Monday, February 10, 2014

Document: Nortel VPN Router Configuration — SSL VPN Services (docx)

Nortel VPN Router Configuration — SSL VPN Services

Contents
Preface . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Before you begin . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Text conventions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 9
Related publications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 12
Printed technical manuals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 13
Finding the latest updates on the Nortel Web site . . . . . . . . . . . . . . . . . . . . . . . . . 14
Getting help from the Nortel Web site . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 14
Getting help over the phone from a Nortel Solutions Center . . . . . . . . . . . . . . . . . 14
Getting help from a specialist by using an Express Routing Code . . . . . . . . . . . . 15
Getting help through a Nortel distributor or reseller . . . . . . . . . . . . . . . . . . . . . . . . 15
New in this release. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 17
Chapter 1
SSL VPN Overview. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 19
Hardware platforms . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 20
Chapter 2
Configuring the SSL VPN Module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
SSL VPN configuration considerations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 23
Initializing the SSL VPN module . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 24
Configuring Web interface parameters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 26
SSL VPN and Nortel VPN Router Stateful Firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . 28
Configuring SSL VPN access with implied firewall rules . . . . . . . . . . . . . . . . . . . . 28
Configuring SSL VPN without implied firewall rules . . . . . . . . . . . . . . . . . . . . . . . 28
Access control with the firewall . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Launching the SSL VPN BBI . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 29
Upgrading the software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
NN46110-501 02.01
Minor release upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Major release upgrade . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Activating SSL VPN upgrade packages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 30
Generating and adding certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 31
Updating existing certificates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Updating DNS servers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
NetDirect Agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 32
Configuring VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 33
Appendix A
Supported ciphers . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 35
Cipher list formats . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Modifying a cipher list . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 37
Supported cipher strings and meanings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 38
Appendix B
SNMP agent . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
Supported MIBs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 41
SNMPv2 MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
IP-MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
IP-FORWARD-MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
IF-MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Limitations . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 42
Alteon iSD platform MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
Alteon iSD-SSL MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 43
SNMP-TARGET-MIB . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Supported traps . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 44
Appendix C
Syslog messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
Operating system messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
EMERG . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 45
CRITICAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
ERROR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 46
System control messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
INFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
ALARM . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 47
EVENT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 50
Traffic processing messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
CRITICAL . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
ERROR . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 51
WARNING . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
INFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 54
Startup messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 55
INFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 56
Configuration reload messages . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
INFO . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Syslog messages in alphabetical order . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 57
Appendix D
Key code definitions . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Syntax description . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 67
Allowed special characters . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 68
Redefinable keys . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 69
Example of key code definition file . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 70
Appendix E
Troubleshooting. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 71
Index . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . 75

Preface
This guide introduces the Nortel VPN Router Secure Sockets Layer (SSL) Virtual
Private Network (VPN) service. It also provides overview and basic configuration
information to help you initially set up SSL VPN services.
Before you begin
This guide is for network managers who are responsible for the setup and
configuration of the Nortel VPN Router. This guide assumes that you have
experience with windowing systems or graphical user interfaces (GUIs) and
are familiar with network management.
Text conventions
This guide uses the following text conventions:
angle brackets (< >)
Indicates that you choose the text to enter based on the description inside
the brackets. Do not type the brackets when you enter the command.
Example: If the command syntax is ping <ip_address>, you enter
ping 192.32.10.12.

bold Courier text
Indicates command names and options and text that you need to enter.
Example: Use the show health command.
Example: Enter terminal paging {off | on}.

braces ({ })
Indicates required elements in syntax descriptions where more than one option
exists. You must choose only one option. Do not type the braces when you enter
the command.
Example: If the command syntax is ldap-server source {external | internal},
you must enter either ldap-server source external or
ldap-server source internal, but not both.

brackets ([ ])
Indicates optional elements in syntax descriptions. Do not type the brackets
when you enter the command.
Example: If the command syntax is show ntp [associations], you can enter
either show ntp or show ntp associations.
Example: If the command syntax is default rsvp [token-bucket {depth | rate}],
you can enter default rsvp, default rsvp token-bucket depth, or
default rsvp token-bucket rate.

ellipsis points (. . .)
Indicates that you repeat the last element of the command as needed.
Example: If the command syntax is more diskn:<directory>/<file_name>, you
enter more and the fully qualified name of the file.

italic text
Indicates new terms, book titles, and variables in command syntax
descriptions. Where a variable is two or more words, an underscore connects
the words.
Example: If the command syntax is ping <ip_address>, ip_address is one
variable and you substitute one value for it.

plain Courier text
Indicates system output, for example, prompts and system messages.
Example: File not found.

separator ( > )
Shows menu paths.
Example: Choose Status > Health Check.

vertical line ( | )
Separates choices for command keywords and arguments. Enter only one choice.
Do not type the vertical line when you enter the command.
Example: If the command syntax is terminal paging {off | on}, you enter
either terminal paging off or terminal paging on, but not both.

Related publications
For more information about the Nortel VPN Router, see the following
publications:
• Release notes provide the most recent information, including brief
descriptions of the new features, problems fixed in this release, and known
problems and workarounds.
• Nortel VPN Router Configuration—Client (NN46110-306) provides
information to install and configure client software for the SSL VPN Module
1000.
• Nortel VPN Router Configuration—TunnelGuard (NN46110-307) provides
information to configure and use the TunnelGuard feature.
• Nortel VPN Router Upgrades—Server Software Release 8.0 (NN46110-407)
provides information to upgrade the server software to the most recent release.
• Nortel VPN Router Installation and Upgrade—Client Software Release 8.01
(NN46110-409) provides information to upgrade the Nortel VPN Client to the
most recent release.
• Nortel VPN Router Configuration—Basic Features (NN46110-500)
introduces the product and provides information about initial setup and
configuration.
• Nortel VPN Router Configuration—Advanced Features (NN46110-502)
provides configuration information for advanced features such as the
Point-to-Point Protocol (PPP), Frame Relay, and interoperability with other
vendors.
• Nortel VPN Router Configuration—Tunneling Protocols (NN46110-503)
provides configuration information for the tunneling protocols IPsec, Layer 2
Tunneling Protocol (L2TP), Point-to-Point Tunneling Protocol (PPTP), and
Layer 2 Forwarding (L2F).
• Nortel VPN Router Configuration—Routing (NN46110-504) provides
instructions to configure the Border Gateway Protocol (BGP), Routing
Information Protocol (RIP), Open Shortest Path First (OSPF), Virtual Router
Redundancy Protocol (VRRP), Equal Cost Multipath (ECMP), routing policy
services, and client address redistribution (CAR).
• Nortel VPN Router Using the Command Line Interface (NN46110-507)
provides syntax, descriptions, and examples for the commands that you can
use from the command line interface (CLI).

• Nortel VPN Router Configuration—Firewalls, Filters, NAT, and QoS
(NN46110-508) provides instructions to configure the Stateful Firewall and
SSL VPN Module 1000 interface and tunnel filters.
• Nortel VPN Router Security—Servers, Authentication, and Certificates
(NN46110-600) provides instructions to configure authentication services and
digital certificates.
• Nortel VPN Router Troubleshooting—Server (NN46110-602) provides
information about system administrator tasks such as recovery and
instructions to monitor VPN Router status and performance. This document
provides troubleshooting information and event log messages.
• Nortel VPN Router Administration (NN46110-603) provides information
about system administrator tasks such as backups, file management, serial
connections, initial passwords, and general network management functions.
• Nortel VPN Router Troubleshooting—Client (NN46110-700) provides
information to troubleshoot installation and connectivity problems with the
Nortel VPN Client.
Printed technical manuals
To print selected technical manuals and release notes free, directly from the
Internet, navigate to www.nortel.com/products. Find the product for which you
need documentation, then locate the specific category and model or version for
your hardware or software product. Use Adobe Acrobat Reader to open the
manuals and release notes, search for the sections you need, and print them on
most standard printers. Go to the Adobe Systems Web site at www.adobe.com to
download a free copy of the Adobe Acrobat Reader.
How to get Help
This section explains how to get help for Nortel products and services.

Finding the latest updates on the Nortel Web site
The content of this documentation was current at the time the product was
released. To check for updates to the latest documentation and software for SSL
VPN Module 1000, click one of the following links:

Link: Most recent software
Website: Nortel page for SSL VPN Module 1000 software, located at
support.nortel.com/go/main.jsp?cscat=SOFTWARE&poid=13922

Link: Most recent documentation
Website: Nortel page for SSL VPN Module 1000 documentation, located at
support.nortel.com/go/main.jsp?cscat=documentation&tranProduct=13922

Getting help from the Nortel Web site
The best way to get technical support for Nortel products is from the Nortel
Technical Support Web site:
www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to
address issues with Nortel products. From this site, you can:
• download software, documentation, and product bulletins
• search the Technical Support Web site and the Nortel Knowledge Base for
answers to technical issues
• sign up for automatic notification of new software and documentation for
Nortel equipment
• open and manage technical support cases

Getting help over the phone from a Nortel Solutions Center
If you do not find the information you require on the Nortel Technical Support
Web site, and you have a Nortel support contract, you can also get help over the
phone from a Nortel Solutions Center.
