Upgrading a VPN from a Previous Version

Earlier versions of BorderManager VPN servers use SKIP for key management. They also use VPNCFG and NWAdmn for configuration. Novell BorderManager 3.8 supports industry-standard IKE for key management, but also supports backward compatibility with Novell BorderManager 3.7 in SKIP mode. This section discusses ways of upgrading a VPN network that runs an earlier version of BorderManager to a Novell BorderManager 3.8 VPN network without affecting the connectivity between these networks. If you want to migrate the VPN configuration before upgrading to Novell BorderManager 3.8, make sure that the VPN is configured.

NOTE:  After initial configuration through VPNCFG, reload vpmaster and vpslave if they are not already loaded.


General Guidelines for Upgrading

First, upgrade the master Novell BorderManager 3.8 server. Upgrade the slaves only after the master is upgraded.

When a master or slave is upgraded, automatic VPN configuration migration is supported from earlier versions of BorderManager configuration to Novell BorderManager 3.8 configuration. The actual upgrade consists of three steps:

  1. Installing Novell BorderManager 3.8 over earlier versions of BorderManager.
  2. During installation, selecting the Automatic Migration check box, which will automatically migrate the existing configuration.
  3. Some additional manual configuration or migration is necessary for certain scenarios. These scenarios are discussed later.

After the above three steps are complete, an earlier version of a BorderManager server can be considered fully migrated to a Novell BorderManager 3.8 server.

You can upgrade the slaves one by one. When some slaves are migrated and others are running an earlier version of BorderManager, the servers communicate with each other in the SKIP mode, if SKIP is configured on both. After all the slaves are migrated, remove the SKIP configuration on all the servers and retain only the IKE configuration.

The SKIP configuration needs to be done using VPNCFG and NWAdmn, as with previous versions. The IKE configuration can be done using the iManager plug-ins. The Novell BorderManager 3.8 slaves and master can be monitored through the new NetWare Remote Manager monitoring interface. For information, see Monitoring Virtual Private Networks.

IMPORTANT:  Always back up your networking configuration files before an upgrade. The files to be backed up are \etc\tcpip.cfg, \etc\netinfo.cfg, and \etc\gateways. In the event of an abend and subsequent file corruption, this backup will help in restoring the networking configuration.

After migrating a slave to Novell BorderManager 3.8 and configuring site-to-site for IKE mode, the two servers might still continue to communicate in the SKIP mode for a few minutes until the changes take effect. Data communication continues to happen during this period.


Example Upgrade Scenario

The following example setup consists of one master and two slaves. All of them are running an earlier version of Novell BorderManager. The focus of the upgrade is to migrate all the existing VPN servers to Novell BorderManager 3.8 and eventually have the servers using IKE for key management. These servers can then be configured and monitored using Web-based interfaces. You can also add a new Novell BorderManager 3.8 slave to the VPN site-to-site network. This will be a fresh, newly configured Novell BorderManager 3.8 slave.

Figure 68
Example Upgrade Scenario


Upgrade Procedure

The following upgrade scenarios are discussed here:


Upgrading an Earlier BorderManager Master to Novell BorderManager 3.8

  1. Run the Novell BorderManager 3.8 installation on the master.

  2. On the upgrade page, make sure the Migrate check box is selected (this is selected by default).

  3. After the master is upgraded, verify that the configuration migration is successful by viewing the server and site-to-site configuration in the iManager VPN configuration pages.

  4. Use the VPN console option 5 to verify that the master contains information about all the slaves.


Upgrading an Earlier BorderManager Slave to Novell BorderManager 3.8

  1. Run the Novell BorderManager 3.8 installation on the slave.

  2. In the upgrade page, make sure the Migrate check box is selected (this is selected by default).

  3. After the slave is upgraded, verify that the configuration migration is successful by viewing the slave server's configuration in the iManager VPN configuration page.

  4. Using iManager, go to the slave and configure the slave for IKE.

    1. Import the master's trusted root certificate as a TRO into the trusted root container of the slave.

    2. Add the certificate subject name of the master.

  5. Using iManager, go to the master:

    1. Import the slave's trusted root certificate as a TRO into the master's trusted root container.

    2. Add the slave member to the site-to-site member configuration.


Adding a New Novell BorderManager 3.8 Slave to a Partially or Fully Upgraded Setup

  1. Run the Novell BorderManager 3.8 installation on the slave. Because this is not an upgrade, the configuration migration does not take place.

  2. In iManager, complete the following steps:

    1. Go to the slave and configure the slave for IKE. For information, refer to Configuring a VPN Server As a Slave Server.

    2. Go to the master and add this slave as a Novell BorderManager 3.8 slave. For information, refer to Configuring a VPN Server As a Slave Server.

      At this point, the new slave is able to receive the configuration from the master, and also communicate with the other Novell BorderManager 3.8 slaves.

  3. [Conditional] If this slave is required to communicate with the other earlier BorderManager slaves in a partially upgraded setup, add SKIP configuration using VPNCFG. Then add the slave as a SKIP slave using NWAdmn.

IMPORTANT:  It is important for the Novell BorderManager 3.8 slave to be configured first for IKE. After that, configure the SKIP.


Adding a New BorderManager 3.7 Slave to an Existing Novell BorderManager 3.8 Setup

Although this scenario is not recommended, it is supported in this release.

Configure the earlier BorderManager slave using VPNCFG and add it as an earlier BorderManager slave using NWAdmn. After this is done, the slave is able to communicate with the master and the other BorderManager slaves configured for SKIP.


Removing SKIP Configuration

After all the earlier BorderManager slaves are upgraded to Novell BorderManager 3.8 and are configured for IKE, the SKIP configuration can be removed first from the slaves and finally from the master.

  1. Go to NWAdmn and remove the slave from the earlier BorderManager network.

  2. Use NWAdmn Monitoring to verify that the removal of the slave has taken effect on the master.

  3. Go to the slave and remove the SKIP configuration using VPNCFG. Repeat steps 1 to 3 for all the slaves.

  4. When all the slaves are removed from the earlier BorderManager network, use VPNCFG to remove the master's SKIP configuration.

NOTE:  Sometimes removing SKIP configuration will bring the VPN service down. Restart the VPN service with a stopvpn and startvpn sequence.
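The mixed-mode rules under General Guidelines and the preconditions for removing SKIP can be checked against a site inventory before any change is made. The following is an added example, not Novell code or a BorderManager data format: the Server record, the inventory and all function names are hypothetical, and it assumes that a pair uses IKE once both ends are configured for it.

```python
from dataclasses import dataclass
from itertools import combinations

@dataclass(frozen=True)
class Server:
    name: str
    role: str      # "master" or "slave"
    version: str   # "3.7" (SKIP only) or "3.8"
    skip: bool     # SKIP configured (VPNCFG / NWAdmn)
    ike: bool      # IKE configured (iManager, 3.8 only)

# Constructed sample: partially upgraded site plus a new IKE-only 3.8 slave.
INVENTORY = [
    Server("MASTER", "master", "3.8", skip=True, ike=True),
    Server("SLAVE1", "slave", "3.8", skip=True, ike=True),
    Server("SLAVE2", "slave", "3.7", skip=True, ike=False),
    Server("SLAVE3", "slave", "3.8", skip=False, ike=True),
]

def tunnel_mode(a, b):
    """Key management a pair can use, or None if no mode is shared."""
    if a.ike and b.ike:
        return "IKE"   # assumption: IKE is used once both ends have it
    if a.skip and b.skip:
        return "SKIP"
    return None

def broken_pairs(servers):
    """Pairs that cannot establish a tunnel in the current state."""
    return [(a.name, b.name) for a, b in combinations(servers, 2)
            if tunnel_mode(a, b) is None]

def skip_removal_blockers(servers):
    """Reasons SKIP removal must not start yet."""
    out = []
    for s in servers:
        if s.version != "3.8":
            out.append(f"{s.name}: still on {s.version}")
        elif not s.ike:
            out.append(f"{s.name}: upgraded but IKE not configured")
    return out

def skip_removal_order(servers):
    """Servers to strip SKIP from: slaves first, master last."""
    blockers = skip_removal_blockers(servers)
    if blockers:
        raise ValueError("; ".join(blockers))
    with_skip = [s for s in servers if s.skip]
    return [s.name for s in sorted(with_skip, key=lambda s: s.role == "master")]
```

On the sample inventory, the new IKE-only slave and the remaining 3.7 slave share no mode, which is the case the conditional SKIP step for a new slave addresses.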