AppNote: Configuring an IPSec Tunnel for Cisco and NBM
Novell Cool Solutions: AppNote
Digg This -
Posted: 30 Sep 2004
Configuring an IPsec Tunnel - Cisco VPN 3000 Concentrator to Novell BorderManager 3.8 VPN
Senior Software Engineer, Novell Inc.
Abstract: This AppNote describes in detail the configuration steps to be followed for setting up an IPsec tunnel between the Novell BorderManager 3.8 VPN Gateway and the Cisco VPN 3000 Concentrator Series Router. It also helps in monitoring and troubleshooting the Cisco VPN 3000 Concentrator.
This AppNote demonstrates how to form an IPsec tunnel with pre-shared keys to join the following private networks:
- A private network inside the Novell BorderManager 3.8 VPN.
- A private network inside the Cisco VPN 3000 Concentrator.
The IPsec tunnel established between these two private networks enables users from one private network to securely access the resources in other private network and vice-versa.
This AppNote is intended for network administrators who plan to set up an IPsec tunnel between the Novell BorderManager (NBM) 3.8 VPN and the Cisco VPN 3000 Concentrator Series. It also aids in interoperability testing between the two gateways.
Pre-requisitesIt is assumed you are familiar with installation and configuration of NBM 3.8 VPN and the Cisco VPN 3000 Concentrator. This document does not discuss the installation or network configuration of the gateways. It is also assumed that before configuration, traffic is flowing to the Internet (represented in this document by the 137.65.x.x networks) both from inside the VPN Concentrator and from inside the Novell BorderManager 3.8 VPN.
The information in this document is based on the following software and hardware versions:
- Cisco VPN 3000 Concentrator Type 3015
- Cisco VPN 3000 Concentrator Software Release Version 3.6.7 or later
- Novell BorderManager 3.8 VPN
- Novell BorderManager 3.8 Support Pack 2 or later
The information in this document is based on devices in a specific lab environment. All these devices started with a cleared (default) configuration. The information in this document may also apply to other models of the Cisco VPN 3000 Concentrator Series.
This document uses the following network setup:
Figure 1: Network Setup
As shown in Figure 1, 10.10.10.x is the protected network behind the NBM server, and 20.20.20.x is the protected network behind the Cisco router.
- NBM - Novell BorderManager
- IKE - Internet Key Exchange
- IPsec - Internet Protocol Security
- ESP - Encapsulation Security Payload
- SA - Security Association
- VPN - Virtual Private Network
- PSK - Pre-Shared Key
- DH - Diffie-Hellman
A: Configuring the Cisco VPN 3000 Concentrator
Complete the following tasks to configure the VPN 3000 Concentrator. You will access the Cisco VPN configuration Web-based management tool using a browser.
Task A1: Modifying/Adding an IKE Proposal
- Select Configuration > System > Tunneling Protocols > IPsec > IKE Proposals > Add/Modify.
- Create an Internet Key Exchange (IKE) proposal named NBM38-PSK-3DES-SHA with Pre-shared Keys (PSK) Authentication Mode, Secure Hash Algorithm (SHA) hashing, Data Encryption Standard (3DES), Diffie-Hellman Group 1, and Time Lifetime Measurement.
- Set the Time Lifetime to 28800 seconds. Select Add.
Figure 2: Modifying/Adding IKE Proposal in Cisco configuration (Larger image)
Task A2: Activating an IKE Proposal
- Select Configuration > System > Tunneling Protocols > IPsec > IKE Proposals.
- Select NBM38-PSK-3DES-SHA.
- Click Activate to activate the IKE proposal.
Figure 3: Activating an IKE proposal
Task A3: Modifying/Adding an IPsec LAN-to-LAN connection (Larger image)
- Select Configuration > System > Tunneling Protocols > IPsec LAN-to-LAN > Add/Modify.
- Set up an IPsec tunnel called "TO-NBM38" with the NBM server address as the Peer.
- Select "None (Use Pre-shared Keys)" for Digital Certificate.
- For a Pre-shared Key, enter the actual key ("novell" in this example).
- Select ESP/SHA/HMAC-160 for Authentication and 3DES-168 for Encryption.
- Enter the IKE proposal ("NBM38-PSK-3DES-SHA" in this example), and the Local (188.8.131.52) and Remote (10.10.10.0) networks.
- Click Apply.
Figure 4: Modifying/Adding LAN-to-LAN connection (cont'd.) (Larger image)
Figure 5: Modifying/Adding LAN-to-LAN connection (Larger image)
Task A4: Modify Security Association
- Select Configuration > Policy Management > Traffic Management > SAs > Add/Modify.
- Make sure that Perfect Forward Secrecy is disabled.
- Set the IPsec Time Lifetime to 7200 seconds.
- Click Apply.
Figure 6: Modifying/Adding Security Association. (Larger image)
Task A5: Save the configuration
Click Save Needed at the top right corner of the dialog. The configuration file CONFIG.TXT will be saved, and this can be obtained from Administration > File Management.
B: Configuring Novell BorderManager 3.8 VPN
Complete the following tasks to configure the Novell BorderManager 3.8 VPN, using the iManager configuration tool from a Web browser.
Task B1: Adding NBM server to the VPN Server List
- Select NBM VPN Configuration > NBM VPN Server Configuration > VPN Server List > Add.
- Enter the server name with context and select 'Next'. Do not select the Site to Site or Client to Site role at this point.
- Enter the NBM server public address and subnet mask.
- Enter the Tunnel Address and subnet mask. Tunnel Address is not used with third- party interoperability, but it is required for completing the configuration.
- Make sure the Key Life Time is set to 480 minutes (IKE Key Life Time) and Perfect Forward Secrecy is disabled.
- Click OK. All the certificate-related configuration will be created automatically.
After this step, NBM server (PRV-BM.novell, in this example) is added to VPN Server List (path: NBM VPN Configuration > NBM VPN Server Configuration > VPN Server List). Note: Key Life Time and Perfect Forward Secrecy values should be the same as the ones configured in the Cisco VPN 3000 Concentrator.
Figure 7: Adding NBM server. (Larger image)
Task B2: Creating Site to Site Configuration
- Select NBM VPN Configuration > NBM VPN Server Configuration > VPN Server List.
- Click the server name you created in Task B1.
- Select Site to Site Role as Master.
- Click Create.
- Select the subject name of the server certificate and add the protected local network (10.10.10.0) behind the NBM server.
- Disable IP RIP.
- Save the configuration by clicking Apply and then OK.
Figure 8: Selecting NBM server as Master. (Larger image)
After this step, Site to Site service (VPNS2SPRV-BM.novell, in this example) is created with NBM server as the master in the Site to Site Member list. THis list is found under NBM VPN Configuration > VPN Site To Site Configuration > Member List.
Figure 9: Creating Site to Site configuration (Larger image)
Task B3: Adding Cisco VPN 3000 Concentrator as a slave to the Site To Site Member List
- Select VPN Site To Site Configuration > VPNS2S Service > Member Lists > Site To Site Member List > Add.
- Select Server Name as "TO-CISCO" with Server Address as the Cisco peer address.
- Make sure the Tunnel Address and subnet mask are entered, even though they are not used for third-party interoperability.
- Select Non-BorderManager VPN with Authentication Method as PSS (Pre-Shared Secret).
- For the PSS Key, enter the same PSS key that was entered in the Cisco VPN configuration.
- Add the protected remote network (184.108.40.206) behind the Cisco Server.
- Click Apply.
Figure 10: Adding Cisco Server as Slave Member in Site to Site configuration. (Larger image)
The Site to Site Member List will have the NBM server as the master server and the Cisco server as the slave server, as shown below.
Figure 11: Site to Site Member List (Larger image)
Task B4: Configuring third-party traffic rules
- Select VPN Site To Site Configuration > VPNS2S Service > 3rd Party Traffic Rules > New.
- Enter the traffic rule name (CISCO-ALLOW, in this example) and make sure the rule is enabled.
- Select Cisco Server Address as the third-party Server Gateway Address.
- Add the third-party (Cisco) server protected network (220.127.116.11, in this example).
- Add the NBM server protected network (10.10.10.0, in this example).
- Define the action as Encrypt with IPsec Key Life Time as 120 minutes, Encryption as 3DES, and Authentication as HMAC-SHA1.
- Click Apply and then OK.
Note: Make sure the IPsec Proposal values entered for Key Life Time, Authentication and Encryption match the ones entered in the Cisco VPN configuration. The default rule says to deny all the packets. So, make sure that the new rule you add comes above the default rule in the list of third- party traffic rules, to avoid packet denial.
Figure 12: Configuring 3rd party traffic rules (cont'd.) (Larger image)
Figure 13: Configuring 3rd party traffic rules. (Larger image)
To establish an IPsec tunnel between the two gateways, try transmitting data from 10.10.10.x network to 20.20.20.x network or vice-versa (like ping, for example). It triggers IKE negotiation and establishes IPsec tunnel between the gateways. If the tunnel gets established, then data will be transmitted from 10.10.10.x to 20.20.20.x and vice-versa.
Monitoring the Cisco VPN 3000 Concentrator
To monitor the LAN-to-LAN tunnel traffic, select Monitoring > Sessions. All the active LAN-to-LAN IPsec sessions, Remote Access sessions, and Management sessions are displayed as shown below.
Figure 14: Monitoring LAN-to-LAN sessions (Larger image)
To see more details on the IPsec tunnel established between NBM 3.8 VPN and Cisco VPN 3000 Concentrator, click the active LAN-to-LAN session ("TO-NBM", in this example). As shown in Figure 15, you'll see the following kinds of information:
- IKE session details (Authentication mode, Hashing algorithm, Encryption algorithm, Negotiation mode, DH Group, Re-key lifetime interval)
- IPsec session details (Hashing algorithm, Encryption algorithm, Local and Remote networks, Re-key lifetime interval and Bytes transmitted and received)
The IKE and IPsec session details are for the tunnel ("TO-NBM", in this example) between the peers (NBM and Cisco, in this example).
Figure 15: More details of an active LAN-to-LAN connection (Larger image)
To see the overall IPsec statistics of the Cisco router, select Monitoring > Statistics > IPsec as shown below.
Figure 16: Overall IPsec statistics (Larger image)
To clear an individual IPsec tunnel, select Administration > Administer Sessions > LAN-to-LAN sessions > Actions > Logout.
To clear all IPsec LAN-to-LAN sessions at once, select Administration > Administer Sessions > Logout All > IPsec LAN-to-LAN.
Troubleshooting the Cisco VPN 3000 Concentrator
This section provides information you can use to troubleshoot your configuration. Possible VPN Concentrator debugging includes IKE, IKEDBG, IKEDECODE, IPSEC, IPSECDBG, and IPSECDECODE. These are set up in Configuration > System > Events > Classes.
Figure 17: Selecting debug events (Larger image)
To view a log, select Monitoring > Filterable Event Log > Get Log. To save a log to file, select Monitoring > Filterable Event Log > Save Log.
Figure 18: Capturing debug logs (Larger image)
To view the Live Event Log, select Monitoring > Filterable Event log > Live Event Log.
Figure 19: Live Event Logging (Larger image)
Sample Configuration File
The boot configuration file (CONFIG) and its predecessor (CONFIG.BAK) of the Cisco VPN 3000 concentrator can be obtained by selecting Administration > File Management. These configuration files are also very useful for troubleshooting purposes.
Monitoring and Troubleshooting NBM 3.8 VPN
Monitoring and troubleshooting details of NBM 3.8 VPN does not come under the scope of this document.
Note: The status of the third party VPN slave member will be shown as "Being Configured" in the VPN Member List, when the VPN master is being monitored.
This document discusses the detailed configuration of Cisco and NBM to enable the IPsec tunnel. This document also discussed the monitoring and troubleshooting of the Cisco router. Novell recommends that you verify the setup on a simulated test network before you deploy this configuration directly into a production environment.
For NBM 3.8 VPN configuration and administration:
For NBM 3.8 VPN Troubleshooting:
For NBM 3.8 Monitoring:
For Cisco VPN 3000 Concentrator 3.6 configuration:
For Cisco VPN 3000 Concentrator 3.6 Monitoring:
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com