Setting Up Your VPN

To set up any type of VPN, you must set up a master server. After you set up the master server, you will complete additional setup tasks based upon whether you want to set up a site-to-site VPN or a client-to-site VPN. This section contains the following procedure:

NOTE:  You use the VPNCFG utility to set up the master server, set up the slave server, and generate the encryption information.


Setting Up the Master Server

A VPN can have only one master server. The master server is the central control point for the configuration and management of the VPN. In addition, a server (master or slave) can be a member of only one VPN.

To set up the master server for your VPN, complete the following steps:

  1. At the server console prompt, enter

    LOAD VPNCFG

    If this server is the first in the NDS or eDirectory tree to be set up as a VPN server, you are prompted to log in to the tree. You must have administrative rights to the root directory to extend the NDS or eDirectory schema and define the VPN attributes.

  2. Select Master Server Configuration.

  3. Configure the IP addresses for the master server.

    The VPN master server uses two IP addresses: a public address to communicate with the Internet, and a VPN tunnel address to exchange encrypted information with other VPN members.

    1. Select Configure IP Addresses.

    2. Enter the public IP address.

      If the VPN server is connected directly to the Internet, the public IP address is the address that was assigned by your ISP.

    3. Enter the subnet mask for the public IP address.

    4. Enter the VPN tunnel IP address.

      This address is associated with the VPN tunnel through which encrypted information passes. This address should be unregistered.

      IMPORTANT:  The VPN tunnel IP address for all VPN servers must be on the same subnet. The VPN tunnel IP address is an arbitrarily chosen private address. The scope of this address is limited to the VPN tunnel link. This address should not be used as the source or destination IP address for data packets. Use PING on this address to verify the direct connectivity through the VPN tunnel.

    5. Enter the subnet mask for the VPN tunnel IP address.

    6. Press Esc > select Yes when prompted to save your changes.

  4. Generate the master server encryption information.

    1. Select Generate Encryption Information.

    2. Enter up to 255 characters for the random seed.

      There is no need to record this value. The software uses this value to help randomize the master server Rivest-Shamir-Adleman (RSA) public and private keys, and the master server Diffie-Hellman public and private values that it generates.

  5. Copy the master encryption information file (MINFO.VPN) to diskette or save it to a local hard disk.

    1. Select Copy Encryption Information.

    2. Enter the path where you want to save the master encryption information file.

  6. Give the MINFO.VPN file to the network administrator of each slave server you want to add to the VPN.

    You can either send the diskette containing the file by surface mail or send the file as an e-mail attachment. There is no danger of compromising security if the file is intercepted because it contains only public information. Any alteration of the file can be detected by verifying the message digest during the configuration of the slave server.

  7. Press Esc until you exit VPNCFG.


Setting Up Site-to-Site VPNs

This section explains the basic tasks you perform to set up a site-to-site VPN. This section contains the following procedures:


Setting Up a Slave Server

To set up a slave server for your VPN, complete the following steps. Make sure you have the MINFO.VPN file from the master server administrator.

  1. At the server console prompt, enter

    LOAD VPNCFG

  2. Select Slave Server Configuration.

  3. Configure the IP addresses for the slave server.

    Like the master server, a VPN slave server uses two IP addresses: a public address to communicate with the Internet, and a VPN tunnel address to exchange encrypted information with other VPN members.

    1. Select Configure IP Addresses.

    2. Enter the public IP address.

      If the VPN server is connected directly to the Internet, the public IP address is the address that was assigned by your ISP.

    3. Enter the subnet mask for the public IP address.

    4. Enter the VPN tunnel IP address.

      This address is associated with the VPN tunnel through which encrypted information passes. This address should be unregistered.

      IMPORTANT:  The VPN tunnel IP address for all VPN servers must be on the same subnet.

    5. Enter the subnet mask for the VPN tunnel IP address.

    6. Press Esc and select Yes when prompted to save your changes.

  4. Generate the slave server encryption information.

    1. Select Generate Encryption Information.

    2. Enter the location of the master encryption information file (MINFO.VPN).

    3. Contact the master server administrator and verify that you have the same message digest values.

      Having the same digest values ensures the authenticity of the MINFO.VPN file.

      IMPORTANT:  If the message digest values do not match, the encrypted tunnel between the slave and master servers cannot be created. In this case, the master server administrator must provide a new MINFO.VPN file.

    4. Ask the master server administrator to select Authenticate Encryption Information to authenticate the MINFO.VPN file.

      To authenticate this file, the administrator must load VPNCFG and select the following menu path:

      Master Server Configuration > Authenticate Encryption Information

    5. If the message digest values match, enter up to 255 characters for the random seed.

      There is no need to record this value. The software uses this value to help randomize the Diffie-Hellman public and private values that it generates for the slave server.

  5. Copy the slave encryption information file (SINFO.VPN) to diskette or save it to a local hard disk.

    1. Select Copy Encryption Information.

    2. Enter the path or name of the file in which you want to save the slave encryption information file. The default is A:\SINFO.VPN.

    HINT:  Rename your SINFO.VPN file to a name such as SINFO_S1.VPN. This enables the master server administrator to collect all slave encryption information files in a single directory without overwriting them. You can also use a server or location name when renaming the SINFO.VPN file.

  6. Give your slave encryption information file to the master server administrator.

    You can either send the diskette containing the file by surface mail or send the file as an e-mail attachment. There is no danger of compromising security if the file is intercepted because it cannot be interpreted without the master server's RSA public and private keys and Diffie-Hellman public and private values.

  7. Press Esc until you exit VPNCFG.

IMPORTANT:  Before the slave server can communicate with other members of the VPN, you must perform the procedure described in Setting Up Your VPN.


Adding a Server to a VPN

Before you can add a server to a VPN, you must use the VPNCFG utility to do the following:

After you complete the VPNCFG procedures, the master server is automatically added to the VPN. You use the NetWare Administrator utility to add a server to a VPN and synchronize VPN servers.

To add a slave server to the VPN, complete the following steps:

  1. In NetWare Administrator, double-click the VPN master server and select the Novell BorderManager 3.7 Setup page.

  2. Click the VPN tab.

  3. Double-click Master Site-to-Site under Enable Service.

  4. Click Add.

  5. Locate the encryption information file for the server you want to add, then click Open.

    The encryption information file is generated during the procedure described in Setting Up Your VPN. The default name for the file is SINFO.VPN. NetWare Administrator reads the file and displays a 16-byte message digest.

  6. Contact the administrator of the VPN slave server and ask him to select Authenticate Encryption Information to authenticate the SINFO.VPN file.

    To authenticate this file, the administrator must load VPNCFG and select the following menu path:

    Slave Server Configuration > Authenticate Encryption Information

    Compare the value of your message digest with the one generated at the slave server console.

  7. If the digests are equal, click Yes; otherwise, click No.

    Unequal digest values indicate that the data has been tampered with or corrupted.

  8. Click Status.

  9. Click Synchronize All, then click OK.

Complete this procedure for each slave server that you want to add as a member of the VPN.
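The three file hand-offs above (the master's MINFO.VPN, the slave's SINFO.VPN, and the master's authentication of SINFO.VPN in NetWare Administrator) all rely on the same out-of-band digest check. The following is an added model of that exchange, not Novell's code or file format: it assumes a constructed toy Diffie-Hellman group, a JSON file layout, and BLAKE2b-128 as the 16-byte digest, and shows that a file altered in transit is rejected before any keys are derived from it.

```python
"""Model of the MINFO.VPN / SINFO.VPN exchange with out-of-band digest checks."""
import hashlib
import json
import secrets

# Constructed toy Diffie-Hellman group (assumption, illustration only);
# a production VPN uses a large standardised group.
P = 2 ** 127 - 1
G = 2


def digest16(blob: bytes) -> str:
    """16-byte digest of an encryption information file, as hex.

    BLAKE2b-128 is an assumption: the page only states that the digest
    shown to the administrator is 16 bytes, not which algorithm produces it.
    """
    return hashlib.blake2b(blob, digest_size=16).hexdigest()


def make_info_file(role: str, private: int) -> bytes:
    """Serialise a member's public DH value (public information only)."""
    return json.dumps({"role": role, "dh_public": pow(G, private, P)}).encode()


def read_info_file(blob: bytes, expected_digest: str) -> int:
    """Accept a received file only if its digest equals the value the peer's
    administrator confirmed out of band (phone, in person); return the DH value."""
    if digest16(blob) != expected_digest:
        raise ValueError("digest mismatch: file tampered with or corrupted")
    return json.loads(blob)["dh_public"]


def run_exchange(tamper: bool = False) -> dict:
    """Simulate master and slave setup; optionally corrupt MINFO.VPN in transit."""
    master_priv = secrets.randbelow(P - 2) + 1
    slave_priv = secrets.randbelow(P - 2) + 1

    # Master side: Generate Encryption Information, Copy Encryption Information.
    minfo = make_info_file("master", master_priv)
    minfo_digest = digest16(minfo)  # read out to the slave administrator, not sent with the file

    if tamper:
        # Constructed in-transit alteration: the public value is changed but the
        # file is still well-formed, so only the digest comparison can catch it.
        minfo = minfo.replace(b'"dh_public": ', b'"dh_public": 1')

    # Slave side: verify MINFO.VPN against the master administrator's digest.
    try:
        master_pub = read_info_file(minfo, minfo_digest)
    except ValueError as exc:
        return {"status": "rejected", "reason": str(exc)}

    # Slave side: generate its own values and hand SINFO.VPN back to the master.
    sinfo = make_info_file("slave", slave_priv)
    sinfo_digest = digest16(sinfo)  # confirmed with the slave administrator out of band

    # Master side: Authenticate Encryption Information for SINFO.VPN.
    slave_pub = read_info_file(sinfo, sinfo_digest)

    # Both members now derive the same tunnel secret from authenticated values.
    master_secret = pow(slave_pub, master_priv, P)
    slave_secret = pow(master_pub, slave_priv, P)
    return {"status": "ok", "keys_agree": master_secret == slave_secret}


if __name__ == "__main__":
    print(run_exchange())
    print(run_exchange(tamper=True))
```

The digest is never transmitted alongside the file; it travels by a second channel, which is what lets the comparison detect substitution of the public values.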


Synchronizing VPN Servers

When you synchronize servers on a VPN, the VPN master server updates all VPN slave servers with the current VPN topology and encryption keys. A server's synchronization status can assume one of the following states:

NOTE:  Any server state that remains at Being Configured or Being Removed for an extended period of time indicates a problem with the master server's ability to communicate with that VPN member. For more information, refer to the VPN online documentation.

To synchronize the members of a VPN:

  1. In NetWare Administrator, double-click the VPN master server and select the Novell BorderManager 3.7 Setup page.

  2. Click the VPN tab.

  3. Under Enable Service, double-click Master Site-to-Site.

  4. Click Status.

    The Synchronization Status window displays each member of the VPN, its public IP address, and its update status.

  5. To synchronize all servers on the VPN, click Synchronize All.

    Or

    To synchronize only one server on the VPN, select the server name and click Synchronize Selected.


Setting Up Specific Site-to-Site VPN Configurations

There are several different ways you can build your site-to-site VPN. Depending on the configuration you require, you will need to complete several different setup tasks. The following detailed examples are available in the VPN online documentation:

NOTE:  To correctly set up a VPN for a particular configuration, it is vital that you refer to the examples in the VPN online documentation. The examples contain procedures that are required for a particular configuration but are not included in the basic procedures provided in this publication.


Setting Up Client-to-Site VPNs

This section explains the tasks required to set up a client-to-site VPN and make a client-to-site connection. This section contains the following procedure:


Setting Up a VPN Server to Support VPN Clients

To set up a VPN server to support VPN clients:

  1. Set up a NetWare server with the VPN software.

    • If you want the server to be a member of a site-to-site VPN network (master or slave), set up the VPN server to be part of the VPN network, as described in Setting Up Your VPN or Setting Up Your VPN.
    • If you want the server to support only remote clients and not be a member of a site-to-site VPN network, set up the VPN server as a VPN master, as described in Setting Up Your VPN.
    • You must place the server in the path between your intranet and the Internet. If you have multiple access points to the Internet from your intranet, you must make sure the packets from the intranet can return to the VPN client through the VPN server. Packets will return to the client if you make the VPN server the default router on your network, or if you enable NAT on the private interface of your VPN server.

  2. In NetWare Administrator, double-click the VPN server that you want to support the clients and select the Novell BorderManager 3.7 Setup page.

  3. Click the VPN tab.

  4. Double-click Client-to-Site under Enable Service.

  5. (Optional) Configure the Inactivity Timeout parameter, if required.

  6. To enable the encryption of IPX data for VPN clients, you must set WAN Client IPX Network Address to the IPX network address that VPN clients will use to access this server.

    This address must be unique and should not match the server's network address or the network address of any of the server's LAN adapters. If the client dials directly in to the VPN server using the remote access software, the IPX network address that you configured for remote access is automatically displayed. If you change the address in this field, the remote access software is updated with the new address.

    IMPORTANT:  When IPX support is enabled for the VPN client on Windows 95 and Windows 98 workstations, the client's IPX LAN connection is disabled after the VPN IPX connection is established. This also occurs when the client is not a VPN client and you use Dial-Up Networking with IPX enabled.

  7. (Optional) If you do not want the VPN clients to negotiate the data encryption and data authentication methods for the connection with the VPN server, select Restrict Clients to Use Server Preferred Security.

    To configure the server's preferred security, select Details under Master Site-to-Site or Slave Site-to-Site.

  8. (Optional) If you want to specify a limited number of networks to which VPN clients can communicate securely using encryption, configure a list of protected networks.

    To add a network to the list, select Encrypt Only Networks Listed Below > click Add. Select the network address and subnet mask > click OK.

    This step is optional because by default the client encrypts data to and from all networks. By specifying a list of protected networks, you enable the VPN client to send unencrypted IP traffic to the Internet and encrypt only intranet traffic.

    If you have an IPX-only network and do not want to encrypt IP traffic, select Do Not Encrypt Any IP Packets.

  9. (Optional) Click Digest to view the digest of the VPN server's configuration information.

    This digest is used to authenticate the information sent to the VPN client during its attempt to log in to the VPN server.

  10. Click OK > select Novell BorderManager 3.7 Access Rules.

  11. To configure the NDS or eDirectory users, groups, or containers that are allowed to use this VPN server, complete the following substeps:

    1. Click Add.

    2. Select VPN Client for the access type.

    3. Under Source, select Specified > click Browse.

    4. Click Add.

    5. Select a user, group, or container from the list of objects in the NDS or eDirectory tree, then click OK.

    6. Repeat the steps for each additional object, as required.

  12. Click OK until you return to the VPN page.

  13. If needed, configure authentication rules and access methods.

    VPN clients can use security devices such as hardware tokens in addition to using their NDS or eDirectory password to authenticate to the VPN server. If a Login Policy object exists in your NDS or eDirectory tree, it is associated with all VPN version 3.7 servers in the tree, and authenticates VPN users using authentication rules and access methods defined in the object.

    If you have a Login Policy object in your tree, then only users that have a rule defined for their authentication method can connect to the VPN server.

  14. If users are accessing the VPN server using the remote access software, set up the remote access accounts for the users as described in Setting Up Virtual Private Networks.

  15. Provide VPN users with the following information by e-mail or telephone:

    • The NDS or eDirectory username and password assigned to each user for the tree that contains the VPN server
    • If users are accessing the VPN server through an ISP, the IP address of the VPN server
    • If users are dialing directly in to the VPN server, the remote access information (phone number and remote access password)
    • (Optional) The digest of the VPN server configuration information


Installing a VPN Dial-Up or LAN Client on a Windows 98, Windows 2000, Windows XP, Windows Me or Windows NT Workstation

To install a VPN client on a Windows 98, Windows 2000, Windows XP, Windows Me or Windows NT Workstation:

  1. If you are using a dial-up client, verify that the workstation has a modem installed and set up.

  2. Insert the VPN client CD-ROM and start the installation program.

  3. Follow the online instructions in the installation program. Insert the Windows 98, Windows 2000, Windows XP, Windows Me or Windows NT CD containing the Novell Client software provided with Novell BorderManager 3.7 when prompted to do so.

  4. Restart the workstation when prompted.

    If the installation is successful, the Novell Virtual Private Network adapter will appear in the Windows 98, Windows 2000, Windows XP, Windows Me or Windows NT Network Control Panel. For Windows NT systems, the Novell BorderManager 3.7 VPN Client is listed under Services in the Network Control Panel.


Setting Up a VPN Dial-Up Client on a Windows 98, Windows 2000, Windows XP, Windows Me or Windows NT Workstation

A default dial-up entry named Novell VPN is automatically created for the VPN client during installation. This dial-up entry can be used to connect to your ISP by starting the VPN Login software. Use the VPN Login dialog box to configure various parameters before connecting to your ISP. These parameters include the dialing properties, the dialing location, the type of modem that is used, and the phone number, which can be entered manually or selected from a phone book listing. If you do not want to use the default dial-up entry, you can create a new entry using Microsoft Dial-Up Networking.

To create and configure a new dial-up entry on a Windows 98, Windows 2000, Windows XP, Windows Me or Windows NT Workstation:

  1. Create a new dial-up entry.

    1. Double-click Make New Connection.

    2. Enter the name of the dial-up entry and select the modem.

    3. Click Next and enter the area code, phone number, and country code.

    4. Click Next, then click Finish to complete the dial-up entry.

  2. For Windows 98, Windows 2000, Windows XP, Windows Me clients, set the server type for the dial-up entry. For Windows NT clients, do not change the default setting.

    1. Right-click the dial-up entry and select Properties, or select the dial-up entry and select Properties from the File menu.

    2. Select Server Type.

    3. Set Type of Dial-Up Server to Novell Virtual Private Network.

    4. Click OK to save your changes.


Logging In from a VPN Client

Use the Dial-up VPN Login if you want to use a Microsoft Dial-Up Networking entry to connect to your ISP.

Use the LAN VPN Login if you are already connected to your ISP through a cable modem, an ADSL device, a LAN connection, or an established dial-up connection.

To log in from a VPN client, complete the following steps:

  1. Start the VPN login in one of the following ways and wait for the Novell VPN Login dialog box to appear:

    • Double-click one of the VPN Login icons that were automatically created during the client installation.
    • For Windows 98 and Windows Me clients, select Start > Programs > Novell > Novell BorderManager 3.7 VPN client > Dial-up VPN login or LAN VPN login.
    • For Windows NT clients, select Start > Programs > NetWare > Novell BorderManager 3.7 VPN client > Dial-up VPN login or LAN VPN login.
    • On Windows 98 and Windows Me workstations, double-click the VPN dial-up entry. The VPN Login program is launched when the specified dial-up connection is established.

  2. Select the NetWare Login tab in the Novell VPN Login dialog box and provide the following information:

    • NDS or eDirectory username
    • NDS or eDirectory password
    • NDS or eDirectory context
    • VPN server's IP address

      The IP address can be followed by a space and a description.

    • Token Password (Optional)

      This password is required only if you have configured the Login Policy object with rules requiring VPN clients to use a security device such as a hardware token in addition to using their NDS or eDirectory password. See the Authentication Services online documentation for more information on how to generate the token password and configure authentication rules.

    After the client has been successfully authenticated, this information (except for the password) is saved by the VPN client in the workstation's registry and is presented to the user the next time the VPN client comes up. The most recently used entries for the name and IP address are saved and displayed.

  3. For Dial-Up connections, select the Dial-Up tab and select a VPN dial-up entry name from the list of configured entries.

  4. (Optional) Enter the dial-up username and password if you have not connected using this dial-up entry before or your password was not saved.

    To configure the phone number and other dial properties, select Settings. You can override the dial-up password and phone number configured in the dial-up entry by selecting or entering new values.

  5. (Optional) If your ISP is using the RADIUS proxy feature to authenticate users, click Use NetWare Name and set RADIUS Domain to the name used by the ISP to identify the domain that contains the user when acting as an authentication request proxy.

    The name used for the dial-up authentication is the NetWare username and context, followed by the RADIUS domain that you enter. For example, if the username is User1, the context is Engineering.ACME, and the RADIUS domain is acme.com, then the name used for the dial-up authentication is .User1.Engineering.ACME@acme.com.

  6. Select the NetWare Options tab and select from the following options:

    • Enable IPX Encryption---Enables the VPN client to communicate with the VPN server using IPX.

      NOTE:  If you configured your Novell Client software to use the compatibility mode driver (CMD), you can use the CMD to access IPX services through the VPN, instead of enabling IPX.

    • Login to NetWare---Automatically logs in to NetWare after the encrypted tunnel is established with the VPN server.
    • Clear Current Connection---Determines whether the connection replaces or augments your existing connections.
    • Run Scripts---Automatically executes your user login script.
    • Display Results Window---Automatically displays the result of login script processing.
    • Close Script Results Automatically---Automatically closes the script processing results page when the login is successful.

  7. Click the Launcher tab to specify an application that is launched after the encrypted tunnel has been established with the VPN server.

  8. Click OK to connect to the VPN server.

  9. If you are prompted to compare the summary of the authentication information to the information that the administrator distributed, click OK if the values match.

    This prompt is displayed only if you are connecting to this VPN server from this workstation for the first time or the VPN server has regenerated its keys.

  10. (Optional) Click the VPN Status tab to view the progress of the VPN connection.

    After the connection is established, a VPN Client icon appears in the task bar. Double-click the icon to display VPN client statistics for this session. For more information about VPN client statistics, refer to the VPN online documentation.

  11. To terminate your VPN connection, double-click the VPN statistics icon and click Disconnect.

    On Windows NT systems, do not terminate your session by disconnecting your dial-up connection using the Dial-Up Monitor. You must terminate your VPN connection from the VPN Statistics screen.


Setting Up Specific Client-to-Site VPN Configurations

There are several different ways you can build your client-to-site VPN. Depending on the configuration you require, you will need to complete several different setup tasks. The following detailed examples are available in the VPN online documentation:

NOTE:  To correctly set up a VPN for a particular configuration, it is vital that you refer to the examples in the VPN online documentation. The examples contain procedures that are required for a particular configuration but are not included in the basic procedures provided in this publication.
