Virtual Private Network Prerequisites
Before you start to set up the VPN component of the Novell BorderManager 3.8 software, you must meet the prerequisites described in this section.
This section contains the following topics:
- Site-to-Site VPN Prerequisites
- Client-to-Site VPN Prerequisites
- Setting Up VPN Filters
Site-to-Site VPN Prerequisites
Before you set up a site-to-site VPN, your network must meet the following requirements:
- The NetWare routing software must be installed and configured on each VPN server. Configuring the routing software includes, but is not limited to, setting up the LAN or WAN links to the other VPN members and configuring static or dynamic routing for Internet Packet Exchange (IPX) and IP packets.
Verify connectivity between your VPN servers as required by your selected VPN topology. Any associated firewall software should be configured and connectivity should be verified before the VPN software is installed and before each VPN server is attached to the private networks it will protect.
- If your VPN sites are not on the same intranet, each VPN server must have a connection to the Internet, either directly or indirectly. If your VPN server is connected directly to the Internet, obtain the public IP address provided by your Internet Service Provider (ISP) for that connection. Each VPN server uses its public IP address to exchange encrypted information with the other VPN servers.
Obtain the public IP address before you set up the VPN, and test the ISP connection before the VPN software is installed and before the VPN server is attached to any private networks. In the case of an intranet VPN, an ISP connection is not required.
- If your VPN server is connected directly to the Internet, the IP address of the ISP connection must be permanent (static): the other VPN members must be able to reach this server at a fixed address.
- The VPN server must have only one connection to the Internet. Otherwise, you risk sending and receiving your confidential data unencrypted if your data is routed to the other connection.
- If you are configuring a VPN server for the first time in an NDS® or Novell eDirectory tree, you must be able to log in to the server's NDS or eDirectory tree with administrative rights in order to extend the Server object schema.
- If the VPN server is also the firewall machine that protects your private network from the Internet, select the Setup Novell BorderManager 3.8 for Secure Access to the Public Interface option during the initial Novell BorderManager 3.8 installation and configuration. Otherwise, load BDRCFG to configure the required filters.
- If your VPN server is behind a firewall, be sure to configure the firewall with the proper packet forwarding filters, as determined by your security policy.
If the firewall is also running the Novell BorderManager 3.8 software, select the Setup Novell BorderManager 3.8 for Secure Access to the Public Interface option during the initial Novell BorderManager 3.8 installation and configuration to automatically configure firewall filters.
These firewall filters must then be altered as determined by your security policy. In general, the filters must be altered to allow VPN members to communicate with each other and to allow encrypted packets to pass through. Refer to Setting Up VPN Filters.
The filters listed in Setting Up VPN Filters can be used as a guideline for how the firewall filters should be altered for VPN. The filters might also have to be altered to allow communication with other Novell BorderManager 3.8 services.
The firewall filters can also be configured after installation by loading BDRCFG. If the firewall is not running the Novell BorderManager 3.8 software, you must configure these filters manually as described in the documentation provided with the third-party firewall product.
- If two VPN servers are on the same network, or the hop count between them is one, you must use FILTCFG to prevent any private network routes from being advertised through the public interfaces.
- If your network uses Open Shortest Path First (OSPF) dynamic routing, your VPN server must be located on a pure OSPF backbone area.
Client-to-Site VPN Prerequisites
Before you install the VPN client software, verify that the following prerequisites have been met:
- The workstation must be running Windows 98, Windows 2000, Windows XP, Windows Me or Windows NT.
- If the VPN client will be using a dial-up connection, Microsoft Dial-Up Networking must be installed before installing the VPN client software. Refer to the VPN client Readme for limitations.
- If you are using the VPN client with the Novell Client software, Novell Client version 4.83 or later is recommended.
- If you are using the VPN LAN client, you must have an Ethernet adapter.
- If you are using Windows NT, you must use an Intel-based workstation. The VPN client does not support Alpha workstations.
- If you are using Windows NT, apply the latest service pack (Windows NT SP4).
- If you are using Windows NT, you must log in to Windows NT as a user with administrative rights in order to install the VPN client.
- The VPN server must have only one connection to the Internet. Otherwise, you risk sending and receiving your confidential data unencrypted if your data is routed to the other connection.
- If your VPN server is behind a firewall, be sure to configure the firewall with the proper packet forwarding filters, as determined by your security policy. If the firewall is also running the Novell BorderManager 3.8 software, select the Setup Novell BorderManager 3.8 for Secure Access to the Public Interface option during the initial installation and configuration to automatically configure firewall filters.
These firewall filters must then be altered as determined by your security policy. In general, the filters must be altered to allow VPN clients to communicate with the server and to allow encrypted packets to pass through. The filters listed in Setting Up VPN Filters can be used as a guideline for how the firewall filters should be altered. The filters might also have to be altered to allow communication with other Novell BorderManager 3.8 services.
The firewall filters can also be configured after installation by loading BDRCFG. If the firewall is not running the Novell BorderManager 3.8 software, you must configure these filters manually as described in the documentation provided with the third-party firewall product.
Setting Up VPN Filters
These tables list the filter exceptions required on a Novell BorderManager 3.8 server to keep the different types of VPN connections up. In each table, Public IP Address is the public IP address of the VPN server, and a row whose destination is the Public IP Address describes incoming traffic while a row whose source is the Public IP Address describes outgoing traffic.
Client-to-Site

| Source Address | Source Port | Destination Address | Destination Port | Protocol |
|---|---|---|---|---|
| Any | Any | Public IP Address | 353 (VPN-AuthGW-st) | TCP(6) |
| Any | Any | Public IP Address | 353 (VPN-KeepAlive) | UDP(17) |
| Any | Any | Public IP Address | (VPN-SKIP) | SKIP(57)* |
| Any | Any | Public IP Address | (ESP-st) | ESP(50) |
| Any | Any | Public IP Address | 500 (IKE-st) | IKE(UDP) |
Site-to-Site

| Source Address | Source Port | Destination Address | Destination Port | Protocol |
|---|---|---|---|---|
| Public IP Address | Any | Any | 213 (ipx/tcp-st) | TCP(6) |
| Any | Any | Public IP Address | (VPN-SKIP) | SKIP(57)* |
| Public IP Address | Any | Any | (VPN-SKIP) | SKIP(57)* |
| Any | Any | Public IP Address | 2010 (VPTUNNEL-st) | UDP(17) |
| Public IP Address | Any | Any | 2010 (VPTUNNEL-st) | UDP(17) |
| Any | Any | Public IP Address | 213 (ipx/tcp-st) | TCP(6) |
| Any | Any | Public IP Address | (ESP-st) | ESP(50) |
| Public IP Address | Any | Any | (ESP-st) | ESP(50) |
| Any | Any | Public IP Address | 500 (IKE-st) | IKE(UDP) |
| Public IP Address | Any | Any | 500 (IKE-st) | IKE(UDP) |
Special cases: Behind NAT

| Serial No. | Source Address | Source Port | Destination Address | Destination Port | Protocol |
|---|---|---|---|---|---|
| 1 | Any | Any | Public IP Address | 2010 (VPTUNNEL-st) | UDP(17)** |
| 2 | Public IP Address | Any | Any | 2010 (VPTUNNEL-st) | UDP(17)** |
| 3 | Public IP Address | Any | Any | 4500 (IKE-NAT-st) | IKE-NAT-ST |
| 4 | Any | Any | Public IP Address | 4500 (IKE-NAT-st) | IKE-NAT-ST |
* Required only for backward compatibility with Novell BorderManager 3.7 VPN servers.
** Required only for backward compatibility with Novell BorderManager 3.7 VPN servers for client-to-site connections.
Serial numbers 3 and 4 apply when the servers of a site-to-site connection are behind NAT; they are required in place of the destination port 500 (IKE-st) entries in the site-to-site table. Only serial number 4 is required when the server or the client of a client-to-site connection is behind NAT; it is required in place of the destination port 500 (IKE-st) entry in the client-to-site table.
NOTE: After IKE completes, the client uses the keepalive port (UDP 353) to signal to the server that the connection is up from the client side. The client also uses it to tell the server to reset the connection timeouts whenever traffic starts from the client end. For these reasons this port must remain open, even for NMAS/IKE and even when keepalives are disabled.
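The tables above are easy to misread when a server moves behind NAT or when keepalives are switched off, so the following Python script encodes them as data and audits a candidate firewall rule set against them. It is an added example and not BorderManager tooling (the BorderManager filters themselves are configured with FILTCFG or BDRCFG, and a third-party firewall is configured with its own tools); the `Exc`/`Rule` encoding, the `required_exceptions` and `missing_exceptions` functions and the constructed policy are assumptions of this example, while the protocol and port numbers are taken from the Client-to-Site, Site-to-Site and Behind NAT tables and their footnotes. The constructed policy shows the mistake the NOTE warns about: an administrator who disables keepalives and drops the UDP 353 exception.

```python
"""Derive the VPN filter exceptions a Novell BorderManager 3.8 server needs
and audit a candidate firewall rule set against them.

Added example, not BorderManager tooling.  The Exc/Rule encoding and the
audit functions are assumptions of this example; the protocol and port
numbers come from the Client-to-Site, Site-to-Site and Behind NAT tables.
"""
from typing import List, NamedTuple, Optional

# IANA protocol numbers as they appear in the tables.
TCP, UDP, ESP, AH, SKIP = 6, 17, 50, 51, 57


class Exc(NamedTuple):
    """One filter exception.  direction 'in': the VPN public IP address is the
    destination; 'out': it is the source.  A port of None means Any."""
    proto: int
    direction: str
    src_port: Optional[int]
    dst_port: Optional[int]
    name: str


class Rule(NamedTuple):
    """A permit rule of the candidate firewall policy (same encoding, no name)."""
    proto: int
    direction: str
    src_port: Optional[int]
    dst_port: Optional[int]


def required_exceptions(topology: str, behind_nat: bool = False,
                        bm37_compat: bool = False) -> frozenset:
    """Exceptions for 'client-to-site' or 'site-to-site'.

    behind_nat  : server (or client) is behind NAT, so UDP 4500 (IKE-NAT-st)
                  replaces UDP 500 (IKE-st), as the Behind NAT table says.
    bm37_compat : keep the SKIP (57) exceptions and, for a NAT-ed client-to-site
                  tunnel, UDP 2010, which only BorderManager 3.7 peers need.
    """
    ike = (Exc(UDP, "in", None, 4500, "IKE-NAT-st") if behind_nat
           else Exc(UDP, "in", None, 500, "IKE-st"))
    if topology == "client-to-site":
        req = {
            Exc(TCP, "in", None, 353, "VPN-AuthGW-st"),
            # UDP 353 stays open even with keepalives disabled and with NMAS/IKE:
            # the client uses it to report the tunnel is up and to reset timeouts.
            Exc(UDP, "in", None, 353, "VPN-KeepAlive"),
            Exc(ESP, "in", None, None, "ESP-st"),
            ike,
        }
        if bm37_compat:
            req.add(Exc(SKIP, "in", None, None, "VPN-SKIP"))
            if behind_nat:  # Behind NAT serial numbers 1 and 2 (** footnote)
                req.add(Exc(UDP, "in", None, 2010, "VPTUNNEL-st"))
                req.add(Exc(UDP, "out", None, 2010, "VPTUNNEL-st"))
    elif topology == "site-to-site":
        req = set()
        for d in ("in", "out"):
            req.add(Exc(TCP, d, None, 213, "ipx/tcp-st"))
            req.add(Exc(UDP, d, None, 2010, "VPTUNNEL-st"))
            req.add(Exc(ESP, d, None, None, "ESP-st"))
            req.add(ike._replace(direction=d))
            if bm37_compat:
                req.add(Exc(SKIP, d, None, None, "VPN-SKIP"))
    else:
        raise ValueError(f"unknown topology {topology!r}")
    return frozenset(req)


def covers(rule: Rule, exc: Exc) -> bool:
    """True if `rule` permits everything `exc` requires.  A rule port of Any
    (None) covers any port; a specific rule port must match exactly."""
    def port_ok(r: Optional[int], e: Optional[int]) -> bool:
        return r is None or r == e
    return (rule.proto == exc.proto and rule.direction == exc.direction
            and port_ok(rule.src_port, exc.src_port)
            and port_ok(rule.dst_port, exc.dst_port))


def missing_exceptions(policy: List[Rule], topology: str, **kw) -> List[Exc]:
    """Required exceptions that no rule in `policy` covers, sorted by name."""
    req = required_exceptions(topology, **kw)
    missing = [e for e in req if not any(covers(r, e) for r in policy)]
    return sorted(missing, key=lambda e: (e.name, e.direction))


# Constructed policy for a client-to-site server behind NAT whose administrator
# disabled keepalives and therefore dropped UDP 353, which must stay open.
CONSTRUCTED_POLICY = [
    Rule(TCP, "in", None, 353),
    Rule(ESP, "in", None, None),
    Rule(UDP, "in", None, 4500),
]

if __name__ == "__main__":
    for e in missing_exceptions(CONSTRUCTED_POLICY, "client-to-site", behind_nat=True):
        print(f"missing: {e.name} proto {e.proto} {e.direction} dst port {e.dst_port}")
```

Run against the constructed policy the audit reports the single missing VPN-KeepAlive exception (UDP 353 inbound). Because `covers` treats a rule port of Any as a superset, a broad rule such as `Rule(UDP, "in", None, None)` satisfies both the keepalive and the IKE-NAT exceptions, which is also how a too-permissive third-party firewall would pass this audit: the script checks that nothing required is blocked, not that nothing unnecessary is open.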
On VPN Master Site
The following filters must be opened on the firewall to allow the incoming packets.
| Protocol | Source (Address: Port) | Destination (Address: Port) | Description |
|---|---|---|---|
| TCP(6) | Any: Any | Any: 353 | NAT-ed and non-NAT-ed VPN clients connect to this port to authenticate the user to authgw.nlm. The destination address can be made more specific by specifying the VPN public IP address. |
| TCP(6) | Any: 213 | Any: Any | VP Slave responds to VP Master through this port after VP Master makes the connection to VP Slave on port 213. The destination address can be made more specific by specifying the VPN public IP address. |
| SKIP (57) | Any: Any | Any: Any | Allow any packets with protocol ID 57. These are SKIP/IPsec VPN packets; IANA has assigned protocol ID 57 to SKIP. This is for site-to-site as well as non-NAT-ed client-to-site tunnels. |
| UDP (17) | Any: Any | Any: 2010 | The VPN sites communicate over this UDP port to handshake a VPN connection disconnect. NAT-ed client-to-site connections use this port for the tunnel. The destination address can be made more specific by specifying the VPN public IP address. |
| UDP (17) | Any: Any | Any: 353 | This port is used by the (NAT-ed and non-NAT-ed) VPN client and the authentication gateway (authgw.nlm) for keepalive and disconnect packets. |
The following filters must be opened on the firewall to allow the outgoing packets.
| Protocol | Source (Address: Port) | Destination (Address: Port) | Description |
|---|---|---|---|
| TCP(6) | Any: 353 | Any: Any | Authgw communicates with (NAT-ed and non-NAT-ed) VPN clients over this port during the authentication of the user. The VPN client first connects to authgw on this port. The source address can be made more specific by specifying the VPN public IP address. |
| TCP(6) | Any: Any | Any: 213 | VP Master connects to VP Slave on this port to resynchronize or receive activity updates. The source address can be made more specific by specifying the VPN public IP address. |
| SKIP (57) | Any: Any | Any: Any | Allow any packets with protocol ID 57. These are SKIP/IPsec VPN packets; IANA has assigned protocol ID 57 to SKIP. This is for site-to-site as well as non-NAT-ed client-to-site tunnels. |
| UDP (17) | Any: 2010 | Any: Any | The VPN sites communicate over this UDP port to handshake a VPN connection disconnect. NAT-ed client-to-site connections use this port for the tunnel. The source address can be made more specific by specifying the VPN public IP address. |
| UDP (17) | Any: 353 | Any: Any | This port is used by the (NAT-ed and non-NAT-ed) VPN client and the authentication gateway (authgw.nlm) for keepalive and disconnect packets. |
On VPN Slave Site
The following filters must be opened on the firewall to allow the incoming packets.
| Protocol | Source (Address: Port) | Destination (Address: Port) | Description |
|---|---|---|---|
| TCP(6) | Any: Any | Any: 353 | NAT-ed and non-NAT-ed VPN clients connect to this port to authenticate the user to authgw.nlm. The destination address can be made more specific by specifying the VPN public IP address. |
| TCP(6) | Any: Any | Any: 213 | VP Master connects to this port to communicate with VP Slave; VP Slave listens on this port. The destination address can be made more specific by specifying the VPN public IP address. |
| SKIP (57) | Any: Any | Any: Any | Allow any packets with protocol ID 57. These are SKIP/IPsec VPN packets; IANA has assigned protocol ID 57 to SKIP. This is for site-to-site as well as non-NAT-ed client-to-site tunnels. |
| UDP (17) | Any: Any | Any: 2010 | The VPN sites communicate over this UDP port to handshake a VPN connection disconnect. NAT-ed client-to-site connections use this port for the tunnel. The destination address can be made more specific by specifying the VPN public IP address. |
| UDP (17) | Any: Any | Any: 353 | This port is used by the (NAT-ed and non-NAT-ed) VPN client and the authentication gateway (authgw.nlm) for keepalive and disconnect packets. |
The following filters must be opened on the firewall to allow the outgoing packets.
| Protocol | Source (Address: Port) | Destination (Address: Port) | Description |
|---|---|---|---|
| TCP(6) | Any: 353 | Any: Any | Authgw communicates with (NAT-ed and non-NAT-ed) VPN clients over this port during the authentication of the user. The VPN client first connects to authgw on this port. The source address can be made more specific by specifying the VPN public IP address. |
| TCP(6) | Any: 213 | Any: Any | VP Slave responds to VP Master from this port after VP Master connects to VP Slave listening on this port. The source address can be made more specific by specifying the VPN public IP address. |
| SKIP (57) | Any: Any | Any: Any | Allow any packets with protocol ID 57. These are SKIP/IPsec VPN packets; IANA has assigned protocol ID 57 to SKIP. This is for site-to-site as well as non-NAT-ed client-to-site tunnels. |
| UDP (17) | Any: 2010 | Any: Any | The VPN sites communicate over this UDP port to handshake a VPN connection disconnect. NAT-ed client-to-site connections use this port for the tunnel. The source address can be made more specific by specifying the VPN public IP address. |
| UDP (17) | Any: 353 | Any: Any | This port is used by the (NAT-ed and non-NAT-ed) VPN client and the authentication gateway (authgw.nlm) for keepalive and disconnect packets. |
Exceptions Required to Keep a Client-to-Site and a Site-to-Site Connection Up
| Source Address | Source Port | Destination Address | Destination Port | Protocol | Name |
|---|---|---|---|---|---|
| Any | Any | Public IP Address | 353 | TCP(6) | VPN-Authgw |
| Any | Any | Public IP Address | 353 | UDP(17) | VPN-Authgw |
| Any | 213 | Public IP Address | Any | TCP(6) | |
| Any | Any | Public IP Address | Any | SKIP(57)* | |
| Public IP Address | Any | Any | Any | SKIP(57)* | |
| Any | Any | Public IP Address | 2010 | UDP (17) | |
| Public IP Address | Any | Any | 2010 | UDP (17) | |
| Public IP Address | Any | Any | 213 | TCP(6) | |
| Any | Any | Public IP Address | Any | AH (51) | |
| Public IP Address | Any | Any | Any | AH (51) | |
| Any | Any | Public IP Address | Any | ESP (50) | |
| Public IP Address | Any | Any | Any | ESP (50) | |
| Any | Any | Public IP Address | 500 | IKE (UDP) | |
| Public IP Address | Any | Any | 500 | IKE (UDP) | |
| Public IP Address | Any | Any | 4500 | IKE-NAT-ST | |
| Any | Any | Public IP Address | 4500 | IKE-NAT-ST | |