Avaya 3.7 User Manual
Size:
3.14 Mb
Download

VPNmanager® Confi guration Guide

Release 3.7

670-100-600Issue 4 May 2005

Copyright 2005, Avaya Inc.

All Rights Reserved

Notice

Every effort was made to ensure that the information in this document was complete and accurate at the time of release. However, information is subject to change.

Warranty

Avaya Inc. provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya’s standard warranty language as well as information regarding support for this product, while under warranty, is available through the following website:

http://www.avaya.com/support

Preventing Toll Fraud

“Toll fraud” is the unauthorized use of your telecommunications system by an unauthorized party (for example, a person who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf). Be aware that there may be a risk of toll fraud associated with your system and that, if toll fraud occurs, it can result in substantial additional charges for your telecommunications services.

Avaya Fraud Intervention

If you suspect that you are being victimized by toll fraud and you need technical assistance or support, in the United States and Canada, call the Technical Service Center's Toll Fraud Intervention Hotline at 1-800-643-2353.

Disclaimer

Avaya is not responsible for any modifications, additions or deletions to the original published version of this documentation unless such modifications, additions or deletions were performed by Avaya. Customer and/or End User agree to indemnify and hold harmless Avaya. Avaya’s agents, servants and employees against all claims, lawsuits, demands and judgements arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation to the extent made by the Customer or End User.

How to Get Help

For additional support telephone numbers, go to the Avaya Web site: http://www.avaya.com/support/. If you are:

Within the United States, click Escalation Management link. Then click the appropriate link for the type of support you need.

Outside the United States, click Escalation Management link. Then clickInternational Services link that includes telephone numbers for the International Centers of Excellence.

Providing Telecommunications Security

Telecommunications security (of voice, data, and/or video communications) is the prevention of any type of intrusion to (that is, either unauthorized or malicious access to or use of) your company's telecommunications equipment by some party.

Your company's “telecommunications equipment” includes both this Avaya product and any other voice/data/video equipment that could be accessed via this Avaya product (that is, “networked equipment”).

An “outside party” is anyone who is not a corporate employee, agent, subcontractor, or is not working on your company's behalf. Whereas, a “malicious party” is anyone (including someone who may be otherwise authorized) who accesses your telecommunications equipment with either malicious or mischievous intent.

Such intrusions may be either to/through synchronous (time-multiplexedand/orcircuit-based)or asynchronous(character-,message-,orpacket-based)equipment or interfaces for reasons of:

Utilization (of capabilities special to the accessed equipment)

Theft (such as, of intellectual property, financial assets, or toll-facilityaccess)

Eavesdropping (privacy invasions to humans)

Mischief (troubling, but apparently innocuous, tampering)

Harm (such as harmful tampering, data loss or alteration, regardless of motive or intent)

Be aware that there may be a risk of unauthorized intrusions associated with your system and/or its networked equipment. Also realize that, if such an intrusion should occur, it could result in a variety of losses to your company (including but not limited to, human/data privacy, intellectual property, material assets, financial resources, labor costs, and/or legal costs).

Responsibility for Your Company’s Telecommunications Security

The final responsibility for securing both this system and its networked equipment rests with you - Avaya’s customer system administrator, your telecommunications peers, and your managers. Base the fulfillment of your responsibility on acquired knowledge and resources from a variety of sources including but not limited to:

Installation documents

System administration documents

Security documents

Hardware-/software-basedsecurity tools

Shared information between you and your peers

Telecommunications security experts

To prevent intrusions to your telecommunications equipment, you and your peers should carefully program and configure:

Your Avaya-providedtelecommunications systems and their interfaces

Your Avaya-providedsoftware applications, as well as their underlying hardware/software platforms and interfaces

Any other equipment networked to your Avaya products.

TCP/IP Facilities

Customers may experience differences in product performance, reliability and security depending upon network configurations/design and topologies, even when the product performs as warranted.

Standards Compliance

Avaya Inc. is not responsible for any radio or television interference caused by unauthorized modifications of this equipment or the substitution or attachment of connecting cables and equipment other than those specified by Avaya Inc. The correction of interference caused by such unauthorized modifications, substitution or attachment will be the responsibility of the user. Pursuant to Part 15 of the Federal Communications Commission (FCC) Rules, the user is cautioned that changes or modifications not expressly approved by Avaya Inc. could void the user’s authority to operate this equipment.

Product Safety Standards

This product complies with and conforms to the following international Product Safety standards as applicable:

Safety of Information Technology Equipment, IEC 60950, 3rd Edition including all relevant national deviations as listed in Compliance with IEC for Electrical Equipment (IECEE) CB-96A.

Safety of Information Technology Equipment, CAN/ CSA-C22.2No.60950-00 /UL 60950, 3rd Edition

Safety Requirements for Customer Equipment, ACA Technical Standard (TS) 001 - 1997

One or more of the following Mexican national standards, as applicable: NOM 001 SCFI 1993, NOM SCFI 016 1993, NOM 019 SCFI 1998

Electromagnetic Compatibility (EMC) Standards

This product complies with and conforms to the following international EMC standards and all relevant national deviations:

Limits and Methods of Measurement of Radio Interference of Information Technology Equipment, CISPR 22:1997 and EN55022:1998.

Information Technology Equipment – Immunity Characteristics – Limits and Methods of Measurement, CISPR 24:1997 and EN55024:1998, including:

Electrostatic Discharge (ESD) IEC 61000-4-2

Radiated Immunity IEC 61000-4-3

Electrical Fast Transient IEC 61000-4-4

Lightning Effects IEC 61000-4-5

Conducted Immunity IEC 61000-4-6

Mains Frequency Magnetic Field IEC 61000-4-8

Voltage Dips and Variations IEC 61000-4-11

Powerline Harmonics IEC 61000-3-2

Voltage Fluctuations and Flicker IEC 61000-3-3

Federal Communications Commission Statement

Part 15:

Note: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules. These limits are designed to provide reasonable protection against harmful interference when the equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio communications. Operation of this equipment in a residential area is likely to cause harmful interference in which case the user will be required to correct the interference at his own expense.

Canadian Department of Communications (DOC) Interference Information

This Class A digital apparatus complies with Canadian ICES-003.

Cet appareil numérique de la classe A est conforme à la norme NMB-003du Canada.

This equipment meets the applicable Industry Canada Terminal Equipment Technical Specifications. This is confirmed by the registration number. The abbreviation, IC, before the registration number signifies that registration was performed based on a Declaration of Conformity indicating that Industry Canada technical specifications were met. It does not imply that Industry Canada approved the equipment.

DECLARATIONS OF CONFORMITY

United States FCC Part 68 Supplier’s Declaration of Conformity (SDoC)

Avaya Inc. in the United States of America hereby certifies that the equipment described in this document and bearing a TIA TSB-168label identification number complies with the FCC’s Rules and Regulations 47 CFR Part 68, and the Administrative Council on Terminal Attachments (ACTA) adopted technical criteria.

Avaya further asserts that Avaya handset-equippedterminal equipment described in this document complies with Paragraph 68.316 of the FCC Rules and Regulations defining Hearing Aid Compatibility and is deemed compatible with hearing aids.

Copies of SDoCs signed by the Responsible Party in the U. S. can be obtained by contacting your local sales representative and are available on the following Web site:

http://www.avaya.com/support

All Avaya media servers and media gateways are compliant with FCC Part 68, but many have been registered with the FCC before the SDoC process was available. A list of all Avaya registered products may be found at:

http://www.part68.org/

by conducting a search using “Avaya” as manufacturer.

European Union Declarations of Conformity

Avaya Inc. declares that the equipment specified in this document bearing the “CE”Conformité(Europeénne ) mark conforms to the European Union Radio and Telecommunications Terminal Equipment Directive (1999/5/EC), including the Electromagnetic Compatibility Directive (89/336/EEC) and Low Voltage Directive (73/23/EEC). This equipment has been certified to meet CTR3 Basic Rate Interface (BRI) and CTR4 Primary Rate Interface (PRI) and subsets thereof in CTR12 and CTR13, as applicable.

Copies of these Declarations of Conformity (DoCs) can be obtained by contacting your local sales representative and are available on the following Web site:

http://www.avaya.com/support

Japan

This is a Class A product based on the standard of the Voluntary Control Council for Interference by Information Technology Equipment (VCCI). If this equipment is used in a domestic environment, radio disturbance may occur, in which case, the user may be required to take corrective actions.

China

BMSI (Chinese Warning Label)

Hardware, including technical data, is subject to U.S. export control laws, including the U.S. Export Administration Act and its associated regulations, and may be subject to export or import regulations in other countries. Customer agrees to comply strictly with all such regulations and acknowledges that it has the responsibility to obtain licenses to export, re-export,or import hardware.

Acknowledgments:

This product includes software developed by the Apache Software Foundation (http://www.apache.org).

Environmental Health and Safety:

! WARNING:

Risk of explosion if battery is replaced by an incorrect type. Dispose of used batteries according to Avaya Environmental Health and Safety guidelines.

Documentation:

For the most current versions of documentation, go to the Avaya support Web site: http://www.avaya.com/support/

Contents

Preface

. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

15

What Products are Covered . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

15

VPNmanager Overview . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

15

Network-wide Visibility and Control . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

16

Intranet and Extranet Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

16

Secure VPN Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

16

No Special Consoles Required . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

16

Complementary to SNMP Management Tools . . . . . . . . . . . . . . . . . . . . . . . .

17

Using VPNmanager Help . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

17

Related Documentation . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

17

How This Book Is Organized . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

17

Contacting Technical Support . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

19

Chapter 1: Overview of implementation . . . . . . . . . . . . . . . . . . . . . . . . .

21

Components of the Avaya security solution . . . . . . . . . . . . . . . . . . . . . . . . . . . .

21

Security gateways . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

21

VPNremote Client software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

22

VPNmanager software . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

22

Overview of the VPN management hierarchy . . . . . . . . . . . . . . . . . . . . . . . . . . .

23

Preparing to configure your network. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

24

Security gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

24

Static Routes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

26

IP groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

26

Remote users and user groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

26

VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

26

Security policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

27

Firewall policies . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

27

Denial of Service . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

27

QoS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

28

VoIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

28

Additional features . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

29

NAT . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

29

SNMP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

29

Syslog. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

30

Client IP address pooling . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

30

SSL for Directory Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

30

Sequence to configure your VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

30

Issue 4 May 2005 5

Contents

Chapter 2: Using VPNmanager . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

33

About VPNmanager administrators . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

33

Role Based Management . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

33

Log into the VPNmanager console . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

35

Add a policy server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

35

Open Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

36

Navigating the main window. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

36

File menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

37

Edit menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

39

View menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

39

Tools menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

40

Help menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

40

Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

40

VPN view pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

42

Network Diagram View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

42

Tiled View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

43

Tree View . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

43

Alarm monitoring pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

44

Configuration Console window . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

44

Configuration Console Menu bar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

45

File menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

45

Edit menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

45

View menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

46

Tools menu . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

46

Toolbar . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

47

Contents pane . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

47

Details pane. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

47

Update Devices . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

47

Preferences . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

48

General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

48

Dyna Policy Defaults (User) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

49

Dyna Policy Defaults (Global) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

49

Dyna Policy Authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

50

Advanced . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

51

Remote Client . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

51

Alarm/Monitoring . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

52

TEP Policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

52

6 Avaya VPNmanager Configuration Guide Release 3.7

 

Contents

Chapter 3: Setting up the network . . . . . . . . . . . . . . . . . . . . . . . . . . . .

55

New VPN Domain . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

55

Configuring a security gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

57

Creating a new security gateway . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

57

Using Device tabs to configure the security gateway . . . . . . . . . . . . . . . . . . . . . . .

59

General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

60

Memo tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

62

DNS tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

63

Configuring the DNS tab for security gateways at 4.3 or later . . . . . . . . . . . . . .

63

Configuring the DNS tab for VSU at VPNos 4.2 or earlier . . . . . . . . . . . . . . . .

65

Interfaces tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

66

Options for IP addressing for interface zones . . . . . . . . . . . . . . . . . . . . . .

70

Static addressing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

70

DHCP addressing. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

70

Point-to-Point Protocol Over Ethernet (PPPoE) Client . . . . . . . . . . . . . . . . . .

71

Local DHCP Server . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

71

DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

73

Static . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

73

Changing network interfaces . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

73

Private port tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

76

Adding an IP Device Configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . .

77

DHCP Relay . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

78

None . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

79

Device users tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

79

Network Object tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

80

Routing . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

81

Default Gateway for VPN Traffic (VPNos 3.X) . . . . . . . . . . . . . . . . . . . . . . . .

83

Policies tab, NAT services. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

85

About NAT types for VPNos 4.31 . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

85

Configuring NAT (VPNos 4.31) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

86

About NAT types for VPNos 3.X . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

88

NAT applications . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

88

Accessing the Internet from private networks. . . . . . . . . . . . . . . . . . . . . . .

89

Setting up VPN with overlapping private addresses . . . . . . . . . . . . . . . . . . .

90

Using NAT to support multiple gateway configurations . . . . . . . . . . . . . . . . . .

92

Interface for VPNos 4.2 . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

93

Add NAT Rule (VPNos 4.2 or earlier) . . . . . . . . . . . . . . . . . . . . . . . . . . .

94

Original . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

94

Tunnel NAT rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

95

Issue 4 May 2005 7

Contents

Chapter 4: Configuring IP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . .

97

About IP Groups . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

97

Creating a New IP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

97

New IP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

98

IP Group - General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

98

Add IP Group member. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

100

Configuring an IP Group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

101

Configuring an IP Group that connects to an extranet . . . . . . . . . . . . . . . . . . . .

102

Delete . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

103

Memo . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

104

Chapter 5: Configuring remote access users . . . . . . . . . . . . . . . . . . . . . .

105

Default client configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

105

Using dyna-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

106

Configuring a global dyna-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

107

Dyna-Policy Defaults (User) tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

107

VPN configuration files on remote user’s computer . . . . . . . . . . . . . . . . . . .

108

Disable split tunneling. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

108

Dyna-Policy Defaults (Global) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

108

Dyna-Policy Authentication tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

109

Local authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

110

RADIUS authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

110

LDAP authentication . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

110

Dynamic VPNs (VPNos 3.x) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

110

Remote Client tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

111

Client DNS resolution redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

111

Client DNS resolution redirection . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

112

Remote Client inactivity connection time-out (VPNos 3.x) . . . . . . . . . . . . . . . .

112

Send Syslog messages. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

112

Configure a default CCD with global dyna-policy . . . . . . . . . . . . . . . . . . . . . . . . .

113

Creating new user object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

114

Default user . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

115

About creating individual dynamic-policy . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

115

User - General tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

115

Memo tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

116

Dyna-Policy tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

116

Actions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

117

Configuring a remote user object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

118

8 Avaya VPNmanager Configuration Guide Release 3.7

 

Contents

Information for VPNremote Client users. . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

119

Using local authentication. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

120

Using RADIUS authentication (VPNos 3.X and VPNos 4.31) . . . . . . . . . . . . . .

120

Using LDAP authentication (VPnos 3.X only). . . . . . . . . . . . . . . . . . . . . . .

120

Using Policy Manager for user configuration . . . . . . . . . . . . . . . . . . . . . . . . . . .

120

Client IP address pool configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

120

Add Client IP address pool . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

121

Add Client DNS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

121

Add Client WINS . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

122

To configure the Client IP configuration. . . . . . . . . . . . . . . . . . . . . . . . . .

122

Configuring client attributes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

122

Creating a message . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

122

Enforce brand name . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

123

RADIUS/ACE Services . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

124

Enable RADIUS/ACE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

124

Settings . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

125

RADIUS concepts . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

125

The RADIUS protocol . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

126

Add (RADIUS/ACE server) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

126

Authenticating (secret) password . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

126

RADIUS server data . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

126

To add a RADIUS server: . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

127

Chapter 6: Configuring user groups . . . . . . . . . . . . . . . . . . . . . . . . . . .

129

New user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

User Group - General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

User Group - Memo tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

User Group - Actions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

Configuring a user group . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

. . . . .

129

. . . . .

130

. . . . .

130

. . . . .

131

. . . . .

131

Chapter 7: Configuring VPN objects . . . . . . . . . . . . . . . . . . . . . . . . . . .

133

Types of VPN objects . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

133

SKIP VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

133

IKE VPNs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

134

VPN packet processing modes . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

134

Default VPN policy. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

135

Creating a new VPN object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

136

Creating a default VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

136

Creating a designated VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

137

Issue 4 May 2005 9

Contents

 

Using the VPN tabs . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

138

General tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

138

General tab with IKE . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

138

General tab with SKIP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

139

Memo tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

139

Members-Users tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

140

Members-IP Groups tab. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

140

Security (IKE) tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

141

Pre-Shared Secret . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

144

Security (IPSec) . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

144

IPSec Proposals . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

145

Add IPSec proposal . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

146

Actions tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

148

VPN configuration . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

148

Export . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

148

Rekey site-to-site VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

149

Rekey . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

149

Advanced VPN tab . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

149

Configuring a SKIP VPN. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

150

Configuring an IKE VPN . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

152

Enabling CRL checking . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

156

Exporting a VPN object to an extranet . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

158

VPN Object export checklist. . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

159

Export procedure . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

160

Importing a VPN object from an extranet . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

161

Rekeying a VPN object . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

162

Chapter 8: Establishing security . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

163

Firewall rules set up . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

163

Levels of firewall policy management . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

163

Firewall rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

164

Domain level firewall rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

164

Device level firewall rules . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

166

Priority of Firewall rules versus NAT rules . . . . . . . . . . . . . . . . . . . . . . . .

167

Setting up firewall rules for FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

167

FTP and Firewall/NAT Operation . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

167

Security Gateways and FTP . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

168

Firewall templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

169

Predefined templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

170

User defined templates . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . . .

170

10 Avaya VPNmanager Configuration Guide Release 3.7