
Configuring the NBM 3.8 VPN Client with the NSM 6 Server, using PSK

Novell Cool Solutions: AppNote
By Gaurav Vaidya


Posted: 8 Mar 2006
 

Introduction

This document describes the steps needed to configure Client to Site (Host to Network) VPN service with Novell Security Manager Powered by Astaro (Ver 6) as VPN server, and Novell BorderManager 3.8 VPN client. The document describes the steps for such a configuration using a Pre-Shared Secret.

The document assumes that Novell Security Manager Ver 6 and the NBM3.8 VPN Client are already installed. Further, basic network interface configuration (IP addresses) should already be done on the NSM 6 server.

Accessing the NSM6 Configuration Interface

To access the NSM6 Configuration Interface, connect to the Management IP address configured while installing NSM as <https://nsm-management-IP>. After administrator user credentials are provided, the web interface will be launched as shown in Figure 1.

Figure 1: Webadmin Interface for NSM6

Configuring NSM6 VPN for Pre-Shared Key

Creating a VPN Policy for the BorderManager Client

IPsec policy objects define the parameters to be negotiated during IKE and IPsec negotiation. To create a new IPsec policy on NSM for the NBM3.8 VPN Client:

  1. Go to IPSec VPN in the left menu panel.
  2. Select Policies.
  3. To add a new policy, click New in the top right-hand corner and then configure the values as given in Table 1 (see also Figure 2). Also note that the phase-2 encryption algorithm is 1DES.

| Parameter | Value |
|---|---|
| Name | NBM-Client-PSK-Policy |
| **ISAKMP (IKE) Settings** | |
| IKE Mode | Main Mode |
| Authentication Algorithm | 3DES 168bit |
| Encryption Algorithm | MD5 160bit |
| IKE DH Group | DH Group 2 (MODP1024) |
| SA Lifetime (secs) | 14400 |
| **IPSec Settings** | |
| IPSec Mode | Tunnel |
| IPSec Protocol | ESP |
| Encryption Algorithm | 1DES-CBC 56bit |
| Enforce Algorithm | off |
| Authentication Algorithm | MD5 160bit |
| SA Lifetime (secs) | 3600 |
| PFS | PFS Group 2 (MODP1024) |
| Compression | off |

Table 1: New IPsec Policy for NBM Client

Figure 2: Configuring New IPSec Policy
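
The policy in Table 1 uses 1DES for phase 2, as the step above notes. The following added example (not part of the original AppNote and not Novell or Astaro code) checks the Table 1 values for weak algorithms, small DH groups and lifetime ordering. The INI layout, the section and key names, the severity labels and the rule list are assumptions made for this example.

```python
import configparser
import re

# Table 1 from this page, re-typed as INI. The [ike]/[ipsec] section names
# and key spellings are constructed for this example.
TABLE_1 = """
[ike]
mode = Main Mode
authentication algorithm = 3DES 168bit
encryption algorithm = MD5 160bit
dh group = DH Group 2 (MODP1024)
sa lifetime = 14400
[ipsec]
protocol = ESP
encryption algorithm = 1DES-CBC 56bit
authentication algorithm = MD5 160bit
sa lifetime = 3600
pfs = PFS Group 2 (MODP1024)
"""

# Rules match the value, not the row label, so the audit does not depend
# on how a GUI names each field.
RULES = [
    (r"\b1?DES\b.*\b56", "high", "single DES: 56-bit key"),
    (r"\b3DES\b", "medium", "3DES: legacy 64-bit block cipher"),
    (r"\bMD5\b", "high", "MD5: deprecated hash"),
]

def audit(text):
    """Return (section, parameter, severity, reason) for each weak setting."""
    cfg = configparser.ConfigParser()
    cfg.read_string(text)
    findings = []
    for section in cfg.sections():
        for key, value in cfg[section].items():
            for pattern, severity, reason in RULES:
                if re.search(pattern, value):
                    findings.append((section, key, severity, reason))
            group = re.search(r"MODP(\d+)", value)
            if group and int(group.group(1)) < 2048:
                findings.append((section, key, "medium",
                                 f"MODP{group.group(1)}: group under 2048 bits"))
    # Phase 2 keys should roll over more often than the phase 1 SA.
    if cfg.getint("ipsec", "sa lifetime") >= cfg.getint("ike", "sa lifetime"):
        findings.append(("ipsec", "sa lifetime", "low",
                         "phase 2 lifetime is not shorter than phase 1"))
    return findings

if __name__ == "__main__":
    for finding in audit(TABLE_1):
        print("%-5s %-24s %-6s %s" % finding)
```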

Adding Pre-Shared Remote Key on NSM6

NSM requires the creation of a Remote Pre-Shared Key object for PSK authentication mode. To create a new Remote Key, proceed with the following steps (shown in Figure 3):

1. Go to IPSec VPN in the left menu panel and select Remote Keys.

2. From the New Remote IPSec Key section, select the Key Type as PSK.

3. Enter the Name for the shared secret (e.g. "NBM-PSK") and enter the value of the Pre-Shared Key you intend to use in the Preshared Key field.

4. Click Add to add the key.

Figure 3: Configuring Pre-Shared Key (Remote Key) in NSM

Adding Roadwarrior VPN Connection at NSM

As the final step of configuration on the NSM server, a VPN connection for NBM3.8 VPN clients needs to be defined. To create a new IPSec connection:

1. Go to IPSec VPN in the left menu panel and select Connections.

2. Go to the New IPSec Connection, and select "Road warrior" from the Type dropdown box.

3. Configure the values as given in Table 2.

4. The newly added connection would be disabled by default. To enable the connection click the red square icon at the left of the connection definition.

Now the NSM6 server is ready to accept the VPN Connection from NBM3.8 VPN client in PSK mode.

| Parameter | Value |
|---|---|
| Name | NBM38-Client_Connection |
| Type | Roadwarrior |
| IPSec Policy | NBM-Client-PSK-Policy |
| Auto Packet Filter | On |
| **End Point Definition** | |
| Local Endpoint | External |
| Remote Endpoint | Any (Fixed) |
| **Subnet Definition (optional)** | |
| Local Subnet | Any |
| Remote Subnet | None |
| **Authentication of Remote Subnet(s)** | |
| L2TP Encapsulation | Off |
| Keys | PSK: NBM-PSK |

Table 2: Parameters for new IPSec Roadwarrior Connection on NSM Server

VPN Connection from NBM3.8 Client

1. Launch the NBM3.8 Client.

2. From the Configuration Tab, select the authentication method as Preshared Key (shown in Figure 4).

Figure 4: Select Pre-Shared key on BorderManager3.8 VPN Client

3. Click the VPN Tab and enter NSM Server's external IP Address (configured as Local Endpoint above). Then enter the configured preshared key and click OK to connect (shown in Figure 5).

Figure 5: Enter Pre-shared key and Connect

Verifying the Connection

1. On the NBM3.8 VPN Client, send traffic to any machine in the private network of the NSM server (or to the NSM Server's private interface). This must be successful.

2. On the NSM6 Server, go to IPSec VPN -> Connections.

3. Verify both the IKE phase 1 and phase 2 SA negotiations as shown in Figure 6. Here you can verify connection status for all the clients currently connected to the NSM6 VPN Server.

Figure 6: Verifying Client Connections at NSM

Troubleshooting Logs

Here are some steps to try if you need to troubleshoot logs:

1. Check the NSM server logs from [Local Logs -> Browse] and then select IPSec VPN to browse through current logging activities.

2. At the NBM3.8 Client, check the client log at: C:\Novell\VPNC\WINNT\log\ikelog.txt

Conclusion

This document describes how to successfully connect the BorderManager 3.8 VPN client to the Novell Security Manager 6 VPN service, using PSK mode. However, PSK is not the most secure way to authenticate a VPN connection when compared with the certificate mode of authentication. The steps to configure this VPN scenario using certificates will be explained in a forthcoming document.

