Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services Gateway 2

Version 4.80

Part No. 315899-B Rev 00 August 2003

600 Technology Park Drive Billerica, MA 01821-4130

All rights reserved. August 2003. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc. The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.

Trademarks

Nortel Networks, the Nortel Networks logo, Contivity, Preside, and Optivity are trademarks of Nortel Networks. Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated. AXENT and OmiGuard Defender are trademarks of AXENT Technologies, Inc. Check Point and Firewall 1 are trademarks of Check Point Software Technologies Ltd. Cisco and Cisco Systems are trademarks of Cisco Systems, Inc. Entrust and Entrust Authority are trademarks of Entrust Technologies, Incorporated. Java is a trademark of Sun Microsystems. Linux and Linux FreeS/WAN are trademarks of Linus Torvalds. Macintosh is a trademark of Apple Computer, Inc. Microsoft, Windows, Windows NT, and MS-DOS are trademarks of Microsoft Corporation. Netscape, Netscape Communicator, Netscape Navigator, and Netscape Directory Server are trademarks of Netscape Communications Corporation. NETVIEW is a trademark of International Business Machines Corp (IBM). Novell, NetWare and intraNetWare are trademarks of Novell, Inc. NDS is a trademark of Novell Inc. OPENView is a trademark of Hewlett-Packard Company. SafeNet/Soft-PK Security Policy Database Editor is a trademark of Information Resource Engineering, Inc. SecurID and Security Dynamics ACE Server are trademarks of RSA Security Inc. SPECTRUM is a trademark of Cabletron Systems, Inc. VeriSign is a trademark of VeriSign, Inc. All other trademarks and registered trademarks are the property of their respective owners. The asterisk after a name denotes a trademarked item.

Restricted rights legend

Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013. Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.

315899-B Rev 00 3

Statement of conditions

In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice. Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein. Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission. SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE. In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).

Nortel Networks Inc. software license agreement

This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price. “Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software. 1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 4

2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply. 3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The forgoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply. 4. General a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities). b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction. c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations. d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose. e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks. f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.

315899-B Rev 00 5 Contents

Preface ...... 11

Before you begin ...... 11 Text conventions ...... 11 Acronyms ...... 13 Related publications ...... 14 How to get help ...... 15

Chapter 1 Overview of tunnel protocols ...... 17

Chapter 2 Configuring IPsec ...... 19

Configuring IPsec settings ...... 20 Configuring group IPsec settings ...... 23 Configuring branch office connection IPsec settings ...... 32 Configuring branch office group IPsec settings ...... 35 IPsec client features ...... 39 Split tunneling ...... 40 Third-party IPsec clients ...... 41 Configuring IPsec client selections ...... 43

Chapter 3 Configuring dial interfaces ...... 47

Configuring dial interfaces ...... 47 Configuring the modem ...... 51 Configuring PPP ...... 53 Configuring ISDN BRI ...... 54

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 6 Contents

Chapter 4 Configuring PPTP ...... 59

Configuring PPTP settings ...... 59 Configuring group PPTP settings ...... 61 Configuring branch office connection PPTP settings ...... 65

Chapter 5 Configuring L2TP...... 67

Configuring L2TP settings ...... 68 Configuring group L2TP settings ...... 70 Configuring branch office connection L2TP settings ...... 73 Configuring L2TP over IPsec ...... 75 Windows 2000 configuration ...... 79 Configuring branch office for L2TP over IPsec ...... 80

Chapter 6 Configuring L2F ...... 83

Configuring L2F settings ...... 83 Configuring global L2F settings ...... 84 Configuring group L2F settings ...... 85

Chapter 7 Configuring PPPoE ...... 89

Configuring PPPoE settings ...... 91

Chapter 8 Configuring PPP ...... 97

Configuring PPP settings ...... 97

Chapter 9 Configuring frame relay...... 105

Permanent virtual circuits ...... 108 RFC 1490 ...... 108 Traffic shaping ...... 109 Committed information rate ...... 109

315899-B Rev 00 Contents 7

Committed burst rate and excess burst rate ...... 110 Traffic shaping configuration notes ...... 110 Overview of frame relay configuration ...... 111 Configuring frame relay settings ...... 112 Frame relay monitoring ...... 117 Frame relay OM statistics ...... 117 IP statistics ...... 117

Chapter 10 Configuring IPX ...... 119

Overview of IPX ...... 119 IPX client ...... 120 Windows 95 and Windows 98 ...... 120 Windows NT ...... 121 Enabling IPX for group users ...... 121 Sample IPX VPN gateway topology ...... 121

Chapter 11 Configuring a T1 CSU/DSU ...... 123

Viewing status ...... 124 Configuring a T1 CSU/DSU ...... 124

Chapter 12 Configuring Backup Interface Services (BIS) ...... 127

Backup Interfaces ...... 127 Trigger Modes ...... 127 Interface Group Failure ...... 128 Route Unreachable ...... 129 Ping Failure ...... 129 Time of day ...... 130 Usage on an asynchronous branch office tunnel (ABOT) ...... 130 Configuring BIS ...... 130 Configuring BIS with Interface Group Trigger ...... 133 Configuring BIS with Hour Trigger ...... 134 Configuring BIS with Route Unreachable Trigger ...... 135

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 8 Contents

Configuring BIS with Ping Trigger ...... 137 Configuring BIS Default and Static Routes ...... 138 Index ...... 139

315899-B Rev 00 9 Figures

Figure 1 IPsec Settings screen ...... 21 Figure 2 Group IPsec screen ...... 24 Figure 3 Branch Office Edit Connection screen ...... 32 Figure 4 Branch Office Edit Group screen ...... 36 Figure 5 Branch Office Edit IPsec screen ...... 37 Figure 6 Sample split tunneling environment ...... 40 Figure 7 System > Dial Interfaces screen ...... 48 Figure 8 System > Dial Interfaces > Configuration - PPP Port Mode screen . . . . . 49 Figure 9 System > Dial Interfaces > Configuration - Serial Port Mode screen . . . . 50 Figure 10 System > Dial Interfaces > Configuration > Configure Modem screen . . . 51 Figure 11 System > Dial Interfaces > Configuration > Configure Modem > Modem Commands screen ...... 52 Figure 12 Sytem > Dial Interfaces > Configure PPP screen ...... 53 Figure 13 System > Dial Interfaces > Interface Configuration ...... 55 Figure 14 System > Dial Interfaces > Interface Configuration > BRI Configuration . 56 Figure 15 PPTP screen ...... 60 Figure 16 Groups Edit PPTP screen ...... 62 Figure 17 Branch Office Edit Connection screen ...... 65 Figure 18 L2TP settings screen ...... 69 Figure 19 Groups Edit L2TP screen ...... 71 Figure 20 Branch Office Edit Connection screen ...... 74 Figure 21 L2F screen ...... 84 Figure 22 Groups Edit L2F screen ...... 85 Figure 23 PPPoE for single user ...... 89 Figure 24 PPPoE on a local network ...... 90 Figure 25 System LAN screen ...... 92 Figure 26 Edit PPPoE screen ...... 93 Figure 27 PPP Local Authentication screen ...... 94 Figure 28 PPP Advanced screen ...... 95

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 10 Figures

Figure 29 System WAN Interfaces screen ...... 98 Figure 30 WAN Interfaces Configure screen ...... 99 Figure 31 WAN Interfaces Configure PPP screen ...... 100 Figure 32 WAN Interfaces Configure PPP Authentication screen ...... 101 Figure 33 WAN Interfaces Configure PPP Advanced Settings screen ...... 102 Figure 34 WAN Interfaces Configure PPP CSU/DSU screen ...... 104 Figure 35 Frame relay single public interface to ISP ...... 106 Figure 36 Frame relay multiple public interfaces ...... 107 Figure 37 Gateway between frame relay network and VPN network ...... 108 Figure 38 WAN Interfaces screem ...... 112 Figure 39 Interfaces Configure screen ...... 113 Figure 40 Interface Configure Frame Relay screen ...... 114 Figure 41 Interfaces Configure Frame Relay VC screen ...... 116 Figure 42 IPX topology ...... 122 Figure 43 Configure CSU/DSU screen ...... 125 Figure 44 Services > Backup Interfaces ...... 131 Figure 45 Services > Backup Interface > Add Interface ...... 132 Figure 46 Services > Backup Interface > Add Interface > Interface ...... 133 Figure 47 Interface Group Trigger Parameters ...... 134 Figure 48 Hours Trigger ...... 135 Figure 49 Route Unreachable ...... 136 Figure 50 Ping ...... 137 Figure 51 Backup Interface Default and Static Route parameters ...... 138

315899-B Rev 00 11 Preface

This guide describes the Nortel Networks* Contivity* Secure IP Services Gateway tunneling protocols. It provides configuration information and advanced WAN settings.

Before you begin

This guide is for network managers who are responsible for setting up and configuring the Contivity Secure IP Services Gateway. This guide assumes that you have experience with windowing systems or graphical user interfaces (GUIs) and familiarity with network management.

Text conventions

This guide uses the following text conventions:

angle brackets (< >) Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command. Example: If the command syntax is ping , you enter ping 192.32.10.12 bold Courier text Indicates command names and options and text that you need to enter. Example: Use the show health command. Example: Enter terminal paging {off | on}.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 12 Preface

braces ({}) Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command. Example: If the command syntax is ldap-server source {external | internal}, you must enter either ldap-server source external or ldap-server source internal, but not both. brackets ([ ]) Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command. Example: If the command syntax is show ntp [associations], you can enter either show ntp or show ntp associations. Example: If the command syntax is default rsvp [token-bucket {depth | rate}], you can enter default rsvp, default rsvp token-bucket depth, or default rsvp token-bucket rate. ellipsis points (. . . ) Indicate that you repeat the last element of the command as needed. Example: If the command syntax is more diskn:/..., you enter more and the fully qualified name of the file. italic text Indicates new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore. Example: If the command syntax is ping , ip_address is one variable and you substitute one value for it. plain Courier Indicates system output, for example, prompts and text system messages. Example: File not found.

315899-B Rev 00 Preface 13

separator ( > ) Shows menu paths. Example: Choose Status > Health Check. vertical line ( | ) Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command. Example: If the command syntax is terminal paging {off | on}, you enter either terminal paging off or terminal paging on, but not both.

Acronyms

This guide uses the following acronyms:

FTP File Transfer Protocol IP Internet Protocol IKE IPsec Key Exchange ISAKMP Internet Security Association and Key Management Protocol ISP Internet service provider L2TP Layer2 Tunneling Protocol LDAP Lightweight Directory Access Protocol LAN local area network PDN public data networks POP point-of-presence PPP Point-to-Point Protocol PPTP Point-to-Point Tunneling Protocol UDP User Datagram Protocol VPN virtual private network WAN wide area network

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 14 Preface

Related publications

For more information about the Contivity Secure IP Services Gateway, refer to the following publications: • Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds. • Configuring Basic Features for the Contivity Secure IP Services Gateway introduces the product and provides information about initial setup and configuration. • Configuring Authentication and Certificates for the Contivity Secure IP Services Gateway provides instructions for configuring authentication services and digital certificates. • Configuring Firewalls and Filters for the Contivity Secure IP Services Gateway provides instructions for configuring the Contivity Stateful Firewall and Contivity interface and tunnel filters. • Configuring Routing for the Contivity Secure IP Services Gateway provides instructions for configuring RIP, OSPF, and VRRP, as well as instructions for configuring ECMP, routing policy services, and client address redistribution (CAR). • Reference for the Contivity Secure IP Services Gateway Command Line Interface provides syntax, descriptions, and examples for the commands that you can use from the command line interface.

You can print selected technical manuals and release notes free, directly from the Internet. Go to the www.nortelnetworks.com/documentation URL. Find the product for which you need documentation. Then locate the specific category and model or version for your hardware or software product. Use Adobe* Acrobat Reader* to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to Adobe Systems at the www.adobe.com URL to download a free copy of the Adobe Acrobat Reader.

You can purchase printed books and documentation sets from Vervante. To order printed documentation, go to Vervante at the www.vervante.com/nortel URL.

315899-B Rev 00 Preface 15

How to get help

If you purchased a service contract for your Nortel Networks product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller for assistance.

If you purchased a Nortel Networks service program, contact Nortel Networks Technical Support. To obtain contact information online, go to the www.nortelnetworks.com/cgi-bin/comments/comments.cgi URL, then click on Technical Support.

From the Technical Support page, you can open a Customer Service Request online or find the telephone number for the nearest Technical Solutions Center. If you are not connected to the Internet, you can call 1-800-4NORTEL (1-800-466-7835) to learn the telephone number for the nearest Technical Solutions Center.

An Express Routing Code (ERC) is available for many Nortel Networks products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate an ERC for your product or service, go to the http://www.nortelnetworks.com/help/contact/ erc/index.html URL.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 16 Preface

315899-B Rev 00 17 Chapter 1 Overview of tunnel protocols

The gateway uses the Internet and remote connectivity to create secure extranets, or Virtual Private Networks (VPNs). Remote connectivity through the public data network (PDN) requires a protocol for safe transport and a connection from the remote user’s PC to the PDN. The gateway uses the most popular tunneling protocols: IPsec, PPTP, L2TP, and L2F.

To form a tunnel, the following takes place:

• The remote user establishes a connection with the PDN point-of-presence (POP), typically through an Internet Service Provider (ISP). • After the Internet connection is up, the remote user launches a second connection that specifies a connection to a gateway. Instead of a telephone number to establish the link, the second connection uses an IP address (or a name if the IP address has been entered into a Domain Name Service server). This second connection could use either the Point-to-Point Tunneling Protocol (PPTP) or the IP Security (IPsec) tunneling protocol. • Tunnels built using L2F are slightly different. The tunnel begins at a piece of networking equipment (network access server or NAS) located at the ISP instead of the remote user’s PC. The user simply dials into the ISP with a telephone number that causes an L2TP or L2F tunnel to connect directly to a specific corporation. This is similar to a traditional remote dial service except that the modems are maintained by the ISP and not the corporation.

All tunneling protocols are enabled on the public and private networks by default. Because data in tunnels is encrypted, the default setting guarantees that all interactions with the gateway are private. By leaving IPsec, PPTP, L2TP, and L2F enabled on the private side, you can establish tunneled connections to the gateway using any of the tunnel types from within your corporation. To prevent tunnel connections of a particular type (for all users, including administrators), you can simply disable the tunnel type.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 18 Chapter 1 Overview of tunnel protocols

For example, if you want to use IPsec as your only public tunneling protocol, then disable the Public selection for PPTP, L2TP, and L2F.

To configure tunnel access to the gateway:

1 Go to the Services > Available screen. 2 Select the tunnel type.

See Configuring Basic Features for the Contivity Secure IP Services Gateway for more information on configuring tunnels. See the appropriate chapter in this book for steps on how to change default tunnel protocol settings.

315899-B Rev 00 19 Chapter 2 Configuring IPsec

The IPsec tunneling protocol is supported by Nortel Networks and other third-party vendors. IPsec is a standard that offers a strong level of encryption (DES, Triple DES and AES), integrity protection (MD5 and SHA), and the IETF-recommended ISAKMP and Oakley Key Determination protocols, and token codes from SecurID* and AXENT*. IPsec offers the following features:

• Client support is available from Nortel Networks and other vendors. No special ISP services are required. • Support for IP address translation via encapsulation, packet-by-packet authentication. • Strong encryption and token codes.

Nortel Networks provides the IPsec remote access user client software on the CD that came with your gateway. You can install the client software on a network server for your remote users to download. The client software is a Microsoft* application available for the latest releases of Windows* 95, Windows 98, Windows NT*, Windows 2000 Workstation, and Windows NT Server. The software comes with complete online help.

Nortel Networks provides two versions of the IPsec client due to export restrictions. The standard version supports DES (56-bit key) encryption, and the enhanced version supports Triple DES (3DES, 168-bit key). The self-extracting installation files for DES and Triple DES are labeled accordingly on the CD. The installation is simple; the self-extracting installation includes everything necessary to create IPsec tunnels with the gateway. For more details, refer to the readme instructions included as part of the client installation.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 20 Chapter 2 Configuring IPsec

Configuring IPsec settings

To configure the gateway for IPsec tunneling, you first configure the parameters on a global level on the Services > IPsec screen. You can individually configure IPsec parameters for groups, users, and branch offices from the Profiles menu.

• Global IPsec Settings IPsec is configured globally on the Services > IPsec screen. • Group IPsec Settings Group IPsec settings are configured on the Profiles > Groups > Edit > IPsec screen. • Branch Office Connection IPsec Settings Branch office IPsec settings are configured on the Profiles>Branch Office>Edit Connection > IPsec tunnel type screen. • Branch Office Group IPsec Settings Branch office group IPsec settings are configured on the Profiles > Branch Office>Edit Group > IPsec screen.

To configure IPsec settings:

1 Select Services > IPsec. The Services > IPsec Settings screen appears (Figure 1).

315899-B Rev 00 Chapter 2 Configuring IPsec 21

Figure 1 IPsec Settings screen

2 Configure the IPsec Authentication settings. Select User Name and Password/ Pre-Shared Key, or RSA Digital Signature. 3 Configure the IPsec RADIUS Authentication settings for the connection. Click to Enable support for the authentication types that your RADIUS Server supports and that you expect to use: • AXENT Technologies Defender--AXENT OmniGuard/Defender authentication. • Security Dynamics SecurID--Security Dynamics SecurID authentication.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 22 Chapter 2 Configuring IPsec

• User Name and Password--Username and password authentication; the username and password are encrypted. 4 Configure the IPsec Encryption settings for the connection. Click the appropriate checkbox to either enable or disable the supported Encryption methods for this group. The encryption methods are shown on the screen in order of strength, from strongest to weakest.

Note: Triple DES encryption requires more processing power than DES, potentially reducing the performance of the switch. AES provides stronger encryption than 3DES, and requires less processing power than 3DES, providing a potential performance improvement for Branch Office tunnels.

5 Configure the IPsec IKE Encryption and Diffie-Hellman Group settings for the connection. If you select more than one encryption type, you can select the encryption you would like to use on a per group basis in the Profiles > Branch Office > Edit > IPsec screen or the Profiles > Groups > Edit > IPsec screen. 6 Configure the IPsec NAT Traversal settings for the connection. NAT (Network Address Translation) Traversal allows a number of devices on a private network to access the Internet simultaneously without each requiring its own external IP address. To use NAT Traversal, a UDP port must be defined. It is used for all client connections to the gateway. This port must be a unique and unused UDP port within the private network within the range 1025-49151. By default, NAT Traversal is disabled and no UDP port is defined.

Note: To allow NAT Traversal with the IPsec client, you must enable the NAT Traversal setting on the Profiles>Groups>Edit>IPsec screen.

7 Configure the Authentication Order. The IPsec, PPTP, L2TP, and L2F tunnel types each have an Authentication Order table, which lists the corresponding servers, authentication types, associated groups, and actions. The LDAP server is always queried first, then RADIUS, if applicable. 8 Configure the Load Balance settings. Click to enable Load Balancing of one gateway with an alternate gateway. Load Balancing is a protocol between two gateways that exchanges information about the number of sessions of each

315899-B Rev 00 Chapter 2 Configuring IPsec 23

connection priority and the CPU utilization. When a connection is being established, the first gateway determines which of the two gateways should service the session. The gateway and the alternate gateway must be in the same location (they must be in communication via the private interface). 9 Configure the Fail-Over settings. Click to enable Fail-over of the selected gateway. A Fail-over condition is detected in approximately two minutes. If a connection is somehow terminated or lost, the client then attempts to connect to the first-listed Fail-over gateway. It tries each gateway in succession and if no connection is established, it stops.

Configuring group IPsec settings

To configure group IPsec settings:

1 Select Profiles > Groups and then click Edit for the group whose IPsec settings you want to configure. The Groups > Edit screen appears. 2 Click Configure in the IPsec section of the screen. The Groups > Edit > IPsec screen appears (Figure 2).

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 24 Chapter 2 Configuring IPsec

Figure 2 Group IPsec screen

3 Click the Configure button for a specific parameter to make changes to that parameter. Click Configure in the All Fields section to edit all parameters at the same time. Use the Inherited button to set all fields to their inherited values. 4 Configure Split Tunneling. All IPsec client traffic is tunneled through the gateway by default. Split Tunneling allows you to configure specific network routes that are downloaded to the client. Only these network routes are then tunneled; any other traffic goes to the local PC interface. Split tunneling allows you to print locally, for example, even while you are tunneled into the gateway. 5 Configure Split Tunnel Networks. Click to select one of the networks to which you want to send encrypted tunnel traffic only. These networks are designated from the Profiles>Networks screen.

315899-B Rev 00 Chapter 2 Configuring IPsec 25

6 Configure Client Selection. The Client Selection feature enables you to configure your gateway to accept tunnel connections from third-party clients, in addition to the Nortel Networks Contivity VPN Client. Refer to the Contivity Secure IP Services Gateway Release Notes for a list of supported third-party clients.

If you choose the Configure for Both Contivity and non-Contivity Clients selection, the gateway provides support as described above, depending upon the type of client being used. For example, if you enable RADIUS Authentication, it is only used for Contivity clients, and you must have either preshared keys or RSA digital signature authentication enabled for non-Contivity clients. 7 Specify the Allowed Clients parameter. Use the menu to specify the type of clients that are allowed to create tunnels to your gateway. 8 Set the Allow undefined networks for non-Contivity clients parameter. Enabling this selection allows supported third-party clients to create IPsec tunnels to any internal networks. Nortel Networks recommends that you not allow undefined networks for third-party clients, and use Split Tunneling instead. This selection is ignored for Contivity clients. 9 Configure Authentication. Authentication is performed with a protected User ID and Password through the ISAKMP key management protocol. When you click configure, the Group Security Credentials (RADIUS) dialog box appears. 10 Configure Database Authentication (LDAP). 11 Specify User Name and Password. Click to enable the LDAP User Name and Password to authenticate user identity. Authentication is performed with a protected User ID and Password through the ISAKMP key management protocol. 12 Click to enable the Entrust certificate authentication. You must then click the drop-down list box to choose a Default Server Certificate. Servers are configured from the System > Certificates screen. 13 Configure RADIUS Authentication. The following attributes are associated with RADIUS Authentication when using IPsec tunneling. This is a two step process where (1) the gateway authenticates the remote user with the User Name and Password authentication mechanism, AXENT or SecurID hardware or software tokens, and (2) the client uses the Group ID and Group Password to authenticate the gateway's identity.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 26 Chapter 2 Configuring IPsec

User Name and Password

Click to enable the RADIUS User Name and Password to authenticate user identity. Authentication is performed with a protected User ID and Password through the ISAKMP key management protocol.

AXENT Technologies Defender

Click to enable the AXENT OmniGuard/Defender challenge response token security authentication. The AXENT OmniGuard/Defender uses a personal identification number (PIN) and password, coupled with a challenge response security dialog, to authenticate user identity.

Security Dynamics SecurID

Click to enable the Security Dynamics SecurID token security authentication. The SecurID uses a PIN and the current code generated by a token assigned to the user to authenticate user identity.

Enter the Group ID and Password, which are encrypted for transmission. The Group ID provides access to the gateway. Subsequent LDAP and RADIUS authentication is verified against the User ID.

Note: The Group ID and User ID must not be the same.

Enter and confirm the Group Password, which provides access to the gateway. Subsequent LDAP and RADIUS authentication is verified against the User Password. 14 Configure Encryption. Click Configure, then click the checkbox to either enable or disable the supported Encryption methods for this group.

315899-B Rev 00 Chapter 2 Configuring IPsec 27

Domestic export laws. Also, MD5 (Message Digest) provides integrity that detects packet modifications.

15 Select the Diffie-Hellman Group level to apply to IKE (Internet Key Exchange) encryptions.

Note: The choice of the IKE encryption algorithm does not affect the choice of the encryption algorithm used to encrypt data in IPsec. For example, you can use DES to encrypt the IKE exchanges, and then negotiate Triple DES for use in IPsec. The Services > IPsec screen contains a section labeled “IKE Encryption and Diffie-Hellman Group.”

16 Set the Accept ISAKMP Initial Contact Payload to enabled to tear down the existing connection if an incoming connection has the same User ID as the existing connection. This is disabled by default. 17 Click to enable Perfect Forward Secrecy (PFS). With PFS, keys are not derived from previous keys. This ensures that one key being compromised cannot result in the compromise of subsequent keys. 18 Configure Forced Logoff. For IPsec tunneling, you can specify a time after which all active users are automatically logged off. The default is 0, which means the option is turned off. The possible range is 00:00:01 to 23:59:59. 19 Configure Client Auto Connect. The Client Auto Connect feature enables remote Contivity VPN Clients to connect their IPsec tunnel sessions in a single step. With Auto Connect, client users simply click on the desired destination, for example, a Web page on the private internal network. This first starts their ISP connection, then makes the tunnel connection to the gateway, and finally makes the connection to the requested destination.

Click on Any Network Traffic to use the autoconnect feature for all client connection requests to authorized destinations. Now, when any network

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 28 Chapter 2 Configuring IPsec

activity is detected on the user’s workstation, a tunnel connection is automatically launched to the gateway. 20 Configure the Specify Networks and/or Domains parameters. Click on this selection to limit autoconnection use to specific domains or networks. Specify the authorized domains or networks in the following two fields.

Use the Domains selection to designate specific domains or host names that trigger the autoconnect feature. The domains that you specify must be configured on the Profiles > Domains page. Select None if you want to limit the autoconnection feature to specific networks, which you specify in the following Networks field.

Use the Networks selection to designate specific networks that trigger the autoconnect feature (the networks must be configured on the Profiles > Networks page). Select None if you do not want to designate any networks. 21 Configure the Banner setting. You can customize an enterprise login banner for the Contivity VPN Client by entering text into the space provided. This banner appears at the top of the IPsec client upon login. 22 Enable the Display Banner. Click to enable the banner and have it appear when a remote user logs into the gateway. 23 Set the Client Screen Saver Password Required parameter. Setting this security feature forces the client to use a password in association with a screen saver. When enabled, if the user leaves the system and is connected to a tunnel, the system then gets locked out of the tunnel once the screen saver kicks in. The end user would enable this feature from the Start > Settings > Control Panel > Display > Screen Saver Password Protected checkbox. Default is Disabled. 24 Set the Client Screen Saver Activation Time. This setting is used together with the Client Screen Saver Password Required setting. It defines the maximum time (in minutes) before the client's screen saver is activated. The value on the Client PC can be changed from the Start > Settings > Control Panel > Display > Strengthener Wait list box. Default is 5 Minutes. 25 Configure Client Fail-Over Tuning.

Check the Enabled box to enable client fail-over. Client fail-over uses small packets to check and maintain, or keep alive, the connection between the client and the gateway.

315899-B Rev 00 Chapter 2 Configuring IPsec 29

In the Interval section, specify the time interval that the client waits between VPN activity checks. Nortel Networks recommends a low interval when users are connecting via the client. You should use a higher setting for situations such as when a lease line is used and charges are based on traffic.

Specify the maximum number of retransmissions. This is the number of times that the client re-transmits a keepalive packet to the gateway to check for connectivity. 26 You can optionally enable the anti-replay service. While the default handling calls for the sender to increment the Sequence Number used for anti-replay, the service is effective only if the receiver checks the Sequence Number.

Note: Anti-Replay must be disabled when using IPSEC tunnels over LANs or WANs (the typical usage). If it is enabled, it causes DiffServ sorting to be incorrect. Anti-Replay does not acknowledge DiffServ and has its own methods of discarding packets, which adversely affects the DiffServ sorting.

27 Set the Allow Password Storage on Client parameter. You can allow client systems to save the login password in its password list, or you can require that the remote user enters the password each time he requests authentication and access to an IPsec tunnel. Click Enable to allow client systems to save the login password.

Note: When using certificates, saving the password on the client is not allowed.

28 Configure Compression. Click to enable Compression for IPsec tunneling. 29 Set the Rekey Timeout. You should limit the lifetime of a single key used to encrypt data or else you compromise the effectiveness of a single session key. Use the Rekey Timeout setting to control how often new session keys are exchanged between a client and a server. You should set the Rekey Timeout setting to no less than 1 hour. The default is 08:00:00 (8 hours); a setting of 00:00:00 disables the Rekey Timeout setting. The maximum setting is 23:59:59.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 30 Chapter 2 Configuring IPsec

30 Set the Rekey Data Count. You can choose to set a Rekey Data Count depending on how much data you expect to transmit via the tunnel with a single key. Default is 0 Kbytes; a setting of 0 disables the Rekey Data Count. 31 Configure the Domain Name setting. This setting enables you to specify the name of the domain that is used while an IPsec tunnel is connected. Specifying the domain name in this field ensures that domain lookup operations point to the correct domain. This is particularly important for clients that use Microsoft Outlook or Exchange, to ensure that the mail server is mapped to the correct domain.

When a tunnel is connected, the remote client’s registry is updated to use the specified domain. When the client disconnects the tunnel, the remote client’s original domain is again used. 32 Enter the Primary DNS. Enter the address of the Primary Domain Name System (DNS) server that is located on your private network. This DNS address is provided by the server to tunnel clients at setup and is used through the tunnel. The DNS server translates textual host names into IP addresses for the gateway. For example, DNS can translate the fully qualified host www.mycompany.com to its IP address 192.19.2.33.

The Primary DNS server is the first one addressed for servicing name resolution requests from a remote user; if the Primary DNS server is unavailable, service is requested of the Secondary DNS server. Recent versions of Microsoft Windows operating systems can simultaneously query multiple DNS servers.

Always use the IP address for setting a DNS server host instead of a domain name. 33 Enter the Secondary DNS. Enter an address for the Secondary Domain Name System (DNS) server. If the Primary DNS server is unavailable, service is requested of the Secondary DNS server. 34 Enter the Primary WINS. Enter an address for the primary Windows Internet Naming Service (WINS) server. A WINS server resolves NetBIOS names (for Windows networking file and print services) to IP addresses. Using a WINS server enables normal Windows file and print services to be accessed correctly through a tunnel connection.

Windows NT Server Version 4.0 and later supports a built-in WINS server. The WINS server eliminates the need to manually map NetBIOS names to IP

315899-B Rev 00 Chapter 2 Configuring IPsec 31

addresses (for example, using the textual LMHOSTS file on Windows) by updating a name-to-address mapping file dynamically on the WINS server.

The Primary WINS server is the first one addressed for servicing name resolution requests from a remote user; if the Primary WINS server is unavailable, service is requested of the Secondary WINS server. Always use the IP address for setting a WINS server host instead of a name.

Note: If no WINS servers are specified, the client is forced to broadcast for NetBIOS names.

35 Enter an address for the Secondary Windows Internet Naming Service (WINS) server; if the Primary WINS server is unavailable, service is requested of the Secondary WINS server. 36 Configure the Nortel Client Requirements settings.

In the Minimum Version field, select the minimum version of Contivity VPN Client that is required.

In the Action field, specify the action to take upon detection of a noncompliant client.

In the Message field, type a message giving users the URL for a Web site or FTP site from which they can download the required version of the Contivity VPN Client software.

Select a filter to apply from the list of available filters.

Click on the New Filter link to create a new filter, if needed. 37 Configure the Client Policy setting. Select a client policy as appropriate. Client Policy helps prevent potential security violations that could occur when you are using the split tunneling feature. Split tunneling allows client data to travel either through a tunnel to the enterprise network or directly to the Internet. 38 Set the Allow IPsec Data Protection parameter. Enable or disable IPsec.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 32 Chapter 2 Configuring IPsec

Configuring branch office connection IPsec settings

To configure branch office IPsec settings:

1 Select Profiles > Branch Office, then click Edit for the associated connection that you want to configure. The Branch Office > Edit Connection screen appears (Figure 3).

Figure 3 Branch Office Edit Connection screen

315899-B Rev 00 Chapter 2 Configuring IPsec 33

2 Use the drop-down list to change the tunnel type for the connection. To configure IPsec settings, select IPsec as the tunnel type. The default type is IPsec.

Note: If you change the Tunnel Type, the fields in the Authentication portion of this screen change to reflect the different configuration requirements for the selected Tunnel Type.

3 Configure the IPsec authentication attributes in the Authentication section of the screen. This portion of the screen allows you to configure the authentication that is used between the local and remote branch office gateways. The fields that appear in this screen depend on whether you are using an IPsec, PPTP, or L2TP tunnel type. The IPsec authentication fields are described in the following steps. 4 Enter the Pre-Shared Key: Text or Hex String. This is an alphanumeric text or hexadecimal string that is used between the local and remote branches for authentication. In order for authentication to occur, you must use the same pre-shared string on both the local and remote branch offices. 5 Configure the Certificates section of the screen. Certificates are associated with each endpoint gateway and allow for mutual authentication between two connections. The certificate portion of the screen includes information about the remote branch office system, the authority that issued the certificate, and the certificate identification. 6 Configure the Remote Identity. This is the name of the remote peer initiating the tunnel connection. You can use either a Subject Distinguished Name (Subject DN) or a Subject Alternative Name to uniquely identify the remote branch office system. Specifying both a full subject DN and a subject alternative name on this screen allows the remote peer to use either identity form when making a connection. 7 Select a Valid Issuer Certificate Authority from the drop-down list box. This CA is the issuer of the remote peer’s certificate or a higher level CA in the remote peer’s certificate hierarchy. The CA must have the trusted flag set via the certificates screen. If a CA hierarchy is being used, all intermediary CAs below the trusted CA must have been imported to the gateway. These Certificate Authorities are configured from the System > Certificates: Generate Certificate Request screen.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 34 Chapter 2 Configuring IPsec

8 Configure the Subject Distinguished Name. If you are using a distinguished name to identify the remote branch office site, you can choose to enter the DN as either a relative distinguished name or a full distinguished name. The DN entered here must exactly match the DN in the remote peer’s certificate. 9 Configure the Relative distinguished name. The Relative distinguished name has the following supported components:

Note: Do not include the attribute type as part of your entries in the Relative section. For example, for a name of CN=Mygateway, your entry would be Mygateway (without the CN attribute type).

• Common Name -- Enter the Common Name with which the server is associated. • Org Unit -- Enter the Organizational Unit with which the server is associated. • Organization -- Enter the Organization with which the server is associated. • Locality -- Enter the Locality in which the server resides. • State/Province -- Enter the State or Province in which the server resides. • Country -- Enter the Country in which the user resides. 10 Enter the Full distinguished name. You can directly enter the Full Distinguished Name (FDN) in this field rather than entering the individual components in the previously described Relative distinguished name fields. For example: CN=Mygateway, O=MyCompany, C=US 11 Configure the Subject Alternative Name. You can optionally use a Subject Alternative Name in place of a Subject DN, and specify the format of the name. The following formats are acceptable. • Email Name (for example, [email protected]) • DNS Name (for example, gateway.cleveland.company.com) • IP Address (for example, 192.168.34.21) 12 Specify the Local Identity. The Local Identity is the name your gateway that you want to use to identify itself when initiating or responding to a connection request. You can use either a Subject Distinguished Name (Subject DN) or a Subject Alternative Name to uniquely identify your system. If you select a

315899-B Rev 00 Chapter 2 Configuring IPsec 35

subject alternative name from your gateway’s certificate, then that identity is used in place of your gateway’s subject DN when communicating with peers.

Note: Your gateway’s server certificate only has subject alternative names if your CA issued the certificate with the alternative names. For example, with the Entrust PKI the VPN connector can issue certificates with DNS names, IP addresses, or Email alternative names.

13 Configure the Server Certificate. Click the drop-down list box to view all certificates that have been issued to the server. Server Certificates are configured from the System > Certificates: Generate Certificate Request screen.

Configuring branch office group IPsec settings

To configure branch office group IPsec settings:

1 Select Profiles > Branch Office, then click Edit for the associated group that you want to configure. The Branch Office > Edit Group screen appears (Figure 4).

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 36 Chapter 2 Configuring IPsec

Figure 4 Branch Office Edit Group screen

2 Click Configure in the IPsec section of the Branch Office > Edit Group screen. The Branch Office > Edit Group > Edit IPsec screen appears (Figure 5).

315899-B Rev 00 Chapter 2 Configuring IPsec 37

Figure 5 Branch Office Edit IPsec screen

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 38 Chapter 2 Configuring IPsec

4 Configure Encryption. Click Configure, then click the appropriate checkbox to either enable or disable the supported Encryption methods for this group.

The encryption methods are presented in order of strength, from strongest to weakest. All of the following encryption methods ensure that the packet came from the original source at the secure end of the tunnel. Some of the encryption types do not appear on non-US models that are restricted by US Domestic export laws. Also, MD5 (Message Digest) provides integrity that detects packet modifications. If two devices have different encryption settings (due to either US export laws or administrative configuration), the two devices negotiate downward until each has a compatible encryption capability. For example, if a client in the US attempts to negotiate Triple DES encryption with a gateway in Australia, then the Australian gateway rejects Triple DES encryption in favor of DES. 5 Select the Diffie-Hellman Group level to apply to IKE (Internet Key Exchange) encryptions.

Note: The choice of the IKE encryption algorithm does not affect the choice of the encryption algorithm used to encrypt data in IPsec. For example, one can use DES to encrypt the IKE exchanges, and then negotiate Triple DES for use in IPsec. The Services>IPsec screen contains a section labeled “IKE Encryption and Diffie-Hellman Group.” This section provides two choices for use with IPsec.

6 Click to enable Perfect Forward Secrecy (PFS). With PFS, keys are not derived from previous keys. This ensures that one key being compromised cannot result in the compromise of subsequent keys. 7 Click to enable Compression for IPsec tunneling.

315899-B Rev 00 Chapter 2 Configuring IPsec 39

8 Specify the Rekey Timeout. You should limit the lifetime of a single key used to encrypt data or else you compromise the effectiveness of a single session key. Use the Rekey Timeout setting to control how often new session keys are exchanged between a client and a server. You should set the Rekey Timeout setting to no less than 1 hour. The default is 08:00:00 (8 hours); a setting of 00:00:00 disables the Rekey Timeout setting. The maximum setting is 23:59:59. 9 Set the Rekey Data Count. You can choose to set a Rekey Data Count depending on how much data you expect to transmit via the tunnel with a single key. Default is 0 Kbytes; a setting of 0 disables the Rekey Data Count. 10 Set the ISAKMP Retransmission Interval. This specifies the time interval at which to make the ISAKMP retransmission. 11 Set the ISAKMP Retransmission Max Attempts parameter. This is the maximum number of attempts to make the ISAKMP retransmission. 12 Set the Keepalive Interval. This is the polling frequency used to determine if a keepalive exchange is needed. The default is one minute. The allowed range is 1 second to 60 minutes. This interval is used when the branch connection is Nailed-Up or when Keepalives are enabled for on-demand connections. 13 Set the Keepalive (on-demand connections) parameter. Keepalive (on-demand connections) has a default of disabled. Enabling this allows for a quicker detection of lost connectivity.

IPsec client features

The gateway supports the following IPsec client features:

• Split tunneling • Third-party IPsec clients • Forced logout • Client fail-over • Client auto connect • Banner • Password storage • Client screen saver • Client Keepalive

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 40 Chapter 2 Configuring IPsec

• Domain name • Client policy

Split tunneling

All IPsec client traffic is tunneled through the gateway by default. Split tunneling allows you to configure specific network routes that are downloaded to the client. Only these network routes are then tunneled; any other traffic goes to the local PC interface. Split tunneling allows you to print locally, for example, even while you are tunneled into the gateway. Figure 6 shows a sample split tunneling environment.

Figure 6 Sample split tunneling environment

10.2.3.4 10.10.0.1

10.10.0.5 Archive Public 10.2.3.3 Data Network 10.2.3.2 Printer Mail Server Contivity Secure IP 192.19.2.33 192.168.43.6 Services Gateway

192.19.2.32

Remote User 192.19.2.31

The previous figure shows split tunneling enabled and split tunnel network IP addresses 10.2.3.4 and 10.10.0.5. When a client establishes an IPsec tunnel, these addresses are loaded into the client application.

The remote user, for example, then downloads his email from the mail server at 10.10.0.5, and downloads a document from the Archive at 10.2.3.4. Next, without exiting the tunnel, the remote user can print the document through the PC's local network interface 192.19.2.32 to the printer at 192.19.2.33. You can enable split tunneling through the Profiles > Groups > IPsec > Edit screen split tunneling field.

315899-B Rev 00 Chapter 2 Configuring IPsec 41

You designate which network routes to tunnel through the gateway from the Profile>Networks screen. Next, you associate specific network routes to specific groups through the Profiles > Groups > IPsec > Edit screen by configuring the Split Tunnel Networks field.

The gateway takes precautions against violators potentially hacking tunneled information when the gateway is operating in split tunneling mode. The primary precaution is to drop packets that do not have the IP address that is assigned to the tunnel connection as its source address. For example, if you have a PPP dial-up connection to the Internet with an IP address of 192.168.21.3, and then you set up a tunneled connection to a gateway and you are assigned a tunnel IP address of 192.192.192.192, then any packets that attempt to pass through the tunnel connection with a source IP address of 192.168.21.3 (or any address other than 192.192.192.192) are dropped.

Furthermore, you can enable filters on the gateway to limit the protocol types that can pass through a tunneled connection.

The Client Selection feature enables you to configure your gateway to accept tunnel connections from third-party clients, in addition to the Nortel Networks Contivity VPN Client.

To completely eliminate security risks, you should not use the split tunneling feature.

Third-party IPsec clients

The client selection feature enables you to configure your gateway to accept tunnel connections from third-party clients, in addition to the Contivity VPN Client.

The Client Selection feature provides more flexibility and mobility than was previously available to remote users who want to connect to your gateway using a client other than the Contivity VPN Client. The alternate method of connecting third-party clients requires you to set up a branch office connection and configure the remote client’s IP address as the connection’s remote gateway address. This branch office method binds a client machine to a fixed IP address. This can be limiting if a user needs to be able to create tunnels from multiple systems, for example, a work desktop system and a mobile laptop.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 42 Chapter 2 Configuring IPsec

With the client selection feature, you establish an account for a remote user, rather than for a remote machine. You set up the account within the realm of remote access users, as has always been done for the Contivity VPN Client users. This gives the remote user the freedom to create tunnels to your gateway from different machines, and from different locations.

When configuring for Contivity VPN Clients, the gateway ignores the “Allow undefined networks for non-Contivity clients” field for clients that are not Contivity clients. The gateway never allows Contivity VPN Clients to connect to undefined networks. All reachable networks must be defined on the Profiles>Networks screen.

When configuring for clients that are not Contivity VPN Clients, the fields that are preceded by an asterisk are not supported. You must select either the Split Tunneling or “Allow undefined networks field for non-Contivity clients” field for clients that are not Contivity VPN Clients. If you select both, the gateway uses the Split Tunneling feature and ignores the “Allow undefined networks” selection.

Note: Nortel Networks recommends that you always specify Split Tunneling for groups used by clients other than Contivity VPN Clients. With Split Tunneling enabled, the third-party clients can only connect to networks that are listed as split tunnel networks on your gateway. This ensures that your gateway has control over the networks that the third-party client can access. If Split Tunneling is disabled and “Allow undefined networks for non-Contivity VPN Clients” is enabled, the clients can connect to all internal networks.

The gateway supports both preshared key and RSA digital signature authentication methods. For clients that are not Contivity VPN Clients, you must specify at least one of these authentication methods on the Services > IPsec screen.

Note: You must ensure that your remote third-party client uses the same Internet Key Exchange (IKE) Phase 1 mode that your gateway uses. For Preshared Key authentication, the gateway uses IKE Aggressive mode. If the client only supports IKE Main mode, it must be configured as a branch office due to the IKE restrictions. For RSA Digital Signature authentication, the gateway uses IKE Main mode.

315899-B Rev 00 Chapter 2 Configuring IPsec 43

RADIUS authentication is not supported. Also, you can configure a static address for the tunnel from a client other than a Contivity VPN Client, or you can allow the client to use its own IP address as the address used within the tunnel.

Configuring IPsec client selections

To configure the client selection:

1 Go to the Profiles > Groups > Edit > IPsec screen. 2 Under Forced logout, you can specify a time after which all active users are automatically logged off for IPsec tunneling. The default is 0, which means the option is turned off. The possible range is 00:00:01 to 23:59:59. 3 Client keepalive uses small packets to check and maintain, or keep alive, the connection between the client and the gateway. Use the Contivity VPN Client to disable keepalives between the gateway and the client. This option allows you to disable keepalives when tunneling over an ISDN link, since the link is not always active. If an idle time-out has been set on the gateway, and keepalives have been disabled on the client, the client might not receive notice that the connection has been closed (due to the Idle Time-out), when the physical ISDN connection is not active.

Note: If the idle time-out on the gateway logs off the client, and the client has client fail-over configured on the Services > IPsec screen, that client then fails over to the defined failover server, rather than being disconnected as desired.

When the Keep Alive parameter is disabled on the client it prevents the gateway and client from exchanging keep alive messages. Therefore, if the connection is lost, the gateway does not realize that the client is no longer connected until the idle time is reached. If the idle time-out can be set to Never, the resulting connection could remain established for a long time, which wastes gateway resources. If the number of Logins is set to 1, which is the default, the client cannot reconnect until the rekey happens, which by default is in 8 hours. If the user has the Disable Keep Alive parameter set on the client, and the connection goes down, the user could be prohibited from reconnecting for 8 hours or more, depending on the rekey value.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 44 Chapter 2 Configuring IPsec

Also, do not set the idle time-out to 0. If you lose the connection in this situation, you must delete the session from the gateway to reconnect. 4 When a static branch office tunnel fails, all packets flowing through the tunnel are dropped. The static tunnel failover feature provides a means to detect and recover from these failures. Static tunnel failover interacts with static route API directly to remove and add static routes associated with a remote network. When a tunneling protocol detects a network failure, the static tunnel API removes static routes associated with the remote network from the route table manager.

Note: When setting up static tunnel failover, you need to configure the primary tunnel as nailed up from the Profiles > Branch Office > Edit > Connectivity screen. It should also have less cost than any secondary tunnels.

5 The client auto connect feature enables remote clients to connect their IPsec tunnel sessions in a single step. This is similar to the way Microsoft Dial-Up Networking automatically connects to an ISP when a Web browser is launched. With auto connect, client users simply click on the desired destination, for example, a Web page on the private internal network. This first starts their dialup connection, then makes the tunnel connection to the gateway, and finally makes the connection to the requested destination. What has, in the past, taken three distinct user operations is now accomplished by a single action. The client auto connect settings specify those network connections that trigger the client’s autoconnect feature. For example, you can specify that whenever a remote client attempts to connect to a site in the xyz.com domain, the client auto connect feature is started. You must make sure that the gateway is configured to allow connections to potential destinations. If the gateway is not configured properly, the remote user might be able to make the connection to the gateway, but cannot access the requested destination. For example, the gateway’s filters might be set up to deny access to finance.xyz.com, while the client auto connect is configured

315899-B Rev 00 Chapter 2 Configuring IPsec 45

to start when connections to the xyz.com domain are received. With this configuration, when a remote client tries to access finance.xyz.com, their connection to their ISP and then to the gateway is automatically started. However, because of the filters, access to finance.xyz.com is denied.

Note: After you enable client auto connect, you must reboot the PC on which the client is running and manually make sure the client can connect to the gateway.

When the client successfully connects to the gateway, the gateway downloads the list of networks and domains that trigger the autoconnect feature. This list, which is stored in the client’s registry, is used to determine whether a tunnel connection should automatically be started when one is not already active.

The following client features apply only to the Contivity VPN Client:

• Banner--You can customize an enterprise login banner for the Contivity VPN Client by entering text into the space provided. This banner appears at the top of the IPsec client upon login. • Password storage on client--You can allow client systems to save the login password in this password list, or you can require that a remote user enter the password with each request for authentication and access to an IPsec tunnel. Click on Enable to allow client systems to save the login password. When using certificates, saving the password on the client is not allowed. • Client policy--Client policy helps prevent potential security violations that could occur when you are using the split tunneling feature. Split tunneling allows client data to travel either through a tunnel to the enterprise network or directly to the Internet. • Client screen saver--Setting this security feature forces the client to use a password in association with the screen saver. When it is enabled, if the user leaves the system while connected to a tunnel, the system then gets locked out of the tunnel when the screen saver kicks in. • Domain name--This setting enables you to specify the name of the domain used while an IPsec tunnel is connected. Specifying the domain name in this field ensures that domain lookup operations point to the correct domain. This is particularly important for clients that use Microsoft Outlook or Exchange,

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 46 Chapter 2 Configuring IPsec

to ensure that the mail server is mapped to the correct domain. When a tunnel is connected, the remote client’s registry is updated to use the specified domain. When the client disconnects the tunnel, the remote client’s original domain is again used.

315899-B Rev 00 47 Chapter 3 Configuring dial interfaces

The System > Dial interfaces screen enables you to configure the RS-232 serial port, the internal V.90 modem, and ISDN parameters.

Support for asynchronous serial interfaces over the serial port and V.90 internal modem provides support for dial backup scenarios. With the serial port this is achieved using an external modem. The modem can be used as a backup service for a leased-line connection between the remote and central offices or between two branch offices. If the primary connectivity goes down, a circuit-switched connection is established and traffic is rerouted. When the primary link is restored, traffic is redirected to the leased line, and the modem call is released.

In addition to backup services applications, these interfaces can also be used to dial into the gateway to manage it using the browser-based management interface screens. The serial ports allow you to run the serial menu through a direct cable connection.

The Dial Interfaces, including the V.90 modem, serial port, or ISDN connection, can be used for backup services. Backup interface services (BIS) provide an automated mechanism to enable a backup interface when a designated primary connection fails.

Configuring dial interfaces

To configure dial interfaces:

1 Select System > Dial Interfaces on the Contivity Secure IP Services Gateway menu. The Dial Interface screen appears. (For information about specific fields or parameters in the screens, refer to the online help.)

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 48 Chapter 3 Configuring dial interfaces

Figure 7 System > Dial Interfaces screen

2 Use the Select radio button to select a specific interface to configure. You can then configure the interface or view statistics about it. 3 Click Configure. The Interface Configuration screen appears. The fields in the Interface Configuration screen are different, depending on the Port Mode setting. You use the Interface Configuration screen to configure the dial interface settings for the currently selected interface.

315899-B Rev 00 Chapter 3 Configuring dial interfaces 49

Figure 8 System > Dial Interfaces > Configuration - PPP Port Mode screen

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 50 Chapter 3 Configuring dial interfaces

Figure 9 System > Dial Interfaces > Configuration - Serial Port Mode screen

4 The port mode setting, either Serial Menu, PPP or Auto Detect, is shown as it is currently set on the Switch Settings screen. If the port mode is PPP, the screen changes to allow you to configure PPP specific parameters. 5 Click Modify System Settings to access the System > Switch Settings screen to change the port mode. You can select PPP to support modem communications, Serial Menu to support a direct connection via the gateway’s serial port, or Auto Detect. 6 The Interface Filter Status indicates if the Contivity Interface Filter is enabled and in use or disabled. The filter can be enabled and disabled using the Services > Firewall/NAT screen. 7 Select the interface filter from the list of available filter options. You can click New Interface Filter to access the Profiles > Filters screen if you want to create a new interface filter to apply to this dial interface. 8 Enter a description for the interface. 9 Provide an ID for the circuit. 10 Enter the dial out phone number. 11 Select whether the interface is private or public. 12 Click the Configure PPP button to access the Configuring PPP screen to configure IP addresses, if desired.

315899-B Rev 00 Chapter 3 Configuring dial interfaces 51

Configuring the modem

1 Select Configure Modem in the Dial Interfaces > Interface Configuration screen to access the Configure Modem screen. Use this screen to set the modem parameters. You can also access the Modem Commands screen from the Configure Modem screen.

The fields in the top section of the screen provide information about the dial interface being configured, including the slot in which the interface is installed, the interface number, the type of interface, Serial or Com, and the port mode setting.

Figure 10 System > Dial Interfaces > Configuration > Configure Modem screen

2 Select the desired baud rate from the list of options available. 3 Select from the list of available options to set the Auto Answer setting. 4 Enter the initialization string that you want to use with the modem. The default is +++ATZ. 5 Enter the termination string that you want to use with the modem. The default is +++ATH.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 52 Chapter 3 Configuring dial interfaces

6 Enter the dial prefix string that you want to use with the modem. The default is +++ATDT. 7 To send commands directly to the modem, click Modem Commands.

The modem commands screen appears when you select the Modem Commands button in the Configure Modem screen. This screen enables you to send commands and receive responses from the modem.

Figure 11 System > Dial Interfaces > Configuration > Configure Modem > Modem Commands screen

8 Enter the modem command in this field. 9 Click Apply. 10 The modem response section shows the modem’s reply to commands entered.

315899-B Rev 00 Chapter 3 Configuring dial interfaces 53

Configuring PPP

Figure 12 Sytem > Dial Interfaces > Configure PPP screen

1 Enter a text description for the connection in the Description field. 2 The default IP local and remote address settings are set to Accept Negotiated Address. You can change the local and/or the remote IP addresses to specific values by selecting Specify IP Address. 3 If you select Specify IP Address, enter the IP address and the subnet mask you want to apply to the local end of the connection. 4 Click Authentication Settings to go to the Authentication Settings screen in order to configure the authentication parameters for the interface. See the

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 54 Chapter 3 Configuring dial interfaces

online help for information about specific fields in the PPP Authentication Settings screen.

Note: The authentication client and server settings apply to the PPP connection only. The authentication client information is designed to be used by the Contivity gateway when dialing and logging into a Dial-In Server. The authentication server settings on a Contivity are only used when some one dials into that Contivity gateway (the Contivity gateway is acting as the dial-in server). To prevent anyone from dialing into a Contivity and getting access to the network, incoming authentication is always enabled and the default user name and password are the same as what is stored in memory. The default user name and password can be overridden through the "Authentication Server" username and password fields. "Authentication Server" is less often used for dial-out calls. You can use it to effect bi-directional authentication.

5 Click Advanced Settings to access the Advanced Settings screen, which provides additional, advanced parameters for PPP. See the online help for information about specific fields in the PPP Advanced Settings screen.

Configuring ISDN BRI

315899-B Rev 00 Chapter 3 Configuring dial interfaces 55

Figure 13 System > Dial Interfaces > Interface Configuration

1 Enter a text description for the connection in the Description field. 2 Provide an ID for the circuit. 3 Select the interface filter from the list of available filter options. You can click New Interface Filter to access the Profiles > Filters screen if you want to create a new interface filter to apply to this dial interface. 4 Enter the ISDN dial out phone number. 5 Select whether the interface is private or public. 6 To configure the PPP settings for the connection, click Configure PPP. The Configure PPP screen appears. See Configuring PPP for more information. 7 Click Configure ISDN BRI to configure ISDN device parameters. The BRI Configuration screen appears.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 56 Chapter 3 Configuring dial interfaces

Figure 14 System > Dial Interfaces > Interface Configuration > BRI Configuration

8 Select the Country Code for which country or continent this Contivity gateway will operate in. When you select this command, the gateway automatically loads country-specific information. Each country or continent has a set of valid ISDN switch types.

Note: Not all ISDN parameters are valid for all countries.

315899-B Rev 00 Chapter 3 Configuring dial interfaces 57

9 Use this option to enable and disable the automatic switch detection option for ISDN BRI. This command applies to type NI-2 ISDN switches only (North America only). • Auto - Specifies that the ISDN switch type will be automatically detected. • Disable - Disables automatic ISDN switch type detection. • On-reset - Specifies that the ISDN switch type will be automatically detected after the gateway is reset. 10 Select the switch type based on your location.

Location Switch types Europe ETSI Hong Kong HKT Japan KDD NTT Korea KOR North America Lucent 5E10 DMS-100 NI-2

11 Enable the DOVBS option to implement data over voice bearer services (DOVBS). An adaptation rate of 56 Kb/s is typically used to send digital data over a call line that is used for voice communication.

Note: This command does not apply to all countries and all switch types. Check with your local ISDN provider.

12 Use the Auto SPID Detect option to enable automatic detection of the service profile ID (SPID) for ISDN BRI. This command applies only to NI-2 ISDN switches (North America only). Automatic detection of the SPID is set to disabled by default. 13 Enter Local Phone Numbers 1 and 2 for SPID 1 and 2. 14 Set the SPID 1 and SPID 2 options to set the service profile IDs (SPID) for registration of the B channel with the service provider’s ISDN switch. If you

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 58 Chapter 3 Configuring dial interfaces

do not have an SPID number (used mostly in North America), select none as the SPID number. 15 Set the Manual TEI option to specify that the terminal end-point identifier (TEI) will be entered manually. Some switches do not support automatic TEI. The TEI number is obtained from the local ISDN provider. 16 Use the Dial Out MultiLink option to enable multilink for outgoing calls. If enabled, outgoing calls are a bundling of two B-channels into a 128 Kbps pipe to provide higher bandwidth on an "as needed" basis. 17 Use the Dial In MultiLink option to enable multilink for an incoming call. If enabled, incoming call will be negotiated for multilink, if the other side is capable of doing multilink. If it is not capable, the call will fall back to plain PPP, and the incoming call will be negotiated for no multilink. 18 Enable Auto Answer to enable automatic answering of incoming calls. Select Disable to disable the automatic answering of incoming calls. The default is disabled. 19 Click OK to save the ISDN device settings and return to the System > Dial Interfaces > Interface Configuration screen. 20 Click Connect to make the defined ISDN connection.

Note: ISDN cannot be configured as an on-demand connection. ISDN can only be used by manually making the connection or with BIS to backup a failed connection.

315899-B Rev 00 59 Chapter 4 Configuring PPTP

The Point-to-Point Tunneling Protocol (PPTP) is supported by Nortel Networks and several other vendors. The Microsoft PPTP client is available for Windows* 95, Windows NT Workstation (Version 4.0), Windows ME, and Windows NT* Server (except Version 3.51). The Microsoft PPTP client is bundled with Windows 98 software. Network TeleSystems (www.nts.com) provides tunneling product support for Windows 3.1 and Macintosh* operating systems.

You can obtain the PPTP client upgrade for Windows 95 directly from Microsoft (www.microsoft.com). Installation instructions are also available from this site.

The PPTP client software is on the Contivity Secure IP Services Gateway CD and is built into the Windows NT operating system. PPTP offers the following features:

• Connections can be made from a range of clients without requiring special ISP services. • The PPTP client is available for the most common client operating systems. • PPTP supports IP address translation using encapsulation, support for IPX tunneling, and RC4 encryption (either 56- or 128-bit, within the limits of United States export law).

Configuring PPTP settings

You can change the default values for PPTP settings at any of these levels:

• Services > PPTP • Profiles > Groups > Edit > PPTP Settings • Profiles > Branch Office > Edit Connection > PPTP Tunnel Type

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 60 Chapter 4 Configuring PPTP

To change global PPTP settings:

1 Select Services > PPTP on the Contivity Secure IP Services Gateway menu.

Figure 15 PPTP screen

2 Configure the Authentication settings. PPTP settings allow you to select a specific authentication server type, for example, RADIUS. Each server type allows you to specify an authentication scheme: MS-CHAP, CHAP, PAP, None or PAP or CHAP.

Note: Not all RADIUS servers support all forms of authentication. Failure to match PPP authentication methods with RADIUS server capabilities results in user-authentication failures. Check your vendor’s RADIUS documentation for additional information.

315899-B Rev 00 Chapter 4 Configuring PPTP 61

3 Configure the PPP Multilink setting. Use the list box to toggle the PPP Multilink between enabled and disabled. PPP Multilink allows a user to open multiple PPP connections to a given host. (Refer to RFC 2701 for a complete description of PPP Multilink.) 4 Configure the Authentication Order. The Authentication Order table lists the corresponding servers, authentication types, associated groups, and actions. The LDAP server is always queried first, then RADIUS, if applicable.

Configuring group PPTP settings

To change group PPTP settings:

1 Select Profiles > Groups, then click Edit for the associated group that you want to configure. 2 Click Configure in the PPTP section of the screen. The PPTP screen appears.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 62 Chapter 4 Configuring PPTP

Figure 16 Groups Edit PPTP screen

3 Click the Configure button for a specific parameter to make changes to that parameter. Click Configure in the All Fields section to edit all parameters at the same time. Use the Inherited button to set all fields to their inherited values. 4 Select one or more of the PPTP Authentication methods. 5 Configure the compression setting. Click to enable the PPTP Microsoft Point-to-Point Compression (MPPC) packet compression. Compression should be used when encryption is selected on analog modems. This is because encryption renders a modem’s compression ineffective, and it can severely affect the performance of compressible applications. Also, data that is compressed before being transmitted makes more efficient use of lower speed network links.

You should use data compression in most typical situations. Users with cable modems or xDSL connections to the ISP, or locally on the LAN, would find it

315899-B Rev 00 Chapter 4 Configuring PPTP 63

is probably unnecessary to compress packets. This is because the speed of the link, relative to the rate of compression and the benefit of compressing before encrypting, might be negligible or might not increase performance.

Also, some data cannot be compressed; for example, a previously compressed file does not lend itself well to additional compression. 6 Set the Use Client-Specified Address parameter. Click to enable use of a Client-Specified Address. This option allows the gateways to accept the IP address from a remote user's system during tunnel setup. This option is Disabled by default.

When enabled and the client provides an IP address, this is the IP address that is used by the client for the duration of the tunneled session (it becomes the first or default choice). 7 Enter the Primary DNS. Enter the address of the Primary Domain Name System (DNS) server that is located on your private network. This DNS address is provided by the server to tunnel clients at setup and is used through the tunnel. The DNS server translates textual host names into IP addresses for the gateways. For example, DNS can translate the fully qualified host www.mycompany.com to its IP address 192.19.2.33.

Always use the IP address for setting a DNS server host instead of a domain name. 8 Enter the Secondary DNS. Enter an address for the Secondary Domain Name System (DNS) server. If the Primary DNS server is unavailable, service is requested of the Secondary DNS server. 9 Enter the Primary WINS. Enter an address for the primary Windows Internet Naming Service (WINS) server. A WINS server resolves NetBIOS names (for Windows networking file and print services) to IP addresses. Using a WINS server enables normal Windows file and print services to be accessed correctly through a tunnel connection.

Windows NT Server Version 4.0 and later supports a built-in WINS server.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 64 Chapter 4 Configuring PPTP

The WINS server eliminates the need to manually map NetBIOS names to IP addresses (for example, using the textual LMHOSTS file on Windows) by updating a name-to-address mapping file dynamically on the WINS server.

Note: If no WINS servers are specified, the client is forced to broadcast for NetBIOS names.

10 Enter an address for the Secondary Windows Internet Naming Service (WINS) server; if the Primary WINS server is unavailable, service is requested of the Secondary WINS server.

315899-B Rev 00 Chapter 4 Configuring PPTP 65

Configuring branch office connection PPTP settings

To change PPTP settings for a branch office connection:

1 Select Profiles > Branch Office, then click Edit for the associated connection that you want to configure. 2 To configure PPTP settings, select PPTP as the tunnel type.

Figure 17 Branch Office Edit Connection screen

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 66 Chapter 4 Configuring PPTP

3 Select one of the PPTP Authentication methods. Click the drop-down list and select the authentication method that you want to use for the branch office connection.

Note: When you change the Authentication Type, the screen immediately changes to reflect the requirements of the new authentication method. Any changes that you might have made on the Authentication part of the previous screen are lost.

4 Enter the local user ID and password for the local gateways that you are configuring. 5 Enter the user ID of the remote gateways that you are configuring in the Peer field. 6 Enter the password for the UID, then confirm the password to verify that you entered it correctly. If you selected a variation of MS-CHAP V2 authentication, no password is required for the Local UID. 7 Select a Compression setting. Click to Enable or Disable compression. Click to enable the IPsec Hi/fn LZS compression or the PPTP, L2TP, or L2F Microsoft Point-to-Point Compression (MPPC) packet compression. Compression should be used when encryption is selected on analog modems. This is because encryption renders a modem’s compression ineffective, and it can severely affect the performance of compressible applications. Also, data that is compressed before being transmitted makes more efficient use of lower speed network links. 8 Select the Compression/encryption stateless mode. Click to Enable or Disable this selection. This selection is not used if encryption and compression are both disabled.

315899-B Rev 00 67 Chapter 5 Configuring L2TP

Layer 2 Tunneling Protocol (L2TP) is supported by Nortel Networks and other vendors. L2TP combines the best features of the L2F and PPTP tunneling protocols. L2TP tunneling allows secure remote access to corporate networks across the public Internet. L2TP tunnels are generally established between a network access server (NAS) at the ISP and the gateway.

L2TP allows you to specify MS-CHAP, CHAP, or PAP authentication, enable compression, and assign DNS and WINS servers to the tunnel.

You can use IPsec transport-protected L2TP tunneling for both remote access traffic and branch office tunnel traffic. Windows 2000 can act as a peer in a branch office connection using L2TP/IPsec or IPsec tunnel mode. Also, Windows 2000 can act as a client using L2TP/IPsec. Authentication for L2TP/IPsec tunnels can be either shared secret or digital certificate. It also provides configuration support for both voluntary and compulsory L2TP/IPsec remote access connections. (Windows 2000 authentication must be digital certificate.)

The gateway supports IPsec transport mode to support the termination of Microsoft Windows 2000 L2TP/IPsec connections and to provide security for L2TP traffic for client-to-gateway connections and gateway-to-gateway connections.

Note: You must use stateless mode for L2TP tunnels if you have an environment where packets might be lost. Stateful mode forces the tunnel to drop more packets once a packet loss is detected. Multicast does not work over a Contivity OSPF L2TP tunnel through a Cisco router.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 68 Chapter 5 Configuring L2TP

Configuring L2TP settings

L2TP parameters are configured on a global level on the Services > L2TP screen and individually for groups and branch office connections from the Profiles menu.

• Global IPsec L2TP is configured globally on the Services > L2TP screen. • Group L2TP Group L2TP settings are configured on the Profiles > Groups > Edit > L2TP screen. • Branch Office Connection L2TP Branch office connection L2TP settings are configured on the Profiles > Branch Office > Edit Connection screen.

To change global L2TP settings:

1 Select Services > L2TP. The Services > L2TP screen appears.

315899-B Rev 00 Chapter 5 Configuring L2TP 69

Figure 18 L2TP settings screen

2 Configure L2TP authentication. L2TP settings allow you to select a specific authentication server type; for example, RADIUS. Each server type allows you to specify an authentication scheme: MS-CHAP, CHAP, PAP, None or PAP or CHAP.

3 To enable PPP Multilink, select Enabled in the list box. 4 Configure L2TP Authentication Order. The Authentication Order table lists the corresponding servers, authentication types, associated groups, and actions. The LDAP server is always queried first, then RADIUS, if applicable. 5 Configure L2TP Access Concentrators.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 70 Chapter 5 Configuring L2TP

• Delete−Click to remove the configured concentrator. You are prompted to confirm your deletion request. • Add−Click to go to the Add L2TP Access Concentrator screen. • Edit−Click to go to the Edit L2TP Access Concentrator screen and modify the settings of an existing concentrator. The L2TP Add Access Concentrators screen allows you to configure the authentication between the gateway and the NAS. Use the Edit Access Concentrators screen to modify the information for an existing concentrator.

Configuring group L2TP settings

To change group level L2TP settings:

1 Select Profiles > Groups, then click Edit for the associated group that you want to configure. The Edit Group screen appears. 2 Click Configure in the L2TP section of the screen. The Groups > Edit > L2TP screen appears.

315899-B Rev 00 Chapter 5 Configuring L2TP 71

Figure 19 Groups Edit L2TP screen

3 Click the Configure button for a specific parameter to make changes to that parameter. Click Configure in the All Fields section to edit all parameters at the same time. Use the Inherited button to set all fields to their inherited values. 4 Select one or more of the L2TP Authentication methods. 5 Configure the compression setting. Click to enable the L2TP Microsoft Point-to-Point Compression (MPPC) packet compression. Compression should be used when encryption is selected on analog modems. This is because encryption renders a modem’s compression ineffective, and it can severely affect the performance of compressible applications. Also, data that is compressed before being transmitted makes more efficient use of lower speed network links.

You should use data compression in most situations. Users with cable

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 72 Chapter 5 Configuring L2TP

modems or xDSL connections to the ISP, or locally on the LAN, would find it is probably unnecessary to compress packets. This is because the speed of the link, relative to the rate of compression and the benefit of compressing before encrypting, might be negligible or might not increase performance.

Also, some data cannot be compressed; for example, a previously compressed file does not lend itself well to additional compression. 6 Set the Use Client-Specified Address parameter. Click to enable use of a Client-Specified Address. This option allows the gateway to accept the IP address from a remote user's system during tunnel setup. This option is Disabled by default.

When enabled and the client provides an IP address, this is the IP address that is used by the client for the duration of the tunneled session (it becomes the first or default choice). 7 Enter the Primary DNS. Enter the address of the Primary Domain Name System (DNS) server that is located on your private network. This DNS address is provided by the server to tunnel clients at setup and is used through the tunnel. The DNS server translates textual host names into IP addresses for the gateway. For example, DNS can translate the fully qualified host www.mycompany.com to its IP address 192.19.2.33.

315899-B Rev 00 Chapter 5 Configuring L2TP 73

Windows NT Server Version 4.0 and later supports a built-in WINS server. The WINS server eliminates the need to manually map NetBIOS names to IP addresses (for example, using the textual LMHOSTS file on Windows) by updating a name-to-address mapping file dynamically on the WINS server.

Note: If no WINS servers are specified, the client is forced to broadcast for NetBIOS names.

10 Enter an address for the Secondary Windows Internet Naming Service (WINS) server; if the Primary WINS server is unavailable, service is requested of the Secondary WINS server.

Configuring branch office connection L2TP settings

To change L2TP settings for a branch office connection:

1 Select Profiles > Branch Office, then click Edit for the associated connection that you want to configure. The Branch Office > Edit Connection screen appears.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 74 Chapter 5 Configuring L2TP

Figure 20 Branch Office Edit Connection screen

2 To configure L2TP settings, select L2TP as the tunnel type. 3 Select one of the L2TP Authentication methods. Click the drop-down list and select the authentication method that you want to use for the branch office connection.

4 Enter the local user ID and password for the local gateway that you are configuring. 5 Enter the user ID of the remote gateway that you are configuring.

315899-B Rev 00 Chapter 5 Configuring L2TP 75

6 Enter the password for the UID, then confirm the password to verify that you entered it correctly. If you selected a variation of MS-CHAP V2 authentication, no password is required for the Local UID. 7 Select a Compression setting. Click to enable the L2TP Microsoft Point-to-Point Compression (MPPC) packet compression. Compression should be used when encryption is selected on analog modems. This is because encryption renders a modem’s compression ineffective, and it can severely affect the performance of compressible applications. Also, data that is compressed before being transmitted makes more efficient use of lower speed network links. 8 Select the Compression/encryption stateless mode. Click to Enable or Disable this selection. This selection is not used if encryption and compression are both disabled. 9 Select an L2TP access concentrator. Use this entry to specify the L2TP Access Concentrator that you want to perform authentication between the gateway and the NAS. You can use the New L2TP Access Concentrator link to jump to the screen where you can create a new access concentrator. 10 Select an IPsec data protection level.

Configuring L2TP over IPsec

Windows 2000 supports only L2TP with IPsec transport mode for remote access or branch office. (L2TP cannot be used without IPsec.) It supports only RSA Digital Certificates for IPsec transport authentication with the gateway. Windows 2000 Professional Server or Advanced Server can act as a Windows 2000 L2TP/ IPsec client to a gateway server.

To configure L2TP over IPsec on the gateway:

1 Configure an L2TP user account on the gateway through the Profiles > Users page and enter an L2TP user ID and password. 2 Before doing any per-user configuration, the gateway must be issued a certificate and must have the issuer’s certificate installed. a Generate a certificate request from the System > Certificates page. This request can be transferred to a CA server that issues the certificate. The certificate can then be installed from the same page.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 76 Chapter 5 Configuring L2TP

b You must also install the CA server’s certificate on the gateway through the System > Certificates page. If the Windows 2000 certificate is issued by a different CA, you must also install its certificate. 3 Configure an IPsec transport account on the gateway in one of three ways: • Configure the Subject DN or Alternate Subject Name of the Windows 2000 certificate on the same page as the L2TP user account. Pull down the Valid Issuer Certificate Authority and select the CA who issued the Windows 2000 certificate. Pull down the Server Certificate and choose the gateway’s certificate to be returned to Windows 2000. Windows 2000 checks the issuer’s certificate also, so choose a certificate issued by a CA that Windows 2000 knows about. You may also check the Require Own IPsec Credentials now if you want to ensure that this L2TP user always uses this IPsec transport account. • Go to the System > Certificates page and select the Enable Allow All Feature check box. For the CA that issued the Windows 2000 certificate, select the Allow All Enabled check box. Select a user group from the Default Group pull-down. Be sure the user group selected has Allow IPsec Transport enabled and configured (not inherited) in its IPsec group properties. This configuration is very useful when L2TP user accounts are in RADIUS, since no L2TP or IPsec transport information needs to be stored in the LDAP server per user. • Create a separate user that contains the IPsec transport account. Set up the account as described in the first option. Do not check the Require Own IPsec Credentials for either this user or the L2TP user. This configuration is supported mainly for L2TP user accounts that are in RADIUS or compulsory tunneling (many L2TP users sharing an IPsec transport connection). Alternatively (for testing), you could install a single certificate on multiple Windows 2000 PCs, in which case they would be sharing a single IPsec transport account. Windows 2000 does not support compulsory tunneling. 4 Configure the L2TP profile for the user: a At a minimum, you must set the desired minimum data protection level for the user. L2TP traffic arriving through an IPsec transport that does not meet this requirement is discarded. This is done in the L2TP properties of the group and therefore applies to all L2TP users under this group. No checking is done to determine whether the selection makes sense. For example, selecting 3DES as the minimum protection level implies that 3DES must be able to be negotiated with the Windows 2000 PC. To do

315899-B Rev 00 Chapter 5 Configuring L2TP 77

this, DES must be enabled in the Services... IPsec page, must be enabled in the IPsec properties of the group containing the IPsec transport account, and must be configured on the Windows 2000 machine as an acceptable encryption type. Table 1 describes the mapping of minimum data protection levels.

Table 1 Mapping minimum data protection levels to encryption levels

Minimum data protection level Encryption levels 128-bit AES ESP-AES with SHA1 Integrity Triple DES ESP-Triple DES with SHA1 Integrity ESP-Triple DES with MD5 Integrity 56-bit DES ESP-Triple DES with SHA1 Integrity ESP-Triple DES with MD5 Integrity ESP-56-bit DES with SHA1 Integrity ESP-56-bit DES with MD5 Integrity 40-bit DES ESP-Triple DES with SHA1 Integrity ESP-Triple DES with MD5 Integrity ESP-56-bit DES with SHA1 Integrity ESP-56-bit DES with MD5 Integrity ESP-40-bit DES with SHA1 Integrity ESP-40-bit DES with MD5 Integrity Authentication only ESP-Triple DES with SHA1 Integrity ESP-Triple DES with MD5 Integrity ESP-56-bit DES with SHA1 Integrity ESP-56-bit DES with MD5 Integrity ESP-40-bit DES with MD5 Integrity ESP-40-bit DES with SHA1 Integrity ESP-NULL (Authentication Only) with SHA1 Integrity ESP-NULL (Authentication Only) with MD5 Integrity AH-Authentication Only (HMAC-SHA1) AH-Authentication Only (HMAC-MD5)

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 78 Chapter 5 Configuring L2TP

Table 1 Mapping minimum data protection levels to encryption levels (continued)

Minimum data protection level Encryption levels Not required ESP-Triple DES with SHA1 Integrity ESP-Triple DES with MD5 Integrity ESP-56-bit DES with SHA1 Integrity ESP-56-bit DES with MD5 Integrity ESP-40-bit DES with SHA1 Integrity ESP-40-bit DES with MD5 Integrity ESP-NULL (Authentication Only) with SHA1 Integrity ESP-NULL (Authentication Only) with MD5 Integrity AH-Authentication Only (HMAC-SHA1) AH-Authentication Only (HMAC-MD5) Data is allowed through even if it does not come through an IPsec transport with this data protection level.

b If the Require Own IPsec Credentials check box is not selected on the L2TP user page, Require IPsec Credentials from Group must select a user group that contains a set of allowed IPsec transport accounts. These IPsec transport accounts may be contained at any level below this group. L2TP traffic that arrives through an IPsec transport not contained in this group is discarded. c Turn on compression in the L2TP group properties if compression is desired. Compression for the PPP traffic is done if both the gateway and Windows 2000 agree that compression is enabled. Windows 2000 does not support compression at the IPsec transport level. d Authentication may be MSCHAPV1, MSCHAPV2, CHAP, or PAP. Of these, Windows 2000 prefers to perform MSCHAPV2 followed by MSCHAPV1 followed by CHAP followed by PAP. Windows 2000 does sure the Not Encrypted check box is also enabled. 5 Configure the IPsec transport profile by making sure Allow IPsec Transport is enabled in the group containing the IPsec transport account. 6 By default, Windows 2000 does not have Perfect Forward Secrecy (PFS) enabled. It is enabled by default on the gateway. These two settings are not compatible and generate an appropriate error indicating such in the event log when a connection is attempted. To disable PFS on the gateway, go to the IPsec properties of the IPsec transport group and disable PFS.

315899-B Rev 00 Chapter 5 Configuring L2TP 79

Windows 2000 configuration

Windows 2000 Professional, Server or Advanced Server may act as a Windows 2000 L2TP/IPsec client to a gateway server. The steps for configuring the Windows 2000 side of this follow. To install a certificate on the Windows 2000 PC using a Windows 2000 Microsoft CA, connect to a CA server and get a certificate. This involves pointing a browser at the CA server with the URL / certsrv.

1 Choose Request a Certificate. 2 Choose Advanced request. 3 Submit a certificate request to this CA using a form. 4 On the form provide the identifying information. This becomes the subject DN in the certificate that is entered on the gateway IPsec transport account. 5 Choose IPsec Certificate as the Intended Purpose. 6 Select Use local machine store under Key Options. 7 When the certificate has been issued at the CA server, return to the first page. 8 Choose Check on a pending certificate. 9 Click Install this certificate. This installs the certificate in the local computer certificate store. To view this store, run the mmc command from the Start > Run prompt. Select Console > Add/Remove Snap-in. From the list of snap-ins, choose Certificates and select Computer account. At the console, expand Personal > Certificates under Certificates (Local Computer). The installed certificate should appear. Clicking on it brings up an information window that indicates its validity and that a private key exists for this certificate.

To install the CA server certificate for the Windows 2000:

1 If the gateway’s certificate was issued by a different CA, that server’s certificate should also be installed. For the Microsoft CA, go back to the home page and select Retrieve the CA certificate or certificate revocation list. 2 Click on the Install this CA certification path. This installs the CA certificate as a trusted CA, which can be seen in mmc under Trusted Root Certificates > Certificates.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 80 Chapter 5 Configuring L2TP

To set up the dial-up networking entry to use L2TP over IPsec:

1 Click on My Computer and click on Network and Dial-up Connections. Click on Make New Connection. 2 Choose Connect to a private network through the Internet for the network connection type. 3 Enter the interface address of the gateway server. 4 Edit the properties of this new connection and select the Networking tab. Change the Type of VPN server to L2TP. 5 Connect to the gateway using the L2TP user ID and password entered on the gateway. The certificate installed previously is automatically used to set up the IPsec transport connection.

Configuring branch office for L2TP over IPsec

Windows 2000 Server or Advanced Server may act as a Windows 2000 L2TP/ IPsec gateway to a gateway. Both static routing and dynamic (RIP and OSPF) routing are possible through this branch connection.

To configure the gateway:

1 Configure an L2TP branch connection on the gateway. Go to Profiles > Branch Office. 2 Enter the IP address of the Windows 2000 server as the remote endpoint. Select L2TP as the tunnel type. 3 Choose MS-CHAPV2 unencrypted as the authentication type. 4 Enter a local UID for the gateway. 5 Enter a peer UID for Windows 2000. 6 Enter a shared password. 7 Select L2TP if you want compression. As with remote access, compression is not supported on Windows 2000 for the IPsec transport connection. 8 If you want L2TP tunnel authentication supported, you must provide an L2TP Access Concentrator definition. Windows 2000 does not support L2TP tunnel authentication.

315899-B Rev 00 Chapter 5 Configuring L2TP 81

9 Select the minimum data protection level. If you select anything other than Not Required, you must set up an IPsec account. Mappings of data protection levels to encryption levels are exactly as shown in Table 1 on page 77. 10 As with remote access, the IPsec transport account must be set up. By default, Windows 2000 supports only certificate authentication, so a process exactly like that described for remote access must be performed. The CA Allow All authentication option is not available for branch office connections. The L2TP branch office must use the IPsec transport account specified in the connection if data protection is required. 11 You can set up routing as either static or dynamic.

To configure Windows 2000:

1 You must install a certificate for Windows 2000 and the CA certificates as described above. 2 Start the Routing and Remote Access administrative tool. 3 Right-click on Routing Interfaces and choose New Demand-dial Interface. 4 Choose the name of the branch connection. This name becomes the L2TP user ID of the gateway. MSCHAPV2 is case sensitive for user IDs. To ensure interoperability with the gateway, use lowercase user IDs. 5 Select Connect using VPN. 6 Select L2TP as the VPN type. 7 Enter the interface address of the gateway. 8 Select Route IP packets on this interface and select Add a user account so a remote router can dial in. 9 Select a password for the gateway L2TP user ID. If the gateway initiates branch office connections to Windows 2000, this password must match that entered on the gateway Branch Office Connection page. If not, then this password does not matter. 10 Choose the Windows 2000 L2TP user ID and the shared password. If the Windows 2000 initiates branch office connections to the gateway, this password must match that entered on the gateway Branch Office Connection page. The Domain field may be left blank.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 82 Chapter 5 Configuring L2TP

11 The gateway supports only MSCHAPV2 as a branch office L2TP authentication method, so be sure you enable this method in the properties (it is by default). 12 If you want static routes to demand dial on this connection, expand IP Routing > Static Routes and right-click on New Static Route. Select the interface just created and enter the subnet information. Be sure you enable Use this route to initiate demand-dial connections. Alternatively, you can dial the connection by right-clicking on it and selecting Connect.

315899-B Rev 00 83 Chapter 6 Configuring L2F

The L2F (Layer 2 Forwarding) tunneling protocol is supported by Nortel Networks and other vendors. L2F tunneling allows remote access to corporate networks across the public Internet. L2F tunnels are generally established between the network access server at the ISP and the gateway.

There is no direct client software required for L2F beyond the PPP dialer software, such as the dial-up networking utility provided with Windows 95 and Windows 98. L2F tunnels are actually made from the ISP to the corporate gateway on behalf of the user. These connections depend on the domain associated with the dial-in username. Therefore, ISPs must offer services that are based on L2F; currently, L2F is available on a limited basis. L2F provides IP address translation using encapsulation and support for IPX tunneling, but it does not perform encryption. L2F offers the following features:

• Requires special ISP services • No requirement for special software on the client • No data encryption

Configuring L2F settings

L2F parameters are configured on a global level on the Services > L2F screen and individually for groups, users, and branch offices from the Profiles menu.

• Global L2F L2F is configured globally on the Services > L2F screen. • Group L2F Group L2F settings are configured on the Profiles > Groups > Edit > L2F screen.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 84 Chapter 6 Configuring L2F

Configuring global L2F settings

To change global L2F settings:

1 Select Services > L2F. The L2F Settings screen appears.

Figure 21 L2F screen

2 Configure L2F authentication. L2F allows you to add a RADIUS server for authentication. The Authentication portion of this screen allows you to specify an authentication scheme of either CHAP or PAP. 3 Configure the L2F authentication order. The Authentication Order table lists the corresponding servers, authentication types, associated groups, and actions. The LDAP server is always queried first, then RADIUS, if applicable. 4 Configure Network Access Servers. This table provides the UIDs for the network access servers (NAS) and gateway, and the possible Actions you can

315899-B Rev 00 Chapter 6 Configuring L2F 85

take. The NAS acts like a middleman between the remote user and the gateway. It authenticates each side, and once validation is complete, a tunnel is formed. The user has a standard connection (for example, PPP) to the NAS, but an L2F tunnel is formed between the NAS and the gateway.

Configuring group L2F settings

To change group L2F settings:

1 Select Profiles > Groups, then click Edit for the associated group that you want to configure. The Edit Group screen appears. 2 Click Configure in the L2F section of the screen. The Groups > Edit > L2F screen appears.

Figure 22 Groups Edit L2F screen

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 86 Chapter 6 Configuring L2F

3 Select one or more of the L2F Authentication methods. 4 Configure the compression setting. Click to enable the L2F Microsoft Point-to-Point Compression (MPPC) packet compression. Compression should be used when encryption is selected on analog modems. This is because encryption renders a modem’s compression ineffective, and it can severely affect the performance of compressible applications. Also, data that is compressed before being transmitted makes more efficient use of lower speed network links.

You should use data compression in most typical situations. Users with cable modems or xDSL connections to the ISP, or locally on the LAN, would find it is probably unnecessary to compress packets. This is because the speed of the link, relative to the rate of compression and the benefit of compressing before encrypting, might be negligible or might not increase performance.

Also, some data cannot be compressed; for example, a previously compressed file does not lend itself well to additional compression. 5 Set the Use Client-Specified Address parameter. Click to enable use of a Client-Specified Address. This option allows the gateway to accept the IP address from a remote user’s system during tunnel setup. This option is Disabled by default.

When enabled and the client provides an IP address, this is the IP address that is used by the client for the duration of the tunneled session (it becomes the first or default choice). 6 Enter the Primary DNS. Enter the address of the Primary Domain Name System (DNS) server that is located on your private network. This DNS address is provided by the server to tunnel clients at setup and is used through the tunnel. The DNS server translates textual host names into IP addresses for the gateway. For example, DNS can translate the fully qualified host www.mycompany.com to its IP address 192.19.2.33.

315899-B Rev 00 Chapter 6 Configuring L2F 87

Always use the IP address for setting a DNS server host instead of a domain name. 7 Enter the Secondary DNS. Enter an address for the Secondary Domain Name System (DNS) server. If the Primary DNS server is unavailable, service is requested of the Secondary DNS server.

8 Enter the Primary WINS. Enter an address for the primary Windows Internet Naming Service (WINS) server. A WINS server resolves NetBIOS names (for Windows networking file and print services) to IP addresses. Using a WINS server enables normal Windows file and print services to be accessed correctly through a tunnel connection.

Note: If no WINS servers are specified, the client is forced to broadcast for NetBIOS names.

9 Enter an address for the Secondary Windows Internet Naming Service (WINS) server; if the Primary WINS server is unavailable, service is requested of the Secondary WINS server.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 88 Chapter 6 Configuring L2F

315899-B Rev 00 89 Chapter 7 Configuring PPPoE

Point-to-Point Protocol over Ethernet (PPPoE) allows PPP to run over Ethernet. Typically, PPP runs over serial interfaces and in most cases runs over phone lines connected to a server.

With DSL and cable modems, where a personal computer is connected to the Ethernet interface of the modem, ISPs cannot run PPP because PPP cannot run directly over Ethernet. ISPs often prefer to use PPP to provide features such as user authentication and bandwidth monitoring.

Typically, PPPoE is set up in two different configurations: PPPoE for the single user (Figure 23) or PPPoE on a local network. For locations with single computers, the PPPoE client is typically loaded on the computer and it reaches the PPPoE server through the Ethernet connection via the DSL modem. The DSL modem then forwards the packets to the WAN interface without interpreting the PPPoE packets. The PPPoE packets reach their final destination (PPPoE server) for further handling. This implementation is in compliance with RFC 2516.

Figure 23 PPPoE for single user

Internet PC Modem

PPPoE Server 10750EA

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 90 Chapter 7 Configuring PPPoE

The second configuration is usually seen in multi-computer locations, small offices, or branch offices where the entire LAN is connected to the Internet via DSL or cable modem. In this case, either the modem or the gateway acts as a PPPoE client. Figure 24 shows how a Contivity 1100 gateway connected to the DSL modem acts as the PPPoE client. In this configuration, the PPPoE client encapsulates the LAN traffic in the PPPoE header and forwards it to the PPPoE server.

Figure 24 PPPoE on a local network

Contivity 1010 Internet Modem Contivity Switch PC PPPoE Server

PC 10749EA

PPPoE has the following usage restrictions:

• PPPoE MTU limitation of 1492 bytes. (Reset PC from MTU=1500 to MTU=1492) • Must set the appropriate filter (deny all by default) • PPPoE changes are not dynamically applied (must bounce service for edits) • Must be set on a public Ethernet interface • Must set the Administrative State to enabled (disabled by default) • PPPoE is supported as only one session on one interface

315899-B Rev 00 Chapter 7 Configuring PPPoE 91

• Cannot use dynamic routing on PPPoE interfaces (unless tunneling)

Note: Due to DNS-Ping packet traffic on the PPPoE on demand link, it does not go into IDLE/ TIMEOUT state. In the process of doing a health check on the DNS servers, it sends out DNS-Ping packet traffic, which sends traffic over the PPPoE link if there is a DNS server configured that can be reached over this link. This keeps the PPPoE link up. The status of the DNS servers can be checked using the HealthCheck and the System > Identity screens on the GUI. The Alert LED will not come on if there is a DNS Server Alert.

Configuring PPPoE settings

To configure PPPoE:

1 Go to the System > LAN screen. 2 Choose a public interface, select PPPoE from the Protocol list, and click on Apply.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 92 Chapter 7 Configuring PPPoE

Figure 25 System LAN screen

3 On the Add PPPoE Interface screen, select permit all for the Interface Filter and click on OK. 4 From the System > LAN screen, click on the Edit button, and the Edit PPPoE Interface screen appears.

315899-B Rev 00 Chapter 7 Configuring PPPoE 93

Figure 26 Edit PPPoE screen

a Enable the administrative state to activate. b Enable On Demand. The default is disabled (nailed PPPoE service). c Enter the Idle Timeout parameter value from the range specified on the screen to specify n minutes of inactivity after which to tear down the connection. d Enter a value from the range specified on the screen to indicate the cost of the connection. e Optionally, enter a service name that describes the connection. You should use this field only if the ISP has provided a service name. f Enter the local IP address, which is dynamically assigned to the interface. The default 0.0.0.0 indicates that the address will dynamically come from the ISP server. 5 For PPP Authentication Settings, click on Configure. The default authentication is None. The PPP Local Authentication screen appears.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 94 Chapter 7 Configuring PPPoE

Figure 27 PPP Local Authentication screen

a Select either PAP or CHAP. b Enter the UID. c Enter a password. d Click on OK. 6 For PPP Advanced Settings, click on Configure. The PPP Advanced screen appears.

315899-B Rev 00 Chapter 7 Configuring PPPoE 95

Figure 28 PPP Advanced screen

a Configure the appropriate LCP and IPCP options. b Click on OK.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 96 Chapter 7 Configuring PPPoE

315899-B Rev 00 97 Chapter 8 Configuring PPP

The Point-to-Point Protocol (PPP) is a standard for transporting multi-protocol datagrams over point-to-point links. PPP has three main components:

• Encapsulation for multi-protocol datagrams. • A Link Control Protocol (LCP) for establishing, configuring, and testing the data-link connection. • Network Control Protocols (NCPs) for establishing and configuring different network-layer protocols.

For more information, see RFC 1661.

Configuring PPP settings

To configure PPP settings:

1 Select System > WAN on the Contivity Secure IP Services Gateway menu. The System > WAN Interfaces screen appears.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 98 Chapter 8 Configuring PPP

Figure 29 System WAN Interfaces screen

2 Select the interface that you want to configure by clicking the associated radio button in the Select column and then clicking Configure. The System > WAN Interfaces > Configure screen appears. The System WAN Configure screen contains information common to all WAN link protocols and interfaces.

315899-B Rev 00 Chapter 8 Configuring PPP 99

Figure 30 WAN Interfaces Configure screen

3 Enter an optional description of the interface in the Description field. 4 Enter a unique text name in the Circuit ID field. 5 Select an Interface Filter from the drop-down list. 6 Select PPP from the Protocol drop-down list. The default is PPP. 7 Click Configure. The System > WAN Interfaces > Configure > Configure PPP screen appears. Information about the interface is given at the top of the screen, including the slot number and interface number.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 100 Chapter 8 Configuring PPP

Figure 31 WAN Interfaces Configure PPP screen

8 Enter a description. 9 Enter the IP address. 10 Specify the remote IP address setting. 11 Select the interface type, public or private. 12 Click PPP Authentication settings to configure the PPP authentication settings for this interface, including Local PAP and CHAP User IDs and Passwords. The System > WAN Interfaces > Configure PPP > Authentication screen appears. (To configure a CSU/DSU, click Configure CSU/DSU. Refer to Chapter 11, “Configuring a T1 CSU/DSU,” on page 123.)

315899-B Rev 00 Chapter 8 Configuring PPP 101

Figure 32 WAN Interfaces Configure PPP Authentication screen

13 Select the appropriate authentication type, PAP or CHAP, as required by the ISP. If authentication is not required, select None. 14 The ISP providing the WAN connection to the gateway might require a user ID and password. If so, enter and confirm the password. Click OK to save the settings and return to the Configure PPP screen. 15 You can optionally click Configure PPP Advanced Settings to further configure the PPP interface, including Link Control Protocol (LCP) and IP Control Protocol (IPCP) settings. The PPP Advanced Settings screen appears.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 102 Chapter 8 Configuring PPP

Figure 33 WAN Interfaces Configure PPP Advanced Settings screen

16 The Link Control Protocol (LCP) session negotiates various link options between the gateway and the ISP.

Click Address Control Field Compression to enable Address Control Field Compression, which then compresses the Address Control Field and reduces packet overhead by one byte. Address Control Field compression is Disabled by default.

Click Protocol Field Compression to enable Protocol Field Compression, which then compresses the Protocol Field and reduces packet overhead by one byte. Protocol Field Compression is disabled by default.

Set the Echo Fault Threshold. You can set the number of times LCP attempts an Echo request without receiving a reply. The link is dropped when the number of echo requests exceeds the number in the Echo Fault Threshold box. The range is 0 to 255 (0 indicates disabled); default is 1.

315899-B Rev 00 Chapter 8 Configuring PPP 103

Set the Echo Interval. You can set the Echo request Interval in seconds. Use this interval along with the value of the Echo Fault Threshold box to determine if a link has been disconnected. The range is 0 to 255; default is 0 (disabled). 17 The IP Control Protocol (IPCP) settings allow you to specify certain dial-up networking attributes. Typically, IPCP handles address assignment and configuration of domain name system (DNS) or windows Internet naming service (WINS) server settings.

Set the VJ Negotiation. Click to enable Van Jacobson (VJ) Compression Negotiation VJ Compression compresses the TCP/IP header fields on a per TCP/IP flow basis and reduces packet overhead. VJ Negotiation is disabled by default.

Set the VJ Connect ID Compression Negotiation. Click to enable Van Jacobson (VJ) Connect ID Compression, which then further reduces the VJ compression header and increases packet transmission performance. This option is used only when a single TCP/IP flow is active at any single time over the link. VJ-style TCP/IP header compression identification is Disabled by default.

Set the VJ Max Slots. This is the Maximum number of concurrent VJ-compressed TCP/IP flows. The range is from 2 to 16; default is 8. 18 In the LCP/NCP section of the screen, set the Interface Debug option, if needed. This option, under the Link Control Protocol/Network Control Protocol, sends PPP control packets to the Event log. This is a Nortel Networks internal Customer Support utility that helps diagnose and troubleshoot WAN interface problems. 19 Click OK to save the settings and return to the System > WAN Interfaces > Configure > Configure PPP screen.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 104 Chapter 8 Configuring PPP

Figure 34 WAN Interfaces Configure PPP CSU/DSU screen

315899-B Rev 00 105 Chapter 9 Configuring frame relay

Frame relay is a high-speed, packet-switching WAN protocol that connects geographically dispersed LANs. Frame relay (FR) is usually offered by a public network provider; however, private organizations can acquire and manage their own frame relay networks as well. You can configure frame relay on any WAN interface on the gateway.

Frame relay is a connection-oriented protocol, which means that it relies on end-to-end paths between devices connected across the network. It implements these connections using permanent virtual circuits (PVCs) or switched virtual circuits (SVCs). Contivity Secure IP Services Gateway supports PVCs.

The Contivity Secure IP Services Gateway functions as a frame relay access device (FRAD) in a frame relay network. In frame relay, there are multiple virtual point-to-point connections (virtual circuits) on a single physical interface. Each virtual circuit has a unique local IP/remote IP point-to-point connection.

Each PVC on the Contivity Secure IP Services Gateway is a separate IP address. With frame relay, IP addresses are assigned to virtual circuits, and the virtual circuit is in turn associated with a physical interface. Also, there may be multiple PVCs on a single physical interface, and hence multiple IP interfaces on a single physical interface. In PPP, there is only a single IP address per physical interface.

Figure 35 shows a single public interface to an ISP. In this scenario, a frame relay PVC is configured between Contivity 1 and the ISP for Contivity 2 and 3. The PVC replaces a dedicated PPP connection. The frame relay PVC is generally less expensive than the dedicated PPP link.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 106 Chapter 9 Configuring frame relay

Figure 35 Frame relay single public interface to ISP

Figure 36 shows three frame relay PVCs (logical connections) running over a single interface on Contivity 1. These logical connections would not be possible using PPP. The connections in this example do not have to be branch office tunnels. They could also be unsecure, clear text connections over the secure frame relay private network.

315899-B Rev 00 Chapter 9 Configuring frame relay 107

Figure 36 Frame relay multiple public interfaces

Figure 37 shows a gateway between an existing frame relay network and a new IP VPN network. Contivity 1 acts as a gateway between the newer unsecure public network (Internet) and the older, secure frame relay private network. Contivity 1 is connected to Contivity 2 and 3 using a branch office tunnel over a frame relay PVC. Contivity 1 is also connected to the BayRS router using a clear text WAN connection over another frame relay PVC, which takes advantage of the WAN as secure interface.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 108 Chapter 9 Configuring frame relay

Figure 37 Gateway between frame relay network and VPN network

Permanent virtual circuits

A permanent virtual circuit (PVC) is a dedicated logical path that connects two devices over a network. When configured, a PVC is always available to the connected devices; a PVC does not require setup before data can travel across the network, nor does it need to be disconnected after data has passed. Because many PVCs can coexist for one physical line, devices can share the bandwidth of the transmission line.

RFC 1490

RFC 1490 defines the encapsulation method for sending data across a frame relay network. Nortel Networks routers implement RFC 1490 for all protocols that Nortel Networks supports over frame relay networks.

315899-B Rev 00 Chapter 9 Configuring frame relay 109

Traffic shaping

Traffic shaping relieves bottlenecks in topologies with high-speed connections to the central site, and low-speed connections at remote sites. Committed information rate enforcement and quality of service are the major components of Nortel Networks traffic shaping. The traffic shaping parameters are defined in CCITT I.370.

Committed information rate

The committed information rate (CIR) is the rate at which the network supports data transfer under normal operations. Its name is descriptive: you have a contract with your carrier, who has committed to providing a given throughput, here called the committed information rate. The CIR is measured in bits per second. You configure this value that the carrier provides per virtual circuit.

When configuring the CIR, consider the following:

• CIR of 0

You can contract with a carrier for a CIR of 0, which yields best-effort service at low cost. The carrier transmits data, but does not commit to providing a specified throughput. To configure a CIR of 0, set both the throughput (which is the CIR) and the committed burst (Bc) to 0, and set the excess burst (Be) to a value greater than 0. For more information about burst rates, see the next section, “Committed burst rate and excess burst rate.”

• Maximum CIR

The maximum CIR should not be greater than the speed of the access line on the slower end of a virtual circuit. In a big pipe/little pipe topology, likely CIRs at the remote sites would be 32 Kb/s, 56 Kb/s, or 64 Kb/s. If you configure CIRs for these virtual circuits at the central site, you can use CIR enforcement (described in the next topic) to prevent the big pipe from sending traffic that exceeds the PVC CIRs.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 110 Chapter 9 Configuring frame relay

• CIR enforcement

CIR enforcement means restricting the speed of outbound traffic to a rate no faster than the CIR. It is the major component of traffic shaping. You can configure CIR enforcement to operate over Synchronous, High-Speed Serial Interface (HSSI), T1, E1, and Integrated Services Digital Network (ISDN) lines, for frame relay backup, demand, bandwidth-on-demand, and leased lines at the virtual circuit level. CIR enforcement operates on whole frames only. It controls congestion either by bringing down the virtual circuit, or by throttling the traffic.

Committed burst rate and excess burst rate

The committed burst size (Bc) defines the number of bits that the router can transmit over a specified time interval (Tc) when congestion is occurring. The excess burst size (Be) defines the number of extra bits that the router attempts to send over the Tc when there is no congestion. Both the Bc and the Be are values that you configure.

The sum of the Bc and the Be is the maximum amount of traffic that can travel across the network per Tc when there is no congestion. If you set the Be to a value greater than zero, the router can send traffic exceeding the CIR. To enforce the CIR, that is, to limit traffic that the router can send to the amount of the CIR, set the Be to 0.

If you enable congestion control and set the congestion method to throttle, the virtual circuit sends only Bc bits of data over the time interval Tc when congestion occurs, even if you have configured the Be to a value greater than 0. It queues the excess data until congestion abates. If you set the congestion method to throttle-then-shutdown, the virtual circuit first queues traffic when congestion occurs, and then terminates the virtual circuit if throttling does not alleviate congestion.

Traffic shaping configuration notes

Traffic shaping is best used at central offices to prevent the “big pipe” from sending too much data too quickly to remote sites with “little pipes.” This concept should guide your decisions about how to configure traffic shaping.

Consider the following when you configure traffic shaping:

315899-B Rev 00 Chapter 9 Configuring frame relay 111

• In general, the value you assign to the Bc should equal 1/4 of the CIR to avoid excessive queuing and dropped packets.

If, however, you are sending frames that exceed the size of the Bc, data travels slowly because the router must use multiple time periods to accommodate the packet size and avoid exceeding the CIR. If setting the Bc to 1/4 of the CIR yields a value lower than the packet size, set the Bc to 1/3 or even 1/2 of the CIR. For example, a typical TFTP frame is 548 bytes. If the CIR is 16,000 bits, the Bc configured according to the 1/4 guideline would be 4,000 bits, or 500 bytes, which is not big enough to accommodate a TFTP frame.

If you set the Bc to 16,000/2, or 1/2 CIR, the result is 8,000 bits, or a packet size of 1,000 bytes, which works, but may result in excessive queuing because the Tc is 1/2 second. If you set the Bc to 16,000/3, or 1/3 CIR, the result is a Bc of 5,333 bits or 666 bytes, much closer to the 548 TFTP frame size. • If you cannot predict the typical frame size, monitor frame relay shaping statistics for numbers of large frames and dropped frames. If either of these numbers is increasing constantly or dramatically, adjust the Bc to a higher value in small increments.

Overview of frame relay configuration

Each physical WAN interface may be configured to run either PPP or frame relay as a link protocol, but not both simultaneously. However, in a Contivity gateway with multiple WAN interfaces, one interface may run PPP and another interface may run frame relay. PPP is the default link protocol.

Frame relay on the Contivity gateway acts as a UNI device; it does not support NNI. Each WAN link can be configured to run either PPP (the default) or frame relay. Each frame relay link can be a switched (default) or direct connection.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 112 Chapter 9 Configuring frame relay

The gateway type is set on a per-link basis. The possible setting are ITU-T and ANSI. This determines both the LMI format and the FECN/BECN processing. The LMI Poll Interval Timer and Poll Interval Counter may be configured when LMI is enabled.

Note: Only ~1500 byte (Ethernet maximum) sized frames are supported. Any larger frames will be discarded as excessively long frames. This is an implementation limitation, not a protocol limitation.

Configuring frame relay settings

To configure frame relay settings:

1 Select System > WAN on the Contivity Secure IP Services Gateway menu. The System > WAN Interfaces screen appears.

Figure 38 WAN Interfaces screem

2 Select the interface that you want to configure by clicking the associated radio button in the Select column and then clicking Configure.

315899-B Rev 00 Chapter 9 Configuring frame relay 113

The System > WAN Interfaces > Configure screen appears. The System WAN configure screen contains information common to all WAN link protocols and interfaces.

Figure 39 Interfaces Configure screen

3 Enter an optional description of the interface in the Description field. 4 Enter a unique text name in the Circuit ID field. This field is optional. This is a character string specified by the circuit vendor. It can be useful when communicating with the vendor during troubleshooting.

Note: Note that while Circuit ID is defined in the T1/E1 MIB (RFC 1406) it is applicable to almost any WAN connection, and so it is configured at the interface level.

5 Select an Interface Filter from the drop-down list. 6 Select FR from the Protocol drop-down list. The default is PPP.

Note: When you change from frame relay to PPP, you lose all configured frame relay virtual circuits.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 114 Chapter 9 Configuring frame relay

7 Click Configure. The System > WAN Interfaces > Configure > Frame Relay screen appears.

Figure 40 Interface Configure Frame Relay screen

8 Enable the Debug checkbox to have packet information logged in the Event Log. 9 Choose the connection type, either switched or direct.

To connect to a frame relay gateway, the connection type must be set to “switched.” In this mode, the gateway type is user configurable. The gateway type determines both the LMI format and the FECN/BECN processing.

Two Contivity gateways can be directly connected without an intervening frame relay gateway via the interface connection type “direct.” When direct mode is selected, LMI messages are disabled and FECN/BECN processing is not performed. The UNI is defined by FRF 1.1. 10 Select the gateway type, either ITU-T, ANSI or ILMI. 11 Enter a value for the LMI (Local Management Interface) poll interval timer. The gateway supports LMI, as defined in ITU-T Q.933 annex A and ANSI

315899-B Rev 00 Chapter 9 Configuring frame relay 115

T1.617 Annex D. The LMI type is determined by the gateway type parameter when the physical interface is in the switched mode. This parameter also determines the FECN/BECN processing. LMI is disabled when the physical interface is in the direct mode. • Minimum: 5 • Maximum: 30 • Default: 10 12 Enter a value for the LMI (Local Management Interface) poll interval counter. • Minimum: 1 • Maximum: 255 • Default: 6 13 Click Configure Virtual Circuit. The System > WAN Interfaces > Configure > Frame Relay > VC screen appears. Each frame relay PVC is individually configured.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 116 Chapter 9 Configuring frame relay

Figure 41 Interfaces Configure Frame Relay VC screen

14 Enter a description. This is the same user-entered text description used by the existing physical interfaces. 15 Select the state for the VC. This is the same as the physical interface enable/ disable. There are 4 values: TRUE, TRUE_DEBUG, FALSE, FALSE_DEBUG. The _DEBUG values cause the packet to displayed in the event log. 16 Select the VC protocol, IP MPoFR. 17 Specify the Local IP address (static). 18 Select the interface. This is the same public/private (or untrusted/trusted) parameter used by the existing physical interfaces. 19 Specify the remote IP address (static). 20 Enter a value for the DLCI (Data Link Connection Identifier) parameter.

315899-B Rev 00 Chapter 9 Configuring frame relay 117

21 Enter a value for the CIR (Committed Information Rate) parameter. The supported range is 0 to the maximum line speed. The default is 0.

The Contivity gateway supports traffic shaping and congestion control as defined in CCITT I.370. The traffic shaping parameters, CIR, Bc, and Be, are configured on a per-VC basis. FECN/BECN processing is supported as defined in ANSI T1.618 Annex A. The DE flag is not set. CLLM is not supported.

22 Enter a value for the Bc (Committed Burst Size) parameter. The supported range is 0 to the maximum line speed. The default is 0.

23 Enter a value for the Be (Excess Burst Size) parameter. The supported range is 0 to the maximum line speed. The default is the maximum line speed. 24 Click Statistics to view collected statistics for the interface. 25 Use the Add button to create and define additional PVCs on the interface.

Frame relay monitoring

Statistics are collected on both a per-link and a per-PVC basis, and are displayed through MIBs, CLI, and the Admin > Healthcheck screen. Statistics are divided into two categories: generic statistics and frame-relay specific statistics. The generic statistics apply to any data link and are reported through the MIB-II ifTable (RFC 2233). All the statistics are reported, even if they are not collected. Any statistic which is not collected is reported as zero.

Frame relay OM statistics

All the frame relay related statistics can be displayed through the Admin > Healthcheck screen and through the CLI. Statistics not collected are reported as zero. Statistics are initialized to 0 when an object is enabled.

These statistics support the CLI show interface serial command.

IP statistics

The current per-WAN interface statistics are collected on a per-PVC basis. They are not collected on a per-frame relay interface basis.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 118 Chapter 9 Configuring frame relay

315899-B Rev 00 119 Chapter 10 Configuring IPX

The Internetwork Packet Exchange (IPX protocol is the Novell* adaptation of the Xerox Networking System (XNS) protocol. IPX has the following characteristics:

• It is a connectionless datagram delivery protocol. A datagram is a unit of data that contains all of the addressing information required for it to be delivered to its destination. • It does not guarantee the delivery of packets. Higher-level protocols assume the responsibility for reliability.

The gateway supports IPX by encapsulating IPX traffic within PPTP client connections.

Note: The gateway IPX support is not available for the IPsec tunneling protocol.

Overview of IPX

IPX is the network-layer routing protocol used in the Novell NetWare* environment. The primary tasks of IPX are addressing, routing, and switching information packets from one location to another on a network. In a LAN-based client the network interface card (NIC) provides network node addressing; in a tunneled environment, the gateway provides the network node addressing.

Network addresses form the basis of the IPX internetwork addressing scheme for sending packets between network segments. Every network segment of an internetwork is assigned a unique network address by which routers forward packets to their final destination network. On the gateway, all public interfaces are

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 120 Chapter 10 Configuring IPX

treated as a single network segment with a unique network address. A network address in the NetWare environment consists of eight hexadecimal characters. In the following example, 0x indicates that this is a hexadecimal number, and n is any hexadecimal character.

0xnnnnnnnn

Socket numbers are the basis for an IPX intranode address (the address of an individual entity within a node). They allow a process (for example, IPX Routing Information Protocol [RIP] and Service Access Points [SAP]) to distinguish itself to IPX. To be able to communicate on the network, the process must request a socket number. Any packets IPX receives addressed to that socket are then passed on to the process within the node.

The gateway uses IPX RIP and SAP to dynamically learn and advertise IPX routes and services. The gateway assigns IPX addresses to tunneled clients; remote users cannot configure the IPX tunnel address for their systems.

The gateway does not forward IPX packets from a private nontunneled LAN to another private nontunneled LAN, nor does it propagate routing or server tables from a private nontunneled LAN to another private nontunneled LAN.

IPX client

On the PPTP client (for example, Microsoft Dial-Up Networking), you must enable the dial-up networking IPX option. Enabling the IPX option allows you to tunnel using IPX, IP, or IPX and IP according to the dial-up networking selections.

Windows 95 and Windows 98

When running Windows 95 or Windows 98, load the intraNetWare client, which is available from the Novell Web site:

http://www.novell.com

Note: The NetWare client for Windows 95 and Windows 98 does not function properly; therefore, you must use the Novell intraNetWare client when using IPX with PPTP.

315899-B Rev 00 Chapter 10 Configuring IPX 121

Windows NT

The NetWare client is already on Windows NT systems. You can use that or the Novell intraNetWare client, which you can access from the Novell Web site at http://www.novell.com.

Enabling IPX for group users

IPX is disabled on a per-group basis by default. Therefore, you must enable IPX for group users to access IPX. Enable IPX for group users from the Profiles > Groups > Edit > Connectivity screen.

Sample IPX VPN gateway topology

Regardless of the number of IPX public interfaces that are configured on the gateway, they all use the same IPX network address. You must enable the private interfaces that you want to use for IPX traffic, and for each private interface you must configure the IPX network address and IPX frame type. The IPX network address that you configure must match the IPX network address for that LAN, and the IPX frame type must match the IPX frame type for that LAN. In the following figure, the public interface IPX network address that the gateway provides is 0000A100.

In Figure 42, the private interface network address to the NetWare server is 00000B16 and the Frame Type is 802.3; similarly, the private interface network address to the Nortel Networks Router is 00000C22 and the Frame Type is SNAP.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 122 Chapter 10 Configuring IPX

Figure 42 IPX topology

LAN

PPTP Public IP Address (VPN Address)

Contivity VPN gateway

00000B16 0000A100 PDN 00000B16 802.3 Public 802.3 WAN SNAP 00000C22 NetWare Private Server LAN SNAP 00000C22 Nortel Router NetWare 802.2 00000D35 Default Nearest Server 802.2 00000D35

NetWare Server

Note: The Private LAN can also carry IP and IPX traffic simultaneously. The IP addresses are not shown in this figure.

315899-B Rev 00 123 Chapter 11 Configuring a T1 CSU/DSU

Management screens that you access from the System > WAN Interfaces > Configure screen enable you to configure the settings for a T1 with an integrated CSU/DSU, including extended super frame (ESF) framing parameters and adding fractional T1 channels.

Newer T1 services use extended super frame (ESF) framing, which uses out-of-band signaling. The configuration parameters with ESF are:

• Line framing is ESF. • Line coding is B8ZS. • HDLC polarity is normal. • Performance report message value is determined by the T1 service provider.

Older T1 services use super frame (SF) framing, which uses in-band signaling. The configuration parameters with SF are:

• Line framing is SF. • Line coding is AMI. • HDLC polarity is inverted. • Performance report message should be set to “none” as it has no effect in SF framing.

Because SF framing uses in-band signaling, the data can generate a false yellow alarm. These false yellow alarms can be eliminated by setting one fractional T1 channel to “off.” If you have the option of using SF or ESF framing, Nortel Networks recommends ESF framing because it provides better diagnostics and does not generate false yellow alarms.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 124 Chapter 11 Configuring a T1 CSU/DSU

Viewing status

Following is a list of screens that allow you to either configure or view status for the T1 interface with an integrated CSU/DSU:

• System > WAN • System > WAN > Configure • Admin > Health Check • Status > Statistics > WAN Status

Initial configuration takes place when you install the card, and configuration changes are necessary when adding additional fractional T1 channels.

Note: You must restart the gateway after adding a T1 card or after enabling a fractional T1 line.

All of the CSU/DSU commands can be configured through the Web interface, the serial interface, or the command line interface.

Configuring a T1 CSU/DSU

To configure a T1 CSU/DSU:

1 Click Configure CSU/DSU on the System > WAN Interfaces > Configure PPP/Frame Relay screen. The Configure CSU/DSU screen appears.

315899-B Rev 00 Chapter 11 Configuring a T1 CSU/DSU 125

Figure 43 Configure CSU/DSU screen

2 Set the Clock Source. This field sets where the timing is being determined, from the gateway (Internal) or from the T1 service provider (Loop). The clock source is usually set to Loop when connected to a live T1 service. Internal clocking is used for local or test applications only. 3 Set the Line Build Out (dB) value. The line build out value is a power level that is set based on the distance from the CSU/DSU to the T1 service provider’s gateway. If the CSU/DSU card is close by, the gateway requires less power and the line build out value is lower; if the card is far away, the gateway requires more power and the line build out value is higher. This setting is determined by the T1 service provider. Valid options are: • 0.0 • -7.5 • -15.0 • -22.5

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 126 Chapter 11 Configuring a T1 CSU/DSU

4 Set the Line Coding value. This field sets the method of encoding binary digits on the line. The line coding value is supplied by the T1 service provider. Valid options are AMI and B8ZS. 5 Select the HDLC Polarity. This field determines whether or not the user data is inverted. This field must be synchronized with the AMI line coding; otherwise, you might violate the AMI specification. Both the local and the remote CSU/DSU must terminate the T1 data circuit with the same setting: either both using Normal or both using Inverted. Valid options are Normal and Inverted. 6 Set the Line Framing value. This field determines the low-level protocol between the T1 service provider and the gateway. It determines how the data is encapsulated and it handles the signaling for alarms and loopbacks. The newer ESF framing uses out-of-band signaling, while the older SF framing uses in-band signaling. The line framing value is supplied by the T1 service provider. Valid options are SF and ESF. 7 Select the Performance Report Message setting. The Performance Report Message parameter is a part of the ANSI T1 specification. It generates messages that state how many errors there are per second. This value is used with ESF framing only. When using SF framing, this parameter has no effect but should be set to None to avoid any confusion. The Performance Report Message value is supplied by the T1 service provider and are None and ANSI. 8 Enable Fractional T1. A T1 service consists of up to 24 channels. Typically, you purchase the number of necessary channels from the service provider, and you can add additional channels (up to 24) as growth requires. When you add a fractional T1 channel, you must enable it through this parameter and restart the system. Valid options for each of the 24 DS-0 channels are On (checked) and Off (unchecked).

315899-B Rev 00 127 Chapter 12 Configuring Backup Interface Services (BIS)

Backup Interface Services (BIS) provide an automated mechanism that enables a backup interface when a designated primary connection fails. BIS allows for any interface on the Contivity Secure IP Services Gateway to be used as a backup interface. When the primary connection goes down, BIS enables the backup interface using parameters configured in the corresponding BIS profile. The primary connection can be an interface group, a specific route, or a connection to a specific destination.

Backup Interfaces

Any Contivity interface can be configured as a backup interface, not only dial or ISDN interfaces. For example, you could designate any of the following interfaces as a backup interface for a primary T1 circuit on your gateway:

• ISDN interface • Ethernet interface attached to a DSL modem • Dial interface (V.90 modem)

The interface to be used as the backup interface must already be installed and configured before it can be used in a BIS configuration.

Trigger Modes

BIS supports several methods of identifying the failure of a primary connection and triggering of the Backup interface. Different modes to trigger enabling of a backup interface include:

• Interface Group • Route Unreachable

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 128 Chapter 12 Configuring Backup Interface Services (BIS)

• Ping • Time of day

Interface Group Failure

In the context of BIS, an interface group can consist of branch office tunnels, physical interfaces, or a combination of tunnels and interfaces. When you configure an interface group as the BIS trigger, BIS assumes the backup role when all components of the interface group are down.

Note: To back up a single physical interface, you can configure an interface group that contains only that single physical interface. A physical failure—for example, on a WAN interface, the loss of synchronization clocking—will trigger BIS.

When you configure an interface group as a BIS trigger, include business critical tunnels in the group (for example, a tunnel to corporate headquarters). You may not want to include non-business critical tunnels in an interface group, especially if the backup interface is a dial or ISDN interface.

When you configure BIS to activate the backup interface upon failure of an interface group, you can include tunnels and physical interfaces in the interface group.

The time it takes to detect a failure depends on these factors:

• Tunnels: The gateway watches for the loss of IPsec keepalives on the tunnels included in an interface group. By default, IPsec keepalive messages are sent every 15 minutes, so 15 minutes could elapse before the backup interface is triggered. You can reduce the IPsec keepalive interval, but more frequent keepalive messages can burden the central site Contivity gateway. • Physical interfaces: The gateway checks the status of a physical interface included in an interface group every 30 seconds. If a physical interface fails immediately after this check, 30 seconds will elapse before the gateway discovers the failure and activates the backup interface.

315899-B Rev 00 Chapter 12 Configuring Backup Interface Services (BIS) 129

Route Unreachable

You can configure BIS to become active when a specific route times out in the routing table. (To configure a route, execute the network command in Global Configuration mode or go to the Profiles > Networks screen.) If you choose this type of trigger, you must configure at least one static route in the BIS profile so that the Contivity can reach the tunnel end point via the backup interface.

This type of trigger is useful only if your IP network uses RIP or OSPF and if alternative routes exist between end points. If you have not configured redundant routing paths into your network, route timeout and, therefore, BIS activation, can take several minutes to fail over as the Contivity waits for the routing protocol to determine that the route no longer exists.

For example, if you have a direct route and one or more multiple-hop routes to your corporate headquarters and the direct route fails, RIP or OSPF steers the traffic through a multi-hop path. If the connection is completely lost, the route times out in the routing table and triggers BIS. Several minutes could elapse, however, before BIS is triggered.

Ping Failure

You can configure BIS to be triggered by the failure of a ping to a specified destination. The main application for the ping trigger is DSL with attached Ethernet DSL modem. The Contivity pings the device on the other end of the local loop, for example, a DSLAM. In this way, the Contivity determines whether there is a local loop failure or a failed connection to the Internet Service Provider (ISP).

Note: Configure the ping to confirm connectivity to the immediate downstream IP address, for example, the address of the ISP. The IP address to be pinged must not be a Circuitless IP address. Any other implementation of the ping trigger will cause adverse results.

If you choose this type of trigger, you must configure at least one static route in the BIS profile so that the Contivity can reach the tunnel end point via the backup interface.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 130 Chapter 12 Configuring Backup Interface Services (BIS)

Time of day

You can configure BIS to become active at a specific time of day or on specific days of the week.

You can also use a time-of-day specification in conjunction with one of the other trigger types: ping, interface group, or route unreachable. For example, you could configure BIS to be activated when a specific interface group fails, but only during the hours 8:00 through 17:00 Monday through Friday.

You can configure BIS to be triggered by the timing out of a specific route in the routing table. For this type of trigger to be effective, your IP network must use RIP or OSPF and have multiple paths between end points.

Without such a network, route timeout and, therefore, BIS activation, can take several minutes to fail over as the gateway waits for the routing protocol to determine that the route no longer exists. If you have not configured redundant routing paths into your network, then route failure is not a good choice for a BIS trigger.

Usage on an asynchronous branch office tunnel (ABOT)

When configuring an asynchronous branch office tunnel (ABOT) for use over a primary link and a backup link, you must enable the Aggressive Mode Initial Contact Payload parameter on both the initiator and responder side of the ABOT. This parameter can be found under the IPsec parameters on the Profiles > Branch Office > Groups > Configure screen. If you do not have this configured on both sides, the change from the primary interface to the backup interface (or vice versa) will fail for a period of time equal to the ABOT idle timeout on the responder side. If you have not implemented this optional IPsec feature, you can work around the issue by lowering the idle timeout value until the outcome is satisfactory. If you make the idle timeout too low, it can cause unnecessary tunnel tear downs when there is a break in traffic.

Configuring BIS

To configure backup interfaces:

315899-B Rev 00 Chapter 12 Configuring Backup Interface Services (BIS) 131

1 Select Services > Backup Interfaces on the Contivity Secure IP Services Gateway menu. The Backup Interface screen appears. (For information about specific fields or parameters in the screens, refer to the online help.)

Figure 44 Services > Backup Interfaces

2 Check the Enable box in the top section of the screen to globally enable Backup Interface Services on the Contivity Secure IP Services Gateway. 3 Click the Add button in the Interfaces section of the screen to add a backup interface. The Add Backup Interface screen appears.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 132 Chapter 12 Configuring Backup Interface Services (BIS)

Figure 45 Services > Backup Interface > Add Interface

4 Enter a descriptive name for the backup interface configuration and click OK. The Services > Backup Interface > Add Interface > Interface screen appears. You use this screen to configure the backup interface you created. The name of the Backup Interface is shown in the Name field as you entered it in the Add Backup Interface screen.

315899-B Rev 00 Chapter 12 Configuring Backup Interface Services (BIS) 133

Figure 46 Services > Backup Interface > Add Interface > Interface

5 Check the Enabled box to enable this specific Backup Interface configuration. 6 Select a trigger option for this backup interface from the list. Trigger options include Interface Group, Hour, Route Unreachable, and Ping. When you select the trigger, the screen is redrawn to include parameters that must be configured for that specific type of trigger. See the following section for information about configuring each trigger type.

Configuring BIS with Interface Group Trigger 1 When you select Interface Group as the Trigger, the Interface Group trigger parameters are presented in the top section of the screen.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 134 Chapter 12 Configuring Backup Interface Services (BIS)

Figure 47 Interface Group Trigger Parameters

2 Select the Interface Group for which this is the backup interface. To create a new interface group to add to the list, click Add an Interface Group to jump to the Routing > Interface Group screen, which you can use to create the new interface group. 3 Select the Backup Interface (physical interface) that this backup interface will use. 4 You can further restrict this Backup Interface to function only at specific times by setting the Hours parameter. You can use dial-out hours to configure the hours that a calling route is either permitted or denied to make a demand-dial connection. Dial-out hours are applied before the connection is made. If a dial backup connection is still up after dial-out hours, the connection will be disconnected. 5 Configure the default and static routes for the backup interface. See Configuring BIS Default and Static Routes.

Configuring BIS with Hour Trigger 1 When you select Hour as the Trigger, the Hour trigger parameters are presented in the top section of the screen.

315899-B Rev 00 Chapter 12 Configuring Backup Interface Services (BIS) 135

Figure 48 Hours Trigger

2 Select the Backup Interface (physical interface) that this backup interface will use. 3 You can further restrict this Backup Interface to function only at specific times by setting the Hours parameter. You can use dial-out hours to configure the hours that a calling route is either permitted or denied to make a demand-dial connection. Dial-out hours are applied before the connection is made. If a dial backup connection is still up after dial-out hours, the connection will be disconnected. 4 Configure the default and static routes for the backup interface. See Configuring BIS Default and Static Routes.

Configuring BIS with Route Unreachable Trigger 1 When you select Route Unreachable as the Trigger, the route unreachable parameters are presented in the top section of the screen. Use this option to configure a BIS profile that activates the backup interface when a specific route times out in the routing table. This type of trigger requires that your IP network use RIP or OSPF with redundant routes between end points. If the connection is completely lost, the route times out in the routing table and triggers BIS.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 136 Chapter 12 Configuring Backup Interface Services (BIS)

Figure 49 Route Unreachable

Note: To configure a network route use the Profiles > Networks screen.

2 Select the network route connection to monitor in the Route list. Use the Add a Network button to define a network route and add it to the list. 3 Select the Backup Interface (physical interface) that this backup interface will use. 4 You can further restrict this Backup Interface to function only at specific times by setting the Hours parameter. You can use dial-out hours to configure the hours that a calling route is either permitted or denied to make a demand-dial connection. Dial-out hours are applied before the connection is made. If a dial backup connection is still up after dial-out hours, the connection will be disconnected. 5 Configure the default and static routes for the backup interface. See Configuring BIS Default and Static Routes.

315899-B Rev 00 Chapter 12 Configuring Backup Interface Services (BIS) 137

Configuring BIS with Ping Trigger 1 When you select Ping as the Trigger, the Ping trigger parameters are presented in the top section of the screen.

Figure 50 Ping

2 Enter the ping destination address. This is the IP address that you want to regularly ping. This connection is the entity that will be backed up. 3 Select the ping source interface. This specifies the interface on this Contivity gateway that is the source of the ping. 4 Enter the ping delay. This specifies the maximum number of seconds that the gateway waits to receive an ICMP reply before it assumes that the connection has failed and triggers the backup interface. Enter an integer from 1 through 900. The default value is 5. 5 Enter the maximum number of ping retries allowed before the gateway assumes that the connection has failed and triggers the backup interface. Enter an integer from 1 through 6. The default value is 3.

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 138 Chapter 12 Configuring Backup Interface Services (BIS)

6 Select the Backup Interface (physical interface) that this backup interface will use. 7 Select hours of access for the backup interface from the list of existing configured access hours. You can use access hours to restrict the hours that a calling route is either permitted or denied to make a demand-dial connection. Use the Add an Access Hour button to create a new Access Hour. 8 Configure the default and static routes for the backup interface. See Configuring BIS Default and Static Routes.

Configuring BIS Default and Static Routes 1 Use this option to enable a default route for the backup interface. This enables insertion of the default route for this interface in the routing table. 2 Enter the cost of the default route. Enter an integer from 1–4294967295. 3 Enable up to three static routes for the backup interface. 4 Check the Restore Defaults option to restore the original values.

Figure 51 Backup Interface Default and Static Route parameters

315899-B Rev 00 139 Index

A client policy 31 Add Backup Interface 131 client-specified address 63, 72, 86 address control field compression 102 compression 29, 38, 62, 66, 71, 75, 86, 102 asynchronous serial interfaces 47 Country Code 56 authentication 25 customer support 15 branch office 33 methods 62, 66, 71, 74, 86 D Authentication Order 84 Dial In 58 Auto Answer 58 Dial interfaces 47 Auto SPID 57 Dial Out 58 AXENT 21, 26 DNS primary 30, 63, 72, 86 B secondary 30, 63, 72, 87 DOVBS 57 Backup Interface Services enable 131 banner 45 E branch office echo authentication 33 fault threshold 102 interval 103 C enable 131 encryption 26, 38 cable modems 62, 72, 86 certificates branch office 33 F CHAP 60, 69, 84 fail-over 23 client failover autoconnect 44 client 43 domain name 45 forced logout 43 failover 43 full distinguished name password storage 45 branch office 34 policy 45 screen saver 45

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 140 Index

G MPPC 62, 66, 71, 75, 86 MS-CHAP 60, 69 globally 131 MultiLink 58 group ID 26 password 26 N Nailed-Up 39 I NAS 85 IKE NetWare client 121 Internet Key Exchange 27, 38 NI-2 ISDN 57 interface Novell intraNetWare client 121 debug 103 Internetwork Packet Exchange 119 O IPCP settings 103 OmniGuard/Defender 26 IPSec client 39 P third-party clients 41 PAP 60, 69 IPX 119 Point to Point Protocol over Ethernet (PPPoE) 89 IPX client 120 pre-shared key 33 ISAKMP retransmission 39 primary ISDN 55 Windows Internet Naming Service (WINS) 30, ISDN BRI 54 63, 72, 87 ISP 62, 72, 86, 101 product support 15 protocol K field compression 102 publications keepalive 39 hard copy 14 client 43 R L RADIUS LCP 102 L2F 84 load balancing 22 rekey data count 30, 39 rekey timeout 29, 39 M remote identity 33 Manual TEI 58 RFC 2233 117 Microsoft Point-to-Point Compression 62, 66, 71, 75, 86

315899-B Rev 00 Index 141

S primary 30, 63, 72, 87 secondary 31, 64, 73, 87 SecurID 26 Security Dynamics SecurID 21, 26 X serial port 47 xDSL 62, 72, 86 server certificate branch office 35 SPID 57 split tunneling 24, 40 third-party clients 42 static tunnel failover 44 support, Nortel Networks 15

T technical publications 14 technical support 15 TEI 58 third party clients configuring 25 supported 25 third-party clients authentication methods 42 split tunneling 42 third-party IPSec clients 41

V V. 9 0 47 valid issuer certificate authority branch office 33 Van Jacobson compression 103 VJ compression 103 identification compression 103 max slots 103 negotiation 103

W WINS 30, 63, 72, 87

Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services 142 Index

315899-B Rev 00