VPNmanager® Configuration Guide Release 3.
Copyright 2005, Avaya Inc. All Rights Reserved

Notice
Every effort was made to ensure that the information in this document was complete and accurate at the time of release. However, information is subject to change.

Warranty
Avaya Inc. provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty.

Federal Communications Commission Statement

Part 15: Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment.
Contents

Preface 15
  What Products are Covered 15
  VPNmanager Overview 15
    Network-wide Visibility and Control 16
    Intranet and Extranet Support
Chapter 2: Using VPNmanager 33
  About VPNmanager administrators 33
    Role Based Management 33
  Log into the VPNmanager console 35
    Add a policy server 35
    Open Domain
Chapter 3: Setting up the network 55
  New VPN Domain 55
  Configuring a security gateway 57
    Creating a new security gateway 57
    Using Device tabs to configure the security gateway
Chapter 4: Configuring IP Groups 97
  About IP Groups 97
    Creating a New IP Group 97
  New IP Group 98
    IP Group - General tab
Information for VPNremote Client users 119
  Using local authentication 120
  Using RADIUS authentication (VPNos 3.X and VPNos 4.31) 120
  Using LDAP authentication (VPNos 3.X only) 120
Using Policy Manager for user configuration
Using the VPN tabs 138
  General tab 138
    General tab with IKE 138
    General tab with SKIP 139
  Memo tab
Services 172
Device Group 173
Denial of Service 173
Voice Over IP 175
  Using the IP Trunking Call Model
Port for dyna-policy download 204
Port for Secure Authentication 204
Private IP Address (VPNos 3.x) 204
Send Device Names 205
SuperUser Password (VPNos 3.x)
Policy Manager - My Certificates 234
  About VSU certificates 234
  Creating and Installing a Signed Certificate 235
  Switching certificates used by VPNmanager Console 237
  Issuer certificates
Re-setup Device 281
Import Device Configuration 281
Ethernet Speed 282
Redundancy 283
Network Interface Status
Preface

This Avaya VPNmanager® Configuration Guide is written for individuals who have an understanding of how computer networks are installed, configured, and managed. It provides detailed information about using the Avaya VPNmanager solution to build small, medium, or large scale Virtual Private Networks (VPNs). VPNmanager is a Java-based software application that brings convenience, ease of use, extended functionality, and platform independence to the management of VPNs.

Network-wide Visibility and Control

The logical VPNmanager representation of virtual private networks simplifies their installation and control. From a single workstation, network managers can assign users anywhere on the network to one or more logical Groups and integrate local and remote Groups into VPNs.
Complementary to SNMP Management Tools

The VPNmanager software is designed specifically for securely defining, configuring, monitoring, and upgrading VPNs. The VPNmanager software is required to configure and modify VPNs. Secure traffic running between VSUs or between VSUs and VPNremote Clients does not require an active VPNmanager. After configuring the required VPNs, the VPNmanager can be shut down if desired, or used to monitor security gateway activity.

Chapter 1: Overview of implementation, provides an overview of how to use VPNmanager for centralized administration of your VPN and security gateway. It includes a checklist for implementing the network.

Chapter 2: Using VPNmanager, explains how to log in to VPNmanager. It also explains how to use the VPNmanager interface, including the VPNmanager main console and the configuration console. The VPNmanager Preferences are described here.

Contacting Technical Support

Technical Support is available to support contract holders of Avaya VPN products.

Domestic support
● Toll free telephone support: (866) 462-8292 (24x7)
● Email: vpnsupport@avaya.com
● Web: http://www.support.avaya.com

International Support
● For regional support telephone numbers, go to http://www.avayanetwork.com/site/GSO/default.
Chapter 1: Overview of implementation

Planning how your virtual private network should be configured is critical to the successful deployment of a secure virtual private network. This chapter provides an overview of the major features that you will configure.

Note: This chapter does not explain how to set up a VPN or how to determine what type of security policies are required. You should understand networking, establishing firewall policies, and VPNs before implementing a VPN using VPNmanager.

VPNremote Client software

VPNremote Client software is a communications application that runs on remote computers that use dialup, DSL, and cable connections supplied by Internet Service Providers (ISPs) to connect to the corporate VPN. When communicating with a VPN, the software seamlessly performs authentication and cryptography tasks. To install and use the software, an account with an ISP must first be created.
Overview of the VPN management hierarchy

● VPNmanager Enterprise Client. Use the Enterprise Client version for managing an unlimited number of security gateways and VPNremote Clients.
● VPNmanager Service Provider Client. Use the Service Provider Client version to manage an unlimited number of security gateways and VPNremote Clients. The Service Provider Client also supports multiple VPN domains.

An IP Group contains the IP addresses that belong to a specific LAN. Any device connected to the LAN can use these addresses. A VPN can have many IP Groups, so addresses can be consolidated to meet the needs of an organization.

The security gateway is configured to provide VPN gateway functionality and firewall coverage. VPNmanager security management includes creating domain-level firewall rules and device-level firewall rules.

Preparing to configure your network

● Public-backup zone. The public-backup zone is the backup interface to the primary public interface for use when Failover is configured.
● Semiprivate zone. The semiprivate zone is used for media such as wireless LAN, where the network is considered part of the protected network but the media may be vulnerable to attack.
Static Routes

Static routes are specified when more than one router exists on a network to which the security gateway must forward either VPN traffic or non-VPN traffic. You can build a static route table with up to 32 network address/mask pairs.

IP groups

Data Terminal Equipment (DTE), such as computers, printers, and network servers, are devices that can be members of a VPN. To make these devices members, you create IP Groups.

Security policies

VPNmanager security policy management provides the following security features that can be configured:
● Firewall rules
● Denial of Service (DoS) categories
● Quality of Service (QoS) rules
● Bandwidth management

In addition, encryption security options include Internet Key Exchange (IKE) with the IP Security protocol (IPSec). This setting applies globally to the VPN.

● Ping of Death. The ping of death sends packets with invalid lengths. When the receiving system attempts to rebuild the packets, the system crashes because the packet length exhausts the available memory.
● IP Spoofing. This attack sends an IP packet with an invalid IP address. If the system accepts this IP address, the attacker appears to reside on the private side of the security gateway.
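As an added illustration of the two DoS categories above (not part of the Avaya guide), the following Python classifies constructed packet summaries the way a gateway's DoS filter would: a fragment whose offset plus payload cannot fit in a legal 65535-byte datagram is a Ping of Death, and a packet that arrives on the public zone claiming a source inside a private-side network is spoofed. The Packet fields, the private network and the sample packets are assumptions constructed for the example.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List

MAX_DATAGRAM = 65535      # largest Total Length an IPv4 header can express
MIN_IPV4_HEADER = 20      # header size of a reassembled datagram with no options
MAX_PAYLOAD = MAX_DATAGRAM - MIN_IPV4_HEADER   # 65515 bytes of reassembled payload


@dataclass
class Packet:
    """Hypothetical summary of one IPv4 packet as the gateway would see it."""
    zone: str             # security zone the packet arrived on: "public" or "private"
    src: str              # IPv4 source address
    total_len: int        # IPv4 Total Length field (header + payload), in bytes
    ihl: int = 5          # Internet Header Length, in 32-bit words
    frag_offset: int = 0  # Fragment Offset field, in 8-byte units


def is_ping_of_death(pkt: Packet) -> bool:
    """Flag fragments whose claimed lengths cannot form a legal datagram.

    A reassembled IPv4 datagram holds at most 65515 payload bytes; a fragment
    whose offset plus payload lands beyond that overflows the reassembly buffer.
    """
    header = pkt.ihl * 4
    if pkt.total_len < header:
        return True                      # header length exceeds the whole packet
    payload = pkt.total_len - header
    return pkt.frag_offset * 8 + payload > MAX_PAYLOAD


def is_spoofed_source(pkt: Packet, private_nets) -> bool:
    """A packet arriving on the public zone must not claim a private-side source."""
    if pkt.zone != "public":
        return False
    src = ip_address(pkt.src)
    return any(src in net for net in private_nets)


def classify(pkt: Packet, private_nets) -> List[str]:
    """Return the DoS categories from the guide that this packet matches."""
    hits = []
    if is_ping_of_death(pkt):
        hits.append("ping_of_death")
    if is_spoofed_source(pkt, private_nets):
        hits.append("ip_spoofing")
    return hits


def count_categories(packets, private_nets) -> Dict[str, int]:
    """Tally matched categories over a capture, as an attack-log summary would."""
    counts = {"ping_of_death": 0, "ip_spoofing": 0}
    for pkt in packets:
        for cat in classify(pkt, private_nets):
            counts[cat] += 1
    return counts


# Constructed sample: one private-side network and a handful of packets.
PRIVATE_NETS = [ip_network("10.1.0.0/16")]
SAMPLE_PACKETS = [
    Packet("public", "203.0.113.7", total_len=84),                    # ordinary echo request
    Packet("public", "203.0.113.7", total_len=28, frag_offset=8189),  # 65512 + 8 > 65515
    Packet("public", "10.1.1.5", total_len=60),                       # private source on public zone
    Packet("private", "10.1.1.5", total_len=60),                      # same source, expected zone
    Packet("public", "10.1.1.9", total_len=16),                       # both: bad length and spoofed
]

if __name__ == "__main__":
    for pkt in SAMPLE_PACKETS:
        print(pkt.zone, pkt.src, classify(pkt, PRIVATE_NETS))
    print(count_categories(SAMPLE_PACKETS, PRIVATE_NETS))
```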
● Allow voice-secure communication with Avaya’s IP Softphone and IP Office Phone Manager Pro using VPNremote Client
● Enable NAT traversal of H.323 VoIP traffic
● Optimize bandwidth for VoIP traffic using the security gateway’s Quality of Service (QoS) policies

In order to successfully use VoIP, it is important to thoroughly plan the implementation of the feature. Avaya suggests that you read the Avaya IP Telephony Implementation Guide before implementing VoIP.

Syslog

The security gateway has a syslog messaging facility for logging system error messages. The messages can be automatically sent to a destination running a Syslog server.

Client IP address pooling

Access control devices (ACD), such as firewalls, guard networks from unauthorized users. Analyzing source addresses is one method ACDs use to decide which packets can enter a network.

Sequence to configure your VPN

11. Configure firewall rules
12. Associate firewall rules with the correct gateway and security zone
13. Configure other features such as QoS, VoIP gateway, DHCP, NAT, routing, etc.
Chapter 2: Using VPNmanager

With Avaya VPNmanager you can define, configure, and manage VPNs and firewall policies, upgrade firmware, and manage remote user access policies. The VPNmanager graphical interface is modularized by functions and tasks to make configuring a VPN fast and easy.

Administrator with full access

An administrator with full access can modify the configuration for VPN domains, change their password, and be part of multiple VPN domains. VPNmanager allows a full-access administrator to modify objects and devices that are saved by VPNmanager. RBAC full-access administrators can create or delete objects, update or upgrade devices, and modify or import configuration.

Log into the VPNmanager console

You log in to the VPNmanager from your computer’s Start menu, Programs>Avaya>VPNmanager>Console. You use the super user name and password that were configured when the VPNmanager software was installed.

Figure 2: VPNmanager login screen

The first time you log in to the VPNmanager Console, you log in as the super user and add the policy server address or the name associated with the address. See Add a policy server on page 35.

3. Enter the IP address of the Policy Server.
4. Enter the port. The default is 443.
5. Click OK. The name or address is displayed on the login screen.

You can edit or delete the policy server information.

Open Domain

When you connect to the directory server, an Open Domain screen appears. A list of all domains is displayed, with the last-selected domain highlighted.

Note: The Open Domain screen does not appear if you add a context and then click Connect on the first logon dialog.
Navigating the main window

Figure 3: VPNmanager console main window (callouts: header with domain name, menu bar, view pane, icon toolbar, alarm pane)

The menu bar on the main VPNmanager screen includes the following commands: File, Edit, View, Tools, and Help.

File menu

The File menu includes the following commands:
● Domain. You can create a new domain, open, close, or delete an existing domain, and select from a list of recent domains that were accessed.

Note: When you delete VPNs that include groups associated with RADIUS-enabled security gateways, the VPNremote Client configuration records should be removed from the RADIUS database. See RADIUS/ACE Services on page 124.

● New Object. When New Object is selected, a list of objects that can be created is displayed. When you select one of these commands, either a dialog or a wizard is opened to configure the information. Table 2 describes the new objects that can be configured.

Table 2: New object (continued)

Objects and descriptions:
● Device Group. You can group devices and assign users to those specific devices.
● QoS. You create a quality of service (QoS) policy to classify and prioritize traffic based on a DSCP value and TCP/IP services and networks.
● Admin. You can configure VPNmanager administrators and assign administrative roles.
● Failover. You can configure up to five IP addresses for tunnel end points (TEP) and properties for failover reconnection.

list of enterprise MIB objects. Examples of ready-to-use groups include an Attack log, Traffic log, security gateway CPU usage, and throughput. You select a type of group to monitor, or you can define a custom group to monitor. See Using Monitor on page 250.
● Report Wizard. Select View>Report Wizard to open Reports, or you can click the Reports icon on the toolbar. The wizard guides you through creating various reports showing details of your network or an object in the network.

Figure 5: Icons on toolbar (icons: Device, Users, IP Group, Services, Firewall Template, VPN, Firewall, Device Group, User Group, QoS Mapping, QoS Policy, Failover, Keep Alive, CNA, Admin)

Table 3: Toolbar commands
● New Object. The New Object button is a shortcut to the File>New Object command to create new objects within any of the categories listed in Table 2.
VPN view pane

The VPN view pane is empty until you define your VPN. As devices are configured and added to the VPN, they are displayed in the view pane. The VPN view pane automatically selects one of three presentation types: network diagram view, tiled view, or tree view. The view used is determined by the complexity of the VPN. When the VPN contains fewer than six security gateways, a familiar network diagram view is presented.

Figure 6: VPNmanager Network Diagram View

Tiled View

When six or more security gateways are present in the selected VPN, the presentation automatically switches from the diagram view to the tiled view.

Figure 7: VPNmanager, Tiled View

Tree View

An alternative presentation style to the diagram and tiled views, the tree view mimics the Windows-style vertical directory presentation. Its main benefit is that in large or complex VPNs, sections can be collapsed to simplify the view.

Figure 8: VPNmanager, Tree View

Alarm monitoring pane

To the right of the VPN view pane is the alarm monitor pane. The alarm monitor pane contains summary alarm information, including a time stamp, security gateway name, and alarm type. Alarm information is presented in a vertically scrolling list. A rotating red beacon appears at the top of this screen when a critical alarm is received. See Monitoring alarms on page 268.

Configuration Console window

Figure 9: Configuration console window

Configuration Console Menu bar

The menu bar on the Configuration Console window includes the following commands: File, Edit, View, Tools, and Help.

File menu

The File menu includes the following commands:
● New Object. You can create new objects within any of the categories listed in Table 2: New object on page 38.
● Save Changes. This command saves any changes made through the Configuration Console.
● Discard changes.

View menu

From the View menu, you can view the configured objects, and you can refresh the screen.

Tools menu

The Tools menu consists of functions used for normal VPN maintenance. These functions include the following.
● Update Devices. To update the selected security gateway configuration, click Update Devices. You select the security gateway to update. This reconfigures all security gateway parameters for the selected gateway and can take several minutes to complete.
Update Devices

Table 4: Policy Services (continued)
● IKE Certificate Usage
● Firewall*
● RADIUS/ACE
● Client Attributes*
a. Policies that can be configured for security gateways with VPNos 4.x. Beginning with VPNos 4.31, the Firewall configuration is not part of Policy Manager.

Toolbar

The toolbar includes the following shortcut buttons.
● New Object.

5. If the Update Configuration dialog appears, do the following.
● In the User Name text box, type in the superuser name you configured through the Console Quick Setup Menu when the device was being installed. If the device had a firmware upgrade from 3.x, type in root.
● In the Password text box, type in the Superuser password configured at the Console Quick Setup Menu when the device was being installed. If the device had a firmware upgrade from 3.
Preferences

Figure 10: Preferences, General Tab

Save Configuration changes automatically - When this radio button is active, any changes made to an object are automatically saved upon moving to another object.

Alert me before saving configuration changes - When this radio button is active, any change made to an object triggers a Save prompt upon attempting to move to another object.

Figure 11: Preferences, Dyna-Policy (Global) Tab

Dyna Policy Authentication

The Dyna Policy Authentication tab offers a selection of how user authentication and Client Configuration Download (CCD) are performed. Choices are Local (security gateway-based), RADIUS, or LDAP. Whichever method is selected applies globally (across the entire VPN). Selection is made by clicking the desired radio button. See Configuring a remote user object on page 118 for details about configuring Dyna Policy.

Advanced

The Advanced tab is used to either hide or display the LDAP directory context field that appears in a number of places throughout the VPNmanager Console. Users familiar with the LDAP directory structure may prefer having this field displayed.

Alarm/Monitoring

The Alarm/Monitoring tab is used to define high-level functions of the alarm console. See Monitoring alarms on page 268.

Figure 15: Preference, Alarm/Monitoring

Resolve IP Address to Device Name - Enable/Disable. When enabled, the IP address of the alarming security gateway is translated into the security gateway name for display in the Alarm Console. When disabled, only the alarming IP address is shown.

Figure 16: Tunnel End Point Policy

Issue 4 May 2005
Chapter 3: Setting up the network

This chapter describes the following features that are configured for the domain and the security gateway:
● New VPN domain
● Security gateway, including:
  ● Domain name system resolution
  ● Zone interfaces
  ● NAT policies
  ● Static route table
  ● Routing information protocol (RIP)

New VPN Domain

A domain can be created to meet the networking needs of an entire organization, or a domain can be created to meet the needs of specific departments of an organization.

Note: Use organization names (for example, “WorldWideSales_VPN” or “ApplicationsEngineering_VPN”) since VPNs usually represent functional organizations within a corporation.

Note: Once the domain name is created, you cannot change it.

3. In the Security text box, select the firewall template to be applied to this domain. For detailed information regarding the security policies included in this template, see Chapter 8: Establishing security.

Configuring a security gateway

The New Object>Device function is used to create security gateways and VPN Service Units (VSU) in a VPN environment. Security gateways act as the end-points of VPN tunnels.

Note: Beginning with VPNmanager 3.4, this configuration guide uses the term “security gateway” to refer to both the security gateway and the VSU. The VPNmanager application uses the term “Device” to refer to both of these components.

● DNS Name, to enter the name of the Domain Name Service of the new security gateway. See DNS tab on page 63.

If the device is already in the network, select the Detect Device checkbox. The default is selected.
3.

Using Device tabs to configure the security gateway

13. Click Finish to save the configuration information to the directory server, to poll the security gateway, and to exit the Setup Wizard.

When you want to send configurations to one or more security gateways, click Update Devices from the Configuration Console window or use the Action tab to send the configuration to the security gateway.
Table 5: Device tabs by release (continued). Columns: Tab; All VPNos Releases; VPNos 4.0 and earlier; VPNos 4.2 and later; VPNos 4.4 and later; VPNos 4.5 and later; VPNos 4.6. Rows in this part of the table: General (all VPNos releases), High Availability, Network Objects, Policies, Interfaces, Memo.

Figure 17: Device General tab

Directory Name - The directory name is the location of the security gateway in the directory tree structure. The security gateway name is unique within the VPN domain to which it is assigned.

VPN Mode - The VPN mode can be either VPN Gateway or User VPN. In the VPN Gateway mode, the security gateway is configured in a site-to-site VPN. The VPNmanager can manage the device in the VPN Gateway mode.

Associated IP Groups area - This area lists the names of the IP groups associated with this security gateway. You can select an IP group from the list and click Go to go to the IP Group tab to view the group information.

For VSUs running VPNos 4.0 or earlier, the following additional information is shown.

Export Type - Export type indicates the level of encryption used.

Serial Number - A unique number assigned during manufacturing for each security gateway.

3. In the Memo text box, type in any information about the security gateway.
4. When finished, click Save.

DNS tab

Use the DNS tab to define where to forward the Domain Name Service (DNS) name resolution requests from the IP devices on the private side of the security gateway.

Figure 18: DNS tab

Configuring the DNS tab for security gateways at 4.

When a DNS server is selected to send the DNS query and no response is received within a short time, another DNS server is selected by continuing the process described in the previous paragraph. But if the previously selected server replies to the DNS query, another DNS server is not selected, regardless of whether the response is positive or negative.
To add a static DNS server:
1. From the Configuration Console Contents column, select the security gateway to be configured. Click the DNS tab to bring it to the front.
2. In the Static DNS Servers area, click Add. Enter the IP address of the DNS server and enable the backup link, if required.
3. The backup link is the DNS server that is used when the backup Ethernet interface is in use.

7. Click Close to return to the DNS tab. Clicking Close discards any changes made in the Add DNS Rule dialog box.
8. Click Save to save the change.
9. When you want to send the configuration to one or more VSUs, click Update Devices.

To delete a DNS server address:
1. From the Contents column, select the security gateway whose DNS server address you want to delete.
2. Click the DNS tab to bring it to the front.
3. From the Current DNS Servers list, select the address you want to delete.
4.

Figure 20: Interface tab Config

Media interfaces can be assigned to one of six different network uses, called zones. The number of zones that can be configured depends on the security gateway model (Table 6). Ethernet0 and Ethernet1 are present in all models and are assigned to the public and the private zones. The media interfaces that remain are unused and can be configured as required.

Table 6: Network zones (continued)

Media type: Ethernet2
● SG5 and SG5X: NA
● SG200: NA
● SG203 and SG208: Unused, Public backup, Private, Semiprivate, DMZ, Management

Media type: Ethernet3 to Ethernet5
● SG5 and SG5X: NA
● SG200: NA
● SG203 and SG208: Unused, Public backup, Private, Semiprivate, DMZ, Management

The following section descri
To set the amount of time delay to switch from a secondary interface to the primary interface once the primary link has been detected, configure the Hold Down Timer. This delay provides the necessary time for the primary interface to stabilize. The Hold Down Timer applies to failover conditions occurring due to a link-level failure on the public primary interface only. The Hold Down Time value is expressed in seconds. The value range is 0 to 3600 seconds.
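To make the Hold Down Timer behaviour concrete, here is an added Python model (not from the guide or the VPNos firmware) of the public/public-backup switch: a drop of the primary during the hold-down restarts the wait, so a flapping link does not pull traffic back before it has stabilized. The class, the event list and the timings are constructed assumptions; the 0 to 3600 second range is the one stated above.

```python
from dataclasses import dataclass, field
from typing import List, Optional, Tuple

HOLD_DOWN_MIN, HOLD_DOWN_MAX = 0, 3600   # valid Hold Down Timer range, in seconds


@dataclass
class PublicFailover:
    """Hypothetical model of public/public-backup failover with a hold-down timer."""
    hold_down: int
    active: str = "primary"                    # interface currently carrying traffic
    primary_up: bool = True                    # last known link state of the primary
    primary_seen_up_at: Optional[int] = None   # when the primary came back while on secondary
    events: List[Tuple[int, str]] = field(default_factory=list)

    def __post_init__(self) -> None:
        if not HOLD_DOWN_MIN <= self.hold_down <= HOLD_DOWN_MAX:
            raise ValueError(f"hold_down must be {HOLD_DOWN_MIN}..{HOLD_DOWN_MAX} seconds")

    def link_change(self, t: int, primary_up: bool) -> None:
        """Record a link-level state change on the public primary interface at time t."""
        self.primary_up = primary_up
        if not primary_up:
            # A drop during the hold-down restarts the wait: the link was not stable yet.
            self.primary_seen_up_at = None
            if self.active == "primary":
                self.active = "secondary"
                self.events.append((t, "primary link lost, failed over to secondary"))
        elif self.active == "secondary" and self.primary_seen_up_at is None:
            self.primary_seen_up_at = t
            self.events.append((t, "primary link detected, hold-down started"))

    def tick(self, t: int) -> str:
        """Evaluate the timer at time t; switch back only once the primary stayed up long enough."""
        if (self.active == "secondary" and self.primary_up
                and self.primary_seen_up_at is not None
                and t - self.primary_seen_up_at >= self.hold_down):
            self.active = "primary"
            self.primary_seen_up_at = None
            self.events.append((t, "hold-down expired, switched back to primary"))
        return self.active


def simulate(hold_down: int, link_events: List[Tuple[int, bool]], end_time: int) -> PublicFailover:
    """Drive the model one second at a time with constructed link events (time, primary_up)."""
    fo = PublicFailover(hold_down)
    pending = sorted(link_events)
    for t in range(end_time + 1):
        while pending and pending[0][0] == t:
            fo.link_change(t, pending.pop(0)[1])
        fo.tick(t)
    return fo


def switch_back_time(fo: PublicFailover) -> Optional[int]:
    """Time at which traffic returned to the primary interface, or None if it never did."""
    for t, what in fo.events:
        if what.startswith("hold-down expired"):
            return t
    return None


# Constructed scenario: the primary drops at t=10, flaps back up at 20, drops again at 35,
# and is stable from 40 on. With a 30 s hold-down the switch back happens at t=70, not 50.
FLAPPING_LINK = [(10, False), (20, True), (35, False), (40, True)]

if __name__ == "__main__":
    for t, what in simulate(30, FLAPPING_LINK, 100).events:
        print(f"t={t:3d}s  {what}")
```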
Options for IP addressing for interface zones

You can configure each zone with different addressing options, and the private port can be configured as a DHCP server or as a DHCP relay used to obtain IP addresses from the DHCP server (Table 7). This section explains the options in detail.

Point-to-Point Protocol Over Ethernet (PPPoE) Client

Use PPPoE Client addressing as a convenient way to connect the public or public-backup zone of the security gateway to the Internet, if your ISP supports PPPoE addressing. PPPoE Client addressing requires user authentication.

Field descriptions (continued):
● Primary WINS. This is optional. Configure primary WINS when delivering network configuration information to DHCP clients. The security gateway delivers the primary WINS server information before the secondary WINS server information. This order of delivery ensures that DHCP clients use the WINS servers in the specified configuration order.
● Secondary WINS. This is optional.

DHCP Relay

This functionality allows the DHCP Relay agent to bind to the device’s private and semiprivate interface zones and forward only DHCP requests from the network behind the device to the DHCP server(s) on the public network. The DHCP server can reside on the private, semiprivate, or public zone, or on another remote network.
Figure 21: Media interface configuration dialog

Note: The fields displayed in the screen are based on the type of zone selected.

3. The media option choices depend on the media type selected and the capabilities of the underlying device hardware and driver. QoS is used by the QoS module to restrict the bandwidth of the interface to the upstream limit of the network. For example, to allow QoS to regulate the maximum bandwidth of a 100 Mbps interface down to 25 Mbps, enter 25 Mbps.
4.

● The IP address. This IP address must be within the same subnet as the DHCP server. Avaya recommends that you use an IP address for the device that falls into the DHCP subnet, but not in the DHCP range.
4. Click Add, and then click OK.

To add an IP telephony device to the security gateway:
1. Click IP Telephony. The IP Telephony Settings dialog is displayed.
2. Enter the following information:
● TFTP File Path Name.

Private port tab

For SGs with VPNos 4.2 or VPNos 4.3, the Private Port tab is used to configure the private IP address. In addition, you can configure the device to act as a DHCP server on the private port, or you can configure a DHCP relay.

Note: For SGs with VPNos 4.4 and higher, configure the private port address using the Interfaces tab.

Note: Changing the DHCP Server IP address may result in losing connectivity to the security gateway if the VPNmanager is on the private side of the security gateway. Also, all active DHCP clients may require renewal through an OS utility (for example, winipcfg or ipconfig in Windows) or rebooting.

Note: When changing the DHCP IP address range, execute an ipconfig release and renew command.

IP Devices Configuration.

The Avaya DEFINITY® series of IP telephones require entries for all four fields (refer to your DEFINITY documentation for further information). Non-Avaya IP telephones require, at a minimum, the TFTP server IP address.

Note: The following IP telephone DHCP options are supported:
● Option 150: Proprietary to Avaya IP telephones. This option is for the TFTP server IP address.
● Option 176: Proprietary to Avaya IP telephones.

Note: When the security gateway is acting as a DHCP Relay, the security gateway cannot be a DHCP server at the same time. DHCP Relay and DHCP Server services are mutually exclusive.

When the DHCP Relay agent receives DHCP client requests from the private port, the relay agent creates new DHCP messages and forwards them to the DHCP server(s) on the public network.
Figure 24: Device Users tab To add a device account user: 1. From the Configuration Console Contents column, select the device to be configured. Click the Device Users tab to bring it to the front. 2. Click the Device Account User drop-down menu to select the user. 3. In the VPN Authentication Profile area, enter the following information: ● VSU/SG Address. Select the primary device from the drop-down menu or enter the DNS name of the device.
Select a network object and click Add to configure additional IP addresses and masks. Figure 25: Device Network Objects tab Routing Routing is specified when more than one router exists on a network to which the security gateway must forward either VPN or non-VPN traffic. The Routing tab shows the VPN traffic default routes, including the IP address of the next hop and the network address/mask pairs for that hop.
The Network/Mask Pairs for this Hop list indicates the static route destination addresses. You can build a static route table with up to 32 network address/mask pairs. This limit allows for any combination ranging from a single router with 32 network address/mask pairs to 32 routers with a single address/mask pair each. To build a routing table using the default gateway: 1. From the Configuration Console Contents column, select the security gateway you want to configure. 2.
13. Click Add to List to put the address/mask pair into the Current Network/Mask Pairs for this Hop list box, which also associates the pair with the IP address of the next hop router. 14. Click Finished to return to the Static Route tab. 15. Click Save. 16. When you want to send the configuration to one or more security gateways, click Update Devices. Default Gateway for VPN Traffic (VPNos 3.
If the security gateway is in a network with many routers (gateways) to other TCP/IP networks, there can be more than one possible path to a specific router. In that case, the routers are probably building their routing tables from the information exchanged by a routing protocol. Security gateways can use such protocols to dynamically build a routing table. Keep in mind that routes learned this way come from whatever speaks RIP on the segment, and RIPv1 carries no authentication, so enable RIP only on interfaces where every router is trusted. To build a RIP table: 1. From the Configuration Console Contents column, select the security gateway you want to configure. 2.
Policies tab, NAT services Network Address Translation (NAT) is an Internet standard that allows private (nonroutable) networks to connect to public (routable) networks. To connect private networks and public networks, address mapping is performed on a security gateway that is located between the private network and the public network. Note: Beginning with the VPNmanager 3.2 and the VPNos 4.2 releases, the VPNremote Client 4.
Note: If your network contains any nonroutable addresses, Avaya recommends that you enable the Share public address to reach the internet feature. Firewall rules that are in use can still block translated traffic, so check them after adding NAT rules. Priority of NAT types NAT is a rule-based policy, where the priority is based first on the NAT type and then on the order in which the rules appear in the NAT list. NAT types have the following priority: 1. Redirection 2. Static NAT 3. Port NAT Configuring NAT (VPNos 4.
To add a NAT rule (VPNos 4.31): 1. From the Configuration Console Contents column, select the Policy tab to bring it to the front. Select NAT from the list. 2. Click GO. The NAT Rules dialog is displayed and the selected device's name should be visible in the Object Names list. 3. From the Type list, select static, port, or redirection. See Policies tab, NAT services on page 85.
About NAT types for VPNos 3.X For VPNos 3.X, you can set the following types of NAT mapping on the VSU. ● Static Mapping – Addresses from one network are permanently mapped to addresses on another network. Static mapping works when traffic is initiated either inside or outside of the private network. ● Dynamic Mapping – Addresses from one network are temporarily mapped to an address from another network.
● Provide support for multi-gateway network configurations. Address mapping can be used to ensure that request and reply packets enter and exit the network through the same security gateway. Accessing the Internet from private networks Figure 28 shows an example of using NAT to allow hosts on a private non-routable or non-registered network to access the Internet.
In the example shown in Figure 28, when client 10.1.2.101 initially sends a packet to a host on the public network, the security gateway dynamically maps the client's private address 10.1.2.101 to a public address selected from the N1.N2.N3.0/24 address pool. Since the packet is going out the public interface, the security gateway changes the packet's source address 10.1.2.101 to its assigned public address N1.N2.N3.X. When the public host receives the packet, it sends a reply to N1.
changing it from 10.1.1.17 to 172.16.0.17. At this point, the packet's source and destination addresses are 172.16.0.17 -> 172.16.1.20. The packet is then tunneled across the public network to LA_VSU. Since the packet enters LA_VSU through a tunnel, the NAT rule on the tunnel interface is applied to the packet, changing its destination address from 172.16.1.20 to 10.1.2.20, which is the IP address of the LA_Sales_Group server.
When the SF_VSU receives the reply packet through the tunnel, the tunnel NAT rule changes the packet's destination address from 172.16.0.17 to 10.1.1.17, and the private interface NAT rule changes the packet's source address from 172.16.1.20 to 10.0.88.20 before the packet is sent out to the SF_Sales_Group client through the private interface.
Figure 30: Using NAT to Support Multiple Gateways Interface for VPNos 4.2 The following three interface choices are available for devices with VPNos 4.2: ● Public – Primarily used to allow clients on a private network to access hosts on the Internet and for transport mode VPNs. ● Private – Used to support multiple gateways.
● Tunnel – This is a special interface used to support tunneling between overlapping private networks while still allowing connections to the Internet. Group - If you select "Use existing groups," the original address and mask are replaced with the Group selection list. Original - The IP address of the original address and Network/Mask Pair. Translated - Enter the translated address and mask or port range in the Translated fields.
3. From the Translation Type list, select a translation type. 4. From the Translation will be applied on list, select which interface needs the NAT rule. 5. In the Original Address and Original Mask text boxes, type the original address and mask. 6. Do one of the following. ● In the Translated Address and Translated Mask text boxes, type the translated address and mask.
To add a tunnel NAT rule: 1. From the Configuration Console>Device Contents pane, select the Policy tab to bring it to the front. Select NAT from the list. Click GO. The NAT Rules dialog is displayed. 2. Click Add to open the Add NAT Rule dialog box. 3. Select the tunnel zone for the NAT rule. The Media Interface field displays the media that corresponds to the zone that you select. 4. From the Type list, select either static or port.
Chapter 4: Configuring IP Groups An IP Group is composed of a set of hosts (workstations and servers) that are located behind a common security gateway. The hosts are defined by their IP address and mask. The security gateway must exist prior to creating IP Groups. Virtual private networks (VPNs) are made up of IP Groups at multiple locations linked across a public IP network.
5. Your new IP Group appears in the Contents column. 6. Click Save. After an IP Group is created, use the General and Memo tabs to record notes about the IP group. New IP Group The New IP Group screen is displayed when New>IP Group is selected, or when no IP Groups currently exist. Note: If the Hide directory context check box is unchecked (in the Advanced tab of the Preferences drop-down menu), the Context field is displayed (default = off).
IP Group - General tab Figure 31: IP Group General tab One or more address/mask pairs can be created, and the group can be associated with a specific security gateway. Your new group can even be associated with a security gateway belonging to an extranet, a VPN outside your domain and belonging to another organization, such as suppliers, banks, or customers. This tab includes the following information. Members IP Network/Mask Pairs and Ranges.
IKE Identifier. - An extranet security gateway using IKE key management can be identified by one of the following IKE Identifier types: ● IP Address ● DNS Name ● Directory Name ● Email Name When one of the above is selected, an appropriate field appears in which the information is entered. Add IP Group member The Add IP Group Member dialog appears when Add is clicked. A new member can be added to the current IP Group list.
Table 8: Deriving the Group Mask (continued)
To specify a contiguous range of this many addresses | Start from an IP address that meets these specifications | And use this mask
128 | ###.###.###.n (n = 0 or 128); e.g., 130.57.4.128 | 255.255.255.128
256 | ###.###.###.0 (last octet = 0); e.g., 130.57.4.0 | 255.255.255.0
512 | ###.###.n.0 (n = multiple of 2); e.g., 130.57.2.0 or 130.57.4.0 | 255.255.254.0
1024 | ###.###.n.0 (n = multiple of 4); e.g., 130.57.4.0 or 130.57.8.0 | 255.255.252.0
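Table 8 can be computed rather than looked up. The Python below is an added example for this page, not VPNmanager code: it derives the mask for a power-of-two range, refuses a start address that is not aligned for that range (the "n = multiple of 2" / "multiple of 4" rule in the table), and, going beyond the table, splits an arbitrary first/last range into the fewest aligned network/mask pairs, which is what you need when a group does not fit in a single pair. The example addresses are the ones from the table.

```python
"""Added example: deriving IP Group network/mask pairs (not VPNmanager code)."""
from ipaddress import IPv4Address, IPv4Network, summarize_address_range


def group_mask(size: int) -> str:
    """Dotted mask for a contiguous range of `size` addresses; size must be a power of two."""
    if size < 1 or size & (size - 1):
        raise ValueError(f"{size} is not a power of two; split the range into several pairs")
    prefix = 33 - size.bit_length()       # 256 addresses -> /24, 512 -> /23, 1024 -> /22
    return str(IPv4Network(f"0.0.0.0/{prefix}").netmask)


def group_member(start: str, size: int) -> str:
    """Return 'network/mask' for the pair, refusing a start that is not aligned for `size`.

    Alignment is what Table 8 encodes as 'n = multiple of 2' (512) or 'multiple of 4'
    (1024): the start address must sit on a block boundary, otherwise the mask selects
    addresses the administrator did not intend.
    """
    mask = group_mask(size)
    try:
        net = IPv4Network(f"{start}/{mask}")  # strict=True: host bits set -> ValueError
    except ValueError as exc:
        raise ValueError(f"{start} is not aligned for a range of {size} addresses") from exc
    return f"{net.network_address}/{net.netmask}"


def is_aligned(start: str, size: int) -> bool:
    """True when `start` can legally begin a group of `size` addresses."""
    try:
        group_member(start, size)
        return True
    except ValueError:
        return False


def pairs_for_range(first: str, last: str) -> list:
    """Fewest aligned network/mask pairs covering first..last inclusive (any range size)."""
    nets = summarize_address_range(IPv4Address(first), IPv4Address(last))
    return [f"{n.network_address}/{n.prefixlen}" for n in nets]


if __name__ == "__main__":
    print(group_member("130.57.4.128", 128))   # 130.57.4.128/255.255.255.128
    print(group_member("130.57.2.0", 512))     # 130.57.2.0/255.255.254.0
    print(is_aligned("130.57.3.0", 512))       # False: 3 is not a multiple of 2
    print(pairs_for_range("130.57.4.0", "130.57.5.43"))
```

The last call shows why the alignment rule matters in practice: 130.57.4.0 through 130.57.5.43 is 300 addresses, not a power of two, so it needs four pairs (a /24, a /27, a /29 and a /30) rather than one. A single misaligned pair would silently include hosts outside the intended range in the VPN.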
3. Configure the address/mask pair. ● New IP Network. Type the network address for a LAN. ● New IP Mask. Type a mask to define the range of addresses that will become members of the IP Group. The longer the mask, the smaller and more focused the address range will be. The method is the same as masking a subnet. 4. The address/mask pair can be as simple as the network address for a specific LAN and its subnet mask.
4. Configure the address/mask pair. ● New IP Network. Type the network address for a LAN. ● New IP Mask. Type a mask to define the range of addresses that will become members of the IP Group. The longer the mask, the smaller and more focused the address range will be. The method is the same as masking a subnet. 5. Click Apply, then Close to return to the General tab. 6. Your new pair appears in the Members list. 7. From the Associate this group with area, select Extranet device.
Memo Memo can be used to record notes about the IP Group, such as change history, where the group is located, and so on. Information entered here is associated only with the security gateway in focus. This information is stored only in the database and not downloaded to the security gateway.
Chapter 5: Configuring remote access users VPNremote™ Client users who log in to the VPN through the security gateway must have their user authentication configured on the security gateway. User objects are used for creating remote users. Those remote users connect to the VPN through an ISP (Internet Service Provider). Each user is defined by a name, password, and dyna-policy distribution and authentication method. As a minimum, you must configure the user name and the password for each remote user.
Using dyna-policy The VPNremote Client uses a dyna-policy when communicating with a VPN. The dyna-policy tells the VPNremote Client which authentication method and dyna-policy settings to use, and the topology of the VPN. A dyna-policy can be configured either globally for all users on the domain or for individual users. The global dyna-policy is configured from the VPNmanager Preferences property and is automatically distributed to the VPNremote Client.
Configuring a global dyna-policy You configure the global CCD from the Preferences property sheet. You should set up the default global CCD before you configure user objects. The parameters can be changed at any time. You configure the following Preferences property tabs to create a global dyna-policy: ● Dyna-Policy Defaults (User) ● Dyna-Policy Defaults (Global) ● Dyna-Policy Authentication ● Remote Client The following describes each of the tabs.
VPN configuration files on remote user's computer ● None. The VPN session parameter information is stored locally on the remote user's computer. No password is required when VPNremote is subsequently launched, so possession of the computer is enough to start a session. ● Download configuration when remote starts. VPN session parameter data is downloaded over the network to the remote computer at the beginning of every session, and purged when the session is terminated (most secure method).
Figure 34: Preferences, Dyna-Policy (Global) tab Dyna-Policy Authentication tab The Preferences Dyna-Policy Authentication tab is used to define how user authentication and Client Configuration Download (CCD) are performed. Choices are Local (security gateway-based), RADIUS, or LDAP. Whichever method you select becomes the global method used across the entire VPN.
Local authentication Local authentication is used in non-dynamic VPNs, that is, VPNs that are not using RADIUS or a directory server as the authentication database. The user is authenticated from the database stored in the security gateway's flash memory. This is the default. RADIUS authentication (VPNos 3.x and VPNos 4.31) RADIUS authentication uses an existing RADIUS database for user authentication.
Remote Client tab The Preferences Remote Client tab is used to establish a path (tunnel) to a secure DNS server to resolve client DNS names (as opposed to using a public DNS server) and to set the remote client idle time-out period.
To configure Client DNS Resolution Redirection for all VPNremote Clients: ● Enter a subdomain name in the Domain Name field (for example, finance.mycompany.com). ● Enter the IP address of the DNS server that will resolve DNS requests for the corresponding subdomain name in the Protected DNS Server field. ● Repeat this procedure for up to two additional subdomains, then click Apply. These settings apply to all Clients in all VPNs.
Configure a default CCD with global dyna-policy The following procedure describes how to configure default dyna-policy parameters. These settings control how CCD automatically delivers dyna-policies to VPNremote Clients. By default, all users adopt these settings, but they can be overridden and custom configured from the Dyna-Policy tab of a specific user. 1.
Note: This is the only choice for VPNos 4.31. ● Select Use RADIUS configuration to store the Dyna-Policies on a dedicated RADIUS server. ● Select Use LDAP for configuration to store the Dyna-Policies on the Directory Server (only with VPNos 3.x and iPlanet Directory Server). ● Select LDAP Authentication to use the directory server to authenticate remote users. Select a method to store the policy.
About creating individual dynamic-policy Default user The Default User feature is normally used in conjunction with the default dyna-policy to establish a common template by which a desired VPN policy type is delivered to the remote clients in the domain. Multiple default users can exist in a domain, but only one default user can exist per VPN in a domain. When a remote user is configured as a default user, the user password is not required to log in. Note that the Default User has a unique icon.
Figure 37: User General tab Directory Name. - This is the unique user name within the directory structure. It is not duplicated anywhere within the VPN domain to which it is assigned. Current VPN Membership. - This section lists the VPNs to which the currently highlighted user is assigned membership. Current User Groups. - This displays a list of the User Groups to which the user belongs.
Actions tab The User Actions tab is used for non-dyna-policy alternatives. Figure 38: User's Action tab Export My Configuration. - Exports your dyna-policy to a file for conveyance to the remote user's machine. Enter a password and retype the password. Note: If Default User is configured, this button is disabled. Rekey User VPNs. - Clicking the Rekey button causes the preshared secret to be rekeyed for this user's VPNs. Reset User Directory Password.
Figure 39: User Advanced tab Four types of identifiers can exist in the certificate generated for the remote user. ● Directory Name ● IP Address ● DNS Name ● Email Name (RFC 822) Configuring a remote user object If your remote users use the default CCD, you only need to complete steps 1 through 5. If an individual dyna-policy should be created, continue with step 6. 1. From the Configuration Console window, click Users to list all User Objects in the Contents column.
Information for VPNremote Client users 5. Click the Dyna Policy tab to bring it to the front. If you do not want the default Dyna-Policy settings, select Do Not Use Default Dyna-Policy. Then configure a customized method for storing the VPN configuration for the user. ● Select None to store the VPN session parameters locally on the remote user's computer. The policy is automatically downloaded to the user's computer the first time that the VPNremote Client connects.
Using local authentication If the security gateway authenticates remote users for CCD, deliver the following pairs to the respective users. ● NAME: The name created in Step 2. ● PASSWORD: The password created in Step 3. Using RADIUS authentication (VPNos 3.X and VPNos 4.31) If a RADIUS server is used for authenticating remote users for CCD, deliver the following pairs to the respective users.
Using Policy Manager for user configuration A Client IP Address Pool is a range of source IP addresses that is recognized by an ACD. The pool is stored in the security gateway, so when it recognizes an inbound packet from a VPNremote Client, it swaps the source address with one from the pool. When the security gateway recognizes an outbound packet having a pooled address, it changes the destination address to the remote client’s address. A security gateway can be configured with multiple pools.
Add Client WINS The Client WINS address entered here is sent to the security gateway that is used for the VPNremote virtual adapter configuration. This information is then sent to the VPNremote Client through CCD. Two Client WINS addresses can be configured in the VPNmanager. To configure the Client IP configuration: 1. From the Configuration Console window, go to Tools>Policy Manager. 2. From the Select Object Name list, select the security gateway to be configured. 3.
Figure 41: Policy Manager for client attributes Enable Client Legal Message. - The check box is used to enable the Client legal message. The default is disabled. Require Acceptance. - Select Yes to require the remote user to accept the message before the log on is authenticated. Select No if the message is to be displayed but the remote user is not required to accept it to authenticate to the security gateway. The default is No. Message Text.
RADIUS/ACE Services (VPNos 3.x and VPNos 4.31 only) Note: If a RADIUS server is used, the name assigned to a VPNremote Client must be identical to the one used in the RADIUS server. A popular tool for managing authentication and accounting for remote access has been Remote Authentication Dial-In User Service (RADIUS). Use the Policy Manager for RADIUS/ACE if you want to use one or more RADIUS servers to authenticate remote users.
Settings RADIUS attempts before assuming failure - Integer from 1 to 10 indicating the number of attempts the security gateway makes before timing out with a failure. The default is 3. RADIUS time-out before assuming failure - Time in seconds from 10 to 500. This value is the total number of seconds that the security gateway waits for a response from any specified RADIUS server before timing out with a failure. The default is 6 seconds.
The RADIUS protocol The RADIUS protocol is documented in an Internet Engineering Task Force (IETF) Request for Comments (RFC), originally RFC 2058 (since superseded by RFC 2865). ● Client/Server Model – A Network Access Server (NAS) operates as a client of RADIUS. The client is responsible for passing user information to designated RADIUS servers and then acting on the response that is returned.
Use this as my: - Select the role you wish this server to perform: Primary Server, Secondary Server, or Tertiary Server. To add a RADIUS server: 1. From the Contents column, select the security gateway you want to configure. 2. Click the Policies tab to bring it to the front. 3. From the drop-down list, select RADIUS/ACE, then click GO to open the Policy Manager for RADIUS/ACE. 4. Select the Enable RADIUS/ACE check box so the security gateway uses RADIUS services. 5.
14. From the Settings options, use the following to configure the connection expiration times for the server. ● RADIUS Attempts. The number of times a RADIUS server is contacted before failure is assumed and the next RADIUS server is used. The default is 3 attempts. ● Time to assume failure. The time that should pass while a RADIUS server is not responding before the next RADIUS server is used. The default value is 6 seconds. ● Designated RADIUS attribute for policy.
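The RADIUS Attempts and Time to assume failure settings together determine how long a remote user's login can hang when a RADIUS server is unreachable. The Python below is an added example written for this page (it is not VPNos or VPNmanager code) that models the failover order stated above, primary, then secondary, then tertiary, each tried the configured number of times before the next server is used, against simulated servers. The server names and their behaviour are constructed for the example.

```python
"""Added example: RADIUS server failover as the guide describes it (not VPNos code)."""
from dataclasses import dataclass
from typing import List, Optional, Tuple

ROLE_ORDER = {"primary": 0, "secondary": 1, "tertiary": 2}


@dataclass
class RadiusServer:
    name: str
    role: str                  # "primary", "secondary" or "tertiary"
    answers_on: Optional[int]  # attempt number from which a reply arrives; None = server is down


def authenticate(servers: List[RadiusServer], attempts: int = 3,
                 timeout_s: int = 6) -> Tuple[Optional[str], int]:
    """Try servers in role order, `attempts` times each, waiting `timeout_s` per silent try.

    Returns (name of the server that answered, or None, seconds spent waiting on time-outs).
    The defaults are the guide's: 3 attempts, 6 seconds.
    """
    if not 1 <= attempts <= 10:
        raise ValueError("attempts must be 1..10")
    waited = 0
    for srv in sorted(servers, key=lambda s: ROLE_ORDER[s.role]):
        for n in range(1, attempts + 1):
            if srv.answers_on is not None and srv.answers_on <= n:
                return srv.name, waited
            waited += timeout_s          # no reply within the time-out: one attempt burned
    return None, waited                  # every server exhausted: the login fails


def worst_case_wait(server_count: int, attempts: int = 3, timeout_s: int = 6) -> int:
    """Seconds a remote user waits before a failure is reported when every server is down."""
    return server_count * attempts * timeout_s


if __name__ == "__main__":
    # Constructed fleet: the primary is down, the secondary drops its first request.
    fleet = [
        RadiusServer("radius-c", "tertiary", answers_on=1),
        RadiusServer("radius-a", "primary", answers_on=None),
        RadiusServer("radius-b", "secondary", answers_on=2),
    ]
    print(authenticate(fleet))          # ('radius-b', 24)
    print(worst_case_wait(len(fleet)))  # 54
```

With the defaults, a dead primary costs every user 18 seconds on each login before the secondary is even tried, and three dead servers mean a 54-second wait before the client is told the login failed. Tune attempts and time-out with that arithmetic in mind, and monitor the primary rather than relying on failover to hide an outage.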
Chapter 6: Configuring user groups The User Group function is used to set up and maintain logical groups in which the individual VPN users reside. User groups have a single-level hierarchy: you cannot have a user group within another user group. A User Group Object is a method for simultaneously managing many user objects (remote users). For example, all remote users who are in sales can be consolidated into a single user group. Then that group can be associated with one or more VPN objects.
User Group - General tab The User Group General tab is used to manage your users and their respective user group assignments. Figure 43: User Group, General tab All existing user groups are displayed in the Contents list. The highlighted user group is displayed in the General tab window. Directory Name. - This is the unique User Group name. It is unique in that it is not duplicated anywhere within the VPN domain to which it is assigned. Current Users.
User Group - Actions tab The Actions tab is used to control authentication for specific user groups. Figure 44: User Group, Actions Tab User/Manager authentication - Rekey is used to change the key of the highlighted user group. You should change the key regularly to ensure maximum security. Only SKIP and Preshared Secret IKE VPNs can be manually rekeyed. In the case of SKIP, rekeying generates and distributes a new master key to all security gateways associated with the VPN.
4. Use the General tab to populate the group with specific users. ● From the Available Users column, select one or more users. To select multiple users that are listed adjacently, hold the SHIFT key. To select multiple users that are not listed adjacently, hold the CTRL key. ● Click Move Left to move your selected users to the Current Users column. 5.
Chapter 7: Configuring VPN objects A VPN object is the method used for linking security gateways, remote terminals, and LAN terminals in a fully configured virtual private network. To create a VPN, you name the VPN, select a key management method, and optionally, designate it as the Default VPN. After that you can configure the VPN using VPNmanager, using the tabs associated with the created VPN.
IKE VPNs Note: IKE VPNs are supported in VPNremote Client 3.0 and later. An IKE VPN can run in certificate or preshared secret authentication mode. Also, IKE VPNs always operate in tunnel mode, which means the entire original packet (header and payload) is encrypted and inserted in the payload of an IPSec packet before it goes out to the public networks. Certificate mode involves the exchange of X.
Default VPN policy In tunnel mode (security gateways and VPNremote Client only), IP packets between members are secured by encrypting and authenticating the entire packet, including the addressing header. The encrypted and authenticated packet is then used as the payload of a new packet with a new addressing header. This new addressing header specifies the IP addresses of the packet's source and destination, whether they be two security gateways or a VPNremote Client and a security gateway.
Creating a new VPN object To create a new VPN object: 1. From the VPNmanager Console main window, click New Object and select VPN. The New VPN dialog is displayed. 2. In the Name text box, type a name for your new VPN Object. Any characters can be used, except a comma [,]. 3. From the VPN Type options, do one of the following. ● Select SKIP to create a SKIP VPN Object. ● Select IKE to create an IKE VPN Object. 4. Click Apply to create the object. 5.
Creating a designated VPN 9. On the LDAP server, a local server or an external server with a different context, add a user. Enter the user credentials. 10. Log in to the security gateway through the VPNremote Client using the credentials entered in the RADIUS/LDAP server. The user should be authenticated successfully by the RADIUS/LDAP server. The RADIUS/LDAP server returns the VPN name to the security gateway. The user then gets the default VPN policy from the security gateway.
Using the VPN tabs After you have created a VPN object, you can use the VPN tabs to change the default settings or modify the configuration. The tabs displayed depend on the VPNos release for the device. General tab The General tab provides high-level control of the VPN. A check box enables the VPN. This allows VPNs to be built before being activated. The contents of this screen depend on which VPN type you have selected, IKE or SKIP.
Enable VPN. - When this box is checked and the security gateway has been updated, the VPN is active. Unchecking the box disables the VPN and is typically used during troubleshooting. Default VPN. - When this box is checked, this VPN is the default VPN for the domain. Only one VPN can be the default VPN in a domain. Default VPN is an alternative method of user authentication suited for large IKE-based VPNs. Directory Name.
Members-Users tab The Members-Users tab is used to establish the user membership of the VPN. A list of currently assigned users appears in the Current VPN Members list. Use the right and left arrows to move the users to the desired column. Figure 46: VPN, Members [Users] tab Note: When a remote user is removed from a VPN and the security gateway is updated, all non-RADIUS enabled security gateways that are affected by the removal of the remote user are updated.
Figure 47: VPN, Members [IP Groups] Tab Security (IKE) tab The Security (IKE) tab is used for configuring the encryption and authentication algorithms used at the end-points of a VPN tunnel. The configuration procedure involves setting a lifetime for the negotiated keys, and a specific Diffie-Hellman group for automatically generating keys of a specific strength.
In the ISAKMP (IKE) area you set up the key-exchange parameters that you want used for the VPN. Field Description Encryption Algorithm Select one of the following types: ● DES. A common encryption algorithm that is not subject to export regulations. DES has a 56-bit key and has been practically brute-forceable since the late 1990s, so use 3DES wherever the peer supports it. ● 3DES. A robust encryption algorithm. 3DES is subject to government regulation. Contact Avaya for a current list of controlled and uncontrolled applications and territories. ● Any.
Field Description Lifetime Payload key lifetime defines how long a single set of cryptographic keys is used when applying VPN services to IP packets. Lifetimes are either time based or throughput based. Time-based lifetimes are based on the amount of time that the keys are used without a key change. Throughput lifetimes are defined by the amount of data that is acted on by a set of keys. The more often a key is changed, the less data any one key exposes if it is compromised.
Pre-Shared Secret The Pre-Shared Secret area appears only when the VPN type is IKE with Preshared Secret selected. The preshared secret appears in the Secret field as either ASCII or hexadecimal. Select Modify Secret to change the preshared secret. Both the local and the remote security gateway must have the identical preshared secret text, or a secure tunnel cannot be established between them.
LZS. - This refers to the Lempel-Ziv-Stac hardware data compression technique applied prior to encryption. Yes/No enables or disables its use. AH/ESP. - This is the Authentication Header (AH)/Encapsulating Security Payload (ESP). IKE VPNs authenticate IP packets using either ESP, as defined in RFC 2406 (IP protocol 50), or AH, as defined in RFC 2402 (IP protocol 51). Note that AH also authenticates the outer IP header, so AH packets are invalidated by any NAT on the path between the gateways; ESP in tunnel mode is not. Perfect Forward Secrecy.
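When a tunnel will not come up it is worth checking what is actually on the wire: whether the peers are sending AH or ESP, and which SPI. The Python below is an added example for this page, not VPNos code, that reads the IPv4 protocol field and the fixed part of the AH or ESP header from raw packet bytes and reports whether the packet can survive NAT. The two sample packets are constructed inline for the example (they are not captures); the header layouts follow RFC 2402 and RFC 2406.

```python
"""Added example: tell AH from ESP on the wire (not VPNos code).

Reads the IPv4 protocol field and the first words of the IPsec header.
ESP is IP protocol 50 (RFC 2406); AH is IP protocol 51 (RFC 2402).
"""
import socket
import struct

IPPROTO_ESP = 50
IPPROTO_AH = 51


def build_ipv4(proto: int, payload: bytes, src: str = "192.0.2.1",
               dst: str = "198.51.100.1") -> bytes:
    """Constructed minimal IPv4 header (no options, checksum zero) for offline testing."""
    total = 20 + len(payload)
    header = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total, 0, 0, 64, proto, 0,
                         socket.inet_aton(src), socket.inet_aton(dst))
    return header + payload


def classify_ipsec(packet: bytes) -> dict:
    """Return which IPsec protocol an IPv4 packet carries (if any) plus SPI and sequence."""
    if len(packet) < 20 or packet[0] >> 4 != 4:
        raise ValueError("not an IPv4 packet")
    ihl = (packet[0] & 0x0F) * 4
    proto = packet[9]
    body = packet[ihl:]
    if proto == IPPROTO_ESP:
        spi, seq = struct.unpack("!II", body[:8])  # SPI and sequence; the rest is encrypted
        return {"protocol": "ESP", "spi": spi, "seq": seq}
    if proto == IPPROTO_AH:
        next_hdr, payload_len = body[0], body[1]
        spi, seq = struct.unpack("!II", body[4:12])
        icv_len = (payload_len + 2) * 4 - 12        # AH length field is in 32-bit words minus 2
        return {"protocol": "AH", "spi": spi, "seq": seq,
                "next_header": next_hdr, "icv_len": icv_len}
    return {"protocol": None, "ip_proto": proto}


def nat_safe(packet: bytes) -> bool:
    """AH's ICV covers the outer IP header, so NAT breaks it; ESP leaves the header uncovered."""
    return classify_ipsec(packet)["protocol"] == "ESP"


# Constructed samples: an ESP packet with SPI 0x1000, and an AH packet in tunnel mode
# (next header 4 = IP-in-IP) with SPI 0x2000 and a 96-bit ICV (payload length field = 4).
ESP_SAMPLE = build_ipv4(IPPROTO_ESP, struct.pack("!II", 0x1000, 1) + b"\x00" * 24)
AH_SAMPLE = build_ipv4(IPPROTO_AH, bytes([4, 4, 0, 0]) + struct.pack("!II", 0x2000, 7)
                       + b"\x00" * 12)

if __name__ == "__main__":
    for sample in (ESP_SAMPLE, AH_SAMPLE):
        print(classify_ipsec(sample), "NAT-safe" if nat_safe(sample) else "breaks under NAT")
```

The same few lines applied to a real capture tell you immediately whether a gateway that sits behind a NAT device has been given an AH proposal it can never complete.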
Add IPSec proposal You can add up to four IPSec proposals. You determine the encryption method, the authentication method, how long a single set of cryptographic keys is used when applying VPN services to IP packets, and the position of this proposal in the list. Field Description Encryption Select one of the following types: ● DES. A common encryption algorithm not subject to export regulation. ● 3DES. A robust encryption algorithm. Authentication Compression
Field Description Lifetime Payload key lifetime defines how long a single set of cryptographic keys is used when applying VPN services to IP packets. Lifetimes are either time based or throughput based. Time-based lifetimes are based on the amount of time that the keys are used without a key change. Throughput lifetimes are defined by the amount of data that is acted on by a set of keys.
Actions tab The Actions tab is used to export the VPN (without keys) and to change the VPN security key (Rekey). Figure 49: VPN, Actions tab VPN configuration Export Exports the VPN to another VPN domain without the keys. Typically used to create an extranet.
Advanced VPN tab Rekey site-to-site VPN Rekey Used to change the preshared secret key of a site-to-site VPN. This should be done regularly to ensure maximum security. Only SKIP and Preshared Secret IKE VPNs can be manually rekeyed. In the case of SKIP, rekeying generates and distributes a new master key to all security gateways associated with the VPN. This SKIP master key is used to generate the session keys used for cryptographic functions.
In the Exchange area, check Use Aggressive mode for clients to enable IKE Aggressive mode between a user and the security gateway, which accomplishes the same goals as Main mode, only faster. Note: Aggressive mode must be used when Preshared Secret is being used for the remote client users. When certificate-based key exchange is used, either Main mode or Aggressive mode may be used. Be aware that Aggressive mode with a preshared secret sends the identity in the clear together with a hash derived from the secret, so anyone who captures the exchange can test candidate secrets offline; use a long, random secret for remote clients, or prefer certificates.
Configuring a SKIP VPN 7. If you want to add User Objects or User Group Objects as members of this VPN Object, do the following. ● Click the Members-Users tab to bring it to the front. ● From the Available list, select specific User Objects and User Group Objects. User Group Objects are always located at the bottom of the list. Tip: Hold the Shift key to select many adjacent items at once, or hold the Ctrl key to select many non-adjacent items at once.
Configuring an IKE VPN Note: Security gateways at each end of a tunnel must use the same IKE settings. To configure a new IKE VPN Object: 1. Move to the Configuration Console window. 2. From the Icon toolbar, click VPN to list all VPN Objects in the Contents column. 3. From the Contents column, select the VPN Object that needs to be configured. 4. Click the General tab to bring it to the front. 5.
Configuring an IKE VPN ● Select 3DES to divide VPN traffic into 64-bit blocks and encrypt each block three times with three different keys. 12. Use the Authentication Algorithm list to select the hash algorithm that the security gateways must use to authenticate each other. ● Select Any if you want the security gateways to negotiate automatically which algorithm to use. ● Select MD5 if you want each security gateway to authenticate the other using the Message Digest 5 (MD5) hash function. Where both peers support it, SHA is the stronger choice.
22. Perfect Forward Secrecy (PFS) is a key-creation method used to ensure that a new key is not related to any previous keys. This is done by deriving each key from key-creation values (a fresh Diffie-Hellman exchange) that are independent of past values, so compromise of one key does not expose traffic protected by earlier or later keys. ● Select Yes to use PFS. ● Select No to not use PFS. 23. Use the AH/ESP list to choose the IPSec header that encapsulates the packets. The payloads contain the entire original packet (header and payload). ● Select AH Header to authenticate the entire packet (AH provides integrity only, not encryption).
● From the Authentication drop-down list, select the type of authentication to use. ● None. Packets are not authenticated. Avoid this setting: encryption without integrity protection leaves the traffic open to undetected modification. ● HMAC-MD5. Packets are authenticated using the Hash-based Message Authentication Code (HMAC) coupled with the Message Digest 5 (MD5) hash function. ● HMAC-SHA. Packets are authenticated using the Hash-based Message Authentication Code (HMAC) coupled with the Secure Hash Algorithm (SHA).
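The proposal list, the payload key lifetime and this Authentication list can be modelled together. The following is an added example written for this page, not VPNmanager code: it keeps an ordered list of up to four proposals, picks the first one in list order that a peer also offers, and expires a set of keys when either a time or a throughput limit is reached. The first-match negotiation, the kilobyte unit for throughput lifetimes, the "stricter limit wins" rule and the outright rejection of proposals with Authentication set to None are assumptions of the example, not documented product behaviour.

```python
"""Added example, not from the VPNmanager guide: an ordered list of up to four
IPSec proposals, first-match negotiation against a peer's list, and payload key
lifetimes that expire on time or on throughput, whichever limit is hit first."""
from dataclasses import dataclass
from typing import Optional, Sequence

MAX_PROPOSALS = 4  # the guide allows up to four proposals per VPN object


@dataclass(frozen=True)
class Proposal:
    encryption: str      # "DES" or "3DES" (the guide's Encryption list)
    authentication: str  # "None", "HMAC-MD5" or "HMAC-SHA" (the Authentication list)
    compression: bool = False


@dataclass
class Lifetime:
    seconds: Optional[int] = None    # time-based lifetime; None = no time limit
    kilobytes: Optional[int] = None  # throughput lifetime (unit is an assumption); None = no limit

    def expired(self, elapsed_seconds: int, processed_kilobytes: int) -> bool:
        """A set of keys is finished as soon as either configured limit is reached."""
        by_time = self.seconds is not None and elapsed_seconds >= self.seconds
        by_volume = self.kilobytes is not None and processed_kilobytes >= self.kilobytes
        return by_time or by_volume


def validate_proposals(proposals: Sequence[Proposal]) -> None:
    """Enforce the four-proposal limit and refuse ESP without integrity protection.
    The second check is a policy choice of this example, not a guide setting."""
    if not 1 <= len(proposals) <= MAX_PROPOSALS:
        raise ValueError(f"1..{MAX_PROPOSALS} proposals required, got {len(proposals)}")
    for p in proposals:
        if p.authentication == "None":
            raise ValueError(f"proposal {p} encrypts without authenticating packets")


def negotiate(local: Sequence[Proposal], peer: Sequence[Proposal]) -> Optional[Proposal]:
    """Return the first local proposal, in list order, that the peer also offers.
    List order therefore expresses preference: put the strongest proposal first."""
    validate_proposals(local)
    offered = set(peer)
    for p in local:
        if p in offered:
            return p
    return None


def negotiate_lifetime(local: Lifetime, peer: Lifetime) -> Lifetime:
    """Both ends rekey at the stricter of their limits (assumed behaviour)."""
    def stricter(a: Optional[int], b: Optional[int]) -> Optional[int]:
        if a is None:
            return b
        if b is None:
            return a
        return min(a, b)
    return Lifetime(stricter(local.seconds, peer.seconds),
                    stricter(local.kilobytes, peer.kilobytes))


if __name__ == "__main__":
    ours = [Proposal("3DES", "HMAC-SHA"), Proposal("3DES", "HMAC-MD5"), Proposal("DES", "HMAC-SHA")]
    theirs = [Proposal("DES", "HMAC-SHA"), Proposal("3DES", "HMAC-MD5")]
    print("agreed:", negotiate(ours, theirs))   # 3DES/HMAC-MD5: the first of ours they accept
    lt = negotiate_lifetime(Lifetime(3600), Lifetime(28800, 100_000))
    print("lifetime:", lt, "expired after 1h:", lt.expired(3600, 10))
```

Note that DES/HMAC-SHA is not chosen even though the peer lists it first: the local list order decides, which is why the weakest proposal belongs at the end of the list.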
Enabling CRL checking For certificate-based VPNs using IKE negotiation, a security gateway must verify the certificate presented by the peer VSU. When Certificate Revocation List (CRL) checking is enabled, the VSU validates the CRL downloaded from the VPNmanager using the Certificate Authority (CA) certificate, then checks the peer certificate against the validated CRL. If the certificate appears on the CRL, the IKE negotiation is cancelled.
11. Import the crl.ldif file by opening the Netscape Console login dialog box. ● Solaris OS: In the server root, enter ./startconsole. ● Windows NT: From the Windows taskbar, click Start/Programs/Netscape Server Family/Netscape Console. 12. In the User ID text box, type the administrative ID used during the server installation procedure. 13. In the Password text box, type the password used during the server installation procedure. 14.
If the Directory Server has been updated with a new CRL, the cached CRL must be manually removed from the VSU console; until it is, the VSU keeps checking peers against the stale list. To remove the CRL from the VSU: 1. From the VSU Console, enter 3 for the Utilities menu. 2. From the Utilities menu, enter 18 to Show CRL information. 3. A list of serial numbers appears on the screen. 4. Enter Y to delete the CRL list. 5. From the VPNmanager main menu, click Config. 6. Select Device. 7.
Exporting a VPN object to an extranet Figure 51: Exporting a VPN Object to an Extranet DomainA created the VPN Object that was exported to an extranet (DomainB). This method allows members of VPN ObjectA and VPN ObjectB to share network resources privately and communicate. VPN ObjectA is built with IP GroupA and IP DomainA GroupB.
Table 9: VPN Object Export Checklist (continued) Task: AdministratorB creates security gateway ObjectB and supplies the IP address of that object to AdministratorA. Task: AdministratorA creates IP Group ObjectB (Creating a New IP Group on page 97) and configures it with an extranet device (To configure an IP Group that is associated with an extranet: on page 102) having the IP address supplied by AdministratorB.
Importing a VPN object from an extranet 10. Click OK to open the Save dialog. 11. Use the controls in the Save dialog to select a location for the VPN Object data file. 12. In the File name text box, type in a name for the file, and use VPN as the file name extension. 13. Click Save to create the file. You can now deliver the data file, using e-mail, floppy disk, or FTP, to the extranet administrator.
Rekeying a VPN object Use the Rekey command to create a new key that SKIP VPN tunnel endpoints (security gateways and VPNremote Clients) must use for encryption tasks. To rekey a SKIP VPN Object: 1. Open the Configuration Console window. 2. From the Icon toolbar, click VPN to list all VPN Objects in the Contents column. 3. From the Contents column, select the VPN Object that needs to be rekeyed. 4. Click the Actions tab to bring it to the front. 5.
Chapter 8: Establishing security This chapter describes the VPNmanager security measures you can configure to establish a secure domain. Included in this chapter is how to set up the following: ● Firewall rules set up (4.2 and later) ● Denial of Service (4.X) ● Services ● Voice Over IP controls (4.X only) ● QoS policy and QoS mapping (4.31) ● Packet Filtering (3.
Establishing security Figure 52: Firewall tab At the domain level, firewall policy management allows the network administrator to set rules across the domain. These rules are referred to as domain level firewall rules. These rules can be applied to all, or some of the devices in the domain. Rules can also be set for specific devices in the domain. At the device level, firewall policy management allows the network administrator to set rules for a specific device.
Firewall rules set up You select View>Firewall to add domain firewall rules. You can apply common rules to all or some of the devices within the domain when firewall rules are added at the domain level. When firewall rules are applied at the domain level, they can be applied to several devices at the same time which can reduce the complexity of defining security for each device. To create domain level firewall rules: 1. From the Configuration Console window, select View>Firewall. 2.
Note: Although UDP is connectionless, if a packet is first sent out from a given port, a reply is expected in the reverse direction to the same port. Keep State “remembers” the port and ensures that the reply packet is admitted on that port. 14. Select the position of the firewall policy in the template. 15. Click Finish to return to the Firewall tab. Device level firewall rules Device level firewall rules apply to specific devices within the domain.
12. If the filter rule set for the intended traffic is also to be applied to the reply packets, select Keep State. This function can be applied to TCP, UDP, and ICMP packets. 13. If you want to change the default time-out settings for the TCP state, UDP state, or ICMP state, click Advanced. Note: Keep State sets up a state table, with each entry created by the sending side. Reply packets pass through a matching filter that is based on the respective state table entry.
Active-FTP is beneficial to the FTP server administrator, but detrimental to the client-side administrator. If the FTP server attempts to make connections to random high ports on the client, these packets would almost certainly be blocked by a firewall on the client side. Passive-FTP is beneficial to the client, but detrimental to the FTP server administrator.
FTP-Proxy does have some issues when operating within a NAT gateway. A protected FTP server must have a routable address, and the router on the unprotected side of the gateway must have a static route to it with the security gateway interface address as the next hop. Because this is a proxy application, FTP (TCP) packets destined for external FTP servers or clients will typically have as source address the address of the interface to which the FTP-Proxy rule was applied.
Predefined templates The predefined templates can be used as a basis for user-defined templates; however, the predefined templates themselves cannot be modified. For detailed information regarding the predefined templates, see Firewall rules template on page 297.
5. Select Template, Device, or None. Parameter Description Template The user-defined template is created using a predefined template: high, medium, or low. Select the template from the drop-down list. Device The user-defined template is created using an existing security gateway firewall configuration. Select the existing security gateway from the drop-down list. Using an existing security gateway configuration is also known as cloning the configuration.
22. For maximum flexibility and capability, the firewall rules can be specified on each interface: Public, Private, or Tunnel. Packets are checked against the firewall rules at the interface where they are defined. 23. Select the Direction from the drop-down list. 24. Direction is with respect to the security gateway: in or out. 25. If this rule is to be logged, select the Log Enable check box. 26. If this rule is to keep state, select the KeepState Enable check box. 27.
Device Group The predefined services can be used as a general service set or as a starting point for creating a customized service, or user-defined service, that is required for use in the firewall definition. The service types IP, TCP, UDP, and ICMP are provided and parameters for each of these types can be specified in the user-defined service. A comprehensive suite of UDP, TCP, and ICMP filter options are provided.
The security gateway object's Denial of Service tab is used to change the settings for specific devices. Changing the settings here overrides the domain level settings for that category. When devices are updated, the DoS categories set at the device level and the remaining DoS categories from the domain level are sent to the device. Figure 55: Denial of Service You can enable protection for the following seven areas of attack: Ping of Death.
Voice Over IP WinNuke Attack. - This attack attempts to completely disable networking on computers that are running Windows 95 or Windows NT. This attack can be swift and crippling because it uses common Microsoft NetBIOS services. WinNuke attacks ports 135 through 139 on platforms that are based on Windows 95 and Windows NT. Buffer Overflow. - This attack overflows the internal buffers of the application by sending more traffic than the buffers can process.
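To make the two attack categories above concrete, here is an added example of the detection logic a gateway applies to them, written for this page rather than taken from VPNmanager. Ping of Death is flagged when ICMP fragments would reassemble past the 65535-byte IPv4 maximum; WinNuke when TCP urgent (out-of-band) data targets ports 135 through 139, the range the text names. The packet records, addresses and the simple reassembly bookkeeping are constructed for the example.

```python
"""Added example, not VPNmanager code: detection logic for two of the guide's
DoS categories, run over constructed packet records. Ping of Death is flagged
when ICMP fragments would reassemble past the 65535-byte IPv4 maximum; WinNuke
when TCP urgent (out-of-band) data targets ports 135 through 139."""
from dataclasses import dataclass
from typing import Dict, Iterable, List, Tuple

IP_MAX_LEN = 65535               # largest IPv4 datagram (RFC 791)
WINNUKE_PORTS = range(135, 140)  # ports 135 to 139, per the guide


@dataclass(frozen=True)
class Frag:
    src: str
    dst: str
    ip_id: int
    proto: str          # "icmp" or "tcp"
    offset: int         # fragment offset in bytes (0 for unfragmented packets)
    length: int         # bytes of payload carried by this fragment/packet
    more: bool          # IP more-fragments flag
    urg: bool = False   # TCP URG flag (out-of-band data)
    dport: int = 0


class DosDetector:
    def __init__(self) -> None:
        # (src, dst, ip_id) -> highest byte offset reached so far by that datagram
        self._reassembly: Dict[Tuple[str, str, int], int] = {}

    def inspect(self, f: Frag) -> List[str]:
        alerts: List[str] = []
        if f.proto == "tcp" and f.urg and f.dport in WINNUKE_PORTS:
            alerts.append(f"winnuke: {f.src} -> {f.dst}:{f.dport} (URG)")
        if f.proto == "icmp" and (f.more or f.offset > 0):
            # Only fragmented datagrams can exceed the maximum once reassembled.
            key = (f.src, f.dst, f.ip_id)
            high = max(self._reassembly.get(key, 0), f.offset + f.length)
            if high > IP_MAX_LEN:
                alerts.append(f"ping-of-death: {f.src} -> {f.dst} id={f.ip_id} "
                              f"would reassemble to {high} bytes")
                self._reassembly.pop(key, None)   # discard the oversized reassembly
            elif f.more:
                self._reassembly[key] = high       # still waiting for more fragments
            else:
                self._reassembly.pop(key, None)    # complete and within limits
        return alerts


def scan(frags: Iterable[Frag]) -> List[str]:
    """Run a fresh detector over a packet sequence and collect all alerts."""
    det = DosDetector()
    alerts: List[str] = []
    for f in frags:
        alerts.extend(det.inspect(f))
    return alerts


# Constructed sample traffic (not captured from a real network).
SAMPLE = [
    Frag("203.0.113.9", "10.0.0.5", 1, "icmp", 0, 1480, True),       # first fragment
    Frag("203.0.113.9", "10.0.0.5", 1, "icmp", 65120, 500, False),   # 65120+500 > 65535
    Frag("203.0.113.9", "10.0.0.5", 2, "icmp", 0, 1480, True),       # benign large ping
    Frag("203.0.113.9", "10.0.0.5", 2, "icmp", 1480, 520, False),
    Frag("203.0.113.9", "10.0.0.5", 3, "tcp", 0, 4, False, urg=True, dport=139),
    Frag("203.0.113.9", "10.0.0.5", 4, "tcp", 0, 4, False, urg=True, dport=445),
]

if __name__ == "__main__":
    for alert in scan(SAMPLE):
        print(alert)
```

The Ping of Death check deliberately fires on the fragment whose offset plus length overruns the limit, before any reassembly buffer is filled, which is the point of blocking it at the gateway rather than on the host.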
When using the IP Trunking Call Model, configure the following: ● Service Port. The port to which the gatekeeper sends call-signaling messages. ● Source Trunk Zone. The zone where the gatekeeper is located with respect to the SG (for example, “private” when the gatekeeper is on the private side of the SG). ● Source Trunk Network Objects. The IP networks that define the IP address space of the gatekeeper. ● Destination Trunk Zone.
6. Select LRQ Required to enable the H.323 Location Request (LRQ). When LRQ is enabled, the voice packets are routed using domain names. The security gateway uses LRQ to locate the destination and returns the appropriate IP address to route the voice packet to the correct destination. Important: The LRQ Required functionality is available on security gateways running VPNos 4.6 and higher. 7. In the Service Port field, specify the H.323 protocol port.
Figure 56: Voice over IP tab Using the Gatekeeper Routed Call Model The Gatekeeper Routed call model should be used when there is an SG in the network path between IP endpoints (for example, IP hard phones and IP soft phones) and the Gatekeeper with which those IP endpoints register, and either 1) the IP endpoints or the Gatekeeper is being NATed by the SG or 2) the SG’s Firewall function is enabled. When using the Gatekeeper Routed Call Model, configure the following: ● Service Port.
Add gatekeeper settings When you add a gatekeeper, you include the gatekeeper name or IP address, the location of the gatekeeper with respect to the firewall, the registration, authentication, status protocol, and time-out. Click Add to configure gatekeeper settings for the VoIP configuration. Only one gatekeeper can be configured for a device. Figure 57: Add gatekeeper setting for VoIP To enable VoIP and add gatekeeper settings 1.
Note: If the network object does not exist, cancel the configuration and create one. 8. Click Next. The Gatekeeper(s) dialog appears. ● In the Zone field, select the zone to which the destination endpoints are connected. For example, if the endpoints are connected to the private zone, select private zone for this field. 9. Click Add. The Add Gatekeeper dialog appears. In the Gatekeeper IP field, specify the IP address of the endpoint. 10.
QoS policy and QoS mapping Therefore, it is not necessary to create a class for all other traffic. If 0% is allocated, the class is removed from the existing configuration. Note: When the media interface is configured, the total upstream bandwidth can be specified in Media Settings and this setting is partitioned among the specified classes. ● Whether Burst is enabled. For each class, the burst capability value can be set to Yes or No. The default is No.
Note: It is not recommended to assign similar traffic to different classes. Example: one class containing any FTP and another class containing “ANY TCP”. This would be ambiguous because “ANY TCP” also includes FTP. Similar cases might cause ambiguity in classification. Note: It is not recommended to use Services containing ICMP or port ranges. QoS does not support port ranges.
Figure 59: Modify QoS bandwidth, burst and DSCP value screen 4. Configure bandwidth, burst and DSCP values. ● Enter the percentage of bandwidth to be allocated for this type. When classes are configured, it is recommended that the total allocation of all the classes be less than 98%, allowing bursting to take advantage of the unused bandwidth; 2% is always internally allocated to control traffic. ● Burst is set to No by default. Change it to Yes if bursting should be allowed.
QoS mapping QoS Mapping is the mapping of a QoS policy to a zone. A zone can map to only one QoS policy, but a QoS policy can be applied to multiple zones. When you map QoS policies, consider the following: ● If QoS is configured over multiple interfaces, the DSCP values belonging to a class for a particular zone should not belong to a different class for other zones.
Packet Filtering What can be filtered Table 10 lists the specific types of traffic that can be filtered.
Figure 60: Policy Manager, Packet Filtering/QoS Clicking on the Edit or Add buttons launches a Packet Filtering Policy Wizard that guides you through configuration of the desired packet filtering. Advanced The Advanced tab accesses specific types of filters that are activated through checkboxes. Permit/Deny non-VPN traffic Radio Buttons The Radio Buttons at the top of the Packet Filter Rule-Advanced screen are set according to your security policy.
Note: This mode should be used when the VSU is dedicated to VPN traffic and is in parallel with another device (such as a router or firewall) that can resolve ARPs from the private network to the Internet gateway. This mode should not be used when the VSU is the only path between network devices and a router with which those devices need to communicate. Drop all fragments - When checked, discards all unexpected IP packet fragments.
Traffic Type - The fields and drop-down lists in this section change according to the IP Protocol type selected. Depending on the traffic type selected (user-defined TCP and user-defined UDP), Source and Destination fields appear to collect additional parameters. If the Traffic Type selected is user-defined IP, a Protocol ID field appears. A comprehensive suite of UDP, TCP, and ICMP filter options are provided.
To Where ● Type. Network/Mask Pair or Any. ● IP Network Mask Pair. Identify the destination IP address to which the filter rule applies. The Filtering Policy in progress This area presents a dynamically updated summary of the filter parameters based on the current selections. ● Interface. Select the private, public, or Tunnel interface of the VSU to which this filter is applied. ● Direction. In or Out. ● Log. Yes or No.
Note: As you build your policy, its parameters populate the “Filtering Policy in Progress” text box, which is located at the bottom of the wizard. 7. If you want to make a note about this policy, in the Memo text box, type in a note. 8. From the IP Protocol Type drop-down list, select the type of traffic you want to control. 9. Controls appear in the Traffic Type options box after you select an item from the list. 10. Use the controls to configure the parameters for the policy.
Note: A packet is filtered against the ACL policies defined in the ACL list in list order. The packet is matched against policy number 1 first, then policy number 2, then policy number 3, and so on until the packet finds a match or exhausts the list. If a match is found, the VSU applies the action specified in the policy to the packet. If no match is found, the VSU applies the default policy to the packet. The default policy is to permit the packet. Because of this default, a list containing only permit policies blocks nothing; if the intent is to block everything not expressly allowed, add a final deny policy or use the Deny all IP non VPN traffic option on the Advanced tab.
4. From the drop-down list, select Packet Filtering, then click GO to open the Policy Manager for Packet Filtering. 5. Click Advanced to open the Packet Filter Rule-Advanced dialog box. 6. Use Table 12 for determining which option you want. Table 12: Packet Filter rule-advanced options Option Description Permit all non VPN traffic Select this button to permit all non VPN packets. Deny all IP non VPN traffic Select this button to block all IP non VPN packets.
About Differentiated Services IP packets move from router to router by using Routing and Packet Forwarding processes. The routing process involves building and maintaining a routing table. The packet forwarding process involves comparing the destination address of a packet with entries in a routing table to determine where to send the packet. Furthermore, there is a component of the forwarding process that can be used for controlling the behavior of a specific type of packet.
Types of marking rules Two kinds of packet marking rules can be created. ● A rule can be made to examine the ToS field of a header and copy the existing mark to the ToS field of the new packet, which is entering or exiting the VSU. This is known as inheriting a mark. ● A rule can be made to skip the ToS field but examine the remaining fields of the header. If a match is made, the ToS field is marked accordingly.
6. From the Action drop-down list, select Permit to activate the QoS Mark drop-down list. Note: As you build your Packet Marking Rule, its parameters populate the “Filtering Policy in Progress” text box, which is located at the bottom of the wizard. 7. From the QoS Mark drop-down list, do one of the following.
Table 14: Parameters used in a Packet Marking Rule (continued) Parameter Description Destination Address Use the To Where controls to configure which destination address the rule must contain. VSU Interface Use the Interface drop-down list to apply the rule to the VSU public, private, or Tunnel interface. Direction Use the Direction drop-down list to apply the rule to packets that are entering or exiting the VSU. 9.
To use firewall policy management: 1. Move to the Configuration Console window. 2. From the Contents column, select the security gateway to which the policy is applied. 3. Click the Policies tab to bring it to the front. 4. Select Firewall from the Policies drop-down list. 5. Click Go to open the policy manager for firewall. Add firewall policy To add a firewall policy: 1. Click Add to open the firewall policy wizard. 2. Type a name for the new rule in the Name text box. 3.
17. The keepstate function allows a rule set for the intended traffic to be applied to the reply packets as well. The function can be applied to TCP, UDP, and ICMP packets. 18. Keepstate sets up a state table with each entry created by the sending side. Reply packets pass through a matching filter based on the respective state table entry. A state entry is not created for packets that are denied. 19. Click Advanced to change the default keepstate time-out values for TCP, UDP, or ICMP. 20.
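The ordered, first-match evaluation with a default permit (described under Packet Filtering) and the Keep State behaviour described in steps 12-13, 17-19 and the notes above combine into one small model. The following is an added example written for this page, not VPNmanager code: rules are walked in list order, a permitted packet whose rule keeps state records the reversed 5-tuple so its reply passes without a rule of its own, denied packets never create state, and entries age out. The rule and packet fields, the addresses and the time-out values are constructed for the example (the guide says the time-outs are adjustable but gives no defaults).

```python
"""Added example, not VPNmanager code: an ordered firewall rule list evaluated
first-match with the guide's default permit, plus Keep State entries that are
created only for permitted packets so that replies on the reversed 5-tuple
pass without needing a rule of their own. Time-out values are assumptions."""
from dataclasses import dataclass
from typing import Dict, List, Optional, Tuple, Union

ANY = "any"


@dataclass(frozen=True)
class Packet:
    proto: str       # "tcp", "udp" or "icmp"
    src: str
    dst: str
    sport: int = 0   # unused (0) for icmp in this model
    dport: int = 0


@dataclass
class Rule:
    name: str
    action: str                  # "permit" or "deny"
    proto: str = ANY
    src: str = ANY
    dst: str = ANY
    dport: Union[int, str] = ANY
    keep_state: bool = False

    def matches(self, pkt: Packet) -> bool:
        return (self.proto in (ANY, pkt.proto) and self.src in (ANY, pkt.src)
                and self.dst in (ANY, pkt.dst) and self.dport in (ANY, pkt.dport))


# Default state time-outs in seconds: assumptions of the example.
DEFAULT_TIMEOUTS = {"tcp": 3600, "udp": 60, "icmp": 30}

StateKey = Tuple[str, str, str, int, int]


class StatefulFilter:
    def __init__(self, rules: List[Rule], timeouts: Optional[Dict[str, int]] = None,
                 default_action: str = "permit") -> None:
        self.rules = rules
        self.timeouts = timeouts or DEFAULT_TIMEOUTS
        self.default_action = default_action    # the guide's default policy is permit
        self.state: Dict[StateKey, int] = {}   # reply-direction 5-tuple -> expiry time

    @staticmethod
    def _key(p: Packet) -> StateKey:
        return (p.proto, p.src, p.dst, p.sport, p.dport)

    def evaluate(self, pkt: Packet, now: int) -> str:
        """Return the decision and its reason; `now` is a clock in seconds."""
        self.state = {k: t for k, t in self.state.items() if t > now}   # expire entries
        key = self._key(pkt)
        if key in self.state:
            # A reply matching a live state entry bypasses the rule list.
            self.state[key] = now + self.timeouts[pkt.proto]
            return "permit (state)"
        for rule in self.rules:                  # first match wins, in list order
            if rule.matches(pkt):
                if rule.action == "permit" and rule.keep_state:
                    # Remember the reverse tuple; denied packets never create state.
                    reply: StateKey = (pkt.proto, pkt.dst, pkt.src, pkt.dport, pkt.sport)
                    self.state[reply] = now + self.timeouts[pkt.proto]
                return f"{rule.action} ({rule.name})"
        return f"{self.default_action} (default)"   # fell off the end of the list


if __name__ == "__main__":
    fw = StatefulFilter([
        Rule("dns-out", "permit", "udp", src="10.0.0.5", dport=53, keep_state=True),
        Rule("no-inbound-udp", "deny", "udp", dst="10.0.0.5"),
    ])
    print(fw.evaluate(Packet("udp", "10.0.0.5", "192.0.2.53", 40000, 53), now=0))   # permit (dns-out)
    print(fw.evaluate(Packet("udp", "192.0.2.53", "10.0.0.5", 53, 40000), now=1))   # permit (state)
    print(fw.evaluate(Packet("udp", "192.0.2.53", "10.0.0.5", 53, 40001), now=1))   # deny (no-inbound-udp)
```

The third call shows why keep state is preferable to an open inbound rule: only the exact reply tuple is admitted, and once the entry ages out the same packet is denied again.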
Chapter 9: Using advanced features This chapter explains about the advanced functions of VPNmanager.
Using advanced features ● VPNos 4.4 includes Path MTU Discovery, NAT Traversal, and Port for Dyna Policy Download ● VPNos 4.5 includes Path MTU Discovery, NAT Traversal, and Port for Dyna Policy Download Note: The Private IP Address and the local DHCP server IP address are combined beginning with VPNos 4.2. Previously the Private IP Address was located on the Advanced tab. Figure 62: Security gateway, Advanced tab ARP. Determines how the VSU uses its MAC addresses.
Device Advanced Examples of traffic destined for the private network are: ● Decapsulated IPSec packets destined for the private network. ● SNMP Get Responses being sent to a VPNmanager console residing on the private side of the VSU ● Traps sent to a VPNmanager console residing on the private side of the VSU Note: It is important to remember that ARP often works in conjunction with the Advanced Filter setting.
As a packet is routed through different networks, a router may need to divide it into smaller pieces because it is too large to transmit as a single packet on the next network. This may occur at the interfaces of physically different networks. The MTU of a security gateway passing secure traffic is 1404 bytes, which includes the additional IPSec information. The MTU of a security gateway passing unprotected traffic is 1514 bytes (a 1500-byte IP packet plus the 14-byte Ethernet header).
6. In the Fragmentation Control for Encapsulated VPN Traffic area, select the appropriate Do Not Fragment (DF) bit property. Note: If the DF bit is set in the IP header, the packet is not fragmented further down the network path; a router that cannot forward it whole drops it instead. ● Copy DF bit from the source packet. If this property is selected, the DF bit from the source IP header is copied to the VPN traffic. When Path MTU is enabled (On), the Copy DF bit from the source packet property is the default behavior.
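The interaction between the two MTU figures above and the DF bit property is easiest to see in code. The following is an added example written for this page, not VPNmanager code: it decides, for an inner packet of a given size, whether the gateway can encapsulate it as is, must fragment it first, or must drop it and tell the sender the usable MTU so that Path MTU Discovery shrinks the packets. The 1404- and 1514-byte values are the guide's; the 110-byte overhead is derived from them, the 20-byte IPv4 header and 8-byte fragment granularity are RFC 791 values, and the "fragment before encapsulation" behaviour when DF is not honoured is an assumption of the example.

```python
"""Added example, not VPNmanager code: what a gateway does with a cleartext
packet that will not fit once IPSec encapsulation is added, depending on
whether the Do Not Fragment (DF) bit is copied from the source packet."""
from typing import List, Tuple, Union

MTU_CLEAR = 1514                         # guide: MTU for unprotected traffic (Ethernet frame)
MTU_SECURE = 1404                        # guide: largest cleartext packet that fits after IPSec
IPSEC_OVERHEAD = MTU_CLEAR - MTU_SECURE  # 110 bytes, derived from the two figures above
IPV4_HEADER = 20                         # minimum IPv4 header (RFC 791)
FRAG_UNIT = 8                            # fragment offsets are counted in 8-byte units

Decision = Tuple[str, Union[List[int], int]]


def fragment_sizes(pkt_len: int) -> List[int]:
    """Split an IPv4 packet into fragments of at most MTU_SECURE bytes each.
    Every fragment carries its own IPv4 header; all but the last carry a
    payload that is a multiple of 8 bytes."""
    payload = pkt_len - IPV4_HEADER
    max_payload = (MTU_SECURE - IPV4_HEADER) // FRAG_UNIT * FRAG_UNIT
    sizes: List[int] = []
    while payload > 0:
        chunk = min(payload, max_payload)
        sizes.append(chunk + IPV4_HEADER)
        payload -= chunk
    return sizes


def encapsulate(pkt_len: int, df_set: bool, copy_df: bool) -> Decision:
    """Decide what the gateway does with an inner IPv4 packet of pkt_len bytes.

    Returns one of:
      ("forward", [pkt_len])            fits; encapsulated as a single packet
      ("icmp-frag-needed", MTU_SECURE)  dropped; sender is told the usable MTU
      ("fragment", [sizes...])          split before encapsulation so each piece fits
    """
    if pkt_len <= MTU_SECURE:
        return ("forward", [pkt_len])
    if df_set and copy_df:
        # Honouring the inner DF bit means the packet cannot be split. An ICMP
        # "fragmentation needed" carrying MTU_SECURE lets the sender's Path MTU
        # Discovery reduce its packet size instead of silently losing traffic.
        return ("icmp-frag-needed", MTU_SECURE)
    return ("fragment", fragment_sizes(pkt_len))


def on_the_wire(sizes: List[int]) -> List[int]:
    """Size of each piece after the gateway adds its IPSec/Ethernet overhead."""
    return [s + IPSEC_OVERHEAD for s in sizes]


if __name__ == "__main__":
    for df_set, copy_df in ((True, True), (True, False), (False, True)):
        decision = encapsulate(1500, df_set, copy_df)
        print(f"1500-byte packet, DF={df_set}, copy DF={copy_df}: {decision}")
```

With DF honoured, a full-size 1500-byte packet is never forwarded; the sender learns the 1404-byte limit and adapts. With DF ignored the gateway emits a 1404-byte and a 116-byte fragment, each of which still fits in 1514 bytes after encapsulation.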
Port for dyna-policy download If a VSU is configured to receive dyna-policies from a remote server instead of storing them locally, it uses a specific port for listening to the remote server. The port uses the Secure Sockets Layer (SSL) for protection, and its default number is 1443. The port number can be changed if necessary. To change the port number: 1. From the Device>Contents column, select the VSU you want to configure. 2. Click the Advanced tab to bring it to the front. 3.
A typical use of the private IP address is when the VSU’s private side IP network is a different network (different network number and/or mask) from the VSU’s public side IP network. For example, when you deploy the VSU in parallel with a firewall or other access device. If you are using the VSU’s primary IP address as the management IP address, use caution when changing it from the VPNmanager.
● Send VSU(s) names that are involved in CCD only. Select this option if you want the remote client to query only those VSUs that are performing Dyna-Policy services. This is useful if a domain contains many VSUs that are not used for authenticating remote clients. This saves time for the remote client because they don’t have to query every VSU to build a complete Dyna-Policy. ● Send no VSU names.
Note: The VSU determines what type of authentication it permits, but this is dependent upon the authentication policy last downloaded from VPNmanager (SuperUser Password OFF or ON). Remember that if you set the SuperUser Password to OFF you are no longer able to connect to the VSU using the SuperUser account. The only way to recover SuperUser authentication is to change the setting back to ON, then do one of the following: 1. Authenticate via your LDAP user account or 2.
Figure 63: VSU Tunnel Persistence Figure 64 illustrates tunnel persistence between SGs and remote users (RUser). The addition of SGD to VPN2 (SGA, SGC, SGD, and Remote User) interrupts tunnel persistence in VPN2, thus breaking the remote connection. Once the configuration update is complete, the remote connection is restored. Because no modifications have been made in VPN1 (SGA and SGB) and VPN3 (SGB and SGD), their tunnels remain persistent.
TEP Policy The Tunnel End Point (TEP) Policy tab provides control of the security policy applied to the traffic that flows between the end points of a tunnel. The default is off, or Do not apply configured VPN policies to TEP traffic.
Servers The Servers tab is used for adding backup directory servers to a specific security gateway. There is no practical limit on how many backups you can configure. Backup servers can be added at anytime, and they can be organized so that when one fails, a specific one can be used as a backup. To install additional servers, see your iPlanet Directory Server documentation for instructions. The following procedure only establishes it as a backup server.
Servers To create a backup server: 1. Move to the Configuration Console window. 2. From the Device>Contents column, select the security gateway that needs to have the backup server. 3. Click the Directory Servers tab to bring it to the front. 4. Click Add to open the Add Directory Server dialog box. 5. Use Table 15 to configure a connection to a server. Table 15: Add Directory Server Commands Item Description Enter IP Address or DNS Name Type in the IP address or host name used by the server.
4. From the Servers list, select a specific secondary end-point. 5. Use Table 16 for performing specific management tasks. Table 16: Servers list commands Command Description Edit Use this command to edit the server with the Add Directory Server dialog box. Move Up Click this button to move the server higher in the list. Move Down Click this button to move the server lower in the list. Delete Click this button to remove the server from the list.
Resilient Tunnel Figure 67: Primary and Resilient Tunnels Resilient Tunnels are used for backing up Primary Tunnels. Should a Primary Tunnel go out of service, the Resilient Tunnel is automatically used for VPN traffic. [Figure 67 shows a Tokyo LAN and a San Francisco LAN connected through VSU A, a hub VSU and routers across the WAN, with a high-speed Primary Tunnel and a low-speed Resilient Tunnel.] Tunnel Switching The switching mechanism involves time and a packet called a Heartbeat. Figure 68 illustrates how tunnels are switched.
6. After VSUA establishes a connection with VSUC, the resilient tunnel is used for VPN traffic. 7. On a periodic basis, VSUA continues to request a heartbeat from VSUB. The period is called the Dead Primary Poll Interval. 8. If VSUA reconnects with VSUB, VSUA waits for a specific time before it switches traffic back to VSUB. The waiting period is called the Hold-down Time. Note: If packet filtering is used, be sure the heartbeat packets are not filtered; a filtered heartbeat is indistinguishable from a dead primary and triggers a switch to the resilient tunnel.
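The switching sequence above, driven by the Heartbeat Interval, Heartbeat Retry Limit, Dead Primary Poll Interval and Hold-down Time, can be written out as a small state machine. The following is an added example for this page, not VPNmanager code: the guide's defaults of 10 seconds and 3 tries are used for the first two parameters, the 30-second poll interval and 60-second hold-down are assumptions, and the outage scenario and end-point names are constructed. Restarting the hold-down timer when the primary flaps during it is also an assumption of the example.

```python
"""Added example, not VPNmanager code: the heartbeat-driven switch between a
primary and a resilient tunnel, using the four parameters the guide names.
Defaults for Dead Primary Poll Interval and Hold-down Time are assumptions;
the guide's defaults for heartbeat interval and retry limit are 10 s and 3."""
from typing import List, Optional, Tuple


class ResilientTunnel:
    def __init__(self, heartbeat_interval: int = 10, retry_limit: int = 3,
                 dead_primary_poll_interval: int = 30, hold_down: int = 60) -> None:
        self.heartbeat_interval = heartbeat_interval
        self.retry_limit = retry_limit
        self.dead_primary_poll_interval = dead_primary_poll_interval
        self.hold_down = hold_down
        self.active = "primary"            # which tunnel carries VPN traffic
        self.next_probe = 0                # time of the next heartbeat request
        self.missed = 0                    # consecutive unanswered heartbeats
        self.primary_up_since: Optional[int] = None   # start of the hold-down period

    def step(self, now: int, primary_answers: bool) -> str:
        """Advance the machine to time `now`; primary_answers says whether a
        heartbeat sent to the primary end-point right now would be answered."""
        if now < self.next_probe:
            return self.active
        if self.active == "primary":
            self.missed = 0 if primary_answers else self.missed + 1
            if self.missed >= self.retry_limit:
                # Retry limit exhausted: declare the primary inactive and switch.
                self.active, self.missed = "resilient", 0
            self.next_probe = now + self.heartbeat_interval
        else:
            if primary_answers:
                if self.primary_up_since is None:
                    self.primary_up_since = now            # start the hold-down timer
                elif now - self.primary_up_since >= self.hold_down:
                    self.active, self.primary_up_since = "primary", None   # switch back
            else:
                self.primary_up_since = None   # a flap restarts the hold-down period
            self.next_probe = now + self.dead_primary_poll_interval
        return self.active


def simulate(outage: Tuple[int, int], duration: int, **params) -> List[Tuple[int, str]]:
    """Drive the machine one second at a time through a primary outage lasting
    [start, end) seconds; return the (time, active tunnel) transitions."""
    tunnel = ResilientTunnel(**params)
    transitions: List[Tuple[int, str]] = []
    current = tunnel.active
    for t in range(duration):
        primary_reachable = not (outage[0] <= t < outage[1])
        state = tunnel.step(t, primary_reachable)
        if state != current:
            transitions.append((t, state))
            current = state
    return transitions


if __name__ == "__main__":
    # Constructed scenario: the primary tunnel is down from t=25 s to t=200 s.
    print(simulate((25, 200), 400))   # [(50, 'resilient'), (270, 'primary')]
```

Two things worth reading off the trace: failover takes roughly Heartbeat Interval times Retry Limit (here 30 seconds after the outage began), and the return to the primary is deliberately slower, one poll interval to notice it plus the full hold-down, so that a flapping primary does not drag traffic back and forth.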
Add resilient tunnel There are four parameters associated with Resilient Tunnel automatic backup mode. They are: ● Heartbeat Interval The time, in seconds, between heartbeat request attempts made by the remote security gateway to the primary security gateway. Default is 10 seconds. ● Heartbeat Retry Limit The number of times a heartbeat request is sent by the remote security gateway before the primary security gateway is declared inactive. Default is 3 tries.
7. From the Properties list, click Heartbeat Interval so the heartbeat interval values appear. ● In the Heartbeat Interval drop-down list, select a unit of time. ● In the Heartbeat Interval text box, type in a duration that defines the period of the primary end-point’s heartbeat. 8. From the Properties list, click Heartbeat Retry Limit so the heartbeat retry limit values appear.
5. You can edit, move up, move down or delete. 6. When finished, click Save to save your work. Stopping and starting resilient tunnel services Resilient tunnel services for a specific primary end-point or secondary end-point can be stopped or started at any time. Primary end-point service To stop or start resilient tunnel services for a primary end-point: 1. Move to the Configuration Console window. Select Devices. 2.
Failover TEP Failover TEP is used to protect site-to-site VPN traffic that moves through the public networks. The endpoints for tunnels are located in SGs. Up to four head-end devices can be configured to backup a specific security gateway. Upon completion of the Failover TEP configuration, the VPNmanager will download identical VPN configuration to the alternate head-end devices.
Advanced Action Configuring failover TEP Failover TEP is configured from the Failover TEP tab. To configure failover TEP: 1. Move to the Configuration Console window. The Device tabs are displayed. 2. From the Device>Contents column, select the device that is operating as the head-end device. 3. Click the Failover TEP tab to bring it to the front. 4. Select the Enable checkbox to enable failover TEP on the device.
Figure 71: Advanced Action tab Switch Flash Switch flash is used to switch the flash chip from which the security gateway is executing its NOS. Normally, a duplicate image of the NOS is loaded into the second flash bank, however, a new or previous NOS image may alternately be loaded when it is desired to switch between the two NOS versions. The flash from which the security gateway is currently executing its NOS is indicated (Flash 0 or Flash 1).
High Availability This tab provides access to the High Availability (HA) functions for the security gateway including enabling high availability, setting the public and private virtual addresses, adding security gateway members to the HA group, viewing the status of the HA group, converting a passive member to an active member, configuring member VSUs, the VRRP advertisement interval, version number, third party reference points for the public and private interfaces, and minimum connectiv
To configure the security gateway to deny all non-VPN traffic through the VPNmanager: 1. Move to the Configuration Console window. Select Devices. 2. From the Device>Contents column, select the security gateway you want to configure. 3. Click the Policies tab to bring it to the front. 4. From the drop-down list, select Packet Filtering, then click GO to open the Policy Manager for Packet Filtering. 5. Click Advanced to display the Packet Filter Rule Advanced window. 6.
member is down and will force the election to become the active member. The value for missed advertisements ranges from 3 to 16.
Group ID. - The Group ID allows configuration of a unique identifier for the HA group. By using the Group ID, the HA group avoids conflicts with other VRRP implementations on the network. The values for the Group ID can range from 0 to 255.
Pass Phrase. - Beginning with VPNos 4.
By selecting the member in the table, the following actions can be performed:
● Edit - This action allows the member to be edited.
● Update - This action allows the selected member configuration to be updated. If you suspect that a passive member does not have the most current configuration for the HA group, use the Update button to update the passive member’s configuration. Using Update revises the configuration on the passive member to match the active member’s index number.
Note: Virtual Addresses must be valid routable addresses.
6. Click the Add button to add members to the HA group. 7. Enter the private IP addresses of the Active security gateway. 8. The private IP address may have been entered during the initial creation of the security gateway object. If the private IP address has already been entered, confirm the IP address is correct and move to the next step. 9. Enter the public and private IP addresses of the Passive security gateway(s). 10.
5. Click the Enable High Availability check box to disable High Availability on the remaining security gateway. 6. Click Update Devices from the Configuration Console. Click OK to complete the update.
Failover
Use the Failover object to configure up to five IP addresses for tunnel endpoints (TEP) for the security gateways. These IP addresses are used as failover locations in the case of VPN or clear traffic failure.
Note: If the public-backup interface idle timer is disabled, the security gateway continues to use the alternate network interface.
Note: Network path failure is defined as the configured number of consecutive connectivity checks without a response from the configured number of hosts. The following is an example of network path failure criteria. The configuration is as follows:
● The number of consecutive “no” responses is five.
4. Select Get IP List for DNS Names so that when a DNS query is made, the security gateway keeps all the IP addresses that are returned in the cache. The security gateway attempts to respond to the queries in the same order that the queries were received. If this parameter is not selected and a DNS query is made, the security gateway uses the first IP address of the DNS response that is returned. 5.
10. In the Hosts field, click Add to enter the network host or hosts for which you want to monitor connectivity. You can define up to five DNS names or IP addresses. These hosts can be either within the VPN or outside the VPN. If the host is within the VPN, the host information is encapsulated in the associated VPN policy. If the host is outside the VPN, the host information is sent in the clear. 11.
In previous releases of VPNos 4.x, a system reboot would not restore the original RTEP.
● Restore primary RTEP. In the event of tunnel failover, restore the original, primary remote tunnel endpoint in effect following a system reboot. Beginning with VPNos 4.4, restore primary RTEP is the default setting. If restore primary RTEP is configured and the system reboots, failover reconnect will attempt to connect to the first entry of the failover RTEP list. 4.
Converged Network Analyzer Test Plug Typically, one CNA unit is configured in the network operations center, and another CNA unit is configured in the corporate network. The CNA unit in the network operations center (NOC) is used to set up network topologies, configure network tests, and schedule network tests. Multiple CNA units can be configured in the network to monitor network topology and test results.
Important: When the default RTP test port value is modified, you must create a new CNA service to use the new RTP test destination port. If the security gateway is configured to allow CNA traffic, be sure to update the firewall rule to use the new CNA service.
6. In the CNA Hive(s) area, click Add to enter the CNA hive configuration information. The CNA hive information includes the following:
● CNA hive name. The CNA hive name identifies the CNA hive deployment.
Keep Alive
Figure 74: Keep alive tab
To configure keep alive: 1. From the Configuration Console window, select New Object>Keep Alive. The Keep Alive dialog is displayed. 2. In the Keep Alive name text box, enter a unique name. Click Apply. Click Close to go to the Keep Alive tab. 3. Click Enable to enable the keep alive configuration. 4. From the Send From drop-down menu, select a network zone. ● Public.
8. In the Traceroute Criteria area, select Initiate Traceroute when criteria are met, and complete the following: a. In the Number of Failed Hosts field, enter the number of hosts from the configured keep alive hosts that can fail to receive keep alive responses. If multiple hosts are configured and all hosts are critical, enter 1. If any one of the configured hosts failed to respond, network path failover occurs. b.
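The network path failure criteria from the Failover note above (consecutive unanswered checks per host, and the Number of Failed Hosts threshold) can be evaluated offline against recorded keep-alive results; this is an added illustration, not Avaya's code, and the host names and check histories are constructed.

```python
"""Keep-alive network path failure evaluation (added example; not Avaya's code).

Models the two settings the guide describes: the number of consecutive "no"
responses that marks one host as failed, and the Number of Failed Hosts that
must be reached before network path failover (and the traceroute) is triggered.
"""
from dataclasses import dataclass
from typing import Dict, List

MAX_HOSTS = 5  # the Hosts field accepts up to five DNS names or IP addresses


@dataclass(frozen=True)
class PathFailureCriteria:
    consecutive_no_responses: int  # consecutive unanswered checks per host
    failed_hosts: int              # "Number of Failed Hosts" field


def validate_criteria(criteria: PathFailureCriteria, host_count: int) -> None:
    """Reject settings that can never trigger or that exceed the host limit."""
    if not 1 <= host_count <= MAX_HOSTS:
        raise ValueError(f"between 1 and {MAX_HOSTS} hosts can be monitored, got {host_count}")
    if criteria.consecutive_no_responses < 1:
        raise ValueError("consecutive 'no' responses must be at least 1")
    if not 1 <= criteria.failed_hosts <= host_count:
        raise ValueError("Number of Failed Hosts must lie between 1 and the number of hosts")


def host_failed(history: List[bool], consecutive_no: int) -> bool:
    """One host counts as failed when its most recent `consecutive_no` checks
    all went unanswered. `history` holds one entry per keep-alive check:
    True for a response received, False for no response."""
    if len(history) < consecutive_no:
        return False  # not enough checks yet to satisfy the criterion
    return not any(history[-consecutive_no:])


def failed_hosts(histories: Dict[str, List[bool]],
                 criteria: PathFailureCriteria) -> List[str]:
    """Names of the configured hosts that currently meet the per-host criterion."""
    return [host for host, hist in histories.items()
            if host_failed(hist, criteria.consecutive_no_responses)]


def network_path_failed(histories: Dict[str, List[bool]],
                        criteria: PathFailureCriteria) -> bool:
    """Path failure: at least `failed_hosts` hosts have each missed the configured
    number of checks in a row. When every host is critical, the guide says to
    enter 1, so a single failed host triggers failover."""
    validate_criteria(criteria, len(histories))
    return len(failed_hosts(histories, criteria)) >= criteria.failed_hosts


# Constructed check histories for three monitored hosts (True = response received).
SAMPLE_HISTORIES = {
    "10.1.1.1": [True, True, False, False, False, False, False],    # five misses in a row
    "10.1.1.2": [True, False, False, False, False, True],           # recovered on the last check
    "ntp.example.net": [True, True, True, True, True, True, True],  # healthy
}

if __name__ == "__main__":
    crit = PathFailureCriteria(consecutive_no_responses=5, failed_hosts=1)
    print("failed hosts:", failed_hosts(SAMPLE_HISTORIES, crit))
    print("path failover triggered:", network_path_failed(SAMPLE_HISTORIES, crit))
```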
Policy Manager - My Certificates
Up to eight certificates can be stored in a VSU. During IKE negotiation, a VSU sends a specified certificate to the other VSU or client it is negotiating with; those other VSUs and clients are called targets. Likewise, the target that received a certificate must distribute its [unique] certificate to the sender to complete the exchange. The VSUs use the exchange to authenticate each other and to distribute their public keys. These additional certificates can be created and then installed into a VSU.
Figure 76: The Policy Manager for My Certificates
To install a signed certificate into a VSU: 1. From the Device>Contents column, select the VSU that needs a Signed Certificate. 2. Click the Policies tab to bring it to the front. 3. From the drop-down list, select My Certificates, then click GO to open the Policy Manager for My Certificates. 4. Click Generate Certificate Request to open the Save as dialog box. 5.
Figure 77: An Example of a Signed Certificate
Header
-----BEGIN CERTIFICATE-----
nfi897rho987fb+mht>,oi$s25hgj98iJop)kjh
GrDfgyui987jg55dJ99KJY6%$3@@Sd5()~
43dbi0oMl=_+;mhjuuhJ8*&tfeEckiooplkjghf
hkjhyytuUTffRgYyYUy^6676%$$RgLo0l0LI
-----END CERTIFICATE-----
Footer
11. Cut the signed certificate from whatever file the PKI System sent it in, then paste it into the file you created in Step 6. Include the header and footer.
4. From the Maintain Certificates list, select the certificate that you want the VPNmanager Console to use. 5. The default VSU certificate is identified by an asterisk in the MGR column. Although a specific certificate may have other targets, as assigned through the IKE Certificate Usage tab (See IKE Certificate Usage on page 240), the VPNmanager Console can still use it. 6. Click Use as Manager Certificate to make the VPNmanager Console a target of the certificate.
Figure 78: Issuer Certificates (diagram of a PKI System, a WAN, VSUA and VSUB, the target of VSUA, with callouts 1 to 4)
Targets use Issuer Certificates to authenticate Signed Certificates they receive. The Issuer Certificate must be from the same PKI System that created the Signed Certificate. Issuer Certificates are stored on targets.
Explanation for Figure 78: 1. A Certificate Request from VSUA is sent to a PKI System to be signed. 2.
Figure 79: An Example of an Issuer Certificate
Header
-----BEGIN CERTIFICATE-----
nfi897rho987fb+mht>,oi$s25hgj98iJop)kjh
GrDfgyui987jg55dJ99KJY6%$3@@Sd5()~
43dbi0oMl=_+;mhjuuhJ8*&tfeEckiooplkjghf
hkjhyytuUTffRgYyYUy^6676%$$RgLo0l0LI
-----END CERTIFICATE-----
Footer
3. Cut the issuer certificate from whatever file the PKI system sent it in, then paste it into a text file. The file can have a DER or TXT file name extension.
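Both the signed certificate (Figure 77) and the issuer certificate (Figure 79) are assembled by hand from whatever the PKI system sent, and the header and footer must be carried over intact. The check below, added here as an illustration and not Avaya's code, catches the usual paste defects (a missing dash in the header, mail text carried into the body, a truncated base64 body) before the file is installed; the PEM samples are constructed and the "good" one wraps a minimal DER SEQUENCE, not a real certificate.

```python
"""Sanity check for a hand-assembled PEM certificate file (added example; not Avaya's code)."""
import base64
import re
from typing import Tuple

HEADER = "-----BEGIN CERTIFICATE-----"
FOOTER = "-----END CERTIFICATE-----"
BASE64_LINE = re.compile(r"^[A-Za-z0-9+/]+={0,2}$")


def extract_der(pem_text: str) -> bytes:
    """Return the DER bytes between header and footer, or raise ValueError naming
    the paste defect (wrong dashes, stray text in the body, corrupted base64)."""
    lines = [ln.strip() for ln in pem_text.splitlines() if ln.strip()]
    if HEADER not in lines:
        raise ValueError("header line must read exactly %s" % HEADER)
    if FOOTER not in lines:
        raise ValueError("footer line must read exactly %s" % FOOTER)
    start, end = lines.index(HEADER), lines.index(FOOTER)
    if end <= start + 1:
        raise ValueError("no certificate body between header and footer")
    body = lines[start + 1:end]
    for ln in body:
        if not BASE64_LINE.match(ln):
            raise ValueError("body line is not base64: %r" % ln)
    try:
        return base64.b64decode("".join(body), validate=True)
    except ValueError as exc:  # binascii.Error is a ValueError subclass
        raise ValueError("body does not decode as base64") from exc


def der_total_length(der: bytes) -> int:
    """Parse the outer tag and length of a DER encoding and return the total size
    the length field promises. An X.509 certificate is a SEQUENCE (tag 0x30)."""
    if len(der) < 2:
        raise ValueError("DER too short")
    if der[0] != 0x30:
        raise ValueError("outer element is not a SEQUENCE (tag 0x%02x)" % der[0])
    first = der[1]
    if first < 0x80:               # short form: this byte is the length
        return 2 + first
    n = first & 0x7F               # long form: the next n bytes hold the length
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed long-form length")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_certificate_file(pem_text: str) -> Tuple[bool, str]:
    """Verdict on a file assembled from a PKI system's response: well-formed
    header/footer, decodable body, and a DER length that matches the body."""
    try:
        der = extract_der(pem_text)
        expected = der_total_length(der)
    except ValueError as exc:
        return False, str(exc)
    if expected != len(der):
        return False, "DER length field says %d bytes but body has %d" % (expected, len(der))
    return True, "well-formed PEM wrapping a %d-byte DER SEQUENCE" % len(der)


def der_sequence(content: bytes) -> bytes:
    """Wrap `content` in a DER SEQUENCE; used only to build the constructed samples."""
    n = len(content)
    if n < 0x80:
        return b"\x30" + bytes([n]) + content
    len_bytes = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return b"\x30" + bytes([0x80 | len(len_bytes)]) + len_bytes + content


def to_pem(der: bytes, width: int = 64) -> str:
    """Base64-armor DER bytes with the certificate header and footer."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + width] for i in range(0, len(b64), width)]
    return "\n".join([HEADER, *lines, FOOTER]) + "\n"


# Constructed samples: a SEQUENCE of 100 small INTEGERs (exercises the long-form
# length), and a paste that lost a dash from the header and dragged a line of the
# PKI system's mail text into the body.
GOOD_PEM = to_pem(der_sequence(b"\x02\x01\x01" * 100))
BAD_PEM = ("----BEGIN CERTIFICATE-----\nYour certificate is attached.\n"
           "MAMCAQE=\n-----END CERTIFICATE-----\n")
TRUNCATED_PEM = to_pem(b"\x30\x05\x02\x01\x01")  # length field promises 7 bytes, body has 5

if __name__ == "__main__":
    for name, text in (("good", GOOD_PEM), ("bad", BAD_PEM), ("truncated", TRUNCATED_PEM)):
        print(name, check_certificate_file(text))
```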
About Certificate Usage (Exchange)
Every certificate identifies its owner and contains the owner’s public key. The concept of certificate usage is based on Owners and Targets. An owner sends its certificate to a target, who then uses it to encrypt any information it sends to the owner. Owners and targets can be a VSU, Remote Client, or any device that can use the Internet Key Exchange (IKE) protocol to exchange certificates.
When a VSU recognizes that a target wants to communicate, the VSU uses the IKE Certificate Usage list to determine which bundle to send to the target. The search always starts at the top of the list, so it’s important to put the most frequently used bundles at the top of the list. There can be cases when you have to make a general purpose bundle that applies to any type of target. Always place that bundle at the bottom of the IKE Certificate Usage list.
7. From the Target Type drop-down, select the type of target for the certificate.
● IP Address. Select to show the Enter Target Address text boxes. Type in the address of any IKE compatible device as a target. Typically, this is a VSU.
● VPN. Select to show the Select Target VPN list. VPN objects that have been created appear in the list. Select a specific VPN to be a target for the certificate. This only applies to Avaya Inc. VSUs of Version 3.0 and higher.
● FQDN.
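The top-down, first-match search of the IKE Certificate Usage list and the three target types above can be modelled to see why a general purpose bundle placed anywhere but the bottom shadows every entry below it. This is an added illustration, not Avaya's code; the bundle names, VPN names, FQDNs and addresses are constructed.

```python
"""First-match bundle selection over an IKE Certificate Usage list (added example; not Avaya's code)."""
from dataclasses import dataclass
from ipaddress import ip_address
from typing import Dict, FrozenSet, List, Optional


@dataclass(frozen=True)
class Bundle:
    name: str
    target_type: str           # "IP Address", "VPN", "FQDN", or "Any" for the general purpose bundle
    target: Optional[str] = None


@dataclass(frozen=True)
class Target:
    address: str                              # address the IKE peer negotiates from
    fqdn: Optional[str] = None                # name the peer presents, if any
    vpns: FrozenSet[str] = frozenset()        # VPN objects the peer belongs to


def bundle_matches(bundle: Bundle, target: Target) -> bool:
    """Does this list entry apply to the peer? One matcher per target type."""
    if bundle.target_type == "Any":
        return True
    if bundle.target_type == "IP Address":
        return ip_address(bundle.target) == ip_address(target.address)
    if bundle.target_type == "VPN":
        return bundle.target in target.vpns
    if bundle.target_type == "FQDN":
        return target.fqdn is not None and target.fqdn.lower() == bundle.target.lower()
    raise ValueError(f"unknown target type {bundle.target_type!r}")


def select_bundle(usage_list: List[Bundle], target: Target) -> Optional[Bundle]:
    """The search starts at the top of the list and the first matching bundle wins."""
    for bundle in usage_list:
        if bundle_matches(bundle, target):
            return bundle
    return None


def shadowed_bundles(usage_list: List[Bundle]) -> List[str]:
    """Entries that can never be selected because an "Any" bundle sits above them.
    An empty result means the list follows the guide's advice."""
    for i, bundle in enumerate(usage_list):
        if bundle.target_type == "Any":
            return [b.name for b in usage_list[i + 1:]]
    return []


def ordered_by_usage(usage_list: List[Bundle], hit_counts: Dict[str, int]) -> List[Bundle]:
    """Put the most frequently used bundles first while keeping any "Any" bundle at the bottom."""
    specific = [b for b in usage_list if b.target_type != "Any"]
    general = [b for b in usage_list if b.target_type == "Any"]
    specific.sort(key=lambda b: hit_counts.get(b.name, 0), reverse=True)
    return specific + general


# Constructed lists: a well-ordered one, and one with the catch-all bundle on top.
USAGE_LIST = [
    Bundle("branch-vsu", "IP Address", "203.0.113.10"),
    Bundle("sales-vpn", "VPN", "SalesVPN"),
    Bundle("partner-gw", "FQDN", "gw.partner.example"),
    Bundle("default", "Any"),
]
MISORDERED = [Bundle("default", "Any"), Bundle("branch-vsu", "IP Address", "203.0.113.10")]

if __name__ == "__main__":
    peer = Target("203.0.113.10")
    print("well-ordered list picks:", select_bundle(USAGE_LIST, peer).name)
    print("misordered list picks:", select_bundle(MISORDERED, peer).name)
    print("shadowed entries:", shadowed_bundles(MISORDERED))
```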
Chapter 10: Monitoring your network
This chapter describes the real-time monitoring facilities that the VPNmanager application provides. This includes the following:
● Using SNMP to monitor the device
● Syslog Services
● Using Monitor
● Monitoring alarms
● Report Wizard
Using SNMP to monitor the device
The VPNmanager uses the SNMP protocol to monitor the security gateway. The security gateway includes an SNMP agent that supports MIB-II and a proprietary MIB.
The traps that are generated by the security gateway are sent to the list of trap targets that are configured. The version of the trap that is sent is the same as the version of the SNMP Agent; that is, if the security gateway is configured for SNMPv1, an SNMPv1 trap is sent. A maximum of five trap targets can be specified, and one of these can be the Directory Server.
To add an SNMP Trap Target for security gateways running versions prior to VPNos 4.2, do the following: 1. From the Contents column, select the security gateway you want to configure. 2. Click the SNMP tab to bring it to the front. 3. In the Trap Community text box, type in a unique community name. 4. Click Add to open the Add SNMP Trap Target dialog box. 5. In the SNMP Trap Target text boxes, type in the SNMP Target IP address. 6.
Note: If your organization’s security policy dictates that this traffic be secure, TEP Policy (in the Main Console Preferences tab) can be turned on to encrypt this traffic.
Note: For additional information about using a third-party SNMP manager, see Using SNMP to monitor the device on page 245.
Syslog Services
Security gateways have a syslog messaging facility for logging system error messages. The messages can be automatically sent to a destination running a Syslog server.
Add Syslog Policy
The Add Syslog Policy screen allows you to designate the host to which syslog messages are sent by the selected security gateway or all devices. It also enables syslog messages to be sent to the VPNmanager through a designated UDP port.
● Hosts to receive log messages. Enter the name or the IP Address of the target machine you are designating to receive syslog data.
● Send event log message via.
12. Type in the following command line to specify the directory for the syslog file, its size limit, the protocol used, and the port number.
(Directory) \\Program Files\Avaya\VPNmanager\Console\Syslog\
..\jre\bin\java SyslogServer "-Lc:\ProgramFiles\AvayaVPN\Syslog" [-Ssize] [-Pport] [-Nnumber]
● If you want the size of the log file to be limited to a specific size, type in a specific size in kilobytes; otherwise the 8000 KB (8 MB) default size will be used.
Using Monitor
Device List
For VPN Domain. - This drop-down menu allows you to select a specific domain, or all domains, to monitor.
Select Device(s). - A list of all network objects available for monitoring. You can select a single device, or select all devices displayed.
Select Monitoring Group. - This window displays a list of all preconfigured groups you may wish to monitor. These groups are constructed from one or more logically related items from MIB-II and the VPNet Enterprise MIB.
The following tables detail the individual enterprise MIB items in each of the monitoring groups.
Table 18: Log Group Parameters
Log Index. - An integer identifying this row in the Log table.
Time. - sysUpTime value when this attack occurred.
Attack Type. - Indicates the reason that the packet was registered in the attack log. Six identifier types are reported:
● 1 = SKIP header error (packet was not IPSec AH or IPSec ESP).
Packet Header (Hex). -
Table 20: ActiveSessions Parameters
Name. - A VPNremote client name or a security gateway name as defined in VPNmanager.
Length. - Length of this session in seconds.
Original IP. - VPNremote client’s originating IP address or remote security gateway IP address.
Xlated IP. - VPNremote client’s assigned address from the Client IP Address pool, if configured.
Table 21: Address Table Parameters
Address Table Index. - The interface on which this entry’s equivalence is effective. The interface identified by a particular value of this index is the same interface as identified by the same value of ifIndex.
Physical Address. - The media-dependent physical address.
Network Address. - The Network Address (e.g., the IP address) corresponding to the media-dependent ‘physical’ address.
Table 22: ipRouteTable Parameters (continued)
Metric 3. - An alternate routing metric for this route. The semantics of this metric are determined by the routing protocol specified in the route’s ipRouteProto value. If this metric is not used, its value should be set to -1.
Metric 4. - An alternate routing metric for this route. The semantics of this metric are determined by the routing protocol specified in the route’s ipRouteProto value.
Table 22: ipRouteTable Parameters (continued)
Route Proto. - The routing mechanism via which this route was learned. Inclusion of values for gateway routing protocols is not intended to imply that hosts should support those protocols. Enumerated values: 1. other 2. local 3. netmgmt 4. icmp 5. egp 6. ggp 7. hello 8. rip 9. is-is 10. es-is 11. ciscoIgrp 12. bbnSpfIgp 13. ospf 14.
Table 22: ipRouteTable Parameters (continued)
Metric 5. - An alternate routing metric for this route. The semantics of this metric are determined by the routing protocol specified in the route’s ipRouteProto value. If this metric is not used, its value should be set to -1.
Route Info. - A reference to MIB definitions specific to the particular routing protocol which is responsible for this route, as determined by the value specified in the route’s ipRouteProto value.
Table 23: FilterStats Parameters (continued)
No Match Out. - Number of outbound packets that did not match any rule. This count includes all non-rule-matching packets, regardless of whether the packets were ultimately passed or blocked per the default rule.
Pass Log In. - Number of inbound packets that were allowed to pass and have been logged.
Table 23: FilterStats Parameters (continued)
Packets Logged In. - Total number of inbound packets that should have been logged. This number includes packets that matched filtering rules declared using either the ‘log option’ or the ‘log action’.
Packets Logged Out. - Total number of outbound packets that should have been logged. This number includes packets that matched filtering rules declared using either the ‘log option’ or the ‘log action’.
Table 23: FilterStats Parameters (continued)
Bad Frag Alloc Out. - Number of failed attempts to allocate a Fragment table entry for outbound packets. This occurs when a filter rule is declared using the ‘keep frag’ option. Packets matching this rule cause a Fragment table entry to be allocated. If the table is full, the allocation fails.
New Frag Alloc In. - Number of successful attempts to allocate a Fragment table entry for inbound packets.
Table 23: FilterStats Parameters (continued)
Bad State Alloc In. - Number of failed attempts to allocate State table entries for inbound packets. This occurs when a filter rule is declared using the ‘keep state’ option. Packets that match the rule cause a State table entry to be allocated. This allows expected return packets to bypass other filtering rules that might normally block them. Allocation fails if the State table is full and a new entry cannot be allocated.
Table 23: FilterStats Parameters (continued)
Cache Hit Out. - Number of cache hits for outbound packets on this interface. Each outbound packet is examined to see if a packet with identical characteristics exists in the outbound cache for this interface. If a match is found, the resulting rule match applied to the previous packet is applied to the current one, bypassing the rest of the filtering mechanism.
Table 23: FilterStats Parameters (continued)
No Match Pass Out. - Number of outbound packets for a given interface which did not match any filtering rule and were ultimately allowed to pass per the interface’s default rule.
No Match Block In. - Number of inbound packets for a given interface which did not match any filtering rule and were ultimately blocked per the interface’s default rule.
Table 25: Active Ports Parameters
Active Ports. - The number of active ports on this security gateway.
Traffic Rate Table Group. - See Traffic Rate Table Parameters on page 264.
Overview Statistics Table Group. - See Overview Statistics Table Parameters on page 265.
Ethernet Statistics Table Group. - See Ethernet Statistics Table Parameters on page 266.
Table 26: Traffic Rate Table Parameters (continued)
KBits From Port. - The average rate (in KBits per second) at which packets have been transmitted from this port over the last seconds.
KBits To Port. - The average rate (in KBits per second) at which packets have been received on this port over the last seconds.
Table 27: Overview Statistics Table Parameters (continued)
IP Header Length Errors. - The number of packets dropped on this port because of an invalid IP header length.
Address Map Discards. - The number of packets dropped because of IP Address Map errors.
Table 28: Ethernet Statistics Table Parameters
EtherStat Port Description. - A description of each port.
Total Frames Received. - Total number of frames received on this port.
Table 28: Ethernet Statistics Table Parameters (continued)
CRC Errors. - The number of packets dropped on this port because of CRC errors.
Frame Errors. - The number of packets dropped on this port because of frame errors.
Overflow Errors. - The number of packets dropped on this port because of overflow errors.
No-Xmit-Buffer Errors. - The number of packets not transmitted on this port because no VPNos transmit buffers were available.
Monitoring wizard (Presentation)
The Monitoring presentation screen is used to select the display type for the monitored data. The update frequency is also indicated here.
Presentation
There are four types of presentations:
● Bar graph
● Line graph
● Pie chart
● Table
Some types of data cannot be displayed in all four presentation styles. For example, only the System Group can be presented as a bar graph.
Monitoring alarms
This window provides detailed information about the alarm, including a time stamp, the security gateway generating the alarm, the alarm definition, and the first and last occurrence. This window appears even if it does not contain any content. The most recent entry is at the top of the list.
● Properties. The Alarm Properties screen displays a list of specific alarm types and their corresponding disposition action: ignore or take action. Refer to Table 29 for Alarm Type descriptions.
Table 29: Alarm Descriptions (continued)
SKIP Algorithm Mismatch. - Indicates that a packet was received for which one of the three algorithms (compression, encryption, or authentication) used to secure it did not match the VPN configuration within the security gateway where it was received. This alarm could result from a cryptographic attack.
Invalid Packet Signature. - Indicates that a packet that failed authentication was received.
Report Wizard
The first Report wizard screen allows you to specify the objects you wish to include in the report. The available objects include:
● IP Group
● User
● User Group
● Device (security gateway)
● VPN
To create a report using the report wizard: 1. Move to the Main Console. 2. Click Report to start the Report Wizard. 3. In the Report Contents portion of the screen, select the object types to be included in the report. 4.
Generating the report
When you are satisfied with the report selections made, click the Finished button to generate the report. The report window appears after a short pause. If a hardcopy is desired, you may save the report as a PDF or HTML file, then print from Acrobat or a browser (respectively).
Figure 84: Report Sample
Device diagnostics
Beginning with VPNmanager 3.7, device-specific diagnostic reports can be retrieved from a security gateway running VPNos 4.6 or higher. The device diagnostic capability allows the network administrator to run any of the available diagnostic reports from a central network management location. Diagnostic reports provide convenient access to remote security gateways and can be used to troubleshoot common configuration problems.
Table 30: Diagnostic Reports
Firewall State. - Shows information about each firewall rule configured in the security gateway.
Firewall Timers. - Shows firewall timer information for the various IP protocols.
Process Table. - Shows information about all user processes that are currently running in the security gateway.
Protocol Stats. - Shows information about the network traffic that the security gateway handles.
Chapter 11: Device management
From the VPNmanager Console, you can manage and check the status of the security gateways. This chapter describes:
● Using the Management tab to change administrative passwords and set up SSH and Telnet to connect to a security gateway
● Using the Connectivity tab to ping the security gateway
● Using the Device Actions tab to reboot the device, set the device time and import a device configuration
● Importing and exporting VPN configurations to a device
● Exporting RAD
Note: To restrict access to hosts or networks, Firewall rules limit access from specific zones. See Appendix B: Firewall rules template on page 297.
To set up SSH or Telnet: 1. Move to the Configuration Console window. 2. From the Icon tool bar, click Devices to list all security gateways in the Contents column. 3. From the Contents column, select the security gateway to configure for SSH or Telnet connection. 4. Click the Management tab to bring it to the front.
● Root is the login name for the security gateway administrator. The root administrator has full privileges to configure and maintain a specific security gateway’s network and user configuration.
● Monitor is the login name for an administrator who can view the Inspect properties and monitor sub functions of the security gateway’s interface software. The monitor user has read-only permissions.
These administrators cannot be deleted, but their passwords can be changed.
Using the Connectivity tab
Figure 85: The Connectivity tab for a security gateway Object
Two methods for testing the connectivity of a security gateway are:
● Ping between the VPNmanager workstation and a security gateway
● Proxy ping, initiated by the VPNmanager, from a security gateway to any node.
To directly ping a specific security gateway: 1. Move to the Configuration Console window. 2. From the Contents column, select the security gateway that you want to ping. 3. Click the Connectivity tab to bring it to the front. 4. Click Ping This Device to start the ping. 5. Information about the ping appears in the Ping Results text box.
Check Connectivity by Proxy Ping
Ping this Address/DNS name: Enter the IP address or DNS name.
Using the Device Actions tab
Figure 86: The Actions tab for a security gateway Object
Update Configuration. - When changes are made to a Device Object, use the Update Configuration button to send the changes from the server to a specific security gateway.
Reset Device Time. - Click Reset Time to synchronize the security gateway and VPNmanager workstation to Greenwich Mean Time.
Reboot Device. - To restart a security gateway at any time, click Reboot.
Re-setup Device. - Allows a complete re-setup of the security gateway. This is normally done when the security gateway created did not exist in the network, or when the security gateway has been replaced with a new unit.
Import Device Configuration
You can use the Import Device Configuration feature in VPNmanager to import configuration data from security gateways running VPNos 4.31, for use in VPNmanager.
To import configuration data for a device: 1. Select “Devices” on the Configuration window in VPNmanager. 2. Select the device from which configuration data will be imported. (If the device entry does not yet exist in VPNmanager, simply create a new device, specifying its IP address and selecting “Set Up Later” in the Device Setup Wizard.) 3. Select the device Actions tab. 4. Click the Import Configuration button.
100 Mbps, Full Duplex. - This option allows the VPNmanager to configure the security gateway’s Ethernet port speed to 100 Mbps in full duplex mode. In full duplex mode, the Ethernet port is capable of sending and receiving packets simultaneously over the network at 100 Mbps.
100 Mbps, Half Duplex. - This option allows the VPNmanager to configure the security gateway’s Ethernet port speed to 100 Mbps in half duplex mode.
IPSec Engine Status. - The IPSec Engine Status section shows the current state of the VSU-1200’s two packet processor engines (PPE). If either PPE fails, a FAILED status is displayed indicating which PPE failed. Both PPEs must be functional for the VSU-1200 to operate correctly. The PPEs and Ethernet cards are enclosed in a tamper-evident case and can only be serviced by an authorized technician.
Importing and exporting VPN configurations to a device
● When creating an “alien Group,” which is a group that includes IP address/mask pairs residing within an importing administrator’s network, the exporting administrator associates each alien Group with an extranet device. In the Group configuration, the IP address of the importing administrator’s security gateway must be specified if any tunnel mode VPNs include this security gateway.
The Users file variable parameters are:
● – The name of the Client as entered in VPNmanager. Case and spelling are significant. This parameter is written by VPNmanager.
● – The response required from the Client to the authentication challenge sent through the security gateway by the RADIUS server. Case and spelling are significant. This field must be entered by the system administrator.
Chapter 12: Upgrading firmware and licenses
You can upgrade the VPNos firmware and license from the VPNmanager and set encryption strength and remote access for VSU100s.
Centralized firmware management
The VPNmanager centralized firmware management allows you to upgrade the firmware for one or many security gateways at one time. You can quickly verify the firmware release for any security gateway or VSU model. VPNmanager validates that the firmware image is correct before upgrading the device.
Upgrade Options
The upgrade options are:
● Skip devices that are up-to-date. This option is the default setting. Devices that are up to date are not displayed in the upgrade list. If a device should be downgraded, this option must be unchecked so that all devices appear in the upgrade list.
● Prompt for reboot. This option is not the default setting. All devices selected in the upgrade list to be upgraded will reboot when the upgrade is completed.
Device - Upgrade tab
Figure 87: Device Upgrade tab
Upgrading a security gateway’s firmware
Use the Upgrade Firmware button for upgrading the firmware of a specific security gateway. Before upgrading firmware from the VPNmanager, you must download the latest firmware from Avaya Inc. The security gateway firmware download is password-protected. Contact technical support at vpnsupport@avaya.com to request a password prior to beginning the download.
6. Double-click the firmware zip file to begin extracting the VPNos image. The Password screen appears. 7. Enter the password from technical support. 8. Go to the VPNmanager Console, then move to the Configuration Console window. 9. Click View>Device to list all the security gateways in the Contents column. 10. From the Contents column, select the security gateway to upgrade. 11. Click the Upgrade tab to bring it to the front. 12.
Use the License button to upload the licenses from the VPNmanager Console. Once you have received the license file from your sales representative, upload the license file to the security gateway as follows: 1. Save the license file to a directory on the computer. 2. From the security gateway object Upgrade tab, click License. 3. Navigate to the directory where the license was saved and select the license file. Click Open. 4.
Appendix A: Using SSL with Directory Server
As an added benefit, all communications with the Directory Server can be secured by SSL (Secure Sockets Layer). In order to enable SSL, a Public Key Infrastructure (PKI) is used for creating a signed certificate and an issuer’s certificate. Both certificates are then installed on the server. The issuer’s certificate is then installed in the policy server, the VPNmanager Console, and the devices belonging to the VPN domain.
Installing the issuer’s certificate in the policy server and the VPNmanager Console
Installing an Issuer’s Certificate into VPNmanager Console is done from the command line. The same Issuer’s Certificate that was installed in the server can be used here. Since the console can run on Windows NT or Solaris OS, the following two subsections cover the procedures.
Solaris OS Computers
To install a certificate in VPNmanager Console: 1. Copy the certificate to the opt/Avaya/VPNmanager/Console directory. 2. Open a Console window. 3. Move to the opt/Avaya/VPNmanager/Console directory. 4. Type in the following command to install the certificate. The filename is the name of the certificate file, and aliasname is the alias you choose for the certificate file. 5. sh importcert.
4. From the Issuer Certificates list, select the row where the new issuer certificate will be installed.
5. Click Add to open the Open dialog box.
6. Use the Look in list to navigate to the location of the Issuer Certificate.
7. Select the Issuer Certificate, then click OK to return to the Policy Manager window.
8. After the device has received the Issuer Certificate, the certificate appears in the Issuer Certificates list.
9. Close the window.
Appendix B: Firewall rules template

General

The security gateway contains a powerful multi-layer inspection engine that provides extensive filtering capabilities, essential for a full-time connection to the Internet. You can configure your own rules, but, as a convenience in setting up the firewall on the security gateway, predefined general firewall rules (templates) can be selected to protect the public, private, semi-private, DMZ, and maintenance zones.
Medium Security - Selecting medium security enforces the same security policy as high security for all zones except the semi-private zone. With medium security, the semi-private zone is trusted the same as the private zone; that is, the same security policy that is enforced on the private zone is enforced on the semi-private zone. In medium security, the semi-private zone can also access all the resources in the private zone.

Low Security.
Public zone firewall templates

● DNS from any IP to any
● Common services originating from all internal networks: private, DMZ, management, and semi-private.

All other outgoing traffic is blocked. The medium security policy for the public zone is the same as the high security policy. The low security policy allows all the traffic allowed for medium security; in addition, all TCP and UDP packets from all networks are allowed to go out.
Table 31: Public high and medium security firewall rules (continued)

OutBoundPublicGeneralAccess
  Action: Permit; Source: Any; Destination: Any
  Service: ICMPECHOREQUEST, SSH/TELNET, FTP-CTRL, PASSIVEFTP, HTTP/HTTPS, DNS-TCP/DNS-UDP, NETBIOS-NS-TCP/UDP, NETBIOS-DGM-TCP/UDP, NETBIOS-SSN-TCP/UDP, POP3/IMAP/SMTP, NNTP
  Direction: Out; Zone: Public; Keep State: Yes
  Description: Permit traffic with these services to go out. The traffic can come from any network.
InBoundPublicAccess
  Action: Permit; Source: Any; Destination: PublicIP
  Service: IKE_IN, IPSEC_NAT_T_IN, AH/ESP, ICMPDestUnreach
  Direction: In; Zone: Public; Keep State: No
  Description: Permit incoming VPN traffic and ICMP unreachable packets.

InBoundPublictoDMZAccess
  Action: Permit; Source: Any; Destination: DMZNet
  Service: ICMPEchoReq (PING), FTP-Ctrl/PassiveFTP, SSH/TELNET, HTTP/HTTPS, DNS-TCP/DNS-UDP, POP3/IMAP/SMTP, NNTP
  Direction: In; Zone: Public; Keep State: Yes
  Description: Permit incoming traffic to the DMZ network.

InBoundPublicBlockAll
Table 32: Public low security firewall rules

InBoundPublicAccess
  Action: Permit; Source: Any; Destination: PublicIP
  Service: IKE_IN, IPSEC_NAT_T_IN, AH/ESP, ICMPDestUnreach
  Direction: In; Interface: Public; Keep State: No

InBoundPublictoDMZAccess
  Action: Permit; Source: Any; Destination: DMZNet
  Service: HTTP/HTTPS, POP3/IMAP/SMTP
  Direction: In; Interface: Public; Keep State: Yes

InBoundPublicBlockAll
  Action: Deny; Source: Any; Destination: Any; Service: Any
  Direction: In; Interface: Public; Keep State: No

OutBoundPublicAccess
  Action: Permit; Source: PublicIP; Destination: Any
  Service: IKE_OUT, IPSEC_NAT_T_OUT, AH/ESP, ICMPDestUnreach
  Direction: Out
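An added example, not Avaya's code, that encodes the three complete inbound rows of Table 32 and evaluates sample traffic against them. It assumes rules are matched top to bottom with the first match winning (the tables show the order but do not state the semantics); the truncated outbound row is left out.

```python
# Added example, not Avaya's code: first-match evaluation of the inbound
# public low-security template rules from Table 32. Top-to-bottom, first
# match wins is an assumption; service names are spelled as in the table.
from dataclasses import dataclass

@dataclass(frozen=True)
class Rule:
    name: str
    action: str          # "Permit" or "Deny"
    source: str          # "Any" or a named object such as "PublicIP"
    destination: str
    services: frozenset  # service names; {"Any"} matches every service
    direction: str       # "In" or "Out"
    keep_state: bool     # the table's "Keep State" column (stateful tracking)

# The three inbound rows of Table 32; the OutBoundPublicAccess row is cut
# off in the extracted text, so it is left out rather than guessed at.
PUBLIC_LOW_INBOUND = [
    Rule("InBoundPublicAccess", "Permit", "Any", "PublicIP",
         frozenset({"IKE_IN", "IPSEC_NAT_T_IN", "AH/ESP", "ICMPDestUnreach"}), "In", False),
    Rule("InBoundPublictoDMZAccess", "Permit", "Any", "DMZNet",
         frozenset({"HTTP/HTTPS", "POP3/IMAP/SMTP"}), "In", True),
    Rule("InBoundPublicBlockAll", "Deny", "Any", "Any", frozenset({"Any"}), "In", False),
]

def _matches(rule_value, packet_value):
    return rule_value == "Any" or rule_value == packet_value

def evaluate(rules, source, destination, service, direction):
    """Return (action, rule_name, keep_state) for the first matching rule.
    Traffic matching nothing is denied with rule_name None, so a template
    that lacks a closing BlockAll rule shows up in the result."""
    for r in rules:
        if (r.direction == direction and _matches(r.source, source)
                and _matches(r.destination, destination)
                and ("Any" in r.services or service in r.services)):
            return r.action, r.name, r.keep_state
    return "Deny", None, False

def ends_with_block_all(rules, direction):
    """True when the last rule for the direction is an Any/Any/Any Deny,
    the way every template on this page closes its rule list."""
    same_dir = [r for r in rules if r.direction == direction]
    return bool(same_dir) and same_dir[-1].action == "Deny" and (
        same_dir[-1].source, same_dir[-1].destination, same_dir[-1].services
    ) == ("Any", "Any", frozenset({"Any"}))
```

Note that at low security an inbound SSH/TELNET packet to DMZNet falls through to InBoundPublicBlockAll, whereas Table 31 permits it at high and medium security.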
Table 33: Public VPN-only firewall rules (continued)

OutBoundPublicAccessVPNKeyMgmt
  Action: Permit; Source: Public-IP; Destination: Any
  Service: IKE-IN, IKE-AVAYA-IN
  Direction: Out; Zone: Public-IP; Keep State: Yes

InBoundPublicICMP
  Action: Permit; Source: Any; Destination: Public-IP
  Service: ICMPDESTUNREACHABLE, ICMPTIMEEXCEEDED
  Direction: In; Zone: Public-IP; Keep State: No

OutBoundPublicICMP
  Action: Permit; Source: Public-IP; Destination: Any
  Service: ICMPDESTUNREACHABLE
  Direction: Out; Zone: Public-IP; Keep State: No

InBoundPublicBlockAll
  Action: Block; Source: Any; Destination: Any; Service: Any
  Direction: In; Zone: Public; Keep State: No

OutBoundPublicBlockAll
  Action: Block; Source: Any; Destination: Any; Service: Any
  Direction: Out; Zone: Public; Keep State: No

Private zone firewall templates
The private medium security rules and the low security rules are the same as the private high security rules.

Table 34: Private high security firewall rules

InBoundPrivateToMgmtDenyAccess
  Action: Deny; Source: Any; Destination: ManagementNet; Service: Any
  Direction: In; Zone: Private; Keep State: No
  Description: Traffic to ManagementNet is denied.
Table 36: Private low security firewall rules

InBoundPrivateDenyAccess
  Action: Deny; Source: Any; Destination: ManagementNet; Service: Any
  Direction: In; Zone: Private; Keep State: No
  Description: Traffic to ManagementNet is denied.
● The destination is Public and the service is FTP, SSH, Telnet, HTTP, HTTPS, POP3, IMAP, or ICMPechorequest.

All other incoming traffic is blocked.
Semi-private zone firewall templates

Table 37: Semi-private high security firewall rules (continued)

OutBoundSemiPrivateVPNAccess
  Action: Permit; Source: SemiPrivateIP, PublicIP; Destination: Any
  Service: IKE_OUT, IPSEC_NAT_T_OUT, AH, ESP, ICMPDestUnreach
  Direction: Out; Zone: SemiPrivate; Keep State: No
  Description: Permit outgoing VPN traffic.

OutBoundSemiPrivatePermitAll
  Action: Permit; Source: Any; Destination: Any; Service: Any
  Direction: Out; Zone: SemiPrivate; Keep State: Yes
  Description: Permit everything with Keep State.
Table 39: Semi-private low security firewall rules

InBoundSemiPrivateDenyAccess
  Action: Deny; Source: Any; Destination: ManagementNet; Service: Any
  Direction: In; Zone: SemiPrivate; Keep State: No
  Description: Traffic to ManagementNet is denied.
Table 40: Semi-private VPN-only security firewall rules (continued)

InBoundSemiPrivateAccessICMP
  Action: Permit; Source: Any; Destination: Semi-Private-IP
  Service: ICMPDESTUNREACHABLE, ICMPTIMEEXCEEDED
  Direction: In; Zone: Semi-Private; Keep State: No

OutBoundSemiPrivateAccessICMP
  Action: Permit; Source: Semi-Private-IP; Destination: Any
  Service: ICMPDESTUNREACHABLE
  Direction: Out; Zone: Semi-Private; Keep State: No

InBoundSemiPrivateBlockAll
  Action: Block; Source: Any; Destination: Any; Service: Any
  Direction: In; Zone: Semi-Private; Keep State: No

OutBoundSemiPrivateBlockAll
  Action: Block; Source: Any; Destination: Any; Service: Any
  Direction: Out; Zone: Semi-Private; Keep State: No

DMZ zone firewall templates
Table 41: DMZ high and medium security firewall rules (continued)

OutBoundDMZAccess
  Action: Permit; Source: Any; Destination: DMZNet
  Service: ICMPECHOREQUEST, SSH/TELNET, FTP-CTRL, PASSIVEFTP, HTTP/HTTPS, DNS-TCP/DNS-UDP, NETBIOS-NS-TCP/UDP, NETBIOS-DGM-TCP/UDP, NETBIOS-SSN-TCP/UDP, POP3/IMAP/SMTP, NNTP
  Direction: Out; Zone: DMZ; Keep State: Yes
  Description: Permit outgoing traffic with common services.

OutBoundDMZBlockAll
  Action: Deny; Source: Any; Destination: Any; Service: Any
  Direction: Out; Zone: DMZ; Keep State: No
  Description: Deny the rest of the traffic.

Table 42: DMZ low security firewall rules

Rule Name Action Source D
Management zone security

The management interface connection can be configured to simplify network deployments and eliminate enterprise-network dependencies on switches or routers. The Management zone is a trusted network similar to the Private zone. Outgoing traffic is allowed, but incoming traffic is restricted: only traffic initiated by the security gateway is allowed. The high, medium, and low security rules are the same.
The CNA template can be combined with any other preconfigured firewall template security level: high, medium, low, or none.
Glossary

A

Aggressive mode
An IKE mechanism used in the first phase of establishing a security association. Aggressive mode accomplishes the same authentication negotiating goal between clients as Main mode, but faster (three packets versus six).

AH/ESP
In an IPSec packet, the Authentication Header (AH) and Encapsulation Security Payload (ESP) header. IKE VPNs authenticate IP packets using either an ESP header as defined in draft-ietf-ipsec-esp-v2-03.
Certificate Authority
A trusted company or organization that serves as a repository of digital certificates. Once a CA accepts your public key (with some other proof of identity), others can then request verification of your public key.

Issuer Certificates
Issuer Certificates also reside in the security gateway and are used to authenticate the other side.
Dynamic VPNs
Dynamic VPNs are VPNs that can be readily scaled as dictated by business demands. As the remote client user population grows, the authentication and session configuration information for each new user must necessarily also grow. By maintaining this information not in the security gateway’s flash memory but on a dedicated network host device, the number of users becomes unlimited. The two techniques normally used to achieve this are LDAP and RADIUS.
L

LAN
Local Area Network

LDAP
Lightweight Directory Access Protocol is a simplified version of the standard X.500 distributed directory model. LDAP specifies how a client accesses a directory server. LDAP has emerged as a favored protocol since it also handles key management with key and certificate storage.

Lifetime, Key
Payload key lifetime defines the extent to which a single set of cryptographic keys is used when applying VPN services to IP packets.
O

Oakley
A key exchange protocol used in IPSec as part of the Internet Key Exchange protocol.

P

Packet Filter
Hardware or software mechanism used in firewalls to discard packets based on the contents of the packet headers.

Perfect Forward Secrecy
Perfect Forward Secrecy defines a parameter of ISAKMP in which disclosure of long-term secret keying material does not compromise the secrecy of the exchanged keys from previous communications.
SKIP
Simple Key-Management for Internet Protocol. SKIP differs from ISAKMP in the area of negotiation. In SKIP, all of the security parameters are identified within each SKIP-secured packet in the form of a SKIP header. The cryptographic algorithms defining the VPN services in a SKIP VPN are predefined, instead of negotiated dynamically as in ISAKMP.