Avaya 3.7 User Manual


Configuring a SKIP VPN

7.If you want to add User Objects or User Group Objects as members of this VPN Object, do the following.

Click the Members-Users tab to bring it to the front.

From the Available list, select specific User Objects and User Group Objects. User Group Objects are always located at the bottom of the list.

Tip: Hold the Shift key to simultaneously select many adjacent items, or hold the Ctrl key to simultaneously select many non-adjacent items.

Click Move Left to move the selected items to the Current Members list.

8.If you want to add IP Group Objects as members of this VPN Object, do the following.

Click the Members-IP Groups tab to bring it to the front.

From the Available list, select specific IP Group Objects.

Click Move Left to move the selected items to the Current Members list.

9.Click the Security (SKIP) tab to bring it to the front.

10.From the Encryption Algorithm list, do one of the following.

Select Triple DES to divide VPN traffic into 64-bit blocks and encrypt each block three times with three different keys.

Select DES to divide VPN traffic into 64-bit blocks and encrypt each block with a 56-bit key.

Select NONE to not encrypt VPN traffic.

11.From the Authentication Algorithm drop-down list, do one of the following.

Select Keyed MD5 if you want VPN tunnel end-points to authenticate themselves using the Message Digest 5 hash function.

Tunnel end-points are security gateways and VPNremote Clients.

Select NONE if you do not want tunnel end-points to authenticate themselves.

12.From the Compression Algorithm list, do one of the following.

Select Stac if you want the payloads of VPN packets to be compressed using the STAC Lempel-Ziv standard compression. Since encryption is time-consuming, compression speeds up the entire process.

Select NONE if you do not want payloads of VPN packets to be compressed.

13.Click Save to save your work.

Issue 4 May 2005 151

Configuring VPN objects

Configuring an IKE VPN

Note:

Security gateways at each end of a tunnel must use the same IKE settings.

To configure a new IKE VPN Object:

1.Move to the Configuration Console window.

2.From the Icon toolbar, click VPN to list all VPN Objects in the Contents column.

3.From the Contents column, select the VPN Object that needs to be configured.

4.Click the General tab to bring it to the front.

5.Select one of the following to control how tunnel end-points must authenticate themselves. End-points are defined as security gateways and VPNremote Clients.

Select Certificate Based to use X.509 public-key certificates.

Select Preshared Secret to use shared secret keys.

6.(Optional) Click the Memo tab to bring it to the front, then type in a note about this specific VPN Object.

7.To add User Objects or User Group Objects as members of this VPN Object, do the following.

Click the Members-Users tab to bring it to the front.

From the Available list, select specific User Objects and User Group Objects. User Group Objects are always located at the bottom of the list.

Click Move Left to move the selected items to the Current Members list.

8.To add IP Group Objects as members of this VPN Object, do the following.

Click the Members-IP Groups tab to bring it to the front.

From the Available list, select specific IP Group Objects.

Click Move Left to move the selected items to the Current Members list.

9.Click the Security (IKE) tab to bring it to the front.

10.Configure the encryption and authentication algorithms used at the end-points of a VPN tunnel.

11.Use the Encryption Algorithm list to select a specific type of encryption algorithm that each security gateway and VPNremote Client must use for this VPN Object.

Select Any if you want the security gateways to automatically negotiate which algorithm to use.

Select DES to divide VPN traffic into 64-bit blocks and encrypt each block with a 56-bit key.

152 Avaya VPNmanager Configuration Guide Release 3.7


Select 3DES to divide VPN traffic into 64-bit blocks and encrypt each block three times with three different keys.

12.Use the Authentication Algorithm list to select a specific type of algorithm that each security gateway must use to authenticate each other.

Select Any if you want the security gateways to automatically negotiate which algorithm to use.

Select MD5 if you want each security gateway to authenticate each other using the Message Digest 5 (MD5) hash function.

Select SHA1 if you want each security gateway to authenticate each other using the Secure Hash Algorithm-1 (SHA-1).

SHA1 is considered to be a stronger hash function than MD5, and may be required for US Federal applications that do not require a digital signature.

13.Use the Lifetime text boxes and lists to configure the time limit for creating and exchanging a new set of unique keys.

14.If the Time-based value expires before the Throughput value, key creation and exchange is performed; likewise if the Throughput value expires before the Time-based value.

15.Click Modify Secret to open the Modify Secret dialog. Create a shared secret for authenticating security gateways and members of the VPN.

To manually create a secret, type in an alphanumeric string in the text box.

To automatically create a secret, click Auto-generate.

16.Click OK.

Note:

Modify Secret is only available when creating a VPN based on Preshared Secret.

17.Click the Security (IPSec) tab to bring it to the front.

18.The Security (IPSec) tab is used to set up the desired IPSec protocol information (parameters relating to payload) that the VPNs use. Two sets of options are available. The IPSec options control packet alteration, and the IPSec Proposal options are used to create up to four different proposals for payload encryption and authentication.

19.Use the LZS list for applying compression to packet payloads.

20.According to RFC 2395, “IP Payload Compression using LZS,” experiments have shown that the LZS algorithm compressed a 64-byte file to 85% of its original size, while a 16384-byte file was compressed to 47% of its original size. Whether or not your network benefits from compression depends on what is typically transported; for example, video and sound traffic are already compressed, so additional compression has little effect and may load the security gateway.

Select Yes to apply compression.

Select No to not apply compression.

21.Use the Perfect Forward Secrecy list to control key creation.


22.Perfect Forward Secrecy (PFS) is a key-creation method used for assuring that a new key is not related to any previous keys. This is done by using key creation values which are independent of past values.

Select Yes to use PFS.

Select No to not use PFS.

23.Use the AH/ESP list to create packets containing IPSec headers. The payloads contain the entire original packet (header and payload).

Select AH Header to authenticate the entire packet.

This inserts an Authentication Header and an Encapsulating Security Payload (ESP) Header into packets and performs encryption on the payload.

Select ESP Trailer to authenticate the entire packet, except for the IP header.

This will insert an ESP Header and ESP Trailer into packets and perform encryption on the payload.

24.Use the Diffie-Hellman Group list to select which modulus to use for the keying algorithm.

Select 1 to use a 768-bit modulus.

Select 2 to use a 1024-bit modulus.

25.For detailed information about Group 1 and Group 2 algorithms, see section 6.2 of IETF RFC 2395.

26.Use the IPSec Proposals options to create one or more proposals.

27.A proposal defines which IPSec parameters all the security gateways of a VPN must use. If all the security gateways are of the same type, only one proposal needs to be created.

28.If an extranet (a VPN belonging to another organization) is going to connect to your VPN, and its proposal is different, or unknown, additional proposals can be added to the Proposal List to accommodate that unique security gateway. The security gateways will automatically go through the list and negotiate on which proposal to use at the appropriate time.

Click Add to open the Add IPSec Proposal dialog box.

From the Encryption drop-down list, select the type of encryption to be applied to packet payloads.

Null. Payload is not encrypted, but AH/ESP headers are included. Used by engineers for packet analysis.

DES. Single DES encryption is applied to the payload.

3DES. Triple DES encryption is applied to the payload.

AES-128. AES-128 advanced encryption is applied to the payload.

RC5. Applies RC5 encryption.

Any. Let the security gateways negotiate which encryption method to use.


From the Authentication drop-down list, select the type of authentication to use.

None. Packets are not authenticated.

HMAC-MD5. Packets are authenticated using the Hash-based Message Authentication Code (HMAC) coupled with the Message Digest 5 (MD5) hash function.

HMAC-SHA. Packets are authenticated using the Hash-based Message Authentication Code (HMAC) coupled with the Secure Hash Algorithm (SHA). SHA is considered to be a stronger authentication algorithm than MD5.

Any. The security gateways negotiate which method to use.

Use the Lifetime text boxes and lists to control the period for creating and exchanging a new set of unique keys.

If the Time-based value expires before the Throughput value, key creation and exchange is performed; likewise if the Throughput value expires before the Time-based value.

Use the Locate this Proposal options to select where to put your new proposal in the Priority Proposal List. Security gateways always start from the top of the list when making a query.
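The following is an added model of the proposal negotiation described in steps 26 to 28 and of the Lifetime rule given above (and in steps 13 and 14 of the IKE tab); it is example code, not Avaya's or the VSU's own IKE implementation. The encryption and authentication names are those of the Add IPSec Proposal dialog; the rule that a local "Any" takes the peer's concrete value and the sample lifetimes are assumptions.

```python
from dataclasses import dataclass
from typing import Optional, Sequence, Tuple

# Choices offered by the Add IPSec Proposal dialog; "Any" defers to the peer.
ENCRYPTIONS = ("Null", "DES", "3DES", "AES-128", "RC5", "Any")
AUTHENTICATIONS = ("None", "HMAC-MD5", "HMAC-SHA", "Any")


@dataclass(frozen=True)
class Proposal:
    encryption: str
    authentication: str
    time_lifetime_s: int         # Time-based lifetime, in seconds
    throughput_lifetime_kb: int  # Throughput lifetime, in kilobytes

    def __post_init__(self):
        if self.encryption not in ENCRYPTIONS:
            raise ValueError(f"unknown encryption {self.encryption!r}")
        if self.authentication not in AUTHENTICATIONS:
            raise ValueError(f"unknown authentication {self.authentication!r}")


def _compatible(local: str, remote: str) -> bool:
    return local == remote or "Any" in (local, remote)


def negotiate(local_list: Sequence[Proposal],
              remote_list: Sequence[Proposal]) -> Optional[Tuple[str, str]]:
    """Walk the local Priority Proposal List from the top and return the first
    (encryption, authentication) pair some remote proposal also accepts.
    Assumption: a local 'Any' takes the peer's concrete value. None = no match."""
    for local in local_list:
        for remote in remote_list:
            if (_compatible(local.encryption, remote.encryption)
                    and _compatible(local.authentication, remote.authentication)):
                enc = remote.encryption if local.encryption == "Any" else local.encryption
                auth = (remote.authentication if local.authentication == "Any"
                        else local.authentication)
                return enc, auth
    return None


def rekey_due(proposal: Proposal, elapsed_s: int, kb_sent: int) -> bool:
    """Lifetime rule: new keys are created and exchanged as soon as either the
    Time-based or the Throughput value expires, whichever comes first."""
    return (elapsed_s >= proposal.time_lifetime_s
            or kb_sent >= proposal.throughput_lifetime_kb)


# Constructed lists. The local gateway prefers 3DES/HMAC-SHA and has appended
# a DES/HMAC-MD5 proposal to accommodate an extranet peer of unknown capability;
# a peer that only offers DES will therefore be given DES.
LOCAL = (Proposal("3DES", "HMAC-SHA", 28800, 500000),
         Proposal("DES", "HMAC-MD5", 28800, 500000))
EXTRANET_PEER = (Proposal("DES", "HMAC-MD5", 3600, 100000),)
FLEXIBLE_PEER = (Proposal("Any", "Any", 3600, 100000),)
STRICT_PEER = (Proposal("AES-128", "HMAC-SHA", 3600, 100000),)
```

The model makes visible what the checklist only implies: every proposal added to accommodate an extranet is one a peer may select, so the weakest entry in the list sets the floor for that VPN.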

29.Click the Advanced tab to bring it to the front.

30.Select Apply VPN to clients only if you have created a VPN Object where User and User Group Objects can communicate with IP Group Objects, but IP Group Objects cannot communicate with each other.

Note:

This is an advanced control, used for a rare case. The default setting will apply to most configurations.

31.Select Use aggressive mode for clients if you want to speed up the time needed for VPNremote Clients to establish a secure connection with the VPN.

32.Select CRL Checking if you want to automatically track certificates that have been revoked by a specific Certificate Authority (CA).

Note:

This control is only available for certificate based VPNs.

33.Tunnel endpoints (VPNremote Clients and security gateways) that use certificates listed in a Certificate Revocation List (CRL) are denied access to the VPN. To use this feature, you must obtain a CRL from your Certificate Authority, then manually install it in the directory server on a periodic basis. See Enabling CRL checking on page 156 for more information.

34.If you use CRL Checking, in the Directory Name of Certificate Authority text box, type in the distinguished name (DN) of the certificate authority object located in the directory server. This object is where the CRL is located.

35.Click Save.


Enabling CRL checking

For certificate-based VPNs using IKE negotiation, a security gateway must verify the certificate of the other VSU. When Certificate Revocation List (CRL) Checking is enabled, the VSU validates the certificate revocation list downloaded from the VPNmanager using the Certificate Authority (CA) certificate, then checks the peer certificate against the validated CRL. If the certificate is found in the CRL, the IKE negotiation is cancelled.

To manually install a CRL into Directory Server from the CA’s LDAP server:

1.From the CA’s LDAP server, obtain the CRL that is associated with your installed issuer certificate.

2.Save the CRL as crl content.txt.

3.Open the crl content.txt file to extract the necessary CRL information.

4.To extract the necessary CRL information, open the crl content.txt file.

5.Locate the dn header with the organizational unit (ou) that corresponds to the CRL. For example:

dn: ou=vpnet VSU, o=Avaya Inc., c=US

6.Locate the paragraphs starting with cacertificate;binary and certificaterevocationlist;binary.

7.For example:

cacertificate;binary:: MIICKzCCAZSgAwIBAgIQRTP4LaWmlSRKYLv86Cphk
...
ygPDgMZlQq4oQoNyy26HRAV0yJ==
certificaterevocationlist;binary:: MIIC2zCCAkQwDQYJKoZIhvcNAQEEBQAw

8.Copy the cacertificate;binary and certificaterevocationlist;binary paragraphs to a new file.

9.Save the new CRL as crl.ldif.

10.Add a certificate dn header to the crl.ldif file. Use the following dn header format:

dn: cacertificate=IssuerCRL, ou=VPN Domain, o=DNS Domain
objectclass: certificationAuthority

Note:

dn specifies where the CRL file is filed.


11.Import the crl.ldif file by opening the Netscape Console login dialog box.

Solaris OS: In the server root, enter ./startconsole.

Windows NT: From the Windows taskbar, click Start/Programs/Netscape Server Family/Netscape Console.

12.In the User ID text box, type in the Administrative ID string used during the server installation procedure.

13.In the Password text box, type in the Password string used during the server installation procedure.

14.Click OK to open the Console window.

15.From the left pane, select the directory server containing your VPN data.

16.Double click to open the console window for that server.

17.Click the Configuration tab to bring it to the front.

18.From the left pane, select Database.

19.Right-click and select Import to import the crl.ldif file.

20.In the Import Database window, browse to locate the crl.ldif file.

21.Click Open to import the crl.ldif file.

22.The Import Database message box appears upon successful import.

23.From the VPNmanager Console, click Config.

24.From the left pane, click VPN then the General tab to bring it to the front.

25.In the General tab, click Certificate Based to enable certificate based VPN checking.

26.Click the Advanced tab to bring it to the front.

27.In the Advanced tab, click CRL checking and enter the CRL dn in the Directory Name of Certificate Authority field.

Note:

For the CRL dn, use the same dn used in Step 9.

28.From the left pane, click Device then the Servers tab to bring it to the front.

29.Add the Directory Server IP address and port number. The default clear-text port is 389 and the default SSL port is 636.

30.Click OK.

31.From the Configuration Console, click Save.

32.From the Configuration Console, click Update Devices.
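Steps 3 to 10 of this procedure (extracting the two binary attributes from the CA's LDAP export and writing crl.ldif under the required dn header) can be scripted. The following is an added example, not Avaya's tooling: it parses the export as LDIF, including folded continuation lines, selects the entry by its ou, and copies the cacertificate;binary and certificaterevocationlist;binary values verbatim. The sample export and its base64 values are constructed placeholders, and the ou, VPN Domain and DNS Domain arguments are assumptions.

```python
import base64
import re

ATTR_RE = re.compile(r"^([^:]+)(::?) ?(.*)$")
CRL_ATTRS = ("cacertificate;binary", "certificaterevocationlist;binary")

def parse_ldif_entries(text):
    """Split LDIF text into entries of {attribute: [(marker, value), ...]}.
    Folded lines are re-joined; the ':'/'::' marker is kept so base64 stays verbatim."""
    unfolded = re.sub(r"\n ", "", text)  # a leading space continues the previous line
    entries = []
    for block in re.split(r"\n\s*\n", unfolded.strip()):
        entry = {}
        for line in block.splitlines():
            m = ATTR_RE.match(line)
            if m and not line.startswith("#"):
                name, marker, value = m.groups()
                entry.setdefault(name.lower(), []).append((marker, value))
        if entry:
            entries.append(entry)
    return entries

def find_entry_by_ou(entries, ou):
    """Return the entry whose dn carries the given organizational unit (step 5)."""
    pattern = re.compile(rf"(^|,)\s*ou={re.escape(ou)}\s*(,|$)", re.IGNORECASE)
    for entry in entries:
        if any(pattern.search(dn) for _, dn in entry.get("dn", [])):
            return entry
    return None

def build_crl_ldif(export_text, ou, vpn_domain, dns_domain):
    """Steps 6 to 10: copy both binary attributes under the dn header format the
    guide gives. LookupError if the entry or an attribute is missing; ValueError
    (from b64decode) if a pasted value is not valid base64."""
    entry = find_entry_by_ou(parse_ldif_entries(export_text), ou)
    if entry is None:
        raise LookupError(f"no entry with ou={ou} in export")
    out = [f"dn: cacertificate=IssuerCRL, ou={vpn_domain}, o={dns_domain}",
           "objectclass: certificationAuthority"]
    for attr in CRL_ATTRS:
        if attr not in entry:
            raise LookupError(f"{attr} missing from entry")
        for marker, value in entry[attr]:
            if marker == "::":
                base64.b64decode(value, validate=True)  # refuse a mangled paste
            out.append(f"{attr}{marker} {value}")
    return "\n".join(out) + "\n"

# Constructed sample export: placeholder base64, not a real certificate or CRL.
# The CA value is folded across two lines to exercise continuation handling.
CA_B64 = base64.b64encode(b"constructed CA certificate").decode()
CRL_B64 = base64.b64encode(b"constructed revocation list").decode()
SAMPLE_EXPORT = (
    "dn: ou=vpnet VSU, o=Avaya Inc., c=US\n"
    f"cacertificate;binary:: {CA_B64[:16]}\n {CA_B64[16:]}\n"
    f"certificaterevocationlist;binary:: {CRL_B64}\n"
    "\n"
    "dn: ou=other unit, o=Avaya Inc., c=US\n"
    f"cacertificate;binary:: {base64.b64encode(b'other').decode()}\n"
)
```

Calling build_crl_ldif(SAMPLE_EXPORT, "vpnet VSU", "VPN Domain", "example.com") returns the four-line crl.ldif ready for the import in step 11.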

During IKE negotiations, the CRL is uploaded to the VSU for CRL checking. The CRL is held in the memory of the VSU.


If the Directory Server has been updated using a new CRL, the cached CRL must be manually removed from the VSU console.

To remove the CRL from the VSU:

1.From the VSU Console, enter 3 for the Utilities menu.

2.From the Utilities menu, enter 18 to Show CRL information.

3.After selecting 18 from the Utilities menu, a list of serial numbers appears on the screen.

4.Enter Y to delete the CRL list.

5.From the VPNmanager main menu, click Config.

6.Select Device.

7.From the Content pane, select the security gateway that includes the CRL list.

8.Click the Advanced tab.

9.Clear the CRL checking box.

10.Click Update Devices.

Exporting a VPN object to an extranet

Exporting a VPN object is a feature used for interconnecting VPN domains. Each domain views other domains as extranets.


Figure 51: Exporting a VPN Object to an Extranet

DomainA created the VPN Object that was exported to an extranet (DomainB). This method allows members of VPN ObjectA and VPN ObjectB to privately share network resources and communicate.

[Figure 51 is a diagram of DomainA and DomainB, each holding VPN ObjectA with IP Group ObjectA, IP Group ObjectB, a Device Object and an Extranet Device. Its callouts read as follows.]

VPN ObjectA is built with IP GroupA and IP GroupB. IP GroupA is configured with IP address masks for terminal devices in DomainA, and IP GroupB is configured with IP address masks for terminal devices in DomainB.

VPN ObjectA is exported to DomainB.

IP Group ObjectA is configured with Device ObjectA, but Device ObjectA does not get exported to DomainB.

IP Group ObjectB is configured with an Extranet Device. The device is configured with the IP address of Device ObjectB.

Device ObjectB is configured from DomainB. The Extranet Device and Device ObjectB have the same IP addresses, therefore, traffic to DomainA will automatically use Device ObjectB for VPN services.

VPN Object export checklist

Table 9 lists what to do before you export a VPN Object. The terms used by Figure 51 are used for orientation.

Table 9: VPN Object Export Checklist

Task

For certificate based IKE VPNs, administrators of DomainA and DomainB assure that all security gateways which are participating in the extranet connection are using the correct certificates (IKE Certificate Usage on page 240).

Administrators of DomainA and DomainB agree that AdministratorA create the VPN Object that is exported to DomainB.

AdministratorB creates security gateway ObjectB and supplies the IP address of that object to AdministratorA.

AdministratorA creates IP Group ObjectB (Creating a New IP Group on page 97) and configures it with an extranet device (To configure an IP Group that is associated with an extranet: on page 102) having the IP address supplied by AdministratorB.

AdministratorA creates security gateway ObjectA (Configuring a security gateway on page 57).

AdministratorA creates IP Group ObjectA (New IP Group on page 98) and configures it with security gateway ObjectA.

AdministratorA creates VPN ObjectA (Creating a new VPN object) and configures it with IP Group ObjectA and IP Group ObjectB.

AdministratorA exports VPN ObjectA data to AdministratorB (Exporting a VPN object to an extranet on page 158).

AdministratorB imports VPN ObjectA data into DomainB (Importing a VPN object from an extranet on page 161).

Export procedure

Exporting a VPN Object involves copying the object data to a file, then sending the file to the extranet administrator, who will import the file into their VPN Domain.

To export a VPN Object:

1.Move to the Configuration Console window.

2.From the Icon toolbar, click VPN to list all VPN Objects in the Contents column.

3.From the Contents column, select the VPN Object that needs to be configured.

4.From the Tools menu, select Export VPN to open the Export VPN dialog.

5.From the list box, select the VPN Object you want to export.

6.Click OK to open the Export VPN password dialog.

7.In the Password text box, type in a password to protect the exported data.

8.The password can be from 1 to 16 characters long.

9.In the Retype text box, type in your password to confirm it.
