VPNmanager Confi guration Guide
Copyright 2005, Avaya Inc All Rights Reserved
Declarations of Conformity
Page
Contents
Using VPNmanager
Setting up the network
Configuring IP Groups
Configuring user groups 129
Establishing security 163
Using advanced features 199
Contents
Monitoring your network 245
Glossary 313 Index 319
What Products are Covered
VPNmanager Overview
Secure VPN Configuration
Network-wide Visibility and Control
Intranet and Extranet Support
No Special Consoles Required
Using VPNmanager Help
Related Documentation
How This Book Is Organized
Complementary to Snmp Management Tools
Preface
Contacting Technical Support
Preface Avaya VPNmanager Configuration Guide Release
Components of the Avaya security solution
Security gateways
VPNremote Client software
VPNmanager software
Overview of the VPN management hierarchy
Domain hierarchy
Preparing to configure your network
Security gateway
Network zones Media type SG5 and SG5X SG200 SG203 SG208
Remote users and user groups
IP groups
Static Routes
Security policies
Denial of Service
Firewall policies
VoIP
QoS
Additional features
NAT
Sequence to configure your VPN
Syslog
Client IP address pooling
SSL for Directory Server
Sequence to configure your VPN
Page
About VPNmanager administrators
Role Based Management
To add an administrator
To configure an administrator to be an SNMPv3 admin
Log into the VPNmanager console
Add a policy server
Navigating the main window
Open Domain
File menu
VPNmanager console main window
File MenuNew Object list New object Objects Description
View menu
Edit menu
New object Objects Description
Tools menu
Toolbar
Help menu
Toolbar commands Description Commands
Icons on toolbar
Network Diagram View
VPN view pane
Tiled View
Tree View
Configuration Console window
Alarm monitoring pane
Configuration Console Menu bar
Configuration console window
Policy Services
NAT
Update Devices
Contents pane
Toolbar
Details pane
Preferences
General tab
Dyna Policy Defaults User
Dyna Policy Defaults Global
Dyna Policy Authentication
Preferences, Dyna-Policy Global Tab
Advanced
Remote Client
Alarm/Monitoring
TEP Policy
Tunnel End Point Policy
Page
New VPN Domain
To create a new domain
Select Level of security
Creating a new security gateway
Configuring a security gateway
To create a new security gateway
Setting up the network
Using Device tabs to configure the security gateway
Device tabs by release Tab All VPNos Releases Earlier Later
Snmp
Device General tab
Memo tab
To create a memo
DNS tab
DNS tab
DNS Relay Configuration area, click Add
To add a DNS Relay
Configuring the DNS tab for VSU at VPNos 4.2 or earlier
To add a static DNS server
To add a DNS server address
To edit an existing server address
Interfaces tab
To delete a DNS server address
Interface tab
Network zones Media SG5 SG200 SG203 SG208 Type
Ethernet2 Unused Public backup Private Semiprivate
Using Device tabs to configure the security gateway
Options for IP addressing for interface zones
Static addressing
Dhcp addressing
Manage-ment Address assigned
Point-to-Point Protocol Over Ethernet PPPoE Client
Local Dhcp Server
Wins
To change the media interface configuration
Dhcp Relay
Static
Changing network interfaces
Media interface configuration dialog
To add an IP device to the security gateway
To add an IP telephony device to the security gateway
Private port tab
Private port tab with VPNos 4.2 or VPNos
Adding an IP Device Configuration
IP Device Configuration with VPNos 4.2 or VPNos
To add an IP Device
Device users tab
None
Network Object tab
To add a device account user
Routing
Device Network Objects tab
To build a routing table using the default gateway
Default Gateway for VPN Traffic VPNos
Common Default Gateway for VPN Traffic topology
To build a RIP table
Policies tab, NAT services
About NAT types for VPNos
Configuring NAT VPNos
Priority of NAT types
To edit a NAT rule
To add a NAT rule VPNos
To delete a NAT rule
About NAT types for VPNos
NAT applications
Accessing the Internet from private networks
Access the Internet from private Networks
Setting up VPN with overlapping private addresses
Setting Up a VPN with Overlapping private Addresses
Using NAT to support multiple gateway configurations
Using NAT to Support Multiple Gateways
Interface for VPNos
Add NAT Rule VPNos 4.2 or earlier
To configure a NAT rule
Original
Tunnel NAT rules
To add a tunnel NAT rule
Creating a New IP Group
About IP Groups
To create a new IP Group
New IP Group
IP Group General tab
IP Group General tab
Add IP Group member
Configuring an IP Group
Configuring an IP Group that connects to an extranet
To configure an IP Group that is associated with an extranet
Delete
Memo
Configuring remote access users
Default client configuration
Using dyna-policy
User Dyna-Policy tab
Configuring a global dyna-policy
Dyna-Policy Defaults User tab
VPN configuration files on remote user’s computer
Dyna-Policy Defaults Global tab
Disable split tunneling
Dyna-Policy Authentication tab
Local authentication
Radius authentication
Ldap authentication
Dynamic VPNs VPNos
Client DNS resolution redirection
Remote Client tab
Remote Client inactivity connection time-out VPNos
Send Syslog messages
Configure a default CCD with global dyna-policy
Creating new user object
Default user
About creating individual dynamic-policy
User General tab
To create a new user object
Dyna-Policy tab
User General tab
Reset User Directory Password. The user’s password is reset
Actions tab
Configuring a remote user object
User Advanced tab
Information for VPNremote Client users
Using Policy Manager for user configuration
Client IP address pool configuration
Using local authentication
Using Radius authentication VPNos 3.X and VPNos
Add Client IP address pool
Add Client DNS
Configuring client attributes
To configure the Client IP configuration
Add Client Wins
Creating a message
Enforce brand name
Policy Manager for client attributes
RADIUS/ACE Services
Enable RADIUS/ACE
Settings
Radius concepts
Authenticating secret password
Radius protocol
Add RADIUS/ACE server
Radius server data
To add a Radius server
RADIUS/ACE
Configuring remote access users
New user group
To create a user group
User Group General tab
User Group Memo tab
Configuring a user group
To configure a user group
Move to the Configuration Console window
User Group Actions tab
Configuring user groups
Types of VPN objects
Skip VPNs
IKE VPNs
VPN packet processing modes
Default VPN policy
Creating a default VPN
To create a default VPN within a selected domain
Creating a new VPN object
To create a new VPN object
Creating a designated VPN
Create a new VPN Object, see Creating a new VPN object on
Using the VPN tabs
General tab with IKE
General tab with Skip
Members-Users tab
Members-IP Groups tab
Security IKE tab
VPN, Members IP Groups Tab
SHA1
Field Description
Security IPSec
Pre-Shared Secret
IPSec Proposals
Add IPSec proposal
Authentication
Field Description Encryption
Field Description Lifetime
VPN configuration
Export
Rekey site-to-site VPN
Advanced VPN tab
Rekey
Configuring a Skip VPN
To configure a new Skip VPN object
Configuring a Skip VPN
Configuring an IKE VPN
To configure a new IKE VPN Object
Configuring an IKE VPN
Configuring VPN objects
Configuring an IKE VPN
Enabling CRL checking
Enabling CRL checking
Exporting a VPN object to an extranet
Click Update Devices
To remove the CRL from the VSU
VPN Object export checklist
VPN Object Export Checklist Task
Export procedure
To export a VPN Object
Importing a VPN object from an extranet
Open the Configuration Console window
To import a VPN Object data file
Rekeying a VPN object
To rekey a Skip VPN Object
Firewall rules set up
Levels of firewall policy management
Firewall rules
Domain level firewall rules
To create domain level firewall rules
Device level firewall rules
To create device level firewall rules
Priority of Firewall rules versus NAT rules
Security Gateways and FTP
To add a new firewall rule for FTP-control or passive FTP
Firewall templates
To add a new firewall rule for active FTP
User defined templates
Predefined templates
To create a user-defined firewall template
Select Template, Device, or None Parameter Description
Services
Services property
Device Group
Denial of Service
To create a device group object
Denial of Service
Voice Over IP
Using the IP Trunking Call Model
To select or deselect DOS categories
To enable VoIP and add IP Trunking
Voice Over IP
Using the Gatekeeper Routed Call Model
Voice over IP tab
Add gatekeeper settings
To enable VoIP and add gatekeeper settings
QoS policy and QoS mapping
QoS Policy
QoS policy and QoS mapping
To add a QoS policy
QoS policy
Modify QoS bandwidth. burst and Dscp value screen
QoS mapping
Packet Filtering
Mapping QoS policies
Packet Filtering and NAT
What can be filtered
Traffic types that can be filtered
Permit/Deny non-VPN traffic Radio Buttons
Policy Manager, Packet Filtering/QoS
Add Packet Filtering Policy
From/Where
To Where
Filtering Policy in progress
Locating this filtering policy
Running the packet filtering policy wizard
Starting and stopping filtering services
To start or stop filtering services
Running the Policy Manager for packet filtering
Managing the ACL
Configuring advanced filtering options
To configure advanced filtering options
ACL commands Command Description
To edit, change the sequence, or delete a filtering policy
Marking packets for differentiated services QoS
Packet Filter rule-advanced options Option Description
About Differentiated Services
How a VSU marks packets
How to create a packet marking rule
Types of marking rules
To create a packet marking rule
IP packet marking information Description
Parameters used in a Packet Marking Rule Description
Packet filtering firewall
Policy Manager for firewalls
Add firewall policy
To use the firewall policy management
To add a firewall policy
Parameter Description
Establishing security
Using advanced features
Device Advanced
ARP
Path MTU Discovery
You would then want to
To configure the Path MTU Discovery
Enter the Path MTU Timeout value
NAT Traversal
Port for Secure Authentication
Port for dyna-policy download
Private IP Address VPNos
To change the port number
Select the Enable Private IP Address check box
Send Device Names
To add a private IP address
To select a VSU name distribution method
SuperUser Password VPNos
Tunnel Persistence
VSU Tunnel Persistence
TEP Policy
Servers
Add servers
To create a backup server
To edit, change the sequence, or delete a backup server
Add Directory Server Commands Description
Managing the server list
Servers list commands Command Description
Resilient Tunnel
Tunnel Switching
Primary and Resilient Tunnels
Creating a resilient tunnel
Resilient Tunnel tab for a security gateway Object
Prerequisites
Add resilient tunnel
To create a resilient tunnel
Managing the resilient tunnel list
Stopping and starting resilient tunnel services
Primary end-point service
Secondary end-point service
Move to the Configuration Console window. Select Devices
Failover TEP
Failover TEP tab for a security gateway object
To configure failover TEP
Configuring failover TEP
Advanced Action
Reset password
Switch Flash
Disable Fips
High Availability
High Availability
Advanced parameters
Virtual addresses
Select the Deny all non VPN traffic radio button
Members
Configuring high availability
Creating a High Availability Group
To update HA VSUs
Updating a high availability group using Update Device
Deleting a high availability group
Failover
Failover Tab
To configure failover
Configuration is as follows
Failover connectivity checks in 10-second intervals
Set consecutive no responses
To set up failover reconnect
Failover reconnect
Converged Network Analyzer Test Plug
Select the CNA Test Plug Services interface
Enter the test request port value
Keep Alive
To configure keep alive
Keep alive tab
Policy Manager My Certificates
About VSU certificates
Creating and Installing a Signed Certificate
Installing a Signed Certificate into a VSU
To install a signed certificate into a VSU
Policy Manager for My Certificates
Switching certificates used by VPNmanager Console
To switch certificates
Issuer certificates
About Issuer Certificates
Installing an issuer certificate
To install an Issuer Certificate into a VSU target
An Example of an Issuer Certificate
IKE Certificate Usage
About Certificate Usage Exchange
Assigning a Target for a Certificate
To assign a target for a certificate
Click Add to open the Add IKE Certificate Policy
Policy Manager My Certificates
Page
Using Snmp to monitor the device
Monitoring your network
To add Snmp trap targets
Snmp Tab for a security gateway Object
Adding Admin Users for SNMPv3
Configuring Snmp for a security gateway
VPN active sessions
To delete Snmp trap targets
Syslog Services
Policy Manager for Syslog Services
To run Syslog services
Add Syslog Policy
Enterprise MIB
Using Monitor
Monitoring wizard
Using Monitor
Log Group Parameters Description
System Group Parameters
ActiveSessions Parameters Description
Address Table Parameters Description
IpRouteTable Parameters
IpRouteTable Parameters Description
IpRouteTable Parameters Description
FilterStats Parameters
FilterStats Parameters Description
FilterStats Parameters Description
FilterStats Parameters Description
FilterStats Parameters Description
FilterStats Parameters Description
Filter Rules Parameters
Active Ports Parameters Description Group
Traffic Rate Table Parameters
Traffic Rate Table Parameters Description
Overview Statistics Table Parameters
Overview Statistics Table Parameters Description
Ethernet Statistics Table Parameters
Define Custom
Ethernet Statistics Table Parameters Description
Monitoring wizard Presentation
Monitoring alarms
Presentation
Alarm Types
Alarm Descriptions Alarm Type
Report Wizard
To create a report using the report wizard
Generating the report
Report Sample
Device diagnostics
Diagnostic Reports Report Type Description
Diagnostic Reports Report Type Description
Using the Management tab
Setting Up SSH and Telnet
Changing device administrator’s passwords
To set up SSH or Telnet
Using the Connectivity tab
To reset the passwords
Check connectivity by ping
Connectivity tab for a security gateway Object
Using the Device Actions tab
Check Connectivity by Proxy Ping
To directly ping a specific security gateway
To proxy ping a specific security gateway
Reset Device Time
Update Configuration
Reboot Device
Re-setup Device
Import Device Configuration
To import configuration data for a device
Ethernet Speed
Redundancy
Network Interface Status
Switching
Importing and exporting VPN configurations to a device
Export VPN
Exporting Radius
Device management
Upgrading firmware and licenses
Centralized firmware management
Device Upgrade tab
Upgrading a security gateway’s firmware
To upgrade a security gateway’s firmware
Select Save this file to disk. Click OK
License
Encryption Strength
Remote Access VSU-100 Only
Open
Page
When to Configure your VPNmanager for SSL
Installing Certificates for Running SSL
To install a certificate in VPNmanager Console
To view all the installed issuer’s certificates
To delete an installed issuer’s certificates
Windows NT and Windows 2000 Computers
To install the issuer’s certificate into a security gateway
Installing the Issuer’s Certificate into a security gateway
Solaris OS Computers
Using SSL with Directory Server
Appendix B Firewall rules template
General
Public zone firewall templates
Public high and medium security firewall rules
Telnet
Ikein
Public low security firewall rules
Public VPN-only firewall rules
Private zone firewall templates
Private high security firewall rules
Private medium security firewall rules
Semi-private zone firewall templates
Private low security firewall rules
Semi-private high security firewall rules
Ping
Semi-private medium security firewall rules
Semi-private low security firewall rules
Semi-private VPN-only security firewall rules
DMZ zone firewall templates
DMZ high and medium security firewall rules
DMZ low security firewall rules
Converged Network Anaylyzer template
Management zone security
Management high, medium, and low security firewall rules
Converged network analyzer firewall rules
CNA-RT
Aggressive mode
Alarms
Service DNS
Certificate Authority
Certificates
Certificate
Dynamic VPNs
Dyna Policy
Encapsulation
Extranet security
Lifetime, Key
Mask Pairs
MIB Enterprise
Non-Enterprise
Oakley
Packet Filter
Perfect Forward
Secrecy
Smart Card
Split Tunneling
Triple DES
User Groups
Index
DOS
254
55, 97, 115, 129
PAP
Radius
ToS, marking 193
Zone, public zone, public-backup