Nortel 251 Using Manual

CCM
Using Contivity Configuration Manager to Configure Contivity 251
318128-B
Copyright © 2006, Nortel Networks All Rights Reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc.
The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.
Trademarks
Nortel, Nortel Networks, the Nortel Networks logo, the Globemark, Contivity, and Contivity Configuration Manager are trademarks of Nortel Networks.
The asterisk after a name denotes a trademarked item.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice.
Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
Nortel Networks Inc. software license agreement
This Software License Agreement ("License Agreement") is between you, the end-user ("Customer") and Nortel Networks Corporation and its subsidiaries and affiliates ("Nortel Networks"). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.
"Software" is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment ("CFE"), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided "AS IS" without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.
4. General
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.
d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks.
f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
Contents
Using Contivity Configuration Manager to Configure Contivity 251 7
Before you begin 7
How to get help 7
New features for this release 8
Bandwidth Management 8
Certificate Management 9
IPSec Tunnel Nail Up 9
SSH/HTTPS for Remote Management 9
Contivity 251 user notes 9
Contivity 251 configuration tasks 9
Configuring Bandwidth Management 10
Configuring Certificate Management 13
Configuring IPSec Tunnel Nail Up 16
Configuring SSH/HTTPS for Remote Management 17
CCM
Using Contivity Configuration Manager to Configure Contivity 251
318128-B 01.01 Standard
Release 2.3 March 2006
Copyright © 2006, Nortel Networks Nortel Networks Confidential
Using Contivity Configuration Manager to Configure Contivity 251
This guide summarizes how to get started using Contivity Configuration Manager* (CCM) to configure Contivity 251 Virtual Private Network (VPN) switches in your network. This document is intended for network engineers who have some familiarity with the Nortel* Contivity 251 device.
Note: Contivity is also known as VPN Router, and Contivity Configuration Manager is also known as VPN Router Multi-Element Manager.
Before you begin
For information about Contivity 251 and Contivity Configuration Manager, see the following documents:
Configuring and Troubleshooting the Contivity 251 VPN Switch
Contivity 251 VPN Switch Quick Start Guide
Contivity Configuration Manager 2.2 User Guide
How to get help
This section explains how to get help for Nortel products and services.
Getting help from the Nortel web site
The best way to get technical support for Nortel products is from the Nortel Technical Support web site:
www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. From this site, you can:
download software, documentation, and product bulletins
search the Technical Support Web site and the Nortel Knowledge Base for answers to technical issues
sign up for automatic notification of new software and documentation for Nortel equipment
open and manage technical support cases
Getting help over the phone from a Nortel Solutions Center
If you do not find the information you require on the Nortel Technical Support web site, and you have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center.
In North America, call 1-800-4NORTEL (1-800-466-7835). Outside North America, go to the following web site to obtain the phone number for your region:
www.nortel.com/callus
Getting help from a specialist by using an Express Routing Code
To access some Nortel Technical Solutions Centers, you can use an Express Routing Code (ERC) to quickly route your call to a specialist in your Nortel product or service. To locate the ERC for your product or service, go to:
www.nortel.com/erc
Getting help through a Nortel distributor or reseller
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.
New features for this release
New features for this release include:
"Bandwidth Management" (page 8)
"Certificate Management" (page 9)
"IPSec Tunnel Nail Up" (page 9)
"SSH/HTTPS for Remote Management" (page 9)
Bandwidth Management
With the Bandwidth Management feature, you can allocate the outgoing capacity of an interface to specific types of traffic. You can also ensure that the Contivity 251 forwards certain types of traffic (especially real-time applications) with minimum delay. This feature allows you to manage bandwidth for the Contivity 251 by configuring classes and filters for LANs and WANs.
Certificate Management
The Contivity 251 uses certificates (also called digital IDs) to authenticate users and remote peers. A certificate binds a public key to an identity and is signed by an issuer, so exchanging certificates is how the two sides of a connection exchange public keys for authentication; the device trusts a certificate only if it chains to a certification authority (CA) that has been imported as trusted.
IPSec Tunnel Nail Up
This feature ensures that the Contivity 251 automatically renegotiates an IPSec tunnel when the IPSec Security Association (SA) lifetime expires, instead of waiting for traffic to bring the tunnel up again. When the Contivity 251 restarts, it automatically renegotiates any nailed-up tunnels. In effect, the IPSec tunnel becomes an always-on connection after it is first initiated.
SSH/HTTPS for Remote Management
Secure Shell (SSH) is a protocol that combines authentication and data encryption to provide a protected command session between two hosts over an untrusted network. Hypertext Transfer Protocol over SSL (HTTPS) is HTTP carried inside an SSL/TLS session, so the management web interface is encrypted in transit and the device identifies itself to the browser with its server certificate. The Contivity 251 supports both protocols for remote management, and each can be restricted to a specified client IP address and port.
Contivity 251 user notes
In certain cases, an object may be colored red to indicate that it is a duplicate even after the duplicated line is deleted. Because the line is in red, it is not exported to the device. To correct this situation so that the line can be exported, modify the duplicate object, select another object to remove the red, and then change the object back to the desired value.
The order of the SUA/NAT address mapping rules in the Contivity 251 device is important because they are processed in numeric order and the first matching rule wins. Both CCM and the Contivity 251 allow gaps in the rule numbering, so that you can insert rules between existing rules in the table. CCM adds the ability to Copy a rule from one place in the table and Paste it over another rule. Because Paste overwrites the target rule rather than inserting before it, leaving gaps in the numbering makes rearranging rules easier. (Q00857737)
Note: Do not enter special characters, such as ", into any text fields in CCM. CCM does not accept special characters in text fields.
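The effect of rule order described in the SUA/NAT note above, as an added example that is not part of the Nortel document and does not reproduce the Contivity 251 rule format: a first-match, numerically ordered mapping table in Go with gapped numbering (10, 20, ...). The Rule fields, the RFC 5737 addresses and the Shadowed check are assumptions for illustration. It shows a broad rule at a low number shadowing a narrower rule behind it, how inserting into a gap fixes the order without overwriting anything, and what a paste over an existing row does.

```go
package main

import (
	"fmt"
	"net"
	"sort"
)

// Rule is one entry of a numerically ordered address-mapping table.
// The fields are an illustrative assumption, not the Contivity 251
// SUA/NAT rule format.
type Rule struct {
	Number int        // table position; lower numbers are evaluated first
	Local  *net.IPNet // inside (local) address range the rule matches
	Mapped net.IP     // outside address the matched traffic is translated to
	Note   string
}

// Table keeps its rules sorted by Number so lookups walk them in order.
type Table struct{ rules []Rule }

// Set stores r at its Number. An existing rule with that Number is
// overwritten, which is what pasting a copied rule over a row does in CCM;
// a Number that falls in a gap is inserted without disturbing other rules.
func (t *Table) Set(r Rule) {
	for i := range t.rules {
		if t.rules[i].Number == r.Number {
			t.rules[i] = r
			return
		}
	}
	t.rules = append(t.rules, r)
	sort.Slice(t.rules, func(i, j int) bool { return t.rules[i].Number < t.rules[j].Number })
}

// Len returns the number of rules in the table.
func (t *Table) Len() int { return len(t.rules) }

// Lookup returns the first rule, in numeric order, whose Local range
// contains ip. Later rules are never consulted once one matches.
func (t *Table) Lookup(ip net.IP) (Rule, bool) {
	for _, r := range t.rules {
		if r.Local.Contains(ip) {
			return r, true
		}
	}
	return Rule{}, false
}

// Shadowed lists the Numbers of rules that can never match because an
// earlier rule already covers their whole Local range. A clean table
// returns nil.
func (t *Table) Shadowed() []int {
	var out []int
	for j, later := range t.rules {
		laterBits, _ := later.Local.Mask.Size()
		for _, earlier := range t.rules[:j] {
			earlierBits, _ := earlier.Local.Mask.Size()
			if earlierBits <= laterBits && earlier.Local.Contains(later.Local.IP) {
				out = append(out, later.Number)
				break
			}
		}
	}
	return out
}

func mustCIDR(s string) *net.IPNet {
	_, n, err := net.ParseCIDR(s)
	if err != nil {
		panic(err)
	}
	return n
}

// BuildTable constructs a sample table (constructed data, RFC 5737 ranges)
// numbered with gaps so rules can be inserted later. Rule 10 covers the
// whole LAN, so the narrower server rule at 20 can never be reached.
func BuildTable() *Table {
	t := &Table{}
	t.Set(Rule{Number: 10, Local: mustCIDR("192.0.2.0/24"), Mapped: net.ParseIP("203.0.113.10"), Note: "whole LAN"})
	t.Set(Rule{Number: 20, Local: mustCIDR("192.0.2.0/28"), Mapped: net.ParseIP("203.0.113.20"), Note: "server segment"})
	return t
}

func main() {
	t := BuildTable()
	host := net.ParseIP("192.0.2.5") // a host inside the server segment
	r, _ := t.Lookup(host)
	fmt.Printf("before: %s -> rule %d (%s); shadowed: %v\n", host, r.Number, r.Note, t.Shadowed())

	// Put the server rule into the gap below 10 instead of pasting over 10.
	t.Set(Rule{Number: 5, Local: mustCIDR("192.0.2.0/28"), Mapped: net.ParseIP("203.0.113.20"), Note: "server segment (moved)"})
	r, _ = t.Lookup(host)
	fmt.Printf("after:  %s -> rule %d (%s); shadowed: %v\n", host, r.Number, r.Note, t.Shadowed())
}
```

Running Shadowed on a table before exporting it to the device is the check worth keeping: a rule it reports is dead configuration, and the host it was meant to cover is being translated by a broader rule you may not have intended.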
Contivity 251 configuration tasks
The CCM client must be connected to the CCM server to perform the configuration tasks described in this guide. To perform configuration operations on the Contivity devices in the network, the CCM server requires TCP/IP connectivity to the Contivity 251 device. Any other sessions to the Contivity 251 device should be logged out before attempting to access the Contivity 251 device with CCM.
The following is a list of configuration tasks for new features:
"Configuring Bandwidth Management" (page 10)
"Configuring Certificate Management" (page 13)
"Configuring IPSec Tunnel Nail Up" (page 16)
"Configuring SSH/HTTPS for Remote Management" (page 17)
See the following sections for detailed explanations of these tasks. See previous versions of this document for an explanation of legacy configuration tasks.
Configuring Bandwidth Management
To configure Bandwidth Management:
1. In the CCM navigation pane, select the Contivity 251 device and expand it.
2. Select Bandwidth Management and click the Properties tab.
3. Click the Summary tab, then select the appropriate Active check boxes. See Figure 1 "Contivity 251 Bandwidth Management" (page 10).
Figure 1 Contivity 251 Bandwidth Management
4. For each Active check box you selected, enter the speed of that interface. This value becomes the Bandwidth Budget of the corresponding root class.
5. In Bandwidth Management, select the LAN Root Class element.
6. Click the LAN Root Class Properties tab.
7. On the Properties page, select the Class Configuration tab. The Class Name and Bandwidth Budget fields contain the values specified on the Bandwidth Management Properties tab. See Figure 2 "Contivity 251 Class Configuration" (page 11).
Figure 2 Contivity 251 Class Configuration
8. In the LAN Root Class node, select a LAN class or create a new one if required.
Note: To create a new LAN class, select LAN Root Class, and click the Palette tab. Double-click Class Set-up.
9. On the LAN class Properties page, click the Class Configuration tab.
10. Enter the Class Name and the Bandwidth Budget values in the boxes. See Figure 3 "Contivity 251 LAN Class Configuration" (page 12).
Figure 3 Contivity 251 LAN Class Configuration
11. On the Properties page, select the Bandwidth Filter tab.
12. Configure the fields as required. See Figure 4 "Contivity 251 Bandwidth Filter" (page 13).
Figure 4 Contivity 251 Bandwidth Filter
13. Repeat steps 8 to 12 for each LAN class requiring configuration.
—End—
Configuring Certificate Management
Use the Certificate Create wizard to import and create certificates. The wizard applies to Contivity 251 devices and to the Certificates, My Certificates, Trusted Certificates, and Trusted Remote Host Certificates nodes.
To configure Certificate Management:
1. In the CCM navigation pane, select the Contivity 251 device and expand it.
2. Select Certificates and expand it.
3. In the Certificates node, select the Trusted CAs node.
4. In the Trusted CAs node, import a trusted CA certificate by using the Certificate Create wizard. Confirm the CA certificate's fingerprint with its operator before you import it: once the CA is trusted, every certificate it has issued is accepted for authentication. For more information about importing a trusted CA certificate, refer to the Certificate Create wizard in Contivity Configuration Manager Wizards.
5. In the Trusted CAs node, delete any CA certificate that is no longer trusted. Peers whose certificates were issued by a deleted CA can no longer authenticate to the Contivity 251.
6. In the Certificates node, select and expand the My Certificates node.
7. In the My Certificates node, select a self-signed certificate. See Figure 5 "Contivity 251 My Certificates self-signed certificate" (page 14).
Figure 5 Contivity 251 My Certificates self-signed certificate
Note: Use the Certificate Create wizard to import a certificate issued by a certification authority or to create a self-signed certificate or a certificate request. See Contivity Configuration Manager Wizards.
8. Click the Properties tab of the self-signed certificate. The Basic page shows the certificate name, its properties, the certification path, and other certificate information. If more than one self-signed certificate exists, you can make one of them the default by editing its Default self-signed certificate property; the default self-signed certificate is the one that signs imported remote host certificates.
9. In the My Certificates node, select a certificate issued by a certification authority.
10. Click the Properties tab of the certificate. The Basic page shows the certificate name, its properties, the certification path, and other certificate information.
11. In the My Certificates node, select a certificate request.
12. Click the Properties tab of the certificate request. The Basic page shows the certificate name, its properties, the certification path, and other certificate information.
13. In the Certificates node, select the Trusted Remote Host Certificate node.
14. In Directory Servers, select a directory service.
15. Click the Properties tab of the directory service.
16. On the Basic page, enter the necessary information in the Directory Service Setting and Login Setting boxes. See Figure 6 "Contivity 251 Directory Services" (page 15).
Figure 6 Contivity 251 Directory Services
—End—
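The trust relationship behind steps 4 and 5 of this procedure, as an added example that is not part of the Nortel document and uses no Contivity API: Go's standard crypto/x509 builds two corporate CA certificates, a branch-office peer certificate issued by one of them, and a look-alike peer with the same name issued by a CA that was never imported. The CA names, the peer name, and the certificate lifetimes are constructed for the example. It shows that a peer is accepted only while its issuing CA is in the trust store, that removing that CA (step 5) rejects every peer it issued, and that a same-named certificate from an unknown CA is rejected regardless of how it looks.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// newCA makes a self-signed CA certificate, the kind that is imported into
// the Trusted CAs node. Errors panic because this is a demonstration.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// issue signs a peer (remote host) certificate with the CA's private key.
// The peer's own private key never leaves the peer; only the public key is
// placed in the certificate.
func issue(ca *x509.Certificate, caKey *ecdsa.PrivateKey, name string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// PeerTrusted reports whether peer chains to one of the CAs in trusted,
// i.e. whether the device's Trusted CAs list would accept it.
func PeerTrusted(peer *x509.Certificate, trusted []*x509.Certificate) bool {
	pool := x509.NewCertPool()
	for _, ca := range trusted {
		pool.AddCert(ca)
	}
	_, err := peer.Verify(x509.VerifyOptions{Roots: pool, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageAny}})
	return err == nil
}

// Result records the three checks RunScenario performs.
type Result struct {
	PeerOKWithCA      bool // peer issued by CA A while A is trusted
	PeerOKAfterDelete bool // the same peer after A is removed from Trusted CAs
	RogueOK           bool // same-named peer issued by a CA that was never imported
}

// RunScenario builds the constructed CAs and peers and evaluates each
// against the trust store before and after the CA deletion of step 5.
func RunScenario() Result {
	caA, keyA := newCA("Corp Root A")
	caB, _ := newCA("Corp Root B")
	unknownCA, unknownKey := newCA("Unknown Root")
	peer := issue(caA, keyA, "branch-office-1")
	rogue := issue(unknownCA, unknownKey, "branch-office-1")
	return Result{
		PeerOKWithCA:      PeerTrusted(peer, []*x509.Certificate{caA, caB}),
		PeerOKAfterDelete: PeerTrusted(peer, []*x509.Certificate{caB}),
		RogueOK:           PeerTrusted(rogue, []*x509.Certificate{caA, caB}),
	}
}

func main() {
	fmt.Printf("%+v\n", RunScenario())
}
```

The name in the certificate plays no part in the decision; only the signature chain to an imported CA does, which is why the Trusted CAs list, not the My Certificates list, is the control that decides who can authenticate.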
Configuring IPSec Tunnel Nail Up
To configure IPSec Tunnel Nail Up:
1. In the CCM navigation pane, select the Contivity 251 device and expand it.
2. Select VPN and expand it.
3. In the VPN node, select a branch office connection.
4. Click the Properties tab of the branch office connection, then select the Basic tab.
5. Select the Nailed Up check box. See Figure 7 "Contivity 251 Nailed Up option for branch office connection" (page 16).
Figure 7 Contivity 251 Nailed Up option for branch office connection
6. If required, for each IP Policy of the branch office connection node, click the IP Policy tab and select the Enable Control Ping check box. If you select Enable Control Ping, you must specify the IP address that is the endpoint of the control ping. See Figure 8 "Contivity 251 Control Ping" (page 17).
Figure 8 Contivity 251 Control Ping
—End—
Configuring SSH/HTTPS for Remote Management
To configure SSH/HTTPS for Remote Management:
1. In the CCM navigation pane, select the Contivity 251 device and expand it.
2. Select Remote Management and click the Properties tab.
3. Click the SSH tab.
4. From the Server Certificate list, select the appropriate server certificate. See Figure 9 "Contivity 251 SSH for Remote Management" (page 18).
Figure 9 Contivity 251 SSH for Remote Management
5. From the Access Status list, select Enable or Disable.
6. In the Server Port box, enter the TCP port on which the SSH server listens.
7. In the Secured Client IP Address box, enter the IP address of the management host that is permitted to open SSH sessions. Limiting this to the CCM server or a dedicated management host keeps the SSH service unreachable from the rest of the network even if an administrator password is compromised.
8. On the Properties page, select the HTTPS tab.
9. Select and enter the appropriate information in the boxes, lists, and check boxes. See Figure 10 "Contivity 251 HTTPS for Remote Management" (page 19).
Figure 10 Contivity 251 HTTPS for Remote Management
—End—
Publication: 318128-B Document status: Standard Document version: 01.01 Document date: March 2006