Contivity VPN Client User and Administrator Guide for Mac OS X, Linux, Solaris, and Windows Mobile 2003 CE and SE
Part Number 314455-3.5 Version 3.5 February 2007
Copyright ©2007 by Apani Networks. All rights reserved. This software or document (and the software described herein) is furnished under a license agreement between Apani Networks and the Licensee. The software may be used or copied only in accordance with the terms of the license agreement. The document may not be reproduced in whole or in part, except with the written permission of Apani Networks. Product names mentioned in this document are trademarks or registered trademarks of their respective holders.
Published by:
Nortel Networks Corporation, 8200 Dixie Road, Suite 100, Brampton, Ontario L6T 5P6, Canada
Nortel Networks, 600 Technology Park Drive, Billerica, MA 01821-4130
Customer Support: Voice: 1-800-4NORTEL; Web Page: http://www.nortel.com
For FAQs, follow the pathway: Customer Support, FAQ Search (selection on left side of screen), Product family: Enterprise Data, Product: Contivity
For Technical Documentation, follow the pathway: Customer Support, Technical Documents, Select a Product: Contivity 4000 VPN Switches
The Apani Networks site is an excellent source of information. You can use the Apani Knowledge Base to search for FAQs pertaining to the Contivity VPN Client.
1. Open http://support.apani.com/kb/
2. Select Contivity VPN Client in the Select a Product list.
3. Click Start Search.
Contents

Chapter 1. Getting Started - - - 1
  Organization of this Guide - - - 2
  Conventions - - - 3
    Product Name - - - 3
    Cautionary Information - - - 3
    Keyboard Conventions - - - 3
    Typographical Conventions - - - 4
    Typographical Terminology - - - 4
  System Requirements - - - 5
  What’s New in Version 3.5? - - - 7
  Product Overview - - - 8
    The Nortel Networks Contivity Switch - - - 8
    The Contivity VPN Client - - - 8

Chapter 2. Installing the Contivity VPN Client - - - 11
  Configuring the Contivity Switch - - - 13
    Initial Configuration - - - 13
    Nortel Networks Contivity Switch Configuration - - - 13
    Split Tunnel Inbound Port Filtering on Linux or UNIX Computers - - - 15
  Pre-Configuration - - - 17
  Installing the Contivity VPN Client for Macintosh OS X - - - 19
  Installing the Contivity VPN Client for Linux - - - 25
    Installing with RPM Distribution on RedHat with GCC 3.X - - - 26
    Installing with RPM Distribution on SUSE 9.2, 9.3, and 10.1 - - - 26
    Installing with TAR Distribution - - - 27
  Installing the Contivity VPN Client for Solaris - - - 28
    Requirements - - - 28
    Dynamic Routing - - - 28
    Installing with TAR Distribution - - - 29
    Installation - - - 29
  Installing the Contivity VPN Client for Windows Mobile - - - 31
    Windows Mobile Compatibility - - - 31
    Installation - - - 31
    Configuration - - - 32
  Registering the Contivity VPN Client Software - - - 33
    New Registration - - - 33
    Entering a New Registration - - - 34
  Removing the Contivity VPN Client from Macintosh OS X - - - 36
  Removing the Contivity VPN Client from Linux - - - 38
  Removing the Contivity VPN Client from Solaris - - - 40
  Removing the Contivity VPN Client from Windows CE - - - 42
  Customizing User-Interface Graphics - - - 43

Chapter 3. Configuring the Contivity VPN Client - - - 45
  User Interface - - - 47
  Launching the Contivity VPN Client - - - 48
  Certificate Management - - - 51
    Importing a CA Certificate - - - 52
    Requesting a Certificate - - - 53
    Importing a Certificate - - - 57
    Deleting a Certificate - - - 59
    Viewing Certificate Details - - - 60
  Defining a New Connection Profile - - - 61
    Completing the Connection - - - 70
    Editing a Connection Profile - - - 73
  Connecting the Contivity VPN Client - - - 74
    Selecting the Connection Profile - - - 74
    Completing the Connection - - - 80
  Monitoring Connection History - - - 82
    Connection Statistics - - - 82
  Setting Client Preferences - - - 83
    Audit Controls - - - 83
    Controlling Audit Information Logging - - - 84
    Configuration Locking - - - 86
  Viewing Audit Information - - - 90
  Disconnecting the Contivity VPN Client - - - 91
  Command Line Interface - - - 92

Glossary - - - 95
Index - - - 103
Chapter 1. Getting Started

Contents of this Chapter
Organization of this Guide - - - 2
  Provides an introductory overview of Contivity VPN Client functions.
Conventions - - - 3
  Explains the typographical and command conventions used in this guide.
System Requirements - - - 5
  Lists the system requirements for installing a Contivity VPN Client.
What’s New in Version 3.5? - - - 7
  Provides a list of features that are new to Contivity VPN Client version 3.4.
Product Overview - - - 8
  Provides a brief introduction to the Nortel Networks Contivity Switch and the Contivity VPN Client.
Organization of this Guide

This guide is organized as follows:
Chapter 1, Getting Started—introduces the guide, explains the conventions used in the guide, lists system requirements for the Contivity VPN Client, and provides an overview of the Contivity VPN Client.
Chapter 2, Installing the Contivity VPN Client—describes how to configure the Nortel Networks Contivity Switch for the Contivity VPN Client and how to install the Contivity VPN Client on supported systems.
Chapter 3, Configuring the Contivity VPN Client—a guide to the configuration and use of the Contivity VPN Client.
Glossary—provides brief definitions of security terms and terminology used in this guide.
Conventions

Product Name
Throughout most of this guide, the Contivity VPN Client is referred to simply as the Client and the Nortel Networks Contivity Switch is referred to simply as the Contivity Switch.
Cautionary Information
This guide presents several classes of cautionary information:
NOTE clarifies or identifies exceptions.
IMPORTANT calls your attention to information necessary to the proper installation and configuration of the Client.
CAUTION alerts you to situations that could result in unexpected or destructive results to data or software.
Keyboard Conventions
The following conventions are used in describing actions for you to take, methods of selecting and entering data, and operation of the system:
Computer dialog, code, file names, directory names, and screen instructions are represented by a monospaced font: screen text display
Characters you enter on a command line are represented by bold monospaced type: system text: your response
Optional text you enter on a command line is represented in monospaced italicized type. Where it is a term for a file name, directory name, path, or such, it is surrounded by angle brackets.
The "|" character is used to signify one or the other.
Typographical Conventions
This guide uses the following typographical conventions:
The names of on-screen buttons, checkboxes, option buttons, and keys are in Bold Text with Initial Caps.
The names of windows, dialog boxes, lists, window elements, and dialog box elements are in Bold Italics, capitalized the same as the item.
The names of menus and menu items are in Bold Text.
Menu selections are shown as: Choose MenuName Item1 Item2. This means to select Item1 in the MenuName menu and then select Item2 in the sub-menu.
Numbered items in a list describe steps in a procedure that must be followed in order.
Bulleted items in a list are members of a set or parts of a whole that have no order or priority.
Typographical Terminology
Press—means to press a particular key or key combination. It does not imply also pressing the Enter key: Press Tab
Key Combinations—two or more keys that must be pressed simultaneously are linked by a plus sign: Press Ctrl+Alt+Del
Type—means to type text, usually in a text box or scroll box within a dialog box. It does not imply to press the Enter (or Return) key. It is usually followed by a step such as “Click OK” or “Click Continue.”
Enter—means to type text and press the Enter (or Return) key when the text has been typed.
System Requirements

A Contivity VPN Client installation requires the following minimum configurations.
Mac OS X
Operating System: Mac OS X
System Version: 10.3 through 10.3.9, 10.4 through 10.4.7
Power Macintosh or Intel Mac
CD-ROM Drive
10 MB of free disk space
128 MB of RAM
Ethernet card or dialup modem
A web browser (Safari or Netscape are preferred.)
Linux

Linux for Intel x86 or equivalent processors, 32-bit only
Intel-based Linux system (The Client will not work on a Sparc-based system.)
Linux kernel 2.4.x*, and 2.6.x up to 2.6.18. Linux kernel 2.6.15-1.2054 will not work due to a kernel bug preventing proprietary license modules from loading correctly.
Operating Systems: RedHat Enterprise Advanced Server 3.0 to 4; Fedora Core 4, Core 5, and Core 6; SUSE 9.2, 9.3, and 10.1
32 MB RAM (64 MB Recommended)
30 MB of free disk space
Ethernet card or dialup modem
CD-ROM Drive
Kernel source 2.4.x or 2.6.x
A web browser (Netscape and Mozilla are preferred.)
X-Window System
* If the system is using the 2.4.x kernel, the 2.4.x kernel headers package must be used. If the system is using the 2.6.x kernel, the 2.6.x kernel headers package must be used.
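The kernel and architecture requirements above can be verified before an install is attempted. The following POSIX shell script is an added example written for readers of this guide; it is not part of the Apani or Nortel software. It encodes only the rules stated in this section (2.4.x at any patch level, 2.6.x up to 2.6.18, the excluded 2.6.15-1.2054 build, 32-bit x86 only). The headers check assumes a matching headers package is reachable through /lib/modules/<release>/build, which is the usual distribution layout but is not something this guide states.

```shell
#!/bin/sh
# Pre-install check for the Linux requirements listed in this guide.
# Added example; not part of the Contivity VPN Client distribution.
# Rules encoded (from the System Requirements section):
#   - kernel 2.4.x: supported at any patch level
#   - kernel 2.6.x: supported up to and including 2.6.18
#   - kernel 2.6.15-1.2054: excluded (license module loading bug)
#   - 32-bit x86 only (no x86_64, no SPARC)

# kernel_supported RELEASE -> exit status 0 if RELEASE is a supported kernel
kernel_supported() {
    release=$1                           # e.g. "2.6.9-42.EL", as printed by uname -r
    case "$release" in
        2.6.15-1.2054*)                  # the known-bad build named in the guide
            return 1 ;;
        2.4.*)
            return 0 ;;
        2.6.*)
            # keep the third version component only: "18-1.2798.fc6" -> "18"
            minor=${release#2.6.}
            minor=${minor%%[!0-9]*}
            if [ -n "$minor" ] && [ "$minor" -le 18 ]; then
                return 0
            fi
            return 1 ;;
        *)
            return 1 ;;
    esac
}

# arch_supported MACHINE -> 0 if MACHINE (as printed by uname -m) is 32-bit x86
arch_supported() {
    case "$1" in
        i386|i486|i586|i686) return 0 ;;
        *)                   return 1 ;;
    esac
}

# headers_present RELEASE -> 0 if a kernel headers/source tree for RELEASE is
# installed. The guide only says the matching headers package is required; the
# /lib/modules/<release>/build path is an assumption about where distributions
# place it, not something the guide states.
headers_present() {
    [ -d "/lib/modules/$1/build" ]
}

# Run the checks against the live system only when asked to, so that sourcing
# this file (for example from a test) does not exit the caller's shell.
if [ "${1:-}" = "--check" ]; then
    rel=$(uname -r); mach=$(uname -m); status=0
    kernel_supported "$rel" || { echo "unsupported kernel: $rel" >&2; status=1; }
    arch_supported "$mach"  || { echo "unsupported machine: $mach" >&2; status=1; }
    headers_present "$rel"  || { echo "kernel headers for $rel not found" >&2; status=1; }
    exit $status
fi
```

Run it as `sh check-kernel.sh --check` on the target host; a non-zero exit means at least one requirement is not met and the reason is printed on stderr. The version strings used in the test are constructed to resemble distribution kernel names; the script only looks at the leading numeric components, so trailing build tags such as "_FC5" or ".EL" are ignored.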
Solaris
System Version: 2.7 to 2.9
Sun SPARC platform
CD-ROM Drive
12 MB of free disk space; 32 MB of RAM
Ethernet card
A web browser (Netscape and Hot Java are supported.)
Windows Mobile 2003 CE and SE

A list of supported devices is available on the Apani website: http://www.apani.com/vpn-clients/nortel-overview. Refer to the system requirements in the information section.
What’s New in Version 3.5?

Added support for Fedora Core 5 and Core 6
Added support for SuSE Linux 10.1
Fixed dial-up support for Mac OS X
Product Overview

The purpose of the Client is to provide tunneled, secure communications between the Client computer and the Contivity Switch across an IP network, including the Internet and the local area network (LAN).
The Nortel Networks Contivity Switch
The Contivity Switch is a single hardware device that provides routing, firewall, bandwidth management, encryption, authentication, and data integrity for secure tunneling across managed IP networks and the Internet. Contivity Switches are used to connect remote users, branch offices, suppliers, and customers with the cost and performance advantages of shared IP networks and the security and control inherent in private networks.
The Contivity VPN Client
The Client is an intelligent, autonomous software agent residing in the computer for which communication is to be secured. All communications security functions are performed using the rules supplied by the Contivity Switch. When the Client is installed, the Contivity Switch (according to the policies set by the network administrator) sends a set of security policies for the Client to follow when exchanging data with the Contivity Switch. These rules determine:
(1) the algorithm to be used for ESP encryption;
(2) if ESP data integrity checking is to be performed and if so, the algorithm to use;
(3) if anti-replay protection is to be provided;
(4) if Authentication Header (AH) Integrity protection is to be applied.
Once these instructions are received directly from the Contivity Switch, the Client stores these rules locally and follows them autonomously when communicating with the Contivity Switch. The user of the Client computer can continue to operate as before except that all communications over the extranet or Internet are now protected with a layer of security as part of the network protocol. Once connected to the Contivity Switch, the operation of the Client is transparent to the user and requires no user intervention.
Chapter 2. Installing the Contivity VPN Client

This chapter provides a list of required Contivity Switch settings to operate with the Contivity VPN Client, step-by-step instructions for the installation and removal of Contivity VPN Client software, and instructions for customizing the user-interface graphics on the Contivity VPN Client.

Contents of this Chapter
Configuring the Contivity Switch - - - 13
  Provides instructions for configuring the Contivity Switch prior to installing the Client.
Pre-Configuration - - - 17
  Provides a step-by-step procedure for pre-configuring Clients for mass deployment in a large installation.
Installing the Contivity VPN Client for Macintosh OS X - - - 19
  Provides a step-by-step procedure for installing a Client on a Macintosh OS X system.
Installing the Contivity VPN Client for Linux - - - 25
  Provides a step-by-step procedure for installing a Client on a Linux system.
Installing the Contivity VPN Client for Solaris - - - 28
  Provides a step-by-step procedure for installing a Client on a Solaris system.
Installing the Contivity VPN Client for Windows Mobile - - - 31
  Provides a step-by-step procedure for installing a Client on a Windows CE system.
Registering the Contivity VPN Client Software - - - 33
  Explains the procedure for receiving a license code and registering your Contivity VPN Client.
Removing the Contivity VPN Client from Macintosh OS X - - - 36
  Provides a step-by-step procedure for removing the Client software and database from a Macintosh OS X.
Removing the Contivity VPN Client from Linux - - - 38
  Provides a step-by-step procedure for removing the Client software and database from a Linux system.
Removing the Contivity VPN Client from Solaris - - - 40
  Provides a step-by-step procedure for removing the Client software and database from a Solaris system.
Removing the Contivity VPN Client from Windows CE - - - 42
  Provides a step-by-step procedure for removing the Client software from a Windows CE system.
Customizing User-Interface Graphics - - - 43
  Explains how to customize areas of the Graphical User Interface with user-provided art.
Configuring the Contivity Switch

The Contivity Switch must be configured for the Client prior to installing the Client. This is important because the Client accepts configuration settings that are sent down from the Contivity Switch during IKE negotiations.
Initial Configuration
This document assumes that you have already configured the Contivity Switch with basic settings including identity, private and public addresses, etc. Be sure that IPSec is enabled.
Nortel Networks Contivity Switch Configuration
To work with the Client, the Contivity Switch’s IPSec settings must be set according to the values in the following table. "Supported" means the Client supports all valid options for this setting. "Don’t Care" means the Client ignores this feature, but it may be supported by other clients.

Parameter                                            Setting(s) Allowed
Split Tunneling                                      Supported*
Split Tunnel Networks                                Supported*
Client Selection
  Allowed Clients                                    Only Contivity Clients or Both Contivity and Non-Contivity
  Allow undefined networks for non-Contivity clients Supported
Authentication
  Database Authentication (LDAP)
    User Name and Password                           Supported
    RSA Digital Signature                            Don’t Care
    Default Server Certificate                       Supported
  Radius Authentication
    User Name and Password                           Supported
    Axent Technologies Defender                      Don’t Care
    RSA Security SecurID                             Supported
Encryption                                           Supported (all settings except 40-bit DES)
Perfect Forward Secrecy                              Supported
Forced Logoff                                        Supported (up to 23:59, or 00:00 for off)
Client Auto Connect                                  Don’t Care
Banner                                               Supported
Display Banner                                       Supported
Client Screen Saver Password Required                Disabled (not supported)
Client Screen Saver Activation Time                  Don’t Care
Client Failover Tuning                               Supported
Allow Password Storage on Client                     Supported on Macintosh, Linux, and Windows CE 2003 only
Compression                                          LZS Compression supported
IPSec NAT Traversal                                  Supported
Rekey Timeout                                        Supported
Rekey Data Count                                     Supported
Domain Name                                          Don’t Care
Primary DNS                                          Supported
Secondary DNS                                        Supported
Primary WINS                                         Don’t Care
Secondary WINS                                       Don’t Care
Client Policy                                        Macintosh: Don’t Care; Linux and UNIX: Supported

NOTE: You must enable at least one of the following user authentication options:
  LDAP with User Name and Password
  LDAP with Default Server Certificate
  RADIUS with User Name and Password
  RADIUS with RSA Security SecurID

* If using split tunneling with the Client located on a Linux or a UNIX computer, please refer to the following section for port filtering requirements.
Split Tunnel Inbound Port Filtering on Linux or UNIX Computers
Linux and UNIX operating systems support multiple simultaneous users. In order to help prevent unauthorized access to the private network, the client automatically blocks inbound access to TCP and UDP ports 0 through 1023 on the client's local (public) network when you are connected to the Contivity Switch with split tunneling enabled. Remote systems and users cannot use services on these Well Known Ports while the client is connected. Existing, active communications through inbound ports 0 through 1023 will be blocked as soon as the client connects to the Contivity Switch.
NOTE: All inbound and outbound access on the Client’s local (public) network is blocked when the client is connected and split tunneling is disabled.
When the Client is connected with split tunneling enabled, the Client permits outbound access through all ports. The Client also permits inbound access through ports 1024 and above. This allows the local user to take advantage of split tunneling to connect to remote servers using web browsers and other applications.
CAUTION: The Client cannot protect the Client computer, tunnel, and the private networks behind the Contivity Switch from all possible remote attacks, even though it blocks inbound access through ports 0 through 1023 (Well Known Ports) when connected. Access through higher ports is still possible. (The X Window System uses ports 6000 through 6063, for example.) The system administrator of the Client computer must frequently check to ensure that services have not been inadvertently or malevolently enabled on higher ports. We highly recommend that you enable a host-based firewall on the Client computer.
The Contivity Switch administrator can enable inbound access on one or more ports 0 through 1023 by creating a Client Policy on the Contivity Switch. See "Client Policy" in the "Group and User Configuration" chapter of the Nortel Networks Managing the Contivity Extranet Switch user guide. Keep in mind that creating a Client Policy blocks all inbound and outbound ports, except those specifically enabled by the Contivity Switch administrator.
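The filtering rules described in this section can be written down as a small policy function, and the CAUTION's advice to check for services on higher ports can be automated. The following POSIX shell script is an added example for this guide and is not part of the Client software. The inbound_allowed function mirrors the text: with split tunneling disabled nothing is allowed inbound on the local network; with split tunneling enabled and no Client Policy, ports 0 through 1023 are blocked and 1024 and above pass; with a Client Policy, only the ports the Contivity Switch administrator enabled pass. The exposed_listeners function assumes listener output in the shape of `ss -lntu` on Linux (the sample lines are constructed, not a real capture); on Solaris, `netstat -an` prints a different layout and would need its own parser.

```shell
#!/bin/sh
# Model of the Client's inbound filtering on the local (public) network while
# connected to the Contivity Switch, plus an audit of listening sockets on
# ports above 1023. Added example; not part of the Client software.

# inbound_allowed PORT SPLIT POLICY
#   PORT   - destination port of an inbound connection on the public interface
#   SPLIT  - "on" if split tunneling is enabled for the connection, else "off"
#   POLICY - space-separated list of ports enabled by a Client Policy on the
#            Contivity Switch; empty string when no Client Policy exists
# Exit status 0 means the Client would let the inbound packet through.
inbound_allowed() {
    port=$1; split=$2; policy=$3
    # Split tunneling disabled: all inbound and outbound local traffic is blocked.
    if [ "$split" != "on" ]; then
        return 1
    fi
    # A Client Policy blocks everything except the ports it explicitly enables.
    if [ -n "$policy" ]; then
        for p in $policy; do
            if [ "$p" -eq "$port" ]; then
                return 0
            fi
        done
        return 1
    fi
    # Default split-tunnel rule: Well Known Ports 0-1023 blocked, 1024 and up open.
    if [ "$port" -ge 1024 ]; then
        return 0
    fi
    return 1
}

# exposed_listeners  (reads `ss -lntu` style lines on stdin)
# Prints "proto address port" for every listener that the 0-1023 block does NOT
# cover: bound to a non-loopback address on a port above 1023. These are the
# services the CAUTION above says the administrator must review.
exposed_listeners() {
    awk '
    {
        n = split($5, f, ":")              # "0.0.0.0:6000" or "[::]:8080"
        port = f[n]
        if (port !~ /^[0-9]+$/) next       # also skips the header line
        addr = substr($5, 1, length($5) - length(port) - 1)
        if (addr == "127.0.0.1" || addr == "[::1]" || addr == "::1") next
        if (port + 0 > 1023) print $1, addr, port
    }'
}

# Constructed sample in the shape of `ss -lntu` output (not a real capture).
SAMPLE_SS='Netid State  Recv-Q Send-Q Local Address:Port Peer Address:Port
tcp   LISTEN 0      128    0.0.0.0:22        0.0.0.0:*
tcp   LISTEN 0      128    127.0.0.1:631     0.0.0.0:*
tcp   LISTEN 0      128    0.0.0.0:6000      0.0.0.0:*
udp   UNCONN 0      0      0.0.0.0:5353      0.0.0.0:*
tcp   LISTEN 0      128    [::]:8080         [::]:*'

# audit_sample -> the exposed listeners found in the constructed sample
audit_sample() {
    printf '%s\n' "$SAMPLE_SS" | exposed_listeners
}
```

On a live host the audit is `ss -lntu | exposed_listeners`; every line it prints is a service reachable from the local network while the tunnel is up, which is exactly the gap the host-based firewall recommended above should close. In the sample, sshd on port 22 and the CUPS listener on 127.0.0.1:631 are not reported (the first is covered by the 0-1023 block, the second is loopback-only), while X on 6000, mDNS on 5353 and the IPv6 listener on 8080 are.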
Pre-Configuration

A pre-configuration allows you to configure a Client and then install a number of Clients with the same configuration. This precludes individual users from having to enter license codes, group IDs, and preferences. The primary purpose of a pre-configuration is to simplify the installation of large numbers (100+) of Clients. If you are performing a pre-configuration on platforms with different operating systems, it may be necessary to change the file format of the database files before distributing to the other operating systems.

After a Client has been pre-configured, when the user first launches the Client, the Product Registration window will not appear and the user is taken directly to the Connections window. There is one exception to this rule. If you are pre-configuring a multi-seat license installation, you might want to require the input of the seat number by each Client. To do this, enter a 0 (zero) as the seat number in the configuration of the first Client. Thereafter, each Client, when launched, will present the Product Registration window and require the input of a seat number. To enter a zero for the seat number of the first Client, you must first enter a valid seat number. Then complete and test the configuration. Prior to performing step 3, below, edit the registration (see “Entering a New Registration” on page 34) and change the Seat Number to zero.

To perform a pre-configuration:
1. Perform a manual installation of the Client.
2. Configure the Client, following the instructions provided in Chapter 3, Configuring the Contivity VPN Client.
3. Copy the prefs.db and eac.db files to the same directory as the installer. This step differs slightly with different platforms.
   • For a Macintosh OS X installation: Copy the .db files into the same directory as the nleac.pkg file.
   • For a Linux tar installation:
     a. Untar the directory created by the tar file.
     b. Copy the .db files to the nleac- directory.
     c. Re-tar the directory.
   • For a Linux RPM installation: Copy the .db files into the /usr/src/RPMS/i386 directory. This is the same directory where the binary package was placed during the rebuild for the first install.
   • For a Solaris installation: Copy the .db files to the directory containing the nleac package.
   • For a Windows CE installation: NOTE: A pre-configured Client installation for Windows CE is not supported.
4. Using either a web distribution or creating a CDROM, install the Clients.
Each Client, when installed, will be configured as the original.
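The Linux tar branch of step 3 (untar, copy the two database files, re-tar) can be scripted so that every pre-configured distribution is built the same way. The following POSIX shell script is an added example for this guide, not part of the Client distribution. It assumes the distribution tarball unpacks into a single top-level directory whose name starts with nleac- (the version suffix is not given in this guide, so the script matches the prefix only) and that the database files are named prefs.db and eac.db as in step 3. The make_demo_distribution function builds a constructed stand-in tarball so the script can be exercised without the real installer; its contents are placeholders and do not represent the real package.

```shell
#!/bin/sh
# Pre-configure a Linux TAR distribution of the Client: untar, drop the
# pre-configured prefs.db and eac.db into the nleac-* directory, re-tar.
# Added example; not part of the Client distribution.

# preconfigure_tar DIST_TAR PREFS_DB EAC_DB OUT_TAR
#   DIST_TAR - the original Client tarball
#   PREFS_DB - prefs.db taken from the manually configured Client (step 2)
#   EAC_DB   - eac.db taken from the same Client
#   OUT_TAR  - path for the re-tarred, pre-configured distribution
preconfigure_tar() {
    dist=$1; prefs=$2; eac=$3; out=$4
    work=$(mktemp -d) || return 1

    # 3a. Untar the distribution into a scratch directory.
    tar -xf "$dist" -C "$work" || { rm -rf "$work"; return 1; }

    # Locate the single nleac-<version> directory the tarball creates.
    topdir=
    for d in "$work"/nleac-*/; do
        if [ -d "$d" ]; then
            topdir=$(basename "$d")
            break
        fi
    done
    if [ -z "$topdir" ]; then
        echo "preconfigure_tar: no nleac-* directory inside $dist" >&2
        rm -rf "$work"
        return 1
    fi

    # 3b. Copy the .db files into that directory.
    cp "$prefs" "$eac" "$work/$topdir/" || { rm -rf "$work"; return 1; }

    # 3c. Re-tar the directory; the archive keeps the same top-level layout.
    ( cd "$work" && tar -cf - "$topdir" ) > "$out" || { rm -rf "$work"; return 1; }
    rm -rf "$work"
}

# tar_has_db_files TAR -> 0 if the archive carries both prefs.db and eac.db
tar_has_db_files() {
    listing=$(tar -tf "$1") || return 1
    printf '%s\n' "$listing" | grep -q '/prefs\.db$' || return 1
    printf '%s\n' "$listing" | grep -q '/eac\.db$'   || return 1
    return 0
}

# make_demo_distribution DIR -> builds a constructed stand-in for the real
# tarball under DIR plus placeholder .db files, and prints the tarball path.
# Everything here is a placeholder; the real package contents and version
# suffix are not shown in this guide.
make_demo_distribution() {
    dir=$1
    mkdir -p "$dir/nleac-demo"
    echo "placeholder Makefile" > "$dir/nleac-demo/Makefile"
    ( cd "$dir" && tar -cf nleac-demo.tar nleac-demo ) || return 1
    echo "prefs placeholder" > "$dir/prefs.db"
    echo "eac placeholder"   > "$dir/eac.db"
    printf '%s\n' "$dir/nleac-demo.tar"
}
```

Against the real distribution the call is `preconfigure_tar nleac-<version>.tar prefs.db eac.db nleac-<version>-preconf.tar`, and `tar_has_db_files` on the result is a cheap check to run before the archive is put on the web server or CD-ROM in step 4.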
Installing the Contivity VPN Client for Macintosh OS X

NOTE: We recommend that you remove any previously installed IPSec Client software before installing the Contivity VPN Client. Failure to do so might result in a failure of the installation.

NOTE: There are separate installers for the MacOS versions 10.3 (Panther) and 10.4 (Tiger).
To install the Client for Macintosh OS X, perform the following steps:
1. Display the Contivity VPN Client Installation CD-ROM (or folder from electronic download).
Figure 2-1. Macintosh OS X Install CD-ROM
2. Double-click the Install Disk Image (.dmg) file.
A screen appears informing you that the install program requires an administrator password.
Figure 2-2. Macintosh OS X Install Authorization
3. Click on the lock image.
An authentication dialog box appears.
Figure 2-3. Macintosh OS X Install Authentication
4. Type your user name in the Name text box.
5. Type your administrator password in the Password or phrase text box.
6. Click OK.
The Contivity VPN Client Install screen appears.
Figure 2-4. Macintosh OS X Client Installer Screen
7. Click Continue.
The Release Notes appear.
Figure 2-5. Macintosh OS X Client Release Notes
8. Scroll to read the Read Me file, click Print to print the file, or click Save to write the file to another location.
9. Click Continue to continue with the installation.
The Software License Agreement appears.
Figure 2-6. Macintosh OS X Software License Agreement
10. Scroll to read the license agreement, click Print to print the file, or click Save to write the file to another location.
11. Click Continue to continue the installation.
A message appears asking you to agree to the terms of the license agreement.
Figure 2-7. Macintosh OS X Agreement to Terms of License
12. Click Agree to continue.
You are prompted for a destination for the installation.
Figure 2-8. Macintosh OS X Select Destination
13. Select the destination drive and click Continue.
You are prompted for the type of installation.
Figure 2-9. Macintosh OS X Type of Installation Prompt
14. To accept Easy Installation (recommended), click Install.
A message is displayed: Installing this software requires you to restart your computer when the installation is done. Are you sure you want to install the software now?
15. Click Continue Installation to complete the installation.
Messages are displayed informing you of the progress of the installation. At the completion of the installation, a message appears informing you that the software was successfully installed.
Figure 2-10. Macintosh OS X Installation Successful
16. Click Restart.
Your computer will now reboot.
Installing the Contivity VPN Client for Linux

NOTE: You must be logged on as root to execute the commands that will install the Client on Linux.

NOTE: The Contivity VPN Client is shipped on a multi-platform CDROM. Use the mount command to mount the CD, then install the Client using either the RedHat Package Manager (RPM) distribution or TAR distribution. Assuming that the CD is mounted at "/cdrom", the full path to the Linux package would be "/cdrom/linux/nleac."

NOTE: We recommend that you remove any previously installed IPSec Client software before installing the Contivity VPN Client. Failure to do so might result in a failure of the installation.

NOTE: Commands are case sensitive. Those commands shown here in lower case must be typed in lower case.
Installing with RPM Distribution on RedHat with GCC 3.X

To install the Client on a Linux computer using RedHat with GCC 3 (RedHat Advanced Server 3.0 - 4 and Fedora Core 4, 5, and 6), use the following procedure:
The Client is kernel dependent. The package contains source code that needs to be rebuilt before being installed on the host. To rebuild the package, on the host where the Client is being installed, enter the following command:
rpmbuild --rebuild cvc_linux-rh-gcc3-[version]-0.src.rpm
This command rebuilds the Client and places the binary package in the /usr/src/redhat/RPMS/i386/ directory. To install the package, enter the following command:
rpm -i /usr/src/redhat/RPMS/i386/cvc_linux-rh-gcc3-[version]-0.i386.rpm
Log out and log back in to the Linux computer before using the Client.
NOTE: A reboot may not always be necessary. We highly recommend, however, that you reboot the computer before using the Client.

Installing with RPM Distribution on SUSE 9.2, 9.3, and 10.1

To install the Client on a Linux computer using SUSE 9.2, 9.3, and 10.1, use the following procedure:
The Client is kernel dependent. The package contains source code that needs to be rebuilt before being installed on the host. To rebuild the package, on the host where the Client is being installed, enter the following command:
rpmbuild --rebuild cvc_linux-suse-gcc3-[version]-0.src.rpm
This command rebuilds the Client and places the binary package in the /usr/src/packages/RPMS/i386/ directory.
To install the package, enter the following command:
rpm -i /usr/src/packages/RPMS/i386/cvc_linux-suse-gcc3-[version]-0.i386.rpm
Log out and log back in to the Linux computer before using the Client.
NOTE: A reboot may not always be necessary. We highly recommend, however, that you reboot the computer before using the Client.

Installing with TAR Distribution

To install the Client with TAR distribution, unTAR the files by entering the following command in the directory where the TAR file is located:
# tar -xvf .tar
Enter the new directory created by the TAR file:
# cd
Rebuild the package on the host where the Client is being installed:
# make all
To install the package, enter the following command:
# make install
Reboot the Linux computer before using the Client.
NOTE: A reboot may not always be necessary. We highly recommend, however, that you reboot the computer before using the Client.
Installing the Contivity VPN Client for Solaris

NOTE: We recommend that you remove any previously installed IPSec Client software before installing the Contivity VPN Client. Failure to do so might result in a failure of the installation.
Requirements
In order to configure the Client and to access the on-line help, you must have a web browser installed on the host computer. The Contivity VPN Client prefers Netscape, but will also use the Sun HotJava browser. If you install a browser after the Client, make sure that a file called "netscape" exists in the standard command path. That file should call or point to the installed browser. For example, if you install Netscape at "/opt/NSCPcom/netscape," create a symbolic link called "/usr/bin/netscape" or change your command path to include "/opt/NSCPcom." In order to install a Client on a Solaris system, you must have root or superuser permission.

NOTE: Commands are case sensitive. Those commands shown here in lower case must be typed in lower case.
Dynamic Routing
The Client will not operate on a Solaris system that has dynamic routing enabled. If dynamic routing is enabled, you must disable it prior to installing the Client.
To disable dynamic routing, create a file named /etc/defaultrouter. The contents of the file should be the IP address of the router.
Installing with TAR Distribution

To install the Client with TAR distribution, unTAR the files by entering the following command in the directory where the TAR file is located:
tar -xvf .tar
Enter the new directory created by the TAR file and proceed with step 3 of a normal installation (on the following page). The unTARed files are in the directory .
Installation
To install the Client for Solaris:
1. Insert the CD into the drive. The Solaris Volume Manager should mount the CD at /cdrom/cdrom0.
2. Change directory to the location of the Client installation software: cd /cdrom/cdrom0/<path>
3. Enter the package installation command: pkgadd -d . nleac
The version of the Client that is about to be installed is listed along with the first part of the User’s Sublicense Agreement. The User’s Sublicense Agreement is displayed in sections to allow it to be read in its entirety. Between each section, the following prompt is displayed: Press RETURN to continue [?]
After the entire license agreement has been displayed, you are prompted to accept the agreement: Do you accept the above license agreement [y, n, ?]
4. Press y to continue.
The installer checks the system to verify that the package can be installed and gives you the opportunity to abort the installation: Do you want to continue with the installation of [y,n,?] y
5. Press y to continue the installation. (Pressing n or any other key aborts the installation.)
Files from the CD are copied to the system. A series of messages lists the files as they are processed, ending with a message stating that the installation of the Client was successful.
6. Reboot the Solaris system to ensure proper operation and to start using the Client.
The installation of the Client is complete.
Installing the Contivity VPN Client for Windows Mobile
IMPORTANT: You must remove any previously-installed IPSec Client software before installing the Contivity VPN Client. Failure to do so will result in a failure of the installation and of the PDA device as well.
Windows Mobile Compatibility
This version of the Apani Contivity VPN Client is designed to be installed and run under Windows Mobile Pocket PC 2003 CE and SE.
Installation
Installation can be done from a desktop computer using ActiveSync or directly on the PDA itself.
Installing from a Desktop:
Unzip the install package to a known location on the hard disk of the desktop machine. Run the program setup.exe from that location. This starts the desktop portion of the install. Accept the default for the location of the product on the PDA and observe that the desktop install starts the PDA install at the proper time and that it runs to completion. Reboot the PDA at this time.
NOTE: The Client requires installation in the default directory. If you choose an alternate location, the Client will not start.
Installing Directly:
1. Copy the .cab file to the PDA.
2. Double-click the .cab file.
The Client software is installed.
Configuration
NOTE: The PDA must be rebooted after installation for the Client to function.
Registering the Contivity VPN Client Software
New Registration
When you first start the Client after installation, the Product Registration window appears. You must enter your license code before any further operations can take place. If the Client has been pre-configured (see "Pre-Configuration" on page 17), the Product Registration window does not appear and the Connections window appears when the Client is first launched. The exception is a multi-seat license installation in which 0 (zero) was entered as the seat number in the initial Client configuration: in that case the Product Registration window appears and prompts you only for a Seat Number.
Figure 2-11. Product Registration Window
How and where you obtain the license code depends on where you purchased the Client.
Nortel Networks—If you purchased the Client from Nortel Networks, click the note at the bottom of the dialog box. You will be connected to the Apani Networks web site, where a form is displayed for you to fill out. The form asks for the registration code attached to the installation CD. Upon completion of the form, you are given the license code.
Apani Networks—If you purchased the Client from Apani Networks, you were given the license code at the time of purchase.
1. Enter the license code in the License Code text box.
2. If this Client is one of a multi-seat license, type the assigned seat number for this Client in the Seat Number text box.
3. Click Register.
A window appears with the message that the license code has been validated.
Figure 2-12. License Code Validated
4. Click OK.
The Connections window appears and you can begin the configuration and operation of the Client as described in Chapter 3.
Entering a New Registration
If for any reason you need to re-enter the license code or other registration information:
1. In any of the windows (such as Connections, Monitor, Preferences, etc.), click Registration in the left column of the window to display the Product Registration window.
Figure 2-13. Redisplaying the Product Registration Window
2. Click Clear.
A confirmation prompt appears.
Figure 2-14. Confirming Clear Registration
3. Click Yes, Clear Registration.
The current registration is cleared and the initial Product Registration window appears, as shown in Figure 2-11.
Removing the Contivity VPN Client from Macintosh OS X
IMPORTANT: This procedure completely removes the Client software from the Macintosh OS X computer. It should not be confused with the Disconnect procedure described in Chapter 3, Configuring the Contivity VPN Client.
IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, "Disconnecting the Contivity VPN Client" on page 91.
To remove the Client from a Macintosh OS X computer:
1. Display the hard disk (HD) map.
2. Select Library > Application Support > Apani.
The Apani map appears.
Figure 2-15. Macintosh OS X Apani Screen
3. Double-click Uninstall.
The Uninstaller screen appears.
Figure 2-16. Macintosh OS X Uninstaller Screen
4. Click Uninstall.
A screen appears with a prompt to enter your Administrator Password.
Figure 2-17. Macintosh OS X Uninstall Enter Admin Password Prompt
5. Type the Administrator Password in the text box.
6. Click OK.
The uninstall process begins. A progress message is displayed, followed by a message that the uninstall was successful.
Figure 2-18. Macintosh OS X Uninstall Successful
7. Click OK.
Removing the Contivity VPN Client from Linux
NOTE: You must be logged on as root to execute the command that removes the Client from Linux.
IMPORTANT: This procedure completely removes the Client software from the Linux computer. It should not be confused with the Disconnect procedure described in Chapter 3, Configuring the Contivity VPN Client.
IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, "Disconnecting the Contivity VPN Client" on page 91.
To remove a Client from Linux, enter the following commands.
If using the RPM distribution, first query the RPM database for the exact name of the installed package: rpm -qa | grep cvc
The system returns the name of the installed RPM, something on the order of: cvc_linux_rh_gcc_-0
Then remove the package using the name that was returned: # rpm -e cvc_linux_gcc_-0
If using the TAR distribution, change to the directory into which the TAR file was extracted and run the uninstall target:
# cd
# make uninstall
Reboot the Linux host computer.
NOTE: If you want to save the configuration information, for example for an upgrade or re-installation, save the file /etc/netlock/eac.db to another location where it will not be overwritten by another installation or upgrade. After installing the upgrade version, restore the eac.db file.
Removing the Contivity VPN Client from Solaris
IMPORTANT: This procedure completely removes the Client software from the Solaris computer. It should not be confused with the Disconnect procedure described in Chapter 3, Configuring the Contivity VPN Client.
IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, "Disconnecting the Contivity VPN Client" on page 91.
To remove a Client from Solaris, perform the following steps:
1. Log in as root.
2. At the UNIX prompt, enter: pkgrm nleac
A screen message appears, listing the Solaris version number and requesting confirmation for removal of the Apani Extranet Access Client package. The following package is currently installed: nleac Apani Extranet Access Client (sparc) (version number) Do you want to remove this package?
3. Enter y to continue removal of the Client package.
A second request appears, confirming removal of the Client package. ## Removing installed package instance This package contains scripts which will be executed with super-user permission during the process of removing this package. Do you want to continue the removal of this package (y,n,?,q)
4. Enter y to confirm removal of the Client.
A series of messages describes the step-by-step removal process and finishes with a message that the removal of the Client was successful: /etc/netlock <non-empty directory not removed> ## Executing postremove script. Removing Agent log files. Removing Agent database files. Removing directory /etc. ## Updating system information. Removal of was successful.
5. Reboot the Solaris system to ensure proper operation.
The removal of the Client is now complete.
NOTE: If you want to save the configuration information, for example for an upgrade or re-installation, save the file /etc/netlock/eac.db to another location where it will not be overwritten by another installation or upgrade. After installing the upgrade version, restore the eac.db file.
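The note above, and the identical note in the Linux removal procedure, describe the save-and-restore of /etc/netlock/eac.db in words only. The following Python script is an added example, not part of this guide or of the Client software, that performs the same round trip with two checks a practitioner would want: the copy is verified byte-for-byte, and both the backup and the restored file are left readable by the owner only, since eac.db holds the Client's connection configuration. The path /etc/netlock/eac.db is the one named in the note; the backup directory is an assumption of the example. The demonstration at the bottom runs against a constructed file in a temporary directory so that it needs no root privileges.

```python
"""Preserve the Client's configuration database across a remove/reinstall or
upgrade on Linux or Solaris, as the guide's note recommends.

Added example, not part of the guide or the Client software.  /etc/netlock/eac.db
is the path the guide names; the backup directory is an assumption of this
example.  eac.db holds the Client's connection configuration, so both the
backup and the restored file are kept owner-readable only (mode 0600).  The
demonstration at the bottom runs against a constructed copy in a temporary
directory so that it needs no root privileges.
"""
import filecmp
import os
import shutil
import stat
import tempfile

EAC_DB = "/etc/netlock/eac.db"   # path named in the guide


def _read(path: str) -> bytes:
    with open(path, "rb") as f:
        return f.read()


def backup_eac_db(src: str, backup_dir: str) -> str:
    """Copy src into backup_dir, preserving timestamps, restrict the copy to the
    owner, and verify it byte-for-byte.  Returns the backup path."""
    if not os.path.isfile(src):
        raise FileNotFoundError(f"{src} not found (is the Client installed?)")
    os.makedirs(backup_dir, mode=0o700, exist_ok=True)
    os.chmod(backup_dir, 0o700)           # makedirs mode is subject to umask
    dest = os.path.join(backup_dir, "eac.db")
    shutil.copy2(src, dest)
    os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR)
    if not filecmp.cmp(src, dest, shallow=False):
        raise IOError("backup does not match the original")
    return dest


def restore_eac_db(backup_dir: str, dest: str = EAC_DB) -> str:
    """Put the saved database back after the new version has been installed.
    Refuses to run if the Client's directory does not exist yet (install first,
    then restore, as the guide's note says)."""
    src = os.path.join(backup_dir, "eac.db")
    if not os.path.isfile(src):
        raise FileNotFoundError(f"no eac.db backup in {backup_dir}")
    if not os.path.isdir(os.path.dirname(dest)):
        raise FileNotFoundError(
            f"{os.path.dirname(dest)} does not exist: install the Client before restoring")
    shutil.copy2(src, dest)
    os.chmod(dest, stat.S_IRUSR | stat.S_IWUSR)
    if not filecmp.cmp(src, dest, shallow=False):
        raise IOError("restored file does not match the backup")
    return dest


def demo_round_trip() -> bool:
    """Simulate: back up -> remove package -> install upgrade -> restore.
    Returns True if the restored file is identical to the original and is mode 0600."""
    with tempfile.TemporaryDirectory() as work:
        netlock = os.path.join(work, "etc", "netlock")
        os.makedirs(netlock)
        db = os.path.join(netlock, "eac.db")
        with open(db, "wb") as f:
            f.write(b"constructed eac.db contents, not a real database\n")
        original = _read(db)
        backup_eac_db(db, os.path.join(work, "backup"))
        shutil.rmtree(netlock)       # stands in for `pkgrm nleac` / `rpm -e`
        os.makedirs(netlock)         # stands in for installing the new version
        restored = restore_eac_db(os.path.join(work, "backup"), db)
        mode = stat.S_IMODE(os.stat(restored).st_mode)
        return _read(restored) == original and mode == 0o600


if __name__ == "__main__":
    print("round trip OK" if demo_round_trip() else "round trip FAILED")
```

On a real host, run backup_eac_db(EAC_DB, "/root/eac-backup") as root before pkgrm or rpm -e, install the new version, then call restore_eac_db("/root/eac-backup"); the restore deliberately refuses to run until /etc/netlock exists again, which enforces the order the note gives.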
Removing the Contivity VPN Client from Windows CE
IMPORTANT: The Client must be disconnected before the Client software is removed. Failure to do this will result in the Client computer being unable to access the public network. For the procedure to disconnect the Client, see Chapter 3, Configuring the Contivity VPN Client, "Disconnecting the Contivity VPN Client" on page 91.
To remove the Client software from the PDA: Select the Remove Programs applet under Settings.
Customizing User-Interface Graphics
The Client allows you to add customized graphic art to the various windows. With this feature, you can add graphics that are meaningful to your application, such as a logo or business unit representation. The graphics files packaged with the Client software are used if you do not specify customized graphics. The ability to customize user-interface graphics applies to all platforms that run the Client software. The graphics must be in GIF (CompuServe Graphics Interchange Format). Two graphics can be customized (listed in the table below and illustrated in Figure 2-19). They replace the logos for Nortel Networks and Apani Networks.
For other computers:
To add a customized graphic, create the graphic with the file name and size shown in the following table. Copy or move the file to the /etc/netlock directory. The graphic is displayed in the GUI after the computer has been restarted. The graphics files, their required sizes (in pixels), and their current applications are:

File Name    Size          Application
logo1.gif    100w x 32h    Nortel Networks Logo
logo2.gif    72w x 32h     Apani Networks Logo
Examples of the customized displays are shown in Figure 2-19.
Figure 2-19. Customize GUI Display (placement of logo1.gif and logo2.gif)
Chapter 3. Configuring the Contivity VPN Client
This chapter explains how to establish a connection between the Client and the Contivity Switch. It also explains how to monitor Client status, how to control the logging of Alert information, and how to disconnect and reconnect the Client.
Contents of this Chapter
User Interface (page 47): Discusses the two types of user interface provided by the Contivity VPN Client.
Launching the Contivity VPN Client (page 48): Explains the procedures for launching the Client after installation and license registration and prior to establishing a new connection.
Certificate Management (page 51): Explains the procedures for using digital certificates and for importing certificates and CA certificates.
Defining a New Connection Profile (page 61): Explains the step-by-step manual procedures for defining a connection profile prior to establishing a new connection between the Contivity VPN Client and the Nortel Networks Contivity Switch.
Connecting the Contivity VPN Client (page 74): Explains the step-by-step procedure for establishing the connection between the Contivity VPN Client and the Contivity Switch using a defined connection profile or re-connecting the Client after it has been disconnected.
Monitoring Connection History (page 82): Explains the procedure for viewing the status of the Contivity VPN Client connection.
Setting Client Preferences (page 83): Explains the procedures for controlling what audit and error information will be logged, controlling the maximum log file size, enabling or disabling the display of alerts information messages, and controlling configuration lockdown features.
Viewing Audit Information (page 90): Explains the procedure for viewing the log files of audit and error information.
Disconnecting the Contivity VPN Client (page 91): Explains the step-by-step procedure for disconnecting the Contivity VPN Client from the Contivity Switch.
Command Line Interface (page 92): Provides instructions for the operation of the Contivity VPN Client using the command line interface instead of the graphical user interface.
User Interface
The Client provides a graphical user interface (GUI). The instructions on the following pages illustrate the use of the GUI in the operation of the Client. A command line interface is available for Client users on Macintosh OS X and Linux computers. The command line interface does not duplicate the functionality of the GUI. Its main purpose is to be used in shell scripts that connect to the Contivity Switch, allow limited operations such as file transfers, and disconnect. The instructions for using the command line interface begin on page 92.
Launching the Contivity VPN Client IMPORTANT: The operation and appearance of windows differ from one browser to another. The contents of the windows are the same. The illustrations that follow all show windows in a Safari browser on a Macintosh OS X system. Where procedural steps and descriptions are different from Macintosh to Linux and UNIX systems, those differences are noted in the text.
NOTE: If your TCP/IP configuration uses dialup PPP (Pass or Remote Access) or a similar non-continuous network connection, you must first connect to the network using your dialup tool before launching the Client.
After completion of a new installation and rebooting:
• on Mac OS X computers, an Alias is created and labeled Apani Contivity VPN Client.url
• on Windows CE (PDA) computers, a Contivity VPN Client selection is listed under the Start menu or the Start/Programs menu
• on other computers, an Apani icon is displayed on the front panel
Depending on the type of computer you have:
• On Macintosh OS X computers: Click the Apani Contivity VPN Client icon. The browser launches and the Connections window appears.
• On other computers (Linux, Solaris):
1. Click the expand arrow above the Apani icon on the Front Panel. Or, on the command line, enter the command: start_cvc
A pop-up menu appears.
2. Choose Extranet Access Client. The browser launches and the Connections window appears.
• On Windows CE computers: Click Contivity VPN Client under the Start menu or the Start/Programs menu. The browser launches and the Connections window appears.
NOTE: Another way to launch the Client is to load the browser and go to the URL http://127.0.0.1:9161 or http://localhost:9161.
Figure 3-20. Connections Window
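The URLs in the note above show that the Client's windows are served by a local web listener on TCP port 9161. Because that interface is where connection profiles are defined, certificates imported and preferences changed, a practitioner will want to confirm that the listener is bound to the loopback address only and not to every interface of the host. The following Python script is an added example, not part of this guide or of the Client software; it parses the text of netstat -an (Linux/BSD and Solaris column layouts) and reports every LISTEN socket on port 9161 as loopback or exposed. The port number is the one given in the note; the netstat output embedded at the bottom is constructed for the demonstration, not captured from a real host.

```python
"""Check that the Contivity VPN Client's browser interface (TCP port 9161, per the
guide) is listening on the loopback address only.

Added example, not part of the guide or the Client software.  Feed it the text
of `netstat -an`; the sample output at the bottom is constructed, not captured
from a real host.
"""
import re
from typing import List, Optional, Tuple

CLIENT_UI_PORT = 9161  # port in the guide's URL http://127.0.0.1:9161

# Local address forms seen in netstat output:
#   Linux/BSD: 127.0.0.1:9161   :::9161   0.0.0.0:9161
#   Solaris:   127.0.0.1.9161   *.9161
# Host and port are separated by the last '.' or ':'.
_LOCAL_ADDR_RE = re.compile(r"^(\S+)[.:](\d+)$")


def _local_address(fields: List[str]) -> Optional[str]:
    """Pick the local-address column: 4th field on Linux/BSD ('tcp ...' lines),
    1st field on Solaris, whose lines start with the address itself."""
    if fields[0].startswith(("tcp", "udp")):
        return fields[3] if len(fields) > 3 else None
    return fields[0]


def _is_loopback(host: str) -> bool:
    return host == "::1" or host == "localhost" or host.startswith("127.")


def listeners_on_port(netstat_output: str, port: int = CLIENT_UI_PORT) -> List[Tuple[str, str]]:
    """Return (local_host, verdict) for each LISTEN socket on `port`;
    verdict is 'loopback' or 'exposed'."""
    found: List[Tuple[str, str]] = []
    for line in netstat_output.splitlines():
        fields = line.split()
        if not fields or "LISTEN" not in fields:
            continue
        local = _local_address(fields)
        if local is None:
            continue
        m = _LOCAL_ADDR_RE.match(local)
        if not m or int(m.group(2)) != port:
            continue
        host = m.group(1)
        found.append((host, "loopback" if _is_loopback(host) else "exposed"))
    return found


def client_ui_is_loopback_only(netstat_output: str, port: int = CLIENT_UI_PORT) -> bool:
    """True only if the port has at least one listener and every listener is loopback.
    No listener at all also returns False (Client not running, or a different port)."""
    verdicts = [v for _, v in listeners_on_port(netstat_output, port)]
    return bool(verdicts) and all(v == "loopback" for v in verdicts)


# Constructed sample output (not from a real system).
SAFE_LINUX = """\
Active Internet connections (servers and established)
Proto Recv-Q Send-Q Local Address           Foreign Address         State
tcp        0      0 127.0.0.1:9161          0.0.0.0:*               LISTEN
tcp        0      0 0.0.0.0:22              0.0.0.0:*               LISTEN
"""
EXPOSED_LINUX = """\
tcp        0      0 0.0.0.0:9161            0.0.0.0:*               LISTEN
tcp6       0      0 :::9161                 :::*                    LISTEN
"""
SAFE_SOLARIS = """\
   Local Address        Remote Address    Swind Send-Q Rwind Recv-Q  State
-------------------- -------------------- ----- ------ ----- ------ -------
127.0.0.1.9161             *.*                0      0 49152      0 LISTEN
      *.22                 *.*                0      0 49152      0 LISTEN
"""

if __name__ == "__main__":
    for name, output in (("Linux, safe", SAFE_LINUX),
                         ("Linux, exposed", EXPOSED_LINUX),
                         ("Solaris, safe", SAFE_SOLARIS)):
        verdict = "OK" if client_ui_is_loopback_only(output) else "CHECK BINDING"
        print(name, listeners_on_port(output), verdict)
```

On a live host, pipe the real output in (for example netstat -an | python3 check_ui_port.py with a small wrapper that reads sys.stdin) and treat any "exposed" verdict as a finding: the Client's configuration interface would then be reachable from other hosts on the network.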
To establish a new connection between the Client and the Contivity Switch, follow the procedures in “Defining a New Connection Profile” on page 61.
If you are re-connecting to the Contivity Switch or if your connection has been pre-configured, follow the procedure in "Connecting the Contivity VPN Client" on page 74. If you will be using digital certificate authentication to establish a connection, as opposed to User Name and Password or one of the Group Authentication options, follow the procedures in the next section to import and assign your personal certificate. After that, follow the procedures to establish a new connection or to re-connect, as appropriate.
Certificate Management
The Client supports the use of X.509 Version 3 public key certificates to bind public key values to the Client and to the Contivity Switch. The binding is asserted by having a trusted Certificate Authority (CA) digitally sign each certificate. Because each certificate carries the CA's signature, a Client and a Contivity Switch can each verify that the public key it is about to use belongs to the system with which secure communications will be established. The CA's own certificate (the CA certificate) supplies the key used to validate the certificate that the Contivity Switch presents to the Client when the connection is established. If you are using digital certificate authentication to establish a connection, as opposed to User Name and Password or one of the Group Authentication options, the personal certificate and the CA certificate must be in place before you establish a connection. Use the procedures in this section to request a personal certificate, to import a CA certificate, to import certificates, to view certificate details, to assign a certificate, and to delete a certificate. Certificate management is performed in the Certificate Management window. To display it, click Certificates in the left column of the Connections window (see Figure 3-20).
The Certificate Management window appears.
Figure 3-21. Certificate Management Window
Before you can use your personal certificate, you must have imported a CA certificate: the certificate of your designated Certificate Authority (CA), which the Client uses to validate the certificates that CA has issued.
Importing a CA Certificate
To import a CA certificate:
1. In the Certificate Management window, click CA Certs in the left column.
The Certificate Management window displays CA Certificates.
Figure 3-22. CA Certificate Management
No CA Certificates should be listed at this time.
2. Click Add.
The Certificate Management window appears.
Figure 3-23. Add a CA Certificate
3. Do one of the following to specify the CA certificate file:
• Type the full path of the file containing the CA certificate in the Filename text box and click Import.
• Open the CA certificate file, then cut and paste the certificate into the Certificate panel.
4. With either a file name listed or the CA certificate displayed, click Add.
The CA certificate is imported into the Client and will be used to validate personal certificates imported from now on.
Requesting a Certificate
To establish a connection using personal certificate authentication, you must have imported the certificate and added it to the certificate store. This is a four-part process:
• Generate the Certificate Signing Request (CSR)
• Submit the CSR to the CA
• Import the certificate from the CA
• Add the certificate to the certificate store
This section explains how to request a certificate by (1) generating a request and (2) exporting the request. Importing and assigning the certificate is covered in the following section.
Generating a Certificate Request
To generate a Certificate Signing Request (CSR): 1. In the Certificate Management window (see Figure 3-21), click Requests in the left column.
The Certificate Management window displays Pending Certificate Requests (which at this point should display "No pending certificate requests."). Figure 3-24. No Pending Certificate Requests
2. Click New.
The Certificate Signing Request form appears in the Certificate Management window.
Figure 3-25. Certificate Signing Request Form
3. Type the required information in the appropriate text boxes. Type a 6-character passphrase in the Passphrase text box, then type it again to confirm. (This passphrase protects the private key generated with the request; you will need it when connecting the Client to the Contivity Switch.)
4. Click Generate Request.
The Certificate Management window lists the new request. Figure 3-26. New Pending Certificate Request
Exporting a Certificate Request
When the Certificate Signing Request (CSR) has been created, you can export it for submission to the Certificate Authority (CA).
1. In the Certificate Management window shown in Figure 3-26, click Export.
The Certificate Management window displays the CSR export form.
Figure 3-27. Exporting the CSR
The CSR is displayed in the CSR panel.
2. To export the CSR, you can either:
• Type the name of the file to which the CSR is to be written in the Filename text box and click Export.
• Cut and paste the CSR from the display to the export location.
3. Click Continue.
The process of receiving the CSR and generating a new certificate is a function of the CA. At the completion of the process, the new certificate will be in a location where you can then import it into the Client.
Importing a Certificate
When a CSR is sent to the CA, a new certificate is generated. That certificate will be in a file or on a server, ready to be imported. The actual location and the method of generating the certificate vary depending on the particular CA being used. IMPORTANT: The certificate can be in either binary (DER) or base-64 encoded (PEM) format. If using the base-64 format, be aware of line endings when transferring files between Windows, UNIX, and Macintosh computers, because those systems use different line-ending conventions. To import a new certificate: 1. The Certificate Management window should be displayed with Local Certs selected.
Figure 3-28. Certificate Management Window
2. Click Add.
The Certificate Management window displays a form for importing a personal certificate.
Figure 3-29. Importing a Personal Certificate
3. Do one of the following to specify the certificate file:
• Type the full path of the file containing the certificate in the Filename text box and click Import.
• Open the certificate file, then cut and paste the certificate into the Certificate panel.
4. Click Add.
The Certificate Management window displays the certificate information and notifies that the import was successful. Figure 3-30. Certificate Imported
The window shown above can contain more than one certificate. You will select the certificate to use for your personal certificate authentication when you define a connection, as explained in "Defining a New Connection Profile" on page 61.
5. Click Connections in the left column to close the Certificate Management window and return to the Connections window.
When you get to the step in establishing a new connection where you must give the name of the certificate, you can select from a pull-down list of certificates.
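The IMPORTANT note at the start of this section warns that a certificate received from the CA may be binary (DER) or base-64 (PEM), and that line endings differ between Windows, UNIX and Macintosh. The following Python script is an added example, not part of this guide or of the Client software, that does the checking a practitioner would want before clicking Add: it detects which encoding a file uses, normalises CRLF and CR line endings to LF, decodes the base-64 strictly, and verifies that the result is a complete outer ASN.1 SEQUENCE whose declared length matches the bytes present, which catches a truncated or mangled copy. It deliberately stops at the outer structure and does not parse or verify the certificate contents. The sample inputs at the bottom are constructed placeholders with the right outer framing, not real certificates.

```python
"""Detect and normalise a certificate file before importing it into the Client.

Added example, not part of the guide or the Client software.  The guide's
IMPORTANT note says a certificate may be binary (DER) or base-64 (PEM) and that
line endings differ between Windows (CRLF), UNIX (LF) and classic Macintosh
(CR).  This script detects which encoding a file uses, converts the line
endings, and checks that the decoded bytes form a complete outer ASN.1 SEQUENCE
of the stated length, which catches truncated or mangled copies before the
Client's Add button rejects them.  The sample inputs at the bottom are
constructed placeholders, not real certificates.
"""
import base64
import re
from typing import Tuple

# PEM armour: "-----BEGIN <LABEL>-----", base-64 body, "-----END <LABEL>-----".
_PEM_RE = re.compile(
    rb"-----BEGIN ([A-Z0-9 ]+)-----\r?\n?(.*?)\r?\n?-----END \1-----",
    re.DOTALL,
)


def normalize_line_endings(data: bytes) -> bytes:
    """Convert CRLF (Windows) and bare CR (classic Mac) line endings to LF (UNIX)."""
    return data.replace(b"\r\n", b"\n").replace(b"\r", b"\n")


def der_outer_length(der: bytes) -> int:
    """Length in bytes of the outermost DER SEQUENCE, header included.

    X.509 certificates and CSRs are a SEQUENCE (tag 0x30).  The length field is
    short form (one byte below 0x80) or long form (0x80|n followed by n length bytes).
    Raises ValueError if the bytes do not start with a well-formed SEQUENCE header.
    """
    if len(der) < 2 or der[0] != 0x30:
        raise ValueError("not a DER SEQUENCE (first byte is not 0x30)")
    first = der[1]
    if first < 0x80:
        return 2 + first
    n = first & 0x7F
    if n == 0 or n > 4 or len(der) < 2 + n:
        raise ValueError("malformed DER length field")
    return 2 + n + int.from_bytes(der[2:2 + n], "big")


def classify_certificate(data: bytes) -> Tuple[str, bytes]:
    """Return ('PEM' or 'DER', der_bytes) after checking the outer structure.

    A PEM body is normalised and base-64 decoded with strict alphabet checking; a
    DER file is taken as-is.  Either way the declared SEQUENCE length must match
    the number of bytes actually present.
    """
    m = _PEM_RE.search(data)
    if m:
        body = normalize_line_endings(m.group(2))
        try:
            der = base64.b64decode(b"".join(body.split()), validate=True)
        except ValueError as exc:        # binascii.Error is a ValueError
            raise ValueError(f"PEM body is not valid base-64: {exc}") from None
        kind = "PEM"
    else:
        kind, der = "DER", data
    declared = der_outer_length(der)
    if declared != len(der):
        raise ValueError(
            f"DER declares {declared} bytes but {len(der)} are present (truncated or padded copy)")
    return kind, der


def to_pem(der: bytes, label: bytes = b"CERTIFICATE", eol: bytes = b"\n") -> bytes:
    """Wrap DER in PEM armour with 64-column lines and the given line ending."""
    b64 = base64.b64encode(der)
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return (b"-----BEGIN " + label + b"-----" + eol + eol.join(lines) + eol
            + b"-----END " + label + b"-----" + eol)


# Constructed inputs: a 200-byte placeholder body inside a SEQUENCE with a
# long-form length (0x81 0xC8).  This is NOT a real certificate; it only has the
# outer structure the checks above look at.
CONSTRUCTED_DER = b"\x30\x81\xc8" + bytes(range(200))
CONSTRUCTED_PEM_CRLF = to_pem(CONSTRUCTED_DER, eol=b"\r\n")  # as saved on Windows
CONSTRUCTED_PEM_CR = to_pem(CONSTRUCTED_DER, eol=b"\r")      # classic Mac line endings

if __name__ == "__main__":
    for name, blob in (("DER", CONSTRUCTED_DER),
                       ("PEM/CRLF", CONSTRUCTED_PEM_CRLF),
                       ("PEM/CR", CONSTRUCTED_PEM_CR)):
        kind, der = classify_certificate(blob)
        print(f"{name}: detected {kind}, {len(der)} DER bytes")
    try:
        classify_certificate(CONSTRUCTED_DER[:-1])
    except ValueError as exc:
        print("truncated copy rejected:", exc)
```

To use it on a file received from the CA, read the file in binary mode and pass the bytes to classify_certificate; if it returns "PEM", writing to_pem(der) back out gives a clean LF-terminated copy that pastes correctly into the Certificate panel, and if it returns "DER" the original file can be given to the Filename text box unchanged.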
Deleting a Certificate
To delete a certificate:
1. If you are in the Connections window, click Certificates in the left column to display the Certificate Management window.
Figure 3-31. Personal Certificates Listed
2. Select the certificate that you want to delete. 3. Click Delete.
Viewing Certificate Details
To view the details of a certificate:
1. In the Certificate Management window, click Local Certs to view the list of certificates currently imported into the Client (see Figure 3-31, above).
2. Select the certificate from the list.
3. Click Show.
The window displays a view of the certificate details.
Figure 3-32. Certificate Details
4. Click Continue to close the window and return to the Certificate Management window.
Defining a New Connection Profile
When the Client is launched, the Connections window is displayed. (If you have been importing a certificate or performing a similar function and are in the Certificate Management window, click Connections in the left column.) The procedures described below assume that this is a new connection for which you are creating a configuration profile. If a connection has already been defined, or if your system administrator has defined the connection and enabled configuration lockdown, follow the procedures described in "Connecting the Contivity VPN Client" on page 74. If a connection has been previously established but you want to define a new configuration profile, follow the procedure described below.
Figure 3-33. Contivity VPN Client New Connections Window
A connection profile is identified by a Connection Name. The profile specifies the user name and password (if required), the destination name or address, and the authentication method to be used to complete the connection. There may be numerous connection profiles from which to choose. It is also possible that the system administrator will pre-define a profile and then enable configuration lockdown, in which case no selection of (or changes to) connection profiles can be made.
To define a new connection profile:
1. Click New.
The page to define a new connection profile appears.
Figure 3-34. Define a New Connection Profile
2. Type a name for the connection in the Connection Name text box.
3. Type the address of the Contivity Switch in the Destination text box.
The address can be either a dotted-decimal IP address (nnn.nnn.nnn.nnn) or a host name to be resolved by DNS lookup.
4. Click Next.
The page to select the method of authentication appears.
Figure 3-35. Selecting the Authentication Method
5. Select one of the three authentication methods.
6. Click Next.
7. How you proceed now depends upon the method of authentication that you selected in Step 5 and that will be used for this connection profile.
• If authentication will be only with a User Name and Password, continue with "User Name and Password Authentication" below.
• If authentication will be by digital certificate, continue with the procedure under "Digital Certificate Authentication" on page 65.
• If authentication will be by any of the optional Group Authentication methods (such as RADIUS) where you were given a Group ID and Password and possibly an RSA SecurID Token or Card, continue with the procedure under "Group Security Authentication" on page 66.
User Name and Password Authentication
If you selected User Name and Password Authentication in the page shown in Figure 3-35, a page for you to specify a user name appears.
Figure 3-36. Selecting a User ID
1. Type a User ID in the User ID text box.
2. Select Prompt or leave unselected.
If you select Prompt, you will be prompted to type in the User ID on the New Connections page, like this:
If you leave Prompt unselected, the User ID appears on the New Connections page without prompting, as shown in Figure 3-37, below. Also, if you leave Prompt unselected, a user name should not be supplied when using the command line interface.
3. Click Finish.
The Connections window appears with the connection profile for this connection displayed. Figure 3-37. User Name in Connections Window
4. Type the password in the Password text box.
NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and UNIX systems.
You also may have the option of saving your password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box is active. Select this box if you want the password stored on the Client so that you are not prompted for it the next time you establish a connection.
5. Continue with the procedure described in "Completing the Connection" on page 70.
Digital Certificate Authentication
If you selected Digital Certificate Authentication in the page shown in Figure 3-35, a page for you to specify a certificate appears.
Figure 3-38. Selecting a Certificate
1. Select a certificate from the Default Cert list.
If no certificates are listed, a certificate or certificates will have to be imported. See "Importing a Certificate" on page 57.
2. Select Prompt or leave unselected.
If you select Prompt, you will be prompted to type in the certificate name on the New Connections page, like this:
If you leave Prompt unselected, the certificate appears on the New Connections page without prompting, as shown in Figure 3-39, below. Also, if you leave Prompt unselected, the certificate name should not be supplied when using the command line interface.
3. Click Finish.
The Connections window appears with the connection profile for this connection displayed.
Figure 3-39. Certificate Name in Connections Window
4. Type the passphrase that you used when generating the Certificate Signing Request in the Passphrase text box.
The passphrase protects the private key that belongs to the certificate; without it the Client cannot use the certificate to authenticate. (The integrity of the signed certificate itself is assured by the CA's signature, not by the passphrase.)
5. Continue with the procedure described in "Completing the Connection" on page 70.
Group Security Authentication
If you selected Group Security Authentication in the page shown in Figure 3-35, a page appears for you to specify one of the Group Authentication Options.
Figure 3-40. Selecting Group Authentication Options
1. Type a User Name in the User Name text box.
2. Select Prompt or leave unselected.
If you leave Prompt unselected, the User Name appears on the New Connections page without prompting, like this:
Also, if you leave Prompt unselected, a user name should not be supplied when using the command line interface. If you select Prompt, you will be prompted to type in the User Name on the New Connections page, as shown in Figure 3-43, Figure 3-44, or Figure 3-45, below.
3. Type the Group ID in the Group ID text box.
4. Type a password in the Group Password text box.
5. Select the appropriate Group Authentication Option. You can select:
• If authentication will be by using only a Group ID and Password, select Group ID and Password.
• If authentication will be by a standard RSA SecurID Token, which may be a Key Fob or a Card, without a numeric PIN pad (as shown in Figure 3-41), select Response Only Token.
• If authentication will be by an RSA SecurID PinPad Card having a numeric PIN pad entry (as shown in Figure 3-42), select Response Only Token and select Passcode Display.
Figure 3-41. RSA SecurID Token Key Fob and Card
Figure 3-42. RSA SecurID PinPad Card
6. Click Finish.
   Depending on the type of Authentication option selected, the Connections window appears with the connection profile for this connection displayed.
   • If you selected Group ID and Password, continue with the procedure under Group Password Authentication, below.
   • If you selected Response Only Token, continue with the procedure under “Response Only Token” on page 69.
   • If you selected Response Only Token and Passcode Display, continue with the procedure under “Response Only Token with Passcode” on page 70.
Group Password Authentication

After selecting Group Password Authentication and clicking Finish in the previous Connections window, the Group Password option appears in the Connections window.

Figure 3-43. Group Password Option in Connections Window
7. Type the Group Password in the Password text box.
   NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and UNIX systems.
   You also may have the option of saving the password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.
8. Continue with the procedure described in “Completing the Connection” on page 70.
Response Only Token

After selecting Response Only Token and clicking Finish in the previous Connections window, the Response Token option appears in the Connections window.

Figure 3-44. Response Token Option in Connections Window

9. Type the PIN given to you by the network administrator.
10. Type the Token number currently appearing on your RSA SecurID Card.
11. Continue with the procedure described in “Completing the Connection” on page 70.
Response Only Token with Passcode

After selecting Response Only Token and Passcode Display followed by clicking Finish in the previous Connections window, the Response Token with Passcode option appears in the Connections window.

Figure 3-45. Response Token with Passcode Option in Connections Window

12. Enter the PIN given to you by the network administrator on the pinpad of your RSA SecurID Card.
13. Read the Passcode number from your RSA SecurID Card and type that number in the Passcode field.
14. Continue with the procedure for completing the connection, described below.
Completing the Connection
After defining the authentication method, you were instructed to return to this point. Continue with the following steps to complete establishing a connection.

Depending on previous connections, you may have the option of disabling Keepalives. This would override the setting of the Contivity Switch. You can disable Keepalives at the Client, even if it has been enabled at the Contivity Switch. If Keepalives is disabled at the Contivity Switch, it cannot be enabled at the Client.

1. Click Connect.
   The Client Monitor window appears and displays a message screen while the connection is being made.

Figure 3-46. Negotiation in Progress Message
When negotiations between the Client and the Contivity Switch complete successfully, the Contivity VPN Client window with connection values is replaced by the Client Monitor window (see Figure 3-47). The Negotiation Status value in the Client Monitor window displays Successful. The other values are updated according to the Contivity Switch IPSec settings.

If the connection is not established:
• The Contivity VPN Client window is displayed, and the message "Negotiation with switch failed" is displayed.

The Client Monitor window periodically refreshes the Duration, Bytes In/Out, and Frames In/Out values as long as the Client is connected to the Contivity Switch.

Figure 3-47. Client Monitor Window
NOTE: You do not have to keep the browser window open once you have completed a connection. You may close the browser window or quit the browser application. The connection will stay unchanged. To access the Client again:
• On Macintosh computers, click the Apani icon on the menu bar and choose an item from the drop-down menu.
• On Macintosh OS X computers, click the Apani icon on the desktop.
• On other computers, click the expand arrow above the Apani icon on the Front Panel and choose an item from the pop-up menu.
Editing a Connection Profile
Provision is made to edit a connection profile. The editing feature can be disabled by the system administrator using the Configuration Lockdown facility. If the editing feature has been disabled, the Edit button will not appear in any of the configuration windows.

To edit settings in a configuration profile, click Edit in the part of the configuration that you want to edit. A screen will appear that is similar to the screen in which you set those values while creating the current configuration profile. Instead of having blank values, as it did when you created the configuration profile, the editing screen shows the current configuration values. You can change any value by typing in a new value, for example, to change a password or select a new certificate. Click Next to move through the configuration screens in the same order as when creating the configuration profile.

If you change a value that affects later screens, such as the method of authentication, then when you click Next you will have to continue through the remainder of the configuration procedure for the newly selected method. The values for the successive screens will be blank, as when defining a new profile.
Connecting the Contivity VPN Client

The following procedure is for:
• Re-connecting a Client to a Contivity Switch
• Establishing an initial connection of a Client to a Contivity Switch when a configuration profile has previously been defined
Selecting the Connection Profile
To connect the Client:
1. If the browser is not already launched and the Connections window displayed, follow the procedures described in “Launching the Contivity VPN Client” on page 48, to launch the Client. The Connections window is displayed.
   The appearance and content of the window will vary depending upon the configuration profile defined for this Client and, if the Client has been previously connected, upon the configuration profile last used.
2. The current configuration profile name is shown in the Connection list. If you want to connect under a different connection profile, select the connection name in the Connection list. If JavaScript has been enabled, the new profile features are displayed. If JavaScript has not been enabled, click Go after selecting the connection name.
3. The type of authentication for this connection is shown directly under the Connection list under the Type heading. This will show one of several values:
   • User ID & Password—If this is shown as the authentication Type, continue with the procedure described in “User ID & Password Authentication” on page 75.
   • Digital Certificate—If this is shown as the authentication Type, continue with the procedure described in “Digital Certificate Authentication” on page 76.
   • One of the Group Authentication options may be displayed:
     • Group (Token)—If this is shown as the authentication Type, continue with the procedure described in “Response Token Authentication” on page 77.
     • Group (Token/Passcode)—If this is shown as the authentication Type, continue with the procedure described in “Response Token with Passcode Authentication” on page 78.
     • Group Password—If this is shown as the authentication Type, continue with the procedure described in “Group ID and Password Authentication” on page 79.

User ID & Password Authentication

If User ID & Password is the method of authentication, the Connections window that first appears will look like the following:

Figure 3-48. User ID and Password Connections Window

The User Name might be displayed or a selection text box will prompt to select a User Name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.
1. If you are being prompted, select your User Name from the selection list.
2. Type your password in the Password text box.
   NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and UNIX systems.
   You also may have the option of saving your password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.
3. Continue with the procedure described in “Completing the Connection” on page 80.
Digital Certificate Authentication
If Digital Certificates is the method of authentication, the Connections window that first appears will look like the following:
Figure 3-49. Digital Certificates Connections Window
The Certificate name might be displayed or a selection text box will prompt to select a Certificate name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.
1. If you are being prompted, select your Certificate from the selection list.
2. Type your passphrase in the Passphrase text box.
   This is the passphrase used to protect the integrity of the personal certificate. It is not the same as the User ID Password.
3. Continue with the procedure described in “Completing the Connection” on page 80.
Response Token Authentication
If the Response Token is the method of authentication, the Connections window that first appears will look like the following:
Figure 3-50. Response Token Connections Window
The User Name might be displayed or a selection text box will prompt to select a User Name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.
1. If you are being prompted, select your User Name from the selection list.
2. Type the PIN given to you by the network administrator.
3. Type the Token number currently appearing on your RSA SecurID Card (see Figure 3-41).
4. Continue with the procedure described in “Completing the Connection” on page 80.
Response Token with Passcode Authentication
If the Response Token with Passcode is the method of authentication, the Connections window that first appears will look like the following:
Figure 3-51. Response Token with Passcode Option in Connections Window
The User Name might be displayed or a selection text box will prompt to select a User Name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.
1. If you are being prompted, select your User Name from the selection list.
2. Enter the PIN given to you by the network administrator on the pinpad of your RSA SecurID Card (see Figure 3-42).
3. Read the Passcode number from your RSA SecurID Card and type that number in the Passcode field.
4. Continue with the procedure described in “Completing the Connection” on page 80.
Group ID and Password Authentication
If Group ID and Password is the method of authentication, the Connections window that first appears will look like the following:
Figure 3-52. Group Password Connections Window
The User Name might be displayed or a selection text box will prompt to select a User Name from the scroll list. Whether the prompt appears depends on the setting when the configuration profile was defined.
1. If you are being prompted, select your User Name from the selection list.
2. Type the Group Password in the Password text box.
   NOTE: The Save Password feature only works on Macintosh computers and is not available on Linux and UNIX systems.
   You also may have the option of saving the password on the Client. If the Contivity Switch is configured to permit saving passwords, the Save Password check box will be active. Click this box if you want to save the password and not be prompted for it the next time you establish a connection.
3. Continue with the procedure described in “Completing the Connection” below.
Completing the Connection
Continue with the following steps to complete establishing a connection.

Depending on previous connections, you may have the option of disabling Keepalives. This would override the setting of the Contivity Switch. You can disable Keepalives at the Client, even if it has been enabled at the Contivity Switch. If Keepalives is disabled at the Contivity Switch, it cannot be enabled at the Client.

1. Click Connect.
   The Client Monitor window appears and displays a message screen while the connection is being made.

Figure 3-53. Negotiation in Progress Message
When negotiations between the Client and the Contivity Switch complete successfully, the Contivity VPN Client window with connection values is replaced by the Client Monitor window (see Figure 3-47). The Negotiation Status value in the Client Monitor window displays Successful. The other values are updated according to the Contivity Switch IPSec settings.

If the connection is not established:
• The Contivity VPN Client window is displayed, and the message "Notification with switch failed" is displayed.

The Client Monitor window periodically refreshes the Duration, Bytes In/Out, and Frames In/Out values as long as the Client is connected to the Contivity Switch.
Figure 3-54. Client Monitor Window
NOTE: You do not have to keep the browser window open once you have completed a connection. You may close the browser window or quit the browser application. The connection will stay unchanged. To access the Client again:
• On Macintosh OS X computers, click the Apani icon on the desktop.
• On other computers, click the expand arrow above the Apani icon on the Front Panel and choose an item from the pop-up menu.
Monitoring Connection History

Connection Statistics
The statistics for an established connection between the Client and the Contivity Switch are displayed in the Client Monitor window. The Client Monitor window appears as soon as a successful connection is established. The connection Duration, Bytes In/Out, and Frames In/Out values are periodically updated. To update those values in the window without waiting, click Refresh.
Figure 3-55. Client Monitor Window
If the Client Monitor window is not displayed and you want to display it:
• On Macintosh OS X computers: Click the Apani Contivity VPN Client URL on the desktop.
• On other computers:
  a. Click the expand arrow above the Apani icon on the Front Panel.
  b. Choose Extranet Access Client in the pop-up menu.
The Client Monitor window appears.
Setting Client Preferences

The Client Preferences window allows you to control the logging of audit information, to display the log files of audit information, to set the size of the log files, to control the display of audit messages, and to control configuration lockdown features.
Audit Controls
The Client logs audit messages to a log file. You can view the log file at any time. Audit controls are used to select the types of audit messages that are written to the log file and to set the maximum size of the log file. Four types of audit information may be logged. The four types of information are:

Information Type    Meaning
Security Audits     Indicates a possible penetration attempt.
System Audits       Indicates a failure of an operating system resource within the Client.
Protocol Audits     Indicates a failure of the key management or encapsulation protocol.
Trace Audits        Records actions provided by the key management and encapsulation protocols.
You can enable (or disable) log file archiving by selecting what (if any) information will be logged.
Controlling Audit Information Logging

Types of Information Logged
To select the logging of Client audit information and to select which types of information should be logged:
1. In the Client Monitor window, click Preferences.
   The Client Preferences window appears. If the Client Monitor window is not displayed, you can also view Preferences by:
   • On Macintosh computers: Click the Apani icon on the menu bar and select Preferences in the drop-down menu.
   • On other computers: Click the expand arrow above the Apani icon on the Front Panel and select Preferences in the pop-up menu.
Figure 3-56. Client Preferences Window
2. Select which of the four types of information you want to have logged. See “Audit Controls” on page 83.
3. Click Submit.
Changing the Log File Size
The Client maintains audit information in a log file. When the size of the log file reaches a maximum value, it is archived in an old log file (overwriting the previous old log file, if it exists) and a new log file is created. An audit message is written at the top of the new log file. This mechanism prevents audit information from filling the disk. The amount of time it takes for the log file to reach its maximum allowed size depends on which audit types are logged and how often the Client is run. The default maximum log file size is 1000 kilobytes.

To choose the log file maximum size:
1. In the Client Monitor window, click Preferences.
   The Client Preferences window appears (see Figure 3-56).
2. Type a value, in kilobytes, in Max Logfile Size to set the maximum log file size. The minimum setting is 10 Kb; the maximum setting is 10240 Kb.
3. Click Submit.
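As an added example, not the Client's own code and not taken from this guide, the following POSIX shell script reproduces the archiving rule just described: once the log reaches the configured size it is moved over the single old copy and a fresh log is started with one audit line. It also adds one step the Client does not perform, copying the old archive into a retention directory before it is overwritten, because the mechanism as described keeps only one generation of audit history. The file names, the retention directory and the audit line are constructed for this example.

```shell
#!/bin/sh
# Added example, not the Contivity Client's own code: a reproduction of the
# audit log archiving rule in the guide (one "old" copy, overwritten on each
# rotation, new log opened with an audit line) plus an optional retention
# copy that the Client itself does not make. Paths and messages are
# constructed for the example.

# Size of a file in whole kilobytes, rounded up; 0 if it does not exist.
file_size_kb() {
    [ -f "$1" ] || { echo 0; return 0; }
    echo $(( ( $(wc -c < "$1") + 1023 ) / 1024 ))
}

# Keep a timestamped copy of the old log so a rotation does not erase the
# only surviving archive. Returns 0 if there was nothing to copy.
preserve_archive() {
    old=$1; keepdir=$2
    [ -f "$old" ] || return 0
    mkdir -p "$keepdir" || return 1
    cp "$old" "$keepdir/$(basename "$old").$(date -u +%Y%m%dT%H%M%SZ)"
}

# Rotate when the log has reached max_kb. Prints "rotated" or "unchanged"
# so a caller can tell what happened; returns non-zero only on an error.
# keepdir may be empty, in which case the retention copy is skipped.
rotate_audit_log() {
    log=$1; max_kb=$2; keepdir=$3
    if [ "$(file_size_kb "$log")" -lt "$max_kb" ]; then
        echo unchanged
        return 0
    fi
    # Retention step (an addition, not part of the guide's mechanism).
    [ -z "$keepdir" ] || preserve_archive "$log.old" "$keepdir" || return 1
    mv -f "$log" "$log.old"   # overwrites the previous old log file
    # The new log starts with a single audit message, as the guide describes.
    printf '%s AUDIT log file archived to %s; new log started (limit %s KB)\n' \
        "$(date -u +%Y-%m-%dT%H:%M:%SZ)" "$log.old" "$max_kb" > "$log"
    echo rotated
}

# Example call with constructed paths, using the guide's 10 KB minimum:
#   rotate_audit_log /var/log/cvc.log 10 /var/log/cvc-archive
```

Run from cron or before each scheduled job, the retention directory accumulates every archive the Client would otherwise have overwritten; the check for `-lt "$max_kb"` mirrors the guide's wording that rotation happens when the log reaches the maximum, not only when it exceeds it.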
Configuration Locking
Configuration locking allows you to prevent a user from editing or deleting a connection profile, prevent a user from creating a new connection profile, and set a passphrase to prevent others from accessing configuration locking.
To set configuration locking:
1. In the Preferences window, click Configuration Locking.
   The Configuration Locking window appears.

Figure 3-57. Configuration Locking Window

To lock a configuration: All of the current connection profiles are listed in the Configuration Locking window.
1. Select (check) those configurations that you want to lock.
2. Click Submit.
   When a user selects a connection profile, the Edit and Delete buttons are not available.
Figure 3-58. Editing and Deleting of Configuration Locked
To prevent a user from defining a new connection:
1. In the Configuration Locking window, leave Allow New Configs unselected.

Figure 3-59. Disallowing a New Configuration

2. Click Submit.
   When a user selects a connection profile, the New button is not available.
Figure 3-60. Editing, Deleting, and Creating a New Configuration Locked
Figure 3-60 shows a connection for which configuration locking has been applied and new connections are not allowed. If new connections are not allowed but the configuration has not been locked, the user will be able to edit and delete a connection profile but not create a new one, as shown in Figure 3-61.

Figure 3-61. Creating a New Configuration Prohibited

To set a passphrase for configuration locking:
1. In the Configuration Locking window, type a passphrase in the Passphrase text box.
2. Type the passphrase a second time in the Repeat text box.
Figure 3-62. Specifying a Passphrase
3. Click Submit.
   The passphrase is set. The next time you click Configuration Locking in the Preferences window to set configuration locking, you will be prompted to enter the passphrase, as shown in Figure 3-63.

Figure 3-63. Passphrase Prompt for Configuration Locking

When the Configuration Locking window appears, the passphrase is cleared. If you want to set the passphrase to limit access the next time, you must enter it again as in the above steps.
Viewing Audit Information

To view logged audit information:
1. In any of the Client windows (Connections, Client Monitor, Certificate Management, Preferences, etc.), click Logfiles in the left-hand column.
   The log files are displayed in the Contivity VPN Client Log window.

Figure 3-64. Viewing Agent Status

2. When you are finished viewing the log files, close the Client Log window.
Disconnecting the Contivity VPN Client

To disconnect the Client from the Contivity Switch:
1. The Client Monitor window may already be displayed. If it isn’t, double click on the URL shortcut. The Client Monitor window appears.
   Or:
   a. Click the expand arrow above the Apani icon on the Front Panel.
   b. Choose Extranet Access Client in the pop-up menu.
   The Client Monitor window appears.
2. In the Client Monitor window, click Disconnect.
   A status message is displayed informing you that the network session is no longer established.
Command Line Interface

On Macintosh OS X and Linux computers only, the Client provides a command line interface. The command line interface does not duplicate the functionality of the graphical user interface (GUI). It does, however, provide a means of connecting to and disconnecting from the Contivity Switch. The command line interface can be used in shell scripts to connect to the Contivity Switch, perform some functions such as file transfers, and disconnect.

IMPORTANT: You must be careful with the file permissions for scripts that invoke the command line utility. If you embed Contivity connection information, such as usernames and passwords, in scripts that invoke the command line utility, the information may be disclosed to other users who have read access to your scripts. There is no way to prevent users with Administrator (Mac OS X) or root privileges from reading your files. If you use a single line command to invoke the command line utility, the connection information (including username/password) in the command can be seen by other users who run process monitoring utilities or have access to logs of processes run on your computer.

The format of the command is:
   cvc [-c <connect string>|-p|-q|-d|-h|-v]
The options are:

   <connect string> = connection:username:password

   -c <connect string>   connect      connects to the Contivity Switch using <connect string>
   -p                    prompt       prompts for <connect string>, then connects to the Contivity Switch using <connect string>
   -q                    read         reads <connect string> from stdin, then connects to the Contivity Switch using <connect string>
   -d                    disconnect   disconnects from the Contivity Switch
   -h                    help         displays a list of command options
   -v                    version      displays the current version and build number of the Client
IMPORTANT: When defining a connection profile (see “Defining a New Connection Profile” on page 61), if you leave Prompt unselected, you will not be prompted for a User ID when establishing a connection using the GUI. The same default applies when using the command line interface. If Prompt is unselected, you should not enter a username as part of the <connect string>. Doing so will cause an error. Without the username prompt, the <connect string> should look like: connection::password. Note that two colons are still used.
NOTE: If the browser is open and the Client Window is displayed when you connect using the command line interface, the Client Window is not updated. You must first use the browser Refresh or Reload command to update the window.
Example 1:
   # cvc -h
   Contivity VPN Client Command Line Interface
   Usage: cvc [-c <connect string>] [-pqdvh]
     -c  connect using specified connect string
     -p  prompt for connect string and connect
     -q  read connect string from stdin and connect
         connect string = connection:username:password
     -d  disconnect
     -v  display version
     -h  help

Example 2:
   # cvc -c connection_name:username:password
   Connects the Client to the Contivity Switch using the connection named in the connect string, then passes the user name and password to the Contivity Switch to establish the Client-to-Contivity Switch connection.

Example 3:
   # cvc -d
   Disconnects the Client from the Contivity Switch.
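The following POSIX shell script is an added example and is not part of this guide or of the Apani client. It shows one way to honour the IMPORTANT notes above when calling cvc from a script: the connect string is assembled at run time and handed to cvc on stdin with -q, so it never appears on a command line (where process monitors would show it) and the password is never written into the script itself. It assumes cvc is on the PATH and accepts -q and -d as documented; the credentials file layout (three lines: connection name, username, password) and the paths are constructed for the example.

```shell
#!/bin/sh
# Added example, not code from the Contivity guide or the Apani client.
# Assumed: cvc is on PATH and takes -q (connect string on stdin) and -d
# (disconnect) as documented. Constructed for this example: a credentials
# file with three lines, connection name, username (empty when the profile
# was defined with Prompt unselected) and password, readable only by the
# owner.

# Assemble "connection:username:password". With Prompt unselected the
# username is left empty but both colons remain: "connection::password".
build_connect_string() {
    conn=$1; user=$2; pass=$3
    [ -n "$conn" ] || { echo "connection name is required" >&2; return 1; }
    case "$conn$user$pass" in
        *:*) echo "fields must not contain ':'" >&2; return 1 ;;
    esac
    printf '%s:%s:%s\n' "$conn" "$user" "$pass"
}

# Refuse a credentials file whose mode grants anything to group or others:
# anyone with read access to the file can read the password in it.
check_secret_perms() {
    f=$1
    [ -f "$f" ] || { echo "missing credentials file: $f" >&2; return 1; }
    # GNU stat uses -c, BSD/macOS stat uses -f; both print the octal mode.
    mode=$(stat -c '%a' "$f" 2>/dev/null || stat -f '%Lp' "$f")
    case "$mode" in
        *00) return 0 ;;
        *)   echo "refusing $f: mode $mode is readable by group/others" >&2
             return 1 ;;
    esac
}

# Connect using a connect string built from the credentials file and handed
# to cvc on stdin, so the password never appears in the process list.
cvc_connect() {
    credfile=$1
    check_secret_perms "$credfile" || return 1
    conn=$(sed -n 1p "$credfile")
    user=$(sed -n 2p "$credfile")
    pass=$(sed -n 3p "$credfile")
    cs=$(build_connect_string "$conn" "$user" "$pass") || return 1
    printf '%s\n' "$cs" | cvc -q
}

# Run a command over the tunnel and always disconnect afterwards, even when
# the command fails, so a finished job does not leave the VPN session up.
run_over_vpn() {
    credfile=$1; shift
    cvc_connect "$credfile" || return 1
    "$@"; rc=$?
    cvc -d
    return $rc
}

# Typical use from a script (hypothetical paths):
#   run_over_vpn "$HOME/.contivity/creds" scp report.csv fileserver:/incoming/
```

The permission check only covers what the guide calls out (other ordinary users with read access); as the guide also notes, nothing in a script prevents an administrator or root from reading the credentials file.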
Glossary
AH
See: Authentication Header.
Anti-Replay Protection
A form of partial sequence integrity. It detects the arrival of duplicate IP packets (within a constrained window) and the arrival of IP packets out of sequence. See also: Integrity.
Authentication
(1) The verification of the identity of a user, device or other entity in a computer system, usually as a prerequisite to allowing access to system resources. (2) The verification of data that have been stored, transmitted, or exposed to possible unauthorized modification.
Authentication Header (AH)
An upper-level header located between the IP header and the payload within an IP packet. The AH includes an integrity check value (ICV) for the contents of the IP packet. The exact nature of the checksum depends upon the method selected during configuration. It is used to ensure the integrity of the entire IP packet, including both the payload and the IP header. The AH does not provide data confidentiality.
Authentication Information
The public key information needed to authenticate a digital signature.
Authorization
The granting of privileges, which includes the granting of access based on previously authorized access.
Compression
See: Data Compression.
Confidentiality
The protection of data from unauthorized disclosure. Usually, the unauthorized disclosure of application level data is the primary concern, but the disclosure of the external characteristics of communication can also be a concern in some circumstances. The traffic flow confidentiality service addresses this latter concern by concealing source and destination addresses, message length, or frequency of communication. In the IPSec context, using Encapsulating Security Payload (ESP), especially at a security gateway, can provide some level of traffic flow confidentiality.
Data Compression
Encoding data to take up less storage space. Digital data is compressed by finding repeatable patterns of binary 0s and 1s. The more patterns can be found, the more the data can be compressed. Text can generally be compressed to about 40% of its original size, and graphics files from 20% to 90%. Data compression, as used in the Contivity VPN Client, is applied to the data before encryption.
Data Encryption Standard (DES)
A standard encryption algorithm providing a high degree of protection. DES has a key length of 56 bits and meets U.S. government approval for general export. See also: Triple DES.
Data Integrity
The property that data has not been altered or destroyed in an unauthorized manner.
Data Origin Authentication
The corroboration that the source of data received is as claimed.
Decryption
See: Encryption.
Denial of Service
Denotes attacks that do not cause a security violation as such, but harm the availability of a service. For example, someone sending a large number of forged packets to a host could degrade the performance of the host.
DES
See: Data Encryption Standard.
Digital Signature
Data appended to, or a cryptographic transformation of, a data unit that allows a recipient of the data unit to prove the source and integrity of the data unit and protect against forgery (e.g., by the recipient).
Encapsulating Security Payload (ESP)
An OSI layer 3 connection or connectionless security protocol. In general, ESP provides for the following: peer entity authentication, data origin authentication, access control services, connection confidentiality, connectionless confidentiality, traffic flow confidentiality, connection integrity without recovery, and connectionless integrity.
Encapsulation
The process of wrapping a packet, or some part of it, in a security envelope to provide the means for network devices to check the authentication of the sending node and the integrity of the data.
Encryption
A security mechanism used for the transformation of data from an intelligible form (plaintext) into an unintelligible form (ciphertext) to provide confidentiality. The inverse transformation process is termed decryption, but encryption is often used generically to refer to both processes.
Entity
A device attached to a network and identified by an internetwork address, network number, or any combination. Components are comprised of one or more entities.
ESP
See: Encapsulating Security Payload.
Extranet
(1) A semi-permanent WAN connection over a public network between a corporation and its business associations, such as partners, customers, suppliers, and investors. (2) A Web site for existing customers rather than the general public. It can provide access to paid research, current inventories and internal databases, and virtually any information that is private and not published for everyone. An extranet uses the public Internet as its transmission system, but requires passwords to gain access. See also: Internet, Intranet.
File Encryption
File encryption software is specific to particular operating systems, and does not protect data during remote logins or when updating records across a network.
Firewall
(1) A combination of hardware and software that separates a LAN into two or more parts for security purposes. (2) A router or workstation with multiple network interfaces that controls and limits specific protocols, types of traffic within each protocol, types of services, and direction of the flow of information.
Host
Any computer on a network that is a repository for services available to other computers on the network. It is quite common to have one host machine provide several different services.
ICV
See: Integrity Check Value.
Identity-Based Security Policy
A security policy based on the identities and/or attributes of users, a group of users, or entities acting on behalf of the users and the resources/objects being accessed.
IKE
See: Internet Key Exchange.
Integrity
A security service ensuring that data modifications are detected.
Integrity Check Value (ICV)
A value that is derived by performing an algorithmic transformation on the data unit for which data integrity services are provided. The ICV is sent with the protected data unit and is recalculated and compared by the receiver to detect data modification.
Intrusion Detection
A generic term for detecting network penetration attempts by observing activities on the network.
Internet
(1) A large network made up of a number of smaller networks. (2) "The" Internet is made up of more than 100,000 interconnected networks in over 100 countries, comprised of commercial, academic and government networks. See also: Extranet, Intranet.
Internet Key Exchange (IKE)
A key management protocol that provides secure management and exchange of cryptographic keys between distant devices. IKE also provides a secure way to transmit keys. IKE uses public-key cryptography to create a secure association. That association is then used to perform a secure second public-key exchange, resulting in a symmetric key for encryption.
Intranet
An in-house Web site serving the employees of the enterprise. Although intranet pages may link to the Internet, an intranet is not a site accessed by the general public. The term has become so popular that it is often used to refer to any in-house LAN and client/server system. See also: Extranet, Internet.
IPSec
Internet Protocol Security. A set of protocols for authentication, privacy, and data integrity that is transparent to the underlying network infrastructure and can be configured to run in two distinct modes—tunnel mode and transport mode.
IPSec is implemented at the packet processing layer of network communication, as opposed to earlier security approaches that were implemented at the application layer. IPSec provides two choices of security service: Authentication Header (AH), which allows authentication of the sender, and Encapsulating Security Payload (ESP), which supports both authentication of the sender and encryption of data. The specific AH and ESP information is inserted into the packet as a header that follows the IP packet header. Separate key protocols, such as ISAKMP, can be selected. See also: Authentication, Authentication Header (AH), Encapsulating Security Payload (ESP), Internet Key Exchange (IKE), and ISAKMP.
ISAKMP
Internet Security Association and Key Management Protocol. The IPSec standard procedures and packet formats to establish, negotiate, modify and delete Security Associations (SA) and for defining payloads for exchanging key generation and authentication data. See also: Authentication, Internet Key Exchange (IKE), and IPSec.
IS Router
Intermediate Services Router. A router, acting as a security gateway, usually placed between an intranet and the public network. See also: Router.
Key Generation
Method of establishing key materials used in ciphering functions.
Key Management
The generation, storage, distribution, deletion, archiving, and application of keys in accordance with a security policy.
LAN
(Local Area Network) See Intranet.
Logging
The process of maintaining a diary of the occurrence of security relevant events.
Logging Trail
A chronological record of system activities that can be used to reconstruct and review the sequence of activities surrounding or leading to an operation, procedure, or event in a transaction from its inception to final results.
LZS
An algorithm used for data compression. See also: Data Compression.
NAT
See: Network Address Translator.
Network Address Translator (NAT)
Usually implemented in a firewall or router at the boundary between a company's intranet and the public Internet, maintaining a mapping between internal IP addresses and external public IP addresses. The internal addresses are not advertised outside of the intranet and can remain private (in the case of globally ambiguous addresses), or secret (in the case of globally unique addresses).
Packet Filtering
A method for determining how passing IP packets should be handled. Packet filtering is applied to all IP packets passing the IPSec engine. Packet filtering may modify the IP packet, pass it intact, or even drop it. See also: Port Filtering.
Perfect Forward Secrecy
Forces the regeneration of keying material for each new Security Association (SA) and/or completely separates authentication encryption from data encryption.
Port Filtering
Allows communications to be limited to certain specific applications.
Protocol
A set of rules that governs the communication and exchange of data between system elements and that provides a basic level of service in a system.
Protocol Alerts
An alert indicating a failure of the key management or encapsulation protocol.
RC4
An encryption algorithm that provides solid, mid-range protection using a variable-length encryption key. RC4/128 key length is 128 bits and is approved for limited export. RC4/40 key length is 40 bits and meets U.S. government standards for general export.
Repudiation
Denial by one of the entities involved in a communication of having participated in all or part of the communication.
Router
A special-purpose dedicated system that connects several networks and makes decisions about which of several paths network traffic will take. The process may be repeated several times on a single packet by multiple routers until the packet is delivered to its final destination. To accomplish this, a routing protocol is used to gather information about the network, and algorithms based on several criteria known as “routing metrics” choose the best route. See also: IS Router.
Security Audit
An independent review and examination of system records and activities in order to test for adequacy of system controls, to ensure compliance with established policy and operational procedures, to detect breaches in security, and to recommend any indicated changes in control, policy, and procedures.
Security Audit Trail
Data collected and potentially used in a security audit.
Security Controls
Hardware, firmware, and software features within a system that restrict access of resources to authorized users, devices, or entities only.
Security Gateway
An intermediate system acting as a communications interface between two networks. The internal subnetworks and hosts served by a security gateway are presumed to be trusted because of shared local security administration. The set of hosts and networks on the external side of the security gateway is viewed as not trusted or less trusted.
Security Policy
The set of laws, rules, and practices that regulate how an organization manages, protects, and distributes sensitive information.
Security Service
The technology-based security functions provided by a networking system. They are Authentication Services, Access Control Services, Confidentiality Services, Data Integrity Services, and Non-repudiation Services.
Subject
An active entity, either a person, device, or process, that causes information to flow among objects or changes the system state.
Subnet
A portion of a network (which may be a physically independent network) that shares a network address with other portions of the network and is distinguished by a subnet number. A subnet is to a network what a network is to an internet.
Subnet Number
A part of the internet address that designates a subnet. It is ignored for the purposes of internet routing, but is used for intranet routing.
TCP
Transmission Control Protocol. The major Internet transport protocol, which provides reliable, connection-oriented, full-duplex streams.
Threat
Any circumstance or event which has the potential to cause harm to a system. Harm may arise in the form of destruction, modification, or disclosure of data, and/or denial of service.
Transformation
A particular type of change applied to an IP packet. ESP encryption and AH integrity are types of transformations. A Security Association supplies the keys and other association-specific data to a transformation.
Transformation Sequence
A set of transformations applied to an IP packet one after another. For example, an outgoing IP packet can be protected first with an ESP to ensure data confidentiality and higher level data integrity, and then with an AH to protect the integrity of the IP header carrying the IP packet. In this case, the transformation sequence consists of an ESP transformation followed by an AH transformation. IPSec supports other types of transformations, and therefore transformation sequences may occasionally be rather long, even 5 or 6 stages. However, most transformation sequences typically consist of just one or two steps.
Transport Mode
As opposed to tunnel mode wherein the entire packet, including the IP header, is wrapped in the packet protection of a tunnel and a new IP header is prepended to the packet, in transport mode, the IP header is sent in the normal, unencapsulated format.
Triple DES
A stronger iteration of the Data Encryption Standard, Triple DES is designed to resist focused, persistent attacks by well-financed, expert cryptanalysts. The U.S. government restricts Triple DES to domestic use and limited export.
Tunnel Mode
Packet transmission wherein the entire packet, including the IP header, is wrapped in the packet protection of a tunnel and a new IP header is prepended to the packet.
Unsecured Communications
Unencrypted, non-firewalled, or unprotected communications between two network computers.
Virtual Private Network (VPN)
A temporary, secure connection over a public network, usually the Internet.
Index
A
address of Contivity Switch 62
address, DNS 62
allowing new configurations 87
audit information 90
audit information
  controlling 83
  logging 84
  viewing 90
authentication 13
autoconnect 14
B
bulleted lists 4
C
Certificate Authority
  Netlock Manager 51
  third party 51
Certificate Management window 52
certificates
  managing 51
Client
  disconnecting 91
  discussion about 8
  log file archiving 83
  new connection 61
  preferences 83
  purpose 8
  re-connecting 74
  registering license code 33
Contivity VPN Client, See Client
Client Log window 90
command line interface 47
commands
  start_cvc 49
compression 14
configuration locking 86
Configuration Locking window 86
configuring the Contivity Switch 13
connecting the Client 61
connection profile 61
Connections window 49
Contivity Switch
  address 62
  configuring 13
  description of 8
  purpose 8
controlling
  audit information logging 84
  log file size 85
conventions
  keyboard 3
  terminology 4
  typographical 3
customizing graphics 43
D
database authentication 13
disabling Keepalives 70, 80
disconnecting the Client 91
display banner 14
DNS Lookup 62
E
encryption 14
establishing a new connection 61
F
Failover 14
failover 14
forced logoff 14
G
graphical user interface (GUI) 47
graphics files
  headbar.gif 43
graphics, customizing 43
group ID 63
H
headbar.gif file 43
I
information
  status 90
  trace 83
installing
  Client for Linux 25
  Client for Macintosh OS X 19
  Client for Solaris 28
  Client for Windows Mobile 31
IPSec
  Contivity Switch settings 13
K
Keepalives, disabling 70, 80
keyboard conventions 3
L
LDAP 13
license code 33
Linux
  installing Client on 25
  removing Client from 38
  system requirements 5
locking a configuration 86
log file archiving for Clients 83
M
Macintosh OS X
  installing Client on 19
  removing Client from 36
  system requirements 5
managing the use of certificates 51
N
Nortel Contivity Switch, See Contivity Switch
numbered lists 4
O
obtaining a license code 33
operation of Client 8
organization of document 2
overview of product 8
P
password
  with Group ID 63
  with user name 63
perfect forward secrecy 14
PIN 69, 77
Preferences window 84
preferences, setting 83
prevent defining a new connection profile 87
prevent deleting a connection profile 86
prevent editing of connection profile 86
product overview 8
product registration 33
R
radius authentication 14
re-connecting the Client 74
registration of Client 33
removing
  Client from Linux 38
  Client from Macintosh OS X 36
  Client from Solaris 40
requirements, system 5
S
security policies 8
setting configuration locking 86
setting preferences 83
Solaris
  installing Client on 28
  removing Client from 40
  system requirements 6
split tunneling 13
start_cvc command 49
status information 90
supported settings 13
system requirements
  Linux 5
  Macintosh OS X 5
  Solaris 6
T
timeout 14
trace information 83
tunneling 13
typographical conventions 3
typographical terminology 4
U
user interface
  command line 47
  graphical (GUI) 47
user name 63
using certificates 51
V
viewing audit information 90
W
windows
  Certificate Management 52
  Client Log 90
  Configuration Locking 86
  Connections 49
  Preferences 84
Windows Mobile
  installing Client on 31
X
X.509v3 certificates
  format 51