Avaya 3.7 User Manual


Servers

To create a backup server:

1. Move to the Configuration Console window.

2. From the Device>Contents column, select the security gateway that needs to have the backup server.

3. Click the Directory Servers tab to bring it to the front.

4. Click Add to open the Add Directory Server dialog box.

5. Use Table 15 to configure a connection to a server.

Table 15: Add Directory Server Commands

Item                          Description
Enter IP Address or DNS Name  Type in the IP address or host name used by the server.
Locate This Server            Use these options to insert the server into a specific position in the Directory Servers list.
Port                          Type in the port number of the server (default is 389). To verify the number, move to the computer running iPlanet Directory Server, then start the iPlanet Console; the number can be seen from the Console tab.
Use SSL                       Select this check box to protect the communication between the VPNmanager Console and the Directory Server with Secure Socket Layer (SSL). Read Appendix A: Using SSL with Directory Server, before making this selection.

6. Click OK to return to the Directory Servers tab. The new backup server appears in the Directory Servers list.

7. When finished, click Save to save your work.

Managing the server list

The backup servers shown in the Servers list can be edited, have their sequence changed, or even deleted. The list organizes the servers in the sequence in which they must be used, where the one at the top of the list is always used first.

To edit, change the sequence, or delete a backup server:

1. Move to the Configuration Console window.

2. From the Device>Contents column, select the security gateway that has the backup server that needs to be changed.

3. Click the Servers tab to bring it to the front.

Issue 4 May 2005 211

Using advanced features

4. From the Servers list, select a specific secondary end-point.

5. Use Table 16 to perform specific management tasks.

Table 16: Servers list commands

Command    Description
Edit       Use this command to edit the server with the Add Directory Server dialog box.
Move Up    Click this button to move the server higher in the list.
Move Down  Click this button to move the server lower in the list.
Delete     Click this button to remove the server from the list.

When finished, click Save to save your work.

Resilient Tunnel

Tunnels are used to protect VPN traffic that moves through the public networks. The endpoints for tunnels are located in VSUs. Resilient Tunnels are used for backing up a specific primary tunnel. Up to three resilient tunnels can be created to back up a specific security gateway. VSUs can report tunnel switching to a common SNMP manager (see Using SNMP to monitor the device on page 245).

Note:

Resilient tunnels are configurable on VSUs running VPNos 3.x.

Figure 67 illustrates a simple example. The San Francisco LAN has two gateways to the WAN. The high-speed route is used by the primary tunnel, and the low-speed route is used by the resilient tunnel. If the circuit in which VSU B is located goes out of service, traffic automatically switches to VSU C. Once VSU B is back in service, VPN traffic switches back to the primary tunnel. The switching is controlled by VSU A, which is located in the Tokyo LAN.

212 Avaya VPNmanager Configuration Guide Release 3.7


Figure 67: Primary and Resilient Tunnels

Resilient Tunnels are used for backing up Primary Tunnels. Should a Primary Tunnel go out of service, the Resilient Tunnel will automatically be used for VPN traffic.

Figure 67 (diagram not reproduced) shows the Tokyo LAN, with VSU A behind a router, connected across the WAN to the San Francisco LAN, which has two router-and-VSU pairs joined to the LAN by a hub: the Primary Tunnel runs over the high-speed route and the Resilient Tunnel over the low-speed route.
Tunnel Switching

The switching mechanism involves time and a packet called a Heartbeat. Figure 68 illustrates how tunnels are switched.

Figure 68: Tunnel Switching

Figure 68 (diagram not reproduced) shows VSU A in the Tokyo LAN as the Control End-point, where tunnel switching is controlled; VSU B, reached across the WAN over the high-speed route, as the Primary End-point; and VSU C, reached over the low-speed route, as the Secondary End-point. Callouts 1 through 6 on the diagram mark the stages described in the explanation that follows.

Explanation for Figure 68

1. VSU A listens to VSU B's heartbeat. The heartbeat has a configurable period called the Heartbeat Interval.

2. If VSU A detects a missed heartbeat, it asks VSU B for a heartbeat.

3. The number of times that VSU A can make a request is configurable, and is called the Heartbeat Retry Limit.

4. If the number of requests exceeds the Heartbeat Retry Limit, VSU A then begins to establish a connection with VSU C.

5. Since VSU C uses a low-speed connection, VSU A must anticipate a delayed response from VSU C. That delay is called Hold-up Time, and is configurable with VPNmanager Console.


6. After VSU A establishes a connection with VSU C, the resilient tunnel is used for VPN traffic.

7. On a periodic basis, VSU A continues to request a heartbeat from VSU B. The period is called the Dead Primary Poll Interval.

8. If VSU A reconnects with VSU B, VSU A waits for a specific time before it switches traffic back to VSU B. The waiting period is called Hold-down Time.

Note:

If packet filtering is used, be sure the heartbeat packets are not filtered. The security gateway listens for heartbeats on UDP port 1643.

Creating a resilient tunnel

Resilient tunnels are configured from the Resilient Tunnel tab.

Figure 69: The Resilient Tunnel tab for a security gateway Object

Enable SNMP Traps. Check this box if you want SNMP traps enabled for the resilient tunnel.

Dead Poll Intervals. The number of seconds between heartbeat poll requests to a dead primary. This is different from the normal Heartbeat Interval because the primary security gateway is believed to be inactive and no response is expected. Therefore, the interval is much longer than a normal heartbeat request interval.


Add resilient tunnel

There are four parameters associated with Resilient Tunnel automatic backup mode. They are:

Heartbeat Interval

The time, in seconds, between heartbeat request attempts made by the remote security gateway to the primary security gateway. Default is 10 seconds.

Heartbeat Retry Limit

The number of times a heartbeat request is sent by the remote security gateway before the primary security gateway is declared inactive. Default is 3 tries.

Hold Up Time

The time (in seconds) to wait before the remote security gateway attempts to contact the secondary tunnel endpoint security gateway. This allows for the latency of a dialup link, typically much longer than the heartbeat interval. Default is 0.

Hold Down Time

Wait time between the remote security gateway determining that the primary endpoint security gateway is able to reconnect, and when the switchover actually occurs. This wait time ensures that the primary security gateway is stable before switching occurs. Default is 20 seconds.
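As an added illustration (not Avaya's code) of the switching sequence explained for Figure 68 and of the four parameters listed above, the following Python model drives the controlling end-point through primary failure, hold-up, dead-primary polling and hold-down using the manual's default values. The one-second tick, the 60-second Dead Primary Poll Interval and the re-polling every Heartbeat Interval during hold-down are assumptions, not values from the manual.

```python
"""Discrete-time model of the resilient-tunnel switching described for Figure 68."""
from dataclasses import dataclass


@dataclass
class ResilientTunnelConfig:
    heartbeat_interval: int = 10          # seconds between heartbeat requests (manual default: 10)
    heartbeat_retry_limit: int = 3        # unanswered requests before the primary is inactive (default: 3)
    hold_up_time: int = 0                 # wait before contacting the secondary end-point (default: 0)
    hold_down_time: int = 20              # stability wait before switching back (default: 20)
    dead_primary_poll_interval: int = 60  # constructed value: the manual states no default


def simulate(cfg, primary_up, duration):
    """Run the controlling end-point (VSU A) in one-second ticks for `duration` seconds.
    primary_up(t) reports whether the primary (VSU B) answers a heartbeat at time t.
    Assumption: during hold-down the primary is re-polled every Heartbeat Interval.
    Returns the list of (time, event) state changes."""
    state, missed, next_request = "primary", 0, 0
    switch_at = None   # hold-up deadline once the primary has been declared inactive
    back_since = None  # when the dead primary first answered again (hold-down start)
    events = []
    for t in range(duration):
        if state == "primary":
            if t >= next_request:                       # Heartbeat Interval elapsed
                next_request = t + cfg.heartbeat_interval
                missed = 0 if primary_up(t) else missed + 1
                if missed >= cfg.heartbeat_retry_limit and switch_at is None:
                    switch_at = t + cfg.hold_up_time    # Hold-Up Time before using VSU C
                    events.append((t, "primary declared inactive"))
            if switch_at is not None and t >= switch_at:
                state, switch_at, missed = "secondary", None, 0
                next_request = t + cfg.dead_primary_poll_interval
                events.append((t, "traffic switched to resilient tunnel"))
        else:
            if t >= next_request:                       # Dead Primary Poll Interval elapsed
                if primary_up(t):
                    if back_since is None:
                        back_since = t
                        events.append((t, "primary answered; hold-down started"))
                else:
                    back_since = None                   # primary flapped: restart hold-down
                next_request = t + (cfg.heartbeat_interval if back_since is not None
                                    else cfg.dead_primary_poll_interval)
            if back_since is not None and t - back_since >= cfg.hold_down_time:
                state, back_since = "primary", None     # Hold-Down Time elapsed: fail back
                next_request = t + cfg.heartbeat_interval
                events.append((t, "traffic switched back to primary tunnel"))
    return events
```

With the defaults and a primary outage from t=30 to t=150, three unanswered requests (t=30, 40, 50) trigger the switch at t=50, and the hold-down delays the switch back to 20 seconds after the primary first answers again.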

Prerequisites

Security gateways for the controlling, primary, and secondary end-points must exist. For instructions, see Configuring a security gateway on page 57.

A VPN Object that uses the controlling and primary security gateway objects must exist. For instructions, see Creating a new VPN object on page 136.

To create a resilient tunnel:

1. Move to the Configuration Console window. The Device tabs are displayed.

2. From the Device>Contents column, select the device that is operating as the primary end-point (see Figure 68).

3. Click the Resilient Tunnel tab to bring it to the front.

4. Click Add to open the Add Resilient Tunnel Device dialog box.

5. From the Select a Device list, select the security gateway that is the secondary end-point.

6. Select the Save as Enabled check box so that Resilient Tunnel services begin as soon as the VSUs are updated.


7. From the Properties list, click Heartbeat Interval so that the heartbeat interval values appear.

In the Heartbeat Interval drop-down list, select a unit of time.

In the Heartbeat Interval text box, type in a duration that defines the period of the primary end-point's heartbeat.

8. From the Properties list, click Heartbeat Retry Limit so that the heartbeat retry limit values appear.

In the Times text box, type in the number of times a heartbeat must be requested by the controlling end-point before it switches traffic to the secondary end-point.

9. If the secondary end-point uses a slower circuit than the primary end-point, the controlling end-point must be aware of the expected delay. That delay is called Hold-Up Time.

10. From the Properties list, click Hold Up Time so that the Hold Up Time values appear.

In the Hold-Up Time drop-down list, select a unit of time.

In the Hold-Up Time text box, type in the duration that the controlling end-point may have to wait for a response from the secondary end-point.

11. From the Properties list, click Hold-Down Time so that the hold-down time values appear.

In the Hold-Down Time drop-down list, select a unit of time.

In the Hold-Down Time text box, type in the duration that the controlling end-point must wait before it switches VPN traffic from the secondary end-point back to the primary end-point. The wait begins after the controlling end-point reconnects with the primary end-point.

12. Click OK to return to the Resilient Tunnel tab. Your new secondary end-point appears in the Resilient Tunnel list.

13. Click Save to save your work.

Managing the resilient tunnel list

The secondary end-points shown in the Resilient Tunnel List can be edited, have their sequence changed, or even deleted. The list organizes the secondary end-points in the sequence in which they must be used, where the one at the top of the list is always used first.

To edit, change the sequence, or delete a secondary end-point:

1. Move to the Configuration Console window.

2. From the Device>Contents column, select the security gateway that acts as the primary end-point for a tunnel.

3. Click the Resilient Tunnel tab to bring it to the front.

4. From the Resilient Tunnel List, select a specific secondary end-point.


5. You can edit, move up, move down, or delete the selected end-point.

6. When finished, click Save to save your work.

Stopping and starting resilient tunnel services

Resilient tunnel services for a specific primary end-point or secondary end-point can be stopped or started at any time.

Primary end-point service

To stop or start resilient tunnel services for a primary end-point:

1. Move to the Configuration Console window. Select Devices.

2. From the Device>Contents column, select the device that acts as the primary end-point for a tunnel.

3. Click the Resilient Tunnel tab to bring it to the front.

4. Do one of the following:

Select the Enable Resilient Tunnel check box to start services.

Clear the Enable Resilient Tunnel check box to stop services.

5. Click Save to save your work.

6. To send the configuration to the device, click Update Devices.

Secondary end-point service

To stop or start resilient tunnel services for a secondary end-point:

1. Move to the Configuration Console window. Select Devices.

2. From the Device>Contents column, select the security gateway that acts as the secondary end-point for a tunnel.

3. Click the Resilient Tunnel tab to bring it to the front.

4. From the Resilient Tunnel List, select a specific secondary end-point.

5. From the Enabled column, do one of the following:

Select the check box to start services.

Clear the check box to stop services.

6. Click Save to save your work.

7. To send the configuration to the device, click Update Devices.


Failover TEP

Failover TEP is used to protect site-to-site VPN traffic that moves through the public networks. The endpoints for tunnels are located in SGs. Up to four head-end devices can be configured to back up a specific security gateway.

Upon completion of the Failover TEP configuration, the VPNmanager downloads an identical VPN configuration to the alternate head-end devices. When a remote device fails at the primary head-end, the alternate head-end device provides the same VPN services.

The most desirable configuration uses identical devices; however, this is not required as long as each device has a license to service the number of VPNs configured on the primary head-end device. For example, if the head-end device is an SG203 that supports 8000 tunnels, the alternate head-end devices should be SG203s that support 8000 tunnels. If the head-end device is a VSU100, the alternate head-end devices should be VSU100s. For more information regarding configuring VSUs with a similar Failover TEP configuration, see Resilient Tunnel on page 212.

Note:

Beginning with VPNmanager 3.6, Failover TEP is configurable on security gateways running VPNos 4.5.

Figure 70: The Failover TEP tab for a security gateway object


Configuring failover TEP

Failover TEP is configured from the Failover TEP tab.

To configure failover TEP:

1. Move to the Configuration Console window. The Device tabs are displayed.

2. From the Device>Contents column, select the device that is operating as the head-end device.

3. Click the Failover TEP tab to bring it to the front.

4. Select the Enable check box to enable failover TEP on the device.

The Enable check box allows the configured device to download all user VPNs to the selected alternate head-end devices. The check box is not selected by default.

5. Click Add to open the Failover TEP dialog box.

6. From the Failover TEP Device drop-down menu, select the security gateway that will be the alternate head-end device.

7. Click OK to return to the Failover TEP tab. Your alternate head-end device appears in the Failover TEP(s) list.

8. Click Save to save the Failover TEP configuration.

To complete the Failover TEP configuration, you must enter the Failover Remote TEP information in the Failover tab.

9. To configure the Failover Remote TEP, go to the VPNmanager Console main window and select Failover as a New Object. The Failover tab appears.

10. From the Failover>Contents column, select the device to configure for Failover.

11. In the Remote TEP field, click Add to enter the tunnel endpoints (TEPs) for the central site with which the remote VPN device establishes a network connection. If the network path failure criteria are met while the remote security gateway is trying to establish a network connection, the remote VPN device tries the alternate TEPs in turn until a network connection is made.

For more information regarding Failover, see Failover on page 226.

Advanced Action

The Device Advanced Action tab provides access to advanced security gateway functions including switching the NOS execution from flash 0 to flash 1 (or back), resetting the security gateway’s password, or disabling FIPS on the selected security gateway.


Figure 71: Advanced Action tab

Switch Flash

Switch flash is used to switch the flash chip from which the security gateway is executing its NOS. Normally, a duplicate image of the NOS is loaded into the second flash bank; however, a new or previous NOS image may instead be loaded there when you want to switch between two NOS versions.

The flash from which the security gateway is currently executing its NOS is indicated (Flash 0 or Flash 1). Additional information can be found in the security gateway Data portion of the security gateway General tab.

Reset password

Reset password is used to change the console password on the selected security gateway. For example, if you forget the security gateway console password, you can change it using this dialog box.

Disable FIPS

This key is used to turn Federal Information Processing Standards (FIPS) mode off. FIPS indicates whether the VSU is running in the normal or FIPS level 2 mode. Avaya recommends that this mode be used only if an organization's policy requires FIPS 140-1 level 2 certification for cryptographic devices.
