Version 7.00 Part No.
Copyright © 2008 Nortel Networks. All rights reserved. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
Nortel Networks Inc. software license agreement This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT.
Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license.
Contents (excerpt)
Preface, page 3
Before you begin, page 3
Text conventions, page 3
Acronyms
Configuration information, page 25
External LDAP key information, page 26
Changing from DES to 3DES, page 26
3DES external LDAP information, page 26
3DES external LDAP proxy information
External LDAP proxy, page 74
Configurable warning time for certificate expiration, page 74
VPN security using digital certificates, page 75
Setting up public key infrastructure (PKI), page 75
CA and X.509 certificates
4 Contents NN46110-600
Figures (excerpt)
Figure 1 Authenticating users, page 15
Figure 2 Authentication servers, page 19
Figure 4 Enable 3DES window, page 28
Figure 5 LDAP proxy server
Tables (excerpt)
Table 1 RADIUS class attributes, page 45
Table 2 RADIUS example details, page 46
Table 3 Syntax of attributes
Preface
This guide describes how to configure the Nortel VPN Router authentication services and digital certificates.

Before you begin
This guide is for network managers who are responsible for setting up and configuring the Nortel VPN Router. This guide assumes that you have experience with windowing systems or graphical user interfaces (GUIs) and familiarity with network management.

Text conventions
braces ({}) Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is ldap-server source {external | internal}, you must enter either ldap-server source external or ldap-server source internal, but not both.
brackets ([ ]) Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command.
separator ( > ) Shows menu paths. Example: Choose Status > Health Check.
vertical line ( | ) Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is terminal paging {off | on}, you enter either terminal paging off or terminal paging on, but not both.

Acronyms
UDP User Datagram Protocol
VPN virtual private network
WAN wide area network

Related publications
For more information about the Nortel VPN Router, refer to the following publications:
• Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds.
• Nortel VPN Router Using the Command Line Interface (NN46110-507) provides syntax, descriptions, and examples for the commands that you can use from the command line interface.
• Nortel VPN Router Configuration—Client (NN46110-306) provides information for setting up client software for the VPN Router.
• Nortel VPN Router Configuration—TunnelGuard (NN46110-307) provides information about configuring and using the TunnelGuard feature.

Latest documentation: Takes you directly to the Nortel page for VPN Client documentation located at: www130.nortelnetworks.com/cgi-bin/eserv/cs/main.jsp?cscat=DOCUMENTATION&resetFilter=1&poid=12325

Getting help from the Nortel Web site
The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products.

Getting help from a specialist by using an Express Routing Code
To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to: www.nortel.
New in this release
The following section details what is new in Nortel VPN Router Security — Servers, Authentication, and Certificates for Release 7.0.

LDAP 3DES password encryption
The VPN Router can store shared secrets that are encrypted with 3DES, but you must first enable the feature. You enable 3DES by selecting Servers > LDAP and clicking TripleDES. For more information about encryption of shared secrets, see “Encrypting with 3DES password” on page 27.

LDAP user configurable encryption key
In previous releases, passwords stored in LDAP were encrypted with the same encryption key across all VPN Routers.

RADIUS dynamic filtering
You can set up and manage policy filters in the Remote Authentication Dial-In User Service (RADIUS) server. If you use a RADIUS server to authenticate users, the VPN Router can retrieve those policy filters from the server. IPsec user tunnels are dynamically filtered based on attributes returned from the authenticating RADIUS server. The returned dynamic filters are then prepended to the filter of the group to which the user is bound.
Chapter 1 Authentication services
The remote user attempting to dial in to the VPN Router must be authenticated before gaining access to the corporate network. Authentication is one of the most important functions that the VPN Router provides because it identifies users and drives many other aspects of the user-centric functionality.

With user- and group-specific profiles, you can group common attributes while preserving the flexibility to make exceptions for individual users. The product features and network access that apply to a user are controlled by the user identity, rather than by the source IP address or another mechanism. This is necessary to support mobile users and users coming from other organizations.

LDAP
The Lightweight Directory Access Protocol (LDAP) emerged from the X.

The X.509 digital certificate authentication mechanism works with public key encryption to provide a level of assurance that users are who they say they are.

SSL and digital certificates
The Secure Socket Layer (SSL) protocol uses digital certificates to establish secure, authenticated connections between SSL clients and servers. The VPN Router uses a digital certificate sent from an SSL-capable LDAP server to authenticate that server.

The Certificate payload transports certificates or other certificate-related information through ISAKMP and can appear in any ISAKMP message. Certificate payloads are included in an exchange whenever an appropriate directory service (such as Secure DNS) is not available to distribute certificates. The VPN Router supports Microsoft native client (L2TP/IPsec) PKCS #7 termination in chained environments.

Figure 2 Authentication servers (diagram: the VPN Router's 10/100 LAN connects to the internal LDAP server, external LDAP servers 1 to 3, and RADIUS servers 1 to 3)

The user ID (UID) is checked against the LDAP profile database. If the UID is found in the LDAP database, the user is assigned to a group and acquires that group’s attributes. Next, the password is checked, and if it is correct, the VPN Router forms a tunnel.

RADIUS default group. You configure the IPsec Group ID in the Authentication section of the Profiles > Groups > Edit > Configure IPsec window. You configure the PPTP default group on the Servers > RADIUS Auth window, RADIUS Users Obtain Default Settings from the Group option.
Note: The group that the user is bound to must allow the authentication method that is used when the session is started.

Figure 3 Authentication server validation flowchart (flowchart: the request carries a UID or certificate, plus a group ID for IPsec; if the UID is found in LDAP and the password is correct, group attributes are assigned and the tunnel is formed, otherwise the request is rejected; certificate users are checked for a valid ISAKMP signature after the server certificate and ISAKMP signature are sent, and are assigned attributes from the CA default group when CA Allow All is enabled; a UID not found in LDAP is looked up in RADIUS; the rest of the flowchart was not recovered)
Chapter 2 Configuring servers
This chapter describes how to configure the following authentication servers for users who tunnel into the VPN Router:
• Internal LDAP server stores group and user profiles on the internal server of the VPN Router.
• External LDAP contains the contents of the internal LDAP server exported to a separate external LDAP server.
• LDAP proxy server authenticates users against an existing LDAP database separate from the VPN Router’s database.

All authentication options have the following:
• Diffie-Hellman key exchange (ISAKMP/Oakley Aggressive Mode) to build the security association (SA).
• User name and the password are never transmitted in the clear; a cryptographic hash function (SHA-1) is used to protect the user’s identity.
• Mutual authentication between the client and the VPN Router using a keyed hash algorithm (HMAC).
• Protection against authentication replay attacks through the use of session cookies.

The VPN Router centrally stores remote access profiles and corporate networking details such as the addressing mechanism in an LDAP server; for example, group attributes including hours of access, filters, and authentication servers. The VPN Router queries the LDAP server for access information when a user establishes a tunnel connection.

• The configuration and LDAP files to be restored must be ones that were saved before any user-defined keys were applied.

External LDAP key information
For authentication to work between all VPN Routers using the shared LDAP, the keys must match on all VPN Routers. To change the key, the VPN Router must be configured with the last saved key.
3DES external LDAP proxy information
If an external LDAP proxy is used, the VPN Router (which has its own internal LDAP file) does not touch or modify the external LDAP database. However, the VPN Router modifies the Bind Password that is attached to the Bind Name (under LDAP Proxy Servers).

Figure 4 Enable 3DES window
2 Click Enable TripleDES. The 3DES Confirmation window appears. When TripleDES is enabled, all passwords within the box are encrypted with 3DES, as are any passwords entered afterwards.
3 To confirm the 3DES encryption, click OK.

2 From the Encryption Key options, select Text Encryption Key or Hex Encryption Key.
3 In the Encryption Key dialog box, enter a character string or a hexadecimal value.
Note: The following is applicable only for Nortel VPN Router release 7.05.300 and above. When TripleDES LDAP Encryption is not enabled, the Encryption Key value that you enter is 8 bytes: 8 ASCII text characters or 16 hex characters.

LDAP optimization is a process that frees all unused memory blocks and removes LDAP data structures that have been marked deleted, making the LDAP database lookups faster and more efficient. The disadvantages of the LDAP optimization process are that it runs at the LDAP priority and is very CPU intensive. In environments with heavy traffic and very large LDAP databases, the optimization can cause timeouts and data drops.

To enable LDAP Optimization Scheduling on specific days of the week at a specific time, enter the following command:
ldap-server internal optimize specific-time time
where:
• days of week are the specific days for enabling LDAP Optimization Scheduling.
• hh:mm is the hour (00-24) and the minutes of the specific time.
2 To enable the internal LDAP server, click Switch to Internal Server. The internal server is disabled if you enable an external LDAP server.
3 Under General Configuration, click to remove the user’s fully qualified ID suffix from the UID before sending it to the RADIUS server. For example, in the user ID rcole@acme.com, rcole is the UID and acme.com is the suffix. Specify the character that separates the suffix from the UID.

Configuring LDAP proxy server authentication
The VPN Router supports authentication against an existing LDAP server rather than creating a second user database for use with the VPN Router. The server can reside on either a private or public network that is connected to the VPN Router.
Note: You must enable CSFW for the public interface to work with LDAP proxy server authentication.

General filter specification syntax:
• If no filter is specified, the resultant search is (uid=username).
• If a filter string is specified, the search is (&(uid=username)filterstring). For example, a filter value of (|(ou=engineering)(ou=finance)) creates a search that specifies uid=username and (ou=engineering or ou=finance): (&(uid=username)(|(ou=engineering)(ou=finance))).
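The two steps above (stripping the fully qualified ID suffix, then building the proxy search filter from the UID and an optional filter string) can be modelled in a few lines. The following is an added example, not code from Nortel or from the VPN Router; it assumes the separator character is configurable (default "@") and escapes the user-supplied UID according to RFC 4515 so that a client-chosen ID cannot change the shape of the search filter, which the page's syntax description does not cover.

```python
"""Added example (not Nortel's code): suffix stripping and LDAP proxy search
filter construction as described in the configuration steps above.
Assumptions: the suffix separator defaults to "@", and values are escaped
per RFC 4515 before being placed inside the filter."""

# RFC 4515 escape table for characters that have meaning inside a filter.
_FILTER_ESCAPES = {
    "\\": r"\5c",
    "*": r"\2a",
    "(": r"\28",
    ")": r"\29",
    "\x00": r"\00",
}


def strip_suffix(user_id: str, separator: str = "@") -> str:
    """Remove the fully qualified ID suffix: rcole@acme.com -> rcole.

    Only the first occurrence of the separator counts, so an ID containing
    the separator more than once still yields the part before the first one."""
    head, sep, _tail = user_id.partition(separator)
    return head if sep else user_id


def escape_filter_value(value: str) -> str:
    """Escape a value for use inside an LDAP search filter (RFC 4515)."""
    return "".join(_FILTER_ESCAPES.get(ch, ch) for ch in value)


def build_search_filter(username: str, filter_string: str = "") -> str:
    """Return the search the guide describes:

    - no filter configured:  (uid=username)
    - filter configured:     (&(uid=username)filterstring)

    The administrator-supplied filter string is trusted configuration and
    is inserted as-is (after a shape check); the username is escaped because
    it arrives from the client."""
    uid_term = f"(uid={escape_filter_value(username)})"
    filter_string = filter_string.strip()
    if not filter_string:
        return uid_term
    if not (filter_string.startswith("(") and filter_string.endswith(")")):
        raise ValueError("filter string must be a parenthesised LDAP filter")
    return f"(&{uid_term}{filter_string})"


def filter_for_login(login: str, filter_string: str = "", separator: str = "@") -> str:
    """Both steps in one call: strip the suffix, then build the filter."""
    return build_search_filter(strip_suffix(login, separator), filter_string)


if __name__ == "__main__":
    print(filter_for_login("rcole@acme.com"))
    print(filter_for_login("rcole@acme.com", "(|(ou=engineering)(ou=finance))"))
    # A client-supplied ID containing filter metacharacters stays a literal value.
    print(filter_for_login("rcole)(uid=*", "(ou=finance)"))
```

The last call shows why the escaping matters: without it, the parentheses and wildcard in the ID would become part of the filter structure instead of part of the value being matched.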
b In the Connection section, enter the port number (default 389) and the associated SSL port number (default 636) that your LDAP server listens to queries on.
c Enter the bind distinguished name (DN), which is the LDAP equivalent of a user ID and is required to access the base DN and its subentries. Leave this field blank if your LDAP server allows anonymous access.
d Enter the bind password, which can consist of up to 32 characters.

9 Select Profiles > Groups Edit > Edit IPsec. In the Authentication area, click Configure. Enter the Group ID, the Group Password, and confirm the group password. You cannot have the same group ID and user ID. Consider using the LDAP group name as the default group, because you must remember a default name once you enter it.
Note: The Start/Stop option disappears when you restore the LDAP database.
Figure 6 LDAP proxy user authentication

LDAP V3-compliant LDAP server
LDAP controls are an extension of the LDAP protocol in LDAP/V3. They pass extended information with LDAP requests and responses. Netscape Directory Server 3.0 and higher use LDAP controls to return password information within bind responses. This information determines if the user's password is expiring or already expired.

LDAP server without LDAP control support
LDAP V2 servers typically require clients to bind before any operations are performed. This enhancement uses simple authentication when binding to an LDAP server to authenticate the user. The server then returns a bind response to the client indicating the status of the session setup request. The bind response contains the result along with the string representation of the error message.

Figure 7 LDAP Proxy Server password management
3 Select the server type from the list. The choices are:
• Not Specified
• IBM RACF Server
• Netscape Directory
• Novell eDirectory
• Microsoft Active Directory
4 Enter the password timestamp attribute. This field can hold case-insensitive character strings. The default value for each field is blank. Authentication fails if there is no specified value.
5 Enter the password life time in days.
6 Click OK.

Monitoring LDAP servers
If the VPN Router cannot reach the LDAP proxy server, it still operates and passes traffic. However, it does not authenticate users whose information exists in a third-party directory. The VPN Router simply pings the LDAP proxy servers every few minutes to check their status. If it receives an ICMP reply, the LDAP proxy server is considered available and connection attempts are made to it. This is similar to the way the VPN Router monitors RADIUS servers.
Once the primary external LDAP server is initialized, the VPN Router issues an ICMP echo request to all secondary server IP addresses and follows the previous procedure for each secondary server. Because the VPN Router assumes only read/write access to the primary external LDAP server, it does not configure any secondary server directories for VPN Router directory storage.

The VPN Router acts as a RADIUS accounting client to external RADIUS accounting servers. You enable accounting on the Servers > RADIUS Acct window. External accounting servers are located on either public or private networks. The packet flow is from the IP address/port that you configure on the Servers > RADIUS Acct > External RADIUS Accounting Server > Interface window to external servers and back.

• MS-CHAP is available for PPTP tunnel users only (it is not applicable to IPsec tunneling applications). If you are using token cards for authentication, you must select the appropriate technologies (SecurID). For example, the SecurID passcode is the PIN plus the token code.
Note: The UID and password are never passed in the clear for an IPsec client, either from the remote client or from the VPN Router communicating with the RADIUS server.

1 Set up and test the operation of the RADIUS server with ACE and/or Defender servers, depending on the type of token security you want. Do this before attempting authentication by an IPsec client to verify that everything on this side of the network is operating properly.
2 Identify and create the groups for authenticating token users, and supply the group ID and password to all users using either token card or group password authentication.

Figure 8 RADIUS authentication class attribute values (diagram: a group tree rooted at c=US; the Base Group is ou=My Company, c=US; beneath it are ou=Research and Development, ou=My Company, c=US and ou=Finance, ou=My Company, c=US; beneath Research and Development is the New Products Group, ou=New Products, ou=Research and Development, ou=My Company, c=US; the Accounts Receivable, Support Group, and CAD Group nodes appear without their DNs)

The VPN Router supports RADIUS-supplied attributes, such as IP address and MPPE key and additional specific attributes, if they are returned from a RAD

Table 1 RADIUS class attributes (continued)
Name | Value format | Function
Filter-ID | filter name | If defined, this filter name is applied to the tunnel session.
DNS | domain server name | If used, the domain name system server name.
NBNS | protocol name | NetBIOS protocol; an internet naming service. If used, translates the NetBIOS Windows domain name to the IP address.

Table 2 shows sample details that you enter into your RADIUS server.
Configuring IPsec authentication
The following procedures describe how to configure the VPN Router to interoperate with a RADIUS server while using either IPsec or PPTP.
To configure IPsec and RADIUS:
1 Select Servers > RADIUS Auth and click Enable Access to RADIUS Authentication.
a Click Remove Suffix from User ID to remove the fully qualified ID suffix from the UID before sending it to the RADIUS server.

event that the primary server is unreachable, the VPN Router queries the first and second alternate RADIUS servers.
a Enter either the Host Name or IP Address of the servers. For example, finance.mycompany.com or 145.22.120.111. You can also use simple names (for example, finance) if your VPN Router has a configured DNS server. For Primary, enter the primary RADIUS server host name (required if RADIUS is enabled).

The VPN Router can store all passwords encrypted with 3DES, but you must first enable the feature. To enable 3DES, select Servers > LDAP and click Enable TripleDES. When you enable TripleDES, all passwords within the box are encrypted with 3DES, as are any passwords entered afterwards. You can also change the existing encryption key by enabling TripleDES and, in the Encryption Key dialog box, entering an 8-byte character string or hexadecimal value.

5 In the Maximum Transmit Attempts, enter the number of times that you want the VPN Router to try to connect to the RADIUS servers before failing. By default, the VPN Router tries three times.
6 Click the RADIUS Diagnostic Report link to check that your RADIUS Authentication configuration is correct. This report compares the settings on the RADIUS Authentication window to the corresponding settings on other VPN Router configuration windows.

3 Select one of the group authentication options.
4 Click OK.

Configuring RADIUS dynamic filters
The Nortel VPN Router offers several methods to control network access for authenticated users. One such mechanism is the tunnel filter. Tunnel filters are applied at the group level and control access to network resources as well as management access to the VPN Router. When a user is authenticated, they are assigned to a group.

• Attribute—1 (AV Pair)
The supported syntax is:
[Prefix] [Action] [Protocol] [Source] [Source Wildcard Mask] [Destination] [Destination Wildcard Mask] [Operator] [Port]
The following table describes the syntax of the attributes.

Table 3 Syntax of attributes
Section | Description
Prefix | ip:inacl#Num= or ip:outacl#Num=, where "Num" is replaced with a number specifying the order in the list. Inacl and outacl are the only two AV pair types supported.

The following example specifies that all IP traffic is allowed inbound from any address to 10.10.1.2 and all IP traffic is allowed outbound.
    ip:inacl#1=permit ip 0.0.0.0 255.255.255.255 host 10.10.1.2
    ip:outacl#1=permit ip any any

To configure RADIUS dynamic filters with the CLI, enter the following commands:
    CES>enable
    Password:
    CES#config t
    Enter configuration commands, one per line. End with Ctrl/z.
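The attributes described in this chapter (the Class attribute selecting a group, Filter-ID, and the ip:inacl#Num= / ip:outacl#Num= AV pairs that are prepended to the group filter) can be turned into a session's effective filter list with a small parser. The following is an added example, not Nortel's code: it assumes the RADIUS reply has already been decoded into (name, value) pairs, names the AV pair attribute "AV-Pair" for illustration, keys groups by the Class attribute DN, and orders dynamic rules by their Num within each direction (an assumption; the page only says they precede the group filter). It also rejects malformed AV pairs rather than silently installing them, which the page's syntax table does not discuss.

```python
"""Added example (not Nortel's code): parse RADIUS reply attributes into a
session's group binding and effective filter list. Assumptions: attributes
are (name, value) pairs, the AV pair attribute is called "AV-Pair" here,
groups are keyed by the Class DN, and each group's filter is a list of
rule strings in the same "<direction>: <rule>" form used for dynamic rules."""
import re
from dataclasses import dataclass, field
from typing import List, Optional, Sequence, Tuple

# ip:inacl#<Num>=<rule> or ip:outacl#<Num>=<rule>, the Prefix form of Table 3.
_AV_PAIR = re.compile(r"^ip:(inacl|outacl)#(\d+)=(.+)$")
_ACTIONS = {"permit", "deny"}
_OPERATORS = {"eq", "neq", "lt", "gt", "range"}


@dataclass
class DynamicFilter:
    direction: str            # "inacl" (inbound) or "outacl" (outbound)
    order: int                # Num from the prefix; position within the list
    action: str
    protocol: str
    source: str               # "any" or "address/wildcard-mask"
    destination: str
    port: Optional[str]       # e.g. "eq 80"; None when no operator was given
    rule: str                 # the rule text after "="


def _endpoint(tokens: List[str], i: int) -> Tuple[str, int]:
    """Read 'any', 'host A.B.C.D' or 'A.B.C.D WILDCARD' starting at tokens[i]."""
    if tokens[i] == "any":
        return "any", i + 1
    if tokens[i] == "host":
        return f"{tokens[i + 1]}/0.0.0.0", i + 2
    return f"{tokens[i]}/{tokens[i + 1]}", i + 2


def parse_av_pair(value: str) -> DynamicFilter:
    """Parse one AV pair; raise ValueError for anything outside the syntax."""
    m = _AV_PAIR.match(value.strip())
    if not m:
        raise ValueError(f"not an ip:inacl/ip:outacl AV pair: {value!r}")
    direction, order, rule = m.group(1), int(m.group(2)), m.group(3).strip()
    tokens = rule.split()
    if len(tokens) < 4 or tokens[0] not in _ACTIONS:
        raise ValueError(f"malformed rule: {rule!r}")
    try:
        source, i = _endpoint(tokens, 2)
        destination, i = _endpoint(tokens, i)
    except IndexError:
        raise ValueError(f"incomplete address in rule: {rule!r}") from None
    port = None
    if i < len(tokens):
        if tokens[i] not in _OPERATORS:
            raise ValueError(f"unknown operator {tokens[i]!r} in rule: {rule!r}")
        port = " ".join(tokens[i:])
    return DynamicFilter(direction, order, tokens[0], tokens[1], source, destination, port, rule)


@dataclass
class Session:
    group: str
    filter_id: Optional[str] = None
    dynamic: List[DynamicFilter] = field(default_factory=list)
    effective_filter: List[str] = field(default_factory=list)


def apply_radius_attributes(attrs: Sequence[Tuple[str, str]], groups: dict, default_group: str) -> Session:
    """Bind the user to a group and build the filter list.

    A Class attribute naming a known group selects it; otherwise the user
    lands in the default group. Dynamic filters are sorted (inbound first,
    then by Num; an assumption) and prepended to the group's own filter."""
    if default_group not in groups:
        raise KeyError(f"default group {default_group!r} is not defined")
    session = Session(group=default_group)
    for name, value in attrs:
        if name == "Class" and value in groups:
            session.group = value
        elif name == "Filter-ID":
            session.filter_id = value
        elif name == "AV-Pair":
            session.dynamic.append(parse_av_pair(value))
    session.dynamic.sort(key=lambda f: (f.direction != "inacl", f.order))
    session.effective_filter = [f"{f.direction}: {f.rule}" for f in session.dynamic]
    session.effective_filter += list(groups[session.group]["filter"])
    return session


# Constructed sample data; not taken from any real deployment.
GROUPS = {
    "ou=Finance,ou=My Company,c=US": {"filter": ["inacl: deny ip any any"]},
    "base": {"filter": ["inacl: permit ip any any"]},
}
SAMPLE_REPLY = [
    ("Class", "ou=Finance,ou=My Company,c=US"),
    ("AV-Pair", "ip:outacl#1=permit ip any any"),
    ("AV-Pair", "ip:inacl#1=permit ip 0.0.0.0 255.255.255.255 host 10.10.1.2"),
]

if __name__ == "__main__":
    s = apply_radius_attributes(SAMPLE_REPLY, GROUPS, "base")
    print(s.group)
    for line in s.effective_filter:
        print(line)
```

Run stand-alone, the block prints the Finance group DN followed by the two dynamic rules and then the group's own rule, which is the precedence the "New in this release" section describes.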
If a valid class attribute is not returned, then PPTP users are placed in the default group as configured on the Servers > RADIUS Auth window.
Note: Everything about the authentication type must match; for example, if you send an encrypted password, then MS-CHAP must be enabled on the RADIUS authentication window and the RADIUS server must support MS-CHAP.

Group-level RADIUS authentication works only with clients that use a group ID and password. This excludes all non-IPsec client implementations. You must use the group ID and group password to configure each client in the group for group authentication.
Note: There are no separate group levels of authentication on a RADIUS configuration for the firewall user authentication (FWUA) users.

the local disk. In the event of a system crash, upon reinitialization the VPN Router translates the journal file into a series of stop records on a per-session basis. This minimizes accounting data loss. A low interval creates system overhead and requires additional processing. The default interval is 00:10:00 (10 minutes).
4 In Remove Accounting Files, enter the number of days before the files are removed.

Configuring DHCP servers
Dynamic Host Configuration Protocol (DHCP) dynamically assigns IP addresses to clients and provides centralized network administration. When a DHCP client requests an IP address, a DHCP server grants the client exclusive use of an assigned IP address for a specified period of time.

4 Click Add in the Standard Options section to access the Add Option window. The standard options section shows the current status of any added options and lets you add new options:
• Select the desired options from the list.
• Select the desired Type from the list.
• Enter the appropriate value.
5 In the Pool section, click Add to add a pool.
6 In the Add Pool window:
a Enter the base IP address for the pool.
b Enter the subnet mask for the pool.

13 On the Host window:
a Enter the host name that is registered with DNS.
b Enter the IP address that you always want to reserve.
c Enter the Ethernet (MAC) address.
d Click OK.
14 The server does not implement configuration changes until it is restarted. Return to Server > DHCP and click Restart Server to restart the DHCP server.
15 To verify the configuration changes, select Status > Health Check or click DHCP Stats on the Status > Statistics window.

Use the Remote User IP Address Pool window to select a method for users to obtain IP addresses to access the private network. The VPN Router services these addresses and they are available to remote users on demand. You can choose IP addresses assigned from one of the following:
• external Dynamic Host Configuration Protocol (DHCP) pool
• internal address pool
A DHCP server on the private LAN segment dynamically assigns IP addresses on behalf of remote users.

provides information on the associated servers. Configuring a Secondary or Tertiary server is optional.
6 Enter the DHCP Cache Size. This is the number of IP addresses that is held in the VPN Router cache. The minimum number of IP addresses held is one (1), and the maximum is derived from the maximum number of tunnel sessions that the VPN Router supports.

Select Profiles > Groups > Edit > Connectivity and click the Address Pool Name list to select the address pools used by remote users to access the VPN Router. The list shows all pools that are defined on the VPN Router. Optionally, select New to define a new pool and enter the name of the pool. The default for this option is Default.
6 Click OK to save the entries for the IP address pool and return to the Remote User IP Address Pool window.

To add a DHCP relay interface:
1 Select Servers > DHCP Relay and click Add.
2 Select a Physical Interface from the list.
3 For the state, select either Enabled or Disabled.
4 For the DHCP Server, enter the IP address and then click Enabled for Helper 1, Helper 2, and/or Helper 3.
5 Click OK.
To view DHCP Relay statistics:
1 Select DHCP Relay.
2 Click Statistics.
Figure 9 SSL administration
SSL/TLS uses TCP port 443 for secure HTTP communication. Interface and tunnel filters govern HTTPS packets destined for the management IP address. If you enable tunnel filters, HTTPS must be allowed for SSL management through a VPN tunnel. The Stateful Firewall applies only to HTTPS traffic routed through the device, not to the management IP address.

• (RSA_EXPORT_WITH_DES40_CBC_SHA, 0x08)
To use SSL Administration, you must:
• Enable HTTPS services for the public and/or private interface on the Services > Available window.
• Explicitly allow HTTPS if tunnel filters are enabled on the Profiles > Filters window for management through a VPN tunnel.
• Install a valid server certificate on the VPN Router and apply it to the SSL/TLS services to authenticate and validate SSL connections.

— File extension: cacert
— MIME Type: application/x-x509-ca-cert
— Application to use: netscape.exe
e Click OK to complete the Netscape configuration.
f Save the base64 format root CA certificate onto a file with extension .cacert.
g Select File > Open Page and open the file. Netscape Communicator guides you to install the CA certificate.

Figure 10 HTTPS services
2 Select Services > SSLTLS, check the necessary ciphers, and select a digital server certificate (for example, CN=ces1, O=MyOrg, C=US). Figure 11 shows the SSLTLS window with selected ciphers.
3 Click Advanced Options and check the box if you do not want empty fragments inserted for CBC ciphers.
4 Click Apply.

Figure 11 Select ciphers
5 Verify that SSL is enabled on the Web browser of the management PC. To test the SSL administration feature, direct an SSL-enabled Web browser to the private interface of the VPN Router. To use this service from the public side of the VPN Router, you must direct your browser to the public IP address.

Configuring DNS servers
The Domain Name Service (DNS) maps host names to IP addresses.
Companies often set up their own domain name system internally, and leave it to the ISP to handle all external DNS. These companies have their own DNS servers, but use the external DNS servers for non-company names. This splits the DNS names into two separate systems: the private, company-controlled DNS names and the Internet DNS names.

3 Enable Split DNS if you have a split name space.
4 For Primary, enter the DNS server IP address that the DNS proxy tries to contact first.
5 For Second Server, enter an IP address for the second DNS server. If the Primary DNS server does not respond in a few seconds, service is requested of the second DNS server.
6 For Third Server, enter an IP address for the third DNS server.
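The split name space and the Primary / Second / Third server order described above can be modelled as two decisions: which server list a name belongs to, and how far down that list a query falls when a server does not answer. The following is an added example, not Nortel's code or a description of the VPN Router's resolver: it assumes the private name space is a configured list of domain suffixes, that each server list is ordered primary first, and that the query callback raises TimeoutError when a server does not answer within the timeout. The zone match is label-aligned, so a name such as notacme.example is not treated as part of acme.example.

```python
"""Added example (not Nortel's code): split-DNS forwarding with
primary/second/third failover. Assumptions: private zones are domain
suffixes, server lists are ordered primary first, and query() raises
TimeoutError when a server does not answer."""
from typing import Callable, List, Optional, Sequence, Tuple


def _in_zone(qname: str, zone: str) -> bool:
    """True if qname is the zone itself or a subdomain of it (label-aligned)."""
    q = qname.rstrip(".").lower()
    z = zone.rstrip(".").lower()
    return q == z or q.endswith("." + z)


def choose_servers(qname: str, private_zones: Sequence[str],
                   internal: Sequence[str], external: Sequence[str]) -> List[str]:
    """Split DNS: company names go to the internal servers, everything else
    to the external (ISP) servers."""
    if any(_in_zone(qname, z) for z in private_zones):
        return list(internal)
    return list(external)


def resolve_with_failover(qname: str, servers: Sequence[str],
                          query: Callable[[str, str, float], Optional[str]],
                          timeout: float = 3.0) -> Tuple[Optional[str], str]:
    """Ask each server in order; move to the next only on timeout.
    Returns (answer, server that answered) or raises if none answered."""
    last_error: Optional[BaseException] = None
    for server in servers:
        try:
            return query(server, qname, timeout), server
        except TimeoutError as exc:
            last_error = exc
    raise TimeoutError(f"no DNS server answered for {qname}") from last_error


def resolve(qname: str, private_zones: Sequence[str], internal: Sequence[str],
            external: Sequence[str], query, timeout: float = 3.0):
    servers = choose_servers(qname, private_zones, internal, external)
    return resolve_with_failover(qname, servers, query, timeout)


# Constructed stand-in for real DNS traffic: a tiny in-memory zone table
# and one internal server that never answers, so failover is exercised.
INTERNAL = ["10.0.0.53", "10.0.0.54"]
EXTERNAL = ["192.0.2.1", "192.0.2.2", "192.0.2.3"]
PRIVATE_ZONES = ["acme.example"]
_FAKE_ANSWERS = {
    ("10.0.0.54", "intranet.acme.example"): "10.1.2.3",
    ("192.0.2.1", "www.example.net"): "198.51.100.7",
}
_DOWN = {"10.0.0.53"}


def fake_query(server: str, qname: str, timeout: float) -> Optional[str]:
    """Simulated query: a down server times out; others answer or return None."""
    if server in _DOWN:
        raise TimeoutError(server)
    return _FAKE_ANSWERS.get((server, qname))


if __name__ == "__main__":
    for name in ("intranet.acme.example", "www.example.net", "notacme.example"):
        print(name, resolve(name, PRIVATE_ZONES, INTERNAL, EXTERNAL, fake_query))
```

Note that a server returning "no such name" counts as an answer and stops the walk down the list; only silence moves the query to the next server, which matches the "does not respond in a few seconds" condition in step 5.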
71 Chapter 3 Using certificates Digital certificates bind an entity’s public encryption or signing key to its identity, and verify that identity with a trusted third party (the certification authority). You use digital certificates for authenticating both LDAP and VPN connections. LDAP server SSL encryption Secure socket layer (SSL) provides Internet security and privacy and ensures privacy between the VPN Router and the external LDAP server.
Installing LDAP certificates
The LDAP connection between the VPN Router and the directory server is authenticated asymmetrically. Initially, a one-way authenticated SSL connection is established when the directory server passes its certificate to the VPN Router. After SSL authentication is established, the VPN Router authenticates itself to the directory server by presenting its LDAP bind DN and password.
It is not necessary to enable the special character support if the certificate subject DN does not contain special characters such as comma (,), quotes (") or backslash (\) as valid characters.
Note: You may need to update the LDAP to use this feature if you upgraded from an older version and the certificate subject DN already contains special characters. Contact Nortel technical support for details on updating the LDAP.
External LDAP proxy
External LDAP proxy supports the mapping of the following certificate subject DN attributes to defined LDAP attributes:
• User cert Common Name attribute
• User cert e-mail address attribute
• User cert serial number attribute
• User cert uid attribute
• Subject Alternative Name attribute
The advanced setup includes flexible mapping. The basic setup is the default on upgrade.
VPN security using digital certificates
You can use X.509 certificates to authenticate IPsec tunnels and L2TP/IPsec tunnels. The VPN Router supports RSA digital signature authentication for the IPsec IKE key management protocol. Remote users can authenticate themselves to the VPN Router using a public key pair and a certificate as credentials. The VPN Router uses its own key pair and certificate to authenticate the VPN Router to the user.
Generating a server certificate request
Consult the CA user documentation for instructions on generating reference numbers and authorization codes, as well as general CA administration information. When you use Entrust CA generated certificates with your VPN Router:
• Both Entrust Web certificates and Entrust Enterprise certificates work properly when you use HTTP-based cut and paste operations.
Installing server certificates using CMP
You use the Certificate Management Protocol (CMP) to create a CMP-compliant certificate request. CMP targets management functions for the entire certificate or key life cycle: enrollment, renewal, recovery, and revocation. It defines message formats and includes its own message protection. The CA is located on the private network if it has a publicly accessible IP address. Figure 13 shows a CMP environment.
To enter this information:
1 Select System > Certificates.
2 Click Certificate Management Protocol (CMP). The Certificate Request: CMP window displays the status of any outstanding requests and the fields to fill in for a new request.
3 For a new request, enter the reference number provided by the CA.
4 Enter the Authorization code supplied by the CA.
c Enter the organization associated with the VPN Router.
d Enter the locality where the VPN Router resides.
e Enter the state or province where the VPN Router resides.
f Enter the country where the VPN Router resides.
11 Click Apply.
12 On the System > Certificates > Certificate Generation window, select Details. This displays information from the certificate enrollment process, including the addresses used for key update, key recovery, and revocation.
5 Click OK. The Installed Tunnel Certificates table displays the certificate entry.
6 Enable Allow All, if desired.
7 Click OK.
You now have the CA certificate against which remote users can authenticate. Repeat this operation if multiple CAs are issuing user certificates. Optionally, you can configure a CRL distribution point to enable revocation checking of client certificates.
The System > Certificate Details window provides the following certificate details:
• This Certificate Belongs To shows the certificate owner's X.500 distinguished name.
• This Certificate Was Issued By shows the issuer of the certificate (the Certificate Authority). In addition to the main attributes, this field also shows the issuer's certificate serial number.
Trusted CA certificate settings
To authenticate incoming tunnel requests, you must associate every CA certificate with a group. The group assignment of incoming tunnel requests is accomplished either by finding the user provisioned in the VPN Router's directory (internal or external), or by allowing all users issued by a particular CA to gain access.
You must enable the Allow All feature for each CA certificate against which you want to permit authentication without an explicit user entry. This allows anyone with a valid certificate from that particular CA to establish a tunnel connection. You must also associate a default group with that certificate. A client authenticating through the Allow All feature then uses the attributes associated with that group.
Group and certificate association configuration
This feature provides finer control for associating a certificate with a group for IPsec tunnel connections. For each Certificate Authority, you can set up a lookup table between the certificate subject DN and a VPN Router group. When a new tunnel using the certificate is authenticated, the VPN Router uses the certificate's subject DN to look up the group in the table.
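An added example (not Nortel's code) covering two points from this chapter: parsing a subject DN whose values contain the special characters noted earlier (comma, quotes, backslash), and the subject DN to group lookup with the CA's Allow All default group as fallback. The DNs, group names and tables are constructed.

```python
from typing import Dict, List, Optional, Tuple

def parse_dn(dn: str) -> List[Tuple[str, str]]:
    """Split a subject DN into (type, value) pairs. A backslash escapes the next
    character and double quotes protect a value, so a comma inside a CN such as
    CN=Smith\\, Bob does not start a new RDN."""
    rdns: List[Tuple[str, str]] = []
    attr, buf, in_quotes, i = None, [], False, 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):      # escaped comma, quote or backslash
            buf.append(dn[i + 1])
            i += 2
            continue
        if ch == '"':
            in_quotes = not in_quotes
        elif ch == "=" and attr is None and not in_quotes:
            attr = "".join(buf).strip().lower()
            buf = []
        elif ch == "," and not in_quotes:
            rdns.append((attr or "", "".join(buf).strip()))
            attr, buf = None, []
        else:
            buf.append(ch)
        i += 1
    rdns.append((attr or "", "".join(buf).strip()))
    return rdns

def normalize_dn(dn: str) -> str:
    """Canonical form used as the lookup key: lower-case, no insignificant spaces."""
    return ",".join(f"{t}={v.lower()}" for t, v in parse_dn(dn))

# Constructed lookup tables standing in for the VPN Router's configuration.
GROUP_TABLE: Dict[str, str] = {                       # subject DN -> group
    normalize_dn("CN=Alice Example, OU=Engineering, O=MyOrg, C=US"): "/Base/Engineering",
    normalize_dn("CN=Smith\\, Bob, OU=Sales, O=MyOrg, C=US"): "/Base/Sales",
}
ALLOW_ALL_DEFAULT_GROUP: Dict[str, str] = {           # issuer DN -> default group
    normalize_dn("CN=MyOrg Issuing CA, O=MyOrg, C=US"): "/Base",
}

def lookup_group(subject_dn: str, issuer_dn: str) -> Optional[str]:
    """An explicit subject DN entry wins; otherwise the issuing CA's Allow All
    default group applies; None means no group, so the tunnel is refused."""
    group = GROUP_TABLE.get(normalize_dn(subject_dn))
    if group is None:
        group = ALLOW_ALL_DEFAULT_GROUP.get(normalize_dn(issuer_dn))
    return group
```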
Figure 14 CA Key Update ready for authentication
Prior to a key update, the original CA certificate (which is a self-signed root certificate in the diagram above) is pushed out to the directory by the CA, along with the CRL it produced (a list of revoked certificates, digitally signed by the CA certificate). Both the VPN Router and the user's PC have certificates signed by that CA, as well as the self-signed CA certificate itself.
There are no user tunnel or VPN Router server authentication issues at this point, because the certificates presented by the VPN Router and the user are signed by the original CA, and both parties have that CA certificate stored locally for authentication.
The VPN Router can optionally use CRLs to verify the revocation status of user certificates. If enabled on the VPN Router, CRLs are periodically retrieved from the CA's LDAP directory store and cached in the VPN Router's associated LDAP database. This allows for rapid verification of user certificates during IPsec tunnel establishment. You can configure the frequency with which the VPN Router checks for a new CRL.
• CRL Checking Mandatory determines whether a CRL must be present when an IPsec tunnel is established to a particular CA. If this is selected, the VPN Router must have a CRL present for tunnel connections to succeed. If this is not selected, the VPN Router allows certificate-authenticated tunnels when no CRL is present.
To configure the CRL Update Specific Time for specific days and a specific time with the CLI, use the following command:
crl update specific-time time
where time is hh:mm, the hour (0 to 24) and minutes at which to apply the CRL Update.
90 Chapter 3 Using certificates configured CRL servers for the CA that you can edit or delete. You can configure and add a new CRL server in the New CRL Server section. 2 In the Search Base field, enter the portion of the X.500 directory where the CA stores certificate revocation lists. The following is a sample search base entry: ou=Engineering, o=Nortel, c=US 3 In the host field, enter the host name or IP address of the LDAP-accessible directory server that is storing the published CRLs.
Figure 15 CRL distribution points
A tunnel is established more quickly if you authenticate only against the CRL specified in the certificate's CDP (CRL distribution point). When you present a certificate for verification, the CDP is read from your certificate. Using that CDP, a filter for the LDAP query is built so that only CRL records matching your CDP are retrieved. That way you are authenticated against one CRL instead of all available CRLs.
CRL retrieval
All CRL records are retrieved periodically; CRL records are updated at a configured interval. Each CRL record has a next update time that determines whether the CRL record is stale. If the CRL record is stale, it is refreshed from the CA's LDAP directory.
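The CRL cache behaviour from the preceding passages, as an added example that is not Nortel's code: CRL records are looked up by the certificate's CDP, a record is refreshed only when its next update time has passed, and a missing CRL is rejected or allowed according to the CRL Checking Mandatory setting. The clock, CDP URL and revoked serial are constructed, and a callback stands in for the LDAP retrieval.

```python
from datetime import datetime, timedelta, timezone
from typing import Callable, Dict, List, Optional, Set, Tuple

class CrlRecord:
    """One cached CRL: the serial numbers it revokes and its next update time."""
    def __init__(self, cdp: str, revoked: Set[int], next_update: datetime) -> None:
        self.cdp, self.revoked, self.next_update = cdp, revoked, next_update

    def is_stale(self, now: datetime) -> bool:
        return now >= self.next_update

class CrlCache:
    """Models the VPN Router's cached CRLs, keyed by the CDP named in the certificate."""
    def __init__(self, fetch: Callable[[str], Optional[CrlRecord]], mandatory: bool) -> None:
        self.fetch = fetch          # retrieves one CRL for a CDP, like the LDAP query
        self.mandatory = mandatory  # the CRL Checking Mandatory setting
        self.records: Dict[str, CrlRecord] = {}

    def get(self, cdp: str, now: datetime) -> Optional[CrlRecord]:
        rec = self.records.get(cdp)
        if rec is None or rec.is_stale(now):   # only missing or stale CRLs are fetched
            rec = self.fetch(cdp)
            if rec is None:
                self.records.pop(cdp, None)    # a stale CRL that cannot be refreshed is dropped
            else:
                self.records[cdp] = rec
        return rec

    def decide(self, serial: int, cdp: str, now: datetime) -> str:
        """With no CRL present, reject only if CRL checking is mandatory."""
        rec = self.get(cdp, now)
        if rec is None:
            return "reject" if self.mandatory else "allow"
        return "reject" if serial in rec.revoked else "allow"

# Constructed fixtures: a clock, one published CRL and a fetch log for the checks.
T0 = datetime(2008, 6, 1, 12, 0, tzinfo=timezone.utc)
CDP = "ldap://dir.example.test/cn=MyOrg CA,o=MyOrg,c=US?certificateRevocationList"

def build_demo(mandatory: bool) -> Tuple[CrlCache, List[str]]:
    fetch_log: List[str] = []
    published = {CDP: CrlRecord(CDP, {1001}, T0 + timedelta(hours=1))}
    def fetch(cdp: str) -> Optional[CrlRecord]:
        fetch_log.append(cdp)                  # each call stands for one LDAP retrieval
        return published.get(cdp)
    return CrlCache(fetch, mandatory), fetch_log
```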
4 Enter the password for the UID, then confirm the password to verify that you entered it correctly. If you selected a variation of MS-CHAP V2 authentication, no password is required for the local UID.
Identifying individual users with certificates
An alternative to allowing all users issued by a particular CA to gain access to the VPN Router is to identify users explicitly by certificate attributes.
Identifying branch offices with certificates
You use the Authentication section of the Profiles > Branch Office > Edit Connection window to configure the authentication between the local and remote branch office VPN Routers. The fields that appear in this window depend on whether you are using an IPsec, PPTP, or L2TP tunnel type. Select the authentication method that you want to use for the branch office connection from the list.
configured on the System > Certificates: Generate Certificate Request window.
5 If you use a distinguished name to identify the remote branch office site, you can enter the DN as either a relative distinguished name or a full distinguished name. The DN entered here must exactly match the DN in the remote peer's certificate.
Note: Do not include the attribute type as part of your entries in the Relative section.
L2TP/IPsec authentication
In the Authentication section, complete the following information:
1 Under Local UID, enter the user ID of the local VPN Router that you are configuring.
2 Under Peer UID, enter the user ID of the remote VPN Router that you are configuring.
3 Enter the password for the local UID, then confirm the password to verify that you entered it correctly. If you selected a variation of MS-CHAP V2 authentication, no password is required for the Local UID.