Manuals / Nortel Networks / Computer Equipment / Network Router

Nortel Networks NN46110-602 manual Configuring the VPN Router as a branch office tunnel

Models: NN46110-602

1 230

Download 230 pages 7.59 Kb

Page 219

Appendix D Configuring for interoperability 219

(are correctly decrypted, and authenticated) are accepted; other packets are dropped. If any attempt is made to change the station address of the client, the tunnel is automatically closed. Third-party clients do not necessarily have this security.

•Tight integration with MS-DUN and IPASS—This allows one-click access that dials and authorizes the ISP connection and then creates the VPN connection automatically. This makes it significantly easier for the end user. Third-party clients typically do not have this ease-of-use feature.

•High end PKI integration—The VPN Router integrates software from the leading certificate vendors, for a high-end managed PKI implementation. Managed PKI features like automated enrollment and automatic renewal are critical for large-scale rollouts. Other clients have loose or no integration for managed PKI and rely on the features of a browser or simple cut-and-paste methods. This is not available with third-party clients when used with the VPN Router, even if the client has the support built in.

Configuring the VPN Router as a branch office tunnel

To configure the VPN Router as a branch office tunnel:

1Select Profiles > Branch Office and click Define Branch Office Connection.

The Branch Office > Define Connection window appears.

2For the local endpoint address, select the address of the local VPN Router from the list.

3For the remote endpoint address, enter the address of the remote VPN Router that forms the opposite end of the branch office connection.

4Set the tunnel type to IPsec.

5Depending on what your third-party clients support, you can use either pre-shared key or digital certificate authentication. Click to enable the user name and password to authenticate user identity. The user name is the user’s IP address and the password can be any password. Match the preshared secret with the client shared secret.

6Click RSA Digital Signature to enable certificate authentication if your third-party client supports RSA Digital Signature authentication. You must

Nortel VPN Router Troubleshooting

Image 219

Nortel Networks NN46110-602 manual Configuring the VPN Router as a branch office tunnel

Contents

Nortel VPN Router Troubleshooting Statement of conditions Copyright 2007 Nortel Networks. All rights reservedTrademarks Restricted rights legendNortel Networks Inc. software license agreement Nortel VPN Router TroubleshootingGeneral Contents Chapter Status and logging Chapter Troubleshooting Chapter Packet capture Appendix a MIB support Appendix B Using serial PPP Index Contents NN46110-602 Figures Figures NN46110-602 Tables Tables NN46110-602 Text conventions Before you beginItalic text Acronyms L2TP Related publications Finding the latest updates on the Nortel Web site Hard-copy technical manuals How to get helpGetting help from the Nortel Web site Getting help over the phone from a Nortel Solutions CenterGetting help through a Nortel distributor or reseller New in this release FeaturesAutomatic backups Pcap enhancementsSnmp interface index enhancement Administrator settings Chapter VPN Router administrationVPN Router administration Tools Dynamic passwordFile management System configurationSimple Network Management Protocol Snmp VPN Router administration Admin Snmp Traps window Click Enable for User IP Address PoolTo configure the amount Chapter Status and logging Reports SessionsSystem Health checkStatistics Accounting records AccountingData collection task Radius accountingTimestamp Event log LogsEvent logs Select Status Event LogCapture and display filters Configure Display Entity Security log System logConfiguration log Shutdown Chapter Administrative tasksRecovery Accessing the diskette driveUsing the recovery diskette Recovery Diskette window Software/backup/v101/SN01001 Administrative tasks Automatic backups Select Admin Auto Backup Using the GUI for automatic backupTransferring backup files through Sftp Triggering a backup when a file or directory changesAutomatic Backup window appears. Figure Click Configure Specific Backup To overwrite a file, click Overwrite files at destination Specific Automatic Backup windowUsing the CLI for automatic backup Stopping the backup of specific files and directories Backing up specific files and directoriesBacking up changes to specific files or directories Stopping the transfer of backup files using Sftp Using Sftp to transfer backup filesDisabling new logins Select Admin Shutdown Click Disable new logins. FigureUpgrading the software Checking available disk space Select Admin File SystemCreating a control tunnel to upgrade from a remote location Creating a recovery diskette Select Admin Recovery and click Create DisketteBacking up system files Retrieving the new software Select Admin UpgradesFTP menu example Internal Radius Accounting Interim Radius Accounting Record Before completing the upgradeAfter you upgrade the software Select Admin Shutdown and deselect Disable new loginsApplying the software Administrative tasks Chapter Troubleshooting Client-based tools Troubleshooting toolsOther tools System-based toolsDiagnosing client connectivity problems Solving connectivity problemsCommon client connectivity problems Maximum number of sessions reached Login not allowed at this timeAuthentication failed Remote host not respondingOther IPsec errors No proposal chosenExtranet connection lost Problems with name resolution using DNS services Cannot browse the network with NetBEUI Network browsing problemsTroubleshooting Diagnosing WAN link problems Check the T1/V.35 interface Check the PPP layer Check the Hdlc framingHardware encryption accelerator connectivity Solving performance problemsPerformance tips for configuring Microsoft networking Eliminating modem errorsWhat should be configured on the Pptp or IPsec client? What Wins settings are recommended? Why should Wins settings be different for extranet access?What can you try on the Wins server when it is not working? Can I control which machine is the master browser? Why are subnet masks important? What should I do about subnets? Why cant I browse another client in a different tunnel? Troubleshooting Additional information Web browser problems and the VPN Client Manager Solving general problemsLong delays when Web browsing Enabling Web browser optionsImproving performance with Internet Explorer Clearing cache Web browser error messagesClearing your Web browser cache when upgrading Internal error messageInternet Explorer 4.0 multiple help windows New administrator login ignoredExcess resource consumption using Internet Explorer Document not found messageDistorted background images Reporting a problem with a Web browserSystem problems Power failureSelect Servers Ldap Click Stop Server Group and user profile settings not savedClient address redistribution problems Solving routing problemsAction Close the Stateful Firewall Manager Solving firewall problemsAn error occurred while parsing the policy An error occurred while communicating with the VPN RouterAuthorization failed. Please try again Contents of the database may have changedUnable to communicate with the VPN Router System files were not loaded properly ActionDeselect Cache JARs in Memory Troubleshooting NN46110-602 Chapter Packet capture Pcap features File format Security featuresCapture types Physical interface capturesTunnel captures Global IP captures Filters and triggers Capture filtersTriggers Memory considerations Saving captured dataPerformance considerations Enabling packet capture on a VPN Router Serial main menu appears Enter Privileged Exec modeCapturing packets to disk file Setting the Pcap file pathSetting the size of the RAM buffer Setting the size of a disk capture fileSetting the maximum number of disk capture files Configuring and running packet capture objects Saving captured dataCreating a capture object Configuring a capture object CES#capture ether0 Tunnel capture parameters Starting, stopping, and saving capture objects Using the show capture command to display capture statusCES# show capture Sample packet capture configurations Interface capture object using a filter and directionExit Capture Configuration mode CES#show capture test-filter-in Interface capture object using triggersCES#capture test-trigger start CES#show capture test-trigger Capture state Stopped by stop Tunnel capture object using a remote IP addressInstalling Ethereal software Viewing a packet capture output file on a PCLocate the Microsoft Windows row and click local archive Saving, downloading, and viewing Pcap files Click ethereal-setup-n.nn.n.exeGlobal IP capture Viewing a Pcap file with Sniffer ProClick Tools Options Protocol Forcing Deleting capture objects and disabling packet captureCES# no capture test-trigger Packet capture NN46110-602 RFC 1850-OSPF Version 2 Management Information Base Snmp RFC supportNovell IPX MIB Novell RIP-SAP MIBRFC 1724-RIP Version 2 MIB Extension RFC 1213-Network Management of TCP/IP-Based InternetsRFC 2667-IP Tunnel MIB RFC 2737-Entity MIB RFC 2787-VRRP MIBRFC2790-Host Resources MIB RFC 1573-IanaIfType MIBRFC 2233-If MIB RFC 2571-Snmp-Framework MIBRFC2495-DS1 MIB VPN Router MIB RFC2863 Interface MIB 64 bit counters supportTRAP-TYPE Cestraps.mib-Nortel proprietary MIBVariables Newoak.mib Hardware-related traps Appendix a MIB support Appendix a MIB support Appendix a MIB support Server-related traps Appendix a MIB support Software-related traps Login-related trapsSystem-related traps Intrusion-related trapsInformation passed with every trap Provides trap categories and explanations Provides descriptions for the VPN Router traps Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions Attached Failed Please note that X corresponds to Is not reachable and at least one Appendix a MIB support Appendix a MIB support VPN Router traps MIB descriptions IfReasonForStatus-ces-reason for the change in status Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Establishing a serial PPP connection Appendix B Using serial PPPDouble-click the Microsoft Dial-Up Networking icon Setting up a Dial-Up Networking connectionSetting up the VPN Router Setting up the modemSelect System Settings Appendix B Using serial PPP Actions Troubleshooting Serial PPPDialing in to the VPN Router CauseAction PPP option settings Appendix B Using serial PPP NN46110-602 Error removing CA certificate file Installed new CA certificate from fileCertificate messages TCert X.509 certificates disabled in flash memory TCert Shutdown completeTCert task creation failed Isakmp 13 No proposal chosen in message from xxx a.b.c.d Isakmp messagesIsakmp 13 Authentication failure in message from xxx a.b.c.d No response from client-logging out Isakmp 13 xxx a.b.c.d has exceeded idle timeout-logging outBranch office messages Couldnt install route for remxxx@xxxChild cert xxx not valid signature by xxx SSL messagesChecking chain invalid parent cert Checking chain invalid child certFailed to start Configuration file xxx does not existDatabase messages No matching trusted CA certsAuthServer ldap inconsistent no server type in entry Ldif file could not restoreSecurity messages Account xxxxxx uid xxx not found in accountConn backlog reached, possible SYN attack Security store new system IP address xxx failed-xxxSecurity store new system name xxx failed-xxx Security store new system subnet mask xxx failed-xxx Error copying entry xxx toError copying subentries of xxx to Error copying tree xxx toLocalAuthServer failed remove-xxx Error deleting entryError deleting tree SchemaCls Database schema not availableSession xxxxxx session rejected-system is initializing Session xxx uid invalid-authentication failedSession xxxxxx invalid uid-authentication failed Xxx xxx being referenced bySession xxxxxxxxx AddLink failed xxx current links Session xxxxxxxxx xxx auth method not allowedSession xxxxxxxxx account has max links Session xxxxxxxxx L2TP host xxx account misconfiguredSession xxxxxxxxx account is disabled Session xxxxxxxxx IP address assignment failedSession xxxxxxxxx authentication failed using Session xxxxxxxxx account not allowed nowSession xxxxxxxxx connect Qos level xxx full Session xxxxxxxxx only one session/static address allowed Session xxxxxxxxx login rejected new logins disabledDisable logins after restart checkbox is selected Session xxxxxxxxx no memory free xxx thresholdSession xxxxxxxxx system has max sessions Session xxxxxxxxx pool address xxx already in useSession xxxxxxxxx session directed to use server Session xxxxxxxxx static address xxx already in useRadius accounting messages Radius no reply from server server-nameport numberRadius server-name server timed out Radius server-name server failed Indicated packet length too largeNon-matching ID in server response Radius user-name accounting record sent to server-name OK Unsupported response type number received from serverReceived bad attribute type from server Response OKRadius authentication messages Login failure due to Server network connection failureRadius no reply from Radius server server-nameport number Radius server-name server timed out authenticating user-name Non-matching id in server response Radius server-name sent challenge for user-name Radius server returned access challengeRadius access challenge received Radius server rejected accessRouting messages Radius user-name access Denied by server server-nameRadius user-name access OK by server server-name Ospf DisabledOspf Enabled Closing OSPF-RTM connectionOpened OSPF-RTM connection VR xxx Starting xxx as Master for Can not accept x.x.x.x as router idLoadOspfAreas Failed LoadOspfIntf FailedVR xxx Starting xxx as Backup for VR xxx Starting xxx as master delayed Backup forVR xxx Shutting down xxx on RIP xxx Cant alloc main node Unable to get configuration for VRRIP xxx RIP Enabled RIP xxx RIP DisabledRIP xxx bind RIP socket xxx failed RIP xxx Circuit xxx deletedRIP xxx Unable to register with UDP RIP xxx setsockopt RIP socket xxx Sorcvbuf xxx failedInterface nnn replaced, resetting config RIP xxx Unable to spawn timer task xxx for RIPRIP xxx cid xxx mismatched auth password from Interface nnn not present, deleting from configHWAccel nnn not present, deleting from config Interface nnn replaced, deleting from configAppendix C System messages NN46110-602 Configuring the Cisco 2514 router, Version Appendix D Configuring for interoperabilityVPN Router and Cisco 2514 network topology NN46110-602 Following is a show config command Configuring the VPN Router for Cisco interoperability Appendix D Configuring for interoperability Mask Connecting to IRE SafeNET/Soft-PK Security Policy ClientClick Pre-Shared Key 10.42SafeNet/Soft-PK Security Policy Editor dialog box appears Go to Profiles Networks and click Edit Configuring the VPN Router for IRE interoperabilityEncapsulation Protocol ESP SA Life Seconds and 3000 SecondsThird-party client installation Considerations for using third-party clients Appendix D Configuring for interoperability Configuring the VPN Router as a branch office tunnel Set Perfect Forward Secrecy PFS to match the client side Configuring the VPN Router as a user tunnelTo configure the VPN Router as a user tunnel Configuring IPX IPX client Windows NT IPX group configurationSample IPX VPN Router topology Windows 95 and WindowsIPX topology Nortel VPN Router Troubleshooting Appendix D Configuring for interoperability NN46110-602 Index Index Pptp Wins