How to setup Client to Site VPN with BorderManager

(Last modified: 09Dec2005)

This document (10098306) is provided subject to the disclaimer at the end of this document.

fact

Novell Bordermanager 3.8

symptom

Client to Site VPN does not work

fix

  1. Install BorderManager support pack 3 or later AND put on the latest TCP/IP stack (Domestic version, sometimes called NICI version).  On the workstation use VPN Client 3.8.9 or later and NetWare Client 4.91 or later.

  2. Make sure the right filters are installed.  Go into FILTCFG | Configure TCP/IP Filters | Packert Forwarding Filters | Exceptions.  Look for the following filters: AH-st, ESP-st, IKE-NAT-st, IKE-st, VPN-SKIP-st, VPTUNNEL-st, VPN-AuthGW-st, VPN-KeepAlive-st.  If you are missing any of these filters please restore default filters with iManager (TID 10097678) and reboot.

  3. Enable routing and disable RIP on vpn server: In inetcfg | Protocols | TCP/IP
    A) Make sure IP Packet Forwarding is: Enabled (Router)
    B) RIP is set to: Disabled.

  4. While in INETCFG, go into Protocols and change IPX to "Enabled" state or "Disabled" state.  A state of "Unconfigured" can have issues.  

  5.  At the server console type: FILTCFG and select "Configure Interface Options" and change the public interface to a status of "Public" and change the private interface to a status of "Private".  The tab key will change the status.  VPTunnel should remain as "Private". 

  6. Edit the HOSTS file so that the only the internal IP addess is listed with the server's name.  If the DNS name is listed on the line with the private IP, delete it.  IE. 10.0.0.1   Server1  If this line had the servers Public IP or DNS name and IKEand AuthGW does not load after setup, you may need to recreate the filters with iManager (TID 10097678) and reboot.

  7. The BorderManager server must be the default gateway for workstations and servers on the private network OR the default gateway for the private network must also include a route (next hop) to the BorderManager private interface for traffic is that is destined for the Client to Site "Address Pool" network.  Example:  Network 1.0.0.0 (Address Pool example network) next hop 10.0.0.1 (BorderManager Private example IP). 

  8.  Open iManager: NBM VPN Configuration | VPN Server Configuration | Select VPN server from listing.   Make sure Server address is the public IP address of BM server, the mask is correct for public IP address of BM server and the Tunnel address is not on the same network as the private NIC of the BM server.  At the bottom check the "Server Certificate" listed. Default is ServerCert - <Server Name>, the "Trusted Root" listed. Default is TRC - <Server Name. their org> and "Perfect Forward Secrecy" check box is checked.

  9. Open iManager: NBM VPN Configuration | VPN Client to Site Configuration | Select "Default_C2S_Service.<org>".   Should come up on the General Tab. Make sure the "Trusted Root" is the one from the Server Config page.  DeFault is "TRC - <Server Name.org>".  The Address Pool is not on the same network as the Private network of the BM box. It is good to go with the default of 1.0.0.0. This means the first client to connect to the VPN will be know on the private network as 1.0.0.1, next one will be 1.0.0.2.

  10. Switch to the Traffic Rules Tab and change the Default rule action is "Bypass(Split Tunnel)".  Then hit the new Button | name rule "AllowAll" | Select  "Define Destination" | Click on Radio button "Only Use IP List" | Click the "Add" button | Put in the Private side Network the VPN will be connecting to  | hit "Apply" | hit "OK". A different rule will need to be made for every network the VPN client needs to connect to thru the VPN tunnel.

    11.  

  11. Click on the Authentication Rules tab. If the only only rule is "Default_Authentication_Rule", click on the new button and add a rule called "NMAS". Click on the drop down for Authentication Condition.   Check the box called "Allow NMAS Authentication" Check that the "Minimum allowed authentication grade" is set to "Logged" and nothing else (very important).  Click "Apply" and then click "OK".

  12. Select the DNS/SLP Configuration tab and put in the private side address of the DA.

  13. In iManager go: NBM VPN Configuration | NBM VPN Server Configuration | Select Server | Check the box "Client to Site" box.  Click the Details button.  Select the service "Default_C2S_Serivice.<org>" 

  14. Set up the VPN Client on the workstation.

    A) Go to the "Configuration" Tab and select "NMAS".
    B) Go to the VPN tab and put in the public IP address of the VPN server in the SPN Server ip address space.  Then in the Sequence space in the drop down and select " NDS".
    C) Go to the eDirectory Tab and put in the user name, password and eDir context of the user that is logging in.  Where it says NetWare Server, put in the Private Side IP  of the Netware Server that the VPN user will be logging into for their drive mappings.

The VPN Client can now log in to the VPN server.

.

document

Document Title: How to setup Client to Site VPN with BorderManager
Document ID: 10098306
Solution ID: NOVL102753
Creation Date: 18Jul2005
Modified Date: 09Dec2005
Novell Product Class:Novell BorderManager Services

disclaimer

The Origin of this information may be internal or external to Novell. Novell makes all reasonable efforts to verify this information. However, the information provided in this document is for your information only. Novell makes no explicit or implied claims to the validity of this information.
Any trademarks referenced in this document are the property of their respective owners. Consult your product manuals for complete trademark information.