Nortel 200 Series User manual
Nortel VPN Router, VPN Gateway
Technical Configuration Guide
Engineering
> SOHO Secure Remote Access
Solution with Nortel VPN Gateway
VPN Router 200
Enterprise Solutions Engineering
Document Date: September 2006
Document Version: 1.0
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
1External Distribution NORTEL
Nortel is a recognized leader in delivering communications capabilities that enhance the human experience, ignite
and power global commerce, and secure and protect the world’s most critical information. Serving both service
provider and enterprise customers, Nortel delivers innovative technology solutions encompassing end-to-end
broadband, Voice over IP, multimedia services and applications, and wireless broadband designed to help people
solve the world’s greatest challenges. Nortel does business in more than 150 countries. For more information,
visit Nortel on the Web at nortel.com.
NORTEL NETWORKS CONFIDENTIAL: This document contains material considered to be proprietary to Nortel.
No part of it shall be disclosed to a third party for any reason except after receiving express written permission
from Nortel and only after securing agreement from the third party not to disclose any part of this document.
Receipt of this document does not confer any type of license to make, sell or use any device based upon the
teachings of the document. Receipt of the document does not constitute a publication of any part hereof and
Nortel explicitly retains exclusive ownership rights to all proprietary material contained herein. This restriction
does not limit the right to use information contained herein if it is obtained from any other source without
restriction.
Nortel Business Made Simple, Nortel, the Nortel logo, and the Globemark are trademarks of Nortel Networks.
All other trademarks are the property of their owners.
Copyright © 2006
Nortel Networks. All rights reserved. Information in this document is subject to change without
notice. Nortel assumes no responsibility for any errors that may appear in this document.
Disclaimer
This engineering document contains the best information available at the time of publication in terms of supporting
the application and engineering of Nortel products in the customer environment. They are solely for use by Nortel
customers and meant as a guide for network engineers and planners from a network engineering perspective. All
information is subject to interpretation based on internal Nortel test methodologies which were used to derive the
various capacity and equipment performance criteria and should be reviewed with Nortel engineering primes prior
to implementation in a live environment.
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
2External Distribution NORTEL
Abstract
This document is a technical configuration guide to provide an end-to-end LAB example for demonstrating “SOHO
secure Remote Access Solution using Nortel VPN Gateway and Nortel VPN Router 200”.
The configurations in this example were successfully tested and may be used by the Nortel sales force to
demonstrate RAS solution and Interoperability for customers and channel partners.
For further understanding Nortel Enterprise Secure RAS solution, please refer to the “Secure Remote Access
Technical Solution Guide” V1.0. The solution guide can be downloaded from:
http://www.nortel.com/solutions/security/collateral/secure_remote_access_solution_guide.pdf
Note: Nortel VPN Router (NVR or VR) was formerly known as Contivity, and Nortel SSL VPN was formally known
as Alteon SSL VPN.
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
3External Distribution NORTEL
Table of Contents
1. OVERVIEW........................................................................................................................................................5
1. OVERVIEW........................................................................................................................................................5
1.1 KEY COMPONENTS OVERVIEW......................................................................................................................5
1.1.1 Nortel VPN Gateway..............................................................................................................................6
1.1.2 Nortel SOHO VPN Router......................................................................................................................7
2. SOHO SECURE RAS SOLUTION LAB DEMO................................................................................................ 9
2.1 LAB TOPOLOGY............................................................................................................................................9
2.2 HARDWARE AND SOFTWARE .......................................................................................................................10
2.3 IP ADDRESSES...........................................................................................................................................10
2.4 VPN ROUTER 221 CONFIGURATION............................................................................................................11
2.4.1 Factory Default LAN.............................................................................................................................11
2.4.2 Static Fixed WAN IP and Default Gateway..........................................................................................12
2.4.3 VPN IP Policy.......................................................................................................................................13
2.4.4 Configure Pre-Shared Key and Tunnel Algorithm ...............................................................................14
2.4.5 Advanced Parameter ...........................................................................................................................15
2.4.6 Default firewall Policy on VR221..........................................................................................................16
2.5 VPN GATEWAY CONFIGURATION ................................................................................................................17
2.5.1 Connecting to the VPN Gateway.........................................................................................................17
2.5.2 Initial Setup ..........................................................................................................................................18
2.5.3 Run VPN Quick Setup Wizard .............................................................................................................18
2.5.4 Enable HTTP for Permitting BBI Access..............................................................................................18
2.5.5 IKE Profiles ..........................................................................................................................................18
2.5.6 Configure IKE Profile General Settings................................................................................................20
2.5.7 Configure IP Addresses for the Two End-Points of the BO Tunnel.....................................................21
2.5.8 Add Remote Network...........................................................................................................................22
2.5.9 Add Local Network...............................................................................................................................23
2.5.10 Configure Shared Secret for the BO Tunnel....................................................................................24
2.6 BRANCH-OFFICE TUNNEL MONITORING.......................................................................................................25
2.6.1 Check BO Status on VR221 ................................................................................................................25
2.6.2 Check BO Status on NVG....................................................................................................................26
2.6.3 Ping Test..............................................................................................................................................26
2.7 BCM 200 CONFIGURATION.........................................................................................................................27
2.7.1 Configure IP Address on LAN-1 Interface............................................................................................27
2.7.2 Default Gateway for BCM200 ..............................................................................................................28
2.7.3 IP Terminals Version............................................................................................................................28
2.7.4 IP Terminal Auto Assign DNs ..............................................................................................................29
2.7.5 IP Phone Features List.........................................................................................................................29
2.8 IP PHONE 2004 CONFIGURATION................................................................................................................30
2.8.1 IP Phone 2004 Configuration Setup ....................................................................................................30
2.8.2 IP Phone Registration Success ...........................................................................................................30
2.9 IP SOFTPHONE 2050 CONFIGURATION........................................................................................................31
2.9.1 Install and Configure Softphone 2050..................................................................................................31
2.9.2 Configure “Server Type”.......................................................................................................................32
2.9.3 IP Softphone 2050 Registering to BCM...............................................................................................33
2.9.4 Check IP Phone Status........................................................................................................................34
2.10 END-TO-END PHONE CALLS OVER BO.........................................................................................................35
2.11 END-TO-END FILE TRANSFER OVER BO ......................................................................................................35
2.11.1 Start FTP Server on PC-2................................................................................................................35
2.11.2 Start FTP Client on PC-1 .................................................................................................................36
2.11.3 IPSec BO Tunnel Traffic Statistics on NVG.....................................................................................37
2.12 TRAFFIC STATISTICS ON NVR200...............................................................................................................37
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
4External Distribution NORTEL
2.13 DATA CAPTURE AND EXAMINE.....................................................................................................................38
3. REFERENCE DOCUMENTATION..................................................................................................................41
4. APPENDIX.......................................................................................................................................................42
4.1 VR200 SERIES TECHNICAL SPECIFICATIONS ...............................................................................................42
4.2 BCM SERIAL CABLE...................................................................................................................................43
4.3 INITIALIZING THE IP PHONE 2004 ................................................................................................................44
4.4 CONFIGURE IP SOFTPHONE 2050 PREVIOUS VERSION ................................................................................45
4.4.1 Install and Configure IP Softphone 2050.............................................................................................45
4.4.2 Configure “Server Type”.......................................................................................................................46
4.4.3 IP Softphone 2050 Registering to BCM...............................................................................................47
List of Figures
Figure 1: SOHO RAS using NVG and NVR200..............................................................................5
Figure 2: VPN Gateway 3050.........................................................................................................6
Figure 3: VPN Gateway 3070.........................................................................................................6
Figure 4: VPN Router 200 (VR200)................................................................................................7
Figure 5: LAB Topology..................................................................................................................9
Figure 6: Console Configuration Parameters ...............................................................................17
Figure 7: Pinouts of VPN Gateway DB-9 Serial Connector..........................................................17
Figure 8: IP Phone Registered with DN 2429...............................................................................30
Figure 9: Start FTP Server on PC-2..............................................................................................35
Figure 10: Two End Points of the VPN Tunnel..............................................................................38
Figure 11: Encapsulating Security Payload...................................................................................39
Figure 12: IP Phone Initialization...................................................................................................44
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
5External Distribution NORTEL
1. Overview
More and more enterprises use secure remote access VPNs to establish end-to-end private network connections
over the Internet to reduce communication expenses while maintaining privacy, and allowing their SOHO
branches and mobile workers to take advantage of high speed connectivity while keeping up productivity.
The dramatically increasing number of enterprises’ remote SOHO and mobile workers are boosting the demand
for secure remote access VPN solutions. Nortel offers comprehensive Secure VPN solutions and wide range
selections of VPN products to meet our customers’ needs. One of the solutions is “SOHO Secure Remote Access
Solution using Nortel VPN Gateway and Nortel VPN Router 200” as depicted in the Figure below:
Figure 1: SOHO RAS using NVG and NVR200
In this solution, the IPSec branch-office VPN tunnel established between the VPN Router 221/251 (NVR200) and
Nortel VPN Gateway (NVG) provides always-on access to the enterprise network for small offices and home
offices (SOHO) where there is a need for continuous access to the enterprise network and a requirement to
support IP Phones. This solution supports both data applications and Voice over IP (VoIP) communications.
Multiple IP phones including IP soft-phones can be supported behind a single DSL, Fiber or Cable Modem
broadband connection, and full connectivity to the VoIP and data infrastructure is provided. This solution is
compatible with the Nortel Communication Server 1000 (CS1K), MCS 5100, BCM200/400/50, IP phones, IP
Softphone 2050, MCS PC Client, NVG, NVR and more.
For full information of Nortel Enterprise Secure VPN RAS solutions, please refer to the “Secure Remote Access
Technical Solution Guide” V1.0, which can be downloaded from:
http://www.nortel.com/solutions/security/collateral/secure_remote_access_solution_guide.pdf
Note: Nortel VPN Router (NVR or VR) was formerly known as Contivity, and Nortel SSL VPN was formally known
as Alteon SSL VPN.
1.1 Key Components Overview
In this section, the RAS solution key components are introduced. The two components are Nortel VPN Gateway
(NVG) and the Nortel VPN Router 200 (NVR200).
INTERNET
Mobile
Workforce
SOHO
Headquarter
Private Network
NVR200-NVG IPSec
BO VPN tunnel
SSL
SOHO BCM
CS1000 or
MCS5100
Web Portal
N
VR25
NVR221
Nortel VPN
Gateway
IP Phone
2004
IP Soft
Phone
2050
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
6External Distribution NORTEL
1.1.1 Nortel VPN Gateway
Nortel's VPN Gateway Portfolio is a remote access security solution that extends the reach of enterprise
applications and resources to remote employees, partners, and customers. By leveraging the native capability of
widely deployed Web browsers and SSL VPN while at the same time also supporting traditional IPSec based
VPN clients, the VPN Gateway offers the industries most convenient, flexible and cost effective secure remote
solution on the market today. The VPN Gateway can dramatically reduce the complexity of existing remote
access architectures and allow enterprises to quickly provision a flexible, scalable, and high-performance solution
that meets today’s set of challenging remote access requirements.
Nortel VPN Gateway Platforms:
VPN Gateway 3050 - designed for medium to large enterprise deployments that require support for several
hundred up to 2,000 concurrent SSL and IPSec VPN user connections.
Figure 2: VPN Gateway 3050
VPN Gateway 3070 - a higher performance gateway designed for large enterprise and managed VPN service
provider deployments. The VPN Gateway 3070 scales to thousands of concurrent SSL and IPSec VPN user
tunnels and provides hundreds of Mbps (3DES) of aggregate VPN throughput.
Figure 3: VPN Gateway 3070
Key Customer Benefits
Reduced Access Complexity
The VPN Gateway removes the ongoing client support and maintenance requirements associated with traditional
remote access solutions. With on-the-fly content transformation and seamless applet-based and network-level
SSL VPN access, the Nortel VPN Gateway mitigates the need to recode and secure individual applications or
deploy redundant extranet infrastructure to "externalize" private applications.
Deployment Flexibility and Investment Protection
The VPN Gateway supports simple web browser based access to full network-level SSL VPN access to support
of traditional IPSec VPN access with Nortel’s widely deployed IPSec VPN Client on a common high performance
VPN appliance. This technology integration reduces the cost and complexity of enterprises having to deploy and
provision multiple discrete VPN devices to address their various access requirements. Customer’s can now
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
7External Distribution NORTEL
deploy a single Nortel VPN Gateway provisioned with thousands of concurrent SSL and/or IPSec users to suit
their specific remote access requirements.
High Scalability and Performance
The VPN Gateways scales up to thousands of concurrent SSL and IPSec VPN user tunnels and provides
hundreds of Mbps of aggregate 3DES VPN throughput. Additional feature license keys can be purchased to
expand the VPN Gateway's user capacity and function with each VPN Gateway capable of server up to 255
unique domains. VPN Gateways can also be clustered in groups of up to 32 units. Adding a VPN Gateway to the
cluster is a simple plug-n-play procedure with the Single System Image (SSI) management capability.
Strong Remote Endpoint Security
The VPN Gateways provide a suite of safeguard features to protect against malicious intent and user negligence.
The VPN Gateway 3050/3070 supports the Nortel VPN Tunnel Guard feature which enforces endpoint security
checking for both client and client-less VPN endpoints. VPN Tunnel Guard enables the administrator to define
endpoint security policies on the VPN Gateway itself and ensure all remote users/devices connecting to that VPN
Gateway are inspected for compliance to a security policy, preventing end-user devices from becoming a vehicle
for viruses or other unwanted intrusions into the secure enterprise network through the VPN tunnel.
1.1.2 Nortel SOHO VPN Router
The VPN Router 200 series is an affordable all-in-one solution for tying small office and home office locations as
well as teleworkers into a secure corporate network.
The VPN Router 200 series of VPN devices (formerly known as Contivity) are the answer to enterprises requiring
low-cost secure connectivity across the Internet or managed IP networks. Designed for telecommuter and small
office/home offices, the VPN Router 200 series provides Virtual Private Networking (VPN), firewall, IP routing,
URL/content filtering and optional integrated DSL in a compact easy-to-manage platform. Consisting of the VPN
Router 221 and 251 models, the VPN Router 200 series provides options for small sites seeking secure Internet
connectivity along with firewall-based perimeter defense functions in a single device. Both models have an
integrated four-port Ethernet switch for connecting local LAN devices. The VPN Router 221 provides Ethernet-to-
Ethernet connectivity while the VPN Router 251 offers integrated ADSL conforming to international standards
allowing global deployment.
Figure 4: VPN Router 200 (VR200)
Low-cost IP Security for Small Sites
With its low-cost and integrated services, the VPN Router 200 is an affordable device for small sites that might
previously have felt such an IP security solution was too costly. It combines the advanced IP-VPN, firewall,
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
8External Distribution NORTEL
routing and content filtering functions required by most telecommuter and small office/home offices when
connecting to and accessing Internet services. It further delivers these in a compact and quiet chassis that neatly
fits into these environments.
Robust VPN and Firewall
Advanced IPSec services with flexible tunneling and powerful encryption are designed to ensure the highest
security for transmitted traffic. VPN encryption options include DES, 3DES and AES to address the most stringent
security requirement. A packet inspection engine with up to 50 filter rules, built-in denial of service, logging and e-
mail alerting functions provides perimeter defense against unwanted network intrusion. URL/content filtering
further serves to block unwanted Web-based traffic that might disrupt remote site PCs.
Flexible Site-to-Site VPN Services
The VPN Router 200 can flexibly and securely extend the corporate network to small remote sites. Supporting
both IPSec and PPTP tunneling, it can connect remote sites to a headquarters location or can connect to other
branch sites or to other enterprises in either a hub and spoke or small mesh configuration. The VPN Router 200
can also connect to a larger central site VPN Router in a variety of IPSec modes (e.g. branch office or client
mode) to best fit an enterprise’s VPN needs. As a member of the VPN Router family, the VPN Router 200 can
also participate as an endpoint in VPN Router’s Secure Routing Technology (SRT) framework.
Easy Installation and Management
The VPN Router 200 can be quickly set up and managed through an advanced set of management options. A
“client emulation mode” allows the VPN Router 200 to use information on a central-site VPN Router to minimize
set-up time. An existing ID and password can be used to authenticate the VPN Router 200 and IP address, WINS
and DNS server can be dynamically assigned without user intervention. The VPN Router 200 can further be
remotely initialized via an Easy Install utility, which enables a non-technical user using a Web browser to
download an initial configuration to the VPN Router for quick connection and set-up. The VPN Router 200 also
supports integrated Web-based and command line interfaces for flexible device configuration, as well as SNMP
for remote monitoring.
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
9External Distribution NORTEL
2. SOHO Secure RAS Solution LAB Demo
The following lab demo will help Nortel sales force to demonstrate the SOHO Secure RAS solution and
Interoperability for customers and channel partners. The demo was successfully tested, and the detailed
information of lab topology, setups, configurations and end-to-end test steps are documented in this section.
2.1 Lab Topology
Figure 5: LAB Topology
•An IPSec BO tunnel was setup between the VR221 and the NVG V6.0. The NVG’s host interface is
physically connected to VR221 WAN port
•Headquarter: NVG is configured as One-Armed topology
•Headquarter: PC-2 on headquarter private LAN is served as NVG manager, BCM manager and FTP
server. The Ethereal network protocol analyzer is also installed on PC-2 for capturing and examining data
from a live network.
•Headquarter: An IP Softphone 2050 is setup on PC-2 on headquarter private LAN, for answering
incoming and initialing outgoing telephone calls from/to the SOHO and headquarter.
•Headquarter: BCM200 on private LAN is for managing and terminating VoIP calls from SOHO
•Headquarter: One T7208 terminal phone is connected to the BCM 4X16 Media Bay Module for
answering incoming and initialing outgoing telephone calls from/to the SOHO and headquarter.
IP PHONE
2004
DN: 2429
PC-1
192.168.1.3
Gw: 192.168.1.1
VR221 V2.5
gw=192.168.2.13
wan: 192.168.2.241
LAN: 192.168.1.1/24
DHCP server IPSec BO tunnel
VR221 - NVG
PC-2
192.168.2.12
gw:192.168.2.13
BCM200 (V3.7)
LAN-1
192.168.2.40
gw: 192.168.2.13
T7208
DN: 2285
IP softphone
2050
DN: 2428
NVG (V6.0)
gw: 192.168.2.241
192.168.2.13 (host IP)
192.168.2.113 (MIP)
192.168.2.100 (portal IP)
SOHO Site
Headquarter Site
IP softphone
2050
DN: 2427
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
10 External Distribution NORTEL
•SOHO: VPN Router VR221 provides DHCP service for SOHO private LAN 192.168.1.0/24
•SOHO: One IP Phone 2004 with dynamic IP (via DHCP) is on VR221 SOHO LAN 192.168.1.0/24 (BCM
supports wide range of IP Phones, e.g. 2001, 2002, 2004, and 2007). It is used for answering incoming
and initialing outgoing telephone calls from/to the SOHO and headquarters.
•SOHO: The IP Softphone 2050 is setup on PC-1 on VR221 SOHO LAN, for answering incoming and
initialing outgoing telephone calls from/to the SOHO and headquarters.
•SOHO: PC-1 on SOHO LAN provides GUI interfaces for managing VR221. PC-1 is also used as FTP
client goes to the FTP server on PC-2.
2.2 Hardware and Software
•SOHO: VPN Router VR221, SW: VE221.2.5.0.0.016
•SOHO: PC-1, WinXP, IE 6.0
•SOHO: IP Phone 2004, Phase-1.
•SOHO: IP Softphone 2050 build 385 or v2.
•Headquarter: NVG V6.0 is simulated on a Dell PC
•Headquarter: PC-2, WinXP, IE 6.0. FTP server (3CServer V1.1)
•Headquarter: BCM200, V3.7 BCM-Demo-A Image
•Headquarter: T7208 terminal phone
•Headquarter: Ethereal Network Analyzer V.0.99.0 is installed on PC-2.
(http://www.ethereal.com/download.html)
2.3 IP Addresses
•SOHO: VPN Router VR221 WAN, static 192.168.2.241/24
•SOHO: VPN Router VR221 management: 192.168.1.1, private LAN 192.168.1.0/24
•SOHO: One IP Phone 2004 using dynamic address from DHCP server of VR221 (192.168.1.0/24)
•SOHO: PC-1 static IP 192.168.1.11/24, gateway 192.168.1.1/24
•Headquarter: NVG Host IP address 192.168.2.13/24, MVP 192.168.2.113, Portal IP 192.168.2.100
•Headquarter: PC-2 static 192.168.2.12/24, gateway 192.168.2.13/24
•Headquarter: BCM200 private LAN-1 interface 192.168.2.40/24, Default gateway 192.168.2.241/24.
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
11 External Distribution NORTEL
2.4 VPN Router 221 Configuration
Before configuring the NVR221, make sure to reset it to factory default configuration.
On PC-1, start IE, and open URL http://192.168.1.1, logon to VR221 with default user ID “admin” and password
“setup”.
2.4.1 Factory Default LAN
Keep factory default LAN setting on VR221, see below:
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
12 External Distribution NORTEL
2.4.2 Static Fixed WAN IP and Default Gateway
Go to WAN -> WAN IP, select fixed IP address:
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
13 External Distribution NORTEL
2.4.3 VPN IP Policy
Go to VPN, select Edit to start BO configuration. Name the BO tunnel. Add local and remote networks in IP policy,
and select them. The result is shown below:
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
14 External Distribution NORTEL
2.4.4 Configure Pre-Shared Key and Tunnel Algorithm
The Pre-Shared key is used for VR221 to establish the BO tunnel to the headquarter NVG. Make sure the shared
key is configured identical on both the NVR221 and the NVG. In this example, the key pre-shared key is
“boc221nvg” (Note: VR221 requires minimum of 8 characters)
When selecting Encryption and Authentication algorithms, make sure they are compatible with the configuration
on the headquarter NVG. In this demo, 3DES/MD5 is used.
For complete algorithms supported by VR200, refer to VR200 technical specification in the Appendix.
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
15 External Distribution NORTEL
2.4.5 Advanced Parameter
Click “Advanced” button from previous screen shown above and select both Phase1 and Phase2 as shown
below. “Apply” the changes.
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
16 External Distribution NORTEL
2.4.6 Default firewall Policy on VR221
By default factory configuration, VR221 has a set of firewall rules and filters configured and they are grouped and
applied based on the travel of packets on the following directions:
• LAN to LAN
• LAN to WAN
• WAN to LAN
• WAN to WAN
For example, if an initiation packet originates on the WAN, this means that someone is trying to make a
connection from the Internet into the LAN. Except in a few special cases, these packets are dropped and logged
by default. If an initiation packet originates on the LAN, this means that someone is trying to make a connection
from the LAN to the Internet. With the default policy, this is assuming an acceptable part of the security policy and
the connection will be allowed.
In this LAB demo, we used VR221’s factory default firewall and filters without altering. You may define additional
rules or modify existing ones, but please exercise extreme caution in doing so.
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
17 External Distribution NORTEL
2.5 VPN Gateway Configuration
VPN Gateway configuration and monitoring functions are accessed through the Browser-Based Management
Interface (BBI), a Web-based management interface for the VPN Gateway software. To access the BBI, a
minimum initial setup configuration is required on the VPN Gateway.
NOTE – Make sure that the host IP address, management IP address (MIP) and Portal IP address that you
entered during the Initial Setup are compatible with the IP address planned.
2.5.1 Connecting to the VPN Gateway
To establish a console connection with a VPN Gateway, the following is required:
•An ASCII terminal or a computer running ASCII terminal emulation software set to the parameters shown
in the table below:
Figure 6: Console Configuration Parameters
•A DB-9 male to female serial cable is required. The serial port on the unit is a DCE female DB-9
connector with the following pinouts.
Figure 7: Pinouts of VPN Gateway DB-9 Serial Connector
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
18 External Distribution NORTEL
2.5.2 Initial Setup
Access the VPN Gateway through a terminal to the console port using the correct serial cable:
>> Setup# new
Setup will guide you through the initial configuration.
Enter IP address for this machine (on management interface): 192.168.2.13
Enter network mask [255.255.255.0]:
Enter VLAN tag id (or zero for no VLAN) [0]: 0
Setup a two armed configuration (yes/no) [no]:
Enter default gateway IP address (or blank to skip): 192.168.2.241
Enter the Management IP (MIP) address: 192.168.2.113
Making sure the MIP does not exist...ok
Trying to contact gateway...ok
Enter a timezone or 'select' [select]: America/Chicago
Enter the current date (YYYY-MM-DD) [2006-08-07]:
Enter the current time (HH:MM:SS) [11:54:08]:
Enter NTP server address (or blank to skip):
Enter DNS server address: 192.168.2.1
Generate new SSH host keys (yes/no) [yes]: no
Enter a password for the "admin" user:
Re-enter to confirm:
2.5.3 Run VPN Quick Setup Wizard
Run VPN quick setup wizard [yes]:
Creating default networks under /cfg/vpn 1/aaa/network
Creating default services under /cfg/vpn 1/aaa/service
Enter VPN Portal IP address: 192.168.2.100
Is this VPN device used in combination with an Alteon switch? [no]:
Enter comma separated DNS search list
(eg company.com,intranet.company.com): example.com
Create HTTP to HTTPS redirect server [yes]: no
Create a trusted portal account [yes]:
User name: ras1
User password: ras1
Creating group 'trusted' with secure access.
Creating user 'ras1' in group 'trusted'.
Creating empty portal linkset 'base-links' for group trusted.
Setup IPSec [no]:
Initializing system......ok
Setup successful. Relogin to configure.
2.5.4 Enable HTTP for Permitting BBI Access
>> Main# /cfg/sys/adm/http/ena
>> Main# /cfg/sys/adm/http/apply
Now, you are ready to use the BBI for NVG configuration. To access the NVG on PC-2, open IE, and access
http://192.168.2.13, login with the user ID of “admin” and the password that you input during initial setup.
2.5.5 IKE Profiles
IKE profiles are required to configure a BO tunnel
Technical Configuration Guide:
SOHO Secure RAS with VPN Gateway and VPN Router V1.0 September, 2006
_______________________________________________________________________________________________________________________
19 External Distribution NORTEL
Add a new IKE Profile named “ipsec-BO-c221-NVG”
Table of contents
Other Nortel Network Router manuals
Nortel
Nortel BayStack ARN Dimensions
Nortel
Nortel 10292FA Instruction sheet
Nortel
Nortel 8003AC User manual
Nortel
Nortel Versalar 15000 Assembly Instructions
Nortel
Nortel Contivity 1000 GT Operation and maintenance manual
Nortel
Nortel Passport 8600 Series User manual
Nortel
Nortel Secure 1001 User manual
Nortel
Nortel 222 User manual
Nortel
Nortel Softphone 2050 User manual
Nortel
Nortel Contivity VPN Switch 1010 User manual
Nortel
Nortel Secure Router 8000 Series Instructions for use
Nortel
Nortel 7 Quick guide
Nortel
Nortel BCM50e Quick guide
Nortel
Nortel 2750 User manual
Nortel
Nortel 1700 Dimensions
Nortel
Nortel 5500 series User manual
Nortel
Nortel ASN Dimensions
Nortel
Nortel CallPilot Operator's manual
Nortel
Nortel 425-24T User manual
Nortel
Nortel 8300 Series Operation and maintenance manual
Popular Network Router manuals by other brands
Make Noise
Make Noise Rosie manual
Linksys
Linksys WET11 - Instant Wireless EN Bridge Network... user guide
MikroTik
MikroTik RouterBOARD Groove Quick setup guide and warranty information
Teltonica
Teltonica RUT9003G user manual
Draytek
Draytek Vigor2762 series quick start guide
TP-Link
TP-Link TD-VG5612 Quick installation guide