VPN Server Configuration

The VPN server configuration page can be used to modify or delete an existing configuration, or to configure a new server as a VPN server. The prerequisites to configuring a VPN server are:

Click the NBM VPN Server Configuration role to display the following page:

Figure 44
NBM VPN Server Configuration
  1. The page is initially blank: the list of VPN servers stays empty until a VPN server is configured. After a server is added, the list shows the server, its IP address, and whether it is hosting a client-to-site or a site-to-site service. Use the Context text box to select the Novell eDirectory context in which you want to view the already configured VPN servers. Select Subtree Level for a detailed context check; a Subtree Level search shows all VPN servers residing in all subcontexts. To change the context, click the Browse button and select the context. After selecting the context, click Update List. Click Add to add a VPN server.

  2. Click the Browse button next to the field and choose a server in the tree.

    Figure 45
    VPN Server Selection
  3. Select a server from the list (it should be one of the underlined objects), then click Next.

    The selected server is reflected on the original page.

    Figure 46
    VPN Server Page
  4. Specify the details on the next page.

    • IP Address and Subnet Mask (Server): Public IP address and subnet mask of the VPN server. This is the public IP address bound to the NetWare server.

    • IP Address and Subnet Mask (Tunnel): The Novell BorderManager 3.8 server's virtual tunnel IP address and subnet mask. This address is the endpoint of the encrypted tunnel; it must not be a real IP address bound to an interface.

    • WAN Client IPX Network Address: Specifies the IPX network address that dialing clients will use for IPX connectivity. This is applicable only when you select the client-to-site check box.

    • Key Life Time: The IKE Key Life Time in minutes. The default is 480 minutes. This is the period for which an IKE key remains valid. A shorter lifetime means more frequent rekeying, which increases overhead and affects performance, but limits how long any single key stays in use and so provides higher security.

    • Configuration Update Interval: The interval at which the VPN server will look for updates to the configuration.

    • Server Certificate: Use the default value if you want to automatically create and use the server certificate (Key Material Object). If you want to use a server certificate that you have already created using the steps in Creating Server Certificates, select the Key Material Object from Novell eDirectory by using the Browse button.

    • Trusted Roots: The Trusted Root Container object that will contain all the Trusted Root objects for this VPN Server. Use the default value if you want to automatically create and use the Trusted Root Container. If you want to use a Trusted Root Container that you have already created using the steps mentioned in Creating Trusted Root Containers, select the Trusted Root Container for eDirectory using the Browse button (trusted root is one of the underlined items).

    • Perfect Forward Secrecy: Indicates whether PFS is enabled or disabled in IKE Quick Mode. Enable this if you want a higher level of security for IKE keys. For more information, refer to RFC 2409.

    • Trusted Master Server Certificate Subject Name: Specify the certificate subject name of the trusted master. If the master is in the same tree as the slave, browse to select the master's certificate instead of entering the certificate subject name.

    NOTE: If the VPN server is assigned a site-to-site role and is acting as a slave, the trusted master for this slave needs to be configured. The Trusted Master Server Certificate Subject Name field will be visible.

  5. The page now lists the server with both the client-to-site and site-to-site services shown as disabled, because neither service is yet enabled on this VPN server. To enable either or both of them, click the server name link.

  6. Use the button with an X to delete a VPN server configuration from a particular Novell BorderManager 3.8 server.

  7. Click the server name link to modify the VPN server information. When you modify a server, you can either change the VPN server parameters or enable (attach) a site-to-site or a client-to-site service.

HINT: The Synchronize feature is available when you modify VPN server information. Click Synchronize to reload the configuration information. The Synchronize feature saves the configuration information and increments or decrements the Configuration Update Interval by a second.
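
The parameter rules from step 4 (a public address that is actually bound to the server, a tunnel address that is not a bound interface address, a tunnel subnet distinct from the public one, a positive IKE key lifetime, and PFS) can be checked before they are typed into iManager. The following Python script is an added example and is not Novell BorderManager code; the VpnServerParams fields, the list of addresses assumed to be bound on the server, and the 24-hour rekey estimate are assumptions made for illustration.

```python
"""Pre-flight check of the VPN server parameters listed in step 4.

Added example; this is not Novell BorderManager code (the product validates
these fields in iManager). The VpnServerParams fields, the bound-address list
and the rekey estimate are assumptions made for illustration.
"""
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Interface
from typing import Iterable, List

DEFAULT_KEY_LIFETIME_MIN = 480  # product default for IKE Key Life Time (minutes)


@dataclass
class VpnServerParams:
    server_ip: str        # IP Address (Server): public address bound to the NetWare server
    server_mask: str      # Subnet Mask (Server)
    tunnel_ip: str        # IP Address (Tunnel): virtual tunnel endpoint, not bound to an interface
    tunnel_mask: str      # Subnet Mask (Tunnel)
    key_lifetime_min: int = DEFAULT_KEY_LIFETIME_MIN  # IKE Key Life Time in minutes
    pfs: bool = False     # Perfect Forward Secrecy in IKE Quick Mode


def validate(params: VpnServerParams, bound_addresses: Iterable[str]) -> List[str]:
    """Return the problems found, in a fixed order; an empty list means the
    parameters are consistent with the rules described on the page."""
    problems: List[str] = []
    try:
        # "addr/netmask" is accepted by ipaddress; a non-contiguous mask raises ValueError
        server = IPv4Interface(f"{params.server_ip}/{params.server_mask}")
        tunnel = IPv4Interface(f"{params.tunnel_ip}/{params.tunnel_mask}")
    except ValueError as exc:
        return [f"invalid address or mask: {exc}"]

    bound = {IPv4Address(a) for a in bound_addresses}

    # The server address must be a real address bound to the NetWare server.
    if server.ip not in bound:
        problems.append("server address is not bound to any interface on this server")

    # The tunnel address is the encrypted tunnel endpoint, not a bound interface address.
    if tunnel.ip in bound:
        problems.append("tunnel address is a real address bound to an interface")

    # A tunnel subnet that overlaps the public subnet makes routing ambiguous.
    if server.network.overlaps(tunnel.network):
        problems.append("tunnel subnet overlaps the server's public subnet")

    # Key lifetime: shorter means more frequent rekeying (more overhead, less
    # exposure per key); it must at least be a positive number of minutes.
    if params.key_lifetime_min <= 0:
        problems.append("IKE key lifetime must be a positive number of minutes")
    elif params.key_lifetime_min > DEFAULT_KEY_LIFETIME_MIN:
        problems.append(
            f"IKE key lifetime {params.key_lifetime_min} min exceeds the default "
            f"{DEFAULT_KEY_LIFETIME_MIN} min; each key stays in use longer"
        )

    # PFS in Quick Mode gives each session key its own Diffie-Hellman exchange,
    # so a compromised phase-1 secret does not expose earlier session keys.
    if not params.pfs:
        problems.append("Perfect Forward Secrecy is disabled")

    return problems


def rekeys_per_day(params: VpnServerParams) -> int:
    """Number of IKE rekeys the chosen lifetime implies over 24 hours
    (an estimate that assumes the tunnel stays up continuously)."""
    if params.key_lifetime_min <= 0:
        raise ValueError("lifetime must be positive")
    return (24 * 60) // params.key_lifetime_min


if __name__ == "__main__":
    # Constructed sample values: a documentation-range public address and a
    # private tunnel subnet; 192.0.2.10 is the only address assumed bound here.
    sample = VpnServerParams("192.0.2.10", "255.255.255.0", "10.8.0.1", "255.255.255.0", 480, True)
    bound_on_server = ["192.0.2.10"]
    for line in validate(sample, bound_on_server) or ["OK: no problems found"]:
        print(line)
    print(f"rekeys per day at {sample.key_lifetime_min} min: {rekeys_per_day(sample)}")
```

Run it with the addresses the NetWare server actually has bound (from the server console) in place of the constructed list; the checks that matter most in practice are the tunnel address not being a bound interface address and the two subnets not overlapping, since both mistakes leave the tunnel unroutable.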


VPN Server Behind NAT

The VPN server can also be configured behind NAT. To do so, use the nat.nlm shipped with Novell BorderManager 3.8. The nat.nlm is available in the filtsrv\system directory on the product CD. For more details on NAT, see Setting Up NAT.

In the case of static NAT, a site-to-site tunnel cannot be established between Novell BorderManager 3.7 and Novell BorderManager 3.8. Once the server is behind NAT, none of that server's SKIP capabilities will work.

Shipping versions of NetWare 6.5 do not work properly unless they are patched with bsdsock.nlm version 6.51o or later for NetWare 6.5. The domestic stack available on the Companion CD resolves this issue.