Nortel Networks NN46110-602 manual

220 Appendix D Configuring for interoperability

then select a default server certificate from the list. You configure servers from the System > Certificates window.

7Select Profiles > Branch Office, click Edit, scroll down to the IPsec section and click Configure.

The Branch Office window appears.

8Select the encryption type supported by your third-party client.

9Select Enable or Disable for the VendorID.

10Set Perfect Forward Secrecy (PFS) to match the client side.

11In the Rekey Time-outsection, enter the amount of time you want to limit the lifetime of a single key used to encrypt data. The default is 08:00:00 (8 hours).

12In the Rekey Data Count section, you can choose to set a rekey data count depending on how much data you expect to transmit through the tunnel with a single key. The default is 0 KB; a setting of 0 disables this count.

Configuring the VPN Router as a user tunnel

If you have third-party client software that supports Aggressive mode IPsec, you can configure the VPN Router as a user tunnel. You must use either the LDAP database or the certificate authentication. The VPN Router supports both preshared key and RSA digital signature authentication methods and you must specify one of these methods.

Nortel recommends enabling split tunnels for all groups that support third-party clients. If you disable split tunneling, third-party clients can connect only if you configure the group to allow undefined networks. This means that the client can establish IPsec security associations for all networks. If you do not enable split tunneling, you must enable the Allow undefined networks option.

Figure 13 shows a network with a split tunneling environment.

NN46110-602

Image 220

Nortel Networks NN46110-602 manual Configuring the VPN Router as a user tunnel

Contents

Nortel VPN Router Troubleshooting Copyright 2007 Nortel Networks. All rights reserved TrademarksRestricted rights legend Statement of conditions Nortel VPN Router Troubleshooting Nortel Networks Inc. software license agreement General Contents Chapter Status and logging Chapter Troubleshooting Chapter Packet capture Appendix a MIB support Appendix B Using serial PPP Index Contents NN46110-602 Figures Figures NN46110-602 Tables Tables NN46110-602 Before you begin Text conventions Italic text Acronyms L2TP Related publications Hard-copy technical manuals How to get help Finding the latest updates on the Nortel Web site Getting help over the phone from a Nortel Solutions Center Getting help from the Nortel Web site Getting help through a Nortel distributor or reseller Features New in this release Pcap enhancements Automatic backupsSnmp interface index enhancement Chapter VPN Router administration Administrator settings VPN Router administration Dynamic password Tools System configuration File management Simple Network Management Protocol Snmp VPN Router administration Click Enable for User IP Address Pool Admin Snmp Traps window To configure the amount Chapter Status and logging Sessions Reports Health check SystemStatistics Accounting Accounting records Radius accounting Data collection task Timestamp Logs Event log Select Status Event Log Event logs Capture and display filters Configure Display Entity System log Security log Configuration log Chapter Administrative tasks Shutdown Accessing the diskette drive RecoveryUsing the recovery diskette Recovery Diskette window Software/backup/v101/SN01001 Administrative tasks Automatic backups Using the GUI for automatic backup Transferring backup files through SftpTriggering a backup when a file or directory changes Select Admin Auto Backup Automatic Backup window appears. Figure Click Configure Specific Backup Specific Automatic Backup window To overwrite a file, click Overwrite files at destination Using the CLI for automatic backup Backing up specific files and directories Stopping the backup of specific files and directoriesBacking up changes to specific files or directories Using Sftp to transfer backup files Stopping the transfer of backup files using Sftp Select Admin Shutdown Click Disable new logins. Figure Disabling new loginsUpgrading the software Select Admin File System Checking available disk space Creating a control tunnel to upgrade from a remote location Select Admin Recovery and click Create Diskette Creating a recovery disketteBacking up system files Select Admin Upgrades Retrieving the new software FTP menu example Before completing the upgrade Internal Radius Accounting Interim Radius Accounting Record Select Admin Shutdown and deselect Disable new logins After you upgrade the softwareApplying the software Administrative tasks Chapter Troubleshooting Troubleshooting tools Client-based tools System-based tools Other tools Solving connectivity problems Diagnosing client connectivity problems Common client connectivity problems Login not allowed at this time Authentication failedRemote host not responding Maximum number of sessions reached No proposal chosen Other IPsec errorsExtranet connection lost Problems with name resolution using DNS services Network browsing problems Cannot browse the network with NetBEUI Troubleshooting Diagnosing WAN link problems Check the T1/V.35 interface Check the Hdlc framing Check the PPP layer Solving performance problems Performance tips for configuring Microsoft networkingEliminating modem errors Hardware encryption accelerator connectivity What should be configured on the Pptp or IPsec client? Why should Wins settings be different for extranet access? What Wins settings are recommended? What can you try on the Wins server when it is not working? Can I control which machine is the master browser? Why are subnet masks important? What should I do about subnets? Why cant I browse another client in a different tunnel? Troubleshooting Additional information Solving general problems Web browser problems and the VPN Client Manager Enabling Web browser options Long delays when Web browsingImproving performance with Internet Explorer Web browser error messages Clearing your Web browser cache when upgradingInternal error message Clearing cache New administrator login ignored Excess resource consumption using Internet ExplorerDocument not found message Internet Explorer 4.0 multiple help windows Reporting a problem with a Web browser System problemsPower failure Distorted background images Group and user profile settings not saved Select Servers Ldap Click Stop Server Solving routing problems Client address redistribution problems Solving firewall problems An error occurred while parsing the policyAn error occurred while communicating with the VPN Router Action Close the Stateful Firewall Manager Contents of the database may have changed Authorization failed. Please try againUnable to communicate with the VPN Router Action System files were not loaded properlyDeselect Cache JARs in Memory Troubleshooting NN46110-602 Chapter Packet capture Pcap features Security features File format Physical interface captures Capture typesTunnel captures Global IP captures Capture filters Filters and triggersTriggers Saving captured data Memory considerations Performance considerations Enabling packet capture on a VPN Router Enter Privileged Exec mode Serial main menu appears Setting the Pcap file path Capturing packets to disk file Setting the size of a disk capture file Setting the size of the RAM bufferSetting the maximum number of disk capture files Saving captured data Configuring and running packet capture objectsCreating a capture object Configuring a capture object CES#capture ether0 Tunnel capture parameters Using the show capture command to display capture status Starting, stopping, and saving capture objects CES# show capture Interface capture object using a filter and direction Sample packet capture configurationsExit Capture Configuration mode Interface capture object using triggers CES#show capture test-filter-in CES#capture test-trigger start Tunnel capture object using a remote IP address CES#show capture test-trigger Capture state Stopped by stop Viewing a packet capture output file on a PC Installing Ethereal softwareLocate the Microsoft Windows row and click local archive Click ethereal-setup-n.nn.n.exe Saving, downloading, and viewing Pcap files Viewing a Pcap file with Sniffer Pro Global IP capture Deleting capture objects and disabling packet capture Click Tools Options Protocol Forcing CES# no capture test-trigger Packet capture NN46110-602 Snmp RFC support Novell IPX MIBNovell RIP-SAP MIB RFC 1850-OSPF Version 2 Management Information Base RFC 1213-Network Management of TCP/IP-Based Internets RFC 1724-RIP Version 2 MIB ExtensionRFC 2667-IP Tunnel MIB RFC 2787-VRRP MIB RFC 2737-Entity MIB RFC 1573-IanaIfType MIB RFC 2233-If MIBRFC 2571-Snmp-Framework MIB RFC2790-Host Resources MIB RFC2495-DS1 MIB RFC2863 Interface MIB 64 bit counters support VPN Router MIB Cestraps.mib-Nortel proprietary MIB TRAP-TYPE Variables Newoak.mib Hardware-related traps Appendix a MIB support Appendix a MIB support Appendix a MIB support Server-related traps Appendix a MIB support Login-related traps Software-related traps Intrusion-related traps System-related traps Information passed with every trap Provides trap categories and explanations Provides descriptions for the VPN Router traps Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions Attached Failed Please note that X corresponds to Is not reachable and at least one Appendix a MIB support Appendix a MIB support VPN Router traps MIB descriptions IfReasonForStatus-ces-reason for the change in status Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Appendix a MIB support VPN Router traps MIB descriptions Appendix a MIB support VPN Router traps MIB descriptions That triggered this event Appendix B Using serial PPP Establishing a serial PPP connection Setting up a Dial-Up Networking connection Double-click the Microsoft Dial-Up Networking icon Setting up the modem Setting up the VPN RouterSelect System Settings Appendix B Using serial PPP Troubleshooting Serial PPP Dialing in to the VPN RouterCause Actions Action PPP option settings Appendix B Using serial PPP NN46110-602 Installed new CA certificate from file Error removing CA certificate fileCertificate messages TCert Shutdown complete TCert X.509 certificates disabled in flash memoryTCert task creation failed Isakmp messages Isakmp 13 No proposal chosen in message from xxx a.b.c.d Isakmp 13 Authentication failure in message from xxx a.b.c.d Isakmp 13 xxx a.b.c.d has exceeded idle timeout-logging out No response from client-logging out Couldnt install route for remxxx@xxx Branch office messages SSL messages Checking chain invalid parent certChecking chain invalid child cert Child cert xxx not valid signature by xxx Configuration file xxx does not exist Database messagesNo matching trusted CA certs Failed to start Ldif file could not restore Security messagesAccount xxxxxx uid xxx not found in account AuthServer ldap inconsistent no server type in entry Security store new system IP address xxx failed-xxx Conn backlog reached, possible SYN attackSecurity store new system name xxx failed-xxx Error copying entry xxx to Error copying subentries of xxx toError copying tree xxx to Security store new system subnet mask xxx failed-xxx Error deleting entry Error deleting treeSchemaCls Database schema not available LocalAuthServer failed remove-xxx Session xxx uid invalid-authentication failed Session xxxxxx invalid uid-authentication failedXxx xxx being referenced by Session xxxxxx session rejected-system is initializing Session xxxxxxxxx xxx auth method not allowed Session xxxxxxxxx AddLink failed xxx current links Session xxxxxxxxx L2TP host xxx account misconfigured Session xxxxxxxxx account is disabledSession xxxxxxxxx IP address assignment failed Session xxxxxxxxx account has max links Session xxxxxxxxx account not allowed now Session xxxxxxxxx authentication failed usingSession xxxxxxxxx connect Qos level xxx full Session xxxxxxxxx login rejected new logins disabled Disable logins after restart checkbox is selectedSession xxxxxxxxx no memory free xxx threshold Session xxxxxxxxx only one session/static address allowed Session xxxxxxxxx pool address xxx already in use Session xxxxxxxxx session directed to use serverSession xxxxxxxxx static address xxx already in use Session xxxxxxxxx system has max sessions Radius no reply from server server-nameport number Radius accounting messagesRadius server-name server timed out Indicated packet length too large Radius server-name server failedNon-matching ID in server response Unsupported response type number received from server Received bad attribute type from serverResponse OK Radius user-name accounting record sent to server-name OK Login failure due to Server network connection failure Radius authentication messagesRadius no reply from Radius server server-nameport number Radius server-name server timed out authenticating user-name Non-matching id in server response Radius server returned access challenge Radius access challenge receivedRadius server rejected access Radius server-name sent challenge for user-name Radius user-name access Denied by server server-name Radius user-name access OK by server server-nameOspf Disabled Routing messages Closing OSPF-RTM connection Ospf EnabledOpened OSPF-RTM connection Can not accept x.x.x.x as router id LoadOspfAreas FailedLoadOspfIntf Failed VR xxx Starting xxx as Master for VR xxx Starting xxx as master delayed Backup for VR xxx Starting xxx as Backup forVR xxx Shutting down xxx on Unable to get configuration for VR RIP xxx RIP EnabledRIP xxx RIP Disabled RIP xxx Cant alloc main node RIP xxx Circuit xxx deleted RIP xxx Unable to register with UDPRIP xxx setsockopt RIP socket xxx Sorcvbuf xxx failed RIP xxx bind RIP socket xxx failed RIP xxx Unable to spawn timer task xxx for RIP RIP xxx cid xxx mismatched auth password fromInterface nnn not present, deleting from config Interface nnn replaced, resetting config Interface nnn replaced, deleting from config HWAccel nnn not present, deleting from config Appendix C System messages NN46110-602 Appendix D Configuring for interoperability Configuring the Cisco 2514 router, Version VPN Router and Cisco 2514 network topology NN46110-602 Following is a show config command Configuring the VPN Router for Cisco interoperability Appendix D Configuring for interoperability Connecting to IRE SafeNET/Soft-PK Security Policy Client Mask 10.42 Click Pre-Shared Key SafeNet/Soft-PK Security Policy Editor dialog box appears Configuring the VPN Router for IRE interoperability Encapsulation Protocol ESPSA Life Seconds and 3000 Seconds Go to Profiles Networks and click Edit Third-party client installation Considerations for using third-party clients Appendix D Configuring for interoperability Configuring the VPN Router as a branch office tunnel Configuring the VPN Router as a user tunnel Set Perfect Forward Secrecy PFS to match the client side To configure the VPN Router as a user tunnel Configuring IPX IPX client IPX group configuration Sample IPX VPN Router topologyWindows 95 and Windows Windows NT IPX topology Nortel VPN Router Troubleshooting Appendix D Configuring for interoperability NN46110-602 Index Index Pptp Wins