AppNote: Novell BorderManager 3.8 VPN client: An Introduction
Novell Cool Solutions: AppNote
By Manisha Malla, Sreekanth Settipalli, Surendranath Mohanty
Digg This -
Posted: 12 Nov 2003
|Surendranath Mohanty||Manisha Malla||S Sreekanth|
|Software Consultant||Senior Software Engineer||Senior Software Engineer|
The Novell BorderManager VPN client software allows a workstation to communicate securely over the internet to a network protected by a Novell VPN server over the Internet. This paper introduces the VPN client and provides a short summary on how to install and use it.
Table of Contents:
The Novell BorderManager VPN client software allows a workstation to communicate securely over the Internet to a network protected by a Novell VPN server. The new VPN client software provides a number of modes of authentication such as the X509 certificate mode, Novell Modular Authentication Service (NMAS) mode, NMAS mode with LDAP enabled, Preshared key (PSS), Backward compatibility mode (to earlier version of NBM server) and Backward Compatibility mode with token authentication. The key management protocols used are IKE and SKIP. The VPN client is simple to install and configure. It enhances the security features of Novell BorderManager but can also be used independently.
The VPN client supports the following features.
2.1 VPN client Integrated with Novell client
This version of the Novell VPN client will integrate into the Novell client for Windows 98, Windows NT, Windows 2000, Windows XP, or Windows XP Home Edition. Re-start the machine after installing the new VPN client. During re-start, the VPN client will integrate with Novell client. Once the system comes up, the Novell Login screen will have a location drop-down list. The list will contain the default entry as well an entry for the VPN capabilities. You can select any of the locations, depending on the operation to be performed.
Four new tabs are available that can be configured in a service Instance by selecting Novell client Properties. The four tabs do the following:
- eDirectory: To provide the details of eDirectory.
- Configuration: To provide authentication mechanism for VPN client as well as dial-up, Novell login and IPX option.
- Launcher: To launch an application after VPN connection.
- VPN: To provide credentials for the authentication type mentioned in the Configuration tab.
- VPN Status: Displays the status of the VPN dial-up and/or authentication.
There is one additional tab in case Dial-up is chosen as a mode of authentication.
- There is one additional tab in case Dial-up is chosen as a mode of authentication.
2.2 VPN clients for Windows Platforms use NICI for Encryption
This version of VPN client for Windows 98, Windows Me, Windows NT, Windows 2000, Windows XP and Windows XP Home Edition use Novell International Cryptographic Infrastructure (NICI 128-bit) encryption because there is no export restriction with NICI.
2.2.1 NICI Versions
If NICI 1.7.0 (128-bit version - kernel NICI) is not installed, the VPN Setup program installs it. This version of NICI overwrites NICI 1.5.7 (56-bit). This also installs NICI 2.6 (user NICI). It upgrades from any version of user NICI.
2.3 Modes of Authentication
The VPN client supports the following modes of authentication:
2.3.1 X509 Certificate Authentication Mode
To perform the IKE mode of authentication the VPN client needs the user to provide an x509 certificate and the server's trusted root (optional). Copy these two to the local workstation (either to
The user certificates stored in eDirectory can also be automatically retrieved using the 'Get Certificate' feature of the NBM 3.8 VPN client. The user certificate will be stored in .pfx format at
To do so, select the Certificates option in the configuration tab. In the VPN tab, choose the user certificate file (.pfx file) and in the Certificate password field provide the certificate password.
22.214.171.124 Local Policy
To use the IKE mode of authentication the user can provide IKE and IPsec parameters by clicking the Policy Editor on the VPN page. This policy will be imposed in the VPN client if there is no policy pushed by the VPN server. If the server has a policy already configured, the IKE/IPsec parameters configured on the client will be sent as a proposal during the IKE negotiation.
2.3.2 NMAS Authentication Mode
The VPN client is integrated with Novell Modular Authentication Service (NMAS). NMAS requires Novell client. Therefore, the users must install the Novell client to use NMAS methods.
Select NMAS option in the configuration tab and provide NMAS user information and credentials in the eDirectory/VPN tab. In the VPN tab provide VPN server IP address and NMAS sequence (for example, eDirectory, Universal Smart Card, LDAP user name and so on). For credentials, some methods will pop up a dialog box if the same is not already entered.
2.3.3 NMAS LDAP Authentication Mode
The NMAS authentication mode also works with Lightweight Directory Access Protocol (LDAP). LDAP users on remote LDAP servers can also be authenticated using the NMAS NBMLDAP sequence.
Select NMAS and check the LDAP box in the Configuration tab. Go to VPN tab and enter VPN server IP address and LDAP user DN (for example, CN=Admin, O=Novell). (The Sequence box in the screen has an entry of NBMLDAP automatically and it is grayed out.) The LDAP method will pop up a dialog box for the credential.
2.3.4 Pre-shared Authentication Mode
In this mode VPN client will authenticate with the NBM VPN server in an agreed upon shared secret.
Select Pre-shared Authentication mode in the Configuration tab. Go to VPN tab and provide password for the pre-shared key configured in the VPN server. Pre-shared authentication is one of the authentication methods that can be used for authenticating the IKE key exchange.
2.3.5 Backward Compatibility Mode
In this mode VPN client will talk to a NBM server (BMEE 3.6, NBM 3.7, NBM 3.8) in SKIP mode.
Select Backward Compatibility mode in the Configuration tab. Provide eDirectory credentials in the eDirectory tab.
The ActiveCard token authentication will be enabled if NMAS is installed on the client. The ActiveCard token authentication method will work if the ActiveCard token method is configured for the user in eDirectory. The VPN tab requires credentials for ActiveCard token method.
2.4 Dial-Up Entries
On Windows 98 and Windows Me, you may select a dial-up entry of any server type. Previously (with Novell BorderManager Enterprise Edition 3.0), you could only select dial-up entries of type Novell Virtual Private Network. All entries must be configured to negotiate only for TCP/IP connections. If you want to invoke the VPN client from Dial-Up Networking instead of vpnlogin.exe, then the dial-up entry that you select from Dial-Up Networking must be of server type Novell Virtual Private Network; otherwise, vpnlogin.exe will not be spawned after the dial-up connection has been established.
On Windows NT, you may select a dial-up entry of any server type. There is no Novell Virtual Private Network server type from the Dial-Up Networking selection on Windows NT.
If there is a dial-up requirement. Install dial-up networking before VPN client install.
When you make your dial-up entry selection from vpnlogin.exe, choose entries that do not enable Point-to-Point Protocol (PPP) compression. Compressing data that has been encrypted will incur unnecessary CPU overhead and will not offer any savings in the size of the packets being sent.
Note: Install the VPN client after installing the modem.
2.4.1 Automatic Creation of a Novell VPN Dial-Up Entry
During VPN client installation, if you choose to use Dial-Up Networking, the VPN client installation creates a Novell VPN dial-up entry for you.
2.5 Password Expiry Notice
During VPN client login, the eDirectory user will be notified in case user's eDirectory password has expired and grace logins are being used. The user will also be given an option to change the eDirectory password during VPN client login. This option will also be provided on the VPN client system tray icon. The user will get the change password option only if user is using eDirectory credentials for VPN/NetWare login from the VPN client application. Change password will fail in case of context less login. It requires all eDirectory user credentials as asked by the VPN client.
2.6 VPN Server Hosts List
If you have a file named vpnhost.txt in your VPN client installation directory, the installation program will take IP addresses from this file and enter them into the workstation's Registry. Each line of the vpnhost.txt file may contain one IP address, optionally followed by a description of the entry. For example:
126.96.36.199 My Corporate VPN in Bangalore
The policy specified by the administrator in eDirectory will be applied on the client. If a policy is changed for that particular VPN user while a VPN session is on the changes will not be reflected until the next session. After a VPN client connection is through, the list of policies being applied to the client for the current session can be seen in the Policy tab of the VPN status.
2.8 NAT Support
NAT support on VPN client provides IKE-NAT Traversal/UDP encapsulation draft in addition to the NAT support provided by earlier versions of Novell BorderManager. IKE-NAT traversal/UDP encapsulation is the standard used in the industry.
Note: Because of the standard IKE support, VPN server can be behind NAT and the VPN client can still connect to it using the IP address of the NAT instead of the server's IP address. This prevents the VPN server from being exposed to public networks.
This section discusses the installation of the VPN client. The VPN client software is available in the Novell BorderManager 3.8 product CD. Unzip the file on your local drive.
Follow the install logic to set up the product. While installing the install will configure the parameters associated with a secure connection.
The set up will ask two options you want to configure/install:
- Dial-Up VPN client
- NMAS client
Choose one or both depending upon your need.
The install prompts to install the following two versions of NICI on the system:
- NICI 1.7.0 (128-bit)
- NICI 2.6.0 (128-bit)
Once the installation is over, restart the machine for the VPN client software to work properly.
The VPN client can be configured in a number of modes. Here we shall discuss some of the common modes. A discussion about the interoperability of VPN client with VPN server is not the scope of this document. This document lists how to configure the VPN client to enable Backward Compatibility, NMAS, Certificates, Preshared Key, Dial-up and Novell client. In this section we shall take up each of these.
Please note the detailed configuration has to be done for the first time. After that the VPN client will pick the configurations from the registry and you will only need to provide the minimum credentials.
4.1 Backward Compatibility
The mode of authentication of the VPN client depends on the authentication method selected in the Configuration tab. By default the Backward Compatibility method will be enabled.
Figure 1 Backward Compatibility
The Backward Compatibility mode provides the SKIP mode of connection to earlier version of Novell BorderManager servers. It can also talk to other NBM 3.8 servers in this mode.
Once this is enabled go to the eDirectory tab and provide the eDirectory/NDS credentials.
Figure 2 VPN parameters of Backward Compatibility mode
In the VPN tab provide the NBM server IP address or DNS name.
4.2 Backward Compatibility with Token Password
Figure 3 Backward Compatibility with Token Password
The Backward Compatibility mode provides the SKIP mode of connection to earlier version of Novell BorderManager servers. It can also talk to NBM 3.8 servers in this mode. The Token Password method will be enabled if NMAS is installed.
Figure 4 VPN parameters of Backward Compatibility with Token Password
Provide the token password along with the other credentials for backward compatibility mode.
4.3 Certificate Mode
Figure 5 Certificate mode
The VPN client facilitates the user to perform the X509 Certificate mode of authentication. Select the Certificates Authentication method in the Configuration tab to proceed with X509 certificate authentication.
Figure 6 VPN parameters of Certificate mode
Choose the user certificate file (.pfx/.p12 file) from the drop down box and provide the certificate password in the VPN tab. To see the certificate file names in the drop down box, you can copy the .pfx/.p12 files to
This displays all the user certificates stored/imported to the VPN client. The certificate field requires certificate password. If the certificate password is correct then it displays the certificate subject name.
4.3.1 Certificate Mode - Get Certificate
Figure 7 VPN parameters of Get Certificate
This will retrieve the certificate for an eDirectory user. The user certificate should have been created/imported using Novell Certificate Server. The retrieved certificate will be stored in .pfx format at
4.3.2 Certificate Mode - Display Certificate
Figure 8 VPN parameters of Display Certificate
This displays the X.509 certificate details like the serial number of the certificate, the subject name of the certificate, the subject name of the issuer of the certificate and the range of validity of the certificate.
Figure 9 VPN parameters for Policy Editor - Proposal
This is the proposal configuration dialog that appears once the policy editor button is clicked on VPN certificate page. User can specify these proposals for IKE or IPsec when connecting to 3rd party VPN servers.
Figure 10 VPN parameters for Policy Editor - Lifetime
Figure 11 VPN parameters for Policy Editor - IP Sec Policy
Figure 12 VPN parameters for Policy Editor - Traffic Rules
4.4 NMAS Mode
Figure 13 NMAS mode
Figure 14 VPN parameters for NMAS mode
The VPN client supports the NMAS mode of authentication. The sequence field needed by the NMAS sequence/method will be used. The credentials for them will be provided in the eDirectory tab (except for the LDAP method). For more details on NMAS, refer to the NMAS documentation at www.novell.com/documentation.
4.4 NMAS Mode - Use LDAP
Figure 15 NMAS mode using LDAP
Figure 16 VPN parameters for NMAS mode using LDAP
Provide the IP Address of the VPN server with which you want to establish a VPN connection. Also provide the LDAP user name for authentication to the LDAP server.
Note: The LDAP server configuration as well as addition of the LDAP users needs to be done on the VPN server side for this authentication to work.
4.5 NMAS Mode - Enable Novell client
Figure 17 NMAS mode and Novell client Login
Figure 18 eDirectory parameters for NMAS mode and Novell client Login
The eDirectory tab shows the NetWare server. This provides the option for the user to perform a Novell authentication (if the NetWare client is installed) using this server instead of the VPN server. This NetWare server and VPN server should be in same eDirectory tree, as we need the same tree and context information for VPN as well as Novell connection.
4.6 NMAS Mode - Enable Dial-Up
Figure 19 NMAS mode and Enable Dial-Up
Figure 20 Dial-Up parameters of NMAS mode with Dial-Up enabled
If the Dial-Up check box is enabled in the configuration page, this page will take the dial-up information. This page appears only when dial-up is enabled. In this first, the Dial-Up connection will happen and the same connection will be used to perform VPN connection (if there is no LAN connectivity). Otherwise, the VPN connection may not use Dial-Up connection for VPN connection.
4.7 Preshared Key Mode
Figure 21 Preshared Key mode
The VPN client provides an option to the user to perform the IKE preshared key mode of authentication with the VPN server which is configured for the specific preshared key.
Figure 22 VPN parameters for Preshared Key mode
Provide the shared secret for Preshared key authentication. This key would have been configured as the Preshared key on the VPN server.
4.8 VPN Statistics
Figure 23 VPN statistics on general information and security
Shows general information if the client has connected to VPN server using IKE in certificate mode.
Figure 24 VPN statistics on Transfer statistics
Transmit statistics will display how many IP/IPX packets were sent encrypted from the workstation, how many packets were sent unencrypted, the number of packets that got discarded etc. Receive statistics will indicate how many IP/IPX packets that were received by the workstation were encrypted, how many packets that were received were unencrypted, the number of packets that were received by the workstation was discarded etc.
This page shows the transfer statistics which are the same for IKE and SKIP mode.
Figure 25 VPN statistics on Policies
These are the policies that get pushed by the VPN server to the VPN client after the client is successfully authenticated to the server. These policies will be applied on all the traffic to and from the client once the VPN connection is successfully established.
This page shows the accepted policies for the user connected using IKE to the VPN server.
For backward compatibility mode the Policy tab will look as below.
Figure 26 VPN statistics on Backward Compatibility
Novell BorderManager VPN client provides a number of modes of authentication and key security benefits. It can be used with Novell BorderManager 3.8 or independently.
The fact and figures provided in this paper are strictly from test scenarios and there can be deviations from these figures in real user scenarios. Novell does not recommend deploying these configuration changes directly on a production network. Please verify the configuration changes on a simulated test network before you deploy any of these in a production environment.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com