Page 14 of 51 total pages, page 4 of 7 pages in this chapter

Configuring group IPSec settings

  1. Select Profiles > Groups and then click Edit for the group whose IPSec settings you want to configure. The Groups > Edit screen appears.
  2. Click Configure in the IPSec section of the screen. The Groups > Edit > IPSec screen appears (Figure 2).
  3. Figure 2 shows the Profiles > Groups > Edit > IPSec screen.

  4. Click the Configure button for a specific parameter to make changes to that parameter. Click Configure in the All Fields section to edit all parameters at the same time. Use the Inherited button to set all fields to their inherited values.
  5. Configure Split Tunneling. All IPSec client traffic is tunneled through the gateway by default. Split Tunneling allows you to configure specific network routes that are downloaded to the client. Only these network routes are then tunneled; any other traffic goes to the local PC interface. Split tunneling allows you to print locally, for example, even while you are tunneled into the gateway.
  6. Configure Split Tunnel Networks. Select the networks whose traffic is to be sent through the encrypted tunnel; traffic to any other destination leaves the client's local interface unencrypted. The networks you can choose from are those defined on the Profiles > Networks screen.
  7. Configure Client Selection. The Client Selection feature enables you to configure your gateway to accept tunnel connections from third-party clients, in addition to the Nortel Networks Contivity VPN Client. Refer to the Contivity Secure IP Services Gateway Release Notes for a list of supported third-party clients.

    If you choose the Configure for Both Contivity and non-Contivity Clients selection, the gateway provides support as described above, depending upon the type of client being used. For example, if you enable RADIUS Authentication, it is only used for Contivity clients, and you must have either preshared keys or RSA digital signature authentication enabled for non-Contivity clients.
  8. Specify the Allowed Clients parameter. Use the menu to specify the type of clients that are allowed to create tunnels to your gateway.
  9. Set the Allow undefined networks for non-Contivity clients parameter. Enabling this selection allows supported third-party clients to create IPSec tunnels to any internal networks. Nortel Networks recommends that you not allow undefined networks for third-party clients, and use Split Tunneling instead. This selection is ignored for Contivity clients.
  10. Configure Authentication. Authentication is performed with a protected User ID and Password through the ISAKMP key management protocol. When you click Configure, the Group Security Credentials (RADIUS) dialog box appears.
  11. Configure Database Authentication (LDAP).
  12. Specify User Name and Password. Click to enable the LDAP User Name and Password to authenticate user identity. Authentication is performed with a protected User ID and Password through the ISAKMP key management protocol.
  13. Click to enable Entrust certificate authentication. You must then click the drop-down list box to choose a Default Server Certificate. Server certificates are configured from the System > Certificates screen.
  14. Configure RADIUS Authentication. The following attributes are associated with RADIUS Authentication when using IPSec tunneling. This is a two-step process: (1) the gateway authenticates the remote user with the User Name and Password mechanism or with AXENT or SecurID hardware or software tokens, and (2) the client uses the Group ID and Group Password to authenticate the gateway's identity.

    User Name and Password

    Click to enable the RADIUS User Name and Password to authenticate user identity. Authentication is performed with a protected User ID and Password through the ISAKMP key management protocol.

    AXENT Technologies Defender

    Click to enable AXENT OmniGuard/Defender challenge-response token authentication. OmniGuard/Defender uses a personal identification number (PIN) and password, coupled with a challenge-response dialog, to authenticate user identity.

    Security Dynamics SecurID

    Click to enable Security Dynamics SecurID token authentication. SecurID uses a PIN plus the current code generated by the token assigned to the user to authenticate user identity.

    Enter the Group ID and Password, which are encrypted for transmission. The Group ID provides access to the gateway. Subsequent LDAP and RADIUS authentication is verified against the User ID.

    Note: The Group ID and User ID must not be the same.


    Enter and confirm the Group Password, which provides access to the gateway. Subsequent LDAP and RADIUS authentication is verified against the User Password.
  15. Configure Encryption. Click Configure, then click the checkbox to either enable or disable the supported Encryption methods for this group.

    The encryption methods are presented in order of strength, from strongest to weakest. Each of the listed methods also authenticates the packet, so the receiver can verify that it came from the peer at the secure end of the tunnel; the MD5 (Message Digest 5) integrity check is what detects any modification in transit. Some of the encryption types do not appear on non-US models that are restricted by US export laws. Enable only the methods this group actually needs: any method left enabled can be negotiated by a client.

    Note: Using higher-level encryption, such as Triple DES, decreases performance.

  16. Select the Diffie-Hellman group used for IKE (Internet Key Exchange) key agreement.

    Note: The choice of the IKE encryption algorithm does not affect the choice of the encryption algorithm used to encrypt data in IPSec. For example, you can use DES to encrypt the IKE exchanges and then negotiate Triple DES for the IPSec data. The Diffie-Hellman group, however, determines how hard the negotiated keys are to recover, so a small group undermines an otherwise strong data cipher.

    The Services > IPSec screen contains a section labeled "IKE Encryption and Diffie-Hellman Group."


  17. Click to enable Perfect Forward Secrecy (PFS). With PFS, each rekey performs a fresh Diffie-Hellman exchange instead of deriving the new session keys from earlier keying material. This ensures that compromise of one key cannot result in the compromise of subsequent keys.
  18. Configure Forced Logoff. For IPSec tunneling, you can specify a time after which all active users are automatically logged off. The default is 0, which means the option is turned off. The possible range is 00:00:01 to 23:59:59.
  19. Configure Client Auto Connect. The Client Auto Connect feature enables remote Contivity VPN Clients to connect their IPSec tunnel sessions in a single step. With Auto Connect, client users simply click on the desired destination, for example, a Web page on the private internal network. This first starts their ISP connection, then makes the tunnel connection to the gateway, and finally makes the connection to the requested destination.

    Click on Any Network Traffic to use the autoconnect feature for all client connection requests to authorized destinations. Now, when any network activity is detected on the user's workstation, a tunnel connection is automatically launched to the gateway.
  20. Configure the Specify Networks and/or Domains parameters. Click this selection to limit autoconnection to specific domains or networks, which you specify in the following two fields.

    Use the Domains selection to designate specific domains or host names that trigger the autoconnect feature. The domains that you specify must be configured on the Profiles > Domains page. Select None if you want to limit the autoconnection feature to specific networks, which you specify in the following Networks field.

    Use the Networks selection to designate specific networks that trigger the autoconnect feature (the networks must be configured on the Profiles > Networks page). Select None if you do not want to designate any networks.
  21. Configure the Banner setting. You can customize an enterprise login banner for the Contivity VPN Client by entering text into the space provided. This banner appears at the top of the IPSec client upon login.
  22. Enable the Display Banner. Click to enable the banner and have it appear when a remote user logs into the gateway.
  23. Set the Client Screen Saver Password Required parameter. Enabling this security feature forces the client to use a password-protected screen saver. If the user leaves the system while a tunnel is connected, the client is locked out of the tunnel as soon as the screen saver starts. The end user enables this on the client PC from the Start > Settings > Control Panel > Display > Screen Saver > Password Protected checkbox. Default is Disabled.
  24. Set the Client Screen Saver Activation Time. This setting is used together with the Client Screen Saver Password Required setting. It defines the maximum time (in minutes) before the client's screen saver is activated. The value on the client PC can be changed from the Start > Settings > Control Panel > Display > Screen Saver > Wait list box. Default is 5 minutes.
  25. Configure Client Fail-Over Tuning.

    Check the Enabled box to enable client fail-over. Client fail-over uses small packets to check and maintain, or keep alive, the connection between the client and the gateway.

    In the Interval section, specify the time interval that the client waits between VPN activity checks. Nortel Networks recommends a low interval when users connect through the client. Use a higher setting in situations such as a leased line on which charges are based on traffic.

    Specify the maximum number of retransmissions. This is the number of times that the client re-transmits a keepalive packet to the gateway to check for connectivity.
  26. Set the Allow Password Storage on Client parameter. You can allow client systems to save the login password in their password list, or you can require that the remote user enters the password each time they request authentication and access to an IPSec tunnel. Click Enable to allow client systems to save the login password. A stored password lets anyone who can use the PC bring up the tunnel, so leave this disabled unless the client PC itself is adequately protected.

    Note: When using certificates, saving the password on the client is not allowed.

  27. Configure Compression. Click to enable Compression for IPSec tunneling.
  28. Set the Rekey Timeout. Limit the lifetime of any single key used to encrypt data: the longer one session key stays in use, the more traffic is exposed if that key is ever recovered. Use the Rekey Timeout setting to control how often new session keys are exchanged between a client and the gateway. Set the Rekey Timeout to no less than 1 hour. The default is 08:00:00 (8 hours); a setting of 00:00:00 disables the Rekey Timeout, so that one key is used for the life of the tunnel. The maximum setting is 23:59:59.
  29. Set the Rekey Data Count. You can choose to set a Rekey Data Count depending on how much data you expect to transmit via the tunnel with a single key. Default is 0 Kbytes; a setting of 0 disables the Rekey Data Count.
  30. Configure the Domain Name setting. This setting enables you to specify the name of the domain that is used while an IPSec tunnel is connected. Specifying the domain name in this field ensures that domain lookup operations point to the correct domain. This is particularly important for clients that use Microsoft Outlook or Exchange, to ensure that the mail server is mapped to the correct domain.

    When a tunnel is connected, the remote client's registry is updated to use the specified domain. When the client disconnects the tunnel, the remote client's original domain is again used.
  31. Enter the Primary DNS. Enter the address of the Primary Domain Name System (DNS) server that is located on your private network. This DNS address is provided by the gateway to tunnel clients at setup and is used through the tunnel. The DNS server translates textual host names into IP addresses. For example, DNS can translate the fully qualified host name www.mycompany.com to its IP address 192.19.2.33.

    The Primary DNS server is the first one addressed for name resolution requests from a remote user; if the Primary DNS server is unavailable, service is requested of the Secondary DNS server. Recent versions of Microsoft Windows operating systems can query multiple DNS servers simultaneously.

    Always enter the DNS server as an IP address, never as a domain name: the client has nothing to resolve the name with until it knows the server's address.
  32. Enter the Secondary DNS. Enter an address for the Secondary Domain Name System (DNS) server. If the Primary DNS server is unavailable, service is requested of the Secondary DNS server.
  33. Enter the Primary WINS. Enter an address for the primary Windows Internet Naming Service (WINS) server. A WINS server resolves NetBIOS names (for Windows networking file and print services) to IP addresses. Using a WINS server enables normal Windows file and print services to be accessed correctly through a tunnel connection.

    Windows NT Server Version 4.0 and later supports a built-in WINS server. The WINS server eliminates the need to manually map NetBIOS names to IP addresses (for example, using the textual LMHOSTS file on Windows) by updating a name-to-address mapping file dynamically on the WINS server.

    The Primary WINS server is the first one addressed for servicing name resolution requests from a remote user; if the Primary WINS server is unavailable, service is requested of the Secondary WINS server. Always use the IP address for setting a WINS server host instead of a name.

    Note: If no WINS servers are specified, the client is forced to broadcast for NetBIOS names, and those broadcasts do not reach the private network through a routed tunnel, so Windows names on the private side will not resolve.

  34. Enter an address for the Secondary Windows Internet Naming Service (WINS) server; if the Primary WINS server is unavailable, service is requested of the Secondary WINS server.
  35. Configure the Nortel Client Requirements settings.

    In the Minimum Version field, select the minimum version of Contivity VPN Client that is required.

    In the Action field, specify the action to take upon detection of a noncompliant client.

    In the Message field, type a message giving users the URL for a Web site or FTP site from which they can download the required version of the Contivity VPN Client software.

    Select a filter to apply from the list of available filters.

    Click on the New Filter link to create a new filter, if needed.
  36. Configure the Client Policy setting. Select a client policy as appropriate. Client Policy helps prevent potential security violations that could occur when you are using the split tunneling feature. Split tunneling allows client data to travel either through a tunnel to the enterprise network or directly to the Internet.
  37. Set the Allow IPSec Data Protection parameter. Enable or disable IPSec.
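To make the client-side and gateway-side effects of steps 5 through 9 concrete, here is an added example in Python; it is not code from this page or from the Contivity product. The GroupIPSecSettings class, the client_type strings "contivity" and "third_party", the audit function and the sample networks are assumptions made for the illustration, not the gateway's own configuration format.

```python
"""Split tunneling and the 'allow undefined networks' check (added example).

Models the group settings from steps 5 through 9. The GroupIPSecSettings
class, the client_type strings and the sample networks are assumptions made
for this illustration, not the gateway's own configuration format.
"""
from dataclasses import dataclass, field
from ipaddress import ip_address, ip_network
from typing import List, Optional, Tuple


@dataclass
class GroupIPSecSettings:
    split_tunneling: bool                                           # step 5
    split_tunnel_networks: List[str] = field(default_factory=list)  # step 6 (chosen from Profiles > Networks)
    defined_networks: List[str] = field(default_factory=list)       # everything on Profiles > Networks
    allow_undefined_for_third_party: bool = False                   # step 9


def client_route(settings: GroupIPSecSettings, dst: str) -> Tuple[str, Optional[str]]:
    """Client side: does a packet to dst go into the tunnel or out the local interface?

    With split tunneling off, every packet is tunneled. With it on, only the
    downloaded split tunnel routes are tunneled; the most specific matching
    route is returned so overlapping routes resolve the way a routing table does.
    """
    addr = ip_address(dst)
    if not settings.split_tunneling:
        return "tunnel", None
    matches = [n for n in map(ip_network, settings.split_tunnel_networks) if addr in n]
    if not matches:
        return "local", None          # e.g. a local printer or a public web site
    return "tunnel", str(max(matches, key=lambda n: n.prefixlen))


def gateway_admits(settings: GroupIPSecSettings, client_type: str, dst: str) -> bool:
    """Gateway side: may tunneled traffic from this client reach dst on the private side?

    'Allow undefined networks for non-Contivity clients' is ignored for Contivity
    clients. Third-party clients may only reach networks defined on
    Profiles > Networks unless that setting is enabled.
    """
    if client_type == "contivity":
        return True
    addr = ip_address(dst)
    in_defined = any(addr in n for n in map(ip_network, settings.defined_networks))
    return in_defined or settings.allow_undefined_for_third_party


def audit(settings: GroupIPSecSettings) -> List[str]:
    """Flag the combination the page warns against and the ones that silently do nothing."""
    warnings = []
    if settings.allow_undefined_for_third_party:
        warnings.append("undefined networks allowed for third-party clients; use split tunnel routes instead")
    if settings.split_tunneling and not settings.split_tunnel_networks:
        warnings.append("split tunneling on with no split tunnel networks: no traffic is tunneled")
    if not settings.split_tunneling and settings.split_tunnel_networks:
        warnings.append("split tunnel networks listed but split tunneling is off: they are ignored")
    return warnings


# Constructed sample group: two private ranges plus a more specific sub-range.
SAMPLE = GroupIPSecSettings(
    split_tunneling=True,
    split_tunnel_networks=["10.0.0.0/8", "10.20.0.0/16", "192.168.50.0/24"],
    defined_networks=["10.0.0.0/8", "192.168.50.0/24"],
)

if __name__ == "__main__":
    for dst in ("10.20.1.7", "10.1.2.3", "192.168.1.20", "8.8.8.8"):
        print(dst, client_route(SAMPLE, dst))
    print("third-party to 172.16.0.5:", gateway_admits(SAMPLE, "third_party", "172.16.0.5"))
    print("warnings:", audit(SAMPLE))
```

Run stand-alone, the sample sends 10.20.1.7 and 10.1.2.3 into the tunnel (matching the /16 and the /8 respectively), sends the printer at 192.168.1.20 and the public address out the local interface, and refuses a third-party client's packet to the undefined 172.16.0.5. Note that the client-side and gateway-side decisions are independent: a Contivity client only tunnels what the split tunnel routes tell it to, while a third-party client is constrained by what the gateway admits.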

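The reason steps 16, 17 and 28 matter is easiest to see in the IKE key derivation itself. The following is an added example, not code from this page or from the Contivity gateway: it reproduces the IKEv1 quick-mode KEYMAT formula from RFC 2409 section 5.5 and shows that an attacker who later obtains the phase 1 secret SKEYID_d, together with a copy of the quick-mode exchange, can recompute the data keys without PFS but not with it. The PRF (HMAC-SHA1), the nonce and SPI lengths and the attacker model are assumptions made for the demonstration; the group 2 modulus is transcribed from the RFC and should be checked against it before any other use.

```python
"""IKEv1 quick-mode keying with and without PFS (added example, RFC 2409 section 5.5).

Illustrates steps 16, 17 and 28. The PRF (HMAC-SHA1), the nonce and SPI sizes and
the attacker model (someone who later obtains the phase 1 secret SKEYID_d plus a
copy of the quick-mode exchange) are assumptions made for this demonstration.
"""
import hashlib
import hmac
import secrets

# Oakley group 2 (RFC 2409 section 6.2): 1024-bit MODP prime, generator 2.
# Transcribed for this example; check it against the RFC before relying on it.
GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD1"
    "29024E088A67CC74020BBEA63B139B22514A08798E3404DD"
    "EF9519B3CD3A431B302B0A6DF25F14374FE1356D6D51C245"
    "E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381"
    "FFFFFFFFFFFFFFFF", 16)
GROUP2_G = 2
PROTO_IPSEC_ESP = b"\x03"      # IPsec DOI protocol identifier for ESP (RFC 2407)


def prf(key: bytes, data: bytes) -> bytes:
    """The negotiated PRF; HMAC-SHA1 is assumed here."""
    return hmac.new(key, data, hashlib.sha1).digest()


def dh_keypair():
    """Fresh ephemeral exponent x and public value g^x mod p for a quick-mode KE payload."""
    x = secrets.randbelow(GROUP2_P - 2) + 1
    return x, pow(GROUP2_G, x, GROUP2_P)


def dh_shared(x: int, gy: int) -> bytes:
    """g^xy mod p, which only a holder of one of the private exponents can compute."""
    return pow(gy, x, GROUP2_P).to_bytes(128, "big")


def keymat(skeyid_d: bytes, spi: bytes, ni: bytes, nr: bytes, gxy=None) -> bytes:
    """First PRF block of KEYMAT (RFC 2409 5.5; a real SA iterates this for longer keys):
       without PFS: KEYMAT = prf(SKEYID_d, protocol | SPI | Ni_b | Nr_b)
       with PFS:    KEYMAT = prf(SKEYID_d, g(qm)^xy | protocol | SPI | Ni_b | Nr_b)
    """
    return prf(skeyid_d, (gxy or b"") + PROTO_IPSEC_ESP + spi + ni + nr)


def rekey(pfs: bool) -> dict:
    """Run one quick-mode rekey between the two peers, then let the attacker try."""
    skeyid_d = secrets.token_bytes(20)   # phase 1 secret that both peers hold
    spi = secrets.token_bytes(4)         # SPI of the new IPsec SA
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    if pfs:
        xi, gxi = dh_keypair()           # initiator's KE payload carries gxi
        xr, gxr = dh_keypair()           # responder's KE payload carries gxr
        init_key = keymat(skeyid_d, spi, ni, nr, dh_shared(xi, gxr))
        resp_key = keymat(skeyid_d, spi, ni, nr, dh_shared(xr, gxi))
    else:
        init_key = resp_key = keymat(skeyid_d, spi, ni, nr)
    # Attacker model: holds SKEYID_d (so can read the quick-mode messages and learn the
    # SPI, the nonces and any public DH values) but never sees a private exponent.
    # Without PFS the formula needs nothing more; with PFS it needs g^xy, which means
    # solving the Diffie-Hellman problem in the chosen group.
    attacker_key = keymat(skeyid_d, spi, ni, nr)
    return {"peers_agree": init_key == resp_key,
            "attacker_recovers_key": attacker_key == init_key}


if __name__ == "__main__":
    print("no PFS :", rekey(pfs=False))
    print("PFS    :", rekey(pfs=True))
```

Run stand-alone, the first line reports that both peers agree and that the attacker recovers the key; the second reports agreement but no recovery. This is the whole of the trade-off in steps 16 and 17: the PFS exchange costs one extra exponentiation per rekey, in exchange for making each SA's keys independent of the phase 1 state, and the larger the Diffie-Hellman group the harder that extra step is for an adversary. The Rekey Timeout and Rekey Data Count of steps 28 and 29 then bound how much traffic any single KEYMAT protects.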


Configuring Tunneling Protocols and Advanced WAN Settings for the Contivity Secure IP Services Gateway