Third-party client installation | Nortel Networks NN46110-602

216 Appendix D Configuring for interoperability

9For some vendors, if you want to turn off Vendor ID and/or Perfect Forward Secrecy (PFS), do that on the Profiles > Groups > IPsec: Configure window.

Third-party client installation

The VPN Router supports third-party IPsec clients and includes support for the following:

•Authentication using either pre-shared authentication (using IKE Aggressive mode) or digital signature certificate authentication (using IKE Main mode) into a VPN Router’s remote access user’s IPsec account for third-party IPsec clients.

•Client address assignment used within the IPsec tunnel formed as a result of the Quick Mode negotiation. The client’s external IP address or a pre-arranged internal IP address is used as the address that is negotiated during the IKE Quick Mode exchange.

•Split tunneling with third-party IPsec clients, such that if you enable split tunneling on the VPN Router, then the subnet that the client specifies as the VPN Router’s identity within the tunnel during IKE Quick Mode must be listed as one of the split tunnel networks for the Quick Mode proposal to be accepted. If you do not enable split tunneling, then the VPN Router identity that the client specifies for Quick Mode can be any value that the client chooses.

Depending on the third-party client that you use, you must configure either a branch office tunnel or a user tunnel. For example, the VPN Router was configured and tested with the LINUX* FreeS/WAN client. If you are using the FreeS/WAN LINUX client, you must configure your user and the VPN Router as a branch office tunnel. If you are using another client that supports IPsec Aggressive mode, you can configure your VPN Router as a user tunnel.

NN46110-602

Image 216

Nortel Networks NN46110-602 manual Third-party client installation

Contents

Nortel VPN Router Troubleshooting Copyright 2007 Nortel Networks. All rights reserved TrademarksRestricted rights legend Statement of conditions Nortel VPN Router Troubleshooting Nortel Networks Inc. software license agreement General Contents Chapter Status and logging Chapter Troubleshooting Chapter Packet capture Appendix a MIB support Appendix B Using serial PPP Index Contents NN46110-602 Figures Figures NN46110-602 Tables Tables NN46110-602 Before you begin Text conventions Italic text Acronyms L2TP Related publications Hard-copy technical manuals How to get help Finding the latest updates on the Nortel Web site Getting help over the phone from a Nortel Solutions Center Getting help from the Nortel Web site Getting help through a Nortel distributor or reseller Features New in this release Automatic backups Pcap enhancementsSnmp interface index enhancement Chapter VPN Router administration Administrator settings VPN Router administration Dynamic password Tools System configuration File management Simple Network Management Protocol Snmp VPN Router administration Click Enable for User IP Address Pool Admin Snmp Traps window To configure the amount Chapter Status and logging Sessions Reports System Health checkStatistics Accounting Accounting records Radius accounting Data collection task Timestamp Logs Event log Select Status Event Log Event logs Capture and display filters Configure Display Entity System log Security log Configuration log Chapter Administrative tasks Shutdown Recovery Accessing the diskette driveUsing the recovery diskette Recovery Diskette window Software/backup/v101/SN01001 Administrative tasks Automatic backups Using the GUI for automatic backup Transferring backup files through SftpTriggering a backup when a file or directory changes Select Admin Auto Backup Automatic Backup window appears. Figure Click Configure Specific Backup Specific Automatic Backup window To overwrite a file, click Overwrite files at destination Using the CLI for automatic backup Stopping the backup of specific files and directories Backing up specific files and directoriesBacking up changes to specific files or directories Using Sftp to transfer backup files Stopping the transfer of backup files using Sftp Disabling new logins Select Admin Shutdown Click Disable new logins. FigureUpgrading the software Select Admin File System Checking available disk space Creating a control tunnel to upgrade from a remote location Creating a recovery diskette Select Admin Recovery and click Create DisketteBacking up system files Select Admin Upgrades Retrieving the new software FTP menu example Before completing the upgrade Internal Radius Accounting Interim Radius Accounting Record After you upgrade the software Select Admin Shutdown and deselect Disable new loginsApplying the software Administrative tasks Chapter Troubleshooting Troubleshooting tools Client-based tools System-based tools Other tools Solving connectivity problems Diagnosing client connectivity problems Common client connectivity problems Login not allowed at this time Authentication failedRemote host not responding Maximum number of sessions reached Other IPsec errors No proposal chosenExtranet connection lost Problems with name resolution using DNS services Network browsing problems Cannot browse the network with NetBEUI Troubleshooting Diagnosing WAN link problems Check the T1/V.35 interface Check the Hdlc framing Check the PPP layer Solving performance problems Performance tips for configuring Microsoft networkingEliminating modem errors Hardware encryption accelerator connectivity What should be configured on the Pptp or IPsec client? Why should Wins settings be different for extranet access? What Wins settings are recommended? What can you try on the Wins server when it is not working? Can I control which machine is the master browser? Why are subnet masks important? What should I do about subnets? Why cant I browse another client in a different tunnel? Troubleshooting Additional information Solving general problems Web browser problems and the VPN Client Manager Long delays when Web browsing Enabling Web browser optionsImproving performance with Internet Explorer Web browser error messages Clearing your Web browser cache when upgradingInternal error message Clearing cache New administrator login ignored Excess resource consumption using Internet ExplorerDocument not found message Internet Explorer 4.0 multiple help windows Reporting a problem with a Web browser System problemsPower failure Distorted background images Group and user profile settings not saved Select Servers Ldap Click Stop Server Solving routing problems Client address redistribution problems Solving firewall problems An error occurred while parsing the policyAn error occurred while communicating with the VPN Router Action Close the Stateful Firewall Manager Authorization failed. Please try again Contents of the database may have changedUnable to communicate with the VPN Router System files were not loaded properly ActionDeselect Cache JARs in Memory Troubleshooting NN46110-602 Chapter Packet capture Pcap features Security features File format Capture types Physical interface capturesTunnel captures Global IP captures Filters and triggers Capture filtersTriggers Saving captured data Memory considerations Performance considerations Enabling packet capture on a VPN Router Enter Privileged Exec mode Serial main menu appears Setting the Pcap file path Capturing packets to disk file Setting the size of the RAM buffer Setting the size of a disk capture fileSetting the maximum number of disk capture files Configuring and running packet capture objects Saving captured dataCreating a capture object Configuring a capture object CES#capture ether0 Tunnel capture parameters Using the show capture command to display capture status Starting, stopping, and saving capture objects CES# show capture Sample packet capture configurations Interface capture object using a filter and directionExit Capture Configuration mode Interface capture object using triggers CES#show capture test-filter-in CES#capture test-trigger start Tunnel capture object using a remote IP address CES#show capture test-trigger Capture state Stopped by stop Installing Ethereal software Viewing a packet capture output file on a PCLocate the Microsoft Windows row and click local archive Click ethereal-setup-n.nn.n.exe Saving, downloading, and viewing Pcap files Viewing a Pcap file with Sniffer Pro Global IP capture Deleting capture objects and disabling packet capture Click Tools Options Protocol Forcing CES# no capture test-trigger Packet capture NN46110-602 Snmp RFC support Novell IPX MIBNovell RIP-SAP MIB RFC 1850-OSPF Version 2 Management Information Base RFC 1724-RIP Version 2 MIB Extension RFC 1213-Network Management of TCP/IP-Based InternetsRFC 2667-IP Tunnel MIB RFC 2787-VRRP MIB RFC 2737-Entity MIB RFC 1573-IanaIfType MIB RFC 2233-If MIBRFC 2571-Snmp-Framework MIB RFC2790-Host Resources MIB RFC2495-DS1 MIB RFC2863 Interface MIB 64 bit counters support VPN Router MIB Cestraps.mib-Nortel proprietary MIB TRAP-TYPE Variables Newoak.mib Hardware-related traps Appendix a MIB support Appendix a MIB support Appendix a MIB support Server-related traps Appendix a MIB support Login-related traps Software-related traps Intrusion-related traps System-related traps Information passed with every trap Provides trap categories and explanations Provides descriptions for the VPN Router traps Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions Attached Failed Please note that X corresponds to Is not reachable and at least one Appendix a MIB support Appendix a MIB support VPN Router traps MIB descriptions IfReasonForStatus-ces-reason for the change in status Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Appendix B Using serial PPP Establishing a serial PPP connection Setting up a Dial-Up Networking connection Double-click the Microsoft Dial-Up Networking icon Setting up the VPN Router Setting up the modemSelect System Settings Appendix B Using serial PPP Troubleshooting Serial PPP Dialing in to the VPN RouterCause Actions Action PPP option settings Appendix B Using serial PPP NN46110-602 Error removing CA certificate file Installed new CA certificate from fileCertificate messages TCert X.509 certificates disabled in flash memory TCert Shutdown completeTCert task creation failed Isakmp messages Isakmp 13 No proposal chosen in message from xxx a.b.c.d Isakmp 13 Authentication failure in message from xxx a.b.c.d Isakmp 13 xxx a.b.c.d has exceeded idle timeout-logging out No response from client-logging out Couldnt install route for remxxx@xxx Branch office messages SSL messages Checking chain invalid parent certChecking chain invalid child cert Child cert xxx not valid signature by xxx Configuration file xxx does not exist Database messagesNo matching trusted CA certs Failed to start Ldif file could not restore Security messagesAccount xxxxxx uid xxx not found in account AuthServer ldap inconsistent no server type in entry Conn backlog reached, possible SYN attack Security store new system IP address xxx failed-xxxSecurity store new system name xxx failed-xxx Error copying entry xxx to Error copying subentries of xxx toError copying tree xxx to Security store new system subnet mask xxx failed-xxx Error deleting entry Error deleting treeSchemaCls Database schema not available LocalAuthServer failed remove-xxx Session xxx uid invalid-authentication failed Session xxxxxx invalid uid-authentication failedXxx xxx being referenced by Session xxxxxx session rejected-system is initializing Session xxxxxxxxx xxx auth method not allowed Session xxxxxxxxx AddLink failed xxx current links Session xxxxxxxxx L2TP host xxx account misconfigured Session xxxxxxxxx account is disabledSession xxxxxxxxx IP address assignment failed Session xxxxxxxxx account has max links Session xxxxxxxxx authentication failed using Session xxxxxxxxx account not allowed nowSession xxxxxxxxx connect Qos level xxx full Session xxxxxxxxx login rejected new logins disabled Disable logins after restart checkbox is selectedSession xxxxxxxxx no memory free xxx threshold Session xxxxxxxxx only one session/static address allowed Session xxxxxxxxx pool address xxx already in use Session xxxxxxxxx session directed to use serverSession xxxxxxxxx static address xxx already in use Session xxxxxxxxx system has max sessions Radius accounting messages Radius no reply from server server-nameport numberRadius server-name server timed out Radius server-name server failed Indicated packet length too largeNon-matching ID in server response Unsupported response type number received from server Received bad attribute type from serverResponse OK Radius user-name accounting record sent to server-name OK Radius authentication messages Login failure due to Server network connection failureRadius no reply from Radius server server-nameport number Radius server-name server timed out authenticating user-name Non-matching id in server response Radius server returned access challenge Radius access challenge receivedRadius server rejected access Radius server-name sent challenge for user-name Radius user-name access Denied by server server-name Radius user-name access OK by server server-nameOspf Disabled Routing messages Ospf Enabled Closing OSPF-RTM connectionOpened OSPF-RTM connection Can not accept x.x.x.x as router id LoadOspfAreas FailedLoadOspfIntf Failed VR xxx Starting xxx as Master for VR xxx Starting xxx as Backup for VR xxx Starting xxx as master delayed Backup forVR xxx Shutting down xxx on Unable to get configuration for VR RIP xxx RIP EnabledRIP xxx RIP Disabled RIP xxx Cant alloc main node RIP xxx Circuit xxx deleted RIP xxx Unable to register with UDPRIP xxx setsockopt RIP socket xxx Sorcvbuf xxx failed RIP xxx bind RIP socket xxx failed RIP xxx Unable to spawn timer task xxx for RIP RIP xxx cid xxx mismatched auth password fromInterface nnn not present, deleting from config Interface nnn replaced, resetting config Interface nnn replaced, deleting from config HWAccel nnn not present, deleting from config Appendix C System messages NN46110-602 Appendix D Configuring for interoperability Configuring the Cisco 2514 router, Version VPN Router and Cisco 2514 network topology NN46110-602 Following is a show config command Configuring the VPN Router for Cisco interoperability Appendix D Configuring for interoperability Connecting to IRE SafeNET/Soft-PK Security Policy Client Mask 10.42 Click Pre-Shared Key SafeNet/Soft-PK Security Policy Editor dialog box appears Configuring the VPN Router for IRE interoperability Encapsulation Protocol ESPSA Life Seconds and 3000 Seconds Go to Profiles Networks and click Edit Third-party client installation Considerations for using third-party clients Appendix D Configuring for interoperability Configuring the VPN Router as a branch office tunnel Configuring the VPN Router as a user tunnel Set Perfect Forward Secrecy PFS to match the client side To configure the VPN Router as a user tunnel Configuring IPX IPX client IPX group configuration Sample IPX VPN Router topologyWindows 95 and Windows Windows NT IPX topology Nortel VPN Router Troubleshooting Appendix D Configuring for interoperability NN46110-602 Index Index Pptp Wins