Nortel Networks Network Router NN46120 104 User Manual

Nortel VPN Gateway

User Guide

Release: 7.1

Document Revision: 02.01

www.nortel.com

NN46120-104

216368-G

Download from Www.Somanuals.com. All Manuals Search And Download.

Contents

Preface

Who Should Use This Book

Related documentation

For full documentation on installing and using the many features available

in the VPN Gateway software, see the following manuals:

•

VPN Gateway 7.1 Command Reference

(part number 216369-F, April 2008)

Describes each command in detail. The commands are listed per

menu, according to the order they appear in the Command Line

Interface (CLI).

•

VPN Gateway 6.0 Application Guide for SSL Acceleration

(part number 216370-D, April 2008)

Provides examples on how to configure SSL Acceleration through the

CLI.

VPN Gateway 7.1 CLI Application Guide for VPN

(part number 216371-F, April 2008)

Provides examples on how to configure VPN deployment through the

CLI.

VPN Gateway 7.1 BBI Application Guide for VPN

(part number 217239-E, April 2008)

Provides examples on how to configure VPN deployment through the

BBI (Browser-Based Management Interface).

VPN Gateway 7.1 VPN Administrator Guide

(part number 217238-E, April 2008)

VPN management guide intended for end-customers in a Secure

Service Partitioning configuration.

VPN Gateway 3050/3070 Hardware Installation Guide

(part number 216213-B, March 2005)

Describes installation of the VPN Gateway 3050 and 3070 hardware

models.

•

VPN Gateway 7.1 Configuration-Secure Portable Office Client

(part number 324637-A, April 2008

VPN Gateway 7.1 Troubleshooting Guide

(part number 324371-B, April 2008)

Describes the prerequisites and various tools used to troubleshoot the

Nortel VPN Gateway (NVG).

•

VPN Gateway 7.1 Release Notes

(part number 216372-W, April 2008)

Lists new features available in version 7.1 and provides up-to-date

product information.

The preceding manuals are available for download (see “How to Get Help”

(page 14).

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

10 Preface

Product Names

The software described in this manual runs on several different hardware

models. Whenever the generic terms Nortel VPN Gateway, VPN gateway

or NVG are used in the documentation, the following hardware models

are implied:

•

Nortel VPN Gateway 3050 (NVG 3050)

Nortel VPN Gateway 3070 (NVG 3070)

Nortel SSL VPN Module 1000 (SVM 1000)

Nortel SSL Accelerator 310-FIPS (ASA 310-FIPS)

The integrated SSL Accelerator (SSL processor) on the Nortel

2424-SSL switch

•

Nortel VPN Gateway Universal Serial Bus

Similarly, all references to the old product name – iSD-SSL or iSD – in

commands or screen outputs should be interpreted as applying to the

preceding hardware models.

Note: Manufacturing of the Nortel SSL Accelerator (formerly Alteon

SSL Accelerator) has been discontinued.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

How This Book Is Organized

The chapters in this book are organized as follows:

Users Guide

“Introducing the VPN Gateway” (page 15) provides an overview of the

major features of the VPN Gateway, including its physical layout and the

basic concepts of its operation.

“Introducing the ASA 310-FIPS” (page 27) provides information about

the ASA 310 equipped with HSM cards, as well as information about the

available security modes and the concept of iKey authentication.

“Initial Setup” (page 35) describes how to install the NVG in a new cluster,

and how to add an NVG to an existing cluster. The chapter also provides

information about the concept of NVG clusters, as well as the usage and

configuration of ports and networks within a cluster. A section describing

how to reinstall the software is also included.

“Upgrading the NVG Software” (page 73) describes how to upgrade the

NVG software for a minor release upgrade, and a major release upgrade,

as well as upgrading from software versions earlier than 2.0.11.16 to

version 3.0.7.

“Managing Users and Groups” (page 79) describes the management

of users, groups, and passwords. The chapter also explains how the

Administrator user role can be fully separated from the Certificate

Administrator user role.

“Certificates and Client Authentication” (page 93) describes how to

generate and prepare keys and certificates for use with the NVG.

“The Command Line Interface” (page 135) describes how to connect to the

NVG and access the information and configuration menus.

“Troubleshooting the NVG” (page 145) provides suggestions for

troubleshooting basic problems. Information about performing system

diagnostics on the NVG is also included, as well as some operations

related to the ASA 310-FIPS model.

Appendices

provides a list of ciphers supported in this product.

“The SNMP Agent” (page 183) provides information about the SNMP

agent on the NVG, and which MIBs (Management Information Bases) are

supported.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

12 Preface

“Syslog Messages” (page 191), contains a list of all syslog messages

that can be sent to a syslog server that is added to the NVG system

configuration.

“License Information” (page 223) provides licensing information for the

software used in this product.

“HSM Security Policy” (page 233) provides detailed information about the

security policy of the CryptoSwift^®HSM card that comes installed in the

ASA 310-FIPS.

“Definition of Key Codes” (page 253) provides information about how

to compile a keycode definition file to be used with the Terminal applet

available on the Telnet/SSH tab (located under the Portal’s Advanced tab).

“SSH host keys” (page 257) provides information about the purpose of

SSH host keys and how they are used to protect the connection between

the SSH client and the VPN Gateway.

“Adding User Preferences Attribute to Active Directory” (page

261) provides step-by-step instructions on how to add the User

Preferences attribute to Active Directory. This is required to support

storage of Portal bookmarks in Active Directory.

“Using the Port Forwarder API” (page 271) provides instructions on how to

perform the tasks needed when using the Port Forwarder API. The Port

Forwarder API is used to provide tunnels through the Nortel VPN Gateway

(NVG) without the user having to start any applets from the Portal.

“Glossary” (page 285) includes definitions of terminology used throughout

this document.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Typographic Conventions

The following table describes the typographic styles used in this book.

Table 1

Typographic Conventions

Typeface or

Symbol

Meaning

Example

This type is used for names of

commands, files, and directories used

within the text.

View the readme.tx

t file.

AaBbCc123

Main#

It also depicts on-screen computer

output and prompts.

This bold type appears in command

examples. It shows text that must be

typed in exactly as shown.

AaBbCc123

Main# sys

<AaBbCc123

This italicized type appears in

To establish a Telnet

session, enter:

host# telnet <IP

address>

command examples as a parameter

placeholder. Replace the indicated

text with the appropriate real name or

value when using the command. Do

not type the brackets.

This also shows book titles, special

terms, or words to be emphasized.

Read your User’s

Guide thoroughly.

[ ]

Command items shown inside

brackets are optional and can be used

or excluded as the situation demands.

Do not type the brackets.

host# ls[-a]

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

14 Preface

How to Get Help

This section explains how to get help for Nortel products and services.

Getting help from the Nortel Web site

The best way to get technical support for Nortel products is from the Nortel

Technical Support Web site: https://www.nortel.com/support/

This site provides quick access to software, documentation, bulletins, and

tools to address issues with Nortel products. From this site, you can:

•

download software, documentation, and product bulletins for answers

to technical issues

for Nortel equipment

open and manage technical support cases

Getting help over the phone from a Nortel Solutions Center

If you do not find the information you require on the Nortel Technical

Support web site, and have a Nortel support contract, you can also get

help over the phone from a Nortel Solutions Center. In North America,

call 1-800-4NORTEL (1-800-466-7835). Outside North America, go

to the following web site to obtain the phone number for your region:

www.nortel.com/callus

Getting help from a specialist by using an Express Routing Code

An Express Routing Code (ERC) is available for many Nortel products and

services. When you use an ERC, your call is routed to a technical support

person who specializes in supporting that product or service. To locate the

ERC for your product or service, go to: http://www.nortel.com/erc/

Getting help through a Nortel distributor or reseller

If you purchased a service contract for your Nortel product from a

distributor or authorized reseller, contact the technical support staff for that

distributor or reseller.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Introducing the VPN Gateway

The Nortel VPN Gateway (NVG) software includes two major functionality

groups:

•

SSL Acceleration

VPN

These features can be used separately or be combined. This User’s Guide

covers the basic tasks that need to be completed irrespective of which

feature you wish to deploy.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

16 Introducing the VPN Gateway

SSL Acceleration

The VPN Gateway can function as a peripheral Secure Sockets Layer

(SSL) offload platform that attaches to a Nortel Application Switch or a

comparable switch from another vendor. (The VPN Gateway can also

operate in standalone mode, i.e. without being connected to a switch.)

The VPN Gateway performs a TCP three-way handshake with the client

through the Nortel Application Switch and performs all the SSL encryption

and decryption for the session. Combined with the load balancing

features of the Nortel Application Switch, the VPN Gateway offloads SSL

encryption/decryption functions from back-end servers.

For examples on how to configure the VPN Gateway for SSL Acceleration,

see the Application Guide for SSL Acceleration.

For more information about the basic operations of the VPN Gateway, see

the "Public Key Infrastructure and SSL" chapter in the Application Guide

for SSL Acceleration.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Getting help through a Nortel distributor or reseller 17

VPN

The VPN feature supports remote access to intranet or extranet resources

(applications, mail, files, intranet web pages) through a secure connection.

What information should be accessible to the remote user after login is

determined by access rules (ACLs).

The intranet’s resources can be accessed in clientless mode, transparent

mode or both:

•

From any computer connected to the Internet (clientless mode). The

remote user connects to the VPN Gateway through a secure SSL

connection through the web browser. When successfully authenticated,

the user can access services and resources on the intranet from a

Web Portal provided by the VPN Gateway. Clientless mode also

enables download of the Net Direct client, a simple and secure method

for accessing intranet resources through the remote user’s native

applications.

•

From a computer with the Nortel IPsec VPN client (formerly Contivity

VPN client) or the Nortel SSL VPN client installed (transparent mode).

For examples on how to configure the VPN Gateway for VPN deployment,

see the Application Guide for VPN.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

18 Introducing the VPN Gateway

Hardware Platforms

The VPN Gateway software is supported on the following hardware

platforms:

•

Nortel VPN Gateway 3050 and 3070

Nortel SSL VPN Module 1000

Nortel SSL Accelerator 310 and 410

Nortel SSL Accelerator 310-FIPS, with FIPS-compliant Hardware

Security Module (HSM). See “Introducing the ASA 310-FIPS” (page

27).

•

Nortel 2424-SSL Application Switch

For a detailed technical specification of the hardware platforms, see the

"Specifications" appendix in the VPN Gateway 3050/3070 Hardware

Installation Guide and the Alteon SSL Accelerator Hardware Installation

Guide respectively.

No hardware installation is required for the Nortel Application Switch

2424-SSL. The VPN Gateway software resides on the SSL Processor

which is mounted inside the switch chassis.

Note: Manufacturing of the Nortel SSL Accelerator (formerly Alteon

SSL Accelerator) has been discontinued.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Software Features 19

Feature List

Software Features

Web Portal

•

Web Portal interface for remote users accessing the VPN Gateway in

clientless mode, that is, through the browser.

Corporate resources available to users as preconfigured group links or

accessible through the Portal tabs.

Support for native Telnet and SSH (including X11 forwarding) access

to intranet servers through terminal Java applet (available on the

Portal’s Advanced tab).

•

Support for handling plugins, Flash and Java applets using HTTP

proxy Java applet (available on the Portal’s Advanced tab).

Support for application tunneling (port forwarding) through SOCKS

encapsulated in SSL (available on the Portal’s Advanced tab).

API provided for developing a custom application that automatically

logs in the user to the desired VPN and executes a previously

configured port forwarder link

•

Support for customizing the Web Portal, for example, color, logo,

language and company name.

Three user views available (novice, medium and advanced) to limit

access to Portal tabs.

Support for automatic redirection of requests to another URL (Portal

pass-through).

•

Support for Portal bookmarks.

Ability to specify domains for which single sign-on is allowed.

Net Direct client (SSL). VPN client temporarily downloaded from the

Portal and removed when the user exits the session. On Windows, Net

Direct is also available as an installable client (setup.exe file).

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

20 Introducing the VPN Gateway

Transparent Mode Access

Access to intranet resources in transparent mode, that is, without going

through the Web Portal, is accomplished using Windows VPN clients

installed on the client PCs. In this mode, remote users will experience

network access as if sitting within the local area network. The following

VPN clients are available:

•

Nortel SSL VPN client (TDI and LSP version).

Nortel IPsec VPN client (formerly the Contivity VPN client). Not

supported on the ASA 310, ASA 310-FIPS and ASA 410 hardware

models.

•

Net Direct installable client.

User Authentication

User authentication is supported using the following methods:

•

RADIUS (including Challenge/Response)

LDAP (including Microsoft Active Directory)

NTLM (Windows NT Domain, including Microsoft Active Directory)

Secure Computing SafeWord (RADIUS)

Netegrity SiteMinder

RSA SecurID (native or through RADIUS)

RSA ClearTrust

ActivCard (RADIUS)

Novell NDS/eDirectory (LDAP)

Client certificate authentication

Local database authentication

User Authorization

User authorization is controlled through the user’s group membership. Two

different authorization profile types are supported:

•

The base profile defines a group member’s access rights to networks,

services and paths.

•

The extended profile (optional) also defines a group member’s access

rights depending on conditions related to the user’s connection, for

example, source network, authentication method, access method,

client certificate installed and/or Tunnel Guard checks passed.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Software Features 21

Client Security

•

Tunnel Guard. Feature for checking the security aspects of the remote

PC client, that is, installed antivirus software, DLLs, executables and

so on.

•

WholeSecurity support. Lets you enable a scan of the client PC before

the remote user is allowed to log in to the VPN.

•

User session auto-logoff.

Cache and browser history automatically cleared (only for Internet

Explorer).

Accounting and Auditing

•

Support for logging user session start and stop messages to a syslog

or RADIUS accounting server. The messages can include VPN ID,

user name, gateway address, session ID, session time and cause of

termination.

•

Support for logging CLI and Web User Interface operations (for

example, login, logout and executed operation) to a syslog or RADIUS

accounting server.

Networking

•

Supports creating multiple interfaces within a cluster, for example, to

separate client traffic and management traffic. (Not supported on the

Nortel Application Switch 2424-SSL).

•

Support for clustering over multiple subnets.

Supports assigning two physical network ports to one interface, to

create a port failover (high availability) solution where one VPN

Gateway is attached to two Nortel Application Switches.

Secure Service Partitioning

The NVG software provides the ability to partition a cluster of VPN

Gateways into separate VPNs. This gives service providers (ISPs) the

possibility to host multiple VPN end-customers on a shared Remote

Access Services (RAS) platform. Requires a license.

•

Supports hosting of up to 250 public termination points for

end-customer SSL and IPsec VPNs.

•

Secure VPN binding. Each VPN is bound to a private IP interface.

VLAN tagging can be used when private IP address spaces overlap.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

22 Introducing the VPN Gateway

•

Private network authentication. Existing authentication servers within

the customer’s private network can be used.

Access control. Unique access rules can be specified for each user

group in the various VPNs.

Private network name resolution. If desired, private network DNS

servers can be mapped to the VPN.

Split administration. VPN Portal management is enabled for each

VPN customer through a web interface, without exposing global

administration access.

•

High availability. The Secure Service Partitioning solution is compatible

with the NVG cluster’s high availability solutions.

Branch Office Tunnels

The NVG software provides the ability to configure IPsec-based branch

office tunnels. Several peer-to-peer branch office tunnels can be

configured for each virtual private network (VPN).

The following number of branch office tunnels can be configured per

hardware model:

•

NVG 3070: 2500

NVG 3050: 1000

Nortel 2424-SSL Application Switch: 500

For example, a cluster of two NVG 3070s support 5000 branch office

tunnels.

Portal Guard

Feature used to "convert" an existing HTTP site to generate HTTPS links,

secure cookies and so on. The VPN Gateway will not only handle the SSL

processing but also see to it that all existing web links are rewritten to

HTTPS. This eliminates the need to rewrite each link manually. Requires a

license.

SSL Acceleration

The NVG software also includes features for SSL acceleration. Note

that these features in some cases require interoperation with a Nortel

Application Switch.

•

Supports accelerated SSL processing by offloading SSL encryption

and decryption from backend servers.

•

Supports load balancing of encrypted and unencrypted traffic for up

to 256 backend servers, with health checking and persistent client

connections.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Software Features 23

•

Ability to create multiple clusters of VPN Gateways, each capable of

serving its own group of real servers.

•

Supports rewriting of client requests.

Ability to transmit additional information to the backend servers.

Supports end-to-end encryption.

Compatible with all Nortel Application Switches, Nortel Web Switches

and comparable switches from other vendors.

SSL Acceleration is covered in the Application Guide for SSL Acceleration.

Scalability and Redundancy

Support for 256 VPN Gateways per cluster

•

Support for 256 virtual SSL servers

Provides dynamic plug and play – VPN Gateways can be added to or

removed from a cluster dynamically without disrupting network traffic

•

Provides a single system image (SSI) – all VPN Gateways in a given

cluster are configured as a single system

High level of redundancy in the master/slave cluster design; even if

three master VPN Gateways in a cluster would fail, additional slave

NVGs will still be operational and can accept configuration changes

Certificate and Key Management

•

Server and client authentication

Generation and revocation of client certificates

Automatic retrieval of certificate revocation lists (CRLs)

Validation of private keys and certificates

Generation of certificate signing requests (CSRs)

Generation of self-signed certificates

Public Key Infrastructure

•

RSA pair key generation

Server certificate enrollment

Server key and certificate import/export

Key and certificate renewal

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

24 Introducing the VPN Gateway

Supported Key and Certificate Formats

PEM

DER

•

NET

PKCS12

PKCS8

KEY(MS IIS4.0)

Supported Handshake Protocols

•

SSL versions 2.0, 3.0

TLS version 1.0

Hash Algorithms

•

Message Digest 5 (MD5)

SHA1

Cipher Suites

All ciphers covered by SSL version 2.0, 3.0 and TLS version 1.0, except

the IDEA and FORTEZZA ciphers. Also see “Supported Ciphers” (page

177).

Management

Web User Interface (HTTP or HTTPS).

•

Command Line Interface (CLI) access through Telnet/SSH or serial

port.

•

SNMP version 1, version 2c and version 3.

RADIUS authentication of CLI/BBI administrator users (including

console access).

Statistics

•

Statistics can be viewed per access method (SSL or IPsec) for the

whole cluster as well as for specific VPN Gateways, SSL servers and

VPNs.

•

Support for histograms, for example, to measure transactions per

second (TPS) and throughput.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Software Features 25

Virtual Desktop

Symantec On-Demand Agent (SODA) provides a Virtual Desktop

environment to secure Web-based applications and services. Virtual

Desktop is a Java application that provides protection against lost or

theft of sensitive information. Files created while in the virtual desktop

are encrypted as they are saved to a hard drive or removable media.

Integrating Virtual Desktop with NVG will provide a secure environment for

end users while accessing confidential information.

Secure Portable Office (SPO) Client

The SPO client provides VPN access from portable storage such as USB

compliant flash memory and CD ROM.

The SPO client provides enhanced mobility, portability, and security

compared to traditional VPN access methods. The SPO client can be

deployed and managed from the NVG server thus simplifying SPO client

maintenance and updates.

For more information about Secure Portal Office Client, see Configuration -

Secure Portable Client Guide.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

26 Introducing the VPN Gateway

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Introducing the ASA 310-FIPS

This section provides information about the ASA 310-FIPS model, which

comes installed with the HSM (Hardware Security Module) card. The HSM

card complies with all the security requirements specified by the Federal

Information Processing Standard (FIPS) 140-1, Level 3 standards. Each

ASA 310-FIPS device is equipped with two identical HSM cards.

Note: When using the ASA 310-FIPS device in a cluster, remember

that all NVG devices in the cluster must be of the ASA 310-FIPS model.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

28 Introducing the ASA 310-FIPS

HSM Overview

The HSM card found on the ASA 310-FIPS model is an SSL accelerator,

just like the ordinary CryptoSwift card found on the regular ASA 410

model. In addition to cryptographic acceleration, the HSM card brings

extra security to sensitive operations and is designed to withstand physical

tampering.

•

The HSM card provides a secure storage area for cryptographic key

information. The storage area is secured by a constantly monitored

tamper detection circuit. If tampering is detected, the battery backup

power to memory circuits on the card is removed. Critical security

parameters, such as private keys that are in the storage area, will then

be destroyed and rendered useless to the intruder.

•

Any sensitive information that is transferred between two HSM cards

within the same ASA 310-FIPS, or between any number of HSM cards

within a cluster of ASA 310-FIPS devices, is encrypted using a shared

secret stored (also known as a wrap key) on the HSM card.

Some user operations require a two-phase authentication, which

involves using both hardware tokens (called iKeys) and an associated

password to provide an extra layer of security. For example, if the

ASA 310-FIPS is power cycled (as in the case of theft), no SSL traffic

is processed until the operator logs in to the HSM card using both an

iKey and the correct password.

•

All cryptographic requests, such as generating private keys or

performing encryption, are automatically routed to the HSM card by the

NVG application and performed on the HSM card only.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

FIPS140-1 Level 3 Security 29

Extended Mode vs. FIPS Mode

When installing the very first ASA 310-FIPS into a new cluster, you can

choose to initialize the HSM cards in either Extended mode or FIPS mode.

Extended mode is the default selection, and is appropriate whenever your

security policy does not explicitly require that you conform to the FIPS

140-1, Level 3 standard (see the following for more information).

The main difference between Extended mode and FIPS mode involves

how private keys are handled. For both modes, all private keys are stored

encrypted in the database on the ASA 310 FIPS. When the HSM card is

initialized in Extended mode, the encrypted private key needed to perform

a specific operation is transferred to the HSM card over the PCI bus. The

private key is then decrypted on the HSM card itself, using the wrap key

that was generated during the initialization and because stored on the

card. The private key is thus never exposed in plain text outside the HSM

card.

When the HSM card is initialized in FIPS mode, the encrypted private key

needed to perform a specific operation is read from the database into

RAM, together with the wrap key from the HSM card. The private key

is then decrypted in RAM, where it remains accessible for subsequent

operations.

Also, when the ASA 310-FIPS is initialized in FIPS mode, all private keys

must be generated on the ASA 310-FIPS device itself. Importing private

keys, or certificate files that contain private keys, is not allowed due to

the FIPS security requirements. This means that certain CLI commands

that are used for importing certificates and keys through a copy and paste

operation, or through TFTP/FTP/SCP/SFTP, cannot be used when the

ASA 310-FIPS is initialized in FIPS mode.

FIPS140-1 Level 3 Security

The HSM card contains all of the security requirements specified by the

FIPS 140-1, Level 3 standards. FIPS 140-1 is a U.S. government standard

for implementations of cryptographic modules, that is, hardware or

software that encrypts and decrypts data or performs other cryptographic

operations (such as creating or verifying digital signatures).

FIPS 140-1 is binding on U.S. government agencies deploying applications

that use cryptography to secure sensitive but unclassified (SBU)

information, unless those agencies have been specifically exempted from

compliance by the relevant U.S. laws referenced in the standard.

For more information about the FIPS specification, visit http://csrc.nist.gov/

publications/fips/index.htmland scroll down to "FIPS 140-1".

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

30 Introducing the ASA 310-FIPS

The Concept of iKey Authentication

Access to sensitive data on a ASA 310-FIPS is protected by a combination

of hardware tokens (called iKeys), passwords, and encryption procedures.

The iKey is a cryptographic token that is used as part of the authentication

process for certain operations involving the HSM cards. Whenever you

perform an operation on the ASA 310-FIPS calling for iKey authentication,

you are prompted by the Command Line Interface to insert the requested

iKey into the USB port on the appropriate HSM card. (When prompted for

a particular iKey, a flashing LED always directs you to the correct HSM

card.)

Types of iKeys

For each HSM card there are two unique iKeys used for identity-based

authentication: the HSM-SO iKey, and the HSM-USER iKey. Each of

these iKeys define the two user roles available: Security Officer and User.

A password must be defined for each user role, and the passwords are

directly associated with the corresponding iKey. The ASA 310-FIPS is

equipped with two HSM cards, and you therefore need to maintain two

pairs of HSM-SO and HSM-USER iKeys with their associated passwords

for each single ASA 310-FIPS device.

After a HSM card has been initialized, that card will only accept the

HSM-SO and HSM-USER iKeys that were used when initializing that

particular card. You cannot create backup copies of the associated

HSM-SO iKey and HSM-USER iKey, and a lost HSM-SO or HSM-USER

password cannot be retrieved. It is therefore extremely important that you

establish routines for how the iKeys are handled.

Wrap Keys for ASA 310-FIPS Clusters

In addition to the HSM-SO and HSM-USER iKeys specific for each

HSM card, one pair of iKeys (the black HSM-CODE iKeys) need also be

maintained for each cluster of ASA 310-FIPS units.

Note: You are strongly recommended to label two of the black

HSM-CODE iKeys "CODE-SO" and "CODE-USER" respectively; these

iKeys will be referred to as such both in the documentation and in the

Command Line Interface.

During the initialization of the first ASA 310-FIPS in a cluster, a wrap key is

automatically generated. The wrap key is a secret shared among all ASA

310-FIPS in the cluster. It encrypts and decrypts sensitive information

that is sent over the PCI bus within an ASA 310-FIPS, and over the

network among the ASA 310-FIPS devices in the cluster. By inserting

the CODE-SO iKey and the CODE-USER iKey in turns when requested

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Available Operations and iKeys Required 31

by the Setup utility, the wrap key is split onto these two iKeys. When

adding an additional ASA 310-FIPS to the cluster, the CODE-SO and the

CODE-USER iKeys are used to transfer the wrap key to the HSM cards

on NVG device(s) that have been added. Once the wrap key has been

transferred, all synchronization of sensitive information within the cluster

takes place transparently to the user.

No passwords are associated with the CODE-SO and CODE-USER

iKeys. However, for all operations that involves using the CODE-SO and

CODE-USER iKeys, these keys are used in addition to the HSM-SO

and HSM-USER iKeys (which in turn require the correct passwords for

successful authentication).

CAUTION

If you enter the wrong password for the HSM-USER fifteen (15) times in a row,

the HSM-USER iKey will be rendered unusable. This is due to the strict security

specifications placed on the ASA 310-FIPS.

Available Operations and iKeys Required

For information about the type of iKeys required to perform a specific

operation, see Table 2 "Available Operations and iKeys Required" (page

31).

Table 2

Available Operations and iKeys Required

Type of iKey Required

Operation Performed

HSM-SO

HSM-US

CODE-SO and

CODE-USER

Installing a new ASA

310-FIPS in a new cluster

Adding an ASA 310-FIPS to

an existing cluster

Logging in to the HSM card

Splitting the wrap key onto a

pair of CODE iKeys

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

32 Introducing the ASA 310-FIPS

Table 2

Available Operations and iKeys Required (cont’d.)

Type of iKey Required

Operation Performed

HSM-SO

HSM-US

CODE-SO and

CODE-USER

Changing the HSM-SO iKey

password

Note: To resume normal

operations after having

changed the HSM-SO iKey

password, the HSM-USER

iKey is required to re-login to

the HSM card.

Changing the HSM-USER

iKey password

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Available Operations and iKeys Required 33

Additional HSM Information

•

For detailed information about installing a new ASA 310-FIPS in a

new cluster or adding an ASA 310-FIPS in an existing cluster, see “

Installing an ASA 310-FIPS” (page 58).

•

For detailed information about how to log in to the HSM card after a

reboot, see “An ASA 310-FIPS Stops Processing Traffic” (page 153).

For information about how to split the wrap key onto a backup set of

CODE-SO and CODE-USER iKeys, or how to change an HSM-SO or

HSM-USER iKey password, see the Hardware Security Module Menu

under the Maintenance Menu in the User’s Guide.

•

For information about how to reset the HSM cards, see “Resetting

HSM Cards on the ASA 310-FIPS” (page 155).

For information about HSM card LED status, see Chapter 1 of the

Hardware Installation Guide.

For information about the HSM card’s security policy, see “HSM

Security Policy” (page 233) .

To view the HSM card’s FIPS 140-1 validation certificate, see Appendix

B, "FIPS 140-1 Validation Certificate" in the Hardware Installation

Guide

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

34 Introducing the ASA 310-FIPS

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Initial Setup

This chapter covers the basic setup and initialization process for the Nortel

VPN Gateway (NVG ). It introduces the concept of clusters, and provides

detailed instructions for reinstalling the VPN Gateway software, should it

become necessary.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

36 Initial Setup

Clusters

All VPN Gateways are members of a cluster. A cluster can consist

of one single VPN Gateway or a group of NVGs that share the same

configuration parameters. There can be more than one NVG cluster in the

network, each with its own set of parameters and services. If the VPN

Gateway is used for SSL Acceleration, each cluster can be set up to serve

different real servers.

New and Join

Each time you perform an initial setup of an VPN Gateway and select new

in the Setup menu, you create a new cluster which initially only has one

single member. You can add one or more VPN Gateways to any existing

cluster by performing an initial setup and select join in the Setup menu.

Conﬁguration is Replicated among Master NVGs

The configuration parameters are stored in a database, which is replicated

among the VPN Gateways designated as masters in a cluster. By default,

the first four VPN Gateways in a given cluster are set up as masters.

Additional NVGs are automatically set up as slaves, which means they

depend on a master NVG in the same cluster for proper configuration.

However, even if three of the masters fail, the remaining NVG(s) are still

operational and can have configuration changes made to them. Note

that one master at a minimum has to be functional to be able to make

configuration changes. If all masters have failed, the slaves will still be

capable of processing SSL traffic.

Clustering Over Multiple Subnets

The SSL VPN software supports clustering over multiple subnets. If more

than one VPN Gateway is required and the VPN Gateway you wish to

join to the cluster is installed in a different subnet, the new NVG must be

configured as a slave. Master NVGs cannot exist on different intranet

subnets.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Real Server IP Address (RIP) 37

IP Address Types

When configuring the VPN Gateway you will come across quite a number

of IP address types. Following are the most commonly used:

Host IP Address

Each VPN Gateway can be assigned one or several host (machine) IP

addresses for network connectivity. You will be asked to enter a host IP

address when performing the initial setup.

Management IP Address (MIP)

When you create a new cluster you will be prompted for a Management

IP (MIP) address, which is an IP alias to one of the VPN Gateways in

the cluster. The MIP address identifies the cluster and is used when

making configuration changes through Telnet or SSH or when configuring

the system using the Browser-Based Management Interface (BBI). The

MIP always resides on a master VPN Gateway. If the master NVG that

currently holds the MIP should fail, the MIP automatically migrates to a

functional master NVG.

Virtual IP Address (VIP)

When the VPN Gateway is used in conjunction with a Nortel Application

Switch, e.g. for SSL acceleration, the client connects to the VIP on the

Nortel Application Switch. The VIP is used by the Nortel Application Switch

to load balance particular service requests (like HTTP) to other servers.

Portal IP Address

When the VPN Gateway is used to set up a web Portal, the Portal IP

address is the address that is assigned to the VPN Gateway’s portal

server. To display the web Portal, the remote user should enter the Portal

IP address or the corresponding domain name in the available browser.

Real Server IP Address (RIP)

When the VPN Gateway is used for SSL Acceleration, the RIP is the

IP address of the real server, sometimes called the backend server. It

is the IP address that the Nortel Application Switch load balances to

when requests are made to a virtual server IP address (VIP). The VPN

Gateway’s host IP address will in fact be one of the switch’s RIPs.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

38 Initial Setup

Ports

When installing a VPN Gateway (or any of the other supported hardware

models) in a new cluster, or adding a VPN Gateway to an existing cluster,

you are asked to specify a port number by the Setup utility.

The port number you specify refers to a physical port on the Network

Interface Card (NIC) of a particular hardware model.

Depending on your model, the Setup utility will automatically detect the

number of available ports and display the valid range within square

brackets when prompting for a port number.

•

The VPN Gateway 3050 has four copper port NICs (numbered as 1-4).

The VPN Gateway 3070 comes in two versions:

— One with four copper port NICs (numbered as 1-4).

— One with two copper port NICs (number as 1-2) and two fiber-optic

ports (numbered as 3-4).

•

The ASA 410 Copper NIC has two copper port NICs (numbered as

1-2).

The ASA 410 Fiber NIC has two copper port NICs (numbered as 1-2)

and one Gigabit fiber-optic port NIC for Gigabit Ethernet (numbered

as 3).

•

The ASA 310-FIPS has two copper port NICs (numbered as 1-2).

The SSL Processor on the Nortel Application Switch 2424-SSL

has only one port that is internally connected to the Switch through

back-to-back Gigabit interfaces.

Each port should be marked with the appropriate number on the device.

If not, see the Alteon SSL Accelerator 310, 310-FIPS, 410 Hardware

Installation Guide and the VPN 3050/3070 Hardware Installation Guide

respectively.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Two-Armed Configuration 39

Interfaces

During the initial setup procedure (see “Configuration at Boot Up” (page

41)), you will be asked if you want to set up a one-armed configuration or

a two-armed configuration.

One-Armed Conﬁguration

In a one-armed configuration, only one interface is configured. It acts as

both a public interface (facing the Internet) and a private interface (facing

the intranet).

The interface (Interface 1) on the SSL VPN will handle public traffic, that

is, client traffic from and to the Internet, as well as private traffic, that is,

connecting the SSL VPN to internal resources and configuring the SSL

VPN from a management station.

Figure 1

One-Armed Configuration without Application Switch

Two-Armed Conﬁguration

In a two-armed configuration, two separate interfaces are configured on

the VPN Gateway.

Interface 1 will handle private traffic (between the SSL VPN and the

trusted intranet), that is, connecting the SSL VPN to internal resources and

configuring the SSL VPN from a management station.

Interface 2 will handle public traffic, that is, client traffic from and to the

Internet.

A two-armed configuration is considered more secure.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

40 Initial Setup

Figure 2

Two-Armed Configuration without Application Switch

Note: Two-armed configuration is not available for the Application

Switch 2424-SSL.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

The Setup Menu 41

Conﬁguration at Boot Up

When starting a VPN Gateway for the very first time, you need to do the

following:

•

Connect the device’s uplink port(s) to the appropriate network

device(s). During the initial setup you will be asked to configure the

desired ports for network connectivity.

— To use the VPN Gateway with a Nortel Application Switch, for

example, for SSL Acceleration, connect the uplink port to a

compatible port on a Nortel Application Switch.

•

Connect a computer to the VPN Gateway’s console port through serial

cable.

Use a terminal application (for example, TeraTerm) to configure the

VPN Gateway.

For more information, see “Connecting to the VPN Gateway” (page

136).

•

Press the power-on button on the VPN Gateway.

Wait until you get a login prompt.

Note: If you have the ASA 310-FIPS model, see the instructions from “

Installing an ASA 310-FIPS” (page 58) page 54 and onwards.

The Setup Menu

When you log in after having started the VPN Gateway the first time,

you will enter the Setup menu. After selecting new or join, you will

be prompted for the information required to make the VPN Gateway

operational.

Table 3

The Setup Menu

[Setup Menu]

join

- Join an existing iSD cluster

- Initialize iSD as a new installation

- Boot menu

new

boot

Info

- Information menu

exit

- Exit [global command, always available]

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

42 Initial Setup

Installing an NVG in a New Cluster

When you are installing a VPN Gateway as the first (or only) member

in a new cluster, you can either create a one-armed or a two-armed

configuration.

Setting Up a One-Armed Conﬁguration

In a one-armed configuration, only one interface is configured. It is used

as both the public (traffic) and the private (management) interface. See

figure on “Two-Armed Configuration” (page 39).

Step

Action

Choose new from the Setup menu.

[Setup Menu]

join

new

boot

- Join an existing iSD cluster

- Initialize iSD as a new installation

- Boot menu

info

- Information menu

exit

- Exit [global command, always

available]

>> Setup# new

Setup will guide you through the initial configuration.

Specify the port you want to use for network connectivity.

Enter port number for the management interface [1-4]: 1

This port will be assigned to Interface 1. As you are currently

configuring a one-armed setup, this interface will be used for

both private traffic (for example, SSL VPN management and

connections to intranet resources) and public traffic (for example,

client connections from the Internet).

Specify the current host IP address of the VPN Gateway.

Enter IP address for this machine (on management

interface): <IP address>

This IP address must be unique on your network and be within

the same network address range as the Management IP

address. The host IP address will be assigned to Interface 1.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Setting Up a One-Armed Configuration 43

You can later use the /cfg/sys/host 1/interface 1

command to view the resulting settings for Interface 1.

Note: If needed, you can later create a two-armed

configuration by adding a new interface to the cluster,

exclusively used for client traffic, and assign an unused port

to that interface. For information about how to add a new

interface, see the "Interface Configuration " section under

Configuration Menu>System Configuration in the Command

Reference. For information about how to assign ports to an

interface, see the "Interface Ports Configuration " section in

the same chapter.

Enter network mask and VLAN tag ID.

Enter network mask [255.255.255.0]: <Press ENTER if

correct>

Enter VLAN tag id (or zero for no VLAN) [0]: <VLAN tag

id or ENTER>

Specify the desired network mask or accept the suggested value

by pressing ENTER. If a connected router or switch attaches

VLAN tag IDs to incoming packets, specify the VLAN tag ID

used.

Press ENTER to continue with creating a one-armed

configuration.

Setup a two armed configuration (yes/no) [no]: <Press

ENTER>

Enter a default gateway address.

Enter default gateway IP address (or blank to skip):

Enter a default gateway IP address that is within the same

network address range as the host IP address configured in step

Enter a Management IP address (MIP).

Enter a unique Management IP address (MIP) that is within the

same network address range as the host IP address and the

default gateway IP address.

Enter the Management IP (MIP) address: <IP address>

Making sure the MIP does not exist...ok

Trying to contact gateway...ok

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

44 Initial Setup

Complete the new setup by following the instructions in the

section “Complete the New Setup” (page 46).

--End--

Setting Up a Two-Armed Conﬁguration

In a two-armed configuration, two separate interfaces are configured on

the VPN Gateway, one private interface for NVG management and intranet

connections and one public interface for Internet connections. Also see

figure on “Two-Armed Configuration” (page 39).

Step

Action

Choose new from the Setup menu.

[Setup Menu]

join

new

boot

- Join an existing iSD cluster

- Initialize iSD as a new installation

- Boot menu

info

- Information menu

exit

- Exit [global command, always

available]

>> Setup# new

Setup will guide you through the initial configuration

of the iSD.

Configure the management interface port number.

Enter port number for the management interface [1-4]: 1

Specify the port you want to use for NVG management and other

private traffic between the VPN Gateway and the intranet. This

port will be assigned to the private interface (Interface 1).

Specify the host IP address for the current VPN Gateway.

Enter IP address for this machine (on management

interface): <IP address>

Specify a host IP address on the management (private) interface.

This IP address must be unique on the network and be within

the same network address range as the Management IP address

(see Step 10). The management interface host IP address is

assigned to Interface 1.

Enter network mask and VLAN tag ID.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Setting Up a Two-Armed Configuration 45

Enter network mask [255.255.255.0]: <Press ENTER if

correct>

Enter VLAN tag id (or zero for no VLAN) [0]: <VLAN tag

id or ENTER>

Specify the desired network mask for the host IP address on

the management interface or accept the suggested value by

pressing ENTER. If a connected router or switch attaches VLAN

tag IDs to incoming packets, specify the VLAN tag ID used.

Enter yes and press ENTER to continue with creating a

two-armed configuration.

Setup a two armed configuration (yes/no) [no]: yes

Specify a new port number for the traffic interface.

Enter port number for the traffic interface [1-4]: 2

The traffic (public) interface port number will automatically be

assigned to Interface 2.

Specify a host IP address on the traffic (public) interface.

Enter IP address for this machine (on traffic

interface): <IP address>

This IP address will be assigned to Interface 2 on the VPN

Gateway, that is, the public interface.

Enter network mask and VLAN tag ID.

Enter network mask [255.255.255.0]:

Enter VLAN tag id (or zero for no VLAN) [0]:

Specify the desired network mask for the host IP address on

the traffic interface or accept the suggested value by pressing

ENTER. If a connected router or switch attaches VLAN tag IDs

to incoming packets, specify the VLAN tag ID used.

Enter a default gateway address on the traffic interface.

Enter default gateway IP address (on the traffic

interface): <gateway IP address>

Specify a default gateway IP address that is within the same

network address range as the host IP address on the traffic

(public) interface.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

46 Initial Setup

Enter a Management IP address (MIP) on the management

interface.

Enter the Management IP (MIP) address: <IP address>

Making sure the MIP does not exist...ok

Trying to contact gateway...ok

Finally enter a unique Management IP address (MIP) that is

within the same network address range as the host IP address

on the management (private) interface.

Complete the new setup by following the instructions in the next

section, "Complete the New Setup".

--End--

Complete the New Setup

Step

Action

Configure the time zone and NTP and DNS server settings.

If you don’t have access to the IP address of an NTP server

at this point, you can configure this item after the initial setup is

completed. See the "NTP Servers Configuration " section under

Configuration menu>System Configuration in the Command

Reference.

( new setup, continued)

Enter a timezone or ’select’ [select]: <Press ENTER to

select>

Select a continent or ocean: <Continent or ocean by

number>

Select a country: <Country by number>

Select a region: <Region by number, if applicable>

Selected timezone: <Suggested timezone, based on your

selections>

Enter the current date (YYYY-MM-DD) [2006-03-01]:

Enter the current time (HH:MM:SS) [09:26:16]: <Press

ENTER if correct>

Enter NTP server address (or blank to skip): <IP

address>

Enter DNS server address: <IP address>

Generate new SSH host keys and define a password for the

admin user.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Complete the New Setup 47

To maintain a high level of security when accessing the VPN

Gateway through an SSH connection, it is recommended that

you accept the default choice to generate new SSH host keys.

Make sure you remember the password you define for the

admin user. You will need to provide the correct admin user

password when logging in to the cluster for configuration

purposes, and also when adding another VPN Gateway to the

cluster by performing a join in the Setup menu.

( new setup, continued)

Generate new SSH host keys (yes/no) [yes]: <Press ENTER

to accept>

This may take a few seconds...ok

Enter a password for the "admin" user:

Re-enter to confirm:

If you will be using the VPN feature, run the VPN quick setup

wizard to set up a working VPN for SSL access in a few

steps.

The VPN quick setup wizard creates all the settings required to

enable a fully functional Portal for testing purposes. You can

later let your test Portal evolve to a fully operative Portal.

Run VPN quick setup wizard [yes]: <press ENTER to run

the wizard>

Creating default networks under /cfg/vpn

1/aaa/network

Creating default services under /cfg/vpn

1/aaa/service

Enter VPN Portal IP address: <IP address>

Is this VPN device used in combination with an Alteon

switch? [no]: Enter comma separated DNS search list

(eg company.com,intranet.company.com): example.com

Create HTTP to HTTPS redirect server [yes]: <press

ENTER to accept>

Create a trusted portal account [yes]: <press ENTER to

create the account>

User name: john

User password: password

Creating group ’trusted’ with secure access.

Creating user ’john’ in group ’trusted’.

Creating empty portal linkset ’base-links’ for group

trusted.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

48 Initial Setup

• VPN Portal IP address. Used by remote users to connect to

the VPN.

• DNS search list. Enables use of short names on the

Portal, for example, inside to connect the server

inside.example.com.

• HTTP to HTTPS redirection. Automatically redirects requests

made with HTTP to the proper HTTPS server configured for

the VPN, for example, http://vpn.example.com gets

redirected to https://vpn.example.com.

To view all settings created by the VPN quick setup wizard, see

“Settings Created by the VPN Quick Setup Wizard” (page 49).

To configure IPsec access in your VPN, run the IPsec quick

setup wizard.

With IPsec access enabled, remote users can access the VPN

through a secure IPsec tunnel using the Nortel IPsec VPN client

(formerly Contivity).

Setup IPsec [no]: yes

Creating default IKE profile under ipsec/ikeprof 1

Creating default user tunnel profile under

ipsec/utunprof 1

Configuring IPsec Group login under aaa/group

trusted/ipsec

Do you want to use IPsec Group login [no]: yes

Enter IPsec secret: secret

Enter Lower IP address in pool range: 10.10.10.1Pub

_newline ?> Enter Upper IP address in pool range:

10.10.20.99

Enter Network mask for the pool range: [255.255.255.0]

: 16

Creating IP pool 1

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Settings Created by the VPN Quick Setup Wizard 49

• IPsec group login and secret. Enables IPsec access for the

trusted group, if this group was created with the VPN quick

setup wizard (see Step 3).

• Lower/upper IP address in pool range. Lets you specify an

IP address range for use in the unencrypted connection

between the VPN Gateway and the destination host.

• Network mask for IP pool range. Lets you enter a custom

network mask if the default network mask does not cover the

pool range.

Note: The IPsec quick setup wizard is only displayed if the

VPN quick setup wizard has been run and if the VPN Gateway

has a default IPsec license (not available on the ASA 310

models).

When the Setup utility has finished you can continue with

the configuration.

If you wish to continue configuring the system through the

command line interface (CLI), log in as the admin user with the

password you defined in , and the Main menu is displayed. For

more information about the CLI, see Step 2.

If you rather configure the system through the Browser-Based

Management Interface (BBI), see the BBI Quick Guide for

instructions.

Initializing system......ok

Setup successful. Relogin to configure.

For instructions on how to deploy a pure VPN solution, continue

with the "VPN Introduction" chapter in the Application Guide for

VPN. For instructions on how to deploy the SSL acceleration

feature, continue with the "Basic Applications" chapter in the

Application Guide for SSL Acceleration.

To join an additional VPN Gateway to the cluster, see “Joining a

VPN Gateway to an Existing Cluster” (page 52).

--End--

Settings Created by the VPN Quick Setup Wizard

If you ran the VPN quick setup wizard during the initial setup, a large

number of settings were configured automatically.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

50 Initial Setup

Basic VPN Setup

The following settings have been created:

•

A VPN. The VPN is typically defined for access to an intranet, parts of

an intranet or to an extranet.

•

A virtual SSL server of the portal type. A portal IP address is assigned

to it, to which the remote user should connect to access the Portal. If

you chose to use the VPN feature without a Nortel Application Switch,

the portal server is set to standalone mode.

•

A test certificate has been installed and mapped to the portal server.

The authentication method is set to Local database and you have one

test user configured. The test user belongs to a group called trusted,

whose access rules allow access to all networks, services and paths.

•

One or several domain names are added to the DNS search list,

which means that the remote user can enter a short name in the

Portal’s various address fields (for example, inside instead of

inside.example.com if example.com is added to the search list).

If you chose to enable HTTP to HTTPS redirection, an additional

server of the HTTP type was created to redirect requests made

with HTTP to HTTPS, because the portal server requires an SSL

connection.

Default Network

The wizard also creates a default network definition called intranet. In

short, network definitions are used to limit a remote user’s access rights to

different networks. Once a network definition has been created it can be

referenced in an access rule. The access rule states whether access to

the referenced network should be rejected or allowed.

Network definitions can be created, viewed or edited using the /cfg/vpn

#/aaa/network command. See the "Groups, Access Rules and Profiles"

chapter in the Application Guide for VPN for a full explanation of network

definitions in conjunction with access rules.

The intranet network definition is configured as Network 1. The subnets

included in intranet are based on private IP address space reservations as

defined in the RFC 1918 document:

•

Network address: 192.168.0.0

Network address: 10.0.0.0

Network address: 172.16.0.0

Network mask: 255.255.0.0

Network mask: 255.0.0.0

Network mask: 255.240.0.0

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Settings Created by the VPN Quick Setup Wizard 51

Default Services

The following service definitions were configured automatically. Service

definitions can be referenced in access rules to allow or deny access to a

specific application or protocol. Service definitions can be viewed or edited

using the /cfg/vpn #/aaa/service command.

See the "Groups, Access Rules and Profiles" chapter in the Application

Guide for VPN for a full explanation of service definitions.

•

http. Uses TCP port 80.

https. Uses TCP port 443.

web. Uses TCP ports 20, 21, 80 and 443.

smtp. Uses TCP port 25.

pop3. Uses TCP port 110.

imap. Uses TCP port 143.

email. Uses TCP ports 25, 110 and 443.

telnet. Uses TCP port 23.

ssh. Uses TCP port 22.

ftp. Uses TCP ports 20 and 21.

smb. Uses TCP port 139.

fileshare. Uses TCP ports 20, 21 and 139.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

52 Initial Setup

Joining a VPN Gateway to an Existing Cluster

After having installed the first VPN Gateway in a cluster, additional NVGs

may be added to the same cluster by specifying the Management IP

address (MIP) that identifies the cluster. When you are installing the VPN

Gateway to join an existing cluster, less information is needed because

the new VPN Gateway will fetch most of the configuration from the other

NVG(s) in the cluster.

The following applies when joining a new VPN Gateway to an existing

cluster:

•

If the VPN Gateway you are about to join is installed on a different

subnet than existing NVGs, this new device must be configured as a

slave. Master NVGs cannot exist on different subnets.

•

If the Access list consists of entries (for example, IP addresses for

control of Telnet and SSH access), also add the cluster’s MIP, the

existing VPN Gateway’s host IP address on Interface 1, and the

host IP address you have in mind for the new NVG to the Access

list. This must be done before joining the new VPN Gateway,

otherwise the devices will not be able to communicate. Use the

/cfg/sys/accesslist command. If the Access list is empty, this

step is not required.

•

If the VPN Gateway you are about to join has a different software

version than existing NVGs, install the preferred software version on

the new VPN Gateway before joining it (see “Reinstalling the Software”

(page 70)) or upgrade the whole cluster to the same software version

as the new VPN Gateway (see “Performing Minor/Major Release

Upgrades” (page 74)). Use the /boot/software/cur command to

check the currently installed software version.

Setting up a One-Armed Conﬁguration

If the currently installed VPN Gateway(s) in the cluster are set up for a

one-armed configuration you probably want the new VPN Gateway to be

set up similarly.

When you log in after having started the VPN Gateway the first time, you

will enter the Setup menu.

Step

Action

Choose join from the Setup menu to add a VPN Gateway to

an existing cluster.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Setting up a One-Armed Configuration 53

[Setup Menu]

join

- Join an existing iSD cluster

- Initialize iSD as a new installation

- Boot menu

new

boot

info

- Information menu

exit

- Exit [global command, always

available]

>> Setup# join

Setup will guide you through the initial configuration

of the iSD.

Specify the port to be used for network connectivity.

Enter port number for the management interface [1-4]: 1

This port will automatically be assigned to Interface 1. As you

are currently configuring a one-armed configuration, this interface

will be used for both management traffic (coming from the private

intranet) and client traffic (coming from the public Internet).

If you have configured port 1 as the management interface port

for existing VPN Gateways, it is recommended (for consistency)

that you configure port 1 for the NVG you are joining as well.

Enter the VPN Gateway ’s host IP address.

Enter IP address for this machine (on management

interface): <IP address>

This IP address should be within the same network address

range as the cluster’s Management IP address.

Enter network mask and VLAN tag ID.

Enter network mask [255.255.255.0]: <Press ENTER if

correct>

Enter VLAN tag id (or zero for no VLAN) [0]: <VLAN tag

id or ENTER>

Specify the desired network mask or accept the suggested value

by pressing ENTER. If a connected router or switch attaches

VLAN tag IDs to incoming packets, specify the VLAN tag ID

used.

Press ENTER to continue with creating a one-armed

configuration.

Setup a two armed configuration (yes/no) [no]: <Press

ENTER>

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

54 Initial Setup

Enter the Management IP address (MIP) of the existing

cluster.

The system is initialized by connecting to the

management server

on an existing iSD, which must be operational and

initialized.

Enter the Management IP (MIP) address: <IP address>

Provide the Management IP address of the cluster to which

you want to join the current VPN Gateway. To check the

Management IP of an existing cluster, connect to the cluster and

use the /cfg/sys/cur command.

Complete the join setup by following the instructions in the

section “Complete the Join Setup” (page 56).

--End--

Setting up a Two-Armed Conﬁguration

If the currently installed VPN Gateway(s) in the cluster are set up for a

two-armed configuration you probably want the new VPN Gateway to be

set up like the previously installed NVG(s).

To set up a two-armed configuration, proceed as follows:

Step

Action

Choose join from the Setup menu.

[Setup Menu]

join

new

boot

- Join an existing iSD cluster

- Initialize iSD as a new installation

- Boot menu

info

- Information menu

exit

- Exit [global command, always

available]

>> Setup# join

Setup will guide you through the initial configuration

of the iSD.

Configure the management interface port number.

Enter port number for the management interface [1-4]: 1

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Setting up a Two-Armed Configuration 55

Specify the port you want to use for management traffic. This

port will be assigned to an interface for management purposes

only (Interface 1).

Specify a host IP address on the management interface for

the current VPN Gateway.

Enter IP address for this machine (on management

interface): <IP address>

This IP address must be unique on the network and be within

the same network address range as the Management IP address

(see Step 9). The management interface host IP address will be

assigned to Interface 1.

Enter network mask and VLAN tag ID.

Enter network mask [255.255.255.0]: <Press ENTER if

correct>

Enter VLAN tag id (or zero for no VLAN) [0]: <VLAN tag

id or ENTER>

Specify the desired network mask for the host IP address on

the management interface or accept the suggested value by

pressing ENTER. If a connected router or switch attaches VLAN

tag IDs to incoming packets, specify the VLAN tag ID used.

Enter yes and press ENTER to continue with creating a

two-armed configuration.

Setup a two armed configuration (yes/no) [no]: yes

Specify a new port number for the traffic interface.

Enter port number for the traffic interface [1-4]: 2

The traffic interface port number will automatically be assigned

to Interface 2.

Specify a host IP address and network mask on the traffic

interface for the current VPN Gateway.

Enter IP address for this machine (on traffic

interface): <IP address>

Enter network mask [255.255.255.0]: <press ENTER to

accepts>

In a two-armed configuration, the traffic interface host IP address

will be assigned to Interface 2.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

56 Initial Setup

If a connected router or switch attaches VLAN tag IDs to

incoming packets, specify the VLAN tag ID used.

Enter VLAN tag id (or zero for no VLAN) [0]:

Enter the Management IP address (MIP) of the existing

cluster.

The system is initialized by connecting to the

management server on an existing iSD, which must be

operational and initialized.

Enter the Management IP (MIP) address: <IP address>

Provide the Management IP address of the cluster to which

you want to join the current VPN Gateway. To check the

Management IP of an existing cluster, connect to the cluster and

use the /cfg/sys/cur command.

Enter the default gateway on the traffic interface.

Enter default gateway IP address (on the traffic

interface): <IP addr>

The default gateway IP address should be within the same

network address range as the host IP address on the traffic

interface.

Complete the join setup by following the instructions in the next

section, "Complete the Join Setup".

--End--

Complete the Join Setup

Step

Action

Provide the correct admin user password.

Type the correct password for the admin user.

( join setup, continued)

Enter the existing admin user password:

Specify the VPN Gateway type.

When adding up to three additional master NVGs to a cluster

containing a single VPN Gateway, you may configure each

additional NVG as either master or slave. For up to three

additional NVGs, the default setting is master. When adding one

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Complete the Join Setup 57

or more VPN Gateways to a cluster that already contains four

master NVGs, each additional NVG is automatically configured

as slave.

It is recommended that there are 2-4 master NVGs in each

cluster, so in most cases there is no need to change the

default setting. If needed, you can always reconfigure a VPN

Gateway by changing the Type setting after the initial setup.

For more information, see the type command in the "iSD

Host Configuration" section under Configuration Menu>System

Configuration in the Command Reference.

Enter the type of this iSD (master/slave) [master]:

......ok

Wait until the Setup utility has finished.

Setup successful.

The setup is now finished. The VPN Gateway that has been

joined to the cluster will automatically pick up all configuration

data from one of the already installed NVG(s) in the cluster. After

a short while you will get a login prompt.

If needed, you can now continue with the configuration of the

NVG cluster using the Command Line Interface (CLI) or the

Browser-Based Management Interface (BBI). Log in as the

admin user.

For more information about the CLI, see “The Command Line

Interface” (page 135).

For more information about the BBI, see the SSL VPN BBI Quick

Guide.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

58 Initial Setup

Installing an ASA 310-FIPS

The ASA 310-FIPS model is an where the ordinary SSL accelerator

card has been replaced by the HSM (Hardware Security Module) SSL

accelerator card. For more information about the ASA 310-FIPS model,

see “Introducing the ASA 310-FIPS” (page 27).

After having installed the first ASA 310-FIPS, additional ASA 310-FIPS

units can be added to the same cluster by specifying the Management

IP (MIP) address that identifies the cluster. For more information about

adding an ASA 310-FIPS to an existing cluster, see “Adding an ASA

310-FIPS to an Existing Cluster” (page 63).

Before installing or adding an ASA 310-FIPS, make sure that you

have fully understood the concept of iKeys. You might also want to

decide the labeling scheme you want to use for identifying which iKey

is used to initialize a certain HSM card, and also label two of the black

cluster-specific iKeys "CODE-SO" and "CODE-USER" respectively in

advance. For more information about the concept of iKeys and the ASA

310-FIPS model in general, see “Introducing the ASA 310-FIPS” (page

27). You should also decide a password scheme because you will define

passwords not only for the admin user, but also for the HSM-SO iKeys,

the HSM-USER iKeys, and possibly a secret passphrase (when selecting

FIPS mode).

Installing an ASA 310-FIPS in a New Cluster

When you log in as the admin user after having started the ASA 310-FIPS

the first time, the Setup menu is displayed.

Step

Action

Choose new from the Setup menu to install the ASA

310-FIPS as the first member in a new cluster.

[Setup Menu]

join

new

boot

- Join an existing iSD cluster

- Initialize iSD as a new installation

- Boot menu

info

- Information menu

exit

- Exit [global command, always

available]

>> Setup# new

Setup will guide you through the initial configuration

of the iSD.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Installing an ASA 310-FIPS in a New Cluster 59

Follow the instructions for installing a VPN Gateway in a

new cluster.

Read the sections starting with “Installing an NVG in a New

Cluster” (page 42). When the basic setup is completed, new

prompts for configuring an ASA 310-FIPS will automatically

appear.

Choose the appropriate security mode for the ASA 310-FIPS

cluster.

Decide which security mode to use for the new ASA 310-FIPS

cluster—FIPS mode or Extended Security mode. The default

Extended Security mode should be used whenever your security

policy does not explicitly require conforming to the FIPS 140-1,

Level 3 standard.

For more information about the FIPS mode and the Extended

Security mode, see “Introducing the ASA 310-FIPS” (page 27).

( new setup, continued)

Use FIPS or Extended Security Mode? (fips/extended)

[extended]: <Press ENTER to accept the default

extended mode, or change the security mode to fips>

Initialize HSM card 0 by inserting the first pair of HSM-SO

and HSM-USER iKeys, and by defining passwords.

Step 4and Step 5 are related to initializing the HSM cards that

your ASA 310-FIPS is equipped with. The Setup utility will

identify the first HSM card as card 0, and the second HSM

card as card 1. Each HSM card is initialized by inserting the

proper iKeys and defining a password for each user role. To

successfully initialize both HSM cards, you need to have the

following iKeys:

• One pair of iKeys to be used for initializing HSM card 0.

— The purple HSM Security Officer iKey, embossed with

"HSM-SO".

— The blue HSM User iKey, embossed with "HSM-USER".

Label these iKeys and HSM card 0 in a way so that the

connection between them is obvious. After HSM card 0

has been initialized, this card will only accept the HSM-SO

and HSM-USER iKeys that were used when initializing this

particular HSM card. Even if you choose to use the same

HSM-SO and HSM-USER passwords when you initialize

card 1 as the passwords you defined when initializing card

0, the HSM-SO and HSM-USER iKeys for card 1 are not

interchangeable with the HSM-SO and HSM-USER iKeys for

card 0.

• One pair of iKeys to be used for initializing HSM card 1.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

60 Initial Setup

— The purple HSM Security Officer iKey, embossed with

"HSM-SO".

— The blue HSM User iKey, embossed with "HSM-USER".

Label these iKeys and HSM card 1 in a way so that the

connection between them is obvious. If you will use more

than one ASA 310-FIPS device in the cluster, you must also

take steps to identify which pair of iKeys is used on which

HSM card on which device in the cluster.

You also need to make sure that you can easily access the

USB ports on the HSM cards, located on the rear of the ASA

310-FIPS device. When an operation requires inserting an

HSM iKey, a flashing LED will direct you to the USB port on the

correct HSM card.

( new setup, continued)

Verify that HSM-SO iKey (purple) is inserted in card 0

(with flashing LED).

Hit enter when done.

Enter a new HSM-SO password for card 0: <define an

HSM-SO password>

Re-enter to confirm:

The HSM-SO iKey has been updated.

Verify that HSM-USER iKey (blue) is inserted in card 0

(with flashing LED).

Hit enter when done.

Enter a new HSM-USER password for card 0: <define an

HSM-USER password> Re-enter to confirm:

The HSM-USER iKey has been updated.

Card 0 successfully initialized.

Note: For more information about iKeys, see “The Concept of

iKey Authentication” (page 30).

Initialize HSM card 1 by inserting the second pair of HSM-SO

and HSM-USER iKeys, and by defining passwords.

Remember to take steps to label each pair of HSM-SO and

HSM-USER iKeys and the HSM card to which each set of iKeys

is associated during the initialization.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Installing an ASA 310-FIPS in a New Cluster 61

( new setup, continued)

Verify that HSM-SO iKey (purple) is inserted in card 1

(with flashing LED).

Hit enter when done.

Enter a new HSM-SO password for card 1: <define a new

HSM-SO password, or use the same HSM-SO password as for

card 0>

Re-enter to confirm:

The HSM-SO iKey has been updated.

Verify that HSM-USER iKey (blue) is inserted in card 1

(with flashing LED).

Hit enter when done.

Enter a new HSM-USER password for card 1: <define a new

HSM-USER password, or use the same HSM-USER password as

for card 0>

Re-enter to confirm:

The HSM-USER iKey has been updated.

Card 1 successfully initialized.

Split the wrap key from HSM card 0 onto the CODE-SO and

CODE-USER iKeys.

This step is related to splitting the software wrap key used

internally in the cluster, and then loading the split wrap key onto

the two black CODE-SO and CODE-USER iKeys. These iKeys

will then be used to transfer the cluster wrap key onto another

HSM card either within the same ASA 310-FIPS device (as in

Step 7), or to HSM cards in an ASA 310-FIPS device that is

added to the current cluster.

Each ASA 310-FIPS device is shipped with four black CODE

iKeys. However, you will only need to use two of these in one

given cluster. The extra two black iKeys can be used to create a

pair of backup CODE iKeys. For more information about how to

create a pair of backup CODE iKeys, see the splitkey command

on the HSM menu (described under Maintenance Menu in the

Command Reference).

To successfully split and load the cluster wrap key onto the

correct iKeys, you need the following:

• Two black CODE iKeys, supposedly labeled "CODE-SO" and

"CODE-USER" respectively.

If the black iKeys are not already labeled CODE-SO and

CODE-USER respectively, you are recommended to do so

before inserting them. Whenever the cluster wrap key needs to

be transferred onto an initialized HSM card, you will be prompted

for the specific CODE iKey, in turns. Having each iKey properly

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

62 Initial Setup

labeled CODE-SO and CODE-USER respectively will make this

procedure easier.

( new setup, continued)

Should new or existing CODE iKeys be used? (new/existi

ng) [new]:

Verify that CODE-SO iKey (black) is inserted in card 0

(with flashing LED).

Hit enter when done.

Verify that HSM-USER iKey (blue) is inserted in card 0

(with flashing LED).

Hit enter when done.

Verify that CODE-USER iKey (black) is inserted in card 0

(with flashing LED).

Hit enter when done.

Wrap key successfully split from card 0.

Note: Unlike the HSM-SO and the HSM-USER iKeys, the

CODE-SO and CODE-USER iKeys are not specific for each

HSM card. Instead, the CODE-SO and CODE-USER iKeys

are specific for each cluster of ASA 310-FIPS units. Therefore,

if you have more than one cluster of ASA 310-FIPS units, you

need to take steps so that you can identify to which cluster a

pair of CODE-SO and CODE-USER iKeys is associated.

Transfer the cluster wrap key from the CODE-SO and

CODE-USER iKeys onto HSM card 1.

( new setup, continued)

Verify that CODE-SO iKey (black) is inserted in card 1

(with flashing LED).

Hit enter when done.

Verify that HSM-USER iKey (blue) is inserted in card 1

(with flashing LED).

Hit enter when done.

Verify that CODE-USER iKey (black) is inserted in card 1

(with flashing LED).

Hit enter when done.

Wrap key successfully combined to card 1.

If you have selected FIPS mode as the security mode, define

a passphrase.

If you selected FIPS mode prior to initializing HSM card 0 (Step

3 ), you will also be asked to define a passphrase. Make sure

you remember the passphrase as you will be prompted for the

same passphrase when adding other ASA 310-FIPS units to the

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Adding an ASA 310-FIPS to an Existing Cluster 63

same cluster. When selecting Extended Security mode, this step

will not appear.

( new setup, continued)

Enter a secret passphrase (it will be used during

addition of new iSDs to the cluster):

Re-enter to confirm:

When the Setup utility has finished, log in to the ASA

310-FIPS again and continue with the configuration.

( new setup, continued) Initializing system......ok

Setup successful. Relogin to configure.

The setup is now finished, and after a short while you will get

a login prompt. Log in as the admin user with the password

you defined during the initial setup. The Main menu is then

displayed. You can now continue with the configuration of the

ASA 310-FIPS using the command line interface (CLI). For more

information about the CLI, see “The Command Line Interface”

(page 135).

Note: After successfully having initialized the HSM cards,

you are automatically logged in to each HSM card as USER.

You can verify the current HSM card login status by using the

/info/hsm command. After a reboot has occurred (whether

intentionally invoked, or due to a power failure), you must

manually log in to the HSM cards for the ASA 310-FIPS

device to resume normal operations. For more information

about logging in to the HSM cards after a reboot, see “An ASA

310-FIPS Stops Processing Traffic” (page 153).

--End--

Adding an ASA 310-FIPS to an Existing Cluster

You add additional ASA 310-FIPS units to an existing cluster by selecting

join from the Setup menu in the ASA 310-FIPS, after it has booted.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

64 Initial Setup

The following applies when joining a new ASA 310-FIPS to an existing

cluster:

•

If the ASA 310-FIPS you are about to join is installed on a different

subnet than existing units, this new ASA must be configured as a

slave. Master ASAs cannot exist on different subnets.

•

If the Access list consists of entries (for example, IP addresses for

control of Telnet and SSH access), also add the cluster’s MIP, the

existing ASA’s host IP address on Interface 1, and the host IP address

you have in mind for the new ASA to the Access list. This must be

done before joining the new ASA, otherwise the ASAs will not be able

to communicate. Use the /cfg/sys/accesslist command. If the

Access list is empty, this step is not required.

•

If the ASA you are about to join has a different software version than

existing ASAs, install the preferred software version on the new ASA

before joining it (see “Reinstalling the Software” (page 70)) or upgrade

the whole cluster to the same software version as the new ASA (see

“Performing Minor/Major Release Upgrades” (page 74)). Use the

/boot/software/cur command to check the currently installed

software version.

When you log in as the admin user after having started the ASA 310-FIPS

the first time, the Setup menu is displayed.

Step

Action

Choose join from the Setup menu to add the ASA 310-FIPS

to an existing cluster.

[Setup Menu]

join

new

boot

- Join an existing iSD cluster

- Initialize iSD as a new installation

- Boot menu

info

- Information menu

exit

- Exit [global command, always

available]

>> Setup# join

Setup will guide you through the initial configuration

of the iSD.

Follow the instructions for joining a VPN Gateway to an

existing cluster.

Read the sections starting with “Joining a VPN Gateway to an

Existing Cluster” (page 52). When the basic setup is completed,

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Adding an ASA 310-FIPS to an Existing Cluster 65

new prompts for configuring the ASA 310-FIPS will automatically

appear (see Step 3).

Initialize HSM card 0 by inserting the first pair of HSM-SO

and HSM-USER iKeys, and by defining passwords.

Step 3 and Step 4 are related to initializing the HSM cards

that your ASA 310-FIPS is equipped with. The Setup utility will

identify the first HSM card as card 0, and the second HSM

card as card 1. Make sure you have the required iKeys before

proceeding. To successfully initialize both HSM cards, you need

to have the following iKeys:

• One pair of iKeys to be used for initializing HSM card 0.

— The purple HSM Security Officer iKey, embossed with

"HSM-SO".

— The blue HSM User iKey, embossed with "HSM-USER".

Label these iKeys and HSM card 0 in a way so that the

connection between them is obvious. After HSM card 0 has

been initialized, this card will only accept the HSM-SO and

HSM-USER iKeys used when initializing this particular HSM

card. Even if you choose to use the same HSM-SO and

HSM-USER passwords when you initialize card 1 as the

passwords you defined when initializing card 0, the HSM-SO

and HSM-USER iKeys for card 1 are not interchangeable with

the HSM-SO and HSM-USER iKeys for card 0.

• One pair of iKeys to be used for initializing HSM card 1.

— The purple HSM Security Officer iKey, embossed with

"HSM-SO".

— The blue HSM User iKey, embossed with "HSM-USER".

Label these iKeys and HSM card 1 in a way so that the

connection between them is obvious. Because you will have

more than one ASA 310-FIPS device in the cluster, you must

also take steps to identify which pair of iKeys is used on

which HSM card on which device in the cluster.

You also need to make sure that you can easily access the

USB ports on the HSM cards, located on the rear of the ASA

310-FIPS device. When an operation requires inserting an

HSM iKey, a flashing LED will direct you to the USB port on the

correct HSM card.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

66 Initial Setup

( join setup, continued)

Verify that HSM-SO iKey (purple) is inserted in card 0

(with flashing LED). <insert the HSM-SO iKey specific

for this HSM card> Hit enter when done.

Enter a new HSM-SO password for card 0: <define an

HSM-SO password> Re-enter to confirm:

The HSM-SO iKey has been updated.

Verify that HSM-USER iKey (blue) is inserted in card 0

(with flashing LED). <insert the HSM-USER iKey specific

for this HSM card>

Hit enter when done.

Enter a new HSM-USER password for card 0: <define an

HSM-USER password> Re-enter to confirm:

The HSM-USER iKey has been updated.

Card 0 successfully initialized.

Note: For more information about iKeys, see “The Concept of

iKey Authentication” (page 30).

Initialize HSM card 1 by inserting the second pair of HSM-SO

and HSM-USER iKeys, and by defining passwords.

Remember to take steps to label each pair of HSM-SO and

HSM-USER iKeys and the HSM card to which each set of

iKeys is associated during the initialization. Because each

ASA 310-FIPS device in the cluster will have two HSM cards,

you must also take steps to identify to which ASA 310-FIPS

device each pair of iKeys are associated. Your labeling must

ensure that the connection is obvious between a pair of

HSM-SO/HSM-USER iKeys, the HSM card that was initialized by

using those iKeys, and the ASA 310-FIPS device holding that

particular HSM card.

( join setup, continued)

Verify that HSM-SO iKey (purple) is inserted in card 1

(with flashing LED). <insert the HSM-SO iKey specific

for this HSM card>

Hit enter when done.

Enter a new HSM-SO password for card 1: <define a new

HSM-SO password, or use the same HSM-SO password as for

card 0>

Re-enter to confirm:

The HSM-SO iKey has been updated.

Verify that HSM-USER iKey (blue) is inserted in card 1

(with flashing LED). <insert the HSM-USER iKey specific

for this HSM card>

Hit enter when done.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Adding an ASA 310-FIPS to an Existing Cluster 67

Enter a new HSM-USER password for card 1: <define a new

HSM-USER password, or use the same HSM-USER password as

for card 0>

Re-enter to confirm:

The HSM-USER iKey has been updated.

Card 1 successfully initialized.

Transfer the cluster wrap key from the CODE-SO and

CODE-USER iKeys onto HSM card 0.

Step 5 and Step 6 are related to transferring the cluster wrap key

onto the two HSM cards in the ASA 310-FIPS you are adding

to the cluster. The wrap key is transferred onto each HSM card

in two steps, where each half of the cluster wrap key stored on

the two black CODE-SO and CODE-USER iKeys is loaded and

combined on the HSM card in the new ASA 310-FIPS cluster

member.

To successfully load and combine the cluster wrap key onto the

HSM cards, you need the following:

• The two black HSM Code iKeys, labeled "CODE-SO" and

"CODE-USER" respectively, that you used when installing the

first ASA 310-FIPS in the cluster.

If you have more than one cluster of ASA 310-FIPS units, make

sure that you can identify to which cluster the pair of CODE

iKeys are associated. The cluster wrap key that is split and

stored on the two CODE iKeys is specific for each cluster of ASA

310-FIPS units.

( join setup, continued)

Verify that CODE-SO iKey (black) is inserted in card 0

(with flashing LED). <insert the same CODE-SO iKey that

you used when installing the first ASA 310-FIPS in the

cluster>

Hit enter when done.

Verify that HSM-USER iKey (blue) is inserted in card 0

(with flashing LED).

Hit enter when done.

Verify that CODE-USER iKey (black) is inserted in card

0 (with flashing LED). <insert the same CODE-USER

iKey that you used when installing the very first ASA

310-FIPS in the cluster>

Hit enter when done.

Wrap key successfully combined to card 0.

Transfer the cluster wrap key from the CODE-SO and

CODE-USER iKeys onto HSM card 1.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

68 Initial Setup

( join setup, continued)

Verify that CODE-SO iKey (black) is inserted in card 1

(with flashing LED). <insert the same CODE-SO iKey that

you used in Step 5 >

Hit enter when done.

Verify that HSM-USER iKey (blue) is inserted in card 1

(with flashing LED).

Hit enter when done.

Verify that CODE-USER iKey (black) is inserted in card

1 (with flashing LED). <insert the same CODE-USER iKey

that you used in Step 5 >

Hit enter when done.

Wrap key successfully combined to card 1.

If you selected FIPS mode when installing the first ASA

310-FIPS in the cluster, provide the correct passphrase.

If you selected FIPS mode when installing the first ASA

310-FIPS in the cluster, you will also be asked to provide the

passphrase you defined at that time. If you selected Extended

Security mode, this step will not appear.

( join setup, continued)

Enter the secret passphrase (as given during

initialization of the first iSD in the cluster):

Wait until the Setup utility has finished.

( join setup, continued)

Setup successful.

The setup utility is now finished. The ASA 310-FIPS that

has now been added to the cluster will automatically pick up

all configuration data from one of the already installed ASA

310-FIPS units in the cluster. After a short while you will get a

Note: After successfully having initialized the HSM cards,

you are automatically logged in to each HSM card as USER.

You can verify the current HSM card login status by using the

/info/hsm command. After a reboot has occurred (whether

intentionally invoked, or due to a power failure), you must

manually log in to the HSM cards for the ASA 310-FIPS

device to resume normal operations. For more information

about logging in to the HSM cards after a reboot, see “An ASA

310-FIPS Stops Processing Traffic” (page 153).

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Adding an ASA 310-FIPS to an Existing Cluster 69

If needed, you can now continue with the configuration of the

ASA 310-FIPS units using the command line interface (CLI). Log

in as the admin user, and the Main menu is displayed. For more

information about the CLI, see “The Command Line Interface”

(page 135).

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

70 Initial Setup

Reinstalling the Software

When adding a new VPN Gateway to an existing cluster, and the software

version on the new VPN Gateway is different from the NVGs in the

cluster, you will need to reinstall the software on the new VPN Gateway.

Otherwise, reinstalling the software is seldom required except in case of

serious malfunction.

When you log in as the boot user and perform a reinstallation of the

software, the VPN Gateway is reset to its factory default configuration.

All configuration data and current software is wiped out, including old

software image versions or upgrade packages that may be stored in the

flash memory card or on the hard disk. Also note that a reinstall must be

performed on each VPN Gateway through a console connection.

Note: A reinstall wipes out all configuration data (including network

settings). Therefore you should first save all configuration data to a file

on a TFTP/FTP/SCP/SFTP server. Using the ptcfg command, installed

keys and certificates are included in the configuration data, and can

later be restored by using the gtcfg command. For more information

about these commands, see the "Configuration Menu " chapter in the

Command Reference. If you prefer to make backup copies of your

keys and certificates separately, you can use the display or export

command. For more information about these commands, see the

"Certificate Management Configuration " section under Configuration

Menu>SSL Configuration Menu in the Command Reference.

To reinstall a VPN Gateway you will need the following:

•

Access to the VPN Gateway through a console connection.

An install image, loaded on a FTP/SCP/SFTP server on your network.

The IP address of the FTP/SCP/SFTP server.

The name of the install image.

When performing a reinstallation of the NVG software, access to the VPN

Gateways must be accomplished through the console port.

Step

Action

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Adding an ASA 310-FIPS to an Existing Cluster 71

Password: ForgetMe

*** Reinstall Upgrade Procedure ***

If you proceed beyond this point, the active network

configuration will be reset, requiring a reboot to

restore any current settings. However, no permanent

changes will be done until the boot image has been

downloaded.

Continue (y/n)? [y]: <Press ENTER to continue>

Confirm the network port setting, and the IP network

settings.

(reinstall procedure, continued)

Select a network port (1-4, or i for info) [1]: <Press

ENTER if correct, or change to the port you are using for

network connectivity>

Enter VLAN tag id (or zero for no VLAN tag) [0]: <VLAN

tag id or ENTER>

Enter IP address for this iSD [192.168.128.185]:

<Press ENTER if the IP address displayed within square

brackets is correct.>

Enter network mask [255.255.255.0]: <Press ENTER if

correct.>

Enter gateway IP address [192.168.128.1]: <Press ENTER

if correct.>

Note: If the VPN Gateway has not been configured for

network access previously, or if you have deleted the VPN

Gateway from the cluster by using the /boot/delete

command, you must provide information about network

settings such as interface port, IP address, network mask,

and gateway IP address. No suggested values related to

a previous configuration will be presented within square

brackets.

Select a download method, specify the server IP address,

and the boot image file name.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

72 Initial Setup

(reinstall procedure, continued)

Select protocol (ftp/scp/sftp) [ftp]: ftp

Enter FTP server address: 10.0.0.1

Enter file name of boot image: SSL-7.0.x-boot.img

Enter FTP Username [anonymous]: john

Password: password

Downloading boot image...

Installing new boot image...

Done

If the FTP server does not support anonymous login, enter the

required FTP user name and password. Anonymous login is the

default option.

device has rebooted on the newly installed boot image.

(reinstall procedure, continued) Restarting...

Restarting system.

Alteon WebSystems,I nc.

Booting...

0004004C

After the new boot image has been installed, the VPN Gateway

will reboot and you can log in again when the login prompt

appears. This time, log in as the admin user to enter the Setup

menu. For more information about the Setup menu.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Upgrading the NVG Software

The Nortel VPN Gateway (NVG) software image is the executable code

running on the VPN Gateway. A version of the image ships with the VPN

Gateway, and comes pre-installed on the device. As new versions of the

image are released, you can upgrade the software running on your VPN

Gateway. Before upgrading, check the accompanying release notes for

any specific actions to take for the particular software upgrade package

or install image.

There are two types of upgrades:

•

Minor release upgrade: This is typically a bug fix release. Usually

this kind of upgrade can be done without the VPN Gateway rebooting.

Thus, the normal operation and traffic flow is maintained. All

configuration data is retained. When performing a minor upgrade, you

should connect to the Management IP address of the cluster you want

to upgrade.

•

Major release upgrade: This kind of release may contain both

bug fixes as well as feature enhancements. The VPN Gateway may

automatically reboot after a major upgrade, because the operating

system may have been enhanced with new features. All configuration

data is retained. When performing a major upgrade, you should

connect to the Management IP address of the cluster you want to

upgrade.

•

Upgrading from software version 2.0 to software version 3.0.7:

This upgrade needs to be performed in two steps, due to the new

database format and software management introduced in version

3.0.7. The procedures are described in detail in "Upgrading iSD-SSL

Software from Version 2.0.x to Version 3.x"

Upgrading the software on your VPN Gateway requires the following:

•

Loading the new software upgrade package or install image onto a

FTP/SCP/SFTP server on your network.

•

Downloading the new software from the FTP/SCP/SFTP server to your

VPN Gateway.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

74 Upgrading the NVG Software

Performing Minor/Major Release Upgrades

The following description applies to a minor or a major release upgrade.

To upgrade the VPN Gateway you will need the following:

•

Access to one of your VPN Gateways through a remote connection

(Telnet or SSH), or a console connection.

The software upgrade package, loaded on a FTP/SCP/SFTP server

on your network.

The host name or IP address of the FTP/SCP/SFTP server. If you

choose to specify the host name, note that the DNS parameters

must have been configured. For more information, see the "DNS

Servers Configuration " section under Configuration Menu>System

Configuration in the Command Reference.

•

The name of the software upgrade package (upgrade packages are

identified by the .pkg file name extension).

It is important to realize that the set of installed VPN Gateways you are

running in a cluster are cooperating to give you a single system view.

Thus, when performing a minor or a major release upgrade, you only

need to be connected to the Management IP address of the cluster.

The upgrade will automatically be executed on all the VPN Gateways in

operation at the time of the upgrade. All configuration data is retained. For

a minor upgrade, normal operations are usually unaffected, whereas a

major upgrade may cause the VPN Gateway to reboot.

Access to the Management IP address can be accomplished through

a Telnet connection or SSH (Secure Shell) connection. Note however

that Telnet and SSH connections to the VPN Gateway are disabled by

default, after the initial setup has been performed. For more information

about enabling Telnet and SSH connections, see “Connecting to the

VPN Gateway” (page 136). When you have gained access to the VPN

Gateway, use the following procedure.

Step

Action

To download the software upgrade package, enter the

following command at the Main menu prompt. Then select

whether to download the software upgrade package from a

FTP/SCP/SFTP server.

>> Main# boot/software/download

Select protocol (ftp/scp/sftp) [ftp]: ftp

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Activating the Software Upgrade Package 75

Enter the host name or IP address of the server.

Enter hostname or IP address of server: <server host

name or IP>

Enter the file name of the software upgrade package to

download.

If needed, the file name can be prefixed with a search path to the

directory on the FTP/SCP/SFTP server.

If you are using anonymous mode when downloading the

software package from an FTP server, the following string is

used as the password (for logging purposes):

admin@hostname/IP.isd.

Enter filename on server: <filename.pkg>

FTP User (anonymous): <username or press ENTER for

anonymous mode>

Password: <password or press ENTER for default

password in anonymous mode>

Received 28200364 bytes in 4.0 seconds

Unpacking...

>> Software Management#

--End--

Activating the Software Upgrade Package

The VPN Gateway can hold up to two software versions simultaneously.

To view the current software status, use the /boot/software/cur

command. When a new version of the software is downloaded to the

VPN Gateway, the software package is decompressed automatically and

marked as unpacked. After you activate the unpacked software version

(which may cause the VPN Gateway to reboot), the software version

is marked as permanent. The software version previously marked as

permanent will then be marked as old.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

76 Upgrading the NVG Software

For minor and major releases, the software upgrade will take part

synchronously among the set of VPN Gateways in a cluster. If one or

more VPN Gateways are not operational when the software is upgraded,

they will automatically pick up the new version when they are started.

Note: If more than one software upgrade has been performed to a

cluster while a VPN Gateway has been out of operation, the VPN

Gateway must be reinstalled with the software version currently in use

in that cluster. For more information about how to perform a reinstall,

see “Reinstalling the Software” (page 70).

When you have downloaded the software upgrade package, you can

inspect its status with the /boot/software/cur command.

Step

Action

At the Software Management# prompt, enter the following

command:

>> Software Management# cur

Version Name Status

------- ---- ------

7.0.1 SSL unpacked

5.1.5 SSL permanent

The downloaded software upgrade package is indicated with the

status unpacked. The software versions can be marked with

one out of four possible status values. The meaning of these

status values are:

•

unpacked means that the software upgrade package has

been downloaded and automatically decompressed.

permanent means that the software is operational and will

survive a reboot of the system.

old means the software version has been permanent but

is not currently operational. If a software version marked old

is available, it is possible to switch back to this version by

activating it again.

•

current means that a software version marked as old or

unpacked has been activated. As soon as the system has

performed the necessary health checks, the current status

changes to permanent.

To activate the unpacked software upgrade package, use the

activate command.

At the Software Management# prompt, enter:

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Activating the Software Upgrade Package 77

>> Software Management# activate 7.0.1

Confirm action ’activate’? [y/n]: y

Activate ok, relogin

here>

<you are logged out

Restarting system.

Note: Activating the unpacked software upgrade package

may cause the command line interface (CLI) software to be

upgraded as well. Therefore, you will be logged out of the

system, and will have to log in again. Wait until the login

prompt appears. This may take up to 2 minutes, depending

on your type of hardware platform and whether the system

reboots.

After having logged in again, verify the new software

version:

>> Main# boot/software/cur

Version

-------

7.0.1

Name

----

Status

------

permanent

old

SSL

5.1.5

In this example, version 7.0.1 is now operational and will survive

a reboot of the system, while the software version previously

indicated as permanent is marked as old.

Note: If you encounter serious problems while running the

new software version, you can revert to the previous software

version (now indicated as old). To do this, activate the

software version indicated as old. When you log in again

after having activated the old software version, its status is

indicated as current for a short while. After about one minute,

when the system has performed the necessary health checks,

the current status is changed to permanent.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

78 Upgrading the NVG Software

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Managing Users and Groups

This chapter describes the rules that govern administrator/operator user

rights, how to add or delete users from the system, how to set or change

group assignments, and how to change login passwords.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

80 Managing Users and Groups

User Rights and Group Membership

Group membership dictates user rights, according to User Rights and

Group Membership. When a user is a member of more than one group,

user rights accumulate. The admin user, who by default is a member of

all four groups, therefore has the same user rights as granted to members

in the certadmin and oper group, in addition to the specific user rights

granted by the admin group membership. The most permissive user rights

become the effective user rights when a user is a member of more than

one group. For more information about default user groups and related

access levels, see also “Accessing the NVG Cluster” (page 140).

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Adding a New User

To add a new user to the system, you must be a member of the admin

group. By default, only the admin user is a member of the admin group.

In this configuration example, a Certificate Administrator user is added to

the system, and then assigned to the certadmin group. The Certificate

Administrator is supposed to specialize in managing certificates and

private keys, without the possibility to change system parameters or

configure virtual SSL servers. A user who is a member of the certadmin

group can therefore access the Certificate menu (/cfg/cert), but not

the SSL Server menu (/cfg/ssl/server). Access to the System menu

(/cfg/sys) is limited, and entails access only to the User Access Control

submenu (/cfg/sys/user).

Step

Action

Password: ( admin user password)

Access the User Menu.

>> Main#

/cfg/sys/user

------------------------------------------------------------

[User Menu]

passwd

expire

list

- Change own password

- Set password expire time interval

- List all users

del

- Delete a user

add

- Add a new user

edit

- Edit a user

caphrase

- Certadmin export passphrase

Add the new user and designate a user name.

The maximum length for a user name is 255 characters. No

spaces are allowed. Each time the new user logs in to the NVG

cluster, the user must enter the name you designate as the user

name in this step.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

82 Managing Users and Groups

>> User# add

Name of user to add: cert_admin (maximum 255 characters,

no spaces)

Assign the new user to a user group.

You can only assign a user to a group in which you yourself are

a member. When this criteria is met, users can be assigned to

one or more of the following groups:

• oper

• admin

• certadmin

• tunnelguard

By default, the admin user is a member of all preceding groups,

and can therefore assign a new or existing user to any of these

groups. The group assignment of a user dictates the user rights

and access levels to the system.

>> User# edit cert_admin

>> User cert_admin# groups/add

Enter group name: certadmin

Verify and apply the group assignment.

When typing the list command, the current and pending group

assignment of the user being edited is listed by index number

and group name. Because the cert_admin user is a new user,

the current group assignment listed by Old: is empty.

>> Groups# list

Old:

Pending:

1: certadmin

>> Groups# apply

Changes applied successfully.

Define a login password for the user.

When the user logs in to the NVG cluster the first time, the user

will be prompted for the password you define in this step. When

successfully logged in, the user can change his or her own

password. The login password is case sensitive and can contain

spaces.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

>> Groups# /cfg/sys/user

>> User# edit cert_admin

>> User cert_admin# password

Enter admin’s current password: ( admin user password)

Enter new password for cert_admin: ( cert_admin user

password)

Re-enter to confirm: (reconfirm cert_admin user password)

Apply the changes.

>> User cert_admin# apply

Changes applied successfully.

Let the Certificate Administrator user define an export

passphrase.

This step is only necessary if you want to fully separate the

Certificate Administrator user role from the Administrator user

role. If the admin user is removed from the certadmin group,

a Certificate Administrator export passphrase (caphrase) must

be defined.

As long as the admin user is a member of the certadmin

group (the default configuration), the admin user is prompted

for an export passphrase each time a configuration backup

that contains private keys is sent to a TFTP/FTP/SCP/SFTP

server (command: /cfg/ptcfg). When the admin user is not

a member of the certadmin group, the export passphrase

defined by the Certificate Administrator is used instead to

encrypt private keys in the configuration backup. The encryption

of private keys using the export passphrase defined by the

Certificate Administrator is performed transparently to the user,

without prompting. When the configuration backup is restored,

the Certificate Administrator must enter the correct export

passphrase.

Note 1: If the export passphrase defined by the Certificate

Administrator is lost, configuration backups made by the

admin user while he or she was not a member of the

certadmin group cannot be restored.

Note 2: When using the /cfg/ptcfg command on an ASA

310-FIPS, private keys are always encrypted using the wrap

key that was generated when the first HSM card in the cluster

was initialized.

The export passphrase defined by the Certificate

Administrator remains the same until changed by using

the /cfg/sys/user/caphrase command. For users who are

not members of the certadmin group, the caphrase command

in the User menu is hidden. Only users who are members of

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

84 Managing Users and Groups

the certadmin group should know the export passphrase. The

export passphrase can contain spaces and is case sensitive.

>> User cert_admin# ../caphrase

Enter new passphrase:

Re-enter to confirm:

Passphrase changed.

Remove the admin user from the certadmin group.

Again, this step is only necessary if you want to fully separate

the Certificate Administrator user role from the Administrator user

role. Note however, once the admin user is removed from the

certadmin group, only a user who is already a member of the

certadmin group can grant the admin user certadmin group

membership.

When the admin user is removed from the certadmin group,

only the Certificate Administrator user can access the Certificate

menu (/cfg/cert).

>> User# edit admin

>> User admin# groups/list

1: tunnelguard

2: admin

3: oper

4: certadmin

>> Groups# del 4

Note: It is critical that a Certificate Administrator user is

created and assigned certadmin group membership before

the admin user is removed from the certadmin group.

Otherwise there is no way to assign certadmin group

membership to a new user, or to restore certadmin group

membership to the admin user, should it become necessary.

Verify and apply the changes.

>> Groups# list

Old:

1: tunnelguard

2: admin

3: oper

4: certadmin

Pending:

1: tunnelguard

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Adding Users through RADIUS 85

2: admin

3: oper

>> Groups# apply

--End--

Adding Users through RADIUS

The RADIUS system administrator can add VPN Gateway administrator

users to the RADIUS configuration without being an administrator of the

NVG, because the users do not need to be configured locally on the NVG.

By assigning suitable administrator groups to these users in RADIUS, the

users can be given the desired access rights to the CLI/BBI.

When the user logs in to the CLI/BBI and is successfully authenticated, the

RADIUS server returns the groups to which the user belongs. The groups

are compared to the fixed administrator groups on the VPN Gateway, that

is, tunnelguard, admin, oper and certadmin. If a match is found, the

logged on user is given the administration rights pertaining to matching

group(s). Otherwise, the user is denied access.

See the /cfg/sys/adm/auth/group command in the User’s Guide.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

86 Managing Users and Groups

Changing a Users Group Assignment

Only users who are members of the admin group can remove other

users from a group. All users can add an existing user to a group, but

only to a group in which the "granting" user is already a member. The

admin user, who by default is a member of all four groups (admin, oper,

tunnelguard and certadmin) can therefore add users to any of these

groups.

Step

Action

In this example the cert_admin user, who is a member of the

certadmin group, will add the admin user to the certadmin

group. The example assumes that the admin user previously

removed himself or herself from the certadmin group, to

fully separate the Administrator user role from the Certificate

Administrator user role.

Password: ( cert_admin user password)

Access the User Menu.

>> Main#

/cfg/sys/user

[User Menu]

------------------------------------------------------------

passwd

expire

list

- Change own password

- Set password expire time interval

- List all users

del

- Delete a user

add

- Add a new user

edit

- Edit a user

caphrase

- Certadmin export passphrase

Assign the admin user certadmin user rights by adding the

admin user to the certadmin group.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

>> User# edit admin

>> User admin# groups/add

Enter group name: certadmin

Note: A user must be assigned to at least one group at any

given time. If you want to replace a user’s single group

assignment, you must therefore always first add the user to the

desired new group, then remove the user from the old group.

Verify and apply the changes.

>> Groups# list

Old:

1: tunnelguard

2: admin

3: oper

Pending:

1: tunnelguard

2: admin

3: oper

4: certadmin

>> Groups# apply

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

88 Managing Users and Groups

Changing a Users Password

Changing Your Own Password

All users can change their own password. Login passwords are case

sensitive and can contain spaces.

Step

Action

current password.

Password: ( cert_admin user password)

Access the User Menu.

>> Main#

/cfg/sys/user

[User Menu]

------------------------------------------------------------

passwd

expire

list

- Change own password

- Set password expire time interval

- List all users

del

- Delete a user

add

- Add a new user

edit

- Edit a user

caphrase

- Certadmin export passphrase

Type the passwd command to change your current

password.

When your own password is changed, the change takes effect

immediately without having to use the apply command.

>> User# passwd

Enter cert_admin’s current password: (current cert_admin

user password)

Enter new password: (new cert_admin user password)

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Changing Another Users Password 89

Re-enter to confirm: (reconfirm new cert_admin user

password)

Password changed.

--End--

Changing Another Users Password

Only the admin user can change another user’s password, and also

only if the admin user is a member of the other user’s first group, i.e

the group that is listed first for the user with the /cfg/sys/user/edit

<username>/groups/list command. Login passwords are case

sensitive and can contain spaces.

Step

Action

Password: ( admin user password)

Access the User Menu.

>> Main#

/cfg/sys/user

------------------------------------------------------------

[User Menu]

passwd

expire

list

- Change own password

- Set password expire time interval

- List all users

del

- Delete a user

add

- Add a new user

edit

- Edit a user

caphrase

- Certadmin export passphrase

Specify the user name of the user whose password you

want to change.

>> User# edit

Name of user to edit: cert_admin

Type the password command to initialize the password

change.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

90 Managing Users and Groups

>> User cert_admin# password

Enter admin’s current password: ( admin user password)

Enter new password for cert_admin: (new password for user

being edited)

Re-enter to confirm: (confirm new password for user being

edited)

Apply the changes.

>> User cert_admin# apply

Changes applied successfully.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Deleting a User

To delete a user from the system, you must be a member of the admin

group. By default, only the admin user is a member of the admin group.

Note: Remember that when a user is deleted, that user’s group

assignment is also deleted. If you are deleting a user who is the sole

member of a group, none of the remaining users on the system can

then be added to that group. Existing users can only be added to a

group by a user who is already a member of that group. Before deleting

a user, you may therefore want to verify that the user is not the sole

member of a group.

Step

Action

Password: ( admin user password)

Access the User Menu.

>> Main#

/cfg/sys/user

-----------------------------------

-------------------------

[User Menu]

passwd

expire

list

- Change own password

- Set password expire time interval

- List all users

del

- Delete a user

add

- Add a new user

edit

- Edit a user menu

caphrase

- Certadmin export passphrase

Specify the user name of the user you want to remove from

the system configuration.

In this example, the cert_admin user is removed from the

system. To list all users that are currently added to the system

configuration, use the list command.

>> User# del cert_admin

Verify and apply the changes.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

92 Managing Users and Groups

The imminent removal of the cert_admin user is indicated as

a pending configuration change by the minus sign (-). To cancel

a configuration change that has not yet been applied, use the

revert command.

>> User# list

oper

root

admin

-cert_admin

>> User# apply

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Certiﬁcates and Client Authentication

This chapter describes common tasks involving certificates and

client authentication. The chapter also provides detailed step-by-step

instructions for generating certificate signing requests, adding certificates

to the Nortel VPN Gateway (NVG), generating and revoking client

certificates, as well as configuring the VPN Gateway to require client

certificates.

The VPN Gateway supports importing certificates in the PEM, NET, DER,

PKSCS7, and PKCS12 formats. The certificates must conform to the

X.509 standard. You can create a new certificate, or use an existing

certificate. The VPN Gateway supports using up to 1500 certificates. The

basic steps to create a new certificate using the command line interface of

the VPN Gateway are:

•

Generate a Certificate Signing Request (CSR) and send it to a

Certificate Authority (CA, such as Entrust or VeriSign) for certification.

•

Add the signed certificate to the VPN Gateway.

Note: Even though the VPN Gateway supports keys and certificates

created by using Apache-SSL, OpenSSL, or Stronghold SSL, the

preferred method from a security point of view is to create keys and

generate certificate signing requests from within the VPN Gateway by

using the command line interface. This way, the encrypted private key

never leaves the VPN Gateway, and is invisible to the user.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

94 Certificates and Client Authentication

Generating and Submitting a CSR Using the CLI

Step

Action

Initiate requesting a certificate signing request (CSR), and

provide the necessary information.

Note: When specifying a certificate number, make sure not

to use a number currently used by an existing certificate. To

view basic information about all configured certificates, use

the /info/certs command. The information displayed lists

all configured certificates by their main attributes, including

the certificate number (in the Certificate Menu line, such as

"Certificate Menu 1:").

Explanations for the requested units of information: Note that

you do not have to complete all fields. Only one of Common

Name and E-mail Address is strictly required.

•

Country Name: The two-letter ISO code for the

country where the Web server is located. For current

information about ISO country codes, visit for example

http://www.iana.org/.

• State or Province Name: This is the name of the state or

province where the head office of the organization is located.

Enter the full name of the state or province.

• Locality Name: The name of the city where the head office

of the organization is located.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

• Organization Name: The registered name of the

organization. This organization must own the domain name

that appears in the common name of the Web server.

Do not abbreviate the organization name and do not use any

of the following characters:

< > ~ ! @ # $ % ^ * / \ ( ) ?

• Organizational Unit Name: The name of the department or

group that uses the secure Web server.

• Common Name: The name of the Web server as it appears

in the URL. This name must be the same as the domain

name of the Web server that is requesting a certificate. If the

Web server name does not match the common name in the

certificate, some browsers will refuse a secure connection

with your site. Do not enter the protocol specifier (http://)

or any port numbers or path names in the common name.

Wildcards (such as * or ?) and IP address are not allowed.

• E-mail Address: Enter the user’s e-mail address.

• Subject Alternative Name: Comma-separated list of

URI:<uri>, DNS:<fqdn>, IP:<IP address>, email:<e-mail

address>.

Example:

URI:http://www.example.com,email:john@example

.com,IP:10.1.2.3

• Generate new key pair [y]: In most cases you will want to

generate a new key pair for a CSR. However, if a configured

certificate is approaching its expiration date and you want to

renew it without replacing the existing key, answering no (n)

is appropriate. The CSR will then be based on the existing

key (for the specified certificate number) instead.

• Key size [1024]: Specify the key length of the generated key.

The default value is 1024.

• Request a CA certificate (y/n) [n]: Lets you specify whether

to request a CA certificate to use for client authentication.

Requesting a CA certificate is appropriate if you plan to issue

your own server certificates or client certificates, generating

them from the requested CA certificate. The default value is

to not request a CA certificate.

• Specify challenge password (y/n) [n]:

Generate the CSR.

Press ENTER after you have provided the requested information.

The CSR is generated and displayed on screen:

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

96 Certificates and Client Authentication

Apply your changes.

>> Certificate 1# apply

Changes applied successfully.

Save the CSR to a file.

Copy the entire CSR, including the "-----BEGIN

CERTIFICATE REQUEST----- " and "-----END

CERTIFICATE REQUEST----- " lines, and paste it into a text

editor. Save the file with a .csr extension. The name you

define can indicate the server on which the certificate is to be

used.

Save the private key to a file.

Note: Provided you intend to use the same certificate number

when adding the certificate returned to you (after the CSR

has been processed by a certificate authority), this step is

only necessary if you want to create a backup copy of the

private key. When generating a CSR, the private key is

created and stored (encrypted) on the VPN Gateway using the

specified certificate number. When you receive the certificate

(containing the corresponding public key) and add it to the

VPN Gateway, make sure you specify the same certificate

number that is used for storing the private key. Otherwise, the

private key and the public key in the certificate will not match.

Type the display command and press ENTER. Choose to

encrypt the private key, and specify a password phrase. Make

sure to remember the password phrase.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Copy the private key, including the "-----BEGIN RSA PRIVATE

KEY----- " and "-----END RSA PRIVATE KEY----- "

lines, and paste it into a text editor. Save the file with a .key

extension. Preferably, use the same file name that you defined

for the .csr file, so the connection between the two files

becomes obvious. The name you define can indicate the server

on which the certificate and the corresponding private key is to

be used.

Note: When using an ASA 310-FIPS, the private key is

protected by the HSM card and cannot be exported.

After you have received the processed CSR from a CA, make

sure to create a backup copy of the certificate as well.

Open and copy the CSR.

In a text editor, open the .csr file you created in Step 4. It

should appear similar to the following:

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

98 Certificates and Client Authentication

Copy the entire CSR, including the "-----BEGIN

CERTIFICATE REQUEST----- " and "-----END

CERTIFICATE REQUEST----- " lines.

Submit the CSR to Verisign, Entrust, or any other CA.

The process for submitting the CSR varies with each CA. Use

your Web browser to access your CA’s Web site and follow

the online instructions. When prompted, paste the CSR into

the space provided on the CA’s online request process. If the

CA requires that you specify a server software vendor whose

software you supposedly used to generate the CSR, specify

Apache.

The CA will return the signed certificate for installation. The

certificate is then ready to be added into the VPN Gateway.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Adding Certiﬁcates to the NVG

Using the encryption capabilities of the VPN Gateway requires adding

a key and certificate that conforms to the X.509 standard to the VPN

Gateway. If you have more than one VPN Gateway in a cluster, the

key and certificate need only be added to one of the devices. As with

configuration changes, the information is automatically propagated to all

other devices in the cluster.

Note: When using an ASA 310-FIPS running in FIPS mode, the private

key associated with a certificate cannot be imported. All private keys

must be generated on the HSM card itself due to the FIPS security

requirements.

There are two ways to install a key and certificate into the VPN Gateway :

•

Copy-and-paste the key/certificate.

Download the key/certificate from a TFTP/FTP/SCP/SFTP server.

The VPN Gateway supports importing certificates and keys in these

fromats:

•

PEM

NET

DER

PKCS7 (certificate only)

PKCS8 (keys only, used in WebLogic)

PKCS12 (also known as PFX)

Besides these formats, keys in the proprietary format used in MS IIS 4

can be imported by the VPN Gateway, as wells as keys from Netscape

Enterprise Server or iPlanet Server. Importing keys from Netscape

Enterprise Server or iPlanet Server however, require that you first use a

conversion tool. For more information about the conversion tool, contact

Nortel. See “How to Get Help” (page 14) for contact information.

When it comes to exporting certificates and keys from the VPN Gateway,

you can specify to save in the PEM, NET, DER, or PKCS12 format when

using the export command. If you choose to use the display command

(which requires a copy-and-paste operation), you are restricted to saving

certificates and keys in the PEM format only.

Note: When performing a copy-and-paste operation to add a certificate

or key, you must always use the PEM format.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

100 Certificates and Client Authentication

Copy-and-Paste Certiﬁcates

The following steps demonstrate how to add a certificate using the

copy-and-paste method.

Note: If you connect to one of the VPN Gateways in the cluster by

using a console connection,note that HyperTerminal under Microsoft

Windows may be slow to complete copy-and-paste operations. If your

security policy permits enabling Telnet or SSH access to the VPN

Gateway, use a Telnet or SSH client and connect to the Management

IP address instead.

Step

Action

Type the following command from the Main menu prompt

to start adding a certificate.

>> Main# cfg/cert

Enter certificate number: (1-) <number of the

certificate you want to configure>

>> Certificate 1# cert

Paste the certificate, press Enter to create a new line,

and then type "..." (without the quotation marks) to

terminate.

In most cases you should specify the same certificate number as

the certificate number you used when generating the CSR. By

doing so, you do not have to add the private key because this

key remains connected to the certificate number that you used

when you generated the CSR.

If you have obtained a key and a certificate by other means than

generating a CSR using the request command on the VPN

Gateway, specify a certificate number not used by a configured

certificate before pasting the certificate. If the private key and

the certificate are not in the same file, use the key or import

command to add the corresponding private key.

To view basic information about configured certificates, use the

/info/certs command. The information displayed lists all

configured certificates by their main attributes.

Copy the contents of your certificate file.

Open the certificate file you have received from a CA in a text

editor and copy the entire contents. Make sure the selected

text includes the " -----BEGIN CERTIFICATE----- " and "

-----END CERTIFICATE----- " lines.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Copy-and-Paste Certificates 101

Paste the contents of the certificate file at the command

prompt.

Now, paste the certificate at the command line interface prompt,

press ENTER to create a new empty line, and then type " ... "

(without the quotation marks). Press ENTER again to complete

the installation of the certificate.

Your screen output should now resemble the following example:

Note: Depending on the type of certificate the CA generates

(registered or chain), your certificate may appear substantially

different from the one shown before. Be sure to copy and

paste the entire contents of the certificate file.

Apply your changes.

>> Certificate 1# apply

Changes applied successfully.

If you have used the request command on the VPN Gateway to

generate a CSR, and have specified the same certificate number

as the CSR when pasting the contents of the certificate file, your

certificate is now fully installed.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

102 Certificates and Client Authentication

If you have obtained a certificate by other means, however, you

must also add the corresponding private key.

--End--

Copy-and-Paste Private Key

Step

Action

Type the following command from the Main menu prompt

to start adding a private key.

Make sure you specify the same certificate number as when

pasting the certificate.

>> Main# cfg/cert

Enter certificate number: (1-) <number of the

certificate you want to configure>

>> Certificate 1# key

Paste the key, press Enter to create a new line, and then

type "..." (without the quotation marks) to terminate.

Copy the contents of your private key file.

Locate the file containing your private key. Make sure the key file

corresponds with the certificate file you have received from a CA.

The public key in the certificate works in concert with the related

private key when handling SSL transactions.

Open the key file in a text editor and copy the entire contents.

Make sure the selected text includes the " -----BEGIN

RSA PRIVATE KEY----- " and " -----END RSA PRIVATE

KEY----- " lines.

Paste the contents of the key file at the command prompt.

Now, paste the private key at the command line interface

prompt. Press ENTER to create a new row, and then type " ... "

(without the quotation marks). Press ENTER again to complete

the installation of the key.

You may be prompted for a password phrase after having

completed the paste operation. The password phrase you are

requested to type is the one you specified when creating (or

exporting) the private key.

Your screen output should now resemble the following example.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Using TFTP/FTP/SCP/SFTP to add Certificates and Keys 103

Apply your changes.

>> Certificate 1# apply

Changes applied successfully.

Your certificate and private key is now fully installed and ready to

be taken into use.

If the NVG software is used for SSL acceleration purposes, the

certificate should be mapped to the virtual SSL server, using the

/cfg/ssl/server #/ssl/cert command.

If the NVG software is used for deployment of a VPN solution,

the certificate should be mapped to the portal server of the

desired VPN, using the /cfg/vpn #/server/ssl /cert

command.

To view basic information about configured certificates, use the

/cfg/cur cert command.

--End--

Using TFTP/FTP/SCP/SFTP to add Certiﬁcates and Keys

The following is an example of how to input a certificate into the VPN

Gateway using TFTP, FTP, SCP, or SFTP.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

104 Certificates and Client Authentication

Step

Action

Put the certificate file and key file on your TFTP/FTP/SCP/

SFTP server.

Note: You may arrange to include your private key in the

certificate file. When the specified certificate file is retrieved

from the TFTP/FTP/SCP/SFTP server, the NVG software will

analyze the contents and automatically add the private key,

if present (the screen output appears "Certificate added" and

"Key added" in this case). If the private key is included, you

do not have to perform step 5.

Initiate the process of adding a certificate using

TFTP/FTP/SCP/SFTP.

Type the command /cfg/cert and press ENTER. Specify an

unused certificate index number, and then type the command

import.

Make sure to specify a certificate number not in use by an

existing certificate. To view basic information about all configured

certificates, use the /info/certs command.

>> Main# cfg/cert

Enter certificate number: (1-) <number of the

certificate you want to configure>

>> Certificate 1# import

Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp

Enter host name or IP address of server: <server host

name or IP address>

Enter the desired file name.

Enter filename on server: <filename.crt>

Retrieving VIP_1.crt from 192.168.128.58

If you are importing the file from an FTP server you are

prompted for a user name.

anonymous mode, the following string is used as the password

(for logging purposes): admin@hostname/IP.isd.

You may also be prompted for a password phrase (if specified

when creating or exporting the private key)

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Using TFTP/FTP/SCP/SFTP to add Certificates and Keys 105

FTP User (anonymous): <username or press ENTER for

anonymous mode>

Password: <password or press ENTER for default

password in anonymous mode>

received 2392 bytes

Enter pass phrase:

Provided the operation was successful and the certificate file

includes your private key, your screen output should resemble

the following example:

Key added.

Certificate added.

Use ’apply’ to activate changes.

Add your private key (if in a separate file).

This step is only required if the certificate file does not include

the private key. You may be prompted for a password phrase (if

specified when creating or exporting the private key).

>> Certificate 1# import

Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp

Enter host name or IP address of server: <server host

name or IP address>

Enter filename on server: <filename.key>

Retrieving VIP_1.key from 192.168.128.58 FTP User

(anonymous): <username or press ENTER for anonymous

mode>

Password: <password or press ENTER for default

password in anonymous mode>

received 392 bytes

Enter pass phrase:

Key added.

Use ’apply’ to activate changes.

Apply your changes.

>> Certificate 1# apply

Changes applied successfully.

If the NVG software is used for SSL acceleration purposes, the

certificate should be mapped to the virtual SSL server, using the

/cfg/ssl/server #/ssl/certcommand.

If the NVG software is used for deployment of a VPN solution,

the certificate should be mapped to the portal server of the

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

106 Certificates and Client Authentication

desired VPN, using the /cfg/vpn #/server/ssl /cert

command.

To view basic information about configured certificates, use the

/cfg/cur cert command.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Create a New Certificate 107

Update Existing Certiﬁcate

Whenever you wish to substitute an existing certificate for a new

certificate, you should keep the existing certificate until it is verified that the

new certificate works as designed.

Create a New Certiﬁcate

Step

Action

Check the certificate numbers currently in use.

>> Main# cfg/cur cert

If for example, two different certificates exist as Certificate 1 and

Certificate 2, create Certificate 3 for your new certificate.

Add a certificate with a new certificate number.

>> Configuration# cert

Enter certificate number: (1-1500) 3

Creating Certificate 3

Add the new certificate according to the instructions in

“Adding Certificates to the NVG” (page 99).

Map the new certificate to the desired servers.

The following example refers to a virtual SSL server used for

SSL acceleration. To map the certificate to a portal server in a

VPN, use the /cfg/vpn #/server/ssl/cert command.

>> Configuration# ssl/server

Enter virtual server number: (1-256) 1

>> Server 1# ssl

>> SSL Settings# cert

Current value:

Enter certificate number: (1-1500) 3

After you have tested that the new certificate works fine you may

delete the old certificate(s).

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

108 Certificates and Client Authentication

Conﬁgure a Virtual SSL Server to Require a Client

Certiﬁcate

This section describes how to configure client certificate authentication

when the VPN Gateway is used for SSL acceleration.

Note: For information about how to configure client certificate

authentication in conjunction with VPN deployment, see the

"Authentication Methods" chapter in the Application Guide for VPN.

As explained previously in this chapter, each virtual SSL server on

the VPN Gateway should be configured to use a server certificate

to authenticate itself towards the clients. Besides, the server can be

configured to require client certificates to authenticate clients before

granting access to the requested service.

When a server is set to require client certificates, a CertificateRequest

message is sent from the server to the client during the SSL handshake.

The client responds by sending its public key certificate in a Certificate

message. After that, the client will send a CertificateVerify message to the

server. The CertificateVerify message is signed by using the clients private

key, and contains important information about the SSL session known

to both the client and the server. Upon receiving the CertificateVerify

message, the virtual SSL server will use the public key from the client

certificate to authenticate the client’s identity.

The virtual SSL server will also check if the certificate the client presents

is signed by an accepted certificate authority (CA). Accepted certificate

authorities are defined by the CA certificates you have listed on the virtual

SSL server. The certificate you use for generating client certificates must

therefore also be specified as a CA certificate on the virtual SSL server.

In addition, the virtual SSL server checks if the client certificate should be

revoked, by comparing the serial number of the presented client certificate

with entries in the certificate revocation list.

The following steps demonstrate how to configure a virtual SSL server to

require client certificates for authentication purposes.

Step

Action

Display information about current virtual SSL servers.

This command displays information about all virtual SSL servers

on the VPN Gateway, including installed certificate. Based on

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Create a New Certificate 109

the information displayed, decide which virtual SSL server to

configure for client authentication.

>> Main# cfg/cur ssl

Configure the chosen virtual SSL server to require client

certificates.

The client must send its client certificate to the virtual SSL

server during the SSL handshake. If the client does not have

a certificate, the client will respond with a NoCertificateAlert

message. At that point, the session will be terminated.

>> SSL# server 1

>> Server 1# ssl

>> SSL Settings# verify

Current value: none

Certificate verification (none/optional/require):

require

Specify which CA certificates to use for client

authentication.

Specify which CA certificates you want the virtual SSL server

to use for authenticating client certificates. Only those client

certificates that are issued by a certificate authority whose

CA certificate you specify, will be accepted. Note that the CA

certificates you specify by index number must be available on

the VPN Gateway itself.

To authenticate client certificates issued within your own

organization, the CA certificate used for generating the issued

client certificates must be specified as a CA certificate.

>> SSL Settings# cacerts

Current value: ""

Enter certificate numbers (separated by comma): <CA

certificates by index number>

To view basic information about all certificates currently added to

the VPN Gateway, use the /info/certs command.

Apply your settings.

>> SSL Settings# apply

Changes applied successfully.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

110 Certificates and Client Authentication

Generating client certiﬁcates

Before issuing client certificates, you should establish the means of

validating the identities of the users. The credentials users need to present

to obtain a client certificate may vary, depending on the type of service, the

size of your organization, and so on.

Step

Action

Specify a CA certificate by index number to use for

generating a client certificate, and generate the client

certificate.

In this example certificate number 1 is specified for generating a

client certificate. The private key corresponding with the public

key in the certificate you specify is used for signing the client

certificate.

>> Main# cfg/cert

Enter certificate number: (1-) 1

>> Certificate 1# gensigned

Type of certificate (server/client) [client]: <press

ENTER for client certificate>

The combined length of the following parameters may not

exceed 225 bytes.

Country Name (2 letter code):

State or Province Name (full name):

Locality Name (e.g., city):

Organization Name (e.g., company):

Organizational Unit Name (e.g., section):

Common Name (e.g., your name or your server’s

hostname):

Email Address:

Subject alternative name (blank or comma separated list

URI:<uri>, DNS:<fqdn>, IP:<ip-address>, email:<email

-address>):

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Create a New Certificate 111

To view basic information about all available certificates, use the

/info/certs command.

Note: Only certificates having the basic constraint CA:TRUE

can be used for generating client certificates. When generating

a client certificate, the VPN Gateway automatically checks

that the current certificate has this constraint. To perform

this check yourself, use the /cfg/cert #/show command

and look for lines containing the text X509v3 Basic

Constraints:CA:TRUE|FALSE in the screen output.

When prompted, provide the following information to

include in the client certificate:

Note that you do not have to complete all fields. Only one of

Common Name and E-mail Address is strictly required.

• Country Name (2 letter code): The two-letter ISO code for

the country in which the subject resides. With subject is

meant the person for whom the client certificate is created.

For current information about ISO country codes, visit for

example http://www.iana.org/.

• State or Province Name (full name): The full name of the

state or province in which the subject resides.

• Locality Name (for example, city): The name of the city or

town where the subject resides.

• Organization Name (for example., company): The registered

name of the organization to which the subjects belongs. Do

not abbreviate the organization name and do not use the

following characters: < > ~ ! @ # $ % ^ * / \ ( ) ?

• Organizational Unit Name (for example,, section): The unit

name of the organization to which the subject belongs.

• Common Name (for example,, the subject’s name): The full

name of the subject.

• E-mail Address: The full e-mail address of the subject.

• Subject alternative name: Comma-separated list of URI:<uri>,

DNS:<fqdn>, IP:<ip address>, email:<e-mail address>.

Example:

URI:http://www.example.com,email:john@example

.com,IP:10.1.2.3

Specify the validity period, key size, and serial number.

After having provided information about the subject, you are now

ready to specify information relating to the client certificate itself.

Decide how many days the client certificate should be valid. By

default, each new client certificate is set to be valid for 365 days.

Also decide which key size should be used. The default key

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

112 Certificates and Client Authentication

size is set to 512 bits, which is appropriate in most cases. Note

that export versions of Internet Explorer 4.x (40-bit encryption)

and Internet Explorer 5 (56-bit encryption) cannot import client

certificates with a larger key size than 512.

Assign a serial number to the client certificate, or accept the

suggested number. When generating a new client certificate, the

lowest available serial number is displayed in square brackets

and will be used unless you specify a different number. As you

generate more client certificates, the proposed serial number

increments automatically.

>> Certificate 1#

Valid for days [365]:

Key size (512/1024) [512]:

Serial number of client certificate [1]:

Decide whether to save the client certificate and define a

pass phrase for the private key.

You should save the client certificate and assign a certificate

index number to it. The lowest available index number available

is displayed in square brackets and will be used unless you

specify a different number.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Create a New Certificate 113

By saving the certificate, you can later easily access the

certificate by specifying the assigned index number at the cert

prompt. After having specified the assigned index number, you

can use the display or export command to prepare for the

transfer of the client certificate to the subject. To view basic

information about all saved certificates, use the /info/certs

command.

If you choose to not save the client certificate, you will need to

save the private key and the certificate to a file by performing a

copy-and-paste operation to a text editor. The private key and

the certificate are displayed on screen as soon as you reconfirm

the chosen password phrase. The private key and the certificate

are combined and saved in the PEM format when using a

copy-and-paste operation.

The requested pass phrase is a word or code that you need to

define. The pass phrase protects the encrypted key against

illegitimate use. When the intended user installs the client

certificate into a Web browser or e-mail client, the correct pass

phrase (which you defined) is required to unlock the certificate.

Verify that the certificate you used for generating the client

certificate is specified as a CA certificate for the appropriate

virtual SSL server.

>> Main# cfg/ssl/server

Enter virtual server number: (1-) 1

>> Server 1# ssl

>> SSL Settings# cacerts

Current value:

Enter certificate numbers (separated by comma):

To successfully validate the client certificate on authentication,

you need to verify that the certificate you used for generating

the client certificate is also specified as a CA certificate for the

appropriate virtual SSL server. In the sample screen preceding

output, the certificate has already been defined as a CA

certificate. This is observable by the line

Current value: 1, where number 1 is the index number

of the certificate that was used when generating the client

certificate. If the certificate index number representing the

certificate you used when generating client certificates is not

listed by Current value:, type the certificate index number and

apply your changes.

If the correct certificate index number is already listed by

Current value:, press ENTER and answer no to the question

if you want to clear the list.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

114 Certificates and Client Authentication

Export Client Certiﬁcate

Before you transfer the private key and client certificate to the subject,

you should save the key and the certificate to a file using the export or

display command on the Certificate menu. The export command (see

following instruction) is recommended, as this provides you with the option

to select the PKCS12 file format (also known as PFX). Most Web browsers

accept importing a combined key and certificate file in the PKCS12 format.

This is how to export the client certificate to a TFTP/FTP/SCP/SFTP

server.

Step

Action

Specify the number of the certificate you wish to export.

When you generated the client certificate you had the option to

save it with a new certificate number. In the previous example

(Step 4), the client certificate was saved as certificate number

2. Enter this certificate number when prompted, then use the

export command to export the certificate as a file.

>> Main# cfg/cert

Enter certificate number: (1-) 2

>> Certificate 1# export

Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp

Enter hostname or IP address of server: ftp.example.

com

Select the desired export format, enter a pass phrase and

specify the name of the output file.

Enter export format (pem/der/net/pkcs12): pkcs12

Enter export pass phrase: <passphrase>

Reconfirm export pass phrase: <passphrase once again>

Enter name of combined key and certificate file on

remote host:

cert.pfx

FTP User (anonymous): <FTP user name>

Password: <password>

sent 2392 bytes

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Transmit Private Key and Certificate to User 115

Transmit Private Key and Certiﬁcate to User

Transmit the client certificate and the pass phrase protected private key

to the user in a secure manner. Never send the password phrase in an

e-mail message.

The user will then need to import the received client certificate into his or

her Web browser or e-mail program. For more information about importing

certificates, refer to the help system of the destination Web browser or

e-mail program.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

116 Certificates and Client Authentication

Managing Revocation of Client Certiﬁcates

Certificate revocation lists (CRLs) are maintained by certificate authorities

to recall client certificates that are no longer considered trustworthy. The

reasons for this can be that the client certificate may have been issued by

mistake, or that the subject accidentally has revealed the private key.

By keeping a certificate revocation list on your SSL server, client

certificates sent to the server are checked against the CRL. If a match is

found, the SSL session is terminated. This mode of operation requires,

first of all, that you have configured the virtual SSL server to always

require client certificates. (For more information, see “Configure a Virtual

SSL Server to Require a Client Certificate” (page 108)). You must also

regularly check with the certificate authorities you trust for their latest

CRLs.

Moreover, if you take on the role of a certificate authority by issuing your

own client certificates, you will also need to maintain your own certificate

revocation lists. This can be done by listing the serial numbers of the client

certificates you want to revoke in an ASCII file. You may also specify the

serial number of a particular client certificate directly in the command line

interface by using the add command in the Revocation menu.

Revoking Client Certiﬁcates Issued by an External CA

Step

Action

Specify the CA certificate, to which you want to add a CRL.

The certificate you specify must be a CA certificate from the

same certificate authority that published the CRL you are about

to add. To view basic information about available certificates,

use the /info/certs command.

>> Main# cfg/cert

Enter certificate number: (1-) 1 (example)

>> Certificate 1# revoke

Download and add a CRL from a TFTP/FTP/SCP/SFTP

server.

Specify the host name or IP address of the TFTP/FTP/SCP/S

FTP server, and provide the file name of the CRL. The CRL is

retrieved and added to Certificate 1 (used as an example).

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Revoking Client Certificates Issued within your Own Organization 117

>> Revocation# import

Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp

Enter host or IP address of server: 192.168.128.20

(example)

Enter name of file on server (PEM, DER or ASCII format):

crl.der

Retrieving crl.der from 192.168.128.20

Received 12628 bytes in 0.1 seconds

Certificate revocation list found in der format

Revocation list added.

Use ’apply’ to activate changes.

Apply your changes.

>> Revocation# apply

Changes applied successfully.

--End--

Revoking Client Certiﬁcates Issued within your Own Organization

Step

Action

Specify the CA certificate, to which you want to add a CRL.

Specify the certificate number that represents the CA certificate

of the certificate used for generating the client certificate you

want to revoke. To view basic information about available

certificates, use the /info/certs command.

>> Main# cfg/cert

Enter certificate number: (1-) 1 (example)

>> Certificate 1# revoke

Add the serial number of a specific client certificate to

revoke.

>> Revocation# add

Enter serial number to revoke:

To add serial numbers in hexadecimal form, enter addx instead

of add.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

118 Certificates and Client Authentication

Repeat this step for each serial number you want to add. To

display the serial number (along with subject information) for a

saved client certificate, use the /info/certs command.

Or, download and add your own CRL in ASCII format from a

remote machine.

>> Revocation# import

Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp

Enter host or IP address of server: 192.168.128.20

(example)

Enter name of file on server (PEM, DER or ASCII format):

crl.ascii

Retrieving crl.ascii from 192.168.128.20

Received 12628 bytes in 0.1 seconds

Certificate revocation list found in ascii format

Revocation list added.

Use ’apply’ to activate changes.

If you have added serial numbers for particular client certificates

by using the add command prior to using the import command,

you will be asked if you want to merge those serial numbers to

the CRL in ASCII format. If the CRL does not already include

those serial numbers, choose to merge them. However, make

sure that you update the original CRL with the merged serial

numbers before the next download, as you will otherwise lose

them. For more information about how to build your own CRL,

see “Creating Your Own Certificate Revocation List” (page 119).

Verify that the serial numbers of the client certificates you

want to revoke have been added.

>> Revocation# list

Revoked certificates:

Apply your changes.

>> Revocation# apply

Changes applied successfully.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Creating Your Own Certificate Revocation List 119

Creating Your Own Certiﬁcate Revocation List

You can easily build and manage certificate revocation lists for client

certificates issued within your own organization. The CRL can then be

added by using TFTP/FTP/SCP/SFTP. For more information about how to

accomplish this, see “Revoking Client Certificates Issued within your Own

Organization” (page 117).

Step

Action

Open a text editor and create a new file.

Decide if you want to add serial numbers in decimal form, or

in hexadecimal form.

If you choose to add serial numbers for client certificates to

revoke in decimal form, add a paragraph in the text document

that reads:

ASCII revocation

Or, if you choose to add serial numbers in hexadecimal form,

add a paragraph in the text document that reads:

HEX ASCII revocation

Note: You can add comments to a CRL ASCII file by

preceding your comments with the # character. Each new line

of comments must begin with the # character. Comments can

be used for providing information about the date of issue or

last update, for example. You can cancel the revocation of a

client certificate by inserting the # character at the beginning

of the line containing the desired serial number.

Add the serial numbers of the client certificates you want

to revoke.

For a CRL in decimal format, simply list the serial numbers the

ASCII revocation paragraph. For example:

# CRL for CA certificate 1

# Issued first: 2005-01-01

# Last update: 2005-02-01

ASCII revocation

500

501

590

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

120 Certificates and Client Authentication

Or, for a CRL in hexadecimal format, list the serial numbers

by their hexadecimal values below the HEX ASCII revocation

paragraph. For example:

# CRL for CA certificate 1

# Issued first: 2005-01-01

# Last update: 2005-02-01

HEX ASCII revocation

1F4

1F5

24E

Save the file, and upload it to a TFTP/FTP/SCP/SFTP server

that can be accessed from your VPN Gateway(s).

--End--

Automatic CRL Retrieval

Automatic CRL retrieval is used for configuring access to a server

containing CRLs (certificate revocation lists), and retrieving such lists at

regular intervals to automate the task of keeping the CRL up-to-date.

Note: When enabling automatic retrieval of certificate revocation lists,

any existing revocation list is overwritten.

You can use LDAP, HTTP, or TFTP to retrieve CRLs from the appropriate

server (for LDAP, the server must support LDAP v3). When using LDAP,

a bind operation to the specified LDAP server is performed each time a

CRL retrieval occurs. The bind operation uses the specified distinguished

name and password. Directly after a successful bind operation, a search

for the CRL attribute specified in the URL is performed on the LDAP

server. For more information about the implementation details behind

these operations, see RFC 2251.

Step

Action

Specify the URL from which the CRL list should be

retrieved.

This step sets the complete URL for retrieving a CRL using

LDAP, HTTP, or TFTP. If you are not using the default TCP port

of the respective protocol, the TCP port number must also be

included in the URL.

If you want to retrieve CRLs from an LDAP server, you need

to provide the distinguished name of the specific object on the

LDAP server, together with the attribute that holds the CRL (all in

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Automatic CRL Retrieval 121

accordance with RFC 2255).

Example:

ldap://10.42.128.30:389/cn=VeriSign CRL,o=Your

Organization?

CertificateDiscHyphenRevocationList;binary

Note: RFC 2255 states that entering host information is

optional. The NVG software’s implementation of the CRL

retrieval feature however requires that host information is

specified.

Using HTTP or TFTP, the URL you specify must include the

specific file name you want to access. The recognized URL

syntax is a subset of RFC 1738, and can be defined as:

<proto>://<host>[:<port>]/<path>.

Example:

http://10.42.128.30/server.crl

>> Main /cfg/cert 1/revoke/automatic

>> Automatic CRL# url

Current value: ""

Enter URL to retrieve from:

Set the distinguished name used for binding and

authenticating the initiated LDAP session on the specified

LDAP server.

Check your LDAP server documentation for details on binding,

authentication, and access control.

Example: cn=Bill Smith,o=Your Organization

By setting the /cfg/cert #/revoke/automatic/anonymous

command to true, you can enable anonymous binding for

automatic CRL retrieval through LDAP. In this case, the authDN

and passwd commands (see the following sections) can be set

to anything, including an empty string.

When using HTTP or TFTP to retrieve a CRL, you do not need

to provide a distinguished name for binding and authentication.

>> Automatic CRL# authDN

Current value: ""

Enter DN:

Set the password used for binding and authenticating the

initiated LDAP session on the specified LDAP server.

Check your LDAP server documentation for details on binding,

authentication, and access control.

When using HTTP or TFTP to retrieve a CRL, you don’t need to

provide a password for binding and authentication.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

122 Certificates and Client Authentication

>> Automatic CRL# passwd

Current value: ""

Enter password:

Set the time interval for retrieving CRLs from the resource

you have specified using the url command.

If you want to specify a time interval in minutes, hours or days,

enter an integer directly followed by the letter m, h, or d.

The default interval is 1 day (1d). The shortest time interval

allowed is 601 seconds (10 minutes and 1 second).

>> Automatic CRL# interval

Current value: 1d

Enter refresh interval:

Specify which CA certificates are valid signers of the

certificate revocation lists you retrieve.

To get an overview over all available certificates, enter the

/info/certs command.

When specifying more than one certificate, use commas to

separate the corresponding index numbers. Example: 1,2,5

To clear all specified CA certificates, press ENTER when asked

to enter certificate numbers, then answer yes to the question if

you want to clear the list.

>> Automatic CRL# cacert

Current value: ""

Enter certificate numbers (separated by comma):

Enable automatic retrieval of CRLs.

>> Automatic CRL# ena

When using the apply command the first time after having

enabled automatic retrieval of CRLs, a first retrieval is invoked

immediately. After that, retrievals will occur at the specified time

interval (where the default value is once every 24 hours).

Apply the changes.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Automatic CRL Retrieval 123

Client certiﬁcate support

Authentication with NVG server can be done through NDIC using client

certificates.

Follow these steps to authenticate using client certificates:

Step

Action

Indicate whether client certificate authentication is needed

for NDIC connection profile.

If connection is required, then NDIC hides the user name and

password fields and replaces it with a message indicating, client

certificate is required to connect.

Click Connect.

The MSCAPI window appears.

Select the certificate in the MSCAPI window.

If secondary authentication is not required, then you can

connect using NetDirect.

If secondary authentication is required, then NVG extracts

the user name. The user name will be based on ‘useroid’ in

NVG.

The NDIC login screen is displayed with disabled pre-filled user

name.

Enter the password in the NDIC login screen.

Click Connect.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

124 Certificates and Client Authentication

Signing CSRs

This feature is primarily used when you have configured the virtual SSL

server to perform end to end encryption, and you want to sign a CSR

(Certificate Signing Request) generated on a backend web server by using

a CA certificate on the VPN Gateway.

Step

Action

Specify the CA certificate that you want to use for signing

the CSR.

>> Main# cfg/cert 1

>> Certificate 1# sign

Paste the CSR.

Open the CSR file in a text editor and copy the entire contents,

including the text "-----BEGIN CERTIFICATE REQUEST-----"

and "-----END CERTIFICATE REQUEST-----". Having pasted the

CSR, press ENTER to create a new line and type three periods

(...). Finally press ENTER once again.

Apply the changes.

In the preceding example, the newly signed certificate is saved

as certificate number 3. Use the export command to export the

signed certificate to a file. The signed CSR can then be installed

on the backend web server as a server certificate.

Specify the certificate you used for signing the CSR is

specified as a CA certificate on the virtual SSL server.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Automatic CRL Retrieval 125

>> Main# cfg/ssl/server #/adv/sslconnect/verify/cacer

Current value: ""

Enter certificate numbers (separated by comma): 1

Apply the changes.

The CSR is signed using the private key associated with the

currently selected certificate.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

126 Certificates and Client Authentication

Generate Test Certiﬁcate

If needed, you can generate a self-signed certificate and private key for

testing purposes. After providing the requested information, the certificate

and key are generated immediately.

Step

Action

Specify an unused certificate number.

If a certificate and key already exist for the current certificate

index number, they are overwritten when you execute the apply

command. You should therefore always choose an unused

certificate index number before creating a test certificate.

>> Main# cfg/cert 4

Creating Certificate 4

>> Certificate 4# test

Provide the requested information.

For a more detailed explanation of the requested information,

see “Generating and Submitting a CSR Using the CLI” (page

94).

The combined length of the following parameters may

not exceed 225

bytes.

Country Name (2 letter code):

State or Province Name (full name):

Locality Name (eg, city):

Organization Name (eg, company):

Organizational Unit Name (eg, section):

Common Name (eg, your name or your server’s hostname

Email Address:

Subject alternative name (blank or comma separated l

ist of

URI:<uri>, DNS:<fqdn>, IP:<ip-address>, email:<email

-address>):

Valid for days [365]:

Key size (512/1024/2048/4096) [1024]:

Test key and certificate added.

Use ’apply’ to activate.

Apply the changes.

The test certificate is now ready to be mapped to an SSL server.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Automatic CRL Retrieval 127

If the NVG software is used for SSL acceleration purposes, the

certificate should be mapped to the virtual SSL server, using the

/cfg/ssl/server #/ssl/cert command.

If the NVG software is used for deployment of a VPN solution,

the certificate should be mapped to the portal server of the

desired VPN, using the /cfg/vpn #/server/ssl /cert

command.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

128 Certificates and Client Authentication

General Commands

This section includes examples on how to use some general Certificate

menu commands.

Show Certiﬁcate Information

The info command is used to show brief information about the selected

certificate.

>> Certificate 1# info

Serial number: 0 (0x0)

Expire: Nov 29 12:42:17 2006 GMT

Certificate subject:

C=US

ST=Texas

L=Dallas

O=Nortel

OU=Switching

CN=John/[email protected]

Show Subject Information

The subject command is used to view the subject information adhering

to the selected certificate. Parts of a client certificate’s subject information

can be used extract to user name and password. For usage examples,

see the "Client Certificate Authentication" section in the "Authentication

Methods" chapter in the CLI/BBI Application Guide for VPN.

>> Certificate 1# subject

Certificate subject:

C/countryName (2.5.4.6)

= US

ST/stateOrProvinceName (2.5.4.8)

L/localityName (2.5.4.7)

O/organizationName (2.5.4.10)

= Texas

= Dallas

= Nortel

OU/organizationalUnitName (2.5.4.11)

CN/commonName (2.5.4.3) = John

= Switching

emailAddress/emailAddress (1.2.840.113549.1.9.1) =

[email protected]

Check if Key and Certiﬁcate Match

To check if the private key matches the public key in the selected

certificate, use the following command:

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Show Key Information 129

>> Certificate 1# validate

Validate: key and certificate match.

Show Key Size

This command is used to show the size of the private key in the selected

certificate:

>> Certificate 1# keysize

Key is of size 1024.

Show Key Information

This command provides information about how the private key associated

to the currently selected certificate is protected.

For the VPN Gateways without the HSM card, private keys are protected

by the cluster.

For the ASA FIPS, private keys are protected by the HSM card. However,

when generating a client certificate, the associated private key is protected

by the cluster and not by the HSM card. This is necessary to transfer

both the certificate and the private key to the client using the export

command.

>> Certificate 1# keyinfo

The key is protected by the iSD Cluster.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

130 Certificates and Client Authentication

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

131

Virtual Desktop

Symantec On-Demand Agent (SODA) provides a Virtual Desktop

environment to secure Web-based applications and services. Therefore,

you can access confidential information in a secure environment.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

132 Virtual Desktop

Running the Virtual Desktop on Client Computers

The Virtual Desktop runs on computers meeting the following

specifications:

•

Pentium 633MHz or faster

128 MB RAM

25 MB MINIMUM available hard disk space required for Agent to

download

Note: More space may be required for your system to run smoothly

after Agent is downloaded, because user data files must be virtualized

for successful launch of certain applications.

•

Windows Server 2003, Windows 2000 Pro, Windows 2000 Server,

Windows XP, Windows NT4 (SP6).

Browser: Internet Explorer 5.0 or later, Netscape 6.0 or later, Opera

7.2 or later, FireFox 1.0 and later.

Java Runtime Environment (JRE) version 1.4.2 or later, or Microsoft

Java Virtual Machine (JVM) version 5.0 and later.

Licensing vdesktop

Your copy of Symantec On-Demand Manager is licensed with vdesktop.

Following software bundles with vdesktop are available:

•

Symantec™ On-Demand - Security Edition

Symantec™ On-Demand - Protection Solution

To activate the virtual desktop feature, you need to paste the license key

for the same.

Step

Action

Logon as admin.

Click on Config tab.

In the system tree view, select Host(s).

Click on SSL VPN Host name.

System Information screen is displayed.

Click on Licenses tab.

Paste the contents of the license.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Launch Vdesktop from Portal 133

Click Save.

--End--

Launch Vdesktop from Portal

Follow these steps to launch virtual desktop from portal:

Step

Action

Open the internet explorer.

Enter the Protocol, IP address, and Port.

For example: http://10.127.232.45:1234

Enter the user name and password.

Click on Home.

Click on the virtual desktop link.

The virtual desktop is launched.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

134 Virtual Desktop

Virtual Desktop Operations

Once the vdesktop license is installed, you can perform the following tasks:

•

Print and copy information to removable USB media.

Work only within the Virtual Desktop (Enable Automatic Switch).

Work with copies of the files rather than the ‘real’ versions (Enable File

Separation).

The vdesktop session may get terminated when the browser session is

terminated to ensure that the Virtual Desktop session does not remain

active indefinitely on halted or shared machines.

Note: If you want to enable or disable some of the options in this,

contact your system administrator.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

135

The Command Line Interface

This chapter explains how to access the Nortel VPN Gateway (NVG)

through the command line interface (CLI).

The NVG software provides means for accessing, configuring, and

viewing information and statistics about the NVG configuration. By using

the built-in, text-based command line interface and menu system, you

can access and configure the VPN Gateway or cluster either through a

local console connection (using a computer running terminal emulation

software), or through a remote session using either a Telnet client or an

SSH client.

When using a Telnet client or SSH client to connect to a cluster of VPN

Gateways, always connect to the IP address of the MIP (Management IP).

Configuration changes are automatically propagated to all members of the

cluster. However, when using the halt, reboot, or delete commands

(available in the Boot menu), you should connect to the IP address of the

particular VPN Gateway on which you want to perform these commands,

or connect to that VPN Gateway through a console connection.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

136 The Command Line Interface

Connecting to the VPN Gateway

You can access the command line interface in two ways:

•

Using a console connection through the console port

Using a Telnet connection or SSH connection over the network.

Establishing a Console Connection

A console connection is required when performing the initial setup, and

when reinstalling the NVG software as the boot user. When logging in as

root user for advanced troubleshooting purposes, a console connection

is also required.

Requirements

To establish a console connection with the VPN Gateway, you will need

the following:

•

An ASCII terminal or a computer running terminal emulation software

set to the parameters shown in the following table:

Table 4

Console Configuration Parameters

Parameter

Baud Rate

Data Bits

Parity

Value

9600

None

Stop Bits

Flow Control

None

•

A serial cable with a female DB-9 connector. (For more specific

information, see the "Connecting to the VPN Gateway " chapter in the

Hardware Installation Guide.)

Procedure

Step

Action

Connect the terminal to the Console port using the correct

serial cable.

When connecting to a VPN Gateway, use a serial cable with a

female DB-9 connector (shipped with the VPN Gateway).

Power on the terminal.

To establish the connection, press ENTER on your terminal.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Establishing a Telnet Connection 137

You will next be required to log in by entering a user name and a

password. For more information about user accounts and default

passwords, see “Accessing the NVG Cluster” (page 140).

--End--

Establishing a Telnet Connection

A Telnet connection offers the convenience of accessing the NVG cluster

from any workstation connected to the network. Telnet access provides

the same options for user access and administrator access as those

available through the console port.

To configure the NVG cluster for Telnet access, you need to have a

device with Telnet client software located on the same network as the

VPN Gateway(s). The VPN Gateway must have an IP address and a

Management IP address. If you have already performed the initial setup by

selecting new or join in the Setup menu, the assignment of IP addresses

is complete.

When making configuration changes to a cluster of NVGs through Telnet, it

is recommended that you connect to the IP address of the MIP. However,

if you want to halt or reboot a particular VPN Gateway in a cluster, or reset

all configuration to the factory default settings, you must connect to the IP

address of the particular VPN Gateway. This also applies when using an

SSH connection instead of a Telnet connection. To view the IP addresses

of all VPN Gateways in a cluster, use the /info/isdlist command.

Enabling and Restricting Telnet Access

Telnet access to the NVG cluster is disabled by default, for security

reasons. However, depending on the severity of your security policy, you

may want to enable Telnet access. You may also restrict Telnet access

to one or more specific machines.

For more information about how to enable Telnet access, see the telnet

command in the "Administrative Applications Configuration" section under

Configuration Menu>System Configuration in the Command Reference.

For more information about how to restrict Telnet access to one or

more specific machines, see the add command in the "System Access

Configuration " section in the same chapter.

Running Telnet

Once the IP parameters on the VPN Gateway are configured and Telnet

access is enabled, you can access the CLI using a Telnet connection.

To establish a Telnet connection with the VPN Gateway, run the Telnet

program on your workstation and issue the Telnet command, followed by

the VPN Gateway ’s IP address.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

138 The Command Line Interface

telnet <IP address>

You will then be prompted to enter a valid user name and password. For

more information about different user accounts and default passwords, see

“Accessing the NVG Cluster” (page 140).

Establishing a Connection Using SSH (Secure Shell)

When accessing the VPN Gateway from a workstation connected to the

network using a Telnet connection, it is important to keep in mind that

the communication channel is not secure. All data flowing back and forth

between the Telnet client and the VPN Gateway is sent unencrypted

(including the password), and there is no server host authentication.

By using an SSH client to establish a connection over the network, the

following benefits are achieved:

•

Server host authentication

Encryption of passwords for user authentication

Encryption of all traffic that is transmitted over the network when

configuring or collecting information from the VPN Gateway

Enabling and Restricting SSH Access

SSH access to the VPN Gateway is disabled by default. However,

depending on the severity of your security policy, you may want to enable

SSH access. You may also restrict SSH access to one or more specific

machines.

For more information about how to enable SSH access, see the ssh

command in the "Administrative Applications Configuration " section

under Configuration Menu>System Configuration in the Command

Reference. For more information about how to restrict SSH access to one

or more specific machines, see the add command in the "System Access

Configuration " section in the same chapter.

Running an SSH Client

Connecting to the VPN Gateway using a SSH client is similar to

connecting through Telnet. As with Telnet, the IP parameters on the

VPN Gateway need to be configured in advance and SSH access

must be enabled. After providing a valid user name and password, the

command line interface in the VPN Gateway is accessible the same

way as when using a Telnet client. However, because a secured and

encrypted communication channel is set up even before the user name

and password is transmitted, all traffic sent over the network while

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Establishing a Connection Using SSH (Secure Shell) 139

configuring or collecting information from the VPN Gateway is encrypted.

For information about different user accounts and default passwords, see

“Accessing the NVG Cluster” (page 140).

During the initial setup of the VPN Gateway(s), you are provided with

the choice to generate new SSH host keys. It is recommended that you

do so, to maintain a high level of security when connecting to the VPN

Gateway using a SSH client. If you fear that your SSH host keys have

been compromised, you can create new host keys at any time by using the

/cfg/sys/adm/sshkeys/generate command. When reconnecting to

the VPN Gateway after having generated new host keys, your SSH client

will display a warning that the host identification (or host keys) has been

changed.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

140 The Command Line Interface

Accessing the NVG Cluster

To enable better NVG management and user accountability, five

categories of users can access the NVG cluster:

•

Operator is only granted read access to the menus and information

appropriate to this user access level. The Operator cannot make any

changes to the configuration.

Administrator can make any changes to the NVG configuration. Thus,

the Administrator has read and write access to all menus, information

and configuration commands in the NVG software.

A Certificate Administrator is a member of the certadmin group, and

has sufficient user rights to manage certificates and private keys. By

default, only the Administrator user is a member of the certadmin

group. To separate the Certificate Administrator user role from the

Administrator user role, the Administrator user can add a new user

account to the system, assign the new user to the certadmin group,

and then remove himself or herself from the certadmin group. For

more information, see “Adding a New User” (page 81).

•

Boot user can only perform a reinstallation. For security reasons, it

is only possible to log in as the Boot user through the console port

using terminal emulation software. The Boot user password cannot be

changed from the default ForgetMe.

Root user is granted full access to the underlying Linux operating

system. For security reasons, it is only possible to log in as the Root

user through the console port using terminal emulation software. Root

user access should mainly be reserved for advanced troubleshooting

purposes, under guidance from Nortel customer support.

For more information, see “How to Get Help” (page 14).

Access to the NVG command line interface and settings is controlled

through the use of four predefined user accounts and passwords. Once

you are connected to the VPN Gateway through a console connection

or remote connection (Telnet or SSH), you are prompted to enter a user

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Establishing a Connection Using SSH (Secure Shell) 141

account name and the corresponding password. The default user accounts

and passwords for each access level are listed in Table 5 "User Access

Levels" (page 141).

Note: The default Administrator user password can be changed during

the initial configuration. For the Operator user, the Boot user, and the

Root user however, the default passwords are used even after the initial

configuration. It is therefore recommended that you change the default

NVG passwords soon after the initial configuration, and as regularly as

required under your network security policies. For more information

about how to change a user account password, see “Changing a Users

Password” (page 88).

Table 5

User Access Levels

User

Account Group

User

Access Level Description

Default

Passwo

oper

The Operator is allowed read access

to some of the menus and information

available in the CLI.

admin

oper

certadmin

The Administrator is allowed both read and

write access to all menus, information and

configuration commands.

The Administrator can add users to all

groups in which the Administrator himself

or herself is a member. The Administrator

can delete a user from any of the three

built-in groups.

certadmin

By default, only the Administrator is a

member of the certadmin group.

Certadmin group rights are sufficient for

administrating certificates and keys on the

VPN Gateway. A certificate administrator

user has no access to the SSL Server

menu, and only limited access to the

System menu.

ForgetM

boot

root

The boot user can only perform a

reinstallation of the software, and only

through a console connection.

ForgetM

The root user has full access to the

underlying Linux operating system, but

only through a console connection.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

142 The Command Line Interface

CLI vs. Setup

Once the Administrator user password is verified, you are given complete

access to the VPN Gateway. If the VPN Gateway is still set to its factory

default configuration, the system will run Setup (see “Installing an NVG

in a New Cluster” (page 42)), a utility designed to help you through the

first-time configuration process. If the VPN Gateway has already been

configured, the Main menu of the CLI is displayed instead.

The following figure shows the Main menu with administrator privileges.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Establishing a Connection Using SSH (Secure Shell) 143

Command Line History and Editing

For a description of global commands, shortcuts, and command line

editing functions, see the Command Reference.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

144 The Command Line Interface

Idle Timeout

The VPN Gateway will disconnect your local console connection

or remote connection (Telnet or SSH) after 10 minutes of inactivity.

This value can be changed to a maximum value of 1 hour using the

/cfg/sys/adm/clitimeout command.

If you have unapplied configuration changes when automatically

disconnected after the specified idle timeout value, the unapplied

configuration changes will be lost. Therefore, make sure to save your

configuration changes regularly by using the global apply command.

If you have unapplied configuration changes when using the global exit

command to log out from the command line interface, you will be prompted

to view the pending configuration changes by using the global diff

command. After verifying the pending configuration changes, you can

either remove the changes or apply them. For more information about

pending configuration changes, see the "Viewing, Applying and Removing

Changes " section under Configuration Menu in the Command Reference.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

145

Troubleshooting the NVG

This chapter provides troubleshooting tips for the following problems:

•

Cannot connect to the Nortel VPN Gateway (NVG) through Telnet or

SSH, on “Cannot Connect to VPN Gateway through Telnet or SSH”

(page 146).

•

Cannot add the VPN Gateway to an existing cluster, on “Cannot Add

an NVG to a Cluster” (page 148).

Cannot contact the Management IP Address (MIP) on “Cannot Contact

the MIP” (page 149).

The VPN Gateway stops responding, on “The NVG Stops Responding”

(page 151).

•

A user password is lost, on .

An ASA 310-FIPS does not process any SSL traffic, on “A User

Password is Lost” (page 152).

•

Resetting the HSM cards on the ASA 310-FIPS, on “An ASA 310-FIPS

Stops Processing Traffic” (page 153).

An NVG cluster configuration needs to be reconstructed onto new

devices, on “AnASA 310-FIPS Cluster Must be Reconstructed onto

New Devices” (page 158).

•

User fails to connect to the VPN, on “A User Fails to Connect to the

VPN” (page 163).

User unable to connect to the VPN Gateway through the Net Direct

client, on “User Unable to Connect to the VPN Gateway through the

Net Direct Client” (page 168).

•

Unable to download NetDirect from VPN server.

Cannot download the NetDirect Zipped file from client PC.

The chapter also provides a section on performing system diagnostics, on

“System Diagnostics” (page 172).

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

146 Troubleshooting the NVG

Cannot Connect to VPN Gateway through Telnet or

SSH

Verify the Current Conﬁguration

Connect through a console connection and check that Telnet or SSH

access to the VPN Gateway is enabled. By default, remote connections

to the NVG are disabled for security reasons. Type the command

/cfg/sys/adm/cur to see whether remote access through Telnet or

SSH is enabled.

>> # /cfg/sys/adm/cur Collecting data, please wait...

Administrative Applications:

CLI idle timeout = 1h

Telnet CLI access = off

SSH CLI access = off

Enable Telnet or SSH Access

If your security policy affords enabling remote connections to the VPN

Gateway, type the command /cfg/sys/adm/telnet to enable Telnet

access, or the command /cfg/sys/adm/ssh to enable SSH access.

Apply your configuration changes.

>> # /cfg/sys/adm/ssh

Current value: off

Allow SSH CLI access (on/off): on

>> Administrative Applications# apply

Changes applied successfully.

Check the Access List

If you find that Telnet or SSH access is enabled but you still can’t

connect to the VPN Gateway using a Telnet or SSH client, check whether

any hosts have been added to the Access List. Type the command

/cfg/sys/accesslist/list to view the current Access List.

>> # /cfg/sys/accesslist/list

1: 192.168.128.78, 255.255.255.0

When Telnet or SSH access is enabled, only those hosts listed in the

Access List are allowed to access the VPN Gateway over the network. If

no hosts have been added to the Access List, this means that any host

is allowed to access the VPN Gateway over the network (assuming that

Telnet or SSH access is enabled).

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Check the IP Address Configuration 147

Check the IP Address Conﬁguration

If your host is allowed to access the VPN Gateway over the network

according to the Access List, check that you have configured the correct IP

addresses on the VPN Gateway. Make sure you ping the host IP address

of the VPN Gateway, and not the Management IP (MIP) of the cluster in

which the VPN Gateway is a member. Type the command /cfg/cur sys

to view IP address information for all VPN Gateways in the cluster.

If the IP address assigned to the VPN Gateway seems to be correct, you

may have a routing problem. Try to run traceroute (a global command

available at any menu prompt) or the tcpdump command (or some other

network analysis tool) to locate the problem. For more information about

the tcpdump command, see the "Network Traffic Dump Commands

" section under Configuration Menu>SSL Configuration Menu in the

Command Reference.

If this does not help you to solve the problem, contact Nortel for technical

support. See “How to Get Help” (page 14).

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

148 Troubleshooting the NVG

Cannot Add an NVG to a Cluster

When trying to add a VPN Gateway to a cluster by selecting join in the

Setup menu, you may receive an error message stating that the system

is running an incompatible software version. The incompatible software

version referred to in the error message is the software that is running on

the NVG device you are trying to add to the cluster. This error message is

displayed whenever the NVG you are trying to add has a different software

version from the NVG(s) already in the cluster. In this situation you need

to do one of the following:

•

Adjust the software version on the NVG device you are trying to add

to the cluster, to synchronize it with the software version running on

the NVG(s) already in the cluster. You can verify software versions by

typing the command /boot/software/cur, where the active version

is indicated as permanent. Adjusting the software version on the

NVG device you want to add to the cluster implies either upgrading

to a newer software version, or reverting to an older software

version. In either case you will need to perform the steps described

in “Reinstalling the Software” (page 70). After having adjusted the

software version, log in as the Administrator user and select join from

the Setup menu.

•

Upgrade the software version running on the NVG(s) in the cluster to

the same version as running on the VPN Gateway you want to add to

the cluster. Perform the steps described in “Performing Minor/Major

Release Upgrades” (page 74). Then add the NVG device by selecting

join from the Setup menu.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Add Interface 1 IP Addresses and MIP to Access List 149

Cannot Contact the MIP

When trying to add a VPN Gateway to a cluster by selecting join in the

Setup menu, you may receive an error message stating that the system is

unable to contact the Management IP address (MIP).

This could be the case if you are trying to join a VPN Gateway to a cluster

and there are existing entries in the Access list. Typically, the Access list

contains valid IP addresses for Telnet or SSH management. If the Access

list contains entries, you have to add the Interface 1 IP addresses of both

VPN Gateways and the Management IP address (MIP) to the Access list

before joining the VPN Gateway.

If the Access list is empty, communication should be working fine.

Check the Access List

On the master VPN Gateway, check if there are entries in the Access list.

Type the command /cfg/sys/accesslist/list to view the current

Access list.

>> # /cfg/sys/accesslist/list

1: 192.168.128.78, 255.255.255.0

Add Interface 1 IP Addresses and MIP to Access List

Use the /cfg/sys/cluster/cur command to view the Host Interface 1

IP address for the existing VPN Gateway. Then add this IP address, the

intranet IP address you had in mind for the new VPN Gateway and the

Management IP address (MIP) to the Access list.

To add the IP addresses to the Access list, type the command

/cfg/sys/accesslist/add.

>> # /cfg/sys/accesslist/add

Enter network address: <IP address>

Enter netmask: <network mask>

Try adding the VPN Gateway to the cluster using the join command in

the Setup menu.

If a software version earlier than 2.0.11.16 is running in the cluster, and

software version 3.1 or later is installed on the VPN Gateway you want

to join, perform the steps described in “Reinstalling the Software” (page

70). If there is still a difference in software version after this, you need to

adjust the software version on the VPN Gateway you want to add as well.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

150 Troubleshooting the NVG

After having upgraded the software version in the cluster, log in to the VPN

Gateway you want to add as the Administrator user and select join from

the Setup menu.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Console Connection 151

The NVG Stops Responding

Telnet or SSH Connection to the Management IP Address

When you are connected to a cluster of VPN Gateways through a Telnet

or SSH connection to the Management IP address, your connection to the

cluster can be maintained as long as at least one master VPN Gateway in

the cluster is up and running. However, if the particular VPN Gateway that

currently is in control of the Management IP stops responding while you

are connected, you need to close down your Telnet or SSH connection

and reconnect to the Management IP address.

After doing so, you can view the operational status of all VPN Gateways in

the cluster by typing the command /info/isdlist. If you find that one

of the NVG ’s operational status is indicated as down, you should reboot

that machine. On the VPN Gateway, press the Power button on the back

panel to turn the machine off, wait until the fan comes to a standstill, and

then press the Power button again to turn the machine on.

the operational status again.

Console Connection

If you are connected to a particular VPN Gateway through a console

connection, and that NVG stops responding, you should first try pressing

the key combination CTRL+ ^ and press ENTER. This will take you

back to the login prompt. Log in as the Administrator user and check

the operational status of the VPN Gateway. Type the command

/info/isdlist and see if the operational status is indicated as up.

If the operational status is indicated as up, the VPN Gateway should

continue to process SSL traffic without the need of a reboot.

If the operational status of the VPN Gateway is indicated as down, try

rebooting the device by typing the command /boot/reboot. You will be

asked to confirm your action before the actual reboot is performed. Log in

as the Administrator user and check if the operational status of the VPN

Gateway is now up.

If the operational status of the VPN Gateway still is down, reboot the

machine. On the device, press the Power button on the back panel to turn

the machine off, wait until the fan comes to a standstill, and then press the

Power button again to turn the machine on. Log in as the Administrator

user when the login prompt appears.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

152 Troubleshooting the NVG

A User Password is Lost

Administrator User Password

If you have lost the Administrator user password there is only one way to

regain access to the VPN Gateway as the Administrator user: reinstalling

the software through a console connection as the Boot user.

For more information, see “Reinstalling the Software” (page 70).

Operator User Password

If you have lost the Operator user password, log in as the Administrator

user and define a new Operator user password. Only the Administrator

user can change the Operator user password.

For more information, see the edit command in the "User Access

Configuration " section under Configuration Menu>System Configuration in

the Command Reference.

Root User Password

If you have lost the Root user password, log in as the Administrator user

and define a new Root user password. Only the Administrator user can

change the Root user password. For more information, see the edit

command in the "User Access Configuration " section under Configuration

Menu>System Configuration in the Command Reference.

Boot User Password

The default Boot user password cannot be changed, and can therefore

never really be "lost". If you have forgotten the Boot user password, see

“Accessing the NVG Cluster” (page 140).

If the Boot user password could be changed and you have lost both the

Administrator password and the Boot user password, the VPN Gateway be

rendered completely inaccessible to all users except the Operator, whose

access level does not permit any changes being made to the configuration

of the NVG.

The fact that the Boot user password cannot be changed should not imply

a security issue, because the Boot user can only access the VPN Gateway

through a console connection using a serial cable, and the VPN Gateway

presumably is set up in a server room with restricted access.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Boot User Password 153

An ASA 310-FIPS Stops Processing Trafﬁc

Whenever an ASA 310-FIPS has undergone a reboot (whether

intentionally invoked by the user, or due to a power failure), the device

stops processing SSL traffic. This behavior is perfectly normal, and is due

to the high security demands placed on the ASA 310-FIPS.

To make an ASA 310-FIPS start processing SSL traffic again, log in to the

HSM cards using the HSM-USER iKey associated to each card. Logging

in to the HSM cards will clear the alarms that were set during the reboot,

and the ASA 310-FIPS will accept SSL traffic again.

Follow these steps to log in to the HSM cards:

Step

Action

reboot as the admin or oper user.

Password: <enter the admin user password>

Alteon iSD SSL

Software version 7.1

When connecting to the ASA 310-FIPS, you can use a console

connection, or a remote connection (Telnet or SSH, if enabled in

the system configuration).

Note: It is important that you log in to the particular ASA

310-FIPS on which a reboot has occurred, and not to the

Management IP address (MIP) of the cluster.

correct HSM-USER iKey and providing the associated

password.

Remember that each HSM card requires inserting the specific

HSM-USER iKey that was used when initializing that particular

HSM card. This holds true even if you use the same password

for both HSM-USER iKeys.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

154 Troubleshooting the NVG

>> Main# maint/hsm/login

Verify that HSM-USER iKey (blue) is inserted in card 0

(with flashing LED).

Hit enter when done.

Enter the current HSM-USER password for card 0: <enter

the password associated with the HSM-USER iKey for card

Successful login on card 0.

Verify that HSM-USER iKey (blue) is inserted in card 1

(with flashing LED).

Hit enter when done.

Enter the current HSM-USER password for card 1: <enter

the password associated with the HSM-USER iKey for card

Successful login on card 1.

Note: If you enter the wrong password for the HSM-USER

fifteen (15) times in a row, the HSM-USER iKey will be

rendered unusable. This is due to the strict security

specifications placed on the ASA 310-FIPS.

Verify that the alarms that caused the ASA 310-FIPS to stop

processing SSL traffic have been cleared.

>> # /info/events/alarms

** (alarm) Active Alarm List *************************

**************

The hsm_not_logged_in alarms that were triggered during the

reboot should now be cleared from the active alarm list, after the

successful login to both HSM cards. The ASA 310-FIPS is now

ready to process SSL traffic again.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Boot User Password 155

Resetting HSM Cards on the ASA 310-FIPS

When removing an ASA 310-FIPS device from a cluster, you have the

option to reset (or de-initialize) the HSM cards.

When an ASA 310-FIPS device that has been removed from a cluster is

installed in a new cluster, or added to an existing cluster, the cards will be

initialized again. This is done by performing a series of steps as part of

the setup procedure of the ASA 310-FIPS device itself. If the Setup utility

detects that the cards have not been reset, you will be prompted to reset

the HSM cards at that time. The HSM cards must be reset before they can

be initialized. You may therefore choose to reset the cards already when

removing the ASA 310-FIPS device from the cluster. Resetting the HSM

cards will clear all sensitive cryptographic information stored on the cards.

Until the cards are initialized again, they will remain in that state.

To reset the HSM cards, you need the following:

•

The two pairs of HSM-SO and HSM-USER iKeys, where each pair is

associated with a particular HSM card on the ASA 310-FIPS device

you want to delete from the cluster

•

The HSM-SO password associated with each HSM-SO iKey

want to delete

If the ASA 310-FIPS device will be used in a different department or

organization after it has been deleted from the cluster, you may want to

change the current password for the HSM-SO iKey and the HSM-USER

iKey before you reset the HSM cards. The user who performs the initial

setup of the ASA 310-FIPS device must then provide the "transient"

passwords known by both parties when initializing the HSM cards, but can

directly change to new HSM-SO and HSM-USER passwords within the

normal initialization procedure.

To change the current password for the HSM-SO iKey before resetting

the HSM cards, use the /maint/hsm/changepass command. For more

information about this command, see the "HSM Menu " section under

Maintenance Menu in the Command Reference.

Note: When moving the ASA 310-FIPS device to a different location,

make sure to maintain the connection between each pair of HSM-SO

and HSM-USER iKeys and the particular HSM card to which they

are associated. To initialize the HSM cards when installing or adding

the device in a cluster, the correct HSM-SO and HSM-USER iKeys

are required, as well as the corresponding HSM-SO and HSM-USER

passwords.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

156 Troubleshooting the NVG

Step

Action

cluster.

In this step it is important that you connect to the particular ASA

310-FIPS that you want to delete from the cluster. To do that,

you can use either a console connection, or a remote connection

(through Telnet or SSH) using the IP address assigned to

the specific ASA 310-FIPS device. Do not connect through a

remote connection using the Management IP (MIP) address of

the ASA cluster. To view the IP addresses assigned to each

ASA 310-FIPS device in the cluster, use the /info/isdlist

command.

Password: <enter the admin user password>

Alteon iSD SSL

Software version 7.1

Delete the ASA 310-FIPS (iSD) and choose to reset the HSM

cards.

>> Main# /boot/delete

Are you sure you want delete the iSD? (y/n) y

Do you want to clear the HSM card(s) as well? (y/n) [y]:

(press ENTER to accept resetting the HSM cards)

Insert the HSM-SO iKey associated with HSM card 0 in the

card with flashing LED and provide the correct password.

Remember that each HSM card requires inserting the specific

HSM-SO iKey that was used when initializing that particular HSM

card. This holds true even if you use the same password for both

HSM-SO iKeys that are used on one ASA 310-FIPS device.

(continued)

Verify that HSM-SO iKey (purple) is inserted in card 0

(with flashing LED).

Hit enter when done.

Enter the current HSM-SO password for card 0:

Insert the HSM-SO iKey associated with HSM card 1 in the

card with flashing LED and provide the correct password.

Again, make sure that you insert the correct HSM-SO iKey, as

each HSM card requires the specific iKey that was used when

the card was first initialized.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Boot User Password 157

(continued)

Verify that HSM-SO iKey (purple) is inserted in card 1

(with flashing LED).

Hit enter when done.

Enter the current HSM-SO password for card 1:

iSD 192.168.128.185 deleted. Logging out.

The ASA 310-FIPS device is now removed from the cluster and

reset to its factory default settings. Both HSM cards are also

reset, which means that all sensitive cryptographic information

stored on the cards is deleted. The next time a user turns on

the ASA 310-FIPS device, the Setup menu will be displayed

after having logged in as the admin user through a console

connection.

When selecting new or join in the Setup menu, you will be

prompted to insert the HSM-SO iKey and HSM-USER iKey

associated with each HSM card, and provide the current

password stored on the respective iKey. This is required to

initialize the HSM card anew. After you have provided the correct

password for the iKey being requested by the Setup utility, a new

passwords can be defined for that iKey.

For more information about installing and adding ASA 310-FIPS

device in a cluster, see “ Installing an ASA 310-FIPS” (page 58).

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

158 Troubleshooting the NVG

AnASA 310-FIPS Cluster Must be Reconstructed

onto New Devices

If your cluster of ASA 310-FIPS devices has been damaged beyond repair

(by fire, for example) you can reconstruct the complete cluster, including

certificates, private keys, and wrap keys. However, this requires that you

have access to the following:

•

A new set of ASA 310-FIPS devices, replacing the cluster of damaged

devices.

•

A backup configuration file, saved to an FTP/TFTP/SCP/SFTP server

as a precautionary measure by using the /cfg/ptcfg command in

the former cluster. For more information about the ptcfg command,

see the "Configuration Menu " chapter in the Command Reference.

•

The black CODE-SO and CODE-USER iKeys that were used when

the now damaged cluster of ASA 310-FIPS devices was first created.

The black CODE iKeys are needed to transfer the wrap key used

in the former cluster onto the HSM cards in the new ASA 310-FIPS

devices, as well as for decrypting private key information in the backup

configuration file.

The secret passphrase that was defined in the former cluster when first

initialized (Provided your former cluster was running in FIPS mode).

To reconstruct the cluster configuration, certificates, private keys, and wrap

keys used in the former cluster onto a new set of ASA 310-FIPS devices,

follow these steps:

Step

Action

Install the first ASA 310-FIPS in a new cluster by following the

instructions on “ Installing an ASA 310-FIPS” (page 58) up to and

including Step 5.

Note: When asked to use FIPS or Extended Security Mode,

select the same mode that was used in the former cluster.

When both HSM cards have been initialized, you will be

asked if you want to use new or existing HSM-CODE iKeys.

Type existing and press ENTER.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Boot User Password 159

(new setup, continued)

Card 1 successfully initialized.

Should new or existing CODE iKeys be used? (new/existi

ng) [new]:

existing

Transfer the cluster wrap key from the existing CODE-SO

and CODE-USER iKeys to card 0.

Make sure you use the same pair of CODE-SO and

CODE-USER iKeys that were used in the former cluster of ASA

310-FIPS devices.

(new setup, continued)

Verify that CODE-SO iKey (black) is inserted in card 0

(with flashing LED).

Hit enter when done.

Verify that HSM-USER iKey (blue) is inserted in card 0

(with flashing LED).

Hit enter when done.

Verify that CODE-USER iKey (black) is inserted in card 0

(with flashing LED).

Hit enter when done.

Wrap key successfully combined to card 0.

Transfer the cluster wrap key from the CODE-SO and

CODE-USER iKeys to card 1.

(new setup, continued)

Verify that CODE-SO iKey (black) is inserted in card 1

(with flashing LED).

Hit enter when done.

Verify that HSM-USER iKey (blue) is inserted in card 1

(with flashing LED).

Hit enter when done.

Verify that CODE-USER iKey (black) is inserted in card 1

(with flashing LED).

Hit enter when done.

Wrap key successfully split combined to card 1.

If you selected FIPS mode as the security mode, specify the

passphrase.

Enter the same secret passphrase as was defined in the former

cluster running in FIPS mode. This step only appears if you

selected FIPS mode when initializing the HSM cards.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

160 Troubleshooting the NVG

(new setup, continued)

Enter the old secret passphrase (it is used during

addition of new iSDs to the cluster):

<Enter the same secret passphrase as was used in the

former cluster.>

Re-enter to confirm:

Wait for the initial setup of the first ASA 310-FIPS in the

cluster to finish.

(new setup, continued) Initializing system......ok

Setup successful. Relogin to configure.

Add an additional ASA 310-FIPS to the newly created

cluster by following the instructions on page“Adding an ASA

310-FIPS to an Existing Cluster” (page 63) up to and including

Step 4.

Transfer the cluster wrap key from the CODE-SO and

CODE-USER iKeys to card 0.

When asked to insert the CODE-SO and the CODE-USER

iKeys, make sure to use the same CODE iKeys as you did in

Step 3 and Step 4.

(join setup, continued)

Verify that CODE-SO iKey (black) is inserted in card 0

(with flashing LED).

Hit enter when done.

Verify that HSM-USER iKey (blue) is inserted in card 0

(with flashing LED).

Hit enter when done.

Verify that CODE-USER iKey (black) is inserted in card 0

(with flashing LED).

Hit enter when done.

Wrap key successfully combined to card 0.

Transfer the cluster wrap key to card 1.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Boot User Password 161

(join setup, continued)

Verify that CODE-SO iKey (black) is inserted in card 1

(with flashing LED).

Hit enter when done.

Verify that HSM-USER iKey (blue) is inserted in card 1

(with flashing LED).

Hit enter when done.

Verify that CODE-USER iKey (black) is inserted in card 1

(with flashing LED).

Hit enter when done.

Wrap key successfully split combined to card 1.

If you selected FIPS mode as the security mode, specify the

secret passphrase.

Enter the same secret passphrase as you specified in Step

5. This step only appears if you selected FIPS mode when

initializing the HSM cards.

(join setup, continued)

Enter the secret passphrase (as given during

initialization of the first iSD in the cluster): <Enter

the same secret passphrase as was used in the former

cluster.>

If you chose FIPS mode when initializing the first HSM card in

the cluster, you will be asked to enter the secret passphrase.

Enter the same secret passphrase as when initializing the first

HSM card in the cluster.

Wait for the setup of the added ASA 310-FIPS to finish.

(join setup, continued)

Setup successful.

to and restore the configuration file of the former cluster

from an FTP/TFTP/SCP/SFTP server.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

162 Troubleshooting the NVG

Password:

Alteon iSD SSL

Software version 7.1

>> Main# cfg/gtcfg

Select protocol (tftp/ftp/scp/sftp) [tftp]: ftp

Enter hostname or IP address of server: <server IP

address>

Enter name of file on server: <name of saved

configuration file>

FTP User (anonymous): <press ENTER if anonymous mode is

supported>

Password:

Received 4960 bytes in 0.1 seconds

Password for importing private keys in cfg: <password

as defined when saving the configuration file to an

FTP/TFTP/SCP/SFTP server>

Configuration loaded.

>> Configuration#

The configuration information is now automatically propagated

and applied to all ASA 310-FIPS devices in the cluster. The

information includes certificates and encrypted private keys.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

aaa 163

A User Fails to Connect to the VPN

There can be different reasons for why a user is having difficulty

authenticating to the VPN or why a client connection cannot be

established: the user name or password is wrong, the configured

authentication server cannot be reached, the group name retrieved from

the authentication server does not exist on the VPN Gateway and so on.

To trace the different steps involved in a specific process, for example,

authorization, enter the following command.

>> Main# maint/starttrace

Enter tags (list of all,aaa,dns,ike,ipsec,ippool,ssl,tg,pptp,

upref, ftp,smb,netdirect,netdirect_packet) [all]: aaa,ssl

Enter VPN (or 0 for all VPNs) [0]:

Output mode (interactive/tftp/ftp/sftp) [interactive]:

Enter the desired tag(s) separated by comma, for example, aaa,ssl

to trace the user authorization and SSL handshake processes, or press

ENTER to trace all processes. To limit tracing to a specific VPN, enter the

desired VPN ID, or press ENTER to view trace information for all domains.

Select the desired output mode.

•

interactive. The result is displayed directly in the CLI.

tftp/ftp/sftp. The result is exported as a file to the specified

TFTP/FTP/SFTP server.

When starttrace is on, different steps in the selected process (tag) is

logged. For sample outputs, see “aaa” (page 163).

To disable tracing, press ENTER to display the prompt, then enter

stoptrace.

>> Maintenance# stoptrace

aaa

The aaa tag logs authentication method, user name, timeouts, group and

profile (base or extended).

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

164 Troubleshooting the NVG

The output first shows groups received from configured authentication

databases. In the preceding example the trusted group is returned from

the local user database. If an external authentication database is used, all

groups returned from that database will be shown.

Final groups for the user are all groups where a match is found between

groups returned from configured authentication databases and groups

configured on the VPN Gateway. Matching groups are listed in the order

they are configured on the VPN Gateway. This is also the order in which

the groups will be applied. <base> implies that the group’s base profile

will be used.

TTL for user shows the idle timeout (15m (15 minutes) in the preceding

example) and the maximum session length (infinity in the example).

For detailed information about groups, profiles and so on, see the chapter

"Groups, Access Rules and Profiles" in the CLI/BBI Application Guide for

VPN.

dns

ike

The dns tag logs failed DNS lookups made during a VPN session.

The ike tag logs any output that is produced by the IKE daemon, e.g. all

messages related to actual ISAKMP negotiations between the client and

the IKE daemon.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

tg 165

ipsec

The ipsec tag logs any AAA-related output concerning the establishment

of an IPsec tunnel.

ippool

The ippool tag logs messages related to the allocation of IP addresses

from the IP pool (applies to Net Direct and IPsec).

ssl

The ssl tag logs information related to the SSL handshake procedure,

e.g. used cipher.

The tg tag logs information related to a TunnelGuard check, e.g. access

method, user name, user source IP, TunnelGuard session status and SRS

rule check result.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

166 Troubleshooting the NVG

upref

The upref tag shows information related to retrieval and storage of user

preferences, e.g. Portal bookmarks. For more information about how to

enable this feature, see the section "The Tools tab, Edit Bookmarks" in

the chapter "The Portal from an End-User Perspective" in the CLI/BBI

Application Guide for VPN.

smb

The smb tag shows information related to SMB (Windows file share)

sessions initiated through the Portal’s Files tab.

ftp

The ftp tag shows information related to FTP sessions initiated through

the Portal’s Files tab.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

netdirect_packet 167

netdirect

The netdirect tag logs information pertaining to the Net Direct client

connection, e.g. that a connection has been requested and that it has

been accepted or rejected.

netdirect_packet

The netdirect_packet tag logs information about packets being sent

and received when the user has initiated a connection to a host.

Because of the large amount of information, we recommend logging to

a TFTP/FTP/SFTP server.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

168 Troubleshooting the NVG

User Unable to Connect to the VPN Gateway

through the Net Direct Client

Start by verifying on your own PC that Net Direct works towards the same

VPN Gateway as the end-user’s device.

Then check the following in the specified order:

Step

Action

Is the user logged in to the Portal? Check in the CLI.

You can choose to limit the output of logged in users to a

particular VPN by providing the VPN number as a modifier

to the users command. To limit the output further, you can

also provide one or more initial letters of a user name, directly

followed by an asterisk (*).

>> Information# users 1 s*

If the user is not logged in, make sure the user can log into the

Portal at all. See “A User Fails to Connect to the VPN” (page

163).

Is Net Direct enabled and configured correctly?

See the "Net Direct" chapter in the Application Guide for VPN for

instructions on how to enable Net Direct and how to configure

an IP pool.

Is the Net Direct link visible to the end-user on the Portal’s

Home tab?

If not, the user may belong to a group that does not have access

to the linkset where the Net Direct link is included. See the "Net

Direct" chapter in the Application Guide for VPN for instructions

on how to configure a Net Direct link and map the linkset to the

desired group.

For Windows, is the Net Direct ActiveX control present on

the end-user’s PC?

Let the end-user check the following: In Internet Explorer, on

the Tools menu, select Internet options. On the General tab,

Under Temporary Internet Files, click Settings. Click View

objects. Verify that the Net Direct control is installed and that

the version corresponds to the VPN Gateway ’s version.

If the ActiveX control cannot be started, Net Direct tries to start

the Java applet instead.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

netdirect_packet 169

For Linux and Mac (and Windows), is the Java applet

window displayed properly?

If an X is displayed in the Java applet window, check the Java

Console Window (select Java Console on the Tools menu).

Let the end-user log into the Portal again.

Make sure that the end-user allows ActiveX controls and

scripting of ActiveX controls (Windows only).

The warning dialogue might be hidden in the IE info field in XP

SP2.

When the end user has logged in and clicked on a Net Direct

link, is the Net Direct splash screen (progress bar) shown?

Notice any error message in the splash screen (progress bar)

and act accordingly.

On Windows, is the Nortel Net Direct icon visible on the

system tray (next to the clock bottom right)?

If the end user is using Windows, make sure Windows XP or

Windows 2000 and Internet Explorer 5.0 or later is used.

On Linux and Mac, is the message "Net Direct started"

displayed in the Net Direct Java applet window?

Verify that the maximum number of users for the license

currently loaded to the VPN Gateway has not been reached.

If required, user’s can be logged out from the VPN through the

/info/kick command. To accommodate more users in the

VPN, you may have to purchase a license valid for a larger

number of users.

Ask the end-user to send (e.g. through e-mail) the Net Direct

error log file for inspection.

An error log file is written to the root of the System Drive if Net

Direct cannot be activated. On Windows, the usual location

/name is C:\Documents and Settings\<user>\Local

Settings\Temp\NetDirectError.log. On Linux and

Macintosh, the NetDirectError.log file is created under

/tmp on the client machine.

On Windows, when the end user double-clicks the Net Direct

icon in the system tray, what settings are shown?

Verify that the settings shown corresponds to the settings you

have made in the CLI/BBI. For example, the IP address used

should be from the IP pool.

On Linux and Mac, click the Advanced button in the Net

Direct Java applet window.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

170 Troubleshooting the NVG

Verify that the settings shown corresponds to the settings you

have made in the CLI/BBI. For example, the IP address used

should be from the IP pool.

On Windows, when the end user starts a new instance of

Internet Explorer from the Start menu and points to a site

you know should be tunneled – does the Net Direct icon on

the system tray blink green?

Does it ever blink green? Check (using /maint/starttrace

and the netdirect_packet tag) that traffic is flowing from

and to the client machine. If no traffic flows, verify on your own

machine that Net Direct works. For more information about the

starttrace command see the section “A User Fails to Connect

to the VPN” (page 163).

On Linux and Mac, are sent and received bytes displayed in

the Net Direct Java applet window?

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

netdirect_packet 171

Cannot download the NetDirect Zipped ﬁle from

client PC

Follow these steps to download the NetDirect_Zip file:

Step

Action

Download the NetDirect_Setup.zip file using the portal.

https://vpn-ip/nortel_cacheable/NetDirect_Setup.zip.

Customize the Netdirect_setup file and save as

SetDirect_Setup_Custom.zip

Place the NetDirect_Setup_Custom.zip file in a folder named

nortel_cacheable and zip the nortel _cacheable folder.

This is because after imported into the NVG the top directory will

be unzipped in the NVG.

Import the customized file (nortel_cacheable.zip) into the

NVG through BBI/CLI .

cfg/vpn #/portal/content/import

/config/isd/user_content/docroot1.

You can access <https://vpn-ip/nortel_cacheable/NetDirect_Set

up_Custom.zip>.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

172 Troubleshooting the NVG

System Diagnostics

A few system diagnostics can be performed on the VPN Gateway.

Installed Certiﬁcates and Virtual SSL Servers

To view the currently installed certificates, type the following command:

>> # /info/certs

To view detailed information about a specific certificate, access the

Certificate menu and specify the desired certificate by its index number:

>> # /cfg/cert

Enter certificate number: (1-) <certificate number by index>

>> Certificate 1# show

To view the configured virtual SSL servers, type the following command:

>> # /info/servers

The screen output provides information about which certificate (indicated

by certificate index number) is used by each configured SSL server.

Network Diagnostics

To check if the VPN Gateway is able to contact configured gateways,

routes, DNS servers, authentication servers, and IP addresses/domain

names specified in group links, use the following command:

>> # /maint/chkcfg

The screen output provides information about each configured item (e.g.

gateway, DNS server etc.) and shows whether the network test was

successful or not. Besides checking the connection, the method (e.g. ping)

for checking each item is displayed.

To check various network settings for a specific VPN Gateway, access the

iSD Host menu by typing the following commands:

>> # /cfg/sys/host

Enter iSD host number: (1-) <iSD host by index number>

>> iSD Host 1# cur

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Network Diagnostics 173

The screen output provides information about the type of iSD (master

or slave), IP address, network mask, and gateway address for the VPN

Gateway you have specified (by host number).

To check general network settings related to the cluster to which you have

connected, type the following command:

>> # /cfg/sys/cur

The screen output provides information about the management IP address

(MIP) of the NVG cluster, DNS servers, iSD hosts in the cluster, Syslog

servers, and NTP servers.

To check if the VPN Gateway(s) is getting network traffic, type the

following command:

>> # /stats/dump

The screen output provides information about currently active request

sessions, total completed request sessions, as well as SSL statistics for

configured virtual SSL servers.

To check statistics for the local Ethernet network interface card, type the

following command::

>> # /info/ethernet

The screen output provides information about the total number of received

and transmitted packets, the number of errors when receiving and

transmitting packets, as well as the type of error such as dropped packets,

overrun packets, malformed packets, packet collisions, and lack of carrier.

To check if a virtual server (on the Nortel Application Switch) is working,

type the following command at any menu prompt:

>> # ping <IP address of virtual server>

To capture and analyze TCP traffic sent from a virtual SSL server to the

backend server, type the following command (where you replace "#" with

the index number of the desired virtual SSL server):

>> # /cfg/ssl/server #/trace/tcpdump

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

174 Troubleshooting the NVG

To capture and analyze decrypted SSL traffic sent between a client and a

virtual SSL server, type the following command (where you replace "#"

with the index number of the desired virtual SSL server):

>> # /cfg/ssl/server #/trace/ssldump

Active Alarms and the Events Log File

To view an alarm that has been triggered and is active, type the following

command:

>> # /info/events/alarms

In the current software version of the NVG, an alarm is only triggered when

a hardware failure in an SSL accelerator card is detected.

To save the events log file to an FTP/TFTP/SFTP server, type the

following command:

>> # /info/events/download

You need to provide the IP address or host name of the FTP/TFTP/SFTP

server, as well as a file name. After the events log file has been saved,

connect to the FTP/TFTP/SFTP server and examine the contents of the

file.

Error Log Files

Provided you have configured the VPN Gateway to use a Syslog server,

the VPN Gateway will send log messages to the specified Syslog server.

For more information about how to configure a UNIX Syslog daemon,

see the Syslog manpages under UNIX. For more information about how

to configure the VPN Gateway to use a Syslog server, see the "Syslog

Servers Configuration " section under Configuration Menu>System

Configuration in the Command Reference.

Another option is to use the /maint/dumplogs command. It collects

system log file information from the VPN Gateway you are connected to

(or optionally, all NVGs in the cluster) and sends the information to a file

in the gzip compressed tar format on the TFTP/FTP/SFTP server you

have specified. The information can then be used for technical support

purposes. The file sent to the TFTP/FTP/SFTP server does not contain

any sensitive information related to the system configuration, such as

certificates, private keys, and so on.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Unable to download NetDirect from VPN server 175

Unable to download NetDirect from VPN server

After installing NetDirect v1.0.2.3+ as a result of upgrading to code

releases v5.1.3.4 or higher and subsequently downgrading the portal

software to v5.1.3.3 or earlier, the NetDirect client fails to load and

produces an error.

To use the NetDirect with v5.1.3.4 or earlier release, you need to manually

remove the NetDirect and relaunch the portal and earlier NetDirect. To

remove the NetDirect, follow these steps:

Step

Action

Open Windows Explorer to C:\WINNT\Downloaded Program

Files.

Right click on NetDirect.OCX ActiveX control.

Select Remove.

NetDirect is uninstalled.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

176 Troubleshooting the NVG

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

177

Appendix

Supported Ciphers

The Nortel VPN Gateway (NVG) supports SSL version 2.0, SSL version

3.0, and TLS version 1.0. All ciphers covered in these versions of SSL are

supported, except the IDEA and FORTEZZA ciphers and ciphers using

DH or DSS authentication.

Table 6

Supported Ciphers

Cipher Name

SSL

Protoc

Key Exchange

Algorithm,

Encryption

Algorithm

MAC Digest

Algorithm

Authentication

DHE-RSA-AES256-SHA

AES256-SHA

SSLv3

DH, RSA

RSA, RSA

DH, RSA

AES (256)

3DES (168)

SHA1

EDH-RSA-DES-CBC3-

SHA

DES-CBC3-SHA

DES-CBC3-MD5

DHE-RSA-AES128-SHA

AES128-SHA

SSLv3

SSLv2

SSLv3

SSLv2

SSLv3

RSA, RSA

DH, RSA

3DES (168)

AES (128)

RC4 (128)

RC2 (128)

RC4 (128)

RC4 (64)

SHA1

MD5

SHA1

RSA, RSA

RSA(1024), RSA

SHA1

RC4-SHA

SHA1

RC4-MD5

MD5

RC2-CBC-MD5

MD5

RC4-MD5

MD5

RC4-64-MD5

MD5

EXP1024-RC4-SHA

EXP1024-DES-CBC-SHA

EXP1024-RC2-CBC-MD5

EXP1024-RC4-MD5

EDH-RSA-DES-CBC-SHA

RC4 (56)

SHA1 EXPORT

MD5 EXPORT

SHA1

RSA (1024), RSA DES (56)

RSA (1024), RSA RC2 (56)

RSA (1024), RSA RC4 (56)

DH, RSA

DES (56)

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

178 Supported Ciphers

Table 6

Supported Ciphers (cont’d.)

Cipher Name

SSL

Protoc

Key Exchange

Algorithm,

Encryption

Algorithm

MAC Digest

Algorithm

Authentication

DES-CBC-SHA

DES-CBC-MD5

SSLv3

SSLv2

SSLv3

RSA, RSA

DES (56)

DES (40)

SHA1

RSA, RSA

MD5

EXP-EDH-RSA-DES-CBC-

DH (512), RSA

SHA1 EXPORT

SHA

EXP-DES-CBC-SHA

EXP-RC2-CBC-MD5

EXP-RC4-MD5

SSLv3

SSLv2

SSLv3

RSA (512), RSA

DH, NONE

DES (40)

RC2 (40)

RC4 (40)

RC2 (40)

RC4 (40)

AES (256)

3DES (168)

AES (128)

RC4 (128)

DES (56)

DES (40)

RC4 (40)

SHA1 EXPORT

MD5 EXPORT

SHA1

EXP-RC2-CBC-MD5

EXP-RC4-MD5

ADH-AES256-SHA

ADH-DES-CBC3-SHA

ADH-AES128-SHA

ADH-RC4-MD5

DH, NONE

SHA1

DH, NONE

SHA1

DH, None

MD5

ADH-DES-CBC-SHA

EXP-ADH-DES-CBC-SHA

EXP-ADH-RC4-MD5

DH, NONE

SHA1

DH (512), None

SHA1 EXPORT

MD5 EXPORT

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Unable to download NetDirect from VPN server 179

Cipher List Formats

The cipher list you specify for a virtual SSL server consists of one or more

cipher strings separated by colons (e.g. RC4:+RSA:+ALL:!NULL:!DH:!EX

PORT@STRENGTH). Lists of ciphers can be combined using a logical

and operation (+) (e.g. SHA1+DES represents all cipher suites containing

the SHA1 and the DES algorithms).

In the colon-separated list, any cipher string can be preceded by the

characters !, - or +. These characters serve as modifiers, with the following

meanings:

•

! permanently deletes the ciphers from the list (e.g. !RSA).

- deletes the ciphers from the list, but the ciphers can be added again

by later options.

•

+ moves the ciphers to the end of the list. This option doesn’t add any

new ciphers it just moves matching existing ones.

@STRENGTH is placed at the end of the cipher list, and sorts the list in

order of encryption algorithm key length.

The default cipher list used for all virtual SSL servers on the VPN Gateway

is ALL@STRENGTH.

A cipher list consisting of the string RC4:ALL:!DH translates into a

preferred list of ciphers that begins with all ciphers using RC4 as the

encryption algorithm, followed by all cipher suites except the eNULL

ciphers (ALL). The final !DH string means that all cipher suites containing

the DH (Diffie-Hellman) cipher are removed from the list. (Few of the major

web browsers support these ciphers.)

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

180 Supported Ciphers

Modifying a Cipher List

Starting from the RC4:ALL:!DH cipher list, an example of a slightly

modified cipher list can be: RC4:ALL:!EXPORT:!DH

This example will remove all EXPORT ciphers, besides the DH related

cipher suites. Removing the EXPORT ciphers means that all ciphers using

either 40 or 56 bits symmetric ciphers are removed from the list. This

means that browsers running export controlled crypto software cannot

access the server.

Using the OpenSSL command line tool (on a UNIX machine), it is possible

to check which cipher suites a particular cipher list corresponds to. The

preceding example yields the following output:

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Unable to download NetDirect from VPN server 181

Supported Cipher Strings and Meanings

The following table lists each supported cipher string alias and its

significance.

Table 7

Cipher Strings and Meanings

Cipher String Aliases

DEFAULT

Meaning

The default cipher list, which corresponds to

ALL@STRENGTH.

ALL

All cipher suites except the eNULL ciphers,

which must be explicitly enabled.

HIGH

Cipher suites with key lengths larger than 128

bits.

MEDIUM

LOW

Cipher suites using 128 bit encryption.

Includes cipher suites using 64 or 56 bit

encryption, but excludes export cipher suites.

EXPORT

Includes cipher suites using 40 and 56 bit

encryption.

EXPORT40

EXPORT56

eNULL, NULL

Cipher suites using 40 bit export encryption

only.

Cipher suites using 56 bit export encryption

only.

Cipher suites that do not offer any encryption

at all. Because the use of such ciphers pose

a security threat, they are disabled unless

explicitly included.

aNULL

Cipher suites that do not offer authentication,

like anonymous DH algorithms. The use

of such cipher suites is not recommended,

because they facilitate man-in-the-middle

attacks.

kRSA, RSA

kEDH

Cipher suites using RSA key exchange.

Cipher suites using ephemeral Diffie-Hellman

key agreement.

aRSA

Cipher suites using RSA authentication, which

implies that the certificates carry RSA keys.

SSLv3, SSLv2

SSL version 3.0 and SSL version 2.0 cipher

suites, respectively.

Cipher suites using DH encryption algorithms,

including anonymous DH.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

182 Supported Ciphers

Table 7

Cipher Strings and Meanings (cont’d.)

ADH

Cipher suites using anonymous DH encryption

algorithms.

AES

Cipher suites using AES encryption algorithms.

3DES

Cipher suites using triple DES encryption

algorithms.

Cipher String Aliases

DES

Meaning

Cipher suites using DES encryption algorithms,

but not triple DES.

RC4

RC2

MD5

Cipher suites using RC4 encryption algorithms.

Cipher suites using RC2 encryption algorithms.

Cipher suites using MD5 encryption

algorithms.

SHA1, SHA

Cipher suites using SHA1 encryption

algorithms.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

183

Appendix

The SNMP Agent

There is one SNMP agent on each Nortel VPN Gateway (NVG), and the

agent listens to the IP address of that particular device. On the VPN

Gateway that currently holds the cluster’s Management IP address (MIP),

the SNMP agent also listens to the MIP.

The SNMP agent supports SNMP version 1, version 2c and version 3.

Notification targets (the SNMP managers receiving trap messages sent by

the agent) can be configured to use either SNMP v1, v2c and v3 (with the

default being SNMP v2c). Users may specify any number of notification

targets on the VPN Gateway.

For more information about the commands used to configure the SNMP

agent in a cluster, see the "SNMP Management Configuration " section

under Configuration Menu>System Configuration in the Command

Reference.

For detailed information about the MIB (Management Information Base)

definitions that are currently implemented for the SNMP agent, do one of

the following:

•

Go to http://www.nortel.com/. Under Support & Training,

select Software Downloads>VPN Gateway>VPN Gateway

3050/3070>Software

•

Connect to the Browser-Based Management Interface (BBI) In the

System tree view, expand Administration and SNMP. Finally select

the MIBs form.

The file ALTEON-SSL-CAP.mib contains an AGENT-CAPABILITIES

statement, which formally specifies which MIBs are implemented.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

184 The SNMP Agent

Supported MIBs

The VPN Gateway supports the following MIBs:

•

SNMPv2-MIB

SNMP-MPD-MIB

SNMP-FRAMEWORK-MIB

SNMP-TARGET-MIB

SNMP-NOTIFICATION-MIB

SNMP-VIEW-BASED-ACM-MIB

SNMP-USER-BASED-SM-MIB

SYNOPTICS-ROOT-MIB

S5-TCS-MIB

S5-ROOT-MIB

S5-ETH-MULTISEG-TOPOLOGY-MIB

IF-MIB

IP-MIB

IP-FORWARD-MIB

ENTITY-MIB

DISMAN-EVENT-MIB

ALTEON-ISD-PLATFORM-MIB

ALTEON-ISD-SSL-MIB

ALTEON-SSL-VPN-MIB

ALTEON-ROOT-MIB

IANAifType-MIB

SNMPv2-MIB

The SNMPv2-MIB is a standard MIB implemented by all agents. The

following groups are implemented:

•

snmpGroup

•

snmpSetGroup

systemGroup

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

SNMP-VIEW-BASED-ACM-MIB 185

•

snmpBasicNotificationsGroup

snmpCommunityGroup

SNMP-MPD-MIB

The following group is implemented:

•

snmpMPDGroup

SNMP-FRAMEWORK-MIB

The following group is implemented:

•

snmpEngineGroup

The SNMP-TARGET MIB

The SNMP-TARGET-MIB contains information about where to send

traps. This is also configurable/viewable from the CLI, using the

/cfg/sys/adm/snmp/target command.

The following groups are implemented:

•

snmpTargetCommandResponderGroup

snmpTargetBasicGroup

snmpTargetResponseGroup

Write access to snmpTargetParamsTable is turned off in VACM.

SNMP-NOTIFICATION-MIB

The following group is implemented:

•

snmpNotifyGroup

Write access to all objects in this MIB is turned off in VACM.

SNMP-VIEW-BASED-ACM-MIB

The following group is implemented:

•

vacmBasicGroup

Write access to all objects in this MIB is turned off in VACM.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

186 The SNMP Agent

SNMP-USER-BASED-SM-MIB

The following group is implemented:

•

usmMIBBasicGroup

Write access to all objects in this MIB is turned off in VACM.

S5-ETH-MULTISEG-TOPOLOGY-MIB

This MIB is used when the NVG participates in SONMP. The following

groups are implemented:

•

s5EnMsTopInfo

s5EnMsTopNmm

s5EnMsTopBdg

s5EnMsSrcMac

SYNOPTICS-ROOT-MIB

This MIB provides product IDs and descriptions for SONMP-aware

products. It is required by the S5-ETH-MULTISEG-TOPOLOGY-MIB MIB.

S5-TCS-MIB

This MIB is used when the NVG participates in SONMP. It is required by

theS5-ETH-MULTISEG-TOPOLOGY-MIB MIB.

S5-ROOT-MIB

This MIB is used when the NVG participates in SONMP. It is required by

the S5-ETH-MULTISEG-TOPOLOGY-MIB MIB.

IF-MIB

The following groups are implemented:

•

ifPacketGroup

ifStackGroup

Limitations

The agent does not implement the following objects:

•

ifType

ifSpeed

ifLastChange

ifInUnknownProtos

ifOutNUnicast

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

DISMAN-EVENT-MIB 187

IP-MIB

The following groups are implemented:

•

ipGroup

icmpGroup

IP-FORWARD-MIB

The following group is implemented:

•

ipCidrRouteGroup

ENTITY-MIB

The following groups are implemented:

•

entityPhysicalGroup

entityPhysical2Group

entityGeneralGroup

entityNotificationsGroup

Write access to snmpTargetParamsTable is turned off in VACM.

DISMAN-EVENT-MIB

The DISMAN-EVENT-MIB is a MIB module for defining event

triggers and actions for network management purposes. See the

/cfg/sys/adm/snmp/event command in the Command Reference for

instructions on how to add a monitor as defined in this MIB.

The following groups are implemented:

•

dismanEventResourceGroup

dismanEventTriggerGroup

dismanEventObjectsGroup

dismanEventEventGroup

dismanEventNotificationObjectGroup

dismanEventNotificationGroup

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

188 The SNMP Agent

ALTEON-ISD-PLATFORM-MIB

The ALTEON-ISD-PLATFORM-MIB contains the following groups and

objects:

•

isdClusterGroup

isdResourceGroup

isdAlarmGroup

isdBasicNotificatioObjectsGroup

isdEventNotificationGroup

isdAlarmNotificationGroup

ALTEON-ISD-SSL-MIB

The ALTEON-ISD-SSL-MIB contains objects for monitoring the SSL

gateways. The following groups are implemented:

•

sslBasicGroup

sslEventGroup

ALTEON-SSL-VPN-MIB

The ALTEON-SSL-VPN-MIB contains SSL/IPsec user statistics and

SSL/IPsec license information for all VPNs. It also contains authentication

server statistics. The following groups are implemented:

•

vpnBasicGroup

vpnEventGroup

IANAifType-MIB

Defines the IANAifType Textual Convention, and thus the enumerated

values of the ifType object defined in MIB-II’s ifTable.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

IANAifType-MIB 189

Supported Traps

The following SNMP traps are supported by the VPN Gateway:

Table 8

Traps Supported by the VPN Gateway

Trap Name

Description

alteonISDSSLHs

mNotLoggedIn

Signifies that login to the HSM card is required. Only for

the ASA 310 FIPS model.

alteonISDSSLHs

mTamperedWith

Signifies that the HSM card has been tampered with. Only

for the ASA 310 FIPS model.

alteonISDSSLHw Signifies that the SSL accelerator hardware failed. The

Fail

VPN Gateway will continue to handle traffic, but with

severely degraded performance.

authenticationFai

lure

Sent when the SNMP agent receives an SNMP message

which is not properly authenticated. This trap is disabled

by default. To enable the trap through SNMP, set snmpEn

ableAuthenTraps to enabled or use the CLI command

/cfg/sys/adm/snmp/snmpv2-mib/snmpenable.

Defined in SNMPv2-MIB.

coldStart

Sent when the VPN Gateway reboots.

Defined in SNMPv2-MIB.

isdAlarmCleared

isdDown

Sent when an alarm is cleared.

Signifies that a VPN Gateway in the cluster is down and

out of service.

isdLicense

Sent when the VPN Gateways in the cluster have different

licenses and when a demo license has 7 days left before

expiration.

Defined in ALTEON-ISD-PLATFORM-MIB.

isdLicenseExpired Sent when a license has expired.

isdMipMigration

Signals that the master IP has migrated to another VPN

Gateway.

isdSingleMaster

Signifies that only one master VPN Gateway in the

cluster is up and operational. Only having one master in

a cluster means that the fault tolerance level is severely

degraded—if the last master fails, the system cannot be

reconfigured.

This trap is only sent if more than two VPN Gateways in

the cluster are defined as masters.

linkDown

Sent when the agent detects that one of the links

(interfaces) has gone down.

Defined in IF-MIB.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

190 The SNMP Agent

Table 8

Traps Supported by the VPN Gateway (cont’d.)

Trap Name

Description

linkUp

Sent when the agent detects that one of the links

(interfaces) has gone up. Defined in IF-MIB.

vpnLicenseExhau

sted

Sent when the VPN has run out of SSL or IPsec user

licenses. No more than one event per hour is sent for one

VPN.

Defined in ALTEON-SSL-VPN-MIB.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

191

Appendix

Syslog Messages

This appendix contains a list of the syslog messages that are sent from the

Nortel VPN Gateway (NVG) to a Syslog server (when added to the system

configuration). All the syslog messages follow common specifications.

These messages are compliant with the SYSLOG SRD specifications.

They can be stored locally on the hard disk or in a memory buffer. Syslog

servers are added to the system configuration by using the menu options

in the Syslog Servers menu. To view the menu options, see the "Syslog

Servers Configuration " section under Configuration Menu>System

Configuration in the Command Reference.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

192 Syslog Messages

List of Syslog Messages

This section lists the Syslog messages that can be sent from a VPN

Gateway to a configured Syslog server. The messages are divided into

the following message types:

•

Operating system (OS)

System control

Traffic processing

Startup

Configuration reload

AAA

IPsec

To view a list of syslog messages in alphabetical order, see the section

“Syslog Messages in Alphabetical Order” (page 209).

Operating System (OS) Messages

The OS system messages are divided into three categories:

•

EMERG

CRITICAL

ERROR

EMERG

•

Root filesystem corrupt

The system cannot boot, but stops with a single-user prompt. fsck

failed. Reinstall to recover.

Config filesystem corrupt beyond repair

The system cannot boot, but stops with a single-user prompt. Reinstall

to recover.

Failed to write to config filesystem

Probable hardware error. Reinstall.

CRITICAL

•

Config filesystem re-initialized - reinstall required

Reinstall.

Application filesystem corrupt - reinstall required

Reinstall.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

ALARM 193

ERROR

•

Config filesystem corrupt

Possible loss of configuration. Followed by the message Config

filesystem re-initialized - reinstall required or Config filesystem

restored from backup.

Missing files in config filesystem

Possible loss of configuration. Followed by the message Config

filesystem re-initialized - reinstall required or Config filesystem

restored from backup.

•

Logs filesystem re-initialized

Loss of logs.

Root filesystem repaired - rebooting

fsck found and fixed errors. Probably OK.

Config filesystem restored from backup

Loss of recent configuration changes.

Rebooting to revert to permanent OS version

Happens after Config filesystem re-initialized - reinstall required or

Config filesystem restored from backup if software upgrade is in

progress (that is, if failure at first boot on new OS version).

System Control Process Messages

The System Control Process messages are divided into three categories:

INFO

ALARM

EVENT

•

Both events and alarms are stored in the event log file, which can be

accessed by typing the /info/events/download command. Active

alarms can be viewed by typing the /info/events/alarms command.

INFO

System started [isdssl-<version>]

Sent whenever the system control process has been (re)started.

ALARM

Alarms are sent at a syslog level corresponding to the alarm severity as

shown in the following table:

Alarm Severity

Syslog Level

CRITICAL

ALERT

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

194 Syslog Messages

Alarm Severity

Syslog Level

CRITICAL

ERROR

MAJOR

MINOR

WARNING

ERROR

Alarms are formatted according to the following pattern:

Id: <alarm sequence number>

Severity: <severity>

Name: <name of alarm>

Time. <date and time of the alarm>

Sender: <sender, e.g. system or the VPN Gateway ’s IP address>

Cause: <cause of the alarm>

Extra: <additional information about the alarm>

To simplify finding the desired alarm messages, this section lists alarms

with the name parameter on top.

•

Name: isd_down

Sender: <IP>

Cause: down

Extra:

Severity: critical

A member of the NVG cluster is down. This alarm is only sent if the

cluster contains more than one VPN Gateway.

•

Name: single_master

Sender: system

Cause: down

Extra:

Severity: warning

Only one master VPN Gateway in the cluster is up and running.

Name: log_open_failed

Sender: <IP>, event

Cause and Extra are explanations of the fault.

Severity: major

The event log (where all events and alarms are stored) could not be

opened.

Name: make_software_release_permanent_failed

Sender: <IP>

Cause: file_error | not_installed

Extra: "Detailed info"

Severity: critical

Failed to make a new software release permanent after being

activated. The system will automatically revert to the previous version.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

ALARM 195

•

Name: copy_software_release_failed Sender: <IP>

Cause: copy_failed | bad_release_package | no_release_package |

unpack_failed

Extra: "Detailed info"

Severity: critical

A VPN Gateway failed to install a software release while trying to install

the same version as all other VPN Gateways in the cluster. The failing

VPN Gateway tries to catch up with the other cluster members as it

was not up and running when the new software version was installed.

Name: license

Sender: license_server

Cause: license_not_loaded

Extra: "All iSDs do not have the same license loaded "

Severity: warning

All VPN Gateways in the cluster do not have a license containing

the same set of licensed features. Check loaded licenses using the

/cfg/sys/cur command.

•

Name: license

Sender: <IP>

Cause: license_expire_soon

Extra: "Expires: <TIME> "

Severity: warning

The (demo) license loaded to the local VPN Gateway expires within 7

days. Check loaded licenses using the /cfg/sys/cur command.

Name: ssl_hw_fail

Sender: <IP>

Cause: find_error |init_error

Extra:

Severity: major

The SSL hardware acceleration card could not be found or initiated.

This will cause the VPN Gateway to run with degraded performance.

Name: hsm_not_logged_in

Sender: <IP>, <Token>

Cause: reboot

Extra: "Card<Token> "

Severity: critical

After a reboot, login to the HSM card is required.

•

Name: hsm_tampered_with

Sender: <IP>, <Token>

Cause: hsm_detected

Extra: "Card<Token> "

Severity: critical

Name: slave_not_starting

Sender: <IP>, <SlaveNo>

Cause: start_error | connect_timeout | fdsend | nothidden |

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

196 Syslog Messages

name_resolv | nodename_occupied

Extra:"

Severity: warning

The portal handling subsystem cannot be started.

When an alarm is cleared, one of the following messages are sent:

Alarm Cleared Name="<Name>" Id="<ID>" Sender="<Sender>"

Alarm Cleared Id="<ID>"

EVENT

Events are sent at the NOTICE syslog level. They are formatted according

to the following pattern:

Name: <Name>

Sender: <Sender>

Extra: <Extra>

•

Name: partitioned_network

Sender and Extra is lower level information.

Sent to indicate that a VPN Gateway is recovering from a partitioned

network situation.

•

Name: ssi_mipishere

Sender: ssi

Extra: <IP>

Tells that the MIP (management IP address) is now located at the VPN

Gateway with the <IP> host IP address.

•

Name: license_expire_soon

Sender: <IP>

Indicates that the loaded (demo) license at the <IP> VPN Gateway

expires within 7 days.

Name: aaa_license_exhausted

Sender: <IP>:<VPNIndex>

Extra: ssl | IPsec

This event is sent when the VPN has run out of SSL or IPsec user

licenses. A hysteris mechanism is used so that no more than one

event per hour is sent for one VPN.

If <VPNIndex> is 0, the globally shared license was exhausted.

•

Name: software_configuration_changed

Sender: system

Extra: software release version <VSN> <Status>

Indicates that release <VSN> (version) has been <Status>

(unpacked/installed/permanent).

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

ERROR 197

•

Name: software_release_copying

Sender: <IP>

Extra: copy software release <VSN> from other cluster member

Indicates that <IP> is copying the release <VSN> from another cluster

member.

Name: software_release_rebooting

Sender: <IP>

Extra: reboot with release version <VSN>

Indicates that a VPN Gateway (<IP>) is rebooting on a new release

(that is, a VPN Gateway that was not up and running during the normal

installation is now catching up).

•

Name: license_expired

Sender = <IP>

Indicates that the demo license loaded at host <IP> has expired.

Check the loaded licenses with /cfg/sys/cur.

Name: audit

Sender: CLI

Extra: Start <session> <details> Update <session> <details> Stop

Sent when a CLI system administrator enters, exits or updates the CLI

if audit logging is enabled using the /cfg/sys/adm/audit/ena

command.

Trafﬁc Processing Messages

The Traffic Processing Subsystem messages are divided into these

categories:

•

CRITICAL

ERROR

WARNING

INFO

CRITICAL

ERROR

•

DNS alarm: all dns servers are DOWN

All DNS servers are down. The VPN Gateway cannot perform any DNS

lookups.

•

internal error: <no>

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

198 Syslog Messages

An internal error occurred. Contact support with as much information

as possible to reproduce this message.

•

javascript error: <reason> for: <host><path>

JavaScript parsing error encountered when parsing content from

<host><path>. This could be a problem in the NVG JavaScript parser,

but most likely a syntactical error in the JavaScript on that page.

vbscript error: <reason> for: <host><path>

VBScript parsing error encountered when parsing content from

<host><path>. This could be a problem in the NVG VBScript parser,

but most likely a syntactical error in the VBScript on that page.

jscript.encode error: <reason>

Problem encountered when parsing an encoded JavaScript. It may

be a problem with the JavaScript parser in the NVG or it could be a

problem on the processed page.

css error: <reason>

Problem encountered when parsing an style sheet. It may be a

problem with the css parser in the NVG or it could be a problem on

the processed page.

•

Failed to syslog traffic :<reason> -- disabling traf log

Problem occurred when the NVG tried to send traffic logging syslog

messages. Traffic syslogging was disabled as a result.

www_authenticate: bad credentials

The browser sent a malformed WWW-Authenticate: credentials

header. Most likely a broken client.

http error: <reason>, Request="<method> <host><path>"

A problem was encountered when parsing the HTTP traffic. This is

either an indication of a non-standard client/server or an indication

that the NVG ’s HTTP parser has gotten out of sync due to an earlier

non-standard transaction from the client or server on this TCP stream.

•

http header warning cli: <reason> (<header>)

The client sent a bad HTTP header.

http header warning srv: <reason> (<header>)

The server sent a bad HTTP header.

unknown WWW-Authenticate method, closing

Backend server sent unknown HTTP authentication method.

failed to parse Set-Cookie <header>

The NVG got a malformed Set-Cookie header from the backend web

server.

•

failed to locate corresponding portal for portal authenticated http

server

Portal authentication has been configured for an http server, but no

portal using the same VPN can be found. Make sure that there is a

portal running using the same VPN id.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

ERROR 199

•

Bad IP:PORT data <line> in hc script

Bad ip:port found in health check script. Reconfigure the health script.

This should normally be captured earlier by the CLI.

Bad regexp (<expr>) in health check

Bad regular expression found in health check script. Reconfigure. This

should normally be captured earlier by the CLI.

Bad script op found <script op>

Bad script operation found in health check script. Reconfigure. This

should normally be captured earlier by the CLI.

Bad string found <string>

Bad load balancing string encountered. This is normally verified by the

CLI.

•

Unable to use the certificate for <server nr>

Unsuitable certificate configured for server #.

The private key and certificate don’t match for <server nr>

Key and certificate does not match for server #. The certificate has to

be changed.

•

Unable to use client private key for <server #>

Key for doing sslconnect is not valid. Reconfigure.

Unable to find client private key for <server #>

Key for doing sslconnect is not valid. Reconfigure.

Unable to use client certificate for <server #>

Certificate for doing sslconnect is not valid. Reconfigure.

Failed to initialize SSL hardware

Problem initializing SSL acceleration hardware. This will cause the

VPN Gateway to run with degraded performance.

•

Could not find SSL hardware.

Failed to detect SSL acceleration hardware.

Connect failed: <reason>

Connect to backend server failed with <reason>

SSL connect failed: <reason>

SSL connect to backend server failed with <reason>

html error: <reason>

Error encountered when parsing HTML. Probably non-standard HTML.

socks error: <reason>

Error encountered when parsing the socks traffic from the client.

Probably a non-standard socks client.

•

socks request: socks version <version> rejected

Socks request of version <version> received and rejected. Most likely

a non-standard socks client.

Failed to log to CLI:<reason> -- disabling CLI log

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

200 Syslog Messages

Failed to send troubleshooting log to CLI. Disabling CLI troubleshooting

log.

•

Can’t bind to local address: <ip>:<port>: <reason>

Problem encountered when trying to set up virtual server on

<ip>:<port>.

Ignoring DNS packet was not from any of the defined

namesserver <ip>:<port>

NVG received reply for non-configured DNS server.

Proxy connect host name too long: <host>

The host name is too long to perform proxy connect. Make the host

name shorter or remove the domain from the proxy connect mapping.

Certificate CRL handling errors:

— failed to start auto-crl handling

— <Cert#>: syntax error when parsing the CRL-URL

— <Cert#>: automatic retrieval of HTTP-CRL failed - lookup failure

<Host>

— <Cert#>: automatic retrieval of HTTP-CRL failed - parse error

— <Cert#>: auto-crl over HTTP failed, reason: <Reason>

— <Cert#>: automatic retrieval of HTTP-CRL failed

— <Cert#>: failed to create TFTP-CRL temp file

— <Cert#>: parsing of TPFP-CRL URL failed

— <Cert#>: automatic retrieval of TFTP-CRL failed - lookup failure

<Host>

— <Cert#>: failed to read TFTP-CRL temp file

— <Cert#>: automatic retrieval of TFTP-CRL failed

— <Cert#>: automatic retrieval of LDAP-CRL failed - lookup failure

<Host>

— <Cert#>: failed to contact LDAP server at <Host>

— <Cert#>: no CRL (1) found at LDAP server

— <Cert#>: CRL authentication failed

— <Cert#>: no CRL (2) found at LDAP server

— <Cert#>: no CRL (3) found at LDAP server

— <Cert#>: no CRL passwd found

— <Cert#>: no CRL filter was found

— <Cert#>: no CRL interval found for cert

— <Cert#>: CRL revocation failed - <Reason>

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

INFO 201

WARNING

•

TPS license limit (<limit>) exceeded

The transactions per second (TPS) limit has been exceeded.

No PortalGuard license loaded: VPN <id> *will* use portal

authentication

The PortalGuard license has not been loaded on the VPN Gateway but

/cfg/vpn # /server/portal/authenticate is set to off.

•

No Secure Service Partitioning loaded: server <id> *will not* use

interface <n>

The Secure Service Partitioning license has not been loaded on the

VPN Gateway but the server is configured to use a specific interface.

•

License expired

The loaded (demo) license on the VPN Gateway has expired. The

VPN Gateway now uses the default license.

Server <id> uses default interface (interface <n> not configured)

A specific interface is configured to be used by the server but this

interface is not configured on the VPN Gateway.

IPSEC server <id> uses default interface (interface <n> not

configured)

A specific interface is configured to be used by the IPsec server but

this interface is not configured on the VPN Gateway.

•

Certificate CRL handling warnings:

— <Cert#>: no CRL-URL specified

— invalid escape sequence in DN, ignoring...

— <Cert#>: Ambiguous CRL configuration, all usage of certificate

<Cert> does not bind to the same interface and/or DNS

environment - using gateway <Gateway> settings

INFO

•

gzip error: <reason>

Problem encountered when processing compressed content.

gzip warning: <reason>

Problem encountered when processing compressed content.

accept() turned off (<nr>) too many fds

The VPN Gateway has temporarily stopped accepting new

connections. This will happen when the VPN Gateway is overloaded.

It will start accepting connections once it has finished processing its

current sessions.

•

No cert supplied by backend server

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

202 Syslog Messages

No certificate supplied by backend server when doing SSL connect.

Session terminated to backend server.

•

No CN supplied in server cert <subject>

No CN found in the subject of the certificate supplied by the backend

server.

Bad CN supplied in server cert <subject>

Malformed CN found in subject of the certificate supplied by the

backend server.

•

Shutting sslproxy down.

Traffic subsystem has been stopped.

Restarting proxy due to <reason>

Traffic subsystem restarted due to <reason>

DNS alarm: dns server(s) are UP

At least one DNS server is now up.

HC: backend <ip>:<port> is down

Backend health check detected backend <ip>:<port> to be down.

HC: backend <ip>:<port> is up again

Backend health check detected backend <ip>:<port> to be up.

Startup Messages

The Traffic Processing Subsystem Startup messages only include the

INFO category.

INFO

•

HSM mode: <mode>

Hardware Security Mode <mode>.

Disabling transparent proxy, non-compatible with pooling

Transparent proxy mode is disabled due to pooling being enabled

(startup message).

•

Set CSWIFT as default

Using CSWIFT SSL hardware acceleration. (startup message).

Using <hwtype> hardware

Using <hwtype> hardware for SSL acceleration. (startup message)

Loaded <ip>:<port>

Initializing virtual server <ip>:<port>.

Because we use clicerts, force adjust totalcache size to: <size>

per server that use clicerts

Generated if the size of the SSL session cache has been modified.

•

No more than <nr> backend supported

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

AAA Subsystem Messages 203

Generated when more than the maximum allowed backend servers

have been configured.

•

TPS license limit: <limit>

TPS limit set to <limit>

No TPS license limit

Unlimited TPS license used.

Started ssl-proxy

Traffic subsystem started.

Found <size> meg of phys mem

Amount of physical memory found on system.

Conﬁguration Reload Messages

The Traffic Subsystem Configuration Reload messages only include the

INFO category.

INFO

•

reload cert config start

Starting reloading of certificates.

reload cert config done

Certificate reloading done.

reload configuration start

Virtual server configuration reloading start.

reload configuration network down

Accepting new sessions are temporarily put on hold.

reload configuration network up

Resuming accepting new sessions after loading new configuration.

reload configuration done

Virtual server configuration reloading done.

AAA Subsystem Messages

The AAA (Authentication, Authorization and Accounting) subsystem

messages are divided into these categories:

•

ERROR

WARNING

INFO

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

204 Syslog Messages

ERROR

LDAP backend(s) unreachable Vpn=\"<id>\" AuthId=\"<authid>\"

In case LDAP server(s) cannot be reached when a user tries to login to

the Portal.

WARNING

INFO

Host <host ip> has been down too long: is no longer accounted for

in the license pool.

The host has been down too long (more than 30 days) and is no longer

accounted for in the license pool.

Host <host ip> is up: accounted for in the license pool.

A host that has been down too long is up again and is now sharing its

licenses in the license pool.

Log functionality

Messages listed are generated if the CLI command /cfg/vpn

#/adv/log is enabled.

If the log value contains login, the following messages can be displayed:

•

VPN LoginSucceeded Vpn="<id>" Method=<"ssl"|"ipsec">

SrcIp="<ip>" User="<user>" Groups="<groups>"

•

VPN LoginSucceeded Vpn="<id>" Method=<"ssl"|"ipsec">

SrcIp="<ip>" User="<user>" Groups="<groups>" TunIP="<inner

tunnel ip>"

•

VPN AddressAssigned Vpn="<id>" Method=<"ssl"|"ipsec">

SrcIp="<ip>" User="<user>" TunIP="<inner tunnel ip>"

VPN LoginFailed Vpn="<id>" Method=<"ssl"|"ipsec">

SrcIp="<ip>" [User="<user>"] Error=<error>

VPN Logout Vpn="<id>" SrcIp="<ip>" User="<user>"

If the log value contains portal, the following messages can be

displayed:

•

PORTAL Vpn="<id>" User="<user>" Proto="<proto>"

Host="<host>" Share="<share>" Path="<path>"

If the log value contains http, the following messages can be displayed:

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

WARNING 205

•

HTTP Vpn="<id>" Host="<host>" User="<user>" SrcIP="<ip>"

Request="<method> <host> <path>"

HTTP NotLoggedIn Vpn="<id>" Host="<host>" SrcIP="<ip>"

Request="<method> <host> <path>"

If the log value contains socks, the following messages can be displayed:

•

SOCKS Vpn="<id>" User="<user>" SrcIP="<ip>" Request="<req

uest>"

This message refers to the features on the Portal’s Advanced tab.

If the log value contains reject, the following messages can be

displayed:

•

HTTP Rejected Vpn="<id>" Host="<host>" User="<user>"

SrcIP="<ip>" Request="<method> <host> <path>"

PORTAL Rejected Vpn="<id>" User="<user>" Proto="<proto>"

Host="<host>" Share="<share>" Path="<path>"

SOCKS Rejected Vpn="<id>" User="<user>" SrcIP="<ip>"

Request="<request>"

IPsec Subsystem Messages

The IPsec subsystem messages are divided into these categories:

ERROR

WARNING

•

NOTICE

INFO

ERROR

There are several ERROR messages that may get sent from the

IPsec subsystem. They all indicate internal errors and thus provide no

meaningful information for troubleshooting.

WARNING

•

CreateSession Failed with sessionId 0

AAA returned failure for creating session.

Can’t find new IKE Profile %s received in Auth Reply

AAA provided new IKE profile as received from RADIUS, but IKE does

not have it.

•

Log off notif for non-existing session id %u

AAA notified about log-off for a non-existing session.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

206 Syslog Messages

•

Quick mode initiation to %s failed, error - %s

Quickmode initiation failed.

All credits are exhausted for Isakmp SA

Maximum number of outstanding ISAKMP SA create requests have

exceeded the limit.

•

All credits are exhausted for IPSec SA

Maximum number of outstanding IPsec SA create requests have

exceeded the limit.

•

Ignoring unauthenticated informational message from %s

Dropping message without the authentication hash.

Dropping unprotected notify message %s from %s

Dropping the clear-text notify message.

IPsec Mobility is disabled. Roaming request denied.

Dropping the roaming request. Mobility is disabled in the configuration.

Malformed ADDRESS_CHANGE notify message received from %s

Dropping invalid ADDRESS_CHANGE (Mobility) request.

Message from %s dropped because SPI is not found

Dropping message because SPI is not found.

Ignoring request to roam from %s to %s due to invalid source.

Expecting %s

Dropping roam request message because mismatch in source in

payload and header.

•

Ignoring request to roam from %s to %s

Dropping roam request because old and new source IP are same.

Error in Diffie-Hellman Setup, group=%u

Error in DH Setup.

No IPsec encryption type selected for %s - terminating

connection attempt

IPsec encryption does not match with the configured value.

•

Diffie-Hellman group mismatch for %s - terminating connection

attempt

Configured Diffie-Hellman Group does not match with the one that the

peer requested.

•

PFS is required but not provided by %s

PFS (Perfect Forward Secrecy) is configured locally, but the peer does

not provide it.

No Secure Service Partitioning license loaded IPSEC server ~s

*will not* use interface ~p

Secure Service Partitioning license not loaded.

IPsec server ~s uses default interface (interface ~p not

configured)

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

INFO 207

This indicates possible badly configured default gateways on some

Secure Service Partitioning interface.

•

Failed to allocate IP addr from empty pool

The IP address pool is empty and a login attempt was rejected due to

not being able to allocate an IP address from the pool. Note that Net

Direct clients also use IPs from the IP pool.

NOTICE

•

Failed to decode client cert

A client sent a bad client certificate which could not decoded/parsed.

Bad clicert, Can’t find issuer in clicert

A client sent a bad client certificate which did not contain an issuer.

Error while decoding certificate DER Id

A client sent a certificate where the X509 Name portion could not be

extracted from the certificate.

•

Client cert %d revoked

The client certificate with serial number %d was revoked and thus login

failed.

Ike not started due: No license

If no licence can be found (such as on old ASA 310), IKE is not

started.

INFO

•

Using new IKE. IKE Profile %s received in Auth Reply.

Received new IKE profile from AAA (received from RADIUS).

ISAKMP SA Established with %s

ISAKMP SA Established.

IPSec SA Established with %s, IPComp %s, inbound CPI 0x%x

IPsec SA Established.

Closing earlier opened UDP Encap Socket for port : %d

UDP Encap port number changed.

Creating UDP Encap Socket for %d.%d.%d.%d/%d

UDP Encap port number changed.

Received Delete ISAKMP SA message from %s

Received Delete ISAKMP SA message.

Received Delete IPSEC SA message from %s

Received Delete IPsec SA message.

Client %s rejected IPSec SA Proposal, so deleting ISAKMP SA

Client rejected the IPSec SA proposal.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

208 Syslog Messages

•

Deleting the QM replaced by new rekeyed QM

Deleting the old IPsec SA which has been replaced with the new

rekeyed one.

•

No response from %s for maximum retransmission attempts %d

Maximum number of retransmission attempts reached.

ike Connected successfully to erlang

IKE daemon has started and connected to the registry database.

revocation byte length: %d

Loading certificate revocation list of length %d.

Loaded ca certificate %s

Loaded CA certificate with name %s. This certificate is used to verify

client certificates.

•

Loaded server cert %s

Loaded server certificate with name %s. This certificate must be

signed by a trusted CA in the client.

•

Creating Ike Profile %s

Creating/Loading a new IKE profile called %s.

Updating Ike profile %s

A CLI/BBI change in IKE profile %s forces an update of the profile.

Deleting ike profile %s

IKE profile %s has been deleted in the CLI or BBI.

Creating tunnel profile %s

Updating tunnel profile %s.

Deleting tunnel profile %s

Deleting tunnel profile %s.

Bad clientcert, no matching ca cert found

A client tried to login with a client certificate when the corresponding

CA certificate was not loaded in IKE.

•

failed rsa private encrypt

Failure to encrypt data while signing with the CA certificate.

Failed to certificate der encode

Failed to der encode the CA certificate.

Allocated IP .....

An IP address was allocated from the IP pool.

Returned IP .....

An IP address was returned to the IP address pool.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

INFO 209

Syslog Messages in Alphabetical Order

This section lists the syslog messages in alphabetical order.

Table 9

Syslog Messages in Alphabetical Order

Message

Severity

Type

Explanation

aaa_license_exhausted

EVENT

System Control

This event is sent when the

VPN has run out of SSL or

IPsec user licenses. A hysteris

mechanism is used so that no

more than one event per hour is

sent for one VPN.

If <VPNIndex> is 0, the globally

shared license was exhausted.

accept() turned off (<nr>) too

many fds

INFO

Traffic

The VPN Gateway has

Processing

temporarily stopped accepting

new connections. This will

happen when the VPN Gateway

is overloaded. It will start

accepting connections once

it has finished processing its

current sessions.

All credits are exhausted for

IPSec SA

WARNING

IPsec

Maximum number of

outstanding IPsec SA create

requests have exceeded the

limit.

All credits are exhausted for

Isakmp SA

Maximum number of

outstanding ISAKMP SA create

requests have exceeded the

limit.

Allocated IP .....

INFO

IPsec

An IP address was allocated

from the IP pool.

Application filesystem corrupt -

reinstall required

CRITICAL

EVENT

Reinstall.

audit

System Control

Sent when a CLI system

administrator enters, enters,

exits or updates the CLI if audit

logging is enabled using the

/cfg/sys/adm/audit /ena

command.

Bad clicert, Can’t find issuer in

clicert

NOTICE

IPsec

A client sent a bad client

certificate which did not contain

an issuer.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

210 Syslog Messages

Table 9

Syslog Messages in Alphabetical Order (cont’d.)

Message

Severity

Type

Explanation

Bad clientcert, no matching ca

cert found

INFO

IPsec

A client tried to login with a

client certificate when the

corresponding CA certificate

was not loaded in IKE.

Bad CN supplied in server cert

INFO

Traffic

Malformed CN found in subject

of the certificate supplied by the

backend server.

Processing

Bad IP:PORT data <line> in hc

script

ERROR

Traffic

Bad ip:port found in health

check script. Reconfigure

the health script. This should

normally be captured earlier by

the CLI.

Processing

Bad regexp (<expr>) in health

check

ERROR

Traffic

Bad regular expression

found in health check script.

Reconfigure. This should

normally be captured earlier by

the CLI.

Processing

Bad script op found <script op>

Traffic

Bad script operation found

in health check script.

Reconfigure. This should

normally be captured earlier by

the CLI.

Processing

Bad string found <string>

ERROR

WARNING

INFO

Traffic

Bad load balancing string

encountered. This is normally

verified by the CLI.

Processing

Can’t bind to local address:

Traffic

Problem encountered when

trying to set up virtual server on

<ip>:<port>.

Processing

Can’t find new IKE Profile %s

received in Auth Reply

IPsec

AAA provided new IKE profile

as received from RADIUS, but

IKE does not have it.

Client %s rejected IPSec SA

Proposal, so deleting ISAKMP

Client rejected the IPSec SA

proposal.

Client cert %d revoked

NOTICE

INFO

The client certificate with serial

number %d was revoked and

thus login failed.

Closing earlier opened UDP

Encap Socket for port: %d

UDP Encap port number

changed.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

INFO 211

Table 9

Syslog Messages in Alphabetical Order (cont’d.)

Message

Severity

Type

Explanation

Config filesystem corrupt

ERROR

Possible loss of configuration.

Followed by the message

Config filesystem re-initialized

- reinstall required or Config

filesystem restored from

backup.

Config filesystem corrupt

beyond repair

EMERG

The system cannot boot, but

stops with a single-user prompt.

Reinstall to recover.

Config filesystem re-initialized -

reinstall required

CRITICAL

ERROR

Reinstall.

Config filesystem restored from

backup

Loss of recent configuration

changes.

Connect failed: <reason>

Traffic

Connect to backend server

failed with <reason>.

Processing

copy_software_release_failed

ALARM

System Control

A VPN Gateway failed to install

a software release while trying

to install the same version as

all other VPN Gateway(s) in

the cluster. The failing VPN

Gateway tries to catch up with

the other cluster members as it

was not up and running when

the new software version was

installed.

(CRITICAL)

Could not find SSL hardware.

ERROR

WARNING

INFO

Traffic

Failed to detect SSL

Processing

acceleration hardware.

CreateSession Failed with

sessionId 0

IPsec

AAA returned failure for creating

session.

Creating Ike Profile %s

Creating/Loading a new IKE

profile called %s.

Creating tunnel profile %s

INFO

IPsec

Updating tunnel profile %s.

Creating UDP Encap Socket for

%d.%d.%d.%d/%d

UDP Encap port number

changed.

css error: <reason>

ERROR

Traffic

Problem encountered when

parsing an style sheet. It may

be a problem with the css

parser in the NVG or it could

be a problem on the processed

page.

Processing

Deleting ike profile %s

INFO

IPsec

IKE profile %s has been deleted

in the CLI or BBI.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

212 Syslog Messages

Table 9

Syslog Messages in Alphabetical Order (cont’d.)

Message

Severity

Type

Explanation

Deleting the QM replaced by

new rekeyed QM

INFO

IPsec

Deleting the old IPsec SA which

has been replaced with the new

rekeyed one.

Deleting tunnel profile %s

INFO

IPsec

Deleting tunnel profile %s.

Diffie-Hellman group mismatch

for %s - terminating connection

attempt

WARNING

Configured DH Group does not

match with the one that the peer

requested.

Disabling transparent proxy,

non-compatible with pooling

INFO

Startup

Transparent proxy mode is

disabled due to pooling being

enabled.

DNS alarm: all dns servers are

DOWN

CRITICAL

Traffic

All DNS servers are down. The

VPN Gateway cannot perform

any DNS lookups.

Processing

DNS alarm: dns server(s) are

INFO

Traffic

At least one DNS server is now

up.

Processing

Dropping unprotected notify

message %s from %s

WARNING

NOTICE

IPsec

Dropping the clear-text notify

message.

Error in Diffie-Hellman Setup,

group=%u

Error in DH Setup.

Error while decoding certificate

DER Id

A client sent a certificate where

the X509 Name portion could

not be extracted from the

certificate.

failed rsa private encrypt

INFO

IPsec

Failure to encrypt data while

signing with the CA certificate.

Failed to allocate IP addr from

empty pool

WARNING

The IP address pool is empty

and a login attempt was

rejected due to not being able

to allocate an IP address from

the pool. Note that Net Direct

clients also use IPs from the IP

pool.

Failed to decode client cert

NOTICE

INFO

IPsec

A client sent a bad client

certificate which could not

decoded/parsed.

Failed to der encode certificate

Failed to DER encode the CA

certificate.

Failed to initialize SSL hardware ERROR

Traffic

Problem initializing SSL

Processing

acceleration hardware. This

will cause the VPN Gateway to

run with degraded performance.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

INFO 213

Table 9

Syslog Messages in Alphabetical Order (cont’d.)

Message

Severity

Type

Explanation

failed to locate corresponding

portal for portal authenticated

http server

ERROR

Traffic

Portal authentication has been

configured for an http server,

but no portal using the same

VPN id can be found. Make

sure that there is a portal

Processing

running using the same VPN id.

Failed to log to CLI:<reason> --

disabling CLI log

ERROR

Traffic

Failed to send troubleshooting

log to CLI. Disabling CLI

troubleshooting log.

Processing

failed to parse Set-Cookie

Traffic

The NVG got a malformed

Set-Cookie header from the

backend web server.

Processing

Failed to syslog traffic:<reason>

-- disabling traf log

Traffic

Problem occurred when the

NVG tried to send traffic logging

syslog messages. Traffic

syslogging was disabled as a

result.

Processing

Failed to write to config

filesystem

EMERG

Probable hardware error.

Reinstall.

Found <size> meg of phys mem INFO

Startup

Amount of physical memory

found on system.

gzip error: <reason>

INFO

Traffic

Problem encountered when

Processing

processing compressed content.

gzip warning: <reason>

Traffic

Problem encountered when

Processing

processing compressed content.

HC: backend <ip>:<port> is

down

Traffic

Backend health check detected

backend <ip>:<port> to be

down.

Processing

HC: backend <ip>:<port> is up

again

INFO

Traffic

Backend health check detected

backend <ip>:<port> to be up.

Processing

Host <host ip> has been down

too long: is no longer accounted

for in the license pool.

WARNING

AAA

The host has been down too

long (more than 30 days) and is

no longer accounted for in the

license pool.

Host <host ip> is up: accounted

for in the license pool.

INFO

AAA

A host that has been down

too long is up again and is

now sharing its licenses in the

license pool.

HSM mode: <mode>

Startup

Hardware Security Mode

<mode>.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

214 Syslog Messages

Table 9

Syslog Messages in Alphabetical Order (cont’d.)

Message

Severity

Type

Explanation

hsm_not_logged_in

ALARM

System Control

After a reboot, login to the HSM

card is required.

(CRITICAL)

hsm_tampered_with

html error: <reason>

ALARM

System Control

The HSM card has been

tampered with.

(CRITICAL)

ERROR

Traffic

Error encountered when parsing

HTML. Probably non-standard

HTML.

Processing

http error: <reason>,

Request="<method>

<host><path>"

ERROR

Traffic

A problem was encountered

when parsing the HTTP traffic.

This is either an indication of a

non-standard client/server or an

indication that the NVG ’s HTTP

parser has gotten out of sync

due to an earlier non-standard

transaction from the client or

server on this TCP stream.

Processing

http header warning cli:

<reason> (<header>)

ERROR

INFO

Traffic

The client sent a bad HTTP

header.

Processing

http header warning srv:

<reason> (<header>)

Traffic

The server sent a bad HTTP

header.

Processing

HTTP NotLoggedIn Vpn="<id>"

Host="<host>" SrcIP="<ip>"

Request="<method> <host>

<path>"

AAA

The remote user was not logged

in to the specified web server

requested from the Portal.

HTTP Rejected Vpn="<id>"

Host="<host>" User="<user>"

SrcIP="<ip>" Request="<metho

d> <host> <path>"

INFO

The remote user failed to

access the specified web server

requested from the Portal.

HTTP Vpn="<id>" Host="<host

>" User="<user>" SrcIP="<ip>"

Request="<method> <host>

<path>"

The remote user has

successfully accessed the

specified web server requested

from the Portal.

Ignoring DNS packet was

not from any of the defined

namesserver <ip>:<port>

ERROR

Traffic

NVG received reply for

Processing

non-configured DNS server.

Ignoring request to roam from

%s to %s

WARNING

IPsec

Dropping roam request because

old and new source IP are

same.

Ignoring request to roam from

%s to %s due to invalid source.

Expecting %s

Dropping roam request

message because mismatch in

source in payload and header.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

INFO 215

Table 9

Syslog Messages in Alphabetical Order (cont’d.)

Message

Severity

Type

Explanation

Ignoring unauthenticated

WARNING

IPsec

Dropping message without the

authentication hash.

informational message from %s

ike Connected successfully to

erlang

INFO

IPsec

IKE daemon has started and

connected to the registry

database.

Ike not started due: No license

internal error: <no>

NOTICE

ERROR

If no licence can be found (such

as on old ASA 310), IKE is not

started.

Traffic

An internal error occurred.

Contact support with as much

information as possible to

reproduce this message.

Processing

IPSec Mobility is disabled.

Roaming request denied.

WARNING

IPsec

Dropping the roaming request,

the Mobility is disabled in

configuration.

IPSec SA Established with %s,

IPComp %s, inbound CPI 0x%x

INFO

IPsec

IPsec SA Established.

IPSEC server ~s uses default

interface (interface ~p not

configured)

WARNING

This indicates possible badly

configured default gateways

on some Secure Service

Partitioning interface.

IPSEC server <id> uses default

interface (interface <n> not

configured)

WARNING

Traffic

A specific interface is configured

to be used by the IPsec

server but this interface is

not configured on the VPN

Gateway.

Processing

ISAKMP SA Established with

INFO

IPsec

ISAKMP SA Established.

isd_down

ALARM

System Control

A member of the NVG cluster is

down. This alarm is only sent if

the cluster contains more than

one VPN Gateway.

(CRITICAL)

javascript error: <reason> for:

ERROR

Traffic

JavaScript parsing error

Processing

encountered when parsing

content from <host><path>.

This could be a problem in the

NVG JavaScript parser, but

most likely a syntactical error in

the JavaScript on that page.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

216 Syslog Messages

Table 9

Syslog Messages in Alphabetical Order (cont’d.)

Message

Severity

Type

Explanation

jscript.encode error: <reason>

ERROR

Traffic

Problem encountered when

parsing an encoded JavaScript.

It may be a problem with the

JavaScript parser in the NVG

or it could be a problem on the

processed page.

Processing

LDAP backend(s)

ERROR

AAA

Shown if LDAP server(s) cannot

be reached when a user tries to

unreachable Vpn=\"<id>\"

AuthId=\"<authid>\"

license

ALARM

System Control

One or several VPN Gateways

in the cluster do not have

the same SSL VPN license

(with reference to number of

concurrent users).

(WARNING)

license

ALARM

System Control

The (demo) license loaded

to the local VPN Gateway

expires within 7 days. Check

loaded licenses using the

/cfg/sys/cur command.

(WARNING)

license_expire_soon

license_expired

EVENT

System Control

Indicates that the loaded

(demo) license at the <IP> VPN

Gateway expires within 7 days.

Indicates that the the demo

license at host <IP> has

expired. Check the loaded

licenses with /cfg/sys/cur.

License expired

WARNING

Traffic

The loaded (demo) license on

the VPN Gateway has expired.

The VPN Gateway now uses

the default license.

Processing

Loaded <ip>:<port>

INFO

Startup

IPsec

Initializing virtual server

<ip>:<port>.

Loaded ca certificate %s

Loaded CA certificate with name

%s. This certificate is used to

verify client certificates.

Loaded server cert %s

INFO

IPsec

Loaded server certificate with

name %s. This certificate must

be signed by a trusted CA in the

client.

Log off notif for non-existing

session id %u

WARNING

AAA notified about log-off for a

non-existing session.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

INFO 217

Table 9

Syslog Messages in Alphabetical Order (cont’d.)

Message

Severity

Type

Explanation

log_open_failed

ALARM

System Control

The event log (where all events

and alarms are stored) could

not be opened.

(MAJOR)

Logs filesystem re-initialized

ERROR

Loss of logs.

make_software_release_perma

nent_failed

ALARM

System Control

Failed to make a new software

release permanent after being

activated. The system will

automatically revert to the

previous version.

(CRITICAL)

Malformed ADDRESS_CHANG

E notify message received from

WARNING

IPsec

Dropping invalid

ADDRESS_CHANGE (Mobility)

request.

Message from %s dropped

because SPI is not found

WARNING

ERROR

IPsec

Dropping message because SPI

is not found.

Missing files in config filesystem

Possible loss of configuration.

Followed by the message

"Config filesystem re-initialized -

reinstall required" or "Config

filesystem restored from

backup".

No cert supplied by backend

server

INFO

Traffic

No certificate supplied by

backend server when doing SSL

connect. Session terminated to

backend server.

Processing

No CN supplied in server cert

INFO

Traffic

No CN found in the subject of

the certificate supplied by the

backend server.

Processing

No IPsec encryption type

selected for %s - terminating

connection attempt

WARNING

INFO

IPsec

IPsec encryption does not

match with the configured value.

No more than <nr> backend

supported

Startup

Generated when more than

the maximum allowed backend

servers have been configured.

No PortalGuard license loaded:

VPN <id> *will* use portal

authentication

WARNING

Traffic

The PortalGuard license has

not been loaded on the VPN

Gateway but /cfg/vpn # /ser

ver/portal/authenticate

is set to off.

Processing

No response from %s for

maximum retransmission

attempts %d

INFO

IPsec

Maximum number of

retransmission attempts

reached.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

218 Syslog Messages

Table 9

Syslog Messages in Alphabetical Order (cont’d.)

Message

Severity

Type

Explanation

No Secure Service Partitioning

license loaded IPSEC server ~s

*will not* use interface ~p

WARNING

IPsec

Secure Service Partitioning

licence not loaded.

No Secure Service Partitioning

loaded: server <id> *will not*

use interface <n>

WARNING

Traffic

The Secure Service Partitioning

license has not been loaded on

the VPN Gateway but the server

is configured to use a specific

interface.

Processing

No TPS license limit

partitioned_network

INFO

Startup

Unlimited TPS license used.

EVENT

System Control

Sent to indicate that a VPN

Gateway is recovering from a

partitioned network situation.

PFS is required but not provided WARNING

by %s

IPsec

AAA

PFS (Perfect Forward Secrecy)

is configured locally, but the

peer does not provide it.

PORTAL Rejected Vpn="<id>"

User="<user>" Proto="<proto>"

Host="<host>" Share="<share>"

Path="<path>"

INFO

The remote user failed

to access the specified

folder/directory on the specified

file server requested from the

Portal’s Files tab.

PORTAL Vpn="<id>"

INFO

AAA

The remote user has

User="<user>" Proto="<proto>"

Host="<host>" Share="<share>"

Path="<path>"

successfully accessed the

specified folder/directory on the

specified file server requested

from the Portal’s Files tab.

Proxy connect host name too

long: <host>

ERROR

Traffic

The host name is too long

to perform proxy connect.

Make the host name shorter or

remove the domain from the

proxy connect mapping.

Processing

Quick mode initiation to %s

failed, error - %s

WARNING

ERROR

IPsec

Quickmode initiation failed.

Rebooting to revert to

permanent OS version

Happens after "Config

filesystem re-initialized -

reinstall required" or "Config

filesystem restored from

backup" if software upgrade

is in progress (i.e. if failure at

first boot on new OS version).

Received Delete IPSEC SA

message from %s

INFO

IPsec

Received Delete IPsec SA

message.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

INFO 219

Table 9

Syslog Messages in Alphabetical Order (cont’d.)

Message

Severity

Type

Explanation

Received Delete ISAKMP SA

message from %s

INFO

IPsec

Received Delete ISAKMP SA

message.

reload cert config done

reload cert config start

reload configuration done

INFO

Config Reload

Certificate reloading done.

Starting reloading of certificates.

Virtual server configuration

reloading done.

reload configuration network

down

INFO

Config Reload

Accepting new sessions are

temporarily put on hold.

reload configuration network up

Resuming accepting new

sessions after loading new

configuration.

reload configuration start

INFO

Config Reload

Virtual server configuration

reloading start.

Restarting proxy due to

INFO

Traffic

Traffic subsystem restarted due

to <reason>.

Processing

Returned IP .....

INFO

IPsec

An IP address was returned to

the IP address pool.

revocation byte length: %d

Root filesystem corrupt

INFO

Loading certificate revocation

list of length %d.

EMERG

The system cannot boot, but

stops with a single-user prompt.

fsck failed. Reinstall to recover.

Root filesystem repaired -

rebooting

ERROR

fsck found and fixed errors.

Probably OK.

Server <id> uses default

interface (interface <n> not

configured)

WARNING

Traffic

A specific interface is configured

to be used by the server but this

interface is not configured on

the VPN Gateway.

Processing

Set CSWIFT as default

Shutting sslproxy down.

INFO

Startup

Using CSWIFT SSL hardware

acceleration.

Traffic

Traffic subsystem has been

stopped.

Processing

Because we use clicerts, force

adjust totalcache size to :

<size> per server that use

clicerts

Startup

Generated if the size of the

SSL session cache has been

modified.

single_master

ALARM

System Control

Only one master VPN Gateway

in the cluster is up and running.

(WARNING)

slave_not_starting

ALARM

The portal handling subsystem

cannot be started.

(WARNING)

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

220 Syslog Messages

Table 9

Syslog Messages in Alphabetical Order (cont’d.)

Message

Severity

Type

Explanation

socks error: <reason>

ERROR

Traffic

Error encountered when parsing

the socks traffic from the client.

Probably a non-standard socks

client.

Processing

SOCKS Rejected Vpn="<id>"

User="<user>" SrcIP="<ip>"

Request="<request>"

INFO

AAA

The remote user failed to

perform an operation by using

one of the features available

under the Portal’s Advanced

tab.

socks request: socks version

<version> rejected

ERROR

INFO

Traffic

Socks request of version

<version> received and

rejected. Most likely a

non-standard socks client.

Processing

SOCKS Vpn="<id>"

AAA

The remote user has

User="<user>" SrcIP="<ip>"

Request="<request>"

successfully performed an

operation by using one of the

features available under the

Portal’s Advanced tab.

software_configuration_changed EVENT

System Control

Indicates that release <VSN>

(version) has been <Status>

(unpacked/installed/permanent).

software_release_copying

software_release_rebooting

EVENT

Indicates that <IP> is copying

the release <VSN> from another

cluster member.

Indicates that a VPN Gateway

(<IP>) is rebooting on a new

release (i.e. a VPN Gateway

that was not up and running

during the normal installation is

now catching up).

ssi_mipishere

EVENT

ERROR

System Control

Tells that the MIP (management

IP address) is now located at

the VPN Gateway with the <IP>

host IP address.

SSL connect failed: <reason>

ssl_hw_fail

Traffic

SSL connect to backend server

failed with <reason>.

Processing

ALARM

System Control

The SSL hardware acceleration

card could not be found or

initiated. This will cause the

VPN Gateway to run with

degraded performance.

(MAJOR)

Started ssl-proxy

INFO

Startup

Traffic subsystem started.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

INFO 221

Table 9

Syslog Messages in Alphabetical Order (cont’d.)

Message

Severity

Type

Explanation

System started [isdssl-<version

INFO

System Control

Sent whenever the system

control process has been

(re)started.

The private key and certificate

don’t match for <server nr>

ERROR

Traffic

Key and certificate does

Processing

not match for server #. The

certificate has to be changed.

TPS license limit (<limit>)

exceeded

WARNING

Traffic

The transactions per second

Processing

(TPS) limit has been exceeded.

TPS license limit: <limit>

INFO

Startup

TPS limit set to <limit>.

Unable to find client private key

for <server #>

ERROR

Traffic

Key for doing sslconnect is not

valid. Reconfigure.

Processing

Unable to use client certificate

for <server #>

ERROR

INFO

Traffic

Certificate for doing sslconnect

is not valid. Reconfigure.

Processing

Unable to use client private key

for <server #>

Traffic

Key for doing sslconnect is not

valid. Reconfigure.

Processing

Unable to use the certificate for

Traffic

Unsuitable certificate configured

for server #.

Processing

unknown WWW-Authenticate

method, closing

Traffic

Backend server sent unknown

HTTP authentication method.

Processing

Updating Ike profile %s

IPsec

A CLI/BBI change in IKE profile

%s forces an update of the

profile.

Using <hwtype> hardware

INFO

Startup

IPsec

Using <hwtype> hardware for

SSL acceleration.

Using new IKE. IKE Profile %s

received in Auth Reply.

INFO

Received new IKE profile from

AAA (received from RADIUS).

vbscript error: <reason> for:

ERROR

Traffic

VBScript parsing error

Processing

encountered when parsing

content from <host><path>.

This could be a problem in the

NVG VBScript parser, but most

likely a syntactical error in the

VBScript on that page.

VPN AddressAssigned Vpn=

"<id>" Method=<"ssl"|"ipsec">

SrcIp="<ip>" User="<user>"

TunIP="<inner tunnel ip>"

INFO

AAA

Source IP address for the

connection between the VPN

Gateway and the destination

address (inner tunnel) has been

allocated.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

222 Syslog Messages

Table 9

Syslog Messages in Alphabetical Order (cont’d.)

Message

Severity

Type

Explanation

VPN LoginFailed Vpn="<id>"

Method=<"ssl"|"ipsec">

SrcIp="<ip>" [User="<user>"]

Error=<error>

INFO

AAA

remote user’s access method,

client IP address and user name

is shown.

VPN LoginSucceeded Vpn=

"<id>" Method=<"ssl"|"ipsec">

SrcIp="<ip>" User="<user>"

Groups="<groups>"

INFO

AAA

The remote user’s access

method, client IP address, user

name and group membership is

shown.

VPN LoginSucceeded Vpn=

"<id>" Method=<"ssl"|"ipsec">

SrcIp="<ip>" User="<user>"

Groups="<groups>"

The remote user’s access

method, client IP address, user

name and group membership is

shown as well as the IP address

allocated to the connection

between the VPN Gateway and

the destination address (inner

tunnel).

TunIP="<inner tunnel ip>"

VPN Logout Vpn="<id>"

INFO

AAA

Remote user has logged out

from the VPN.

SrcIp="<ip>" User="<user>"

www_authenticate: bad

credentials

ERROR

Traffic

The browser sent a malformed

WWW-Authenticate: credentials

header. Most likely a broken

client.

Processing

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

223

Appendix

License Information

OpenSSL License Issues

The OpenSSL toolkit stays under a dual license, that is, both the

conditions of the OpenSSL License and the original SSLeay license apply

to the toolkit. See the following for the actual license texts. Both licenses

are actually BSD-style Open Source licenses. In case of any license

issues related to OpenSSL contact [email protected].

reserved. Redistribution and use in source and binary forms, with or

without modification, are permitted provided that the following conditions

are met:

1. Redistributions of source code must retain the preceding copyright

notice, this list of conditions, and the following disclaimer.

2. Redistributions in binary form must reproduce the preceding copyright

notice, this list of conditions, and the following disclaimer in the

documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software

must display the following acknowledgment: "This product includes

software developed by the OpenSSL Project for use in the OpenSSL

Toolkit. (http://www.openssl.org/)"

4. The names "OpenSSL Toolkit" and "OpenSSL Project" must not

be used to endorse or promote products derived from this software

without prior written permission. For written permission, contact

[email protected].

5. Products derived from this software may not be called "OpenSSL" nor

may "OpenSSL" appear in their names without prior written permission of

the OpenSSL Project.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

224 License Information

6. Redistributions of any form whatsoever must retain the

following acknowledgment: "This product includes software

developed by the OpenSSL Project for use in the OpenSSL Toolkit

(http://www.openssl.org/)"

THIS SOFTWARE IS PROVIDED BY THE OpenSSL PROJECT "AS IS"

AND ANY EXPRESSED OR IMPLIED WARRANTIES, INCLUDING, BUT

NOT LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY

AND FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN

NO EVENT SHALL THE OpenSSL PROJECT OR ITS CONTRIBUTORS

BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

LIABILITY, WHETHER IN CONTRACT, STRICT LIABILITY, OR TORT

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

POSSIBILITY OF SUCH DAMAGE.

This product includes cryptographic software written by Eric Young

([email protected]). This product includes software written by Tim

Hudson ([email protected]).

Original SSLeay License

reserved. This package is an SSL implementation written by Eric Young

([email protected]). The implementation was written so as to conform

with Netscape SSL. This library is free for commercial and non-commercial

use as long as the following conditions are adhered to. The following

conditions apply to all code found in this distribution, be it the RC4,

RSA, lhash, DES, and so on., code; not just the SSL code. The SSL

documentation included with this distribution is covered by the same

the code are not to be removed. If this package is used in a product,

Eric Young should be given attribution as the author of the parts of the

library used. This can be in the form of a textual message at program

startup or in documentation (online or textual) provided with the package.

Redistribution and use in source and binary forms, with or without

modification, are permitted, provided that the following conditions are met:

1. Redistributions of source code must retain the copyright notice, this list

of conditions, and the following disclaimer.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

225

2. Redistributions in binary form must reproduce the preceding copyright

notice, this list of conditions, and the following disclaimer in the

documentation and/or other materials provided with the distribution.

3. All advertising materials mentioning features or use of this software

must display the following acknowledgement: "This product includes

cryptographic software written by Eric Young ([email protected])". The

word "cryptographic" can be left out if the routines from the library being

used are not cryptographic related.

4. If you include any Windows specific code (or a derivative thereof)

from the apps directory (application code), you must include an

acknowledgement: "This product includes software written by Tim Hudson

([email protected])".

THIS SOFTWARE IS PROVIDED BY ERIC YOUNG "AS IS" AND

ANY EXPRESS OR IMPLIED WARRANTIES, INCLUDING, BUT NOT

LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND

FITNESS FOR A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO

EVENT SHALL THE AUTHOR OR CONTRIBUTORS BE LIABLE FOR

ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL, EXEMPLARY, OR

CONSEQUENTIAL DAMAGES (INCLUDING, BUT NOT LIMITED TO,

PROCUREMENT OF SUBSTITUTE GOODS OR SERVICES; LOSS OF

USE, DATA, OR PROFITS; OR BUSINESS INTERRUPTION) HOWEVER

CAUSED AND ON ANY THEORY OF LIABILITY, WHETHER IN

CONTRACT, STRICT LIABILITY, OR TORT (INCLUDING NEGLIGENCE

OR OTHERWISE) ARISING IN ANY WAY OUT OF THE USE OF THIS

SOFTWARE, EVEN IF ADVISED OF THE POSSIBILITY OF SUCH

DAMAGE.

The licence and distribution terms for any publicly available version or

derivative of this code cannot be changed. That is, this code cannot simply

be copied and put under another distribution licence [including the GNU

Public Licence.]

GNU General Public License

Version 2, June 1991

Suite 330, Boston, MA 02111-1307 USA

Everyone is permitted to copy and distribute verbatim copies of this license

document, but changing it is not allowed.

GNU GENERAL PUBLIC LICENSE

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

226 License Information

TERMS AND CONDITIONS FOR COPYING, DISTRIBUTION AND

MODIFICATION

0. This License applies to any program or other work that contains a

notice placed by the copyright holder saying it may be distributed under

the terms of this General Public License. The following Program , refers

to any such program or work. A "work based on the Program" means

either the Program or any derivative work under copyright law: that is,

a work containing the Program or a portion of it, either verbatim or with

modifications and/or translated into another language. (Hereinafter,

translation is included without limitation in the term "modification.") Each

licensee is addressed as "you."

Activities other than copying, distribution and modification are not covered

by this License; they are outside its scope. The act of running the Program

is not restricted, and the output from the Program is covered only if its

contents constitute a work based on the Program (independent of having

been made by running the Program). Whether that is true depends on

what the Program does.

1. You may copy and distribute verbatim copies of the Program’s source

code as you receive it, in any medium, provided that you conspicuously

and appropriately publish on each copy an appropriate copyright notice

and disclaimer of warranty; keep intact all the notices that refer to this

License and to the absence of any warranty; and give any other recipients

of the Program a copy of this License along with the Program.

You may charge a fee for the physical act of transferring a copy, and you

may at your option offer warranty protection in exchange for a fee.

2. You may modify your copy or copies of the Program or any portion of it,

thus forming a work based on the Program, and copy and distribute such

modifications or work under the terms of Section 1, preceding, provided

that you also meet all of these conditions:

a) You must cause the modified files to carry prominent notices stating that

you changed the files and the date of any change.

b) You must cause any work that you distribute or publish in whole or in

part that contains or is derived from the Program or any part thereof, to

be licensed as a whole at no charge to all third parties under the terms

of this License.

c) If the modified program normally reads commands interactively when

run, you must cause it (when started running for such interactive use in

the most ordinary way) to print or display an announcement, including an

appropriate copyright notice and a notice that there is no warranty (or else,

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

227

saying that you provide a warranty), and that users may redistribute the

program under these conditions, and telling the user how to view a copy

of this License. (Exception: If the Program itself is interactive but does not

normally print such an announcement, your work based on the Program is

not required to print an announcement.)

These requirements apply to the modified work as a whole. If identifiable

sections of that work are not derived from the Program and can be

reasonably considered independent and separate works in themselves,

then this License, and its terms, do not apply to those sections when you

distribute them as separate works. But when you distribute the same

sections as part of a whole which is a work based on the Program, the

distribution of the whole must be on the terms of this License, whose

permissions for other licensees extend to the entire whole, and thus to

each and every part regardless of who wrote it.

Thus, it is not the intent of this section to claim rights or contest your rights

to the work written entirely by you; rather, the intent is to exercise the right

to control the distribution of derivative or collective works based on the

Program.

In addition, mere aggregation of another work not based on the Program

with the Program (or with a work based on the Program) on a volume of a

storage or distribution medium does not bring the other work under the

scope of this License.

3. You may copy and distribute the Program (or a work based on it, under

Section 2) in object code or executable form under the terms of Sections 1

and 2, preceding, provided that you also do one of the following:

a) Accompany it with the complete corresponding machine-readable

source code, which must be distributed under the terms of Sections 1 and

2 preceding on a medium customarily used for software interchange; or,

b) Accompany it with a written offer, valid for at least three years, to

give any third party (for a charge no more than your cost of physically

performing source distribution) a complete machine-readable copy of the

corresponding source code, to be distributed under the terms of Sections 1

and 2, preceding, on a medium customarily used for software interchange;

or,

c) Accompany it with the information you received as to the offer to

distribute corresponding source code. (This alternative is allowed only for

noncommercial distribution and only if you received the program in object

code or executable form with such an offer, in accordance with Subsection

b, preceding.)

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

228 License Information

The source code for a work means the preferred form of the work for

making modifications to it. For an executable work, complete source code

means all the source code for all modules it contains, plus any associated

interface definition files, plus the scripts used to control compilation and

installation of the executable. However, as a special exception, the source

code distributed need not include anything that is normally distributed

(in either source or binary form) with the major components (compiler,

kernel, and so on) of the operating system on which the executable runs,

unless that component itself accompanies the executable. If distribution

of executable or object code is made by offering access to copy from a

designated place, then offering equivalent access to copy the source

code from the same place counts as distribution of the source code, even

though third parties are not compelled to copy the source along with the

object code.

4. You may not copy, modify, sublicense, or distribute the Program except

as expressly provided under this License. Any attempt otherwise to copy,

modify, sublicense or distribute the Program is void and will automatically

terminate your rights under this License. However, parties who have

received copies, or rights, from you under this License will not have their

licenses terminated so long as such parties remain in full compliance.

5. You are not required to accept this License, because you have not

signed it. However, nothing else grants you permission to modify or

distribute the Program or its derivative works. These actions are prohibited

by law if you do not accept this License. Therefore, by modifying or

distributing the Program (or any work based on the Program), you indicate

your acceptance of this License to do so, and all its terms and conditions

for copying, distributing or modifying the Program or works based on it.

6. Each time you redistribute the Program (or any work based on the

Program), the recipient automatically receives a license from the original

licensor to copy, distribute, or modify the Program subject to these terms

and conditions. You may not impose any further restrictions on the

recipients’ exercise of the rights granted herein. You are not responsible

for enforcing compliance by third parties to this License.

7. If, as a consequence of a court judgment, or allegation of patent

infringement, or for any other reason (not limited to patent issues),

conditions are imposed on you (whether by court order, agreement or

otherwise) that contradict the conditions of this License, they do not

excuse you from the conditions of this License. If you cannot distribute so

as to satisfy simultaneously your obligations under this License and any

other pertinent obligations, then as a consequence you may not distribute

the Program at all. For example, if a patent license not permit royalty-free

redistribution of the Program by all those who receive copies directly or

indirectly through you, then the only way you could satisfy both it and

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

229

this License be to refrain entirely from distribution of the Program. If any

portion of this section is held invalid or unenforceable under any particular

circumstance, the balance of the section is intended to apply and the

section as a whole is intended to apply in other circumstances.

It is not the purpose of this section to induce you to infringe any patents

or other property right claims or to contest validity of any such claims;

this section has the sole purpose of protecting the integrity of the free

software distribution system, which is implemented by public license

practices. Many people have made generous contributions to the wide

range of software distributed through that system in reliance on consistent

application of that system. It is up to the author/donor to decide if he

or she is willing to distribute software through any other system and a

licensee cannot impose that choice. This section is intended to make

thoroughly clear what is believed to be a consequence of the rest of this

License.

8. If the distribution and/or use of the Program is restricted in certain

countries either by patents or by copyrighted interfaces, the original

explicit geographical distribution limitation excluding those countries, so

that distribution is permitted only in or among countries not thus excluded.

In such case, this License incorporates the limitation as if written in the

body of this License.

9. The Free Software Foundation may publish revised and/or new versions

of the General Public License from time to time. Such new versions will be

similar in spirit to the present version, but may differ in detail to address

new problems or concerns. Each version is given a distinguishing version

number. If the Program specifies a version number of this License which

applies to it and "any later version," you have the option of following

the terms and conditions either of that version or of any later version

published by the Free Software Foundation. If the Program does not

specify a version number of this License, you may choose any version

ever published by the Free Software Foundation.

10. If you wish to incorporate parts of the Program into other free

programs in which distribution conditions are different, write to the author

for permission. For software which is copyrighted by the Free Software

Foundation, write to the Free Software Foundation; we sometimes make

exceptions for this. Our decision will be guided by the two goals of

preserving the free status of all derivatives of our free software and of

promoting the sharing and reuse of software generally.

NO WARRANTY

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

230 License Information

11. BECAUSE THE PROGRAM IS LICENSED FREE OF CHARGE,

THERE IS NO WARRANTY FOR THE PROGRAM, TO THE EXTENT

PERMITTED BY APPLICABLE LAW. EXCEPT WHEN OTHERWISE

STATED IN WRITING, THE COPYRIGHT HOLDERS AND/OR OTHER

PARTIES PROVIDE THE PROGRAM "AS IS" WITHOUT WARRANTY OF

ANY KIND, EITHER EXPRESSED OR IMPLIED, INCLUDING, BUT NOT

LIMITED TO, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND

FITNESS FOR A PARTICULAR PURPOSE. THE ENTIRE RISK AS TO

THE QUALITY AND PERFORMANCE OF THE PROGRAM IS WITH YOU.

SHOULD THE PROGRAM PROVE DEFECTIVE, YOU ASSUME THE

COST OF ALL NECESSARY SERVICING, REPAIR, OR CORRECTION.

12. IN NO EVENT, UNLESS REQUIRED BY APPLICABLE LAW OR

AGREED TO IN WRITING, WILL ANY COPYRIGHT HOLDER, OR

ANY OTHER PARTY WHO MAY MODIFY AND/OR REDISTRIBUTE

THE PROGRAM AS PERMITTED ABOVE, BE LIABLE TO YOU FOR

DAMAGES, INCLUDING ANY GENERAL, SPECIAL, INCIDENTAL

OR CONSEQUENTIAL DAMAGES ARISING OUT OF THE USE OR

INABILITY TO USE THE PROGRAM (INCLUDING BUT NOT LIMITED

TO LOSS OF DATA OR DATA BEING RENDERED INACCURATE OR

LOSSES SUSTAINED BY YOU OR THIRD PARTIES OR A FAILURE OF

THE PROGRAM TO OPERATE WITH ANY OTHER PROGRAMS), EVEN

IF SUCH HOLDER OR OTHER PARTY HAS BEEN ADVISED OF THE

POSSIBILITY OF SUCH DAMAGES.

END OF TERMS AND CONDITIONS.

Apache Software License, Version 1.1

Redistribution and use in source and binary forms, with or without

modification, are permitted provided that the following conditions are met:

1. Redistributions of source code must retain the preceding copyright

notice, this list of conditions and the following disclaimer.

2. Redistributions in binary form must reproduce the preceding

documentation and/or other materials provided with the distribution.

3. The end-user documentation included with the redistribution,

if any, must include the following acknowledgment: "This product

includes software developed by the Apache Software Foundation

(http://www.apache.org/)". Alternately, this acknowledgment may appear

in the software itself, if and wherever such third-party acknowledgments

normally appear.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

231

4. The names "Apache" and "Apache Software Foundation" must not

be used to endorse or promote products derived from this software

without prior written permission. For written permission, contact

[email protected].

5. Products derived from this software may not be called "Apache", nor

may "Apache" appear in their name, without prior written permission of

the Apache Software Foundation.

THIS SOFTWARE IS PROVIDED "QAS IS’’ AND ANY EXPRESSED OR

IMPLIED WARRANTIES, INCLUDING, BUT NOT LIMITED TO, THE

IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR

A PARTICULAR PURPOSE ARE DISCLAIMED. IN NO EVENT SHALL

THE APACHE SOFTWARE FOUNDATION OR ITS CONTRIBUTORS

BE LIABLE FOR ANY DIRECT, INDIRECT, INCIDENTAL, SPECIAL,

EXEMPLARY, OR CONSEQUENTIAL DAMAGES (INCLUDING, BUT

NOT LIMITED TO, PROCUREMENT OF SUBSTITUTE GOODS OR

SERVICES; LOSS OF USE, DATA, OR PROFITS; OR BUSINESS

INTERRUPTION) HOWEVER CAUSED AND ON ANY THEORY OF

LIABILITY, WHETHER IN CONTRACT, STRICT LIABIL>ITY, OR TORT

(INCLUDING NEGLIGENCE OR OTHERWISE) ARISING IN ANY WAY

OUT OF THE USE OF THIS SOFTWARE, EVEN IF ADVISED OF THE

POSSIBILITY OF SUCH DAMAGE.

This software consists of voluntary contributions made by many individuals

on behalf of the Apache Software Foundation. For more information about

the Apache Software Foundation, see http://www.apache.org/.

Portions of this software are based upon public domain software originally

written at the National Center for Supercomputing Applications, University

of Illinois, Urbana-Champaign.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

232 License Information

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

233

Appendix

HSM Security Policy

Rainbow Technologies CryptoSwift^®HSM Cryptographic

Accelerator

FIPS 140-1 Non-Proprietary Cryptographic Module Security Policy

Hardware P/N 107316 Firmware version 5.6.27 Ver 25 7/29/01for Level 3

Overall Level 4 for Self-Test Validation

Scope

This document describes the security policy for the HSM cryptographic

accelerator. It is to be used for the FIPS 140-1 validation process. The

board is designed to attain a level 3 overall validation and a level 4

validation in the area of Self-Test. The following table describes the

compliance level for each section of the FIPS 140-1 specification:

Cryptographic Modules:

Module Interfaces:

Level 3

Level N/a

Level 3

Level 4

Roles and Services:

Finite State Machine Model:

Physical Security:

Software Security:

Operating System Security:

Cryptographic Key Management:

Cryptographic Algorithms:

EMI/EMC:

Self-Tests:

If changes are made to the design of the HSM, this document should be

updated to incorporate the changes and reviewed by an NVLAP-accredited

CMT lab.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

234 HSM Security Policy

2.0 Applicable Documents

FIPS PUB 140-1 Federal Information Processing Standard, Security

Requirements for Cryptographic Modules. January, 11, 1994, U.S.

Department of Commerce, National Institute of Standards and Technology

Derived Test Requirements for FIPS PUB 140-1, Security Requirements

for Cryptographic Modules. FINAL, March 1995, Mitre for NIST Contract

50SBNIC6732

FIPS PUB 46-3 and FIPS PUB 81, for information about the Data

Encryption Standard (DES), and Triple DES algorithm. U.S. Department of

Commerce, National Institute of Standards and Technology

FIPS PUB 180-1, Secure Hash Algorithm (SHA-1), U.S. Department

of Commerce, National Institute of Standards and Technology. ANSI

Standard X9.17-1995, Financial Institution Key Management (Wholesale),

American Banking Association, X9 Financial Services, American National

Standards Institute

PKCS #1 RSA Cryptography Standard, Version 2.0,

http://www.rsasecurity.com/

RSA Security .Inc

3.0 Overview

The HSM is a cryptographic module which is used to accelerate

cryptographic processing for network based electronic commerce and

other network based applications. The board has two modes. These are

the non-FIPS140-1 mode and the FIPS140-1 mode. In the FIPS140-1

mode, the board can be used in servers to improve the performance

associated with high rate signing operations. In the non-FIPS140-1

mode, the board can be used to accelerate RSA operations for SSL

connections on web servers. Other uses are limited only by the creativity

of applications developers who can write to standard API’s such as

Cryptoki (PKCS#11).

The HSM is a PCI card. It has a serial port, a Universal Serial Bus

(USB) port, and an LED. The board is shipped with four tokens. These

tokens plug into the USB port. The first token is used for authenticating

the Security Officer to the HSM. The second token is used to for

authenticating the User. The third and fourth tokens are called "code

tokens." One of these is held (controlled) by the Security Officer. The

other held by the User. The code keys are used to move key parts

(also known as "key shares") between two HSM boards. Key parts

transferred by this mechanism are combined within the destination

boards so that a shared secret can exist on one or more boards without

having existed in plaintext outside of a family of HSM boards. The shared

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

4.0 Capabilities 235

secret is a Key-Wrapping-Key. When two or more boards contain the

same Key-Wrapping-Key, they are said to be in the same family. The

Key-Wrapping-Key is used to encrypt other keys. These encrypted keys

can then be transmitted between boards over untrusted paths under the

control of a Rainbow Technologies key management utility. This allows

boards to share keys as be appropriate for load distribution or redundancy

needs.

The key wrapping key also makes it possible for keys to be stored in

encrypted form on backup tapes or hard drives for archival purposes. The

keys encrypted with the Key-Wrapping-Key need never exist in plaintext

form outside of an HSM.

When an operator uses an HSM, he will be assisted by a key management

utility. This utility will prompt the operator when it is time to plug a

particular token into a particular HSM. A particular host system may

contain one or more HSM’s. So that there is no confusion, the key

management utility will control an LED on each HSM to alert the operator

to know where to insert a particular token.

1. The HSM can detect attempts to penetrate its cryptographic envelope.

If it detects a tamper attempt, the HSM will erase all of the critical security

parameters that it contains.

The HSM is controlled through its PCI interface. Commands are entered

through the PCI bus, and status is read from the PCI bus. Also, both

plaintext and encrypted data is transmitted over the PCI interface. The

serial port is disabled in the production version of the HSM. A primary

function of the HSM is to securely generate, store, and use private keys

(particularly for signing operations).

4.0 Capabilities

The HSM is capable of performing a wide variety of cryptographic

calculations including DES, SHA-1, DSA, 3DES, RSA exponentiation, RC4

and HMAC. When in the FIPS 140-1 mode, the board can perform DES,

3DES, RSA Signatures, RSA Signature Verifications and SHA-1 functions.

When in the non-FIPS 140-1 mode, the board can also perform the RSA

exponentiation, RC4, MD5, HMAC (SHA-1 and MD5) and DSA.

The RSA signature and verification implementation is compliant with the

PKCS #1 standard. The following table describes how each cryptographic

algorithm is used by our module while operating in the FIPS 140-1 Mode:

Algorithm

Used in

FIPS 140-1

Mode?

How it is used by the HSM module

DES

The module provides services for encryption/decryption. As currently No

implemented, the plaintext key must be input through the PCI

interface. Therefore, this algorithm is not accessible in the FIPS

140-1 Mode. The self-tests perform a known answer test on this

algorithm in FIPS 140-1 Mode.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

236 HSM Security Policy

Algorithm

Used in

FIPS 140-1

Mode?

How it is used by the HSM module

3DES

Used to generate Pseudo-random numbers using the X9.17

Appendix C PRNG algorithm for the purposes of key generation of

RSA and 3DES keys.

Yes

Encryption/decryption of every key stored in persistence storage

within the module using the Master Key. Wrapping (encryption)

of Private RSA Keys using the Key-Wrapping-Key for archival

purposes. Unwrapping (decryption) of Private RSA Keys using the

Key-Wrapping-Key for the purpose of restoring an archived key.

Note: The 3DES Encrypt and Decrypt services are not available for

this algorithm in FIPS mode because keys are entered in plaintext.

RSA Si

gnature/

Verification

Generation and verification of digital signatures using the RSA

algorithm, in accordance with the PKCS #1 specification. Keys

pairs of modulus size in the range 192 through 1024 bits, in 64

bit increments. Note: The message digest operation of the digital

signature and verification function is performed outside of the

cryptographic boundary for performance reasons. After the digest

is computed outside the module, the module formats and pads the

message digest according to the PKCS #1 standard and then uses

the RSA algorithm to compute the digital signature.

Yes

SHA-1

MD5

Hashing of host-provided data. Hashing for the purpose of verifying

the RSA digital signature of a firmware image. Hashing a 3DES key

for the purpose of checking its integrity after it is split and then the

corresponding shares combined.

Yes

The module provides services to compute an MD5 message digest.

As this algorithm is not FIPS-approved, the corresponding services

are not available in the FIPS 140-1 Mode.

HMAC

(SHA-1)

The module provides a service to compute HMAC using SHA-1. As

currently implemented, the service requires the MAC key to be input

unencrypted through the PCI interface, and therefore this service is

not available in the FIPS 140-1 Mode.

HMAC

(MD5)

The module provides a service to compute HMAC using MD5.

Because MD5 is not a FIPS-approved algorithm, this service is not

available in the FIPS 140-1 Mode.

RC4

DSA

The module provides services for encryption/decryption with RC4.

Because RC4 is not a FIPS-approved algorithm, the corresponding

services are not available in the FIPS 140-1 Mode.

The module provides services for generating and verifying DSA

signatures. As currently implemented, the private key for signature

generation must be input through the PCI interface. Therefore,

this algorithm is not available in the FIPS 140-1 Mode. Keys pairs

of modulus size in the range 512 through 1024 bits, in 64 bit

increments.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

7.1 Module Interfaces 237

5.0 Physical Security

The board is designed to detect tampering attempts and will zeroize critical

security parameters under a variety of prescribed circumstances. These

circumstances include penetration of the module’s cryptographic envelope.

The cryptographic envelope consists of an opaque tamper resistant lid and

circuit board, and will provide clear visual evidence of tampering. The lid

and circuit board are joined to form a contiguous perimeter. This perimeter

encloses module components responsible for the creation, storage and

processing of critical security parameters. The boundary contains intricate

serpentine patterns that are used to detect tamper attempts associated

with a breach of the cryptographic envelope by drilling, sawing or removal

of the tamper lid.

7.1 Module Interfaces

6.1 USB (Universal Serial Bus) Interface

This is the trusted interface of the HSM. It is used for communicating

with iKey1000 tokens. Four tokens are shipped with each HSM. One will

contain a pin used to authenticate the Security Officer. One will contain

a pin used to authenticate the User. One will contain a key-part to be

controlled by the Security Officer.

One will contain a key-part to be controlled by the user. No secrets,

key-parts or critical security parameters are contained within any of the

tokens or within the HSM when these items are shipped from Rainbow

Technologies.

6.2 Status LED (Light Emitting Diode) Interface

The LED can be in four possible states. These are off, green, orange and

red. The meaning associated with each LED state is as follows:

Meaning

LED State

Off

Power off

Green

Orange

Board is on but idle

Board is in the self-test state or performing a

crypto function

Red

Board is in the error state

The true state of the HSM will be obtainable from the status register which

is read by the host over the PCI interface.

6.3 Serial Interface

The serial interface is disabled in the production version of the HSM board.

6.4 PCI Interface

This interface is used to provide data and commands to the HSM board. It

is also used to read data and status from the HSM.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

238 HSM Security Policy

6.5 Backup Battery Interface

The Backup Battery Interface is used to provide backup power to the HSM.

This gives the HSM the capability to maintain and protect secrets should

PCI power become unavailable. The battery is continuously monitored

by the HSM for a voltage low condition. This makes it possible to alert

an operator. The operator may then replace the battery. This can be

done without loss of critical security parameters as long as the battery is

replaced when PCI power is present. If the battery is removed while PCI

power is absent, all critical security parameters contained within the HSM

will be erased.

6.6 PCI Power Interface

The PCI Power Interface will provide the power necessary to perform all

other HSM functions.

7.1 Components

7.1 Bulk Crypto

This component performs cryptographic hashing and symmetric

cryptographic operations.

7.2 Power Management and Tamper Detect

This component monitors battery voltage and the security envelope

to detect conditions that will result in the zeroization of critical security

parameters. Battery voltage is also monitored to determine when it is

necessary to replace the battery.

7.3 FastMap Processor

This component contains a processor and internal SRAM. The processor

executes the software that initially resides in Flash memory and is

eventually loaded into the external SRAM (external to the FastMap

Processor yet still within the cryptographic boundary). The FastMap

Processor also contains large accumulators and a random number

generator. The accumulators are necessary for the acceleration of public

key cryptographic operations. The random number generator generates

truly random numbers through a stochastic process. The output of this

random number generator is used only for seeding the FIPS-approved

ANSI X9.17 Appendix C pseudo-random number generator (PRNG). The

output of the PRNG is used for generating 3DES and RSA keys, as well

as outputting random numbers requested through the Generate Random

Number service.

7.4 Flash

This component is non-volatile memory. The contents of Flash will

maintain its state after PCI power and Battery power have been removed.

The Flash contains the firmware that controls processing within the HSM.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

8.0 Definition of Security Relevant Data Items 239

It also contains public keys and other information that are not considered

dangerous if exposed (certificates, public keys, encrypted data, encrypted

keys and hash values used for authentication).

7.5 SRAM

SRAM is Static Random Access Memory. This memory will be used to

store plaintext data, ciphertext data, symmetric keys, asymmetric keys,

intermediate values, and firmware after it has been loaded from Flash.

7.6 Real Time Clock/Battery Powered RAM (RTC/BBRAM)

This component is used to store values that are to be retained when PCI

power is removed. This includes the master key (MK) that can be used to

decrypt encrypted private keys and symmetric keys stored in Flash. The

RTC is used to provide input to the key generation process so that it is

consistent with FIPS 140-1 key generation requirements.

7.7 Programmable Logic Device (PLD)

This component embodies all additional logic necessary to interface

components contained within the security envelope.

7.8 USB (Universal Serial Bus) Controller

This component allows the board to communicate with an iKey. The iKey

is used to store a Personal Identification

Number PIN that allows for user authentication, or to store key parts for

moving keys from one HSM to another HSM.

7.9 Universal Asynchronous Receiver Transmitter (UART)

This component is disabled in the production version of the HSM board.

7.10 33MHz Clock

This circuitry generates a square wave to provide the primary system clock

and to synchronize the various components of the HSM with the operation

of the FastMap chip.

8.0 Deﬁnition of Security Relevant Data Items

The following are the security relevant data items in this module:

Master Key (MK) = The 3DES3KEY key which encrypts all non-volatile

critical security parameters that are stored within the module (in the flash).

The master key is stored in the BBRAM, and is destroyed when power is

removed from both the PCI interface and the battery, and by the tamper

detection circuitry whenever tampering is detected. The master key is

randomly generated when the board is initialized (the Security Officer

role is created). Security Officer role PIN (SOPIN) = The SO role PIN is

generated randomly when the board is initialized. It is written to an iKey

token through the trusted USB interface. Refer to following section 9.2 for

a description of how this PIN is used for authentication.

User Role PIN (UserPIN) = The User Role PIN is generated randomly

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

240 HSM Security Policy

when the SO invokes the Create User service. It is written to an iKey token

through the trusted USB interface. Refer to following section 9.2 for a

description of how this PIN is used for authentication.

Key-Wrapping-Key (KWK) = A 3DES3KEY key created by either the

SO or User role for the purpose of wrapping private RSA keys. The

Key-Wrapping-Key may be randomly generated using the Generate

Key service, or may be entered into the module using the Combine Key

service, which combines two key shares entered through the trusted USB

interface. In the non-FIPS 140-1 mode, the Key-Wrapping-Key may also

be created through the Derive Key service.

PRNG3DES Key (PRNGKey)= This 3DES2Key is used for seeding the

X9.17 Pseudo-random Number Generator (PRNG). The PRNG 3DES Key

is generated randomly using the hardware random number generator

(RNG) within the FastMap processor. This key is generated every time

a random number is needed for key generation or as a direct request

through the Generate Random Number service. The PRNG 3DES EDE

Key is destroyed after each PRNG is generated.

RSA Public and Private Key Pair (SPK, VPK)= This RSA key pair is

generated by either the SO or User role for the purpose generating RSA

digital signatures through the RSA Sign service, or for verifying the same

through the RSA Verify service. A key pair which is designated by the

user who created it cannot be used for any other purpose such as key

exchanges or encryption/decryption of data. The user may specify through

Boolean attributes whether the private key may be used for Signature

Generation and/or Data Decryption, and whether the public key may be

used for Signature Verification and/or Data Encryption. Hence, a given

key pair may be used for both signatures/verifications as well as data

encryption/decryption. In FIPS 140-1 Mode, data encryption/decryption is

not available.

RSA Encryption/Decryption Public and Private Key Pair (EPK, DPK)=

This key pair is generated by either the SO or User role for the purpose of

encrypting and decrypting data. When creating this key pair, the user may

specify through Boolean attributes whether the private key may be used for

Signature Generation and/or Data Decryption, and whether the public key

may be used for Signature Verification and/or Data Encryption. Hence,

a given key pair may be used for both signatures/verifications as well as

data encryption/decryption. Note that in the FIPS 140-1 Mode, although

Encryption/Decryption key pairs may be generated, the RSA Encrypt and

RSA Decrypt services are not available, and therefore, such keys are not

usable in this mode.

Key-Wrapping-Key Share (KWKShare) = Key share obtained by splitting

the KWK into two shares with the Split Key service. Two corresponding

shares may be combined with the Combine Key service to enter the KWK

into the module.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

9.0 Roles and Services 241

9.0 Roles and Services

9.1 Roles

The HSM supports two roles. These are the User role and the Security

Officer role. Each role has a username and an iKey ID that are selectable

by the security officer. The module must be handled in a secure manner

prior to initialization because authentication is not required to initialize the

module. Cryptographic keys and user-defined data which is created by a

specific authenticated user cannot be deleted or modified by another user,

regardless of the role. For example, a specific user of the User role may

not delete or modify keys or data created by a different user of either the

User or SO roles. The SO and User roles cannot operate simultaneously.

Only one authenticated user is allowed at a time.

9.1.1 User

The User role can perform cryptographic operations using private keys

which are encrypted and stored in flash. The User role cannot create a

user.

9.1.2 Security Officer

The Security Officer role can also perform cryptographic operations using

private keys which are encrypted and stored in flash. Additionally, the

Security Officer may create a user, update the HSM firmware, or command

the HSM to "uninitialize."

9.2 Authentication

The HSM uses identity-based authentication to allow subjects to assume

one of the two roles. Usernames are transmitted to the HSM over the

PCI interface to identify the user. A corresponding personal identification

number (SOPIN or UserPIN as described in section 8.0) is input to the

HSM from an iKey token over the trusted USB interface. This PIN is

hashed and compared with a hash value which is stored in flash and

associated with the user’s name on the HSM. If the two hash values

match, the user is authenticated and assigned a role that is associated

with the user’s name. To increase security in case the iKey token is

compromised, an iKey ID is used to unlock the plaintext PIN that is stored

in the iKey. This plaintext iKey ID is input into the module in plaintext

as part of the Login service. The module provides a SHA-1 of this iKey

ID to the iKey token to unlock the PIN. Because the iKey ID does not

authenticate the user to the module, but rather unlocks the plaintext PIN

from the iKey, the iKey ID is not an SRDI.

9.3 Initialization

The HSM is shipped in an un-initialized state. At this point, it contains

no private or secret keys. The Security Officer initializes the board.

Performing this function generates an internally stored master key,

and generates a random PIN, which is stored in the Security Officer’s

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

242 HSM Security Policy

iKey token. Initialization also creates the Security Officer account and

associates the SHA-1 hash of the random PIN with the Security Officer

account.

9.4 User Creation

Once the board has been initialized, the Security Officer can create a User

account. Creating the User account generates a random PIN, which is

stored in the User’s iKey token. The SHA-1 hash of this random PIN is

associated with the User account.

9.5 Services

The following table describes which services can be performed by which

role, and the SRDI(s) which each service accesses.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

9.0 Roles and Services 243

Service

FIPS140-1 Level 3 Mode

Not auth User

enticated Role

Non- FIPS140-1 Mode

Not auth User

enticated Role

SO Role

YES

SO Role

Yes

SRDIs Access

Modular Exponentiation

using CRT (note 3)

YES

None

Modular Exponentiation

(note 3)

YES

None

RSA Encrypt (note 8)

RSA Decrypt (note 8)

YES

EPK (use)

DPK (use)

None

Digital Signature Standard

Sign (note 1)

YES

Digital Signature Standard

Verification (note 1)

YES

None

Self-test

YES

None

Firmware Update

Generate Random Number

YES

PRNGKey (crea

te, destroy)

Get Configuration

Get Status

YES

Image

YES

None

YES

Verify Firmware

SHA1 Hash

YES

None

SHA1 HMAC (note 1)

MD5 Hash

MD5 HMAC (note 1)

Note 1 =

Note 2 =

Note 3 =

The key for these commands is input through the PCI bus (data input interface)

This is a PKCS 12 method for deriving a 3DES key from a password, salt and iteration count.

The Exponentiation Using CRT and Exponentiation functions are generic math functions; all

parameters are input through the PCI interface (data input interface).

Note 4 =

Note 5 =

When operating in the FIPS140-1 mode, it is not possible for secret keys, private keys or critical

security parameters to cross the PCI bus without being wrapped (encrypted) using the Key-Wrapping

Key.

User Login is the process that takes the board from an unauthenticated state to the authenticated

state. Only one user may be authenticated at a particular time. Consequently, the User Login process

cannot be started from the authenticated state. Nonetheless, the User Login process cannot be

completed successfully without authentication.

Note 6 =

Note 7 =

This command is used for generating the key-wrapping-key.

When the board is in the zeroized state, it is possible to for an unauthenticated user to uninitialize

the board.

Note 8 =

These operations must access stored cryptographic keys. The keys may not be input through the

PCI interface.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

244 HSM Security Policy

Service

FIPS140-1 Level 3 Mode

Not auth User

enticated Role

Non- FIPS140-1 Mode

Not auth User

enticated Role

SO Role

SRDIs Access

DES Encrypt (note 1)

DES Decrypt (note 1)

Triple DES Encrypt (note 1)

Triple DES Decrypt (note 1)

RC4 Encrypt (note 1)

YES

None

RC4 Decrypt (note 1)

Encrypt SHA1 Hash (DES)

(note 1)

Decrypt SHA1 Hash (DES)

(note 1)

YES

None

Encrypt SHA1 Hash (3DES)

(note 1)

Decrypt SHA1 Hash (3DES)

(note 1)

Encrypt MD5 Hash (RC4)

(note 1)

Decrypt MD5 Hash (RC4)

(note 1)

Generate and Return RSA

Key Pair (note 4)

Note 1 =

Note 2 =

Note 3 =

The key for these commands is input through the PCI bus (data input interface)

This is a PKCS 12 method for deriving a 3DES key from a password, salt and iteration count.

The Exponentiation Using CRT and Exponentiation functions are generic math functions; all

parameters are input through the PCI interface (data input interface).

Note 4 =

Note 5 =

When operating in the FIPS140-1 mode, it is not possible for secret keys, private keys or critical

security parameters to cross the PCI bus without being wrapped (encrypted) using the Key-Wrapping

Key.

User Login is the process that takes the board from an unauthenticated state to the authenticated

state. Only one user may be authenticated at a particular time. Consequently, the User Login process

cannot be started from the authenticated state. Nonetheless, the User Login process cannot be

completed successfully without authentication.

Note 6 =

Note 7 =

This command is used for generating the key-wrapping-key.

When the board is in the zeroized state, it is possible to for an unauthenticated user to uninitialize

the board.

Note 8 =

These operations must access stored cryptographic keys. The keys may not be input through the

PCI interface.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

9.0 Roles and Services 245

Service

FIPS140-1 Level 3 Mode

Not auth User

enticated Role

Non- FIPS140-1 Mode

Not auth User

enticated Role

SO Role

SRDIs Access

Generate and Store RSA

Key Pair

YES

PRNGKey

(create and

destroy), and

create either

or both of the

following pairs:

(SPK, VPK) or

(EPK, DPK)

Store Public Object (Public

RSA Key, user data object)

YES

Enter and store:

EPK or VPK

Store Vendor-Defined Data

Object

YES

None

Store Private Object (Private NO

RSA Key) (note 4)

Enter and

Store: SPK or

DPK

Get Public Object (RSA

public key, user-defined data

object)

YES

Read: SPK or

DPK

Get Vendor-Defined Data

Object

YES

None

Get Object Information by

Object ID

Get Object Count

Note 1 =

Note 2 =

Note 3 =

The key for these commands is input through the PCI bus (data input interface)

This is a PKCS 12 method for deriving a 3DES key from a password, salt and iteration count.

The Exponentiation Using CRT and Exponentiation functions are generic math functions; all

parameters are input through the PCI interface (data input interface).

Note 4 =

Note 5 =

When operating in the FIPS140-1 mode, it is not possible for secret keys, private keys or critical

security parameters to cross the PCI bus without being wrapped (encrypted) using the Key-Wrapping

Key.

User Login is the process that takes the board from an unauthenticated state to the authenticated

state. Only one user may be authenticated at a particular time. Consequently, the User Login process

cannot be started from the authenticated state. Nonetheless, the User Login process cannot be

completed successfully without authentication.

Note 6 =

Note 7 =

This command is used for generating the key-wrapping-key.

When the board is in the zeroized state, it is possible to for an unauthenticated user to uninitialize

the board.

Note 8 =

These operations must access stored cryptographic keys. The keys may not be input through the

PCI interface.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

246 HSM Security Policy

Service

FIPS140-1 Level 3 Mode

Not auth User

enticated Role

Non- FIPS140-1 Mode

Not auth User

enticated Role

SO Role

YES

SO Role

YES

SRDIs Access

Get Object Information by

Index

YES

None

Get RSA Key Information by NO

ID (modulus, exponent)

YES

Read: VPK or

EPK

Get RSA Key Information by NO

Index (modulus, exponent)

YES

Read: VPK or

DPK

Change Object ID

Delete Object

YES

None

Destroy

selected key:

KWK, SPK,

VPK, EPK,

DPK.

Delete All Objects

Initialize Card

YES

Destroy all

keys: KWK,

SPK, VPK,

EPK, DPK

YES

MK (create),

SOPIN (create

and write to

trusted path)

Note 1 =

Note 2 =

Note 3 =

The key for these commands is input through the PCI bus (data input interface)

This is a PKCS 12 method for deriving a 3DES key from a password, salt and iteration count.

The Exponentiation Using CRT and Exponentiation functions are generic math functions; all

parameters are input through the PCI interface (data input interface).

Note 4 =

Note 5 =

When operating in the FIPS140-1 mode, it is not possible for secret keys, private keys or critical

security parameters to cross the PCI bus without being wrapped (encrypted) using the Key-Wrapping

Key.

User Login is the process that takes the board from an unauthenticated state to the authenticated

state. Only one user may be authenticated at a particular time. Consequently, the User Login process

cannot be started from the authenticated state. Nonetheless, the User Login process cannot be

completed successfully without authentication.

Note 6 =

Note 7 =

This command is used for generating the key-wrapping-key.

When the board is in the zeroized state, it is possible to for an unauthenticated user to uninitialize

the board.

Note 8 =

These operations must access stored cryptographic keys. The keys may not be input through the

PCI interface.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

9.0 Roles and Services 247

Service

FIPS140-1 Level 3 Mode

Not auth User

enticated Role

Non- FIPS140-1 Mode

Not auth User

enticated Role

SO Role

SRDIs Access

Uninitialize Card (note 7)

YES

Destroy all of

the following:

MK, SOPIN,

UserPIN, KWK,

SPK, VPK,

EPK, DPK

User Login/Change PIN

(note 5)

YES

UserPIN (read

from trusted

interface)

Create User

YES

UserPIN

(create, write

to trusted

interface)

User Logout

YES

None

Derive Key (note 2)

Wrap Key (note 4)

KWK (create)

YES

KWK (use),

Wrap: SPK,

DPK

Unwrap Key (note 4)

YES

KWK (use),

Unwrap: SPK,

DPK

Modify Object

YES

None

RSA Sign (note 4)

SPK (use)

Note 1 =

Note 2 =

Note 3 =

The key for these commands is input through the PCI bus (data input interface)

This is a PKCS 12 method for deriving a 3DES key from a password, salt and iteration count.

The Exponentiation Using CRT and Exponentiation functions are generic math functions; all

parameters are input through the PCI interface (data input interface).

Note 4 =

Note 5 =

When operating in the FIPS140-1 mode, it is not possible for secret keys, private keys or critical

security parameters to cross the PCI bus without being wrapped (encrypted) using the Key-Wrapping

Key.

User Login is the process that takes the board from an unauthenticated state to the authenticated

state. Only one user may be authenticated at a particular time. Consequently, the User Login process

cannot be started from the authenticated state. Nonetheless, the User Login process cannot be

completed successfully without authentication.

Note 6 =

Note 7 =

This command is used for generating the key-wrapping-key.

When the board is in the zeroized state, it is possible to for an unauthenticated user to uninitialize

the board.

Note 8 =

These operations must access stored cryptographic keys. The keys may not be input through the

PCI interface.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

248 HSM Security Policy

Service

FIPS140-1 Level 3 Mode

Not auth User

enticated Role

Non- FIPS140-1 Mode

Not auth User

enticated Role

SO Role

SRDIs Access

RSA Verify

YES

VPK (use)

Generate Key (note 6)

Split Key

KWK (create)

KWK (split), PR

NGKey (create,

destroy), Two

KWKShares

(created

and written

to trusted

interface)

Combine Key

Set LED State

YES

KWK (created),

two KWKS

hares (read

from trusted

interface)

YES

None.

Note 1 =

Note 2 =

Note 3 =

The key for these commands is input through the PCI bus (data input interface)

This is a PKCS 12 method for deriving a 3DES key from a password, salt and iteration count.

The Exponentiation Using CRT and Exponentiation functions are generic math functions; all

parameters are input through the PCI interface (data input interface).

Note 4 =

Note 5 =

When operating in the FIPS140-1 mode, it is not possible for secret keys, private keys or critical

security parameters to cross the PCI bus without being wrapped (encrypted) using the Key-Wrapping

Key.

User Login is the process that takes the board from an unauthenticated state to the authenticated

state. Only one user may be authenticated at a particular time. Consequently, the User Login process

cannot be started from the authenticated state. Nonetheless, the User Login process cannot be

completed successfully without authentication.

Note 6 =

Note 7 =

This command is used for generating the key-wrapping-key.

When the board is in the zeroized state, it is possible to for an unauthenticated user to uninitialize

the board.

Note 8 =

These operations must access stored cryptographic keys. The keys may not be input through the

PCI interface.

10.0 Key Management

10.1 Key Generation

Random number generation for key generation is accomplished using

the algorithm described by appendix C of ANSI standard X9.17. This

algorithm will use a seed value V (from appendix C) that is generated by

the random number generator in the FastMap chip. Using this algorithm

ensures that the keys generated will be consistent with the requirements

of FIPS 140-1. Performing the key generation in this manner will ensure

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

10.0 Key Management 249

that the generated keys will be random and that the process used for their

construction will be compatible with FIPS 140-1 requirements. Continuous

random number testing is performed on the output of the hardware RNG

(in the Fastmap chip) as well as on the output of the FIPS-approved ANSI

X9.17 PRNG which is seeded by the RNG. For both continuous tests, the

block size of 64 bits.

10.2 Key Storage

Private keys, symmetric keys and other critical security parameters

will be stored in plaintext within the security envelope in RAM. Private

and symmetric keys may also be stored in Flash, but only when first

3DES3KEY encrypted with the Master Key (MK) of the board. BBRAM is

used to store the Master Key.

10.3 Key Entry and Output

When in the FIPS 140-1 mode, private keys and symmetric keys can

only cross the cryptographic boundary when 3DES3KEY encrypted with

a Key-Wrapping-Key. The Key-Wrapping-Key is generated when the "

Generate Key" command is received by the HSM. The command that is

used to encrypt and output a private or symmetric key is the "Wrap Key"

command. The command that is used to enter and decrypt a private or

symmetric key is the "Unwrap Key" command.

10.4 Key Distribution

To distribute a Key-Wrapping-Key between devices, it is split into two

parts. The two parts, when exclusively ORed together, generate the

Key-Wrapping-Key. The key splitting occurs when the "Write Key Split"

command is first issued by the Security Officer. This command will cause

one of the key parts to be written to an iKey controlled by the Security

Officer. The second key part is written to an iKey controlled by the User.

The Security Officer must logout and the User must login before the

second "Write Key Split" can be performed. The two iKey tokens used

for carrying key parts are labeled with the word "CODE". The two key

parts are then physically carried by separate trusted individuals to another

device. If this device is also an HSM, the two parts may loaded into it

using the "Read Key Split" command. Similarly, this command must be

issued twice, once for the Security Officer and once for the User. Separate

authentications are required for each "Read Key Split" command. After

the second "Read Key Split " command has been successfully completed

the destination device will contain the same Key-Wrapping-Key as the

originating device. Once two or more devices that contain the same

Key-Wrapping-Key, they are said to be in the same family. Devices in

the same family may share other secrets. Secrets are moved between

devices under the control of a Rainbow Technologies key management

utility. The key management utility runs on the host, and uses "Wrap Key"

and "Unwrap" commands to move wrapped keys between devices in the

same family.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

250 HSM Security Policy

10.5 Key Destruction

Critical security parameters including plaintext private keys, symmetric

keys and intermediate values will be zeroized according to various

conditions as described in Table 10 "Key Destruction" (page 250). It is

also possible for the security officer to command the board to un-initialize,

which causes the data stored in RAM, FLASH and BBRAM to be erased.

Table 10

Key Destruction

Tamper

Detected

Voltage Applied

Storage

RAM and Other

Retained

Erased

Battery

BRAM

Flash

PCI

YES

Retained

Erased

Retained

YES

Retained

Erased

YES

Erased

YES

Erased

10.6 Key Archiving

Under the control of the Rainbow Technologies key management utility,

it is also possible to archive keys. This may be done so that keys may

be stored on backup media such as tape or hard drives. The Rainbow

Technologies key management utility utilizes the "Wrap Key" command to

perform key archival. All archived keys are 3DES3KEY encrypted. Keys

may only be archived and restored between devices in the same family.

11.0 Modes

The HSM has two operating modes. These are the FIPS140-1 mode and

the non-FIPS140-1 mode. Before the HSM is initialized with the "Initialize

Card" command, it is in the non-FIPS140-1 mode. This command has

an input parameter that specifies the mode of the card after initialization.

Once initialized, the board remains in one of the two modes. If one

wishes to change the operating mode of the card, the card must first be

uninitialized using the "Uninitialize Card" command. Then, the card can be

initialized with a different operating mode. Uninitializing the card removes

all secrets from the card.

11.1 FIPS 140-1 Mode

In the FIPS 140-1 mode, the board may only perform FIPS approved

algorithms.

These are as follows:

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

12.0 Self-Tests 251

DES

3DES **

SHA-1

RSA Sign

RSA Verify

See the table in services section to identify the conditions necessary for

performing various HSM commands in the FIPS140-1 mode.

No plaintext private or symmetric keys can cross the cryptographic

boundary when the HSM is in the FIPS140-1 mode.

**The 3DES algorithm is used to secure private or symmetric keys stored

in flash and for the key wrapping and unwrapping functions.

11.2 Non-FIPS 140-1 Mode

In the non-FIPS140-1 mode, the user has greater flexibility in the types of

algorithms that can be performed and the manner that keys are handled.

For example, in the non-FIPS140-1 mode, the board can perform all

the functions of the FIPS140-1 mode plus other functions like MD5 and

RC4. In the non-FIPS140-1 mode, keys may cross the cryptographic

boundary in plaintext form for certain operations (e.g. DES, RSA CRT

exponentiation). It is still possible to store keys on the board so that

they cannot be extracted. These non-extractable keys will be erased if a

tamper attempt is detected. See the table in services section to identify

the conditions necessary for performing various HSM commands in the

non-FIPS140-1 mode.

12.0 Self-Tests

The following table describes all of the cryptographic self-tests performed

by the HSM module. The following abbrethroughtion is used:

KAT = Known Answer Test

When performed

Self-Test

FIPS 140-1

Mode

Non-FIPS

140-1 Mode

RSA Encrypt

/Decrypt and

Yes

Power-up, Self-Test

Service (ondemand)

Sign/Verify KATs

DES KAT

3DES KAT

SHA-1 KAT

DSA KAT

MD5 KAT

Yes

Power-up, Self-Test

Service (ondemand)

Power-up, Self-Test

Service (ondemand)

Power-up, Self-Test

Service (ondemand)

Power-up, Self-Test

Service (ondemand)

Power-up, Self-Test

Service (ondemand)

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

252 HSM Security Policy

When performed

Self-Test

FIPS 140-1

Mode

Non-FIPS

140-1 Mode

RC4 KAT

Yes

Power-up, Self-Test

Service (ondemand)

RSA Key Gene

ration Pairwise

Consistency Test

Yes

Generate And Store

RSA Key Pair Service,

Generate And Return

RSA Key Pair Service

Statistical

Yes

Power-up, Self-Test

Service (ondemand)

Random Number

Generator Tests

(Monobit, Poker,

Runs, Long Run)

Continuous

Random Number

Generator Test

Yes

Whenever a pseudorand

om number is generated:

key generation, Generate

Random Number Service

Firmware RSA

Signature

Verification Test

Power-up, Self-Test

Service (ondemand),

Firmware Update, Verify

Firmware Image Service

13.0 Conclusion

The HSM provides FIPS 140-1 Level 3 cryptographic processing,

acceleration and security for RSA signing and verifying functions. In the

non-FIPS140-1 mode, it can also bulk data cryptographic algorithms for

PKI certificate server, firewall and web server equipment. It is suitable for

use in applications requiring up to 200 public key transactions per second

where protecting critical security parameters is a high priority. Industries

requiring this high level of performance and security include (but are

not limited to) banking, telecommunications, e-commerce, and medical

services. In the area of self-test, the HSM provides capabilities consistent

with FIPS 140-1 Level 4.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

253

Appendix

Deﬁnition of Key Codes

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

254 Definition of Key Codes

Syntax Description

When using the Telnet applet available under the Portal’s Advanced tab,

there is an option to specify a keymap URL that points to a key code

definition file. If your application uses a different keyboard layout than the

standard VT320, a key code definition file can be created and uploaded

to the keymap URL. This appendix shows how to create the key code

definition file. Almost all special keys can be defined according to the

following syntax rule:

[SCA] KEY=STRING

The characters enclosed in [ and ] are optional. Only one of the characters

’S’ (SHIFT), ’C’ (CTRL) or ’A’ (ALT) may appear before KEY, which is

a textual representation of the key you wish to redefine (F1, PGUP and

so on.).

The new STRING to be sent when pressing the key should come after

the equals character (=). Hash marks (#) in the file declare the line as a

comment and will be ignored. The following examples explains the syntax

in more detail:

Send the string "test" when pressing the F1 key:

F1 = test

On pressing Control + PGUP, send the string "pgup pressed":

CPGUP = pgup pressed

Redefine the key Alt + F12 to send an escape character:

AF12 = \\e

As can be seen, the string may contain special characters which may be

escaped using the backslash (\).

Allowed Special Characters

The following table includes allowed special characters:

Note: For some of the escape codes you need two backslashes, as

these are specific javassh definitions not known by the Java Property

mechanism.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Redefinable Keys 255

Table 11

Allowed Special Characters

Explanation

Special Character

\\b

Backspace. This character is usually sent by

the <- key (Backspace key).

\\e

Escape. This character is usually sent by the

Esc key.

Newline. This character will move the cursor to

a new line. On UNIX systems, it is equivalent

to carriage return + newline. Usually the Enter

key send this character.

Carriage Return. This key moves the cursor to

the beginning of the line. In conjunction with

Newline, it moves the cursor to the beginning

of a new line.

Tabulator. The tab character is sent by the

TAB key and moves the cursor to the next tab

stop defined by the terminal.

\\v

Vertical Tabulator. Sends a vertical tabulator

character.

\\a

Bell. Sends a terminal bell character which

should make the terminal sound its bell.

\\number

Inserts the character that is defined by this

number in the ISO Latin1 character set. The

number should be a decimal value.

Redeﬁnable Keys

The following table explains which keys may be redefined. As explained

earlier, each of the keys may be prefixed by a character defining the

redefinition that occurs if it is pressed in conjunction with the SHIFT,

CONTROL or ALT keys.

Table 12

Redefinable Keys

Key Representation

F1-F20

Remarks

The Function keys, that is, F1, F2 and so on.

up to F20.

PGUP

The Page Up key.

The Page Down key.

The End key.

PGDOWN

END

The Home (Pos 1) key.

The Insert key.

HOME

INSERT

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

256 Definition of Key Codes

Table 12

Redefinable Keys (cont’d.)

Key Representation

Remarks

REMOVE

The Remove key.

The Cursor Up key.

The Cursor Down key.

The Cursor Left key.

The Cursor Right key.

The numbered Numeric keypad keys.

The Escape key.

DOWN

LEFT

RIGHT

NUMPAD0-NUMPAD9

ESCAPE

BACKSPACE

TAB

The Backspace key.

The Tab key.

Example of a Key Code Deﬁnition File

Following is an example of the keyCodes.at386 key code definition file,

created for an AT-386 Terminal.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

257

Appendix

SSH host keys

SSH host keys serve much the same purpose as server certificates in

SSL/TLS, i.e. they primarily allow clients to authenticate the server,

protecting against e.g. "man in the middle" attacks. As with certificates,

public/private key pairs are used. Unlike certificates, there is no public key

infrastructure and no certificate authorities for the SSH host keys.

Instead, the security of SSH sessions depends on SSH clients keeping

track of the public keys that should be used to authenticate different SSH

server hosts, not silently accepting new keys from previously unknown

server hosts, and refusing or at least strongly warning the user from

proceeding with the connection if there is a key mismatch.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

258 SSH host keys

Methods for Protection

In many environments, it may be reasonable for a SSH client user to

simply accept the key from a previously unknown remote server host when

prompted by the client, but to achieve strict protection against a "man in

the middle" attack against this very first connection, one of these methods

can be used:

•

Verifying the "fingerprint" (as displayed by the client) of the new remote

host key by some out-of-band means (e.g. verbal communication with

the server administrator).

•

Pre-installing the remote host key (previously transferred by some

out-of-band means) in the client’s key storage, i.e. effectively making

the remote host known even before the first connection.

The server administrator also needs to be able to generate new keys

(e.g. at initial configuration, or in case the old ones are believed to be

compromised), and the client user needs to be able to remove remote host

keys that are no longer valid from the client’s key storage (e.g. due to the

server administrator having generated new keys).

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Example of a Key Code Definition File 259

The VPN Gateway

The VPN Gateway can act both as SSH server (when a user connects to

the CLI using a SSH client) and as SSH client (when file or data transfers

are initiated from the VPN Gateway using the SCP or SFTP protocols).

The generate and show commands in the /cfg/sys/adm/sshkeys

menu concern the former case, while the knownhosts menu concerns

the latter.

The VPN Gateway supports the use of three different SSH host key types:

SSH protocol version 1 always uses RSA keys, while for SSH protocol

version 2, either RSA or DSA keys can be used. The RSA keys for version

1 differ in form from those for version 2, and are referred to as "RSA1".

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

260 SSH host keys

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

261

Appendix

Adding User Preferences Attribute to

Active Directory

For the remote user to be able to store user preferences on the Nortel

VPN Gateway (NVG), you need to add the isdUserPrefs attribute to Active

Directory. This attribute will contain an opaque data structure, containing

various information that the user may have saved during a Portal session.

This description is based on Windows 2000 Server and Windows

Server 2003. Make sure that your account is a member of the Schema

Administrators group.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

262 Adding User Preferences Attribute to Active Directory

Install All Administrative Tools (Windows 2000 Server)

Step

Action

Open the Control Panel and double-click Add/Remove

Programs.

Select Windows 2000 Administrative Tools and click

Change.

Click Next and select Install All Administrative Tools.

Follow the instructions on how to proceed with the

installation.

--End--

Step

Action

Click Start and select Run.

In the Open field, enter regsvr32 schmmgmt.dll.

Note that there is a space between regsvr32 and schmmgmt.dll.

Click OK.

This command will register schmmgmt.dll on your computer.

--End--

Add the Active Directory Schema Snap-in (Windows 2000 Server

and Windows Server 2003)

Step

Action

Click Start and select Run.

On Windows 2000 Server, enter mmc in the Open field.

On Windows Server 2003, enter mmc /a instead.

Note that there is a space between mmc and /a.

Click OK.

The Console window is displayed.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Add the Active Directory Schema Snap-in (Windows 2000 Server and Windows Server 2003) 263

On the File (Console) menu, select Add/Remove Snap-in.

The Add/Remove Snap-in window is displayed.

Click Add.

The Add Standalone Snap-in window is displayed.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

264 Adding User Preferences Attribute to Active Directory

Under Snap-in, select Active Directory Schema and click

Add.

Active Directory Schema is added to the Add/Remove Snap-in

window.

Click Close to close the Add Standalone Snap-in window.

The Add/Remove Snap-in window is redisplayed.

Click OK.

The Console window is redisplayed.

To save the console (including the Schema snap-in), go to

the File (Console) menu and select Save.

The Save As windows is displayed.

Save the console in the Windows\System 32 root folder.

As file name, enter schmmgmt.msc.

Click Save.

--End--

Create a Shortcut to the Console Window

Step

Action

Right-click Start, and select Open all Users.

Double-click the Programs and Administrative Tools folders.

On the File menu, point to New, and then select Shortcut.

The Create Shortcut Wizard is displayed.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Create a New Attribute (Windows 2000 Server and Windows Server 2003) 265

In the Type the location of the item field, type

schmmgmt.msc.

Click Next.

The Select a Title for the Program page is displayed.

In the Type a name for this shortcut field, type Active

Directory Schema.

Click Finish.

--End--

Permit Write Operations to the Schema (Windows 2000 Server)

To allow a domain controller to write to the schema, you must set a

registry entry that permits schema updates.

Step

Action

In the Console window, on the left pane, right-click Active

Directory Schema.

Select Operations Master.

Select the check box The Schema may be modified on this

Domain Controller.

Click OK.

--End--

Create a New Attribute (Windows 2000 Server and Windows Server

2003)

To create the isdUserPrefs attribute, proceed as follows:

Step

Action

In the Console window, on the left pane, expand Active

Directory Schema by clicking the plus (+) sign.

The Attributes and Classes folders are displayed.

Right-click Attributes, point to New and select Attribute.

You will now receive a warning that creating schema objects is a

permanent operation and cannot be undone.

Click Continue.

The Create New Attribute window is displayed.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

266 Adding User Preferences Attribute to Active Directory

Create the isdUserPrefs attribute as shown:

Click OK.

--End--

Create New Class

To create the nortelSSLOffload class, proceed as follows:

Step

Action

In the Console window, right-click Classes, point to New and

select Class.

You will now receive a warning that creating schema classes is a

permanent operation and cannot be undone.

Click Continue.

The Create New Schema Class window is displayed.

Create the nortelSSLOffload class as shown:

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Create New Class 267

Click Next.

Click Finish.

--End--

Add isdUserPrefs Attribute to nortelSSLOffload Class

Step

Action

In the Console window, on the left pane, expand Classes.

Select the nortelSSLOffload class.

Right-click and select Properties.

The Properties window is displayed.

Select the Attributes tab and click Add.

Add the isdUserPrefs attribute as optional.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

268 Adding User Preferences Attribute to Active Directory

On the Default Security (Security) tab, set read/write

permissions for the group that should have permission to

write user preferences to the attribute.

Click OK.

--End--

Add the nortelSSLOffload Class to the User Class

Step

Action

In the Console window, on the left pane, expand Classes

and select user.

Right-click and select Properties.

The Properties window is displayed.

Select the Relationship tab.

Next to Auxiliary Classes, click Add Class (Add).

Add the nortelSSLOffload class as an auxiliary class as

shown:

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Create New Class 269

Click OK.

Once you have enabled the User Preferences feature on the

VPN Gateway (using the CLI command /cfg/vpn #/aaa/auth

#/ldap/enauserpre or the BBI setting User Preferences

under VPN Gateway>VPN# >Authentication->Auth

Servers#(Ldap) the remote user should now be able to store

user preferences in Active Directory.

--End--

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

270 Adding User Preferences Attribute to Active Directory

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

271

Appendix

Using the Port Forwarder API

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

272 Using the Port Forwarder API

General

This appendix describes some of the tasks needed when using the Port

Forwarder API. The JavaDoc will give you a more detailed view of the API.

The Port Forwarder API is used to provide tunnels through the Nortel VPN

Gateway (NVG) without having to start any applets from the Portal. It can

be used by any type of Java application or applet.

The tunnel specifications are set by defining a port forwarder in the

CLI/BBI. It is then referred to when setting up the Port Forwarder API.

Note: Defined applications are only started automatically if the port

forwarder API is used by an applet.

The API and Demo application are available from the Portal.

Example: https://vpn.example.com/nortel_cacheable/portfo

rwarder.zip

The zip file contains both a signed and an unsigned version of the API

along with javadoc documentation and a demo application with source

code.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Create New Class 273

Creating a Port Forwarder

The Port Forwarder API is a collection of functions used to provide

applications with the ability to send traffic through a previously defined

port forwarder link. For instructions on how to configure a port forwarder

link on the NVG Portal, see the chapter "Group Links" in the Application

Guide for VPN.

To be able to use the Port Forwarder API, two URLs are needed:

•

URL for the Portal login (called loginUrl in the following examples)

Example: http://vpn.example.com/login_post.yaws?user=

test&password=test&authmethod=default&url=

The parameters are the same as if accessing the Portal through a web

browser.

•

URL for the actual port forwarder (called portForwarderUrl in the

following examples)

Example: http://vpn.example.com/link.yaws?t=custom&a=

1&b=1&c=1

The parameters a, b and c in the second link point out the link

according to:

a: VPN number

b: Linkset number

c: Link number

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

274 Using the Port Forwarder API

Demo Application

The Demo application is, in a simple way, showing how the Port Forwarder

API is used. It can be run both as a regular application and by using the

Java Web Start technology. It takes a couple of parameters needed to

point out the Portal and link to use.

-vpnurl

The URL to the portal, e.g. https://vpn.example.com.

-linktype

The type of the link to use, for example "custom". The link

type should be the same as defined in the CLI/BBI.

-vpn

The number of the VPN in the Portal, for example 1.

The number of the linkset in the VPN, for example 1.

The number of the link in the linkset, for example 1.

-linkset

-link

When run as a regular application, the arguments are simply passed on

the command line:

java com.nortel.nvg.demo.PortForwarderDemo -vpnurl

https://vpn.example.com -linktype custom -vpn 1 -linkset 1

-link 1

For Java Web Start, parameters are passed through the jnlp file. A templat

e jnlp file is provided along with a corresponding html file. For information

about Java Web Start, refer to http://java.sun.com/products/javawebstart.

A correct jnlp file corresponding to the preceding example look like this:

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Create New Class 275

The Custom Content concept (/cfg/vpn #/portal/content) can be

used to host Java Web Start applications on the Portal. Building the demo

project results in a content.zip file suitable for content area upload. A

precomiled one is also provided. For the material in the content area to

be cacheable by the client web browser, it has to be put in a top directory

called "/nortel_cacheable".

The demo project zip file has such a directory at it’s top level. When

uploaded to the content area, the demo is accessible through:

https://vpn.example.com/nortel_cacheable/PortForwarderDemo.html

The provided build.xml file contains an example of how to create a

content.zip file.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

276 Using the Port Forwarder API

Creating a Port Forwarder Authenticator

A Port Forwarder authenticator must implement the PortForwarderAuthenti

cator interface:

public PortForwarderCredentials getCredentials();

public java.net.PasswordAuthentication getProxyCredenti

als();

Example

Following is an example of the code for creating a Port Forwarder

authenticator.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Example 277

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

278 Using the Port Forwarder API

private String getCookieFromURL(String spec) {

try {

URL url = new URL(spec);

URLConnection connection = null;

((HttpURLConnection) connection).setFollowRedirects(false);

connection = url.openConnection();

connection.getInputStream();

/* check if we are authorized */

if (connection != null) {

String headerField =

getHeaderField(connection, SET_COOKIE_HEADER);

return headerField.substring (headerField.indexOf(’=’)

+ 1,

headerField.indexOf(’;’));

} else {

return null;

}

} catch (MalformedURLException e) {

e.printStackTrace();

} catch (IOException e) {

e.printStackTrace();

}

return null;

}

PortForwarderAuthenticator pfa =

new PortForwarderAuthenticator() {

public PortForwarderCredentials getCredentials() {

cookie = getCookieFromURL(loginUrl);

if (cookie == null) {

return null;

}

cred.setNortelToken(cookie);

return cred;

}

public PasswordAuthentication getProxyCredentials() {

LoginDialog loginDialog = new LoginDialog();

return new PasswordAuthentication(loginDialog.getUserId()

loginDialog.getPassword(

.toCharArray(

)

));

}

};

portForwarder.setAuthenticator(pfa);

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Example 279

Adding a Port Forwarder Logger

A Port Forwarder logger must implement the PortForwarderLogger

interface:

public void log(int logLevel, int logCode, Object[] params, Throwable

throwable);

public void log(int logLevel, String msg, Throwable throwable);

The first function is used when the Port Forwarder logs a message

in the Messages.properties file, i.e. messages of type PortForwar

derConstants.LOG_LEVEL_INFO and PortForwarderConstants.L

OG_LEVEL_ERROR and the second one is used for messages

of type PortForwarderConstants.LOG_LEVEL_DEBUG and

PortForwarderConstants.LOG_LEVEL_DEBUG_VERBOSE.

The PortForwarderLogger is added to the Port Forwarder by calling the

setLogger function.

Example

Following is an example of the code for adding a Port Forwarder logger.

public class PortForwarderLoggerImpl implements PortForwarderLogger {

private final ResourceBundle messages;

private PortForwarderGui portForwarderGui;

/**

* Creates a new instance of PortForwarderLoggerImpl

public PortForwarderLoggerImpl() {

messages = ResourceBundle.getBundle("Messages");

}

/**

* Tells the logger in which gui to log messages.

* @param portForwarderGui The gui to use

public void setGui(PortForwarderGui portForwarderGui) {

this.portForwarderGui = portForwarderGui;

}

private String createTimeStamp() {

SimpleDateFormat dateFormat = new SimpleDateFormat("hh:mm:ss.SSS

");

String timeStamp = dateFormat.format(new Date());

return timeStamp;

}

private String createMessage(String msg) {

return createTimeStamp() + " : " + msg;

}

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

280 Using the Port Forwarder API

public void log(final int logLevel, final int logCode,

final Object[] params, final Throwable throwable) {

if ((logLevel == PortForwarderConstants.LOG_LEVEL_ERROR) ||

(logLevel == PortForwarderConstants.LOG_LEVEL_INFO)) {

String msg =

MessageFormat.format(messages.getString("" + logCode),

params);

String messageString = createMessage(msg);

if (portForwarderGui == null) {

System.err.println("WARNING: Could not write to info area!

");

System.err.println(messageString);

if (throwable != null) {

System.out.println(throwable.getMessage());

throwable.printStackTrace();

}

} else {

portForwarderGui.appendInfo(messageString +

System.getProperty("line.separ

ator"));

if (throwable != null) {

portForwarderGui.appendInfo(throwable.getMessage() +

System.getProperty("line.se

parator"));

throwable.printStackTrace();

}

public void log(final int logLevel, final String msg,

final Throwable throwable) {

if (logLevel != PortForwarderConstants.LOG_LEVEL_DEBUG_VERBOSE) {

String messageString = createMessage(msg);

if (portForwarderGui == null) {

System.err.println("WARNING: Could not write to info area!

");

System.err.println(messageString);

if (throwable != null) {

System.out.println(throwable.getMessage());

throwable.printStackTrace();

}

} else {

portForwarderGui.appendInfo(messageString +

System.getProperty("line.separator"));

if (throwable != null) {

portForwarderGui.appendInfo(throwable.getMessage() +

System.getProperty("line.separ

ator"));

throwable.printStackTrace();

}

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Example 281

}

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

282 Using the Port Forwarder API

Connecting Through a Proxy

If the port forwarder is connecting through a proxy a number of properties

need to be set for the port forwarder to know where and how to connect

to the proxy.

The parameters are:

com.nortel.nvg.portforwarder.http.proxyHost

com.nortel.nvg.portforwarder.http.proxyPort

The proxy host for HTTP &

HTTPS accesses.

The proxy port for HTTP &

HTTPS accesses.

com.nortel.nvg.portforwarder.http.proxyUserN

ame

The proxy username for HTTP

& HTTPS accesses.

com.nortel.nvg.portforwarder.http.proxyPassw

ord

The proxy password for HTTP

& HTTPS accesses.

If the username and/or password is not set, the Port Forwarder API will

call the PortForwarderAuthenticator.getProxyCredentials()

function to obtain them.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Statistics 283

Monitoring the Port Forwarder

The Port Forwarder uses the Observer/Observable framework, meaning

that anyone wanting to have information from/about the Port Forwarder

can add a Listener to it. Currently, you can monitor Port Forwarder status

and statistics.

Note: When using these features, it is important that the

Observer.update() function does not block.

Status

Monitoring the Port Forwarder status gives you the ability to always

know the state of the Port Forwarder, for example if it is ready to receive

connections. Following is an example of the code for monitoring the status

of the Port Forwarder.

Statistics

The Port Forwarder keeps track of all bytes passing through, allowing you

to display or use the information in any way. An added statistics listener

will receive a PortForwarderStatistics object either when a change has

occurred or at a defined interval.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

284 Using the Port Forwarder API

Following is an example of the code for monitoring Port Forwarder

statistics.

This will print current statistics every 3 seconds.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

285

Glossary

Access Rules

Applies to the SSL VPN feature. When a user tries to log in

to the VPN server, either through the Portal page or through a

VPN client, his or her group membership determines the access

rights to different servers and applications on the intranet. This is

done by associating one or more access rules (each containing

parameters such as allowed network, ports and paths) with a

group.

ARP

Address Resolution Protocol. A network layer protocol used

to convert an IP address into a physical address, such as an

Ethernet address. A host wishing to obtain a physical address

broadcasts an ARP request onto the TCP/IP network. The host

on the network that has the IP address in the request then replies

with its physical hardware address.

Base Profile

Refers to links and access rules specified for a user group directly

under the Group level. If extended profiles are used, the base

profile’s links and access rules will be appended to the extended

profile’s links and access rules.

CA (Certificate Authority)

A trusted third-party organization or company that issues digital

certificates. The role of the CA in this process is to guarantee that

the entity granted the unique certificate is, in fact, who he or she

claims to be.

CLI (Command Line Interface)

The text-based interface pertaining to the NVG software,

presented to the user after having logged in. The CLI can be

accessed through a console connection or remote connection

(Telnet or SSH). The CLI is used for collecting information and

configuring the NVG.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

286 Glossary

Cluster (of VPN Gateways)

A cluster is a group of VPN Gateways that share the same

configuration parameters. There can be more than one NVG

cluster in the network, each with its own set of parameters and

services to be used with different real servers. Every cluster has a

Management IP address (MIP), which is an IP alias to one of the

master VPN Gateways in the cluster.

Console Connection

A connection to the VPN Gateway established through the

console port.

CRL (Certificate Revocation List)

A list containing the serial numbers of revoked client certificates.

Each CA issues and maintains their own CRLs. If you generate

client certificates on the VPN Gateway, you can also create your

own CRL.

CSR (Certificate Signing Request)

A request for a digital certificate, sent to a CA. On the VPN

Gateway, you can generate a CSR from the command line

interface by using the request command.

DCE (Data Communicatons Equipment)

A device that communicates with a Data Terminal Equipment

(DTE) in RS-232C communications.

DER (Distinguished Encoding Rules)

A process for unambiguously converting an object specified in

ASN.1 (such as an X.509 certificate, for example) into binary

values for storage or transmission on a network.

Digital Certificate

The digital equivalent of an ID card used in conjunction with

a public key encryption system. Digital certificates are issued

by trusted third parties known as certificate authorities (CAs),

after verifying that a public key belongs to a certain owner. The

certification process varies depending on the CA and the level of

certification.

Digital Signature

A digital guarantee that a document has not been altered, as if it

were carried in an electronically-sealed envelope. The "signature"

is an encrypted digest of the text that is sent with the text

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

287

message. The recipient decrypts the signature digest and also

recomputes the digest from the received text. If the digests match,

the message is proved intact and tamper free from the sender.

A digital signature ensures that the document originated with

the person signing it and that it was not tampered with after the

signature was applied. However, the sender could still be an

impersonator and not the person he or she claims to be. To verify

that the message was indeed sent by the person claiming to send

it requires a digital certificate (digital ID) which is issued by a

certification authority.

DIP (Destination IP) Address

The destination IP address of a frame.

DPort (Destination Port)

The destination port number, linking the incoming data to the

correct service. For example, port 80 for HTTP, port 443 for

HTTPS, port 995 for POP3S.

DTE (Data Terminal Equipment)

A device that controls data flowing to or from a computer. The

term is most often used in reference to serial communications

defined by the RS-232C standard. This standard defines the

two ends of the communication channel as being a DTE and

DCE device. However, using a null-modem cable, a DTE to DTE

communication channel can also be established between, for

example, two computers.

Extended Profile

Extended profiles can be defined for a user group if other links

and access rules should apply when the user authenticates by

means of a specific authentication method or when connecting

from a specific IP address or network.

GSLB (Global Server Load Balancing)

A Nortel Application Switch feature that allows you to balance

server traffic load across multiple physical sites. The Nortel GSLB

implementation takes into account an individual site’s health,

response time, and geographical location to smoothly integrate

the resources of the dispersed server sites for complete global

performance.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

288 Glossary

HTTP Proxy

Applies to the SSL VPN feature. Java applet accessible on the

Portal page’s Advanced tab, enabling links executed on complex

intranet Web pages (containing plugins like Flash, Shockwave and

Java applets) to be sent through a secure connection to the SSL

server for redirection.

IP Interface

IP interfaces are defined on the Nortel Application Switch and

are used for defining the subnets to which the switch belongs.

Up to 256 IP interfaces can be configured on a Nortel Application

Switch. The IP address assigned to each IP interface provides the

switch with an IP presence on your network. No two IP interfaces

can be on the same IP subnet. The IP interfaces can be used for

connecting to the switch for remote configuration, and for routing

between subnets and VLANs (if used).

Master

A VPN Gateway in a cluster that is in control of the MIP address,

or can take over the control of the MIP address should another

master fail. Configuration changes in the cluster are propagated to

other members through the master VPN Gateways.

MIB (Management Information Base)

An SNMP structure that describes which groups and objects can

be monitored on a particular device.

MIP (Management IP) Address

An IP address that is an IP alias to a master VPN Gateway in a

cluster of VPN Gateways. The MIP address identifies the cluster

and is used when making configuration changes through a Telnet

or SSH connection or through the Browser-Based Management

Interface (BBI).

Net Direct Client

The Net Direct client is an SSL VPN client that can be

downloaded from the Portal for each user session. As opposed to

the LSP and TDI versions of the SSL VPN client, the Net Direct

client does not have a user interface. Another difference is that

the Net Direct client is packet-based, while the SSL VPN clients

uses system calls. The packet-based solution supports more

applications (e.g. Microsoft Outlook).

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

289

Nslookup

A utility used to find the IP address or host name of a machine on

a network. To use the nslookup command on the VPN Gateway,

it must have been configured to use a DNS server.

NTP (Network Time Protocol)

A protocol used to synchronize the real-time clock in a computer.

There are numerous primary and secondary servers on the

Internet that are synchronized to the Coordinated Universal Time

(UTC) through radio, satellite or modem.

NVG

Nortel VPN Gateway.

Passphrase

Passphrases differ from passwords only in length. Passwords are

usually short, from six to ten characters. Short passwords may be

adequate for logging onto computer systems that are programmed

to detect a large number of incorrect guesses, but they are not

safe for use with encryption systems. Passphrases are usually

much longer—up to 100 characters or more. Their greater length

makes passphrases more secure.

PEM (Privacy Enhanced Mail)

A standard for secure e-mail on the Internet. It supports

encryption, digital signatures and digital certificates as well as

both private and public key methods. Keys and certificates are

often stored in the PEM format.

Ping (Packet INternet Groper)

A utility used to determine whether a particular IP address is

online.

PKCS12

A standard for storing private keys and certificates.

PKI (public key infrastructure)

Short for public key infrastructure, a system of digital certificates,

Certificate Authorities, and other registration authorities that verify

and authenticate the validity of each party involved in an Internet

transaction. PKIs are currently evolving and there is no single

PKI nor even a single agreed-upon standard for setting up a PKI.

However, nearly everyone agrees that reliable PKIs are necessary

before electronic commerce can become widespread.

A PKI is also called a trust hierarchy.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

290 Glossary

Portal

Applies to the SSL VPN feature. The Portal page is displayed

following a successful login to a virtual SSL VPN server

configured as a portal server. The Portal contains five different

tabs from where the user can access various intranet resources

such as web, mail and file servers.

Portal Guard

The Portal Guard feature is an easy way of "converting" an

existing HTTP site to generate HTTPS links, secure cookies etc.

The VPN Gateway will not only handle the SSL processing but

also see to it that all existing web links are rewritten to HTTPS.

This eliminates the need to rewrite each link manually.

Port Forwarder

Applies to the SSL VPN feature. Java applet accessible on

the Portal page’s Advanced tab, enabling transparent access

to applications through a secure connection. By specifying an

arbitrary port number on the client along with the desired intranet

host and port number, the user can access an intranet application

by connecting to localhost on the specified port number.

Real Server Group

A group of real servers that are associated with a virtual server IP

address (VIP) or filter on a Nortel Application Switch.

RIP (Real Server IP) Address

A real server IP address that the Nortel Application Switch

load balances to when requests are made to a virtual server IP

address (VIP).

RPort (Real Server Port)

The real server port, which a virtual SSL server on the VPN

Gateway uses when sending and receiving information to and

from the real servers.

Setup Utility

When starting a VPN Gateway the very first time, you enter the

Setup utility automatically. The Setup utility is used for performing

a basic configuration of the VPN Gateway. The Setup utility first

presents you with the choice of setting up the NVG as a single

device, or to add the VPN Gateway to an existing cluster.

If you perform a reinstallation of the NVG software, you will also

enter the Setup Utility after the VPN Gateway has rebooted.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

291

SIP (Source IP) Address

The source IP address of a frame.

Slave

A VPN Gateway that depends on a master device in the same

cluster for proper configuration.

SNMP (Simple Network Management Protocol)

A network monitoring and control protocol. Data is passed from

SNMP agents, which are hardware and/or software processes

reporting activity in each network device (a VPN Gateway, for

example), to the workstation console (or SNMP manager) used to

oversee the network. The SNMP agents return information in a

MIB (Management Information Base), which is a data structure

that defines what information is obtainable from the device.

SOCKS

A generic, proxy protocol for TCP/IP-based networking

applications. The SOCKS protocol provides a flexible framework

for developing secure communications by easily integrating other

security technologies, e.g. SSL.

SOCKS includes two components, the SOCKS server and

the SOCKS client. The SOCKS server is implemented at the

application layer, while the SOCKS client is implemented between

the application and transport layers. The basic purpose of the

protocol is to enable hosts on one side of a SOCKS server to gain

access to hosts on the other side of a SOCKS server, without

requiring direct IP reachability.

SPort (Source Port)

The source destination port, linking the incoming data to the

correct service. For example, port 80 for HTTP, port 443 for

HTTPS, port 995 for POP3S.

SSH (Secure Shell)

A program to log into another computer over a network, to

execute commands in a remote machine, and to move files from

one machine to another. It provides strong authentication and

secure communications over insecure channels.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

292 Glossary

SSL (Secure Sockets Layer) Protocol

The SSL protocol is the leading security protocol on the Internet.

It runs above the TCP/IP protocol and below higher-level protocols

such as HTTP or IMAP. SSL uses TCP/IP on behalf of the

higher-level protocols and, in the process, allows an SSL-enabled

server to authenticate itself to an SSL-enabled client.

SSL VPN client

Windows application with SOCKS support. When installed on a

user’s computer, transparent access (not through the Portal page)

to intranet applications is enabled.

STP (Spanning Tree Protocol)

An algorithm used in transparent bridges that dynamically

determines the best path from source to destination. It avoids

bridge loops (two or more paths linking one segment to another),

which can cause the bridges to misinterpret results. The algorithm

creates a hierarchical "tree" that "spans" the entire network

including all switches. It determines all redundant paths and

makes only one of them active at any given time.

TLS (Transport Layer Security)

The TLS protocol provides communications privacy over the

Internet. The protocol allows client/server applications to

communicate in a way that is designed to prevent eavesdropping,

tampering, or message forgery.

Traceroute

Trap

A utility used to identify the route used for station-to-station

connectivity across the network.

If a trap is defined in the MIB, a trap message is sent from the

SNMP agent to the SNMP manager when the trap is triggered.

A trap can for example define a hardware failure in a monitored

device.

Tunnel Guard

Tunnel Guard is an application that maintains checks that the

required components (executables, DLLs, configuration files, etc.)

are installed and active on the remote user’s machine.

URI (Uniform Resource Identifier)

The addressing technology from which URLs are created.

Technically, URLs such as HTTP:// and FTP:// are specific

subsets of URIs, although the term URL is mostly heard.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

293

VIP (Virtual Server IP) Address

An IP address that the switch owns and uses to load balance

particular service requests (like HTTP) to other servers.

Virtual Router

A shared address between two devices utilizing VRRP, as defined

in RFC 2338. One virtual router is associated with an IP interface

defined on the Nortel Application Switch. All IP interfaces on a

Nortel Application Switch must be in a VLAN. If there is more

than one VLAN defined on the Application Switch, then the

VRRP broadcast will only be sent out on the VLAN to which the

associated IP interface has been added.

Virtual SSL Server

A virtual SSL server handles a specific service on the VPN

Gateway, such as HTTPS, SMTPS, IMAPS, or POP3S. You

can create an unlimited number of virtual SSL servers per NVG

cluster, and each virtual SSL server is mapped to a virtual server

on the Nortel Application Switch. To authenticate itself towards

clients making requests for the specified service, the virtual SSL

server is configured to use a digital certificate.

VLAN (Virtual Local Area Network)

VLANs are commonly used to split up groups of network

users into manageable broadcast domains, to create logical

segmentation of workgroups, and to enforce security policies

among logical segments. Up to 246 VLANs are supported on a

Nortel Application Switch running Web OS.

VRRP (Virtual Router Redundancy Protocol)

A protocol similar to Cisco’s proprietary HSRP address-sharing

protocol. The reason for both of these protocols is to ensure

devices have a next hop or default gateway that is always

available. For example, two or more devices sharing an IP

interface are either advertising or listening for advertisements.

These advertisements are sent through a broadcast message to

address 224.0.0.18.

With VRRP, one switch is considered the master and the

other is the backup. The master is always advertising through

the broadcasts. The backup switch is always listening for the

broadcasts. Should the master stop advertising, the backup will

take over ownership of the VRRP IP and MAC addresses as

defined by the specification. The switch announces this change

in ownership to the devices around it by way of a gratuitous ARP

and advertisements. If the backup switch didn’t do the gratuitous

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

294 Glossary

ARP, the Layer 2 device attached to the switch will not know that

the MAC address had moved in the network. For a more detailed

description, refer to RFC 2338.

X.509

A widely-used specification for digital certificates that has been a

recommendation of the ITU since 1988.

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

295

Index

add using TFTP 103

client 110

access levels

The Administrator user 140

The Boot user 140

The Operator user 140

The Root user 140

managing 93

revoke client certiﬁcates 116

view installed certiﬁcates 172

ciphers

activate

list formats 179

meaning of string aliases 181

string aliases 181

strings 179

software upgrade package 75

software version 75

Active Director y , a dd attribute for user

preferences 261

supported 177

add

supported strings 181

client authentication

generate client certiﬁcates 110

managing 93

revoke client certiﬁcates 116

client certiﬁcate authentication 108

client certiﬁcates

certiﬁcate using TFTP 103

private key using TFTP 103

Administrator user, access level 140

Apache software license 223

ASCII terminal 136

attribute for user preferences 261

generate 110

revoke 116

cluster

baud rate, console connection 136

bookmarks, add attribute 261

Boot user

add ASA 310-FIPS device to existing

cluster 63

add VPN Gateway to existing cluster 52

general information 36

install ﬁrst ASA 310-FIPS in new

cluster 58

access level 140

software reinstall 70

install ﬁrst device in new cluster 42

interfaces within a cluster 39

unable to join 148

certiﬁcate formats 99

certiﬁcate revocation list (CRL)

revoke certiﬁcates issued by CA 116

revoke certiﬁcates issued by own

organization 117

commands

conventions used in this manual 13

certiﬁcate signing request (CSR)

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

296

through console 136

through Secure Shell 138

communication settings 136

connecting 136

CRL, see certiﬁcate revocation list 116

CSR, see certiﬁcate signing request 94

idle timeout, command line interface 144

database, replicated 36

documentation

other VPN Gateway manuals

HSM-USER 30

required iKey for speciﬁc operation 31

install options

adding ASA 310-FIPS device to

existing cluster 63

adding VPN Gateway to existing

extended security mode

on the ASA 310-FIPS 29

ﬁrst ASA 310-FIPS in new cluster 58

ﬁrst device in new cluster 42

interfaces

separate interfaces in cluster 39

IP address types 37

factory default conﬁguration

after reinstalling software 70

initial setup 142

key code deﬁnition ﬁle 254

on the ASA 310-FIPS 29

speciﬁcation 29

known hosts 257

known hosts (SSH) 257

the ASA 310-FIPS 27

ﬁrst-time conﬁguration 142

license information

Apache software license 223

GNU general public license 223

OpenSSL 223

SSLeay license 223

generate

client certiﬁcates 110

GNU general public license 223

major release upgrade 74

hardware security module

ASA 310-FIPS 27

iKey authentication 30

host IP 37

certiﬁcates 93

client authentication 93

manual style conventions 13

master

host keys (SSH) 257

HSM

iKey authentication 30

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

297

conﬁguration 36, 56

minor release upgrade 74

MI P , s ee Management IP 37

supported MIBs 184

supported traps 189

software

activate downloaded upgrade

package 76

features in this version 19

minor or major release upgrade 74

version handling when upgrading 75

ssh host keys 257

SSH host keys 257

ssh known hosts 257

SSH, see Secure Shell 138, 146

SSL

OpenSSL license issues 223

Operator user, access level 140

view conﬁgured servers 172

SSLeay license 223

starting device, ﬁrst time 41

supported

passwords

regain access after losing 152

portal bookmarks, add attribute 261

portal IP 37

ports 38

private key

certiﬁcate formats 99

ciphers 177

key formats 99

syslog messages, list of 192

error log ﬁles on Syslog server 174

events log ﬁle 174

real server IP 37

reboot

ASA indicated as down 151

reinstalling software 70

restrict

network diagnostics 172

SSH access 138

T e lnet access 137

revoke

certiﬁcates issued by external CA 116

certiﬁcates issued by own

organization 117

manage client revocation 116

Root user, access level 140

T e lnet

enable access 137

establish connection 137

restrict access 137

unable to connect using 146

terminal emulation 136

text convelintions, in this manual 13

timeout value, command line interface 144

troubleshooting

a user fails to authenticate to the

Portal 163

ASA 310-FIPS cluster needs to be

reconstructed 158

ASA stops responding 151

Cannot contact MIP 149

lost passwords 152

network diagnostics 172

unable to add to cluster 148

unable to connect through SSH 146

unable to connect using 146

security modes on the ASA 310-FIPS 29

slave

conﬁguration 36, 57

SNMP

agent 183

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

298

unable to connect through T e lnet 146

view certiﬁcates and SSL servers 172

typographic conventions, in this manual 13

upgrade

activate software package 76

handling software versions 75

minor or major release upgrade 74

user

access levels 140

Boot user for reinstall 70

Nortel VPN Gateway

User Guide

NN46120-104 02.01 Standard

14 April 2008

Download from Www.Somanuals.com. All Manuals Search And Download.

Nortel VPN Gateway

User Guide

Release: 7.1

Publication: NN46120-104

Document status: Standard

Document revision: 02.01

Document release date: 14 April 2008

To provide feedback or to report a problem in this document, go to www.nortel.com/documentfeedback.

www.nortel.com

The information in this document is subject to change without notice. The statements, configurations, technical data, and

recommendations in this document are believed to be accurate and reliable, but are presented without express or implied

warranty. Users must take full responsibility for their applications of any products specified in this document. The information in

this document is proprietary to Nortel Networks.

*Nortel, Nortel Networks, the Nortel logo and the Globemark are trademarks of Nortel Networks.

Export

This product, software and related technology is subject to U.S. export control and may be subject to export or import regulations

in other countries. Purchaser must strictly comply with all such laws and regulations. A license to export or reexport may be

required by the U.S. Department of Commerce.

Licensing

This product includes software developed by the OpenSSL Project for use in the OpenSSL Toolkit (https://www.openssl.org/).

This product includes cryptographic software written by Eric Young ([email protected]).

This product includes software written by Tim Hudson ([email protected]).

This product includes software developed by the Apache Software Foundation http://www.apache.org/

licensed under the GPL.

Download from Www.Somanuals.com. All Manuals Search And Download.

Miele Ventilation Hood DA270 User Manual
MSi Laptop CX640 User Manual
Niles Audio Radio GXR2 User Manual
Nortel Networks Switch NN47200 503 User Manual
Nuvo Stereo System NV MP User Manual
Olevia Car Satellite TV System 237T User Manual
Panasonic Boiler 8900 SH User Manual
Panasonic DVD Recorder DMR ES40V User Manual
Panasonic Laptop CF 29 User Manual
Panasonic Telephone BB GT1500C User Manual