Avaya Router - Virtual Private Networking BCM50 User Manual

BCM50 Rls 6.0
Router - Virtual Private Networking
Task Based Guide
Router – Virtual Private Networking
Copyright © 2010 Avaya Inc. All Rights Reserved.
Notices
While reasonable efforts have been made to ensure that the information in this document is complete and accurate at the time of printing, Avaya assumes no liability for any errors. Avaya reserves the right to make changes and corrections to the information in this document without the obligation to notify any person or organization of such changes.
Documentation disclaimer
Avaya shall not be responsible for any modifications, additions, or deletions to the original published version of this documentation unless such modifications, additions, or deletions were performed by Avaya. End User agrees to indemnify and hold harmless Avaya, Avaya’s agents, servants and employees against all claims, lawsuits, demands and judgments arising out of, or in connection with, subsequent modifications, additions or deletions to this documentation, to the extent made by End User.
Link disclaimer
Avaya is not responsible for the contents or reliability of any linked Web sites referenced within this site or documentation(s) provided by Avaya. Avaya is not responsible for the accuracy of any information, statement or content provided on these sites and does not necessarily endorse the products, services, or information described or offered within them. Avaya does not guarantee that these links will work all the time and has no control over the availability of the linked pages.
Warranty
Avaya provides a limited warranty on this product. Refer to your sales agreement to establish the terms of the limited warranty. In addition, Avaya’s standard warranty language, as well as information regarding support for this product, while under warranty, is available to Avaya customers and other parties through the Avaya Support Web site: http://www.avaya.com/support
Please note that if you acquired the product from an authorized reseller, the warranty is provided to you by said reseller and not by Avaya.
Licenses
THE SOFTWARE LICENSE TERMS AVAILABLE ON THE AVAYA WEBSITE,
HTTP://SUPPORT.AVAYA.COM/LICENSEINFO/ ARE APPLICABLE TO ANYONE WHO DOWNLOADS,
USES AND/OR INSTALLS AVAYA SOFTWARE, PURCHASED FROM AVAYA INC., ANY AVAYA AFFILIATE, OR AN AUTHORIZED AVAYA RESELLER (AS APPLICABLE) UNDER A COMMERCIAL AGREEMENT WITH AVAYA OR AN AUTHORIZED AVAYA RESELLER. UNLESS OTHERWISE AGREED TO BY AVAYA IN WRITING, AVAYA DOES NOT EXTEND THIS LICENSE IF THE SOFTWARE WAS OBTAINED FROM ANYONE OTHER THAN AVAYA, AN AVAYA AFFILIATE OR AN AVAYA AUTHORIZED RESELLER, AND AVAYA RESERVES THE RIGHT TO TAKE LEGAL ACTION AGAINST YOU AND ANYONE ELSE USING OR SELLING THE SOFTWARE WITHOUT A LICENSE. BY INSTALLING, DOWNLOADING OR USING THE SOFTWARE, OR AUTHORIZING OTHERS TO DO SO, YOU, ON BEHALF OF YOURSELF AND THE ENTITY FOR WHOM YOU ARE INSTALLING, DOWNLOADING OR USING THE SOFTWARE (HEREINAFTER REFERRED TO INTERCHANGEABLY AS "YOU" AND "END USER"), AGREE TO THESE TERMS AND CONDITIONS AND CREATE A BINDING CONTRACT BETWEEN YOU AND AVAYA INC. OR THE APPLICABLE AVAYA AFFILIATE ("AVAYA").
Copyright
Except where expressly stated otherwise, no use should be made of the Documentation(s) and Product(s) provided by Avaya. All content in this documentation(s) and the product(s) provided by Avaya including the selection, arrangement and design of the content is owned either by Avaya or its licensors and is protected by copyright and other intellectual property laws including the sui generis rights relating to the protection of databases. You may not modify, copy, reproduce, republish, upload, post, transmit or distribute in any way any content, in whole or in part, including any code and software. Unauthorized reproduction, transmission, dissemination, storage, and or use without the express written consent of Avaya can be a criminal, as well as a civil offense under the applicable law.
Third Party Components
Certain software programs or portions thereof included in the Product may contain software distributed under third party agreements ("Third Party Components"), which may contain terms that expand or limit rights to use certain portions of the Product ("Third Party Terms"). Information regarding distributed Linux OS source code (for those Products that have distributed the Linux OS source code), and identifying the copyright holders of the Third Party Components and the Third Party Terms that apply to them is available on the Avaya Support Web site:
http://support.avaya.com/Copyright.
Trademarks
The trademarks, logos and service marks ("Marks") displayed in this site, the documentation(s) and product(s) provided by Avaya are the registered or unregistered Marks of Avaya, its affiliates, or other third parties. Users are not permitted to use such Marks without prior written consent from Avaya or such third party which may own the Mark. Nothing contained in this site, the documentation(s) and product(s) should be construed as granting, by implication, estoppel, or otherwise, any license or right in and to the Marks without the express written permission of Avaya or the applicable third party. Avaya is a registered trademark of Avaya Inc. All non-Avaya trademarks are the property of their respective owners.
2 NN40011-047 Issue 1.2 BCM50 Rls 6.0
Router - Virtual Private Networking
Downloading documents
For the most current versions of documentation, see the Avaya Support Web site: http://www.avaya.com/support
Contact Avaya Support
Avaya provides a telephone number for you to use to report problems or to ask questions about your product. The support telephone number is 1-800-242-2121 in the United States. For additional support telephone numbers, see the Avaya Web site: http://www.avaya.com/support
Copyright © 2010 ITEL, All Rights Reserved. The copyright in the material belongs to ITEL and no part of the material may be reproduced in any form without the prior written permission of a duly authorised representative of ITEL.
Table of Contents
Virtual Private Networking Guide..................................... 6
Overview .......................................................................................... 6
BCM50 Integrated Router VPN Types ............................................. 6
Client VPN ......................................................................................................... 6
Branch VPN ....................................................................................................... 7
Client Termination .............................................................................................. 8
IPSec Algorithms ............................................................................. 8
Authentication Header (AH) Protocol................................................................. 9
Encapsulating Security Payload ........................................................................ 9
VPN and NAT ................................................................................ 10
VPN Branch IP Relationships ........................................................ 10
Content ID & Type ......................................................................... 11
Required Information ..................................................................... 12
Flowchart ....................................................................................... 12
Accessing the Web Router GUI ..................................................... 13
From Element Manager ................................................................................... 13
Access Directly via a Web Browser ................................................................. 18
VPN Configuration ......................................................................... 20
VPN & RIP ....................................................................................................... 20
Client Rule ..................................................................................... 20
Exclusive Mode for Client Rules ...................................................................... 24
Branch Rule ................................................................................... 25
Client Termination .......................................................................... 36
SA Monitor ..................................................................................... 43
Global Settings .............................................................................. 45
Additional Information .................................................... 47
Creating a tunnel between two BCMs ............................................ 47
Configuration on Switch A ............................................................................... 47
Configuration on Switch B ............................................................................... 49
Routing Information Protocol (RIP) ................................................ 51
Avaya Documentation Links .......................................... 52
Note: This guide relates to the BCM50a/ba and BCM50e/be models only.
Note: Although the BCM50a/ba models will not be supplied with BCM 6.0, it is possible to upgrade the variants of these models to BCM 6.0, if they were originally supplied with BCM50 R2 or BCM50 R3 software.
Note: The BCM50 Integrated Router is almost identical to the Business Secure Router (BSR) models. BCM50a/ba routers are based on the BSR252 and BCM50e/be routers are based on the BSR222.
Virtual Private Networking Guide
Overview
BCM50 Integrated Router models can provide secure connections to other sites using the IPSec protocol. For example, data can be sent between two BCM50 Integrated Routers over the Internet. One use of VPNs is to create VoIP (Voice over IP) gateways between geographically separated sites, so that the voice traffic is transmitted securely.
BCM50 Integrated Router VPN Types
The BCM50 Integrated Router can provide three types of VPN connections:
Client: The BCM50 Integrated Router acts as a client connecting to a VPN router (e.g. a Contivity switch or another BCM50 Integrated Router).
Branch: The BCM50 Integrated Router can connect to multiple other BCM50 Integrated Routers via secure connections.
Client Termination: The BCM50 Integrated Router allows multiple Contivity clients, e.g. Contivity software clients or BCM50 Integrated Routers configured in Client mode, to connect securely.
Client VPN
With the BCM50 Integrated Router set up as a Client VPN, the BCM50 Integrated Router sets up a secure connection to a corporate network via a Contivity switch or another BCM50 Integrated Router. In this scenario, the BCM50 Integrated Router is the Client.
Note: If the BCM50 Integrated Router is configured with the VPN Client rule, it cannot have any other VPN configuration, i.e. the BCM50 Integrated Router can only VPN to one designated Contivity switch or main office BCM50 Integrated Router. The Contivity switch/main office BCM50 Integrated Router administrator provides the client BCM50 Integrated Router administrator with basic account details to connect to their network.
Branch VPN
The BCM50 Integrated Router Branch VPN rules allow the configuration of up to 10 secure connections to other equivalent IPSec routers, e.g. another BCM50 Integrated Router, over the public network. VPN connections could be used for transferring information between PCs or setting up secure VoIP tunnels between handsets.
When configuring Branch rules, settings must be agreed upon before configuration can successfully take place. These settings include security details (IKE, VPN Protocol, Pre-Shared Key), and manually entered information such as WAN IP Addresses, Local/Remote IP Addresses, Content Type etc. The information must match on both the local and remote ends otherwise the connection will not be successfully made.
A worked example configuration is provided later in this guide.
Client Termination
This configuration allows multiple remote users to connect to the BCM50 Integrated Router via Contivity client software running on a PC/laptop, or via another BCM50 Integrated Router (also BSR router) configured in Client VPN mode.
Mobile or home workers will find this feature useful for connecting to the main office network, for data transfer or VoIP purposes.
IPSec Algorithms
The IPSec standard defines a set of security protocols that authenticate IP connections and add confidentiality and integrity to IP packets. IPSec packets are transparent to applications and the underlying network infrastructure. IPSec supports various encryption and authentication protocols so that your security policy can dictate levels of data privacy and authentication. IPSec uses a flexible key management scheme called the Internet Security Association Key Management Protocol (ISAKMP), which enables peer connections to quickly and dynamically agree on compatible security and connection parameters (keys, encryption, and authentication).
There are two IPSec protocol options on the BCM50: Authentication Header (AH) and Encapsulating Security Payload (ESP). Both can use the authentication and encryption algorithms listed below.
Authentication Algorithm       | Description
MD5 (Message Digest 5)         | Produces a 128-bit digest to authenticate packet data.
SHA-1 (Secure Hash Algorithm)  | Produces a 160-bit digest to authenticate packet data.
For minimal security use MD5, or for maximum security use SHA-1.

Encryption Algorithm               | Description
DES (Data Encryption Standard)     | A widely used method of data encryption using a private (secret) key. DES applies a 56-bit key to each 64-bit block of data.
3DES (Triple DES)                  | A variant of DES, which iterates three times with three separate keys (3 x 56 = 168 bits), effectively doubling the strength of DES.
AES (Advanced Encryption Standard) | A newer method of data encryption that also uses a secret key. This implementation of AES applies a 128-bit key to 128-bit blocks of data. AES is faster than 3DES.
For minimal security use DES, or for maximum security use 3DES.
Authentication Header (AH) Protocol
In applications where confidentiality is not required, an AH can be employed to ensure integrity. This type of implementation does not protect the information from dissemination but will allow for verification of the integrity of the information and authentication of the originator.
AH Protocol Options
Encapsulating Security Payload
The ESP protocol provides encryption as well as some of the services offered by AH. ESP authenticating properties are limited compared to the AH due to the non-inclusion of the IP header information during the authentication process. However, ESP is sufficient if only the upper layer protocols need to be authenticated.
An added feature of the ESP is payload padding, which further protects communications by concealing the size of the packet being transmitted.
ESP Protocol Options
VPN and NAT
Normally it is not possible to set up a VPN when there is a NAT Router in between two VPN switches. This is because the NAT Router changes the header of the outgoing IPSec packet so it does not match the header for which the receiving VPN switch is checking. Therefore, the receiving VPN switch does not respond and the tunnel cannot be built.
The BCM50 Integrated Router solves this problem by the use of NAT Traversal; an option that can be selected when configuring VPN Branch rules. Both VPN switches should have NAT Traversal enabled.
Note: For NAT Traversal to be successful, the VPN Branch rule should be configured to use the ESP algorithm and also to use tunnel mode.
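Why a NAT router in the path breaks AH but leaves ESP's own integrity check intact can be seen in a small model. The following Python is an added example, not code from the Avaya guide or from the router; the header layout, addresses and key are constructed for illustration, and only the difference in what the integrity check value (ICV) covers is modelled (the real protocols' mutable-field rules and NAT Traversal's UDP encapsulation are not).

```python
import hashlib
import hmac

# Shared integrity key for the demonstration (constructed; on a real SA this
# would be agreed through IKE/ISAKMP as the guide describes).
DEMO_KEY = b"constructed-demo-integrity-key"


def ip_header(src: str, dst: str) -> bytes:
    """Constructed stand-in for the IP header fields that AH includes in its ICV."""
    return f"src={src};dst={dst};".encode()


def ah_icv(src: str, dst: str, payload: bytes) -> bytes:
    """AH-style ICV: the HMAC covers the IP header fields AND the payload."""
    return hmac.new(DEMO_KEY, ip_header(src, dst) + payload, hashlib.sha1).digest()


def esp_icv(payload: bytes) -> bytes:
    """ESP-style ICV: the HMAC covers the ESP payload only, not the outer IP header."""
    return hmac.new(DEMO_KEY, payload, hashlib.sha1).digest()


def nat_rewrite(src: str, public_ip: str) -> str:
    """What a NAT router does to an outgoing packet: replace the private source with its public address."""
    return public_ip


def ah_verifies(sent_src: str, received_src: str, dst: str, payload: bytes) -> bool:
    """The receiving VPN switch recomputes the AH ICV over the header it actually received."""
    icv_from_sender = ah_icv(sent_src, dst, payload)
    icv_at_receiver = ah_icv(received_src, dst, payload)
    return hmac.compare_digest(icv_from_sender, icv_at_receiver)


def esp_verifies(sent_payload: bytes, received_payload: bytes) -> bool:
    """ESP verification ignores the outer header, so only payload changes are detected."""
    return hmac.compare_digest(esp_icv(sent_payload), esp_icv(received_payload))


def run_scenario(nat_in_path: bool) -> dict:
    """Send one packet with or without a NAT router in between and report what still verifies."""
    private_src = "192.168.1.10"   # constructed LAN address behind the NAT router
    public_ip = "203.0.113.7"      # constructed public address of the NAT router
    dst = "198.51.100.5"           # constructed WAN address of the remote VPN switch
    payload = b"protected tunnel data"
    received_src = nat_rewrite(private_src, public_ip) if nat_in_path else private_src
    return {
        "AH": ah_verifies(private_src, received_src, dst, payload),
        "ESP": esp_verifies(payload, payload),
        # ESP still catches a modified payload even though it ignores the outer header
        "ESP_tampered_payload": esp_verifies(payload, payload + b"!"),
    }


if __name__ == "__main__":
    print("no NAT :", run_scenario(nat_in_path=False))
    print("NAT    :", run_scenario(nat_in_path=True))
```

With no NAT both checks pass; with a NAT router rewriting the source address the AH check fails while the ESP check still passes, which is why the guide requires ESP (in tunnel mode) for NAT Traversal.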
VPN Branch IP Relationships
The configuration of VPN Branch rules requires the definition of both global (WAN IP address used on the Internet) and private (LAN IP addresses) IP Addresses. The reason for this is so that a path can be securely set up from one LAN to another, via WAN IP addresses used on the internet. The following diagram helps explain the relationship between these global and LAN IP addresses involved in VPN connections.
The above diagram shows the information required for the VPN Branch setup from switch A’s perspective:
“My” IP Address is the WAN IP address issued by the ISP (Internet Service Provider) to switch A
Secure Gateway Address is the WAN IP address issued by the ISP to switch B
Local IP Address Range is the range of IP Addresses used on the LAN connected to switch A
Remote IP Address Range is the range of IP Addresses used on the LAN connected to switch B
If a PC on switch A requests information from a PC on switch B, switch A will initiate a VPN connection via switch B’s Secure Gateway Address. Therefore, the two LANs can communicate via the global (WAN) IP addresses specified.
From switch B’s perspective, the set of information is the same but the terminology is reversed, i.e. switch A’s “My” IP address becomes switch B’s Secure Gateway Address and switch A’s Local IP Address Range becomes switch B’s Remote IP Address Range, etc.
Content ID & Type
Content ID and Type are additional security checks applied to incoming VPN requests. They do not replace any of the possible encryption methods (ESP, AH).
The options for type are:
IP – IP address of a computer or BCM50 Integrated Router
Domain (DNS) – A designated domain name
E-mail – A designated e-mail address
When using this feature, both local and remote (peer) Content ID and Type will have to be specified and mirrored for either end of the VPN connection.
For example, referring back to the diagram in the VPN Branch IP Relationships section, the Content ID and Type fields on switches A and B could be as follows:
Note: The Domain name and e-mail options do not have to actually exist and are purely referential.
Field         | Switch A        | Switch B
Local ID Type | E-mail          | DNS
Content       | Sys2@yahoo.com  | www.iteluk.com
Peer ID Type  | DNS             | E-mail
Content       | www.iteluk.com  | Sys2@yahoo.com
This information has to be agreed by the administrators of both BCM50 Integrated Router switches.
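Because a Branch rule only comes up when every one of these values is mirrored exactly on the two switches, a pre-configuration check of the agreed settings avoids a silent failure to connect. The following Python is an added example, not code from the Avaya guide or from the router: it models each switch's Branch rule with the guide's field names (the IP addresses, ranges and pre-shared key are constructed; the ID values are the ones from the table above) and reports every field that does not mirror its counterpart, plus the guide's NAT Traversal requirement of ESP in tunnel mode.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network


@dataclass
class BranchRule:
    """One switch's VPN Branch rule, using the guide's field names (values are constructed)."""
    my_ip: str
    secure_gateway: str
    local_range: str
    remote_range: str
    local_id_type: str     # "IP", "DNS" or "E-mail"
    local_id: str
    peer_id_type: str
    peer_id: str
    vpn_protocol: str      # "ESP" or "AH"
    mode: str              # "tunnel" or "transport"
    pre_shared_key: str
    nat_traversal: bool


def check_branch_pair(a: BranchRule, b: BranchRule) -> list:
    """Return a list of mismatches; an empty list means the two rules mirror each other."""
    problems = []
    # Each side's WAN addresses and LAN ranges must at least parse as such.
    for rule, label in ((a, "A"), (b, "B")):
        for fld in ("my_ip", "secure_gateway"):
            try:
                ip_address(getattr(rule, fld))
            except ValueError:
                problems.append(f"switch {label}: {fld} is not a valid IP address")
        for fld in ("local_range", "remote_range"):
            try:
                ip_network(getattr(rule, fld), strict=False)
            except ValueError:
                problems.append(f"switch {label}: {fld} is not a valid IP range")
        # NAT Traversal only works with ESP in tunnel mode (guide's note).
        if rule.nat_traversal and (rule.vpn_protocol != "ESP" or rule.mode != "tunnel"):
            problems.append(f"switch {label}: NAT Traversal requires ESP in tunnel mode")
    # Fields whose meaning is reversed between the two ends: A's local is B's remote.
    mirrored = [
        ("my_ip", "secure_gateway"),
        ("secure_gateway", "my_ip"),
        ("local_range", "remote_range"),
        ("remote_range", "local_range"),
        ("local_id_type", "peer_id_type"),
        ("local_id", "peer_id"),
        ("peer_id_type", "local_id_type"),
        ("peer_id", "local_id"),
    ]
    for a_field, b_field in mirrored:
        if getattr(a, a_field) != getattr(b, b_field):
            problems.append(
                f"A.{a_field} ({getattr(a, a_field)}) must equal B.{b_field} ({getattr(b, b_field)})"
            )
    # Fields that must be identical on both ends.
    for fld in ("vpn_protocol", "mode", "pre_shared_key", "nat_traversal"):
        if getattr(a, fld) != getattr(b, fld):
            problems.append(f"{fld} differs between A and B")
    return problems


def example_pair():
    """Constructed, correctly mirrored rules for switches A and B."""
    a = BranchRule("192.0.2.1", "198.51.100.1", "192.168.1.0/24", "192.168.2.0/24",
                   "E-mail", "Sys2@yahoo.com", "DNS", "www.iteluk.com",
                   "ESP", "tunnel", "constructed-psk", True)
    b = BranchRule("198.51.100.1", "192.0.2.1", "192.168.2.0/24", "192.168.1.0/24",
                   "DNS", "www.iteluk.com", "E-mail", "Sys2@yahoo.com",
                   "ESP", "tunnel", "constructed-psk", True)
    return a, b


if __name__ == "__main__":
    switch_a, switch_b = example_pair()
    print(check_branch_pair(switch_a, switch_b) or "rules mirror each other")
```

Run it against the two administrators' agreed settings before either side clicks Apply; every line it prints is a value that will stop the tunnel from being built.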
Required Information
Before configuring IPSec, the following information is required:
What is the required level of encryption to be used?
What is the password to be used for the Pre-shared key?
What Content ID and Type will be used?
What are the WAN IP addresses of the local and remote BCM50 Integrated Routers?
What are the LAN IP addresses of the local and remote LANs?
Flowchart
The flow chart below shows which sections of the guide you should use when configuring VPN connections.
Which type of VPN do you need to configure for the BCM50 Integrated Router?
A single connection to a Contivity switch or another BCM50 Integrated Router: refer to the Client Rule section of this guide. Do you want to set up exclusive access for just one device to use the VPN connection? If yes, refer to the Exclusive Mode for Client Rules section of this guide.
Multiple VPN connections to other BCM50 Integrated Routers: refer to the Branch Rule section of this guide.
Client Termination for remote users using Contivity Client software or a 1100 series IP phone: refer to the Client Termination section of this guide.
Finally, check that the VPN connections are successfully connected: refer to the SA Monitor section of this guide.
Accessing the Web Router GUI
There are two methods of accessing the Web Router GUI, regardless of which model you are configuring:
Via Element Manager (the management application for all BCM50 models)
Directly from a web browser
From Element Manager
1. To access the Business Element Manager application from the Start Menu, navigate to Start, Programs, Avaya, Business Communications Manager, Business Element Manager.
2. Alternatively, double-click on the Business Element Manager desktop icon.
3. You will be presented with the Element Manager interface.
4. Open the Network Elements folder and select the IP Address of the BCM.
5. Enter the User Name of the BCM in the User Name field, by default this is nnadmin. Then enter the Password in the Password field, by default the password is PlsChgMe!. Click the Connect button.
6. A warning screen will appear, read the warning and click OK.
7. You will be presented with the Element Manager interface.
Note: if the above logon details do not work, try Username = admin, and Password = setup.
8. Click the Data Services link, select the Router link and click the Launch Router Web GUI Tool button.
9. The Business Secure Router logon screen will be displayed. Enter the Username (default = nnadmin) and Password (default = PlsChgMe!) and click Login.
10. Change the password and click Apply, or click Ignore to continue.