Window
Figure 3...
VPN server capabilities. The Access Point QVPN Builder monitors a virtual private network of Access Point systems. This guide explains how to install, configure, and manage the Access Point QVPN Builder application. Chapter titles and their subject areas are outlined below.
Access Point product have several years of networking experience. The Access Point QVPN Builder application lets you configure and manage virtual private networks from a central management station. Builder is flexible enough to provision the security profiles, firewall rules, and Quality of Service policies for small or large VPNs.
Contacting Lucent Support
For questions or problems with the Access Point QVPN Builder application or the Access Point router, refer to this manual or to the Lucent Technologies Lucent Worldwide Services Web site at:
http://www.lucent.com/networkcare
If you are not able to find the help you need, contact Lucent Technologies Inc.
The Access Point QVPN Builder application is a powerful tool that lets you create and deploy VPNs easily from a central management station. While most VPNs must be configured on a host-by-host basis, Builder enables VPNs to be defined at a single location and exported to defined...
sets of hosts (Access Point systems) without network disruptions. Builder also lets you incorporate firewall and Quality of Service (QoS) parameters as part of a VPN definition, allowing you to rate-limit and shape traffic flowing over tunnels.
Access Point Operating System Support Matrix
Access Point Operating System: V2.1, V2.2.0, V2.2.1, V2.3, V2.4
Partial...
Make sure you are logged on as a superuser (root). To install Builder, enter the following command:...
Make sure you are logged on as a superuser (root).
If you reply with no, you can start the daemon at any time with the QVPNRequestConfigDaemon command. Refer to “Using the QVPN Request Config Daemon” on Page 32. You will see output similar to the following:

    Installing Lucent Technologies Access Point QVPN Builder Client/Server version: 2.4.B002 02-27-2001...
    Checking for available space...
    Unpacking...
    Checksumming...

    Do you want to start the QVPNRequestConfigDaemon now ? [yes]
    Starting AccessView QVPNRequestConfigDaemon 2.4.B002 02-27-2001
    QVPNRequestConfigDaemon configuration completed.
    Lucent Access Point QVPN Builder 2.4.B002 02-27-2001 Installation Complete:
    To start the QVPN Builder application run /AV2.4/AccessView/bin/QVPNBuilder
    To start the Tunnel Status application run /AV2.4/AccessView/bin/TunnelStatus
    To start the Traffic Status application run /AV2.4/AccessView/bin/TrafficStatus...
The installation asks if you want to create the installation directory if it doesn't already exist. Next, the installation asks if you want to run the included scripts as root. Answer “y”.
You can include the path to Builder in your shell initialization file. You can also create a soft link to Builder using the ln -s command. The Builder exe-...
Optionally, the icons for the applications can be placed on your desktop. Start up the application by clicking on the icon on your desktop (if available) or selecting Start → Programs → Lucent Access Point → QVPN Builder. To uninstall the application, select Start → Settings → Control Panel →...
You must reboot after the installation. Start up the application by clicking on the icon on your desktop (if available) or selecting Start → Programs → Lucent Access Point → QVPN Builder.
NOTE: To uninstall the client/server version, you must uninstall the application (by selecting Start →...
V2.3, export the rule sets from Builder V2.1 or V2.3 and import them into V2.4. (See and importing rule sets.) Change directory to the Access View database directory located under the...
Activate the service by rebooting the PC. If you have already rebooted the PC, click the Start button in the Services window to activate the service.
[Figure labels: Log Frame; Message Area]
Note that if you make any changes to the properties, an asterisk appears next to the modified item in the tree frame. Once you save the VPN definition, the asterisk disappears.
Tree Frame
The Tree frame shows the relationship between the VPN and Access Point in a tree format. You can expand or collapse the tree at any time. The root of the tree (the global VPN) contains four children: VPN, QoS/Firewall, NAT, and APs.
The Log frame displays log messages generated by certain events, including changes, deployments, and deployment failures. You can clear or purge (erase from disk) the log. For more information, see “Configuring Logging” on Page 129.
AP and Builder must match so that Builder can communicate with each AP. With the root VPN selected, select Edit → SNMP Properties to specify how Builder should set up SNMP access for the APs added to the VPN definition.
Definition View Tool Bar Buttons. Description: Launch SSH session to current selected AP →...
You can specify the SNMP version as V2 (for simple SNMP access) or V3 (for...
To add an Access Point system (AP) to the VPN definition, select Edit → Add AccessPoint and change any settings in the Access Point Properties frame as necessary. After making the necessary changes, you should verify the configuration and deploy the configuration to ensure that the configuration is updated.
Click on the Lucent Traffic Status icon on your desktop or select Start → Programs → Lucent Access Point → Traffic Status to start up the Traffic Status application. Click on the Lucent Tunnel Status icon on your desktop or select Start →...
• A pie chart showing the bandwidth allocated to each class as a percentage of its parent (when you have selected the Allocated tab)
Summary information about the selected tunnel or interface (when you...
Designed to be used with Builder, the QVPN Request Config daemon (Config daemon) allows an AP to request its own configuration (VPN, QoS/firewall, and NAT) from Builder. The AP can request only information that is configured by Builder.
On Solaris systems, use this command:
    tail -f ConfigDaemon.log
On Windows NT systems, use either of these commands:
    type ConfigDaemon.log
    more ConfigDaemon.log
Description:
• Shows the current version of the daemon
• Shows the debug mode
• Shows the database path where the daemon looks for VPNs
• Shows the daemon’s SNMP configuration...
VPN. Once policies are established as part of a VPN definition, Builder securely distributes the configuration to the Access Point systems (APs) that make up that VPN.
This section describes how to create or change VPN settings for the VPN and Access Point properties. It also describes how to add and remove APs from your VPN configuration.
Select the AP for which you want to specify a configuration method to display its Access Point Properties frame. Select the appropriate method from the Config Method drop-down list. Builder (default) indicates that the Builder pushes out the configuration to the AP when requested.
Fields: Security Profile; Use Wildcard Tunnels; Use Dynamic Routing; IKE Auth Method
Description: A user-definable option for future expansion. Specify the security profile (default-strong is the default value). The security profile is the security specification for the entire VPN....
By default, the VPN type is a full mesh topology as shown in the VPN Properties frame. To create a hub-and-spoke topology: Select the AP that you want to use as the hub to display its Access Point...
(configurable) intervals. When a response is not received after a specified number of updates, Keepalive assumes the gateway is unreachable. In this event, Keepalive places its IPSec...
The AP has the ability to send proprietary probe packets. For more information about probes, see the Access Point Configuration Guide. You can specify whether the APs respond to Probes and configure Probe parameters. By default, the device (AP) manages probes and Builder does nothing.
After configuring your settings, you can apply the changes to either all APs or to selected APs by selecting the appropriate button for Apply Parameters To... as shown below.
Description: When checked, the AP creates probes for all APs to which it has tunnels....
If you want to use VPN definitions that were created with Version 1.1, refer to “Importing VPN Definitions From Version 1.1” on Page...
Confirm that you really want to remove the VPN. The VPN is removed from the drop-down list and from the database/log (db) directory.
VPN keyword. Each VPN data file can contain only one VPN line. The QVPN name field in the VPN line can be more than one word.
If you try to import AP definitions and there is no VPN open in Builder, you will receive an error. See the next section for a sample VPN data file.

    # ************ AccessPoint definition block ends! ****************
    # More AccessPoint definitions
    # ACCESSPOINT,198.202.232.127,AP Two,none -> When router addr
    # specified as "none", router addr will use AP’s IP addr
    ACCESSPOINT,198.202.232.127,AP Two,10.200.1.196
    SNMP,v3,swnm,none,none,none,none,2,5,161
    SUBNET,20.1.1.0,255.255.255.0
    SUBNET,20.1.2.0,255.255.255.0
    ACCESSPOINT,198.202.232.160,AP Three,10.200.1.197
    SNMP,v2,swnm,none,none,none,none,2,5,161
    SUBNET,30.1.1.0,255.255.255.0
    SUBNET,30.1.2.0,255.255.255.0
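The following parser is an added example, not part of the QVPN Builder guide or of Lucent's software. It reads a VPN data file in the layout of the sample above, applies the rules the guide states (one VPN line per file; a router address of "none" falls back to the AP's IP address), and lists APs to review before import, such as those whose SNMP line is not v3. Assumptions: the VPN line is laid out as VPN,<name>, and SNMP fields after the version are kept uninterpreted because the page does not define them.

```python
"""Parse and sanity-check a QVPN Builder VPN data file (added example)."""
import ipaddress

# Constructed sample in the layout of the guide's sample file. The VPN line
# layout (VPN,<name>) is an assumption; the page does not show it.
SAMPLE = """\
VPN,Example Corp VPN
# "none" as router addr means the router addr is the AP's own IP addr
ACCESSPOINT,198.202.232.127,AP Two,none
SNMP,v3,swnm,none,none,none,none,2,5,161
SUBNET,20.1.1.0,255.255.255.0
SUBNET,20.1.2.0,255.255.255.0
ACCESSPOINT,198.202.232.160,AP Three,10.200.1.197
SNMP,v2,swnm,none,none,none,none,2,5,161
SUBNET,30.1.1.0,255.255.255.0
SUBNET,30.1.2.0,255.255.255.0
"""


class DataFileError(ValueError):
    """A line breaks a rule stated in the guide or implied by its sample."""


def _check_addr(value, lineno):
    try:
        ipaddress.ip_address(value)
    except ValueError as exc:
        raise DataFileError(f"line {lineno}: bad address {value!r}") from exc


def parse_vpn_data(text):
    """Return (vpn_name or None, list of AP dicts) for one data file."""
    vpn_name, aps, current = None, [], None
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue  # blank lines and comments carry no definitions
        keyword, *fields = [f.strip() for f in line.split(",")]
        if keyword == "VPN":
            if vpn_name is not None:
                raise DataFileError(f"line {lineno}: more than one VPN line")
            vpn_name = ",".join(fields)  # the name may be several words
        elif keyword == "ACCESSPOINT":
            if len(fields) != 3:
                raise DataFileError(f"line {lineno}: want ip,name,router")
            ip, name, router = fields
            _check_addr(ip, lineno)
            router = ip if router == "none" else router
            _check_addr(router, lineno)
            current = {"ip": ip, "name": name, "router": router,
                       "snmp": None, "subnets": []}
            aps.append(current)
        elif keyword in ("SNMP", "SUBNET"):
            if current is None:
                raise DataFileError(
                    f"line {lineno}: {keyword} before any ACCESSPOINT")
            if keyword == "SNMP":
                if not fields or not fields[0]:
                    raise DataFileError(f"line {lineno}: SNMP needs a version")
                # Only the version is interpreted; the rest stays opaque.
                current["snmp"] = {"version": fields[0], "rest": fields[1:]}
            else:
                if len(fields) != 2:
                    raise DataFileError(f"line {lineno}: want address,mask")
                try:
                    net = ipaddress.ip_network("/".join(fields))
                except ValueError as exc:
                    raise DataFileError(
                        f"line {lineno}: bad subnet {fields}") from exc
                current["subnets"].append(net)
        else:
            raise DataFileError(f"line {lineno}: unknown keyword {keyword!r}")
    return vpn_name, aps


def audit(aps):
    """List (AP name, issue) pairs worth reviewing before import."""
    findings, seen = [], set()
    for ap in aps:
        if ap["ip"] in seen:
            findings.append((ap["name"], "duplicate-ip"))
        seen.add(ap["ip"])
        if ap["snmp"] is None:
            findings.append((ap["name"], "no-snmp-line"))
        elif ap["snmp"]["version"].lower() != "v3":
            findings.append((ap["name"], "snmp-not-v3"))
        if not ap["subnets"]:
            findings.append((ap["name"], "no-subnets"))
    return findings


if __name__ == "__main__":
    name, parsed = parse_vpn_data(SAMPLE)
    print("VPN:", name)
    for ap in parsed:
        print(ap["name"], ap["ip"], "router", ap["router"],
              [str(n) for n in ap["subnets"]])
    for ap_name, issue in audit(parsed):
        print("REVIEW:", ap_name, issue)
```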
The application displays information about these tunnels using Deployment tables. By selecting an item in the Tree and then clicking on the Deployment tab in the Configuration and Deployment frame, you can obtain status and configuration information about VPNs.
Selecting VPN at the VPN root or an AP and then clicking on the Deployment tab provides access to summary information about Tunnels, Routes, IPSec Interfaces, and Probes.
• Security Profile — the tunnel’s security profile, which is determined by the weakest profile of the participating APs
You can select any tunnel with a mouse click to highlight the row.
• State — IPSec’s current configuration state (Add — to be added, Current — deployed, Remove — to be removed)
• C — configuration
Builder has three default security profiles:
• default-weak
• default-strong
• default-auth
If you have read-write privilege, you can add, modify, or delete other security profiles.
Click Apply to modify the profile. Repeat steps 2 and 3 for each additional profile. Click Done when you have finished modifying profiles.
Click on the profile in the Profile List that you want to delete and click Remove to delete the profile. Repeat step 2 for each additional profile. Click Done when you have finished deleting profiles.
• Supplies values for the parameters from the rule set or the Access Point properties.
The more specific a rule is, the more secure it is. You can create, modify, save, and delete rule sets....
ToS range, or datalink.
Interface: Indicates the interface(s) where CBQ classes are created. If the service classification is stateful, you can specify a stateful interface.
• Bandwidth allocation: 0
• Bounded: true (any traffic not classified by rule 1 is filtered (denied))
Description: Specifies the action to take for the selected traffic. You can deny, permit, limit, or shape traffic. These...
Remember that the “-default” suffix has special meaning when applied to a CBQ class on the AP. (For more information about default classes, see the Access Point Configuration Guide.)
NOTE: These rules do not provide a default firewall. Both of these rules are applied to the APMgmt interface, which must be set in the definition of each AP to which this rule set is applied....
Select the rule set you want to modify and click Open Rule Set. Add or modify the rules in your rule set.
The Select Source Parameter dialog box is shown here. Select the appropriate parameter for your rule and click OK to make your selection.
Remove Selected in the New Classification section. Edit the classification by selecting the item in the Classification List and specifying the appropriate information on the right side of the dialog box.
ToS Range Definition section. Fill in the Mask field (hex value that specifies the bits in the ToS byte of IP packets that will be read and matched against by the AP) in the ToS Mask Definition section. Click Apply.
Add Indices. Add the datalink mask (mask that is applied to the TCI and each value in the datalink index range expressed in hex) by filling in the Datalink Mask section and clicking Apply.
If you select Limit, then you can specify a forwarding policy for stateful or stateless classification (see creating a forwarding policy). When you spec-...
Input Input False Input Input True/False Input Input True/False Output Output Stateful Established Class Returned To Input tree of To interface Input tree of To interface Input tree of To interface...
Select the comment field for the appropriate rule. Make your changes. Save the rule set by selecting File → Save As... or File → Save.
To modify the default new rule set that is used whenever you create a new rule set: Select Tools → Rule Set Editor... to bring up the QoS/Firewall Rule Set Editor. Select File → Edit Template to bring up the DefaultRuleSetTemplate shown below.
To set parameter values for particular APs: In Builder’s Tree frame, click on QoS/Firewall for the AP. Make sure that the specified rule set is the one you want to use. If it is not...
Once you set parameter values, the parameter is listed in the Parameter Overrides list. Edit or remove an override by selecting the parameter in the Parameter Overrides...
• Gets the QoS/Firewall Deployment table and the CBQ interface table.
• Creates and configures all necessary CBQ interfaces.
• Removes all CBQ classes that are marked as removed in the QoS/Firewall...
Device → Apply or Device → Query and make the appropriate selections from the Apply Configuration or Query Configuration popups.
• If — the interface associated with this class
• Parent — the parent of the class
For a template, select Tools → Import → Template.
NOTE: You must have previously selected File → Edit Template to import a template.
Either action brings up the following dialog box so you can choose the rule...
HTTP return class explicitly allows data to return from external hosts, provided the data match the traffic flows initiated by an internal client. As a result,...
Add the Src parameter by selecting the Src field, clicking on the right mouse button, and selecting Edit... from the pop-up menu. Add a new Source/Destination called LANHosts that specifies Host Range in the dia-...
Specifying the Service Parameter
Add the Service parameter by selecting the Service field, clicking on the right mouse button, and selecting Edit... from the pop-up menu. Add a new Classification called allowWebAccess that uses Stateful classification...
Interface field, clicking on the right mouse button, and selecting Edit... from the pop-up menu. Check the Stateful Classification box, select LAN as the From Interface and WAN as the To Interface, and click OK as shown here.
Rule Set to choose the rule set that you want to associate with this AP. Make your choice in the dialog box and click Select Rule Set. The selected rule set is listed in the Current Rule Set field:
Interfaces Dialog appears. This assigns the CBQ classes you’ve configured to particular CBQ interfaces. Click in the CBQ.1 checkbox for LAN and APMgmt. For WAN, click in the CBQ.3 checkbox. Click OK for each...
Once you set parameter values, the parameter is listed in the Parameter Overrides list. You can edit or remove an override by selecting the parameter in the Parameter Overrides list and clicking on the Edit Override or Remove Override button as shown below.
After making all your changes, click Apply in the upper left-hand corner of the Access Point Properties frame. Save the VPN definition by selecting File → Save or File → Save As... to include these QoS/firewall policies as part of your VPN definition.
Flood drop-down list in the Stateful Classification Edit section and click The Intervene Mode of SYN flood protection is enabled for all the listed applications for this class (whether or not they are selected).
Select Tools → Rule Set Editor... to bring up the QoS/Firewall Rule Set Editor. If you are defining a new rule set, select File → New. If you are modifying an existing rule set, select File → Open.
(whether or not they are selected). Save the rule set by selecting File → Save As... or File → Save. Next, if necessary, change the SYN Protect Timeout value. For the AP you...
Edit... from the pop-up menu. The Rule Classifi-...
Stateless classification type from the drop-down list and clicking Add in the New Classification section. Select the icmp protocol in the Protocol Classifications section and click Add.
• Dump packets — The IP headers of the packets are dumped into the log.
• Forward by destination — Forwarding equivalent of when there is no policy routing.
• Drop packets — Packets are dropped.
Actions list or in the Access Point Properties window.
• Forward packets out interface — Configure a list of interfaces. You must override the interface in the Access Point Properties window.
• Forward by default interface list — Configure a default list of interfaces....
The Access Point system (AP) has a Network Address Translator that provides globally-unique, registered IP addresses for domains using private IP addresses to connect to the Internet.
If the Enable NAT state box is not checked, NAT is disabled and address translation is not performed. By default, the state box is unchecked.
NOTE: If you decide you want to use the original values, then click on the Reset button.
Reset button. Click Apply in the upper left-hand corner of the Properties frame.
APs or to selected APs by selecting the appropriate button for Apply Parameters To... as shown below. If you click on the Selected AP(s) button, this dialog appears which allows you to select the APs to which you want to apply the parameters.
NAT ... button in the APs NAT General Properties frame. The NAT General Properties frame is shown here.
Click Refresh to update the Interface Dialog box. Click OK to close the Interface Dialog box. If the Insert NAT Layer under all Ipsec Instances box is checked, a NAT layer is added under all IPSec instances when the NAT configuration is deployed to the APs.
The protocol field has these values: Any (0), ICMP (1), TCP (6), and UDP (17). Fields containing incorrect data are highlighted in red.
Each parameter field is checked for errors when the Apply button is clicked. If any field has an error, its background color changes to red. Specify the appropriate information for your address translation pool as described in the rest of this section.
Save the NAT configuration for this VPN definition by selecting File → Save.
Click Apply in the upper left-hand corner of the Properties frame. After clicking Apply, you can check the status of the pools and their parameters in this frame. See “Checking the Configuration” on Page 119 for more information.
The protocol for each private IP range will match the pool’s protocol. After specifying parameters, you would see a frame like the one shown here.
Once an LSNAT pool is deployed, you cannot modify any parameters except for IP ranges. To modify the pool’s other parameters, you must delete the LSNAT pool and add another pool.
Note that you can associate each private network with a maximum of three...
After clicking Apply, you can check the status of the private networks and their parameters in this frame. See “Checking the Configuration” for more information. Save the NAT configuration for this VPN definition by selecting File → Save.
AP, they are removed directly from the table.
Add/Modified: A red circle with a slash indicates when an entry is added or modified.
The configuration state (C) of the Deployment tables is marked with either a green check, indicating the state is current, or with a blue question mark, indicating the state is unknown and is being added, modified, or removed.
• Type — the type of translation pool: static
• State — add, current, modified, or remove
• C — (configuration state) current or unknown
• Type — the type of translation pool
• State — add, current, modified, or remove
• C — (configuration state) current or unknown
The Deployment tab for translation pools resembles the following display:
For the private networks configuration:
Check the NAT configurations by verifying that static bindings, private networks, and translation pools have the proper configurations.
This section provides general information about managing the Access Point QVPN Builder application (Builder), including: •...
Specifying Preferences
To set the preferences for displaying information, select Edit →...
set the log display and log file storage limits. To display events in certain colors, modify the Log Filters section by clicking Select next to the color....
Directory Preferences
You need superuser privilege (root) to set directory preferences....
Exporting the Log Table To a File
You can export the Log table to a text file by selecting Tools → Export → Database Log File to display the Choose the export log file name window....
Adding User Profiles
To add user profiles: Select Edit → Users to display the User Profiles window shown here: Click Add to add the user profile. Replace New user (in the Name field) with the user name in the User Parameters section....
Repeat steps 2 through 4 for each additional user. Click Done when you have finished modifying profiles.
Deleting User Profiles
To delete user profiles:...
Finding a VPN Name
On a Solaris system or a PC, you can enter the finddbname command at the command line to find the name of a VPN....