
Contivity VPN Client

User and
Administrator Guide
for
Mac OS X, Linux, Solaris
Windows Mobile 2003 CE and SE

Part Number 314455-3.5


Version 3.5
February 2007
Copyright ©2007 by Apani Networks. All rights reserved.
This software or document (and the software described herein) is furnished under a license
agreement between Apani Networks and the Licensee. The software may be used or copied
only in accordance with the terms of the license agreement. The document may not be
reproduced in whole or in part, except with the written permission of Apani Networks.
Product names mentioned in this document are trademarks or registered trademarks of their
respective holders.

Published by:
Nortel Networks Corporation
8200 Dixie Road, Suite 100
Brampton, Ontario L6T 5P6
Canada

Nortel Networks
600 Technology Park Drive
Billerica, MA 01821-4130
Customer Support:
Voice: 1-800-4NORTEL
Web Page: http://www.nortel.com
For FAQs, follow the pathway:
Customer Support FAQ Search (selection on left side of screen)
Product family: Enterprise Data Product: Contivity
For Technical Documentation, follow the pathway:
Customer Support Technical Documents Select a Product:
Contivity 4000 VPN Switches
The Apani Networks site is an excellent source of information. You can use the Apani
Knowledge Base to search for FAQs pertaining to the Contivity VPN Client.
1. http://support.apani.com/kb/
2. Select Contivity VPN Client in the Select a Product list.
3. Click Start Search.
Chapter 1. Getting Started 1
Organization of this Guide - - - - - - - - - - - - - - - - - - - - - - - - - - 2
Conventions - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3
Product Name - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3
Cautionary Information - - - - - - - - - - - - - - - - - - - - - - - - - - 3
Keyboard Conventions - - - - - - - - - - - - - - - - - - - - - - - - - - 3
Typographical Conventions - - - - - - - - - - - - - - - - - - - - - - - 4
Typographical Terminology - - - - - - - - - - - - - - - - - - - - - - - 4
System Requirements - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5
What’s New in Version 3.5? - - - - - - - - - - - - - - - - - - - - - - - - - 7
Product Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8
The Nortel Networks Contivity Switch - - - - - - - - - - - - - - - 8
The Contivity VPN Client - - - - - - - - - - - - - - - - - - - - - - - - 8

Chapter 2. Installing the Contivity VPN Client 11


Configuring the Contivity Switch - - - - - - - - - - - - - - - - - - - - - 13
Initial Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - 13
Nortel Networks Contivity Switch Configuration - - - - - - - 13
Split Tunnel Inbound Port Filtering on Linux or UNIX Computers - - 15
Pre-Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 17
Installing the Contivity VPN Client for Macintosh OS X - - - - - 19
Installing the Contivity VPN Client for Linux - - - - - - - - - - - - - 25
Installing with RPM Distribution on RedHat with GCC 3.X 26
Installing with RPM Distribution on SUSE 9.2, 9.3, and 10.1 26
Installing with TAR Distribution - - - - - - - - - - - - - - - - - - - 27
Installing the Contivity VPN Client for Solaris - - - - - - - - - - - - 28
Requirements - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 28
Dynamic Routing - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 28
Installing with TAR Distribution - - - - - - - - - - - - - - - - - - - 29
Installation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 29

Contivity VPN Client iii


Installing the Contivity VPN Client for Windows Mobile - - - - - 31
Windows Mobile Compatibility - - - - - - - - - - - - - - - - - - - 31
Installation - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 31
Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 32
Registering the Contivity VPN Client Software - - - - - - - - - - - - 33
New Registration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 33
Entering a New Registration - - - - - - - - - - - - - - - - - - - - - - 34
Removing the Contivity VPN Client from Macintosh OS X - - - 36
Removing the Contivity VPN Client from Linux - - - - - - - - - - - 38
Removing the Contivity VPN Client from Solaris - - - - - - - - - - 40
Removing the Contivity VPN Client from Windows CE - - - - - - 42
Customizing User-Interface Graphics - - - - - - - - - - - - - - - - - - 43

Chapter 3. Configuring the Contivity VPN Client 45


User Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 47
Launching the Contivity VPN Client - - - - - - - - - - - - - - - - - - - 48
Certificate Management - - - - - - - - - - - - - - - - - - - - - - - - - - - 51
Importing a CA Certificate - - - - - - - - - - - - - - - - - - - - - - - 52
Requesting a Certificate - - - - - - - - - - - - - - - - - - - - - - - - 53
Importing a Certificate - - - - - - - - - - - - - - - - - - - - - - - - - 57
Deleting a Certificate - - - - - - - - - - - - - - - - - - - - - - - - - - 59
Viewing Certificate Details - - - - - - - - - - - - - - - - - - - - - - 60
Defining a New Connection Profile - - - - - - - - - - - - - - - - - - - 61
Completing the Connection - - - - - - - - - - - - - - - - - - - - - - 70
Editing a Connection Profile - - - - - - - - - - - - - - - - - - - - - 73
Connecting the Contivity VPN Client - - - - - - - - - - - - - - - - - - 74
Selecting the Connection Profile - - - - - - - - - - - - - - - - - - 74
Completing the Connection - - - - - - - - - - - - - - - - - - - - - - 80
Monitoring Connection History - - - - - - - - - - - - - - - - - - - - - - 82
Connection Statistics - - - - - - - - - - - - - - - - - - - - - - - - - - 82
Setting Client Preferences - - - - - - - - - - - - - - - - - - - - - - - - - - 83
Audit Controls - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 83
Controlling Audit Information Logging - - - - - - - - - - - - - - 84
Configuration Locking - - - - - - - - - - - - - - - - - - - - - - - - - 86
Viewing Audit Information - - - - - - - - - - - - - - - - - - - - - - - - - 90
Disconnecting the Contivity VPN Client - - - - - - - - - - - - - - - - 91
Command Line Interface - - - - - - - - - - - - - - - - - - - - - - - - - - 92

Glossary 95

Index 103

1 Getting Started

Contents of this Chapter

Organization of this Guide - - - - - - - - - - - - - - - - - - - - - - - - - - 2
    Provides an introductory overview of Contivity VPN Client functions.
Conventions - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 3
    Explains the typographical and command conventions used in this guide.
System Requirements - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 5
    Lists the system requirements for installing a Contivity VPN Client.
What’s New in Version 3.5? - - - - - - - - - - - - - - - - - - - - - - - - - 7
    Provides a list of features that are new to Contivity VPN Client version 3.5.
Product Overview - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 8
    Provides a brief introduction to the Nortel Networks Contivity Switch and the Contivity VPN Client.

Chapter 1. Getting Started

Organization of this Guide

This guide is organized as follows:

Chapter 1, Getting Started: introduces the guide, explains the conventions used in the guide, lists system requirements for the Contivity VPN Client, and provides an overview of the Contivity VPN Client.

Chapter 2, Installing the Contivity VPN Client: describes how to configure the Nortel Networks Contivity Switch for the Contivity VPN Client and how to install the Contivity VPN Client on supported systems.

Chapter 3, Configuring the Contivity VPN Client: a guide to the configuration and use of the Contivity VPN Client.

Glossary: provides brief definitions of security terms and terminology used in this guide.

Conventions

Product Name

Throughout most of this guide, the Contivity VPN Client is referred to simply as the Client and the Nortel Networks Contivity Switch is referred to simply as the Contivity Switch.

Cautionary Information

This guide presents several classes of cautionary information:

NOTE clarifies or identifies exceptions.
IMPORTANT calls your attention to information necessary to the proper installation and configuration of the Client.
CAUTION alerts you to situations that could result in unexpected or destructive results to data or software.

Keyboard Conventions

The following conventions are used in describing actions for you to take, methods of selecting and entering data, and operation of the system:

Computer dialog, code, file names, directory names, and screen instructions are represented by a mono-spaced font:
    screen text display

Characters you enter on a command line are represented by bold mono-spaced type:
    system text: your response

Optional text you enter on a command line is represented in mono-spaced italicized type. Where it is a term for a file name, directory name, path, or such, it is surrounded by angle brackets:
    <filename>

The “|” character is used to signify one or the other:
    <filename1>|<filename2>

Typographical Conventions

This guide uses the following typographical conventions:

The names of on-screen buttons, checkboxes, option buttons, and keys are in Bold Text with Initial Caps.
The names of windows, dialog boxes, lists, window elements, and dialog box elements are in Bold Italics, capitalized the same as the item.
The names of menus and menu items are in Bold Text. Menu selections are shown as:
    Choose MenuName > Item1 > Item2
This means to select Item1 in the MenuName menu and then select Item2 in the sub-menu.
Numbered items in a list describe steps in a procedure that must be followed in order. Bulleted items in a list are members of a set or parts of a whole that have no order or priority.

Typographical Terminology

Press means to press a particular key or key combination. It does not imply also pressing the Enter key:
    Press Tab
Key Combinations: two or more keys that must be pressed simultaneously are linked by a plus sign:
    Press Ctrl+Alt+Del
Type means to type text, usually in a text box or scroll box within a dialog box. It does not imply to press the Enter (or Return) key. It is usually followed by a step such as “Click OK” or “Click Continue.”
Enter means to type text and press the Enter (or Return) key when the text has been typed.

System Requirements
A Contivity VPN Client installation requires the following
minimum configurations.
Mac OS X
Operating System: Mac OS X
System Version: 10.3 through 10.3.9, 10.4 through
10.4.7
Power Macintosh or Intel Mac
CD-ROM Drive
10 MB of free disk space
128 MB of RAM
Ethernet card or dialup modem
A web browser (Safari or Netscape are preferred.)
Linux
Linux for Intel x86 or equivalent processors, 32-bit
only
Intel-based Linux system (The Client will not work
on a Sparc-based system.)
Linux kernel 2.4.x*, and 2.6.x up to 2.6.18. Linux
kernel 2.6.15-1.2054 will not work due to a kernel
bug preventing proprietary license modules from
loading correctly.
Operating Systems:
RedHat Enterprise Advanced Server 3.0 to 4
Fedora Core 4, Core 5, and Core 6
SUSE 9.2, 9.3, and 10.1
32 MB RAM (64 MB Recommended)
30 MB of free disk space
Ethernet card or dialup modem
CD-ROM Drive
Kernel source 2.4.x or 2.6.x
A web browser (Netscape and Mozilla are
preferred.)
X-Window System

* If the system is using the 2.4.x kernel, the kernel headers 2.4.x package must be used. If the system is using the 2.6.x kernel, the kernel headers 2.6.x package must be used.
Solaris
System Version: 2.7 to 2.9
Sun SPARC platform
CD-ROM Drive
12 MB of free disk space; 32 MB of RAM
Ethernet card
A web browser (Netscape and Hot Java are
supported.)

Windows Mobile 2003 CE and SE
A list of supported devices is available on the Apani website:
http://www.apani.com/vpn-clients/nortel-overview
Refer to the system requirements in the information section.

What’s New in Version 3.5?

Added support for Fedora Core 5 and Core 6
Added support for SUSE Linux 10.1
Fixed dial-up support for Mac OS X

Product Overview

The purpose of the Client is to provide tunneled, secure communications between the Client computer and the Contivity Switch across an IP network, including the Internet and the local area network (LAN).

The Nortel Networks Contivity Switch

The Contivity Switch is a single hardware device that provides routing, firewall, bandwidth management, encryption, authentication, and data integrity for secure tunneling across managed IP networks and the Internet. Contivity Switches are used to connect remote users, branch offices, suppliers, and customers with the cost and performance advantages of shared IP networks and the security and control inherent in private networks.

The Contivity VPN Client

The Client is an intelligent, autonomous software agent residing in the computer for which communication is to be secured. All communications security functions are performed using the rules supplied by the Contivity Switch. When the Client is installed, the Contivity Switch (according to the policies set by the network administrator) sends a set of security policies for the Client to follow when exchanging data with the Contivity Switch. These rules determine:
(1) the algorithm to be used for ESP encryption;
(2) whether ESP data integrity checking is to be performed and, if so, the algorithm to use;
(3) whether anti-replay protection is to be provided;
(4) whether Authentication Header (AH) integrity protection is to be applied.
Once these instructions are received directly from the Contivity Switch, the Client stores these rules locally and follows them autonomously when communicating with the Contivity Switch. The user of the Client computer can continue to operate as before except that all communications over the extranet or Internet are now protected with a layer of security as part of the network protocol. Once connected to the Contivity Switch, the operation of the Client is transparent to the user and requires no user intervention.

2 Installing the Contivity VPN Client

This chapter provides a list of required Contivity Switch settings to
operate with the Contivity VPN Client, step-by-step instructions for
the installation and removal of Contivity VPN Client software, and
instructions for customizing the user-interface graphics on the
Contivity VPN Client.

Contents of this Chapter

Configuring the Contivity Switch - - - - - - - - - - - - - - - - - - - - - - 13
    Provides instructions for configuring the Contivity Switch prior to installing the Client.
Pre-Configuration - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 17
    Provides a step-by-step procedure for pre-configuring Clients for mass deployment in a large installation.
Installing the Contivity VPN Client for Macintosh OS X - - - - - - 19
    Provides a step-by-step procedure for installing a Client on a Macintosh OS X system.
Installing the Contivity VPN Client for Linux - - - - - - - - - - - - - 25
    Provides a step-by-step procedure for installing a Client on a Linux system.
Installing the Contivity VPN Client for Solaris - - - - - - - - - - - - - 28
    Provides a step-by-step procedure for installing a Client on a Solaris system.
Installing the Contivity VPN Client for Windows Mobile - - - - - 31
    Provides a step-by-step procedure for installing a Client on a Windows CE system.

Chapter 2. Installing the Contivity VPN Client

Registering the Contivity VPN Client Software - - - - - - - - - - - - 33
    Explains the procedure for receiving a license code and registering your Contivity VPN Client.
Removing the Contivity VPN Client from Macintosh OS X - - - - 36
    Provides a step-by-step procedure for removing the Client software and database from a Macintosh OS X system.
Removing the Contivity VPN Client from Linux - - - - - - - - - - - 38
    Provides a step-by-step procedure for removing the Client software and database from a Linux system.
Removing the Contivity VPN Client from Solaris - - - - - - - - - - - 40
    Provides a step-by-step procedure for removing the Client software and database from a Solaris system.
Removing the Contivity VPN Client from Windows CE - - - - - - 42
    Provides a step-by-step procedure for removing the Client software from a Windows CE system.
Customizing User-Interface Graphics - - - - - - - - - - - - - - - - - - 43
    Explains how to customize areas of the Graphical User Interface with user-provided art.

Configuring the Contivity Switch

The Contivity Switch must be configured for the Client prior to installing the Client. This is important because the Client accepts configuration settings that are sent down from the Contivity Switch during IKE negotiations.

Initial Configuration

This document assumes that you have already configured the Contivity Switch with basic settings including identity, private and public addresses, etc. Be sure that IPSec is enabled.

Nortel Networks Contivity Switch Configuration

To work with the Client, the Contivity Switch’s IPSec settings must be set according to the values in the following table.
"Supported" means the Client supports all valid options for this setting.
"Don’t Care" means the Client ignores this feature, but it may be supported by other clients.

Parameter                               Setting(s) Allowed
----------------------------------------------------------------------------
Split Tunneling                         Supported*
Split Tunnel Networks                   Supported*
Client Selection
  Allowed Clients                       Only Contivity Clients, or Both
                                        Contivity and Non-Contivity
  Allow undefined networks for          Supported
  non-Contivity clients
Authentication
  Database Authentication (LDAP)
    User Name and Password              Supported
    RSA Digital Signature               Don’t Care
    Default Server Certificate          Supported
  RADIUS Authentication
    User Name and Password              Supported
    Axent Technologies Defender         Don’t Care
    RSA Security SecurID                Supported
Encryption                              Supported (all settings except 40-bit DES)
Perfect Forward Secrecy                 Supported
Forced Logoff                           Supported (up to 23:59, or 00:00 for off)
Client Auto Connect                     Don’t Care
Banner                                  Supported
Display Banner                          Supported
Client Screen Saver Password Required   Disabled (not supported)
Client Screen Saver Activation Time     Don’t Care
Client Failover Tuning                  Supported
Allow Password Storage on Client        Supported on Macintosh, Linux, and
                                        Windows CE 2003 only
Compression                             LZS Compression supported
IPSec NAT Traversal                     Supported
Rekey Timeout                           Supported
Rekey Data Count                        Supported
Domain Name                             Don’t Care
Primary DNS                             Supported
Secondary DNS                           Supported
Primary WINS                            Don’t Care
Secondary WINS                          Don’t Care
Client Policy                           Macintosh: Don’t Care
                                        Linux and UNIX: Supported

NOTE: You must enable at least one of the following user
authentication options:
LDAP with User Name and Password
LDAP with Default Server Certificate
RADIUS with User Name and Password
RADIUS with RSA Security SecurID

* If using split tunneling with the Client located on a Linux or a UNIX computer, please refer to the following section for port filtering requirements.

Split Tunnel Inbound Port Filtering on Linux or UNIX Computers

Linux and UNIX operating systems support multiple simultaneous users. In order to help prevent unauthorized access to the private network, the Client automatically blocks inbound access to TCP and UDP ports 0 through 1023 on the Client's local (public) network when you are connected to the Contivity Switch with split tunneling enabled. Remote systems and users cannot use services on these Well Known Ports while the Client is connected. Existing, active communications through inbound ports 0 through 1023 will be blocked as soon as the Client connects to the Contivity Switch.

When the Client is connected with split tunneling enabled, the Client permits outbound access through all ports. The Client also permits inbound access through ports 1024 and above. This allows the local user to take advantage of split tunneling to connect to remote servers using web browsers and other applications.

NOTE: All inbound and outbound access on the Client’s local (public) network is blocked when the Client is connected and split tunneling is disabled.

CAUTION: The Client cannot protect the Client computer, tunnel, and the private networks behind the Contivity Switch from all possible remote attacks, even though it blocks inbound access through ports 0 through 1023 (Well Known Ports) when connected. Access through higher ports is still possible. (The X Window System uses ports 6000 through 6063, for example.) The system administrator of the Client computer must frequently check to ensure that services have not been inadvertently or malevolently enabled on higher ports.
We highly recommend that you enable a host-based firewall on the Client computer.

The Contivity Switch administrator can enable inbound access on one or more ports 0 through 1023 by creating a Client Policy on the Contivity Switch. See "Client Policy" in the "Group and User Configuration" chapter of the Nortel Networks Managing the Contivity Extranet Switch user guide. Keep in mind that creating a Client Policy blocks all inbound and outbound ports, except those specifically enabled by the Contivity Switch administrator.
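The CAUTION above leaves the check for services on ports 1024 and above to the administrator. The following script is an added example, not part of the Apani/Nortel documentation or of the Client software: it reads netstat -tuln output in the Linux column layout (Proto, Recv-Q, Send-Q, Local Address, Foreign Address, State) and reports every TCP listener and UDP socket that is bound to a non-loopback address on a port of 1024 or above, which is exactly the exposure the split-tunnel filter does not cover. The netstat output embedded in the block is constructed, not captured from a real host. On Solaris, netstat -an prints different columns, so the field positions in the awk program would need adjusting there.

```shell
#!/bin/sh
# Added example, not part of the Contivity VPN Client or its documentation.
# Reports services reachable on the local (public) network on ports >= 1024,
# which the Client's split-tunnel filter leaves open. Input is "netstat -tuln"
# output in the Linux column layout:
#   Proto Recv-Q Send-Q Local-Address Foreign-Address [State]

# high_port_listeners: read netstat-style lines on stdin and print
# "<proto> <local-address> <port>" for every socket that is
#   - TCP in LISTEN state, or any UDP socket (UDP lines have no State column),
#   - bound to a port of 1024 or above,
#   - bound to something other than a loopback address.
high_port_listeners() {
    awk '
        $1 ~ /^(tcp|tcp6|udp|udp6)$/ {
            la = $4
            # The port is the text after the last ":"; this also handles the
            # IPv6 forms ":::8080" (wildcard) and "::1:5454" (loopback).
            n = split(la, parts, ":")
            port = parts[n]
            addr = substr(la, 1, length(la) - length(port) - 1)
            if ($1 ~ /^tcp/ && $6 != "LISTEN") next
            if (port !~ /^[0-9]+$/ || port + 0 < 1024) next
            if (addr ~ /^127\./ || addr == "::1") next
            print $1, addr, port
        }'
}

# audit_high_ports: wrapper for cron or a login script.
# Exit status 1 when exposed listeners exist, 0 when there are none.
audit_high_ports() {
    found=$(high_port_listeners)
    if [ -n "$found" ]; then
        printf 'WARNING: listeners on ports >= 1024 reachable from the local network:\n%s\n' "$found"
        return 1
    fi
    echo "OK: no non-loopback listeners on ports >= 1024"
    return 0
}

# Constructed sample (not captured from a real host). Expected findings:
# "tcp 0.0.0.0 6000" (an X server), "tcp6 :: 8080" and "udp 0.0.0.0 5353";
# sshd on 22, CUPS on loopback 631, X forwarding on loopback 6010, the DHCP
# client on 68 and the loopback-only udp6 socket are all correctly ignored.
SAMPLE_NETSTAT='Active Internet connections (only servers)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:631           0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:6000            0.0.0.0:*               LISTEN
tcp        0      0 127.0.0.1:6010          0.0.0.0:*               LISTEN
tcp6       0      0 :::8080                 :::*                    LISTEN
udp        0      0 0.0.0.0:68              0.0.0.0:*
udp        0      0 0.0.0.0:5353            0.0.0.0:*
udp6       0      0 ::1:5454                :::*'

# Stand-alone run on the sample. On a real Linux host use:
#   netstat -tuln | audit_high_ports
printf '%s\n' "$SAMPLE_NETSTAT" | audit_high_ports || :
```

Run it from cron while the Client is connected; a non-zero exit status means something is listening where the split-tunnel filter does not protect it, and either the service should be bound to 127.0.0.1, removed, or blocked by the host-based firewall the CAUTION recommends.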

Pre-Configuration

A pre-configuration allows you to configure a Client and then install a number of Clients with the same configuration. This precludes individual users from having to enter license codes, group IDs, and preferences. The primary purpose of a pre-configuration is to simplify the installation of large numbers (100+) of Clients.
If you are performing a pre-configuration on platforms with
different operating systems, it may be necessary to change the
file format of the database files before distributing to the other
operating systems.
After a Client has been pre-configured, when the user first
launches the Client, the Product Registration window will not
appear and the user is taken directly to the Connections
window. There is one exception to this rule.
If you are pre-configuring a multi-seat license installation,
you might want to require the input of the seat number by
each Client. To do this, enter a 0 (zero) as the seat number
in the configuration of the first Client. Thereafter, each
Client, when launched, will present the Product Registration
window and require the input of a seat number.
To enter a zero for the seat number of the first Client, you
must first enter a valid seat number. Then complete and
test the configuration. Prior to performing step 3, below,
edit the registration (see “Entering a New Registration” on
page 34) and change the Seat Number to zero.
To perform a pre-configuration:
1. Perform a manual installation of the Client.
2. Configure the Client, following the instructions provided in Chapter 3, Configuring the Contivity VPN Client.
3. Copy the prefs.db and eac.db files to the same directory as the installer. This step differs slightly with different platforms.
   • For a Macintosh OS X installation:
     Copy the .db files into the same directory as the nleac.pkg file.
   • For a Linux tar installation:
     a. Untar the directory created by the tar file.
     b. Copy the .db files to the nleac-<version> directory.
     c. Re-tar the directory.
   • For a Linux RPM installation:
     Copy the .db files into the /usr/src/<distributor>/RPMS/i386 directory (/usr/src/redhat/RPMS/i386 on RedHat and Fedora, /usr/src/packages/RPMS/i386 on SUSE). This is the same directory where the binary package was placed during the rebuild for the first install.
   • For a Solaris installation:
     Copy the .db files to the directory containing the nleac package.
   • For a Windows CE installation:
     NOTE: A pre-configured Client installation for Windows CE is not supported.
4. Using either a web distribution or creating a CD-ROM, install the Clients.
   Each Client, when installed, will be configured as the original.
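Step 3 for the Linux tar case (untar, copy prefs.db and eac.db into the nleac-<version> directory, re-tar) is repeated for every release and every group configuration, so it pays to script it and to verify the archive before it is published for mass installation. The following shell functions are an added example, not part of the Apani/Nortel documentation or installer. Only the file names prefs.db and eac.db and the nleac-<version> directory name come from the guide; the single-directory check, the chmod 600 on the copied databases, and the placeholder archive built in the stand-alone run are this example's own choices, and the placeholder contents are constructed.

```shell
#!/bin/sh
# Added example, not part of the Contivity VPN Client or its documentation.
# Automates step 3 for the Linux TAR distribution: unpack the archive, copy
# prefs.db and eac.db into the nleac-<version> directory, re-create the
# archive, then verify the result. Only prefs.db, eac.db and the
# nleac-<version> directory name come from the guide.

# verify_preconfigured_tar <archive.tar>
# Succeeds only if both databases sit directly under nleac-<version>/.
verify_preconfigured_tar() {
    listing=$(tar -tf "$1") || return 1
    for f in prefs.db eac.db; do
        printf '%s\n' "$listing" | grep -q "^nleac-[^/]*/$f\$" || return 1
    done
}

# preconfigure_tar <original.tar> <dir containing prefs.db and eac.db> <output.tar>
preconfigure_tar() {
    src=$1; dbdir=$2; out=$3
    for f in prefs.db eac.db; do
        [ -f "$dbdir/$f" ] || { echo "missing $dbdir/$f" >&2; return 1; }
    done
    case $out in /*) outabs=$out ;; *) outabs=$PWD/$out ;; esac
    work=$(mktemp -d) || return 1
    tar -xf "$src" -C "$work" || { rm -rf "$work"; return 1; }
    # Accept exactly one top-level nleac-<version> directory and nothing else;
    # anything different means the wrong archive was handed in.
    set -- "$work"/nleac-*
    if [ $# -ne 1 ] || [ ! -d "$1" ] || [ "$(ls -A "$work" | wc -l | tr -d ' ')" -ne 1 ]; then
        echo "expected a single nleac-<version> directory in $src" >&2
        rm -rf "$work"; return 1
    fi
    pkgdir=$1
    cp "$dbdir/prefs.db" "$dbdir/eac.db" "$pkgdir/" || { rm -rf "$work"; return 1; }
    # The databases carry the registration and group settings being deployed;
    # keeping them owner-readable only is this example's choice.
    chmod 600 "$pkgdir/prefs.db" "$pkgdir/eac.db"
    (cd "$work" && tar -cf "$outabs" "$(basename "$pkgdir")") || { rm -rf "$work"; return 1; }
    rm -rf "$work"
    verify_preconfigured_tar "$outabs"
}

# Stand-alone demonstration on a constructed archive; no real Client files.
demo() {
    d=$(mktemp -d) || return 1
    mkdir -p "$d/nleac-3.5" "$d/cfg"
    echo "placeholder Makefile" > "$d/nleac-3.5/Makefile"
    echo "constructed prefs.db" > "$d/cfg/prefs.db"
    echo "constructed eac.db"   > "$d/cfg/eac.db"
    (cd "$d" && tar -cf nleac-3.5.tar nleac-3.5)
    if preconfigure_tar "$d/nleac-3.5.tar" "$d/cfg" "$d/nleac-3.5-preconf.tar"; then
        echo "OK: pre-configured archive contains:"
        tar -tf "$d/nleac-3.5-preconf.tar"
        rc=0
    else
        rc=1
    fi
    rm -rf "$d"
    return $rc
}
demo
```

Because the pre-configured archive is what every user will untar and build as root, run verify_preconfigured_tar against the copy that is actually placed on the web server or CD-ROM, not only against the file in the staging directory.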

Installing the Contivity VPN Client for Macintosh OS X

NOTE: We recommend that you remove any previously-installed IPSec Client software before installing the Contivity VPN Client. Failure to do so might result in a failure of the installation.

NOTE: There are separate installers for the Mac OS versions 10.3 (Panther) and 10.4 (Tiger).

To install the Client for Macintosh OS X, perform the following steps:
1. Display the Contivity VPN Client Installation CD-ROM (or folder from electronic download).
   Figure 2-1. Macintosh OS X Install CD-ROM
2. Double-click the Install Disk Image (.dmg) file.
   A screen appears informing you that the install program requires an administrator password.

   Figure 2-2. Macintosh OS X Install Authorization
3. Click on the lock image.
   An authentication dialog box appears.
   Figure 2-3. Macintosh OS X Install Authentication
4. Type your user name in the Name text box.
5. Type your administrator password in the Password or phrase text box.
6. Click OK.
   The Contivity VPN Client Install screen appears.

   Figure 2-4. Macintosh OS X Client Installer Screen
7. Click Continue.
   The Release Notes appear.
   Figure 2-5. Macintosh OS X Client Release Notes
8. Scroll to read the Read Me file, click Print to print the file, or click Save to write the file to another location.
9. Click Continue to continue with the installation.

   The Software License Agreement appears.
   Figure 2-6. Macintosh OS X Software License Agreement
10. Scroll to read the license agreement, click Print to print the file, or click Save to write the file to another location.
11. Click Continue to continue the installation.
   A message appears asking you to agree to the terms of the license agreement.
   Figure 2-7. Macintosh OS X Agreement to Terms of License
12. Click Agree to continue.
   You are prompted for a destination for the installation.

   Figure 2-8. Macintosh OS X Select Destination
13. Select the destination drive and click Continue.
   You are prompted for the type of installation.
   Figure 2-9. Macintosh OS X Type of Installation Prompt
14. To accept Easy Installation (recommended), click Install.

   A message is displayed:
   Installing this software requires you to restart your computer when the installation is done. Are you sure you want to install the software now?
15. Click Continue Installation to complete the installation.
   Messages are displayed informing you of the progress of the installation. At the completion of the installation, a message appears informing you that the software was successfully installed.
   Figure 2-10. Macintosh OS X Installation Successful
16. Click Restart.
   Your computer will now reboot.

Installing the Contivity VPN Client for Linux

NOTE: You must be logged on as root to execute the commands that will install the Client on Linux.

NOTE: We recommend that you remove any previously-installed IPSec Client software before installing the Contivity VPN Client. Failure to do so might result in a failure of the installation.

The Contivity VPN Client is shipped on a multi-platform CD-ROM. Use the mount command to mount the CD, then install the Client using either the RedHat Package Manager (RPM) distribution or the TAR distribution. Assuming that the CD is mounted at "/cdrom", the full path to the Linux package would be "/cdrom/linux/nleac".

NOTE: Commands are case sensitive. Those commands shown here in lower case must be typed in lower case.

Installing with RPM Distribution on RedHat with GCC 3.X

To install the Client on a Linux computer using RedHat with GCC 3 (RedHat Advanced Server 3.0 - 4 and Fedora Core 4, 5, and 6), use the following procedure:
The Client is kernel dependent. The package contains source code that needs to be rebuilt before being installed on the host. To rebuild the package, on the host where the Client is being installed, enter the following command:
    rpmbuild --rebuild cvc_linux-rh-gcc3-[version]-0.src.rpm
This command rebuilds the Client and places the binary package in the /usr/src/redhat/RPMS/i386/ directory.
To install the package, enter the following command:
    rpm -i /usr/src/redhat/RPMS/i386/cvc_linux-rh-gcc3-[version]-0.i386.rpm
Log out and log back in to the Linux computer before using the Client.

NOTE: rpmbuild --rebuild executes the build steps contained in the source package with the privileges of the invoking user, which is root here. Rebuild only a source RPM taken from the distribution CD-ROM or whose integrity you have otherwise verified.

NOTE: A reboot may not always be necessary. We highly recommend, however, that you reboot the computer before using the Client.

Installing with RPM Distribution on SUSE 9.2, 9.3, and 10.1

To install the Client on a Linux computer using SUSE 9.2, 9.3, and 10.1, use the following procedure:
The Client is kernel dependent. The package contains source code that needs to be rebuilt before being installed on the host. To rebuild the package, on the host where the Client is being installed, enter the following command:
    rpmbuild --rebuild cvc_linux-suse-gcc3-[version]-0.src.rpm
This command rebuilds the Client and places the binary package in the /usr/src/packages/RPMS/i386/ directory.
To install the package, enter the following command:
    rpm -i /usr/src/packages/RPMS/i386/cvc_linux-suse-gcc3-[version]-0.i386.rpm
Log out and log back in to the Linux computer before using the Client.

NOTE: A reboot may not always be necessary. We highly recommend, however, that you reboot the computer before using the Client.

Installing with TAR Distribution

To install the Client with the TAR distribution, unTAR the files by entering the following command in the directory where the TAR file is located:
    # tar -xvf <file_name>.tar
Enter the new directory created by the TAR file:
    # cd <directory_name>
Rebuild the package on the host where the Client is being installed:
    # make all
To install the package, enter the following command:
    # make install
Reboot the Linux computer before using the Client.

NOTE: A reboot may not always be necessary. We highly recommend, however, that you reboot the computer before using the Client.

Installing the Contivity VPN Client for Solaris

NOTE: We recommend that you remove any previously-installed IPSec Client software before installing the Contivity VPN Client. Failure to do so might result in a failure of the installation.

Requirements

In order to configure the Client and to access the on-line help, you must have a web browser installed on the host computer. The Contivity VPN Client prefers Netscape, but will also use the Sun HotJava browser.
If you install a browser after the Client, make sure that a file called "netscape" exists in the standard command path. That file should call or point to the installed browser. For example, if you install Netscape at "/opt/NSCPcom/netscape", create a symbolic link called "/usr/bin/netscape" or change your command path to include "/opt/NSCPcom".
In order to install a Client on a Solaris system, you must have root or superuser permission.

NOTE: Commands are case sensitive. Those commands shown here in lower case must be typed in lower case.

Dynamic Routing

The Client will not operate on a Solaris system that has dynamic routing enabled. If dynamic routing is enabled, you must disable it prior to installing the Client.
To disable dynamic routing, create a file named /etc/defaultrouter whose contents are the IP address of the default router. On Solaris 2.7 through 9 the boot scripts start the in.routed and in.rdisc routing daemons only when /etc/defaultrouter is absent, so the change takes effect at the next reboot; check with ps -ef that neither daemon is still running before installing the Client.


Installing with TAR Distribution
To install the Client with TAR distribution, unTAR the files by entering the following command in the directory where the TAR file is located:
tar -xvf <file_name>.tar

Enter the new directory created by the TAR file and proceed with step 3 of a normal installation (on the following page). The unTARed files are in the directory <directory_name>.

Installation
To install the Client for Solaris:

1. Insert the CD into the drive.
The Solaris Volume Manager should mount the CD at /cdrom/cdrom0.

2. Change directory to the location of the Client installation software:
cd /cdrom/cdrom0/<path>

3. Enter the package installation command:
pkgadd -d . nleac

The version of the Client that is about to be installed is listed along with the first part of the User’s Sublicense Agreement. The User’s Sublicense Agreement is displayed in sections to allow it to be read in its entirety. Between each section, the following prompt is displayed:
Press RETURN to continue [?]

After the entire license agreement has been displayed, you are prompted to accept the agreement:
Do you accept the above license agreement [y, n, ?]

4. Press y to continue.
The installer checks the system to verify that the package can be installed and the install program provides you the opportunity to abort the installation.
Do you want to continue with the installation of <nleac> [y,n,?]
y

5. Press y to continue the installation. (Pressing n or any other key will abort the installation.)
Files from the CD are copied to the system. A series of messages appear, listing the process of file processing and ending with a message stating that the installation of the Client was successful.

6. Reboot the Solaris system to ensure proper operation and to start using the Client.
The installation of the Client is complete.


Installing the Contivity VPN Client for Windows Mobile

IMPORTANT: You must remove any previously-installed IPSec Client software before installing the Contivity VPN Client. Failure to do so will result in a failure of the installation and of the PDA device as well.

Windows Mobile Compatibility
This version of the Apani Contivity VPN Client is designed to be installed and run under Windows Mobile Pocket PC 2003 CE and SE.

Installation
Installation can be done from a desktop computer using ActiveSync or directly on the PDA itself.

Installing from a Desktop:
Unzip the install package to a known location on the hard disk of the desktop machine.
Run the program setup.exe from that location.
This starts the desktop portion of the install. Accept the default for the location of the product on the PDA and observe that the desktop install starts the PDA install at the proper time and that it runs to completion. Reboot the PDA at this time.

NOTE: The Client requires installation in the default directory. If you choose an alternate location, the Client will not start.

Installing Directly:
1. Copy the .cab file to the PDA.
2. Double-click the .cab file.
The Client software is installed.


Configuration
The PDA must be rebooted after installation for the client to function.


Registering the Contivity VPN Client Software

New Registration
At the completion of installation when you first start the Client, the Product Registration window appears. You must enter your license code before any further operations can take place.
If the Client has been pre-configured (see “Pre-Configuration” on page 17), the Product Registration window will not appear and the Connections window appears when the Client is first launched.
An exception to that rule is: in a multi-seat license installation, if a 0 (zero) is entered as the seat number on the initial Client configuration, the Product Registration window will appear. In this case, you are prompted only for a Seat Number.
Figure 2-11. Product Registration Window

How and where you obtain the license code depends on where
you purchased the Client.
Nortel Networks—If you purchased the Client from Nortel
Networks, click the note at the bottom of the dialog box.
You will be connected to the Apani Networks web site. A
form is displayed which you fill out. When filling out the
form, you will be asked to supply the registration code
attached to the installation CD. Upon completion of the
form, you will be given the license code.


Apani Networks—If you purchased the Client from Apani Networks, you were given the license code at the time of purchase.

1. Enter the license code in the License Code text box.
2. If this Client is one of a multi-seat license, type the assigned seat number for this client in the Seat Number text box.
3. Click Register.
A window appears with the message that the license code has been validated.
Figure 2-12. License Code Validated
4. Click OK.
The Connections window appears and you can begin the configuration and operation of the Client as described in Chapter 3.

Entering a New Registration
If for any reason you need to re-enter the license code or other registration information:
1. In any of the windows (such as Connections, Monitor, Preferences, etc.), click Registration in the left column of the window to display the Product Registration window.


Figure 2-13. Re-Displaying the Product Registration Window

2. Click Clear.
A confirmation prompt appears.
Figure 2-14. Confirming Clear Registration

3. Click Yes, Clear Registration.
The current registration is cleared and the initial Product Registration window appears, as shown in Figure 2-11.


Removing the Contivity VPN Client from Macintosh OS X

IMPORTANT: This procedure completely removes the Client software from the Macintosh OS X computer. It should not be confused with the Disconnect procedure described in Chapter 3, Configuring the Contivity VPN Client.

IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, “Disconnecting the Contivity VPN Client” on page 91.

To remove the Client from a Macintosh OS X computer:

1. Display the hard disk (HD) map.
2. Select Library > Application Support > Apani.
The Apani map appears.
Figure 2-15. Macintosh OS X Apani Screen
3. Double-click Uninstall.


The Uninstaller screen appears.
Figure 2-16. Macintosh OS X Uninstaller Screen

4. Click Uninstall.
A screen appears with a prompt to enter your Administrator Password.
Figure 2-17. Macintosh OS X Uninstall Enter Admin Password Prompt

5. Type the Administrator Password in the text box.
6. Click OK.
The uninstall process begins. A progress message is displayed followed by a message that the uninstall was successful.
Figure 2-18. Macintosh OS X Uninstall Successful

7. Click OK.


Removing the Contivity VPN Client from Linux

IMPORTANT: This procedure completely removes the Client software from the Linux computer. It should not be confused with the Disconnect procedure described in Chapter 3, Configuring the Contivity VPN Client.

IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, “Disconnecting the Contivity VPN Client” on page 91.

NOTE: You must be logged on as root to execute the command that will remove the Client from Linux.

To remove a Client from Linux, enter the following command:

If using RPM distribution:
Enter the following command to obtain the correct version number:
rpm -qa | grep cvc

The system will return the name of the installed rpm—something on the order of:
cvc_linux_rh_gcc<number>_<version_number>-0

Enter the command, using the package name returned above:
# rpm -e cvc_linux_gcc<number>_<version_number>-0

If using TAR distribution:
# cd <directory with unTARed installation files>
# make uninstall

Reboot the Linux host computer.


NOTE: If you want to save the configuration information, as for example in an upgrade or re-installation, save the file /etc/netlock/eac.db to another location where it will not be overwritten by another installation or upgrade. After installing the upgrade version, restore the eac.db file.


Removing the Contivity VPN Client from Solaris

IMPORTANT: This procedure completely removes the Client software from the Solaris computer. It should not be confused with the Disconnect procedure described in Chapter 3, Configuring the Contivity VPN Client.

IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, “Disconnecting the Contivity VPN Client” on page 91.

To remove a Client from Solaris, perform the following steps:

1. Login as root.
2. At the UNIX prompt, enter:
pkgrm nleac

A screen message appears, listing the Solaris version number and requesting confirmation for removal of the Apani Extranet Access Client package.
The following package is currently installed:
nleac Apani Extranet Access Client (sparc) (version number)
Do you want to remove this package?

3. Enter y to continue removal of the Client package.


A second request appears, confirming removal of the Client package.
## Removing installed package instance <nleac>
This package contains scripts which will be executed with
super-user permission during the process of removing this
package.
Do you want to continue the removal of this package (y,n,?,q)

4. Enter y to confirm removal of the Client.
A series of messages appear, describing the step-by-step removal process and finishing with the message that the removal of the Client was successful.
/etc/netlock <non-empty directory not removed>
## Executing postremove script.
Removing Agent log files.
Removing Agent database files.
Removing directory /etc.
## Updating system information.
Removal of <nleac> was successful.

5. Reboot the Solaris system to ensure proper operation.
The removal of the Client is now complete.

NOTE: If you want to save the configuration information, as for example in an upgrade or re-installation, save the file /etc/netlock/eac.db to another location where it will not be overwritten by another installation or upgrade. After installing the upgrade version, restore the eac.db file.
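The notes on saving /etc/netlock/eac.db, here for Solaris and above for Linux, leave the backup as a manual copy. The shell script below is an added example and not code from this manual, from Apani or from Nortel: it picks the installed Client package out of an `rpm -qa` listing (refusing to guess when zero or several "cvc" packages match), saves eac.db to a timestamped copy that it verifies byte for byte, and restores it only when the freshly installed file differs. The backup directory /var/backups/cvc, the function names and the sample rpm listing in the usage comment are assumptions made for this example; the package lookup applies to the Linux RPM distribution only, while the backup and restore steps apply to either platform.

```shell
#!/bin/sh
# Added example (not part of the Apani/Nortel manual): preserve /etc/netlock/eac.db
# across a Client removal or upgrade, and resolve the installed RPM name from
# `rpm -qa` output so the `rpm -e` argument is not typed by hand.
# Assumptions: the database path and the "cvc" package prefix are as the manual
# states; the backup directory and the rpm listing in the usage comment are
# constructed for this example.

# Pick the Client package name out of an `rpm -qa` listing passed on stdin.
# Prints nothing and returns 1 if zero or more than one "cvc" package is listed,
# so the caller never runs `rpm -e` against an ambiguous match.
cvc_pkg_from_list() {
    matches=$(grep '^cvc' | sort -u)
    count=$(printf '%s\n' "$matches" | grep -c . || true)
    if [ "$count" -ne 1 ]; then
        return 1
    fi
    printf '%s\n' "$matches"
}

# Copy the configuration database to a timestamped file in the backup directory,
# confirm the copy is byte-identical, and print the backup path.
backup_eac_db() {
    src=${1:-/etc/netlock/eac.db}
    dest_dir=${2:-/var/backups/cvc}
    [ -f "$src" ] || { echo "no database at $src" >&2; return 1; }
    mkdir -p "$dest_dir" || return 1
    dest="$dest_dir/eac.db.$(date +%Y%m%d%H%M%S)"
    cp -p "$src" "$dest" || return 1
    cmp -s "$src" "$dest" || { echo "backup verification failed" >&2; return 1; }
    chmod 600 "$dest"
    printf '%s\n' "$dest"
}

# Put a saved database back only when the installed copy does not already match it.
restore_eac_db() {
    backup=$1
    dest=${2:-/etc/netlock/eac.db}
    [ -f "$backup" ] || return 1
    if [ -f "$dest" ] && cmp -s "$backup" "$dest"; then
        return 0
    fi
    mkdir -p "$(dirname "$dest")" || return 1
    cp -p "$backup" "$dest" && cmp -s "$backup" "$dest"
}

# Usage on a Linux host with the RPM distribution (constructed listing; not run here):
#   pkg=$(rpm -qa | cvc_pkg_from_list) || exit 1   # e.g. cvc_linux_rh_gcc3_3.5-0
#   saved=$(backup_eac_db) || exit 1
#   rpm -e "$pkg"
#   ... install the upgrade ...
#   restore_eac_db "$saved"
```

Run the three functions as root in the order shown in the usage comment; the backup file is created mode 600 because eac.db holds the Client's connection configuration.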


Removing the Contivity VPN Client from Windows CE

IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, “Disconnecting the Contivity VPN Client” on page 91.

To remove the Client software from the PDA:
Select the Remove Programs applet under Settings.


Customizing User-Interface Graphics

The Client allows you to add customized graphic art to the various windows. With this feature, you can add graphics that are meaningful to your application, such as a logo or business unit representation. The graphics files packaged with the Client software are used if you do not specify customized graphics. The ability to customize user-interface graphics is applicable to all platforms that run Client software.
The graphics must be in CompuServe Bitmap (GIF) format. There are two graphics that can be customized (listed in the table below and illustrated in Figure 2-19). The graphics replace the logos for Nortel Networks and Apani Networks.

For other computers:
To add a customized graphic, create the graphic with the file name and size as shown in the following table. Copy or move the file to the /etc/netlock directory. The graphic will display in the GUI after the computer has been restarted.
The graphics files, their required sizes (in pixels), and their current applications are:

File Name    Size          Application
logo1.gif    100w X 32h    Nortel Networks Logo
logo2.gif    72w X 32h     Apani Networks Logo

Examples of the customized displays are shown in Figure 2-19.


Figure 2-19. Customize GUI Display (logo1.gif, logo2.gif)

3 Configuring the Contivity VPN Client
This chapter explains how to establish a connection between the
Client and the Contivity Switch. It also explains how to monitor
Client status, how to control the logging of Alert information, and
how to disconnect and reconnect the Client.

Contents of this Chapter
User Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - - 47
Discusses the two types of user interface provided by the Contivity VPN Client.
Launching the Contivity VPN Client - - - - - - - - - - - - - - - - - - - 48
Explains the procedures for launching the Client after installation and license registration and prior to establishing a new connection.
Certificate Management - - - - - - - - - - - - - - - - - - - - - - - - - - - - 51
Explains the procedures for using digital certificates and for importing certificates and CA certificates.
Defining a New Connection Profile - - - - - - - - - - - - - - - - - - - - 61
Explains the step-by-step manual procedures for defining a connection profile prior to establishing a new connection between the Contivity VPN Client and the Nortel Networks Contivity Switch.
Connecting the Contivity VPN Client - - - - - - - - - - - - - - - - - - - 74
Explains the step-by-step procedure for establishing the connection between the Contivity VPN Client and the Contivity Switch using a defined connection profile or re-connecting the Client after it has been disconnected.
Monitoring Connection History - - - - - - - - - - - - - - - - - - - - - - 82
Explains the procedure for viewing the status of the Contivity VPN Client connection.
Setting Client Preferences - - - - - - - - - - - - - - - - - - - - - - - - - - - 83
Explains the procedures for controlling what audit and error information will be logged, controlling the maximum log file size, enabling or disabling the display of alerts information messages, and controlling configuration lockdown features.
Viewing Audit Information - - - - - - - - - - - - - - - - - - - - - - - - - - 90
Explains the procedure for viewing the log files of audit and error information.
Disconnecting the Contivity VPN Client - - - - - - - - - - - - - - - - 91
Explains the step-by-step procedure for disconnecting the Contivity VPN Client from the Contivity Switch.
Command Line Interface - - - - - - - - - - - - - - - - - - - - - - - - - - - 92
Provides instructions for the operation of the Contivity VPN Client using the command line interface instead of the graphical user interface.


User Interface

The Client provides a graphical user interface (GUI). The instructions on the following pages illustrate the use of the GUI in the operation of the Client.
A command line interface is available for Client users on Macintosh OS X and Linux computers.
The command line interface does not duplicate the functionality of the GUI. Its main purpose is to be used in shell scripts that connect to the Contivity Switch, allow limited operations such as file transfers, and disconnect.
The instructions for using the command line interface begin on page 92.


Launching the Contivity VPN Client

IMPORTANT: The operation and appearance of windows differ from one browser to another. The contents of the windows are the same. The illustrations that follow all show windows in a Safari browser on a Macintosh OS X system. Where procedural steps and descriptions are different from Macintosh to Linux and UNIX systems, those differences are noted in the text.

NOTE: If your TCP/IP configuration uses dialup PPP (Pass or Remote Access) or a similar non-continuous network connection, you must first connect to the network using your dialup tool before launching the Client.

After completion of a new installation and rebooting:
• on Mac OS X computers an Alias is created and labeled Apani Contivity VPN Client.url
• on Windows CE (PDA) computers, a Contivity VPN Client selection is listed under the Start menu or the Start/Programs menu
• on other computers, an Apani icon is displayed on the front panel

Depending on the type of computer you have:
• On Macintosh OS X computers:
Click the Apani Contivity VPN Client icon.
The browser launches and the Connections window appears.
• On other computers (Linux, Solaris):


1. Click the expand arrow above the Apani icon on the Front Panel. Or, on the command line, enter the command:
start_cvc
A pop-up menu appears.
2. Choose Extranet Access Client.
The browser launches and the Connections window appears.
• On Windows CE computers:
1. Click Contivity VPN Client under the Start menu or the Start/Programs menu.
The browser launches and the Connections window appears.

NOTE: Another way to launch the Client is to load the browser and go to URL "http://127.0.0.1:9161" or to "http://localhost:9161".

Figure 3-20. Connections Window

To establish a new connection between the Client and the Contivity Switch, follow the procedures in “Defining a New Connection Profile” on page 61.


If you are re-connecting to the Contivity Switch or if your connection has been pre-configured, follow the procedure in “Connecting the Contivity VPN Client” on page 74.
If you will be using Certificate Authorization to establish a connection, as opposed to User Name and Password or one of the Group Authentication options, follow the procedures in the next section to import and assign your personal certificate. After that, follow the procedures to establish a new connection or to re-connect, as appropriate.


Certificate Management

The Client supports the use of X.509 Version 3 public key certificates to bind public key values to the Client and the Contivity Switch. The binding is asserted by having a trusted Certificate Authority (CA) digitally sign each certificate. These digitally signed certificates (CA certificates) provide each Client and Contivity Switch with the confidence that the associated key is owned by the correct system with which secure communications will be established. The CA certificate is used to validate the certificate provided to the Client by the Contivity Switch when the Client establishes a connection with the Contivity Switch.
If you are using Certificate authorization to establish a connection, as opposed to User Name and Password or one of the Group Authentication options, the personal certificate and CA certificate must be in place prior to establishing a connection.
Use the procedures in this section to request a personal certificate, to request a CA certificate, to import certificates, to view certificate details, to assign a certificate, and to delete a certificate.
Certificate management is performed with the Certificate Management window.
To display the Certificate Management window, click Certificates in the left column of the first Connections window (see Figure 3-20).

The Certificate Management window appears.


Figure 3-21. Certificate Management Window

Before you can use your personal certificate, you must have imported a CA certificate. This is a signed certificate from your designated Certificate Authority (CA) that validates the certificates issued by the CA.

Importing a CA Certificate
To import a CA certificate:
1. In the Certificate Management window, click CA Certs in the left column.
The Certificate Management window displays CA Certificates.
Figure 3-22. CA Certificate Management
No CA Certificates should be listed at this time.
2. Click Add.
The Certificate Management window appears.


Figure 3-23. Add a CA Certificate

3. Do one of the following to specify the CA certificate file:
• Type the full path of the file containing the CA certificate in the Filename text box and click Import.
• Go to the CA certificate file, cut and paste the certificate into the Certificate panel.
4. With either a file name listed or the CA certificate displayed, click Add.
The CA certificate is imported into the Client and will be used to validate personal certificates imported from now on.

Requesting a Certificate
To establish a connection using personal certificate authorization, you must have imported the certificate and added it to the certificate store. This is a four-part process:
• Generate the Certificate Signing Request (CSR)
• Submit the CSR to the CA
• Import the certificate from the CA
• Add the certificate to the certificate store
This section explains how to request a certificate by (1) generating a request and (2) exporting the request. Importing and assigning the certificate is covered in the following section.


Generating a Certificate Request
To generate a Certificate Signing Request (CSR):
1. In the Certificate Management window (see Figure 3-21), click Requests in the left column.
The Certificate Management window displays Pending Certificate Requests (which at this point should display "No pending certificate requests.").
Figure 3-24. No Pending Certificate Requests
2. Click New.
The Certificate Signing Request form appears in the Certificate Management window.


Figure 3-25. Certificate Signing Request Form

3. Type the required information in the appropriate text boxes. Type a 6-character passphrase in the Passphrase text box. Type the passphrase again. (You will need this passphrase for authorization when connecting the Client to the Contivity Switch.)
4. Click Generate Request.
The Certificate Management window lists the new request.
Figure 3-26. New Pending Certificate Request


Exporting a Certificate Request
When the Certificate Signing Request (CSR) has been created, you can export it to the Certificate Authority (CA).
1. In the Certificate Management window shown in Figure 3-26, click Export.
The Certificate Management window displays the CSR export form.
Figure 3-27. Exporting the CSR
The CSR is displayed in the CSR panel.
2. To export the CSR, you can either:
• Type a file name in the Filename text box where the CSR is to be sent and click Export.
• Or cut and paste the CSR from the display to the export location.
3. Click Continue.
The process of receiving the CSR and generating a new certificate is a function of the CA. At the completion of the process, the new certificate will be in a location where you can then import it into the Client.


Importing a Certificate
When a CSR is sent to the CA, a new certificate is generated. That certificate will be in a file or on a server, ready to be imported. The actual location and the method of generating the certificate varies depending on the particular CA being used.

IMPORTANT: The certificate can be in either binary or base-64 encoded format. If using base-64 encoded format, you should be aware of line endings if transferring files between Windows, UNIX, and Macintosh computers because all of those systems use different line endings.

To import a new certificate:
1. The Certificate Management window should be displayed with Local Certs selected.
Figure 3-28. Certificate Management Window
2. Click Add.
The Certificate Management window displays a form for importing a personal certificate.


Figure 3-29. Importing a Personal Certificate

3. Do one of the following to specify the certificate file:
• Type the full path of the file containing the certificate in the Filename text box and click Import.
• Go to the certificate file, cut and paste the certificate into the Certificate panel.
4. Click Add.
The Certificate Management window displays the certificate information and notifies that the import was successful.
Figure 3-30. Certificate Imported
The window shown above can contain more than one certificate. You will select the certificate to use for your personal certificate authorization. This is explained in the following section, "Establishing a New Connection."
5. Click Connections in the left column to close the Certificate Management window and return to the Connections window.
When you get to the step in establishing a new connection where you must give the name of the certificate, you can select from a pull-down list of certificates.
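The IMPORTANT note at the start of this section warns that a base-64 certificate moved between Windows, UNIX and Macintosh systems may carry the wrong line endings. The script below is an added example and not part of the manual or of the Client: it classifies a certificate file as PEM (base-64) or binary DER (by the ASN.1 SEQUENCE tag 0x30 at offset zero), rewrites CRLF and bare-CR line endings to LF, and checks that the PEM armor lines are balanced and the body contains only base-64 characters before you point the Filename field at the file. The function names are assumptions made for this example, and the fragment in the usage comment is constructed, not a real certificate.

```shell
#!/bin/sh
# Added example (not part of the manual): check a certificate file before importing
# it into the Client. Assumption: the Client accepts either PEM or DER, as the
# manual states; the Client itself is not involved in these checks.

# Print "pem", "der" or "unknown" for the file given as $1.
cert_format() {
    f=$1
    if grep -q -- '-----BEGIN CERTIFICATE-----' "$f" 2>/dev/null; then
        echo pem
    elif [ "$(head -c 1 "$f" | od -An -tx1 | tr -d ' \n')" = "30" ]; then
        # A DER-encoded certificate begins with the ASN.1 SEQUENCE tag 0x30.
        echo der
    else
        echo unknown
    fi
}

# Write $1 to $2 with every CR or CRLF turned into a single LF and blank lines
# dropped; safe for PEM because nothing in it depends on empty lines.
normalize_pem() {
    tr '\r' '\n' < "$1" | sed '/^[[:space:]]*$/d' > "$2"
}

# Return 0 when the BEGIN/END armor lines pair up and every body line is
# base-64 only, 1 otherwise. Run this on a file that has already been normalized.
pem_body_ok() {
    f=$1
    begins=$(grep -c -- '^-----BEGIN CERTIFICATE-----$' "$f" || true)
    ends=$(grep -c -- '^-----END CERTIFICATE-----$' "$f" || true)
    [ "$begins" -ge 1 ] && [ "$begins" -eq "$ends" ] || return 1
    bad=$(sed -n '/^-----BEGIN CERTIFICATE-----$/,/^-----END CERTIFICATE-----$/p' "$f" \
        | grep -v -- '^-----' | grep -vc '^[A-Za-z0-9+/=]\{1,\}$' || true)
    [ "$bad" -eq 0 ]
}

# Normalize the PEM file $1 into $2 and report whether the result is ready to import.
# A DER file needs no line-ending repair and is rejected here so it is not rewritten.
prepare_pem() {
    [ "$(cert_format "$1")" = pem ] || return 1
    normalize_pem "$1" "$2" || return 1
    pem_body_ok "$2"
}

# Usage (constructed file names; not run here):
#   prepare_pem cert-from-ca.pem cert-clean.pem && echo "ready to import"
```

Give the Client the normalized copy in the Filename text box; if cert_format reports "der", import the original file unchanged, since the line-ending concern applies to base-64 files only.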

Deleting a Certificate
To delete a certificate:
1. If you are in the Connections window, click Certificates in the left column to display the Certificate Management window.
Figure 3-31. Personal Certificates Listed
2. Select the certificate that you want to delete.
3. Click Delete.


Viewing Certificate Details
To view the details of a certificate:
1. In the Certificate Management window, click Local Certs to view the list of certificates currently imported into the Client (see Figure 3-31, above).
2. Select the certificate from the list.
3. Click Show.
The window displays a view of the certificate details.
Figure 3-32. Certificate Details
4. Click Continue to close the window and return to the Certificate Management window.


Defining a New Connection Profile

When the Client is launched, the Connections window is displayed. (If you have been importing a certificate or performing a similar function and are in the Certificate Management window, click Connections in the left column.)
The procedures described below are predicated on this being a new connection for which you are creating a configuration profile.
If a connection has already been defined, or if your system administrator has defined the connection and enabled configuration lockdown, follow the procedures described in “Connecting the Contivity VPN Client” on page 74.
If a connection has been previously established but you want to define a new configuration profile, follow the procedure described below.
Figure 3-33. Contivity VPN Client New Connections Window

A connection profile is identified by a Connection Name. The profile specifies the user name and password (if required), the destination name or address, and the authentication method to be used to complete the connection. There may be numerous connection profiles from which to choose. It is also possible that the system administrator will pre-define a profile and then enable configuration lockdown, in which case no selection of (or changes to) connection profiles can be made.


To define a new connection profile:
1. Click New.
The page to define a new connection profile appears.
Figure 3-34. Define a New Connection Profile
2. Type a name for the connection in the Connection Name text box.
3. Type the address of the Contivity Switch in the Destination text box.
The address can be either in decimal format (nnn.nnn.nnn.nnn) or a DNS Lookup address.
4. Click Next.
The page to select the method of authentication appears.
Figure 3-35. Selecting the Authentication Method
5. Select one of the three authentication methods.
6. Click Next.


7. How you proceed now depends upon the method of authentication that you selected in Step 5 and that will be used for this connection profile.
• If authorization will be only with a User Name and Password, continue with "User Name and Password Authentication" below.
• If authorization will be by Certificate Authorization, continue with the procedure under “Digital Certificate Authentication” on page 65.
• If authorization will be by any of the optional Group Authentication methods (such as RADIUS) where you were given a Group ID and Password and possibly an RSA SecurID Token or Card, continue with the procedure under “Group Security Authentication” on page 66.

User Name and Password Authentication
If you selected User Name and Password Authentication in the page shown in Figure 3-35, a page for you to specify a user name appears.
Figure 3-36. Selecting a User ID
1. Type a User ID in the User ID text box.
2. Select Prompt or leave unselected.


If you select Prompt, you will be prompted to type in the User ID on the New Connections page, like this:

If you leave Prompt unselected, the User ID will appear on the New Connections page without prompting, as shown in Figure 3-37, below. Also, if you leave Prompt unselected, a username should not be entered with <connect_string> when using the command line interface.
3. Click Finish.
The Connections window appears with the connection profile for this connection displayed.
Figure 3-37. User Name in Connections Window
4. Type the password in the Password text box.
You also may have the option of saving your password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.

NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and UNIX systems.

5. Continue with the procedure described in “Completing the Connection” on page 70.


Digital Certificate Authentication
If you selected Digital Certificate Authentication in the page shown in Figure 3-35, a page for you to specify a certificate appears.
Figure 3-38. Selecting a Certificate
1. Select a certificate from the Default Cert list.
If no certificates are listed, a certificate or certificates will have to be imported. See “Importing a Certificate” on page 57.
2. Select Prompt or leave unselected.
If you select Prompt, you will be prompted to type in the certificate name on the New Connections page, like this:

If you leave Prompt unselected, the certificate will appear on the New Connections page without prompting, as shown in Figure 3-48, below. Also, if you leave Prompt unselected, a username should not be entered with <connect_string> when using the command line interface.
3. Click Finish.
The Connections window appears with the connection profile for this connection displayed.


Figure 3-39. Certificate Name in Connections Window

4. Type the passphrase that you used when generating the Certificate Signing Request in the Passphrase text box.
The use of the passphrase protects the integrity of the signed digital certificate.
5. Continue with the procedure described in “Completing the Connection” on page 70.

Group Security Authentication

If you selected Group Security Authentication in the page shown in Figure 3-40, a page appears for you to specify one of the Group Authentication Options.
Figure 3-40. Selecting Group Authentication Options


1. Type a User Name in the User Name text box.

2. Select Prompt or leave unselected.
If you leave Prompt unselected, the User Name will appear on the New Connections page without prompting, like this:

Also, if you leave Prompt unselected, a username should not be entered with <connect_string> when using the command line interface.
If you select Prompt, you will be prompted to type in the User Name on the New Connections page, as shown in Figure 3-44, Figure 3-45, or Figure 3-43, below.
3. Type the Group ID in the Group ID text box.
4. Type a password in the Group Password text box.
5. Select the appropriate Group Authentication Option. You
can select:
• If authentication will be by using only a Group ID and
Password, select Group ID and Password.
• If authentication will be by a standard RSA SecurID
Token, which may be a Key Fob or a Card, without a
numeric pinpad (as shown in Figure 3-41), select
Response Only Token.
• If authentication will be by an RSA SecurID PinPad
Card having a numeric pinpad entry (as shown in
Figure 3-42), select Response Only Token and select
Passcode Display.
Figure 3-41. RSA SecurID Token Key Fob and Card


Figure 3-42. RSA SecurID PinPad Card

6. Click Finish.

Depending on the type of Authentication option selected, the Connections window appears with the connection profile for this connection displayed.
• If you selected Group ID and Password, continue with
the procedure under Group Password Authentication,
below.
• If you selected Response Only Token, continue with the
procedure under “Response Only Token” on page 69.
• If you selected Response Only Token and Passcode
Display, continue with the procedure under “Response
Only Token with Passcode” on page 70.

Group Password Authentication

After selecting Group Password Authentication and clicking Finish in the previous Connections window, the Group Password option appears in the Connections window.
Figure 3-43. Group Password Option in Connections Window


7. Type the Group Password in the Password text box.

NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and UNIX systems.

You also may have the option of saving the password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.
8. Continue with the procedure described in “Completing the Connection” on page 70.

Response Only Token

After selecting Response Only Token and clicking Finish in the previous Connections window, the Response Token option appears in the Connections window.
Figure 3-44. Response Token Option in Connections Window

9. Type the PIN given to you by the network administrator.

10. Type the Token number currently appearing on your RSA SecurID Card.
11. Continue with the procedure described in “Completing the
Connection” on page 70.


Response Only Token with Passcode

After selecting Response Only Token and Passcode Display followed by clicking Finish in the previous Connections window, the Response Token with Passcode option appears in the Connections window.
Figure 3-45. Response Token with Passcode Option in Connections Window

12. Enter the PIN given to you by the network administrator on the pinpad of your RSA SecurID Card.
13. Read the Passcode number from your RSA SecurID Card
and type that number in the Passcode field.
14. Continue with the procedure for completing the
connection, described below.

Completing the Connection

After defining the authentication method, you were instructed to return to this point. Continue with the following steps to complete establishing a connection.
Depending on previous connections, you may have the
option of disabling Keepalives. This would override the
setting of the Contivity Switch. You can disable Keepalives
at the Client, even if it has been enabled at the Contivity
Switch. If Keepalives is disabled at the Contivity Switch, it
cannot be enabled at the Client.
1. Click Connect.


The Client Monitor window appears and displays a message screen while the connection is being made.
Figure 3-46. Negotiation in Progress Message

When negotiations between the Client and the Contivity Switch complete successfully, the Contivity VPN Client window with connection values is replaced by the Client Monitor window (see Figure 3-47). The Negotiation Status value in the Client Monitor window displays Successful. The other values are updated according to the Contivity Switch IPSec settings.
If the connection is not established:
• The Contivity VPN Client window is displayed, and the message "Negotiation with switch failed" is displayed.
The Client Monitor window periodically refreshes the Duration, Bytes In/Out, and Frames In/Out values as long as the Client is connected to the Contivity Switch.
Figure 3-47. Client Monitor Window


NOTE: You do not have to keep the browser window open once
you have completed a connection. You may close the
browser window or quit the browser application. The
connection will stay unchanged.

To access the Client again:
• On Macintosh computers, click the Apani icon on the menu bar and choose an item from the drop-down menu.
• On Macintosh OS X computers, click the Apani icon on the desktop.
• On other computers, click the expand arrow above the Apani icon on the Front Panel and choose an item from the pop-up menu.


Editing a Connection Profile

Provision is made to edit a connection profile. The editing feature can be disabled by the system administrator using the Configuration Lockdown facility. If the editing feature has been disabled, the Edit button will not appear in any of the configuration windows.
To edit settings in a configuration profile, click Edit in the part
of the configuration that you want to edit.
A screen will appear that will be similar to the screen with
which you set the current screen’s values while creating the
current configuration profile. The editing screen, instead of
having blank values as it did when creating the configuration
profile, will show the current configuration values.
You can change any values by typing in a new value, for
example, change a password or select a new certificate.
Click Next to move through the configuration screens in the
same order as when creating the configuration profile.
If you change a value, such as changing the method of authentication, when you click Next, you will then have to continue through the remainder of the configuration procedure for the newly selected method. The values for successive screens would be blank, as in defining a new profile.


Connecting the Contivity VPN Client


The following procedure is for:
• Re-connecting a Client to a Contivity Switch
• Establishing an initial connection of a Client to a Contivity Switch when a configuration profile has previously been defined

Selecting the Connection Profile

To connect the Client:

1. If the browser is not already launched and the Connections window displayed, follow the procedures described in “Launching the Contivity VPN Client” on page 48, to launch the Client.
The Connections window is displayed.
The appearance and content of the window will vary
depending upon the configuration profile defined for this
Client and, if the Client has been previously connected,
upon the configuration profile last used.
2. The current configuration profile name is shown in the
Connection list. If you want to connect under a different
connection profile, select the connection name in the
Connection list.
If Java scripts have been enabled, the new profile features
are displayed. If Java scripts have not been enabled, click
Go after selecting the connection name.

3. The type of authentication for this connection is shown directly under the Connection list under the Type heading.
This will show one of several values:
• User ID & Password—If this is shown as the
authentication Type, continue with the procedure
described in “User ID & Password Authentication” on
page 75
• Digital Certificate—If this is shown as the authentication Type, continue with the procedure described in “Digital Certificate Authentication” on page 76.
• One of the Group Authentication options may be
displayed:
• Group (Token)—If this is shown as the
authentication Type, continue with the procedure
described in “Response Token Authentication” on
page 77.
• Group (Token/Passcode)—If this is shown as the
authentication Type, continue with the procedure
described in “Response Token with Passcode
Authentication” on page 78.
• Group Password—If this is shown as the
authentication Type, continue with the procedure
described in “Group ID and Password
Authentication” on page 79.

User ID & Password Authentication

If User ID & Password is the method of authentication, the Connections window that first appears will look like the following:
Figure 3-48. User ID and Password Connections Window

The User Name might be displayed or a selection text box will prompt to select a User Name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.


1. If you are being prompted, select your User Name from the
selection list.
2. Type your password in the Password text box.

NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and UNIX systems.

You also may have the option of saving your password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.
3. Continue with the procedure described in “Completing the Connection” on page 80.

Digital Certificate Authentication

If Digital Certificates is the method of authentication, the Connections window that first appears will look like the following:

Figure 3-49. Digital Certificates Connections Window

The Certificate name might be displayed or a selection text box will prompt to select a Certificate name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.
1. If you are being prompted, select your Certificate from the
selection list.
2. Type your passphrase in the Passphrase text box.

This is the passphrase used to protect the integrity of the personal certificate. It is not the same as the User ID Password.
3. Continue with the procedure described in “Completing the
Connection” on page 80.

Response Token Authentication

If the Response Token is the method of authentication, the Connections window that first appears will look like the following:
Figure 3-50. Response Token Connections Window

The User Name might be displayed or a selection text box will prompt to select a User Name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.
1. If you are being prompted, select your User Name from the
selection list.
2. Type the PIN given to you by the network administrator.

3. Type the Token number currently appearing on your RSA SecurID Card (see Figure 3-41).
4. Continue with the procedure described in “Completing the
Connection” on page 80.


Response Token with Passcode Authentication

If the Response Token with Passcode is the method of authentication, the Connections window that first appears will look like the following:

Figure 3-51. Response Token with Passcode Option in Connections Window

The User Name might be displayed or a selection text box will prompt to select a User Name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.
1. If you are being prompted, select your User Name from the
selection list.
2. Enter the PIN given to you by the network administrator
on the pinpad of your RSA SecurID Card (see Figure 3-42).
3. Read the Passcode number from your RSA SecurID Card
and type that number in the Passcode field.
4. Continue with the procedure described in “Completing the
Connection” on page 80.


Group ID and Password Authentication

If Group ID and Password is the method of authentication, the Connections window that first appears will look like the following:

Figure 3-52. Group Password Connections Window

The User Name might be displayed or a selection text box will prompt to select a User Name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.
1. If you are being prompted, select your User Name from the
selection list.
2. Type the Group Password in the Password text box.

NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and UNIX systems.

You also may have the option of saving the password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.
3. Continue with the procedure described in "Completing the Connection" below.


Completing the Connection

Continue with the following steps to complete establishing a connection.
Depending on previous connections, you may have the
option of disabling Keepalives. This would override the
setting of the Contivity Switch. You can disable Keepalives
at the Client, even if it has been enabled at the Contivity
Switch. If Keepalives is disabled at the Contivity Switch, it
cannot be enabled at the Client.
1. Click Connect.

The Client Monitor window appears and displays a message screen while the connection is being made.
Figure 3-53. Negotiation in Progress Message

When negotiations between the Client and the Contivity Switch complete successfully, the Contivity VPN Client window with connection values is replaced by the Client Monitor window (see Figure 3-47). The Negotiation Status value in the Client Monitor window displays Successful. The other values are updated according to the Contivity Switch IPSec settings.
If the connection is not established:
• The Contivity VPN Client window is displayed, and the message "Notification with switch failed" is displayed.
The Client Monitor window periodically refreshes the Duration, Bytes In/Out, and Frames In/Out values as long as the Client is connected to the Contivity Switch.


Figure 3-54. Client Monitor Window

NOTE: You do not have to keep the browser window open once
you have completed a connection. You may close the
browser window or quit the browser application. The
connection will stay unchanged.

To access the Client again:
• On Macintosh OS X computers, click the Apani icon on the desktop.
• On other computers, click the expand arrow above the Apani icon on the Front Panel and choose an item from the pop-up menu.


Monitoring Connection History

Connection Statistics

The statistics for an established connection between the Client and the Contivity Switch are displayed in the Client Monitor window. The Client Monitor window appears as soon as a successful connection is established. The connection Duration, Bytes In/Out, and Frames In/Out values are periodically updated. To update those values in the window without waiting, click Refresh.
Figure 3-55. Client Monitor Window

If the Client Monitor window is not displayed and you want to display it:
• On Macintosh OS X computers:
Click the Apani Contivity VPN Client url on the desktop.
• On other computers:
a. Click the expand arrow above the Apani icon on the Front Panel.
b. Choose Extranet Access Client in the pop-up menu.
The Client Monitor window appears.


Setting Client Preferences

The Client Preferences window allows you to control the logging of audit information, to display the log files of audit information, to set the size of the log files, to control the display of audit messages, and to control configuration lockdown features.

Audit Controls The Client logs audit messages to a log file. You can view the
log file at any time. Audit controls are used to select the types
of audit messages that are written to the log file and to set the
maximum size of the log file.
Four types of audit information may be logged. The four types
of information are:
Information Type   Meaning
Security Audits    Indicates a possible penetration attempt.
System Audits      Indicates a failure of an operating system resource within the Client.
Protocol Audits    Indicates a failure of the key management or encapsulation protocol.
Trace Audits       Records actions provided by the key management and encapsulation protocols.

You can enable (or disable) log file archiving by selecting what
(if any) information will be logged.


Controlling Audit Information Logging

Types of Information Logged

To select the logging of Client audit information and to select which types of information should be logged:
1. In the Client Monitor window, click Preferences.

The Client Preferences window appears.

If the Client Monitor window is not displayed, you can also view Preferences by:
• On Macintosh computers:
Click the Apani icon on the menu bar and select Preferences in the drop-down menu.
• On other computers:
Click the expand arrow above the Apani icon on the Front Panel and select Preferences in the pop-up menu.
Figure 3-56. Client Preferences Window

2. Select which of the four types of information you want to have logged. See “Audit Controls” on page 83.
3. Click Submit.


Changing the Log File Size

The Client maintains audit information in a log file. When the size of the log file reaches a maximum value, it is archived in an old log file (overwriting the previous old log file, if it exists) and a new log file is created. An audit message is written at the top of the new log file. This mechanism prevents audit information from filling the disk. The amount of time it takes for the log file to reach its maximum allowed size depends on which audit types are logged and how often the Client is run. The default maximum log file is 1000 Kilobytes.
To choose the log file maximum size:
1. In the Client Monitor window, click Preferences.

The Client Preferences window appears (see Figure 3-56).

2. Type a value, in kilobytes, in Max Logfile Size to set the maximum log file size. The minimum setting is 10 Kb; the maximum setting is 10240 Kb.
3. Click Submit.


Configuration Locking

Configuration locking allows you to prevent a user from editing or deleting a connection profile, prevent a user from creating a new connection profile, and set a passphrase to prevent others from accessing configuration locking.

To set configuration locking:

1. In the Preferences window, click Configuration Locking.

The Configuration Locking window appears.

Figure 3-57. Configuration Locking Window

To Lock a configuration:
All of the current connection profiles are listed in the Configuration Locking window.
1. Select (check) those configurations that you want to lock.

2. Click Submit.

When a user selects a connection profile, the Edit and Delete buttons are not available.


Figure 3-58. Editing and Deleting of Configuration Locked

To prevent a user from defining a new connection:

1. In the Configuration Locking window, leave Allow New Configs unselected.

Figure 3-59. Disallowing a New Configuration

2. Click Submit.

When a user selects a connection profile, the New button is not available.


Figure 3-60. Editing, Deleting, and Creating a New Configuration Locked

Figure 3-60 shows a connection for which configuration locking has been applied and new connections are not allowed. If new connections are not allowed but the configuration has not been locked, the user will be able to edit and delete a connection profile but not create a new one, as shown in Figure 3-61.
Figure 3-61. Creating a New Configuration Prohibited

To set a passphrase for configuration locking:

1. In the Configuration Locking window, type a passphrase in the Passphrase text box.
2. Type the passphrase a second time in the Repeat text box.


Figure 3-62. Specifying a Passphrase

3. Click Submit.

The passphrase is set. The next time you click Configuration Locking in the Preferences window to set configuration locking, you will be prompted to enter the passphrase, as shown in Figure 3-63.
Figure 3-63. Passphrase Prompt for Configuration Locking

When the Configuration Locking window appears, the passphrase is cleared. If you want to set the passphrase to limit access the next time, you must enter it again as in the above steps.


Viewing Audit Information

To view logged audit information:

1. In any of the Client windows (Connections, Client Monitor, Certificate Management, Preferences, etc.), click Logfiles in the left-hand column.

The log files are displayed in the Contivity VPN Client Log window.
Figure 3-64. Viewing Agent Status

2. When you are finished viewing the log files, close the Client Log window.


Disconnecting the Contivity VPN Client

To disconnect the Client from the Contivity Switch:

1. The Client Monitor window may already be displayed. If it isn’t, double-click the URL shortcut. The Client Monitor window appears.
Or:
a. Click the expand arrow above the Apani icon on the Front Panel.
b. Choose Extranet Access Client in the pop-up menu.

The Client Monitor window appears.

2. In the Client Monitor window, click Disconnect.

A status message is displayed informing you that the network session is no longer established.


Command Line Interface

On Macintosh OS X and Linux computers only, the Client provides a command line interface. The command line interface does not duplicate the functionality of the graphical user interface (GUI). It does, however, provide a means of connecting to and disconnecting from the Contivity Switch.
The command line interface can be used in shell scripts to connect to the Contivity Switch, perform some functions such as file transfers, and disconnect.

IMPORTANT: You must be careful with the file permissions for scripts that invoke the command line utility. If you embed Contivity connection information, such as usernames and passwords, in scripts that invoke the command line utility, the information may be disclosed to other users who have read access to your scripts. There is no way to prevent users with Administrator (Mac OS X) or root privileges from reading your files.

If you use a single line command to invoke the command line utility, the connection information (including username/password) in the command can be seen by other users who run process monitoring utilities or have access to logs of processes run on your computer.

The format of the command is:

cvc [-c <connect_string>|-p|-q|-d|-h|-v]

The options are:

<connect_string> = connection:username:password
-c  connect     connects to the Contivity Switch using <connect_string>
-p  prompt      prompts for <connect_string>, then connects to the Contivity Switch using <connect_string>
-q  read        reads <connect_string> from stdin, then connects to the Contivity Switch using <connect_string>
-d  disconnect  disconnects from the Contivity Switch
-h  help        displays a list of command options
-v  version     displays the current version and build number of the Client

IMPORTANT: When defining a connection profile (see “Defining a New Connection Profile” on page 61) if you leave Prompt unselected, you would not be prompted for a User ID when establishing a connection using the GUI. The same default applies when using the command line interface. If Prompt is unselected, you should not enter a username as part of the <connect_string>. Doing so will cause an error. Without the username prompt, the <connect_string> should look like: connection::password. Note that two colons are still used.

NOTE: If the browser is open and the Client Window is displayed when you connect using the command line interface, the Client Window is not updated. You must first use the browser Refresh or Reload command to update the window.


Example 1:
# cvc -h
Contivity VPN Client Command Line Interface
Usage: cvc [-c <connect string>] [-pqdvh]

-c connect using specified connect string
-p prompt for connect string and connect
-q read connect string from stdin and connect

connect string = connection:username:password

-d disconnect
-v display version
-h help

Example 2:
# cvc -c connection_name:username:password
Connects the Client to the Contivity Switch using the connection named in the connect string then passes the user name and password to the Contivity Switch to establish the Client-to-Contivity Switch connection.
Example 3:
# cvc -d
Disconnects the Client from the Contivity Switch.
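The shell-script use of the command line interface described above, as an added example that is not part of this guide or of the Apani/Nortel software: a POSIX shell wrapper that builds <connect_string> in the documented form (omitting the username but keeping both colons for a profile whose Prompt is unselected), feeds it to cvc through -q on stdin instead of -c on the command line so it is not visible to process monitoring utilities, and refuses to read a password file that group or other users can read. The cvc command and its options are the guide's; the function names, the CVC_RUN variable and the password-file layout are assumptions.

```shell
#!/bin/sh
# Added example, not part of the Contivity guide: a wrapper around the cvc
# command line interface that keeps connection information off the command
# line. Assumes cvc is on PATH; the part that actually invokes cvc is only
# reached when the caller sets CVC_RUN=1, so the functions can be sourced
# and checked on their own.

# Build <connect_string> as the guide documents it: connection:username:password.
# For a profile defined with Prompt unselected, pass "" as the username so the
# result is connection::password (both colons are kept).
build_connect_string() {
    printf '%s:%s:%s\n' "$1" "$2" "$3"
}

# Succeed only if the file grants no permission bits to group or other.
# In the ls -l mode string, characters 5-10 are the group and other bits.
owner_only() {
    [ "$(ls -ld "$1" 2>/dev/null | cut -c5-10)" = "------" ]
}

# Read the first line of a password file, refusing files that other users
# can read (the guide's warning: credentials embedded in a readable file are
# disclosed to anyone with read access to it).
read_password_file() {
    if ! owner_only "$1"; then
        echo "refusing $1: readable by group or other users" >&2
        return 1
    fi
    IFS= read -r pw < "$1" || [ -n "$pw" ] || return 1
    printf '%s\n' "$pw"
}

# Connect with -q (connect string on stdin) rather than -c, so the password
# never appears in the argument list that process monitoring utilities show.
cvc_connect() {
    build_connect_string "$1" "$2" "$3" | cvc -q
}

if [ "${CVC_RUN:-0}" = 1 ]; then
    # Usage: CVC_RUN=1 ./cvc_wrapper.sh <connection> <username-or-""> <password-file>
    pw=$(read_password_file "$3") || exit 1
    cvc_connect "$1" "$2" "$pw" || exit 1
    # ... perform the file transfers or other work over the connection here ...
    cvc -d
fi
```

The password file itself must be mode 600 and, as the guide notes, nothing in the script can keep an Administrator or root user from reading it.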

Glossary

AH See: Authentication Header.

Anti-Replay Protection A form of partial sequence integrity. It detects the arrival of duplicate IP packets (within a constrained window) and the arrival of IP packets out of sequence. See also: Integrity.

Authentication (1) The verification of the identity of a user, device or other entity in a computer system, usually as a prerequisite to allowing access to system resources.
(2) The verification of data that have been stored, transmitted, or exposed to possible unauthorized modification.

Authentication Header (AH) An upper-level header located between the IP header and the payload within an IP packet. The AH includes an integrity check value (ICV) for the contents of the IP packet. The exact nature of the checksum depends upon the method selected during configuration. It is used to ensure the integrity of the entire IP packet, including both the payload and the IP header. The AH does not provide data confidentiality.

Authentication Information The public key information needed to authenticate a digital signature.
Authorization The granting of privileges, which includes the granting of
access based on previously authorized access.

Compression See: Data Compression.

Confidentiality The protection of data from unauthorized disclosure. Usually, the unauthorized disclosure of application level data is the primary concern, but the disclosure of the external characteristics of communication can also be a concern in some circumstances. The traffic flow confidentiality service addresses this latter concern by concealing source and destination addresses, message length, or frequency of communication. In the IPSec context, using Encapsulating Security Payload (ESP), especially at a security gateway, can provide some level of traffic flow confidentiality.

Data Compression Encoding data to take up less storage space. Digital data is compressed by finding repeatable patterns of binary 0s and 1s. The more patterns can be found, the more the data can be compressed. Text can generally be compressed to about 40% of its original size, and graphics files from 20% to 90%. Data compression, as used in the Contivity VPN Client, is applied to the data before encryption.

Data Encryption Standard (DES) A standard encryption algorithm providing a high degree of protection. DES has a key length of 56 bits and meets U.S. government approval for general export. See also: Triple DES.
Data Integrity The property that data has not been altered or destroyed in an
unauthorized manner.

Data Origin Authentication The corroboration that the source of data received is as claimed.

Decryption See: Encryption.

Denial of Service Denotes attacks that do not cause a security violation as such,
but harm the availability of a service. For example, someone
sending a large number of forged packets to a host could
degrade the performance of the host.

DES See: Data Encryption Standard.

Digital Signature Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery (e.g., by the recipient).

Encapsulating Security Payload (ESP) An OSI layer 3 connection or connectionless security protocol. In general, ESP provides for the following: peer entity authentication, data origin authentication, access control services, connection confidentiality, connectionless confidentiality, traffic flow confidentiality, connection integrity without recovery, and connectionless integrity.


Encapsulation The process of wrapping a packet, or some part of it, in a security envelope to provide the means for network devices to check the authentication of the sending node and the integrity of the data.

Encryption A security mechanism used for the transformation of data from an intelligible form (plaintext) into an unintelligible form (ciphertext) to provide confidentiality. The inverse transformation process is termed decryption, but encryption is often used generically to refer to both processes.

Entity A device attached to a network and identified by an internetwork address, network number, or any combination. Components are comprised of one or more entities.

ESP See: Encapsulating Security Payload.

Extranet (1) A semi-permanent WAN connection over a public network between a corporation and its business associations, such as partners, customers, suppliers, and investors.
(2) A Web site for existing customers rather than the general public. It can provide access to paid research, current inventories and internal databases, and virtually any information that is private and not published for everyone. An extranet uses the public Internet as its transmission system, but requires passwords to gain access. See also: Internet, Intranet.

File Encryption File encryption software is specific to particular operating sys-


tems, and does not protect data during remote logins or when
updating records across a network.

Firewall (1) A combination of hardware and software that separates a


LAN into two or more parts for security purposes.
(2) A router or workstation with multiple network interfaces
that controls and limits specific protocols, types of traffic
within each protocol, types of services, and direction of the
flow of information.

Host Any computer on a network that is a repository for services


available to other computers on the network. It is quite com-
mon to have one host machine provide several different ser-
vices.

ICV: See Integrity Check Value.

Identity-Based Security Policy: A security policy based on the identities and/or attributes of users, a group of users, or entities acting on behalf of the users and the resources/objects being accessed.

IKE: See Internet Key Exchange.

Integrity: A security service ensuring that data modifications are detected.

Integrity Check Value (ICV): A value that is derived by performing an algorithmic transformation on the data unit for which data integrity services are provided. The ICV is sent with the protected data unit and is recalculated and compared by the receiver to detect data modification.

Intrusion Detection: A generic term for detecting network penetration attempts by observing activities on the network.

Internet: (1) A large network made up of a number of smaller networks. (2) "The" Internet is made up of more than 100,000 interconnected networks in over 100 countries, comprised of commercial, academic and government networks. See also: Extranet, Intranet.

Internet Key Exchange (IKE): A key management protocol that provides secure management and exchange of cryptographic keys between distant devices. IKE also provides a secure way to transmit keys. IKE uses public-key cryptography to create a secure association. That association is then used to perform a secure second public-key exchange, resulting in a symmetric key for encryption.

Intranet: An in-house Web site serving the employees of the enterprise. Although intranet pages may link to the Internet, an intranet is not a site accessed by the general public. The term has become so popular that it is often used to refer to any in-house LAN and client/server system. See also: Extranet, Internet.

IPSec: Internet Protocol Security. A set of protocols for authentication, privacy, and data integrity that is transparent to the underlying network infrastructure and can be configured to run in two distinct modes: tunnel mode and transport mode.
IPSec is implemented at the packet processing layer of network communication, as opposed to earlier security approaches that were implemented at the application layer. IPSec provides two choices of security service: Authentication Header (AH), which allows authentication of the sender, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data. The specific AH and ESP information is inserted into the packet as a header that follows the IP packet header. Separate key protocols, such as ISAKMP, can be selected. See also: Authentication, Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and ISAKMP.

ISAKMP: Internet Security Association and Key Management Protocol. The IPSec standard procedures and packet formats to establish, negotiate, modify and delete Security Associations (SA) and for defining payloads for exchanging key generation and authentication data. See also: Authentication, Internet Key Exchange (IKE), and IPSec.

IS Router: Intermediate Services Router. A router, acting as a security gateway, usually placed between an intranet and the public network. See also: Router.

Key Generation: Method of establishing key materials used in ciphering functions.

Key Management: The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.

LAN (Local Area Network): See Intranet.

Logging: The process of maintaining a diary of the occurrence of security-relevant events.

Logging Trail: A chronological record of system activities that can be used to reconstruct and review the sequence of activities surrounding or leading to an operation, procedure, or event in a transaction from its inception to final results.

LZS: An algorithm used for data compression. See also: Data Compression.

NAT: See Network Address Translator.
Network Address Translator (NAT): Usually implemented in a firewall or router at the boundary between a company's intranet and the public Internet, maintaining a mapping between internal IP addresses and external public IP addresses. The internal addresses are not advertised outside of the intranet and can remain private (in the case of globally ambiguous addresses) or secret (in the case of globally unique addresses).

Packet Filtering: A method for determining how passing IP packets should be handled. Packet filtering is applied to all IP packets passing the IPSec engine. Packet filtering may modify the IP packet, pass it intact, or even drop it. See also: Port Filtering.

Perfect Forward Secrecy: Forces the regeneration of keying material for each new Security Association (SA) and/or completely separates authentication encryption from data encryption.

Port Filtering: Allows communications to be limited to certain specific applications.

Protocol: A set of rules that governs the communication and exchange of data between system elements and that provides a basic level of service in a system.

Protocol Alerts: An alert indicating a failure of the key management or encapsulation protocol.

RC4: An encryption algorithm that provides solid, mid-range protection using a variable-length encryption key. RC4/128 key length is 128 bits and is approved for limited export. RC4/40 key length is 40 bits and meets U.S. government standards for general export.

Repudiation: Denial by one of the entities involved in a communication of having participated in all or part of the communication.

Router: A special-purpose dedicated system that connects several networks and makes decisions about which of several paths network traffic will take. The process may be repeated several times on a single packet by multiple routers until the packet is delivered to its final destination. To accomplish this, a routing protocol is used to gather information about the network, and algorithms based on several criteria known as "routing metrics" choose the best route. See also: IS Router.
Security Audit: An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy, and procedures.

Security Audit Trail: Data collected and potentially used in a security audit.

Security Controls: Hardware, firmware, and software features within a system that restrict access of resources to authorized users, devices, or entities only.

Security Gateway: An intermediate system acting as a communications interface between two networks. The internal subnetworks and hosts served by a security gateway are presumed to be trusted because of shared local security administration. The set of hosts and networks on the external side of the security gateway is viewed as not trusted or less trusted.

Security Policy: The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.

Security Service: The technology-based security functions provided by a networking system. They are Authentication Services, Access Control Services, Confidentiality Services, Data Integrity Services, and Non-repudiation Services.

Subject: An active entity, either a person, device, or process, that causes information to flow among objects or changes the system state.

Subnet: A portion of a network, which may be a physically independent network, that shares a network address with other portions of the network and is distinguished by a subnet number. A subnet is to a network what a network is to an internet.

Subnet Number: A part of the internet address that designates a subnet. It is ignored for the purposes of internet routing, but is used for intranet routing.

TCP: Transmission Control Protocol. The major Internet transport protocol, which provides reliable, connection-oriented, full-duplex streams.
Threat: Any circumstance or event which has the potential to cause harm to a system. Harm may arise in the form of destruction, modification, or disclosure of data, and/or denial of service.

Transformation: A particular type of change applied to an IP packet. ESP encryption and AH integrity are types of transformations. A Security Association supplies the keys and other association-specific data to a transformation.

Transformation Sequence: A set of transformations applied to an IP packet one after another. For example, an outgoing IP packet can be protected first with an ESP to ensure data confidentiality and higher-level data integrity, and then with an AH to protect the integrity of the IP header carrying the IP packet. In this case, the transformation sequence consists of an ESP transformation followed by an AH transformation. IPSec supports other types of transformations, and therefore transformation sequences may occasionally be rather long, even 5 or 6 stages. However, most transformation sequences consist of just one or two steps.

Transport Mode: As opposed to tunnel mode, wherein the entire packet, including the IP header, is wrapped in the packet protection of a tunnel and a new IP header is prepended to the packet, in transport mode the IP header is sent in the normal, unencapsulated format.

Triple DES: A stronger iteration of the Data Encryption Standard, Triple DES is designed to resist focused, persistent attacks by well-financed, expert cryptanalysts. The U.S. government restricts Triple DES to domestic use and limited export.

Tunnel Mode: Packet transmission wherein the entire packet, including the IP header, is wrapped in the packet protection of a tunnel and a new IP header is prepended to the packet.
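The Integrity Check Value, Transport Mode and Tunnel Mode entries describe one mechanism from three angles. The following Python block, added here as an illustration and not taken from the Contivity VPN Client or this manual, ties them together with a toy packet format: the 10-byte header layout, the key, the addresses and the sample payload are constructed for the demonstration and are not the real IPv4 or ESP wire format. HMAC-SHA-256 truncated to 128 bits stands in for the ICV algorithm, and, as with ESP, the ICV covers only the protected body and not the outer header (AH differs, since it also covers immutable IP header fields).

```python
"""Toy packet protection illustrating ICV, Transport Mode and Tunnel Mode.

Added example, not code from the Contivity VPN Client or its manual. The
10-byte header layout, key, addresses and payload below are constructed for
the demonstration; they are not the real IPv4/ESP wire format.
"""
import hashlib
import hmac
import struct

HDR_LEN = 10      # constructed header: 4-byte src, 4-byte dst, 2-byte protocol
ICV_LEN = 16      # HMAC-SHA-256 truncated to 128 bits (HMAC-SHA-256-128 style)
PROTO_TCP = 6     # IANA protocol number for TCP
PROTO_ESP = 50    # IANA protocol number for ESP


def ip_to_bytes(addr: str) -> bytes:
    return bytes(int(octet) for octet in addr.split("."))


def ip_header(src: str, dst: str, proto: int) -> bytes:
    """Build the constructed 10-byte header (not a real IPv4 header)."""
    return ip_to_bytes(src) + ip_to_bytes(dst) + struct.pack("!H", proto)


def compute_icv(key: bytes, data: bytes) -> bytes:
    """Integrity Check Value: a keyed hash over the protected data unit."""
    return hmac.new(key, data, hashlib.sha256).digest()[:ICV_LEN]


def protect_transport(key: bytes, packet: bytes) -> bytes:
    """Transport mode: the original IP header stays in place, unencapsulated;
    only the payload is protected, and the ICV is appended."""
    header, payload = packet[:HDR_LEN], packet[HDR_LEN:]
    return header + payload + compute_icv(key, payload)


def protect_tunnel(key: bytes, packet: bytes, gw_src: str, gw_dst: str) -> bytes:
    """Tunnel mode: the entire original packet, header included, becomes the
    protected body, and a new outer header (gateway to gateway) is prepended."""
    outer = ip_header(gw_src, gw_dst, PROTO_ESP)
    return outer + packet + compute_icv(key, packet)


def verify(key: bytes, wire: bytes, mode: str):
    """Receiver side: recompute the ICV over the protected portion and compare
    it in constant time with the one that was sent. Returns the recovered
    original packet, or None if the data unit was modified in transit."""
    header, body, icv = wire[:HDR_LEN], wire[HDR_LEN:-ICV_LEN], wire[-ICV_LEN:]
    if not hmac.compare_digest(compute_icv(key, body), icv):
        return None
    if mode == "tunnel":
        return body              # inner packet, original header intact
    return header + body         # transport: original header plus payload


# Constructed sample: a host behind the VPN gateway talking to an intranet server.
KEY = b"constructed-demo-key-not-for-real-use"
ORIGINAL = ip_header("10.1.1.5", "10.2.2.9", PROTO_TCP) + b"GET /intranet HTTP/1.1"


def demo() -> dict:
    """Protect the sample packet both ways and run a tamper check."""
    transport = protect_transport(KEY, ORIGINAL)
    tunnel = protect_tunnel(KEY, ORIGINAL, "203.0.113.10", "198.51.100.20")

    # Flip one byte of the inner payload after protection: the receiver's
    # recomputed ICV no longer matches, so the packet is rejected.
    tampered = bytearray(tunnel)
    tampered[HDR_LEN + HDR_LEN] ^= 0x01
    return {
        "transport_ok": verify(KEY, transport, "transport") == ORIGINAL,
        "tunnel_ok": verify(KEY, tunnel, "tunnel") == ORIGINAL,
        "tampered_rejected": verify(KEY, bytes(tampered), "tunnel") is None,
        # Only the gateway addresses are visible in the tunnel-mode outer header;
        # the inner 10.x addresses sit inside the protected body.
        "tunnel_outer_src": ".".join(str(b) for b in tunnel[:4]),
        "transport_len": len(transport),   # 10 header + 22 payload + 16 ICV
        "tunnel_len": len(tunnel),         # 10 outer + 32 inner packet + 16 ICV
    }


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

Two points the block makes that the entries only state: in tunnel mode the inner header (with the private 10.x addresses) is part of the data the ICV covers, whereas in transport mode the header travels uncovered and unencapsulated; and the receiver must recompute the ICV with the same key and compare it in constant time (hmac.compare_digest), since a wrong key or any modified byte in the protected region has to yield a rejection rather than a partially accepted packet.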
Unsecured Communications: Unencrypted, non-firewalled, or unprotected communications between two network computers.

Virtual Private Network (VPN): A temporary, secure connection over a public network, usually the Internet.
Index

A
address of Contivity Switch 62
address, DNS 62
allowing new configurations 87
audit
  information 90
audit information
  controlling 83
  logging 84
  viewing 90
authentication 13
autoconnect 14

B
bulleted lists 4

C
Certificate Authority
  Netlock Manager 51
  third party 51
Certificate Management window 52
certificates
  managing 51
Client
  disconnecting 91
  discussion about 8
  log file archiving 83
  new connection 61
  preferences 83
  purpose 8
  re-connecting 74
  registering license code 33
Contivity VPN Client
  See Client
Client Log window 90
command line interface 47
commands
  start_cvc 49
compression 14
configuration locking 86
Configuration Locking window 86
configuring the Contivity Switch 13
connecting the Client 61
connection profile 61
Connections window 49
Contivity Switch
  address 62
  configuring 13
  description of 8
  purpose 8
controlling
  audit information logging 84
  log file size 85
conventions
  keyboard 3
  terminology 4
  typographical 3
customizing graphics 43
D
database authentication 13
disabling Keepalives 70, 80
disconnecting the Client 91
display banner 14
DNS Lookup 62

E
encryption 14
establishing a new connection 61

F
Failover 14
failover 14
forced logoff 14

G
graphical user interface (GUI) 47
graphics files
  headbar.gif 43
graphics, customizing 43
group ID 63

H
headbar.gif file 43

I
information
  status 90
  trace 83
installing
  Client for Linux 25
  Client for Macintosh OS X 19
  Client for Solaris 28
  Client for Windows Mobile 31
IPSec
  Contivity Switch settings 13

K
Keepalives, disabling 70, 80
keyboard conventions 3

L
LDAP 13
license code 33
Linux
  installing Client on 25
  removing Client from 38
  system requirements 5
locking a configuration 86
log file archiving for Clients 83

M
Macintosh OS X
  installing Client on 19
  removing Client from 36
  system requirements 5
managing the use of certificates 51

N
Nortel Contivity Switch
  See Contivity Switch
numbered lists 4
O
obtaining a license code 33
operation of Client 8
organization of document 2
overview of product 8

P
password
  with Group ID 63
  with user name 63
perfect forward secrecy 14
PIN 69, 77
Preferences window 84
preferences, setting 83
prevent defining a new connection profile 87
prevent deleting a connection profile 86
prevent editing of connection profile 86
product overview 8
product registration 33

R
radius authentication 14
re-connecting the Client 74
registration of Client 33
removing
  Client from Linux 38
  Client from Macintosh OS X 36
  Client from Solaris 40
requirements, system 5

S
security policies 8
setting configuration locking 86
setting preferences 83
Solaris
  installing Client on 28
  removing Client from 40
  system requirements 6
split tunneling 13
start_cvc command 49
status
  information 90
supported settings 13
system requirements
  Linux 5
  Macintosh OS X 5
  Solaris 6

T
timeout 14
trace information 83
tunneling 13
typographical conventions 3
typographical terminology 4

U
user interface
  command line 47
  graphical (GUI) 47
user name 63
using certificates 51

V
viewing audit information 90

W
windows
  Certificate Management 52
  Client Log 90
  Configuration Locking 86
  Connections 49
  Preferences 84
Windows Mobile
  installing Client on 31
X
X.509v3 certificates
  format 51
