BorderManager and Novell Security Manager Site-to-Site VPN
Novell Cool Solutions: Feature
By Jenn Bitondo
Posted: 21 Apr 2005
BorderManager supports third-party VPNs as long as they follow RFC 2409, the Internet Key Exchange (IKE). This article explains how to set up a third-party VPN using the Novell Security Manager. The BorderManager server will be the master and the Novell Security Manager will be the slave.
First, you need to make sure that your BorderManager server is set up to be a master. The BorderManager 3.8 documentation explains how to set up the BorderManager as a master. If your BorderManager server is the master, then VPMASTER.NLM should already be loaded on the server. You can also check iManager in the NBM VPN configuration. It will list the server name and indicate if the server is a Site-to-Site Master.
To set up the VPN, you need to use WEBADMIN on the Novell Security Manager. To access WEBADMIN, enter HTTPS://IPADDRESS in your browser, where IPADDRESS is the IP address of the Novell Security Manager server.
You need to use WEBADMIN to set up a remote key. From the menu on the left, select IPSec VPN >> Remote Keys. (See the following figure.)
In the Remote Key field, type a name for the key. You do not need to fill in the Virtual IP address. For Key Type, select PSK. In the Preshared Key field, type the password you will use to connect to the BorderManager server. (You will have to remember what the Preshared Key is to make the BorderManager connection later.) When you are done, click ADD.
After you have created the remote key, you need to set up the VPN connection. On the IPSEC VPN tab, select Connections. Type a name for your connection. (Valid characters include alphanumerical characters, spaces, dashes, and underscores.) Select Standard as the Type you want to use to connect to the BorderManager server. (The other types are mostly for client connections.) For IPSEC Policy, select 3DES. Set Auto Packet Filter to either On or Off. If you turn it on, the Novell Security Manager box will create the needed VPN filters for communication through the VPN. You can also set Strict Routing to either On or Off. If strict routing is enabled (On), then VPN routing is based on both source and destination IP address (instead of only destination IP address). In most cases, you should enable strict routing.
Next, you need to determine your endpoints. For Local Endpoint, select an interface that is used as the local endpoint of the IPSec tunnel. For this connection to the VPN, the local endpoint should be your internal interface. If the remote endpoint uses a dynamic IP address, choose >> Dynamic IP Address << for the Remote Endpoint. Otherwise, select a host for the Remote Endpoint. (See the figure below.) For the Authentication of remote Stations, select the key you just created. Now all you need to do is add this connection.
You are ready to turn on the connection. On the IPSec VPN >> Connection page, click the gray box next to the red one. When the gray box turns green (and the red box turns gray), Novell Security Manager is ready to make a VPN connection when it hears from its master.
Now you need to notify the BorderManager server that you have a slave. In iManager, go into the NBM VPN Configuration and set up your VPN site-to-site configuration. Your BorderManager server should appear in the Member list. On the right-hand side of the page, you will see an Add button. You will use this button to add your third-party VPN (Novell Security Manager).
The Server Name you type does not have to match anything, because the third-party server isn't in your eDirectory tree. Assign the server a name that will help you distinguish it, especially if you have several servers you want to connect to the VPN. In the example above, the server is called NovellSecurityManager. (The server name cannot include spaces.) For the Server Address, you must enter the real/public IP address of the server you want to establish the tunnel with.
You did not create a tunnel address on the Novell Security Manager server because it doesn't need one. However, the BorderManager server does need a tunnel address. Assign the BorderManager server a tunnel address that is in the same network as your master, but unique to the server itself. (In the example, the tunnel IP address for the BorderManager server is 220.127.116.11; the tunnel IP address for the Novell Security Manager is 18.104.22.168.)
Make sure you click on Non-BorderManager VPN. This tells the BorderManager server that the peer is a third-party device, so it needs different information in order to establish the tunnel. For Authentication method, select PSS (this is the Preshared Key type that you created on the Novell Security Manager server). For the PSS Key, use the same string or password that you specified for the Preshared Key. The PSS Key and the Preshared Key must match or the tunnel won't be established.
Select the 3rd Party Traffic Rules tab (shown below). The most important thing to remember when creating the 3rd party traffic rules is that they must match what you put on the Novell Security Manager server. For example, if you choose to encrypt all networks on the Novell Security Manager server, you must choose to encrypt all networks here as well.
From the drop-down box, select your gateway, which is the public IP address of the Novell Security Manager server. If you choose to encrypt all traffic here, you must choose all hosts. (If you only want some traffic to go through the tunnel, you can create an IP list.)
In the Define action section, select Encrypt and specify your packet security (3DES and HMAC-MD5 are used in the example).
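The settings that must agree on both ends (the PSS Key and the Preshared Key, the IPsec policy, the encrypt-all versus IP-list traffic rules, and distinct tunnel addresses in one network) are easy to get wrong when they are typed into two different web interfaces. The following Python script is an added example, not code from the article or from Novell: it models those settings for the master and the slave and lists every mismatch that would keep the tunnel from coming up. All class and field names, the /24 tunnel prefix, and the sample addresses and key are this example's own assumptions.

```python
"""Consistency check for the two ends of a PSK site-to-site IPsec tunnel.

Added example, not code from the article or from Novell. Field names and
all sample values are constructed for illustration.
"""
import hmac
import ipaddress
from dataclasses import dataclass, field
from typing import List, Optional


@dataclass
class PeerSettings:
    name: str
    public_ip: str                  # address the other side dials (Server Address / Remote Endpoint)
    preshared_key: str              # PSS Key on BorderManager, Preshared Key on Security Manager
    ipsec_policy: str               # e.g. "3DES"
    encrypt_all: bool               # True = "encrypt all networks" on this side
    ip_list: List[str] = field(default_factory=list)  # protected networks when encrypt_all is False
    tunnel_ip: Optional[str] = None  # tunnel address as entered in iManager (the slave itself sets none)


def check_peers(master: PeerSettings, slave: PeerSettings,
                tunnel_prefix: int = 24) -> List[str]:
    """Return a list of mismatches; an empty list means the two ends agree."""
    problems: List[str] = []

    # The PSS Key and the Preshared Key must be identical or IKE phase 1 fails.
    # compare_digest keeps the comparison constant-time.
    if not hmac.compare_digest(master.preshared_key.encode(), slave.preshared_key.encode()):
        problems.append("preshared key: PSS Key on master differs from Preshared Key on slave")

    if master.ipsec_policy.upper() != slave.ipsec_policy.upper():
        problems.append(f"ipsec policy: {master.ipsec_policy} on master vs {slave.ipsec_policy} on slave")

    # Traffic rules must be mirrored: all networks on both sides, or the same IP list.
    if master.encrypt_all != slave.encrypt_all:
        problems.append("traffic rules: one side encrypts all networks, the other uses an IP list")
    elif not master.encrypt_all and set(master.ip_list) != set(slave.ip_list):
        problems.append("traffic rules: protected IP lists differ")

    # Tunnel addresses: both present, distinct, and in one network (prefix length is assumed).
    if master.tunnel_ip is None or slave.tunnel_ip is None:
        problems.append("tunnel address: missing for one side of the configuration")
    else:
        net = ipaddress.ip_network(f"{master.tunnel_ip}/{tunnel_prefix}", strict=False)
        if master.tunnel_ip == slave.tunnel_ip:
            problems.append("tunnel address: master and slave share the same tunnel address")
        elif ipaddress.ip_address(slave.tunnel_ip) not in net:
            problems.append(f"tunnel address: {slave.tunnel_ip} is not in {net}")

    return problems


def sample_pair(mismatch: bool = False):
    """Constructed sample settings (not from the article).

    mismatch=True gives the slave a key that differs only in case and an IP list
    instead of encrypt-all, the two errors the article warns about.
    """
    master = PeerSettings("BorderManager", "203.0.113.10", "CorrectHorseBattery", "3DES",
                          encrypt_all=True, tunnel_ip="10.9.9.1")
    slave = PeerSettings("NovellSecurityManager", "203.0.113.20",
                         "correcthorsebattery" if mismatch else "CorrectHorseBattery",
                         "3DES", encrypt_all=not mismatch,
                         ip_list=["192.168.1.0/24"] if mismatch else [],
                         tunnel_ip="10.9.9.2")
    return master, slave


if __name__ == "__main__":
    for flag in (False, True):
        m, s = sample_pair(flag)
        print(f"{m.name} <-> {s.name}: {check_peers(m, s) or ['ok']}")
```

The check only confirms that the two ends agree; it says nothing about the strength of the suite. 3DES and HMAC-MD5, the options shown in this article, are considered deprecated today, so on a platform that offers AES and SHA-2 those should be preferred on both ends.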
After you have set the 3rd Party Traffic rules, click Apply. Then click OK. You should see the following message if your modifications were successful:
Now you should have a working VPN tunnel between your BorderManager server and your Novell Security Manager server. You can use ping to test the VPN tunnel.
On your server console, you should see a call connection being established to the IP address of your Novell Security Manager server (see the example below).
With VPMON.NLM loaded on the master server, you can check VPN monitoring and statistics through Novell Remote Manager (NRM). When you view this information, note that NovellSecurityManager shows a status of "being configured". No matter how many times you synchronize all servers, the status of a third-party VPN will always be listed as being configured (see below).
You can also check your VPN connection and tunnel communication using the IKE screen on your NetWare server (shown below). On the IKE screen, you should see that an IKE connection was made. You should also see a HASH-PAYLOAD as well as information indicating that a 3DES connection was made to the IP address of your Novell Security Manager server.
Novell Security Manager also provides logging and capturing tools. The screen below is an example of what the VPN Status looks like in the VPN connection section. This log indicates that the IPSec connection is established.
Novell Cool Solutions (corporate web communities) are produced by WebWise Solutions. www.webwiseone.com