
Nortel VPN Router Configuration - Basic Features, Version 7.00
Part No. NN46110-500 (311642-M Rev 01), February 2007, Document status: Standard
Nortel Networks, 600 Technology Park Drive, Billerica, MA 01821-4130
100 Chapter 5 Configuring the system
Configuring multinetting using the CLI. Table 8 shows the command syntax for configuring multinetting using the CLI.
Chapter 5 Configuring the system 101
Table 9 displays the command syntax for configuring OSPF. Table 9 Configuring OSPF over a secondary address: Command
102 Chapter 5 Configuring the system
Table 9 Configuring OSPF over a secondary address (continued). Command description / Command syntax: Set the OSPF priority on a secon
Chapter 5 Configuring the system 103
Table 10 Configuring RIP over a secondary address. Command description / Command syntax: Disable importing of default ro
104 Chapter 5 Configuring the system
The MSS should be 40 bytes less than the largest packet the implementation can reassemble (the 40 bytes cover a 20-byte IPv4 header plus a 20-byte TCP header without options). 5 Interface filter show
Chapter 5 Configuring the system 105
Asynchronous data over TCP. Asynchronous data over TCP (AOT) is a protocol that enables transport of asynchronous da
106 Chapter 5 Configuring the system
3 Select Public or Private for Service. 4 Click the Connection Originator to enable. 5 Specify the Peer IP address
Chapter 5 Configuring the system 107
NTP supports the 2007 Daylight Saving Time change in the United States and various Canadian provinces. In 2007, Da
108 Chapter 5 Configuring the system
5 Click on the Return to the Date and Time window link to return to the previous window. Configuring system setting
Chapter 5 Configuring the system 109• Serial Menu (default). In this mode, a standard menu interface is presented. You can use an application such as
11 Figures
Figure 1 Typical PDN ... 26
Figure 2 VPN service
110 Chapter 5 Configuring the system
— 2400
— 1200
— 600
— 300
— 150
d Data, Parity, and Stop apply only when AoT is selected. e Enter the Modem Initia
Chapter 5 Configuring the system 111Using proxy ARPYou can configure the Nortel VPN Router to respond to ARP requests on any of its physical interface
112 Chapters Configuring the systemUsing the SSH server to allow secure sessionsYou can enable an SSH server to allow secure CLI sessions, such as tel
Chapter 5 Configuring the system 113Configuring the SSH serverTo set the parameters for the SSH server:1 Select Services > Available.The Allowed S
114 Chapter 5 Configuring the system
Figure 18 Allowed Services window (screen capture: a table with Tunnel Type rows IPsec, PPTP, L2TP & L2F, and Firewall, each with Public and Private check boxes)
Chapter 5 Configuring the system 115Using the CLI for SSH serverDefining an SSH server (CLI)To configure an SSH server on the Nortel VPN Router, from
116 Chapter 5 Configuring the system
Displaying the current settings for the SSH server. To display the current settings for the SSH server, from CLI Glob
Chapter 5 Configuring the system 117Restricted product - export license requirementThis product incorporates encryption technology that is highly rest
119Chapter 6Configuring branch office tunnelsThe branch office feature allows you to configure a secure tunnel connection between two private networks
12 Figures
Figure 30 Roaming from behind NAT to behind NAT ... 150
Figure 31 Roaming from behind NAT to no NA
120 Chapter 6 Configuring branch office tunnels
Figure 19 Typical branch office environment
The section “Configuring a branch office” on page 128 provi
Chapter 6 Configuring branch office tunnels 121
Figure 20 Branch-to-branch with a firewall and a router (labels: LAN, Public LAN, Private LAN)
In the branch-to-branc
122 Chapter 6 Configuring branch office tunnelsFigure 21 Indirectly connected branch officesIn branch offices, you might have two or more branches tha
Chapter 6 Configuring branch office tunnels 123PPTP nested tunnelsNested tunnels allow you to create a PPTP end user tunnel inside an IPSec branch off
124 Chapter 6 Configuring branch office tunnels
DNS for branch office tunnel endpoints. When configuring branch office tunnels with the Nortel VPN Router,
Chapter 6 Configuring branch office tunnels 125Figure 22 VPN DNSWhen you configure an initiator for an asynchronous branch office tunnel, you can use
126 Chapter 6 Configuring branch office tunnelsA DNS server will be aware of all the IP addresses that correspond to a particular domain name. When a
Chapter 6 Configuring branch office tunnels 127branch offices are configured to use a domain name as a remote endpoint of the ABOT tunnel. When two in
128 Chapter 6 Configuring branch office tunnels
The Nortel VPN Client supports dynamic DNS registration. The Client Dynamic DNS Registration setting on
Chapter 6 Configuring branch office tunnels 129
Figure 25 Setting up a branch office configuration (flowchart; column headings: Which Management Page to Use?, What to Do?, Settings f
13 Tables
Table 1 Sample IP addressing associations ... 30
Table 2 Services supported on a multine
130 Chapter 6 Configuring branch office tunnels
Adding a group. To create a new group: 1 Select Profiles > Branch Office. 2 In the Groups section, click Ad
Chapter 6 Configuring branch office tunnels 131
Configuring a tunnel connection. To configure a connection: 1 On the Profiles > Branch Office window,
132 Chapter 6 Configuring branch office tunnels
6 Click the Filters drop-down list and choose the filter that you want this branch office connection to
Chapter 6 Configuring branch office tunnels 133
network, select it from the list and the Connection Configuration window appears. These networks have b
134 Chapter 6 Configuring branch office tunnels
Figure 26 Sample branch office configuration
As the administrator of a branch office connection, you can
Chapter 6 Configuring branch office tunnels 135
The Profiles > Filters window must have the filters that you want to use for the branch office conne
136 Chapter 6 Configuring branch office tunnels
12 Click on the Test button on each end of the tunnel to verify connectivity. 13 Try to ping from one PC
137Chapter 7Configuring control tunnelsControl tunnels are special tunnels that allow you to securely manage a Nortel VPN Router over the Internet. Th
138 Chapter 7 Configuring control tunnels
Figure 27 Branch office control tunnel (labels: VPN Server 3, VPN Server 4)
Control tunnel types. There are two types of contr
Chapter 7 Configuring control tunnels 139
Figure 28 Sample control tunnel environment
Branch office control tunnels allow anyone on the configured netwo
140 Chapter 7 Configuring control tunnels
In this environment, the remote Boston Nortel VPN Router is a control tunnel to the local Cleveland Nortel VPN
Chapter 7 Configuring control tunnels 141
To create a nailed-up control tunnel using the nailed-up parameter: 1 Go to the Profiles > Branch Office windo
142 Chapter 7 Configuring control tunnels
1 Initiate a Telnet session to the customer’s Nortel VPN Router. 2 Enter the appropriate control create strin
Chapter 7 Configuring control tunnels 143
Enter a name and then select the parent group whose attributes the new group inherits; for example, /B
144 Chapter 7 Configuring control tunnels
Configuring a control tunnel connection. To configure a Control Tunnel connection: On the Connection Configuratio
Chapter 7 Configuring control tunnels 145
• In the remote endpoint address field, enter the address of the remote Nortel VPN Router (for example, 132.
146 Chapter 7 Configuring control tunnels
12 Click Create Local Network to go to the Profiles > Networks window and define a local network. The Local n
147Chapter 8Configuring IPSec mobility and persistent modeA large number of companies choose to secure access to their corporate networks via VPN usin
148 Chapter 8 Configuring IPSec mobility and persistent modeFigure 29 Example configurationOne solution to this problem is to use mobile IP technology
Chapter 8 Configuring IPSec mobility and persistent mode 149IPSec mobility on Nortel VPN RouterNortel VPN Router provides a new concept of IPSec mobil
15PrefaceThis guide introduces the Nortel VPN Router. It also provides overview and basic configuration information to help you initially set up your
150 Chapter 8 Configuring IPSec mobility and persistent modeThe Nortel VPN Client status monitor reports if roaming is enabled for the session. The ev
Chapter 8 Configuring IPSec mobility and persistent mode 151
Roaming from behind NAT to no NAT. In Figure 31, before roaming, a client was connected via AP
152 Chapter 8 Configuring IPSec mobility and persistent modeIPSec mobility in NAT environmentIn some situations roaming in the environment of NAT devi
Chapter 8 Configuring IPSec mobility and persistent mode 153When operating in IPSec mobility mode with split tunneling enabled, the Nortel VPN Client
154 Chapter 8 Configuring IPSec mobility and persistent modeMaximum roaming timeMaximum roaming time is the time used by the Nortel VPN Client to keep
Chapter 8 Configuring IPSec mobility and persistent mode 155Persistent tunnelingA persistent VPN connection provides the ability to maintain a VPN con
156 Chapter 8 Configuring IPSec mobility and persistent modeSession persistence time should be longer than the roaming time as persistence starts only
Chapter 8 Configuring IPSec mobility and persistent mode 157Figure 32 Groups edit IPSec window2 Scroll down to Mobility Support and select Enabled. T
158 Chapter 8 Configuring IPSec mobility and persistent modeIPSec mobility performs at higher level than physical adapters. As a result, the PC on whi
Chapter 8 Configuring IPSec mobility and persistent mode 159
To enable IPSec mobility:
CES(config-group/ipsec)#mobility enable
To disable IPSec mobility:
16 Preface
braces ({})
brackets ([ ])
ellipsis points (. . . )
italic text
plain Courier text
Indicate required elements in syntax descriptions where there
160 Chapter 8 Configuring IPSec mobility and persistent modeTo view the IPSec configuration for the group, for example Base:CES(config)#show groups ip
Chapter 8 Configuring IPSec mobility and persistent mode 161ConfiguredClient web page Saver Password Required Client screen Saver Activation Time Clie
163Appendix ABranch office quick start templateThe branch office quick start template provides a list of values that the local Nortel VPN Router 1010/
165 Glossary
acknowledgement (ACK): A type of message sent to indicate that a block of data arrived at its destination without error.
address masks: IP addre
166 Glossary
Diffie-Hellman: A key agreement algorithm that does key establishment, not encryption. However, the key it produces may be used for encryptio
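To make the glossary's distinction concrete (the exchange establishes a key; encryption or integrity protection then uses that key), the following Python script walks through one Diffie-Hellman exchange end to end. It is an added example and is not code from the manual or from the Nortel product. The modulus and generator are toy values chosen so the arithmetic is visible, far smaller than the MODP groups a VPN router negotiates in IKE, and the key derivation (SHA-256 over the shared value) is an illustration rather than the IKE key schedule.

```python
import hashlib
import hmac
import secrets

# Toy group parameters (assumption: for illustration only; a real exchange uses a
# standardized prime of 1024 bits or more, which these values do not approach).
P = (1 << 127) - 1   # 2^127 - 1, a Mersenne prime
G = 5


def is_valid_public_value(value, p=P):
    """Reject the degenerate values 0, 1 and p-1, which force a trivial shared secret."""
    return 1 < value < p - 1


def dh_keypair(p=P, g=G):
    """Pick a random private exponent x and return (x, g^x mod p)."""
    x = secrets.randbelow(p - 2) + 1          # 1 <= x <= p-2
    return x, pow(g, x, p)


def dh_shared_secret(own_private, peer_public, p=P):
    """Compute (peer_public)^own_private mod p after validating the peer's value."""
    if not is_valid_public_value(peer_public, p):
        raise ValueError("invalid peer public value")
    return pow(peer_public, own_private, p)


def derive_key(shared_secret, p=P):
    """Hash the raw group element into a fixed-length symmetric key (illustrative KDF)."""
    width = (p.bit_length() + 7) // 8
    return hashlib.sha256(shared_secret.to_bytes(width, "big")).digest()


def exchange():
    """Run both sides of the exchange; returns (key_a, key_b, pub_a, pub_b)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    # Only a_pub and b_pub cross the wire; the private exponents never leave each side.
    key_a = derive_key(dh_shared_secret(a_priv, b_pub))
    key_b = derive_key(dh_shared_secret(b_priv, a_pub))
    return key_a, key_b, a_pub, b_pub


def mac_message(key, message):
    """Use the established key for something the exchange itself does not do: protect a message."""
    return hmac.new(key, message, hashlib.sha256).hexdigest()


if __name__ == "__main__":
    key_a, key_b, a_pub, b_pub = exchange()
    print("public values differ:", a_pub != b_pub)
    print("both sides derived the same key:", key_a == key_b)
    print("HMAC under the agreed key:", mac_message(key_a, b"tunnel up"))
```

Both sides reach the same key without ever transmitting it; an observer sees only p, g and the two public values. What the exchange alone does not give is assurance of who the peer is, which is why IKE authenticates it with a pre-shared key or an RSA digital signature before the derived keys are trusted.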
Glossary 167
firewall: A collection of hardware and software components that controls communication between two networks, such as a private network and t
168 Glossary
IP address: The identifiers used by the protocols that govern Internet information exchange. The Internet Network Information Center assigns
Glossary 169
management IP address: The IP address that is used to manage all system services from a Web browser, such as HTTP, FTP, and SNMP. This addre
Preface 17
separator ( > ): Shows menu paths. Example: Choose Status > Health Check.
vertical line ( | ): Separates choices for command keywords and a
170 Glossary
Point-to-Point Protocol (PPP): A protocol that provides a method for transmitting packets over serial point-to-point links.
Point-to-Point Tu
Glossary 171
Routing Information Protocol (RIP): A distance vector, as opposed to link state, routing protocol.
RSA digital signature: A public-key encrypto
172 Glossary
A method used by RIP in which a new routing table is sent almost immediately after a routing change has been made. This is in contrast to
173IndexAaccess hours 78, 81, 119 accessible networks 120, 121 asymmetric branch office tunnel (ABOT) 119 asynchronous data over TCP (AOT) 105authenti
174 Indexpassword 51default routebranch office 121DHCP client 94 DNSbranch office tunnel endpoints 124 host name 92 round robin DNS 125 Dynamic DNS (D
Index 175filter 95Internet domain 92 inverse split tunneling 85IP address assigning 29 currently assigned 95IPSec mobility configuring 156 logging 149
176 IndexNnavigational menu 57 nested tunnels 123Network Address Translation (NAT) 122 Network Time Protocol (NTP) 106Nortel VPN Router 1010/1050/1100
Index 177SSafe mode 50, 108search for users 84serial interface 31, 45services 56split tunnel 76, 84subnet mask 95subnetworks 119Switch concepts 25Symm
178 IndexWWeb browser interface 50 Web interface options 53 Welcome display 56NN46110-500
18 Preface
NAT network address translation
NOC network operations center
NTP Network Time Protocol
NVR Nortel VPN Router
OSPF Open Shortest Path First
OSS ope
Preface 19Related publicationsFor more information about the Nortel VPN Router, refer to the following publications:Release notes provide the latest i
Copyright © 2007 Nortel Networks. All rights reserved.The information in this document is subject to change without notice. The statements, configurat
20 PrefaceHard-copy technical manualsYou can print selected technical manuals and release notes free, directly from the Internet. Go to the www.nortel
Preface 21• search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues• sign up for automatic notification
23 New in this release
The following sections detail what is new in Nortel VPN Router Configuration - Basic Features for Release 7.0. Network Time Proto
24 New in this release
System log lifetime or disk size limit usage option. VPN Router allows you to choose between setting a log file disk size limit or
25Chapter 1 OverviewThis chapter introduces the Nortel VPN Router. The Nortel VPN Router is a family of products that deliver security and IP services
26 Chapter 1 OverviewNortel VPN Router access allows remote users to dial in to an Internet Service Provider (ISP) anywhere and reach corporate headqu
Chapter 1 Overview 27Figure 2 VPN service modelsThe Nortel VPN Router uses a combination of authorization, authentication, privacy, and access control
28 Chapter 1 OverviewThe Nortel VPN Router Stateful Firewall License key must be installed to enable the Nortel VPN Router Stateful firewall.Tunnel ke
29 Chapter 2 Getting started
This chapter describes methods for configuring and managing the Nortel VPN Router. Note: If you are setting up a Nortel VPN
Nortel Networks Inc. software license agreementThis Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nor
30 Chapter 2 Getting startedFigure 3 Sample IP addressing schemeTable 1 Sample IP addressing associationsIP address Description (when applicable, wher
Chapter 2 Getting started 31Table 1 Sample IP addressing associations (continued)10.2.1.23 DHCP-assigned IP address for a remote user10.8.4.6 Sample r
32 Chapter 2 Getting started• Identification• CRL Retrieval• CMPTo enable or disable management protocols, go to Services > Available window. Fr
Chapter 2 Getting started 33Figure 6 shows MVA using CLIP to manage from a remote PC tunneled from the public side.Figure 6 MVA managing from a remote
34 Chapter 2 Getting startedConfiguring MVA with the serial menuTo configure the MVA with the serial menu:1 Connect the serial cable (supplied with y
Chapter 2 Getting started 35Note: This administrator’s password is also the primary administrator’s password. This password guarantees access to the
36 Chapter 2 Getting started
7 Type M and press Enter to change the Management IP address. The current IP address appears. The Old Managem
Chapter 2 Getting started 37
Utilized Channels (Fractional T1): channel ruler for channels 1 to 24 (serial menu display) Currently=
R) Return to the Main Menu.
Please select a menu choi
38 Chapter 2 Getting started
7 Type E and press Enter to save the settings and exit. You can then manage the Nortel VPN Router from a Web browser. Mult
Chapter 2 Getting started 39Table 2 shows the services supported on a multinetted interface. Table 2 Services supported on a multinetted interfaceServ
Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance
40 Chapter 2 Getting startedTable 2 Services supported on a multinetted interfaceService Integration descriptionAuthentication Protocols (RADIUS)Supp
Chapter 2 Getting started 41
Figure 7 Deployment Scenario
Changing the management IP address. To manage the system, the network must have a route to the m
42 Chapter 2 Getting started• 1 stop bit• No parity• No flow controlThe Welcome window appears and you are prompted to supply a user name and passw
Chapter 2 Getting started 43
The following menu appears:
Main Menu: System is currently in NORMAL mode.
0) Management Address
1) Interfaces
2) Administrato
44 Chapter 2 Getting started
Restricting management access by source IP. You can filter management access by source IP address. Access Lists (
Chapter 2 Getting started 45
To set an ACL for TELNET, enter the following NNCLI command:
CES(config)#telnet access-list <the_name_of_an_acl>
To re
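Binding an access list to the Telnet service only restricts management access as well as the rules inside that list are ordered. The following Python script is an added example, not code from the manual or from the router: it evaluates a management ACL the way an ordered list is commonly processed (assumption: first matching rule wins, and a source that matches no rule is denied; the router's own matching semantics are not stated on this page) and reports rules that an earlier, broader rule shadows so that they can never take effect. The ACL text and the source addresses are constructed for the example.

```python
import ipaddress

# Constructed sample access list (not from the manual). One rule per line,
# "<permit|deny> <prefix>"; text after '#' is a comment.
SAMPLE_ACL = """
permit 10.2.1.0/24      # management LAN
deny   10.2.1.200/32    # contractor host, meant to be blocked
permit 10.8.4.6/32      # single NOC workstation
"""

# Same intent, with the specific deny placed before the broader permit.
CORRECTED_ACL = """
deny   10.2.1.200/32
permit 10.2.1.0/24
permit 10.8.4.6/32
"""


def parse_acl(text):
    """Parse ACL text into an ordered list of (action, ip_network)."""
    rules = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        action, prefix = line.split()
        if action not in ("permit", "deny"):
            raise ValueError(f"unknown action {action!r}")
        rules.append((action, ipaddress.ip_network(prefix, strict=False)))
    return rules


def evaluate(rules, source_ip):
    """First matching rule decides; no match means deny (assumption stated in the lead-in)."""
    addr = ipaddress.ip_address(source_ip)
    for action, net in rules:
        if addr.version == net.version and addr in net:
            return action
    return "deny"


def shadowed_rules(rules):
    """Indexes of rules that can never match because an earlier rule already covers their prefix."""
    shadowed = []
    for j, (_, net_j) in enumerate(rules):
        for _, net_i in rules[:j]:
            if net_i.version == net_j.version and net_j.subnet_of(net_i):
                shadowed.append(j)
                break
    return shadowed


def management_decisions(acl_text, sources):
    """Map each candidate management source address to the ACL's decision."""
    rules = parse_acl(acl_text)
    return {src: evaluate(rules, src) for src in sources}


if __name__ == "__main__":
    # Constructed candidate sources: a management host, the contractor host,
    # the NOC workstation and an Internet address.
    sources = ["10.2.1.23", "10.2.1.200", "10.8.4.6", "198.51.100.7"]
    for name, text in (("sample", SAMPLE_ACL), ("corrected", CORRECTED_ACL)):
        rules = parse_acl(text)
        print(name, management_decisions(text, sources),
              "shadowed rule indexes:", shadowed_rules(rules))
```

With the sample list the contractor host is admitted because the /24 permit above it matches first; the shadow check flags that second rule, and moving the deny ahead of the permit produces the intended result. Running the same check before binding a list with `telnet access-list` catches the ordering mistake before it reaches the management plane.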
46 Chapter 2 Getting startedUsing a terminal emulation program, such as HyperTerminal on the PC, press Enter. The Welcome window appears and you are p
Chapter 2 Getting started 47
5 Please enter the administrator's password: setup
Note: The factory default user name is admin and the default passwo
48 Chapter 2 Getting started
Interface Menu
0) Slot 0, Port 1, Private LAN IP Address = 47.17.163.163 Subnet Mask = 255.255.255.240 Speed/Duplex = AutoN
Chapter 2 Getting started 49
8 Select 0 and press Enter to enter the Slot 0, Port 1, Private LAN menu and add the interface IP address. Please select a
Contents
Preface ... 15
Before you begin ...
50 Chapter 2 Getting startedUsing boot modesThe Nortel VPN Router can be booted in one of two system modes: Safe mode or Normal mode. Each mode has it
Chapter 2 Getting started 51
3 Enter the system default login and password in lowercase characters, as follows:
Login: admin Password: setup
At this poi
52 Chapter 2 Getting started
Preparing for configuration. To properly prepare for configuration of the Nortel VPN Router, you should have the following it
Chapter 2 Getting started 53• Manufacturer of device as well as firmware version, throughput, and any special configuration requirements for any devi
54 Chapter 2 Getting startedTable 4 Configuration checklist (continued)window Values required Your ValuesSystem > Identity Primary IP address Secon
Chapter 2 Getting started 55Table 4 Configuration checklist (continued)window Values required Your ValuesServers > Radius Auth Access (enabled or d
56 Chapter 2 Getting startedTable 4 Configuration checklist (continued)window Values required Your ValuesAdmin > License Keys Install License KeysA
Chapter 2 Getting started 57• Click on Guided Config to begin the Guided Configuration. This option allows access to all Configuration Management faci
59Chapter 3Setting up the Nortel VPN Router 1010, 1050, and 1100This chapter provides instructions for the network administrator who is responsible fo
6 Contents
Chapter 2 Getting started ... 29
IP addressing ...
60 Chapter 3 Setting up the Nortel VPN Router 1010, 1050, and 1100
Figure 8 Default configuration
By default, the Nortel VPN Router 1010, 1050, and 1
Chapter 3 Setting up the Nortel VPN Router 1010, 1050, and 1100 61Branch office quick start utilityThe branch office quick start utility (BOQS) simpli
After the VPN services are provisioned, branch office networks are logically connected to a central office network or to a NOC network. Branch office
• Set the Text Pre-Shared Key to the same value as the central office tunnel password.
• Set Dynamic Routing to enabled.
• Set RIP to enabled.
After the ce
Every Nortel VPN Router 1010, 1050, and 1100 must have a distinct IP address that is visible from the NOC subnet. A NOC can assign any address reachab
Deployment procedureThe following sequence of events illustrates the deployment procedure.• Factory configured Nortel VPN Router 1010, 1050, and 1100
66 Chapter 3 Setting up the Nortel VPN Router 1010, 1050, and 1100Table 6 contains the BOQS parameters. Table 6 BOQS parametersCentral office tunnel c
Branch office quick start templateThe branch office quick start template provides a list of values that the local Nortel VPN Router 1010, 1050 or 1100
68 Chapter 3 Setting up the Nortel VPN Router 1010, 1050, and 1100Power cordAC to DC external power supplyMolded serial cable RJ-45 to DB9Ethernet cro
7 Press the power switch to the “on” position and wait for the VPN Router to boot.Chapter 3 Setting up the Nortel VPN Router 1010, 1050, and 1100 69N
Contents 7
Chapter 4 Configuring user tunnels ... 75
Configuring group character
• If your ISP uses static IP addressing, go to “Static IP instructions” on page 71.
70 Chapter 3 Setting up the Nortel VPN Router 1010, 1050, and 1100
6 Set the Administrative State option to Enabled.7 From the Interface Filter list, choose permit all.8 Click on OK.9 Locate the provisioning works
12 In the Gateway Address field, type the default route address that the ISP provided.13 Click on OK.14 Locate the provisioning worksheet sent by t
• Numerous text filesYou can store two software images on the flash disk at the same time. Operationalchanges for the compact flash disk are:• The c
75Chapter 4Configuring user tunnelsThe Nortel VPN Router uses the Internet and tunneling protocols to create secure connections. The following section
76 Chapter 4 Configuring user tunnelsThe Nortel VPN Router associates all remote users with a group, which dictates the attributes that are assigned t
Chapter 4 Configuring user tunnels 77For example, \Base is the base group, Research and Development and Finance are child groups of the base group, an
78 Chapter 4 Configuring user tunnelsConfiguring group characteristicsIn addition to assigning users to groups and providing authentication access, yo
Chapter 4 Configuring user tunnels 79• Maximum password age is the time after which the login password expires. The Maximum Password Age range is fro
8 Contents
Chapter 6 Configuring branch office tunnels ... 119
PPTP nested tunnels ...
80 Chapter 4 Configuring user tunnelsPort, and TCP Connection establishment. Go to the Profiles > Filters window to create tunnel filters.13 Selec
Chapter 4 Configuring user tunnels 81c Choose an Excess Action for traffic handling, either Drop or Mark.You can also choose Define new bandwidth rate
82 Chapter 4 Configuring user tunnels1 Choose Services > Available.2 Select the tunnel type.3 Select the Management Protocol for the Nortel VPN
Chapter 4 Configuring user tunnels 832 After selecting a group, you must click on Display to view the group members. This allows you to quickly chang
84 Chapter 4 Configuring user tunnelsStatic IP Address option in the Profiles > Groups > Connectivity option (it is only used if the group allow
Chapter 4 Configuring user tunnels 85LDAP search allows you to enter any LDAP database attribute that is part of the person, organizational Person, or
86 Chapter 4 Configuring user tunnelsThe security of a mandatory tunnel is partially compromised by the addition of inverse split tunneling in a way s
Chapter 4 Configuring user tunnels 87To select the split tunneling mode in which you wish to operate, the Split Tunneling drop down menu has been modi
88 Chapter 4 Configuring user tunnelsFigure 12 Edit > IPsec page for wildcard2 Select Enabled - Inverse or Enabled Locally Connected from the Spli
Chapter 4 Configuring user tunnels 893 Select None from the Split Tunnel Networks menu.4 Select a network from the Inverse Split Tunnel Networks men
Contents 9
Routing table changes ... 152
Initial contact payload (IC
91 Chapter 5 Configuring the system
This chapter describes how to configure various system-level features:
LAN interfaces
WAN interfaces
802.1q VLAN subin
92 Chapter 5 Configuring the system1 Enter a Management IP Address for the system. You need this address to contact all system services, such as HTTP
Chapter 5 Configuring the system 9310 Click on OK. The Nortel VPN Router checks all of the DNS addresses to see if they respond and then provides an
94 Chapter 5 Configuring the systemA host can send only enough packets to a public interface to establish a tunnel connection. If the tunnel is not es
Chapter 5 Configuring the system 95From the Select Protocol list, select the tunneling protocol to use: IP is the standard Internet Protocol, and Poin
96 Chapter 5 Configuring the systemAdditional fields appear on the Edit LAN Interface window for optional network cards. LAN represents the physical p
Chapter 5 Configuring the system 974 MAC Pause (Ethernet packet flow control) section enables the Nortel VPN Router to automatically adjust and contr
98 Chapter 5 Configuring the systemTo add an IP address:1 Click the Add Multinet button on the LAN Interfaces window.Figure 14 on page 98 shows the L
Chapter 5 Configuring the system 99
Figure 15 LAN Interfaces > Add IP Address window (screen capture; navigation menu entries under System: Identity, ATM, LAN, WAN, Dial Interface, Circ