Nortel VPN Router Configuration — Basic Features
Version 7.00
Part No. NN46110-500
311642-M Rev 01
February 2007
Document status: Standard
600 Technology Park Drive
Billerica, MA 01821-4130

Summary of contents, page by page

  • Page 2: Restricted Rights Legend

    Copyright © 2007 Nortel Networks. All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty.
  • Page 3 Nortel Networks Inc. software license agreement This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE.
  • Page 4 Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license.
  • Page 5: Table of contents

    Contents: Preface (page 15), Before you begin ...
  • Page 6 Chapter 2 Getting started (page 29), IP addressing ...
  • Page 7 Chapter 4 Configuring user tunnels (page 75), Configuring group characteristics ...
  • Page 8 Sample branch office procedure (page 135), Chapter 7 Configuring control tunnels ...
  • Page 9 Routing table changes (page 152), Initial contact payload (ICP) ...
  • Page 11 Figures: Figure 6 MVA managing from a remote PC (page 33), Figure 7 Deployment Scenario (page 41), Figure 8 Default configuration ...
  • Page 12 Figure 30 Roaming from behind NAT to behind NAT (page 150), Figure 31 Roaming from behind NAT to no NAT (page 151), Figure 32 Groups edit IPSec window ...
  • Page 13 Tables: Table 6 BOQS parameters (page 66), Table 7 Split tunneling mode options ...
  • Page 15: Preface

    Preface This guide introduces the Nortel VPN Router. It also provides overview and basic configuration information to help you initially set up your Nortel VPN Router. Before you begin This guide is for network managers who are responsible for setting up and configuring the Nortel VPN Router.
  • Page 16 Text conventions (continued): braces ({ }) indicate required elements in syntax descriptions where there is more than one option; you must choose only one of the options, and you do not type the braces when entering the command. The page also defines brackets ([ ]), ellipsis points (. . .), italic text and plain Courier text.
  • Page 17: Acronyms

    separator (>): shows menu paths. Example: Choose Status > Health Check. vertical line (|): separates choices for command keywords and arguments; enter only one of the choices, and do not type the vertical line when entering the command. Acronyms: this guide uses the following acronyms: CHAP, FIPS, ISAKMP, L2TP, LDAP ...
  • Page 18 Acronyms (continued): OSPF, PPTP, RSVP, SNMP, VRRP. Expansions listed on this page: network address translation (NAT), network operations center (NOC), Network Time Protocol (NTP), Nortel VPN Router, Open Shortest Path First (OSPF), operations support systems (OSS), Password Authentication Protocol (PAP), public data networks (PDN), point-of-presence (POP), Point-to-Point Protocol (PPP), Point-to-Point Tunneling Protocol (PPTP), Resource Reservation Protocol (RSVP), Routing Information Protocol (RIP), Simple Network Management Protocol (SNMP), User Datagram Protocol (UDP) ...
  • Page 19: Related Publications

    Related publications For more information about the Nortel VPN Router, refer to the following publications: • Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds. • Nortel VPN Router Configuration —...
  • Page 20: Hard-Copy Technical Manuals

    Hard-copy technical manuals You can print selected technical manuals and release notes free, directly from the Internet. Go to the Nortel documentation site and find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe Acrobat Reader to open the manuals and release notes, search for the sections you need, and print them on most standard printers.
  • Page 21: Getting Help Over The Phone From A Nortel Solutions Center

    On the Nortel Technical Support Web site you can:
    • search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
    • sign up for automatic notification of new software and documentation for Nortel equipment
    • open and manage technical support cases
    Getting help over the phone from a Nortel Solutions Center If you do not find the information you require on the Nortel Technical Support Web site, and you have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
  • Page 23: New In This Release

    New in this release The following sections detail what is new in Nortel VPN Router Configuration — Basic Features for Release 7.0:
    • Network Time Protocol (NTP) support for the Daylight Savings Time 2007 change
    • Systemlog lifetime or disk size limit usage option ...
  • Page 24: Systemlog Lifetime Or Disk Size Limit Usage Option

    New in this release Systemlog lifetime or disk size limit usage option VPN Router allows you to choose between setting a log file disk size limit or a log file lifetime for the Systemlog. Previous versions of the VPN Router only allowed the Systemlog to have a lifetime specified (default 60 days).
  • Page 25: Overview

    Chapter 1 Overview This chapter introduces the Nortel VPN Router. The Nortel VPN Router is a family of products that deliver security and IP services in a single integrated platform. With IP routing, Virtual Private Networking (VPN), stateful firewall, policy management and QoS services, a single Nortel VPN Router device offers the IP services that normally require multiple purpose devices.
  • Page 26: Virtual Private Networking

    Nortel VPN Router access allows remote users to dial in to an Internet Service Provider (ISP) anywhere and reach corporate headquarters or branch offices. The Nortel VPN Router provides remote users access to corporate databases, mail servers, and file servers. Figure 1 Typical PDN The Nortel VPN Router allows ISPs to take over the role of point-of-presence (POP) providers of modem access.
  • Page 27: Licensing Features

    Figure 2 VPN service models. The Nortel VPN Router uses a combination of authorization, authentication, privacy, and access control for each user. Licensing features License keys can be obtained through Nortel's customer support. The Nortel VPN Router provides several license key options: •...
  • Page 28: Command Line Interface

    The Nortel VPN Router Stateful Firewall License key must be installed to enable the Nortel VPN Router Stateful firewall. Tunnel keys are specific to the Nortel VPN Router hardware model that you are using. Nortel VPN Router switches are manufactured to allow either access to the maximum number of tunnels (VPN bundle) or support for 5 tunnels (Base Unit).
  • Page 29: Getting Started

    Chapter 2 Getting started This chapter describes methods for configuring and managing the Nortel VPN Router. Note: If you are setting up a Nortel VPN Router 1010, 1050 or 1100, see Chapter 3, “Setting up the Nortel VPN Router 1010, 1050, and 1100.” These VPN Routers have unique set up and configuration considerations.
  • Page 30: Figure 3 Sample Ip Addressing Scheme

    Figure 3 Sample IP addressing scheme (addresses shown in the figure: 172.19.2.30, 10.2.1.23 or 10.8.4.6, 10.2.4.56). Table 1 Sample IP addressing associations lists the addresses in the figure and their roles: 192.168.43.6, 192.19.2.30, 192.19.2.33, 192.19.2.32, 10.2.3.2, 10.2.3.3, 10.2.3.4, 10.2.3.6, 10.2.3.7, 10.2.3.8, 10.2.1.1 to 10.2.1.254, 172.19.2.30. Roles named in the table include the Nortel VPN Router (192.19.2.33, 10.2.3.3, 10.2.3.2), an existing firewall (192.19.2.32, 10.2.3.7) and a Class C network ...
  • Page 31: Management Virtual Address

    Table 1 Sample IP addressing associations (continued): 10.2.1.23, 10.8.4.6, 10.2.4.56. The Nortel VPN Router supports the Internetwork Packet Exchange (IPX) protocol. This allows the Nortel VPN Router to transmit and receive IPX packets over PPTP. Note: PPTP supports IPX traffic only for remote access connections. IPX is not supported in branch office tunnels.
  • Page 32: Figure 4 Mva On Separate Subnet From Private Physical Interfaces

    (MVA use cases, continued:) • Identification • CRL Retrieval • ... To enable or disable management protocols, go to the Services > Available window. From this window, you can also specify whether to manage the VPN Router from the public or private side. To redistribute the MVA, go to the Routing > Policy window.
  • Page 33: Figure 5 Mva On Same Subnet As Private Physical Interface

    Figure 5 MVA on same subnet as private physical interface Figure 6 shows MVA using CLIP to manage from a remote PC tunneled from the public side. Figure 6 MVA managing from a remote PC Nortel VPN Router Configuration — Basic Features...
  • Page 34: Configuring Mva With The Serial Menu

    The Welcome window appears and you are prompted to supply a user name and password:
    Welcome to the Nortel VPN Router
    Copyright 1999,2000,2001 Nortel Networks
    Version: V07_00.140
    Creation date: Jan. 7, 2007, 20:51:06
    Date: 04/27/2007
    Unit Serial Number: 17563
    Enter the administrator's user name:
    Enter the administrator's password:
    Note: The factory default user name is admin and the default password is setup.
  • Page 35 Main Menu (continued):
    2) Administrator
    3) Default Private Route Menu
    4) Default Public Route Menu
    5) Create A User Control Tunnel (IPsec) Profile
    6) Restricted Management Mode    FALSE
    7) Allow HTTP Management    TRUE
    8) Firewall Options
    9) Shutdown
    B) System Boot Options
    P) Configure Serial Port
    ...
  • Page 36: Configuring Interfaces

    Type M and press Enter to change the Management IP address. The current IP address appears. The Old Management IP Address field is blank on a new Nortel VPN Router.
    Please select a menu choice (M, R): M
    Type 0.0.0.0 to delete. Just type <CR> ...
  • Page 37 (WAN menu, continued)
    Utilized Channels (Fractional T1)    123456789012345678901234
    Currently=
    R) Return to the Main Menu.
    Please select a menu choice:
    Select 0 and press Enter to enter the Slot 0, Port 1, Private LAN menu and add the interface IP address.
    Please select a menu choice: 0
    0) Slot 0, Port 1, Private LAN
       IP Address = 47.17.163.163
       Subnet Mask = 255.255.255.240
    ...
  • Page 38: Multinetting

    Type E and press Enter to save the settings and exit. You can then manage the Nortel VPN Router from a Web browser. Multinetting IP multinetting allows a maximum of eight addresses to be configured on a single Ethernet interface. The first IP address configured on the interface is the primary address.
  • Page 39: Table 2 Services Supported On A Multinetted Interface

    Table 2 shows the services supported on a multinetted interface. Table 2 Services supported on a multinetted interface (service, integration description): Nortel VPN Router Stateful Firewall: supported at the interface level, specified under the primary address on the interface. The same rules apply to all other secondary addresses on the interface.
  • Page 40 100-400, BayRS, P8000 (8100, 8600, 1200) and Baystack LAN/Campus switches, and Cisco IOS routers. Figure 7 on page 41 subnets, 10.1.0.0/16 and 11.1.0.0/16. Both subnets are connected to one physical LAN port on Nortel VPN Router. Nortel VPN Router sends packets to and receives packets from a host on either of these networks using the same physical port.
  • Page 41: Changing The Management Ip Address

    Figure 7 Deployment Scenario Changing the management IP address To manage the system, the network must have a route to the management IP address through one of the system interfaces. To change the management IP address, complete the following procedure: Connect the serial cable (supplied with your Nortel VPN Router) from the Nortel VPN Router serial port to a terminal or a communications port of a PC.
  • Page 42 (serial port settings, continued:) • 1 stop bit • No parity • No flow control. The Welcome window appears and you are prompted to supply a user name and password:
    Nortel VPN Router
    Copyright (c) 1999-2007 Nortel Networks, Inc.
    Version: V07_00.038
    Creation date: Oct 11 2006, 09:52:35
    Date: 10/13/2006
    Unit Serial Number: 10167
    Released Software, Fully supported
    ...
  • Page 43 The Main Menu appears (the same menu as shown for page 35).
  • Page 44: Restricting Source Ips Access To Management

    Restricting source IP access to management You can filter management access by source IP address. Access lists (ACLs) restrict which designated source IPs can connect for management purposes over HTTP, FTP, TELNET and SNMP. Management traffic is intercepted and, if the destination is System and the packet is for one of the four services above, the source IP address is matched against the ACL that is set for that particular service.
  • Page 45: Accessing Acl Through The Gui

    To set an ACL for TELNET, enter the following NNCLI command: CES(config)#telnet access-list <the_name_of_an_acl> To remove an ACL for TELNET, enter the following command: CES(config)#no telnet access-list Accessing ACL through the GUI: To access ACLs from the GUI: Select Services > Available. The Allowed Services window appears. Select one of the predefined ACLs.
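    The matching rule described on page 44 (destination is System, service is one of HTTP, FTP, TELNET, SNMP, then the source IP is checked against the ACL bound to that service) is easy to get wrong when auditing a configuration, so here is an added Python model of it. This is illustrative code written for this summary, not Nortel software; the port-to-service mapping, the class and function names, and the assumption that a service with no ACL bound stays unrestricted are all mine, and the sample packets are constructed from the Table 1 addresses.

```python
"""Model of the per-service management ACL check described on page 44.
Added illustration, not Nortel code. Assumptions: the standard port for
each of the four management services, and that a service with no ACL
bound is left unrestricted (the ACL only restricts designated sources)."""
import ipaddress
from dataclasses import dataclass, field

# Assumed standard ports for the four management services named on page 44.
MGMT_SERVICES = {
    ("tcp", 80): "http",
    ("tcp", 21): "ftp",
    ("tcp", 23): "telnet",
    ("udp", 161): "snmp",
}


@dataclass
class Acl:
    """A named list of permitted source networks; any other source is denied."""
    name: str
    permit: list

    def allows(self, src: str) -> bool:
        ip = ipaddress.ip_address(src)
        return any(ip in ipaddress.ip_network(net) for net in self.permit)


@dataclass
class ManagementPlane:
    """The router's management IP plus the ACL bound to each service."""
    management_ip: str
    acls: dict = field(default_factory=dict)

    def bind(self, service: str, acl: Acl) -> None:
        """Counterpart of 'CES(config)# telnet access-list <name>' (any service)."""
        self.acls[service] = acl

    def unbind(self, service: str) -> None:
        """Counterpart of 'CES(config)# no telnet access-list'."""
        self.acls.pop(service, None)

    def decide(self, src: str, dst: str, proto: str, dport: int) -> str:
        """Return 'forward' (not management traffic), 'permit' or 'deny'."""
        if dst != self.management_ip:
            return "forward"      # destination is not System: ACLs do not apply
        service = MGMT_SERVICES.get((proto, dport))
        if service is None:
            return "forward"      # management IP, but not one of the four services
        acl = self.acls.get(service)
        if acl is None:
            return "permit"       # assumption: no ACL bound means no restriction
        return "permit" if acl.allows(src) else "deny"


def audit(plane: ManagementPlane, packets):
    """Apply the check to a batch of (src, dst, proto, dport) tuples."""
    return [(pkt, plane.decide(*pkt)) for pkt in packets]


# Constructed sample: 10.2.3.0/24 reused as the management LAN and
# 172.19.2.30 as a remote host, both taken from Table 1 on page 30.
SAMPLE_PACKETS = [
    ("10.2.3.7", "10.2.3.2", "tcp", 23),      # admin workstation, telnet
    ("172.19.2.30", "10.2.3.2", "tcp", 23),   # remote host, telnet
    ("172.19.2.30", "10.2.3.2", "udp", 161),  # remote host, SNMP
    ("172.19.2.30", "10.2.1.23", "tcp", 23),  # transit traffic, not for System
]


def demo():
    """Bind one ACL to telnet and snmp, return the verdict for each sample packet."""
    plane = ManagementPlane("10.2.3.2")
    lan_only = Acl("mgmt-lan", ["10.2.3.0/24"])
    plane.bind("telnet", lan_only)
    plane.bind("snmp", lan_only)
    return [verdict for _, verdict in audit(plane, SAMPLE_PACKETS)]


if __name__ == "__main__":
    for pkt, verdict in zip(SAMPLE_PACKETS, demo()):
        print(pkt, "->", verdict)
```

    The point worth checking in a real deployment is the third case in the sample: binding an ACL to TELNET alone leaves HTTP, FTP and SNMP open to every source, because each service carries its own ACL.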
  • Page 46 Using a terminal emulation program, such as HyperTerminal on the PC, press Enter. The Welcome window appears and you are prompted to supply a user name and password (the same banner as shown for page 42).
  • Page 47 The Main Menu appears (the same menu as shown for page 35).
  • Page 48 Interface Menu
    0) Slot 0, Port 1, Private LAN    IP Address = 47.17.163.163    Subnet Mask = 255.255.255.240    Speed/Duplex = AutoNegotiate
    1) Slot 1, Port 1, Public LAN     IP Address =                  Subnet Mask = 0.0.0.0            Speed/Duplex = AutoNegotiate
    2) Slot 2, Port 1, Public LAN     IP Address =                  Subnet Mask = 0.0.0.0            Speed/Duplex = AutoNegotiate
    ...
  • Page 49 Select 0 and press Enter to enter the Slot 0, Port 1, Private LAN menu and add the interface IP address. The menu shows the current values (IP Address = 47.17.163.163, Subnet Mask = 255.255.255.240, Speed/Duplex = AutoNegotiate). Type 0.0.0.0 to delete.
  • Page 50: Using Boot Modes

    Using boot modes The Nortel VPN Router can be booted in one of two system modes: Safe mode or Normal mode. Each mode has its own software image, configuration files, and LDAP database. Note: The Nortel VPN Router 1010, 1050, and 1100 do not implement safe mode.
  • Page 51 Enter the system default login and password in lowercase characters, as follows: Login: admin Password: setup At this point, follow the Quick Start Configuration procedure or the Guided Configuration procedure. Refer to which procedure to use. Table 3 on page 53 for help in determining Nortel VPN Router Configuration —...
  • Page 52: Preparing For Configuration

    Preparing for configuration To properly prepare for configuration of the Nortel VPN Router, you should have the following items available: • A plan to distribute IP addresses to clients when connections are requested; for example, via a DHCP server or an internal client address pool (with an address pool you need a range of IP addresses).
  • Page 53: Table 3 Web Interface Configuration Options

    • Manufacturer of device as well as firmware version, throughput, and any special configuration requirements for any devices on the network. If you assign static IP addresses to any of these devices, record them and a brief explanation why they required static addresses. •...
  • Page 54 Table 4 Configuration checklist (continued), window and values required:
    System > Identity
    System > WAN (if using T1, V.35, or T3)
    System > Date and Time: manual entry of date and time or ...
    Services > Available: Tunnel Type
    Services > Available: Management Protocol
    ...
  • Page 55 Table 4 Configuration checklist (continued), window and values required:
    Servers > Radius Auth: Access (enabled or disabled); Server-Supported Option (enabled or disabled); Radius Servers (enabled or disabled); Primary host name or IP address, public or private, port, shared secret/confirmed; Alternate 1 host name or IP address, public or private, port, shared secret/confirmed; Alternate 2 host name or IP ...
  • Page 56: Welcome Window

    Table 4 Configuration checklist (continued): Admin > License Keys (install license keys); Admin > Auto Backup. Welcome window The Welcome window allows access to any of the configuration areas for the Nortel VPN Router. Before entering the configuration options, first register your Nortel VPN Router to activate licenses, warranties, and services.
  • Page 57 • Click on Guided Config to begin the Guided Configuration. This option allows access to all Configuration Management facilities. The design and structure of the Guided Configuration, however, is such that you might want to follow the top-to-bottom layout provided. This approach walks you through the entire navigational menu from the Profiles to the Admin selections.
  • Page 59: Setting Up The Nortel Vpn Router 1010, 1050, And 1100

    Chapter 3 Setting up the Nortel VPN Router 1010, 1050, and 1100 This chapter provides instructions for the network administrator who is responsible for the Nortel VPN Router 1010, 1050, and 1100 located at branch office sites. If you are at a branch office site and you need to connect the Nortel VPN Router 1010, 1050, or 1100 to the network, see access”...
  • Page 60: Figure 8 Default Configuration

    Figure 8 Default configuration By default, the Nortel VPN Router 1010, 1050, and 1100 are configured with the following parameters: • The DHCP server is configured on the switch’s private interface, with a default range of 192.168.1.3/24 to 192.168.1.255/24. By default, 192.168.1.1 and 192.168.1.2 are assigned to the branch office switch’s private and management interfaces, respectively.
  • Page 61: Branch Office Quick Start Utility

    Branch office quick start utility The branch office quick start utility (BOQS) simplifies deployment of the Nortel VPN Router in the branch office environment. BOQS converts the Nortel VPN Router 1010, 1050, or 1100 device from an Internet access VPN Router into a secure access VPN Router by provisioning a VPN connection to a central office or optionally, to a network operation center (NOC).
  • Page 62: Enterprise Environment

    After the VPN services are provisioned, branch office networks are logically connected to a central office network or to a NOC network. Branch office end users can rerun BOQS multiple times to restore the initial VPN configuration or to fix data errors. BOQS supports two network topologies: •...
  • Page 63: Service Provider Environment

    • Set the Text Pre-Shared Key to the same value as the central office tunnel password. • Set Dynamic Routing to enabled. • Set RIP to enabled. After the central office setup and the BOQS are complete, the Nortel VPN Router 1010, 1050, or 1100 is directly accessible from the central office. This means that there is just one hop between the central office and the branch office.
  • Page 64 Every Nortel VPN Router 1010, 1050, and 1100 must have a distinct IP address that is visible from the NOC subnet. A NOC can assign any address reachable from a NOC network to a Nortel VPN Router 1010, 1050, or 1100. BOQS configures NAT on the NOC tunnel to translate the address specified in the “Branch office switch manage NAT IP address”...
  • Page 65: Deployment Procedure

    Deployment procedure The following sequence of events illustrates the deployment procedure. • Factory configured Nortel VPN Router 1010, 1050, and 1100 boxes are shipped directly to the end customer. A provisioning worksheet is either sent or faxed from the network operations center separately from the device. •...
  • Page 66: Table 6 Boqs Parameters

    Table 6 contains the BOQS parameters. Table 6 BOQS parameters:
    Central office tunnel configuration: central office tunnel name; central office tunnel password; central office public IP address; central office DNS server IP address; central office WINS server IP address; private network IP address; private network mask.
    Network Operation Center tunnel configuration: network operation center tunnel name ...
  • Page 67: Branch Office Quick Start Template

    Branch office quick start template The branch office quick start template provides a list of values that the local Nortel VPN Router 1010, 1050 or 1100 users will need to enter on the BOQS window. See Appendix A, “Branch office quick start template.
  • Page 68: Cable The Vpn Router And Turn The Power On

    • Power cord • AC to DC external power supply • Molded serial cable RJ-45 to DB9 • Ethernet crossover cable (Nortel VPN Router 1010 only) • Nortel VPN Router CD (Note: the documentation on this CD is for reference only) Cable the VPN Router and turn the power on To set up your Nortel VPN Router 1010, 1050, or 1100:...
  • Page 69: Make Sure That Your Pcs Can Obtain Ip Addresses Automatically

    Press the power switch to the “on” position and wait for the VPN Router to boot. Note: The boot process can take as long as 3 minutes. Make sure that your PCs can obtain IP addresses automatically By default, DHCP server is enabled on the private side of the VPN Router to assign IP addresses to the PCs that you connect to the LAN 0 ports.
  • Page 70: Dhcp Instructions

    • If your ISP uses static IP addressing, go to “Static IP instructions” on page 71. Note: If you complete the steps in the appropriate section and your VPN Router is not up and running, contact the service provider or company that provided the VPN Router. DHCP instructions If your ISP uses DHCP to assign an IP address to your PCs, verify that your VPN Router is connected to the Internet and start the quick-start tool as follows:...
  • Page 71: Static Ip Instructions

    Set the Administrative State option to Enabled. From the Interface Filter list, choose permit all. Click on OK. Locate the provisioning worksheet sent by the company or provider that sent you the VPN Router. 10 Enter the following URL in your browser window: http://192.168.1.2/manage/qs.pyc.
  • Page 72: Compact Flash Disk

    12 In the Gateway Address field, type the default route address that the ISP provided. 13 Click on OK. 14 Locate the provisioning worksheet sent by the company or provider that sent you the VPN Router. 15 Enter the following URL in your browser window: http://192.168.1.2/manage/qs.pyc.
  • Page 73 • Numerous text files You can store two software images on the flash disk at the same time. Operational changes for the compact flash disk are: • The config file is saved every minute and the past three versions are kept. The config file is only written when the configuration changes.
  • Page 75: Configuring User Tunnels

    Chapter 4 Configuring user tunnels The Nortel VPN Router uses the Internet and tunneling protocols to create secure connections. The following sections describe configuring the tunnel portion of the Nortel VPN Router. The configuration process includes setting up the authentication table and specific tunnel parameters, such as IPsec encryption, L2TP access concentrators, and L2F network access servers.
  • Page 76 The Nortel VPN Router associates all remote users with a group, which dictates the attributes that are assigned to a remote user session. A group can even consist of a single user, thereby creating a personal connection. The Nortel VPN Router organizes groups in a hierarchical manner. At the top of the hierarchy is the base group.
  • Page 77 For example, \Base is the base group, Research and Development and Finance are child groups of the base group, and they are parent groups to groups below them. Groups are collections of users with the same access attributes and rights. If all users have identical characteristics, then only one group is necessary.
  • Page 78: Configuring Group Characteristics

    Configuring group characteristics In addition to assigning users to groups and providing authentication access, you can configure other group characteristics: Go to the Profiles > Groups window and click on the Edit button next to the group that you want to configure. Under the Connectivity section, click on the Configure button to change the any of the group characteristics.
  • Page 79 • Maximum password age is the time after which the login password expires. The Maximum Password Age range is from 0 (no password expiration) to 180 days (6 months). Default is 30 days. Users receive a warning that the password will expire each time they log in for two days prior to the expiration date.
  • Page 80 Port, and TCP Connection establishment. Go to the Profiles > Filters window to create tunnel filters. 13 Select Enable to enable IPX support for the group. 14 Enter the maximum number of PPP links in Maximum Number of Links field that you want the Nortel VPN Router to support. The range is 1 to 5; default is 1.
  • Page 81: Setting Up User Tunnels

    Choose an Excess Action for traffic handling, either Drop or Mark. You can also choose Define new bandwidth rate to select a new bandwidth rate. 20 You can configure the TunnelGuard settings by referring to Nortel VPN Router Configuration — TunnelGuard. A group inherits attributes from its parent group.
  • Page 82 Choose Services > Available. Select the tunnel type. Select the Management Protocol for the Nortel VPN Router’s private interface. Use the RADIUS check boxes to permit RADIUS requests on the public and private interfaces of the Nortel VPN Router. If you enable RADIUS traffic, you must also enable RADIUS on the Services >...
  • Page 83 After selecting a group, you must click on Display to view the group members. This allows you to quickly change from viewing one group to another. The last names and first names of the selected group’s users appear, sorted by last name. Click on Add to add a user to the group;...
  • Page 84 Static IP Address option in the Profiles > Groups > Connectivity option (it is only used if the group allows it). If an IP address that is entered here is used instead of a DHCP server-assigned IP address, then only one login is allowed. Enter the subnet mask.
  • Page 85: Configuring Inverse Split Tunneling

    • LDAP search allows you to enter any LDAP database attribute that is part of the person, organizational Person, or inetOrgPerson object database (for example, cn=common name or sn=surname) to generate the associated user’s profile. Refer to your LDAP vendor’s documentation for complete details.
  • Page 86: Figure 11 Inverse Split Tunneling

    The security of a mandatory tunnel is partially compromised by the addition of inverse split tunneling, in a way similar to that of split tunneling. However, inverse split tunneling (Figure 11) does have a significant security advantage over split tunneling in that you specify the network resources that are allowed outside the tunnel; everything else stays inside it.
  • Page 87: Inverse Split Tunneling

    To select the split tunneling mode in which you wish to operate, the Split Tunneling drop-down menu has been modified to include two new options: Enabled – Inverse and Enabled – Inverse (locally connected). The default remains Disabled.
  • Page 88: Figure 12 Edit > Ipsec Page For Wildcard

    Select Enabled – Inverse or Enabled – Inverse (locally connected) from the Split Tunneling menu. The Split Tunneling menu is used to select the tunneling mode that is used by the selected group. Table 7 Split tunneling mode options (Split Tunneling selection): Disabled; Enabled; ...
  • Page 89: Configuring Tunneling Modes Using The Cli

    Select None from the Split Tunnel Networks menu. Select a network from the Inverse Split Tunnel Networks menu. Go to the bottom of the page and click OK. Configuring tunneling modes using the CLI The tunneling mode is selected in the CLI using the following commands after entering group ipsec configuration mode.
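    To make the difference between the four modes on pages 86 to 89 concrete, here is an added Python model of the per-destination decision a client makes under each mode. It is illustrative code written for this summary, not Nortel software: the function and constant names, the probe addresses and the group policy are constructed, and the behaviour of Enabled – Inverse (locally connected), which the page names but does not define, is my assumption (Inverse plus the client's own directly connected subnet outside the tunnel).

```python
"""Where a client sends each destination under the Split Tunneling modes
listed on pages 86-89. Added illustration, not Nortel code. Assumption:
'Enabled - Inverse (locally connected)' behaves like Inverse and also lets
the client reach its own directly connected subnet outside the tunnel."""
import ipaddress

DISABLED = "Disabled"
ENABLED = "Enabled"
INVERSE = "Enabled - Inverse"
INVERSE_LOCAL = "Enabled - Inverse (locally connected)"


def _in_any(ip, networks):
    return any(ip in ipaddress.ip_network(n) for n in networks)


def path(mode, dst, split_networks=(), inverse_networks=(), local_subnet=None):
    """Return 'tunnel' or 'clear' for one destination address.

    split_networks   -- Split Tunnel Networks: what goes INTO the tunnel (Enabled)
    inverse_networks -- Inverse Split Tunnel Networks: what stays OUT (Inverse)
    local_subnet     -- the client's directly connected subnet (assumption above)
    """
    ip = ipaddress.ip_address(dst)
    if mode == DISABLED:
        return "tunnel"                       # mandatory tunnel: everything goes in
    if mode == ENABLED:
        return "tunnel" if _in_any(ip, split_networks) else "clear"
    if mode == INVERSE:
        return "clear" if _in_any(ip, inverse_networks) else "tunnel"
    if mode == INVERSE_LOCAL:
        if local_subnet is not None and ip in ipaddress.ip_network(local_subnet):
            return "clear"
        return "clear" if _in_any(ip, inverse_networks) else "tunnel"
    raise ValueError("unknown split tunneling mode: %r" % mode)


# Constructed probe destinations: a corporate server, a printer on the
# client's home LAN, and an arbitrary Internet host (documentation range).
PROBES = {
    "corp_server": "10.2.3.3",
    "home_printer": "192.168.1.50",
    "internet_host": "203.0.113.9",
}
# Constructed group policy: Enabled tunnels only corporate space, Inverse
# leaves only the home LAN in the clear.
GROUP_POLICY = dict(
    split_networks=["10.0.0.0/8"],
    inverse_networks=["192.168.1.0/24"],
    local_subnet="192.168.1.0/24",
)


def exposed(mode):
    """Sorted names of the probe destinations that leave the client in the clear."""
    return sorted(name for name, addr in PROBES.items()
                  if path(mode, addr, **GROUP_POLICY) == "clear")


if __name__ == "__main__":
    for mode in (DISABLED, ENABLED, INVERSE, INVERSE_LOCAL):
        print("%-40s clear: %s" % (mode, ", ".join(exposed(mode)) or "(none)"))
```

    Running it shows the advantage the page describes: under Enabled the Internet host is reached in the clear because it is not in the split list, while under either Inverse mode it is still tunnelled because only the networks you explicitly list are allowed outside.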
  • Page 91: Configuring The System

    Chapter 5 Configuring the system This chapter describes how to configure various system-level features: • LAN interfaces • WAN interfaces • 802.1q VLAN subinterfaces • MTU and TCP MSS • Circuitless IP • Asynchronous data over TCP • Safe mode configuration •...
  • Page 92 Enter a Management IP Address for the system. You need this address to contact all system services, such as HTTP, FTP, and SNMP. To be accessible, the Management IP Address must map to the same network as one of the private interfaces.
  • Page 93: Setting Up Lan Interfaces

    10 Click on OK. The Nortel VPN Router checks all of the DNS addresses to see if they respond and then provides an operational or error status. The ISP Provided Server is not user configurable. It is provided by the ISP. The ISP may assign more than one DNS server, but only one of them (primary) is shown on the window.
  • Page 94 A host can send only enough packets to a public interface to establish a tunnel connection. If the tunnel is not established before a preset maximum number-of-packets-allowed counter is reached, then the packets from that host are discarded. Public indicates that this interface is attached to a public data network like the Internet.
  • Page 95: Edit Lan Interface Window

    • From the Select Protocol list, select the tunneling protocol to use: IP is the standard Internet Protocol, and Point to Point Protocol over Ethernet (PPPoE) allows PPP to run over Ethernet. Note: You cannot use dynamic routing on PPPoE interfaces. DHCP is configured by default on the Nortel VPN Router 1010, 1050, and 1100 so you must first select Cancel Acquisition and then select PPPoE from the Select Protocol menu.
  • Page 96 Additional fields appear on the Edit LAN Interface window for optional network cards. LAN represents the physical port interface to which you assign an IP address. Slot n Interface n represents an optional LAN card in expansion Slot n using Interface n. Under the Configuration section, use the Speed/Duplex field to automatically or manually configure the LAN interface’s port speed and mode.
  • Page 97: Multinetting

    MAC Pause (Ethernet packet flow control) section enables the Nortel VPN Router to automatically adjust and control the flow of incoming and/or outgoing packets from any standard speed LAN device. Check to enable MAC Pause (Frame-based flow control) on the selected interface port.
  • Page 98: Figure 14 Lan > Interfaces Window

    To add an IP address: Click the Add Multinet button on the LAN Interfaces window. Figure 14 on page 98 shows the window in which you can add, modify, or delete a multinet address using the GUI. The Interface Filter option is not available for the secondary addresses. Figure 14 LAN >...
  • Page 99: Figure 15 Lan Interfaces > Add Ip Address Window

    Figure 15 LAN Interfaces > Add IP Address window Enter an IP address in the IP Address text box. Enter a subnet mask in the Subnet Mask text box. Click OK. To delete an IP address: From the LAN Interfaces window, select the secondary IP address to delete. Click Delete.
  • Page 100: Configuring Multinetting Using The Cli

    Configuring multinetting using the CLI. Table 8 shows the command syntax for configuring multinetting using the CLI.
    Table 8 Adding/Deleting a secondary address (Command / Description):
    Add a secondary address to an interface
    Delete a secondary address: CES(config-if)# no ip address
    Adding an IP address. To add an IP address: Navigate to config mode by entering the following command: config.
  • Page 101: Table 9 Configuring Ospf Over A Secondary Address

    Table 9 displays the command syntax for configuring OSPF.
    Table 9 Configuring OSPF over a secondary address (Command / Description):
    Enable OSPF on a secondary address
    Disable OSPF on a secondary address: CES(config-if)# no ip ospf <secondary
    Set the OSPF authentication key
    Reset the OSPF authentication key
    Set the OSPF cost on a secondary address...
  • Page 102: Table 10 Configuring Rip Over A Secondary Address

    Table 9 Configuring OSPF over a secondary address (continued):
    Set the OSPF priority on a secondary address
    Reset the OSPF priority on a secondary address
    Set the OSPF MD5 key on a secondary address
    Reset the OSPF MD5 key on a secondary address
    Table 10 displays the command syntax for configuring RIP...
  • Page 103 Table 10 Configuring RIP over a secondary address (Command / Description):
    Disable importing of default routes using RIP
    Enable RIP poison reverse on a secondary address
    Disable RIP poison reverse on a secondary address
    Set the RIP receive version on a secondary address
    Stop RIP from receiving a version on a secondary address...
  • Page 104 The MSS should be 40 bytes less than the largest packet the implementation can re-assemble. Interface filter shows whether or not the Nortel VPN Router Firewall is in use (this reflects the selection on the Services > Firewall window). This entry also shows the interface filter that is currently being used by the Nortel VPN Router Firewall.
  • Page 105: Asynchronous Data Over Tcp

    Asynchronous data over TCP Asynchronous data over TCP (AOT) is a protocol that enables transport of asynchronous data packets over a TCP/IP network. A TCP packet is decapsulated and the data is then forwarded through the synchronous driver to the asynchronous device or host.
  • Page 106: Configuring Network Time Protocol (Ntp)

    Select Public or Private for Service. Select Connection Originator to enable it. Specify the Peer IP address. Specify the Local IP address. Specify the Port Number, a value in the range 1000-9999. Set the maximum Number of Ticks for the character idle timeout, up to 60. The minimum idle time is one tick of the system clock, which is 16.6 milliseconds.
  • Page 107 NTP supports the 2007 Daylight Saving Time change in the United States and various Canadian provinces. From 2007, Daylight Saving Time begins at 2 a.m. on the second Sunday in March and ends at 2 a.m. on the first Sunday in November. To configure NTP: Click on the Enable check box.
  • Page 108: Configuring System Settings

    Click on the Return to the Date and Time window link to return to the previous window. Configuring system settings The Nortel VPN Router can be booted in one of two system modes: safe mode or normal mode. Each mode has its own software image, configuration files, and LDAP database.
  • Page 109 • Serial Menu (default). In this mode, a standard menu interface is presented. You can use an application such as HyperTerminal, when directly connected to the Nortel VPN Router, to access the menu interface. The Nortel VPN Router uses the COM port for a serial menu terminal session.
  • Page 110 (remaining speeds in the list) 2400, 1200, 600, 300, 150. d Data, Parity, and Stop apply only when AoT is selected. Enter the Modem Initialization string; refer to the manufacturer's documentation for the vendor-specific initialization string. If you pre-configure the modem and use the Nortel VPN Router default initialization string (ATZ), you will get the best results.
  • Page 111: Using Proxy Arp

    Using proxy ARP You can configure the Nortel VPN Router to respond to ARP requests on any of its physical interfaces. The Nortel VPN Router responds to the following types of routes: • User tunnels are routes created for user tunnels. This entry is enabled by default and cannot be changed.
  • Page 112: Using The Ssh Server To Allow Secure Sessions

    Using the SSH server to allow secure sessions You can enable an SSH server to allow secure (encrypted) CLI sessions to the NVR, in place of Telnet, which carries the session in the clear. You also have the option of enabling the private and public interface filters, setting the port for the SSH server, and restarting the server. You can use either the NVR GUI or CLI to configure the SSH server.
  • Page 113: Configuring The Ssh Server

    Configuring the SSH server To set the parameters for the SSH server: Select Services > Available. The Allowed Services page appears as shown in Figure 18 on page 114.
  • Page 114: Figure 18 Allowed Services Window

    Figure 18 Allowed Services window In the Port text box, enter the SSH server port number. Note: If an SSL VPN card exists in the NVR, the port for the SSH server cannot be 22. To enable filters, select either the Public or the Private check box. Click OK.
  • Page 115: Using The Cli For Ssh Server

    Using the CLI for SSH server Defining an SSH server (CLI) To configure an SSH server on the Nortel VPN Router, from CLI Global Configuration Mode, enter: ssh-server {port <portnum> | private | public } no ssh-server { private | public } where: •...
  • Page 116: Displaying The Current Settings For The Ssh Server

    Displaying the current settings for the SSH server To display the current settings for the SSH server, from CLI Global Configuration Mode, enter: show ssh-server { port | state } where: • port—shows the SSH server port • state—specifies the state (enabled or disabled) of the SSH server For example, to display the current SSH server port for the Nortel VPN Router, enter: CES(config)# show ssh-server port...
  • Page 117: Restricted Product - Export License Requirement

    Restricted product - export license requirement This product incorporates encryption technology that is highly restricted and can require an export license from the US Department of Commerce, Bureau of Export Administration, prior to international shipment. A product that incorporates encryption with a key length up to 56 bits can be eligible for international shipment pursuant to a license exception.
  • Page 119: Configuring Branch Office Tunnels

    Chapter 6 Configuring branch office tunnels The branch office feature allows you to configure a secure tunnel connection between two private networks. Typically, one private network is behind a locally configured Nortel VPN Router while the other is behind a remote Nortel VPN Router.
  • Page 120: Figure 19 Typical Branch Office Environment

    Figure 19 Typical branch office environment [figure labels: 172.17.20.x 255.255.255.0; 172.17.21.x 255.255.255.0; Boston Gateway 172.19.2.30; Access Hours: 9-5; permit only dns/http]. This section describes office configurations for two locations, Boston and Cleveland. The initial configurations show connections established with pre-shared keys. In a mixed environment, you might want to tunnel connections to certain networks and have all other traffic go to the Internet.
  • Page 121: Figure 20 Branch-To-Branch With A Firewall And A Router

    Figure 20 Branch-to-branch with a firewall and a router [figure labels: Firewall; Nortel VPN Router; Private LAN]. In the branch-to-branch illustration, the following interactions take place with a Nortel VPN Router: The PC sends packets to the default route (the firewall). The firewall redirects the packets to the local Nortel VPN Router branch office connection.
  • Page 122: Figure 21 Indirectly Connected Branch Offices

    Figure 21 Indirectly connected branch offices [figure labels: Local: 192.149.20.0 255.255.255.0; Remote: 172.17.20.0 255.255.255.0, 172.17.21.0 255.255.255.0; Boston 172.19.2.30; Local/Remote]. In branch offices, you might have two or more branches that use the same LAN addressing scheme. Nonetheless, users still have to communicate with one another across the branches.
  • Page 123: Pptp Nested Tunnels

    PPTP nested tunnels Nested tunnels allow you to create a PPTP end user tunnel inside an IPSec branch office tunnel or an asynchronous branch office tunnel. You can have a nested tunnel from within the private network or from the public side. A nested tunnel from within the private network allows an end user to originate a PPTP connection from a client PC located on the private network.
  • Page 124: Dns For Branch Office Tunnel Endpoints

    DNS for branch office tunnel endpoints When configuring branch office tunnels with the Nortel VPN Router, you can enter a DNS name for the tunnel endpoint. The Nortel VPN Router uses domain name address resolution to resolve the actual IP address of the endpoint. The Nortel VPN Router client already supports this ability.
  • Page 125: Round Robin Dns

    Figure 22 VPN DNS When you configure an initiator for an asynchronous branch office tunnel, you can use a domain name of a remote peer instead of the IP address. Go to Profiles > Branch Office. In the Connections section, click on Select next to the connection that you want to configure.
  • Page 126: Figure 23 Failover Example

    DNS query, the DNS server returns IP addresses 1.2.3.4 and 5.6.7.8. The initiator selects 1.2.3.4 because it is first in the list of addresses and establishes a tunnel. If 1.2.3.4 goes down, the initiator must reestablish the tunnel and send a new DNS query.
  • Page 127: Dynamic Dns

    Round Robin DNS. The initiator at branch office one uses 1.2.3.4 as the remote endpoint because it was the first address in the list it received. The initiator at branch office two uses 5.6.7.8 as the remote endpoint because it was the first address in the DNS response it received.
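The failover and round robin sequences described on pages 126 and 127, as an added example that is not part of the manual or of Nortel's software: an initiator resolves the peer's DNS name, uses only the first address in the answer, and when that endpoint goes down it must re-query DNS and rebuild the tunnel; a round robin server rotates its answer, so two initiators start on different endpoints. The addresses 1.2.3.4 and 5.6.7.8 are the manual's example values; the resolver stand-in, the health table, the peer name vpn.example.com and the class and method names are constructed here.

```python
"""Round Robin DNS for branch office tunnel endpoints.

Added illustration of the sequence the manual describes, not Nortel code.
1.2.3.4 and 5.6.7.8 are the page's example addresses; the resolver
stand-in, health table and the name vpn.example.com are constructed.
"""
from collections import deque
from typing import Callable, Dict, List, Optional


class RoundRobinResolver:
    """Constructed stand-in for a DNS server that rotates its A-record answer."""

    def __init__(self, name: str, addresses: List[str]) -> None:
        self.name = name
        self._ring = deque(addresses)

    def query(self, name: str) -> List[str]:
        if name != self.name:
            return []
        answer = list(self._ring)
        self._ring.rotate(-1)               # the next query sees the list rotated by one
        return answer


class BranchOfficeInitiator:
    def __init__(self, peer: str, resolver: RoundRobinResolver,
                 tunnel_up: Callable[[str], bool]) -> None:
        self.peer = peer
        self.resolver = resolver
        self.tunnel_up = tunnel_up          # stands in for the tunnel attempt to one address
        self.remote: Optional[str] = None
        self.queries = 0

    def establish(self, max_queries: int = 5) -> Optional[str]:
        """Resolve, try only the first address, and re-query while it is down."""
        for _ in range(max_queries):
            answer = self.resolver.query(self.peer)
            self.queries += 1
            if not answer:
                break
            first = answer[0]               # the initiator takes the first address only
            if self.tunnel_up(first):
                self.remote = first
                return first
        self.remote = None
        return None

    def endpoint_down(self) -> Optional[str]:
        """The established endpoint stopped responding: rebuild via a fresh query."""
        self.remote = None
        return self.establish()


def scenario() -> Dict[str, object]:
    health = {"1.2.3.4": True, "5.6.7.8": True}     # constructed endpoint state
    resolver = RoundRobinResolver("vpn.example.com", ["1.2.3.4", "5.6.7.8"])
    is_up = lambda addr: health[addr]
    bo1 = BranchOfficeInitiator("vpn.example.com", resolver, is_up)
    bo2 = BranchOfficeInitiator("vpn.example.com", resolver, is_up)
    first1 = bo1.establish()                # answer [1.2.3.4, 5.6.7.8] -> 1.2.3.4
    first2 = bo2.establish()                # rotated answer -> 5.6.7.8
    health["1.2.3.4"] = False               # the endpoint bo1 is using goes down
    after = bo1.endpoint_down()             # first re-query still lists 1.2.3.4 first
    return {"bo1_first": first1, "bo2_first": first2,
            "bo1_after_failover": after, "bo1_queries": bo1.queries}


if __name__ == "__main__":
    print(scenario())
```

Because the initiator never walks past the first address, failover depends on the DNS server rotating its answer between queries; the `max_queries` bound keeps the loop from spinning against a server that always returns the dead address first.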
  • Page 128: Configuring A Branch Office

    The Nortel VPN Client supports dynamic DNS registration. The Client Dynamic DNS Registration setting on the Profiles > Groups > Edit > IPsec window enables you to select whether to enable or disable DDNS. It is enabled by default. You can use this parameter only with the Nortel VPN Client. Also, your DNS server must support Dynamic DNS and be configured to allow Dynamic DNS registration.
  • Page 129: Figure 25 Setting Up A Branch Office Configuration

    Figure 25 Setting up a branch office configuration [figure: a table with the columns "Which Management Page to Use?" (Profiles > Branch Office; Profiles > Groups > Edit button (optional step); Profiles > Branch Office > Configure Connection; Profiles > Branch Office > Configure Connection) and "What to Do?", beginning with Boston: Add a group for /Base/boston...]
  • Page 130: Adding A Group

    Adding a group To create a new group: Select Profiles > Branch Office. In the Groups section, click Add. The Add Group window appears. Enter a name and then select the parent group whose attributes the new group inherits; for example, /Base. The group name can be a maximum of 64 characters (spaces are permitted).
  • Page 131: Configuring A Tunnel Connection

    Configuring a tunnel connection To configure a connection: On the Profiles > Branch Office window, select the button next to the connection name and click on Configure. The Connection Configuration window appears. Select the Tunnel Type for the connection from the list. The default type is IPsec.
  • Page 132 Click the Filters drop-down list and choose the filter that you want this branch office connection to use. The default is permit all. You can specify one filter. Packet filtering controls the types of access allowed for users of this branch connection.
  • Page 133: Sample Branch Office Configuration

    network, select it from the list and the Connection Configuration window appears. These networks have been previously set up on the Profiles > Networks window. 13 To add Remote Networks, click the Add button to go to the Add Networks window and add the remote networks for the branch office configuration. Remote networks are the subnetworks on the private network of the remote VPN Router.
  • Page 134: Figure 26 Sample Branch Office Configuration

    Figure 26 Sample branch office configuration As the administrator of a branch office connection, you can manage the level of access that you give to users of the connection. You specify when the connection is used, what operations can be done through the connection, and which systems on the private networks can be accessed.
  • Page 135: Sample Branch Office Procedure

    • The Profiles > Filters window must have the filters that you want to use for the branch office connection. For the example, the local Nortel VPN Router uses a filter of permit only dns/http, and the remote Nortel VPN Router uses permit all.
  • Page 136 12 Click on the Test button on each end of the tunnel to verify connectivity. 13 Try to ping from one PC to the other PC through the branch office.
  • Page 137: Configuring Control Tunnels

    Chapter 7 Configuring control tunnels Control tunnels are special tunnels that allow you to securely manage a Nortel VPN Router over the Internet. The primary reasons for creating control tunnels are secure management and network data integrity. Control tunnels provide secure access to a customer’s remote Nortel VPN Router so that you can manage it over a...
  • Page 138: Control Tunnel Types

    Figure 27 Branch office control tunnel [figure labels: VPN Server 1; Control Tunnels]. Control tunnel types There are two types of control tunnels: a branch office control tunnel and a user control tunnel. With both tunnel types, you can establish a secure IPsec tunnel to a system that you want to manage.
  • Page 139: Figure 28 Sample Control Tunnel Environment

    Figure 28 Sample control tunnel environment Branch office control tunnels allow anyone on the configured network to communicate with the Nortel VPN Router being managed. This allows a Nortel VPN Router to communicate with various systems within a company's network operations center or corporate headquarters (the Cleveland private network).
  • Page 140: Restricted Mode

    In this environment, the remote Boston Nortel VPN Router has a control tunnel to the local Cleveland Nortel VPN Router. From any system on the Cleveland network, you can access the management address for the Boston Nortel VPN Router. This allows systems on the Cleveland network to initiate management operations on the Boston Nortel VPN Router, such as HTTP, FTP, and Telnet, through the control tunnel.
  • Page 141: Creating Control Tunnels

    To create a nailed-up control tunnel using the nailed-up parameter: Go to Profiles > Branch Office window and click on Edit next to the group that you want to have nailed up. On the Edit Group window, in the Connectivity section click Configure. On the Connectivity window, when you click on the Configure button next to the Nailed Up field, a drop-down list gives you the option to select Enabled or Disabled.
  • Page 142: Adding A Group

    Initiate a Telnet session to the customer’s Nortel VPN Router. Enter the appropriate control create string, following the required control create parameters already described. A sample string follows: control create boston bostoncleveland 132.19.2.20 132.19.2.30 192.168.2.3 192.168.20.0 255.255.255.0 Management Only (a special control tunnel filter) is used by default with control tunnels to maximize security.
  • Page 143: Adding A Control Tunnel

    Enter a name and then select the parent group whose attributes the new group inherits; for example, /Base. The group name can be a maximum of 64 characters (spaces are permitted). The new group inherits the attributes (for example, Access Hours) of its parent group, which are then used by the branch office connection.
  • Page 144: Configuring A Control Tunnel Connection

    Configuring a control tunnel connection To configure a Control Tunnel connection: On the Connection Configuration window, you enter required configuration information for the local branch office connection, for example, static routing and the IPsec tunnel type. On the Profiles > Branch Office window, select the button next to the connection name and click on Configure.
  • Page 145 • In the remote endpoint address field, enter the address of the remote Nortel VPN Router (for example, 132.19.2.30) that you want to form the opposite end of the branch office connection. For Initiator connection types, you can enter the DNS host name. Click the Filters drop-down list and choose the filter that you want this branch office connection to use.
  • Page 146: Creating A User Control Tunnel From The Serial Interface

    12 Click Create Local Network to go to the Profiles > Networks window and define a local network. The local networks are the subnetworks on the private internal network of the local VPN Router. If you want to edit an existing local network, select it from the list and the Connection Configuration window appears.
  • Page 147: Configuring Ipsec Mobility And Persistent Mode

    Chapter 8 Configuring IPSec mobility and persistent mode A large number of companies choose to secure access to their corporate networks via VPN using the IPSec protocol. IPSec allows corporate employees located outside the corporate network to establish a secure tunnel to the private corporate network through the Internet.
  • Page 148: Figure 29 Example Configuration

    Figure 29 Example configuration One solution to this problem is to use mobile IP technology (described in RFC 3344) to maintain IPSec connections. In this configuration, the IP address of the mobile machine does not change when it moves from a home network to a foreign network.
  • Page 149: Ipsec Mobility On Nortel Vpn Router

    IPSec mobility on Nortel VPN Router Nortel VPN Router provides a new concept of IPSec mobility. The Nortel VPN Router IPSec implementation allows support for mobile clients to maintain tunnel connectivity while roaming from one access point to another. It maintains TCP-based applications and provides minimum disruptions to UDP-based applications.
  • Page 150: Ipsec Mobility And Nat

    The Nortel VPN Client status monitor reports if roaming is enabled for the session. The event log on the Nortel VPN Router reports on IPSec mobility actions. IPSec mobility and NAT If the Nortel VPN Client is behind a NAT box with NAT traversal enabled and encapsulation for the ESP protocol is used, UDP encapsulation is preserved after roaming.
  • Page 151: Roaming From Behind Nat To No Nat

    Roaming from behind NAT to no NAT In Figure 31, before roaming the client was connected through AP1 and a NAT box and had the address IP1. After roaming, the client is connected through AP2 without NAT; UDP encapsulation continues to be used.
  • Page 152: Ipsec Mobility In Nat Environment

    IPSec mobility in NAT environment In some situations, roaming in an environment of NAT devices might prevent users from taking full advantage of the IPSec mobility feature. Table 11 lists configuration considerations that increase roaming effectiveness in a NAT environment. Table 11 Configuration considerations Initial NVC connection was behind No NAT...
  • Page 153: Initial Contact Payload (Icp)

    When operating in IPSec mobility mode with split tunneling enabled, the Nortel VPN Client does not consider the routing table to be maliciously altered and will not bring down the tunnel in the following cases: • IP address change for any adapter •...
  • Page 154: Maximum Roaming Time

    Maximum roaming time Maximum roaming time is the time used by the Nortel VPN Client to keep the tunnel from going down after the IP address on the physical interface (on which the tunnel was brought up) has been lost.
  • Page 155: Persistent Tunneling

    Persistent tunneling A persistent VPN connection provides the ability to maintain a VPN connection without user intervention for a designated period of time. After successfully establishing a tunnel session to the Nortel VPN Router, the Nortel VPN Client makes every attempt to maintain a viable VPN connection. Persistence makes use of the automatic failover capability already available with the Nortel VPN Router and extends this to allow the new tunnel to be established without having to re-enter user credentials.
  • Page 156: Configuring Ipsec Mobility And Persistence

    Session persistence time should be longer than the roaming time as persistence starts only after roaming fails. There is no direct relation between persistence and any other timers on the Nortel VPN Router. However, the Nortel VPN Client will not enter persistence mode if the previous log off happened due to a log off message received from the Nortel VPN Router.
  • Page 157 Figure 32 Groups edit IPSec window Scroll down to Mobility Support and select Enabled. The default is Disabled. For Max Roaming Time(seconds), enter the number of seconds. The default is 120 seconds. Maximum roaming time (1-7200 seconds) specifies how long the tunnel should stay in the suspended state, or time allowed for the roaming to take effect.
  • Page 158 IPSec mobility operates at a higher level than the physical adapters. As a result, the PC on which the Nortel VPN Client runs can change between any physical adapters (wireless or wireline) and roaming continues to work as long as there is IP connectivity between the Nortel VPN Router and the client with the newly acquired address/interface.
  • Page 159 To enable IPSec mobility: CES(config-group/ipsec)#mobility enable
    To disable IPSec mobility: CES(config-group/ipsec)#no mobility enable
    To enable persistence: CES(config-group/ipsec)#persistence enable
    To disable persistence: CES(config-group/ipsec)#no persistence enable
    To change the maximum roaming time to, for example, 210 seconds: CES(config-group/ipsec)#max-roamingtime 210
    To change the persistence time to, for example, 1000 minutes: CES(config-group/ipsec)#persistent-time 1000...
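The roaming and persistence timers from pages 154 to 159, modelled as a small client-side state machine so the relation the manual states can be checked. This is an added example, not Nortel client or router code: after the address on the interface carrying the tunnel is lost, the tunnel is suspended for up to the maximum roaming time (1-7200 seconds, default 120); persistence starts only after roaming fails, so the persistence time should be longer than the roaming time; a persisted tunnel is rebuilt without re-entering credentials; and the client does not enter persistence if the previous log off came from a log off message sent by the router. The state names, class and method names and event timelines are constructed here; the CLI strings are the ones quoted on page 159. Treating a tunnel with mobility disabled as failing roaming immediately is an assumption of this model.

```python
"""IPsec mobility and persistent tunneling timers as a client-side state machine.

Added example, not Nortel code. State and method names and the timelines
are constructed; timer ranges, defaults and CLI strings are the page's.
Assumption: with mobility disabled, an address loss counts as roaming
having failed immediately.
"""
from dataclasses import dataclass
from typing import List, Optional, Tuple

UP, SUSPENDED, PERSISTING, DOWN = "up", "suspended", "persisting", "down"


@dataclass
class GroupIpsecPolicy:
    mobility: bool = True
    max_roaming_time: int = 120      # seconds, page range 1-7200, default 120
    persistence: bool = True
    persistent_time: int = 1000      # minutes, as in the page's CLI example

    def check(self) -> List[str]:
        """Problems an administrator should fix before applying the policy."""
        problems = []
        if not 1 <= self.max_roaming_time <= 7200:
            problems.append("max-roamingtime must be 1-7200 seconds")
        if self.persistence and self.persistent_time * 60 <= self.max_roaming_time:
            problems.append("persistent-time should be longer than max-roamingtime")
        return problems

    def cli(self) -> List[str]:
        """The config-group/ipsec commands quoted on the page for this policy."""
        return [
            "mobility enable" if self.mobility else "no mobility enable",
            f"max-roamingtime {self.max_roaming_time}",
            "persistence enable" if self.persistence else "no persistence enable",
            f"persistent-time {self.persistent_time}",
        ]


class ClientTunnel:
    """Tunnel state as seen from the client; times are seconds on one clock."""

    def __init__(self, policy: GroupIpsecPolicy, previous_logoff_from_router: bool = False) -> None:
        self.p = policy
        self.state = UP
        self.lost_at: Optional[int] = None
        self.persist_since: Optional[int] = None
        self.prev_router_logoff = previous_logoff_from_router
        self.needs_credentials = False

    def address_lost(self, t: int) -> str:
        """The interface carrying the tunnel lost its IP address."""
        if self.state == UP:
            if self.p.mobility:
                self.state, self.lost_at = SUSPENDED, t      # suspended, not torn down
            else:
                self._roaming_failed(t)                      # model assumption
        return self.state

    def address_acquired(self, t: int, router_reachable: bool = True) -> str:
        """A new address came up on any adapter; roaming needs IP reachability to the router."""
        self.tick(t)
        if self.state == SUSPENDED and router_reachable:
            self.state, self.lost_at = UP, None              # roaming succeeded
        elif self.state == PERSISTING and router_reachable:
            self.state, self.persist_since = UP, None        # rebuilt, no credentials asked
        return self.state

    def tick(self, t: int) -> str:
        """Advance the clock and expire the roaming or persistence timer."""
        if self.state == SUSPENDED and t - self.lost_at > self.p.max_roaming_time:
            self._roaming_failed(t)
        if self.state == PERSISTING and t - self.persist_since > self.p.persistent_time * 60:
            self.state, self.needs_credentials = DOWN, True
        return self.state

    def _roaming_failed(self, t: int) -> None:
        if self.p.persistence and not self.prev_router_logoff:
            self.state, self.persist_since = PERSISTING, t   # persistence starts only now
        else:
            self.state, self.needs_credentials = DOWN, True


def roam_within_time() -> str:
    c = ClientTunnel(GroupIpsecPolicy())
    c.address_lost(100)
    return c.address_acquired(150)            # 50 s < 120 s: the tunnel resumes


def roam_too_slow_then_persist() -> Tuple[str, str, bool]:
    c = ClientTunnel(GroupIpsecPolicy())
    c.address_lost(100)
    after_roaming = c.tick(300)               # 200 s > 120 s: roaming fails, persistence starts
    after_recovery = c.address_acquired(400)  # connectivity is back: rebuilt without credentials
    return after_roaming, after_recovery, c.needs_credentials


def after_router_logoff() -> str:
    c = ClientTunnel(GroupIpsecPolicy(), previous_logoff_from_router=True)
    c.address_lost(100)
    return c.tick(300)                        # persistence is skipped: the tunnel goes down


if __name__ == "__main__":
    print(GroupIpsecPolicy().cli(), GroupIpsecPolicy(max_roaming_time=7200, persistent_time=60).check())
    print(roam_within_time(), roam_too_slow_then_persist(), after_router_logoff())
```

`check()` is the part to run before pasting the commands into a config-group/ipsec session: a persistence time shorter than the roaming window can never take effect, because persistence is only entered once the roaming timer has already expired.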
  • Page 160 IKE 56-bit DES with Group 1 (768-bit prime)
    IKE Triple DES with Group 2 (1024-bit prime)
    IKE Triple DES with Group 7 (ECC 163-bit field)
    IKE AES 128 with Group 5 (1536-bit prime)
    IKE AES 128 with Group 8 (ECC 283-bit field)
  • Page 161 Configured Client web page Saver Password Required Client screen Saver Activation Time Client Policy Configured Client Policy Configured LDAP Authentication - User Name and Password LDAP Authentication - RSA Digital Signature LDAP Authentication - Default Server Certificate Configured External Authentication - User Name and Password External Authentication - Security Dynamics SecurID External Authentication - Group ID Configured...
  • Page 163: Branch Office Quick Start Template

    Appendix A Branch office quick start template The branch office quick start template provides a list of values that the local Nortel VPN Router 1010/1050/1100 users will need to enter on the BOQS window. You can enter the appropriate values in the right-hand column and then fax, send, or E-mail the template to the local user along with any other information that they may need, such as who to contact for further information or questions.
  • Page 165: Glossary

    Glossary acknowledgement (ACK) A type of message sent to indicate that a block of data arrived at its destination without error. address masks IP addresses used to represent a series or range of IP addresses. authentication A security procedure where a user verifies his identity before accessing networks protected by a firewall.
  • Page 166 Diffie-Hellman A key agreement algorithm that does key establishment, not encryption. However, the key it produces may be used for encryption, for further key management, or any other cryptography. digital certificate A certificate document in the form of a digital data object to which is appended a computed digital signature value that depends on the data object.
  • Page 167 firewall A collection of hardware and software components that controls communication between two networks, such as a private network and the Internet. All information passed between the two networks must pass through the firewall. The firewall allows only authorized traffic to pass between the networks.
  • Page 168 IP address The identifiers used by the protocols that govern Internet information exchange. The Internet Network Information Center assigns these numbers to uniquely identify different machines on the Internet. IPsec A tunneling protocol that offers strong encryption and integrity protection.
  • Page 169 management IP address The IP address that is used to manage all system services from a Web browser, such as HTTP, FTP, and SNMP. This address must be accessible from one of the switch's private physical interfaces. To be accessible, the Management IP Address must map to the same network as one of the private interfaces.
  • Page 170 Point-to-Point Protocol (PPP) A protocol that provides a method for transmitting packets over serial point-to-point links. Point-to-Point Tunneling Protocol (PPTP) A tunneling protocol that carries PPP sessions over an IP network. port A transport layer demultiplexing value. Each application has a unique port number associated with it.
  • Page 171 Routing Information Protocol (RIP) A distance vector, as opposed to link state, routing protocol. RSA digital signature A public-key cryptographic system that may be used for encryption and authentication. server A provider of resources, such as file servers and name servers. Simple Network Management Protocol (SNMP) The Internet standard protocol developed to manage nodes on an IP network.
  • Page 172 A method used by RIP in which a new routing table is sent almost immediately after a routing change has been made. This is in contrast to the poison reverse method, in which routes are updated after a cost of infinity is reached, a process that can take much time.
  • Page 173: Index

    Index access hours 78, 81, 119 accessible networks 120, 121 asymmetric branch office tunnel (ABOT) 119 asynchronous data over TCP (AOT) 105 authentication branch office 132, 145 authentication methods 119 base group 76 branch office access hours 119 authentication 132, 145 authentication methods 119 configuring 119 encryption settings 121...
  • Page 174 password 51 default route branch office 121 DHCP client 94 branch office tunnel endpoints 124 host name 92 round robin DNS 125 Dynamic DNS (DDNS) 127 encryption settings for branch office 121 FIPS overview 28 firewall branch office 120 interaction with branch office 121 license key 28 flash disk system compressed files 72...
  • Page 175 filter 95 Internet domain 92 inverse split tunneling 85 IP address assigning 29 currently assigned 95 IPSec mobility configuring 156 logging 149 IPX 31 tunnels 75 card 96 LAN interfaces 93 last name search 84 LDAP attribute search 85 license keys advanced routing 27 firewall 27 tunnel 27...
  • Page 176 navigational menu 57 nested tunnels 123 Network Address Translation (NAT) 122 Network Time Protocol (NTP) 106 Nortel VPN Router 1010/1050/1100 branch office quick start 61 compact flash disk 72 default configuration parameters 60 ISP environment 63 setting up 67 password 51 Peer to peer 131, 144 persistent tunneling 89, 155 port speed 96...
  • Page 177 Safe mode 50, 108 search for users 84 serial interface 31, 45 services 56 split tunnel 76, 84 subnet mask 95 subnetworks 119 Switch concepts 25 Symmetric Branch Office tunnel 119 system identity 91 technical publications 20 template 67 terminal emulator 34, 41, 45 tunnel license key 28 tunnel types 82 tunnels, configuring 75...
  • Page 178 Index Web browser interface 50 Web interface options 53 Welcome display 56

This manual is also suitable for:

1010, 1050, 1100