User and Administrator Guide
for Mac OS X, Linux, Solaris, and Windows Mobile 2003 CE and SE
Published by:
Nortel Networks Corporation
8200 Dixie Road, Suite 100
Brampton, Ontario L6T 5P6
Canada
Nortel Networks
600 Technology Park Drive
Billerica, MA 01821-4130
Customer Support:
Voice: 1-800-4NORTEL
Web Page: http://www.nortel.com
For FAQs, follow the pathway:
Customer Support > FAQ Search (selection on left side of screen)
Product family: Enterprise Data; Product: Contivity
For Technical Documentation, follow the pathway:
Customer Support > Technical Documents > Select a Product: Contivity 4000 VPN Switches
The Apani Networks site is an excellent source of information. You can use the Apani
Knowledge Base to search for FAQs pertaining to the Contivity VPN Client.
1. Go to http://support.apani.com/kb/.
2. Select Contivity VPN Client in the Select a Product list.
3. Click Start Search.
Contents
Chapter 1. Getting Started
    Organization of this Guide
    Conventions
        Product Name
        Cautionary Information
        Keyboard Conventions
        Typographical Conventions
        Typographical Terminology
    System Requirements
    What’s New in Version 3.5?
    Product Overview
        The Nortel Networks Contivity Switch
        The Contivity VPN Client
Glossary
Chapter 1. Getting Started

Contents of this Chapter
Organization of this Guide: Provides an introductory overview of Contivity VPN Client functions.
Conventions: Explains the typographical and command conventions used in this guide.
System Requirements: Lists the system requirements for installing a Contivity VPN Client.
What’s New in Version 3.5?: Provides a list of features that are new to Contivity VPN Client version 3.5.
Product Overview: Provides a brief introduction to the Nortel Networks Contivity Switch and the Contivity VPN Client.
Conventions

Product Name: Throughout most of this guide, the Contivity VPN Client is referred to simply as the Client and the Nortel Networks Contivity Switch is referred to simply as the Contivity Switch.
System Requirements

A Contivity VPN Client installation requires the following minimum configurations.

Mac OS X
Operating System: Mac OS X, system version 10.3 through 10.3.9 or 10.4 through 10.4.7
Power Macintosh or Intel Mac
CD-ROM drive
10 MB of free disk space
128 MB of RAM
Ethernet card or dialup modem
A web browser (Safari or Netscape are preferred)

Linux
Linux for Intel x86 or equivalent processors, 32-bit only. The Client will not work on a SPARC-based system.
Linux kernel 2.4.x, or 2.6.x up to 2.6.18. Kernel 2.6.15-1.2054 will not work because of a kernel bug that prevents proprietary-license modules from loading correctly.
Operating systems: RedHat Enterprise Advanced Server 3.0 to 4; Fedora Core 4, 5, and 6; SUSE 9.2, 9.3, and 10.1
32 MB of RAM (64 MB recommended)
30 MB of free disk space
Ethernet card or dialup modem
CD-ROM drive
Kernel source for the running 2.4.x or 2.6.x kernel (the Client is kernel dependent and is rebuilt on the host)
A web browser (Netscape and Mozilla are preferred)
X Window System
What’s New in Version 3.5?
Product Overview

The Nortel Networks Contivity Switch: The Contivity Switch is a single hardware device that provides routing, firewall, bandwidth management, encryption, authentication, and data integrity for secure tunneling across managed IP networks and the Internet. Contivity Switches are used to connect remote users, branch offices, suppliers, and customers with the cost and performance advantages of shared IP networks and the security and control inherent in private networks.
Configuring the Contivity Switch

Initial Configuration: This document assumes that you have already configured the Contivity Switch with basic settings, including identity and private and public addresses. Be sure that IPSec is enabled.

Nortel Networks Contivity Switch Configuration: To work with the Client, the Contivity Switch’s IPSec settings must be set according to the values in the following table. "Supported" means the Client supports all valid options for this setting. "Don’t Care" means the Client ignores this feature, but it may be supported by other clients.
Split Tunnel Inbound Port Filtering on Linux or UNIX Computers: Linux and UNIX operating systems support multiple simultaneous users. To help prevent unauthorized access to the private network, the Client automatically blocks inbound access to TCP and UDP ports 0 through 1023 on the Client's local (public) network while you are connected to the Contivity Switch with split tunneling enabled. Remote systems and users cannot use services on these Well Known Ports while the Client is connected. Existing, active connections through inbound ports 0 through 1023 are cut off as soon as the Client connects to the Contivity Switch.

When the Client is connected with split tunneling enabled, the Client permits outbound access through all ports. The Client also permits inbound access through ports 1024 and above. This allows the local user to take advantage of split tunneling to connect to remote servers using web browsers and other applications. Note that this also means any service listening on a port at or above 1024, such as an X server on TCP port 6000, remains reachable from the public network while the tunnel is up; if the host must not act as a path into the private network, such services need to be firewalled separately.

NOTE: All inbound and outbound access on the Client's local (public) network is blocked when the Client is connected and split tunneling is disabled.
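The following is an added example, not code from the guide or from the Client, that applies the filtering rule above to a host's listener table so you can see beforehand which local services a split-tunnel connection will cut off from the public network and which will stay exposed. The listener table SAMPLE_SS is constructed in the column layout of "ss -ltun" (iproute2); on a live host, pass that command's output instead. Treating loopback-only listeners as unaffected is an assumption based on their being unreachable from the network anyway.

```shell
# Added example, not code from the guide or the Client: list the services on
# this host that the Client's inbound filter will block while connected.
# SAMPLE_SS is a constructed listener table in the column layout of
# "ss -ltun" (iproute2): Netid State Recv-Q Send-Q Local:Port Peer:Port.
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128          0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128        127.0.0.1:631       0.0.0.0:*
tcp   LISTEN 0      128          0.0.0.0:8080      0.0.0.0:*
udp   UNCONN 0      0            0.0.0.0:123       0.0.0.0:*
tcp   LISTEN 0      128             [::]:443          [::]:*'

# Print "proto port" for each listener the Client will block while connected.
# $1 is "split" (default: only inbound ports 0-1023 are blocked) or "nosplit"
# (every inbound port is blocked). $2 optionally replaces the sample table,
# e.g. affected_listeners split "$(ss -ltun)".
affected_listeners() {
    mode="${1:-split}"
    table="${2:-$SAMPLE_SS}"
    printf '%s\n' "$table" | awk -v mode="$mode" '
        {
            addr = $5
            n = split(addr, a, ":"); port = a[n]    # port follows the last colon
            if (port !~ /^[0-9]+$/) next             # header or malformed line
            # Assumption: loopback-only sockets are unreachable from the
            # public network regardless of the filter, so they are skipped.
            if (addr ~ /^127\./ || addr ~ /^\[::1\]:/) next
            if (mode == "nosplit" || port + 0 <= 1023) print $1, port
        }' | sort -u
}
```

With the sample table, `affected_listeners split` reports tcp 22, tcp 443 and udp 123 (sshd, an HTTPS listener and NTP become unreachable from the public side) while tcp 8080 stays reachable; `affected_listeners nosplit` adds tcp 8080, because without split tunneling every inbound port is blocked.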
Pre-Configuration

Installing the Contivity VPN Client for Macintosh OS X
6. Click OK.
7. Click Continue.
8. Scroll to read the Read Me file; click Print to print the file, or click Save to write the file to another location.
9. Click Continue to continue with the installation.
10. Scroll to read the license agreement; click Print to print the file, or click Save to write the file to another location.
11. Click Continue to continue the installation.
A message is displayed:
Installing this software requires you to restart your computer when the installation is done. Are you sure you want to install the software now?
Installing the Contivity VPN Client for Linux

NOTE: You must be logged on as root to execute the commands that will install the Client on Linux.

NOTE: We recommend that you remove any previously installed IPSec client software before installing the Contivity VPN Client. Failure to do so might result in a failure of the installation.

The Contivity VPN Client is shipped on a multi-platform CD-ROM. Use the mount command to mount the CD, then install the Client using either the RedHat Package Manager (RPM) distribution or the TAR distribution. Assuming that the CD is mounted at /cdrom, the full path to the Linux package is /cdrom/linux/nleac.

Installing with the RPM Distribution on RedHat with GCC 3.x: To install the Client on a Linux computer using RedHat with GCC 3 (RedHat Advanced Server 3.0 to 4 and Fedora Core 4, 5, and 6), use the following procedure.

The Client is kernel dependent. The package contains source code that must be rebuilt against the kernel of the host before it is installed. To rebuild the package, on the host where the Client is being installed, enter the following command:
rpmbuild --rebuild cvc_linux-rh-gcc3-[version]-0.src.rpm
rpmbuild --rebuild compiles the source package and writes a binary RPM into the RPMS directory of the build tree; it does not install anything by itself, so install the resulting binary package with rpm before continuing. Log out and log back in to the Linux computer before using the Client.

Installing with the RPM Distribution on SUSE 9.2, 9.3, and 10.1: To install the Client on a Linux computer using SUSE 9.2, 9.3, or 10.1, use the following procedure.

The Client is kernel dependent. The package contains source code that must be rebuilt against the kernel of the host before it is installed. To rebuild the package, on the host where the Client is being installed, enter the following command:
rpmbuild --rebuild cvc_linux-suse-gcc3-[version]-0.src.rpm
As on RedHat, install the binary RPM that rpmbuild produces, then log out and log back in to the Linux computer before using the Client.

Installing with the TAR Distribution: To install the Client from the TAR distribution, unTAR the files by entering the following command in the directory where the TAR file is located:
# tar -xvf <file_name>.tar
Installing the Contivity VPN Client for Solaris

Requirements: In order to configure the Client and to access the on-line help, you must have a web browser installed on the host computer. The Contivity VPN Client prefers Netscape, but will also use the Sun HotJava browser.

If you install a browser after the Client, make sure that a file called "netscape" exists in the standard command path. That file should call or point to the installed browser. For example, if you install Netscape at /opt/NSCPcom/netscape, create a symbolic link called /usr/bin/netscape or change your command path to include /opt/NSCPcom.

NOTE: Commands are case sensitive. Commands shown here in lower case must be typed in lower case.

In order to install a Client on a Solaris system, you must have root or superuser permission.

Dynamic Routing: The Client will not operate on a Solaris system that has dynamic routing enabled. If dynamic routing is enabled, you must disable it prior to installing the Client. To disable dynamic routing, create a file named /etc/defaultrouter whose contents are the IP address of the default router. Solaris starts its routing daemons at boot only when no static default router is configured, so the change takes effect at the next reboot.

Installing with the TAR Distribution: To install the Client from the TAR distribution, unTAR the files by entering the following command in the directory where the TAR file is located:
tar -xvf <file_name>.tar
Enter the new directory created by the TAR file and proceed with step 3 of a normal installation (below). The unTARed files are in the directory <directory_name>.
3. Enter the following command:
pkgadd -d . nleac
4. Press y to continue.
Installing the Contivity VPN Client for Windows Mobile

Windows Mobile Compatibility: This version of the Apani Contivity VPN Client is designed to be installed and run under Windows Mobile Pocket PC 2003 CE and SE.

Installing from a Desktop: Unzip the install package to a known location on the hard disk of the desktop machine. Run the program setup.exe from that location. This starts the desktop portion of the install. Accept the default for the location of the product on the PDA and observe that the desktop install starts the PDA install at the proper time and that it runs to completion. Reboot the PDA at this time.

Configuration: The PDA must be rebooted after installation for the Client to function.
Registering the Contivity VPN Client Software

New Registration: At the completion of installation, when you first start the Client, the Product Registration window appears. You must enter your license code before any further operations can take place.

If the Client has been pre-configured (see "Pre-Configuration"), the Product Registration window will not appear and the Connections window appears when the Client is first launched.

An exception to that rule: in a multi-seat license installation, if a 0 (zero) is entered as the seat number on the initial Client configuration, the Product Registration window will appear. In this case, you are prompted only for a Seat Number.

Figure 2-11. Product Registration Window

How and where you obtain the license code depends on where you purchased the Client.

Nortel Networks: If you purchased the Client from Nortel Networks, click the note at the bottom of the dialog box. You will be connected to the Apani Networks web site, where a form is displayed for you to fill out. You will be asked to supply the registration code attached to the installation CD. Upon completion of the form, you will be given the license code.

4. Click OK.

Entering a New Registration: If for any reason you need to re-enter the license code or other registration information:
1. In any of the windows (such as Connections, Monitor, Preferences, etc.), click Registration in the left column of the window to display the Product Registration window.
2. Click Clear.

Removing the Contivity VPN Client from Macintosh OS X
3. Double-click Uninstall.
4. Click Uninstall.
6. Click OK.
7. Click OK.

Removing the Contivity VPN Client from Linux
NOTE: You must be logged on as root to execute the command that will remove the Client from Linux.
To remove a Client from Linux, enter the following command.
If using the RPM distribution, first enter the following command to obtain the installed package name and version number:
rpm -qa | grep cvc

Removing the Contivity VPN Client from Solaris
pkgrm nleac
Customizing User-Interface Graphics

For other computers: To add a customized graphic, create the graphic with the file name and size shown in the following table. Copy or move the file to the /etc/netlock directory. The graphic will display in the GUI after the computer has been restarted.

The graphics files, their required sizes (in pixels), and their current applications are:
Chapter 3. Configuring the Contivity VPN Client

This chapter explains how to establish a connection between the Client and the Contivity Switch. It also explains how to monitor Client status, how to control the logging of Alert information, and how to disconnect and reconnect the Client.

User Interface

Launching the Contivity VPN Client

Certificate Management
The Client supports X.509 version 3 public key certificates to bind public key values to the Client and to the Contivity Switch. The binding is asserted by having a trusted Certificate Authority (CA) digitally sign each certificate. A signed certificate gives each Client and Contivity Switch confidence that the associated key is owned by the system with which secure communications will be established. The CA's own certificate (the CA certificate) carries the public key that verifies those signatures; the Client uses it to validate the certificate the Contivity Switch presents when the Client establishes a connection.

If you are using certificate authentication to establish a connection, as opposed to User Name and Password or one of the Group Authentication options, both the personal certificate and the CA certificate must be in place before the connection is established.

Use the procedures in this section to request a personal certificate, to request a CA certificate, to import certificates, to view certificate details, to assign a certificate, and to delete a certificate.

Certificate management is performed with the Certificate Management window. To display the Certificate Management window, click Certificates in the left column of the first Connections window (see Figure 3-20).

Before you can use your personal certificate, you must have imported a CA certificate. This is the certificate of your designated Certificate Authority (CA), which validates the certificates issued by that CA.
2. Click New.

Exporting a Certificate Request: When the Certificate Signing Request (CSR) has been created, you can export it to the Certificate Authority (CA).
1. In the Certificate Management window shown in Figure 3-26, click Export. The Certificate Management window displays the CSR export form.
Figure 3-27. Exporting the CSR
2. Click Add.
The window shown above can contain more than one certificate. You will select the certificate to use for your per-
3. Click Delete.
3. Click Show.
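What the Certificate Management section means by the CA certificate validating the certificate presented by the Contivity Switch, carried out by hand with the openssl command-line tool, as an added example (not code from the guide, the Client, or Apani). Everything is built in a scratch directory: the CA names, the switch name switch.example.net, and the 2048-bit RSA keys are assumptions. The second CA stands in for an impostor switch whose certificate was signed by a CA the Client has not imported.

```shell
# Added example, not code from the guide or the Client: a CA certificate,
# a leaf certificate it signed, and the verification the Client performs,
# done with openssl. Names and key sizes are assumptions.
WORK="${WORK:-$(mktemp -d)}"

# Create a self-signed CA certificate and private key. The .crt file is the
# "CA certificate" the Client must import before a certificate connection.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 30 \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.crt" >/dev/null 2>&1
}

# Generate a key and CSR for an end entity and have the named CA sign it.
# The result stands in for the certificate the Contivity Switch presents
# during IKE (or for the Client's own personal certificate).
make_leaf() {
    ca="$1"; name="$2"
    openssl req -newkey rsa:2048 -nodes -sha256 -subj "/CN=$name" \
        -keyout "$WORK/$name.key" -out "$WORK/$name.csr" >/dev/null 2>&1 &&
    openssl x509 -req -sha256 -days 30 -CAcreateserial -in "$WORK/$name.csr" \
        -CA "$WORK/$ca.crt" -CAkey "$WORK/$ca.key" -out "$WORK/$name.crt" >/dev/null 2>&1
}

# The check the Client performs on the switch certificate: is the leaf
# signed by, and currently valid under, the CA certificate we trust?
# Prints OK or FAIL.
verify_chain() {
    if openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1; then
        echo OK
    else
        echo FAIL
    fi
}

demo() {
    make_ca lab-ca
    make_ca other-ca        # unrelated CA; what an impostor switch would present
    make_leaf lab-ca switch.example.net
    echo "trusted lab-ca,   switch cert: $(verify_chain lab-ca switch.example.net)"
    echo "trusted other-ca, switch cert: $(verify_chain other-ca switch.example.net)"
}

demo
```

The first line of output is OK and the second is FAIL: the same switch certificate is accepted only by a Client that has imported the CA certificate that actually signed it, which is why the CA certificate must be in place before a certificate connection is attempted and why importing the wrong CA certificate leaves the Client unable to connect.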
Defining a New Connection Profile

6. Click Next.

User Name and Password Authentication: If you selected User Name and Password Authentication in the page shown in Figure 3-35, a page for you to specify a user name appears.

You also may have the option of saving your password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.
NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and UNIX systems.

5. Continue with the procedure described in "Completing the Connection" below.

6. Click Finish.

You also may have the option of saving the password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.
NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and UNIX systems.

8. Continue with the procedure described in "Completing the Connection" below.

Completing the Connection: After defining the authentication method, you were instructed to return to this point. Continue with the following steps to complete establishing a connection.

Depending on previous connections, you may have the option of disabling Keepalives. This overrides the setting of the Contivity Switch: you can disable Keepalives at the Client even if they are enabled at the Contivity Switch, but if Keepalives are disabled at the Contivity Switch, they cannot be enabled at the Client.

1. Click Connect.

NOTE: You do not have to keep the browser window open once you have completed a connection. You may close the browser window or quit the browser application. The connection will stay unchanged.
Connecting the Contivity VPN Client

User ID & Password Authentication: If User ID & Password is the method of authentication, the Connections window that first appears will look like the following:
Figure 3-48. User ID and Password Connections Window
1. If you are being prompted, select your User Name from the selection list.
2. Type your password in the Password text box.
You also may have the option of saving your password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.
NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and UNIX systems.
3. Continue with the procedure described in "Completing the Connection" below.

Response Token with Passcode Authentication: If Response Token with Passcode is the method of authentication, the Connections window that first appears will look like the following:

You also may have the option of saving the password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.
NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and UNIX systems.
3. Continue with the procedure described in "Completing the Connection" below.

NOTE: You do not have to keep the browser window open once you have completed a connection. You may close the browser window or quit the browser application. The connection will stay unchanged.
Setting Client Preferences

Audit Controls: The Client logs audit messages to a log file. You can view the log file at any time. Audit controls are used to select the types of audit messages that are written to the log file and to set the maximum size of the log file.

Four types of audit information may be logged:
Security Audits: Indicates a possible penetration attempt.
System Audits: Indicates a failure of an operating system resource within the Client.
Protocol Audits: Indicates a failure of the key management or encapsulation protocol.
Trace Audits: Records actions performed by the key management and encapsulation protocols.

You can enable (or disable) log file archiving by selecting what (if any) information will be logged.

Controlling Audit Information Logging

Types of Information Logged: To select the logging of Client audit information and to select which types of information should be logged:
1. In the Client Monitor window, click Preferences.
• On other computers: Click the expand arrow above the Apani icon on the Front Panel and select Preferences in the pop-up menu.
Figure 3-56. Client Preferences Window
Changing the Log File Size: The Client maintains audit information in a log file. When the size of the log file reaches a maximum value, it is archived as an old log file (overwriting the previous old log file, if one exists) and a new log file is created. An audit message is written at the top of the new log file. This mechanism prevents audit information from filling the disk. The amount of time it takes for the log file to reach its maximum allowed size depends on which audit types are logged and how often the Client is run. The default maximum log file size is 1000 Kilobytes. Because only one archived generation is kept, copy the old log file elsewhere if you need audit history older than the current and previous files, for example when investigating a Security Audit entry.

To choose the log file maximum size:
1. In the Client Monitor window, click Preferences.
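The archiving mechanism just described, reimplemented as an added example so that its retention consequence is visible on disk. This is not code from the Contivity Client or from Apani: the log path, the message wording, and the use of the 1000 KB default as a variable are assumptions, since the Client's own file names are not documented here.

```shell
# Added example, not code from the Contivity Client: a minimal version of the
# size-capped, two-generation log archiving the guide describes, plus a
# collector that preserves both generations before the old one is overwritten.
# File names, message wording and the MAX_KB variable are assumptions.
MAX_KB="${MAX_KB:-1000}"   # maximum size before archiving (the guide's default)

timestamp() { date -u +%Y-%m-%dT%H:%M:%SZ; }

# Append one audit message to the log. If the log has already reached MAX_KB,
# move it to <log>.old first (silently overwriting any earlier archive, as
# described) and start the new log with an audit line recording the archive.
audit_log() {
    log="$1"; shift
    if [ -f "$log" ] && [ $(( $(wc -c < "$log") / 1024 )) -ge "$MAX_KB" ]; then
        mv -f "$log" "$log.old"
        printf '%s SYSTEM log reached %s KB, archived to %s, new log started\n' \
            "$(timestamp)" "$MAX_KB" "$log.old" > "$log"
    fi
    printf '%s %s\n' "$(timestamp)" "$*" >> "$log"
}

# Number of generations of a log still on disk: 0, 1 (current) or 2 (current
# and .old). It never exceeds 2, which is the retention limit of the scheme.
generations() {
    n=0
    [ -f "$1" ] && n=$((n + 1))
    [ -f "$1.old" ] && n=$((n + 1))
    echo "$n"
}

# Copy both generations into an evidence directory with a timestamp suffix
# before the next archive overwrites the old one; prints how many were saved.
preserve_log() {
    log="$1"; dest="$2"; copied=0
    mkdir -p "$dest"
    for f in "$log" "$log.old"; do
        if [ -f "$f" ]; then
            cp -p "$f" "$dest/$(basename "$f").$(timestamp)" && copied=$((copied + 1))
        fi
    done
    echo "$copied"
}
```

Running audit_log repeatedly against a file that has grown past MAX_KB shows the point the guide makes: the archive step keeps exactly one old file, so a third generation is lost unless preserve_log (or an equivalent copy) has run in between.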
To lock a configuration: All of the current connection profiles are listed in the Configuration Locking window.
1. Select (check) those configurations that you want to lock.
2. Click Submit.

2. Click Submit.

1. Click Submit.
The log files are displayed in the Contivity VPN Client Log window.
Figure 3-64. Viewing Agent Status
2. When you are finished viewing the log files, close the Client Log window.

Disconnecting the Contivity VPN Client
Command Line Interface

Example 1:
# cvc -h
Contivity VPN Client Command Line Interface
Usage: cvc [-c <connect string>] [-pqdvh]
-d disconnect
-v display version
-h help

Example 2:
# cvc -c connection_name:username:password
Connects the Client to the Contivity Switch using the connection named in the connect string, then passes the user name and password to the Contivity Switch to establish the Client-to-Contivity Switch connection.

NOTE: A password supplied on the command line is visible to other local users in the process list (for example, through ps) while cvc runs, and an interactive shell records the whole command in its history. On the multi-user Linux and UNIX systems this guide targets, prefer the password prompt in the Client's user interface, or remove the entry from the shell history after use.

Example 3:
# cvc -d
Disconnects the Client from the Contivity Switch.
Glossary

Data Compression: Encoding data to take up less storage space. Digital data is compressed by finding repeatable patterns of binary 0s and 1s; the more patterns that can be found, the more the data can be compressed. Text can generally be compressed to about 40% of its original size, and graphics files from 20% to 90%. Data compression, as used in the Contivity VPN Client, is applied to the data before encryption, since properly encrypted data has no repeatable patterns left to compress.

Denial of Service: Denotes attacks that do not breach the confidentiality or integrity of a service as such, but harm its availability. For example, someone sending a large number of forged packets to a host could degrade the performance of the host.
Internet Key Exchange (IKE): A key management protocol that provides secure negotiation and exchange of cryptographic keys between distant devices. IKE first uses public-key cryptography (a Diffie-Hellman exchange, authenticated with certificates or a shared secret) to establish a protected, authenticated association between the two peers. That association is then used to negotiate the IPSec security associations and to derive the symmetric keys that encrypt and authenticate the tunneled data.
Security Audit Trail: Data collected and potentially used in a security audit.

Transport Mode: IPSec packet protection in which only the payload of the packet is protected and the original IP header is sent in its normal, unencapsulated form, as opposed to tunnel mode, in which the entire packet, including the IP header, is wrapped inside the protection of a tunnel and a new IP header is prepended.

Tunnel Mode: Packet transmission in which the entire packet, including the IP header, is wrapped inside the protection of a tunnel and a new IP header is prepended to the packet.

Unsecured Communications: Unencrypted, non-firewalled, or unprotected communications between two network computers.