Nortel Contivity 221 User manual

CCM
Using Contivity Configuration
Manager to Configure Contivity
221
317747-B

Document status: Standard
Document version: 01.01
Document date: March 2006
Copyright © 2006, Nortel Networks
All Rights Reserved.
The information in this document is subject to change without notice. The statements, configurations, technical
data, and recommendations in this document are believed to be accurate and reliable, but are presented without
express or implied warranty. Users must take full responsibility for their applications of any products specified in this
document. The information in this document is proprietary to Nortel Networks Inc.
The software described in this document is furnished under a license agreement and may be used only in accordance
with the terms of that license. The software license agreement is included in this document.
Trademarks
Nortel, Nortel Networks, the Nortel Networks logo, the Globemark, Contivity, and Contivity Configuration Manager
are trademarks of Nortel Networks.
The asterisk after a name denotes a trademarked item.
Restricted rights legend
Use, duplication, or disclosure by the United States Government is subject to restrictions as set forth in subparagraph
(c)(1)(ii) of the Rights in Technical Data and Computer Software clause at DFARS 252.227-7013.
Notwithstanding any other license agreement that may pertain to, or accompany the delivery of, this computer
software, the rights of the United States Government regarding its use, reproduction, and disclosure are as set forth
in the Commercial Computer Software-Restricted Rights clause at FAR 52.227-19.
Statement of conditions
In the interest of improving internal design, operational function, and/or reliability, Nortel Networks Inc. reserves the
right to make changes to the products described in this document without notice.
Nortel Networks Inc. does not assume any liability that may occur due to the use or application of the product(s) or
circuit layout(s) described herein.
Portions of the code in this software product may be Copyright © 1988, Regents of the University of California. All
rights reserved. Redistribution and use in source and binary forms of such portions are permitted, provided that the
above copyright notice and this paragraph are duplicated in all such forms and that any documentation, advertising
materials, and other materials related to such distribution and use acknowledge that such portions of the software
were developed by the University of California, Berkeley. The name of the University may not be used to endorse or
promote products derived from such portions of the software without specific prior written permission.
SUCH PORTIONS OF THE SOFTWARE ARE PROVIDED "AS IS" AND WITHOUT ANY EXPRESS OR IMPLIED
WARRANTIES, INCLUDING, WITHOUT LIMITATION, THE IMPLIED WARRANTIES OF MERCHANTABILITY AND
FITNESS FOR A PARTICULAR PURPOSE.
In addition, the program and information contained herein are licensed only pursuant to a license agreement that
contains restrictions on use and disclosure (that may incorporate by reference certain limitations and notices
imposed by third parties).
Nortel Networks Inc. software license agreement
This Software License Agreement ("License Agreement") is between you, the end-user ("Customer") and Nortel
Networks Corporation and its subsidiaries and affiliates ("Nortel Networks"). PLEASE READ THE FOLLOWING
CAREFULLY. YOU MUST ACCEPT THESE LICENSE TERMS IN ORDER TO DOWNLOAD AND/OR USE THE
SOFTWARE. USE OF THE SOFTWARE CONSTITUTES YOUR ACCEPTANCE OF THIS LICENSE AGREEMENT.
If you do not accept these terms and conditions, return the Software, unused and in the original shipping container,
within 30 days of purchase to obtain a credit for the full purchase price.

"Software" is owned or licensed by Nortel Networks, its parent or one of its subsidiaries or affiliates, and is
copyrighted and licensed, not sold. Software consists of machine-readable instructions, its components, data,
audio-visual content (such as images, text, recordings or pictures) and related licensed materials including all whole
or partial copies. Nortel Networks grants you a license to use the Software only in the country where you acquired the
Software. You obtain no rights other than those granted to you under this License Agreement. You are responsible for
the selection of the Software and for the installation of, use of, and results obtained from the Software.
1. Licensed Use of Software. Nortel Networks grants Customer a nonexclusive license to use a copy of the
Software on only one machine at any one time or to the extent of the activation or authorized usage level,
whichever is applicable. To the extent Software is furnished for use with designated hardware or Customer
furnished equipment ("CFE"), Customer is granted a nonexclusive license to use Software only on such
hardware or CFE, as applicable. Software contains trade secrets and Customer agrees to treat Software as
confidential information using the same care and discretion Customer uses with its own similar information that it
does not wish to disclose, publish or disseminate. Customer will ensure that anyone who uses the Software
does so only in compliance with the terms of this Agreement. Customer shall not a) use, copy, modify, transfer or
distribute the Software except as expressly authorized; b) reverse assemble, reverse compile, reverse engineer
or otherwise translate the Software; c) create derivative works or modifications unless expressly authorized; or d)
sublicense, rent or lease the Software. Licensors of intellectual property to Nortel Networks are beneficiaries of
this provision. Upon termination or breach of the license by Customer or in the event designated hardware or
CFE is no longer in use, Customer will promptly return the Software to Nortel Networks or certify its destruction.
Nortel Networks may audit by remote polling or other reasonable means to determine Customer’s Software
activation or usage levels. If suppliers of third party software included in Software require Nortel Networks to
include additional or different terms, Customer agrees to abide by such terms provided by Nortel Networks
with respect to such third party software.
2. Warranty. Except as may be otherwise expressly agreed to in writing between Nortel Networks and Customer,
Software is provided "AS IS" without any warranties (conditions) of any kind. NORTEL NETWORKS DISCLAIMS
ALL WARRANTIES (CONDITIONS) FOR THE SOFTWARE, EITHER EXPRESS OR IMPLIED, INCLUDING,
BUT NOT LIMITED TO THE IMPLIED WARRANTIES OF MERCHANTABILITY AND FITNESS FOR A
PARTICULAR PURPOSE AND ANY WARRANTY OF NON-INFRINGEMENT. Nortel Networks is not obligated
to provide support of any kind for the Software. Some jurisdictions do not allow exclusion of implied warranties,
and, in such event, the above exclusions may not apply.
3. Limitation of Remedies. IN NO EVENT SHALL NORTEL NETWORKS OR ITS AGENTS OR SUPPLIERS BE
LIABLE FOR ANY OF THE FOLLOWING: a) DAMAGES BASED ON ANY THIRD PARTY CLAIM; b) LOSS
OF, OR DAMAGE TO, CUSTOMER’S RECORDS, FILES OR DATA; OR c) DIRECT, INDIRECT, SPECIAL,
INCIDENTAL, PUNITIVE, OR CONSEQUENTIAL DAMAGES (INCLUDING LOST PROFITS OR SAVINGS),
WHETHER IN CONTRACT, TORT OR OTHERWISE (INCLUDING NEGLIGENCE) ARISING OUT OF YOUR
USE OF THE SOFTWARE, EVEN IF NORTEL NETWORKS, ITS AGENTS OR SUPPLIERS HAVE BEEN
ADVISED OF THEIR POSSIBILITY. The foregoing limitations of remedies also apply to any developer and/or
supplier of the Software. Such developer and/or supplier is an intended beneficiary of this Section. Some
jurisdictions do not allow these limitations or exclusions and, in such event, they may not apply.
4. General
a. If Customer is the United States Government, the following paragraph shall apply: All Nortel Networks
Software available under this License Agreement is commercial computer software and commercial
computer software documentation and, in the event Software is licensed for or on behalf of the United States
Government, the respective rights to the software and software documentation are governed by Nortel
Networks standard commercial license in accordance with U.S. Federal Regulations at 48 C.F.R. Sections
12.212 (for non-DoD entities) and 48 C.F.R. 227.7202 (for DoD entities).
b. Customer may terminate the license at any time. Nortel Networks may terminate the license if Customer
fails to comply with the terms and conditions of this license. In either event, upon termination, Customer
must either return the Software to Nortel Networks or certify its destruction.
c. Customer is responsible for payment of any taxes, including personal property taxes, resulting from
Customer’s use of the Software. Customer agrees to comply with all applicable laws including all applicable
export and import laws and regulations.
d. Neither party may bring an action, regardless of form, more than two years after the cause of the action
arose.
e. The terms and conditions of this License Agreement form the complete and exclusive agreement between
Customer and Nortel Networks.

f. This License Agreement is governed by the laws of the country in which Customer acquires the Software.
If the Software is acquired in the United States, then this License Agreement is governed by the laws of
the state of New York.

Contents
Using Contivity Configuration Manager to Configure Contivity 221
  Before you begin
  How to get help
  New features for this release
    802.1x over Ethernet
    Bandwidth Management
    Certificate Management
    Contivity Client Global Setting for VPN
    IPSec Tunnel Nail Up
    Multi-user Configuration
    SSH/HTTPS for Remote Management
  Contivity 221 configuration tasks
    Configuring 802.1x over Ethernet
    Configuring Bandwidth Management
    Configuring Certificate Management
    Configuring Contivity Client Global Setting for VPN
    Configuring IPSec Tunnel Nail Up
    Configuring Multi-user Configuration
    Configuring SSH/HTTPS for Remote Management
CCM
Using Contivity Configuration Manager to Configure Contivity 221
317747-B 01.01 Standard
Release 2.3 March 2006
Copyright © 2006, Nortel Networks Nortel Networks Confidential

Using Contivity Configuration Manager to Configure Contivity 221
This guide summarizes how to get started using Contivity* Configuration
Manager* (CCM) to configure Contivity 221 devices in your network. This
document is intended for network engineers who have some familiarity
with the Nortel* Contivity 221 device.
Note: Contivity is also known as VPN Router, and Contivity
Configuration Manager is also known as VPN Router Multi-Element
Manager.
Before you begin
For information about Contivity 221 and Contivity Configuration Manager,
see the following documents:
• Configuring and Troubleshooting the Contivity 221 SOHO Internet
  Security Gateway
• Contivity 221 SOHO Internet Security Gateway Quick Start Guide
• Contivity Configuration Manager 2.2 User Guide
• Contivity Configuration Manager Wizards
How to get help
This section explains how to get help for Nortel* products and services.
Getting help from the Nortel web site
The best way to get technical support for Nortel products is from the Nortel
Technical Support web site:
www.nortel.com/support
This site provides quick access to software, documentation, bulletins, and
tools to address issues with Nortel products. From this site, you can:
• download software, documentation, and product bulletins
• search the Technical Support Web site and the Nortel Knowledge Base
  for answers to technical issues
• sign up for automatic notification of new software and documentation
  for Nortel equipment
• open and manage technical support cases
Getting help over the phone from a Nortel Solutions Center
If you do not find the information you require on the Nortel Technical Support
web site, and you have a Nortel support contract, you can also get help over
the phone from a Nortel Solutions Center.
In North America, call 1-800-4NORTEL (1-800-466-7835).
Outside North America, go to the following web site to obtain the phone
number for your region:
www.nortel.com/callus
Getting help from a specialist by using an Express Routing Code
To access some Nortel Technical Solutions Centers, you can use an Express
Routing Code (ERC) to quickly route your call to a specialist in your Nortel
product or service. To locate the ERC for your product or service, go to:
www.nortel.com/erc
Getting help through a Nortel distributor or reseller
If you purchased a service contract for your Nortel product from a distributor
or authorized reseller, contact the technical support staff for that distributor
or reseller.
New features for this release
New features for this release include:
802.1x over Ethernet
The 802.1x standard is an IEEE standard for passing Extensible
Authentication Protocol (EAP) over a Local Area Network (LAN). The EAP
messages are packaged in Ethernet frames to provide authentication.
Bandwidth Management
With the Bandwidth Management feature, you can allocate the outgoing
capacity of an interface to specific types of traffic. You can also ensure
that the Contivity 221 forwards certain types of traffic (especially real-time
applications) with minimum delay. This feature allows you to manage
bandwidth for the Contivity 221 by configuring classes and filters for LANs
and WANs.
Certificate Management
The Contivity 221 uses certificates (also called digital IDs) to authenticate
users. Certificates are based on public-private key pairs. Certificates
provide a way to exchange public keys for use in authentication.
Contivity Client Global Setting for VPN
The Contivity Client Global Setting feature provides configuration support
for client global settings for VPNs. You can use this feature to configure
exclusive use mode for client tunnels.
IPSec Tunnel Nail Up
This feature ensures that the Contivity 221 automatically renegotiates an
IPSec tunnel when the IPSec Security Association (SA) lifetime expires.
When the Contivity 251 restarts, it automatically renegotiates any nailed-up
tunnels. In effect, the IPSec tunnel becomes an always-on connection after
the tunnel is initiated.
Multi-user Configuration
With this Contivity 221 feature, you can manage multiple users through the
import and export of user information.
SSH/HTTPS for Remote Management
Secure Shell (SSH) is a secure communication protocol that combines
authentication and data encryption to provide secure encrypted
communication between two hosts over an unsecured network. Hypertext
Transfer Protocol over SSL (HTTPS) is a web protocol that encrypts and
decrypts web pages. The Contivity 221 device supports these protocols
for remote management purposes.
Contivity 221 configuration tasks
The CCM client must be connected to the CCM server to perform the
configuration tasks described in this guide. To perform configuration
operations on the Contivity devices in the network, the CCM server requires
IP connectivity to the Contivity management IP addresses.
The following is a list of configuration tasks for new features:
• "Configuring 802.1x over Ethernet"
• "Configuring Bandwidth Management"
• "Configuring Certificate Management"
• "Configuring Contivity Client Global Setting for VPN"
• "Configuring IPSec Tunnel Nail Up"
• "Configuring Multi-user Configuration"
• "Configuring SSH/HTTPS for Remote Management"
See the following sections for detailed explanations of these tasks. See
previous versions of this document for an explanation of legacy configuration
tasks.
Configuring 802.1x over Ethernet
To configure 802.1x over Ethernet:
Step Action
1  In the CCM navigation pane, select the Contivity 221 device and
   expand it.
2  Select 802.1x and click the Properties tab.
3  Click the 802.1x tab, then enter the appropriate information in the
   boxes. See Figure 1 "Contivity 221 802.1x".
Figure 1: Contivity 221 802.1x
4  On the Contivity 221 device, select AuthServer.
5  Click the Properties tab, then select the Local User Database
   tab. See Figure 2 "Contivity 221 AuthServer Local User Database".
6  On the Local User Database page, enter the appropriate name
   and password for the database.
7  Select the appropriate Active check boxes for the databases. See
   Figure 2 "Contivity 221 AuthServer Local User Database".
Figure 2: Contivity 221 AuthServer Local User Database
8  In the AuthServer node, click the Properties tab.
9  Select the RADIUS tab. See Figure 3 "Contivity 221 AuthServer
   RADIUS".
10 On the RADIUS page, enter the appropriate information in the
   Authentication Server and the Accounting Server sections. See
   Figure 3 "Contivity 221 AuthServer RADIUS".
Figure 3: Contivity 221 AuthServer RADIUS
—End—
Configuring Bandwidth Management
See Configuring Firewalls, Filters, NAT, and QoS for the Contivity Secure
IP Services Gateway (315896-E) for more information about Bandwidth
Management.
To configure Bandwidth Management:
Step Action
1  In the CCM navigation pane, select the Contivity 221 device and
   expand it.
2  Select Bandwidth Management and click the Properties tab. See
   Figure 4 "Contivity 221 Bandwidth Management".
Figure 4: Contivity 221 Bandwidth Management
3  On the Properties page, select the Summary tab.
4  Select the appropriate Active check boxes.
5  Enter the appropriate speed for the Active check boxes you selected.
6  In the Bandwidth Management node, select the LAN Root Class
   element.
7  Click the LAN Root Class Properties tab.
8  Click the Properties tab, then select the Class Configuration
   tab. See Figure 5 "Contivity 221 Class Configuration".
   The Class Name and Bandwidth Budget fields contain the values
   specified in the Bandwidth Management Properties tab.
Figure 5: Contivity 221 Class Configuration
9  In the LAN Root Class node, select a LAN class or create a new
   one if required.
   Note: To create a new LAN class, select LAN Root Class, then
   click the Palette tab. Double-click Class Set-up.
10 Click the Properties tab, then click the Class Configuration tab.
11 Configure the Class Name and Bandwidth Budget fields as
   required. See Figure 6 "Contivity 221 LAN Class Configuration".
Figure 6: Contivity 221 LAN Class Configuration
12 On the Properties page, click the Filter Configuration tab.
13 To enable the Bandwidth Filter, select the Enable Bandwidth Filter
   check box. See Figure 7 "Contivity 221 LAN Filter Configuration".
Figure 7: Contivity 221 LAN Filter Configuration
14 In the Value section, enter the appropriate information in the boxes.
15 Repeat steps 10 to 14 for each LAN class requiring configuration.
—End—
Configuring Certificate Management
Use the Certificate Create wizard to import and create certificates. Also,
use this wizard for Contivity 221 devices or for Certificates, My Certificates,
Trusted Certificates, and Trusted Remote Host Certificates.
To configure Certificate Management:
Step Action
1  In the CCM navigation pane, select the Contivity 221 device and
   expand it.
2  Select Certificates and expand it.
3  In the Certificates node, select the Trusted CAs node.
4  In the Trusted CAs node, import a trusted CA certificate by using
   the Certificate Create wizard. For more information about importing
   a trusted CA certificate, refer to the Certificate Create wizard in
   Contivity Configuration Manager Wizards.
5  In the Trusted CAs node, delete any CA certificate that is no longer
   trusted.
6  In the Certificates node, select and expand the My Certificates
   node.
7  In the My Certificates node, select a self-signed certificate. See
   Figure 8 "Contivity 221 My Certificates self-signed certificate".
Figure 8: Contivity 221 My Certificates self-signed certificate
   Note: Use the Certificate Create wizard to import a certificate
   issued by a certification authority or to create a self-signed
   certificate or a certificate request. See Contivity Configuration
   Manager Wizards.
8  Select the Properties tab of the self-signed certificate. On the
   Basic page, the certificate name, properties, the certification
   path, and other certificate information appear. If more than one
   self-signed certificate exists, you can select one of them as the
   default self-signed certificate by editing the chosen certificate’s
   property Default self-signed certificate, which signs the imported
   remote host certificates.
9  In the My Certificates node, select a certificate issued by a
   certification authority.
10 Click the Properties tab of the certificate. On the Basic page,
   the certificate name, properties, the certification path, and other
   certificate information appear.
11 In the My Certificates node, select a certificate request.
12 Click the Properties tab of the certificate request. On the Basic
   page, the certificate name, properties, the certification path, and
   other useful certificate information appear.
13 In the Certificates node, select Trusted Remote Host Certificate.
14 In the Directory Servers node, select a directory service. See
   Figure 9 "Contivity 221 Directory Services".
Figure 9: Contivity 221 Directory Services
15 Click the Properties tab of the directory service.
16 On the Basic page, enter the necessary information in the Directory
   Service Setting and Login Setting boxes.
17 In the Contivity 221 device, select and expand the VPN node.
18 Click the Properties tab of a branch office connection.
19 On the Basic page, select either Pre-Shared Key or the certificate
   from the Authentication Method list. See Figure 10 "Contivity 221
   VPN Authentication Method".
Figure 10: Contivity 221 VPN Authentication Method
20 If you choose certificate-based authentication, specify which
   certificate to use from the list of available certificates. (The Local
   ID Type and Content are automatically extracted from the selected
   certificate.)
21 From the Remote ID Type list, select one of the following: IP, DNS,
   E-mail, Subject Name, or Any. See Figure 10 "Contivity 221 VPN
   Authentication Method".
—End—
Configuring Contivity Client Global Setting for VPN
The Contivity Client Global Setting feature provides configuration support
for client global settings for VPNs. You can use this feature to configure
exclusive use mode for client tunnels.
To configure Client Global Setting for VPN: