VPN Client Features

The following features are available in the VPN client software:


X.509 Certificate Authentication Mode

The Novell BorderManager 3.8 VPN client provides the user with an X.509 certificate and the server's trusted root to perform the IKE main mode of authentication. These two should be copied to the local workstation (<drive>:\novell\vpnc\certificates\users and <drive>:\novell\vpnc\certificates\trustedroot, respectively) from where the VPN is to be executed.


Certificate Retrieval

The VPN client provides a feature to retrieve the user certificate from Novell eDirectory™. If the Novell Client™ is installed, this option is enabled so the user can retrieve his or her certificate. To retrieve a user certificate, you must provide the username, password, context, IP address (optional), and the user certificate name (such as adminCert). This retrieves the user certificate and stores it in <drive>:\novell\vpnc\certificates\users as AdminCert.pfx. If a user has more than one certificate, they are stored as AdminCert(n).pfx, where n is 1, 2, and so on.


Local Policy

In the Certificate mode of authentication, the user can provide IKE and IPsec parameters by clicking the policy editor on the VPN tab. This local policy is applied if the VPN server does not impose a policy of its own. When connecting to a Novell BorderManager 3.8 VPN server, only the proposal part takes precedence; the IPsec policy and traffic rule do not take effect. For third-party servers, this proposal is preferred and the IPsec policy and traffic rule are applied to outgoing traffic.


NMAS Authentication Mode

The Novell VPN client is integrated with Novell Modular Authentication Services (NMAS™). NMAS works with the Novell Client, so you must install the Novell Client to benefit from the NMAS functionality.

Select the NMAS option on the Configuration tab and provide the NMAS user information and credentials on the eDirectory tab. On the VPN tab, provide the VPN server IP address and the NMAS sequence (for example, NDS/eDirectory, Universal Smart Card, Simple Password, and so on). The selected method displays a dialog box.

When users uninstall Novell Client 4.9, they also need to uninstall NMAS. Leave the NMAS methods installed and remove only the client.


NMAS LDAP Authentication Mode

Select NMAS and select the LDAP check box on the Configuration page. Go to the VPN page and specify the VPN server IP address and LDAP user DN (for example, CN=Admin,O=Novell). The LDAP method displays a dialog box for the credential.


Backward Compatibility Mode

Select Backward Compatibility mode on the Configuration tab. Provide eDirectory credentials on the eDirectory page. In this mode, the Novell BorderManager 3.8 client communicates with the Novell BorderManager server (BMEE 3.6, Novell BorderManager 3.7, or Novell BorderManager 3.8) in SKIP mode. ActiveCard token authentication is enabled if NMAS is installed on the client. The ActiveCard token authentication method works only if the ActiveCard token method is configured for the user in eDirectory. The VPN page requires credentials for the ActiveCard token method.


Pre-shared Authentication Mode

Select Pre-shared Authentication Mode on the Configuration page. Go to the VPN page and provide the pre-shared key configured in the VPN server.

The pre-shared key (PSS) mode of authentication is supported only for the purpose of debugging and for standards compliance. Traffic rules for the pre-shared key mode cannot be set using the iManager configuration snap-ins. Instead, you can use the set parameters on the server console to specify a single traffic rule for PSS.


X-AUTH hybrid mode

Select X-Auth hybrid mode under Authentication Method on the Configuration page. Click the VPN tab and, on that page, provide the VPN server IP address, username, and password. The user needs to copy the trusted root certificate corresponding to the server. VPN Server IP Address is the IP address of the VPN server, and the username needs to be specified as required by the server (third-party servers only).

NOTE: X-Auth hybrid mode is supported in aggressive mode only, and this has to be enabled in the policy editor. The policy editor page opens when you click the Policy Editor button on the VPN page.


X-AUTH PSK Mode

Select X-Auth PSK under Authentication Method on the Configuration page. Go to the VPN page by clicking the VPN tab and provide the VPN server IP address, username, password, and shared secret.

VPN Server IP Address is the IP address of the VPN server, and username is the full DN name, for example, john.novell.

Shared Secret: This is used for IKE Phase 1 authentication. The shared secret should be the one configured on the server.

NOTE: While connecting to an NBM server, set the IKE mode to main mode along with PFS=yes in the policy editor.


VPN Client Integration with the Novell Client

This version of the Novell VPN client integrates into the Novell Client for Windows 98, Windows NT, Windows 2000, or Windows XP Home. Restart the machine after installing the new VPN client; during the restart, the VPN client integrates with the Novell Client. After the system comes up, the Novell Login page has a Location drop-down list. The list contains the default entry as well as an entry for the VPN capabilities. You can select any of the locations, depending on the operation to be performed.

Four new tabs are available that can be configured in a Service Instance by selecting Novell Client32 Properties. The four tabs do the following:


Use NICI for Encryption

This version of the VPN client for Windows 98, Windows Me, Windows NT, Windows 2000, and Windows XP uses NICI (128-bit) encryption because there are no export restrictions with NICI.

If NICI 1.7.0 (128-bit version) is not installed, the VPN Setup program installs it. This version of NICI overwrites NICI 1.5.7 (56-bit) or NICI 1.5.3 (56/128-bit), but not NICI 2.6.0. If NICI 2.6.0 is installed, NICI 1.5.7 and 2.6.0 will co-exist.


Selecting Dial-Up Entries

On Windows 98 and Windows Me, you can select a dial-up entry of any server type. Previously (with Novell BorderManager Enterprise Edition 3.0), you could only select dial-up entries of type Novell Virtual Private Network. All entries must be configured to negotiate only for TCP/IP connections. If you want to invoke the VPN client from Dial-Up Networking instead of vpnlogin.exe, then the dial-up entry that you select from Dial-Up Networking must be of server type Novell Virtual Private Network; otherwise, vpnlogin.exe is not spawned after the dial-up connection is established.

On Windows NT, you can select a dial-up entry of any server type. There is no Novell Virtual Private Network server type from the Dial-Up Networking selection on Windows NT.

If there is a dial-up requirement, install dial-up networking before you install the VPN client.

When you make your dial-up entry selection from VPNLogin.exe, choose entries that do not enable Point-to-Point Protocol (PPP) compression. Compressing data that has been encrypted incurs unnecessary CPU overhead and does not offer any savings in the size of the packets being sent.

Install the modem, then install the VPN client.


Automatic Creation of a Novell VPN Dial-Up Entry

During VPN client installation, if you choose to use Dial-Up Networking, the VPN client installation creates a Novell VPN dial-up entry for you.


Password Expiry Notice

During VPN client login, the eDirectory user is notified if the user's eDirectory password has expired and grace logins are being used. The user is also given an option to change the eDirectory password during VPN Client login. This option is also provided via the VPN Client task bar. Users see the Change Password option only if they are using eDirectory credentials for VPN or NetWare login from the VPN client application. Change Password will fail for contextless login. It requires eDirectory user credentials.


VPN Server Hosts List

If you have a file named vpnhost.txt in your VPN client installation directory, the installation program takes the IP addresses from this file and writes them to the workstation's registry. Each line of the vpnhost.txt file can contain one IP address, optionally followed by a description of the entry. For example:

130.1.1.1 My Corporate VPN in Bangalore.
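As an added illustration that is not part of the original documentation or the Novell installer, the following Python snippet parses a constructed vpnhost.txt in the format described above and rejects entries that are not valid IPv4 addresses before anything would be written to the registry. The comment-line handling and duplicate check are assumptions of this example, not documented installer behaviour.

```python
import ipaddress
from typing import List, NamedTuple, Tuple


class VpnHost(NamedTuple):
    address: str      # dotted-quad IPv4 address of the VPN server
    description: str  # optional free-text description, may be empty


# Constructed sample vpnhost.txt content in the documented format:
# one IP address per line, optionally followed by a description.
SAMPLE_VPNHOST_TXT = """\
130.1.1.1 My Corporate VPN in Bangalore.
# comment lines are an assumption of this example, not documented behaviour
192.0.2.10
   10.0.0.1    Lab gateway
300.1.1.1 Octet out of range
not-an-ip Hostnames are not allowed by the format
130.1.1.1 Duplicate of line 1
"""


def parse_vpnhost(text: str) -> Tuple[List[VpnHost], List[str]]:
    """Return (accepted hosts, error messages) for vpnhost.txt content.

    Entries become VPN server targets in the workstation registry, so a
    malformed or duplicated address is reported instead of silently imported.
    """
    hosts: List[VpnHost] = []
    errors: List[str] = []
    seen = set()
    for lineno, raw in enumerate(text.splitlines(), start=1):
        line = raw.strip()
        if not line or line.startswith("#"):
            continue                      # blank line or comment (assumed)
        parts = line.split(None, 1)       # address, then the rest as description
        addr = parts[0]
        desc = parts[1].strip() if len(parts) > 1 else ""
        try:
            ipaddress.IPv4Address(addr)   # strict dotted-quad validation
        except ValueError:
            errors.append(f"line {lineno}: invalid IPv4 address {addr!r}")
            continue
        if addr in seen:
            errors.append(f"line {lineno}: duplicate address {addr}")
            continue
        seen.add(addr)
        hosts.append(VpnHost(addr, desc))
    return hosts, errors


if __name__ == "__main__":
    ok, bad = parse_vpnhost(SAMPLE_VPNHOST_TXT)
    for h in ok:
        print(f"{h.address:<15} {h.description}")
    for e in bad:
        print("rejected:", e)
```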


Policy

The policy specified by the administrator in eDirectory is applied on the client. If a policy is changed for that particular VPN user while a VPN session is active, the changes are not reflected until the next session.


VPN Connections through NAT

NAT support on the VPN client provides IKE-NAT Traversal and UDP encapsulation in addition to the NAT support provided by earlier versions of Novell BorderManager. IKE-NAT traversal and UDP encapsulation is the standard used in the industry.

Make sure that the NAT supports the ESP protocol. If you are using NetWare NAT, download the latest nat.nlm from the filtsrv\system directory on the product CD. This NAT supports ESP.

If the NAT gateway and any NetWare server are in the same subnet and RIP is enabled on both of them, users cannot communicate between the VPN servers.

NOTE: Because of the standard IKE support, the VPN server can be behind NAT and the VPN client can still connect to it using the IP address of the NAT instead of the server's IP address. This prevents the VPN server from being exposed to public networks.