Nortel Networks NN46120-104 User Manual

Nortel VPN Gateway
User Guide
Release: 7.1 Document Revision: 02.01
www.nortel.com
NN46120-104
216368-G
Copyright © 2007-2008 Nortel Networks All Rights Reserved.
The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks.
*Nortel, Nortel Networks, the Nortel logo and the Globemark are trademarks of Nortel Networks.

Export

This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or reexport may be required by the U.S. Department of Commerce.

Licensing

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (https://www.openssl.org/).
This product includes cryptographic software written by Eric Young (eay@cryptsoft.com).
This product includes software written by Tim Hudson (tjh@cryptsoft.com).
This product includes software developed by the Apache Software Foundation (http://www.apache.org/).
This product includes a TAP-Win32 driver derived from the CIPE-Win32 kernel driver, Copyright © Damion K. Wilson, and is licensed under the GPL.

Contents

Preface 7
  Who Should Use This Book 8
  Related documentation 9
  Product Names 10
  How This Book Is Organized 11
  Typographic Conventions 13
  How to Get Help 14
    Getting help from the Nortel Web site 14
    Getting help over the phone from a Nortel Solutions Center 14
    Getting help from a specialist by using an Express Routing Code 14
    Getting help through a Nortel distributor or reseller 14
Introducing the VPN Gateway 15
  SSL Acceleration 16
  VPN 17
  Hardware Platforms 18
  Feature List 19
Introducing the ASA 310-FIPS 27
  HSM Overview 28
  Extended Mode vs. FIPS Mode 29
  The Concept of iKey Authentication 30
  Additional HSM Information 33
Initial Setup 35
  Clusters 36
  IP Address Types 37
  Ports 38
  Interfaces 39
  Configuration at Boot Up 41
  Installing an NVG in a New Cluster 42
  Joining a VPN Gateway to an Existing Cluster 52
  Installing an ASA 310-FIPS 58
  Reinstalling the Software 70
Copyright © 2007-2008 Nortel Networks
User Guide
NN46120-104 02.01 Standard
14 April 2008
Upgrading the NVG Software 73
  Performing Minor/Major Release Upgrades 74
Managing Users and Groups 79
  User Rights and Group Membership 80
  Adding a New User 81
  Changing a User’s Group Assignment 86
  Changing a User’s Password 88
  Deleting a User 91
Certificates and Client Authentication 93
  Generating and Submitting a CSR Using the CLI 94
  Adding Certificates to the NVG 99
  Update Existing Certificate 107
  Configure a Virtual SSL Server to Require a Client Certificate 108
  Generating client certificates 110
  Managing Revocation of Client Certificates 116
  Client certificate support 123
  Signing CSRs 124
  Generate Test Certificate 126
  General Commands 128
Virtual Desktop 131
  Running the Virtual Desktop on Client Computers 132
  Licensing vdesktop 132
  Launch Vdesktop from Portal 133
  Virtual Desktop Operations 134
The Command Line Interface 135
  Connecting to the VPN Gateway 136
  Accessing the NVG Cluster 140
  CLI vs. Setup 142
  Command Line History and Editing 143
  Idle Timeout 144
Troubleshooting the NVG 145
  Cannot Connect to VPN Gateway through Telnet or SSH 146
  Cannot Add an NVG to a Cluster 148
  Cannot Contact the MIP 149
  The NVG Stops Responding 151
  A User Password is Lost 152
  An ASA 310-FIPS Stops Processing Traffic 153
  Resetting HSM Cards on the ASA 310-FIPS 155
  An ASA 310-FIPS Cluster Must be Reconstructed onto New Devices 158
  A User Fails to Connect to the VPN 163
  User Unable to Connect to the VPN Gateway through the Net Direct Client 168
  Cannot download the NetDirect Zipped file from client PC 171
  System Diagnostics 172
  Unable to download NetDirect from VPN server 175
Supported Ciphers 177
  Cipher List Formats 179
  Modifying a Cipher List 180
  Supported Cipher Strings and Meanings 181
The SNMP Agent 183
  Supported MIBs 184
  Supported Traps 189
Syslog Messages 191
  List of Syslog Messages 192
  Syslog Messages in Alphabetical Order 209
License Information 223
HSM Security Policy 233
Definition of Key Codes 253
  Syntax Description 254
SSH host keys 257
  Methods for Protection 258
  The VPN Gateway 259
Adding User Preferences Attribute to Active Directory 261
Using the Port Forwarder API 271
  General 272
  Creating a Port Forwarder 273
  Demo Application 274
  Creating a Port Forwarder Authenticator 276
  Adding a Port Forwarder Logger 279
  Connecting Through a Proxy 282
  Monitoring the Port Forwarder 283
Glossary 285
Index 295

Preface

This User’s Guide describes how to perform basic configuration and maintenance of the Nortel VPN Gateway (NVG).

Who Should Use This Book

This User’s Guide is intended for network installers and system administrators engaged in configuring and maintaining a network. It assumes that you are familiar with Ethernet concepts and IP addressing.

Related documentation

For full documentation on installing and using the many features available in the VPN Gateway software, see the following manuals:
VPN Gateway 7.1 Command Reference
(part number 216369-F, April 2008) Describes each command in detail. The commands are listed per menu, according to the order they appear in the Command Line Interface (CLI).
VPN Gateway 6.0 Application Guide for SSL Acceleration
(part number 216370-D, April 2008) Provides examples on how to configure SSL Acceleration through the CLI.
VPN Gateway 7.1 CLI Application Guide for VPN
(part number 216371-F, April 2008) Provides examples on how to configure VPN deployment through the CLI.
VPN Gateway 7.1 BBI Application Guide for VPN
(part number 217239-E, April 2008) Provides examples on how to configure VPN deployment through the BBI (Browser-Based Management Interface).
VPN Gateway 7.1 VPN Administrator Guide
(part number 217238-E, April 2008) VPN management guide intended for end-customers in a Secure Service Partitioning configuration.
VPN Gateway 3050/3070 Hardware Installation Guide
(part number 216213-B, March 2005) Describes installation of the VPN Gateway 3050 and 3070 hardware models.
VPN Gateway 7.1 Configuration-Secure Portable Office Client
(part number 324637-A, April 2008)
VPN Gateway 7.1 Troubleshooting Guide
(part number 324371-B, April 2008) Describes the prerequisites and various tools used to troubleshoot the Nortel VPN Gateway (NVG).
VPN Gateway 7.1 Release Notes
(part number 216372-W, April 2008) Lists new features available in version 7.1 and provides up-to-date product information.
The preceding manuals are available for download (see “How to Get Help” (page 14)).

Product Names

The software described in this manual runs on several different hardware models. Whenever the generic terms Nortel VPN Gateway, VPN gateway or NVG are used in the documentation, the following hardware models are implied:
Nortel VPN Gateway 3050 (NVG 3050)
Nortel VPN Gateway 3070 (NVG 3070)
Nortel SSL VPN Module 1000 (SVM 1000)
Nortel SSL Accelerator 310-FIPS (ASA 310-FIPS)
The integrated SSL Accelerator (SSL processor) on the Nortel 2424-SSL switch
Nortel VPN Gateway Universal Serial Bus
Similarly, all references to the old product name – iSD-SSL or iSD – in commands or screen outputs should be interpreted as applying to the preceding hardware models.
Note: Manufacturing of the Nortel SSL Accelerator (formerly Alteon SSL Accelerator) has been discontinued.

How This Book Is Organized

The chapters in this book are organized as follows:

User’s Guide

“Introducing the VPN Gateway” (page 15) provides an overview of the major features of the VPN Gateway, including its physical layout and the basic concepts of its operation.
“Introducing the ASA 310-FIPS” (page 27) provides information about the ASA 310 equipped with HSM cards, as well as information about the available security modes and the concept of iKey authentication.
“Initial Setup” (page 35) describes how to install the NVG in a new cluster, and how to add an NVG to an existing cluster. The chapter also provides information about the concept of NVG clusters, as well as the usage and configuration of ports and networks within a cluster. A section describing how to reinstall the software is also included.
“Upgrading the NVG Software” (page 73) describes how to upgrade the NVG software for a minor release upgrade, and a major release upgrade, as well as upgrading from software versions earlier than 2.0.11.16 to version 3.0.7.
“Managing Users and Groups” (page 79) describes the management of users, groups, and passwords. The chapter also explains how the Administrator user role can be fully separated from the Certificate Administrator user role.
“Certificates and Client Authentication” (page 93) describes how to generate and prepare keys and certificates for use with the NVG.
“The Command Line Interface” (page 135) describes how to connect to the NVG and access the information and configuration menus.
“Troubleshooting the NVG” (page 145) provides suggestions for troubleshooting basic problems. Information about performing system diagnostics on the NVG is also included, as well as some operations related to the ASA 310-FIPS model.
Appendices
“Supported Ciphers” (page 177) provides a list of ciphers supported in this product.
“The SNMP Agent” (page 183) provides information about the SNMP agent on the NVG, and which MIBs (Management Information Bases) are supported.
“Syslog Messages” (page 191) contains a list of all syslog messages that can be sent to a syslog server that is added to the NVG system configuration.
“License Information” (page 223) provides licensing information for the software used in this product.
“HSM Security Policy” (page 233) provides detailed information about the security policy of the CryptoSwift® HSM card that comes installed in the ASA 310-FIPS.
“Definition of Key Codes” (page 253) provides information about how to compile a keycode definition file to be used with the Terminal applet available on the Telnet/SSH tab (located under the Portal’s Advanced tab).
“SSH host keys” (page 257) provides information about the purpose of SSH host keys and how they are used to protect the connection between the SSH client and the VPN Gateway.
“Adding User Preferences Attribute to Active Directory” (page 261) provides step-by-step instructions on how to add the User Preferences attribute to Active Directory. This is required to support storage of Portal bookmarks in Active Directory.
“Using the Port Forwarder API” (page 271) provides instructions on how to perform the tasks needed when using the Port Forwarder API. The Port Forwarder API is used to provide tunnels through the Nortel VPN Gateway (NVG) without the user having to start any applets from the Portal.
“Glossary” (page 285) includes definitions of terminology used throughout this document.

Typographic Conventions

The following table describes the typographic styles used in this book.
Table 1 Typographic Conventions

Typeface or Symbol: AaBbCc123
Meaning: This type is used for names of commands, files, and directories used within the text. It also depicts on-screen computer output and prompts.
Example: View the readme.txt file.
         Main#

Typeface or Symbol: AaBbCc123 (bold)
Meaning: This bold type appears in command examples. It shows text that must be typed in exactly as shown.
Example: Main# sys

Typeface or Symbol: <AaBbCc123> (italic)
Meaning: This italicized type appears in command examples as a parameter placeholder. Replace the indicated text with the appropriate real name or value when using the command. Do not type the brackets. This also shows book titles, special terms, or words to be emphasized.
Example: To establish a Telnet session, enter:
         host# telnet <IP address>
         Read your User’s Guide thoroughly.

Typeface or Symbol: [ ]
Meaning: Command items shown inside brackets are optional and can be used or excluded as the situation demands. Do not type the brackets.
Example: host# ls [-a]

How to Get Help

This section explains how to get help for Nortel products and services.

Getting help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel Technical Support Web site: https://www.nortel.com/support/. This site provides quick access to software, documentation, bulletins, and tools to address issues with Nortel products. From this site, you can:
download software, documentation, and product bulletins for answers to technical issues
sign up for automatic notification of new software and documentation for Nortel equipment
open and manage technical support cases

Getting help over the phone from a Nortel Solutions Center

If you do not find the information you require on the Nortel Technical Support web site, and have a Nortel support contract, you can also get help over the phone from a Nortel Solutions Center. In North America, call 1-800-4NORTEL (1-800-466-7835). Outside North America, go to the following web site to obtain the phone number for your region:
www.nortel.com/callus

Getting help from a specialist by using an Express Routing Code

An Express Routing Code (ERC) is available for many Nortel products and services. When you use an ERC, your call is routed to a technical support person who specializes in supporting that product or service. To locate the ERC for your product or service, go to: http://www.nortel.com/erc/

Getting help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a distributor or authorized reseller, contact the technical support staff for that distributor or reseller.

Introducing the VPN Gateway

The Nortel VPN Gateway (NVG) software includes two major functionality groups:
SSL Acceleration
VPN
These features can be used separately or be combined. This User’s Guide covers the basic tasks that need to be completed irrespective of which feature you wish to deploy.

SSL Acceleration

The VPN Gateway can function as a peripheral Secure Sockets Layer (SSL) offload platform that attaches to a Nortel Application Switch or a comparable switch from another vendor. (The VPN Gateway can also operate in standalone mode, i.e. without being connected to a switch.)
The VPN Gateway performs a TCP three-way handshake with the client through the Nortel Application Switch and performs all the SSL encryption and decryption for the session. Combined with the load balancing features of the Nortel Application Switch, the VPN Gateway offloads SSL encryption/decryption functions from back-end servers.
For examples on how to configure the VPN Gateway for SSL Acceleration, see the Application Guide for SSL Acceleration.
For more information about the basic operations of the VPN Gateway, see the "Public Key Infrastructure and SSL" chapter in the Application Guide for SSL Acceleration.
VPN
The VPN feature supports remote access to intranet or extranet resources (applications, mail, files, intranet web pages) through a secure connection. What information should be accessible to the remote user after login is determined by access rules (ACLs).
The intranet’s resources can be accessed in clientless mode, transparent mode or both:
From any computer connected to the Internet (clientless mode). The remote user connects to the VPN Gateway through a secure SSL connection through the web browser. When successfully authenticated, the user can access services and resources on the intranet from a Web Portal provided by the VPN Gateway. Clientless mode also enables download of the Net Direct client, a simple and secure method for accessing intranet resources through the remote user’s native applications.
From a computer with the Nortel IPsec VPN client (formerly Contivity VPN client) or the Nortel SSL VPN client installed (transparent mode).
For examples on how to configure the VPN Gateway for VPN deployment, see the Application Guide for VPN.

Hardware Platforms

The VPN Gateway software is supported on the following hardware platforms:
Nortel VPN Gateway 3050 and 3070
Nortel SSL VPN Module 1000
Nortel SSL Accelerator 310 and 410
Nortel SSL Accelerator 310-FIPS, with FIPS-compliant Hardware Security Module (HSM). See “Introducing the ASA 310-FIPS” (page 27).
Nortel 2424-SSL Application Switch
For a detailed technical specification of the hardware platforms, see the "Specifications" appendix in the VPN Gateway 3050/3070 Hardware Installation Guide and the Alteon SSL Accelerator Hardware Installation Guide respectively.
No hardware installation is required for the Nortel Application Switch 2424-SSL. The VPN Gateway software resides on the SSL Processor which is mounted inside the switch chassis.
Note: Manufacturing of the Nortel SSL Accelerator (formerly Alteon SSL Accelerator) has been discontinued.

Feature List

Software Features

Web Portal
Web Portal interface for remote users accessing the VPN Gateway in clientless mode, that is, through the browser.
Corporate resources available to users as preconfigured group links or accessible through the Portal tabs.
Support for native Telnet and SSH (including X11 forwarding) access to intranet servers through the terminal Java applet (available on the Portal’s Advanced tab).
Support for handling plugins, Flash and Java applets using the HTTP proxy Java applet (available on the Portal’s Advanced tab).
Support for application tunneling (port forwarding) through SOCKS encapsulated in SSL (available on the Portal’s Advanced tab).
API provided for developing a custom application that automatically logs in the user to the desired VPN and executes a previously configured port forwarder link.
Support for customizing the Web Portal, for example, color, logo, language and company name.
Three user views available (novice, medium and advanced) to limit access to Portal tabs.
Support for automatic redirection of requests to another URL (Portal pass-through).
Support for Portal bookmarks.
Ability to specify domains for which single sign-on is allowed.
Net Direct client (SSL). VPN client temporarily downloaded from the Portal and removed when the user exits the session. On Windows, Net Direct is also available as an installable client (setup.exe file).
Transparent Mode Access
Access to intranet resources in transparent mode, that is, without going through the Web Portal, is accomplished using Windows VPN clients installed on the client PCs. In this mode, remote users will experience network access as if sitting within the local area network. The following VPN clients are available:
Nortel SSL VPN client (TDI and LSP version).
Nortel IPsec VPN client (formerly the Contivity VPN client). Not supported on the ASA 310, ASA 310-FIPS and ASA 410 hardware models.
Net Direct installable client.
User Authentication
User authentication is supported using the following methods:
RADIUS (including Challenge/Response)
LDAP (including Microsoft Active Directory)
NTLM (Windows NT Domain, including Microsoft Active Directory)
Secure Computing SafeWord (RADIUS)
Netegrity SiteMinder
RSA SecurID (native or through RADIUS)
RSA ClearTrust
ActivCard (RADIUS)
Novell NDS/eDirectory (LDAP)
Client certificate authentication
Local database authentication
User Authorization
User authorization is controlled through the user’s group membership. Two different authorization profile types are supported:
The base profile defines a group member’s access rights to networks, services and paths.
The extended profile (optional) also defines a group member’s access rights depending on conditions related to the user’s connection, for example, source network, authentication method, access method, client certificate installed and/or Tunnel Guard checks passed.
Client Security
Tunnel Guard. Feature for checking the security aspects of the remote PC client, that is, installed antivirus software, DLLs, executables and so on.
WholeSecurity support. Lets you enable a scan of the client PC before the remote user is allowed to log in to the VPN.
User session auto-logoff.
Cache and browser history automatically cleared (only for Internet Explorer).
Accounting and Auditing
Support for logging user session start and stop messages to a syslog or RADIUS accounting server. The messages can include VPN ID, user name, gateway address, session ID, session time and cause of termination.
Support for logging CLI and Web User Interface operations (for example, login, logout and executed operation) to a syslog or RADIUS accounting server.
Networking
Supports creating multiple interfaces within a cluster, for example, to separate client traffic and management traffic. (Not supported on the Nortel Application Switch 2424-SSL).
Support for clustering over multiple subnets.
Supports assigning two physical network ports to one interface, to create a port failover (high availability) solution where one VPN Gateway is attached to two Nortel Application Switches.
Secure Service Partitioning
The NVG software provides the ability to partition a cluster of VPN Gateways into separate VPNs. This gives service providers (ISPs) the possibility to host multiple VPN end-customers on a shared Remote Access Services (RAS) platform. Requires a license.
Supports hosting of up to 250 public termination points for end-customer SSL and IPsec VPNs.
Secure VPN binding. Each VPN is bound to a private IP interface.
VLAN tagging can be used when private IP address spaces overlap.
Private network authentication. Existing authentication servers within the customer’s private network can be used.
Access control. Unique access rules can be specified for each user group in the various VPNs.
Private network name resolution. If desired, private network DNS servers can be mapped to the VPN.
Split administration. VPN Portal management is enabled for each VPN customer through a web interface, without exposing global administration access.
High availability. The Secure Service Partitioning solution is compatible with the NVG cluster’s high availability solutions.
Branch Office Tunnels
The NVG software provides the ability to configure IPsec-based branch office tunnels. Several peer-to-peer branch office tunnels can be configured for each virtual private network (VPN). The following number of branch office tunnels can be configured per hardware model:
NVG 3070: 2500
NVG 3050: 1000
Nortel 2424-SSL Application Switch: 500
For example, a cluster of two NVG 3070s supports 5000 branch office tunnels.
Portal Guard
Feature used to "convert" an existing HTTP site to generate HTTPS links, secure cookies and so on. The VPN Gateway will not only handle the SSL processing but also see to it that all existing web links are rewritten to HTTPS. This eliminates the need to rewrite each link manually. Requires a license.
SSL Acceleration
The NVG software also includes features for SSL acceleration. Note that these features in some cases require interoperation with a Nortel Application Switch.
Supports accelerated SSL processing by offloading SSL encryption and decryption from backend servers.
Supports load balancing of encrypted and unencrypted traffic for up to 256 backend servers, with health checking and persistent client connections.
Ability to create multiple clusters of VPN Gateways, each capable of serving its own group of real servers.
Supports rewriting of client requests.
Ability to transmit additional information to the backend servers.
Supports end-to-end encryption.
Compatible with all Nortel Application Switches, Nortel Web Switches and comparable switches from other vendors.
SSL Acceleration is covered in the Application Guide for SSL Acceleration.
Scalability and Redundancy
Support for 256 VPN Gateways per cluster
Support for 256 virtual SSL servers
Provides dynamic plug and play – VPN Gateways can be added to or removed from a cluster dynamically without disrupting network traffic
Provides a single system image (SSI) – all VPN Gateways in a given cluster are configured as a single system
High level of redundancy in the master/slave cluster design; even if three master VPN Gateways in a cluster would fail, additional slave NVGs will still be operational and can accept configuration changes
Certificate and Key Management
Server and client authentication
Generation and revocation of client certificates
Automatic retrieval of certificate revocation lists (CRLs)
Validation of private keys and certificates
Generation of certificate signing requests (CSRs)
Generation of self-signed certificates
Public Key Infrastructure
RSA pair key generation
Server certificate enrollment
Server key and certificate import/export
Key and certificate renewal
Supported Key and Certificate Formats
PEM
DER
NET
PKCS12
PKCS8
KEY(MS IIS4.0)
Supported Handshake Protocols
SSL versions 2.0, 3.0
TLS version 1.0
Hash Algorithms
Message Digest 5 (MD5)
SHA1
Cipher Suites
All ciphers covered by SSL version 2.0, 3.0 and TLS version 1.0, except the IDEA and FORTEZZA ciphers. Also see “Supported Ciphers” (page 177).
Management
Web User Interface (HTTP or HTTPS).
Command Line Interface (CLI) access through Telnet/SSH or serial port.
SNMP version 1, version 2c and version 3.
RADIUS authentication of CLI/BBI administrator users (including console access).
Statistics
Statistics can be viewed per access method (SSL or IPsec) for the whole cluster as well as for specific VPN Gateways, SSL servers and VPNs.
Support for histograms, for example, to measure transactions per second (TPS) and throughput.
Virtual Desktop
Symantec On-Demand Agent (SODA) provides a Virtual Desktop environment to secure Web-based applications and services. Virtual Desktop is a Java application that provides protection against lost or theft of sensitive information. Files created while in the virtual desktop are encrypted as they are saved to a hard drive or removable media. Integrating Virtual Desktop with NVG will provide a secure environment for end users while accessing confidential information.
Secure Portable Office (SPO) Client
The SPO client provides VPN access from portable storage such as USB compliant flash memory and CD ROM.
The SPO client provides enhanced mobility, portability, and security compared to traditional VPN access methods. The SPO client can be deployed and managed from the NVG server thus simplifying SPO client maintenance and updates.
For more information about the Secure Portable Office Client, see the VPN Gateway 7.1 Configuration-Secure Portable Office Client guide.

Introducing the ASA 310-FIPS

This section provides information about the ASA 310-FIPS model, which comes installed with the HSM (Hardware Security Module) card. The HSM card complies with all the security requirements specified by the Federal Information Processing Standard (FIPS) 140-1, Level 3 standards. Each ASA 310-FIPS device is equipped with two identical HSM cards.
Note: When using the ASA 310-FIPS device in a cluster, remember that all NVG devices in the cluster must be of the ASA 310-FIPS model.

HSM Overview

The HSM card found on the ASA 310-FIPS model is an SSL accelerator, just like the ordinary CryptoSwift card found on the regular ASA 410 model. In addition to cryptographic acceleration, the HSM card brings extra security to sensitive operations and is designed to withstand physical tampering.
The HSM card provides a secure storage area for cryptographic key information. The storage area is secured by a constantly monitored tamper detection circuit. If tampering is detected, the battery backup power to memory circuits on the card is removed. Critical security parameters, such as private keys that are in the storage area, will then be destroyed and rendered useless to the intruder.
Any sensitive information that is transferred between two HSM cards within the same ASA 310-FIPS, or between any number of HSM cards within a cluster of ASA 310-FIPS devices, is encrypted using a shared secret (also known as a wrap key) stored on the HSM card.
Some user operations require a two-phase authentication, which involves using both hardware tokens (called iKeys) and an associated password to provide an extra layer of security. For example, if the ASA 310-FIPS is power cycled (as in the case of theft), no SSL traffic is processed until the operator logs in to the HSM card using both an iKey and the correct password.
All cryptographic requests, such as generating private keys or performing encryption, are automatically routed to the HSM card by the NVG application and performed on the HSM card only.
Extended Mode vs. FIPS Mode

When installing the very first ASA 310-FIPS into a new cluster, you can choose to initialize the HSM cards in either Extended mode or FIPS mode. Extended mode is the default selection, and is appropriate whenever your security policy does not explicitly require that you conform to the FIPS 140-1, Level 3 standard (see the following for more information).
The main difference between Extended mode and FIPS mode involves how private keys are handled. For both modes, all private keys are stored encrypted in the database on the ASA 310-FIPS. When the HSM card is initialized in Extended mode, the encrypted private key needed to perform a specific operation is transferred to the HSM card over the PCI bus. The private key is then decrypted on the HSM card itself, using the wrap key that was generated during the initialization and is stored on the card. The private key is thus never exposed in plain text outside the HSM card.
When the HSM card is initialized in FIPS mode, the encrypted private key needed to perform a specific operation is read from the database into RAM, together with the wrap key from the HSM card. The private key is then decrypted in RAM, where it remains accessible for subsequent operations.
FIPS140-1 Level 3 Security 29
Also, when the ASA 310-FIPS is initialized in FIPS mode, all private keys must be generated on the ASA 310-FIPS device itself. Importing private keys, or certificate files that contain private keys, is not allowed due to the FIPS security requirements. This means that certain CLI commands that are used for importing certificates and keys through a copy and paste operation, or through TFTP/FTP/SCP/SFTP, cannot be used when the ASA 310-FIPS is initialized in FIPS mode.

FIPS140-1 Level 3 Security

The HSM card meets all of the security requirements specified by the FIPS 140-1, Level 3 standard. FIPS 140-1 is a U.S. government standard for implementations of cryptographic modules, that is, hardware or software that encrypts and decrypts data or performs other cryptographic operations (such as creating or verifying digital signatures).
FIPS 140-1 is binding on U.S. government agencies deploying applications that use cryptography to secure sensitive but unclassified (SBU) information, unless those agencies have been specifically exempted from compliance by the relevant U.S. laws referenced in the standard.
For more information about the FIPS specification, visit http://csrc.nist.gov/publications/fips/index.html and scroll down to "FIPS 140-1".

The Concept of iKey Authentication

Access to sensitive data on an ASA 310-FIPS is protected by a combination of hardware tokens (called iKeys), passwords, and encryption procedures.
The iKey is a cryptographic token that is used as part of the authentication process for certain operations involving the HSM cards. Whenever you perform an operation on the ASA 310-FIPS calling for iKey authentication, you are prompted by the Command Line Interface to insert the requested iKey into the USB port on the appropriate HSM card. (When prompted for a particular iKey, a flashing LED always directs you to the correct HSM card.)

Types of iKeys

For each HSM card there are two unique iKeys used for identity-based authentication: the HSM-SO iKey and the HSM-USER iKey. Each of these iKeys defines one of the two available user roles: Security Officer and User. A password must be defined for each user role, and the passwords are directly associated with the corresponding iKey. The ASA 310-FIPS is equipped with two HSM cards, and you therefore need to maintain two pairs of HSM-SO and HSM-USER iKeys with their associated passwords for each single ASA 310-FIPS device.
After a HSM card has been initialized, that card will only accept the HSM-SO and HSM-USER iKeys that were used when initializing that particular card. You cannot create backup copies of the associated HSM-SO iKey and HSM-USER iKey, and a lost HSM-SO or HSM-USER password cannot be retrieved. It is therefore extremely important that you establish routines for how the iKeys are handled.

Wrap Keys for ASA 310-FIPS Clusters

In addition to the HSM-SO and HSM-USER iKeys specific to each HSM card, one pair of iKeys (the black HSM-CODE iKeys) must also be maintained for each cluster of ASA 310-FIPS units.
Note: You are strongly recommended to label the two black HSM-CODE iKeys "CODE-SO" and "CODE-USER" respectively; these iKeys will be referred to as such both in the documentation and in the Command Line Interface.
During the initialization of the first ASA 310-FIPS in a cluster, a wrap key is automatically generated. The wrap key is a secret shared among all ASA 310-FIPS devices in the cluster. It encrypts and decrypts sensitive information that is sent over the PCI bus within an ASA 310-FIPS, and over the network among the ASA 310-FIPS devices in the cluster. By inserting the CODE-SO iKey and the CODE-USER iKey in turn when requested by the Setup utility, the wrap key is split onto these two iKeys. When adding an additional ASA 310-FIPS to the cluster, the CODE-SO and CODE-USER iKeys are used to transfer the wrap key to the HSM cards on the NVG device(s) that have been added. Once the wrap key has been transferred, all synchronization of sensitive information within the cluster takes place transparently to the user.
No passwords are associated with the CODE-SO and CODE-USER iKeys. However, for all operations that involve using the CODE-SO and CODE-USER iKeys, these keys are used in addition to the HSM-SO and HSM-USER iKeys (which in turn require the correct passwords for successful authentication).
CAUTION
If you enter the wrong password for the HSM-USER fifteen (15) times in a row, the HSM-USER iKey will be rendered unusable. This is due to the strict security specifications placed on the ASA 310-FIPS.
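The 2-of-2 split of the wrap key across the CODE-SO and CODE-USER iKeys, together with the fifteen-strike lockout from the CAUTION, as an added Python illustration that is not Nortel's HSM code; the XOR share scheme, the wrap key length and the PBKDF2 password handling are assumptions made for the example.

```python
"""Added example (not Nortel's code): a 2-of-2 split of a cluster wrap key
across two iKeys, plus the 15-strike iKey password lockout.
The XOR split, the key length and the password hashing are assumptions."""
import hashlib
import hmac
import secrets

WRAP_KEY_LEN = 32        # assumed wrap key length in bytes
MAX_BAD_PASSWORDS = 15   # from the CAUTION: 15 wrong passwords in a row
PBKDF2_ROUNDS = 10_000   # kept low so the example runs quickly


def generate_wrap_key(length=WRAP_KEY_LEN):
    """Fresh random wrap key, as generated when the first unit is initialized."""
    return secrets.token_bytes(length)


def split_wrap_key(wrap_key):
    """Split wrap_key into (code_so_share, code_user_share).

    code_so_share is uniformly random and code_user_share is
    wrap_key XOR code_so_share, so each share on its own is statistically
    independent of the key: whoever holds only one iKey learns nothing."""
    code_so = secrets.token_bytes(len(wrap_key))
    code_user = bytes(k ^ s for k, s in zip(wrap_key, code_so))
    return code_so, code_user


def recombine_wrap_key(code_so, code_user):
    """Recover the wrap key; both shares (both iKeys) must be present."""
    if len(code_so) != len(code_user):
        raise ValueError("share length mismatch")
    return bytes(a ^ b for a, b in zip(code_so, code_user))


class IKeySlot:
    """Password-protected role (HSM-SO or HSM-USER) bound to one HSM card.

    Only a salted hash of the password is kept. After MAX_BAD_PASSWORDS
    consecutive failures the slot is disabled for good, mirroring the
    iKey being rendered unusable."""

    def __init__(self, role, password):
        self.role = role
        self._salt = secrets.token_bytes(16)
        self._digest = self._hash(password)
        self.failures = 0
        self.disabled = False

    def _hash(self, password):
        return hashlib.pbkdf2_hmac("sha256", password.encode(),
                                   self._salt, PBKDF2_ROUNDS)

    def login(self, password):
        """Return True on success; a success resets the failure counter."""
        if self.disabled:
            return False
        if hmac.compare_digest(self._digest, self._hash(password)):
            self.failures = 0
            return True
        self.failures += 1
        if self.failures >= MAX_BAD_PASSWORDS:
            self.disabled = True   # iKey is now permanently unusable
        return False


def demo():
    """Split and recombine a key, then lock out a slot; returns the disabled flag."""
    key = generate_wrap_key()
    so_share, user_share = split_wrap_key(key)
    assert recombine_wrap_key(so_share, user_share) == key
    slot = IKeySlot("HSM-USER", "correct-password")
    for _ in range(MAX_BAD_PASSWORDS):
        slot.login("wrong-password")
    return slot.disabled


if __name__ == "__main__":
    print("slot disabled after 15 bad passwords:", demo())
```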

Available Operations and iKeys Required

For information about the type of iKeys required to perform a specific operation, see Table 2 "Available Operations and iKeys Required" (page 31).
Table 2 Available Operations and iKeys Required
Type of iKey required: HSM-SO, HSM-USER, CODE-SO and CODE-USER
Operation performed:
Installing a new ASA 310-FIPS in a new cluster
Adding an ASA 310-FIPS to an existing cluster
Logging in to the HSM card
Splitting the wrap key onto a pair of CODE iKeys
Changing the HSM-SO iKey password
Note: To resume normal operations after having changed the HSM-SO iKey password, the HSM-USER iKey is required to re-login to the HSM card.
Changing the HSM-USER iKey password

Additional HSM Information

For detailed information about installing a new ASA 310-FIPS in a new cluster or adding an ASA 310-FIPS to an existing cluster, see “Installing an ASA 310-FIPS” (page 58).
For detailed information about how to log in to the HSM card after a reboot, see “An ASA 310-FIPS Stops Processing Traffic” (page 153).
For information about how to split the wrap key onto a backup set of CODE-SO and CODE-USER iKeys, or how to change an HSM-SO or HSM-USER iKey password, see the Hardware Security Module Menu under the Maintenance Menu in the User’s Guide.
For information about how to reset the HSM cards, see “Resetting HSM Cards on the ASA 310-FIPS” (page 155).
For information about HSM card LED status, see Chapter 1 of the Hardware Installation Guide.
For information about the HSM card’s security policy, see “HSM Security Policy” (page 233).
To view the HSM card’s FIPS 140-1 validation certificate, see Appendix B, "FIPS 140-1 Validation Certificate" in the Hardware Installation Guide.

Initial Setup

This chapter covers the basic setup and initialization process for the Nortel VPN Gateway (NVG). It introduces the concept of clusters, and provides detailed instructions for reinstalling the VPN Gateway software, should it become necessary.

Clusters

All VPN Gateways are members of a cluster. A cluster can consist of one single VPN Gateway or a group of NVGs that share the same configuration parameters. There can be more than one NVG cluster in the network, each with its own set of parameters and services. If the VPN Gateway is used for SSL Acceleration, each cluster can be set up to serve different real servers.

New and Join

Each time you perform an initial setup of a VPN Gateway and select new in the Setup menu, you create a new cluster which initially has only one member. You can add one or more VPN Gateways to any existing cluster by performing an initial setup and selecting join in the Setup menu.
Configuration is Replicated among Master NVGs
The configuration parameters are stored in a database, which is replicated among the VPN Gateways designated as masters in a cluster. By default, the first four VPN Gateways in a given cluster are set up as masters. Additional NVGs are automatically set up as slaves, which means they depend on a master NVG in the same cluster for proper configuration. However, even if three of the masters fail, the remaining NVG(s) are still operational and can have configuration changes made to them. Note that one master at a minimum has to be functional to be able to make configuration changes. If all masters have failed, the slaves will still be capable of processing SSL traffic.

Clustering Over Multiple Subnets

The SSL VPN software supports clustering over multiple subnets. If more than one VPN Gateway is required and the VPN Gateway you wish to join to the cluster is installed in a different subnet, the new NVG must be configured as a slave. Master NVGs cannot exist on different intranet subnets.

IP Address Types

When configuring the VPN Gateway you will come across quite a number of IP address types. Following are the most commonly used:

Host IP Address

Each VPN Gateway can be assigned one or several host (machine) IP addresses for network connectivity. You will be asked to enter a host IP address when performing the initial setup.

Management IP Address (MIP)

When you create a new cluster you will be prompted for a Management IP (MIP) address, which is an IP alias to one of the VPN Gateways in the cluster. The MIP address identifies the cluster and is used when making configuration changes through Telnet or SSH or when configuring the system using the Browser-Based Management Interface (BBI). The MIP always resides on a master VPN Gateway. If the master NVG that currently holds the MIP should fail, the MIP automatically migrates to a functional master NVG.

Virtual IP Address (VIP)

When the VPN Gateway is used in conjunction with a Nortel Application Switch, e.g. for SSL acceleration, the client connects to the VIP on the Nortel Application Switch. The VIP is used by the Nortel Application Switch to load balance particular service requests (like HTTP) to other servers.

Portal IP Address

When the VPN Gateway is used to set up a web Portal, the Portal IP address is the address that is assigned to the VPN Gateway’s portal server. To display the web Portal, the remote user enters the Portal IP address or the corresponding domain name in a web browser.

Real Server IP Address (RIP)

When the VPN Gateway is used for SSL Acceleration, the RIP is the IP address of the real server, sometimes called the backend server. It is the IP address that the Nortel Application Switch load balances to when requests are made to a virtual server IP address (VIP). The VPN Gateway’s host IP address will in fact be one of the switch’s RIPs.

Ports

When installing a VPN Gateway (or any of the other supported hardware models) in a new cluster, or adding a VPN Gateway to an existing cluster, you are asked to specify a port number by the Setup utility.
The port number you specify refers to a physical port on the Network Interface Card (NIC) of a particular hardware model.
Depending on your model, the Setup utility will automatically detect the number of available ports and display the valid range within square brackets when prompting for a port number.
The VPN Gateway 3050 has four copper port NICs (numbered as 1-4).
The VPN Gateway 3070 comes in two versions:
One with four copper port NICs (numbered as 1-4).
One with two copper port NICs (numbered as 1-2) and two fiber-optic ports (numbered as 3-4).
The ASA 410 Copper NIC has two copper port NICs (numbered as 1-2).
The ASA 410 Fiber NIC has two copper port NICs (numbered as 1-2) and one Gigabit fiber-optic port NIC for Gigabit Ethernet (numbered as 3).
The ASA 310-FIPS has two copper port NICs (numbered as 1-2).
The SSL Processor on the Nortel Application Switch 2424-SSL has only one port that is internally connected to the Switch through back-to-back Gigabit interfaces.
Each port should be marked with the appropriate number on the device. If not, see the Alteon SSL Accelerator 310, 310-FIPS, 410 Hardware Installation Guide and the VPN 3050/3070 Hardware Installation Guide respectively.

Interfaces

During the initial setup procedure (see “Configuration at Boot Up” (page 41)), you will be asked if you want to set up a one-armed configuration or a two-armed configuration.
One-Armed Configuration
In a one-armed configuration, only one interface is configured. It acts as both a public interface (facing the Internet) and a private interface (facing the intranet).
The interface (Interface 1) on the SSL VPN will handle public traffic, that is, client traffic from and to the Internet, as well as private traffic, that is, connecting the SSL VPN to internal resources and configuring the SSL VPN from a management station.
Figure 1 One-Armed Configuration without Application Switch


Two-Armed Configuration
In a two-armed configuration, two separate interfaces are configured on the VPN Gateway.
Interface 1 will handle private traffic (between the SSL VPN and the trusted intranet), that is, connecting the SSL VPN to internal resources and configuring the SSL VPN from a management station.
Interface 2 will handle public traffic, that is, client traffic from and to the Internet.
A two-armed configuration is considered more secure.
Figure 2 Two-Armed Configuration without Application Switch
Note: Two-armed configuration is not available for the Application Switch 2424-SSL.
Configuration at Boot Up
When starting a VPN Gateway for the very first time, you need to do the following:
Connect the device’s uplink port(s) to the appropriate network device(s). During the initial setup you will be asked to configure the desired ports for network connectivity.
To use the VPN Gateway with a Nortel Application Switch, for example, for SSL Acceleration, connect the uplink port to a compatible port on a Nortel Application Switch.
Connect a computer to the VPN Gateway’s console port through serial cable.
Use a terminal application (for example, TeraTerm) to configure the VPN Gateway. For more information, see “Connecting to the VPN Gateway” (page 136).
Press the power-on button on the VPN Gateway.
Wait until you get a login prompt.
Log in as user: admin, password: admin
Note: If you have the ASA 310-FIPS model, see the instructions in “Installing an ASA 310-FIPS” (page 58) and onwards.

The Setup Menu

When you log in after having started the VPN Gateway the first time, you will enter the Setup menu. After selecting new or join, you will be prompted for the information required to make the VPN Gateway operational.
Table 3 The Setup Menu
[Setup Menu]
join - Join an existing iSD cluster
new - Initialize iSD as a new installation
boot - Boot menu
Info - Information menu
exit - Exit [global command, always available]

Installing an NVG in a New Cluster

When you are installing a VPN Gateway as the first (or only) member in a new cluster, you can either create a one-armed or a two-armed configuration.
Setting Up a One-Armed Configuration
In a one-armed configuration, only one interface is configured. It is used as both the public (traffic) and the private (management) interface. See figure on “Two-Armed Configuration” (page 39).
1 Choose new from the Setup menu.
[Setup Menu]
join - Join an existing iSD cluster
new - Initialize iSD as a new installation
boot - Boot menu
info - Information menu
exit - Exit [global command, always available]
>> Setup# new
Setup will guide you through the initial configuration.
2 Specify the port you want to use for network connectivity.
Enter port number for the management interface [1-4]: 1
This port will be assigned to Interface 1. As you are currently configuring a one-armed setup, this interface will be used for both private traffic (for example, SSL VPN management and connections to intranet resources) and public traffic (for example, client connections from the Internet).
3 Specify the current host IP address of the VPN Gateway.
Enter IP address for this machine (on management interface): <IP address>
This IP address must be unique on your network and be within the same network address range as the Management IP address. The host IP address will be assigned to Interface 1.
You can later use the /cfg/sys/host 1/interface 1 command to view the resulting settings for Interface 1.
Note: If needed, you can later create a two-armed configuration by adding a new interface to the cluster, exclusively used for client traffic, and assign an unused port to that interface. For information about how to add a new interface, see the "Interface Configuration" section under Configuration Menu>System Configuration in the Command Reference. For information about how to assign ports to an interface, see the "Interface Ports Configuration" section in the same chapter.
4 Enter network mask and VLAN tag ID.
Enter network mask [255.255.255.0]: <Press ENTER if correct>
Enter VLAN tag id (or zero for no VLAN) [0]: <VLAN tag id or ENTER>
Specify the desired network mask or accept the suggested value by pressing ENTER. If a connected router or switch attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
5 Press ENTER to continue with creating a one-armed configuration.
Setup a two armed configuration (yes/no) [no]: <Press ENTER>
6 Enter a default gateway address.
Enter default gateway IP address (or blank to skip): <gateway IP address>
Enter a default gateway IP address that is within the same network address range as the host IP address configured in step 3.
7 Enter a Management IP address (MIP).
Enter a unique Management IP address (MIP) that is within the same network address range as the host IP address and the default gateway IP address.
Enter the Management IP (MIP) address: <IP address>
Making sure the MIP does not exist...ok
Trying to contact gateway...ok
Complete the new setup by following the instructions in the section “Complete the New Setup” (page 46).
--End--
Setting Up a Two-Armed Configuration
In a two-armed configuration, two separate interfaces are configured on the VPN Gateway, one private interface for NVG management and intranet connections and one public interface for Internet connections. Also see figure on “Two-Armed Configuration” (page 39).
1 Choose new from the Setup menu.
[Setup Menu]
join - Join an existing iSD cluster
new - Initialize iSD as a new installation
boot - Boot menu
info - Information menu
exit - Exit [global command, always available]
>> Setup# new
Setup will guide you through the initial configuration of the iSD.
2 Configure the management interface port number.
Enter port number for the management interface [1-4]: 1
Specify the port you want to use for NVG management and other private traffic between the VPN Gateway and the intranet. This port will be assigned to the private interface (Interface 1).
3 Specify the host IP address for the current VPN Gateway.
Enter IP address for this machine (on management interface): <IP address>
Specify a host IP address on the management (private) interface. This IP address must be unique on the network and be within the same network address range as the Management IP address (see Step 10). The management interface host IP address is assigned to Interface 1.
4 Enter network mask and VLAN tag ID.
Enter network mask [255.255.255.0]: <Press ENTER if correct>
Enter VLAN tag id (or zero for no VLAN) [0]: <VLAN tag id or ENTER>
Specify the desired network mask for the host IP address on the management interface or accept the suggested value by pressing ENTER. If a connected router or switch attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
5 Enter yes and press ENTER to continue with creating a two-armed configuration.
Setup a two armed configuration (yes/no) [no]: yes
6 Specify a new port number for the traffic interface.
Enter port number for the traffic interface [1-4]: 2
The traffic (public) interface port number will automatically be assigned to Interface 2.
7 Specify a host IP address on the traffic (public) interface.
Enter IP address for this machine (on traffic interface): <IP address>
This IP address will be assigned to Interface 2 on the VPN Gateway, that is, the public interface.
8 Enter network mask and VLAN tag ID.
Enter network mask [255.255.255.0]:
Enter VLAN tag id (or zero for no VLAN) [0]:
Specify the desired network mask for the host IP address on the traffic interface or accept the suggested value by pressing ENTER. If a connected router or switch attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
9 Enter a default gateway address on the traffic interface.
Enter default gateway IP address (on the traffic interface): <gateway IP address>
Specify a default gateway IP address that is within the same network address range as the host IP address on the traffic (public) interface.
10 Enter a Management IP address (MIP) on the management interface.
Enter the Management IP (MIP) address: <IP address>
Making sure the MIP does not exist...ok
Trying to contact gateway...ok
Finally enter a unique Management IP address (MIP) that is within the same network address range as the host IP address on the management (private) interface.
Complete the setup by following the instructions in the section “Complete the New Setup” (page 46).
--End--

Complete the New Setup

1 Configure the time zone and NTP and DNS server settings.
If you don’t have access to the IP address of an NTP server at this point, you can configure this item after the initial setup is completed. See the "NTP Servers Configuration" section under Configuration menu>System Configuration in the Command Reference.
(new setup, continued)
Enter a timezone or ’select’ [select]: <Press ENTER to select>
Select a continent or ocean: <Continent or ocean by number>
Select a country: <Country by number>
Select a region: <Region by number, if applicable>
Selected timezone: <Suggested timezone, based on your selections>
Enter the current date (YYYY-MM-DD) [2006-03-01]: <Press ENTER if correct>
Enter the current time (HH:MM:SS) [09:26:16]: <Press ENTER if correct>
Enter NTP server address (or blank to skip): <IP address>
Enter DNS server address: <IP address>
2 Generate new SSH host keys and define a password for the admin user.
To maintain a high level of security when accessing the VPN Gateway through an SSH connection, it is recommended that you accept the default choice to generate new SSH host keys.
Make sure you remember the password you define for the admin user. You will need to provide the correct admin user password when logging in to the cluster for configuration purposes, and also when adding another VPN Gateway to the cluster by performing a join in the Setup menu.
(new setup, continued)
Generate new SSH host keys (yes/no) [yes]: <Press ENTER to accept>
This may take a few seconds...ok
Enter a password for the "admin" user:
Re-enter to confirm:
3 If you will be using the VPN feature, run the VPN quick setup wizard to set up a working VPN for SSL access in a few steps.
The VPN quick setup wizard creates all the settings required to enable a fully functional Portal for testing purposes. You can later let your test Portal evolve to a fully operative Portal.
Run VPN quick setup wizard [yes]: <press ENTER to run the wizard>
Creating default networks under /cfg/vpn 1/aaa/network
Creating default services under /cfg/vpn 1/aaa/service
Enter VPN Portal IP address: <IP address>
Is this VPN device used in combination with an Alteon switch? [no]:
Enter comma separated DNS search list (eg company.com,intranet.company.com): example.com
Create HTTP to HTTPS redirect server [yes]: <press ENTER to accept>
Create a trusted portal account [yes]: <press ENTER to create the account>
User name: john
User password: password
Creating group ’trusted’ with secure access.
Creating user ’john’ in group ’trusted’.
Creating empty portal linkset ’base-links’ for group trusted.
VPN Portal IP address. Used by remote users to connect to the VPN.
DNS search list. Enables use of short names on the Portal, for example, inside to connect to the server inside.example.com.
HTTP to HTTPS redirection. Automatically redirects requests made with HTTP to the proper HTTPS server configured for the VPN, for example, http://vpn.example.com gets redirected to https://vpn.example.com.
To view all settings created by the VPN quick setup wizard, see “Settings Created by the VPN Quick Setup Wizard” (page 49).
4 To configure IPsec access in your VPN, run the IPsec quick setup wizard.
With IPsec access enabled, remote users can access the VPN through a secure IPsec tunnel using the Nortel IPsec VPN client (formerly Contivity).
Setup IPsec [no]: yes
Creating default IKE profile under ipsec/ikeprof 1
Creating default user tunnel profile under ipsec/utunprof 1
Configuring IPsec Group login under aaa/group trusted/ipsec
Do you want to use IPsec Group login [no]: yes
Enter IPsec secret: secret
Enter Lower IP address in pool range: 10.10.10.1
Enter Upper IP address in pool range: 10.10.20.99
Enter Network mask for the pool range: [255.255.255.0] : 16
Creating IP pool 1
IPsec group login and secret. Enables IPsec access for the trusted group, if this group was created with the VPN quick setup wizard (see Step 3).
Lower/upper IP address in pool range. Lets you specify an IP address range for use in the unencrypted connection between the VPN Gateway and the destination host.
Network mask for IP pool range. Lets you enter a custom network mask if the default network mask does not cover the pool range.
Note: The IPsec quick setup wizard is only displayed if the VPN quick setup wizard has been run and if the VPN Gateway has a default IPsec license (not available on the ASA 310 models).
5 When the Setup utility has finished you can continue with the configuration.
If you wish to continue configuring the system through the command line interface (CLI), log in as the admin user with the password you defined in Step 2, and the Main menu is displayed. For more information about the CLI, see the Command Reference.
If you would rather configure the system through the Browser-Based Management Interface (BBI), see the BBI Quick Guide for instructions.
Initializing system......ok
Setup successful. Relogin to configure. login:
For instructions on how to deploy a pure VPN solution, continue with the "VPN Introduction" chapter in the Application Guide for VPN. For instructions on how to deploy the SSL acceleration feature, continue with the "Basic Applications" chapter in the Application Guide for SSL Acceleration.
To join an additional VPN Gateway to the cluster, see “Joining a VPN Gateway to an Existing Cluster” (page 52).
--End--

Settings Created by the VPN Quick Setup Wizard

If you ran the VPN quick setup wizard during the initial setup, a large number of settings were configured automatically.
Basic VPN Setup
The following settings have been created:
A VPN. The VPN is typically defined for access to an intranet, parts of an intranet or to an extranet.
A virtual SSL server of the portal type. A portal IP address is assigned to it, to which the remote user should connect to access the Portal. If you chose to use the VPN feature without a Nortel Application Switch, the portal server is set to standalone mode.
A test certificate has been installed and mapped to the portal server.
The authentication method is set to Local database and you have one test user configured. The test user belongs to a group called trusted, whose access rules allow access to all networks, services and paths.
One or several domain names are added to the DNS search list, which means that the remote user can enter a short name in the Portal’s various address fields (for example, inside instead of inside.example.com if example.com is added to the search list).
If you chose to enable HTTP to HTTPS redirection, an additional server of the HTTP type was created to redirect requests made with HTTP to HTTPS, because the portal server requires an SSL connection.
Default Network
The wizard also creates a default network definition called intranet. In short, network definitions are used to limit a remote user’s access rights to different networks. Once a network definition has been created it can be referenced in an access rule. The access rule states whether access to the referenced network should be rejected or allowed.
Network definitions can be created, viewed or edited using the /cfg/vpn #/aaa/network command. See the "Groups, Access Rules and Profiles" chapter in the Application Guide for VPN for a full explanation of network definitions in conjunction with access rules.
The intranet network definition is configured as Network 1. The subnets included in intranet are based on private IP address space reservations as defined in the RFC 1918 document:
Network address: 192.168.0.0 Network mask: 255.255.0.0
Network address: 10.0.0.0 Network mask: 255.0.0.0
Network address: 172.16.0.0 Network mask: 255.240.0.0
Default Services
The following service definitions were configured automatically. Service definitions can be referenced in access rules to allow or deny access to a specific application or protocol. Service definitions can be viewed or edited using the /cfg/vpn #/aaa/service command.
See the "Groups, Access Rules and Profiles" chapter in the Application Guide for VPN for a full explanation of service definitions.
http. Uses TCP port 80.
https. Uses TCP port 443.
web. Uses TCP ports 20, 21, 80 and 443.
smtp. Uses TCP port 25.
pop3. Uses TCP port 110.
imap. Uses TCP port 143.
email. Uses TCP ports 25, 110 and 443.
telnet. Uses TCP port 23.
Settings Created by the VPN Quick Setup Wizard 51
/cfg/vpn #/aaa/service command.
ssh. Uses TCP port 22.
ftp. Uses TCP ports 20 and 21.
smb. Uses TCP port 139.
fileshare. Uses TCP ports 20, 21 and 139.
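The following is an added example, not Nortel code, showing how the default intranet network definition (the three RFC 1918 blocks with the masks listed above) and the default service definitions combine in access rules. First-match ordering and a reject when no rule matches are assumptions of this example, not documented product behaviour.

```python
"""Evaluate access rules against the wizard's default network and service
definitions. Added example, not Nortel code: ordered rules, first match wins,
reject if nothing matches (assumptions of this example)."""
import ipaddress

# Network 1, "intranet": (network address, network mask) pairs from the page.
NETWORKS = {
    "intranet": [
        ("192.168.0.0", "255.255.0.0"),
        ("10.0.0.0", "255.0.0.0"),
        ("172.16.0.0", "255.240.0.0"),
    ],
}

# Default service definitions: name -> set of TCP ports, as listed above.
SERVICES = {
    "http": {80},
    "https": {443},
    "web": {20, 21, 80, 443},
    "smtp": {25},
    "pop3": {110},
    "imap": {143},
    "email": {25, 110, 443},
    "telnet": {23},
    "ssh": {22},
    "ftp": {20, 21},
    "smb": {139},
    "fileshare": {20, 21, 139},
}


def in_network(ip, network_name):
    """True if ip lies inside any subnet of the named network definition."""
    addr = ipaddress.ip_address(ip)
    for net, mask in NETWORKS[network_name]:
        # The dotted mask from the page is accepted directly by ip_network.
        if addr in ipaddress.ip_network(f"{net}/{mask}", strict=False):
            return True
    return False


def evaluate(rules, dst_ip, dst_port):
    """Return the action of the first rule whose network and service both
    match (dst_ip, dst_port). Each rule is (network, service, action) with
    action "allow" or "reject". No match falls through to "reject"."""
    for network, service, action in rules:
        if in_network(dst_ip, network) and dst_port in SERVICES[service]:
            return action
    return "reject"


# Constructed sample policy: web and email into the intranet are allowed,
# clear-text Telnet is rejected before any allow rule can match it.
SAMPLE_RULES = [
    ("intranet", "telnet", "reject"),
    ("intranet", "web", "allow"),
    ("intranet", "email", "allow"),
]

if __name__ == "__main__":
    for ip, port in [("10.1.2.3", 443), ("10.1.2.3", 23), ("172.31.0.9", 110),
                     ("172.32.0.9", 80), ("8.8.8.8", 443)]:
        print(ip, port, evaluate(SAMPLE_RULES, ip, port))
```

Note that 172.32.0.9 is outside the 255.240.0.0 mask on 172.16.0.0 and therefore not part of intranet, while 172.31.255.254 is.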

Joining a VPN Gateway to an Existing Cluster

After having installed the first VPN Gateway in a cluster, additional NVGs may be added to the same cluster by specifying the Management IP address (MIP) that identifies the cluster. When you are installing the VPN Gateway to join an existing cluster, less information is needed because the new VPN Gateway will fetch most of the configuration from the other NVG(s) in the cluster.
The following applies when joining a new VPN Gateway to an existing cluster:
If the VPN Gateway you are about to join is installed on a different subnet than existing NVGs, this new device must be configured as a slave. Master NVGs cannot exist on different subnets.
If the Access list consists of entries (for example, IP addresses for control of Telnet and SSH access), also add the cluster’s MIP, the existing VPN Gateway’s host IP address on Interface 1, and the host IP address you have in mind for the new NVG to the Access list. This must be done before joining the new VPN Gateway, otherwise the devices will not be able to communicate. Use the /cfg/sys/accesslist command. If the Access list is empty, this step is not required.
If the VPN Gateway you are about to join has a different software version than existing NVGs, install the preferred software version on the new VPN Gateway before joining it (see “Reinstalling the Software” (page 70)) or upgrade the whole cluster to the same software version as the new VPN Gateway (see “Performing Minor/Major Release Upgrades” (page 74)). Use the /boot/software/cur command to check the currently installed software version.
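The three pre-join conditions above, as an added example (not Nortel code) that an operator could run against planned addresses before choosing join. It assumes one common netmask for all Interface 1 addresses, Access list entries given as IP addresses or CIDR networks, and the dictionary layout shown; none of these come from the product.

```python
"""Pre-join checks for adding a VPN Gateway (NVG) to an existing cluster.
Added example, not Nortel code. Encodes the conditions from the guide:
different subnet -> must join as slave; a non-empty Access list must cover
the cluster MIP, every existing NVG's Interface 1 host IP and the new NVG's
planned host IP; software versions must match (assumed input layout)."""
import ipaddress


def required_type(existing_hosts, new_host, netmask):
    """'slave' if the new host's subnet differs from any existing NVG's
    (master NVGs cannot exist on different subnets), else the default
    'master'. One netmask for all Interface 1 addresses is assumed."""
    new_net = ipaddress.ip_interface(f"{new_host}/{netmask}").network
    for host in existing_hosts:
        if ipaddress.ip_interface(f"{host}/{netmask}").network != new_net:
            return "slave"
    return "master"


def _covered(ip, accesslist):
    """True if ip matches an Access list entry (address or CIDR network)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(e, strict=False) for e in accesslist)


def missing_accesslist_entries(accesslist, mip, existing_hosts, new_host):
    """Addresses still to add with /cfg/sys/accesslist before joining.
    An empty Access list imposes no restriction, so nothing is needed then."""
    if not accesslist:
        return []
    needed = [mip, *existing_hosts, new_host]
    return [ip for ip in needed if not _covered(ip, accesslist)]


def prejoin_report(cluster, new_nvg):
    """cluster: {'mip', 'hosts', 'accesslist', 'software'};
    new_nvg: {'host', 'netmask', 'software'} (this example's own layout;
    'software' is what /boot/software/cur reports on each unit).
    Returns what must be settled before choosing 'join'."""
    return {
        "type": required_type(cluster["hosts"], new_nvg["host"], new_nvg["netmask"]),
        "add_to_accesslist": missing_accesslist_entries(
            cluster["accesslist"], cluster["mip"], cluster["hosts"], new_nvg["host"]),
        # False means: reinstall the new NVG or upgrade the cluster first.
        "software_matches": cluster["software"] == new_nvg["software"],
    }


# Constructed sample cluster and candidate NVG (not real deployment data).
SAMPLE_CLUSTER = {
    "mip": "10.10.1.100",
    "hosts": ["10.10.1.1", "10.10.1.2"],
    "accesslist": ["10.10.1.100", "192.168.50.0/24"],
    "software": "7.1",
}
SAMPLE_NEW_NVG = {"host": "10.10.2.7", "netmask": "255.255.255.0", "software": "7.0"}

if __name__ == "__main__":
    print(prejoin_report(SAMPLE_CLUSTER, SAMPLE_NEW_NVG))
```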
Setting up a One-Armed Configuration
If the currently installed VPN Gateway(s) in the cluster are set up for a one-armed configuration you probably want the new VPN Gateway to be set up similarly.
When you log in after having started the VPN Gateway the first time, you will enter the Setup menu.
Step Action
1 Choose join from the Setup menu to add a VPN Gateway to an existing cluster.
[Setup Menu]
join - Join an existing iSD cluster
new - Initialize iSD as a new installation
boot - Boot menu
info - Information menu
exit - Exit [global command, always available]
>> Setup# join
Setup will guide you through the initial configuration of the iSD.
2 Specify the port to be used for network connectivity.
Enter port number for the management interface [1-4]: 1
This port will automatically be assigned to Interface 1. As you are currently configuring a one-armed configuration, this interface will be used for both management traffic (coming from the private intranet) and client traffic (coming from the public Internet).
If you have configured port 1 as the management interface port for existing VPN Gateways, it is recommended (for consistency) that you configure port 1 for the NVG you are joining as well.
3 Enter the VPN Gateway’s host IP address.
Enter IP address for this machine (on management interface): <IP address>
This IP address should be within the same network address range as the cluster’s Management IP address.
4 Enter network mask and VLAN tag ID.
Enter network mask [255.255.255.0]: <Press ENTER if correct>
Enter VLAN tag id (or zero for no VLAN) [0]: <VLAN tag id or ENTER>
Specify the desired network mask or accept the suggested value by pressing ENTER. If a connected router or switch attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
5 Press ENTER to continue with creating a one-armed configuration.
Setup a two armed configuration (yes/no) [no]: <Press ENTER>
6 Enter the Management IP address (MIP) of the existing cluster.
The system is initialized by connecting to the management server on an existing iSD, which must be operational and initialized.
Enter the Management IP (MIP) address: <IP address>
Provide the Management IP address of the cluster to which you want to join the current VPN Gateway. To check the Management IP of an existing cluster, connect to the cluster and use the /cfg/sys/cur command.
Complete the join setup by following the instructions in the section “Complete the Join Setup” (page 56).
--End--
Setting up a Two-Armed Configuration
If the currently installed VPN Gateway(s) in the cluster are set up for a two-armed configuration you probably want the new VPN Gateway to be set up like the previously installed NVG(s).
To set up a two-armed configuration, proceed as follows:
Step Action
1 Choose join from the Setup menu.
[Setup Menu]
join - Join an existing iSD cluster
new - Initialize iSD as a new installation
boot - Boot menu
info - Information menu
exit - Exit [global command, always available]
>> Setup# join
Setup will guide you through the initial configuration of the iSD.
2 Configure the management interface port number.
Enter port number for the management interface [1-4]: 1
Specify the port you want to use for management traffic. This port will be assigned to an interface for management purposes only (Interface 1).
3 Specify a host IP address on the management interface for the current VPN Gateway.
Enter IP address for this machine (on management interface): <IP address>
This IP address must be unique on the network and be within the same network address range as the Management IP address (see Step 9). The management interface host IP address will be assigned to Interface 1.
4 Enter network mask and VLAN tag ID.
Enter network mask [255.255.255.0]: <Press ENTER if correct>
Enter VLAN tag id (or zero for no VLAN) [0]: <VLAN tag id or ENTER>
Specify the desired network mask for the host IP address on the management interface or accept the suggested value by pressing ENTER. If a connected router or switch attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
5 Enter yes and press ENTER to continue with creating a two-armed configuration.
Setup a two armed configuration (yes/no) [no]: yes
6 Specify a new port number for the traffic interface.
Enter port number for the traffic interface [1-4]: 2
The traffic interface port number will automatically be assigned to Interface 2.
7 Specify a host IP address and network mask on the traffic interface for the current VPN Gateway.
Enter IP address for this machine (on traffic interface): <IP address>
Enter network mask [255.255.255.0]: <press ENTER to accept>
In a two-armed configuration, the traffic interface host IP address will be assigned to Interface 2.
8 If a connected router or switch attaches VLAN tag IDs to incoming packets, specify the VLAN tag ID used.
Enter VLAN tag id (or zero for no VLAN) [0]:
9 Enter the Management IP address (MIP) of the existing cluster.
The system is initialized by connecting to the management server on an existing iSD, which must be operational and initialized.
Enter the Management IP (MIP) address: <IP address>
Provide the Management IP address of the cluster to which you want to join the current VPN Gateway. To check the Management IP of an existing cluster, connect to the cluster and use the /cfg/sys/cur command.
10 Enter the default gateway on the traffic interface.
Enter default gateway IP address (on the traffic interface): <IP addr>
The default gateway IP address should be within the same network address range as the host IP address on the traffic interface.
Complete the join setup by following the instructions in the next section, "Complete the Join Setup".

Complete the Join Setup

Step Action
1 Provide the correct admin user password.
Type the correct password for the admin user.
(join setup, continued)
Enter the existing admin user password:
2 Specify the VPN Gateway type.
When adding up to three additional master NVGs to a cluster containing a single VPN Gateway, you may configure each additional NVG as either master or slave. For up to three additional NVGs, the default setting is master. When adding one or more VPN Gateways to a cluster that already contains four master NVGs, each additional NVG is automatically configured as slave.
It is recommended that there are 2-4 master NVGs in each cluster, so in most cases there is no need to change the default setting. If needed, you can always reconfigure a VPN Gateway by changing the Type setting after the initial setup. For more information, see the type command in the "iSD Host Configuration" section under Configuration Menu>System Configuration in the Command Reference.
Enter the type of this iSD (master/slave) [master]:
......ok
3 Wait until the Setup utility has finished.
Setup successful. login:
The setup is now finished. The VPN Gateway that has been joined to the cluster will automatically pick up all configuration data from one of the already installed NVG(s) in the cluster. After a short while you will get a login prompt.
If needed, you can now continue with the configuration of the NVG cluster using the Command Line Interface (CLI) or the Browser-Based Management Interface (BBI). Log in as the admin user.
For more information about the CLI, see “The Command Line Interface” (page 135).
For more information about the BBI, see the SSL VPN BBI Quick Guide.
--End--

Installing an ASA 310-FIPS

The ASA 310-FIPS model is an ASA 310 where the ordinary SSL accelerator card has been replaced by the HSM (Hardware Security Module) SSL accelerator card. For more information about the ASA 310-FIPS model, see “Introducing the ASA 310-FIPS” (page 27).
After having installed the first ASA 310-FIPS, additional ASA 310-FIPS units can be added to the same cluster by specifying the Management IP (MIP) address that identifies the cluster. For more information about adding an ASA 310-FIPS to an existing cluster, see “Adding an ASA 310-FIPS to an Existing Cluster” (page 63).
Before installing or adding an ASA 310-FIPS, make sure that you have fully understood the concept of iKeys. You might also want to decide the labeling scheme you want to use for identifying which iKey is used to initialize a certain HSM card, and also label two of the black cluster-specific iKeys "CODE-SO" and "CODE-USER" respectively in advance. For more information about the concept of iKeys and the ASA 310-FIPS model in general, see “Introducing the ASA 310-FIPS” (page 27). You should also decide a password scheme because you will define passwords not only for the admin user, but also for the HSM-SO iKeys, the HSM-USER iKeys, and possibly a secret passphrase (when selecting FIPS mode).

Installing an ASA 310-FIPS in a New Cluster

When you log in as the admin user after having started the ASA 310-FIPS the first time, the Setup menu is displayed.
Step Action
1 Choose new from the Setup menu to install the ASA 310-FIPS as the first member in a new cluster.
[Setup Menu]
join - Join an existing iSD cluster
new - Initialize iSD as a new installation
boot - Boot menu
info - Information menu
exit - Exit [global command, always available]
>> Setup# new
Setup will guide you through the initial configuration of the iSD.
2 Follow the instructions for installing a VPN Gateway in a new cluster.
Read the sections starting with “Installing an NVG in a New Cluster” (page 42). When the basic setup is completed, new prompts for configuring an ASA 310-FIPS will automatically appear.
3 Choose the appropriate security mode for the ASA 310-FIPS cluster.
Decide which security mode to use for the new ASA 310-FIPS cluster—FIPS mode or Extended Security mode. The default Extended Security mode should be used whenever your security policy does not explicitly require conforming to the FIPS 140-1, Level 3 standard.
For more information about the FIPS mode and the Extended Security mode, see “Introducing the ASA 310-FIPS” (page 27).
(new setup, continued)
Use FIPS or Extended Security Mode? (fips/extended) [extended]: <Press ENTER to accept the default extended mode, or change the security mode to fips>
4 Initialize HSM card 0 by inserting the first pair of HSM-SO and HSM-USER iKeys, and by defining passwords.
Step 4 and Step 5 are related to initializing the HSM cards that your ASA 310-FIPS is equipped with. The Setup utility will identify the first HSM card as card 0, and the second HSM card as card 1. Each HSM card is initialized by inserting the proper iKeys and defining a password for each user role. To successfully initialize both HSM cards, you need to have the following iKeys:
One pair of iKeys to be used for initializing HSM card 0.
— The purple HSM Security Officer iKey, embossed with "HSM-SO".
— The blue HSM User iKey, embossed with "HSM-USER".
Label these iKeys and HSM card 0 in a way so that the connection between them is obvious. After HSM card 0 has been initialized, this card will only accept the HSM-SO and HSM-USER iKeys that were used when initializing this particular HSM card. Even if you choose to use the same HSM-SO and HSM-USER passwords when you initialize card 1 as the passwords you defined when initializing card 0, the HSM-SO and HSM-USER iKeys for card 1 are not interchangeable with the HSM-SO and HSM-USER iKeys for card 0.
One pair of iKeys to be used for initializing HSM card 1.
— The purple HSM Security Officer iKey, embossed with "HSM-SO".
— The blue HSM User iKey, embossed with "HSM-USER".
Label these iKeys and HSM card 1 in a way so that the connection between them is obvious. If you will use more than one ASA 310-FIPS device in the cluster, you must also take steps to identify which pair of iKeys is used on which HSM card on which device in the cluster.
You also need to make sure that you can easily access the USB ports on the HSM cards, located on the rear of the ASA 310-FIPS device. When an operation requires inserting an HSM iKey, a flashing LED will direct you to the USB port on the correct HSM card.
(new setup, continued)
Verify that HSM-SO iKey (purple) is inserted in card 0 (with flashing LED). Hit enter when done.
Enter a new HSM-SO password for card 0: <define an HSM-SO password>
Re-enter to confirm:
The HSM-SO iKey has been updated.
Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED). Hit enter when done.
Enter a new HSM-USER password for card 0: <define an HSM-USER password>
Re-enter to confirm:
The HSM-USER iKey has been updated.
Card 0 successfully initialized.
5 Initialize HSM card 1 by inserting the second pair of HSM-SO and HSM-USER iKeys, and by defining passwords.
Remember to take steps to label each pair of HSM-SO and HSM-USER iKeys and the HSM card to which each set of iKeys is associated during the initialization.
Note: For more information about iKeys, see “The Concept of iKey Authentication” (page 30).
(new setup, continued)
Verify that HSM-SO iKey (purple) is inserted in card 1 (with flashing LED). Hit enter when done.
Enter a new HSM-SO password for card 1: <define a new HSM-SO password, or use the same HSM-SO password as for card 0>
Re-enter to confirm:
The HSM-SO iKey has been updated.
Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED). Hit enter when done.
Enter a new HSM-USER password for card 1: <define a new HSM-USER password, or use the same HSM-USER password as for card 0>
Re-enter to confirm:
The HSM-USER iKey has been updated.
Card 1 successfully initialized.
6 Split the wrap key from HSM card 0 onto the CODE-SO and CODE-USER iKeys.
This step is related to splitting the software wrap key used internally in the cluster, and then loading the split wrap key onto the two black CODE-SO and CODE-USER iKeys. These iKeys will then be used to transfer the cluster wrap key onto another HSM card either within the same ASA 310-FIPS device (as in Step 7), or to HSM cards in an ASA 310-FIPS device that is added to the current cluster.
Each ASA 310-FIPS device is shipped with four black CODE iKeys. However, you will only need to use two of these in one given cluster. The extra two black iKeys can be used to create a pair of backup CODE iKeys. For more information about how to create a pair of backup CODE iKeys, see the splitkey command on the HSM menu (described under Maintenance Menu in the Command Reference).
To successfully split and load the cluster wrap key onto the correct iKeys, you need the following:
Two black CODE iKeys, which should be labeled "CODE-SO" and "CODE-USER" respectively.
If the black iKeys are not already labeled CODE-SO and CODE-USER respectively, you are recommended to do so before inserting them. Whenever the cluster wrap key needs to be transferred onto an initialized HSM card, you will be prompted for each specific CODE iKey in turn. Having each iKey properly labeled CODE-SO and CODE-USER respectively will make this procedure easier.
(new setup, continued)
Should new or existing CODE iKeys be used? (new/existing) [new]: <press ENTER to select new>
Verify that CODE-SO iKey (black) is inserted in card 0 (with flashing LED). Hit enter when done.
Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED). Hit enter when done.
Verify that CODE-USER iKey (black) is inserted in card 0 (with flashing LED). Hit enter when done.
Wrap key successfully split from card 0.
Note: Unlike the HSM-SO and the HSM-USER iKeys, the CODE-SO and CODE-USER iKeys are not specific for each HSM card. Instead, the CODE-SO and CODE-USER iKeys are specific for each cluster of ASA 310-FIPS units. Therefore, if you have more than one cluster of ASA 310-FIPS units, you need to take steps so that you can identify to which cluster a pair of CODE-SO and CODE-USER iKeys is associated.
7 Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys onto HSM card 1.
(new setup, continued)
Verify that CODE-SO iKey (black) is inserted in card 1 (with flashing LED). Hit enter when done.
Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED). Hit enter when done.
Verify that CODE-USER iKey (black) is inserted in card 1 (with flashing LED). Hit enter when done.
Wrap key successfully combined to card 1.
8 If you have selected FIPS mode as the security mode, define a passphrase.
If you selected FIPS mode prior to initializing HSM card 0 (Step 3), you will also be asked to define a passphrase. Make sure you remember the passphrase as you will be prompted for the same passphrase when adding other ASA 310-FIPS units to the same cluster. When selecting Extended Security mode, this step will not appear.
(new setup, continued)
Enter a secret passphrase (it will be used during addition of new iSDs to the cluster):
Re-enter to confirm:
9 When the Setup utility has finished, log in to the ASA 310-FIPS again and continue with the configuration.
(new setup, continued)
Initializing system......ok
Setup successful. Relogin to configure.
login:
The setup is now finished, and after a short while you will get a login prompt. Log in as the admin user with the password you defined during the initial setup. The Main menu is then displayed. You can now continue with the configuration of the ASA 310-FIPS using the command line interface (CLI). For more information about the CLI, see “The Command Line Interface” (page 135).
Note: After successfully having initialized the HSM cards, you are automatically logged in to each HSM card as USER. You can verify the current HSM card login status by using the /info/hsm command. After a reboot has occurred (whether intentionally invoked, or due to a power failure), you must manually log in to the HSM cards for the ASA 310-FIPS device to resume normal operations. For more information about logging in to the HSM cards after a reboot, see “An ASA 310-FIPS Stops Processing Traffic” (page 153).
--End--

Adding an ASA 310-FIPS to an Existing Cluster

You add additional ASA 310-FIPS units to an existing cluster by selecting join from the Setup menu in the ASA 310-FIPS, after it has booted.
The following applies when joining a new ASA 310-FIPS to an existing cluster:
If the ASA 310-FIPS you are about to join is installed on a different subnet than existing units, this new ASA must be configured as a slave. Master ASAs cannot exist on different subnets.
If the Access list consists of entries (for example, IP addresses for control of Telnet and SSH access), also add the cluster’s MIP, the existing ASA’s host IP address on Interface 1, and the host IP address you have in mind for the new ASA to the Access list. This must be done before joining the new ASA, otherwise the ASAs will not be able to communicate. Use the /cfg/sys/accesslist command. If the Access list is empty, this step is not required.
If the ASA you are about to join has a different software version than existing ASAs, install the preferred software version on the new ASA before joining it (see “Reinstalling the Software” (page 70)) or upgrade the whole cluster to the same software version as the new ASA (see “Performing Minor/Major Release Upgrades” (page 74)). Use the /boot/software/cur command to check the currently installed software version.
When you log in as the admin user after having started the ASA 310-FIPS the first time, the Setup menu is displayed.
Step Action
1 Choose join from the Setup menu to add the ASA 310-FIPS to an existing cluster.
[Setup Menu]
join - Join an existing iSD cluster
new - Initialize iSD as a new installation
boot - Boot menu
info - Information menu
exit - Exit [global command, always available]
>> Setup# join
Setup will guide you through the initial configuration of the iSD.
2 Follow the instructions for joining a VPN Gateway to an existing cluster.
Read the sections starting with “Joining a VPN Gateway to an Existing Cluster” (page 52). When the basic setup is completed, new prompts for configuring the ASA 310-FIPS will automatically appear (see Step 3).
3 Initialize HSM card 0 by inserting the first pair of HSM-SO and HSM-USER iKeys, and by defining passwords.
Step 3 and Step 4 are related to initializing the HSM cards that your ASA 310-FIPS is equipped with. The Setup utility will identify the first HSM card as card 0, and the second HSM card as card 1. Make sure you have the required iKeys before proceeding. To successfully initialize both HSM cards, you need to have the following iKeys:
One pair of iKeys to be used for initializing HSM card 0.
— The purple HSM Security Officer iKey, embossed with "HSM-SO".
— The blue HSM User iKey, embossed with "HSM-USER".
Label these iKeys and HSM card 0 in a way so that the connection between them is obvious. After HSM card 0 has been initialized, this card will only accept the HSM-SO and HSM-USER iKeys used when initializing this particular HSM card. Even if you choose to use the same HSM-SO and HSM-USER passwords when you initialize card 1 as the passwords you defined when initializing card 0, the HSM-SO and HSM-USER iKeys for card 1 are not interchangeable with the HSM-SO and HSM-USER iKeys for card 0.
One pair of iKeys to be used for initializing HSM card 1.
— The purple HSM Security Officer iKey, embossed with "HSM-SO".
— The blue HSM User iKey, embossed with "HSM-USER".
Label these iKeys and HSM card 1 in a way so that the connection between them is obvious. Because you will have more than one ASA 310-FIPS device in the cluster, you must also take steps to identify which pair of iKeys is used on which HSM card on which device in the cluster.
You also need to make sure that you can easily access the USB ports on the HSM cards, located on the rear of the ASA 310-FIPS device. When an operation requires inserting an HSM iKey, a flashing LED will direct you to the USB port on the correct HSM card.
(join setup, continued)
Verify that HSM-SO iKey (purple) is inserted in card 0 (with flashing LED). <insert the HSM-SO iKey specific for this HSM card>
Hit enter when done.
Enter a new HSM-SO password for card 0: <define an HSM-SO password>
Re-enter to confirm:
The HSM-SO iKey has been updated.
Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED). <insert the HSM-USER iKey specific for this HSM card>
Hit enter when done.
Enter a new HSM-USER password for card 0: <define an HSM-USER password>
Re-enter to confirm:
The HSM-USER iKey has been updated.
Card 0 successfully initialized.
Note: For more information about iKeys, see “The Concept of iKey Authentication” (page 30).
4 Initialize HSM card 1 by inserting the second pair of HSM-SO and HSM-USER iKeys, and by defining passwords.
Remember to take steps to label each pair of HSM-SO and HSM-USER iKeys and the HSM card to which each set of iKeys is associated during the initialization. Because each ASA 310-FIPS device in the cluster will have two HSM cards, you must also take steps to identify to which ASA 310-FIPS device each pair of iKeys are associated. Your labeling must ensure that the connection is obvious between a pair of HSM-SO/HSM-USER iKeys, the HSM card that was initialized by using those iKeys, and the ASA 310-FIPS device holding that particular HSM card.
(join setup, continued)
Verify that HSM-SO iKey (purple) is inserted in card 1 (with flashing LED). <insert the HSM-SO iKey specific for this HSM card>
Hit enter when done.
Enter a new HSM-SO password for card 1: <define a new HSM-SO password, or use the same HSM-SO password as for card 0>
Re-enter to confirm:
The HSM-SO iKey has been updated.
Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED). <insert the HSM-USER iKey specific for this HSM card>
Hit enter when done.
Enter a new HSM-USER password for card 1: <define a new HSM-USER password, or use the same HSM-USER password as for card 0>
Re-enter to confirm:
The HSM-USER iKey has been updated.
Card 1 successfully initialized.
5 Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys onto HSM card 0.
Step 5 and Step 6 are related to transferring the cluster wrap key onto the two HSM cards in the ASA 310-FIPS you are adding to the cluster. The wrap key is transferred onto each HSM card in two steps, where each half of the cluster wrap key stored on the two black CODE-SO and CODE-USER iKeys is loaded and combined on the HSM card in the new ASA 310-FIPS cluster member.
To successfully load and combine the cluster wrap key onto the HSM cards, you need the following:
The two black HSM Code iKeys, labeled "CODE-SO" and "CODE-USER" respectively, that you used when installing the first ASA 310-FIPS in the cluster.
If you have more than one cluster of ASA 310-FIPS units, make sure that you can identify to which cluster the pair of CODE iKeys are associated. The cluster wrap key that is split and stored on the two CODE iKeys is specific for each cluster of ASA 310-FIPS units.
(join setup, continued)
Verify that CODE-SO iKey (black) is inserted in card 0 (with flashing LED). <insert the same CODE-SO iKey that you used when installing the first ASA 310-FIPS in the cluster>
Hit enter when done.
Verify that HSM-USER iKey (blue) is inserted in card 0 (with flashing LED). Hit enter when done.
Verify that CODE-USER iKey (black) is inserted in card 0 (with flashing LED). <insert the same CODE-USER iKey that you used when installing the very first ASA 310-FIPS in the cluster>
Hit enter when done.
Wrap key successfully combined to card 0.
6 Transfer the cluster wrap key from the CODE-SO and CODE-USER iKeys onto HSM card 1.
(join setup, continued)
Verify that CODE-SO iKey (black) is inserted in card 1 (with flashing LED). <insert the same CODE-SO iKey that you used in Step 5>
Hit enter when done.
Verify that HSM-USER iKey (blue) is inserted in card 1 (with flashing LED). Hit enter when done.
Verify that CODE-USER iKey (black) is inserted in card 1 (with flashing LED). <insert the same CODE-USER iKey that you used in Step 5>
Hit enter when done.
Wrap key successfully combined to card 1.
7 If you selected FIPS mode when installing the first ASA 310-FIPS in the cluster, provide the correct passphrase.
If you selected FIPS mode when installing the first ASA 310-FIPS in the cluster, you will also be asked to provide the passphrase you defined at that time. If you selected Extended Security mode, this step will not appear.
(join setup, continued)
Enter the secret passphrase (as given during initialization of the first iSD in the cluster):
8 Wait until the Setup utility has finished.
(join setup, continued)
Setup successful.
login:
The setup utility is now finished. The ASA 310-FIPS that has now been added to the cluster will automatically pick up all configuration data from one of the already installed ASA 310-FIPS units in the cluster. After a short while you will get a login prompt.
Note: After successfully having initialized the HSM cards, you are automatically logged in to each HSM card as USER. You can verify the current HSM card login status by using the /info/hsm command. After a reboot has occurred (whether intentionally invoked, or due to a power failure), you must manually log in to the HSM cards for the ASA 310-FIPS device to resume normal operations. For more information about logging in to the HSM cards after a reboot, see “An ASA 310-FIPS Stops Processing Traffic” (page 153).
If needed, you can now continue with the configuration of the ASA 310-FIPS units using the command line interface (CLI). Log in as the admin user, and the Main menu is displayed. For more information about the CLI, see “The Command Line Interface” (page 135).
--End--

Reinstalling the Software

When adding a new VPN Gateway to an existing cluster, and the software version on the new VPN Gateway differs from that of the NVGs already in the cluster, you will need to reinstall the software on the new VPN Gateway. Otherwise, reinstalling the software is seldom required except in case of serious malfunction.
When you log in as the boot user and perform a reinstallation of the software, the VPN Gateway is reset to its factory default configuration. All configuration data and the current software are wiped out, including old software image versions or upgrade packages that may be stored in the flash memory card or on the hard disk. Also note that a reinstall must be performed on each VPN Gateway through a console connection.
Note: A reinstall wipes out all configuration data (including network settings). Therefore you should first save all configuration data to a file on a TFTP/FTP/SCP/SFTP server. Using the ptcfg command, installed keys and certificates are included in the configuration data, and can later be restored by using the gtcfg command. For more information about these commands, see the "Configuration Menu" chapter in the Command Reference. If you prefer to make backup copies of your keys and certificates separately, you can use the display or export command. For more information about these commands, see the "Certificate Management Configuration" section under Configuration Menu>SSL Configuration Menu in the Command Reference.
To reinstall a VPN Gateway you will need the following:
Access to the VPN Gateway through a console connection.
An install image, loaded on a FTP/SCP/SFTP server on your network.
The IP address of the FTP/SCP/SFTP server.
The name of the install image.
Log in as user: boot, password: ForgetMe
When performing a reinstallation of the NVG software, access to the VPN Gateways must be accomplished through the console port.
1 Log in as the boot user and provide the correct password.
login: boot
Password: ForgetMe
*** Reinstall Upgrade Procedure ***
If you proceed beyond this point, the active network configuration will be reset, requiring a reboot to restore any current settings. However, no permanent changes will be done until the boot image has been downloaded.
Continue (y/n)? [y]: <Press ENTER to continue>
2 Confirm the network port setting, and the IP network settings.
(reinstall procedure, continued)
Select a network port (1-4, or i for info) [1]: <Press ENTER if correct, or change to the port you are using for network connectivity>
Enter VLAN tag id (or zero for no VLAN tag) [0]: <VLAN tag id or ENTER>
Enter IP address for this iSD [192.168.128.185]: <Press ENTER if the IP address displayed within square brackets is correct.>
Enter network mask [255.255.255.0]: <Press ENTER if correct.>
Enter gateway IP address [192.168.128.1]: <Press ENTER if correct.>
3 Select a download method, specify the server IP address, and the boot image file name.
Note: If the VPN Gateway has not been configured for network access previously, or if you have deleted the VPN Gateway from the cluster by using the /boot/delete command, you must provide information about network settings such as interface port, IP address, network mask, and gateway IP address. No suggested values related to a previous configuration will be presented within square brackets.
(reinstall procedure, continued)
Select protocol (ftp/scp/sftp) [ftp]: ftp
Enter FTP server address: 10.0.0.1
Enter file name of boot image: SSL-7.0.x-boot.img
Enter FTP Username [anonymous]: john
Password: password
Downloading boot image...
Installing new boot image... Done
If the FTP server does not support anonymous login, enter the required FTP user name and password. Anonymous login is the default option.
4 Log in to the VPN Gateway as the admin user, after the device has rebooted on the newly installed boot image.
(reinstall procedure, continued)
Restarting...
Restarting system. Alteon WebSystems, Inc. 0004004C Booting...
Login:
After the new boot image has been installed, the VPN Gateway will reboot and you can log in again when the login prompt appears. This time, log in as the admin user to enter the Setup menu. For more information about the Setup menu.
--End--

Upgrading the NVG Software

The Nortel VPN Gateway (NVG) software image is the executable code running on the VPN Gateway. A version of the image ships with the VPN Gateway, and comes pre-installed on the device. As new versions of the image are released, you can upgrade the software running on your VPN Gateway. Before upgrading, check the accompanying release notes for any specific actions to take for the particular software upgrade package or install image.
There are two types of upgrades:
Minor release upgrade: This is typically a bug fix release. Usually this kind of upgrade can be done without the VPN Gateway rebooting. Thus, the normal operation and traffic flow is maintained. All configuration data is retained. When performing a minor upgrade, you should connect to the Management IP address of the cluster you want to upgrade.
Major release upgrade: This kind of release may contain both bug fixes as well as feature enhancements. The VPN Gateway may automatically reboot after a major upgrade, because the operating system may have been enhanced with new features. All configuration data is retained. When performing a major upgrade, you should connect to the Management IP address of the cluster you want to upgrade.
Upgrading from software version 2.0 to software version 3.0.7: This upgrade needs to be performed in two steps, due to the new database format and software management introduced in version 3.0.7. The procedures are described in detail in "Upgrading iSD-SSL Software from Version 2.0.x to Version 3.x".
Upgrading the software on your VPN Gateway requires the following:
Loading the new software upgrade package or install image onto a FTP/SCP/SFTP server on your network.
Downloading the new software from the FTP/SCP/SFTP server to your VPN Gateway.

Performing Minor/Major Release Upgrades

The following description applies to a minor or a major release upgrade. To upgrade the VPN Gateway you will need the following:
Access to one of your VPN Gateways through a remote connection (Telnet or SSH), or a console connection.
The software upgrade package, loaded on a FTP/SCP/SFTP server on your network.
The host name or IP address of the FTP/SCP/SFTP server. If you choose to specify the host name, note that the DNS parameters must have been configured. For more information, see the "DNS Servers Configuration" section under Configuration Menu>System Configuration in the Command Reference.
The name of the software upgrade package (upgrade packages are identified by the .pkg file name extension).
It is important to realize that the set of installed VPN Gateways you are running in a cluster are cooperating to give you a single system view. Thus, when performing a minor or a major release upgrade, you only need to be connected to the Management IP address of the cluster. The upgrade will automatically be executed on all the VPN Gateways in operation at the time of the upgrade. All configuration data is retained. For a minor upgrade, normal operations are usually unaffected, whereas a major upgrade may cause the VPN Gateway to reboot.
Access to the Management IP address can be accomplished through a Telnet connection or SSH (Secure Shell) connection. Note however that Telnet and SSH connections to the VPN Gateway are disabled by default, after the initial setup has been performed. For more information about enabling Telnet and SSH connections, see “Connecting to the VPN Gateway” (page 136). When you have gained access to the VPN Gateway, use the following procedure.
1 To download the software upgrade package, enter the following command at the Main menu prompt. Then select whether to download the software upgrade package from a FTP/SCP/SFTP server.
>> Main# boot/software/download
Select protocol (ftp/scp/sftp) [ftp]: ftp
2 Enter the host name or IP address of the server.
Enter hostname or IP address of server: <server host name or IP>
3 Enter the file name of the software upgrade package to download.
If needed, the file name can be prefixed with a search path to the directory on the FTP/SCP/SFTP server.
If you are using anonymous mode when downloading the software package from an FTP server, the following string is used as the password (for logging purposes): admin@hostname/IP.isd.
Enter filename on server: <filename.pkg>
FTP User (anonymous): <username or press ENTER for anonymous mode>
Password: <password or press ENTER for default password in anonymous mode>
Received 28200364 bytes in 4.0 seconds
Unpacking... ok
>> Software Management#
--End--

Activating the Software Upgrade Package

The VPN Gateway can hold up to two software versions simultaneously. To view the current software status, use the /boot/software/cur command. When a new version of the software is downloaded to the VPN Gateway, the software package is decompressed automatically and marked as unpacked. After you activate the unpacked software version (which may cause the VPN Gateway to reboot), the software version is marked as permanent. The software version previously marked as permanent will then be marked as old.
For minor and major releases, the software upgrade takes place synchronously among the set of VPN Gateways in a cluster. If one or more VPN Gateways are not operational when the software is upgraded, they will automatically pick up the new version when they are started.
Note: If more than one software upgrade has been performed to a cluster while a VPN Gateway has been out of operation, the VPN Gateway must be reinstalled with the software version currently in use in that cluster. For more information about how to perform a reinstall, see “Reinstalling the Software” (page 70).
When you have downloaded the software upgrade package, you can inspect its status with the /boot/software/cur command.
1 At the Software Management# prompt, enter the following command:
>> Software Management# cur
Version Name Status
------- ---- ------
7.0.1 SSL unpacked
5.1.5 SSL permanent
The downloaded software upgrade package is indicated with the status unpacked. The software versions can be marked with one out of four possible status values. The meanings of these status values are:
unpacked means that the software upgrade package has been downloaded and automatically decompressed.
permanent means that the software is operational and will survive a reboot of the system.
old means the software version has been permanent but is not currently operational. If a software version marked old is available, it is possible to switch back to this version by activating it again.
current means that a software version marked as old or unpacked has been activated. As soon as the system has performed the necessary health checks, the current status changes to permanent.
To activate the unpacked software upgrade package, use the activate command.
2 At the Software Management# prompt, enter:
>> Software Management# activate 7.0.1
Confirm action ’activate’? [y/n]: y
Activate ok, relogin <you are logged out here>
Restarting system.
login:
Note: Activating the unpacked software upgrade package may cause the command line interface (CLI) software to be upgraded as well. Therefore, you will be logged out of the system, and will have to log in again. Wait until the prompt appears. This may take up to 2 minutes, depending on your type of hardware platform and whether the system reboots.
3 After having logged in again, verify the new software version:
login
>> Main# boot/software/cur
Version Name Status
------- ---- ------
7.0.1 SSL permanent
5.1.5 SSL old
In this example, version 7.0.1 is now operational and will survive a reboot of the system, while the software version previously indicated as permanent is marked as old.
Note: If you encounter serious problems while running the new software version, you can revert to the previous software version (now indicated as old). To do this, activate the software version indicated as old. When you log in again after having activated the old software version, its status is indicated as current for a short while. After about one minute, when the system has performed the necessary health checks, the current status is changed to permanent.
--End--
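The status life cycle described above (unpacked, current, permanent, old, and the revert by activating the old version), modelled as an added example that is not part of the Nortel manual. The class SoftwareSlots, its method names and the rule that a download replaces an unpacked or old version are my assumptions.

```python
"""Model of the two-slot software status life cycle described in this section.
Added example, not Nortel code; names and the slot-reuse rule are assumptions."""

UNPACKED, CURRENT, PERMANENT, OLD = "unpacked", "current", "permanent", "old"


def _version_key(version):
    """Sort key so the newest version is listed first, as the CLI output does
    (assumption: dotted numeric version strings such as 7.0.1)."""
    return tuple(int(part) for part in version.split("."))


class SoftwareSlots:
    """Status of the (at most two) software versions held by one VPN Gateway."""

    def __init__(self, running_version, name="SSL"):
        self.name = name
        # A freshly installed gateway runs a single version, marked permanent.
        self.status = {running_version: PERMANENT}

    def download(self, version):
        """/boot/software/download: the package is decompressed and marked
        unpacked.  Assumption: a download replaces a version that is unpacked
        or old, because the gateway holds at most two versions."""
        if version in self.status:
            raise ValueError(f"version {version} is already present")
        if CURRENT in self.status.values():
            raise RuntimeError("an activation is still waiting for its health checks")
        for present, state in list(self.status.items()):
            if state in (UNPACKED, OLD):
                del self.status[present]
        if len(self.status) >= 2:
            raise RuntimeError("no free software slot")
        self.status[version] = UNPACKED

    def activate(self, version):
        """activate <version>: only an unpacked or old version can be activated.
        It becomes current and the permanent version becomes old."""
        if self.status.get(version) not in (UNPACKED, OLD):
            raise ValueError(f"version {version} is not unpacked or old")
        if CURRENT in self.status.values():
            raise RuntimeError("an activation is still waiting for its health checks")
        for present, state in self.status.items():
            if state == PERMANENT:
                self.status[present] = OLD
        self.status[version] = CURRENT

    def health_checks_passed(self):
        """About a minute after relogin the current version becomes permanent."""
        for present, state in self.status.items():
            if state == CURRENT:
                self.status[present] = PERMANENT

    def rollback_candidate(self):
        """The version marked old that activate would revert to, or None."""
        return next((v for v, st in self.status.items() if st == OLD), None)

    def cur(self):
        """Render the listing in the layout of /boot/software/cur."""
        lines = ["Version Name Status", "------- ---- ------"]
        for version in sorted(self.status, key=_version_key, reverse=True):
            lines.append(f"{version} {self.name} {self.status[version]}")
        return "\n".join(lines)


def refused(call, *args):
    """True when the model rejects the call (used by the checks below)."""
    try:
        call(*args)
    except (ValueError, RuntimeError):
        return True
    return False


def upgrade_then_rollback(running="5.1.5", new="7.0.1"):
    """Replay the session in this section: download, activate, health checks,
    then revert to the old version.  Returns the status after each stage."""
    slots = SoftwareSlots(running)
    stages = []
    slots.download(new)
    stages.append(dict(slots.status))
    slots.activate(new)
    stages.append(dict(slots.status))
    slots.health_checks_passed()
    stages.append(dict(slots.status))
    slots.activate(slots.rollback_candidate())
    slots.health_checks_passed()
    stages.append(dict(slots.status))
    return stages
```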

Managing Users and Groups

This chapter describes the rules that govern administrator/operator user rights, how to add or delete users from the system, how to set or change group assignments, and how to change login passwords.

User Rights and Group Membership

Group membership dictates user rights, according to User Rights and Group Membership. When a user is a member of more than one group, user rights accumulate. The admin user, who by default is a member of all four groups, therefore has the same user rights as granted to members in the certadmin and oper group, in addition to the specific user rights granted by the admin group membership. The most permissive user rights become the effective user rights when a user is a member of more than one group. For more information about default user groups and related access levels, see also “Accessing the NVG Cluster” (page 140).

Adding a New User

To add a new user to the system, you must be a member of the admin group. By default, only the admin user is a member of the admin group.
In this configuration example, a Certificate Administrator user is added to the system, and then assigned to the certadmin group. The Certificate Administrator is supposed to specialize in managing certificates and private keys, without the possibility to change system parameters or configure virtual SSL servers. A user who is a member of the certadmin group can therefore access the Certificate menu (/cfg/cert), but not the SSL Server menu (/cfg/ssl/server). Access to the System menu (/cfg/sys) is limited, and entails access only to the User Access Control submenu (/cfg/sys/user).
1 Log in to the NVG cluster as the admin user.
login: admin
Password: (admin user password)
2 Access the User Menu.
>> Main# /cfg/sys/user
------------------------------------------------------------
[User Menu]
passwd - Change own password
expire - Set password expire time interval
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user
caphrase - Certadmin export passphrase
3 Add the new user and designate a user name.
The maximum length for a user name is 255 characters. No spaces are allowed. Each time the new user logs in to the NVG cluster, the user must enter the name you designate as the user name in this step.
>> User# add
Name of user to add: cert_admin (maximum 255 characters, no spaces)
4 Assign the new user to a user group.
You can only assign a user to a group in which you yourself are a member. When this criterion is met, users can be assigned to one or more of the following groups:
oper
admin
tunnelguard
certadmin
By default, the admin user is a member of all preceding groups, and can therefore assign a new or existing user to any of these groups. The group assignment of a user dictates the user rights and access levels to the system.
>> User# edit cert_admin
>> User cert_admin# groups/add
Enter group name: certadmin
5 Verify and apply the group assignment.
When typing the list command, the current and pending group assignment of the user being edited is listed by index number and group name. Because the cert_admin user is a new user, the current group assignment listed by Old: is empty.
>> Groups# list
Old:
Pending:
1: certadmin
>> Groups# apply
Changes applied successfully.
6 Define a login password for the user.
When the user logs in to the NVG cluster the first time, the user will be prompted for the password you define in this step. When successfully logged in, the user can change his or her own password. The login password is case sensitive and can contain spaces.
>> Groups# /cfg/sys/user
>> User# edit cert_admin
>> User cert_admin# password
Enter admin’s current password: (admin user password)
Enter new password for cert_admin: (cert_admin user password)
Re-enter to confirm: (reconfirm cert_admin user password)
7 Apply the changes.
>> User cert_admin# apply
Changes applied successfully.
8 Let the Certificate Administrator user define an export passphrase.
This step is only necessary if you want to fully separate the Certificate Administrator user role from the Administrator user role. If the admin user is removed from the certadmin group, a Certificate Administrator export passphrase (caphrase) must be defined.
As long as the admin user is a member of the certadmin group (the default configuration), the admin user is prompted for an export passphrase each time a configuration backup that contains private keys is sent to a TFTP/FTP/SCP/SFTP server (command: /cfg/ptcfg). When the admin user is not a member of the certadmin group, the export passphrase defined by the Certificate Administrator is used instead to encrypt private keys in the configuration backup. The encryption of private keys using the export passphrase defined by the Certificate Administrator is performed transparently to the user, without prompting. When the configuration backup is restored, the Certificate Administrator must enter the correct export passphrase.
Note 1: If the export passphrase defined by the Certificate Administrator is lost, configuration backups made by the admin user while he or she was not a member of the certadmin group cannot be restored.
Note 2: When using the /cfg/ptcfg command on an ASA 310-FIPS, private keys are always encrypted using the wrap key that was generated when the first HSM card in the cluster was initialized.
The export passphrase defined by the Certificate Administrator remains the same until changed by using the /cfg/sys/user/caphrase command. For users who are not members of the certadmin group, the caphrase command in the User menu is hidden. Only users who are members of the certadmin group should know the export passphrase. The export passphrase can contain spaces and is case sensitive.
>> User cert_admin# ../caphrase
Enter new passphrase:
Re-enter to confirm:
Passphrase changed.
9 Remove the admin user from the certadmin group.
Again, this step is only necessary if you want to fully separate the Certificate Administrator user role from the Administrator user role. Note however, once the admin user is removed from the certadmin group, only a user who is already a member of the certadmin group can grant the admin user certadmin group membership. When the admin user is removed from the certadmin group, only the Certificate Administrator user can access the Certificate menu (/cfg/cert).
Note: It is critical that a Certificate Administrator user is created and assigned certadmin group membership before the admin user is removed from the certadmin group. Otherwise there is no way to assign certadmin group membership to a new user, or to restore certadmin group membership to the admin user, should it become necessary.
>> User# edit admin
>> User admin# groups/list
1: tunnelguard
2: admin
3: oper
4: certadmin
>> Groups# del 4
10 Verify and apply the changes.
>> Groups# list
Old:
1: tunnelguard
2: admin
3: oper
4: certadmin
Pending:
1: tunnelguard
2: admin
3: oper
>> Groups# apply
--End--

Adding Users through RADIUS

The RADIUS system administrator can add VPN Gateway administrator users to the RADIUS configuration without being an administrator of the NVG, because the users do not need to be configured locally on the NVG. By assigning suitable administrator groups to these users in RADIUS, the users can be given the desired access rights to the CLI/BBI.
When the user logs in to the CLI/BBI and is successfully authenticated, the RADIUS server returns the groups to which the user belongs. The groups are compared to the fixed administrator groups on the VPN Gateway, that is, tunnelguard, admin, oper and certadmin. If a match is found, the logged on user is given the administration rights pertaining to the matching group(s). Otherwise, the user is denied access.
See the /cfg/sys/adm/auth/group command in the User’s Guide.

Changing a User’s Group Assignment

Only users who are members of the admin group can remove other users from a group. All users can add an existing user to a group, but only to a group in which the "granting" user is already a member. The admin user, who by default is a member of all four groups (admin, oper, tunnelguard and certadmin) can therefore add users to any of these groups.
1 Log in to the NVG cluster.
In this example the cert_admin user, who is a member of the certadmin group, will add the admin user to the certadmin group. The example assumes that the admin user previously removed himself or herself from the certadmin group, to fully separate the Administrator user role from the Certificate Administrator user role.
login: cert_admin
Password: (cert_admin user password)
2 Access the User Menu.
>> Main# /cfg/sys/user
------------------------------------------------------------
[User Menu]
passwd - Change own password
expire - Set password expire time interval
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user
caphrase - Certadmin export passphrase
3 Assign the admin user certadmin user rights by adding the admin user to the certadmin group.
>> User# edit admin
>> User admin# groups/add
Enter group name: certadmin
Note: A user must be assigned to at least one group at any given time. If you want to replace a user’s single group assignment, you must therefore always first add the user to the desired new group, then remove the user from the old group.
4 Verify and apply the changes.
>> Groups# list Old:
1: tunnelguard 2: admin 3: oper
Pending:
1: tunnelguard 2: admin 3: oper 4: certadmin
>> Groups# apply
--End--

Changing a User’s Password

Changing Your Own Password

All users can change their own password. Login passwords are case sensitive and can contain spaces.
1 Log in to the NVG cluster by entering your user name and current password.
login: cert_admin
Password: (cert_admin user password)
2 Access the User Menu.
>> Main# /cfg/sys/user
------------------------------------------------------------
[User Menu]
passwd - Change own password
expire - Set password expire time interval
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user
caphrase - Certadmin export passphrase
3 Type the passwd command to change your current password.
When your own password is changed, the change takes effect immediately without having to use the apply command.
>> User# passwd
Enter cert_admin’s current password: (current cert_admin user password)
Enter new password: (new cert_admin user password)
Re-enter to confirm: (reconfirm new cert_admin user password)
Password changed.
--End--

Changing Another User’s Password

Only the admin user can change another user’s password, and only if the admin user is a member of the other user’s first group, i.e., the group that is listed first for the user with the /cfg/sys/user/edit <username>/groups/list command. Login passwords are case sensitive and can contain spaces.
1 Log in to the NVG cluster as the admin user.
login: admin
Password: (admin user password)
2 Access the User Menu.
>> Main# /cfg/sys/user
------------------------------------------------------------
[User Menu]
passwd - Change own password
expire - Set password expire time interval
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user
caphrase - Certadmin export passphrase
3 Specify the user name of the user whose password you want to change.
>> User# edit
Name of user to edit: cert_admin
4 Type the password command to initialize the password change.
>> User cert_admin# password
Enter admin’s current password: (admin user password)
Enter new password for cert_admin: (new password for user being edited)
Re-enter to confirm: (confirm new password for user being edited)
5 Apply the changes.
>> User cert_admin# apply
Changes applied successfully.
--End--

Deleting a User

To delete a user from the system, you must be a member of the admin group. By default, only the admin user is a member of the admin group.
Note: Remember that when a user is deleted, that user’s group assignment is also deleted. If you are deleting a user who is the sole member of a group, none of the remaining users on the system can then be added to that group. Existing users can only be added to a group by a user who is already a member of that group. Before deleting a user, you may therefore want to verify that the user is not the sole member of a group.
1 Log in to the NVG cluster as the admin user.
login: admin
Password: (admin user password)
2 Access the User Menu.
>> Main# /cfg/sys/user
------------------------------------------------------------
[User Menu]
passwd - Change own password
expire - Set password expire time interval
list - List all users
del - Delete a user
add - Add a new user
edit - Edit a user
caphrase - Certadmin export passphrase
3 Specify the user name of the user you want to remove from the system configuration.
In this example, the cert_admin user is removed from the system. To list all users that are currently added to the system configuration, use the list command.
>> User# del cert_admin
4 Verify and apply the changes.
The imminent removal of the cert_admin user is indicated as a pending configuration change by the minus sign (-). To cancel a configuration change that has not yet been applied, use the revert command.
>> User# list
oper
root
admin
-cert_admin
>> User# apply
--End--
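The membership and password rules stated in this chapter (User Rights and Group Membership, Adding a New User, Changing a User’s Group Assignment, Changing Another User’s Password and Deleting a User), written as an added example that is not part of the Nortel manual. The class UserStore, its method names and the placeholder passwords are my own; the pending/apply step of the CLI is not modelled.

```python
"""Rules-as-code for the local administrator accounts described in this chapter.
Added example, not Nortel code; names and starting passwords are constructed."""

GROUPS = ("tunnelguard", "admin", "oper", "certadmin")


class AccessDenied(Exception):
    """The acting user lacks the group membership the rule requires."""


class UserStore:
    def __init__(self):
        # Default configuration: the admin user is a member of all four groups.
        self.groups = {"admin": list(GROUPS)}            # user -> ordered groups
        self.passwords = {"admin": "admin-placeholder"}  # constructed value

    def _require_admin_group(self, actor):
        if "admin" not in self.groups.get(actor, []):
            raise AccessDenied(f"{actor} is not a member of the admin group")

    def add_user(self, actor, name):
        """/cfg/sys/user/add: admin group only; names up to 255 chars, no spaces."""
        self._require_admin_group(actor)
        if not 0 < len(name) <= 255 or " " in name:
            raise ValueError("user name: 1-255 characters, no spaces")
        if name in self.groups:
            raise ValueError(f"user {name} already exists")
        self.groups[name] = []
        self.passwords[name] = None

    def add_to_group(self, actor, user, group):
        """groups/add: the granting user must itself be a member of the group."""
        if group not in GROUPS:
            raise ValueError(f"unknown group {group}")
        if group not in self.groups[actor]:
            raise AccessDenied(f"{actor} cannot grant {group}: not a member")
        if group not in self.groups[user]:
            self.groups[user].append(group)

    def remove_from_group(self, actor, user, group):
        """groups/del: admin group only, and a user always keeps one group."""
        self._require_admin_group(actor)
        if group not in self.groups[user]:
            raise ValueError(f"{user} is not a member of {group}")
        if len(self.groups[user]) == 1:
            raise ValueError("a user must belong to at least one group")
        self.groups[user].remove(group)

    def set_password(self, actor, user, actor_current, new):
        """passwd / edit <user> password: the actor confirms its own current
        password; only the admin user may set another user's password, and only
        when it is a member of that user's first group."""
        if self.passwords[actor] != actor_current:
            raise AccessDenied("current password does not match")
        if actor != user:
            if actor != "admin":
                raise AccessDenied("only the admin user can change another user's password")
            first = self.groups[user][0] if self.groups[user] else None
            if first is None or first not in self.groups["admin"]:
                raise AccessDenied(f"admin is not a member of {user}'s first group")
        self.passwords[user] = new

    def sole_memberships(self, user):
        """Groups that would be left without any member if this user were deleted."""
        others = [g for u, g in self.groups.items() if u != user]
        return [g for g in self.groups[user] if not any(g in m for m in others)]

    def delete_user(self, actor, user):
        """/cfg/sys/user/del: admin group only.  Returns the groups left with no
        member, which nobody can be added to afterwards."""
        self._require_admin_group(actor)
        orphaned = self.sole_memberships(user)
        del self.groups[user]
        del self.passwords[user]
        return orphaned


def refused(call, *args):
    """True when the rules refuse the call (used by the checks below)."""
    try:
        call(*args)
    except (AccessDenied, ValueError):
        return True
    return False


def separate_roles():
    """Walk through the chapter's scenario: create cert_admin in certadmin, set
    its password, then remove the admin user from certadmin.  Returns the store."""
    store = UserStore()
    store.add_user("admin", "cert_admin")
    store.add_to_group("admin", "cert_admin", "certadmin")
    store.set_password("admin", "cert_admin", "admin-placeholder", "cert-pw")
    store.remove_from_group("admin", "admin", "certadmin")
    return store
```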
Certificates and Client Authentication
This chapter describes common tasks involving certificates and client authentication. The chapter also provides detailed step-by-step instructions for generating certificate signing requests, adding certificates to the Nortel VPN Gateway (NVG), generating and revoking client certificates, as well as configuring the VPN Gateway to require client certificates.
The VPN Gateway supports importing certificates in the PEM, NET, DER, PKCS7, and PKCS12 formats. The certificates must conform to the X.509 standard. You can create a new certificate, or use an existing certificate. The VPN Gateway supports using up to 1500 certificates. The basic steps to create a new certificate using the command line interface of the VPN Gateway are:
Generate a Certificate Signing Request (CSR) and send it to a Certificate Authority (CA, such as Entrust or VeriSign) for certification.
Add the signed certificate to the VPN Gateway.
Note: Even though the VPN Gateway supports keys and certificates created by using Apache-SSL, OpenSSL, or Stronghold SSL, the preferred method from a security point of view is to create keys and generate certificate signing requests from within the VPN Gateway by using the command line interface. This way, the encrypted private key never leaves the VPN Gateway, and is invisible to the user.

Generating and Submitting a CSR Using the CLI

1 Initiate requesting a certificate signing request (CSR), and provide the necessary information.
Note: When specifying a certificate number, make sure not to use a number currently used by an existing certificate. To view basic information about all configured certificates, use the /info/certs command. The information displayed lists all configured certificates by their main attributes, including the certificate number (in the Certificate Menu line, such as "Certificate Menu 1:").
Explanations for the requested units of information: Note that you do not have to complete all fields. Only one of Common Name and E-mail Address is strictly required.
Country Name: The two-letter ISO code for the country where the Web server is located. For current information about ISO country codes, visit for example http://www.iana.org/.
State or Province Name: This is the name of the state or province where the head office of the organization is located. Enter the full name of the state or province.
Locality Name: The name of the city where the head office of the organization is located.
Organization Name: The registered name of the organization. This organization must own the domain name that appears in the common name of the Web server.
Do not abbreviate the organization name and do not use any of the following characters:
<>~! @#$%^*/\()?
Organizational Unit Name: The name of the department or group that uses the secure Web server.
Common Name: The name of the Web server as it appears in the URL. This name must be the same as the domain name of the Web server that is requesting a certificate. If the Web server name does not match the common name in the certificate, some browsers will refuse a secure connection with your site. Do not enter the protocol specifier (http://) or any port numbers or path names in the common name. Wildcards (such as * or ?) and IP address are not allowed.
E-mail Address: Enter the user’s e-mail address.
Subject Alternative Name: Comma-separated list of URI:<uri>, DNS:<fqdn>, IP:<IP address>, email:<e-mail address>. Example:
URI:http://www.example.com,email:john@example.com,IP:10.1.2.3
Generate new key pair [y]: In most cases you will want to generate a new key pair for a CSR. However, if a configured certificate is approaching its expiration date and you want to renew it without replacing the existing key, answering no (n) is appropriate. The CSR will then be based on the existing key (for the specified certificate number) instead.
Key size [1024]: Specify the key length of the generated key. The default value is 1024.
Request a CA certificate (y/n) [n]: Lets you specify whether to request a CA certificate to use for client authentication. Requesting a CA certificate is appropriate if you plan to issue your own server certificates or client certificates, generating them from the requested CA certificate. The default value is to not request a CA certificate.
Specify challenge password (y/n) [n]:
2 Generate the CSR.
Press ENTER after you have provided the requested information. The CSR is generated and displayed on screen:
3 Apply your changes.
>> Certificate 1# apply
Changes applied successfully.
4 Save the CSR to a file.
Copy the entire CSR, including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines, and paste it into a text editor. Save the file with a .csr extension. The name you define can indicate the server on which the certificate is to be used.
5 Save the private key to a file.
Note: Provided you intend to use the same certificate number when adding the certificate returned to you (after the CSR has been processed by a certificate authority), this step is only necessary if you want to create a backup copy of the private key. When generating a CSR, the private key is created and stored (encrypted) on the VPN Gateway using the specified certificate number. When you receive the certificate (containing the corresponding public key) and add it to the VPN Gateway, make sure you specify the same certificate number that is used for storing the private key. Otherwise, the private key and the public key in the certificate will not match.
Type the display command and press ENTER. Choose to encrypt the private key, and specify a password phrase. Make sure to remember the password phrase.
Copy the private key, including the "-----BEGIN RSA PRIVATE KEY-----" and "-----END RSA PRIVATE KEY-----" lines, and paste it into a text editor. Save the file with a .key extension. Preferably, use the same file name that you defined for the .csr file, so the connection between the two files becomes obvious. The name you define can indicate the server on which the certificate and the corresponding private key is to be used.
After you have received the processed CSR from a CA, make sure to create a backup copy of the certificate as well.
Note: When using an ASA 310-FIPS, the private key is protected by the HSM card and cannot be exported.
6 Open and copy the CSR.
In a text editor, open the .csr file you created in Step 4. It should appear similar to the following:
Copy the entire CSR, including the "-----BEGIN CERTIFICATE REQUEST-----" and "-----END CERTIFICATE REQUEST-----" lines.
7 Submit the CSR to Verisign, Entrust, or any other CA.
The process for submitting the CSR varies with each CA. Use your Web browser to access your CA’s Web site and follow the online instructions. When prompted, paste the CSR into the space provided on the CA’s online request process. If the CA requires that you specify a server software vendor whose software you supposedly used to generate the CSR, specify Apache.
The CA will return the signed certificate for installation. The certificate is then ready to be added into the VPN Gateway.
--End--
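A pre-flight check of the answers you intend to give at the request prompts, added here as an example and not part of the Nortel guide: it applies the Common Name, Organization Name and Subject Alternative Name rules stated above before you type them into the VPN Gateway. Function names, constant names and the sample answers are this example's own; the rule set is taken from the text.

```python
import ipaddress
import re
FORBIDDEN_ORG_CHARS = set('<>~!@#$%^*/\\()?')  # from the guide; its space taken as layout

def check_common_name(cn):
    """Common Name rules from the guide: no protocol, port, path, wildcard or IP address."""
    problems = []
    if "://" in cn:
        problems.append("common name must not contain a protocol specifier")
    if "/" in cn.split("://")[-1]:
        problems.append("common name must not contain a path")
    if re.search(r":\d+(/|$)", cn):
        problems.append("common name must not contain a port number")
    if "*" in cn or "?" in cn:
        problems.append("wildcards are not allowed in the common name")
    try:
        ipaddress.ip_address(cn)
        problems.append("an IP address is not allowed as common name")
    except ValueError:
        pass  # not an IP address, which is the acceptable case
    return problems

def check_san(san):
    """SAN must be a comma-separated list of URI:, DNS:, IP: and email: entries."""
    problems = []
    for entry in (e.strip() for e in san.split(",") if e.strip()):
        if not entry.startswith(("URI:", "DNS:", "IP:", "email:")):
            problems.append(f"unknown SAN entry type: {entry}")
        elif entry.startswith("IP:"):
            try:
                ipaddress.ip_address(entry[3:])
            except ValueError:
                problems.append(f"bad IP address in SAN entry: {entry}")
    return problems

def validate_csr_answers(answers):
    """answers maps prompt names to intended values; returns a list of problems."""
    problems = []
    if not (answers.get("Common Name") or answers.get("E-mail Address")):
        problems.append("at least one of Common Name and E-mail Address is required")
    if bad := sorted(FORBIDDEN_ORG_CHARS & set(answers.get("Organization Name", ""))):
        problems.append("organization name contains forbidden characters: " + "".join(bad))
    problems += check_common_name(answers.get("Common Name", ""))
    problems += check_san(answers.get("Subject Alternative Name", ""))
    return problems

# Constructed sample answers; the SAN string is the guide's own example.
GOOD = {"Organization Name": "Example Corp", "Common Name": "www.example.com",
        "Subject Alternative Name": "URI:http://www.example.com,email:john@example.com,IP:10.1.2.3"}
BAD = {"Organization Name": "Example (Corp)", "Common Name": "https://www.example.com:443/"}
```

Run validate_csr_answers on your answers before starting the request command; an empty list means the values follow the rules above.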
Adding Certificates to the NVG
Using the encryption capabilities of the VPN Gateway requires adding a key and certificate that conforms to the X.509 standard to the VPN Gateway. If you have more than one VPN Gateway in a cluster, the key and certificate need only be added to one of the devices. As with configuration changes, the information is automatically propagated to all other devices in the cluster.
Note: When using an ASA 310-FIPS running in FIPS mode, the private key associated with a certificate cannot be imported. All private keys must be generated on the HSM card itself due to the FIPS security requirements.
There are two ways to install a key and certificate into the VPN Gateway:
Copy-and-paste the key/certificate.
Download the key/certificate from a TFTP/FTP/SCP/SFTP server.
The VPN Gateway supports importing certificates and keys in these formats:
PEM
NET
DER
PKCS7 (certificate only)
PKCS8 (keys only, used in WebLogic)
PKCS12 (also known as PFX)
Besides these formats, keys in the proprietary format used in MS IIS 4 can be imported by the VPN Gateway, as well as keys from Netscape Enterprise Server or iPlanet Server. Importing keys from Netscape Enterprise Server or iPlanet Server, however, requires that you first use a conversion tool. For more information about the conversion tool, contact Nortel. See “How to Get Help” (page 14) for contact information.
When it comes to exporting certificates and keys from the VPN Gateway, you can specify to save in the PEM, NET, DER, or PKCS12 format when using the export command. If you choose to use the display command (which requires a copy-and-paste operation), you are restricted to saving certificates and keys in the PEM format only.
Note: When performing a copy-and-paste operation to add a certificate or key, you must always use the PEM format.
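A check of the text you are about to paste, added here as an example and not Nortel code: it confirms that the material is PEM rather than binary DER or PKCS12, that both the BEGIN and END lines were included, and that the body decodes to DER, so a truncated or binary paste is caught before it reaches the cert or key prompt. The function names and the tiny sample blocks are constructed for this example.

```python
import base64
import re

# PEM labels the guide tells you to copy including their BEGIN/END lines.
KNOWN_LABELS = {"CERTIFICATE", "CERTIFICATE REQUEST", "RSA PRIVATE KEY"}
PEM_RE = re.compile(r"-----BEGIN ([A-Z ]+)-----\s*(.*?)\s*-----END ([A-Z ]+)-----", re.S)

def pem_blocks(text):
    """Return (label, der_bytes) for each complete PEM block in text.
    Raises ValueError for binary input, a missing END line, mismatched
    labels, or a body that is not base64-encoded DER."""
    if "-----BEGIN" not in text:
        raise ValueError("no PEM header: binary DER/PKCS12 cannot be pasted, convert to PEM")
    blocks = []
    for begin, body, end in PEM_RE.findall(text):
        if begin != end:
            raise ValueError(f"BEGIN {begin} is closed by END {end}")
        if begin not in KNOWN_LABELS:
            raise ValueError(f"unexpected PEM label: {begin}")
        try:
            der = base64.b64decode("".join(body.split()), validate=True)
        except ValueError as exc:  # binascii.Error is a ValueError subclass
            raise ValueError(f"{begin}: body is not valid base64") from exc
        if not der or der[0] != 0x30:  # certificates, CSRs and RSA keys are DER SEQUENCEs
            raise ValueError(f"{begin}: decoded body is not a DER SEQUENCE")
        blocks.append((begin, der))
    if not blocks:
        raise ValueError("BEGIN line found but no matching END line: paste was truncated")
    return blocks

def is_pasteable(text):
    """True when text is PEM that the gateway's copy-and-paste prompts will accept."""
    try:
        pem_blocks(text)
        return True
    except ValueError:
        return False

# Constructed stand-ins: the body decodes to a five-byte DER SEQUENCE, not a real certificate.
SAMPLE_CERT = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n-----END CERTIFICATE-----\n"
SAMPLE_KEY = "-----BEGIN RSA PRIVATE KEY-----\nMAMCAQU=\n-----END RSA PRIVATE KEY-----\n"
TRUNCATED = "-----BEGIN CERTIFICATE-----\nMAMCAQU=\n"
```

The labels returned by pem_blocks also tell you whether a file holds both the key and the certificate, which decides whether a separate key or import step is needed.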
Copy-and-Paste Certificates
The following steps demonstrate how to add a certificate using the copy-and-paste method.
Note: If you connect to one of the VPN Gateways in the cluster by using a console connection, note that HyperTerminal under Microsoft Windows may be slow to complete copy-and-paste operations. If your security policy permits enabling Telnet or SSH access to the VPN Gateway, use a Telnet or SSH client and connect to the Management IP address instead.
Step Action
1 Type the following command from the Main menu prompt to start adding a certificate.
>> Main# cfg/cert
Enter certificate number: (1-) <number of the certificate you want to configure>
>> Certificate 1# cert
Paste the certificate, press Enter to create a new line, and then type "..." (without the quotation marks) to terminate.
>
In most cases you should specify the same certificate number as the certificate number you used when generating the CSR. By doing so, you do not have to add the private key because this key remains connected to the certificate number that you used when you generated the CSR.
If you have obtained a key and a certificate by other means than generating a CSR using the request command on the VPN Gateway, specify a certificate number not used by a configured certificate before pasting the certificate. If the private key and the certificate are not in the same file, use the key or import command to add the corresponding private key.
To view basic information about configured certificates, use the /info/certs command. The information displayed lists all configured certificates by their main attributes.
2 Copy the contents of your certificate file.
Open the certificate file you have received from a CA in a text editor and copy the entire contents. Make sure the selected text includes the "-----BEGIN CERTIFICATE-----" and "-----END CERTIFICATE-----" lines.