Nortel VPN Gateway User Guide. Release: 7.1. Document Revision: 02.01. www.nortel.com. NN46120-104 216368-G.
10 PrefaceProduct NamesThe software described in this manual runs on several different hardwaremodels. Whenever the generic terms Nortel VPN Gateway,
100 Certificates and Client AuthenticationCopy-and-Paste CertificatesThe following steps demonstrate how to add a certificate using thecopy-and-paste m
Copy-and-Paste Certificates 1013 Paste the contents of the certificate file at the commandprompt.Now, paste the certificate at the command line interf
102 Certificates and Client AuthenticationIf you have obtained a certificate by other means, however, youmust also add the corresponding private key.-
Using TFTP/FTP/SCP/SFTP to add Certificates and Keys 1034 Apply your changes.>> Certificate 1# applyChanges applied successfully.Your certificat
104 Certificates and Client AuthenticationStep Action1 Put the certificate file and key file on your TFTP/FTP/SCP/SFTP server.Note: You may arrange to
Using TFTP/FTP/SCP/SFTP to add Certificates and Keys 105FTP User (anonymous): <username or press ENTER foranonymous mode>Password: <password
106 Certificates and Client Authenticationdesired VPN, using the /cfg/vpn #/server/ssl /certcommand.To view basic information about configured certifi
Create a New Certificate 107Update Existing CertificateWhenever you wish to substitute an existing certificate for a newcertificate, you should keep th
108 Certificates and Client AuthenticationConfigure a Virtual SSL Server to Require a ClientCertificateThis section describes how to configure client ce
Create a New Certificate 109the information displayed, decide which virtual SSL server toconfigure for client authentication.>> Main# cfg/cur ss
11How This Book Is OrganizedThe chapters in this book are organized as follows:Users Guide“Introducing the VPN Gateway” (page 15) provides an overview
110 Certificates and Client AuthenticationGenerating client certificatesBefore issuing client certificates, you should establish the means ofvalidating
Create a New Certificate 111To view basic information about all available certificates, use the/info/certs command.Note: Only certificates having the
112 Certificates and Client Authentication size is set to 512 bits by default. A 512-bit RSA key is not adequate protection: keys of that size have been factored publicly, so choose at least 2048 bits unless a legacy client leaves no alternative. Note that export versions of Internet Explorer 4
Create a New Certificate 113By saving the certificate, you can later easily access thecertificate by specifying the assigned index number at the certp
114 Certificates and Client AuthenticationExport Client CertificateBefore you transfer the private key and client certificate to the subject,you should
Transmit Private Key and Certificate to User 115Transmit Private Key and Certificate to UserTransmit the client certificate and the pass phrase protect
116 Certificates and Client AuthenticationManaging Revocation of Client CertificatesCertificate revocation lists (CRLs) are maintained by certificate a
Revoking Client Certificates Issued within your Own Organization 117>> Revocation# importSelect protocol (tftp/ftp/scp/sftp) [tftp]: ftpEnter ho
118 Certificates and Client AuthenticationRepeat this step for each serial number you want to add. Todisplay the serial number (along with subject inf
Creating Your Own Certificate Revocation List 119Creating Your Own Certificate Revocation ListYou can easily build and manage certificate revocation li
12 Preface“Syslog Messages” (page 191), contains a list of all syslog messagesthat can be sent to a syslog server that is added to the NVG systemconfi
120 Certificates and Client AuthenticationOr, for a CRL in hexadecimal format, list the serial numbersby their hexadecimal values below the HEX ASCII
Automatic CRL Retrieval 121accordance with RFC 2255).Example:ldap://10.42.128.30:389/cn=VeriSign CRL,o=YourOrganization?CertificateDiscHyphenRevocatio
122 Certificates and Client Authentication>> Automatic CRL# passwdCurrent value: ""Enter password:4 Set the time interval for retrievi
Automatic CRL Retrieval 123Client certificate supportAuthentication with NVG server can be done through NDIC using clientcertificates.Follow these step
124 Certificates and Client AuthenticationSigning CSRsThis feature is primarily used when you have configured the virtual SSLserver to perform end to
Automatic CRL Retrieval 125>> Main# cfg/ssl/server #/adv/sslconnect/verify/cacertsCurrent value: ""Enter certificate numbers (separate
126 Certificates and Client AuthenticationGenerate Test CertificateIf needed, you can generate a self-signed certificate and private key fortesting pur
Automatic CRL Retrieval 127If the NVG software is used for SSL acceleration purposes, thecertificate should be mapped to the virtual SSL server, using
128 Certificates and Client AuthenticationGeneral CommandsThis section includes examples on how to use some general Certificatemenu commands.Show Cert
Show Key Information 129>> Certificate 1# validateValidate: key and certificate match.Show Key SizeThis command is used to show the size of the
13Typographic ConventionsThe following table describes the typographic styles used in this book.Table 1Typographic ConventionsTypeface orSymbolMeaning
130 Certificates and Client Authentication
Nortel VPN Gateway User Guide, NN46120-104 02.01 Standard, 14 April 2008. Copyright © 2007-2008 Nortel Networks.
131.Virtual DesktopSymantec On-Demand Agent (SODA) provides a Virtual Desktopenvironment to secure Web-based applications and services. Therefore,you
132 Virtual DesktopRunning the Virtual Desktop on Client ComputersThe Virtual Desktop runs on computers meeting the followingspecifications:•Pentium 6
Launch Vdesktop from Portal 1337 Click Save.--End--Launch Vdesktop from PortalFollow these steps to launch virtual desktop from portal:Step Action1 Op
134 Virtual DesktopVirtual Desktop OperationsOnce the vdesktop license is installed, you can perform the following tasks:•Print and copy information t
135.The Command Line InterfaceThis chapter explains how to access the Nortel VPN Gateway (NVG)through the command line interface (CLI).The NVG softwar
136 The Command Line InterfaceConnecting to the VPN GatewayYou can access the command line interface in two ways:•Using a console connection through t
Establishing a Telnet Connection 137You will next be required to log in by entering a user name and apassword. For more information about user account
138 The Command Line Interfacetelnet <IP address>You will then be prompted to enter a valid user name and password. Formore information about di
Establishing a Connection Using SSH (Secure Shell) 139configuring or collecting information from the VPN Gateway is encrypted.For information about di
14 PrefaceHow to Get HelpThis section explains how to get help for Nortel products and services.Getting help from the Nortel Web siteThe best way to g
140 The Command Line InterfaceAccessing the NVG ClusterTo enable better NVG management and user accountability, fivecategories of users can access the
Establishing a Connection Using SSH (Secure Shell) 141account name and the corresponding password. The default user accountsand passwords for each acc
142 The Command Line InterfaceCLI vs. SetupOnce the Administrator user password is verified, you are given completeaccess to the VPN Gateway. If the V
Establishing a Connection Using SSH (Secure Shell) 143Command Line History and EditingFor a description of global commands, shortcuts, and command lin
144 The Command Line InterfaceIdle TimeoutThe VPN Gateway will disconnect your local console connectionor remote connection (Telnet or SSH) after 10 m
145.Troubleshooting the NVGThis chapter provides troubleshooting tips for the following problems:•Cannot connect to the Nortel VPN Gateway (NVG) throu
146 Troubleshooting the NVGCannot Connect to VPN Gateway through Telnet orSSHVerify the Current ConfigurationConnect through a console connection and c
Check the IP Address Configuration 147Check the IP Address ConfigurationIf your host is allowed to access the VPN Gateway over the networkaccording to
148 Troubleshooting the NVGCannot Add an NVG to a ClusterWhen trying to add a VPN Gateway to a cluster by selecting join in theSetup menu, you may rec
Add Interface 1 IP Addresses and MIP to Access List 149Cannot Contact the MIPWhen trying to add a VPN Gateway to a cluster by selecting join in theSet
15.Introducing the VPN GatewayThe Nortel VPN Gateway (NVG) software includes two major functionalitygroups:•SSL Acceleration•VPNThese features can be
150 Troubleshooting the NVGAfter having upgraded the software version in the cluster, log in to the VPNGateway you want to add as the Administrator us
Console Connection 151The NVG Stops RespondingTelnet or SSH Connection to the Management IP AddressWhen you are connected to a cluster of VPN Gateways
152 Troubleshooting the NVGA User Password is LostAdministrator User PasswordIf you have lost the Administrator user password there is only one way to
Boot User Password 153An ASA 310-FIPS Stops Processing TrafficWhenever an ASA 310-FIPS has undergone a reboot (whetherintentionally invoked by the user
154 Troubleshooting the NVG>> Main# maint/hsm/loginVerify that HSM-USER iKey (blue) is inserted in card 0(with flashing LED).Hit enter when done
Boot User Password 155Resetting HSM Cards on the ASA 310-FIPSWhen removing an ASA 310-FIPS device from a cluster, you have theoption to reset (or de-i
156 Troubleshooting the NVGStep Action1 Log in to the ASA 310-FIPS that you want to delete from thecluster.In this step it is important that you conne
Boot User Password 157(continued)Verify that HSM-SO iKey (purple) is inserted in card 1(with flashing LED).Hit enter when done.Enter the current HSM-S
158 Troubleshooting the NVGAnASA 310-FIPS Cluster Must be Reconstructedonto New DevicesIf your cluster of ASA 310-FIPS devices has been damaged beyond
Boot User Password 159(new setup, continued)Card 1 successfully initialized.Should new or existing CODE iKeys be used? (new/existing) [new]:existing3
16 Introducing the VPN GatewaySSL AccelerationThe VPN Gateway can function as a peripheral Secure Sockets Layer(SSL) offload platform that attaches to
160 Troubleshooting the NVG(new setup, continued)Enter the old secret passphrase (it is used duringaddition of new iSDs to the cluster):<Enter the
Boot User Password 161(join setup, continued)Verify that CODE-SO iKey (black) is inserted in card 1(with flashing LED).Hit enter when done.Verify that
162 Troubleshooting the NVGlogin: adminPassword:Alteon iSD SSLSoftware version 7.1>> Main# cfg/gtcfgSelect protocol (tftp/ftp/scp/sftp) [tftp]:
aaa 163A User Fails to Connect to the VPNThere can be different reasons for why a user is having difficultyauthenticating to the VPN or why a client c
164 Troubleshooting the NVGThe output first shows groups received from configured authenticationdatabases. In the preceding example the trusted group
tg 165ipsecThe ipsec tag logs any AAA-related output concerning the establishmentof an IPsec tunnel.ippoolThe ippool tag logs messages related to the
166 Troubleshooting the NVGuprefThe upref tag shows information related to retrieval and storage of userpreferences, e.g. Portal bookmarks. For more i
netdirect_packet 167netdirectThe netdirect tag logs information pertaining to the Net Direct clientconnection, e.g. that a connection has been request
168 Troubleshooting the NVGUser Unable to Connect to the VPN Gatewaythrough the Net Direct ClientStart by verifying on your own PC that Net Direct wor
netdirect_packet 169For Linux and Mac (and Windows), is the Java appletwindow displayed properly?If an X is displayed in the Java applet window, check
Getting help through a Nortel distributor or reseller 17VPNThe VPN feature supports remote access to intranet or extranet resources(applications, mail
170 Troubleshooting the NVGVerify that the settings shown corresponds to the settings youhave made in the CLI/BBI. For example, the IP address usedsho
netdirect_packet 171Cannot download the NetDirect Zipped file fromclient PCFollow these steps to download the NetDirect_Zip file:Step Action1 Download
172 Troubleshooting the NVGSystem DiagnosticsA few system diagnostics can be performed on the VPN Gateway.Installed Certificates and Virtual SSL Server
Network Diagnostics 173The screen output provides information about the type of iSD (masteror slave), IP address, network mask, and gateway address fo
174 Troubleshooting the NVGTo capture and analyze decrypted SSL traffic sent between a client and avirtual SSL server, type the following command (whe
Unable to download NetDirect from VPN server 175Unable to download NetDirect from VPN serverAfter installing NetDirect v1.0.2.3+ as a result of upgrad
177. Appendix: Supported Ciphers
The Nortel VPN Gateway (NVG) supports SSL version 2.0, SSL version 3.0, and TLS version 1.0. SSL 2.0 and SSL 3.0 have known protocol-level weaknesses and should be disabled on a virtual SSL server wherever the client population allows it; of the three, only TLS 1.0 should be offered. All ciphers covered in these
178 Supported CiphersTable 6Supported Ciphers (cont’d.)Cipher Name SSLProtocolKey ExchangeAlgorithm,AuthenticationEncryptionAlgorithmMAC DigestAlgorit
Unable to download NetDirect from VPN server 179Cipher List FormatsThe cipher list you specify for a virtual SSL server consists of one or morecipher
18 Introducing the VPN GatewayHardware PlatformsThe VPN Gateway software is supported on the following hardwareplatforms:•Nortel VPN Gateway 3050 and
180 Supported CiphersModifying a Cipher ListStarting from the RC4:ALL:!DH cipher list, an example of a slightlymodified cipher list can be: RC4:ALL:!E
Unable to download NetDirect from VPN server 181Supported Cipher Strings and MeaningsThe following table lists each supported cipher string alias and
182 Supported CiphersTable 7Cipher Strings and Meanings (cont’d.)ADH Cipher suites using anonymous DH encryptionalgorithms.AES Cipher suites using AES
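The cipher-list rules on the preceding pages (colon-separated aliases evaluated left to right, with `!` deleting matching suites for good, `-` deleting them so a later alias can bring them back, `+` moving matches to the end, and `@STRENGTH` sorting by key size) are easy to get wrong by hand, and a list such as `RC4:ALL:!DH` silently keeps export-grade suites. The following Python is an added example written for this page, not NVG software and not OpenSSL: it models that evaluation over a small suite table constructed for the example (the gateway's real table and preference order are not reproduced; as in OpenSSL, `ALL` here excludes NULL-encryption suites and alias combinations with `+` inside a word are not modelled) and then flags the weak suites left in the result.

```python
# Constructed mini table of suites: (name, aliases that select it, key bits).
# It is an illustration only; the gateway's real table and order are not reproduced.
SUITES = [
    ("RC4-SHA",            {"RC4", "RSA", "SHA1"},                  128),
    ("RC4-MD5",            {"RC4", "RSA", "MD5"},                   128),
    ("AES256-SHA",         {"AES", "RSA", "SHA1"},                  256),
    ("AES128-SHA",         {"AES", "RSA", "SHA1"},                  128),
    ("DES-CBC3-SHA",       {"3DES", "RSA", "SHA1"},                 168),
    ("DHE-RSA-AES256-SHA", {"AES", "DH", "EDH", "RSA", "SHA1"},     256),
    ("ADH-AES128-SHA",     {"AES", "DH", "ADH", "SHA1"},            128),
    ("EXP-RC4-MD5",        {"RC4", "RSA", "MD5", "EXP", "EXPORT"},   40),
    ("NULL-SHA",           {"NULL", "RSA", "SHA1"},                   0),
]

# Aliases a practitioner would not want to see in a final list today.
WEAK_ALIASES = {"EXP", "EXPORT", "NULL", "ADH", "RC4", "MD5"}


def _select(word):
    """Suites a single alias (or exact suite name) refers to, in table order."""
    if word == "ALL":
        return [name for name, aliases, _ in SUITES if "NULL" not in aliases]
    return [name for name, aliases, _ in SUITES if word in aliases or word == name]


def evaluate(cipher_string):
    """Evaluate an OpenSSL-style cipher string left to right; return the ordered suite names."""
    bits = {name: b for name, _, b in SUITES}
    selected, killed = [], set()
    for token in cipher_string.split(":"):
        if not token:
            continue
        if token == "@STRENGTH":
            selected.sort(key=lambda n: -bits[n])  # stable sort: ties keep their order
            continue
        op, word = (token[0], token[1:]) if token[0] in "!-+" else ("", token)
        names = _select(word)
        if op == "!":      # delete now and refuse any later re-add
            killed.update(names)
            selected = [n for n in selected if n not in names]
        elif op == "-":    # delete now; a later alias may add the suite back
            selected = [n for n in selected if n not in names]
        elif op == "+":    # keep the suites but move them to the end of the list
            selected = [n for n in selected if n not in names] + [n for n in selected if n in names]
        else:              # add matches not already present and not killed
            selected += [n for n in names if n not in selected and n not in killed]
    return selected


def weak_suites(names):
    """Suites in `names` that are export-grade, unauthenticated, NULL, RC4 or MD5 based, or under 128 bits."""
    info = {name: (aliases, b) for name, aliases, b in SUITES}
    return [n for n in names if info[n][1] < 128 or info[n][0] & WEAK_ALIASES]


if __name__ == "__main__":
    for spec in ("RC4:ALL:!DH", "ALL:!RC4:!EXP:!NULL:!ADH:!MD5:@STRENGTH"):
        result = evaluate(spec)
        print(spec, "->", result, "weak:", weak_suites(result))
```

The difference between `!` and `-` is the part most often misread: `ALL:-RC4:RC4` ends with the RC4 suites at the back of the list, while `ALL:!RC4:RC4` contains none of them.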
183.AppendixThe SNMP AgentThere is one SNMP agent on each Nortel VPN Gateway (NVG), and theagent listens to the IP address of that particular device.
184 The SNMP Agent
Supported MIBs
The VPN Gateway supports the following MIBs:
• SNMPv2-MIB
• SNMP-MPD-MIB
• SNMP-FRAMEWORK-MIB
• SNMP-TARGET-MIB
• SNMP-NOTIFI
SNMP-VIEW-BASED-ACM-MIB 185• snmpBasicNotificationsGroup• snmpCommunityGroupSNMP-MPD-MIBThe following group is implemented:• snmpMPDGroupSNMP-FRAMEWOR
186 The SNMP AgentSNMP-USER-BASED-SM-MIBThe following group is implemented:•usmMIBBasicGroupWrite access to all objects in this MIB is turned off in V
DISMAN-EVENT-MIB 187IP-MIBThe following groups are implemented:•ipGroup•icmpGroupIP-FORWARD-MIBThe following group is implemented:•ipCidrRouteGroupENT
188 The SNMP AgentALTEON-ISD-PLATFORM-MIBThe ALTEON-ISD-PLATFORM-MIB contains the following groups andobjects:• isdClusterGroup• isdResourceGroup• isd
IANAifType-MIB 189Supported TrapsThe following SNMP traps are supported by the VPN Gateway:Table 8Traps Supported by the VPN GatewayTrap Name Descript
Software Features 19Feature ListSoftware FeaturesWeb Portal• Web Portal interface for remote users accessing the VPN Gateway inclientless mode, that i
190 The SNMP AgentTable 8Traps Supported by the VPN Gateway (cont’d.)Trap Name DescriptionlinkUp Sent when the agent detects that one of the links(int
191.AppendixSyslog MessagesThis appendix contains a list of the syslog messages that are sent from theNortel VPN Gateway (NVG) to a Syslog server (whe
192 Syslog MessagesList of Syslog MessagesThis section lists the Syslog messages that can be sent from a VPNGateway to a configured Syslog server. The
ALARM 193ERROR•Config filesystem corruptPossible loss of configuration. Followed by the message Configfilesystem re-initialized - reinstall required o
194 Syslog Messages
Alarm Severity    Syslog Level
MAJOR             CRITICAL
MINOR             ERROR
WARNING           WARNING
*                 ERROR
Alarms are formatted according to the following pattern: I
ALARM 195• Name: copy_software_release_failed Sender: <IP>Cause: copy_failed | bad_release_package | no_release_package |unpack_failedExtra: &qu
196 Syslog Messagesname_resolv | nodename_occupiedExtra:"Severity: warningThe portal handling subsystem cannot be started.When an alarm is cleare
ERROR 197• Name: software_release_copyingSender: <IP>Extra: copy software release <VSN> from other cluster memberIndicates that <IP>
198 Syslog MessagesAn internal error occurred. Contact support with as much informationas possible to reproduce this message.• javascript error: <r
ERROR 199• Bad IP:PORT data <line> in hc scriptBad ip:port found in health check script. Reconfigure the health script.This should normally be c
Nortel VPN Gateway. Release: 7.1. Publication: NN46120-104. Document status: Standard. Document release date: 14 April 2008. Copyright © 2007-2008 Nortel Networks
20 Introducing the VPN GatewayTransparent Mode AccessAccess to intranet resources in transparent mode, that is, without goingthrough the Web Portal, i
200 Syslog MessagesFailed to send troubleshooting log to CLI. Disabling CLI troubleshootinglog.• Can’t bind to local address: <ip>:<port>:
INFO 201WARNING•TPS license limit (<limit>) exceededThe transactions per second (TPS) limit has been exceeded.• No PortalGuard license loaded: V
202 Syslog MessagesNo certificate supplied by backend server when doing SSL connect.Session terminated to backend server.• No CN supplied in server ce
AAA Subsystem Messages 203Generated when more than the maximum allowed backend servershave been configured.• TPS license limit: <limit>TPS limit
204 Syslog MessagesERRORLDAP backend(s) unreachable Vpn=\"<id>\" AuthId=\"<authid>\"In case LDAP server(s) cannot be r
WARNING 205• HTTP Vpn="<id>" Host="<host>" User="<user>" SrcIP="<ip>"Request="<
206 Syslog Messages• Quick mode initiation to %s failed, error - %sQuickmode initiation failed.• All credits are exhausted for Isakmp SAMaximum number
INFO 207This indicates possible badly configured default gateways on someSecure Service Partitioning interface.• Failed to allocate IP addr from empty
208 Syslog Messages• Deleting the QM replaced by new rekeyed QMDeleting the old IPsec SA which has been replaced with the newrekeyed one.• No response
INFO 209Syslog Messages in Alphabetical OrderThis section lists the syslog messages in alphabetical order.Table 9Syslog Messages in Alphabetical Order
Software Features 21Client Security• Tunnel Guard. Feature for checking the security aspects of the remotePC client, that is, installed antivirus soft
210 Syslog MessagesTable 9Syslog Messages in Alphabetical Order (cont’d.)Message Severity Type ExplanationBad clientcert, no matching cacert foundINFO
INFO 211Table 9Syslog Messages in Alphabetical Order (cont’d.)Message Severity Type ExplanationConfig filesystem corrupt ERROR OS Possible loss of con
212 Syslog MessagesTable 9Syslog Messages in Alphabetical Order (cont’d.)Message Severity Type ExplanationDeleting the QM replaced bynew rekeyed QMINF
INFO 213Table 9Syslog Messages in Alphabetical Order (cont’d.)Message Severity Type Explanationfailed to locate correspondingportal for portal authent
214 Syslog MessagesTable 9Syslog Messages in Alphabetical Order (cont’d.)Message Severity Type Explanationhsm_not_logged_in ALARM(CRITICAL)System Cont
INFO 215Table 9Syslog Messages in Alphabetical Order (cont’d.)Message Severity Type ExplanationIgnoring unauthenticatedinformational message from %sWA
216 Syslog MessagesTable 9Syslog Messages in Alphabetical Order (cont’d.)Message Severity Type Explanationjscript.encode error: <reason> ERROR T
INFO 217Table 9Syslog Messages in Alphabetical Order (cont’d.)Message Severity Type Explanationlog_open_failed ALARM(MAJOR)System Control The event lo
218 Syslog MessagesTable 9Syslog Messages in Alphabetical Order (cont’d.)Message Severity Type ExplanationNo Secure Service Partitioninglicense loaded
INFO 219Table 9Syslog Messages in Alphabetical Order (cont’d.)Message Severity Type ExplanationReceived Delete ISAKMP SAmessage from %sINFO IPsec Rece
22 Introducing the VPN Gateway• Private network authentication. Existing authentication servers withinthe customer’s private network can be used.• Acc
220 Syslog MessagesTable 9Syslog Messages in Alphabetical Order (cont’d.)Message Severity Type Explanationsocks error: <reason> ERROR TrafficPro
INFO 221Table 9Syslog Messages in Alphabetical Order (cont’d.)Message Severity Type ExplanationSystem started [isdssl-<version>]INFO System Cont
222 Syslog MessagesTable 9Syslog Messages in Alphabetical Order (cont’d.)Message Severity Type ExplanationVPN LoginFailed Vpn="<id>"Me
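The AAA messages in this appendix carry their fields as quoted `Key="value"` attributes (`Vpn`, `Host`, `User`, `SrcIP`, `Request`), and the alarm table earlier in the appendix maps alarm severities onto syslog levels. The following Python is an added example, not NVG code: it parses messages of that shape, applies the severity mapping, and runs two simple detections over a handful of constructed sample lines (not captured gateway output) modelled on the `VPN LoginFailed` and `HTTP` messages listed above. The `User` and `SrcIP` attributes on the `LoginFailed` lines are an assumption made for the example, since the page truncates that message.

```python
import re
from collections import Counter, defaultdict

# Alarm severity -> syslog level, as tabulated in this appendix. Any other
# alarm severity (the "*" row of the table) is sent at ERROR.
ALARM_TO_SYSLOG = {"MAJOR": "CRITICAL", "MINOR": "ERROR", "WARNING": "WARNING"}


def syslog_level(alarm_severity):
    return ALARM_TO_SYSLOG.get(alarm_severity.upper(), "ERROR")


# Quoted attributes of the form Key="value" (Vpn, Host, User, SrcIP, Request).
ATTR_RE = re.compile(r'(\w+)="([^"]*)"')


def parse_message(line):
    """Split a message into its free-text head and a dict of its quoted attributes."""
    attrs = dict(ATTR_RE.findall(line))
    head = " ".join(ATTR_RE.sub("", line).split())
    return head, attrs


# Constructed sample lines (not captured NVG output). The User/SrcIP attributes
# on the LoginFailed lines are assumed for the example.
SAMPLE_LOG = """\
VPN LoginFailed Vpn="1" User="alice" SrcIP="203.0.113.7"
VPN LoginFailed Vpn="1" User="bob" SrcIP="203.0.113.7"
VPN LoginFailed Vpn="1" User="carol" SrcIP="203.0.113.7"
VPN LoginFailed Vpn="1" User="dave" SrcIP="203.0.113.7"
VPN LoginFailed Vpn="2" User="erin" SrcIP="198.51.100.9"
HTTP Vpn="1" Host="intranet.example" User="alice" SrcIP="203.0.113.7" Request="GET /index.html"
Bad clientcert, no matching cacert found
"""


def failed_logins_by_source(log_text, threshold=3):
    """Source addresses with at least `threshold` VPN LoginFailed messages."""
    counts = Counter()
    for line in log_text.splitlines():
        head, attrs = parse_message(line)
        if head == "VPN LoginFailed" and "SrcIP" in attrs:
            counts[attrs["SrcIP"]] += 1
    return {ip: n for ip, n in counts.items() if n >= threshold}


def spray_candidates(log_text, min_users=3):
    """Sources whose failures span at least `min_users` distinct user names:
    the shape of password spraying rather than one user's forgotten password."""
    users = defaultdict(set)
    for line in log_text.splitlines():
        head, attrs = parse_message(line)
        if head == "VPN LoginFailed" and "SrcIP" in attrs and "User" in attrs:
            users[attrs["SrcIP"]].add(attrs["User"])
    return {ip: sorted(u) for ip, u in users.items() if len(u) >= min_users}


if __name__ == "__main__":
    print("repeated failures:", failed_logins_by_source(SAMPLE_LOG))
    print("spray candidates:", spray_candidates(SAMPLE_LOG))
    print("a MINOR alarm arrives at syslog level", syslog_level("MINOR"))
```

Because the head of each message is matched exactly after the attributes are stripped, a line such as the `HTTP` audit record with the same `SrcIP` does not inflate the failure count; a real deployment would key the counters by time window as well as by source.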
223.AppendixLicense InformationOpenSSL License IssuesThe OpenSSL toolkit stays under a dual license, that is, both theconditions of the OpenSSL Licens
224 License Information6. Redistributions of any form whatsoever must retain thefollowing acknowledgment: "This product includes softwaredevelope
2252. Redistributions in binary form must reproduce the preceding copyrightnotice, this list of conditions, and the following disclaimer in thedocumen
226 License InformationTERMS AND CONDITIONS FOR COPYING, DISTRIBUTION ANDMODIFICATION0. This License applies to any program or other work that contain
227saying that you provide a warranty), and that users may redistribute theprogram under these conditions, and telling the user how to view a copyof t
228 License InformationThe source code for a work means the preferred form of the work formaking modifications to it. For an executable work, complete
229this License be to refrain entirely from distribution of the Program. If anyportion of this section is held invalid or unenforceable under any part
Software Features 23• Ability to create multiple clusters of VPN Gateways, each capable ofserving its own group of real servers.• Supports rewriting o
230 License Information11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE,THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENTPERMITTED BY APPLICABLE L
2314. The names "Apache" and "Apache Software Foundation" must notbe used to endorse or promote products derived from this softwar
233.AppendixHSM Security PolicyAll information in this Appendix is Copyright 2001 Rainbow Technologies.Rainbow Technologies CryptoSwift®HSM Cryptograp
234 HSM Security Policy2.0 Applicable DocumentsFIPS PUB 140-1 Federal Information Processing Standard, SecurityRequirements for Cryptographic Modules.
4.0 Capabilities 235secret is a Key-Wrapping-Key. When two or more boards contain thesame Key-Wrapping-Key, they are said to be in the same family. Th
236 HSM Security PolicyAlgorithmHow it is used by the HSM moduleUsed inFIPS 140-1Mode?3DES Used to generate Pseudo-random numbers using the X9.17Appen
7.1 Module Interfaces 2375.0 Physical SecurityThe board is designed to detect tampering attempts and will zeroize criticalsecurity parameters under a
238 HSM Security Policy6.5 Backup Battery InterfaceThe Backup Battery Interface is used to provide backup power to the HSM.This gives the HSM the capa
8.0 Definition of Security Relevant Data Items 239It also contains public keys and other information that are not considereddangerous if exposed (cert
24 Introducing the VPN Gateway
Supported Key and Certificate Formats
• PEM
• DER
• NET
• PKCS12
• PKCS8
• KEY (MS IIS 4.0)
Supported Handshake Protocols
• SSL ver
240 HSM Security Policywhen the SO invokes the Create User service. It is written to an iKey tokenthrough the trusted USB interface. Refer to followin
9.0 Roles and Services 2419.0 Roles and Services9.1 RolesThe HSM supports two roles. These are the User role and the SecurityOfficer role. Each role h
242 HSM Security PolicyiKey token. Initialization also creates the Security Officer account andassociates the SHA-1 hash of the random PIN with the Se
9.0 Roles and Services 243Service FIPS140-1 Level 3 Mode Non- FIPS140-1 ModeNot authenticatedUserRoleSO Role Not authenticatedUserRoleSO Role SRDIs Ac
244 HSM Security PolicyService FIPS140-1 Level 3 Mode Non- FIPS140-1 ModeNot authenticatedUserRoleSO Role Not authenticatedUserRoleSO Role SRDIs Acces
9.0 Roles and Services 245Service FIPS140-1 Level 3 Mode Non- FIPS140-1 ModeNot authenticatedUserRoleSO Role Not authenticatedUserRoleSO Role SRDIs Ac
246 HSM Security PolicyService FIPS140-1 Level 3 Mode Non- FIPS140-1 ModeNot authenticatedUserRoleSO Role Not authenticatedUserRoleSO Role SRDIs Acces
9.0 Roles and Services 247Service FIPS140-1 Level 3 Mode Non- FIPS140-1 ModeNot authenticatedUserRoleSO Role Not authenticatedUserRoleSO Role SRDIs Ac
248 HSM Security PolicyService FIPS140-1 Level 3 Mode Non- FIPS140-1 ModeNot authenticatedUserRoleSO Role Not authenticatedUserRoleSO Role SRDIs Acces
10.0 Key Management 249that the generated keys will be random and that the process used for theirconstruction will be compatible with FIPS 140-1 requi
Software Features 25Virtual DesktopSymantec On-Demand Agent (SODA) provides a Virtual Desktopenvironment to secure Web-based applications and services
250 HSM Security Policy10.5 Key DestructionCritical security parameters including plaintext private keys, symmetrickeys and intermediate values will b
12.0 Self-Tests 251DES3DES **SHA-1RSA SignRSA VerifySee the table in services section to identify the conditions necessary forperforming various HSM c
252 HSM Security PolicySelf-Test FIPS 140-1ModeNon-FIPS140-1 ModeWhen performedRC4 KAT No Yes Power-up, Self-TestService (ondemand)RSA Key Generation
253. Appendix: Definition of Key Codes
254 Definition of Key CodesSyntax DescriptionWhen using the Telnet applet available under the Portal’s Advanced tab,there is an option to specify a ke
Redefinable Keys 255Table 11Allowed Special CharactersSpecial CharacterExplanation\\bBackspace. This character is usually sent bythe <- key (Backsp
256 Definition of Key CodesTable 12Redefinable Keys (cont’d.)Key Representation RemarksREMOVEThe Remove key.UPThe Cursor Up key.DOWNThe Cursor Down ke
257.AppendixSSH host keysSSH host keys serve much the same purpose as server certificates inSSL/TLS, i.e. they primarily allow clients to authenticate
258 SSH host keysMethods for ProtectionIn many environments, it may be reasonable for a SSH client user tosimply accept the key from a previously unkn
Example of a Key Code Definition File 259The VPN GatewayThe VPN Gateway can act both as SSH server (when a user connects tothe CLI using a SSH client)
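The protections this appendix describes come down to two checks a client can make: compare the host key the server presents with a copy recorded on an earlier connection, and, on a first connection, compare the key's fingerprint with one obtained out of band from the gateway administrator. The following Python is an added example written for this page, not NVG software and not OpenSSH code. It builds an SSH public-key blob from constructed bytes (not a real gateway key), computes the SHA256 and MD5 fingerprints that `ssh-keygen -l` prints for such a blob, and implements a known_hosts lookup that handles both plain and hashed (`|1|salt|hash`) host entries. The addresses and host names are constructed for the example.

```python
import base64
import hashlib
import hmac


def _ssh_string(b):
    """RFC 4251 'string': 4-byte big-endian length followed by the bytes."""
    return len(b).to_bytes(4, "big") + b


def make_public_key_blob(keytype, raw_key):
    """The wire blob that known_hosts stores in base64: key type, then the key fields
    (a single raw field here, the layout an Ed25519 public key uses)."""
    return _ssh_string(keytype.encode()) + _ssh_string(raw_key)


def fingerprint_sha256(blob):
    """OpenSSH's default fingerprint: unpadded base64 of SHA-256 over the blob."""
    return "SHA256:" + base64.b64encode(hashlib.sha256(blob).digest()).decode().rstrip("=")


def fingerprint_md5(blob):
    """The older colon-separated MD5 form (ssh-keygen -l -E md5)."""
    return "MD5:" + ":".join(f"{b:02x}" for b in hashlib.md5(blob).digest())


def hashed_host_entry(host, salt):
    """The |1|salt|hash host field OpenSSH writes when HashKnownHosts is on."""
    mac = hmac.new(salt, host.encode(), hashlib.sha1).digest()
    return "|1|" + base64.b64encode(salt).decode() + "|" + base64.b64encode(mac).decode()


def host_matches(entry, host):
    """True if a known_hosts host field (plain, comma-separated or hashed) names `host`."""
    if entry.startswith("|1|"):
        _, _, salt_b64, hash_b64 = entry.split("|")
        mac = hmac.new(base64.b64decode(salt_b64), host.encode(), hashlib.sha1).digest()
        return hmac.compare_digest(mac, base64.b64decode(hash_b64))
    return host in entry.split(",")


def check_known_hosts(known_hosts_text, host, keytype, key_b64):
    """'match' if the pinned key for (host, keytype) equals key_b64, 'mismatch' if a
    different key is pinned (possible interception: do not connect), 'unknown' if nothing
    is pinned (verify the fingerprint out of band before accepting)."""
    for line in known_hosts_text.splitlines():
        parts = line.split()
        # Skip blanks, comments and @cert-authority / @revoked markers (not modelled here).
        if len(parts) < 3 or parts[0][0] in "#@":
            continue
        if host_matches(parts[0], host) and parts[1] == keytype:
            return "match" if hmac.compare_digest(parts[2], key_b64) else "mismatch"
    return "unknown"


# Constructed key material: arbitrary bytes where a real Ed25519 key would sit.
GATEWAY_KEY = make_public_key_blob("ssh-ed25519", bytes(range(32)))
ROGUE_KEY = make_public_key_blob("ssh-ed25519", bytes(32))
GATEWAY_KEY_B64 = base64.b64encode(GATEWAY_KEY).decode()
ROGUE_KEY_B64 = base64.b64encode(ROGUE_KEY).decode()

# A constructed known_hosts file pinning the gateway's management address.
KNOWN_HOSTS = "192.0.2.10 ssh-ed25519 " + GATEWAY_KEY_B64 + "\n"

if __name__ == "__main__":
    print(fingerprint_sha256(GATEWAY_KEY))
    print(fingerprint_md5(GATEWAY_KEY))
    for key in (GATEWAY_KEY_B64, ROGUE_KEY_B64):
        print(check_known_hosts(KNOWN_HOSTS, "192.0.2.10", "ssh-ed25519", key))
```

The three verdicts are deliberately distinct: a client that treats "mismatch" the way it treats "unknown" (prompt and continue) has no protection against a substituted key, which is the situation the appendix warns about.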
261.AppendixAdding User Preferences Attribute toActive DirectoryFor the remote user to be able to store user preferences on the NortelVPN Gateway (NVG
262 Adding User Preferences Attribute to Active DirectoryInstall All Administrative Tools (Windows 2000 Server)Step Action1 Open the Control Panel and
Add the Active Directory Schema Snap-in (Windows 2000 Server and Windows Server 2003) 2634 On the File (Console) menu, select Add/Remove Snap-in.The A
264 Adding User Preferences Attribute to Active Directory6 Under Snap-in, select Active Directory Schema and clickAdd.Active Directory Schema is added
Create a New Attribute (Windows 2000 Server and Windows Server 2003) 2654 In the Type the location of the item field, typeschmmgmt.msc.5 Click Next.Th
266 Adding User Preferences Attribute to Active Directory4 Create the isdUserPrefs attribute as shown:5 Click OK.--End--Create New ClassTo create the
Create New Class 2674 Click Next.5 Click Finish.--End--Add isdUserPrefs Attribute to nortelSSLOffload ClassStep Action1 In the Console window, on the
268 Adding User Preferences Attribute to Active Directory6 On the Default Security (Security) tab, set read/writepermissions for the group that should
Create New Class 2696 Click OK.Once you have enabled the User Preferences feature on theVPN Gateway (using the CLI command /cfg/vpn #/aaa/auth#/ldap/e
27.Introducing the ASA 310-FIPSThis section provides information about the ASA 310-FIPS model, whichcomes installed with the HSM (Hardware Security Mo
271. Appendix: Using the Port Forwarder API
272 Using the Port Forwarder APIGeneralThis appendix describes some of the tasks needed when using the PortForwarder API. The JavaDoc will give you a
Create New Class 273Creating a Port ForwarderThe Port Forwarder API is a collection of functions used to provideapplications with the ability to send
274 Using the Port Forwarder APIDemo ApplicationThe Demo application is, in a simple way, showing how the Port ForwarderAPI is used. It can be run bot
Create New Class 275The Custom Content concept (/cfg/vpn #/portal/content) can beused to host Java Web Start applications on the Portal. Building the
276 Using the Port Forwarder APICreating a Port Forwarder AuthenticatorA Port Forwarder authenticator must implement the PortForwarderAuthenticator in
278 Using the Port Forwarder APIprivate String getCookieFromURL(String spec) {try {URL url = new URL(spec);URLConnection connection = null;((HttpURLCo
Example 279Adding a Port Forwarder LoggerA Port Forwarder logger must implement the PortForwarderLoggerinterface:public void log(int logLevel, int log
28 Introducing the ASA 310-FIPSHSM OverviewThe HSM card found on the ASA 310-FIPS model is an SSL accelerator,just like the ordinary CryptoSwift card
280 Using the Port Forwarder APIpublic void log(final int logLevel, final int logCode,final Object[] params, final Throwable throwable) {if ((logLevel
}}}}
282 Using the Port Forwarder APIConnecting Through a ProxyIf the port forwarder is connecting through a proxy a number of propertiesneed to be set for
Statistics 283Monitoring the Port ForwarderThe Port Forwarder uses the Observer/Observable framework, meaningthat anyone wanting to have information f
284 Using the Port Forwarder APIFollowing is an example of the code for monitoring Port Forwarderstatistics.This will print current statistics every 3
285.GlossaryAccess RulesApplies to the SSL VPN feature. When a user tries to log into the VPN server, either through the Portal page or through aVPN c
286 GlossaryCluster (of VPN Gateways)A cluster is a group of VPN Gateways that share the sameconfiguration parameters. There can be more than one NVGc
287message. The recipient decrypts the signature digest and alsorecomputes the digest from the received text. If the digests match,the message is prov
288 Glossary
HTTP Proxy
Applies to the SSL VPN feature. Java applet accessible on the Portal page's Advanced tab, enabling links executed on complex intra

289
Nslookup
A utility used to find the IP address or host name of a machine on a network. To use the nslookup command on the VPN Gateway, it must have be

FIPS 140-1 Level 3 Security 29
Extended Mode vs. FIPS Mode
When installing the very first ASA 310-FIPS into a new cluster, you can choose to initialize th

290 Glossary
Portal
Applies to the SSL VPN feature. The Portal page is displayed following a successful login to a virtual SSL VPN server configured as a

291
SIP (Source IP) Address
The source IP address of a frame.
Slave
A VPN Gateway that depends on a master device in the same cluster for proper configurat

292 Glossary
SSL (Secure Sockets Layer) Protocol
The SSL protocol is the leading security protocol on the Internet. It runs above the TCP/IP protocol and

293
VIP (Virtual Server IP) Address
An IP address that the switch owns and uses to load balance particular service requests (like HTTP) to other servers.

294 Glossary
ARP, the Layer 2 device attached to the switch will not know that the MAC address had moved in the network. For a more detailed description,
295
Index
A
access levels
  The Administrator user 140
  The Boot user 140
  The Operator user 140
  The Root user 140
activate
  software upgrade package 75
  software ve

296
  through console 136
  through Secure Shell 138
  through Telnet 137
console port
  communication settings 136
  connecting 136
CRL, see certificate revocation lis

297
  configuration 36, 56
minor release upgrade 74
MIP, see Management IP 37
N
network
  diagnostics 172
Note passwords 141
O
OpenSSL license issues 223
Operator us

298
  unable to connect through Telnet 146
  view certificates and SSL servers 172
typographic conventions, in this manual 13
U
upgrade
  activate software package

3
Contents
Preface 7
  Who Should Use This Book 8
  Related documentation 9
  Product Names 10
  How This Book Is Organized 11
  Typographic Conventions 13
  How to Get
30 Introducing the ASA 310-FIPS
The Concept of iKey Authentication
Access to sensitive data on an ASA 310-FIPS is protected by a combination of hardware t

Nortel VPN Gateway User Guide
Copyright © 2007-2008 Nortel Networks. All Rights Reserved.
Release: 7.1
Publication: NN46120-104
Document status: Standard
Docu

Available Operations and iKeys Required 31
by the Setup utility, the wrap key is split onto these two iKeys. When adding an additional ASA 310-FIPS to t

32 Introducing the ASA 310-FIPS
Table 2 Available Operations and iKeys Required (cont'd.)
Operation Performed | Type of iKey Required: HSM-SO | HSM-USER | CODE-SO

Available Operations and iKeys Required 33
Additional HSM Information
• For detailed information about installing a new ASA 310-FIPS in a new cluster or
35
Initial Setup
This chapter covers the basic setup and initialization process for the Nortel VPN Gateway (NVG). It introduces the concept of clusters

36 Initial Setup
Clusters
All VPN Gateways are members of a cluster. A cluster can consist of one single VPN Gateway or a group of NVGs that share the sa

Real Server IP Address (RIP) 37
IP Address Types
When configuring the VPN Gateway you will come across quite a number of IP address types. Following are

38 Initial Setup
Ports
When installing a VPN Gateway (or any of the other supported hardware models) in a new cluster, or adding a VPN Gateway to an exis

Two-Armed Configuration 39
Interfaces
During the initial setup procedure (see "Configuration at Boot Up" (page 41)), you will be asked if you want to set

4
Upgrading the NVG Software 73
  Performing Minor/Major Release Upgrades 74
Managing Users and Groups 79
  User Rights and Group Membership 80
  Adding a New Us

40 Initial Setup
Figure 2 Two-Armed Configuration without Application Switch
Note: Two-armed configuration is not available for the Application Switch 242
The Setup Menu 41
Configuration at Boot Up
When starting a VPN Gateway for the very first time, you need to do the following:
• Connect the device's uplink

42 Initial Setup
Installing an NVG in a New Cluster
When you are installing a VPN Gateway as the first (or only) member in a new cluster, you can either

Setting Up a One-Armed Configuration 43
You can later use the /cfg/sys/host 1/interface 1 command to view the resulting settings for Interface 1.
Note: I

44 Initial Setup
Complete the new setup by following the instructions in the section "Complete the New Setup" (page 46).
--End--
Setting Up a Two-Armed Co

Setting Up a Two-Armed Configuration 45
Enter network mask [255.255.255.0]: <Press ENTER if correct>
Enter VLAN tag id (or zero for no VLAN) [0]:

46 Initial Setup
10 Enter a Management IP address (MIP) on the management interface.
Enter the Management IP (MIP) address: <IP address>
Making sure

Complete the New Setup 47
To maintain a high level of security when accessing the VPN Gateway through an SSH connection, it is recommended that you accep

48 Initial Setup
• VPN Portal IP address. Used by remote users to connect to the VPN.
• DNS search list. Enables use of short names on the Portal, for exam

Settings Created by the VPN Quick Setup Wizard 49
• IPsec group login and secret. Enables IPsec access for the trusted group, if this group was created
Licensing 5
  Cannot download the NetDirect Zipped file from client PC 171
  System Diagnostics 172
  Unable to download NetDirect from VPN server 175
Supported

50 Initial Setup
Basic VPN Setup
The following settings have been created:
• A VPN. The VPN is typically defined for access to an intranet, parts of an int

Settings Created by the VPN Quick Setup Wizard 51
Default Services
The following service definitions were configured automatically. Service definitions c

52 Initial Setup
Joining a VPN Gateway to an Existing Cluster
After having installed the first VPN Gateway in a cluster, additional NVGs may be added to

Setting up a One-Armed Configuration 53
[Setup Menu]
join - Join an existing iSD cluster
new  - Initialize iSD as a new installation
boot - Boot menu
info -

54 Initial Setup
6 Enter the Management IP address (MIP) of the existing cluster.
The system is initialized by connecting to the management server on an ex

Setting up a Two-Armed Configuration 55
Specify the port you want to use for management traffic. This port will be assigned to an interface for manageme

56 Initial Setup
8 If a connected router or switch attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
Enter VLAN tag id (or zero fo

Complete the Join Setup 57
or more VPN Gateways to a cluster that already contains four master NVGs, each additional NVG is automatically configured as s

58 Initial Setup
Installing an ASA 310-FIPS
The ASA 310-FIPS model is one in which the ordinary SSL accelerator card has been replaced by the HSM (Hardware S

Installing an ASA 310-FIPS in a New Cluster 59
2 Follow the instructions for installing a VPN Gateway in a new cluster.
Read the sections starting with "
60 Initial Setup
— The purple HSM Security Officer iKey, embossed with "HSM-SO".
— The blue HSM User iKey, embossed with "HSM-USER".
L

Installing an ASA 310-FIPS in a New Cluster 61
(new setup, continued)
Verify that HSM-SO iKey (purple) is inserted in card 1 (with flashing LED).
Hit ent

62 Initial Setup
labeled CODE-SO and CODE-USER respectively will make this procedure easier.
(new setup, continued)
Should new or existing CODE iKeys be

Adding an ASA 310-FIPS to an Existing Cluster 63
same cluster. When selecting Extended Security mode, this step will not appear.
(new setup, continued)
E

64 Initial Setup
The following applies when joining a new ASA 310-FIPS to an existing cluster:
• If the ASA 310-FIPS you are about to join is installed on

Adding an ASA 310-FIPS to an Existing Cluster 65
new prompts for configuring the ASA 310-FIPS will automatically appear (see Step 3).
3 Initialize HSM ca

66 Initial Setup
(join setup, continued)
Verify that HSM-SO iKey (purple) is inserted in card 0 (with flashing LED). <insert the HSM-SO iKey specific

Adding an ASA 310-FIPS to an Existing Cluster 67
Enter a new HSM-USER password for card 1: <define a new HSM-USER password, or use the same HSM-USER

68 Initial Setup
(join setup, continued)
Verify that CODE-SO iKey (black) is inserted in card 1 (with flashing LED). <insert the same CODE-SO iKey th

Adding an ASA 310-FIPS to an Existing Cluster 69
If needed, you can now continue with the configuration of the ASA 310-FIPS units using the command line
7
Preface
This User's Guide describes how to perform basic configuration and maintenance of the Nortel VPN Gateway (NVG).

70 Initial Setup
Reinstalling the Software
When adding a new VPN Gateway to an existing cluster, and the software version on the new VPN Gateway is diffe

Adding an ASA 310-FIPS to an Existing Cluster 71
login: boot
Password: ForgetMe
*** Reinstall Upgrade Procedure ***
If you proceed beyond this point, the

72 Initial Setup
(reinstall procedure, continued)
Select protocol (ftp/scp/sftp) [ftp]: ftp
Enter FTP server address: 10.0.0.1
Enter file name of boot ima

73
Upgrading the NVG Software
The Nortel VPN Gateway (NVG) software image is the executable code running on the VPN Gateway. A version of the image ships

74 Upgrading the NVG Software
Performing Minor/Major Release Upgrades
The following description applies to a minor or a major release upgrade. To upgrade

Activating the Software Upgrade Package 75
2 Enter the host name or IP address of the server.
Enter hostname or IP address of server: <server hostnam

76 Upgrading the NVG Software
For minor and major releases, the software upgrade will take place synchronously among the set of VPN Gateways in a cluster

Activating the Software Upgrade Package 77
>> Software Management# activate 7.0.1
Confirm action 'activate'? [y/n]: y
Activate ok, relogin <you
79
Managing Users and Groups
This chapter describes the rules that govern administrator/operator user rights, how to add or delete users from the system

8 Preface
Who Should Use This Book
This User's Guide is intended for network installers and system administrators engaged in configuring and maintaining

80 Managing Users and Groups
User Rights and Group Membership
Group membership dictates user rights, according to User Rights and Group Membership. When

81
Adding a New User
To add a new user to the system, you must be a member of the admin group. By default, only the admin user is a member of the admin g

82 Managing Users and Groups
>> User# add
Name of user to add: cert_admin (maximum 255 characters, no spaces)
4 Assign the new user to a user group.

83
>> Groups# /cfg/sys/user
>> User# edit cert_admin
>> User cert_admin# password
Enter admin's current password: (admin user password)

84 Managing Users and Groups
the certadmin group should know the export passphrase. The export passphrase can contain spaces and is case sensitive.
>>

Adding Users through RADIUS 85
2: admin
3: oper
>> Groups# apply
--End--
Adding Users through RADIUS
The RADIUS system administrator can add VPN Gatew

86 Managing Users and Groups
Changing a User's Group Assignment
Only users who are members of the admin group can remove other users from a group. All use

87
>> User# edit admin
>> User admin# groups/add
Enter group name: certadmin
Note: A user must be assigned to at least one group at any given t

88 Managing Users and Groups
Changing a User's Password
Changing Your Own Password
All users can change their own password. Login passwords are case sensit

Changing Another User's Password 89
Re-enter to confirm: (reconfirm new cert_admin user password)
Password changed.
--End--
Changing Another User's Password
O

Licensing 9
Related documentation
For full documentation on installing and using the many features available in the VPN Gateway software, see the followi

90 Managing Users and Groups
>> User cert_admin# password
Enter admin's current password: (admin user password)
Enter new password for cert_admin:

91
Deleting a User
To delete a user from the system, you must be a member of the admin group. By default, only the admin user is a member of the admin gr

92 Managing Users and Groups
The imminent removal of the cert_admin user is indicated as a pending configuration change by the minus sign (-). To cancel
93
Certificates and Client Authentication
This chapter describes common tasks involving certificates and client authentication. The chapter also provides

94 Certificates and Client Authentication
Generating and Submitting a CSR Using the CLI
Step  Action
1 Initiate a certificate signing request (

95
• Organization Name: The registered name of the organization. This organization must own the domain name that appears in the common name of the Web se

96 Certificates and Client Authentication
3 Apply your changes.
>> Certificate 1# apply
Changes applied successfully.
4 Save the CSR to a file.
Copy

97
Copy the private key, including the "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----" lines, and paste it in

98 Certificates and Client Authentication
Copy the entire CSR, including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFIC

99
Adding Certificates to the NVG
Using the encryption capabilities of the VPN Gateway requires adding a key and certificate that conforms to the X.509 st
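The two copy instructions above insist on carrying the BEGIN and END lines along with the body, and the usual failure when a key or CSR is pasted into a command prompt is that a boundary line or one line of base64 is lost on the way. The following is an added example, independent of the Nortel guide and of the NVG itself, that checks a pasted PEM block for exactly those faults before it is handed to the gateway: it extracts the block, confirms the BEGIN and END labels agree and are the label you expect, decodes the base64 strictly, and then compares the length the outer DER SEQUENCE header declares with the number of bytes actually decoded, which is what exposes a dropped line that still happens to decode cleanly. The sample input is a constructed placeholder DER structure, not a real private key or CSR, and the function and constant names are this example's own.

```python
"""Check a pasted PEM block before it goes into the VPN Gateway.  Added
example, independent of the Nortel guide and of the NVG: it catches the
copy-and-paste faults the procedure above guards against (a missing BEGIN
or END line, the wrong block label, a dropped or truncated line of base64).
The sample below is a constructed placeholder DER structure, not a real
private key or certificate request."""
import base64
import binascii
import re

PEM_BLOCK = re.compile(
    r"-----BEGIN (?P<label>[A-Z0-9 ]+)-----\r?\n"
    r"(?P<body>(?:[A-Za-z0-9+/=]*\r?\n)*?)"
    r"-----END (?P<end>[A-Z0-9 ]+)-----"
)


def pem_encode(label, der):
    """Wrap DER bytes in a PEM block with 64-character lines."""
    text = base64.b64encode(der).decode("ascii")
    lines = [text[i:i + 64] for i in range(0, len(text), 64)]
    return f"-----BEGIN {label}-----\n" + "\n".join(lines) + f"\n-----END {label}-----\n"


def der_declared_length(der):
    """Total size the outer DER SEQUENCE header claims for the object."""
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("payload is not a DER SEQUENCE (no leading 0x30)")
    first = der[1]
    if first < 0x80:                      # short form: one length octet
        return 2 + first
    n = first & 0x7F                      # long form: n further octets
    if n == 0 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def check_paste(text, expected_label):
    """Return the DER payload when text holds exactly one intact block of
    expected_label; raise ValueError describing the first fault found."""
    matches = list(PEM_BLOCK.finditer(text))
    if not matches and "-----BEGIN" in text:
        raise ValueError("BEGIN line present but no END line: paste was cut off")
    if len(matches) != 1:
        raise ValueError(f"expected one PEM block, found {len(matches)}")
    m = matches[0]
    if m.group("label") != m.group("end"):
        raise ValueError(f"BEGIN says {m.group('label')!r}, END says {m.group('end')!r}")
    if m.group("label") != expected_label:
        raise ValueError(f"block is {m.group('label')!r}, expected {expected_label!r}")
    try:
        der = base64.b64decode("".join(m.group("body").split()), validate=True)
    except binascii.Error as exc:
        raise ValueError(f"body is not valid base64: {exc}") from exc
    declared = der_declared_length(der)
    if declared != len(der):
        raise ValueError(
            f"DER header declares {declared} bytes but {len(der)} were decoded: "
            "a line of the body is missing or extra")
    return der


def paste_problem(text, expected_label):
    """None if the paste is acceptable, otherwise the fault as a string."""
    try:
        check_paste(text, expected_label)
        return None
    except ValueError as exc:
        return str(exc)


def sample_der():
    """Constructed placeholder: SEQUENCE { OCTET STRING of 200 'A' bytes }."""
    inner = b"\x04\x81\xc8" + b"A" * 200                # OCTET STRING, length 200
    return b"\x30\x81" + bytes([len(inner)]) + inner    # SEQUENCE, length 203


SAMPLE_KEY_PEM = pem_encode("RSA PRIVATE KEY", sample_der())

if __name__ == "__main__":
    lines = SAMPLE_KEY_PEM.splitlines()
    cases = {
        "intact": SAMPLE_KEY_PEM,
        "no END line": "\n".join(lines[:-1]) + "\n",
        "line dropped": "\n".join(lines[:2] + lines[3:]) + "\n",
        "wrong block": SAMPLE_KEY_PEM.replace("RSA PRIVATE KEY", "CERTIFICATE REQUEST"),
    }
    for name, text in cases.items():
        print(f"{name}: {paste_problem(text, 'RSA PRIVATE KEY') or 'ok'}")
```

Call check_paste with "RSA PRIVATE KEY" for the key and "CERTIFICATE REQUEST" for the CSR; the length comparison is the check that matters most in practice, because a body with one line missing is still valid base64 and only the DER header reveals that bytes are gone.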