Avaya 3.7 IKE VPNs, VPN packet processing modes

Configuring VPN objects

134 Avaya VPNmanager Configuration Guide Release 3.7

IKE VPNs

Note:

Note: IKE VPNs are supported in VPNremote Client 3.0 and later.

An IKE VPN can run in certificate or preshared secret authentication mode. Also, IKE VPNs

always operate in tunnel mode, which means the entire original packet (header and payload) is

encrypted and inserted in the payload of an IPSec packet before it goes out to the public

networks.

Certificate mode involves the exchange of X.509 public-key certificates between endpoints of a

VPN tunnel to authenticate VPN tunnel end points. A certificate belonging to a specific endpoint

is authenticated by a third party certificate called an issuer’s certificate. Certific ates can be

obtained from a third party Public Key Infrastructure (PKI). See for more infor mation about using

a PKI. Certificate based VPNs cannot be manually rekeyed.

Preshared Secret mode involves the Diffie-Hellman algorithm for creating a shared secret key

that is used for authenticating VPN traffic. Large prime numbers and modular arithmetic

equations are exchanged between endpoints. Each endpoint uses the equations and numbers

to calculate the same shared secret key. Th e tunnel endp oints the n use the shar ed secret key t o

authenticate each other’s traffic. Even if the prime numbers and equations become publicly

known, the protocol still protects the shared secret key. As an added security measure,

preshared secret can be manually rekeyed at any time.

VPN packet processing modes

There are two ways to process packets when forming VPNs: transport mode and tunnel mode.

In transport mode, IP packets sent between VPN members are secured by applying VPN

services to the IP packet payload, leaving the original addressing header unchanged.

Source

Address Dest.

Address Payload

Source

Address Dest.

Address IPSec/SKIP

Overhead Payload with Applied VPN Services

Transport Mode

Secured VPN IP Packet

Original IP Packet

Contents

Main Page WARNING: ! Page Contents Page Page Page Page Page Page Page Page Page Preface What Products are Covered VPNmanager Overview Network-wide Visibility and Control Intranet and Extranet Support Secure VPN Configuration No Special Consoles Required Complementary to SNMP Management Tools Related Documentation How This Book Is Organized Page Contacting Technical Support Page Chapter 1: Overview of implementation Components of the Avaya security solution Security gateways VPNremote Client software VPNmanager software Overview of the VPN management hierarchy Preparing to configure your network Security gateway Page Static Routes IP groups Remote users and user groups VPN Security policies Firewall policies Denial of Service QoS VoIP Additional features NAT SNMP Syslog Client IP address pooling Sequence to configure your VPN Page Page Chapter 2: Using VPNmanager About VPNmanager administrators Role Based Management To add an administrator To configure an administrator to be an SNMPv3 admin Log into the VPNmanager console Add a policy server Open Domain Navigating the main window File menu Page Edit menu View men u Tools menu Help menu Toolb ar Page VPN view pane Network Diagram View Page Alarm monitoring pane Configuration Console window Configuration Console Menu bar File menu Edit menu View men u Tools menu Toolb ar Contents pane Details pane Update Devices Preferences Dyna Policy Defaults (User) Dyna Policy Defaults (Global) Dyna Policy Authentication Page Alarm/Monitoring TEP Policy Page Page Chapter 3: Se tti n g up th e ne t wo rk New VPN Domain To create a new domain: Page Configuring a security gateway Creating a new security gateway To create a new security gateway: Page Using Device tabs to configure the security gateway Page Page To create a memo: DNS tab Configuring the DNS tab for security gateways at 4.3 or later To add a DNS Relay To add a static DNS server Configuring the DNS tab for VSU at VPNos 4.2 or earlier To add a DNS server address To edit an existing server address: To delete a DNS server address: Interfaces tab Page Page Page Options for IP addressing for interface zones Static addressing DHCP addressing Point-to-Point Protocol Over Ethernet (PPPoE) Client Local DHCP Server Page DHCP Relay Static Changing network interfaces To change the media interface configuration: To add an IP device to the security gateway: To add an IP telephony device to the security gateway: Private port tab Adding an IP Device Configuration To add an IP Device: DHCP Relay None Device users tab To add a device account user: Network Object tab Routing To build a routing table using the default gateway: Default Gateway for VPN Traffic (VPNos 3.X) To build a RIP table: Policies tab, NAT services About NAT types for VPNos 4.31 Priority of NAT types Configuring NAT (VPNos 4.31) To add a NAT rule (VPNos 4.31) To edit a NAT rule To delete a NAT rule About NAT types for VPNos 3.X NAT applications Accessing the Internet from private networks Setting up VPN with overlapping private addresses Page Using NAT to support multiple gateway configurations Interface for VPNos 4.2 Add NAT Rule (VPNos 4.2 or earlier) Original To configure a NAT rule: Tunnel NAT rules To add a tunnel NAT rule: Chapter 4: Configuring IP Groups About IP Groups Creating a New IP Group To create a new IP Group: New IP Group IP Group - General tab Page Add IP Group member Configuring an IP Group To configure an IP Group that communicates within its own VPN domain: Configuring an IP Group that connects to an extranet To configure an IP Group that is associated with an extranet: Delete Page Chapter 5: Configuring remote access users Default client configuration Using dyna-policy Configuring a global dyna-policy Dyna-Policy Defaults (User) tab VPN configuration files on remote users computer Disable split tunneling Dyna-Policy Defaults (Global) tab Page Local authentication RADIUS authentication LDAP authentication Dynamic VPNs (VPNos 3.x) Remote Client tab Client DNS resolution redirection Remote Client inactivity connection time-out (VPNos 3.x) Send Syslog messages. . . Configure a default CCD with global dyna-policy Creating new user object Default user To create a new user object: About creating individual dynamic-policy User - General tab Dyna-Policy tab Actions tab Configuring a remote user object Information for VPNremote Client users Using local authentication Using RADIUS authentication (VPNos 3.X and VPNos 4.31) Using LDAP authentication (VPnos 3.X only) Using Policy Manager for user configuration Client IP address pool configuration Add Client IP address pool Add Client DNS Add Client WINS To configure the Client IP configuration Configuring client attributes Creating a message Enforce brand name RADIUS/ACE Services Enable RADIUS/ACE Settings RADIUS concepts The RADIUS protocol Add (RADIUS/ACE server) Authenticating (secret) password RADIUS server data To add a RADIUS server: Page Chapter 6: Configuring user groups New user group To create a user group: User Group - General tab User Group - Memo tab User Group - Actions tab Configuring a user group To configure a user group: Page Chapter 7: Configuring VPN objects Types of VPN objects SKIP VPNs IKE VPNs VPN packet processing modes Default VPN policy Creating a new VPN object To create a new VPN object: Creating a default VPN To create a default VPN within a selected domain: Creating a designated VPN To set up a designated VPN within a selected domain, perform the following steps: Using the VPN tabs General tab with IKE General tab with SKIP Members-Users tab Members-IP Groups tab Security (IKE) tab Page Page Pre-Shared Secret Security (IPSec) IPSec Proposals Add IPSec proposal Page Actions tab VPN configuration Export Rekey site-to-site VPN Rekey Advanced VPN tab Configuring a SKIP VPN To configure a new SKIP VPN object: Page Configuring an IKE VPN To configure a new IKE VPN Object: Page Page Page Enabling CRL checking Page To remove the CRL from the VSU: Exporting a VPN object to an extranet Figure 51: Exporting a VPN Object to an Extranet VPN Object export checklist Export procedure To export a VPN Object: Importing a VPN object from an extranet To import a VPN Object data file: Rekeying a VPN object To rekey a SKIP VPN Object: Chapter 8: Establishing security Firewall rules set up Levels of firewall policy management Firewall rules Domain level firewall rules To create domain level firewall rules: Device level firewall rules To create device level firewall rules: Priority of Firewall rules versus NAT rules Setting up firewall rules for FTP FTP and Firewall/NAT Operation Security Gateways and FTP To add a new firewall rule for FTP-control or passive FTP To add a new firewall rule for active FTP Firewall templates Predefined templates User defined templates To create a user-defined firewall template: Page Services Device Group To create a device group object: Denial of Service Page To select or deselect DOS categories Voice Over IP Using the IP Trunking Call Model Using the LRQ Required checkbox of the IP Trunking Call Model To enable VoIP and add IP Trunking: Page Using the Gatekeeper Routed Call Model Add gatekeeper settings To enable VoIP and add gatek eepe r settings QoS policy and QoS mapping QoS Policy ! CAUTION: To add a QoS policy Page QoS mapping Mapping QoS policies Packet Filtering What can be filtered Packet Filtering and NAT Advanced Permit/Deny non-VPN traffic Radio Buttons Add Packet Filtering Policy From/Where To Where The Filtering Policy in progress Locating this filtering policy The filtering policy in progress Running the packet filtering policy wizard Running the Policy Manager for packet filtering Starting and stopping filtering services To start or stop filtering services: Managing the ACL To edit, change the sequence, or delete a filtering policy: Configuring advanced filtering options To configure advanced filtering options: Marking packets for differentiated services (QoS) About Differentiated Services How a VSU marks packets Types of marking rules How to create a packet marking rule To create a packet marking rule: Page Packet filtering firewall To use the firewall policy management: Add firewall policy To add a firewall policy: Page Chapter 9: Using advanced features Device Advanced ARP you would then want to: Path MTU Discovery To configure the Path MTU Discovery: NAT Traversal Port for dyna-policy download To change the port number: Port for Secure Authentication Private IP Address (VPNos 3.x) To add a private IP address: Send Device Names To select a VSU name distribution method: SuperUser Password (VPNos 3.x) Tunnel Persistence Page TEP Policy Servers Add servers To create a backup server: Managing the server list To edit, change the sequence, or delete a backup server: Resilient Tunnel Tunnel Switching Creating a resilient tunnel Add resilient tunnel Prerequisites To create a resilient tunnel: Managing the resilient tunnel list To edit, change the sequence, or delete a filtering policy: Stopping and starting resilient tunnel services Primary end-point service To stop or start resilient tunnel services for a primary end-point: Secondary end-point service To stop or start resilient tunnel services for a secondary end-point: Failover TEP Configuring failover TEP To configure failover TEP: Advanced Action Switch Flash Reset password Disable FIPS High Availability To configure the security gateway to deny all non-VPN traffic through the VPNmanager: Virtual addresses Advanced parameters Members Configuring high availability Creating a High Availability Group Use the following procedure to create High Availability (HA) groups: Updating a high availability group using Update Device To update HA VSUs: Deleting a high availability group Use the following procedure to delete High Availability (HA) groups: Failover The configuration is as follows: To configure failover: Page Failover reconnect To set up failover reconnect: Converged Network Analyzer Test Plug Page Keep Alive To configure keep alive: Policy Manager - My Certificates About VSU certificates Creating and Installing a Signed Certificate To install a signed certificate into a VSU: Switching certificates used by VPNmanager Console To switch certificates: Issuer certificates About Issuer Certificates Installing an issuer certificate To install an Issuer Certificate into a VSU (target): IKE Certificate Usage About Certificate Usage (Exchange) Assigning a Target for a Certificate To assign a target for a certificate: Page Page Chapter 10: Monitoring your network Using SNMP to monitor the device To add SNMP trap targets To delete SNMP trap targets Adding Admin Users for SNMPv3 Configuring SNMP for a security gateway VPN active sessions Syslog Services Add Syslog Policy To run Syslog services: Using Monitor Enterprise MIB Monitoring wizard Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Page Define Custom Monitoring wizard (Presentation) Presentation Monitoring alarms Alarm Types Report Wizard To create a report using the report wizard: Page Device diagnostics Page Chapter 11: Device management Using the Management tab Setting Up SSH and Telnet To set up SSH or Telnet Changing device administrators passwords To reset the passwords Using the Connectivity tab Check connectivity by ping To directly ping a specific security gateway: Check Connectivity by Proxy Ping To proxy ping a specific security gateway: Using the Device Actions tab Page Re-setup Device Import Device Configuration To import configuration data for a device: Ethernet Speed Redundancy Network Interface Status Switching Importing and exporting VPN configurations to a device Export VPN Exporting RADIUS Page Chapter 12: Upgrading firmware and licenses Centralized firmware management To upgrade the firmware using centralized firewall management: Device - Upgrade tab Upgrading a security gateways firmware To upgrade a security gateways firmware: License Encryption Strength Remote Access (VSU-100 Only) Page Appendix A: Using SSL with Directory Server When to Configure your VPNmanager for SSL Installing the issuers certificate in the policy server and the VPNmanager Console Windows NT and Windows 2000 Computers To install a certificate in VPNmanager Console: To view all the installed issuers certificates: To delete an installed issuers certificat es : Installing the Issuers Certificate into a security gateway To install the issuers certificate into a security gateway: Page Appendix B: Firewall rules template General Public zone firewall templates Public zone firewall templates Issue 4 May 2005 299 Table 31: Public high and medium security firewall rules (continued) Public zone firewall templates Issue 4 May 2005 301 Table 32: Public low security firewall rules Table 33: Public VPN-only firewall rules Private zone firewall templates Table 35: Private medium security firewall rules Semi-private zone firewall templates Table 37: Semi-private high security firewall rules Semi-private zone firewall templates Issue 4 May 2005 307 Table 38: Semi-private medium security firewall rules Table 37: Semi-private high security firewall rules (continued) Table 39: Semi-private low security firewall rules Table 40: Semi-private VPN-only security firewall rules DMZ zone firewall templates Table 41: DMZ high and medium security firewall rules (continued) Table 42: DMZ low security firewall rules Management zone security Converged Network Anaylyzer template Page Glossary A B C D E F H L M N O P R S Syslog T U V Index Numerical A B C D E F G H I K L M N P Q R S T U V W X Z