Home
Avaya Configuring Branch Office Tunnel between a Contivity and a BayRS Router User's Manual
Contents
1. _ _ OK TT040916 1 00 September 2004 Page 8 of 29 Tech Tip ge Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router 13 Click the New Proposal button to set up a proposal list defining the encryption integrity capabilities of the CES The CES and the ARN need to have at least one option in common in order to establish a tunnel For simplicity only 3DES MD5 is selected in this example however as many selections can be checked as needed Click Done when finished i o Proposal Name 3330 CTESI Routers supporting 3DES only 3DES SHAL 3DES All Routers DES MDS 56bit DES SHAL 56bit DES NONE 56bit NONE MDS M NONE SHAL A Edit Proposal Delete Proposal Expiry Type C Megabytes fe Minutes 480 Help Cancel Done 14 Click the button labeled None next to Priority 1 select the proposal just created and click OK Add Proposal to Policy 10 1 1 1 a Add Proposal to Policy Tuned to CES SA Attributes DISA pa um Anti Replay Window Size 64 F SA Destination 108 1 1 2 cl lt click button to select ne Proposals lt click buttc ee ECES Tunnel i Priority TT040916 1 00 September 2004 Page 9 of 29 NORTEL Tech Tip NETWORKS Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router 15 The c
2. 01 Session IPSEC 10 1 1 1 11 Building group filter permit all 09 16 2004 14 45 37 0 Security 01 Session IPSEC 10 1 1 1 11 Applying group filter permit all 09 16 2004 14 45 37 0 Security 11 Session IPSEC 10 1 1 1 11 authorized 09 16 2004 14 45 37 0 ISAKMP 02 ISAKMP SA established with 10 1 1 1 09 16 2004 14 45 37 0 Security 11 Session network IPSEC 2 1 1 0 255 255 255 0 attempting login 09 16 2004 14 45 37 0 Security 11 Session network IPSEC 2 1 1 0 255 255 255 0 logged in from gateway 10 1 1 1 09 16 2004 14 45 37 0 Security 12 Session IPSEC 10 1 1 1 11 physical addresses remote 10 1 1 1 local 10 1 1 2 09 16 2004 14 45 37 0 Security 12 Session IPSEC 12 physical addresses remote 10 1 1 1 local 10 1 1 2 09 16 2004 14 45 37 0 Outbound ESP from 10 1 1 2 to 10 1 1 1 SPI 0x57 a39fd 03 ESP encap session SPI 0xfd39fa57 bound to s w on cpu 0 09 16 2004 14 45 37 0 Inbound ESP from 10 1 1 1 to 10 1 1 2 SPI 0x00206994 03 ESP decap session SPI 0x94692000 bound to s w on cpu 0 09 16 2004 14 45 37 0 Branch Office 00 4f 5eb08 BranchOfficeCtxtCls RegisterTunnel rem 2 1 1 0 255 255 255 0 10 1 1 1 loc 3 1 1 0 255 255 255 0 overwriting tunnel context 0 with 4 51290 TT040916 1 00 September 2004 Page 16 of 29 Tech Tip ii ORK Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router 09 16 2004 14 45 37 0 ISAKMP 03 Established IPsec SA
3. 0x303952c0 bound to s w on cpu 0 09 16 2004 14 48 49 0 Inbound ESP from 10 1 1 1 to 10 1 1 2 SPI 0x00140fa3 03 ESP decap session SPI 0xa30f1400 bound to s w on cpu 0 09 16 2004 14 48 49 0 Branch Office 00 4f 5eb08 BranchOfficeCtxtCls RegisterTunnel rem 2 1 1 0 255 255 255 0 10 1 1 1 loc 3 1 1 0 255 255 255 0 overwriting tunnel context ffffffff with 6ea7a30 09 16 2004 14 48 49 0 ISAKMP 03 Established IPsec SAs with 10 1 1 1 09 16 2004 14 48 49 0 ISAKMP 03 ESP 56 bit DES CBC HMAC MD5 outbound SPI 0xc0523930 09 16 2004 14 48 49 0 ISAKMP 03 ESP 56 bit DES CBC HMAC MD5 inbound SPI 0x140fa3 Below is a log of a successful tunnel establishment when the ARN initiates the connection 09 16 2004 14 45 35 0 Security 11 Session IPSEC 10 1 1 1 attempting login 09 16 2004 14 45 35 0 Security 01 Session IPSEC 10 1 1 1 has no active sessions 09 16 2004 14 45 35 0 Security 01 Session IPSEC 10 1 1 1 To ARN has no active accounts 09 16 2004 14 45 35 0 ISAKMP 02 Oakley Main Mode proposal accepted from 10 1 1 1 09 16 2004 14 45 37 0 Security 01 Session IPSEC 10 1 1 1 11 SHARED SECRET authenticate attempt 09 16 2004 14 45 37 0 Security 01 Session IPSEC 10 1 1 1 11 attempting authentication using LOCAL 09 16 2004 14 45 37 0 Security 11 Session IPSEC 10 1 1 1 11 authenticated using LOCAL 09 16 2004 14 45 37 0 Security 11 Session IPSEC 10 1 1 1 11 bound to group Base To ARN 09 16 2004 14 45 37 0 Security
4. Site Manager and then open Image Builder through the Tools drop down menu TT040916 1 00 September 2004 Page 25 of 29 Tech Tip NORTEL Contivity Secure IP Services Gateway NETWORKS Configuring Branch Office Tunnel between a Contivity and a BayRS router 2 Once Image Builder is opened for the first time it will create a builder dir subdirectory within your Site Manager directory Move the image file arn exe bn exe etc to this directory When the Image Builder application opens up go to File Open and locate the image file Click Open to open up the selected image im Image Builder a open Look in Sy builder dir y e ce Files of type All Files x CREA TT040916 1 00 September 2004 Page 26 of 29 Tech Tip Contivity Secure IP Services Gateway NORTEL NETWORKS Configuring Branch Office Tunnel between a Contivity and a BayRS router TTO 3 Check the Details button on the right hand column find the capi exe file highlight it and click lt lt Remove Note that the size of the capi exe is very small 2039 bytes in this case lal Image Builder Filename Archive Format Release Compressed Size Uncompressed Size arn exe ARN Format Carn exe gt re1 15 5 6 07 6 978 546 6 65M gt 13 663 398 lt 12 97M gt Available Components E Details Component Release Compressed Size Uncompressed Size F10 Component Information capi exe rel i15
5. This process will define the endpoint address and pre shared key for the Branch Office Tunnel Configure a Name For example To CES the Destination IP address of the endpoint of the tunnel CES public IP address and either an Ascii or Hex Pre shared Key This Pre shared Key must match the key configured on the CES When finished click Done Add IKE SA Destination SA Name To CES SA Destination 1 1 1 2 Pre shared Key Ascii 12345 Hex Done Cancel Help 7 Click Done on the Edit IKE SA Destination screen TT040916 1 00 September 2004 Page 5 of 29 Tech Tip NORTEL Contivity Secure IP Services Gateway NETWORKS Configuring Branch Office Tunnel between a Contivity and a BayRS router 8 From the drop down menu go to Protocols Edit IP IP Security Outbound Policies First we need to make a template to define the IPSec policy so click on the Template button and then Create on the IPSec Policy Template Management screen Done Apply Template Add Policy Edit Policy Edit Prop Reorder Delete Values Help TT040916 1 00 September 2004 Page 6 of 29 TeC IP a e a Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router 9 Using the drop down menus create a policy containing Action gt Protect and Criteria gt Source amp Destination IP address ranges corresponding to the Local ARN local network 2 1 1 0 2
6. the capi exe file 5 09 13 2004 11 56 22 437 WARNING SLOT 1 IPSEC Code 17 All IPsec traffic on slot 1 will be dropped since validation of the NPK hash has failed Please synchronize config with NPK and enable disable IPSEC on affected interfaces This message indicates that the NPK on the router does not match the NPK of the config This will occasionally happen when booting from a different configuration changing your NPK or starting from scratch In order to correct this problem you need to get into the secure shell through the console Follow these steps 1 Enter the Secure Shell with the ksession command S ksession Please enter password Entering Secure Shell Session 2 Use the ktranslate command followed by the NPK save the config and then exit the Secure Shell SSHELL gt ktranslate 0x1234567812345678 SSHELL gt save config config TT040916 1 00 September 2004 Page 20 of 29 Tech Tip NRE ORKS Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router SSHELL gt kexit Exiting Secure Shell session 3 Bounce IPSec with the follow commands s wfIpsecBase 2 0 2 commit S s wfIpsecBase 2 0 1 commit Contivity troubleshooting tips Interpreting Log Messages on the Contivity 09 16 2004 15 09 40 0 ISAKMP 13 Diffie Hellman group mismatch for 10 1 1 1 terminating connection attempt This message indicates a mism
7. 4 in this case and Remote CES local network 3 1 1 0 24 in this case networks respectively This is an example of what the template should look like when done EE Edit IPSec Outbound Policies es EUU ETH Actions NOTE It is important to include the network and broadcast addresses in the range i e x X X 0 and x x x 255 for a 24 bit subnet 10 Click Done and then Done again on the previous screen to return to the IPSec Outbound Policies screen TT040916 1 00 September 2004 Page 7 of 29 Tech Tip NORT orks Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router 11 Click Add Policy Supply the policy a name making sure the correct interface and the template just created are highlighted and then click OK E Create Outbound Policy xj Policy Name Tunnel to CES Interfaces Templates Cancel 4 gt 12 On the next screen click Automated SA which indicates the tunnel will use IKE for the key exchange Click the button next to SA Destination and select the entry for the CES This endpoint was defined in the IKE configuration process Add Proposal to Policy 10 1 1 1 7 Add Proposal to Policy Tunes to CES Sn fekeitaras i a PFS DISABLE 8 1 1 2 gt Anti Replay Window Size 64 Pack amp lt click button to select new Priority Proposals lt click button 1 1 None None 3 None fa 4 None
8. 5 6 0 2 039 lt 1K gt 8068 3K gt apn exe ARN Format lt Carn exe gt gt wel 15 5 0 0 6 968 487 6 65M 13 599 322 lt 12 97M gt HvalLanie Components 4003x Baseline Router Softwar y capi exe IP u Details 40916 1 00 Security Pro IP Security Protocol Application Current Components aot exe AOT Service Apply bec exe BAY Command Con _ BOT Service App IP Security Pro COPS Common Ope CRM Protocol Ap DCM Interface A debug exe DEBUG Protocol dhep exe DHCP Protocol A diffserv exe Differentiated crm exe dcmnw exe Details eres See Current Components copsc exe COPS Common Opell crm exe CRM Protocol Ap demmw exe DCM Interface A debug exe DEBUG Protocol dhcp exe DHCP Protocol A diffserv exe Differentiated dns exe DNS Protocol Ap DiffServ Queue DUS Protocol Ap DUMRP Multicast b lt dsqms exe dus exe dumrp exe y Details Component Information September 2004 Page 27 of 29 NORTEL Tech Tip NETWORKS Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router 5 There are now 2 addition subdirectories in the WF builder dir directory One for the version of your image 15 5 0 0 in this case and one for the platform ARN in this case The platform subdirectory contains all the modules found in the image Find the dummy capi exe the one that is roughly 2000 bytes and replace it with the real cap
9. ES and Router In this case 3DES MD5 is checked Diffie Hellman Group The BayRS router only supports 56 bit DES with Group 1 768 bit prime This option must be selected Perfect Forward Secrecy This must match on both the CES and the Router Compression This should be disabled Group Name Base Field Value ESP Triple DES with MDS Integrity M ESP 56 bit DES with MDS Integrity L Encryption ESP 40 bit DES with MDS Integrity E AH Authentication Only HMAC SHA1 I AH Authentication Only HMAC MDS5 I IKE Encryption and Diffie Hellman Group Vendor ID Enabled Aggressive Mode ISAKMP Initial Disabled gt Contact Payload Disabled Perfect Forward Secrecy Disabled gt Compression Disabled gt Rekey Timeout 08 00 00 Rekey Data Count o o Kb ISAKMP Retransmission Interval he ISAKMP Retransmission Max Attempts aO Range 0 10 Keepalive interval 00 01 00 Keepalive On Demand connections Disabled gt Anti Replay Enabled gt IPsec DFBit Clear gt 56 bit DES with Group 1 768 bit prime Ne Cancel TT040916 1 00 September 2004 Page 11 of 29 Tech Tip N RTEL Contivity Secure IP Services Gateway NETWORKS Configuring Branch Office Tunnel between a Contivity and a BayRS router Branch Office Connection Configuration Configure branch office tunnel navigate Profiles gt Branch Office select the configured in previous step Group and click Add Local Ip Address This is the IP addres
10. T 1 IKE Code 115 TT040916 1 00 September 2004 Page 14 of 29 Tech Tip ii ORK Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router Notification received Source 10 1 1 2 Dest 10 1 1 1 Message ID 0x0 SPI length 16 SPI 0 Initial Contact 6 09 13 2004 15 59 17 907 INFO SLOT 1 IKE Code 21 IKE SA from 10 1 1 1 to 10 1 1 2 is up Cipher DES Hash SHA1 Life Type Minutes Life Time 480 7 09 13 2004 15 59 18 021 INFO SLOT 1 IKE Code 27 Establishing IPsec SA from 10 1 1 1 to 10 1 1 2 using responder role without perfect forward secrecy Quick Mode ID Ox3f4a938e 8 09 13 2004 15 59 18 170 INFO SLOT 1 IKE Code 28 Quick Mode exchange ID 0x3f4a938e from 10 1 1 1 to 10 1 1 2 is up Sending negotiated SA information for policy 1 to IPsec Reviewing the Contivity event log The log of the Contivity can be viewed from the GUI through Status gt Event Log Below is a log of a successful tunnel establishment when the Contivity initiates the tunnel 09 16 2004 14 48 48 0 Branch Office 01 IPSEC branch office connection initiated to rem 2 1 1 0 255 255 255 0 10 1 1 1 loc 3 1 1 0 255 255 255 0 09 16 2004 14 48 48 0 Security 11 Session IPSEC 10 1 1 1 attempting login 09 16 2004 14 48 48 0 Security 01 Session IPSEC 10 1 1 1 has no active sessions 09 16 2004 14 48 48 0 Security 01 Session IPSEC 10 1 1 1 To ARN has no active ac
11. Tech Tip ii ORK Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router Contents COMEM 2s cessudere cies cacccaseaeccsseceectonandacsnadieecdebsagecatedcencaeadecacenasueuecasseuanedessutersastuancdsasugecee senyacdsnavecussantacs 1 OV EIVICW N TEE bean EE A T A T N T E E EE A E N 1 Sample Contiguratioms cececiiiis tetas in n ine eee nla ek 1 Set arrar ia eA tebitend seetudts A A A A NAA 1 Configuring ARN sirenaren edhe AS Adee eld ee ec dees 2 COMIQUIING CES E E beter detti hs tanceess erected E E E E seh deeetayes dean 11 Branch Office Group IPSec Settings ccecccesceceeceeceneeeeeaeeeeeeeceeeeeeaaeeseaeeseeeesaeeesaeeeenees 11 Branch Office Connection Configuration cccceccceceeeceeeeeeeeeeseeeeecaeeeeeneeseaeeeseaeeesaeeeenees 12 Reviewing the BayRS Router event 10g ceccceeeseceeneeceneeeeaeeeeeeeceaeeeeeaaeeseaeeseaeeesaeeeeaaeenenees 14 Reviewing the Contivity event log ceccceeeceseeeceeneeceeeeeceaeeeeaaeeseeeeeceaeeesaaeeseaeeseaeeesaeeseaaeennees 15 Router TroubleShooting Tips vici cscceccssedevesnesdeceeeiben cosneeweet cekens ccuiit pwchepheaveediateeeanseesaecavin hav EEE 17 R tter SCHPIS sisusse seaun idane e Aaa aSa aE aa Aaaa Aa ERA EAA AEAEE 17 Interpreting Log Messages on the Router c ccceeceeceeeeeeeeeeeeeeeceeeesaaeeseeeeeseaeeeeaeeneneeee 18 Contivity troubleshooting TIPS css ses ecccccnetetensed cesicnehacanceeseecdiee
12. atch in the Diffie Hellman configuration The Diffie Hellman Group is configurable on the Contivity through the GUI under Profiles gt Branch Office gt IPSec Group Configuration 09 16 2004 15 22 58 0 tIsakmp 34 Failed Remote Network Login Username Date Time 09 16 2004 15 22 58 This message generally indicates a mismatch in the Local Remote network pairs between the Contivity and the Router These are configurable through Profiles gt Branch Office gt Connections 09 16 2004 15 17 39 0 tIsakmp 34 Failed Login Attempt Username 10 1 1 1 Date Time 09 16 2004 15 17 39 The Failed Login Attempt message generally indicates a mismatch in the Pre Shared Key or possibly a mismatch in the Local Remote network pairs The Pre Shared Key and the Local Remote networks are configurable on the Contivity through the GUI under Profiles gt Branch Office gt Connections TT040916 1 00 September 2004 Page 21 of 29 Tech Tip ii ORK Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router 09 16 2004 15 12 49 0 ISAKMP 13 Error notification No proposal chosen received from 10 1 1 1 09 16 2004 15 02 21 0 ISAKMP 13 No proposal chosen in message from 10 1 1 1 These No proposal chosen messages are generic and usually precede or follow one of the more descriptive log messages noted above It generally indicates IPSec configuration mismatch such as Encryption level and Diffie Hellman gro
13. counts 09 16 2004 14 48 49 0 Security 01 Session IPSEC 10 1 1 1 13 SHARED SECRET authenticate attempt 09 16 2004 14 48 49 0 Security 01 Session IPSEC 10 1 1 1 13 attempting authentication using LOCAL 09 16 2004 14 48 49 0 Security 11 Session IPSEC 10 1 1 1 13 authenticated using LOCAL 09 16 2004 14 48 49 0 Security 11 Session IPSEC 10 1 1 1 13 bound to group Base To ARN 09 16 2004 14 48 49 0 Security 01 Session IPSEC 10 1 1 1 13 Building group filter permit all 09 16 2004 14 48 49 0 Security 01 Session IPSEC 10 1 1 1 13 Applying group filter permit all 09 16 2004 14 48 49 0 Security 11 Session IPSEC 10 1 1 1 13 authorized 09 16 2004 14 48 49 0 Security 11 Session network IPSEC 2 1 1 0 255 255 255 0 attempting login 09 16 2004 14 48 49 0 Security 11 Session network IPSEC 2 1 1 0 255 255 255 0 logged in from gateway 10 1 1 1 09 16 2004 14 48 49 0 ISAKMP 02 ISAKMP SA established with 10 1 1 1 09 16 2004 14 48 49 0 Security 12 Session IPSEC 10 1 1 1 13 physical addresses remote 10 1 1 1 local 10 1 1 2 TT040916 1 00 September 2004 Page 15 of 29 Tech Tip ii ORK Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router 09 16 2004 14 48 49 0 Security 12 Session IPSEC 14 physical addresses remote 10 1 1 1 local 10 1 1 2 09 16 2004 14 48 49 0 Outbound ESP from 10 1 1 2 to 10 1 1 1 SPI 0xc0523930 03 ESP encap session SPI
14. heetcteed baxeu te evedec enssdenevbaseedtinlacenshiaaaedl 21 Interpreting Log Messages on the Comtivity cccccceceeeeeeeeeeeeeeeceeeeeeaeeeeeeeeseaeeeeaeeneneeees 21 Appendix A Setting the NPK on the BayRS routelr eccceceseeeeeeeceeeeeeeaeeeeeaeseeeeeesaeeeeaeeeenees 23 Appendix B Adding the capi exe file to the router image ecececeeeeeeteeeeneeeeeeeeseeeeseaaeeennees 25 Overview This technical tip illustrates a sample branch office tunnel configuration between Contivity Secure IP Services Gateway and BayRS router Sample Configuration Setup In this sample configuration a Contivity 1010 running V04_85 160 code and an ARN running 15 5 0 0 code were used in the following configuration 10 1 1 1 2 1 1 2 ooa fo ARN 2 1 1 0 24 CES code version V04_85 160 Private IP 3 1 1 2 Mgmt IP 3 1 1 254 Public IP 10 1 1 2 ARN code version V15 5 0 0 Private IP 2 1 1 2 Public IP 10 1 1 1 TT040916 1 00 September 2004 Page 1 of 29 Tech Tip NORTEL Contivity Secure IP Services Gateway NETWORKS Configuring Branch Office Tunnel between a Contivity and a BayRS router Configuring ARN 1 First both IPSec and IKE must be loaded on the public side Ethernet interface of the ARN Click on corresponding Ethernet connector Description Connectors Ethernet TRI Serial Ce ce ISDN U IsDN2 ISDN U EGH Ethe
15. how ipsec selectors out IPSEC Outbound Selector Table Information ol Ie LakLeyy Cert Interface Mode State Matches Num Name 2 WOSST Enabled Up 23 1 Tunnel to CES Interpreting Log Messages on the Router 9 09 14 2004 08 17 57 900 INFO SLOT 1 IPSEC Code 124 IPSec received inbound SA request No proposal attribute chosen Last validation mismatch Received mismatching cipher algorithm Policy number 1 Rcv proposal 1 Our proposal 1 Rev transform 1 Our transform 1 This message generally indicates that there is no compatible encryption setting configured between the Router and the IPSec peer The proposal list containing the encryption capabilities for the SA was defined in step 11 of the Configuring ARN section of this guide Verify both ends have compatible settings configured otherwise they won t be able to negotiate the SA TT040916 1 00 September 2004 Page 18 of 29 Tech Tip ii ORK Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router 4 09 14 2004 08 27 19 287 WARNING SLOT 1 IKE Code 9 Cookies did not match properly for IKE peer 10 1 1 2 interface 10 1 1 1 This message generally indicates an incompatibility in the Diffie Hellman settings The BayRS router uses Diffie Hellman Group 56 bit DES with Group 1 768 bit prime and there is no way to change it Check the IPSec peer and verify that the SA is configured for Diffie Hell
16. i exe file The real one should be considerably larger BN C WF builder dir rel15500 arn File Edit Yiew Favorites Tools Help Back gt Qsearch yrolders lt 3 AF OF X A Ea Address E C WF builder dirrelt 500 arn gt ao Folders B 63 PCSRP22 C a Esh fr exe Application ClarifyCRM12i5R1 05 Elsh_ip exe 15KB Application H 0 Dell l E sh_snmp exe 6KB Application Documents and Settings Elsh_sync exe 17KB Application O ot capi exe lsh_tep exe SKB Application C Global Web Prefs Application Elsh_tftp exe 2KB Application logfiles Modified 9 14 2004 10 36 AM Elsnmp exe 24KB Application modelchk Esysl exe 8KB Application HE ms Ske 923KB Eltagiq exe 6KB Application 2 My Downloads Attributes normal Eltcp exe 41KB Application C My Music Eltn exe 25KB Application openidap Eitnc exe 31KB Application O oracle Pltreectrl exe 98 KB Application i e pesrp E vcct exe 11K6 Application Program Files Flvines exe 103KB Application OQ temp E vrrp exe 15KB Application WF Ewan exe 11KB Application E ve builder dir E wcp exe 24KB Application S rel15500 E x25 exe 123KB Application i lt 3 arn lxm exe 15KB Application CONFIG Elxns exe 25KB Application a uB X capi exe Application 4 gt Type Application Size 82 5 KB fe2 5 KB B My Computer A TT040916 1 00 September 2004 Page 28 of 29 Tech Tip MOT WORKS Contivity Secure IP Services Gateway Configu
17. man Group 1 3 09 14 2004 08 53 17 549 INFO SLOT al IKE Code 124 Invalid Flags Source 10 1 1 2 Dest 10 1 1 1 Message ID 0x0 SPI length 0 SPI 0 2 09 14 2004 08 54 22 108 INFO SLOT 1 IKE Code 117 Invalid Payload Type Source 10 1 1 2 Dest 10 1 1 1 Message ID 0x0 SPI length 0 SPI 0 Both these messages are generally an indication of a mismatch of the Pre Shared Key on both sides of the connection Depending on whether the ARN was the initiator or the responder of this particular SA the message will be different The Pre Shared Key for the ARN was configured in step 6 of the Configuring ARN section of this guide and in the Profiles gt Branch Office gt Connections section of the Contivity GUI 16 09 14 2004 08 58 31 927 INFO SLOT 1 IKE Code 99 Notification received Source 10 1 1 2 Dest 10 1 1 1 Message ID 0x3c441a39 SPI length 4 SPI 3240933836 Invalid ID Information 2 09 14 2004 08 59 59 469 INFO SLOT 1 IPSEC Code 122 PSec received inbound SA request Start end destination address oes not match descriptor start end source address olicy number 1 D payload start end dest address 2 1 1 0 2 1 1 255 Descriptor start end source address 2 1 1 0 2 1 1 20 HU Q H These messages generally indicate a mismatch in the Local Remote network pairs on both sides of the connection The Local Remote network pairs for the ARN were configured as a Template Policy in steps 7 8 and 9 of the Co
18. nfiguring ARN section of this guide and in the Profiles gt Branch Office gt Connections section of the Contivity GUI TT040916 1 00 September 2004 Page 19 of 29 Tech Tip ii ORK Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router 3 09 14 2004 08 59 59 485 INFO SLOT 1 IKE Code 130 No Proposal Chosen Source 10 1 1 2 Dest 10 1 1 1 Message ID 0xd962094b SPI length 4 SPI 12600 The No Proposal Chosen message is a generic message that usually directly follows one of the log messages noted above Sometimes though usually when the router initiates a connection and it fails only this message will appear in the log It generally indicates some type of configuration mismatch so you may have to just double check everything An alternative troubleshooting tactic would be to do a test initiating the SA from the other end which generally results in more descriptive messages in the log 1 09 15 2004 15 53 47 662 WARNING SLOT 1 IPSEC Code 10 No Cryptographic API capi exe in this image IPSec cannot proceed interface 10 1 1 1 circuit 2 code 1 2 09 15 2004 15 53 49 267 WARNING SLOT 1 IKE Code 4 No Cryptographic API capi exe in this image IKE cannot proceed code 15 In order to run IPSec a valid capi exe must be installed in the image Both these messages indicates that the file is not installed Refer to Appendix B for instructions on how to install
19. o initialize the seed for the cryptographic random number generator please now enter a series of characters which you would consider to be random As you enter them dots will be displayed to indicate progress If your string is not random enough questions will be displayed In that case modify the pattern you are entering When enough data is input you will be prompted to stop near 3 lines of input All done thank you SSHELL gt Now you can set the NPK using the kset npk command as follows The NPK is a 16 digit hexadecimal number SSHELL gt kset npk 0x1234567812345678 SSHELL gt kexit Now save the configuration and exit the Secure Shell using kexit SSHELL gt save config config SSHELL gt kexit Exiting Secure Shell session TT040916 1 00 September 2004 Page 24 of 29 Tech Tip NORTEL Contivity Secure IP Services Gateway NETWORKS Configuring Branch Office Tunnel between a Contivity and a BayRS router Appendix B Adding the capi exe file to the router image By default the router image i e arn exe asn exe bn exe etc do not come installed with the modules necessary to run IPSec These modules must be purchased separately and installed in the image using a Site Manager utility called Image Builder The module needed is the capi exe Cryptographic API Once this module is obtained use the following process to add it into the image 1 Launch
20. om 10 1 1 1 to 10 1 1 2 using initiator role 3 09 13 2004 15 51 23 632 INFO SLOT 1 IKE Code 115 Notification received Source 10 1 1 2 Dest 10 1 1 1 Message ID 0x0 SPI length 16 SPI 0 Initial Contact 4 09 13 2004 15 51 23 642 INFO SLOT 1 IKE Code 21 IKE SA from 10 1 1 1 to 10 1 1 2 is up Cipher 3DES Hash SHA1 Life Type Minutes Life Time 480 5 09 13 2004 15 51 23 643 INFO SLOT 1 IKE Code 27 Establishing IPsec SA from 10 1 1 1 to 10 1 1 2 for policy 1 using initiator role without perfect forward secrecy Quick Mode ID Ox820be868 6 09 13 2004 15 51 23 818 INFO SLOT 1 IKE Code 28 Quick Mode exchange ID 0x820be868 from 10 1 1 1 to 10 1 1 2 is up Sending negotiated SA information for policy 1 to IPsec Below is the log of a successful tunnel establishment when the ARN responds to the connection 1 09 13 2004 15 59 16 715 INFO SLOT 1 IKE Code 20 Establishing IKE SA from 10 1 1 1 to 10 1 1 2 using responder rol 2 09 13 2004 15 59 16 733 INFO SLOT 1 IKE Code 117 Invalid Payload Type Source 10 1 1 2 Dest 10 1 1 1 Message ID 0x0 SPI length 0 SPI 0 3 09 13 2004 15 59 16 735 INFO SLOT l IKE Code 22 IKE SA not established from 10 1 1 1 to 10 1 1 2 4 09 13 2004 15 59 16 739 INFO SLOT 1 IKE Code 20 Establishing IKE SA from 10 1 1 1 to 10 1 1 2 using responder rol 5 09 13 2004 15 59 17 873 INFO SLO
21. om support If after following this guide you are still having problems please ensure you have carried out the steps exactly as in this document If problems still persist please contact Nortel Networks Technical Support contact information is available online at http www nortel com cgi bin comments comments cgi key techsupport cu We welcome you comments and suggestions on the quality and usefulness of this document If you would like to leave a feedback please send your comments to CRCONT nortel com Author Christopher Costa TT040916 1 00 September 2004 Page 29 of 29
22. onfiguration for the Branch Office Tunnel is complete at this point Simply click OK and Done until you are back on the front screen The last step is to configure a static route directing traffic for the Remote network 3 1 1 0 24 in this case out the public interface Using the drop down menus go to Protocols IP Static Routes and click Add Enter the Destination IP Address remote network Address Mask and Next Hop Address so that this traffic will be directed out the public interface An entry will need to be added for each remote network or at least enough entries to cover every remote network unused i IP CONFIGURATION Cancel Configuration Mode dynamic Ox SNMP Agent f2 died ea Values Help Enable Cost T Next Hop Addr i Preference Unnumbered CCT Na TT040916 1 00 Destination IP Address Address Mask Cost Next Hop Add Preference Unnumbered CCT Name September 2004 3 1 1 8 3 4 4 8 s 255 255 255 8 Sas 16 SESE Page 10 of 29 Tech Tip NRE ORKS Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router Configuring CES Branch Office Group IPSec Settings Configure appropriate branch office group setting Navigate Profiles gt Branch Office select appropriate Group and click Configure next to it scroll down to the IPSec section and click Configure under it Encryption A compatible setting must be selected on both the C
23. ring Branch Office Tunnel between a Contivity and a BayRS router 6 Reenter Image Builder through Tools Image Builder and open up the original image file in the builder dir directory the same way as in step 2 Check the Details button on the left hand side of the screen and highlight capi exe Note the size of this file is much larger than the dummy file In this case about 82K Click Add gt gt to install the real capi exe file into the image Once done Save and Exit image builder and retrieve the image file from the builder dir directory This image is now ready to load onto the router io x File Edit View Options Version E Image Builder Copyright 2005 Nortel Networks Limited All Rights Reserved Nortel Nortel Networks the Nortel logo Globemark and Contivity are trademarks of Nortel Networks Limited The information in this document is subject to change without notice The statements configurations technical data and recommendations in this document are believed to be accurate and reliable but are presented without express or implied warranty Users must take full responsibility for their applications of any products specified in this document The information in this document is proprietary to Nortel Networks Limited To access more technical documentation search our knowledge base or open a service request online please visit Nortel Networks Technical Support on the web at http www nortel c
24. rnet scum 2 Click on Edit Circuit in the window that pops up Edit Connector EEE py Edit Line TT040916 1 00 September 2004 Page 2 of 29 Tech Tip NORT orks Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router 3 Inthe Protocols drop down menu select Add Delete Check the boxes next to IPSEC and IKE on the Select Protocols window that appears and then click OK A Nortel Networks Configuration Manager NAT T2TP IPSEC IKE DiffServ Decnet IV VINES IPX RIP SAP XNS M 1s coy M Isp TT040916 1 00 September 2004 Page 3 of 29 Tech Tip iia r Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router 4 Click Done to exit out of the next screen that appears Next from the drop down menus go to Protocols Edit IP IKE Enter the Node Protection Key NPK configured on the router and click OK Note The NPK is configured from the secure shell in the console P IPSEC IKE Used Node Protection Key Cancel Configuration Mode dynamic OK SNMP Agent 2 1 1 2 Help 5 The Edit IKE SA Destination screen will appear Click Add ia Edit IKE SA Destination Delete Values TT040916 1 00 September 2004 Page 4 of 29 Tech Tip Be ons Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router 6
25. s of the CES public interface 10 1 1 2 in this case Remote Ip Address This is the IP address of the ARN public interface 10 1 1 1 Pre Shared Key Must match on both the CES and router Both sides must use either Text Ascii or Hex and have the same Key configured Local amp Remote Networks Local network CES private network 3 1 1 0 24 in this case Remote network ARN private network 2 1 1 0 24 in this case Peerto Peer v Text Pre Shared Key v TT040916 1 00 September 2004 Page 12 of 29 Tech Tip N RTEL Contivity Secure IP Services Gateway NETWORKS Configuring Branch Office Tunnel between a Contivity and a BayRS router Continuation of the Branch Tunnel Connection Configuration screen Private Network gt te TT040916 1 00 September 2004 Page 13 of 29 Tech Tip NO RTR WORKS Contivity Secure IP Services Gateway Configuring Branch Office Tunnel between a Contivity and a BayRS router Reviewing the BayRS Router event log The log of the tunnel establishment on the ARN can be viewed from the TI command line of console or telnet by using Log ffwdit eIKE eIPSEC This is the log of a successful tunnel establishment when ARN initiates the connection 1 09 13 2004 15 51 21 257 TRACE SLOT 1 IKE Code 35 IKE SA not found for IKE peer 10 1 1 2 interface 10 1 1 1 E beginning negotiation for new IKE SA 2 09 13 2004 15 51 21 258 INFO SLOT 1 IKE Code 20 Establishing IKE SA fr
(...)s with 10.1.1.1
09/16/2004 14:45:37 0 ISAKMP [03] ESP 56-bit DES-CBC HMAC-MD5 outbound SPI 0x57fa39fd
09/16/2004 14:45:37 0 ISAKMP [03] ESP 56-bit DES-CBC HMAC-MD5 inbound SPI 0x206994

These two lines are the authoritative record of what was actually negotiated, so check that the transform shown is the one you intended; single 56-bit DES and MD5 are obsolete and should only be accepted where a peer supports nothing stronger.

Router Troubleshooting Tips

Router Scripts

Load the show.bat and ipsec.bat script files onto the router flash card for quick troubleshooting and configuration information.

The following are some useful troubleshooting commands for the router.

The show ipsec esp sa command gives a listing of the IPsec tunnels that have been established. For example (the source address columns are illegible in this copy):

  show ipsec esp sa
  IPSEC ESP SA Table Information
  State  Src   Dest  SPI      Cipher Alg  Integrity Alg  Mode
  No Manual SAs established
  Up     ...   ...   369140   3DES        HMAC-MD5       Tunnel
  Up     ...   ...   2101758  DES         HMAC-MD5       Tunnel
  2 Automated SAs established

The show ipsec policy command gives a listing of all IPsec policies and the proposals configured within each. For example:

  show ipsec policy
  IPSEC Policy Table Information
  Policy  Proposal  Transform  Type  Cipher  Integrity
  Number  Number    Number           Alg     Alg
  1       1         1          ESP   3DES    MD5

The show ipsec selectors out command gives a list of all interfaces and the policies configured on each s
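When a tunnel does not come up, the first question is whether the ISAKMP SA (Phase 1) was established and, if so, whether the IPsec SAs (Phase 2) were built and with which transform. The script below is an added example, not part of this Tech Tip, that runs that triage over CES event-log lines. The sample lines are constructed to follow the layout of the CES log excerpts quoted in this document (the bracketed subsystem codes are an assumed rendering of the extracted text, not verified output), and the second peer 10.1.1.9, which gets no further than an ISAKMP SA, is invented to show the Phase 2 failure case.

```python
"""Triage Contivity (CES) event-log lines for a branch-office tunnel.

Added example, not part of the Nortel tech tip. SAMPLE_LOG is constructed
to follow the layout of the CES log excerpts in the tip (date, time, slot,
subsystem, code, message); the bracketed codes and the second peer
10.1.1.9 with its unfinished negotiation are this example's assumptions.
"""
import re
from collections import defaultdict

SAMPLE_LOG = """\
09/16/2004 14:45:37 0 ISAKMP [02] ISAKMP SA established with 10.1.1.1
09/16/2004 14:45:37 0 Security [11] Session: network IPSEC[2.1.1.0-255.255.255.0] logged in from gateway 10.1.1.1
09/16/2004 14:45:37 0 ISAKMP [03] Established IPsec SAs with 10.1.1.1
09/16/2004 14:45:37 0 ISAKMP [03] ESP 56-bit DES-CBC HMAC-MD5 outbound SPI 0x57fa39fd
09/16/2004 14:45:37 0 ISAKMP [03] ESP 56-bit DES-CBC HMAC-MD5 inbound SPI 0x206994
09/16/2004 14:52:10 0 ISAKMP [02] ISAKMP SA established with 10.1.1.9
"""

PHASE1 = re.compile(r"ISAKMP SA established with (\S+)")
PHASE2 = re.compile(r"Established IPsec SAs? with (\S+)")
ESP_SA = re.compile(
    r"ESP (?P<cipher>.+?) (?P<integ>HMAC-\w+|NONE) (?P<dir>inbound|outbound) SPI 0x(?P<spi>[0-9a-fA-F]+)"
)


def _new_peer():
    return {"isakmp": False, "ipsec": False, "cipher": None,
            "integ": None, "inbound": None, "outbound": None}


def parse_ces_log(text):
    """Return {peer: {isakmp, ipsec, cipher, integ, inbound, outbound}}."""
    peers = defaultdict(_new_peer)
    current = None  # the ESP SPI lines carry no peer address; they follow the peer just reported
    for line in text.splitlines():
        m = PHASE1.search(line)
        if m:
            peers[m.group(1)]["isakmp"] = True
            current = m.group(1)
            continue
        m = PHASE2.search(line)
        if m:
            peers[m.group(1)]["ipsec"] = True
            current = m.group(1)
            continue
        m = ESP_SA.search(line)
        if m and current:
            rec = peers[current]
            rec["cipher"], rec["integ"] = m["cipher"], m["integ"]
            rec[m["dir"]] = int(m["spi"], 16)
    return dict(peers)


def is_weak(cipher, integ):
    """Policy assumed by this example: single DES, MD5 and no integrity are too weak."""
    single_des = "DES" in cipher and "3DES" not in cipher
    return single_des or integ.endswith("MD5") or integ == "NONE"


def assess(peers):
    """One finding per peer that needs attention, in peer-address order."""
    findings = []
    for peer, r in sorted(peers.items()):
        if not r["isakmp"]:
            findings.append(f"{peer}: no ISAKMP SA (Phase 1 failed: check pre-shared key and IKE settings)")
            continue
        if not r["ipsec"]:
            findings.append(f"{peer}: ISAKMP SA up but no IPsec SA (Phase 2 failed: check ESP proposals and local/remote networks)")
            continue
        if r["inbound"] is None or r["outbound"] is None:
            findings.append(f"{peer}: IPsec SA reported but the inbound/outbound SPI pair is incomplete")
        if is_weak(r["cipher"], r["integ"]):
            findings.append(f"{peer}: weak transform negotiated ({r['cipher']} / {r['integ']})")
    return findings


if __name__ == "__main__":
    for finding in assess(parse_ces_log(SAMPLE_LOG)):
        print(finding)
```

The SPI pair it extracts is what you compare against the router's show ipsec esp sa table: the CES outbound SPI should appear as the ARN's inbound SA and vice versa, and a missing half of the pair points at a one-way tunnel.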
(...) up, so you may have to just double-check the IPsec settings. An alternative troubleshooting tactic is to test by initiating the SA from the router, which generally produces more descriptive messages in the log.

Appendix A: Setting the NPK on the BayRS router

First, if it has not been done already, a password for the Secure Shell must be created. If you do not have one configured and you try to enter the Secure Shell, you will receive an error message such as:

  ksession
  Must set secure shell password

To change the Secure Shell password, use the kpassword command and follow the prompts:

  kpassword
  Changing password for Secure Shell
  Old password:
  New password: ********
  Retype new password: ********
  Secure Shell password changed

Once the password is established, enter the Secure Shell using the ksession command:

  ksession
  Please enter password:
  Entering Secure Shell Session
  SSHELL>

First you need to create a random number seed. Use the kseed command and follow the prompts:

  SSHELL> kseed T