Nortel VPN, Contivity VPN Client Client User Manual

Version 6.01
Part No. 311644-J Rev 00 August 2005
600 Technology Park Drive Billerica, MA 01821-4130
Configuring the Contivity VPN Client
311644-J Rev 00
Copyright © Nortel Networks Limited 2005. All rights reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Inc.
The software described in this document is furnished under a license agreement and may be used only in accordance with the terms of that license. The software license agreement is included in this document.
Trademarks
Nortel Networks, the Nortel Networks logo, the Globemark, Unified Networks, and Contivity are trademarks of Nortel Networks.
ActivCard is a trademark of ActivCard Incorporated.
Adobe and Acrobat Reader are trademarks of Adobe Systems Incorporated.
America Online is a trademark of America Online, Inc.
Datakey is a trademark of Datakey, Inc.
Entrust is a trademark of Entrust Technologies Inc.
iPass is a trademark of iPass Inc.
Java and Sun Microsystems are trademarks of Sun Microsystems, Inc.
Microsoft and Windows are trademarks of Microsoft Corporation.
Netscape and Netscape Navigator are trademarks of Netscape Communications Corporation.
SecurID is a trademark of RSA Security Inc.
VeriSign is a trademark of VeriSign Incorporated.
The asterisk after a name denotes a trademarked item.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph (c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the right to make changes to the products described in this document without notice.
Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising materials, and other materials related to such distribution and use acknowledge that such portions of the software were developed by the University of California, Berkeley. The name of the University may not be used to endorse or promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED “AS IS” AND WITHOUT ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices imposed by third parties).
Nortel Networks Inc. software license agreement
This Software License Agreement (“License Agreement”) is between you, the end-user (“Customer”) and Nortel Networks Corporation and its subsidiaries and affiliates (“Nortel Networks”). PLEASE READ THE FOLLOWING CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT. If you do not accept these terms and conditions, return the Software, unused and in the original shipping container, within 30 days of purchase to obtain a credit for the full purchase price.
“Software” is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data, audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for the selection of the Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the Software on only one machine at any one time or to the extent of the activation or authorized usage level, whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer furnished equipment (“CFE”), Customer is granted a nonexclusive license to use Software only on such hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as confidential information using the same care and discretion Customer uses with its own similar information that it does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d) sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of this provision. Upon termination or breach of the license by Customer or in the event designated hardware or CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction. Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer, Software is provided “AS IS” without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING, BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties, and, in such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL, INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS), WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN ADVISED OF THEIR POSSIBILITY. The forgoing limitations of remedies also apply to any developer and/or supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.
4. General
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks Software available under this License Agreement is commercial computer software and commercial computer software documentation and, in the event Software is licensed for or on behalf of the United States Government, the respective rights to the software and software documentation are governed by Nortel Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections 12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer fails to comply with the terms and conditions of this license. In either event, upon termination, Customer must either return the Software to Nortel Networks or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable export and import laws and regulations.
d. Neither party may bring an action, regardless of form, more than two years after the cause of the action arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between Customer and Nortel Networks.
f. This License Agreement is governed by the laws of the country in which Customer acquires the Software. If the Software is acquired in the United States, then this License Agreement is governed by the laws of the state of New York.
Contents

Preface  13
  Before you begin  13
  Text conventions  14
  Acronyms and terms  15
  Related publications  16
  Hard-copy technical manuals  17

Chapter 1  Installing the client  19
  Windows installations  19
  Windows Domain Logon  23
    Two step domain logon  23
    Graphical Identification and Authentication (GINA)  24
      Logging on through client connection  25
      First domain logon  26
      Enabling and disabling Connect Before Logon  27
      Uninstalling the client  28

Chapter 2  Customizing the client  29
  Configuring client profiles  30
  Setup.ini file  32
    Customizing the setup.ini file  33
    Installation modes and options  39
      Verbose mode  39
      Skip Screens mode  39
      Silent mode  39
      Quiet mode  40
      Reboot Only mode  40
      Silent with Forced Reboot mode  40
  Setting up the group.ini file  41
  Custom icons  42
    Create your icons  43
    Client application icon (eacapp.ico)  43
    Contivity VPN Client task bar icons  44
  Custom bitmaps  45
    Client dialog bitmap (eacdlg.bmp)  45
    Client status bitmap (eacstats.bmp)  46
    Client GINA bitmap (nnginadlg.bmp)  47
  Banners  48
    Security banners  48
    Dynamic Domain Name System (DNS)  49
    TunnelGuard Notify banner  49
  Installing a custom client  50
  Controlling the client from a third-party application  52
    Running in silent success mode  55
    Remotely changing the group password  56
  GINA chaining  58
  IPsec mobility and persistent tunneling  59
    Inverse split tunneling  60
      Using the 0.0.0.0/0 subnet wildcard  60
      Configuring the subnet wildcard  60
    Configuring tunneling modes using the CLI  61
    Co-existence with MS IPsec service  62
      Configuring co-existence with MS IPsec service  62

Chapter 3  Using certificates  65
  MS CryptoAPI  65
    MS-CAPI feature dependencies and backward compatibility  66
    MSCAPI server CRL checking  66
    Microsoft CA digital certificate generation  67
      Steps from browser running on client system or CA system  67
    Netscape digital certificate generation  68
    Importing a digital certificate into MS-CAPI store  68
      Microsoft CA digital certificate retrieval  69
      Netscape digital certificate retrieval  69
    Configuring Contivity VPN Client for MS stored certificates  70
    Server certificate CRL checking  70
  Entrust certificate-based authentication  71
    Custom installation  72
    Entrust certificate enrollment procedure  73
    Entrust certificate enrollment tunnel  74
    Direct access enrollment process  74
    Entrust certificate enrollment process  75
  Entrust roaming profiles support  77
    Offline and online  77
    Configuring Entrust for Roaming Profiles  79
      Configuring the Certificate Authority Server  79
      Create a Roaming Profile Administrator from RA  81
      Configuring Roaming Profile Clients  83

Appendix A  Client logging  85

Index  89
Figures

Figure 1  Welcome screen  19
Figure 2  License Agreement screen  20
Figure 3  Destination screen  20
Figure 4  Program folder screen  21
Figure 5  Install and run screen  21
Figure 6  Start Copying Files screen  22
Figure 7  Connect Before Logon screen  25
Figure 8  Contivity VPN Client logon screen  26
Figure 9  Options menu  27
Figure 10  Client application icon  43
Figure 11  Sample icon  44
Figure 12  Blink none (blinknone.ico)  44
Figure 13  Blink right (blinkright.ico)  44
Figure 14  Blink left (blinkleft.ico)  45
Figure 15  Both (blinkboth.ico)  45
Figure 16  Client connecting icons  45
Figure 17  Contivity VPN Client bitmap  46
Figure 18  Client status bitmap  46
Figure 19  GINA bitmap  47
Figure 20  Security banner  48
Figure 21  Screen with View Banner option  49
Figure 22  TunnelGuard Notify banner  50
Figure 23  Edit > IPsec page for wildcard  61
Figure 24  IPsec Settings page  63
Figure 25  Groups > Edit > IPsec page  64
Figure 26  An Entrust PKI server can be located in three places  73
Figure 27  PCs connected to roaming server  79
Tables

Table 1  Acronyms and terms  15
Table 2  VPN Client support  29
Table 3  Supported UseTokens and TokenType settings  31
Table 4  [Options] section and keyword settings for setup.ini file  33
Table 5  Settings for group.ini file  41
Table 6  Command line parameters  53
Table 7  Tunneling mode options  61
Table 8  Client error messages  85
Preface
This guide helps you install the Nortel* Contivity VPN Client. Topics include:
Installing the client
Creating custom icons
Installing a custom client
Using certificates on a client
This guide is intended for network managers who are responsible for setting up client software for the Contivity gateway. This guide assumes that you have the following background:
Experience with windowing systems or graphical user interfaces (GUI)
Familiarity with network management
Complete details for configuring and monitoring the Contivity* Secure IP Services Gateway are in Configuring Basic Features for the Contivity Secure IP Services Gateway.
Before you begin
The minimum PC requirements for running the Contivity VPN Client are:
Windows 2000, Windows XP or better
200 MHz Pentium
64 MB memory
10 MB free hard disk space
Text conventions
This guide uses the following text conventions:

angle brackets (< >)
  Indicate that you choose the text to enter based on the description inside the brackets. Do not type the brackets when entering the command.
  Example: If the command syntax is ping <ip_address>, you enter ping 192.32.10.12

bold Courier text
  Indicates command names and options and text that you need to enter.
  Example: Use the show health command.
  Example: Enter terminal paging {off | on}.

braces ({})
  Indicate required elements in syntax descriptions where there is more than one option. You must choose only one of the options. Do not type the braces when entering the command.
  Example: If the command syntax is ldap-server source {external | internal}, you must enter either ldap-server source external or ldap-server source internal, but not both.

brackets ([ ])
  Indicate optional elements in syntax descriptions. Do not type the brackets when entering the command.
  Example: If the command syntax is show ntp [associations], you can enter either show ntp or show ntp associations.
  Example: If the command syntax is default rsvp [token-bucket {depth | rate}], you can enter default rsvp, default rsvp token-bucket depth, or default rsvp token-bucket rate.

ellipsis points (. . . )
  Indicate that you repeat the last element of the command as needed.
  Example: If the command syntax is more diskn:<directory>/...<file_name>, you enter more and the fully qualified name of the file.

italic text
  Indicates new terms, book titles, and variables in command syntax descriptions. Where a variable is two or more words, the words are connected by an underscore.
  Example: If the command syntax is ping <ip_address>, ip_address is one variable and you substitute one value for it.

plain Courier text
  Indicates system output, for example, prompts and system messages.
  Example: File not found.

separator ( > )
  Shows menu paths.
  Example: Choose Status > Health Check.

vertical line ( | )
  Separates choices for command keywords and arguments. Enter only one of the choices. Do not type the vertical line when entering the command.
  Example: If the command syntax is terminal paging {off | on}, you enter either terminal paging off or terminal paging on, but not both.

Acronyms and terms
This guide uses the acronyms and terms listed in Table 1.
Table 1  Acronyms and terms

Certification path
  Ordered sequence of certificates, leading from a certificate whose public key is known by a client to a certificate whose public key is to be validated by the client.

Certificate revocation list (CRL)
  List of revoked but unexpired certificates issued by a CA.

Digital certificate
  Digitally signed data structure defined in the X.509 standard that binds the identity of a certificate holder (or subject) to a public key.

Public Key Cryptography Standards (PKCS)
  Collection of de facto standards produced by RSA covering the use and manipulation of public-private keys and certificates.

PKCS #7
  Cryptographic Message Syntax Standard. (Reply with digital certificate.)

PKCS #10
  Certification Request Syntax Standard.

PKCS #12
  Personal Information Exchange Syntax.

X.509
  Standard certificate format.

Related publications
For more information about the Contivity Secure IP Services Gateway, refer to the following publications:
Release notes provide the latest information, including brief descriptions of the new features, problems fixed in this release, and known problems and workarounds.
Configuring Basic Features for the Contivity Secure IP Services Gateway introduces the product and provides information about initial setup and configuration.
Configuring Servers, Authentication, and Certificates for the Contivity Secure IP Services Gateway provides instructions for configuring authentication services and digital certificates.
Configuring Firewalls, Filters, NAT, and QoS for the Contivity Secure IP Services Gateway provides instructions for configuring the Contivity Stateful Firewall and Contivity interface and tunnel filters.
Configuring Advanced Features for the Contivity Secure IP Services Gateway provides instructions for configuring advanced LAN and WAN settings, PPP, frame relay, PPPoE, ADSL and ATM, T1CSU/DSU, dial services and demand services, DLSw, IPX, and SSL VPN.
Configuring Tunneling Protocols for the Contivity Secure IP Services Gateway provides configuration information for the tunneling protocols IPsec, L2TP, PPTP, and L2F.
Configuring Routing for the Contivity Secure IP Services Gateway provides instructions for configuring BGP, RIP, OSPF, and VRRP, as well as instructions for configuring ECMP, routing policy services, and client address redistribution (CAR).
Managing and Troubleshooting the Contivity Secure IP Services Gateway provides information about system administrator tasks such as backup and recovery, file management, and upgrading software, and instructions for monitoring gateway status and performance. It also provides troubleshooting information and interoperability considerations.
Reference for the Contivity Secure IP Services Gateway Command Line Interface provides syntax, descriptions, and examples for the commands that you can use from the command line interface.
Configuring TunnelGuard for the Contivity Secure IP Services Gateway provides information about configuring and using the TunnelGuard feature.
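The certificate terms defined in Table 1 (certification path, CRL, X.509 digital certificate, PKCS #10 request) are easier to see together in code. The following is an added example and is not code from this manual or from the Contivity client. It assumes the third-party Python `cryptography` package is installed; the CA names, the client name "vpn-user-01" and the validity dates are constructed for illustration. It builds a root CA and an issuing CA, issues a client certificate from a PKCS #10 request, and then walks the certification path from the client certificate back to the trusted root, checking each issuer's signature, CA flag and CRL, and shows the path failing when the issuing CA revokes the client.

```python
"""Certification path and CRL check for the terms in Table 1.

Added example, not code from the Nortel manual or the Contivity client.
Assumes the third-party `cryptography` package is installed. All names,
keys and dates below are constructed for illustration.
"""
import datetime

from cryptography import x509
from cryptography.exceptions import InvalidSignature
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import NameOID

# Fixed validity window for the constructed certificates (dates are not checked below).
NOT_BEFORE = datetime.datetime(2005, 8, 1)
NOT_AFTER = NOT_BEFORE + datetime.timedelta(days=365)


def name(cn):
    return x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])


def make_csr(cn, key):
    """PKCS #10 certification request: subject name plus public key, signed with that key."""
    return x509.CertificateSigningRequestBuilder().subject_name(name(cn)).sign(
        key, hashes.SHA256())


def issue(subject, public_key, issuer_name, issuer_key, is_ca):
    """X.509 certificate binding `subject` to `public_key`, signed by the issuer's key."""
    return (x509.CertificateBuilder()
            .subject_name(subject)
            .issuer_name(issuer_name)
            .public_key(public_key)
            .serial_number(x509.random_serial_number())
            .not_valid_before(NOT_BEFORE)
            .not_valid_after(NOT_AFTER)
            .add_extension(x509.BasicConstraints(ca=is_ca, path_length=None), critical=True)
            .sign(issuer_key, hashes.SHA256()))


def make_crl(issuer_cert, issuer_key, revoked_serials):
    """CRL: the issuer's signed list of revoked (but unexpired) serial numbers."""
    builder = (x509.CertificateRevocationListBuilder()
               .issuer_name(issuer_cert.subject)
               .last_update(NOT_BEFORE)
               .next_update(NOT_BEFORE + datetime.timedelta(days=7)))
    for serial in revoked_serials:
        builder = builder.add_revoked_certificate(
            x509.RevokedCertificateBuilder().serial_number(serial)
            .revocation_date(NOT_BEFORE).build())
    return builder.sign(issuer_key, hashes.SHA256())


def validate_path(path, trust_anchor, crls):
    """Walk a certification path ordered end entity -> ... -> trust anchor.

    `path` excludes the anchor; `crls` maps an issuer's RFC 4514 name to its CRL.
    Returns (True, "ok") or (False, reason). Only the chain, signature and
    revocation checks are done; validity dates and key usage are left out.
    """
    chain = list(path) + [trust_anchor]
    for cert, issuer in zip(chain, chain[1:]):
        if cert.issuer != issuer.subject:
            return False, "chain-break"
        try:
            issuer.public_key().verify(cert.signature, cert.tbs_certificate_bytes,
                                       ec.ECDSA(cert.signature_hash_algorithm))
        except InvalidSignature:
            return False, "bad-signature"
        if not issuer.extensions.get_extension_for_class(x509.BasicConstraints).value.ca:
            return False, "issuer-not-ca"
        crl = crls.get(issuer.subject.rfc4514_string())
        if crl is None or not crl.is_signature_valid(issuer.public_key()):
            return False, "no-valid-crl"
        if crl.get_revoked_certificate_by_serial_number(cert.serial_number) is not None:
            return False, "revoked"
    return True, "ok"


def demo():
    """Build root -> issuing CA -> client and check the path three ways."""
    root_key, ca_key, client_key = (ec.generate_private_key(ec.SECP256R1()) for _ in range(3))
    root = issue(name("Example Root CA"), root_key.public_key(), name("Example Root CA"), root_key, True)
    issuing = issue(name("Example Issuing CA"), ca_key.public_key(), root.subject, root_key, True)
    csr = make_csr("vpn-user-01", client_key)   # what the client would send to the CA
    assert csr.is_signature_valid               # proof of possession of the private key
    client = issue(csr.subject, csr.public_key(), issuing.subject, ca_key, False)

    clean = {root.subject.rfc4514_string(): make_crl(root, root_key, []),
             issuing.subject.rfc4514_string(): make_crl(issuing, ca_key, [])}
    revoking = dict(clean)
    revoking[issuing.subject.rfc4514_string()] = make_crl(issuing, ca_key, [client.serial_number])
    return {
        "good": validate_path([client, issuing], root, clean),
        "revoked": validate_path([client, issuing], root, revoking),
        "wrong_order": validate_path([issuing, client], root, clean),
    }


if __name__ == "__main__":
    for case, result in demo().items():
        print(f"{case}: {result}")
```

The "wrong_order" case is the point of the word "ordered" in the certification path definition: the same certificates presented in the wrong sequence do not chain, so the check fails before any signature is examined. The "revoked" case shows why the gateway's CRL checking (covered in Chapter 3) matters even when every signature on the path is valid.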
Hard-copy technical manuals
To print selected technical manuals and release notes free, directly from the Internet, go to www.nortel.com/documentation. Find the product for which you need documentation, then locate the specific category and model or version for your hardware or software product. Use Adobe* Acrobat Reader* to open the manuals and release notes, search for the sections you need, and print them on most standard printers. Go to the Adobe Systems website at www.adobe.com to download a free copy of the Adobe Acrobat Reader.
How to get Help
This section explains how to get help for Nortel products and services.
Getting Help from the Nortel Web site
The best source of support for Nortel products is the Nortel Support Web site:
http://www.nortel.com/support
This site enables customers to:
download software and related tools
download technical documents, release notes, and product bulletins
sign up for automatic notification of new software and documentation
search the Support Web site and Nortel Knowledge Base
open and manage technical support cases
Getting Help over the phone from a Nortel Solutions Center
If you have a Nortel support contract and cannot find the information you require on the Nortel Support Web site, you can get help over the phone from a Nortel Solutions Center.
In North America, call 1-800-4NORTEL (1-800-466-7835).
Outside North America, go to the Web site below and look up the phone number that applies in your region:
http://www.nortel.com/callus
When you speak to the phone agent, you can reference an Express Routing Code (ERC) to more quickly route your call to the appropriate support specialist. To locate the ERC for your product or service, go to:
http://www.nortel.com/erc
Getting Help through a Nortel distributor or reseller
If you purchased a service contract for your Nortel product from a distributor or authorized reseller, you can contact the technical support staff for that distributor or reseller.
Chapter 1 Installing the client
This chapter provides information on how to install the client on Microsoft* Windows XP and Windows 2000 systems. It also includes information on Windows Domain Logon and Nortel graphical identification and authentication (NNGINA).
Windows installations
To install the client, copy the Contivity VPN Client installer (EAC601D.exe) from the Client folder on the Contivity Secure IP Services Gateway CD to your hard drive.
1 Double-click EAC601D.exe. The Welcome screen appears. (Figure 1)
Figure 1 Welcome screen
2 Click Next. The License Agreement screen appears. (Figure 2)
Figure 2 License Agreement screen
3 Click Yes to accept the license. The Destination screen appears. (Figure 3)
Figure 3 Destination screen
4 Click Next to accept the default installation location or click Browse to install in another directory. The Select Program Folder screen appears. (Figure 4)
Figure 4 Program folder screen
5 Click Next to select the default program folder or choose one of the listed program folders. The Install and run Contivity VPN Client screen appears. (Figure 5)
Figure 5 Install and run screen
6 Select the method that you want to use to install and run the client:
Application (default)
Windows service (Two step Domain Logon); see “Two step domain logon” on page 23
Windows GINA (Connect Before Logon); see “Graphical Identification and Authentication (GINA)” on page 24
7 Click Next. The Start Copying Files screen appears. (Figure 6)
Figure 6 Start Copying Files screen
8 Click Next to continue the installation.
9 When prompted at the end of the installation, reboot your system.
10 Double-click the Contivity VPN Client icon.
a Enter a new Connection name.
b Optionally, enter a description for the connection.
c Create a new Dial-up Connection. Click on Tool (next to the Dial-up Connection list box), select New, and follow the wizard.
d If you have made any changes in the Network Control Panel, click OK, and then reboot the system.
If you are using the client over a dial-up connection, be sure to check the following for your system:
Windows 2000: Install the Remote Access Service under the Network Control Panel (from the Start menu, select Settings > Control Panel, then double-click the Network icon to open the Network Control Panel). Select the Services tab and click Add. Scroll down to select Remote Access Service and click OK.
Windows XP: Install the Remote Access Service under the Network Control Panel (from the Start menu, select Settings > Control Panel, then double-click the Network icon to open the Network Control Panel). Select the Network Connection icon and click Create a New Connection to bring up the New Connection Wizard.
Under the Network Control Panel for Windows XP and Windows 2000, verify that NetBEUI is not installed. If NetBEUI is listed, click it, then click Remove. This forces the Network Neighborhood to use NetBIOS over TCP/IP, which is compatible with the switch. Click OK and reboot your system.
Windows Domain Logon
There are two ways to log on to the Windows domain:
Windows service (Two-step Domain Logon)
Windows GINA (Connect Before Logon)
Two step domain logon
You can log on to a Windows domain that exists on the private side of the switch. You must have a valid Windows domain account that is accessible from the private side of the switch.
Note: In Windows 2000 and Windows XP, the Contivity VPN Client adapter is not displayed in the Network Control Panel. However, if you run a utility such as IPCONFIG, it will respond.
To log on to the Windows domain:
1 Launch the Contivity VPN Client.
2 Make a connection to the switch that has the Windows NT domain.
3 Press Ctrl + Alt + Delete to log on to the Windows NT domain from the already established connection to the switch.
Graphical Identification and Authentication (GINA)
A Graphical Identification and Authentication (GINA) Dynamic Link Library (DLL) provides an automated process to complete a Windows domain logon through a VPN tunnel. GINA implements the authentication policy of the interactive logon and performs all identification and authentication user interactions for the Windows system. You do not need to log on locally to launch the client, then log off the local system to authenticate to the Windows domain.
The Nortel GINA (nngina.dll) launches and synchronizes a successful tunnel creation with the Contivity VPN Client and disconnects the Contivity tunnel when you log off. After making a successful Contivity VPN connection, the Windows domain logon is continued through the established Contivity VPN tunnel connection. GINA chaining detects the presence of a previously installed third-party GINA and passes all pass-through calls to that particular GINA (see Chapter 2, “Customizing the client,” on page 58).
This feature is supported on:
Windows 2000
Windows XP Professional
To install GINA, select the Windows GINA (Connect Before Logon) option on the Install and run Contivity VPN Client screen. When prompted at the end of the installation, reboot your system.
Note: When you install GINA, Windows disables fast user switching.
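As an added example (not part of the Nortel manual), the following PowerShell function reports which GINA DLL Winlogon is configured to load, so an administrator can confirm that nngina.dll is the active GINA after installing the Connect Before Logon option, and notice if some other DLL has taken its place. It assumes the standard Winlogon registry value name GinaDLL, that a bare file name refers to a DLL in %SystemRoot%\System32, and that the built-in msgina.dll is used when the value is absent.

```powershell
# Added example, not Nortel code: check which GINA DLL Winlogon will load
# at Ctrl+Alt+Delete. Assumes the standard Winlogon key and GinaDLL value
# name and the System32 location for a bare file name. Run as administrator.
function Get-GinaStatus {
    $winlogon = 'HKLM:\SOFTWARE\Microsoft\Windows NT\CurrentVersion\Winlogon'
    $value = Get-ItemProperty -Path $winlogon -Name GinaDLL -ErrorAction SilentlyContinue

    if (-not $value -or -not $value.GinaDLL) {
        # No GinaDLL value: Winlogon uses the built-in msgina.dll, so the
        # Connect Before Logon (GINA) option is not installed on this system.
        return [pscustomobject]@{
            GinaDLL      = 'msgina.dll (default, value not set)'
            IsNortelGina = $false
            Path         = $null
            Signature    = $null
        }
    }

    $name = $value.GinaDLL
    $path = if ([IO.Path]::IsPathRooted($name)) { $name }
            else { Join-Path $env:SystemRoot ("System32\" + $name) }
    $isNortel = ([IO.Path]::GetFileName($name) -ieq 'nngina.dll')

    # If Connect Before Logon was installed but the value names another DLL,
    # something has replaced the Nortel GINA since installation; investigate.
    # The file must exist, and a valid Authenticode signature is expected.
    $sig = if (Test-Path -Path $path) {
        (Get-AuthenticodeSignature -FilePath $path).Status
    } else {
        'FILE MISSING'
    }

    [pscustomobject]@{
        GinaDLL      = $name
        IsNortelGina = $isNortel
        Path         = $path
        Signature    = $sig
    }
}

Get-GinaStatus | Format-List
```

A result with IsNortelGina set to False on a system where the GINA option was installed, or a Signature other than Valid, is worth following up before the next logon.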
Logging on through client connection
After the client installation is complete, use the following procedure to log on through a Contivity VPN Client connection.
1 Press Control + Alt + Delete. The Contivity VPN Client GINA interface appears. This is a Contivity GINA dialog (not the Windows GINA dialog). (Figure 7)
Figure 7 Connect Before Logon screen
2 Enter your Windows credentials, which are used to perform a local system logon. The Contivity VPN client is launched. (Figure 8 on page 26)
Note: Auto domain logon is the default.
Note: If you do not want to use the Connect Before Logon feature after it is installed, click on Cancel and the Windows domain logon screen will appear.
Figure 8 Contivity VPN Client logon screen
3 Enter the Contivity VPN tunnel credentials. A successful VPN tunnel connection is completed from the Contivity VPN client. The Windows domain logon is automatically executed using the authentication credentials provided in the Contivity Client GINA dialog. The Domain logon is established using the existing Contivity VPN tunnel connection.
First domain logon
You can also log on to the system using an existing local account to establish the Contivity VPN Tunnel. You are then logged into the local system with the credentials provided.
Note: When the Contivity VPN Client is running as a service under Windows 2000 or Windows XP, you may not be able to log off after you log in and log off several times. This is a known Windows issue when an NT Service is involved with an active GUI interface. To work around the problem, you must first disconnect the Contivity VPN Client service and then log off.
A completely automated Windows domain logon requires that you are authenticated locally and have previously logged on successfully to the target Windows domain. The first time you attempt a domain logon directly through the Contivity GINA, without a prior successful Windows domain logon from the local system, the initial user logon attempt fails.
You can either execute the current Contivity VPN Client Windows domain logon or use the Contivity Client GINA by deselecting the “Auto Domain Logon” option and logging on using an existing local user account. The Windows GINA screen appears to complete the domain logon.
Enabling and disabling Connect Before Logon
To enable or disable Connect Before Logon, go to the Options menu (Figure 9) and either select or deselect the Connect Before Logon option. The Contivity VPN Client GINA dialog provides simultaneous Windows NT domain logon when logging on to the workstation. The Contivity VPN Client must be installed with the GINA option to be available.
Figure 9 Options menu
Note: The client system must have been previously configured to allow
access to the desired Windows domain. This configuration can be set up by the Windows domain administrator.