Configuration Guide Contivity Secure IP Services Gateway

Transcription

1 Contents Contents... 1 Overview... 1 Configuring Nailed UP Connection... 3 Configuration using GUI... 3 Event Log messages... 9 Configuration using CLI... 9 Sample Configuration Setup Configuring CES Configuring CES Testing the configuration Overview Before the introduction of the Nailed Up Connections feature branch office (BO) connections were established as a result of receiving data destined for some remote network or host. The initial data (one or more packets) would be discarded until the tunnel establishment was complete. Once the connection was established, data would then be successfully delivered. This type of branch office connection is known as an ondemand connection. In some networks setups it might be necessary to have some branch office tunnels remain up even when there is no traffic traversing the tunnel. These Nailed up branch office connections are established at system start-up or during re-configuration. These connections do not require data to trigger the establishment of the tunnel. Thus, when initial data arrives for a remote network the tunnel establishment may have already been completed and the data can be delivered. If the tunnel establishment is not complete prior to receiving data for the remote network, (i.e. connection establishment exchange in progress or the remote gateway not reachable), then the data is discarded. The nailed up connections are typically used with the ABOT tunnels, where the Central Office (CO) is a responder and the Remote Office (RO) is an initiator. If for example there are some servers on the CO side that need to start the conversation with the client on the RO side, without the connection being established the server would not be able to start the connection as it is on the responder side. When non-nailed up connections are configured the branch office routes appear in the routing table regardless of the connection state Up or Down, while in nailed up connections the branch office routes appear in the routing table only when the connections are established. CG September 2003 Page: 1 of 29

2 A branch office connection has a single logical connection establishment with the remote gateway. This connection (once established) uses a defined keep-alive mechanism in order to insure reachability to the remote gateway. During system start-up, each branch office connection configured as nailed-up will be initiated (Figure 1). Once successfully established, the keep-alive mechanism will insure the connection remains active as long as both gateways remain active and reachable. The idle timer for such connections will be disabled. Unlike on-demand connections, nailed-up connections do not require data activity in order to keep the tunnel established. Thus, nailed-up connections will remain established until the keep-alive mechanism determines the remote side is not reachable or some reconfiguration triggers termination. Contivity BO Contivity Host 1 Contivity 1 Contivity 2 Host 2 System Start Up Establish connection Successful Keep-alive Keep-alive System down Re-establish Nailed Up Retry Expiry Keep-alive Keep-alive Establish connection Establish connection Figure 1 CG September 2003 Page: 2 of 29

3 Configuring Nailed UP Connection Configuration using GUI Navigate Profiles Branch Office to configure the Nailed UP connection. Select the group the tunnel belongs to from the drop-down list next to the Group tab: CG September 2003 Page: 3 of 29

4 Once the group is selected the screen refreshes showing the configured tunnels for the group. Click Configure next to the group: Note: The Branch Office screen for the versions prior to V04_80 looks a bit different. Select the group the tunnel belongs to and click Edit next to the group: CG September 2003 Page: 4 of 29

5 The Branch Office Edit Group screen appears. Click Configure under the Connectivity tab: CG September 2003 Page: 5 of 29

6 The Branch Office Edit Connectivity screen appears. The Nailed Up feature is disabled by default. Click Configure next to the Nailed Up tab to change the setting: CG September 2003 Page: 6 of 29

7 Screen refreshes allowing changes to the setting. Select Enabled from the drop-down list and click OK at the bottom of the page to enable the Nailed Up feature: CG September 2003 Page: 7 of 29

8 The connections which belong to the selected group will be nailed up connections: The Return to Branch Office link will take you back to the Branch Office screen. CG September 2003 Page: 8 of 29

9 Event Log messages The nailed up feature has been turned on: 09/24/ :11:57 0 thttpd [33] DbGatewayGroups.Group[ou=Branch Group, ou=gateways, o=bay Networks, c=us].accounts.account[general,- ].TunnelNailedUp changed from 'FALSE' to 'TRUE' by user ' ' Configuration using CLI To configure Contivity using CLI you need to either telnet to Contivity or connect to it through serial interface -> option L on the menu. CES>enable Password: To start configuration: CES#configure terminal Enter configuration commands, one per line. End with Ctrl/z To enter the branch office group (/Base/Branch Group) connectivity configuration menu: CES(config)#bo-group connectivity "/Base/Branch Group" CES(config-bo_group/con)# To enable the nailed up feature for the group: CES(config-bo_group/con)#nailed-up To disable the nailed up feature: CES(config-bo_group/con)#no nailed-up CES(config-bo_group/con)#exit CG September 2003 Page: 9 of 29

10 To view the branch group connectivity parameters: CES(config)#show bo-group connectivity "/Base/Branch Group" Connectivity Settings: Access Hours Call Admission Priority : Anytime : highest Forwarding Priority : low Idle Timeout Forced Logoff : 00:15:00 : 00:00:00 Nailed Up : Enabled RSVP RSVP: Token Bucket Depth : Disabled : 3000 RSVP: Token Bucket Rate : 28 User Bandwidth Policy: Committed Rate User Bandwidth Policy: Excess Rate : : User Bandwidth Policy: Excess Action : MARK CES(config)#exit CES# Sample Configuration Setup / / /24 CES1 CES2 CES1, code version V04_80, management IP /24, private IP /24, public IP /24; CES2, code version V04_80, management IP /24, private IP /24, public IP /24. The goal is to configure a nailed up IPSec ABOT branch office connection with CES1 being the initiator and CES2 the responder. CG September 2003 Page: 10 of 29

11 Configuring CES1 Set the IP address for the management ( ), private ( ) and public ( ) interfaces: Configure BO. Navigate Profiles Branch Office. Click Add under the Connections tab: CG September 2003 Page: 11 of 29

12 Enter the Connection Name (Initiator BO), select the connection type to be the Initiator, leave the rest of the fields to their defaults. Click OK: The Connection Configuration screen appears: CG September 2003 Page: 12 of 29

13 Check the box next to Enable to enable the connection: Leave the Local Gateway Interface to (None). Set the public IP address of the CES2 ( ) to be the Remote IP Address: Let the Authentication be the Text Pre-Shared Key. Enter the Initiator ID (ces) and the Text pre-shared key (test): Let the routing be Static. Click the Create Local Network button: Type in the name for the network ( ) and click Create: CG September 2003 Page: 13 of 29

14 Enter the IP Address and the Mask for the local network (CES1 private network /24). Click Add: The network is listed under the Current Subnets. Click Close: CG September 2003 Page: 14 of 29

15 Follow the link in the top-right corner to return to the BO configuration: Select the created network from the drop-down list next to Local Network: Click Add under the Remote Networks tab to add remote network: Enter the IP Address and Mask for the remote network (CES2 private network /24), make sure Enabled is selected. Click OK: CG September 2003 Page: 15 of 29

16 The network is listed under the Remote Networks tab: Once all the parameters have been set, click OK at the bottom of the page: CG September 2003 Page: 16 of 29

17 At this point the configuration of initiator BO is complete: Configure the connection to be nailed-up. Click Configure next to the group the tunnel belongs to: CG September 2003 Page: 17 of 29

18 Click Configure under the Connectivity tab: CG September 2003 Page: 18 of 29

19 Select Enabled from the drop-down list next to Nailed Up and click OK at the bottom of the screen: The connections in this group will be nailed up: CG September 2003 Page: 19 of 29

20 Configuring CES2 Configure IP address for the management ( ), private ( ) and public ( ) interfaces: CG September 2003 Page: 20 of 29

21 Configure the BO. Navigate Profiles Branch Office. Click Add under the Connection tab: Enter the Connection Name (Responder BO); select the Responder Connection Type; leave the rest of the fields to their defaults. Click OK: CG September 2003 Page: 21 of 29

22 Check the box next to Enable, leave the authentication to Text Pre-Shared Key, type in the Initiator ID (ces) and Text Pre-Shared Key (test). Create and select the Local Network (CES2 private network /24) and add the Remote Network (CES1 private network /24) in the same manner as for the CES1: CG September 2003 Page: 22 of 29

23 The responder BO is configured: CG September 2003 Page: 23 of 29

24 Testing the configuration Before the CES1 establishes the connection check the routing table. If the connection has been established Logoff the connection first on the Status Sessions screen: Click OK on the confirmation screen to log off the tunnel: Or log off the branch office location via CLI: CES#forced-logoff bo-conn all CG September 2003 Page: 24 of 29

25 Check the routing table on CES1. To check the routing table via GUI navigate Routing Route table. Click Route Table: CG September 2003 Page: 25 of 29

26 Note the absence of the static branch office connection to the CES2 private side: To check the routing table via CLI: CES#show ip route Protocol IP Address Mask Cost Next Hop Interface DIRECT [0] DIRECT [0] DIRECT [0] DIRECT [0] DIRECT [0] Total route(s) 5 CG September 2003 Page: 26 of 29

27 Let CES1 bring the connection up and check the routing table again on CES1. Note, once the connection has been established the branch office route is inserted in the routing table: CES#show ip route Protocol IP Address Mask Cost Next Hop Interface DIRECT [0] DIRECT [0] DIRECT [0] STATIC [10] DIRECT [0] DIRECT [0] Total route(s) 6 CG September 2003 Page: 27 of 29

28 Check the log on CES1: 10/10/ :32:35 0 Branch Office [01] IPSEC branch office connection initiated to rem[ ]@[ ] loc[ ] 10/10/ :32:35 0 Security [11] Session: IPSEC[ ] attempting login 10/10/ :32:35 0 Security [01] Session: IPSEC[ ] has no active sessions 10/10/ :32:35 0 Security [01] Session: IPSEC[ ] Initiator BO has no active accounts 10/10/ :32:35 0 Security [01] Session: IPSEC[ ]:104 SHARED-SECRET authenticate attempt... 10/10/ :32:35 0 Security [01] Session: IPSEC[ ]:104 attempting authentication using LOCAL 10/10/ :32:35 0 Security [11] Session: IPSEC[ ]:104 authenticated using LOCAL 10/10/ :32:35 0 Security [11] Session: IPSEC[ ]:104 bound to group /Base/Initiator BO 10/10/ :32:35 0 Security [01] Session: IPSEC[ ]:104 Building group filter permit all 10/10/ :32:35 0 Security [01] Session: IPSEC[ ]:104 Applying group filter permit all 10/10/ :32:35 0 Security [11] Session: IPSEC[ ]:104 authorized 10/10/ :32:35 0 McRelay [00] Received circuit up for circuit num = 67. local /10/ :32:35 0 McRelay [00] MC circuit enabled. circuit num = 67, ifp 184cb94 10/10/ :32:35 0 RTM [10] netwrite RTM_RouteDef: N M NumNH 1 NH CM 0x74513d0 10/10/ :32:35 0 RTM [00] writenewentry: adding new: to /10/ :32:35 0 RTM [00] NextHop:newEntry NextHop: NHI C 67 CM 0x74513d0 PR (6c191f4) /10/ :32:35 0 Branch Office [01] BranchOfficeCtxtCls::InstallRoute: Route installed for rem[ ]@ /10/ :32:35 0 RTM [00] Best::nextRoute fini for 0x40 10/10/ :32:35 0 ISAKMP [02] ISAKMP SA (aggressive-mode) established with /10/ :32:35 0 BaseCmsClient [00] RipCmsClient::New() : handling new circuit event for circuit 67 [0x59507a0]. 10/10/ :32:35 0 RTM [00] Best::nextRoute fini for 0x1 10/10/ :32:35 0 DHCP Relay Table [00] Circuit config node for interface inserted 10/10/ :32:36 0 Security [11] Session: network IPSEC[ ] attempting login 10/10/ :32:36 0 Security [11] Session: network IPSEC[ ] logged in from gateway [ ] 10/10/ :32:36 0 Security [12] Session: IPSEC[ ]:104 physical addresses: remote local /10/ :32:36 0 Security [12] Session: IPSEC[-]:105 physical addresses: remote local /10/ :32:36 0 Outbound ESP from to SPI 0x0012f8c0 [03] ESP encap session SPI 0xc0f81200 bound to cpu 0 10/10/ :32:36 0 Inbound ESP from to SPI 0x0018e687 [03] ESP decap session SPI 0x87e61800 bound to cpu 0 10/10/ :32:36 0 Branch Office [00] CG September 2003 Page: 28 of 29

29 BranchOfficeCtxtCls::RegisterTunnel: loc[ ] overwriting tunnel context [ffffffff] with [6fa87e0] 10/10/ :32:36 0 ISAKMP [03] Established IPsec SAs with : 10/10/ :32:36 0 ISAKMP [03] ESP 56-bit DES-CBC-HMAC-MD5 outbound SPI 0x12f8c0 10/10/ :32:36 0 ISAKMP [03] IPcomp LZS outbound CPI 0x /10/ :32:36 0 ISAKMP [03] ESP 56-bit DES-CBC-HMAC-MD5 inbound SPI 0x18e687 10/10/ :32:36 0 ISAKMP [03] IPcomp LZS inbound CPI 0x4885 Copyright 2005 Nortel Networks Limited - All Rights Reserved. Nortel, Nortel Networks, the Nortel logo, Globemark, and Contivity are trademarks of Nortel Networks Limited. The information in this document is subject to change without notice. The statements, configurations, technical data, and recommendations in this document are believed to be accurate and reliable, but are presented without express or implied warranty. Users must take full responsibility for their applications of any products specified in this document. The information in this document is proprietary to Nortel Networks Limited. To access more technical documentation, search our knowledge base, or open a service request online, please visit Nortel Networks Technical Support on the web at: If after following this guide you are still having problems, please ensure you have carried out the steps exactly as in this document. If problems still persist, please contact Nortel Networks Technical Support (contact information is available online at: We welcome you comments and suggestions on the quality and usefulness of this document. If you would like to leave a feedback please send your comments to: CRCONT@nortel.com Author: Kristina Senkova CG September 2003 Page: 29 of 29