Novell BorderManager® VPN: No Secrets

Novell BrainShare 2002
TUT341—Novell BorderManager VPN: No Secrets
Caterina Luppi, Novell SysOp, Novell Support Connection, caterina@wirediguana.com
Craig Johnson, craigsj@ix.netcom.com, http://nscsysop.hypermart.net

Vision: one Net
A world where networks of all types—corporate and public, intranets, extranets, and the Internet—work together as one Net and securely connect employees, customers, suppliers, and partners across organizational boundaries.

Mission
To solve complex business and technical challenges with Net business solutions that enable people, processes, and systems to work together and our customers to profit from the opportunities of a networked world.

What Is the VPN?
If you're here you should know this already, but...
- VPN = Virtual Private Network
- A network that uses the Internet as the medium for transporting data
- By using encryption and other security mechanisms, this system ensures that only authorized users can access the network and that data crossing the Internet cannot be read or altered in transit (it can still be captured; the encryption is what makes the capture useless)

The BorderManager® VPN
- The VPN is one of the modules included in the BorderManager (BM) product suite
- There are two types of VPN in BorderManager: site-to-site and client-to-site
- Site-to-site VPN links two LANs together with an "encrypted tunnel" over the Internet
- Client-to-site VPN allows a remote PC to make a secure connection to a LAN over the Internet

Important Things to Remember
About the site-to-site VPN
- It is established between two or more BM/VPN servers (one master, one or more slaves)
- An encrypted tunnel links two or more LANs connected to the same VPN
- It is mainly based on routing: traffic passes through the tunnel because a static route makes the tunnel the lowest-cost route to the remote LAN. If the route is missing or a more specific route points elsewhere, the traffic simply never enters the tunnel
- Traffic passing through the tunnel is encrypted and decrypted at the VPN servers, not at the hosts
- No need for special software at the workstations

Important Things to Remember (cont.)
About the client-to-site VPN
- It is established between a client, running special software, and a VPN server configured as "master"
- It provides secure access to the LAN and WAN behind the VPN server
- The user must be authorized to establish the VPN with a username and through "Access Rules"
- The client workstation must use MS Windows (Win 9x, NT, 2000; XP and ME soon)
- The VPN client and the NetWare® client are distinct and independent

The "Must Know"
You should be familiar with
- The terminology (VPTUNNEL IP address, public IP address, private IP address)
- How to configure a "standard" VPN by using VPNCFG.NLM and NWADMN32.EXE
- The exchange of the VPN information and digest
- Basic routing concepts (default gateway, IP routing protocols used in your LAN)
- The details of the Internet connectivity for your LAN
- The emergency phone number of your ISP

The Secrets of Your Success
- Make sure you are not doing anything against your company policy
- List your needs and know what you want to do
  - What kind of VPN do you want to set up (client-to-site, site-to-site, or both)?
  - Will your users log into Novell eDirectory™ or only use IP services (HTTP, FTP, mail, etc.)?
  - Which version(s) of Windows are your users using?
- Pick a good ISP
  - Bad ISPs (incompetent, not helpful, not flexible) are the "public enemy number one" of your VPN

WARNING: "Intense" material ahead! Concentration is required.

The Guiding Flowcharts
Instructions for the flowcharts
- Choose the map that suits your environment
- Start from "start here" and follow the flowchart by answering the questions
- When both of the following conditions apply, you will need two separate VPN servers; apply the recommendations of flowcharts 4 and 5
  - Your LAN has a different "gateway" to the Internet (NOT the VPN server)
  - You need both client-to-site and site-to-site

Flowchart 1 (* Novell Directory Service®, ** Novell NetWare®)

Flowchart 2

Flowchart 3

Flowchart 4

Flowchart 5

Tips for Partitioning the eDirectory
- We don't recommend spanning your eDirectory tree across multiple sites connected through the VPN
- eDirectory health depends on the reliability of the connection between the servers, and the connection between the servers is only as reliable as the least reliable of all the links
- If you really, really, really need it...

Tips for Partitioning the eDirectory (cont.)
- Partition your tree sensibly
- Very little, if any, eDirectory traffic should travel across the VPN for standard office operations
- Store a copy of all the needed licenses locally
- The BorderManager server needs to hold a replica of the partition where its container resides
- The master replica of the partition associated with each remote site must be stored at the remote site

Case Study: VPN within a Corporate LAN
Your LAN is part of a larger corporate LAN, using an existing default gateway to the Internet. What do you want to do?
- Establish site-to-site and client-to-site VPN
- eDirectory access only for VPN clients
- IP-only (HTTP, FTP, mail, database) access for sites
- Access to certain corporate servers, but you can't change the routing tables of these servers, or these servers are across routers whose routing tables can't be changed

Case Study: VPN within a Corporate LAN (cont.)
Diagram (the addresses used throughout this case study):
- S_master (site-to-site): private IP 192.168.1.39, VPTUNNEL 192.168.168.1
- C_master (client-to-site): private IP 192.168.1.40, VPTUNNEL 192.168.169.1, dynamic NAT on its private interface
- S_slave: private IP 192.168.2.1, VPTUNNEL 192.168.168.2
- Slave LAN: 192.168.2.x, default gateway 192.168.2.1
- Master LAN: default gateway is the existing corporate gateway, not the VPN servers

Case Study: VPN within a Corporate LAN (cont.)
- For BOTH site-to-site and client-to-site VPN, you need TWO separate VPN servers (S_master and C_master)
- The VPN server for the client-to-site (C_master) must have DYNAMIC NAT enabled on its PRIVATE interface only; no NAT on the public interface. With NAT on the private side, the corporate servers see VPN clients as C_master's own private IP (192.168.1.40), so their replies come back to C_master even though their default gateway is the corporate firewall
- Before anything else, fix the routing. Routing, routing, routing

Case Study: VPN within a Corporate LAN (cont.)
Configure the "protected networks" in S_master: in NWADMN32, BM set-up, VPN, site-to-site, details, double-click on each server name
- The protected network for each server is the private network behind that VPN server
- Ex. protected network for S_master: 192.168.1.0/24; protected network for S_slave: 192.168.2.0/24; etc.
- Make sure that "Enable IP RIP" is checked

Case Study: VPN within a Corporate LAN (cont.)
Select "encrypt only the listed networks" in C_master: in NWADMN32, BM set-up, VPN, client-to-site, details
- You should add the private IP network behind the C_master server to the list of networks to encrypt
- Anything not on the list leaves the VPN client unencrypted, through its ordinary Internet connection, so the list is exactly the set of destinations you are protecting
- Ex. the list of networks to encrypt should show:
    <public IP address of C_master>  mask 255.255.255.255
    192.168.1.0                      mask 255.255.255.0

Case Study: VPN within a Corporate LAN (cont.)
The servers in your master LAN (only the ones that you want to reach through the VPN) must have static routing entries for the slave LANs
Ex: routing table of SRV1 (in the master LAN)
    Destination                  Next hop
    Default gateway 0.0.0.0      corporate firewall
    Network 192.168.2.0          192.168.1.39
    Network 192.168.3.0          192.168.1.39
    Network 192.168.168.0        192.168.1.39   (this is the VPTUNNEL network)
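Because the whole site-to-site design rests on these static routes, the check a practitioner wants is "for every server I expect to reach through the tunnel, does the reply go back to S_master or to the corporate firewall?" The following is an added example, not code from the slides or from BorderManager: a longest-prefix-match lookup over SRV1's table, plus a function that lists the remote hosts whose replies would bypass the VPN. The corporate firewall address 192.168.1.254 is an assumption (the slide only says "corporate firewall"); the other addresses are the case study's.

```python
import ipaddress

# Added example, not from the BrainShare slides. 192.168.1.254 is an assumed
# address for the "corporate firewall"; the slide does not give one.
CORPORATE_FIREWALL = "192.168.1.254"
S_MASTER_PRIVATE = "192.168.1.39"

# SRV1's routing table from the slide: (destination prefix, next hop).
SRV1_TABLE = [
    ("0.0.0.0/0", CORPORATE_FIREWALL),       # default gateway
    ("192.168.2.0/24", S_MASTER_PRIVATE),    # slave LAN
    ("192.168.3.0/24", S_MASTER_PRIVATE),    # second slave LAN
    ("192.168.168.0/24", S_MASTER_PRIVATE),  # VPTUNNEL network
]


def next_hop(table, destination):
    """Return the next hop for `destination` by longest-prefix match.

    The most specific matching prefix wins; the default route (0.0.0.0/0)
    is used only when no other entry covers the address.
    """
    dst = ipaddress.ip_address(destination)
    best_net, best_hop = None, None
    for prefix, hop in table:
        net = ipaddress.ip_network(prefix)
        if dst in net and (best_net is None or net.prefixlen > best_net.prefixlen):
            best_net, best_hop = net, hop
    return best_hop


def bypasses_vpn(table, destinations, vpn_server):
    """Return the destinations whose replies would NOT be sent to `vpn_server`.

    This is the asymmetric-routing failure mode: the request arrives through
    the tunnel, but the reply follows the default route to the corporate
    firewall, which knows nothing about the slave LANs, so the session dies.
    """
    return [d for d in destinations if next_hop(table, d) != vpn_server]


if __name__ == "__main__":
    remote_hosts = ["192.168.2.33", "192.168.3.10", "192.168.168.2"]
    print("SRV1 leaks:", bypasses_vpn(SRV1_TABLE, remote_hosts, S_MASTER_PRIVATE))
    # A server whose table was never updated sends every reply to the firewall.
    untouched = [("0.0.0.0/0", CORPORATE_FIREWALL)]
    print("Untouched server leaks:", bypasses_vpn(untouched, remote_hosts, S_MASTER_PRIVATE))
```

Run it against the routing table of each master-LAN server you intend to expose; any host listed in the output is one that needs either a static route to 192.168.1.39 or a generic proxy on S_master instead.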

Case Study: VPN within a Corporate LAN (cont.)
Problem: there are servers or services within your corporate LAN that need to be accessible through the VPN, but you can't change their routing table
Solution: you can configure generic proxies on the private IP address of your VPN server
- Ex: SQL server at IP address 10.11.1.89 in your LAN
- Create a generic TCP proxy on the S_master private IP address for port 1433 (SQL) and origin server 10.11.1.89
- The users in the slave LANs will access the SQL server at 192.168.1.39 (private IP of S_master)
- This works because the SQL server sees the connection coming from 192.168.1.39, an address its existing routing already reaches; the flip side is that any source-IP restriction on the SQL server now sees S_master, not the real client

Case Study: VPN within a Corporate LAN (cont.)
Diagram:
- S_master: private IP 192.168.1.39, VPTUNNEL 192.168.168.1; generic TCP proxy on 192.168.1.39 port 1433, origin IP 10.11.1.89
- SQL server: IP 10.11.1.89
- C_master: private IP 192.168.1.40, VPTUNNEL 192.168.169.1, dynamic NAT on its private interface
- INTERNET, reached through the existing corporate default gateway

Case Study: VPN within a Corporate LAN (cont.)
Problem: you want to hide the structure of your slave LANs from the master LAN
Solution: enable dynamic NAT on the VPTUNNEL interface of each slave
- This trick can also be used to simplify the routing in your LAN if you don't need to reach the remote LANs individually from the master LAN: the master side then only ever sees the slave's VPTUNNEL address
- WARNING: if you do this and something goes wrong, expect to have to reconfigure the networking part of your slave server (including the VPN)

Case Study: VPN within a Corporate LAN (cont.)
To enable dynamic NAT on the VPTUNNEL interface, edit this section of sys:\etc\tcpip.cfg on the slave server as follows (the line that matters is NATStatus Enabled):
    <snip>
    Interface {
        Address 192.168.168.2
        Port VPTUNNEL
        Type nbma
        RouterDiscovery no
        SolicitationAddress multicast
        NATStatus Enabled
        HeaderCompression no
    }

Case Study: VPN within a Corporate LAN (cont.)
Problem: you want only certain services/servers from the slave LANs to be available to the master
Solution: enable generic proxies for the specific services on the VPTUNNEL interface of the slave server
- Ex: SQL server at IP address 192.168.2.33 in the slave LAN
- Create a generic TCP proxy on the S_slave VPTUNNEL address (192.168.168.2) for port 1433 (SQL) and origin server 192.168.2.33
- The users in the master LAN will access the SQL server at 192.168.168.2

Case Study: VPN within a Corporate LAN (cont.)
Diagram:
- Slave LAN: 192.168.2.x, default gateway 192.168.2.1
- S_slave: private IP 192.168.2.1, VPTUNNEL 192.168.168.2; generic TCP proxy on 192.168.168.2 port 1433, origin IP 192.168.2.33
- SQL server: IP 192.168.2.33
- INTERNET on the public side of S_slave
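Both generic-proxy slides (the one on S_master's private address and this one on S_slave's VPTUNNEL address) rely on the same mechanism: a TCP relay that accepts connections on one address and opens its own connection to the origin server, so the origin only ever talks to the VPN server. The following is an added example, not BorderManager's proxy code: a minimal relay of that kind, with a constructed stand-in origin server that upper-cases whatever it receives so the round trip can be observed. The loopback addresses and port 0 (let the OS pick) are for the local demonstration; in the case study they would be 192.168.1.39:1433 to 10.11.1.89:1433 and 192.168.168.2:1433 to 192.168.2.33:1433.

```python
import socket
import threading

# Added example, not BorderManager code. A generic TCP proxy: listen on one
# address, forward every connection to an origin server, relay bytes both ways.


def _relay(src, dst):
    """Copy bytes from src to dst until src closes, then half-close dst."""
    try:
        while True:
            chunk = src.recv(4096)
            if not chunk:
                break
            dst.sendall(chunk)
    except OSError:
        pass
    finally:
        try:
            dst.shutdown(socket.SHUT_WR)
        except OSError:
            pass


def _handle(client, origin):
    """One proxied connection: open the origin leg and pump both directions."""
    try:
        upstream = socket.create_connection(origin)
    except OSError:
        client.close()          # origin unreachable: drop the client cleanly
        return
    t = threading.Thread(target=_relay, args=(client, upstream), daemon=True)
    t.start()                   # client -> origin in a helper thread
    _relay(upstream, client)    # origin -> client in this thread
    t.join()
    upstream.close()
    client.close()


class GenericTcpProxy:
    """Listen on `listen` and forward every connection to `origin`.

    Security-relevant side effect: the origin sees the proxy's own address
    as the source, never the remote client, so source-IP access control on
    the origin is evaluated against the VPN server, and the proxied port is
    reachable by anyone who can reach the listen address.
    """

    def __init__(self, listen, origin):
        self.origin = origin
        self.sock = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
        self.sock.setsockopt(socket.SOL_SOCKET, socket.SO_REUSEADDR, 1)
        self.sock.bind(listen)
        self.sock.listen(16)
        self.address = self.sock.getsockname()   # resolved (host, port)
        threading.Thread(target=self._accept_loop, daemon=True).start()

    def _accept_loop(self):
        while True:
            try:
                client, _ = self.sock.accept()
            except OSError:          # listening socket was closed
                return
            threading.Thread(target=_handle, args=(client, self.origin), daemon=True).start()

    def close(self):
        self.sock.close()


def _echo_origin():
    """Constructed stand-in for the SQL server: echoes input back upper-cased."""
    srv = socket.socket(socket.AF_INET, socket.SOCK_STREAM)
    srv.bind(("127.0.0.1", 0))
    srv.listen(16)

    def serve():
        while True:
            try:
                conn, _ = srv.accept()
            except OSError:
                return
            with conn:
                data = conn.recv(4096)
                while data:
                    conn.sendall(data.upper())
                    data = conn.recv(4096)

    threading.Thread(target=serve, daemon=True).start()
    return srv


def demo(payload=b"select 1"):
    """Start origin and proxy on loopback, send payload via the proxy, return the reply."""
    origin = _echo_origin()
    proxy = GenericTcpProxy(("127.0.0.1", 0), origin.getsockname())
    try:
        with socket.create_connection(proxy.address) as c:
            c.sendall(payload)
            c.shutdown(socket.SHUT_WR)   # we are done sending; wait for the reply
            reply = b""
            while True:
                chunk = c.recv(4096)
                if not chunk:
                    return reply
                reply += chunk
    finally:
        proxy.close()
        origin.close()


if __name__ == "__main__":
    print(demo())
```

The relay is protocol-agnostic, which is exactly why the slides call it "generic": it neither inspects nor authenticates the bytes, so whatever can reach the listen address gets the origin port. Limit who can reach it with the BorderManager access rules or packet filters on the VPN server.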

Case Study: VPN within a Corporate LAN—The Client Configuration
- If possible, choose only one protocol for the VPN tunnel (IPX or IP); see the flowcharts
- Note that IPX is not required if you don't need eDirectory access
- SCMD doesn't work over the VPN
- If login to eDirectory is required, install the NetWare client in addition to the VPN client
- When installing the NetWare client, choose only the protocol you decided to encrypt in the VPN configuration (IPX or IP)

Case Study: VPN within a Corporate LAN—The Client Configuration (cont.)
- If you have both IPX and IP over the VPN, only IPX will be used for eDirectory communication (in most cases)
- If you have only IPX over the VPN:
  - Make sure IPX is NOT bound to the physical NIC of the VPN client, but only to the VPN interface
  - If necessary, use hardware profiles
  - Check that you don't have more than four IPX bindings in your network components at the workstation
  - This doesn't work with Win2000 (or XP)

Case Study: VPN within a Corporate LAN—The Client Configuration (cont.)
- If you have only IP over the VPN, the VPN client will be able to log in to eDirectory only if it properly receives the SLP information
- The SLP information, even if properly configured, takes about 10 minutes to propagate to the VPN client, starting from the moment in which the VPN is established
- Not very convenient. Solution...

Case Study: VPN within a Corporate LAN—The Client Configuration (cont.)
Complement the SLP information with static HOSTS information
- Configure SLP at the client with a static SLP DA
- Populate the HOSTS file of your VPN client with the names and IP addresses of the NetWare servers you want to log in to
- Use the server name instead of the eDirectory tree in the NetWare login window

Case Study: VPN within a Corporate LAN—The Client Configuration (cont.)
You have two ways to perform name resolution for the internal servers
- Populate the HOSTS file of your VPN client with the names and IP addresses of the services that the client has to reach through the VPN. Ex:
    192.168.1.39    SQL_Server
    192.168.1.2     SRV1
- Set your internal DNS server (reachable only through the VPN) as the second DNS server in the VPN client

Case Study: VPN within a Corporate LAN (cont.)
You are done!

Case Study: VPN within a Corporate LAN (cont.)
Let's troubleshoot now...

Common Problems and Solutions: Site-to-Site VPN
Symptom: I configured the VPN between two servers; the VPN was established but I can't reach the internal LAN
Check: make sure that your VPN tunnel IP address is in a different network from the private and the public IP addresses of the server. Ex:
    Public IP address      123.123.123.1
    Private IP address     192.168.1.1/24
    VPN TUNNEL IP address  192.168.168.1/24

Common Problems and Solutions: Site-to-Site VPN (cont.)
Symptom: in the logs in NWADMN32 I have the message "Time synchronization error from connection XXX (SKIP) Construction of SA failed for peer <IP_address>", and the VPN stays in the "Being configured" status
Check
- That the time (clock) in the servers is not more than one hour apart in UTC
- That your ISP is not filtering any packet type (especially SKIP, which is IP protocol 57 rather than TCP or UDP, and UDP); a provider that only passes TCP and UDP will break the key exchange without dropping the connection itself

Common Problems and Solutions: Site-to-Site VPN (cont.)
Symptom: proxies and VPN seem OK, I can ping the VPTUNNEL from the slave server, but I cannot ping anything in the master site from the clients in the slave site
Check
- The default gateway of the clients in the slave LAN (in the case study it must be the slave BM server, 192.168.2.1)
- NAT should be enabled on the public interface of the BM server ONLY (not on the private one); the C_master server of the case study, which is not its LAN's gateway, is the deliberate exception to this rule

Common Problems and Solutions: Site-to-Site VPN (cont.)
Symptom: the VPN seems okay, I can read the logs and connect to the slave site, but ping to the VPTUNNEL address doesn't respond
Check
- The VPN licenses
- The slave server might not be able to read its VPN licenses; even if the VPN is established, it is not activated

Common Problems and Solutions: Client-to-Site VPN
Symptom: when I try to authenticate to the VPN I get the message "Unable to authenticate token password"
Fix
- If you aren't using ActivCard or RADIUS, delete the Login Policy Object from eDirectory and delete the LPOCACHE.DAT file from the server
- Or, configure VPN and Proxy rules in the Login Policy Object

Common Problems and Solutions: Client-to-Site VPN (cont.)
Symptom: I am not able to use the VPN client from Windows ME; other VPN clients, running different OS versions, are fine
Correct: the VPN client doesn't work on Windows ME. Support is announced for BorderManager v.3.7

Common Problems and Solutions: Client-to-Site VPN (cont.)
Symptom: when trying to connect to the VPN, the IPX negotiation fails (if IPX is enabled) and I can see that the client receives only unencrypted packets
Check
- That the return traffic is actually routed through the VPN server
- That the public IP address associated with the VPN (in VPNCFG) is NOT a secondary IP address lower than the primary IP address bound to the NIC
