Novell Home

AppNote: Interoperation Guide - VPN Tracker and NBM 3.8.4 Server

Novell Cool Solutions: AppNote
By Aruna Kumari

Digg This - Slashdot This

Posted: 15 Sep 2005
 

Introduction

This AppNote is intended for VPN client users. It explains the usage of the MAC OS VPN Tracker client with the NBM 3.8.4 server, in the following authentication modes:

  • PSK mode
  • Extended authentication (XAUTH) PSK mode
  • Certificate mode

For more information, visit:
http://www.novell.com/products/bordermanager/
http://www.equinux.com/download/Manual_VPN_Tracker.pdf

Prerequisites

Prior to configuration, ensure that the following are installed:

  • NBM 3.8 VPN server with the latest support pack (SP4), installed on Netware Server (NetWare 6.5 SP4)
  • VPN Tracker version 3.6.0 or later on Mac OS X 10.2 or later version

Note: NBM 3.8.4 can be installed on any supported OS platform, such as NetWare 6.5, NetWare 5.1 SP6, Netware 6 SP3, etc.

Conventions

  • VPN - Virtual Private Network
  • PSK - Pre-Shared key
  • C2S -Client to Site: A secure VPN connection between client and VPN server
  • IKE - Internet Key Exchange protocol
  • IPsec - Internet Protocol Security
  • XAUTH - Extended authentication
  • NBM 3.8.4 - Novell Border Manager, Version 3.8 Support Pack version 4

Initial Configuration

The following is a simple setup diagram of a configuration that has been deployed and tested for a VPN C2S connection.

Figure 1: Setup Diagram

Ensure that the following configuration is done, for the NBM Server and the VPN Tracker.

NBM 3.8.4 Server Configuration

In Figure 1, the NBM 3.8.4 server connects the internal LAN 123.0.0.0/8 to Internet. The NBM3.8.4 server's WAN (Internet) interface has the address 160.99.16.105/16.

Here are the configuration details:

  • Server Name: BM6-5
  • WAN Interface IP Address: 160.99.16.105 / 255.255.0.0
  • LAN Interface IP Address: 123.1.1.105 / 255.0.0.0
  • Default Gateway: 160.99.16.1

VPN Tracker Configuration

The VPN Tracker on the MAC OS interoperates with NBM3.8.4 and is deployed in the public network.

Here are the configuration details:

WAN Interface IP Address: 160.99.16.175/ 255.255.0.0
Default Gateway: 160.99.16.1

Configuration

A VPN is needed to build a secure communication channel (IPsec Tunnel) between the VPN client and VPN server, in order to access the protected services behind the VPN server. Depending on the type of authentication configured on NBM server, the VPN Tracker can be configured in any of the following modes:

  • Pre-Shared Key (PSK) mode
  • XAUTH Pre-Shared Key (Xauth-PSK) mode
  • X.509 Certificates mode

NBM VPN Server Configuration

To configure the VPN service on NBM 3.8.4 using iManager,

1. Configure the VPN Server with the Address as 160.99.16.105 / 255.255.0.0.

2. Configure the Tunnel Address as 10.10.10.10 / 255.0.0.0.

3. Specify the Key lifetime in minutes (the default value is 480).

4. To enable PFS, check the Perfect Forward Secrecy check box.

5. Save the configuration.

Figure 2: NBM Server - Configuring the VPN service

6. Configure the traffic rule in C2S service to encrypt all the traffic, as shown in Figure 3.

Figure 3: NBM Server - Configuring the C2S traffic rule

7. Configure the authentication type in the NBM 3.8.4 Server.

Based on the authentication mode, one of the following configurations will need to be done from the VPN tracker client to the NBM server.

PSK Authentication

For PSK mode, enter the following command in system console of VPN server, as shown in Figure 4.

SET IKE PRE-SHARED KEY=1

Figure 4: NBM Server - Configuring PSK authentication mode

When prompted, enter the admin-equivalent username with full context (e.g., admin.novell), the password, and the pre-shared key.

XAUTH-PSK Authentication

For XAUTH PSK mode, enter the following command in the system console of the VPN server:

SET IKE XAUTH PRE-SHARED KEY=1

When prompted, enter the admin-equivalent username with full context (e.g., admin.novell), the password, and the XAUTH pre-shared key.

Certificate Authentication

To establish a C2S connection in certificate mode, configure the authentication rule in C2S service as shown in Figure 5. For more details on client-to-site configuration, see:
http://www.novell.com/documentation/nbm38/inst_admin/data/amh9knj.html#amh9knj

Figure 5: NBM Server-Configuring C2S authentication rule

8. At the server configuration, enable Client to Site service and select the C2S service rule added above.

9. Save the configuration.

Note: For X.509 certificate mode of connection, the user certificate should be available to the VPN Tracker client. The user certificate is created in the NBM VPN server and is stored on the VPN Tracker computer.

For more information on creation of user certificate on NBM server, see:
http://www.novell.com/documentation/nbm38/inst_admin/data/anp5cjt.html#anp5cjt
For more information on exporting of user certificate on NBM server, see:
http://www.novell.com/documentation/nbm38/inst_admin/data/anp5cn7.html

10. Copy the exported certificate into VPN Tracker client machine.

VPN Tracker Configuration

To configure the VPN Tracker,

1. Click the VPN tracker client icon on the desktop. The VPN tracker will be as shown in Figure 6.

2. To add a connection, click New+.

Figure 6: VPN Tracker - New connection

3. To add a new connection, such as "NBM 3.8," configure the following options:

Vendor: Novell
Model: Novell BorderManager 3.8
Connection Options: Select "Initiate connection from this end"

Figure 7: VPN Tracker - Connection settings

4. The default phase-1 and phase-2 proposals of the Novell Border Manager 3.8 model will set all the working parameters. To edit the configuration, click the icon where the arrow is pointed in Figure 7 and edit it by selecting the model.

5. Configure the Network Settings as shown in Figure 8.

Topology: "Host to Network"
Network Port: "Automatic"
VPN Gateway Address: IP address of VPN Gateway (e.g., 160.99.16.105)
Remote Network/Mask: Network address and Netmask of the remote network (e.g., 123.0.0.0/255.0.0.0).

Figure 8: VPN Tracker - Network settings

Note: In order to access multiple remote networks simultaneously, add them by pressing the Plus button.

6. Configure the Authentication Settings.

Depending on the server configuration authentication can be any of the following:

  • Pre-shared key authentication
  • Certificate authentication
  • X-auth pre-shared key authentication

Pre-shared Key Authentication

*Select PSK as the 'Authenticate using' option as shown in Figure 9.

*Enter the Pre-shared key as configured in the NBM VPN server.

Figure 9: VPN Tracker - PSK Authentication settings

Extended Authentication(XAUTH)

*Select 'PSK' and 'Enable Extended Authentication' option as shown in Figure 10.

*Edit the Pre-shared key as configured in the NBM VPN server.

*Enter the full username (such as admin.novell) and password in the client authentication screen, which pops-up while connecting.

Figure 10: VPN Tracker - XAUTH Authentication settings

Certificate Authentication

To establish the certificate mode of authentication from VPN Tracker client to the NBM 3.8.4 VPN server,

*In the authentication tab, select 'Certificates' option and click Edit.

*Select 'Edit Certificates....' to import the user certificate of Border Manager VPN server. When the certificate is browsed, it is stored in the local directory of the VPN Tracker machine. Figure 11 shows the imported certificate.

*Close the window.

Figure 11: VPN Tracker - Imported certificate in view

*Own Certificate: Select the imported user certificate (for example, admin is a user certificate) as shown in Figure 12.

*Remote Certificate: Verify with the CAs.

Figure 12: VPN Tracker - Authentication Settings

7. Configure the identifiers.

*For PSK and XAUTH modes, configure the identifiers as shown in Figure 13:

  • Local Identifier: Local endpoint IP address.
  • Remote Identifier: Remote endpoint IP address.

Figure 13: VPN Tracker - Identifier settings

For Certificate mode, configure the identifiers as follows:

  • Local Identifier: Own Certificate
  • Remote Identifier: Remote Certificate

8. Save the connection.

9. Select the connection type and click Start VPN in the VPN Tracker main window, as shown in Figure 14.

Figure 14: VPN Tracker - Start VPN

10. To view the logs, click the Log button located at right top of the window.

Once the connection is established, the status displays the connection as shown in Figure 15. You can define the amount of information available in the log file in the VPN Tracker preferences.

Figure 15: VPN Tracker - Connection established with NBM server

The IPsec-SA and tunnel-established messages are also displayed in the log messages.

Verifying the Tunnel

After 10-20 seconds, the red status indicator for the connection should change to green. This means the secure connection to the VPN server has been established.

To test the connection, ping a host (e.g., 123.1.1.100) in the protected network of VPN server from the VPN client Terminal. The host should be able to communicate with the encrypted traffic passing through.

Alternate Setups

A VPN C2S connection can be established securely in the following scenarios, using the same configuration and providing the respective VPN server's IP addresses:

  • VPN client behind dynamic NAT (VPN Tracker in a private/protected network)
  • VPN server behind Static NAT (VPN Server in a private/protected network)

If the VPN server is behind Static NAT, the nat'ed IP address through which the VPN tracker can reach the VPN-server is provided. If a NAT setup is used, the NAT-enabled message can be viewed as "NAT-T (new) enabled" as shown in Figure 16.

Figure 16: VPN Tracker - Log messages

Troubleshooting

1. If the status indicator does not change to green, look at the log file on both sides (VPN tracker and NBM server) for more information. For log messages on NBM server, view the IKE screen or CSAUDIT Screen on the server or the IKE .log file at sys:\etc\ike\ike.log on the NBM server.

For more information on VPN connection failure, view the online logs in the VPN tracker client. These logs can be selected and saved into a file.

2. Make sure all IPsec parameters configured on both Server and Client are the same for both Phase-1 and Phase-2 tunnel negotiations.

3. If the IPsec tunnel is established , and protected network machines cannot communicate, then:

  • If any firewall is configured on or between the client and server, ensure that the corresponding traffic rules are added to allow the traffic to pass through it.
  • Check the Remote Network settings in VPN Tracker and make sure that the protected networks is added in VPN tracker at remote network.

Conclusion

The VPN Tracker client on the MAC OS can interoperate with the NBM 3.8.4 VPN server in the PSK mode, XAUTH-PSK mode, and Certificate mode of authentication. The setup shown in Figure 1 is successfully demonstrated in this AppNote for PSK, XAUTH, and certificate modes of connection. This applies to the NBM VPN server from the VPN Tracker client, which can be in the same network or in different networks (such as VPN Tracker behind a dynamic NAT setup).


Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com

© 2014 Novell