Avaya Bay Dial VPN Networks User Manual


Summary of Contents

Page 1 - VPN Services

BayRS Version 14.00
Part No. 308606-14.00 Rev 00
September 1999
4401 Great America Parkway
Santa Clara, CA 95054
Configuring and Troubleshooting Bay Dial

Page 2 - Statement of Conditions

x308606-14.00 Rev 00Operation and Troubleshooting Layer 2 Tunnels ... C-25Troubleshooting the

Page 3

Configuring and Troubleshooting Bay Dial VPN Services 6-6 308606-14.00 Rev 00
Table 6-2 summarizes the user stop messages that the NAS sends to the pro

Page 4

Configuring the TMS Using RADIUS 308606-14.00 Rev 00 6-7
RADIUS Attributes That Support Tunneling
The RADIUS attributes that support TMS come from two g

Page 5 - Contents

Configuring and Troubleshooting Bay Dial VPN Services6-8 308606-14.00 Rev 00Table 6-4 lists the RADIUS attributes that the Layer 3 gateway supports.T

Page 6

Configuring the TMS Using RADIUS308606-14.00 Rev 00 6-9 RADIUS Attributes for Backup and Distributed GatewaysBackup and distributed gateways use the f

Page 7

Configuring and Troubleshooting Bay Dial VPN Services6-10 308606-14.00 Rev 00Table 6-5 describes these attributes.Table 6-5. BSAC TMS Attributes for

Page 8

Configuring the TMS Using RADIUS 308606-14.00 Rev 00 6-11
Annex-Secondary-Srv-Endpoint (Nortel Networks VSA 79)
Allows an ordered list of up to 10 secon

Page 9

Configuring and Troubleshooting Bay Dial VPN Services6-12 308606-14.00 Rev 00Configuring Secondary GatewaysTo configure one or more secondary gateway

Page 10 - 308606-14.00 Rev 00

Configuring the TMS Using RADIUS 308606-14.00 Rev 00 6-13
For example, to configure load distribution with three gateways, use the following format:
Ann

Page 11

Configuring and Troubleshooting Bay Dial VPN Services6-14 308606-14.00 Rev 00TMS Parameters for erpcd-Based and All-RADIUS Tunnels While TMS operatio

Page 12

Configuring the TMS Using RADIUS 308606-14.00 Rev 00 6-15
TMS System Log (Syslog) Messages
TMS writes its system and error messages to the system log fi

Page 13

308606-14.00 Rev 00xiFiguresFigure 1-1. Dial VPN Network with Layer 3 and Layer 2 Tunnels ...1-3Figure 1-2. Dial VPN Netwo

Page 15 - Before You Begin

308606-14.00 Rev 00 7-1 Chapter 7Configuring Layer 3 GatewaysOnly Layer 3 tunnels use a gateway. To configure a Nortel Networks router at the service

Page 16 - Text Conventions

Configuring and Troubleshooting Bay Dial VPN Services7-2 308606-14.00 Rev 005.Specify the IP address for this frame relay or PPP interface.This is th

Page 17 - Acronyms

Configuring Layer 3 Gateways 308606-14.00 Rev 00 7-3
c. Specify the keys associated with this SPI value.
Each SPI value has a 128-bit key associated with

Page 18

Configuring and Troubleshooting Bay Dial VPN Services7-4 308606-14.00 Rev 00h.Enter the IP address of the RADIUS server to which this client will con

Page 19 - Hard-Copy Technical Manuals

Configuring Layer 3 Gateways 308606-14.00 Rev 00 7-5
Gateway Accounting Messages
The gateway sends messages to the customer RADIUS server accounting for

Page 21 - Tunneling Overview

308606-14.00 Rev 00 8-1 Chapter 8Requirements Outside the ISP NetworkAlthough the responsibility for configuring network elements outside the Dial VPN

Page 22 - What Is Tunneling?

Configuring and Troubleshooting Bay Dial VPN Services8-2 308606-14.00 Rev 00Configuring a Static Route and an Adjacent HostA static route is a manual

Page 23

Requirements Outside the ISP Network308606-14.00 Rev 00 8-3 In Figure 8-1, the IP addresses and the frame relay DLCI are in bold type. The dashed line

Page 25

Configuring and Troubleshooting Bay Dial VPN Services8-4 308606-14.00 Rev 00Dynamic mode lets you make changes to the currently running configuration

Page 26 - DVS0012A

Requirements Outside the ISP Network308606-14.00 Rev 00 8-5 Configuring the Adjacent Host and Static RoutesThe next step is to create a single adjacen

Page 27 - Dial VPN Network Components

Configuring and Troubleshooting Bay Dial VPN Services8-6 308606-14.00 Rev 00For a Nortel Networks router with frame relay, the complete static route

Page 28

Requirements Outside the ISP Network308606-14.00 Rev 00 8-7 • The IP address of the CPE router’s network interface to the adjacent host (next hop)• Th

Page 29

Configuring and Troubleshooting Bay Dial VPN Services8-8 308606-14.00 Rev 00Configuring Frame Relay on the CPE RouterIf the CPE router is a Nortel Ne

Page 30

Requirements Outside the ISP Network308606-14.00 Rev 00 8-9 • Use the Site Manager Statistics Manager to verify that the frame relay connection is ope

Page 31

Configuring and Troubleshooting Bay Dial VPN Services8-10 308606-14.00 Rev 00Configuring the CPE Router for IPX Support (Layer 3 Only)When configurin

Page 32

Requirements Outside the ISP Network308606-14.00 Rev 00 8-11 6. Enter the Novell Configured Network Number (in hexadecimal notation) of your Ethernet

Page 33

Configuring and Troubleshooting Bay Dial VPN Services8-12 308606-14.00 Rev 00Table 8-1 shows the relationship between interface types and encapsulati

Page 34 - Where to Go Next

Requirements Outside the ISP Network308606-14.00 Rev 00 8-13 This completes the CPE router Ethernet and Serial interface configuration for IPX.Configu

Page 35 - Dial VPN Layer 2 Tunneling

308606-14.00 Rev 00xiiiTablesTable 1-1. Layer 3 and Layer 2 Dial VPN Feature Implementation ...1-5Table 4-1. Where to Find Con

Page 36

Configuring and Troubleshooting Bay Dial VPN Services8-14 308606-14.00 Rev 00Enabling L2TP on an Unconfigured WAN InterfaceTo enable L2TP on an uncon

Page 37

Requirements Outside the ISP Network308606-14.00 Rev 00 8-15 Enabling L2TP on an Existing PPP InterfaceTo enable L2TP on an interface with PPP and IP

Page 38 - L2TP Packet Encapsulation

Configuring and Troubleshooting Bay Dial VPN Services8-16 308606-14.00 Rev 00Enabling L2TP on an Existing Frame Relay InterfaceTo enable L2TP on an i

Page 39

Requirements Outside the ISP Network308606-14.00 Rev 00 8-17 Installing and Configuring BSAC on the Home NetworkBSAC can run on a server running UNIX,

Page 40

Configuring and Troubleshooting Bay Dial VPN Services8-18 308606-14.00 Rev 00Configuring IPX on the Home Network RADIUS ServerBaySecure Access Contro

Page 41 - Security in an L2TP Network

Requirements Outside the ISP Network308606-14.00 Rev 00 8-19 Defining Assignable DHCP Address RangesThe following sections pertain to configuring DHCP

Page 42

Configuring and Troubleshooting Bay Dial VPN Services8-20 308606-14.00 Rev 00Creating Scopes and a SuperscopeThe following sections describe the proc

Page 43 - RADIUS User Authentication

Requirements Outside the ISP Network308606-14.00 Rev 00 8-21 Creating the Scope of Assignable AddressesNext, create the scope of addresses that you wa

Page 44 - L2TP IP Interface Addresses

Configuring and Troubleshooting Bay Dial VPN Services8-22 308606-14.00 Rev 00Once you have completed these procedures, the DHCP is configured to dyna

Page 45 - Starting an L2TP Session

308606-14.00 Rev 00 9-1 Chapter 9Managing a Dial VPN NetworkManaging a Dial VPN network consists mainly of managing its elements, in particular the No

Page 47

Configuring and Troubleshooting Bay Dial VPN Services9-2 308606-14.00 Rev 00You must also ensure that remote users have the information they need to

Page 48

308606-14.00 Rev 00 A-1 Appendix APlanning WorksheetThis appendix consists of a network planning worksheet. You may not have enough information yet to

Page 49 - Dial VPN Layer 3 Tunneling

Configuring and Troubleshooting Bay Dial VPN ServicesA-2 308606-14.00 Rev 00At the Dial VPN Service Provider’s SiteRecord the equipment you have at y

Page 50

Planning Worksheet308606-14.00 Rev 00 A-3 • If this is a RADIUS-only configuration, list the IP address of the RADIUS TMS server.(name) ______________

Page 51

Configuring and Troubleshooting Bay Dial VPN ServicesA-4 308606-14.00 Rev 00• For the static route between the CPE router and the remote node: -- Wha

Page 52

308606-14.00 Rev 00 B-1
Appendix B
Syslog Messages
The Remote Access Concentrator and the TMS write system and error messages to the system logfile, sys

Page 53 - How Tunnel Management Works

Configuring and Troubleshooting Bay Dial VPN Services B-2 308606-14.00 Rev 00
Information ppp:<port#>:DVS:user authentication succeeded
The user h

Page 54 - How the TMS Database Works

Syslog Messages 308606-14.00 Rev 00 B-3
TMS Syslog Messages
When an error occurs in the embedded code or TMS portion of erpcd, Dial VPN records a messag

Page 55

Configuring and Troubleshooting Bay Dial VPN Services B-4 308606-14.00 Rev 00
Table B-2. TMS Syslog Messages
Type Message Meaning
Warning tms: could not

Page 56 - How DHCP Works

Syslog Messages 308606-14.00 Rev 00 B-5
Critical tms: RAS database not found
This is a serious problem indicating that the database file containing the

Page 57

308606-14.00 Rev 00xv PrefaceThis guide describes Bay Networks Dial Virtual Private Network (VPN) and what you do to start and customize Bay Dial VPN

Page 58

Configuring and Troubleshooting Bay Dial VPN Services B-6 308606-14.00 Rev 00
Notice tms: <domain/DNIS> RAS <NAS_IP_address> count already

Page 59 - Assigning Addresses

Syslog Messages 308606-14.00 Rev 00 B-7
Error Messages in this category may include the following <reason> codes:
• "Connection timed out"

Page 60 - DVS0018A

Configuring and Troubleshooting Bay Dial VPN Services B-8 308606-14.00 Rev 00
Error (continued)
ppp:<port#>:DVS:tunnel registration failed: <rea

Page 61 - Using Secondary Gateways

308606-14.00 Rev 00 C-1 Appendix CTroubleshootingThis appendix assumes that you have a working knowledge of Site Manager and the Remote Access Concent

Page 62

Configuring and Troubleshooting Bay Dial VPN ServicesC-2 308606-14.00 Rev 00Preventing ProblemsThe suggestions that follow can help you anticipate an

Page 63 - Using Load Distribution

Troubleshooting308606-14.00 Rev 00 C-3 5.Back up your files.Store backup copies of the configuration files on the Site Manager workstation. Use a log

Page 64 - Starting the Connection

Configuring and Troubleshooting Bay Dial VPN ServicesC-4 308606-14.00 Rev 00Troubleshooting WorksheetThis section poses the initial questions you sho

Page 65

Troubleshooting308606-14.00 Rev 00 C-5 4.Are you using a workaround to prevent the symptoms from occurring? If so, what?______________________________

Page 66

Configuring and Troubleshooting Bay Dial VPN ServicesC-6 308606-14.00 Rev 00Table C-1. Problem Symptoms and Likely CausesIf the symptoms are limited

Page 67

Troubleshooting 308606-14.00 Rev 00 C-7
Using the System Logs (syslogs) to Diagnose Problems
The Remote Access Concentrator provides two mechanisms for

Page 68

Configuring and Troubleshooting Bay Dial VPN Servicesxvi308606-14.00 Rev 00Text ConventionsThis guide uses the following text conventions:angle bracke

Page 69

Configuring and Troubleshooting Bay Dial VPN ServicesC-8 308606-14.00 Rev 00• Displaying RAC statistics• Monitoring serial line activityYou can displ

Page 70

Troubleshooting308606-14.00 Rev 00 C-9 If a software entity experiences a fault and fails to recover:a.Disable and reenable the port.Watch the event l

Page 71

Configuring and Troubleshooting Bay Dial VPN ServicesC-10 308606-14.00 Rev 003.Display and change configuration settings and statistics.You can use t

Page 72

Troubleshooting308606-14.00 Rev 00 C-11 • Screen Builder - Lets you build windows of statistics from scratch or customize statistics windows you copie

Page 73 - Chapter 4

Configuring and Troubleshooting Bay Dial VPN ServicesC-12 308606-14.00 Rev 005.Display the encapsulated packet statistics using the netstat - s comma

Page 74

Troubleshooting308606-14.00 Rev 00 C-13 7.Use Packet Capture to save data packets for later analysis.The Technician Interface Packet Capture tool allo

Page 75 - <acp_or_RADIUS>

Configuring and Troubleshooting Bay Dial VPN ServicesC-14 308606-14.00 Rev 009.Document each step you do in the troubleshooting process.An effective

Page 76 - stats -o command

Troubleshooting308606-14.00 Rev 00 C-15 Troubleshooting Specific ProtocolsRead the following section if you have isolated the problem to a network pro

Page 77 - <called_number>

Configuring and Troubleshooting Bay Dial VPN ServicesC-16 308606-14.00 Rev 00Table C-2. Remote Access Concentrator Troubleshooting ChartProblem/Sympt

Page 78

Troubleshooting308606-14.00 Rev 00 C-17 Hosts don’t appear in hosts display.The Remote Access Concentrator hosts command should list any hosts that br

Page 79 - Configuring Active RIP

Preface308606-14.00 Rev 00xvii Acronymsitalic text Indicates file and directory names, new terms, book titles, and variables in command syntax descrip

Page 80

Configuring and Troubleshooting Bay Dial VPN ServicesC-18 308606-14.00 Rev 00Network logins to BSD hosts are invisible.The Remote Access Concentrator

Page 81 - Chapter 5

Troubleshooting308606-14.00 Rev 00 C-19 Remote Access Concentrator does not advertise updates.1. Is the RAC parameter routed set to N?2. Did you reboo

Page 82

Configuring and Troubleshooting Bay Dial VPN ServicesC-20 308606-14.00 Rev 00Remote Access Concentrator does not advertise updates.(continued)6. If y

Page 83

Troubleshooting308606-14.00 Rev 00 C-21 RAC does not receive updates.1. Are the routes really being advertised?Check whether other routers on the netw

Page 84 - Tunnel Management Commands

Configuring and Troubleshooting Bay Dial VPN ServicesC-22 308606-14.00 Rev 00Tracing a Packet’s Path at the Remote Access ConcentratorYou can use the

Page 85

Troubleshooting308606-14.00 Rev 00 C-23 Figure C-1 shows a sample network topology used in the examples that follow.Figure C-1. Network Topology for p

Page 86 - Command Arguments

Configuring and Troubleshooting Bay Dial VPN Services C-24 308606-14.00 Rev 00
Troubleshooting Tunnel Problems
Since the TMS is an extension of the prop

Page 87

Troubleshooting 308606-14.00 Rev 00 C-25
Operation and Troubleshooting Layer 2 Tunnels
Use the log files to troubleshoot your network. The following des

Page 88

Configuring and Troubleshooting Bay Dial VPN ServicesC-26 308606-14.00 Rev 00Once the tunnel has been established, an entry is placed in the RAC’s Tu

Page 89

Troubleshooting308606-14.00 Rev 00 C-27 The following example shows how you can display the configuration of the LNS using commands that the L2TP scri

Page 90

Configuring and Troubleshooting Bay Dial VPN Servicesxviii308606-14.00 Rev 00erpcd expedited remote procedure call daemonFTP File Transfer ProtocolGRE

Page 91

Configuring and Troubleshooting Bay Dial VPN Services C-28 308606-14.00 Rev 00
RADIUS session for line 300046 sending access request using identifier 1

Page 92

Troubleshooting 308606-14.00 Rev 00 C-29
# 23: 03/16/98 15:32:27.597 TRACE SLOT 3 PPP Code: 63
IPCP Rejecting Unknown option on circuit 46.
Th

Page 93 - 0013ABC0:001234560000

Configuring and Troubleshooting Bay Dial VPN Services C-30 308606-14.00 Rev 00
[2:1]$ show l2tp stat
L2TP Statistics
---------------
Slot: 3 SCCRQ

Page 94

Troubleshooting308606-14.00 Rev 00 C-31 Listing the IP circuits configured on the box shows the entry that corresponds with the assigned network.[2:1]

Page 95 - Chapter 6

Configuring and Troubleshooting Bay Dial VPN Services C-32 308606-14.00 Rev 00
Accounting Log
"03/16/1998","15:36:31","LNS_LABN

Page 96

308606-14.00 Rev 00 D-1 Appendix DTips and TechniquesThis appendix contains some examples, tips, and techniques drawn from case studies and lab notes

Page 97

Configuring and Troubleshooting Bay Dial VPN Services D-2 308606-14.00 Rev 00
CISCO-MI#sho conf
Using 1486 out of 32762 bytes
!
version 11.2
service udp-sm

Page 98 - Using RADIUS Accounting

Tips and Techniques 308606-14.00 Rev 00 D-3
encapsulation ppp
shutdown
dialer map ip 10.10.1.5 name cisco
dialer map ip 10.10.1.6 name aar1 0015106433

Page 99

Configuring and Troubleshooting Bay Dial VPN ServicesD-4 308606-14.00 Rev 00Dial-In Network Access ExamplesA common application of Bay Dial Virtual P

Page 100 - RADIUS server

Tips and Techniques308606-14.00 Rev 00 D-5 Figure D-1. ASN with one subnet as Dial-in ClientDial-In Router ConfigurationThe ASN router is configured w

Page 101

Preface308606-14.00 Rev 00xix Hard-Copy Technical ManualsYou can print selected technical manuals and release notes free, directly from the Internet.

Page 102

Configuring and Troubleshooting Bay Dial VPN ServicesD-6 308606-14.00 Rev 00The IP address of the ASN’s ISDN dial-on-demand interface is unnumbered a

Page 103

Tips and Techniques308606-14.00 Rev 00 D-7 Another significant reply parameter is Port-Limit. This parameter specifies the maximum number of ports ava

Page 104 - (continued)

Configuring and Troubleshooting Bay Dial VPN ServicesD-8 308606-14.00 Rev 00Estimating the Feasible Number of Dial VPN UsersThe following example sho

Page 105 - (continued)

308606-14.00 Rev 00 Glossary-1 GlossaryAccess Control Protocol (ACP)Nortel Networks software utility that provides a wide range of security features

Page 106

Configuring and Troubleshooting Bay Dial VPN ServicesGlossary-2 308606-14.00 Rev 00Customer Premise Equipment (CPE)A device at a customer site that c

Page 107

Glossary308606-14.00 Rev 00 Glossary-3 home agentA process running on the gateway on the Dial VPN network that tunnels packets to Remote Annex and mai

Page 108

Configuring and Troubleshooting Bay Dial VPN ServicesGlossary-4 308606-14.00 Rev 00mobile nodeA dial-up host or router that changes its point of atta

Page 109

Glossary308606-14.00 Rev 00 Glossary-5 Remote AnnexOne of several Nortel Networks network access server models that provides transparent, dial-in acce

Page 110

Configuring and Troubleshooting Bay Dial VPN ServicesGlossary-6 308606-14.00 Rev 00TMSSee Tunnel Management System.TMS databaseThe TMS database (by d

Page 111 - Configuring Layer 3 Gateways

308606-14.00 Rev 00Index-1AAccess Control Protocollog file, C-7server, 1-10Access Stack Node (ASN), 1-2accountinggateway and tunnel, 7-5RADIUS, 6-4acc

Page 112

ii308606-14.00 Rev 00 Copyright © 1999 Nortel NetworksAll rights reserved. Printed in the USA. September 1999.The information in this document is subj

Page 113 - <slot_number>

Configuring and Troubleshooting Bay Dial VPN Servicesxx308606-14.00 Rev 00How to Get HelpIf you purchased a service contract for your Nortel Networks

Page 114

Index-2308606-14.00 Rev 00configuringadjacent host, 8-6adjacent host and static route, 8-2as CPE, D-1Dial VPN, 1-7Remote Access Concentrator (RAC) sof

Page 115 - Gateway Accounting Messages

308606-14.00 Rev 00Index-3event message, C-8system log, C-8Events Manager, C-8Expedited Remote Procedure Call Daemon. See erpcdFfault event, C-8, C-9f

Page 116

Index-4308606-14.00 Rev 00list tms_dbm command, 5-4LNSconfiguring, 8-13configuring router as, 8-13description, 1-12L2TP security, 2-7Nortel Networks i

Page 117 - Chapter 8

308606-14.00 Rev 00Index-5primary secret, 8-1primary_accounting_server_addr, TMS parameter, 5-9primary_authentication_ server_addr, TMS parameter, 5-9

Page 118

Index-6308606-14.00 Rev 00Ssacct, TMS parameter, 5-9saddr, TMS parameter, 5-9sauth, TMS parameter, 5-9scope, 8-19Screen Builder tool, C-11Screen Manag

Page 119

308606-14.00 Rev 00Index-7telnet command, C-18text conventions, xviTMScommands, 5-4database, 5-1alternatives, 5-13description, 3-6troubleshooting, C-2

Page 121

308606-14.00 Rev 00 1-1 Chapter 1Tunneling OverviewBay Networks Dial Virtual Private Network Services provides secure dial-access services for corpora

Page 122

Configuring and Troubleshooting Bay Dial VPN Services1-2 308606-14.00 Rev 00Dial VPN encapsulates multiprotocol data within an IP datagram. It then s

Page 123

Tunneling Overview308606-14.00 Rev 00 1-3 Dial VPN dynamically creates a tunnel when it connects to the remote node’s home network. One end point of t

Page 124

Configuring and Troubleshooting Bay Dial VPN Services1-4 308606-14.00 Rev 00Layer 3 TunnelingIn Layer 3 tunneling, the tunnel exists between the Netw

Page 125

Tunneling Overview308606-14.00 Rev 00 1-5 How a Dial VPN Network FunctionsAny authorized remote user (using a PC or dial-up router) who has access to

Page 126

Configuring and Troubleshooting Bay Dial VPN Services1-6 308606-14.00 Rev 00Figure 1-2. Dial VPN Network with Connections to Different Destination Ty

Page 127

Tunneling Overview308606-14.00 Rev 00 1-7 For Nortel Networks routers used with a Layer 3 Dial VPN tunnel, you must specify an adjacent host and a sta

Page 128

Configuring and Troubleshooting Bay Dial VPN Services1-8 308606-14.00 Rev 00The following considerations apply only to Layer 2 (L2TP) tunnels:• If th

Page 129 - Enabling L2TP

Tunneling Overview308606-14.00 Rev 00 1-9 GatewayUsed only in Layer 3 networks, the gateway can be an ASN, BLN, BLN-2, BCN, or System 5000 MSX equippe

Page 130

308606-14.00 Rev 00iiiNortel Networks NA Inc. Software License AgreementNOTICE: Please carefully read this license agreement before copying or using t

Page 131

Configuring and Troubleshooting Bay Dial VPN Services1-10 308606-14.00 Rev 00Tunnel Management Server (TMS)The mechanism for identifying tunneled use

Page 132

Tunneling Overview308606-14.00 Rev 00 1-11 L2TP Access Concentrator (LAC)The L2TP access concentrator (LAC) resides at the ISP network. The LAC establ

Page 133

Configuring and Troubleshooting Bay Dial VPN Services1-12 308606-14.00 Rev 00Enterprise subscribers of this service must configure the CPE router to

Page 134

Tunneling Overview308606-14.00 Rev 00 1-13 The RADIUS server has three main functions in a Dial VPN L2TP network:• Authenticating remote users• Assign

Page 135 - field, which by

Configuring and Troubleshooting Bay Dial VPN Services1-14 308606-14.00 Rev 00DHCP ServerIf you implement the optional Dynamic Host Configuration Prot

Page 136

308606-14.00 Rev 00 2-1 Chapter 2Dial VPN Layer 2 TunnelingThis chapter describes how a Layer2 Dial VPN tunnel functions. Among these concepts are how

Page 137 - Creating a Superscope

Configuring and Troubleshooting Bay Dial VPN Services2-2 308606-14.00 Rev 00Figure 2-1. Layer 2 Tunnel Packet PathBuilding a Network for Layer 2 Tunn

Page 138

Dial VPN Layer 2 Tunneling308606-14.00 Rev 00 2-3 2.Install and configure any intermediate nodes on the WAN.The WAN can include intermediate nodes. Fo

Page 139 - Managing a Dial VPN Network

Configuring and Troubleshooting Bay Dial VPN Services2-4 308606-14.00 Rev 008.Make sure that the home network is configured to connect to the Dial VP

Page 140

Dial VPN Layer 2 Tunneling308606-14.00 Rev 00 2-5 Figure 2-2. L2TP Packet Encapsulation ProcessNortel Networks L2TP ImplementationIn an L2TP tunnel, t

Page 141 - Planning Worksheet

iv308606-14.00 Rev 00for the security of its own data and information and for maintaining adequate procedures apart from the Software to reconstruct

Page 142

Configuring and Troubleshooting Bay Dial VPN Services 2-6 308606-14.00 Rev 00
• The LNS performs user authentication with a RADIUS server to prevent un

Page 143 - For Each Destination Site

Dial VPN Layer 2 Tunneling 308606-14.00 Rev 00 2-7
When the LAC receives a call, it forwards the domain name to the TMS. The domain name is the portion

Page 144 - For Each Remote Node

Configuring and Troubleshooting Bay Dial VPN Services 2-8 308606-14.00 Rev 00
During tunnel authentication, the LNS identifies the L2TP client or LAC b

Page 145 - Syslog Messages

Dial VPN Layer 2 Tunneling 308606-14.00 Rev 00 2-9
Figure 2-3. Tunnel Authentication Control Messages
After tunnel authentication is complete, it need n

Page 146

Configuring and Troubleshooting Bay Dial VPN Services2-10 308606-14.00 Rev 00RADIUS AccountingThe RADIUS server can provide accounting services in ad

Page 147 - TMS Syslog Messages

Dial VPN Layer 2 Tunneling308606-14.00 Rev 00 2-11 Remote Router ConfigurationIf the host at the remote site is a Nortel Networks router, you may need

Page 148

Configuring and Troubleshooting Bay Dial VPN Services2-12 308606-14.00 Rev 00Examples of L2TP TunnelsFigure 2-4 shows an L2TP network that uses a LAC

Page 149

Dial VPN Layer 2 Tunneling308606-14.00 Rev 00 2-13 Making a Connection Across an L2TP NetworkThe following steps explain how a remote user connects ac

Page 150

Configuring and Troubleshooting Bay Dial VPN Services2-14 308606-14.00 Rev 00When Does Dial VPN Tear Down the Tunnel?The LAC brings down the tunnel f

Page 151

308606-14.00 Rev 00 3-1 Chapter 3Dial VPN Layer 3 TunnelingThis chapter describes how a Layer 3 Dial VPN tunnel functions. Among these concepts are ho

Page 152

308606-14.00 Rev 00vContents PrefaceBefore You Begin ...

Page 153 - Troubleshooting

Configuring and Troubleshooting Bay Dial VPN Services3-2 308606-14.00 Rev 00Figure 3-1. Layer 3 Tunnel Packet PathBuilding a Network for Layer 3 Tunn

Page 154 - Preventing Problems

Dial VPN Layer 3 Tunneling308606-14.00 Rev 00 3-3 2.Install and configure any intermediate nodes on the WAN.The WAN can include intermediate nodes. Fo

Page 155 - Preparing to Troubleshoot

Configuring and Troubleshooting Bay Dial VPN Services3-4 308606-14.00 Rev 008.Configure the gateway, including the RADIUS client, using Site Manager,

Page 156 - Troubleshooting Worksheet

Dial VPN Layer 3 Tunneling308606-14.00 Rev 00 3-5 How Tunnel Management WorksTunnel management operates differently on erpcd-based and RADIUS-only net

Page 157

Configuring and Troubleshooting Bay Dial VPN Services3-6 308606-14.00 Rev 00Tunnel Management in an All-RADIUS NetworkThe all-RADIUS solution integra

Page 158 - Cable Guide

Dial VPN Layer 3 Tunneling308606-14.00 Rev 00 3-7 Since ndbm does not have a locking feature, Nortel Networks has implemented application-level lockin

Page 159

Configuring and Troubleshooting Bay Dial VPN Services3-8 308606-14.00 Rev 00• Both Dial VPN (tunneled) and non-tunneled users• Getting IP addresses t

Page 160

Dial VPN Layer 3 Tunneling308606-14.00 Rev 00 3-9 Figure 3-2. DHCP Operational TimelineLCP negotiationCHAP initiationRemoteNodeLocalNodeAccountingServ

Page 161 - Caution: Avoid using the

Configuring and Troubleshooting Bay Dial VPN Services3-10 308606-14.00 Rev 00Using RADIUS for Dynamic IP Address AllocationEach dial-in user retains

Page 162 - Caution:

Dial VPN Layer 3 Tunneling308606-14.00 Rev 00 3-11 The BSAC (RADIUS) administrator at the customer’s site must enter one or more IP address ranges to

Page 163

vi308606-14.00 Rev 00RADIUS Accounting Server ...1-13DHCP Server ...

Page 164

Configuring and Troubleshooting Bay Dial VPN Services3-12 308606-14.00 Rev 00Figure 3-3. Dial VPN Dynamic IP Address Management SequenceAt the start

Page 165

Dial VPN Layer 3 Tunneling308606-14.00 Rev 00 3-13 server, which sends back an acknowledgment that it has received the packet. At the end of service d

Page 166

Configuring and Troubleshooting Bay Dial VPN Services3-14 308606-14.00 Rev 00Figure 3-4. Dial VPN Network with Secondary Gateways on the Frame Relay

Page 167

Dial VPN Layer 3 Tunneling308606-14.00 Rev 00 3-15 Using a Backup GatewayWhen you have configured Dial VPN to use a backup gateway, the NAS first trie

Page 168

Configuring and Troubleshooting Bay Dial VPN Services3-16 308606-14.00 Rev 00Starting the ConnectionWhen a user at a remote node dials in to a Dial V

Page 169

Dial VPN Layer 3 Tunneling308606-14.00 Rev 00 3-17 If the TMS determines that the user is not a tunnel candidate, the NAS first treats the request as

Page 170

Configuring and Troubleshooting Bay Dial VPN Services3-18 308606-14.00 Rev 00If the home network is configured to assign IP addresses using RADIUS, e

Page 171 - Using Command Line Interfaces

Dial VPN Layer 3 Tunneling308606-14.00 Rev 00 3-19 Figure 3-5. Packet Encapsulation and Decapsulation ProcessFlag FlagAddress Control Protocol Data F

Page 172

Configuring and Troubleshooting Bay Dial VPN Services3-20 308606-14.00 Rev 00How a Packet Moves Through a Dial VPN NetworkA data packet moves from a

Page 173 - Command Line Interfaces

Dial VPN Layer 3 Tunneling308606-14.00 Rev 00 3-21 5.The CPE router decapsulates the frame relay or PPP packet and routes the data to the intended rec

Page 174

308606-14.00 Rev 00viiUsing Secondary Gateways ...3-13Using a B

Page 175 - DVS0005A

Configuring and Troubleshooting Bay Dial VPN Services3-22 308606-14.00 Rev 00The data packet travels from the home network to the remote node using a

Page 176

Dial VPN Layer 3 Tunneling308606-14.00 Rev 00 3-23 When Does Dial VPN Tear Down the Tunnel?Dial VPN tears down the tunnel when any of the following si

Page 178 - Troubleshooting the LNS

308606-14.00 Rev 00 4-1 Chapter 4Configuring the Remote Access ConcentratorThis chapter describes how to use the command line interface (CLI) commands

Page 179

Configuring and Troubleshooting Bay Dial VPN Services4-2 308606-14.00 Rev 001.Install the RAC software.Use the installation script supplied for the R

Page 180

Configuring the Remote Access Concentrator308606-14.00 Rev 00 4-3 If running IPX (Layer 3 only), include the following command:set port ppp_ncp all (&

Page 181

Configuring and Troubleshooting Bay Dial VPN Services4-4 308606-14.00 Rev 004.Enable the appropriate options.To display the options that are enabled,

Page 182

Configuring the Remote Access Concentrator 308606-14.00 Rev 00 4-5
begin_session v120
bearer data
called_no <called_number>
call_action v.120
set mod

Page 183

Configuring and Troubleshooting Bay Dial VPN Services4-6 308606-14.00 Rev 00For a default route, the syntax is: route add<default> <next_hop

Page 184

Configuring the Remote Access Concentrator308606-14.00 Rev 00 4-7 During the initial boot of the operational code, the ROM monitor requires the addres

Page 185 - Tips and Techniques

viii308606-14.00 Rev 00TMS Parameters for erpcd-Based and All-RADIUS Tunnels ...6-14TMS System Log (Syslog) Mess

Page 186

Configuring and Troubleshooting Bay Dial VPN Services4-8 308606-14.00 Rev 00Configuring the RAC to Advertise RIP 1 and/or RIP 2 UpdatesBy default, ac

Page 187

308606-14.00 Rev 00 5-1
Chapter 5
Configuring TMS and Security for erpcd Networks
In a Dial VPN network, tunnel users are authenticated by a RADIUS serv

Page 188 - Configuration

Configuring and Troubleshooting Bay Dial VPN Services5-2 308606-14.00 Rev 00Managing TMS Using the TMS Default DatabaseTunnel management in an erpcd-

Page 189

Configuring TMS and Security for erpcd Networks 308606-14.00 Rev 00 5-3
The syntax of the command that creates a TMS entry is:
tms_dbm add <domain>

Page 190

Configuring and Troubleshooting Bay Dial VPN Services5-4 308606-14.00 Rev 00Using Tunnel Management CommandsThe following sections describe the synta

Page 191

Configuring TMS and Security for erpcd Networks 308606-14.00 Rev 00 5-5
All commands except add and help return an error if the entry is not found.
remo

Page 192

Configuring and Troubleshooting Bay Dial VPN Services5-6 308606-14.00 Rev 00Command ArgumentsThe tunnel management commands use common arguments to s

Page 193 - Glossary

Configuring TMS and Security for erpcd Networks 308606-14.00 Rev 00 5-7
ha=<ha_addr>
Not used in Dial VPN. Supported only for compatibility with p

Page 194

Configuring and Troubleshooting Bay Dial VPN Services 5-8 308606-14.00 Rev 00
hwtype=<hw_type>
hwaddr=<hw_addr>
hwalen=<hw_addr_len>
hwt

Page 195

Configuring TMS and Security for erpcd Networks 308606-14.00 Rev 00 5-9
pauth=<primary_authentication_server_addr>
Specifies the IP address of the

Page 196

308606-14.00 Rev 00ixChapter 9 Managing a Dial VPN NetworkEnabling and Activating Dial VPN ...

Page 197

Configuring and Troubleshooting Bay Dial VPN Services 5-10 308606-14.00 Rev 00
acctp=<accounting_protocol>
Specifies the accounting protocol used

Page 198

Configuring TMS and Security for erpcd Networks 308606-14.00 Rev 00 5-11
passwd=<password>
Relevant only for Layer 2 tunnels, this parameter speci

Page 199

Configuring and Troubleshooting Bay Dial VPN Services 5-12 308606-14.00 Rev 00
Configuring Local Authentication Using the ACP
Dial VPN relies on the rem

Page 200

Configuring TMS and Security for erpcd Networks 308606-14.00 Rev 00 5-13
For IPX, use the network and node address combination; for example:
0013ABC0:00

Page 202

308606-14.00 Rev 00 6-1
Chapter 6
Configuring the TMS Using RADIUS
You can configure the TMS database to use a RADIUS server on the service provider (IS

Page 203

Configuring and Troubleshooting Bay Dial VPN Services6-2 308606-14.00 Rev 00The NAS recognizes the returned tunnel attributes of the authentication r

Page 204

Configuring the TMS Using RADIUS308606-14.00 Rev 00 6-3 Figure 6-1. Message Exchanges Supporting RADIUS TMS OperationsLCP negotiateCHAP initiationRemo

Page 205

Configuring and Troubleshooting Bay Dial VPN Services6-4 308606-14.00 Rev 00The user session’s authorization information flows from the remote custom

Page 206

Configuring the TMS Using RADIUS308606-14.00 Rev 00 6-5 Table 6-1 summarizes the user start messages that the NAS sends to the service provider’s RADI
