Before you start to set up the VPN component of the Novell BorderManager 3.9 software, you must meet the prerequisites described in this section.
Before you set up a site-to-site VPN, your network must meet the following requirements:
The NetWare routing software must be installed and configured on each VPN server. Configuring the routing software includes, but is not limited to, setting up the LAN links to the other VPN members, and configuring static or dynamic routing for Internet Packet Exchange™ (IPX) and IP packets.
Verify connectivity between your VPN servers as required by your selected VPN topology. Any associated firewall software should be configured and connectivity should be verified before the VPN software is installed and before each VPN server is attached to the private networks it will protect.
If your VPN sites are not on the same intranet, each VPN server must have a connection to the Internet, either directly or indirectly. If your VPN server is connected directly to the Internet, obtain the public IP address provided by your Internet Service Provider (ISP) to use when connecting to the Internet. Each VPN server uses the public IP address to exchange encrypted information with other VPN servers.
Obtain the public IP address before you set up the VPN. The ISP connection should also be tested before the VPN software is installed and before the VPN server is attached to any private networks. In the case of an intranet VPN, an ISP connection is not required.
If your VPN server is connected directly to the Internet, you must obtain a permanent IP address for the ISP connection.
The VPN server must have only one connection to the Internet. Otherwise, you risk sending and receiving your confidential data unencrypted if your data is routed to the other connection.
If you are configuring a VPN server for the first time in an NDS® or Novell eDirectory tree, you must be able to log in to the server's NDS or eDirectory tree with administrative rights in order to extend the Server object schema.
If the VPN server is also the firewall machine that protects your private network from the Internet, select the Setup Novell BorderManager 3.9 for Secure Access to the Public Interface option during the initial Novell BorderManager 3.9 installation and configuration. Otherwise, load BDRCFG to configure the required filters.
If your VPN server is behind a firewall, be sure to configure the firewall with the proper packet forwarding filters, as determined by your security policy.
If the firewall is also running the Novell BorderManager 3.9 software, select the Setup Novell BorderManager 3.9 for Secure Access to the Public Interface option during the initial Novell BorderManager 3.9 installation and configuration to automatically configure firewall filters.
These firewall filters must then be altered as determined by your security policy. In general, the filters must be altered to allow VPN members to communicate with each other and to allow encrypted packets to pass through. Refer to Setting Up VPN Filters.
The filters listed there can be used as a guideline for how the firewall filters should be altered for VPN. The filters might also have to be altered to allow communication with other Novell BorderManager 3.9 services.
The firewall filters can also be configured after installation by loading BDRCFG. If the firewall is not running the Novell BorderManager 3.9 software, you must configure these filters manually as described in the documentation provided with the third-party firewall product.
If you have set up two VPN servers on the same network, or the hop count between the two VPN servers is one, you must use FILTCFG to prevent all private network routes from being advertised through the public interfaces.
If your network uses Open Shortest Path First (OSPF) dynamic routing, your VPN server must be located on a pure OSPF backbone area.
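Two of the routing prerequisites above (a single Internet connection, and no private-network routes advertised through the public interface) can be checked before the VPN server is attached to the private network. The following script is an added example, not Novell or BorderManager code; the interface and advertisement model, the interface names and the addresses are constructed for illustration, and the snapshot would be filled in from however your routing configuration and FILTCFG expose the server's interfaces and advertised routes.

```python
"""Sanity check for two site-to-site VPN routing prerequisites:
  1. the VPN server has exactly one Internet-facing (public) interface, so
     traffic cannot be routed around the VPN unencrypted;
  2. no private-network route is advertised through a public interface.
The data model and sample snapshot are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List

# RFC 1918 space; extend with any other prefixes your policy treats as private
PRIVATE_NETS = [ipaddress.ip_network(n) for n in
                ("10.0.0.0/8", "172.16.0.0/12", "192.168.0.0/16")]

@dataclass(frozen=True)
class Interface:
    name: str
    public: bool          # True if the interface is attached to an ISP link

@dataclass(frozen=True)
class Advertisement:
    interface: str        # interface the route is advertised on
    prefix: str           # route being advertised, e.g. "10.1.0.0/16"

def is_private_prefix(prefix: str) -> bool:
    net = ipaddress.ip_network(prefix, strict=False)
    return any(net.subnet_of(p) for p in PRIVATE_NETS)

def leaked_private_routes(interfaces, advertisements) -> List[Advertisement]:
    """Private routes that would be advertised out of a public interface."""
    public_names = {i.name for i in interfaces if i.public}
    return [a for a in advertisements
            if a.interface in public_names and is_private_prefix(a.prefix)]

def check_vpn_routing(interfaces, advertisements) -> List[str]:
    """Returns a list of policy violations; an empty list means the server passes."""
    problems = []
    public = [i.name for i in interfaces if i.public]
    if len(public) != 1:
        problems.append(f"expected exactly one public interface, found {len(public)}: {public}")
    for adv in leaked_private_routes(interfaces, advertisements):
        problems.append(f"private route {adv.prefix} advertised on public interface {adv.interface}")
    return problems

# Constructed snapshot: a second, unintended Internet link plus a route leak.
SAMPLE_INTERFACES = [
    Interface("PUBLIC", public=True),
    Interface("PRIVATE", public=False),
    Interface("DSL_BACKUP", public=True),
]
SAMPLE_ADVERTISEMENTS = [
    Advertisement("PRIVATE", "10.1.0.0/16"),
    Advertisement("PUBLIC", "10.1.0.0/16"),      # leak: private route on the ISP link
    Advertisement("PUBLIC", "198.51.100.0/24"),  # a public prefix, allowed
]

if __name__ == "__main__":
    for problem in check_vpn_routing(SAMPLE_INTERFACES, SAMPLE_ADVERTISEMENTS):
        print("FAIL:", problem)
```

Run against the constructed snapshot it reports both violations: a second public interface (the case the "only one connection to the Internet" requirement guards against) and the 10.1.0.0/16 route leaking onto the ISP-facing interface, which is what the FILTCFG route filtering in the previous item is meant to prevent.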
Before you install the VPN client software, verify that the following prerequisites have been met:
The workstation must be running Windows 2000 or Windows XP.
If the VPN client will be using a dial-up connection, Microsoft Dial-Up Networking must be installed before installing the VPN client software. Refer to the VPN client Readme on the Novell Documentation Web site for limitations.
If you are using the VPN client with the Novell Client™ software, Novell Client version 4.9.1 or later is recommended.
If you are using the VPN LAN client, you must have an Ethernet adapter.
If you are using Windows NT, you must use an Intel-based workstation. The VPN client does not support Alpha workstations.
If you are using Windows NT, use the latest Service Pack, Windows NT SP4.
If you are using Windows NT, you must log in to Windows NT as a user with administrative rights in order to install the VPN client.
The VPN server must have only one connection to the Internet. Otherwise, you may risk sending and receiving your confidential data unencrypted if your data is routed to the other connection.
If your VPN server is behind a firewall, be sure to configure the firewall with the proper packet forwarding filters, as determined by your security policy. If the firewall is also running the Novell BorderManager 3.9 software, select the Setup Novell BorderManager 3.9 for Secure Access to the Public Interface option during the initial installation and configuration to automatically configure firewall filters.
These firewall filters must then be altered as determined by your security policy. In general, the filters must be altered to allow VPN clients to communicate with the server and allow encrypted packets to pass through. The filters listed in the following table can be used as a guideline for how the firewall filters should be altered. The filters might also have to be altered to allow communication with other Novell BorderManager 3.9 services.
The firewall filters can also be configured after installation by loading BDRCFG. If the firewall is not running the Novell BorderManager 3.9 software, you must configure these filters manually as described in the documentation provided with the third-party firewall product.
These tables provide details on the filter exceptions required on a Novell BorderManager 3.9 server to keep the different types of VPN connections up.
NOTE: After IKE negotiation completes, the KeepAlive port (UDP 353) is used by the client side to signal to the server side that the connection is up. It is also used to tell the server to reset the connection timeouts whenever traffic is started from the client end. For these reasons, this port must remain enabled, even for NMAS/IKE and even when keepalives are disabled.
The following filters must be opened on the firewall to allow the incoming packets.
The following filters must be opened on the firewall to allow the outgoing packets.
The following filters must be opened on the firewall to allow the incoming packets.
The following filters must be opened on the firewall to allow the outgoing packets.
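Whether the exceptions come from the Setup Novell BorderManager 3.9 for Secure Access to the Public Interface option, BDRCFG, or a third-party firewall, the same question has to be answered before the VPN server goes live: does the filter list permit every flow the VPN needs, and nothing else? The following script is an added example, not BorderManager, Novell or third-party firewall code. It models a first-match, default-deny packet filter and checks it against the flows a VPN member needs. The KeepAlive port (UDP 353) comes from the note above; the IKE port (UDP 500) and the ESP protocol number (IP protocol 50) are the standard IKE/IPsec values and are assumptions here, not values taken from this page's tables, which remain the authoritative list. The addresses are constructed.

```python
"""Checks a packet-filter exception list against the flows a BorderManager
VPN needs to keep a connection up. Filter model, rule format and sample
addresses are constructed for this example."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional

UDP, ESP = 17, 50          # IP protocol numbers
IKE_PORT = 500             # standard ISAKMP/IKE port (assumption, not from this page)
KEEPALIVE_PORT = 353       # VPN KeepAlive port, from the note above

@dataclass(frozen=True)
class Flow:
    name: str
    direction: str         # "in" = toward the VPN server's public address, "out" = from it
    proto: int
    src: str
    dst: str
    dport: Optional[int] = None

@dataclass(frozen=True)
class Rule:
    direction: str
    proto: int
    src: str = "0.0.0.0/0"
    dst: str = "0.0.0.0/0"
    dport: Optional[int] = None
    action: str = "permit"

def rule_matches(rule: Rule, flow: Flow) -> bool:
    if rule.direction != flow.direction or rule.proto != flow.proto:
        return False
    if ipaddress.ip_address(flow.src) not in ipaddress.ip_network(rule.src, strict=False):
        return False
    if ipaddress.ip_address(flow.dst) not in ipaddress.ip_network(rule.dst, strict=False):
        return False
    return rule.dport is None or rule.dport == flow.dport

def evaluate(rules: List[Rule], flow: Flow) -> str:
    """First matching rule wins; anything not explicitly permitted is denied."""
    for rule in rules:
        if rule_matches(rule, flow):
            return rule.action
    return "deny"

def required_flows(server_ip: str, peer_ips: List[str]) -> List[Flow]:
    """Flows one VPN member (or client) needs: IKE both ways, ESP both ways,
    and the client-to-server KeepAlive, which stays required even when
    keepalives are disabled (see the note above)."""
    flows = []
    for peer in peer_ips:
        flows += [
            Flow(f"ike-in {peer}", "in", UDP, peer, server_ip, IKE_PORT),
            Flow(f"ike-out {peer}", "out", UDP, server_ip, peer, IKE_PORT),
            Flow(f"esp-in {peer}", "in", ESP, peer, server_ip),
            Flow(f"esp-out {peer}", "out", ESP, server_ip, peer),
            Flow(f"keepalive-in {peer}", "in", UDP, peer, server_ip, KEEPALIVE_PORT),
        ]
    return flows

def missing_exceptions(rules: List[Rule], flows: List[Flow]) -> List[Flow]:
    return [f for f in flows if evaluate(rules, f) != "permit"]

SERVER = "198.51.100.10"   # constructed public address of the VPN server
PEERS = ["203.0.113.5"]    # constructed public address of one VPN member
REQUIRED = required_flows(SERVER, PEERS)

# Exception list for one site-to-site member, added on top of a deny-all base.
VPN_EXCEPTIONS = [
    Rule("in",  UDP, src="203.0.113.5/32", dst=f"{SERVER}/32", dport=IKE_PORT),
    Rule("out", UDP, src=f"{SERVER}/32", dst="203.0.113.5/32", dport=IKE_PORT),
    Rule("in",  ESP, src="203.0.113.5/32", dst=f"{SERVER}/32"),
    Rule("out", ESP, src=f"{SERVER}/32", dst="203.0.113.5/32"),
    Rule("in",  UDP, src="203.0.113.5/32", dst=f"{SERVER}/32", dport=KEEPALIVE_PORT),
]
# The same list without the KeepAlive exception: the mistake the note warns about.
WITHOUT_KEEPALIVE = VPN_EXCEPTIONS[:-1]

if __name__ == "__main__":
    for label, rules in (("deny-all base", []), ("vpn exceptions", VPN_EXCEPTIONS),
                         ("no keepalive", WITHOUT_KEEPALIVE)):
        blocked = [f.name for f in missing_exceptions(rules, REQUIRED)]
        print(f"{label}: {len(blocked)} required flow(s) blocked {blocked}")
```

The deny-all base blocks all five required flows, the full exception list passes, and the list without the UDP 353 exception fails on exactly the KeepAlive flow, which is the failure mode the note describes. For client-to-site connections the client's public address is not known in advance, so the inbound source would be the wider range your policy allows rather than a single /32; everything else about the check stays the same.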