The information in this manual is provided without warranty of any kind and is subject to change without notice. Lucent Technologies Inc. assumes no responsibility, and shall have no liability of any kind arising from supply or use of this publication or any material contained herein.
Company and product names are trademarks or registered trademarks of their
respective companies.
This device complies with Part 15 of the FCC Rules and Regulations. Operation is subject to the following two conditions:
• The device may not cause harmful interference.
• The device must withstand any interference received, including interference that may cause undesired operation.
The Access Point router has been tested and found to comply with the limits for a Class A digital device pursuant to Part 15 of the FCC Rules and Regulations. These limits are designed to provide reasonable protection against harmful interference when this equipment is operated in a commercial environment. This equipment generates, uses, and can radiate radio-frequency energy and, if not installed and used in accordance with the instruction manual, may cause harmful interference to radio and television communications. Operation of this equipment in a residential area is likely to cause interference, in which case the user will be required to correct the interference at his or her own expense.
Access Point QVPN Builder User Guide III
Important - Please Read
Shielded cables must be used with this unit to ensure compliance with the FCC
Class A limits.
PREFACE

The Access Point™ IP Services family comprises a set of bridging routers with advanced bandwidth management and VPN server capabilities. The Access Point QVPN Builder™ application lets you manage and monitor a virtual private network of Access Point systems. This guide explains how to install, configure, and manage the Access Point QVPN Builder application. Chapter titles and their subject areas are outlined below.

Chapter  Title                            Areas Treated
1        Product Overview                 Provides an overview of the Access Point QVPN Builder application
2        Installing the QVPN Builder      Provides information about installing Access Point QVPN Builder
3        Getting Started With Builder     Provides general information about the Builder graphical user interface, application-wide tasks, and associated applications
4        Managing VPNs                    Explains how to configure IPSEC tunnels using VPN definitions
5        Managing QoS/Firewall Policies   Explains how to set firewall rules and QoS policies
6        Managing NAT                     Explains how to configure the Network Address Translator (NAT)
7        Advanced Features of Builder     Provides information about preferences, logging, and user profiles for Builder
Audience

The Access Point product is a bridging router with advanced bandwidth management and VPN capabilities. Configuring any IP routing engine requires considerable experience with routers, hubs, bridges, and other networking devices. In particular, Lucent Technologies assumes that persons installing, configuring, and managing the Access Point product have several years of networking experience.

The Access Point QVPN Builder application lets you configure and manage virtual private networks from a central management station. Builder is flexible enough to provision the security profiles, firewall rules, and Quality of Service policies for small or large VPNs.
Conventions
This guide uses the following conventions.
• Bold indicates items that you select from the Builder application.
• Italics indicate commands.
• A vertical bar | between elements indicates that you must choose one of them.
• Square brackets [ ] indicate optional elements.
• Parentheses ( ) contain a group from which you make a selection.
• Angle brackets < > contain an element that you specify, such as a name or an address.
• Ellipses ... following a component, subcomponent, or parameter indicate that it can be repeated.
SAFETY SYMBOLS
The following safety symbols are used to call attention to certain topics. To
avoid equipment damage or possible injury, please devote special attention to
these areas and follow all applicable procedures and warnings.
WARNING:  This symbol calls attention to issues or practices that could cause serious injury to yourself or others if safety precautions are disregarded.
CAUTION:  This symbol calls attention to issues or practices that could damage the equipment or cause loss of data if you disregard the required safety precautions.
Contacting Lucent Support

For questions or problems with the Access Point QVPN Builder application or the Access Point router, refer to this manual or to the Lucent Worldwide Services Web site at:
http://www.lucent.com/networkcare
If you are not able to find the help you need, contact Lucent Technologies Inc. at one of the following locations:
1  PRODUCT OVERVIEW

The Access Point QVPN Builder™ application (Builder) lets you manage and monitor a virtual private network consisting of Access Point systems (APs). This application lets you:
As use of the Internet for business-class applications continues to grow, so has the importance of virtual private networks (VPNs). VPNs use a combination of encryption, authentication, and tunneling techniques to create secure pathways, or tunnels, between geographically separated hosts over a public network infrastructure. Moreover, with the increasing flow of data over costly infrastructure, bandwidth management and firewalling capabilities are essential to classify and schedule IP traffic. Setting up secure tunnels and managing bandwidth and firewalls to protect business communications among widely dispersed sites can be time-consuming and costly.
The Access Point QVPN Builder application is a powerful tool that lets you create and deploy VPNs easily from a central management station. While most VPNs must be configured on a host-by-host basis, Builder enables VPNs to be defined at a single location and exported to defined sets of hosts (Access Point systems) without network disruptions. Builder also lets you incorporate firewall and Quality of Service (QoS) parameters as part of a VPN definition, allowing you to rate-limit and shape traffic flowing over tunnels. Thus, you get the benefits of IP QoS integrated within a remotely managed tunnel framework, or QVPN.
2  INSTALLING THE QVPN BUILDER

This section provides general information about installing the Access Point QVPN Builder application (Builder) and performing initial startup tasks. Read through the installation and initial startup sections to determine specific requirements for those tasks.

Before installing or using Builder, make sure the Access Point systems (APs) are configured and reachable through SNMP. Otherwise, Builder will not be able to configure these systems. You must configure the AP with Access Point version 2.2.1 or later software beforehand (including SNMP access and routing information) so that Builder can connect to each AP to perform its tasks. Because Builder configures the APs over SNMP, the SNMP access you grant it is management access to every AP: restrict which hosts may reach the APs' SNMP agents to the Builder station (and its clients) rather than opening SNMP to the whole network.
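A quick way to confirm that each AP actually answers SNMP before Builder is pointed at it is to send a single SNMPv1 GET for sysDescr.0 and decode the reply. The script below is an added example, not part of the Lucent manual or product. It assumes SNMPv1 on UDP port 161 (the guide names neither the SNMP version nor the port the APs use), and the hostnames and community string are placeholders. It also makes the security point concrete: in SNMPv1 the community string is the only credential and it crosses the wire in the clear, which is why SNMP reachability to the APs should be limited to the management station.

```python
"""Added example: SNMPv1 GET of sysDescr.0 against each AP, using only the
standard library (the BER/ASN.1 encoding is done by hand so nothing beyond
python is needed).  Assumes SNMPv1 on UDP/161; the manual does not say which
SNMP version the APs speak, so adjust if your APs require v2c."""
import socket
import sys

SYS_DESCR = "1.3.6.1.2.1.1.1.0"   # MIB-II sysDescr.0 (RFC 1213)


def _length(n):
    """BER length octets: short form below 128, long form above."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, content):
    return bytes([tag]) + _length(len(content)) + content


def _int(n):
    # Minimal two's-complement encoding, as BER requires for INTEGER.
    return _tlv(0x02, n.to_bytes(n.bit_length() // 8 + 1, "big", signed=True))


def _oid(dotted):
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([40 * arcs[0] + arcs[1]])   # first two arcs share one octet
    for arc in arcs[2:]:
        chunk = bytearray([arc & 0x7F])
        arc >>= 7
        while arc:   # base-128, continuation bit set on all but the last octet
            chunk.insert(0, 0x80 | (arc & 0x7F))
            arc >>= 7
        out += chunk
    return _tlv(0x06, bytes(out))


def build_get_request(community, oid=SYS_DESCR, request_id=1):
    """SNMPv1 Message { version 0, community, GetRequest-PDU } per RFC 1157."""
    varbinds = _tlv(0x30, _tlv(0x30, _oid(oid) + b"\x05\x00"))   # value = NULL
    pdu = _tlv(0xA0, _int(request_id) + _int(0) + _int(0) + varbinds)
    return _tlv(0x30, _int(0) + _tlv(0x04, community.encode()) + pdu)


def _read_tlv(buf, pos):
    """Return (tag, content, position after the element)."""
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:
        n = length & 0x7F
        length, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + length], pos + length


def parse_get_response(data):
    """Return (request_id, error_status, value) from a GetResponse message.
    value is bytes for an OCTET STRING, int for an INTEGER, None otherwise."""
    _, msg, _ = _read_tlv(data, 0)
    _, version, pos = _read_tlv(msg, 0)
    if version != b"\x00":
        raise ValueError("not an SNMPv1 message")
    _, _community, pos = _read_tlv(msg, pos)
    tag, pdu, _ = _read_tlv(msg, pos)
    if tag != 0xA2:
        raise ValueError("not a GetResponse-PDU (tag 0x%02x)" % tag)
    _, rid, pos = _read_tlv(pdu, 0)
    _, err, pos = _read_tlv(pdu, pos)
    _, _idx, pos = _read_tlv(pdu, pos)
    _, vbl, _ = _read_tlv(pdu, pos)
    _, vb, _ = _read_tlv(vbl, 0)
    _, _oid_octets, pos = _read_tlv(vb, 0)
    vtag, vval, _ = _read_tlv(vb, pos)
    value = vval if vtag == 0x04 else (
        int.from_bytes(vval, "big", signed=True) if vtag == 0x02 else None)
    return (int.from_bytes(rid, "big", signed=True),
            int.from_bytes(err, "big", signed=True), value)


def snmp_get(host, community, oid=SYS_DESCR, timeout=3.0, port=161):
    """One GET over UDP; returns the value, or None on timeout/error/mismatch."""
    req_id = 0x1234
    with socket.socket(socket.AF_INET, socket.SOCK_DGRAM) as s:
        s.settimeout(timeout)
        s.sendto(build_get_request(community, oid, req_id), (host, port))
        try:
            data, _ = s.recvfrom(4096)
        except socket.timeout:
            return None
    rid, err, value = parse_get_response(data)
    return value if rid == req_id and err == 0 else None


# Constructed sample reply (not captured from a real AP): request-id 1,
# noError, sysDescr.0 = "Lucent Access Point".  Used to exercise the parser.
SAMPLE_RESPONSE = _tlv(0x30, _int(0) + _tlv(0x04, b"public") + _tlv(
    0xA2, _int(1) + _int(0) + _int(0) + _tlv(0x30, _tlv(
        0x30, _oid(SYS_DESCR) + _tlv(0x04, b"Lucent Access Point")))))


if __name__ == "__main__":
    # usage: python snmp_check.py <community> <ap-host> [<ap-host> ...]
    community, hosts = sys.argv[1], sys.argv[2:]
    for host in hosts:
        descr = snmp_get(host, community)
        print("%-20s %s" % (host, "no SNMP reply" if descr is None
                                  else descr.decode("ascii", "replace")))
```

Run it from the host that will run Builder (or the client/server daemon), with the same community string you gave the APs; an AP that does not answer here will not be configurable from Builder either. Because the request is a GET with a NULL value, a read-only community is enough for the check.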
Builder has two versions: standalone and client/server.
The standalone version has these features:
• Installs on a single system
• Supports up to 250 QVPN nodes per VPN (the number of VPNs is limited only by disk space)
The client/server version has these features:
• Installs on a single server or on many clients of the central server
• Supports up to 800 QVPN nodes per VPN (the number of VPNs is limited only by disk space)
Installing Builder
This section describes how to install either the standalone or the client/server version of Builder on Solaris or Windows NT systems. You will find instructions for installing Builder from both a CD-ROM and an executable file. Refer to one of the following sections to install Builder.
• "Installing the Standalone Version on Solaris Systems" on Page 6
• "Installing the Client/Server Version on Solaris Systems" on Page 9
• "Installing the Standalone Version on Windows NT Systems" on Page 13
• "Installing the Client/Server Version on Windows NT Systems" on Page 14
INSTALLING THE STANDALONE VERSION ON SOLARIS SYSTEMS
Builder runs on a Sun SPARC workstation with these system requirements:
• Solaris 2.6 operating system
• The JDK patches for Solaris SPARC 2.6 (5.6) with these patch IDs:
To download the patches, start at http://www.sun.com/solaris/java and follow the links to download the JDK; the patches are available on the same page as the JDK. Follow the instructions to load the patch from the README.sparc file.
• 100 MB disk, 256 MB RAM (standalone version)
INSTALLING THE STANDALONE VERSION ON SOLARIS SYSTEMS FROM A CD-ROM
Builder is distributed on a CD-ROM. LUxavs, the standalone version of the Builder application, comes as a directory package that is ready for installation. The following procedure describes how to install Builder:
1 Make sure you are logged on as a superuser (root).
2 To install Builder, enter the following command:
The installation asks if you want to create the installation directory if it doesn't already exist.
4 Next, the installation asks if you want to run the included scripts as root. Answer "y".
5 You'll be asked additional questions about how you want to configure Builder. After you've answered all the questions, the installation begins.
6 After the installation completes, you can check if the package is installed or retrieve additional package information by entering the following command:
pkginfo -l -R <installed-package-path> LUxavs
To remove the Builder installation from the system, enter the following command:
pkgrm -R <installed-package-path> LUxavs
NOTE  Be sure to use the pkgrm command to delete the installation, so files are removed in an orderly manner. Solaris systems provide man pages for the various package commands just mentioned.
7 After Builder is installed, you can go to the installation directory where you will find the AccessView subdirectory. The QVPNBuilder script is located in the bin subdirectory. You can include the path to Builder in your shell initialization file. You can also create a soft link to Builder using the ln -s command.
Start Builder with the following command:
> QVPNBuilder
NOTE  You must not be logged on as the superuser when starting the application.
INSTALLING THE STANDALONE VERSION ON SOLARIS SYSTEMS FROM AN EXECUTABLE FILE
To install the standalone version of Builder from an executable file, complete the following steps:
1 Make sure you are logged on as a superuser (root).
2 Copy the xavs2_4_R001.bin program to the appropriate directory. Because the installer runs with root privilege, use only the file from the Lucent distribution media.
3 Use the chmod +x command (specifying your program file) to change the privileges so you can execute the program.
4 Use the ./xavs2_4_R001.bin command to install the program.
You are asked if you want to configure the QVPN Request Config daemon to start at system boot as part of the installation procedure. If you reply with yes, then the necessary boot script files are created and the installation procedure asks if you want to start the QVPN Request Config daemon immediately. If you reply with yes, the Config daemon is started immediately. If you reply with no, you can start the daemon at any time with the QVPNRequestConfigDaemon command. Refer to "Using the QVPN Request Config Daemon" on Page 32 for more information.
You will see output similar to the following:
You will see output simila r to the following:
Installing Lucent Technologies Access Point QVPN Builder Client/Server version: 2.4.B002 02-27-2001...
Checking for available space...
Unpacking...
Checksumming...
0
0
Extracting...
Done.
Shutting down the ObjectStore Server in /AV2.4/AccessView/odi/ostore on host psara.
Shutting down the ObjectStore Cache Manager in /AV2.4/AccessView/odi/ostore on host psara.
Shutting down Cache Manager process
010321 140658.168 ObjectStore Release 6.0 Service Pack 4 Database Server
The ObjectStore server is running.
Successfully created /etc/rc2.d/S80ostore4.
Successfully created link from /etc/rc2.d/K80ostore4
to /etc/rc2.d/S80ostore4.
This script will now verify the installation:
The ObjectStore Server daemon process is accessible.
Schema databases are accessible.
The cache manager launcher (/AV2.4/AccessView/odi/ostore/lib/oscminit6)
has correct modes and ownership.
ObjectStore configuration completed.
Do you wish to evolve existing databases ? [yes] no
QVPNBuilder setup ...
Lucent Access Point QVPN Builder configuration completed.
QVPNRequestConfigDaemon setup ...
Do you want the QVPNRequestConfigDaemon configured to start at system boot ? [yes]
Successfully created /etc/rc2.d/S90rcd.
Successfully created link from /etc/rc2.d/K90rcd
to /etc/rc2.d/S90rcd.
Do you want to start the QVPNRequestConfigDaemon now ? [yes]
Lucent Access Point QVPN Builder 2.4.B002 02-27-2001 Installation Complete:
To start the QVPN Builder application run /AV2.4/AccessView/bin/QVPNBuilder
To start the Tunnel Status application run /AV2.4/AccessView/bin/TunnelStatus
To start the Traffic Status application run /AV2.4/AccessView/bin/TrafficStatus
To control the Request Config Daemon use the "/etc/rc2.d/S90rcd <start|stop>" command
Note that the Tunnel Status and Traffic Status applications were installed and can be run. Refer to "Using the Traffic Status and Tunnel Status Applications" on Page 29 for more information.
5 You can include the path to Builder in your shell initialization file. You can also create a soft link to Builder using the ln -s command. The Builder executable file is located in the directory where you installed the application.
After installing Builder, you can start up the application with this command:
> QVPNBuilder
NOTE  You must not be logged on as the superuser when starting the application.
To uninstall the application, execute this command as the superuser:
# ./uninstall
This procedure keeps the AccessView directories for upgrade purposes. To completely remove the application, delete the AccessView directory.
INSTALLING THE CLIENT/SERVER VERSION ON SOLARIS SYSTEMS
Builder runs on a Sun SPARC workstation with these system requirements:
• Solaris 2.6 operating system
• The JDK patches for Solaris SPARC 2.6 (5.6) with these patch IDs:
To download the patches, start at http://www.sun.com/solaris/java and follow the links to download the JDK; the patches are available on the same page as the JDK. Follow the instructions to load the patch from the README.sparc file.
• 200 MB disk, 256 MB RAM (client/server version)
NOTE  If you already have Builder V2.1 installed on your system, it is recommended that you install V2.4 directly over it without uninstalling the V2.1 software to ensure that the existing databases are evolved properly. If you install Builder V2.4 in a different directory than the one in which V2.1 was installed, see Page 18 for information about how to evolve the existing databases manually.
INSTALLING THE CLIENT/SERVER VERSION ON SOLARIS SYSTEMS FROM A CD-ROM
Builder is distributed on a CD-ROM. LUxavd, the database (client/server) version of the Builder application, comes as a directory package that is ready for installation. The following procedure describes how to install Builder:
1 Make sure you are logged on as a superuser (root).
2 To install Builder, enter the following command:
Do you want to install these as setuid/setgid files [y,n,?,q]
This is the standard pkgadd warning that the package contains files to be installed setuid or setgid; review the files it lists before answering, because they will run with elevated privilege.
4 The installation asks if you want to create the installation directory if it doesn't already exist.
5 Next, the installation asks if you want to run the included scripts as root. Answer "y".
6 You'll be asked additional questions about how you want to configure Builder, including whether you want to install as a client or a server. After you've answered all the questions, the installation begins.
7 After the installation completes, you can check if the package is installed or retrieve additional package information by entering the following command:
pkginfo -l -R <installed-package-path> LUxavd
To remove the Builder installation from the system, enter the following command:
pkgrm -R <installed-package-path> LUxavd
NOTE  Be sure to use the pkgrm command to delete the installation, so files are removed in an orderly manner. Solaris systems provide man pages for the various package commands just mentioned.
8 After Builder is installed, you can go to the installation directory where you will find the AccessView subdirectory. The QVPNBuilder script is located in the bin subdirectory. You can include the path to Builder in your shell initialization file. You can also create a soft link to Builder using the ln -s command.
Start Builder with the following command:
> QVPNBuilder
NOTE  You must not be logged on as the superuser when starting the application.
INSTALLING THE CLIENT/SERVER VERSION ON SOLARIS SYSTEMS FROM AN EXECUTABLE FILE
To install the client/server version of Builder from an executable file, complete the following steps:
NOTE  Builder cannot be installed in an NFS mounted partition.
1 Make sure you are logged on as a superuser.
2 Copy the xavd2_4_R001.bin program to the appropriate directory.
3 Use the chmod +x command (specifying your program file) to change the privileges so you can execute the program.
4 Use the ./xavd2_4_R001.bin command to install the application as a server or as a client.
To install the application as a server, use the -s option.
To install the application as a client, use the -c option.
If you install the application as a client, you are asked to provide the name of the server and the full pathname for the master database. This information can be found in the DatabaseInfo.txt file located in the AccessView installation directory of your database server. If your client is using a Windows NT server, you must specify the full pathname using escape characters. To represent a colon (:), a space, or a backslash (\), place a backslash (\) in front of these special characters. For example, to represent the full pathname of the master database in the default database directory on a Windows NT server, enter:
To represent the full pathname of the master database in the default database directory on a Solaris server, enter:
/usr/AccessView/db/AccessViewMaster.db
The rest of the installation is the same for either the server or the client.
You are asked if you want to configure the QVPN Request Config daemon to start at system boot as part of the installation procedure. If you reply with yes, then the necessary boot script files are created and the installation procedure asks if you want to start the QVPN Request Config daemon immediately. If you reply with yes, the Config daemon is started immediately. If you reply with no, you can start the daemon at any time with the QVPNRequestConfigDaemon command.
NOTE  The QVPNRequestConfigDaemon uses port 161. If another application or service (such as snmpdx) is using port 161, the QVPNRequestConfigDaemon might not start at system boot. Before installing, confirm that nothing else on the host is bound to port 161.
Refer to "Using the QVPN Request Config Daemon" on Page 32 for more information.
Note that the Tunnel Status and Traffic Status applications were installed and can be run. Refer to "Using the Traffic Status and Tunnel Status Applications" on Page 29 for more information.
5 You can include the path to Builder in your shell initialization file. You can also create a soft link to Builder using the ln -s command. The Builder executable file is located in the directory where you installed the application.
After installing Builder, you can start up the application with this command:
> QVPNBuilder
NOTE  You must not be logged on as the superuser when starting the application.
To uninstall the application, execute this command as the superuser:
# ./uninstall
This procedure keeps the AccessView directories for upgrade purposes. To completely remove the application, delete the AccessView directory.
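The escaping rule in step 4 (a backslash in front of every colon, space and backslash when the master database lives on a Windows NT server) is easy to get wrong by hand on a long path. The following added example, which is not from the manual or the product, builds the pathname in the naming convention of either server type and checks that the escaping round-trips; the installation directories used in it are placeholders, so substitute the db directory recorded in DatabaseInfo.txt on your server.

```python
"""Added example: build the master-database pathname a Solaris client types at
the installer prompt, escaping ':', ' ' and '\\' when the server is Windows NT."""

SPECIAL = ":\\ "          # characters the installer wants backslash-escaped
MASTER_DB = "AccessViewMaster.db"


def escape_nt_path(path):
    """Prefix every colon, space and backslash with a backslash."""
    return "".join("\\" + ch if ch in SPECIAL else ch for ch in path)


def unescape_nt_path(escaped):
    """Inverse of escape_nt_path; used to verify a hand-typed spec."""
    out, chars = [], iter(escaped)
    for ch in chars:
        if ch == "\\":
            ch = next(chars, "")    # the escaped character follows the backslash
        out.append(ch)
    return "".join(out)


def master_db_spec(server_db_dir, on_nt):
    """Full pathname of AccessViewMaster.db in the server's own naming
    convention: escaped backslash form for an NT server, plain slashes for
    a Solaris server."""
    sep = "\\" if on_nt else "/"
    path = server_db_dir.rstrip("\\/") + sep + MASTER_DB
    return escape_nt_path(path) if on_nt else path


if __name__ == "__main__":
    # Placeholder directories; substitute the db directory from DatabaseInfo.txt.
    print(master_db_spec("/usr/AccessView/db", on_nt=False))
    print(master_db_spec(r"C:\Program Files\Lucent\AccessView\db", on_nt=True))
```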
INSTALLING THE STANDALONE VERSION ON WINDOWS NT SYSTEMS
Builder runs on PCs with these system requirements:
• Windows NT 4.0 (Service Pack 5 or greater) operating system
• 400 MHz system with 50 MB disk, 128 MB RAM (standalone version)
Builder requires Java Runtime Environment version 1.2.2 software. If this software is not already on your system, the installation procedure lets you add it.
INSTALLING THE STANDALONE VERSION ON WINDOWS NT FROM A CD-ROM
Builder is distributed on a CD-ROM. The following procedure describes how to install Builder.
1 Insert the CD into your CD-ROM drive.
2 Double click on the CD-ROM drive icon.
3 Double click on the Setup.exe file.
If you have a previous version of Builder installed, the installation procedure asks if you want to remove it. After the previous installation is removed, double click on the Setup.exe file to restart the installation.
4 Follow the instructions on the screen.
INSTALLING THE STANDALONE VERSION ON WINDOWS NT FROM AN EXECUTABLE FILE
To install Builder from an executable file, complete the following steps:
1 Close down all Windows programs.
2 In Windows Explorer, double-click on the self-extracting executable program (xavs_2.4.R001.exe) and follow the InstallShield prompts.
By default, Builder is installed in the C:\Program Files\Lucent\AccessView directory.
3 Optionally, the icons for the applications can be placed on your desktop.
Start up the application by clicking on the icon on your desktop (if available) or selecting Start → Programs → Lucent Access Point → QVPN Builder.
To uninstall the application, select Start → Settings → Control Panel → Add/Remove Programs. Select AccessView from the list and click Add/Remove. This procedure keeps the AccessView directories for upgrade purposes. To completely remove the application, delete the AccessView folder.
INSTALLING THE CLIENT/SERVER VERSION ON WINDOWS NT SYSTEMS
Builder runs on PCs with these system requirements:
• Windows NT 4.0 (Service Pack 5 or greater) operating system
• 400 MHz system with 270 MB disk, 256 MB RAM (client/server version)
Builder requires Java Runtime Environment version 1.2.2 software. If this software is not already on your system, the installation procedure lets you add it.
NOTE  The installation requires 270 MB of disk space, including 180 MB in your system's TEMP directory. Make sure you have enough disk space, especially if your TEMP and installation directories are on the same disk. After installation, the system requires at least 100 MB to run the application. Remember that the number of VPNs depends on available disk space.
INSTALLING THE CLIENT/SERVER VERSION ON WINDOWS NT FROM A CD-ROM
Builder is distributed on a CD-ROM. The following procedure describes how to install Builder.
1 Insert the CD into your CD-ROM drive.
2 Double click on the CD-ROM drive icon.
3 Double click on the Setup.exe file.
If you have a previous version of Builder installed, the installation procedure asks if you want to remove it. After the previous installation is removed, double click on the Setup.exe file to restart the installation.
4 Follow the instructions on the screen.
INSTALLING THE CLIENT/SERVER VERSION ON WINDOWS NT FROM AN EXECUTABLE FILE
If you have previously installed Builder, complete the following before installing a new version of the application:
1 Uninstall Builder (existing databases will remain after the uninstall)
2 Uninstall ObjectStore
Now you can reinstall Builder.
To install Builder from an executable file, complete the following steps:
1 Make sure you are logged on as an administrator.
2 Close down all Windows programs.
3 In Windows Explorer, double-click on the self-extracting executable program (xavd_2.4.R001.exe) and follow the InstallShield prompts.
Install the application as a server or as a client by selecting the Object Database Server (default) or Object Database Client radio button. If you install the application as a client, you are asked to provide the name of the server and the full pathname for the master database. If you install the application as a client and you intend to communicate with a UNIX database server, you must set up access to the UNIX database server as described in "Accessing UNIX Server Databases From Windows NT Client Systems" on Page 19.
The installation procedure requests a destination path for Object Database Installation. The default installation destination path is C:\ODI.
By default, Builder is installed in the C:\Program Files\Lucent\AccessView directory. The C:\Program Files\Lucent\AccessView\db directory is the default database destination path. Remember the destination path, as you must use it when starting up the application.
Optionally, the icons for the applications can be placed on your desktop.
4 You must reboot after the installation.
Start up the application by clicking on the icon on your desktop (if available) or selecting Start → Programs → Lucent Access Point → QVPN Builder.
NOTE  To uninstall the client/server version, you must uninstall the application (by selecting Start → Settings → Control Panel → Add/Remove Programs) before you uninstall the ObjectStore software. Uninstall the ObjectStore software by selecting Start → Programs → ObjectStore Win32 → ObjectStore Uninstall. This procedure keeps the AccessView directories for upgrade purposes. To completely remove the application, delete the AccessView folder.
Initial Startup Tasks
When you start up the application, the QVPN Builder Login window shown in Figure 1 appears.
Figure 1 QVPN Builder Login Screen
Before anyone else can use Builder:
• The user root must log in with the initial account information.
• The user root should modify the root account's password. The user root can also create other user profiles.
LOGGING IN FOR THE FIRST TIME
To log in, you must enter the following information for the initial account:
• Username — root
• Password — lucent
This initial account (root) is the only user set up with superuser privilege. Once logged in, the user root must change the root password: until it is changed, anyone who knows this documented default has superuser access to Builder. The user root can also create other user profiles to provide additional access to Builder. See "Managing User Profiles" on Page 130 for more information about what functions can be performed by users with different privileges.
LOGGING IN FOR THE FIRST TIME AS A CLIENT
If you are logging in as a client and you did not enter the database information, you will not see the initial login screen (Figure 1) until you enter the information in the Specify the database server parameters window.
You must enter the following information:
• Database Server — the database server to which you want to connect. Specify the IP address or the host name of the database server.
• Database Name — the database name. The database name is the file specification for the AccessViewMaster.db file (located in the db directory). If you have installed the application on a Solaris system or on the Windows NT server, then the db directory is located in the directory where you installed the application. Specify this file using the naming convention of the server to which you are connecting.
For a PC with the application installed in the default directory:
For a PC using the c:\AccessView installation directory:
c:\AccessView\db\AccessViewMaster.db
For a Solaris system using the /lucent installation directory:
/lucent/AccessView/db/AccessViewMaster.db
EVOLVING VERSION 2.1 AND 2.3 DATABASES
For Solaris systems, if you already have Builder V2.1 or V2.3 installed on your system, first do a full deployment to all APs with V2.1 or V2.3. Then install V2.4 directly over V2.1 or V2.3 without uninstalling the software. This automatically evolves the existing databases properly. Now, do a full deployment of V2.4.
If you install Builder V2.4 in a different directory on the Solaris system than the one in which V2.1 or V2.3 was installed, you should evolve the existing databases manually with the following procedure before using them in V2.4 of Builder.
For an NT system, you can evolve a V2.1 or V2.3 database to a V2.4 database manually with the following procedure.
1 Copy all the VPN databases from the 2.1 or 2.3 directory to the 2.4 installation database directory.
NOTE  If you have already created VPN databases in V2.4 of Builder, make sure you do not have conflicting file names before you copy the files, because the new files will be overwritten by those being copied. Do not copy the AccessViewMaster database (AccessViewMaster.db) if you have already used V2.4 to create rule sets. To copy the existing rule sets from V2.1 or V2.3, export the rule sets from Builder V2.1 or V2.3 and import them into V2.4. (See Page 85 for information about exporting and importing rule sets.)
2 Change directory to the AccessView database directory located under the directory where you installed Builder using this command:
cd <dir>/AccessView/db
3 Manually run the evolve process on all of the copied databases using this command:
For a Solaris system:
../bin/EvolveDatabase <database name>
For an NT system:
..\bin\EvolveDatabase.bat <database name>
NOTE  When you open the VPN databases for the first time after evolving them, you must know the file name and enter it manually because they will not be listed in the VPN Open dialog box.
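The copy-then-evolve procedure above has two ways to lose data: a copied file silently replaces a same-named database already created in V2.4, and copying AccessViewMaster.db clobbers V2.4 rule sets. The following script is an added example, not part of the Lucent product. It refuses to copy anything when any name already exists in the target directory, skips the master database, and then runs EvolveDatabase from the db directory exactly as step 3 does (the `../bin/EvolveDatabase` path and the `.bat` variant on NT are taken from the procedure; everything else is this example's own). `demo()` rehearses the flow on constructed files in a temporary directory with a stub standing in for EvolveDatabase, including a name clash.

```python
"""Added example: stage V2.1/V2.3 VPN databases into a V2.4 db directory and
run EvolveDatabase on each, enforcing the two cautions in the procedure:
never overwrite a database already created in V2.4, and never copy
AccessViewMaster.db (rule sets move by export/import instead)."""
import os
import shutil
import subprocess
import sys
import tempfile

MASTER_DB = "AccessViewMaster.db"


def copy_vpn_databases(old_db_dir, new_db_dir):
    """Copy every *.db except the master database into new_db_dir.
    Returns (copied, skipped).  Refuses to copy anything if any name already
    exists in new_db_dir, so a clash never silently replaces V2.4 data."""
    names = sorted(n for n in os.listdir(old_db_dir) if n.endswith(".db"))
    skipped = [n for n in names if n == MASTER_DB]
    to_copy = [n for n in names if n != MASTER_DB]
    clashes = [n for n in to_copy if os.path.exists(os.path.join(new_db_dir, n))]
    if clashes:
        raise FileExistsError("already present in %s: %s"
                              % (new_db_dir, ", ".join(clashes)))
    for name in to_copy:
        shutil.copy2(os.path.join(old_db_dir, name), os.path.join(new_db_dir, name))
    return to_copy, skipped


def evolve_databases(new_db_dir, names, runner=subprocess.run):
    """Run ../bin/EvolveDatabase (EvolveDatabase.bat on NT) from the db
    directory on each named database, as step 3 of the procedure does.
    Returns {name: exit status}."""
    tool = "EvolveDatabase.bat" if os.name == "nt" else "EvolveDatabase"
    cmd = os.path.join(os.pardir, "bin", tool)
    return {name: runner([cmd, name], cwd=new_db_dir).returncode for name in names}


def demo():
    """Rehearse the flow in a temp directory with constructed files and a stub
    runner (there is no Builder install here), including a name clash."""
    calls = []

    class _Done:                      # stand-in for subprocess.CompletedProcess
        returncode = 0

    def stub_runner(cmd, cwd):
        calls.append((os.path.basename(cmd[0]), cmd[1]))
        return _Done()

    with tempfile.TemporaryDirectory() as root:
        old = os.path.join(root, "v23", "AccessView", "db")
        new = os.path.join(root, "v24", "AccessView", "db")
        os.makedirs(old)
        os.makedirs(new)
        for name in ("branch.db", "hq.db", MASTER_DB, "notes.txt"):
            with open(os.path.join(old, name), "wb") as f:
                f.write(b"constructed sample, not a real database")
        with open(os.path.join(new, "hq.db"), "wb") as f:   # already created in V2.4
            f.write(b"v2.4 data that must survive")
        try:
            copy_vpn_databases(old, new)
            clash_detected = False
        except FileExistsError:
            clash_detected = True
        # Resolve the clash on the old side (operator's choice), then retry.
        os.rename(os.path.join(old, "hq.db"), os.path.join(old, "hq-v23.db"))
        copied, skipped = copy_vpn_databases(old, new)
        evolved = evolve_databases(new, copied, runner=stub_runner)
        with open(os.path.join(new, "hq.db"), "rb") as f:
            v24_intact = f.read() == b"v2.4 data that must survive"
    return {"clash_detected": clash_detected, "copied": copied, "skipped": skipped,
            "evolved": evolved, "calls": calls, "v24_intact": v24_intact}


if __name__ == "__main__":
    # usage: python evolve_vpn_dbs.py <old>/AccessView/db <new>/AccessView/db
    if len(sys.argv) != 3:
        print(demo())
    else:
        copied, skipped = copy_vpn_databases(sys.argv[1], sys.argv[2])
        print("skipped:", skipped)
        print("evolved:", evolve_databases(sys.argv[2], copied))
```

Run it with the old and new db directories as arguments after the V2.4 install; a non-zero exit status in the printed dictionary means EvolveDatabase failed for that file, and the note above still applies: the evolved databases must be opened by file name the first time.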
ACCESSING UNIX SERVER DATABASES FROM WINDOWS NT CLIENT SYSTEMS
If you are using the client/server version and you want to access a UNIX database from a Windows NT system, you must use the Windows NT registry editor (REGEDT32 utility) to set up RPC authentication. Follow these steps to use RPC authentication:
1 Determine your UNIX user ID (UID) and group ID (GID) using the id command on your UNIX system.
2 Run the registry editor on your Windows NT system.
3 Set up the following variables:
Set the values for UNIX.UID and UNIX.GID to the values you found in step 1.
Note that in this scheme the NT client asserts its own UID and GID; any NT host that can reach the database server and sets the same registry values gets the same access, so the database server should be reachable only from trusted management hosts.
SETTING UP THE QVPN REQUEST CONFIG DAEMON TO ACCESS UNIX DATABASES
To set up the QVPN Request Config daemon service on Windows NT systems to access UNIX databases, follow these steps:
1 With User Manager, create a local NT account, specifying your machine name as the domain name and the user who exists on your UNIX database server as a local account. Use a dedicated account for this purpose rather than an administrator account, since the service will run with that account's rights.
2 Add the UID and GID to the registry. See "Accessing UNIX Server Databases From Windows NT Client Systems" on Page 19.
3 From the Start menu, select Settings → Control Panel → Services. In the Services window, select QVPN Request Config Daemon and click the Startup button. In the Log On As section of the Service window, select the This Account radio button and click the button to the right of this field to reconfigure the QVPN Request Config daemon service to run as the user created in step 1. In the Add User window, select your machine name from the List Names From drop-down list and the user created in step 1. Click OK to return to the Service window. Click OK to return to the Services window. Click Close to complete the procedure.
4 Activate the service by rebooting the PC. If you have already rebooted the PC, click the Start button in the Services window to activate the service.
GETTING STARTED WITH BUILDER
This section describes the Access Point QVPN Builder application (Builder) graphical user interface. It also provides information about application-wide tasks and associated applications. The following sections provide this information:
• About the Builder Window
• Getting Detailed Help Information
• Configuring SNMP Access Settings
• Managing Access Point Systems
• Using the Traffic Status and Tunnel Status Applications
ABOUT THE BUILDER WINDOW
The Builder window (shown in Figure 2) appears when you start the application and lets you specify the properties for the VPN and its APs. The Definition View comprises three frames:
• Tree frame, which displays the VPN and AP relationship.
• Configuration and Deployment frame, which displays configured and deployed data.
• Log frame, which displays log messages.
Figure 2 QVPN Builder Definition View Window (screen shot labelled: Tree Frame, Configuration and Deployment Frame, Log Frame, Message Area, Expand Frame Arrows)
Note that if you make any changes to the properties, an asterisk appears next to the modified item in the Tree frame. Once you save the VPN definition, the asterisk disappears.
THE TREE FRAME
The Tree frame shows the relationship between the VPN and Access Point in a tree format. You can expand or collapse the tree at any time. The root of the tree (the global VPN) contains four children: VPN, Qos/Firewall, NAT, and APs. VPN, Qos/Firewall, and NAT are configuration types and appear as folders. The folders represent collections of properties that allow you to globally configure the VPN. There can be multiple APs within a VPN. Each AP also contains the same three types of configurations — VPN, Qos/Firewall, and NAT. Changes made at AP level pertain to that AP only. Before you can perform many actions from the toolbar or main menu, you need to select an item in the Tree frame. For the global VPN, APs, and configuration types you can use the right mouse button menu for some tasks. These same menu items are also available in the main menu.
THE CONFIGURATION AND DEPLOYMENT TABS
Each property folder has configuration and deployment tabs. The Configuration tab displays data that reflects the item selected in the Tree frame. You can edit the information displayed in the Configuration frame. When you make a change in the frame, the Apply button is enabled. Any edits you make, however, do not take effect until you click the Apply button.
THE DEPLOYMENT TAB
The Deployment tab provides details about the tunnels that will be generated.
As with the Configuration tab, the Deployment tab reflects the item selected in
the tree frame. The Deployment tab shows what actions will be taken when the
APs are configured according to the properties you’ve selected.
THE LOG FRAME
The Log frame displays log messages generated by certain events, including
changes, deployments, and deployment failures.
You can clear or purge (erase from disk) the log. For more information, see
“Configuring Logging” on Page 129.
Table 1 describes the tool bar buttons in the Definition View window.
Table 1. Definition View Tool Bar Buttons
Button | Description
Create a new VPN | Creates a new VPN definition. Same as File → New.
Open an existing VPN | Opens a VPN definition that you choose from the dialog box. Same as File → Open.
Remove the current VPN | Removes the open VPN definition. Same as File → Remove.
Save the current VPN | Saves the open VPN definition. Same as File → Save.
Clear current entries from log table display | Clears the Log table display. Same as Edit → Log → Clear.
Delete all log entries from database and clear display | Clears the database and the Log table display. Same as Edit → Log → Purge.
Apply All Configs to All APs, or Apply VPN, QoS/Firewall, and/or NAT to all or selected APs | Same as Device → Apply → Apply Configuration popup.
Query VPN and/or QoS/Firewall, based on selected APs | Same as Device → Query → Query Configuration popup.
Display Rule Set Editor | Brings up the QoS/Firewall Rule Set Editor. Same as Tools → Rule Set Editor....
View tunnel status | Brings up the Tunnel Status application. Same as Tools → Status Applications → Tunnel Status.
View traffic status | Brings up the Traffic Status application. Same as Tools → Status Applications → Traffic Status.
Launch telnet session to current selected AP | Same as Tools → Telnet.
Launch browser application of current selected AP | Same as Tools → Browser.
Launch SSH session to current selected AP | Same as Tools →
Display program information, version number and copyright | Displays program, version number, and copyright information.
CONFIGURING SNMP ACCESS SETTINGS
Builder does not perform general AP router configuration. The APs must be configured and reachable by means of SNMP for Builder to configure QVPN tunnels, QoS/firewall, and NAT. The SNMP access settings for the connected AP and Builder must match so that Builder can communicate with each AP.
With the root VPN selected, select Edit → SNMP Properties to specify how Builder should set up SNMP access for the APs added to the VPN definition.
For the AP, select Edit → SNMP Properties to make changes to the SNMP access information.
The SNMP Properties Dialog lets you configure SNMP parameters for each of the following SNMP operations:
• Config — used when applying a configuration
• Query — used when making queries
• SLA Polling — used by the poller application. These SNMP parameters are exported to a text file when you select Tools → Export → Probe List.
The different operations provide flexibility, allowing more security, such as SNMPv3 and encryption, when applying configurations, and allowing faster access, using SNMPv2 and no encryption, when making queries.
By default, the Use same parameters for all SNMP operations checkbox is checked. When checked, the same parameters are used for all three operations. If you uncheck the Use same parameters for all SNMP operations checkbox, the drop-down list is enabled, and lets you specify individual parameters for each of the three operations.
You can specify the SNMP version as V2 (for simple SNMP access) or V3 (for secure SNMP access). If you are using either SNMPv2 or SNMPv3, you should specify the Community/user name.
If you are using SNMPv3, you can specify the authentication protocol (NONE, MD5, or SHA) and its password. You can also specify the type of encryption (NONE or DES) and its privacy password. Note that if you have specified a type of encryption, you must also specify an authentication protocol (not NONE) and its password.
When you have finished configuring SNMP, click on the ( ) button to the right of the IP Address field to test that SNMP access works with the specified settings.
Refer to the Access Point Configuration Guide for more information about configuring SNMPv3.
MANAGING ACCESS POINT SYSTEMS
You can add, modify, and remove APs for VPNs, QoS/Firewalls, and NAT using Builder.
ADDING ACCESS POINT SYSTEMS
To add an Access Point system (AP) to the VPN definition, select Edit → Add AccessPoint and change any settings in the Access Point Properties frame as necessary. After making the necessary changes, verify the configuration and deploy it so that the AP receives the updated configuration.
MODIFYING ACCESS POINT SYSTEMS
Modify the Access Point entries in the VPN definition frame by selecting the AP in the Tree frame and making the changes in the Access Point Properties frame.
REMOVING ACCESS POINT SYSTEMS
Remove an AP from a VPN definition by selecting the AP in the Tree frame and selecting Edit → Remove AccessPoint. The AP is removed from the VPN definition frame.
USING THE TRAFFIC STATUS AND TUNNEL STATUS APPLICATIONS
As part of Builder, you can use the Traffic Status and Tunnel Status applications. To use either application, select the AP for which you want to display this status information and select the Traffic Status tool bar button ( ) or Tunnel Status tool bar button ( ) on the Definition View screen.
These applications can also be installed as standalone applications.
On Solaris systems, they are installed in the same directory as Builder. You can include the path to Builder in your shell initialization file. You can create a soft link to the applications using these commands:
> ln -s /<installation directory>/AccessView/bin/TunnelStatus
On Windows NT systems, you can install the standalone applications with their own display icons on the desktop. Click on the Lucent Traffic Status icon on your desktop or select Start → Programs → Lucent Access Point → Traffic Status to start up the Traffic Status application. Click on the Lucent Tunnel Status icon on your desktop or select Start → Programs → Lucent Access Point → Tunnel Status to start up the Tunnel Status application.
If you start up either application as standalone, then you must enter the appropriate information for your AP in the Enter the Host Name dialog box.
TRAFFIC STATUS APPLICATION
The Traffic Status application displays:
• A graphical representation of the CBQ tree running on the AP
• A pie chart showing the bandwidth allocated to each class as a percentage of its parent (when you have selected the Allocated tab)
• Bar charts showing the actual bandwidth usage by selected classes (when you have selected the Equalizer tab)
The Traffic Status application also lets you change the bandwidth for a particular class. To change the bandwidth:
1 Select the class and then the Bandwidth field.
2 Enter the bandwidth (for example, 100 Kbps or 10 Mbps) and press the Return key to make your change.
Note that the change is not permanent. The bandwidth changes only for the session.
TUNNEL STATUS APPLICATION
The Tunnel Status application displays:
• A graphical representation of the tunnels running on the AP
• Summary information about the selected tunnel or interface (when you have selected the Summary tab)
• Bar charts showing the traffic rates on selected tunnels (when you have
USING THE QVPN REQUEST CONFIG DAEMON
Designed to be used with Builder, the QVPN Request Config daemon (Config daemon) allows an AP to request its own configuration (VPN, QoS/firewall, and NAT) from Builder. The AP can request only information that is configured by Builder.
If you are using the standalone version, the Config daemon runs on the same machine as Builder. If you are using the client/server version, the Config daemon runs on the same machine as the ObjectStore server or client.
The Config daemon receives requests via SNMP from the AP for its configuration information based on its router address. Once the Config daemon receives the request, it looks up the VPN definitions associated with this AP in the master database on the ObjectStore server (client/server version) or in Builder’s database directory (standalone version). The Config daemon opens each associated VPN definition and sends the configuration information to the AP that originated the request.
STARTING UP THE DAEMON
The Config daemon is installed during the Builder installation.
On Windows NT sy stems, the Confi g daemon is star ted automatical ly. You can
verify that it is started by checking the Status for the QVPN Request Config
Daemon entry in the Services dialog box in the Control Panel.
On Solaris systems, you are asked if you want to configure the Config daemon to start at system boot as part of the installation procedure. If you reply with yes, the necessary script files are created to perform this operation. If you reply with no, you can start the Config daemon at any time by typing the QVPNRequestConfigDaemon command at the system prompt.
NOTE: The QVPNRequestConfigDaemon uses port 161. If another application or service (such as snmpdx) is using port 161, the QVPNRequestConfigDaemon might not start at system boot.
USING THE DAEMON
To use the Config daemon on the AP to request its configuration from Builder, follow these steps:
1 Using Builder, configure the VPN definition to include the AP that will use the Config daemon to request its configuration.
Make sure the VPN’s configuration method is set to accept configuration requests from APs.
Make sure that the AP’s configuration method is Requested in the Access Point Properties frame.
NOTE: You must close the VPN definition before using the daemon from the AP to request a configuration.
2 Using the CLI, issue the following command from the AP to request the configuration:
qvpn_BuilderConfigRequest <IP address> private
Replace <IP address> with the IP address of the daemon (usually the same machine running the ODI server).
For help about the qvpn_BuilderConfigRequest command, use the qvpn_BuilderConfigRequest help command.
SHUTTING DOWN THE DAEMON
On Windows NT systems, you can shut down the Config daemon by selecting
the QVPN Request Config Daemon entry in the Services dialog box in the
Control Panel and clicking the Stop button.
On Solaris systems, shut down the Config daemon by entering the following
command on the machine running the daemon (where <dir> is the directory
where Builder was installed):
<dir>/AccessView/bin/remotecommand config shutdown
VERIFYING DAEMON OPERATION
If you want to verify the actions of the Config daemon, display the log file
located in the installation directory.
On Solaris systems, use this command:
tail -f ConfigDaemon.log
On Windows NT systems, use either of these commands:
type ConfigDaemon.log
more ConfigDaemon.log
CHANGING THE SNMP COMMUNITY NAME FOR THE DAEMON
You can change the SNMP Community name for the Config daemon as follows:
Change the line to pass in a -user option with the Community name you want. In this example, community-name is a variable representing the string you enter.
If you need to troubleshoot the daemon, you can enter the following help command for a list of additional commands that provide more information about
the daemon.
bin/remotecommand help
The following table lists the daemon commands and provides a description:
Command | Description
show version | Shows the current version of the daemon
show debug | Shows the debug mode
show database | Shows the database path where the daemon looks for VPNs
show snmp | Shows the daemon’s SNMP configuration
show log | Shows the daemon’s log
show clients | Shows the daemon’s remote command clients at present
show stats | Shows the daemon’s current statistics
config shutdown | Shuts down the daemon
config debug | Sets debug mode. Debug mode can be one of
MANAGING VPNS
The Access Point QVPN Builder application (Builder) reduces the complexity of deploying large-scale virtual private networks (VPNs) by enabling you to centrally define tunnel configurations and policies. Instead of manually configuring each site, Builder centralizes policy management tasks, reducing the time and cost needed to set up a VPN. Once policies are established as part of a VPN definition, Builder securely distributes the configuration to the Access Point systems (APs) that make up that VPN.
Builder has an easy-to-use interface that lets you quickly configure tunnels using VPN definitions. These VPN definitions are files that contain QVPN tunnel configuration information for the entire VPN and the individual APs, including:
• VPN and AP properties
• Probe settings
You can create, delete, open, and save these files. All users can display VPN definitions, but users must have read-write privilege to add, modify, or delete VPN definitions.
CREATING OR MODIFYING VPN DEFINITIONS
This section describes how to create or change VPN settings for the VPN and Access Point properties. It also describes how to add and remove APs from your VPN configuration.
When you start Builder, the Tree and Configuration and Deployment frames appear as shown below:
You’ll need to provide information for the following fields in the VPN General Properties frame of the Configuration tab:
Field | Description
QVPN Name | Replace New VPN with the name. This name is an identifier used by the application. It is not used by the AP.
Config Method | Specify how the configuration is deployed to the APs; by the Builder, the AP, or Mixed. By default, the Builder pushes out the configuration to the APs. If you select Mixed as the configuration method, select the appropriate APs and change their configuration methods. See “Selecting the Configuration Method” on Page 38.
SELECTING THE CONFIGURATION METHOD
You specify how the configuration is deployed to the APs by changing the
Config Method field in the VPN Properties frame. The possible values are:
• Builder Push (default) — The Builder pushes out the configuration to all the APs when requested.
• AccessPoint Request — The AP must request the configuration using the QVPN Builder Configuration daemon. See “Using the QVPN Request Config Daemon” on Page 32.
• Mixed — The configuration method must be selected for each AP.
If you have chosen the Mixed configuration method for the VPN, you must select the configuration method for each AP (unless you accept the default) by following these steps:
1 Select the AP for which you want to specify a configuration method to display its Access Point Properties frame.
2 Select the appropriate method from the Config Method drop-down list.
Builder (default) indicates that the Builder pushes out the configuration to the AP when requested.
Requested indicates that the AP will request the configuration using the QVPN Builder Configuration daemon. See “Using the QVPN Request Config Daemon” on Page 32.
3 Click Apply.
CHANGING VPN SETTINGS FOR THE VPN
When defining the VPN settings for the VPN properties, consider your VPN’s:
• Probe Poller ID
• Security profile
• Use of wildcard tunnels (When setting up large VPNs, wildcards allow you to quickly configure large numbers of tunnels.)
• Use of routing protocols for unnumbered interfaces
• IKE authentication method
• Type
• Use of SLA Probes without tunnels or in a probe-only setting
On the Tree frame, click on VPN to display the VPN Properties frame.
The following table describes the fields in the VPN Properties frame:
Field | Description
Poller ID | A user-definable option for future expansion.
Security Profile | Specify the security profile (default-strong is the default value). The security profile is the security specification for the entire VPN. Use one of the supplied default profiles or create a new one. See “Managing Security Profiles” on Page 58 for more information.
Use Wildcard Tunnels | If this selection is not checked, a tunnel is created from each subnet on this AP to each subnet on the other APs. In this case, the AP itself will create static routes for the tunnels. If this selection is checked, the application will create a single (wildcarded) tunnel between each AP and static routes for each subnet specified in the AP. This provides a means of quickly scaling to a large VPN.
Use Dynamic Routing | If this selection is checked, you can turn on RIP and OSPF routing protocols for the unnumbered interfaces of the tunnels.
IKE Auth Method | Specify the IKE authentication method for tunnel
VPN Type | Display the VPN topology. By default, a full mesh topology is created. If you want to create a hub-and-spoke topology, select the AP you want to use as the hub and change the HUB Type in the Access Point Properties frame. See “Configuring Hub-and-Spoke VPN Types” on Page 41.
Probe Only VPN | If checked, only the SLA Probes for the VPN are created when deploying the configuration to the APs.
VPN SETTINGS FOR THE ACCESS POINT SYSTEMS
For the AP, click on the VPN folder to display the Access Point Properties frame. When defining the VPN settings for the APs, you must specify the following fields:
Field | Description
Router Address | The IP and router addresses are often the same. Builder automatically fills in the router address field (if left blank) with the IP address you entered in the Edit SNMP Properties Dialog when you added the AP to the VPN.
HUB Type | See “Configuring Hub-and-Spoke VPN Types” on Page 41 for more information.
Route Cost | Route cost is applicable both to full mesh and hub-and-spoke topologies. For full mesh topologies, you can accept the default cost or configure an AP as a backup node. To configure a primary or secondary (backup) hub, see “Configuring Hub-and-Spoke VPN Types” on Page 41 for more information.
IKE Keep Alive Update | See “Configuring IKE Keepalive Update” on Page 42 for more information.
Security Profile | Specify the security profile (default-strong is the default value).
Subnets | Subnets indicate the networks that reside as protected VPN endpoints on this AP.
CONFIGURING HUB-AND-SPOKE VPN TYPES
By default, the VPN type is a full mesh topology as shown in the VPN Properties frame. To create a hub-and-spoke topology:
1 Select the AP that you want to use as the hub to display its Access Point Properties frame.
2 Select Primary or Secondary from the HUB Type drop-down list.
Primary sets the AP as the primary hub. Routes to the primary hub are created with a cost of 50.
Secondary sets the AP as the backup hub. Routes to the secondary hub are created with a higher cost of 60 so that the routes to the primary hub are used first.
To use load balancing, set both hubs to be the same type (either primary or secondary).
Tunnels will be created between each AP designated as a hub and every other AP that is not a hub.
NOTE: If you want to reset the VPN topology to full mesh, change the HUB Type field to Not a Hub.
3 Click Apply.
CONFIGURING IKE KEEPALIVE UPDATE
The IKE Keepalive update determines whether a remote gateway is reachable by sending update messages to it at regular (configurable) intervals. When a response is not received after a specified number of updates, Keepalive assumes the gateway is unreachable. In this event, Keepalive places its IPSec subinterface in a down and then a testing state, and attempts to reestablish a tunnel connection.
You can specify how often Keepalive update messages are sent. By default, Keepalive update messages are sent every 10 seconds as shown in the Access Point Properties frame.
To change the frequency:
1 Select the AP for which you want to change the frequency to display its Access Point Properties frame.
2 Change the IKE Keep Alive Update field.
When Keepalive is enabled, the possible values are 10 - 3600 (1 hour).
A value of 0 (zero) disables Keepalive.
3 Click Apply.
CHANGING PROBE SET TINGS
The AP has the ability to send proprietary probe packets. For more information about probes, see the Access Point Configuration Guide. You can specify whether the APs respond to Probes and configure Probe parameters. By default, the device (AP) manages probes and Builder does nothing.
For the root VPN, expand VPN and select Probe to specify Probe settings for the APs that you add to VPN definitions.
The following table explains the interaction of the checkboxes in the Probes Properties frame:
Field | Description
Device Manages Probes | When checked, the AP creates probes for all APs to which it has tunnels. If unchecked, the APs create no probes.
Builder Manages Probes | When checked (and Device Manages Probes is unchecked), Builder manages probes. When used in conjunction with the Create Probe On Remote APs checkbox, Builder can configure probes for specific devices. If unchecked, Builder will not create any more probes and removes any probes it previously created.
Create Probe On Remote APs | If checked here and checked on remote APs, Builder can create a probe for each remote AP on this AP.
In order to delete all probes from the device using Builder, uncheck the Device Manages Probes and Builder Manages Probes checkboxes in the Probe Properties for that device in Builder and deploy to that device. Any previously created probes are removed.
After configuring your settings, you can apply the changes to either all APs or to selected APs by selecting the appropriate button for Apply Parameters To... as shown below.
If you click on the Selected AP(s) button, the AccessPoints Dialog appears which allows you to select the APs to which you want to apply the probe settings.
For the AP you want, expand VPN and select Probe to make changes to the Probe settings.
The Override Default Backlog? checkbox is for future expansion.
SAVING THE VPN DEFINITION
To save the VPN definition to the database, select File → Save As... or File → Save.
SAVING THE VPN DEFINITION WITH THE STANDALONE VERSION
When using the standalone version, the Save VPN As... dialog window shown here appears.
Enter the name of the file to which you want to save the VPN definition and click on the Save button.
SAVING THE VPN DEFINITION WITH THE CLIENT/SERVER VERSION
When using the client/server version, if you select File → Save to save the VPN definition and the VPN name is unique, the VPN definition is saved without any prompts.
If the VPN name is not unique or you select File → Save As..., the Save As window shown at right appears to prompt you for a name. Enter the name of the VPN definition and click OK.
OPENING VPN DEFINITIONS
To open a specific VPN definition, select File → Open.
If you want to use VPN definitions that were created with Version 1.1, refer to “Importing VPN Definitions From Version 1.1” on Page 53.
OPENING THE VPN DEFINITION WITH THE STANDALONE VERSION
When using the standalone version, the Choose the VPN to be opened dialog window shown here appears.
Select the VPN definition you want to open and click Open to open the VPN definition. You can now modify the VPN or APs for this VPN definition.
OPENING THE VPN DEFINITION WITH THE CLIENT/SERVER VERSION
When using the client/server version, the VPN Open dialog box shown at right appears.
Select the VPN name you want to use from the list of VPN names and click on the Open button. You can also open a VPN definition according to its file name by entering the file name (for example, vpn30.db) in the database name field below the VPN name list. You can now modify the VPN or APs for this VPN definition. Note that the file must reside in the server’s database (db) directory.
ACCESSING LOCKED FILES
If the application was not shut down properly or if another user is actively using the same VPN definition, the Steal the lock? pop-up window shown here appears.
NOTE: You should steal the lock only if the application was not shut down properly. If someone else is actively using the VPN definition, you should only open the VPN definition in read-only mode. Stealing the lock while someone is using the VPN definition can corrupt the definition.
REMOVING VPN DEFINITIONS
To remove a specific VPN definition, choose the appropriate method for the standalone or client/server version.
REMOVING THE VPN DEFINITION WITH THE STANDALONE VERSION
When using the standalone version, to remove VPN definitions:
1 Open the VPN definition or select the VPN definition you want to remove from the Most Recently Used drop-down list. This drop-down list (found above the tool bar) displays the last 10 VPN definitions.
2 Select File → Remove to delete the selected VPN.
3 Confirm that you really want to remove the VPN. The VPN is removed from the drop-down list and from the database/log (db) directory.
REMOVING THE VPN DEFINITION WITH THE CLIENT/SERVER VERSION
When using the client/server version, to remove VPN definitions:
1 Select File → Remove to display the VPN Open dialog box.
2 Select the VPN name you want to remove and click Remove.
3 Confirm that you really want to remove the VPN. Once confirmed, you cannot cancel the operation. The VPN is removed from the drop-down list and from the database/log (db) directory.
USING VPN DEFINITIONS
To export the Probe list for a VPN definition to a text file, select Tools → Export → Probe List to display the Choose the export file name window where you can specify the export path for the Probe list file.
By default, the export file is placed in the export directory.
IMPORTING VPN DATA FILES
You can import VPN data text files for VPN definitions. To import this data, select Tools → Import → VPN Text File. You create these text files using the format described in the next section.
FORMATTING VPN DATA FILES
When creating a VPN data file, follow these general formatting guidelines:
• Empty lines are allowed between lines or definition blocks.
• A pound sign (#) precedes comment lines.
• A space is allowed between commas or keywords.
• If the field is empty, the word none must be included as the value.
• Each line that includes fields must start with one of these case-sensitive keywords:
- VPN to indicate the VPN’s definition block
- SNMP to indicate the SNMP properties for the VPN or AP
- ACCESSPOINT to indicate the AP’s definition block
- SUBNET to indicate the AP’s subnets
The following lines display the four keywords and their fields. The field values must be specified in the order shown.
# VPN, QVPN name, VPN ID, Use Wildcard Tunnels
# SNMP, SNMP Version, Community/User, Auth Protocol, Auth Password,
# Encryption, Private Password, Retries, Timeout, Port
# ACCESSPOINT, IP Address, AP Name, Router Address
# SUBNET, IP Address, Mask
Follow these steps when creating the VPN data file:
1 The first line in the VPN data file that is not a comment line must start with the VPN keyword. Each VPN data file can contain only one VPN line.
The QVPN name field in the VPN line can be more than one word.
2 The next line must start with the SNMP or ACCESSPOINT keyword.
If the next line is not the SNMP line, then the VPN uses the default SNMP access parameters. Otherwise, these rules apply to the fields in the SNMP line:
- The SNMP Version field must be v2 or v3. These values are case-sensitive.
- The Community/User, Auth Password, and Private Password fields can be more than one word.
- The Auth Protocol field must be md5, sha, or none. These values are case-sensitive.
- The Encryption field must be des or none. These values are case-sensitive.
Any lines containing the ACCESSPOINT keyword indicate the start of the AP definition block.
- The AP name field in the ACCESSPOINT line can be more than one word.
- The IP Address and Router Address fields must be in the IP address format (X.X.X.X).
3 The next line following an ACCESSPOINT line must start with the SNMP or SUBNET keyword.
The order is not important, but only one SNMP line is allowed within each AP definition block. There can be many SUBNET lines within each AP definition block.
If there is no SNMP line, then the AP uses the default SNMP access parameters specified for the VPN.
If you are specifying SUBNET lines, the IP Address and Mask fields must be in the IP address format (X.X.X.X).
NOTE
If you import a text file with definitions for one or more APs and they are not preceded by a VPN definition block, the AP definitions are appended to the VPN that is open in Builder. If you try to import AP definitions and there is no VPN open in Builder, you will receive an error.
# More AccessPoint definitions
# ACCESSPOINT,198.202.232.127,AP Two,none -> When router addr
# specified as "none", router addr will use AP’s IP addr
ACCESSPOINT,198.202.232.127,AP Two,10.200.1.196
SNMP,v3,swnm,none,none,none,none,2,5,161
SUBNET,20.1.1.0,255.255.255.0
SUBNET,20.1.2.0,255.255.255.0
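The following Python parser is an added example and is not Lucent's importer; it enforces the formatting rules listed above (keyword case, the v2/v3, md5/sha/none and des/none values, one VPN line, one SNMP line per AP block, X.X.X.X addresses, and the "none" router address defaulting to the AP's own address). The VPN line and the AP One block in the embedded sample are constructed; the AP Two block is the one shown in the guide, and open_vpn is an assumed stand-in for the VPN currently open in Builder.

```python
import ipaddress

# Rules from the "Formatting VPN Data Files" section. Keywords are case-sensitive.
KEYWORDS = ("VPN", "SNMP", "ACCESSPOINT", "SUBNET")
SNMP_FIELDS = ("version", "community_user", "auth_protocol", "auth_password",
               "encryption", "private_password", "retries", "timeout", "port")


class VpnFileError(ValueError):
    """A line breaks a format rule; the message names the line number."""


def _check_ip(value, what, lineno):
    try:
        ipaddress.IPv4Address(value)
    except ipaddress.AddressValueError:
        raise VpnFileError(f"line {lineno}: {what} must be X.X.X.X, got {value!r}") from None


def _parse_snmp(fields, lineno):
    if len(fields) != 1 + len(SNMP_FIELDS):
        raise VpnFileError(f"line {lineno}: SNMP line needs {len(SNMP_FIELDS)} fields")
    snmp = dict(zip(SNMP_FIELDS, fields[1:]))
    # Enumerated values are case-sensitive: "V3" or "MD5" is rejected, not folded.
    if snmp["version"] not in ("v2", "v3"):
        raise VpnFileError(f"line {lineno}: SNMP Version must be v2 or v3")
    if snmp["auth_protocol"] not in ("md5", "sha", "none"):
        raise VpnFileError(f"line {lineno}: Auth Protocol must be md5, sha, or none")
    if snmp["encryption"] not in ("des", "none"):
        raise VpnFileError(f"line {lineno}: Encryption must be des or none")
    return snmp


def parse_vpn_file(text, open_vpn=None):
    """Return {'vpn': ..., 'snmp': ..., 'aps': [...]} or raise VpnFileError.

    open_vpn stands in for the VPN currently open in Builder: a file holding
    only AP blocks is appended to it, and is an error when it is None.
    """
    result = {"vpn": open_vpn, "snmp": None, "aps": []}
    seen_vpn = False
    ap = None                       # AP definition block currently being filled
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                # blank and comment lines may appear anywhere
        fields = [f.strip() for f in line.split(",")]   # spaces around commas are allowed
        keyword = fields[0]
        if keyword not in KEYWORDS:
            raise VpnFileError(f"line {lineno}: unknown keyword {keyword!r}")
        if keyword == "VPN":
            if seen_vpn or result["aps"]:
                raise VpnFileError(f"line {lineno}: VPN must be the first non-comment line, once")
            if len(fields) != 4:
                raise VpnFileError(f"line {lineno}: VPN needs QVPN name, VPN ID, Use Wildcard Tunnels")
            result["vpn"] = {"name": fields[1], "id": fields[2], "wildcard": fields[3]}
            seen_vpn = True
        elif keyword == "SNMP":
            snmp = _parse_snmp(fields, lineno)
            target = result if ap is None else ap   # VPN-level defaults or this AP block
            if (ap is None and not seen_vpn) or target["snmp"] is not None:
                raise VpnFileError(f"line {lineno}: SNMP must follow the VPN or ACCESSPOINT line, once")
            target["snmp"] = snmp
        elif keyword == "ACCESSPOINT":
            if not seen_vpn and open_vpn is None:
                raise VpnFileError(f"line {lineno}: AP block without a VPN block and no VPN open")
            if len(fields) != 4:
                raise VpnFileError(f"line {lineno}: ACCESSPOINT needs IP Address, AP Name, Router Address")
            ip, name, router = fields[1:]
            _check_ip(ip, "IP Address", lineno)
            if router == "none":
                router = ip         # "none" means the router address is the AP's own address
            else:
                _check_ip(router, "Router Address", lineno)
            ap = {"ip": ip, "name": name, "router": router, "snmp": None, "subnets": []}
            result["aps"].append(ap)
        else:                       # SUBNET
            if ap is None:
                raise VpnFileError(f"line {lineno}: SUBNET must follow an ACCESSPOINT line")
            _check_ip(fields[1], "IP Address", lineno)
            _check_ip(fields[2], "Mask", lineno)
            ap["subnets"].append((fields[1], fields[2]))
    return result


def vpn_file_error(text, open_vpn=None):
    """First format error as a string, or None when the file is valid."""
    try:
        parse_vpn_file(text, open_vpn)
    except VpnFileError as exc:
        return str(exc)
    return None


# Constructed sample: the VPN line and AP One are invented; AP Two is the guide's block.
SAMPLE_VPN_FILE = """\
VPN, Branch Mesh, 100, yes
SNMP,v2,public,none,none,none,none,2,5,161
ACCESSPOINT,198.202.232.126,AP One,none
SUBNET,10.1.1.0,255.255.255.0
# More AccessPoint definitions
ACCESSPOINT,198.202.232.127,AP Two,10.200.1.196
SNMP,v3,swnm,none,none,none,none,2,5,161
SUBNET,20.1.1.0,255.255.255.0
SUBNET,20.1.2.0,255.255.255.0
"""
```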
Click on the Deployment tabs for VPN and AP configuration types to view the configuration that will be deployed to the APs. Refer to Page 54 for more information about the VPN Deployment table.
To apply the configuration shown in the VPN Deployment table, select Device → Apply (or use the seventh tool bar button from the left). When the Apply Configuration popup appears, adjust the selections if necessary and click on the Start button.
You also have the option of applying all configurations to all APs by selecting All Configurations. Click on the Start button when you are finished. If you have not saved the VPN definition yet, the application prompts you to do so before applying the configuration.
When you apply the VPN configuration to APs, Builder performs these actions:
• Gets version information.
• Gets the VPN Deployment table, the IPSec interface table, and the security profile table.
• Sets any security profiles used by this VPN, but does not remove the defaults of other existing security profiles that might be used by other VPNs going through this AP.
• Creates and configures all necessary IPSec interfaces. Note that key values for shared keys are configured each time this step is done because shared keys are not readable from the AP (for security reasons).
• Removes all tunnels that are marked as remove in the VPN Deployment table.
• Creates all tunnels or modifies the tunnels in the tunnel list.
If any one of the above actions fails, the apply aborts. Note, however, that part of the configuration might have been applied before the failure occurred.
To apply the VPN configuration to selected APs, select the APs in the Tree frame, select Device → Apply, and in the Apply Configuration popup that appears, adjust the selections if necessary, and click on the Start button.
The application displays information about these tunnels using Deployment tables. By selecting an item in the Tree and then clicking on the Deployment tab in the Configuration and Deployment frame, you can obtain status and configuration information about VPNs.
You can sort the VPN Deployment table in ascending or descending order for a specific field by selecting the header for the field you want. The sorting toggles between ascending and descending order each time you click on the field’s header.
VPN STATISTICS
Selecting the VPN root and then clicking on the Deployment tab displays the following information:
• AP Name — the AP name
• Type — full mesh or hub
• VPN Update — when the VPN configuration was deployed
• CBQ Update — when CBQ configuration was deployed
• NAT Update — when NAT configuration was deployed
• Last Request — time of the last configuration request from the Config daemon
The window resembles the following display:
VPN OR AP SUMMARY INFORMATION
Selecting VPN at the VPN root or an AP and then clicking on the Deployment tab provides access to summary information about Tunnels, Routes, IPSec Interfaces, and Probes.
The window resembles the following display:
TUNNEL, ROUTE, AND IPSEC INTERFACE INFORMATION
Selecting VPN for an AP and then clicking on the Deployment tab provides three views — Tunnels, Routes, and IPSec Interfaces:
The Tunnels tab displays the following information:
• State — the tunnel’s current configuration state (Add — to be added, Current — deployed, Remove — to be removed)
• C — configuration
• Q — query
• Tunnel Name — the tunnel name
• Remote AP — IP address of the remote gateway
• Mode — the tunnel’s mode (Enabled or Disabled)
• Security Profile — the tunnel’s security profile, which is determined by the weakest profile of the participating APs
You can select any tunnel with a mouse click to highlight the row.
The Tunnels tab resembles the following display:
The Routes tab displays the following information:
• State — the route’s current configuration state (Add — to be added, Current — deployed, Remove — to be removed)
• C — configuration
• Destination — IP address of the remote gateway
• Mask — address mask
• Cost — route cost
• Router Address — IP address of the local or remote gateway
The Routes tab resembles the following display:
The IPSec Interfaces tab displays the following information:
• State — IPSec’s current configuration state (Add — to be added, Current — deployed, Remove — to be removed)
• C — configuration
• Remote Gateway — IP address of the remote gateway
The IPSec Interfaces tab resembles the following display:
You can sort VPN Deployment tables in ascending or descending order for a specific field by clicking on the header for the field you want to sort. The sorting toggles between ascending and descending order each time you click on the field’s header.
If you have read-write privilege, you can add, modify, or delete other security profiles.
ADDING SECURITY PROFILES
To add security profiles:
1 Select Edit → Security Profiles to display the Security Profile Dialog window.
2 Click Add to add the new security profile.
3 Select <New Security Profile> from the Profile List as shown here.
4 Replace <New Security Profile> with the correct name in the Profile Parameters section and set the other parameters as appropriate.
5 Click Apply to add the security profile.
6 Repeat steps 2 through 5 for each additional profile.
7 Click Done when you have finished adding profiles.
MODIFYING SECURITY PROFILES
To modify security profiles:
1 Select Edit → Security Profiles to display the Security Profile Dialog window.
2 Select the profile from the Profile list.
3 Make any changes in the Profile Parameters section.
4 Click Apply to modify the profile.
5 Repeat steps 2 and 3 for each additional profile.
6 Click Done when you have finished modifying profiles.
DELETING SECURITY PROFILES
To delete security profiles:
1 Select Edit → Security Profiles to display the Security Profile Dialog window.
2 Click on the profile in the Profile List that you want to delete and click Remove to delete the profile.
3 Repeat step 2 for each additional profile.
4 Click Done when you have finished deleting profiles.
The Access Point system (AP) uses CBQ to provide firewall and QoS services by classifying and scheduling how traffic flows through the AP. Traffic is classified by matching it against criteria configured for the interface. Traffic is scheduled by assigning it some portion of available bandwidth. In some cases, you might allow traffic to borrow additional bandwidth or you might deny bandwidth based on availability. The goal is to provide a guaranteed level of service to certain traffic classes. In addition, firewalls can be set up to drop specified traffic classes. In effect, the QoS and firewall policies you establish provide the complementary benefits of bandwidth management and a higher level of security.
The Access Point QVPN Builder application (Builder) lets you set firewall rules and QoS policies for an interface from a centralized location when you configure your tunnels (see Chapter 4). As part of your VPN definition, you can associate specific rule sets for a VPN or an AP. You define generic rule sets for the VPN nodes. Each rule in the rule set can have classification and application parameters. You set parameter values to provide specific values for each AP in the VPN. Each rule set and its parameters specify the QoS and firewall policy for a particular AP.
Each rule has these capabilities:
• Defines parameters for firewall or QoS services.
• Prioritizes itself by its order of appearance in the rule set’s hierarchical list.
• Supplies values for the parameters from the rule set or the Access Point properties.
The more specificity provided by the rule, the more secure the rule. You can create, modify, save, and delete rule sets.
With Builder, you can implement QoS or firewall policies in four steps:
1 Define the rule set that specifies QoS or firewall policies using the QoS/Firewall Rule Set Editor.
2 Associate the rule set with the VPN or AP.
3 Set parameter values for each AP.
4 Deploy the configuration to distribute the configuration to all or selected
Use the QoS/Firewall Rule Set Editor to create or modify a rule set. Figure 3 shows a sample window.
Figure 3 QoS/Firewall Rule Set Editor Window
Table 1 describes the tool bar buttons in the QoS/Firewall Rule Set Editor.
Table 1 QoS/Firewall Rule Set Editor Tool Bar Buttons
Button Description
Create a new rule set
Creates a new rule set. Same as File → New.
Open an existing rule set
Opens a rule set that you choose from the dialog box. Same as File → Open.
Save the active rule set
Saves the open rule set. Same as File → Save.
Set selected rule as a peer to current parent
Changes the execution order of the selected rule from a child to a peer of the current parent.
Set preceding peer as parent for selected rule
Changes the execution order of the selected rule to be a child to the preceding peer.
Move selected rule above a preceding peer
Changes the execution order of the selected rule to be before the preceding peer.
Move selected rule below a succeeding peer
Changes the execution order of the selected rule to be below the succeeding peer.
The QoS/Firewall Rule Set Editor fields are described in the following table:
Field Description
Seq
Indicates the execution order of the rule and the hierarchy in the rule set. For example, child rule 1.1.
Rule Hierarchy
Indicates the name of the rule in the form of a tree.
Src
Indicates the source of the traffic. Specify host ranges or domains if you want to be more specific about the traffic to allow or deny.
Dst
Indicates the destination of the traffic. Specify host ranges or domains if you want to be more specific about the traffic to allow or deny.
Service
Specifies service classification. Classify a service as stateful, stateless, ToS range, or datalink.
Interface
Indicates the interface(s) where CBQ classes are created. If the service classification is stateful, you can specify a stateful interface.
Action
Specifies the action to take for the selected traffic. You can deny, permit, limit, or shape traffic. These actions determine which tree (input or output) is used and, based upon this, which additional actions (such as forwarding policy or datalink marking) are allowed.
Comment
Indicates any comments for the associated rule.
DEFAULT TEMPLATE RULE SET DEFINITION AND MODIFICATION
When you select File → New in the Rule Set Editor, the current default template rule set is duplicated as the current rule set definition. The default template provides a set of rules that allow, at a minimum, management of the AP by means of SNMP, TELNET, or a web browser. Providing access to an AP by means of SNMP allows Builder to create Firewall/QoS classes with the Rule Set Editor. In addition, Builder must be able to manage an AP over a WAN, LAN, or VPN. By default, two rules (shown in Figure 3) are defined in the template:
1 allowAPMgmt — permits management access of the AP device. It has the
Note that allowAPMgmt uses an “or” operator which affects filtering.
2 APMgmt-default — default rule that denies all other traffic to and through the AP. It has the following flow definition:
• Bandwidth allocation: 0
• Bounded: true (any traffic not classified by rule 1 is filtered (denied))
NOTE
Remember that the “-default” suffix has special meaning when applied to a CBQ class on the AP (for more information about default classes, see the Access Point Configuration Guide).
NOTE
These rules do not provide a default firewall.
Both of these rules are applied to the APMgmt interface, which must be set in the definition of each AP to which this rule set is applied. If the AP will be accessed across a LAN or WAN connection, you’ll need to select the appropriate CBQ interface (see “Selecting or Editing Interface Parameters” on Page 73), so you don’t inadvertently prevent access to the AP during rule set configuration. VPN protocols are included in the default template, so an AP can be managed across a VPN tunnel. You can modify or delete the allowAPMgmt rule. However, when you attempt to edit it, Builder issues a warning and asks if you wish to proceed. You can modify or delete the APMgmt-default.
The best way to modify the behavior of the default template is to add child rules within the allowAPMgmt rule or to override the service classification parameters for this rule for a particular AP.
Inappropriate modifications can prevent access to the AP.
The default template does not ensure management access of
an AP through an intermediate AP when this template is
applied to both APs.
To add an additional level of security for management access, you can define a child rule with a source host address range that defines the IP addresses of systems that can legitimately manage the AP. To allow an AP to request its configuration, you also need to add a child rule with a destination host range that defines the IP address of the system running the Request Config daemon.
The previous example used child rules to modify the allowAPMgmt rule. An acceptable override might prevent certain types of management access. For instance, to deny browser access, you can override (see “Editing Service Parameters” on Page 70) the APMgmtServices service classification by removing http from the destination port ranges.
See “Modifying the Default New Rule Set” on Page 78 for details about how to edit/reset the default template.
If you would like to shape traffic without configuring a firewall, you can do so as follows:
1 Delete the default rule set template.
2 Add the following rule: APAllowShaping-default. Configure this rule before setting up additional rules, so you don’t inadvertently prevent access to the AP. Give the rule the following flow shape action:
• The parameters used to specify the desired QoS or firewall policies.
• The order in which to execute the rules.
After creating rule sets, you implement the QoS or firewall policies by specifying them as part of the VPN or AP definition.
To define a rule set:
1 Select Tools → Rule Set Editor... to bring up the QoS/Firewall Rule Set Editor. If you had selected a VPN or an AP, its rule set appears in the QoS/Firewall Rule Set Editor.
Refer to “Using the QoS/Firewall Rule Set Editor” on Page 62 for information about using the QoS/Firewall Rule Set Editor.
2 If you are defining a new rule set, select File → New to bring up the default new rule set shown in Figure 3.
If you are modifying an existing rule set, select File → Open in the QoS/Firewall Rule Set Editor to bring up the Open Rule Set Dialog box shown at right. Select the rule set you want to modify and click Open Rule Set.
3 Add or modify the rules in your rule set.
NOTE
If you are modifying a rule set for an AP, make sure you set parameter values so you can provide the correct values for a specific AP. Refer to “Setting Parameter Values” on Page 80 for more information.
4 Save the rule set by selecting File → Save As... or File → Save.
ADDING A RULE
When you add a rule, you must decide the execution order of the rule. You can add the rule as a child (Within), a preceding peer (Before), or a succeeding peer (After) to a selected rule.
To add a rule:
1 Select a rule and select Rule → Insert → (Within, Before, or After) to add the rule as a child, as a preceding peer, or as a succeeding peer for the selected rule.
2 Save the rule set by selecting File → Save As... or File → Save.
SPECIFYING PARAMETERS
The Classification parameters indicate the traffic flows affected by this rule. Specify the source (Src), destination (Dst), and service (Service) that the traffic must match.
The Apply parameters indicate where CBQ classes are created and the action to take for the selected traffic. That is, it defines the allowed actions for the specified interface — the LAN, the WAN, the DMZ (the demilitarized zone, or public network, between the corporate LAN and the WAN), and the VPN.
To specify the parameters for a particular rule:
1 Select the field in the rule for which you want to add or change the parameter.
2 Click on the right mouse button and make a choice from the pop-up menu.
For Classification parameters (Src, Dst, or Service), choose one of these options:
• Any as the parameter
• Select... to specify a parameter
• Edit... to add or change a parameter
For Apply parameters (Interface or Action), choose one of these options:
• A value as the parameter
• Edit... to add or change a parameter
NOTE
If a parameter doesn’t exist, first you need to create it. After you’ve created it, select the parameter to specify it in the rule. See “Editing Source or Destination Parameters” on Page 69 or “Editing Service Parameters” on Page 70 for information about creating parameters.
3 Save the rule set by selecting File → Save As... or File → Save.
The parameters you set for the rule set can be fairly generic, so when associating a rule set with an AP, remember to set the appropriate values for the AP as described in “Setting Parameter Values” on Page 80.
SELECTING CLASSIFICATION PARAMETERS
For Classification parameters, you can select the appropriate parameter for your rule. When you choose Select... from the pop-up menu, a dialog box appears for you to make a selection. The dialog box displays the Classification parameter, the rule for which you are making the selection, and the available selections. The Select Source Parameter dialog box is shown here.
Select the appropriate parameter for your rule and click OK to make your selection.
EDITING SOURCE OR DESTINATION PARAMETERS
When you choose Edit... from the pop-up menu for source or destination parameters, the Rule Source Definition Dialog or Rule Destination Definition Dialog appears. The Rule Source Definition Dialog is shown here.
A source or destination can be a range of hosts, a single host, or a domain. Add a new source or destination by specifying the name and the source or destination type (Host Range or Domain) from the drop-down list and clicking Add in the New Source/Destination section. Remove a selected source or destination by selecting the classification from the Source/Destination List and clicking Remove Selected in the New Source/Destination section. If the source or destination you want to remove is referenced in a rule, a warning is displayed.
Edit the source or destination by adding or removing selected source or destination types. Add a type by entering the type and clicking Add in the Source/Destination Edit section. Remove an application by selecting the type from the list and clicking Remove in the Source/Destination Edit section.
Click OK to make your changes.
NOTE
You can use an empty Source or Destination parameter as a placeholder to allow overrides for all or a subset of APs.
EDITING SERVICE PARAMETERS
When you choose Edit... from the pop-up menu for service parameters, the Rule Classification Dialog appears. Add a new service classification by specifying the name and the classification type (Stateful, Stateless, TOS Range, or Datalink) from the drop-down list and clicking Add in the New Classification section.
Stateful classification lets you create a single class for aggregating all possible port pairings for a service, making it easier to classify traffic for well-known services and to provide a firewall capability. Stateless classification requires exact matching for specified packet characteristics (addresses and protocols). TOS Range classification lets you classify traffic based on the ToS values used to implement Diff-Serv. Datalink classification lets you classify packets based on datalink information (such as priorities that you have set up for your VLAN traffic).
Remove a selected classification by selecting the item in the Classification List and clicking Remove Selected in the New Classification section.
Edit the classification by selecting the item in the Classification List and specifying the appropriate information on the right side of the dialog box.
For the Stateful classification type, in addition to making it easy to create a single class for aggregating all possible port pairings for a well-known service, you can statefully classify TCP and UDP applications. To do so, select the allTcp or allUdp type and click Add in the Stateful Classification Edit section.
To specify the port ranges for the applications, click Tcp/Udp Port Range... to display the Port Classification dialog box. You can select the application or port range from the Ports drop-down list. If you select port range, enter the range. Click Add Src or Add dest as appropriate in either case and click OK.
For the TOS Range classification type, add the ToS Range by filling in the Start and End fields (hex values that specify the start and end of the range of bit patterns that the AP will match against the masked area of IP packets) in the ToS Range Definition section. Fill in the Mask field (hex value that specifies the bits in the ToS byte of IP packets that will be read and matched against by the AP) in the ToS Mask Definition section. Click Apply.
For the Datalink classification type, add the datalink index (range list of 16-bit TCI values expressed in hex) by filling in the Add Datalink Indices section and clicking Add Indices. Add the datalink mask (mask that is applied to the TCI and each value in the datalink index range expressed in hex) by filling in the Datalink Mask section and clicking Apply.
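The Python below is an added example, not Builder code, modelling how the Start, End and Mask hex fields of a TOS Range classification and the index list and mask of a Datalink classification select packets. It assumes the AP compares the masked ToS byte against Start..End inclusive and the masked TCI against each masked index, and that the first matching class in rule order wins; the class definitions and packet values are constructed samples.

```python
def _hex(field):
    """Start, End, Mask and index fields are entered as hex text in the dialogs."""
    return int(field, 16)


class TosRangeClass:
    """TOS Range classification: match (ToS byte & Mask) against Start..End (assumed)."""
    def __init__(self, name, start, end, mask):
        self.name = name
        self.start, self.end, self.mask = _hex(start), _hex(end), _hex(mask)
        if not 0 <= self.start <= self.end <= 0xFF or not 0 <= self.mask <= 0xFF:
            raise ValueError(f"{name}: Start/End/Mask must be byte values with Start <= End")

    def matches(self, tos_byte):
        # Only the bits selected by Mask take part in the range comparison.
        return self.start <= (tos_byte & self.mask) <= self.end


class DatalinkClass:
    """Datalink classification: match (16-bit TCI & Mask) against each masked index (assumed)."""
    def __init__(self, name, indices, mask):
        self.name = name
        self.mask = _hex(mask)
        self.indices = [_hex(i) for i in indices]
        if self.mask > 0xFFFF or any(i > 0xFFFF for i in self.indices):
            raise ValueError(f"{name}: TCI values are 16-bit")

    def matches(self, tci):
        # The mask is applied to the TCI and to every index in the range list.
        return (tci & self.mask) in {i & self.mask for i in self.indices}


def classify(classes, value):
    """Name of the first class in rule order that matches value, or None if none does."""
    for cls in classes:
        if cls.matches(value):
            return cls.name
    return None


# Constructed sample classes (illustrative values, not from the guide).
# Mask fc keeps the 6 DSCP bits of the ToS byte and ignores the 2 ECN bits.
TOS_CLASSES = [
    TosRangeClass("voice-ef", "b8", "b8", "fc"),    # only DSCP 46 (EF)
    TosRangeClass("af-assured", "28", "9c", "fc"),  # DSCP 10 through 39 (AF1x..AF4x)
]
# Mask e000 keeps the 3 priority bits of an 802.1Q TCI; index a000 is priority 5.
DATALINK_CLASSES = [DatalinkClass("vlan-prio5", ["a000"], "e000")]
```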
For the Stateless classification type, add a type by selecting the appropriate protocols and ports and clicking Add as shown here.
Remove a classification type by selecting the item in the list and clicking Remove in the Classification Edit section.
Click OK to make your changes.
NOTE
You can use an empty Service parameter as a placeholder to allow overrides for all or a subset of APs.
SELECTING OR EDITING INTERFACE PARAMETERS
Interfaces are placeholders for CBQ overrides which you must set for each AP. Although the override names have meaning, there are no restrictions or verification to ensure that you’ve selected the proper overrides.
For interface parameters, select the Interface field you want to change, click on the right mouse button, and select the appropriate value from the pop-up menu. If you select Edit..., then the Rule Set Interface Association Dialog window appears.
If the Service classification type is stateful, your interface should be stateful so you can enter the two interfaces used for the application’s traffic flow. If the interface is stateful, you must also enter the From Interface. If the interface is stateful, you can also allow traffic to flow in both directions by checking the Bi-Directional Definition check box.
The bidirectional interface pair is displayed with a double-headed arrow (<=>) between the two interfaces and four separate classes are created with names based on the rule name. For example, if you created a rule called test for a LAN<=>WAN bidirectional interface, the test-R-est and test classes are created on the LAN interface and the test-est and test-R classes are created on the WAN interface. Note that the established classes receive a peer classification to ensure that they are classified before either base class.
Click OK to make your changes.
SELECTING ACTION PARAMETERS
For action parameters, select the Action field you want to change, click on the right mouse button, and select Deny, Permit, Limit (inbound traffic), or Shape (outbound traffic) from the pop-up menu. If you select Limit or Shape, then the Rule Action Definition Dialog window appears so you can enter the rate, the maximum bandwidth, and bounding information. Table 2 shows default action profiles and associated CBQ trees.
If you select Limit, then you can specify a forwarding policy for stateful or stateless classification (see Page 101 for information about creating a forwarding policy). When you specify a forwarding policy for stateful classes, the forwarding policy is applied to the From interface specified in the Rule Set Interface Dialog box when editing the Interface field.
Table 2 Default Action Profiles and Associated CBQ Trees
Action | Bandwidth | Bounded | CBQ Tree From Interface | CBQ Tree To Interface | Stateful Established Class Returned To
Deny | 0 | True | Input | Input | Input tree of To interface
Permit | 0 | False | Input | Input | Input tree of To interface
Limit | >=0 | True/False | Input | Input | Input tree of To interface
Shape | >=0 | True/False | Output | Output | Output tree of To interface
If you select Shape, then you can specify the datalink traffic index or flag. These values map traffic classes to specific datalink selection parameters. These values differ between datalinks (such as Ethernet, Frame Relay, ATM, and ISDN) and should be specified only for stateless classes. Note that you cannot configure the datalink using Builder; the datalink must already be configured.
Click OK to make your selections or changes.
CHANGING THE RULE NAME
The rule names are listed in the Rule Hierarchy column. To change a name:
1 Select the name you want to change.
2 Click on the right mouse button and select Rename... from the pop-up menu (same as selecting Rule → Rename...). Fill in the new name when prompted.
3 Click OK to change the name.
4 Save the rule set by selecting File → Save As... or File → Save.
SPECIFYING EXECUTION ORDER
The rules are executed in hierarchical order. Within a peer group, however, rules are executed sequentially, except for default rules, so you must ensure that your rules are specified in the correct order. To modify the order shown in the Seq field, use the arrows in the tool bar:
1 Select the rule for which you want to change the execution order.
2 To make the rule a child, click the right arrow button.
To make the rule a peer of the current parent, click the left arrow button.
To move the rule up or down in the execution order as a peer, click on either the up arrow or down arrow buttons.
3 Save the rule set by selecting File → Save As... or File → Save.
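To make the Seq numbering and the four tool bar reorderings concrete, here is an added Python model of a rule set hierarchy (example code, not Builder's); it also implements Rule → Insert → Within/Before/After from "Adding a Rule". The rule names mgmtHosts and requestConfig are constructed to stand for the two child rules the default template discussion suggests, and placing "-default" rules last in their peer group in execution_order is an assumption the guide does not spell out.

```python
class Rule:
    """One row of the Rule Hierarchy column; children are rules inserted Within it."""
    def __init__(self, name, children=None):
        self.name = name
        self.children = list(children or [])


class RuleSet:
    def __init__(self, rules):
        self.root = Rule("<root>", rules)   # hidden root: top-level rules are its children

    def _locate(self, name):
        """Return (grandparent, parent, index) of the rule called name."""
        def walk(node, grand):
            for i, child in enumerate(node.children):
                if child.name == name:
                    return grand, node, i
                hit = walk(child, node)
                if hit:
                    return hit
            return None
        hit = walk(self.root, None)
        if hit is None:
            raise KeyError(f"no rule named {name!r}")
        return hit

    def seq_table(self):
        """(Seq, name) rows as the editor shows them, e.g. ('1.1', 'mgmtHosts')."""
        rows = []
        def walk(node, prefix):
            for i, child in enumerate(node.children, 1):
                rows.append((f"{prefix}{i}", child.name))
                walk(child, f"{prefix}{i}.")
        walk(self.root, "")
        return rows

    def insert(self, target, rule, where):
        """Rule -> Insert -> Within / Before / After the selected (target) rule."""
        _, parent, i = self._locate(target)
        if where == "Within":
            parent.children[i].children.append(rule)
        elif where == "Before":
            parent.children.insert(i, rule)
        elif where == "After":
            parent.children.insert(i + 1, rule)
        else:
            raise ValueError(f"unknown insert position {where!r}")

    def make_child(self, name):
        """Right arrow: the preceding peer becomes the selected rule's parent."""
        _, parent, i = self._locate(name)
        if i == 0:
            raise ValueError(f"{name} has no preceding peer")
        parent.children[i - 1].children.append(parent.children.pop(i))

    def make_peer(self, name):
        """Left arrow: the rule becomes a peer placed right after its current parent."""
        grand, parent, i = self._locate(name)
        if grand is None:
            raise ValueError(f"{name} is already a top-level rule")
        rule = parent.children.pop(i)
        grand.children.insert(grand.children.index(parent) + 1, rule)

    def move_up(self, name):
        """Up arrow: move the rule above its preceding peer."""
        _, parent, i = self._locate(name)
        if i == 0:
            raise ValueError(f"{name} is first in its peer group")
        parent.children[i - 1], parent.children[i] = parent.children[i], parent.children[i - 1]

    def move_down(self, name):
        """Down arrow: move the rule below its succeeding peer."""
        _, parent, i = self._locate(name)
        if i == len(parent.children) - 1:
            raise ValueError(f"{name} is last in its peer group")
        parent.children[i], parent.children[i + 1] = parent.children[i + 1], parent.children[i]

    def execution_order(self):
        """Names in evaluation order: hierarchical, peers in sequence; '-default'
        rules are listed last in their peer group (an assumption, not from the guide)."""
        order = []
        def walk(node):
            for child in sorted(node.children, key=lambda r: r.name.endswith("-default")):
                order.append(child.name)
                walk(child)
        walk(self.root)
        return order


def build_sample():
    """Default template plus the two suggested child rules (constructed names)."""
    rs = RuleSet([Rule("allowAPMgmt"), Rule("APMgmt-default")])
    rs.insert("allowAPMgmt", Rule("mgmtHosts"), "Within")     # source: management hosts
    rs.insert("mgmtHosts", Rule("requestConfig"), "After")    # destination: Request Config daemon
    return rs
```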
ADDING OR CHANGING COMMENTS
The comments are listed in the Comment column. To change a comment:
1 Select the comment field for the appropriate rule.
2 Make your changes.
3 Save the rule set by selecting File → Save As... or File → Save.
REMOVING A RULE
To remove a rule:
1 Select the rule you want to delete.
2 Select Rule → Delete (or click on the right mouse button and select Delete from the pop-up menu) to remove the selected rule from the rule set.
3 Save the rule set by selecting File → Save As... or File → Save.
PURGING UNUSED PARAMETERS
To remove parameters that are not being used by a rule set:
1 Select the rule set from which you want to delete unused parameters.
2 Select File → Purge Unused Parameters to remove any unreferenced parameters from the rule set.
A pop-up message appears to let you know that no unreferenced parameters were purged or to ask you to confirm the deletion of any unreferenced parameters.
3 Save the rule set by selecting File → Save As... or File → Save.
MODIFYING A RULE SET
1 Select Tools → Rule Set Editor... to bring up the QoS/Firewall Rule Set Editor. If you had selected a VPN or an AP, its rule set appears in the QoS/Firewall Rule Set Editor.
Refer to “Using the QoS/Firewall Rule Set Editor” on Page 62 for information about using the QoS/Firewall Rule Set Editor.
2 Select File → Open in the QoS/Firewall Rule Set Editor to bring up the Open Rule Set Dialog box. Select the rule set you want to modify and click Open Rule Set.
3 Modify the rules in your rule set.
NOTE
If you are modifying a rule set for an AP, make sure you set parameter values so that you can provide the correct values for a specific AP. Refer to “Setting Parameter Values” on Page 80 for more information.
4 Save the rule set by selecting File → Save As... or File → Save.
ASSOCIATING A RULE SET
To use rule sets in your VPN, you must associate a rule set with an AP or a VPN in the VPN definition as follows:
1 For either the global VPN or AP in Builder’s Tree frame, click on QoS/Firewall.
2 If you are associating a rule set for an AP, the Use VPN Firewall Ruleset box is checked by default as shown below. Make sure the Use VPN Firewall Ruleset box is not checked if you want to use a different rule set from the one specified in the VPN Properties frame.
3 Click Select Rule Set... to choose the rule set that you want to associate with this AP or VPN from the Select Rule Set Dialog box and click Select Rule Set.
NOTE
Be sure to set parameter overrides for each AP. Refer to “Setting Parameter Values” on Page 80 for more information.
4 Click Apply in the upper left-hand corner of the Properties frame.
5 Save the rule set association for this VPN definition by selecting File →
SETTING PARAMETER VALUES
When you associate a rule set with an AP or a VPN, you must set values for certain parameters so that you use the appropriate parameter values for the AP. You must set values for the Interface parameters. In many cases, you will modify the values for the source (Src) and destination (Dst) parameters as well. You should check to see whether the Service parameter values must be modified.
To set parameter values for particular APs:
1 In Builder’s Tree frame, click on QoS/Firewall for the AP.
2 Make sure that the specified rule set is the one you want to use. If it is not the correct one, associate the correct rule set with this AP as described in “Associating a Rule Set” on Page 79.
3 A list of parameters for this rule set appears in the drop-down list below the Set AP Parameter button. Select the parameter for this AP for which you want to specify a value and click Set AP Parameter to modify the parameter value.
4 Modify the parameter values in the Rule Source Definition Dialog, Rule Destination Definition Dialog, Rule Classification Dialog, or Interface Dialog windows that appear (depending on the parameter you selected) and click Apply.
When you set classification parameter values, that parameter is marked with the letters AP enclosed in a yellow circle as shown at right.
Once you set parameter values, the parameter is listed in the Parameter Overrides list. Edit or remove an override by selecting the parameter in the Parameter Overrides list and clicking Edit Override or Remove Override.
5 Apply your changes to the QoS/Firewall Properties and save the definition so that these QoS/Firewall policies are included as part of your VPN definition.
Click on the Deployment tab of the Configuration and Deployment frame to view the configuration that will be deployed to the APs. You must still deploy the configuration to the APs. Refer to Page 83 for more information about the QoS/Firewall Deployment table.
When you apply the QoS/firewall policies of the VPN definition to APs, Builder performs these actions:
• Gets version information.
• Gets forwarding policy definitions.
• Creates and configures all forwarding policies referenced in the rule set.
• Gets the QoS/Firewall Deployment table and the CBQ interface table.
• Creates and configures all necessary CBQ interfaces.
• Removes all CBQ classes that are marked as removed in the QoS/Firewall Deployment table.
• Creates or modifies all CBQ classes in the class list.
To apply the QoS/firewall policies to all the APs, select Device → Apply and in the Apply Configuration popup that appears, adjust the selections if necessary, and click on the Start button.
To apply the QoS/firewall policies to selected APs, select the APs in the Tree frame, select Device → Apply, and in the Apply Configuration popup that appears, adjust the selections if necessary, and click on the Start button.
USING THE QOS/FIREWALL DEPLOYMENT TABLE
Builder displays information about the CBQ classes for the selected VPN definition in the QoS/Firewall Deployment table. The QoS/Firewall Deployment table has two views:
• Definition View — Displays status when the application generates or updates the QoS/Firewall Deployment table
• Apply/Query View — Displays status when the application deploys the configuration to all APs or queries the APs for CBQ class status
You can sort the QoS/Firewall Deployment table in ascending or descending order for a specific field by selecting the header for the field you want. The sorting toggles between ascending and descending order each time you click on the field’s header.
MODIFYING THE DEFINITION VIEW
The Definition View of the QoS/Firewall Deployment table displays the configuration that will be deployed to the APs. You must still deploy the configuration to the APs. The Definition View displays the following information about the CBQ classes.
• If — the CBQ interface layer associated with this class
• Parent — the parent of the class
• Name — the class name
• Mode — the mode for this class (Enabled, Disabled). You can modify the mode by clicking the mode field and using the dropdown box. Disabled configures the class but sets it to not in service.
• Definition — the definition for this class
• Comment — the comment associated with this class
To display the Definition View, click on the QoS/Firewall Deployment tab and then the Definition View tab. All the classes for the VPN you have selected should be displayed in a window resembling this figure:
Select any class with a mouse click to highlight the row.
Modify the Mode field in the QoS/Firewall Deployment table by selecting the
appropriate value from the drop-down list. Changes to the QoS/Firewall
Deployment table fields temporarily modify the VPN definition, but are not
saved until you deploy the configuration to all the APs.
USING THE APPLY/QUERY VIEW
The Apply/Query View of the QoS/Firewall Deployment table displays status after you have deployed the configuration. The Apply/Query View displays the following information when you deploy the configuration to all APs by selecting Device → Apply or Device → Query and make the appropriate selections from the Apply Configuration or Query Configuration popups.
• If — the interface associated with this class
• Parent — the parent of the class
• Name — the class name
• Message Status — the message status for this class
• State — the current state for this class (Modify, Add, Current, or Remove)
• C — configuration
• Q — query
To display the Apply/Query View, click on the QoS/Firewall Deployment tab and then the Apply/Query View tab. Apply/Query View provides details about class status in a window resembling the following figure.
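As an added example (not code from this manual or from Lucent's product), the following Python reconstructs how the State field's Add, Modify, Current and Remove labels follow from comparing the classes a VPN definition calls for against the classes a queried AP reports, and sequences the work the way the apply actions listed above do, with removals before creations and modifications. The class records, column layout and interface names are constructed assumptions for illustration.

```python
"""Added example, not from the QVPN Builder manual or Lucent's software:
derive the State column of the Deployment table's Apply/Query View by
comparing the CBQ classes a VPN definition calls for with the classes a
queried AP reports. The class records and field layout are constructed."""
from typing import Dict, List, Tuple

# A CBQ class is keyed by (If, Name) and described by its Definition and
# Mode (Enabled/Disabled), mirroring the Definition View columns.
ClassKey = Tuple[str, str]
ClassTable = Dict[ClassKey, Tuple[str, str]]


def deployment_states(desired: ClassTable, current: ClassTable) -> Dict[ClassKey, str]:
    """Label every class Add, Modify, Current or Remove."""
    states: Dict[ClassKey, str] = {}
    for key, wanted in desired.items():
        if key not in current:
            states[key] = "Add"          # not yet on the AP
        elif current[key] != wanted:
            states[key] = "Modify"       # on the AP, but definition or mode differ
        else:
            states[key] = "Current"      # already matches the definition
    for key in current:
        if key not in desired:
            states[key] = "Remove"       # on the AP but no longer in the definition
    return states


def apply_order(states: Dict[ClassKey, str]) -> List[ClassKey]:
    """Sequence the work as the manual lists Builder's apply actions:
    classes marked removed go first, then classes to create or modify."""
    removes = sorted(k for k, s in states.items() if s == "Remove")
    changes = sorted(k for k, s in states.items() if s in ("Add", "Modify"))
    return removes + changes


# Constructed sample: what the VPN definition calls for on one AP ...
DESIRED: ClassTable = {
    ("eth0", "root"): ("bandwidth 10Mbit", "Enabled"),
    ("eth0", "vpn_traffic"): ("parent root bandwidth 6Mbit", "Enabled"),
    ("eth0", "web_traffic"): ("parent root bandwidth 4Mbit", "Disabled"),
}
# ... and what a Device -> Query of that AP reports (constructed).
CURRENT: ClassTable = {
    ("eth0", "root"): ("bandwidth 10Mbit", "Enabled"),
    ("eth0", "vpn_traffic"): ("parent root bandwidth 2Mbit", "Enabled"),
    ("eth0", "old_ftp"): ("parent root bandwidth 1Mbit", "Enabled"),
}

if __name__ == "__main__":
    for key, state in sorted(deployment_states(DESIRED, CURRENT).items()):
        print(f"{key[0]:6} {key[1]:12} {state}")
```

Running the same comparison after a Device → Query is a quick way to spot classes on an AP that have drifted from the saved VPN definition.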