This AppNote provides detailed configuration and implementation steps to set up a site-to-site (net-to-net) IPsec connection between Novell Security Manager (NSM) 5.1 and Novell BorderManager (NBM) 3.8 servers.
Novell Security Manager, powered by Astaro, is the latest offering from Novell in perimeter security. NSM offers packet filtering, intrusion detection, virus and spam filtering, and content filtering, along with VPN services. In addition to PPTP and L2TP-over-IPsec VPN, Novell Security Manager 5.1 also offers native IPsec VPN. If NSM 5.1 is deployed in an environment where it needs to communicate securely with an NBM 3.8 server, a site-to-site (S2S) IPsec VPN connection can be established between the two.
This AppNote describes the steps for configuring an S2S IPsec tunnel between NSM 5.1 and NBM 3.8. The network setup and IPsec parameters are explained first, followed by the configuration of the IPsec tunnel in both certificate and PSK mode. See also the Glossary of Terms at the end of this AppNote.
The overall setup for the IPsec tunnel is pictured below.
Figure 1 – Overall setup for the IPsec tunnel between NSM 5.1 and NBM 3.8
This AppNote assumes the conditions described below.
Network configuration of the NSM 5.1 server has already been completed using its web-based interface, WebAdmin.
The NBM 3.8 server connects the internal LAN 192.168.10.0/24 to the Internet. The NBM 3.8 server’s WAN (Internet) interface has the address 220.127.116.11.
The NSM 5.1 server connects the internal LAN 192.168.99.0/24 to the Internet. The NSM 5.1 server’s WAN (Internet) interface has the address 18.104.22.168.
For this test scenario a router connects the WAN networks of the NBM 3.8 server (22.214.171.124) and the NSM 5.1 server (126.96.36.199). The addresses of the two router interfaces facing the NBM 3.8 and NSM 5.1 servers are 188.8.131.52 and 184.108.40.206 respectively.
For smooth interoperability between NSM 5.1 and NBM 3.8, use the following IPsec parameters for the IKE Phase-1 and Phase-2 SA negotiations. If you choose a different set of parameters, make sure the proposals configured at both ends (NBM 3.8 and NSM 5.1) are identical, not merely similar: a mismatch in encryption algorithm, hash, IKE DH group or PFS group causes the responder to reject the proposal, and the tunnel never comes up.
The recommended IKE Phase-1 and Phase-2 parameters are listed in the IPsec policy table under "Creating the IPsec Policy" below.
There are two authentication methods available for configuring a site-to-site VPN between NBM 3.8 and NSM 5.1: X.509 certificates and Pre-Shared Key (PSK).
Using a Pre-Shared Key is easier to configure, but it is less secure and harder to maintain than X.509 certificates: the same secret is stored on both gateways and must be changed on both whenever it is exposed. Because configuring the VPN is largely a one-time effort, the certificate method is recommended. If you do use a PSK, generate a long random value rather than a word or phrase, and do not reuse it for other tunnels. The following sections give step-by-step procedures for configuring the VPN with both certificates and PSK.
For the benefit of new users of NSM 5.1, a short introduction to the configuration interface is in order. NSM 5.1 provides a web-based interface (WebAdmin) for configuration management. When you connect to the NSM 5.1 server at “https://Your-NSM-Server-Address/” (in our case 192.168.99.1) and provide the username and password, you get the interface shown in Figure 2. The rest of this AppNote refers to the menu items in the left panel of that interface.
Figure 2 – WebAdmin for Novell Security Manager powered by Astaro
Configuring Definitions and Rules for NSM 5.1
Novell Security Manager 5.1 uses definitions for configuring services. So before configuring the IPsec VPN service on NSM 5.1, you should create the definitions needed for the VPN configuration: network definitions, packet filter rules, and an IPsec policy, each described in the following sections.
Creating Network Definitions
To create network definition objects,
1. Go to Definitions on the left menu panel
2. Select Networks.
The list of default network definitions appears. Assuming the interfaces were named internal (the default) and external during network configuration, the Internal (Network) and External (Interface) definitions already exist.
The table below lists all four definitions used in this AppNote. The two NBM_* entries must be created now; the other two exist by default.
| Name | Type | Address | Description |
|---|---|---|---|
| NBM_PUB_Interface | Host | 220.127.116.11 | Public interface of NBM |
| NBM_PVT_Network | Network | 192.168.10.0/24 | Protected network of NBM |
| External (Interface) | Host | 18.104.22.168 | Public interface of NSM (exists by default) |
| Internal (Network) | Network | 192.168.99.0/24 | Protected network of NSM (exists by default) |
Table: Network Definitions
3. Select the drop down-box New Definition from the top panel.
4. Add the network definitions for the NBM server as shown in Figure 3.
Figure 3 – Adding Network Definition
Creating Packet Filter Rule
By default, NSM 5.1 only allows traffic to its management interface. For hosts on the two protected networks to reach each other once the VPN tunnel is up, you need to create traffic rules (Packet Filter Rules) on NSM that allow the required traffic between Internal (Network) and NBM_PVT_Network in both directions. Keep these rules as narrow as the applications need: a rule allowing Any service between the two networks brings the tunnel up quickly for testing, but it also turns the tunnel into a flat extension of both LANs.
Note: The VPN connection dialog has an Auto Packet Filter option that generates permissive rules for you; if you want specific traffic rules instead, leave that option Off (as done later in this AppNote) and create the rules manually.
Table: Packet Filter Rules
Figure 4 – Configuring Packet Filter Rules
Creating the IPsec Policy
An IPsec policy object defines the parameters for the IKE (Phase-1) and IPsec (Phase-2) negotiations. To create a new IPsec policy for the NBM 3.8 server, use the values in the table below (the policy is referred to as NBM-Policy later in this AppNote).
| Setting | Value |
|---|---|
| ISAKMP (IKE) Settings | |
| IKE Mode | Main Mode |
| Encryption Algorithm | 3DES (168 bit) |
| Authentication Algorithm | MD5 |
| IKE DH Group | DH Group 5 (MODP1536) |
| SA Lifetime (secs) | 14400 |
| IPsec Settings | |
| Encryption Algorithm | 3DES-CBC (168 bit) |
| Authentication Algorithm | MD5 |
| SA Lifetime (secs) | 3600 |
| PFS | PFS Group 2 (MODP1024) |
Table: New IPsec Policy for NBM
These values are chosen for interoperability with NBM 3.8, not for strength: 3DES, MD5 and 1024-bit MODP groups are all considered legacy today. If both ends support AES and SHA-1, prefer them, and use the same DH group for PFS that you use for IKE (Group 5) if NBM 3.8 accepts it. Whatever you choose, the policy on NBM 3.8 must match this one exactly.
Figure 5 – Adding an IPsec policy on NSM
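As an added example that is not part of the original AppNote (and not code from NSM, NBM or Astaro), the following Python script models the Phase-1 and Phase-2 proposals of the two peers as plain dictionaries using the values from the policy table above, reports any parameter that differs between the two sides (the check the troubleshooting section at the end of this AppNote asks you to do by hand when the tunnel will not negotiate), and flags the legacy algorithms in the recommended policy. The dictionary keys, the LEGACY table and the sample NBM policy with a wrong PFS group are this example's own assumptions, not an export format of either product.

```python
"""Compare the IKE Phase-1 / IPsec Phase-2 proposals of two VPN peers.

Added example for this AppNote.  The dictionaries below are this
example's own representation, not a configuration format of NSM 5.1
or NBM 3.8; the values are the ones from the recommended policy.
"""

# One dict per phase; keys are this example's own naming.
NSM_POLICY = {
    "phase1": {"mode": "main", "enc": "3DES", "auth": "MD5",
               "dh_group": 5, "lifetime": 14400},
    "phase2": {"enc": "3DES", "auth": "MD5", "pfs_group": 2,
               "lifetime": 3600},
}

# Algorithms and groups regarded as weak or deprecated for IPsec today
# (RFC 8221 / RFC 8247 guidance); this table is the example's own.
LEGACY = {
    "enc": {"3DES": "64-bit block cipher, deprecated by RFC 8221",
            "DES": "56-bit key, broken"},
    "auth": {"MD5": "collision-prone hash, deprecated for IKE/ESP"},
    "dh_group": {1: "MODP768 too small", 2: "MODP1024 below 112-bit strength"},
    "pfs_group": {1: "MODP768 too small", 2: "MODP1024 below 112-bit strength"},
}


def compare_proposals(local, remote):
    """Return (fatal, warnings), each a list of (phase, key, local, remote).

    fatal    - parameters that must be identical or the responder answers
               NO_PROPOSAL_CHOSEN and Phase 1 or Phase 2 never completes
    warnings - lifetime differences; most implementations settle on the
               shorter value, but a large gap causes needless rekeys and
               confusing "tunnel up on one side only" symptoms
    """
    fatal, warnings = [], []
    for phase in sorted(set(local) | set(remote)):
        lp, rp = local.get(phase, {}), remote.get(phase, {})
        for key in sorted(set(lp) | set(rp)):
            lv, rv = lp.get(key), rp.get(key)
            if lv == rv:
                continue
            entry = (phase, key, lv, rv)
            (warnings if key == "lifetime" else fatal).append(entry)
    return fatal, warnings


def audit_legacy(policy):
    """Return human-readable findings for weak algorithms in one policy."""
    findings = []
    for phase, params in policy.items():
        for key, value in params.items():
            reason = LEGACY.get(key, {}).get(value)
            if reason:
                findings.append(f"{phase}.{key}={value}: {reason}")
    return findings


def report(local, remote):
    """Lines an administrator would want to see before opening the logs."""
    fatal, warnings = compare_proposals(local, remote)
    lines = [f"MISMATCH {p}.{k}: local={lv} remote={rv} (tunnel will not negotiate)"
             for p, k, lv, rv in fatal]
    lines += [f"WARNING  {p}.{k}: local={lv} remote={rv}"
              for p, k, lv, rv in warnings]
    lines += [f"LEGACY   {f}" for f in audit_legacy(local)]
    return lines


if __name__ == "__main__":
    # Constructed: the NBM side was configured with PFS group 5 by mistake
    # and a different Phase-1 lifetime.
    nbm = {phase: dict(params) for phase, params in NSM_POLICY.items()}
    nbm["phase2"]["pfs_group"] = 5
    nbm["phase1"]["lifetime"] = 28800
    print("\n".join(report(NSM_POLICY, nbm)))
```

Run it against the two policies as you entered them on each server; a non-empty MISMATCH list is the first thing to fix before reading IKE logs.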
Configuring IPsec Connection using Certificates
Setting Up Certificates for NSM 5.1
There are three basic steps involved in setting up a Certificate for NSM 5.1:
In this scenario we use a dedicated Certificate Authority (CA) for each VPN server. To configure the CA and certificates for the NSM 5.1 server,
Figure 6 – CA Management Interface
To add a new Signing CA (as shown in Figure-6),
Figure 7 – Creating a new Certificate Authority
Once the CA is created, you can create a Certificate Signing Request (CSR). To add a new CSR (shown in Figure 8),
Figure 8 – Generating a Certificate Request for the Server Certificate
After generating the CSR, the next step is to issue the certificate for NSM 5.1 server. To issue the certificate (as shown in Figure 9),
Figure 9 – Issuing and Exporting the Certificate from CA Management
Configuring the VPN Service on NBM 3.8
The procedure for configuring the VPN service on the NBM 3.8 Server is shown in Figure 10.
Figure 10 – NBM 3.8 VPN Server Configuration
For more information, refer to the online documentation at:
Configuring the Verification CA on Both Servers
For the X.509 certificate mode of authentication, each side verifies the authenticity of the other side's certificate. This requires configuring a Verification CA on both the NBM 3.8 and the NSM 5.1 servers: each server must trust the root that issued the peer's host certificate, otherwise IKE Phase-1 authentication fails even when the IPsec policies match.
To configure the NBM 3.8 Verification CA on the NSM 5.1 server, follow the steps below.
First, from iManager, export the Trusted Root certificate (without the private key) as “F4E-TrustedRoot.der”:
Then, also in iManager, export the Public Key certificate as “F4E-PubKey-Cert.der”:
Next, upload the Trusted Root certificate as the Verification CA on NSM 5.1:
Finally, upload the Public Key certificate as the Host certificate on NSM 5.1:
To configure the NSM 5.1 Verification CA on the NBM 3.8 server, you need the NSM-Host-Cert.der file exported earlier from the NSM CA Management interface.
From iManager, use the exported NSM-Host-Cert.der file to create a Trusted Root Object (TRO) in the default Trusted Root Container (TRC) of the NBM 3.8 server:
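The following is an added example, not part of this AppNote and not code from Novell, NetIQ or Astaro. It uses the openssl command-line tool (which must be installed) to reproduce the certificate exchange of this section in a temporary directory: two independent CAs, one host certificate per VPN server, DER export without private keys, and a check of each host certificate against each root. The CA name NSM-CA, the label F4E standing in for the NBM server's Organizational CA, the key sizes and the small openssl config file are this example's own assumptions. The two cross-checks at the end fail on purpose: that is the state you are in when the wrong file was uploaded as a Verification CA, or when the peer's root was never installed at all.

```python
"""Simulate the certificate exchange between the two VPN peers with openssl.

Added example for this AppNote; it does not drive iManager or the NSM
CA Management pages.  It builds two independent CAs with the openssl
command-line tool, issues one host certificate per VPN server, exports
certificates DER-encoded without private keys (as the AppNote does) and
checks which trusted root verifies which host certificate.
"""
import subprocess
import tempfile
from pathlib import Path

# Minimal openssl request config (this example's own, not a file shipped
# with NSM or NBM) so the self-signed root carries basicConstraints and
# keyUsage on every openssl version instead of relying on the system config.
REQ_CONFIG = """[req]
distinguished_name = dn
x509_extensions = ca_ext
[dn]
[ca_ext]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
"""


def _openssl(*args, cwd):
    """Run one openssl command; raises CalledProcessError on failure."""
    return subprocess.run(["openssl", *args], cwd=cwd, check=True,
                          capture_output=True, text=True)


def _config(workdir):
    cnf = workdir / "req.cnf"
    if not cnf.exists():
        cnf.write_text(REQ_CONFIG)
    return str(cnf)


def make_ca(workdir, name):
    """Create self-signed CA `name` (PEM key + cert); returns the cert path."""
    _openssl("req", "-x509", "-config", _config(workdir), "-newkey", "rsa:2048",
             "-nodes", "-sha256", "-days", "365", "-subj", f"/CN={name}",
             "-keyout", f"{name}.key", "-out", f"{name}.pem", cwd=workdir)
    return workdir / f"{name}.pem"


def export_der(workdir, name):
    """Export `name`.pem as DER: the certificate only, never the private key."""
    _openssl("x509", "-in", f"{name}.pem", "-outform", "der",
             "-out", f"{name}.der", cwd=workdir)
    return workdir / f"{name}.der"


def issue_host_cert(workdir, ca, host):
    """CSR for `host`, signed by CA `ca`; returns the DER host certificate."""
    _openssl("req", "-config", _config(workdir), "-newkey", "rsa:2048",
             "-nodes", "-sha256", "-subj", f"/CN={host}",
             "-keyout", f"{host}.key", "-out", f"{host}.csr", cwd=workdir)
    _openssl("x509", "-req", "-days", "365", "-sha256", "-in", f"{host}.csr",
             "-CA", f"{ca}.pem", "-CAkey", f"{ca}.key", "-CAcreateserial",
             "-out", f"{host}.pem", cwd=workdir)
    return export_der(workdir, host)


def der_subject(der):
    """Subject of a DER certificate: a quick sanity check on an exported file."""
    out = _openssl("x509", "-inform", "der", "-in", str(der), "-noout",
                   "-subject", cwd=der.parent).stdout
    return out.strip()


def verifies(host_der, root_der):
    """True if host_der chains to root_der, the check the peer's IKE daemon makes."""
    wd = host_der.parent
    _openssl("x509", "-inform", "der", "-in", str(host_der), "-out", "chk-host.pem", cwd=wd)
    _openssl("x509", "-inform", "der", "-in", str(root_der), "-out", "chk-root.pem", cwd=wd)
    result = subprocess.run(["openssl", "verify", "-CAfile", "chk-root.pem", "chk-host.pem"],
                            cwd=wd, capture_output=True, text=True)
    return result.returncode == 0


def exchange_demo():
    """Build both sides and report which root verifies which host certificate."""
    with tempfile.TemporaryDirectory() as tmp:
        wd = Path(tmp)
        make_ca(wd, "NSM-CA")   # signing CA created on NSM (constructed name)
        make_ca(wd, "F4E")      # stands in for the NBM server's Organizational CA
        nsm_host = issue_host_cert(wd, "NSM-CA", "NSM-Server")
        nbm_host = issue_host_cert(wd, "F4E", "NBM-Server")
        nsm_root = export_der(wd, "NSM-CA")
        nbm_root = export_der(wd, "F4E")
        return {
            "nbm_root_verifies_nbm_host": verifies(nbm_host, nbm_root),
            "nsm_root_verifies_nsm_host": verifies(nsm_host, nsm_root),
            # Cross cases: what each peer sees if the wrong root is installed.
            "nsm_root_verifies_nbm_host": verifies(nbm_host, nsm_root),
            "nbm_root_verifies_nsm_host": verifies(nsm_host, nbm_root),
            "nbm_host_subject": der_subject(nbm_host),
        }


if __name__ == "__main__":
    for name, value in exchange_demo().items():
        print(f"{name}: {value}")
```

The `der_subject` and `verifies` helpers are the two checks worth running on the real F4E-TrustedRoot.der and NSM-Host-Cert.der files before uploading them: the first confirms you exported the certificate you think you did, the second confirms the host certificate actually chains to the root the other side will be given.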
Adding and Activating the Local IPsec Key on NSM 5.1
NSM 5.1 requires a local IPsec host key. To set and activate the local IPsec key for the NSM 5.1 server,
1. Go to “IPSec VPN” in the left menu panel.
2. Select “Local Keys” and go to the Local IPSec X.509 Key section.
3. Select NSM-Server from Local Certificates.
4. Enter the passphrase for the host certificate and click Save.
This sets the NSM host certificate as the local X.509 IPsec key. The activated local key is shown in Figure 11.
Figure 11 – Activating Local Key at NSM Server
Creating a New VPN connection on NSM 5.1
As the final step in configuration on NSM 5.1 server, you need to define a VPN connection to the NBM 3.8 Server. To create a new IPSec connection between the NSM 5.1 and NBM 3.8 servers,
This expands the new connection dialog box as shown in Figure 12.
Figure 12 – Creating new Ipsec connection on NSM Server
5. Enter the parameters shown in the table below to define the new connection, then click Add.
| Parameter | Value |
|---|---|
| Type | Standard (already selected) |
| IPSec Policy | NBM-Policy (created previously) |
| Auto Packet Filter | Off |
| End Point Definition | |
| Subnet Definition (optional) | |
| Local Subnet | Internal (Network) |
| Authentication of Remote Subnet(s) | |
Table: Parameters for new IPsec definition on NSM Server
Adding NSM 5.1 as a Slave Server to NBM 3.8
From iManager, go to the Member Lists tab and then click Add. Configure the following parameters as shown in Figure 13.
Figure 13 – Adding NSM 5.1 as 3rd Party VPN server to NBM 3.8
Adding Third-Party Traffic Rules for NSM 5.1 on NBM 3.8
The steps below should produce the results shown in Figure 14.
Figure 14 – Adding a 3rd Party Traffic rule for NSM 5.1
Verifying the Tunnel
Configuring the IPSec Connection using PSK
Setting up the S2S IPsec tunnel between NBM 3.8 and NSM 5.1 with PSK authentication is much the same as described above, except that the certificate configuration steps are omitted. Configuring the VPN service on NBM 3.8 is the same as described above.
Adding a Pre-Shared Key on NSM 5.1
NSM 5.1 requires you to create a remote Pre-Shared Key object for the PSK mode of authentication. To create a new Remote Key,
Creating a New VPN Connection on NSM 5.1
Creating a new VPN connection for a Pre-Shared Key is similar to creating a connection with X.509 certificates; the difference is in the NAME and KEY fields. To create a new IPSec connection between the NSM 5.1 and NBM 3.8 servers,
Adding NSM 5.1 as a Slave Server to NBM 3.8, for PSK
This process is similar to the one described above in “Adding an NSM 5.1 Server as Slave Server to NBM 3.8,” with minor differences in the authentication mode configuration.
The 3rd Party Traffic rule configuration is the same as described above.
Verifying the Tunnel
If the tunnel negotiation is failing, you can view the logs in the NSM 5.1 server to determine the cause. To do this,
Make sure all the IPsec parameters configured on both sides are identical for both the Phase-1 and Phase-2 negotiations, including the IKE DH group and the PFS group; a proposal mismatch is rejected by the responder and the tunnel never comes up.
If the IPsec tunnel comes up but machines on the protected networks cannot communicate, verify that the firewalls on both the NBM 3.8 and NSM 5.1 servers allow the corresponding traffic (on NSM 5.1, the packet filter rules created earlier, or the rules generated by Auto Packet Filter if you enabled it).
Verify that protected networks are added for both NBM 3.8 and NSM 5.1 servers in the NBM 3.8 VPN configuration.
NBM 3.8 interoperates with the NSM 5.1 (Linux-based) IPsec VPN in both certificate mode and PSK mode. The two servers do not need certificates issued by the same certificate authority; the CAs can be different, as long as each server has the other side's trusted root (or host certificate) installed as its verification CA, as described above.
Disclaimer: As with everything else at NetIQ Cool Solutions, this content is definitely not supported by NetIQ, so Customer Support will not be able to help you if it has any adverse effect on your environment. It just worked for at least one person, and perhaps it will be useful for you too. Be sure to test in a non-production environment.