Configuring the NBM 3.8 VPN Client with the NSM 6 Server, using PSK
Novell Cool Solutions: AppNote
By Gaurav Vaidya
Posted: 8 Mar 2006
Introduction
This document describes the steps needed to configure Client to Site (Host to Network) VPN service with Novell Security Manager Powered by Astaro (Ver 6) as VPN server, and Novell BorderManager 3.8 VPN client. The document describes the steps for such a configuration using a Pre-Shared Secret.
The document assumes that Novell Security Manager Ver 6 and the NBM3.8 VPN Client are already installed. Further, basic network interface configuration (IP addresses) should already be done on the NSM 6 server.
Accessing the NSM6 Configuration Interface
To access the NSM6 Configuration Interface, connect to the Management IP address configured while installing NSM as <https://nsm-management-IP>. After administrator user credentials are provided, the web interface will be launched as shown in Figure 1.
Figure 1: Webadmin Interface for NSM6
Configuring NSM6 VPN for Pre-Shared Key
Creating a VPN Policy for the BorderManager Client
IPsec policy objects define the parameters to be negotiated during IKE and IPsec negotiation. To create a new IPsec policy on NSM for the NBM3.8 VPN Client:
- Go to IPSec VPN in the left menu panel.
- Select Policies.
- To add a new policy, click New in the top right-hand corner and then configure the values as given in Table 1 (see also Figure 2). Also note that the phase-2 encryption algorithm is 1DES.
| Parameter | Value |
| Name | NBM-Client-PSK-Policy |
| ISAKMP (IKE) Settings | |
| IKE Mode | Main Mode |
| Authentication Algorithm | 3DES 168bit |
| Encryption Algorithm | MD5 160bit |
| IKE DH Group | DH Group 2 (MODP1024) |
| SA Lifetime (secs) | 14400 |
| IPSec Settings | |
| IPSec Mode | Tunnel |
| IPSec Protocol | ESP |
| Encryption Algorithm | 1DES-CBC 56bit |
| Enforce Algorithm | off |
| Authentication Algorithm | MD5 160bit |
| SA Lifetime (secs) | 3600 |
| PFS | PFS Group 2 (MODP1024) |
| Compression | off |
Table 1: New IPsec Policy for NBM Client
Figure 2: Configuring New IPSec Policy
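A check a reviewer could run over the Table 1 values before deploying them, as an added example that is not part of the original AppNote and not an NSM feature: it parses the table rows and reports every value that matches a weak-algorithm rule, looking at values only, not at the row labels. The rule set and the names `parse_policy` and `audit` are this example's own assumptions; the rows are copied from Table 1.

```python
import re

# Constructed input: the settings rows of Table 1, copied as "Parameter | Value".
TABLE_1 = """\
| ISAKMP (IKE) Settings | |
| IKE Mode | Main Mode |
| Authentication Algorithm | 3DES 168bit |
| Encryption Algorithm | MD5 160bit |
| IKE DH Group | DH Group 2 (MODP1024) |
| SA Lifetime (secs) | 14400 |
| IPSec Settings | |
| IPSec Mode | Tunnel |
| IPSec Protocol | ESP |
| Encryption Algorithm | 1DES-CBC 56bit |
| Enforce Algorithm | off |
| Authentication Algorithm | MD5 160bit |
| SA Lifetime (secs) | 3600 |
| PFS | PFS Group 2 (MODP1024) |
| Compression | off |
"""

RULES = [  # assumption: this example's own rule set, matched against values only
    (re.compile(r"(?<!3)DES\b"), "single DES (56-bit key)"),
    (re.compile(r"\b3DES\b"), "3DES (64-bit block, legacy)"),
    (re.compile(r"\bMD5\b"), "MD5 (collision-broken hash)"),
    (re.compile(r"MODP(768|1024|1536)\b"), "MODP group below 2048 bits"),
]

def parse_policy(text):
    """Return {block: {parameter: value}} from 'Parameter | Value' rows."""
    policy, block = {}, None
    for line in text.splitlines():
        cells = [c.strip() for c in line.strip().strip("|").split("|")]
        if len(cells) != 2 or not cells[0]:
            continue
        name, value = cells
        if not value:  # a row with an empty value opens a settings block
            block = policy.setdefault(name, {})
        elif block is not None:
            block[name] = value
    return policy

def audit(policy):
    """Return (block, parameter, finding) for every value a rule matches."""
    return [(blk, name, msg) for blk, params in policy.items()
            for name, value in params.items()
            for rx, msg in RULES if rx.search(value)]

for row in audit(parse_policy(TABLE_1)):
    print(" / ".join(row))
```

Each finding marks a setting to revisit if both endpoints can negotiate something stronger.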
Adding Pre-Shared Remote Key on NSM6
NSM requires the creation of a Remote Pre-Shared Key object for PSK authentication mode. To create a new Remote Key, proceed with the following steps (shown in Figure 3):
1. Go to IPSec VPN in the left menu panel and select Remote Keys.
2. From the New Remote IPSec Key section, select the Key Type as PSK.
3. Enter the Name for the shared secret (e.g. "NBM-PSK") and enter the value of the Pre-Shared Key you intend to use in the Preshared Key field.
4. Click Add to add the key.
Figure 3: Configuring Pre-Shared Key (Remote Key) in NSM
Adding Roadwarrior VPN Connection at NSM
As the final step of configuration on the NSM server, a VPN connection for NBM3.8 VPN clients needs to be defined. To create a new IPSec connection:
1. Go to IPSec VPN in the left menu panel and select Connections.
2. Go to the New IPSec Connection, and select "Road warrior" from the Type dropdown box.
3. Configure the values as given in Table 2.
4. The newly added connection is disabled by default. To enable the connection, click the red square icon at the left of the connection definition.
Now the NSM6 server is ready to accept the VPN Connection from NBM3.8 VPN client in PSK mode.
| Parameter | Value |
| Name | NBM38-Client_Connection |
| Type | Roadwarrior |
| IPSec Policy | NBM-Client-PSK-Policy |
| Auto Packet Filter | On |
| End Point Definition | |
| Local Endpoint | External |
| Remote Endpoint | Any (Fixed) |
| Subnet Definition (optional) | |
| Local Subnet | Any |
| Remote Subnet | None |
| Authentication of Remote Subnet(s) | |
| L2TP Encapsulation | Off |
| Keys | PSK: NBM-PSK |
Table 2: Parameters for new IPSec Roadwarrior Connection on NSM Server
VPN Connection from NBM3.8 Client
1. Launch the NBM3.8 Client.
2. From the Configuration Tab, select the authentication method as Preshared Key (shown in Figure 4).
Figure 4: Select Pre-Shared key on BorderManager3.8 VPN Client
3. Click the VPN Tab and enter NSM Server's external IP Address (configured as Local Endpoint above). Then enter the configured preshared key and click OK to connect (shown in Figure 5).
Figure-5: Enter Pre-shared key and Connect
Verifying the Connection
1. On the NBM3.8 VPN Client, send traffic to any machine in the private network of the NSM server (or NSM Server's private Interface). This must be successful.
2. On the NSM6 Server, go to IPSec VPN -> Connections.
3. Verify both the IKE phase 1 and phase 2 SA negotiations as shown in Figure 6. Here you can verify connection status for all the clients currently connected to the NSM6 VPN Server.
Figure 6: Verifying Client Connections at NSM
Troubleshooting Logs
Here are some steps to try if you need to troubleshoot using the logs:
1. Check the NSM server logs under [Local Logs -> Browse], then select IPSec VPN to browse through current logging activity.
2. On the NBM3.8 Client, check the client log at: C:\Novell\VPNC\WINNT\log\ikelog.txt
Conclusion
This document describes how to successfully connect the BorderManager3.8 VPN client to the Novell Security Manager 6 VPN service, using PSK mode. However, PSK is not the most secure method for a VPN connection when compared to the certificate mode of authentication. The steps to configure this VPN scenario using certificates will be explained in a forthcoming document.
