Manuals / Avaya / Computer Equipment / Network Router

Avaya 3.7 manual Advanced VPN tab, Rekey site-to-site VPN

Models: 3.7

1 326

Download 326 pages 56.24 Kb

Page 149

Advanced VPN tab

Rekey site-to-site VPN

Rekey

Used to change the preshared secret key of a site-to-site VPN. This should be done regularly to ensure maximum security.

Only SKIP and Preshared Secret IKE VPNs can be manually rekeyed. In the case of SKIP, rekeying generates and distributes a new master key to all security gateways associated with the VPN. This SKIP master key is used to generate session keys used for cryptographic functions. In the case of Preshared Secret IKE VPNs, rekeying generates and distributes a new negotiation key to all security gateways associated with the VPN. This negotiation key is used to provide authentication during IKE negotiations, in which the actual session key is dynamically generated. Manual Keyed VPNs can be rekeyed by manually editing the relevant keys.

Advanced VPN tab

The Advanced tab is used to set up advanced VPN options. Generally, the defaults do not need to be changed.

Figure 50: VPN Advanced tab

Apply VPN to clients only provides VPN access to users and ignores the site-to-site “mesh” or relationships between security gateways. This is a usability feature that can be used in VPNs with complex rules to only mesh the users.

In a normal VPN, the IP Groups are meshed together and the users are meshed with the groups. When the “Apply VPN to clients only” check box is check, only the users are meshed.

Issue 4 May 2005 149

Image 149

Avaya 3.7 manual Advanced VPN tab, Rekey site-to-site VPN

Contents

VPNmanager Confi guration Guide Copyright 2005, Avaya Inc All Rights Reserved Declarations of Conformity Page Contents Using VPNmanager Setting up the network Configuring IP Groups Configuring user groups 129 Establishing security 163 Using advanced features 199 Contents Monitoring your network 245 Glossary 313 Index 319 VPNmanager Overview What Products are CoveredNetwork-wide Visibility and Control Secure VPN ConfigurationIntranet and Extranet Support No Special Consoles RequiredRelated Documentation Using VPNmanager HelpHow This Book Is Organized Complementary to Snmp Management ToolsPreface Contacting Technical Support Preface Avaya VPNmanager Configuration Guide Release Security gateways Components of the Avaya security solutionVPNmanager software VPNremote Client softwareDomain hierarchy Overview of the VPN management hierarchySecurity gateway Preparing to configure your networkNetwork zones Media type SG5 and SG5X SG200 SG203 SG208 Static Routes IP groupsRemote users and user groups Firewall policies Denial of ServiceSecurity policies QoS VoIPNAT Additional featuresSyslog Sequence to configure your VPNClient IP address pooling SSL for Directory ServerSequence to configure your VPN Page Role Based Management About VPNmanager administratorsTo configure an administrator to be an SNMPv3 admin To add an administratorAdd a policy server Log into the VPNmanager consoleOpen Domain Navigating the main windowVPNmanager console main window File menuFile MenuNew Object list New object Objects Description New object Objects Description Edit menuView menu Help menu ToolbarTools menu Icons on toolbar Toolbar commands Description CommandsVPN view pane Network Diagram ViewTree View Tiled ViewAlarm monitoring pane Configuration Console windowConfiguration console window Configuration Console Menu barNAT Policy ServicesContents pane Update DevicesToolbar Details paneGeneral tab PreferencesDyna Policy Defaults Global Dyna Policy Defaults UserPreferences, Dyna-Policy Global Tab Dyna Policy AuthenticationRemote Client AdvancedTEP Policy Alarm/MonitoringTunnel End Point Policy Page To create a new domain New VPN DomainSelect Level of security To create a new security gateway Configuring a security gatewayCreating a new security gateway Setting up the network Device tabs by release Tab All VPNos Releases Earlier Later Using Device tabs to configure the security gatewaySnmp Device General tab To create a memo Memo tabDNS tab DNS tabTo add a DNS Relay DNS Relay Configuration area, click AddTo add a static DNS server Configuring the DNS tab for VSU at VPNos 4.2 or earlierTo add a DNS server address To edit an existing server addressTo delete a DNS server address Interfaces tabNetwork zones Media SG5 SG200 SG203 SG208 Type Interface tabEthernet2 Unused Public backup Private Semiprivate Using Device tabs to configure the security gateway Static addressing Options for IP addressing for interface zonesDhcp addressing Manage-ment Address assignedLocal Dhcp Server Point-to-Point Protocol Over Ethernet PPPoE ClientWins Dhcp Relay To change the media interface configurationStatic Changing network interfacesTo add an IP device to the security gateway Media interface configuration dialogTo add an IP telephony device to the security gateway Private port tab with VPNos 4.2 or VPNos Private port tabIP Device Configuration with VPNos 4.2 or VPNos Adding an IP Device ConfigurationTo add an IP Device None Device users tabTo add a device account user Network Object tabDevice Network Objects tab RoutingTo build a routing table using the default gateway Common Default Gateway for VPN Traffic topology Default Gateway for VPN Traffic VPNosTo build a RIP table About NAT types for VPNos Policies tab, NAT servicesPriority of NAT types Configuring NAT VPNosTo delete a NAT rule To add a NAT rule VPNosTo edit a NAT rule NAT applications About NAT types for VPNosAccess the Internet from private Networks Accessing the Internet from private networksSetting up VPN with overlapping private addresses Setting Up a VPN with Overlapping private Addresses Using NAT to support multiple gateway configurations Interface for VPNos Using NAT to Support Multiple GatewaysOriginal To configure a NAT ruleAdd NAT Rule VPNos 4.2 or earlier Tunnel NAT rules To add a tunnel NAT rule To create a new IP Group About IP GroupsCreating a New IP Group IP Group General tab New IP GroupIP Group General tab Add IP Group member Configuring an IP Group To configure an IP Group that is associated with an extranet Configuring an IP Group that connects to an extranetDelete Memo Default client configuration Configuring remote access usersUser Dyna-Policy tab Using dyna-policyDyna-Policy Defaults User tab Configuring a global dyna-policyDisable split tunneling Dyna-Policy Defaults Global tabVPN configuration files on remote user’s computer Dyna-Policy Authentication tab Radius authentication Local authenticationLdap authentication Dynamic VPNs VPNosRemote Client tab Client DNS resolution redirectionSend Syslog messages Remote Client inactivity connection time-out VPNosConfigure a default CCD with global dyna-policy Creating new user object About creating individual dynamic-policy Default userUser General tab To create a new user objectUser General tab Dyna-Policy tabActions tab Reset User Directory Password. The user’s password is resetUser Advanced tab Configuring a remote user objectInformation for VPNremote Client users Client IP address pool configuration Using Policy Manager for user configurationUsing local authentication Using Radius authentication VPNos 3.X and VPNosAdd Client DNS Add Client IP address poolTo configure the Client IP configuration Configuring client attributesAdd Client Wins Creating a messagePolicy Manager for client attributes Enforce brand nameEnable RADIUS/ACE RADIUS/ACE ServicesRadius concepts SettingsRadius protocol Authenticating secret passwordAdd RADIUS/ACE server Radius server dataRADIUS/ACE To add a Radius serverConfiguring remote access users To create a user group New user groupUser Group Memo tab User Group General tabTo configure a user group Configuring a user groupMove to the Configuration Console window User Group Actions tabConfiguring user groups Skip VPNs Types of VPN objectsVPN packet processing modes IKE VPNsDefault VPN policy To create a default VPN within a selected domain Creating a default VPNCreating a new VPN object To create a new VPN objectCreate a new VPN Object, see Creating a new VPN object on Creating a designated VPNGeneral tab with IKE Using the VPN tabsGeneral tab with Skip Members-IP Groups tab Members-Users tabVPN, Members IP Groups Tab Security IKE tabSHA1 Field Description Pre-Shared Secret Security IPSecIPSec Proposals Field Description Encryption AuthenticationAdd IPSec proposal Field Description Lifetime Export VPN configurationRekey Advanced VPN tabRekey site-to-site VPN To configure a new Skip VPN object Configuring a Skip VPNConfiguring a Skip VPN To configure a new IKE VPN Object Configuring an IKE VPNConfiguring an IKE VPN Configuring VPN objects Configuring an IKE VPN Enabling CRL checking Enabling CRL checking To remove the CRL from the VSU Click Update DevicesExporting a VPN object to an extranet VPN Object Export Checklist Task VPN Object export checklistTo export a VPN Object Export procedureTo import a VPN Object data file Open the Configuration Console windowImporting a VPN object from an extranet To rekey a Skip VPN Object Rekeying a VPN objectLevels of firewall policy management Firewall rules set upDomain level firewall rules Firewall rulesTo create domain level firewall rules To create device level firewall rules Device level firewall rulesPriority of Firewall rules versus NAT rules Security Gateways and FTP To add a new firewall rule for active FTP Firewall templatesTo add a new firewall rule for FTP-control or passive FTP To create a user-defined firewall template Predefined templatesUser defined templates Select Template, Device, or None Parameter Description Services property ServicesTo create a device group object Denial of ServiceDevice Group Denial of Service To select or deselect DOS categories Using the IP Trunking Call ModelVoice Over IP To enable VoIP and add IP Trunking Voice Over IP Voice over IP tab Using the Gatekeeper Routed Call ModelTo enable VoIP and add gatekeeper settings Add gatekeeper settingsQoS Policy QoS policy and QoS mappingQoS policy and QoS mapping QoS policy To add a QoS policyModify QoS bandwidth. burst and Dscp value screen Mapping QoS policies Packet FilteringQoS mapping Traffic types that can be filtered What can be filteredPacket Filtering and NAT Policy Manager, Packet Filtering/QoS Permit/Deny non-VPN traffic Radio ButtonsAdd Packet Filtering Policy From/Where Filtering Policy in progress To WhereLocating this filtering policy Running the packet filtering policy wizardTo start or stop filtering services Starting and stopping filtering servicesRunning the Policy Manager for packet filtering Managing the ACLTo configure advanced filtering options Configuring advanced filtering optionsACL commands Command Description To edit, change the sequence, or delete a filtering policyPacket Filter rule-advanced options Option Description Marking packets for differentiated services QoSHow a VSU marks packets About Differentiated ServicesTypes of marking rules How to create a packet marking ruleTo create a packet marking rule IP packet marking information DescriptionParameters used in a Packet Marking Rule Description Policy Manager for firewalls Packet filtering firewallTo use the firewall policy management Add firewall policyTo add a firewall policy Parameter DescriptionEstablishing security Device Advanced Using advanced featuresARP You would then want to Path MTU DiscoveryEnter the Path MTU Timeout value To configure the Path MTU DiscoveryNAT Traversal Port for dyna-policy download Port for Secure AuthenticationPrivate IP Address VPNos To change the port numberSend Device Names Select the Enable Private IP Address check boxTo add a private IP address To select a VSU name distribution methodSuperUser Password VPNos Tunnel Persistence VSU Tunnel Persistence TEP Policy Add servers ServersTo edit, change the sequence, or delete a backup server To create a backup serverAdd Directory Server Commands Description Managing the server listResilient Tunnel Servers list commands Command DescriptionPrimary and Resilient Tunnels Tunnel SwitchingResilient Tunnel tab for a security gateway Object Creating a resilient tunnelTo create a resilient tunnel Add resilient tunnelPrerequisites Managing the resilient tunnel list Primary end-point service Stopping and starting resilient tunnel servicesSecondary end-point service Move to the Configuration Console window. Select DevicesFailover TEP tab for a security gateway object Failover TEPAdvanced Action Configuring failover TEPTo configure failover TEP Disable Fips Switch FlashReset password High Availability High AvailabilitySelect the Deny all non VPN traffic radio button Virtual addressesAdvanced parameters Members Creating a High Availability Group Configuring high availabilityDeleting a high availability group Updating a high availability group using Update DeviceTo update HA VSUs Failover Tab FailoverFailover connectivity checks in 10-second intervals Configuration is as followsTo configure failover Set consecutive no responses Failover reconnect To set up failover reconnectConverged Network Analyzer Test Plug Enter the test request port value Select the CNA Test Plug Services interfaceKeep Alive Keep alive tab To configure keep aliveAbout VSU certificates Policy Manager My CertificatesInstalling a Signed Certificate into a VSU Creating and Installing a Signed CertificatePolicy Manager for My Certificates To install a signed certificate into a VSUTo switch certificates Switching certificates used by VPNmanager ConsoleAbout Issuer Certificates Issuer certificatesTo install an Issuer Certificate into a VSU target Installing an issuer certificateIKE Certificate Usage An Example of an Issuer CertificateAssigning a Target for a Certificate About Certificate Usage ExchangeClick Add to open the Add IKE Certificate Policy To assign a target for a certificatePolicy Manager My Certificates Page Monitoring your network Using Snmp to monitor the deviceSnmp Tab for a security gateway Object To add Snmp trap targetsConfiguring Snmp for a security gateway Adding Admin Users for SNMPv3VPN active sessions To delete Snmp trap targetsPolicy Manager for Syslog Services Syslog ServicesAdd Syslog Policy To run Syslog servicesMonitoring wizard Using MonitorEnterprise MIB Using Monitor System Group Parameters Log Group Parameters DescriptionActiveSessions Parameters Description IpRouteTable Parameters Address Table Parameters DescriptionIpRouteTable Parameters Description IpRouteTable Parameters Description FilterStats Parameters FilterStats Parameters Description FilterStats Parameters Description FilterStats Parameters Description FilterStats Parameters Description FilterStats Parameters Description Filter Rules Parameters Traffic Rate Table Parameters Active Ports Parameters Description GroupOverview Statistics Table Parameters Traffic Rate Table Parameters DescriptionEthernet Statistics Table Parameters Overview Statistics Table Parameters DescriptionEthernet Statistics Table Parameters Description Define CustomPresentation Monitoring alarmsMonitoring wizard Presentation Alarm Descriptions Alarm Type Alarm TypesReport Wizard To create a report using the report wizard Report Sample Generating the reportDiagnostic Reports Report Type Description Device diagnosticsDiagnostic Reports Report Type Description Setting Up SSH and Telnet Using the Management tabTo set up SSH or Telnet Changing device administrator’s passwordsTo reset the passwords Using the Connectivity tabConnectivity tab for a security gateway Object Check connectivity by pingCheck Connectivity by Proxy Ping Using the Device Actions tabTo directly ping a specific security gateway To proxy ping a specific security gatewayReboot Device Update ConfigurationReset Device Time Import Device Configuration Re-setup DeviceEthernet Speed To import configuration data for a deviceNetwork Interface Status RedundancyExport VPN Importing and exporting VPN configurations to a deviceSwitching Exporting Radius Device management Centralized firmware management Upgrading firmware and licensesDevice Upgrade tab Select Save this file to disk. Click OK To upgrade a security gateway’s firmwareUpgrading a security gateway’s firmware License Open Remote Access VSU-100 OnlyEncryption Strength Page Installing Certificates for Running SSL When to Configure your VPNmanager for SSLTo view all the installed issuer’s certificates To install a certificate in VPNmanager ConsoleTo delete an installed issuer’s certificates Windows NT and Windows 2000 ComputersSolaris OS Computers Installing the Issuer’s Certificate into a security gatewayTo install the issuer’s certificate into a security gateway Using SSL with Directory Server General Appendix B Firewall rules templatePublic zone firewall templates Public high and medium security firewall rules Telnet Ikein Public VPN-only firewall rules Public low security firewall rulesPrivate zone firewall templates Private medium security firewall rules Private high security firewall rulesPrivate low security firewall rules Semi-private zone firewall templatesPing Semi-private high security firewall rulesSemi-private medium security firewall rules Semi-private VPN-only security firewall rules Semi-private low security firewall rulesDMZ high and medium security firewall rules DMZ zone firewall templatesDMZ low security firewall rules Management high, medium, and low security firewall rules Management zone securityConverged Network Anaylyzer template CNA-RT Converged network analyzer firewall rulesAlarms Aggressive modeCertificate Authority Service DNSCertificates CertificateDyna Policy Dynamic VPNsEncapsulation Extranet securityMask Pairs Lifetime, KeyMIB Enterprise Non-EnterprisePacket Filter OakleyPerfect Forward SecrecySplit Tunneling Smart CardTriple DES User GroupsIndex DOS 254 55, 97, 115, 129 PAP Radius ToS, marking 193 Zone, public zone, public-backup