Restricted Mode; Nailed-Up Control Tunnels - Nortel 7 Configuration

VPN Router — basic features

Chapter 7 Configuring control tunnels
In this environment, the remote Boston Nortel VPN Router is connected by a
control tunnel to the local Cleveland Nortel VPN Router. From any system on the
Cleveland network, you can access the management address for the Boston Nortel
VPN Router. This allows systems on the Cleveland network to initiate management
operations on the Boston Nortel VPN Router, such as HTTP, FTP, and Telnet.
However, because it is a control tunnel, users on the Cleveland private networks
cannot exchange packets with users on the Boston private network.

Additionally, a user control tunnel is configured so that a remote user can
establish a control tunnel when using the IPsec client. You create this user
account, with password authentication, in the Control Tunnels group using the
serial port.

Restricted mode

The Restricted mode feature prevents management of the Nortel VPN Router
except through a control tunnel. This limits management to someone who has the
proper credentials both to set up the tunnel (if it is an end user) and to log
in as an administrator (administrative access privileges). Having the proper
access privileges acts as a level of security. Additionally, because Restricted
mode forces you to manage the Nortel VPN Router through a tunnel, the
management traffic is protected by the tunnel's encryption.

You enable Restricted mode through the Serial Interface menu or the command
line interface available through Telnet. In Restricted mode, you can perform the
main management functions through the control tunnel, including HTTP, FTP,
SNMP, and Telnet. Any attempt to perform these actions outside of the control
tunnel fails. You cannot enter Restricted mode unless there is an active
control tunnel. This ensures that there is a mechanism to manage the Nortel VPN
Router in Restricted mode.
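
One way to verify the Restricted mode behaviour described above from a test host, as an added example that is not part of the Nortel manual. The port numbers are the standard defaults for FTP, Telnet and HTTP (an assumption about the router's configuration), and the names `audit`, `reachable` and `MGMT_TCP_PORTS` are chosen here for illustration.

```python
import socket
import sys

# TCP management services the page names for Restricted mode, on their
# standard default ports (assumption: the router has not been moved off
# the defaults). SNMP is UDP-based and is outside this TCP connect check.
MGMT_TCP_PORTS = {"FTP": 21, "Telnet": 23, "HTTP": 80}


def reachable(host, port, timeout=2.0):
    """Return True if a TCP connection to host:port completes."""
    try:
        with socket.create_connection((host, port), timeout=timeout):
            return True
    except OSError:  # refused, timed out, unreachable
        return False


def audit(mgmt_addr, inside_tunnel, ports=MGMT_TCP_PORTS, timeout=2.0):
    """Return the service names that contradict Restricted mode.

    Outside a control tunnel every management service should fail, so any
    reachable service is a finding. Inside the tunnel they should work, so
    any unreachable service is a finding (risk of losing management access).
    """
    findings = []
    for name, port in sorted(ports.items()):
        up = reachable(mgmt_addr, port, timeout)
        if up != inside_tunnel:
            findings.append(name)
    return findings


if __name__ == "__main__":
    # Usage: python audit.py <management-address> inside|outside
    addr, vantage = sys.argv[1], sys.argv[2]
    bad = audit(addr, inside_tunnel=(vantage == "inside"))
    state = "reachable" if vantage == "outside" else "unreachable"
    for name in bad:
        print(f"FINDING: {name} is {state} from {vantage} the control tunnel")
    sys.exit(1 if bad else 0)
```

Run it once from a host that is not in a control tunnel and once through the tunnel; an empty result in both runs matches the behaviour the manual describes.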

Nailed-up control tunnels

You may want some control tunnels to remain up even when there is no traffic
traversing them. This is generally the case for branch office control tunnels
rather than end user control tunnels.
NN46110-500
Note: If you change any settings of the branch office connection when
using nailed-up tunnels, you must bring down the tunnel for the changes
to take effect.


This manual is also suitable for: 1010, 1050, 1100
