Avaya 3.7 User Manual


Device Advanced

Examples of traffic destined for the private network are:

Decapsulated IPSec packets destined for the private network.

SNMP Get Responses being sent to a VPNmanager console residing on the private side of the VSU

Traps sent to a VPNmanager console residing on the private side of the VSU

Note:

It is important to remember that ARP often works in conjunction with the Advanced Filter setting.

Device in parallel with firewall or router - For example, if you set up a VSU in parallel with a network device that provides firewall and routing services and you only want the VSU to:

send ARPs for addresses in its primary IP address space out the public interface and,

send ARPs for addresses in its private IP address space out the private interface,

you would then want to:

1. Set the above to “Bind one IP address to each port” and

2. Set the Advanced Filter to Deny all non-VPN traffic. The latter prevents an ARP from going out both interfaces.

Device in One-Arm Mode - Suppose you have deployed the VSU in one-arm mode (which requires that only the private port be plugged into the network) and you have used the Bind one IP address to each port setting. This topology requires that the Advanced Filter setting be “Permit all non-VPN packets”. This allows ARPs for the VSU's primary IP address that come in the private port (remember it is the only port plugged in) to be resolved.

The “Bind Both Primary and Private IP Address to the Private Port” setting is available for legacy support. In particular, with this setting the VSU always ARPs out both ports independent of the Advanced Filter setting and it always uses the private port's MAC address for all packets originating from the VSU. Use this setting if you need a VSU running VPNOS 3.1.xx, or later, to support this legacy behavior.

Generally, “Bind both Primary and Private IP addresses to private port” is checked only if the VSU firmware is earlier than 3.1 and the VSU is the only device between the internet and the private network (not in parallel with a firewall).

Path MTU Discovery

When a device communicates with another network device, it attempts to discover the largest packet it can transmit to that device. The largest packet the network can transmit is called the maximum transmission unit (MTU).

Issue 4 May 2005 201

Using advanced features

As a packet is routed through different networks, it may be necessary for a router to divide the packet into smaller pieces because it might be too large to transmit as a single packet on a different network. This may occur at the interfaces of physically different networks.

The MTU of a security gateway passing secure traffic is 1404 bytes, which includes the additional IPSec information. The MTU of a security gateway passing unprotected traffic is 1514 bytes.

If Path MTU Discovery is running, a security gateway does not convert the following types of packets into secured traffic, and it uses an ICMP message to ask the source of the packets to fragment them.

Packets larger than 1404 bytes

Packets with the Don’t Fragment Bit set

Packets being the first fragment in the IP datagram

Following are reasons why you may not want a security gateway to participate in Path MTU:

A firewall sits between the security gateway and the source of packets needing VPN services. This would prevent the source from receiving security gateway ICMP messages indicating that fragmentation is needed.

The source of packets needing VPN services does not fragment packets, even when notified by a security gateway ICMP message.

A router in the network is outdated and will not send an ICMP fragmentation-needed message, or will not send a message at all.

The symptom of any of these situations would be that a network sniff indicates the security gateway is sending a fragmentation-needed ICMP message, but the traffic initiator keeps retransmitting the original packet.
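To recognize that symptom in a capture, here is an added example (not code from the Avaya guide): it scans constructed sniff summary lines for a source that keeps retransmitting an oversized DF packet after the gateway's fragmentation-needed ICMP. The gateway address 203.0.113.1, the summary line format and the hosts are assumptions; 1404 bytes is the protected-traffic MTU the manual gives.

```python
import re

# Constructed sniff summary lines (not real capture output). The gateway public
# address 203.0.113.1 is assumed; 1404 bytes is the VSU MTU for protected
# traffic given in the manual.
SNIFF = """\
10:00:01.000 192.168.10.5 -> 10.20.30.40 TCP len=1500 DF seq=1001
10:00:01.001 203.0.113.1 -> 192.168.10.5 ICMP type=3 code=4 mtu=1404
10:00:02.000 192.168.10.5 -> 10.20.30.40 TCP len=1500 DF seq=1001
10:00:04.000 192.168.10.5 -> 10.20.30.40 TCP len=1500 DF seq=1001
10:00:05.000 192.168.10.9 -> 10.20.30.40 TCP len=1500 DF seq=5001
10:00:05.001 203.0.113.1 -> 192.168.10.9 ICMP type=3 code=4 mtu=1404
10:00:05.200 192.168.10.9 -> 10.20.30.40 TCP len=1404 DF seq=5001
"""

LINE = re.compile(r"^(\S+) (\S+) -> (\S+) (TCP|ICMP) (.*)$")

def parse(text):
    """Parse sniff summary lines into dicts; a bare flag such as DF becomes True."""
    pkts = []
    for line in text.splitlines():
        m = LINE.match(line)
        if not m:
            continue
        pkt = {"ts": m.group(1), "src": m.group(2), "dst": m.group(3), "proto": m.group(4)}
        for tok in m.group(5).split():
            key, _, val = tok.partition("=")
            pkt[key] = val if val else True
        pkts.append(pkt)
    return pkts

def find_pmtud_blackholes(pkts, gateway):
    """Return (src, dst, seq) for flows where the gateway sent ICMP type 3 / code 4
    (fragmentation needed) but the source kept retransmitting the same oversized
    DF packet instead of shrinking it to the advertised MTU."""
    advertised = {}  # source address -> MTU the gateway told it to use
    findings = []
    for p in pkts:
        if (p["proto"] == "ICMP" and p["src"] == gateway
                and p.get("type") == "3" and p.get("code") == "4"):
            advertised[p["dst"]] = int(p["mtu"])
        elif p["proto"] == "TCP" and p["src"] in advertised and p.get("DF"):
            if int(p["len"]) > advertised[p["src"]]:
                key = (p["src"], p["dst"], p.get("seq"))
                if key not in findings:
                    findings.append(key)
    return findings

if __name__ == "__main__":
    for src, dst, seq in find_pmtud_blackholes(parse(SNIFF), "203.0.113.1"):
        print(f"{src} -> {dst} seq={seq}: oversized DF retransmit after frag-needed ICMP")
```

The second host (192.168.10.9) shrinks its packet to 1404 bytes after the ICMP and is therefore not reported; only the host that ignores or never receives the ICMP is flagged.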

To configure the Path MTU Discovery:

1. From the Device>Contents column, select the security gateway you want to configure.

2. Click the Advanced tab to bring it to the front.

3. From the Properties column, select MTU Path Discovery to display the MTU Path Discovery values.

4. From the Values list, do the following.

Select the On radio button to run MTU Path Discovery.

Select the Off radio button to disable MTU Path Discovery.

5. Enter the Path MTU Timeout value.

The path MTU timeout value is the number of minutes the SG will remember the new MTU learned for a path. When the timeout expires, the SG will attempt to send the maximum configured packet size. The default value is 1000. A timeout value of 0 means that the path MTU will never time out.

202 Avaya VPNmanager Configuration Guide Release 3.7


6. In the Fragmentation Control for Encapsulated VPN Traffic area, select the appropriate Do Not Fragment (DF) bit property.

Note:

If the DF bit is set in the IP header, the packet will not be fragmented further down the network path.

Copy DF bit from the source packet. If this property is selected, the DF bit from the source IP header is copied to the VPN traffic. When Path MTU is enabled (On), the copy DF bit from the source packet property is the default behavior. When Path MTU is disabled (Off), the copy DF bit from the source packet property is a configurable behavior.

Set DF bit. If this property is selected, the DF bit for the VPN traffic is always ON. When Path MTU is disabled (Off), the set DF bit property is a configurable behavior.

Clear DF bit. If this property is selected, the DF bit for the VPN traffic is always OFF. When Path MTU is disabled (Off), the clear DF bit property is a configurable behavior.

7. When finished, click Save.

8. When you want to send the configuration to one or more VSUs, click Update Devices.

NAT Traversal

Configurable NAT traversal is available for VPNos 4.31 and later.

Note:

For VPNos 3.2, NAT Traversal is enabled by default. You cannot change or disable it.

When a NAT device exists in a network path between security gateways that are part of a VPN, NAT Traversal allows the VPN traffic to successfully pass from one device to another. NAT traversal is enabled by default.

You can do the following:

Disable NAT traversal. Avaya recommends that you do not disable NAT traversal even if a NAT device does not exist in the network path of two VPNs.

Set the value for KeepAlive. The time configured here is used when the security gateway is in the private network of a NAT device. The security gateway behind the NAT device sends a keep alive packet to reserve the dynamic source port. The default is 20 seconds.

Because NAT devices can clear port assignments after a period of inactivity, a VPN session that is still open may be broken. When a new packet arrives after a certain period of inactivity, a NAT device can assign a new dynamic source port for the packet, which causes the VPN connection to fail. To avoid this problem, keep alive packets are sent from the VPN peer which is behind the NAT device.
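The mapping-expiry problem above, modelled as an added example (not Avaya code): a toy NAT with an idle timeout shows the public source port changing after a quiet period, and a keep-alive interval shorter than the timeout holding the mapping. The inside address, the port numbers and the 30-second NAT idle timeout are constructed assumptions; 20 seconds is the manual's default KeepAlive.

```python
from dataclasses import dataclass, field

@dataclass
class Nat:
    """Minimal port-overloading NAT with an idle timeout (constructed model,
    not a description of any particular NAT product)."""
    idle_timeout: float                 # seconds of silence before a mapping is dropped
    next_port: int = 40000              # next dynamic public source port to hand out
    table: dict = field(default_factory=dict)   # inside (ip, port) -> [public_port, last_seen]

    def translate(self, inside, now):
        """Return the public source port used for a packet from `inside` at time `now`."""
        entry = self.table.get(inside)
        if entry is None or now - entry[1] > self.idle_timeout:
            entry = [self.next_port, now]   # idle too long: a fresh port is assigned
            self.next_port += 1
            self.table[inside] = entry
        entry[1] = now
        return entry[0]

def ports_seen(send_times, idle_timeout, keepalive=None):
    """Public source ports the VPN peer sees for one inside flow whose data
    packets go out at send_times (seconds); keepalive, if set, adds a keep-alive
    packet every that many seconds, as the gateway behind the NAT does."""
    nat = Nat(idle_timeout)
    inside = ("10.1.1.5", 4500)             # assumed gateway behind the NAT
    events = [(t, "data") for t in send_times]
    if keepalive:
        t = 0.0
        while t <= max(send_times):
            events.append((t, "keepalive"))
            t += keepalive
    ports = []
    for now, kind in sorted(events):
        port = nat.translate(inside, now)
        if kind == "data":
            ports.append(port)
    return ports

def session_survives(send_times, idle_timeout, keepalive=None):
    """True when every data packet left the NAT on the same public port,
    so the peer's tunnel state stays valid."""
    return len(set(ports_seen(send_times, idle_timeout, keepalive))) == 1

if __name__ == "__main__":
    quiet = [0, 10, 70]   # constructed: a 60 s gap in VPN data
    print(ports_seen(quiet, 30))        # [40000, 40000, 40001]: mapping expired
    print(ports_seen(quiet, 30, 20))    # [40000, 40000, 40000]: keep-alive held it
```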


Port for dyna-policy download

If a VSU is configured to receive dyna-policies from a remote server instead of storing them locally, it uses a specific port for listening to the remote server. The port uses the Secure Sockets Layer (SSL) for protection, and its default number is 1443. The port number can be changed if necessary.

To change the port number:

1. From the Device>Contents column, select the VSU you want to configure.

2. Click the Advanced tab to bring it to the front.

3. From the Properties column, select Port for Dyna Policy Download to display the SSL Port text box.

4. In the SSL Port text box, type in a port number.

5. Click Save.

6. When you want to send the configuration to the VSU, click Update Devices.

Port for Secure Authentication

Text field for the port number on which the VSU listens for a response from a VPNremote client (over an SSL connection) after the client has been issued an authentication challenge (default port = 2444). A response received on this port is then forwarded to the external LDAP or RADIUS server for authentication.

Private IP Address (VPNos 3.x)

Beginning with VPNos 4.5, private IP address is configurable as part of the interface configuration on the Interfaces Tab.

A VSU may have two IP addresses assigned to it. When the private IP address is used and ARP is set to “Bind one IP address to each port”, the private address is applied to the private port of the VSU, and the public address is applied to the public port. If you specified a private IP address during the VSU Console Quick Setup and the VPNmanager VSU Setup wizard, this address should match that address.

A VSU does not need a private IP address to operate, but some networks may require that a VSU use two addresses. For example, the VPNmanager Console may be running on a machine that is on the private side of the VSU (having a single address). VPNmanager Console-to-VSU communication then has to be routed to the public port of the VSU, which may not be a direct path. The direct path would be to the private port.


A typical use of the private IP address is when the VSU’s private side IP network is a different network (different network number and/or mask) from the VSU’s public side IP network. For example, when you deploy the VSU in parallel with a firewall or other access device.

If you are using the VSU’s primary IP address as the management IP address, use caution when changing it from the VPNmanager. Modifying the private IP address when it is used as the management IP address may cause loss of connectivity between the VSU and the VPNmanager.

Note:

The VSU’s private (and public) IP address may be used as a gateway IP address for VPN traffic.

To add a private IP address:

1. From the Device>Contents column, select the VSU you want to configure.

2. Click the Advanced tab to bring it to the front.

3. From the Properties column, select Private IP Address to display the address controls.

4. Select the Enable Private IP Address check box.

5. In the Private IP Address text boxes, type in the second address assigned to the VSU.

6. In the Private IP Mask text boxes, type in a subnet mask for the address.

7. Select the Use this address when directly communicating with this device check box if you want the VPNmanager Console to use this address for communicating with the VSU.

8. Click Save, or if you want to send the configuration to the VSU, click Update Devices.

Send Device Names

Send VSU Names is an advanced control for managing how remote clients get their Dyna-Policies. The Dyna-Policy can be stored locally on one or more VSUs, the Directory Server, or a RADIUS Server. If the policies are stored locally on VSUs, the VSUs in the domain must identify themselves to each other so they can share their database of Dyna-Policies.

To select a VSU name distribution method:

1. From the Device>Contents column, select the VSU you want to configure.

2. Click the Advanced tab to bring it to the front.

3. From the Properties column, select Send VSU Names to display the sending options.

4. Select one of the options.

Send all VSU names. Select this option so each VSU in the domain identifies itself to the other VSUs. Use this option if one or more VSUs are storing Dyna-Policies locally.


Send VSU(s) names that are involved in CCD only. Select this option if you want the remote client to query only those VSUs that are performing Dyna-Policy services. This is useful if a domain contains many VSUs that are not used for authenticating remote clients. This saves time for the remote client because it does not have to query every VSU to build a complete Dyna-Policy.

Send no VSU names. Select this option if a Directory Server or RADIUS Server is used for storing Dyna-Policies. No VSUs are used for locally storing the policies.

Customize. Select this option if you wish to specify individual VSU names to be sent.

5. When finished, click Save.

6. When you want to send the configuration to one or more VSUs, click Update Details.

SuperUser Password (VPNos 3.x)

This function allows you to disable the SuperUser password, allowing only LDAP-based communication in the future. It is normally used in conjunction with role-based management.

This feature consists of two options for authenticating into a VSU to perform configuration changes:

VSU/Advanced/SuperUser Password ON (default)

VSU/Advanced/SuperUser Password OFF

Advanced/SuperUser Password ON (default) - both SuperUser and LDAP authentication are allowed. The VSU attempts to authenticate VPNmanager via the SuperUser account first. If this fails, the VSU then attempts to authenticate via the VPNmanager user's LDAP account. A successful connection requires that the VSU's authorization provider be set to LDAP user or SuperUser/LDAPuser (default).

When a new configuration is downloaded to the VSU, the VSU authorization provider is reset to SuperUser/LDAPuser, regardless of the previous setting. The next time VPNmanager attempts to connect it may use either SuperUser account or the VPNmanager user's LDAP account.

Advanced/SuperUser Password OFF - only LDAP authentication is allowed. The VSU only attempts to authenticate VPNmanager via the user's LDAP account. A successful connection requires that the VSU authorization provider be set to LDAPuser or SuperUser/LDAPuser (default). When a new configuration is downloaded to the VSU, the VSU authorization provider is reset to LDAPuser, no matter the previous setting. The next time VPNmanager attempts to connect it must use the VPNmanager user's LDAP account.

If VPNmanager has been incorrectly set with VSU/Advanced/SuperUser Password OFF and no LDAP server/user account is configured or available, you must access the VSU console and reset the authorization provider. Before re-attempting to connect, set VSU/Advanced/SuperUser Password back to ON in VPNmanager; otherwise only a single connection is authenticated, and with the SuperUser password left in the OFF position the VSU only allows LDAP authentication on the next attempt.


Note:

The VSU determines what type of authentication it permits, but this is dependent upon the authentication policy last downloaded from VPNmanager (SuperUser Password OFF or ON). Remember that if you set the SuperUser Password to OFF you are no longer able to connect to the VSU using the SuperUser account. The only way to recover SuperUser authentication is to change the setting back to ON, then do one of the following:

1. Authenticate via your LDAP user account, or

2. Go to the VSU console and reset the Configuration/VPNmanager Authorization/Authorization Provider value to SuperUser/LDAPuser, then authenticate by either your LDAPuser account or SuperUser account.

Tunnel Persistence

This feature consists of the following radio buttons:

Maintain VPN tunnels on device update

Rebuild all VPN tunnels on device update

In a multiple VPN structure with tunnel persistence set to Maintain VPN tunnels on device update, traffic is interrupted within the modified VPN only. In a multiple VPN structure with tunnel persistence set to Rebuild All VPN tunnels on device update, all VPNs related to the modified device are interrupted until the configuration update is complete.

Figure 63 illustrates tunnel persistence between SGs. If Maintain VPN tunnel is enabled, the addition of SGD to VPN2 interrupts and re-establishes tunnel persistence in VPN2 only. Because modifications have not been made in VPN1 (SGA and SGB) or VPN3 (SGB and SGD), those tunnels remain persistent.


Figure 63: VSU Tunnel Persistence

Figure 64 illustrates tunnel persistence between SGs and remote users (RUser). The addition of SGD to VPN2 (SGA, SGC, SGD, and Remote User) interrupts tunnel persistence in VPN2, thus breaking the remote connection. Once the configuration update is complete, the remote connection will be restored. Because modifications have not been made in VPN1 (SGA and SGB) and VPN3 (SGB and SGD), those tunnels remain persistent.

Figure 64: Remote User Tunnel Persistence


TEP Policy

The Tunnel End Point (TEP) Policy tab provides control of the security policy applied to the traffic that flows between the end points of a tunnel. The default is off, or Do not apply configured VPN policies to TEP traffic.

Figure 65: Tunnel End Point Policy

Enabling apply configured VPN policies to TEP traffic encrypts the traffic destined to and from tunnel end points when the following conditions are met:

Primary IP address of VSUs in your VPN domain must be included in the IP group they are protecting.

SKIP tunnel mode or IKE is being used (SKIP Transport mode NOT being used).

If these conditions are not met, packets are subject to the non-VPN traffic policy (Permit or Deny) selected in the VSU Packet Filtering/Advanced tab.

A typical case in which enabling Apply configured VPN policies to TEP traffic is desirable is remotely reading an Active Sessions MIB object of a VSU. The information returned includes the user name or IP address for each session currently active on the selected VSU. Obviously, having this SNMP information pass over the internet in the clear is not desirable.

This feature is not supported in releases of VPNmanager prior to 3.1. Because both tunnel end points must have Apply configured VPN policies to TEP traffic enabled, the VSUs on each end must also be running VPNos 3.1 or later.


Servers

The Servers tab is used for adding backup directory servers to a specific security gateway. There is no practical limit on how many backups you can configure. Backup servers can be added at any time, and they can be organized so that when one fails, a specific one is used as a backup.

To install additional servers, see your iPlanet Directory Server documentation for instructions. The following procedure only establishes an installed server as a backup server. The Directory Servers tab is shown in Figure 66.

Figure 66: The Directory Servers tab

The Servers list presents the available directory servers in three columns: IP address or DNS Name, port, and SSL state.

Move Up/Down arrows are provided to change the position of the highlighted server.

Edit/Delete/Add buttons are provided at the bottom of the pane.

Add servers

Brings up a dialog box to add additional servers. Enter the new server’s IP address or DNS Name. The Locate This Server box contains three radio buttons used to place the new server:

Beginning of List

End of List (default)

After Selected Item
