BayRS Version 14.00. Part No. 308606-14.00 Rev 00. September 1999. 4401 Great America Parkway, Santa Clara, CA 95054. Configuring and Troubleshooting Bay Dial
[x] Operation and Troubleshooting Layer 2 Tunnels ... C-25; Troubleshooting the
Configuring and Troubleshooting Bay Dial VPN Services, 308606-14.00 Rev 00. [6-6] Table 6-2 summarizes the user stop messages that the NAS sends to the pro
[6-7] RADIUS Attributes That Support Tunneling: The RADIUS attributes that support TMS come from two g
[6-8] Table 6-4 lists the RADIUS attributes that the Layer 3 gateway supports. T
[6-9] RADIUS Attributes for Backup and Distributed Gateways: Backup and distributed gateways use the f
[6-10] Table 6-5 describes these attributes. Table 6-5. BSAC TMS Attributes for
[6-11] Annex-Secondary-Srv-Endpoint (Nortel Networks VSA 79): Allows an ordered list of up to 10 secon
[6-12] Configuring Secondary Gateways: To configure one or more secondary gateway
[6-13] For example, to configure load distribution with three gateways, use the following format: Ann
[6-14] TMS Parameters for erpcd-Based and All-RADIUS Tunnels: While TMS operatio
[6-15] TMS System Log (Syslog) Messages: TMS writes its system and error messages to the system log fi
[xi] Figures: Figure 1-1. Dial VPN Network with Layer 3 and Layer 2 Tunnels ... 1-3; Figure 1-2. Dial VPN Netwo
[7-1] Chapter 7. Configuring Layer 3 Gateways: Only Layer 3 tunnels use a gateway. To configure a Nortel Networks router at the service
[7-2] 5. Specify the IP address for this frame relay or PPP interface. This is th
[7-3] c. Specify the keys associated with this SPI value. Each SPI value has a 128-bit key associated with
[7-4] h. Enter the IP address of the RADIUS server to which this client will con
[7-5] Gateway Accounting Messages: The gateway sends messages to the customer RADIUS server accounting for
[8-1] Chapter 8. Requirements Outside the ISP Network: Although the responsibility for configuring network elements outside the Dial VPN
[8-2] Configuring a Static Route and an Adjacent Host: A static route is a manual
[8-3] In Figure 8-1, the IP addresses and the frame relay DLCI are in bold type. The dashed line
[8-4] Dynamic mode lets you make changes to the currently running configuration
[8-5] Configuring the Adjacent Host and Static Routes: The next step is to create a single adjacen
[8-6] For a Nortel Networks router with frame relay, the complete static route
[8-7] • The IP address of the CPE router’s network interface to the adjacent host (next hop)
• Th
[8-8] Configuring Frame Relay on the CPE Router: If the CPE router is a Nortel Ne
[8-9] • Use the Site Manager Statistics Manager to verify that the frame relay connection is ope
[8-10] Configuring the CPE Router for IPX Support (Layer 3 Only): When configurin
[8-11] 6. Enter the Novell Configured Network Number (in hexadecimal notation) of your Ethernet
[8-12] Table 8-1 shows the relationship between interface types and encapsulati
[8-13] This completes the CPE router Ethernet and Serial interface configuration for IPX. Configu
[xiii] Tables: Table 1-1. Layer 3 and Layer 2 Dial VPN Feature Implementation ... 1-5; Table 4-1. Where to Find Con
[8-14] Enabling L2TP on an Unconfigured WAN Interface: To enable L2TP on an uncon
[8-15] Enabling L2TP on an Existing PPP Interface: To enable L2TP on an interface with PPP and IP
[8-16] Enabling L2TP on an Existing Frame Relay Interface: To enable L2TP on an i
[8-17] Installing and Configuring BSAC on the Home Network: BSAC can run on a server running UNIX,
[8-18] Configuring IPX on the Home Network RADIUS Server: BaySecure Access Contro
[8-19] Defining Assignable DHCP Address Ranges: The following sections pertain to configuring DHCP
[8-20] Creating Scopes and a Superscope: The following sections describe the proc
[8-21] Creating the Scope of Assignable Addresses: Next, create the scope of addresses that you wa
[8-22] Once you have completed these procedures, the DHCP is configured to dyna
[9-1] Chapter 9. Managing a Dial VPN Network: Managing a Dial VPN network consists mainly of managing its elements, in particular the No
[9-2] You must also ensure that remote users have the information they need to
[A-1] Appendix A. Planning Worksheet: This appendix consists of a network planning worksheet. You may not have enough information yet to
[A-2] At the Dial VPN Service Provider’s Site: Record the equipment you have at y
[A-3] • If this is a RADIUS-only configuration, list the IP address of the RADIUS TMS server.
(name) ______________
[A-4] • For the static route between the CPE router and the remote node: -- Wha
[B-1] Appendix B. Syslog Messages: The Remote Access Concentrator and the TMS write system and error messages to the system log file, sys
[B-2] Information | ppp:<port#>:DVS:user authentication succeeded | The user h
[B-3] TMS Syslog Messages: When an error occurs in the embedded code or TMS portion of erpcd, Dial VPN records a messag
[B-4] Table B-2. TMS Syslog Messages (Type | Message | Meaning): Warning | tms: could not
[B-5] Critical | tms: RAS database not found | This is a serious problem indicating that the database file containing the
[xv] Preface: This guide describes Bay Networks Dial Virtual Private Network (VPN) and what you do to start and customize Bay Dial VPN
[B-6] Notice | tms: <domain/DNIS> RAS <NAS_IP_address> count already
[B-7] Error | Messages in this category may include the following <reason> codes:
• "Connection timed out"
[B-8] Error (continued) | ppp:<port#>:DVS:tunnel registration failed: <rea
[C-1] Appendix C. Troubleshooting: This appendix assumes that you have a working knowledge of Site Manager and the Remote Access Concent
[C-2] Preventing Problems: The suggestions that follow can help you anticipate an
[C-3] 5. Back up your files. Store backup copies of the configuration files on the Site Manager workstation. Use a log
[C-4] Troubleshooting Worksheet: This section poses the initial questions you sho
[C-5] 4. Are you using a workaround to prevent the symptoms from occurring? If so, what? ______________________________
[C-6] Table C-1. Problem Symptoms and Likely Causes: If the symptoms are limited
[C-7] Using the System Logs (syslogs) to Diagnose Problems: The Remote Access Concentrator provides two mechanisms for
[xvi] Text Conventions: This guide uses the following text conventions: angle bracke
[C-8] • Displaying RAC statistics
• Monitoring serial line activity
You can displ
[C-9] If a software entity experiences a fault and fails to recover:
a. Disable and reenable the port. Watch the event l
[C-10] 3. Display and change configuration settings and statistics. You can use t
[C-11] • Screen Builder - Lets you build windows of statistics from scratch or customize statistics windows you copie
[C-12] 5. Display the encapsulated packet statistics using the netstat -s comma
[C-13] 7. Use Packet Capture to save data packets for later analysis. The Technician Interface Packet Capture tool allo
[C-14] 9. Document each step you do in the troubleshooting process. An effective
[C-15] Troubleshooting Specific Protocols: Read the following section if you have isolated the problem to a network pro
[C-16] Table C-2. Remote Access Concentrator Troubleshooting Chart: Problem/Sympt
[C-17] Hosts don’t appear in hosts display. | The Remote Access Concentrator hosts command should list any hosts that br
[xvii] Acronyms. italic text | Indicates file and directory names, new terms, book titles, and variables in command syntax descrip
[C-18] Network logins to BSD hosts are invisible. | The Remote Access Concentrator
[C-19] Remote Access Concentrator does not advertise updates. | 1. Is the RAC parameter routed set to N? 2. Did you reboo
[C-20] Remote Access Concentrator does not advertise updates. (continued) | 6. If y
[C-21] RAC does not receive updates. | 1. Are the routes really being advertised? Check whether other routers on the netw
[C-22] Tracing a Packet’s Path at the Remote Access Concentrator: You can use the
[C-23] Figure C-1 shows a sample network topology used in the examples that follow. Figure C-1. Network Topology for p
[C-24] Troubleshooting Tunnel Problems: Since the TMS is an extension of the prop
[C-25] Operation and Troubleshooting Layer 2 Tunnels: Use the log files to troubleshoot your network. The following des
[C-26] Once the tunnel has been established, an entry is placed in the RAC’s Tu
[C-27] The following example shows how you can display the configuration of the LNS using commands that the L2TP scri
[xviii] erpcd: expedited remote procedure call daemon
FTP: File Transfer Protocol
GRE
[C-28] RADIUS session for line 300046 sending access request using identifier 1
[C-29]
# 23: 03/16/98 15:32:27.597 TRACE SLOT 3 PPP Code: 63
IPCP Rejecting Unknown option on circuit 46.
Th
[C-30]
[2:1]$ show l2tp stat
L2TP Statistics
---------------
Slot: 3 SCCRQ
[C-31] Listing the IP circuits configured on the box shows the entry that corresponds with the assigned network.
[2:1]
[C-32] Accounting Log
"03/16/1998","15:36:31","LNS_LABN
[D-1] Appendix D. Tips and Techniques: This appendix contains some examples, tips, and techniques drawn from case studies and lab notes
[D-2]
CISCO-MI#sho conf
Using 1486 out of 32762 bytes
!
version 11.2
service udp-sm
[D-3]
encapsulation ppp
shutdown
dialer map ip 10.10.1.5 name cisco
dialer map ip 10.10.1.6 name aar1 0015106433
[D-4] Dial-In Network Access Examples: A common application of Bay Dial Virtual P
[D-5] Figure D-1. ASN with one subnet as Dial-in Client. Dial-In Router Configuration: The ASN router is configured w
[xix] Hard-Copy Technical Manuals: You can print selected technical manuals and release notes free, directly from the Internet.
[D-6] The IP address of the ASN’s ISDN dial-on-demand interface is unnumbered a
[D-7] Another significant reply parameter is Port-Limit. This parameter specifies the maximum number of ports ava
[D-8] Estimating the Feasible Number of Dial VPN Users: The following example sho
[Glossary-1] Glossary. Access Control Protocol (ACP): Nortel Networks software utility that provides a wide range of security features
[Glossary-2] Customer Premise Equipment (CPE): A device at a customer site that c
[Glossary-3] home agent: A process running on the gateway on the Dial VPN network that tunnels packets to Remote Annex and mai
[Glossary-4] mobile node: A dial-up host or router that changes its point of atta
[Glossary-5] Remote Annex: One of several Nortel Networks network access server models that provides transparent, dial-in acce
[Glossary-6] TMS: See Tunnel Management System.
TMS database: The TMS database (by d
[Index-1] A; Access Control Protocol; log file, C-7; server, 1-10; Access Stack Node (ASN), 1-2; accounting; gateway and tunnel, 7-5; RADIUS, 6-4; acc
[ii] Copyright © 1999 Nortel Networks. All rights reserved. Printed in the USA. September 1999. The information in this document is subj
[xx] How to Get Help: If you purchased a service contract for your Nortel Networks
[Index-2] configuring; adjacent host, 8-6; adjacent host and static route, 8-2; as CPE, D-1; Dial VPN, 1-7; Remote Access Concentrator (RAC) sof
[Index-3] event message, C-8; system log, C-8; Events Manager, C-8; Expedited Remote Procedure Call Daemon. See erpcd; F; fault event, C-8, C-9; f
[Index-4] list tms_dbm command, 5-4; LNS; configuring, 8-13; configuring router as, 8-13; description, 1-12; L2TP security, 2-7; Nortel Networks i
[Index-5] primary secret, 8-1; primary_accounting_server_addr, TMS parameter, 5-9; primary_authentication_server_addr, TMS parameter, 5-9
[Index-6] S; sacct, TMS parameter, 5-9; saddr, TMS parameter, 5-9; sauth, TMS parameter, 5-9; scope, 8-19; Screen Builder tool, C-11; Screen Manag
[Index-7] telnet command, C-18; text conventions, xvi; TMS; commands, 5-4; database, 5-1; alternatives, 5-13; description, 3-6; troubleshooting, C-2
[1-1] Chapter 1. Tunneling Overview: Bay Networks Dial Virtual Private Network Services provides secure dial-access services for corpora
[1-2] Dial VPN encapsulates multiprotocol data within an IP datagram. It then s
[1-3] Dial VPN dynamically creates a tunnel when it connects to the remote node’s home network. One end point of t
[1-4] Layer 3 Tunneling: In Layer 3 tunneling, the tunnel exists between the Netw
[1-5] How a Dial VPN Network Functions: Any authorized remote user (using a PC or dial-up router) who has access to
[1-6] Figure 1-2. Dial VPN Network with Connections to Different Destination Ty
[1-7] For Nortel Networks routers used with a Layer 3 Dial VPN tunnel, you must specify an adjacent host and a sta
[1-8] The following considerations apply only to Layer 2 (L2TP) tunnels:
• If th
[1-9] Gateway: Used only in Layer 3 networks, the gateway can be an ASN, BLN, BLN-2, BCN, or System 5000 MSX equippe
[iii] Nortel Networks NA Inc. Software License Agreement. NOTICE: Please carefully read this license agreement before copying or using t
[1-10] Tunnel Management Server (TMS): The mechanism for identifying tunneled use
[1-11] L2TP Access Concentrator (LAC): The L2TP access concentrator (LAC) resides at the ISP network. The LAC establ
[1-12] Enterprise subscribers of this service must configure the CPE router to
[1-13] The RADIUS server has three main functions in a Dial VPN L2TP network:
• Authenticating remote users
• Assign
[1-14] DHCP Server: If you implement the optional Dynamic Host Configuration Prot
[2-1] Chapter 2. Dial VPN Layer 2 Tunneling: This chapter describes how a Layer 2 Dial VPN tunnel functions. Among these concepts are how
[2-2] Figure 2-1. Layer 2 Tunnel Packet Path. Building a Network for Layer 2 Tunn
[2-3] 2. Install and configure any intermediate nodes on the WAN. The WAN can include intermediate nodes. Fo
[2-4] 8. Make sure that the home network is configured to connect to the Dial VP
[2-5] Figure 2-2. L2TP Packet Encapsulation Process. Nortel Networks L2TP Implementation: In an L2TP tunnel, t
[iv] for the security of its own data and information and for maintaining adequate procedures apart from the Software to reconstruct
[2-6] • The LNS performs user authentication with a RADIUS server to prevent un
[2-7] When the LAC receives a call, it forwards the domain name to the TMS. The domain name is the portion
[2-8] During tunnel authentication, the LNS identifies the L2TP client or LAC b
[2-9] Figure 2-3. Tunnel Authentication Control Messages. After tunnel authentication is complete, it need n
[2-10] RADIUS Accounting: The RADIUS server can provide accounting services in ad
[2-11] Remote Router Configuration: If the host at the remote site is a Nortel Networks router, you may need
[2-12] Examples of L2TP Tunnels: Figure 2-4 shows an L2TP network that uses a LAC
[2-13] Making a Connection Across an L2TP Network: The following steps explain how a remote user connects ac
[2-14] When Does Dial VPN Tear Down the Tunnel? The LAC brings down the tunnel f
[3-1] Chapter 3. Dial VPN Layer 3 Tunneling: This chapter describes how a Layer 3 Dial VPN tunnel functions. Among these concepts are ho
[v] Contents: Preface; Before You Begin ...
[3-2] Figure 3-1. Layer 3 Tunnel Packet Path. Building a Network for Layer 3 Tunn
[3-3] 2. Install and configure any intermediate nodes on the WAN. The WAN can include intermediate nodes. Fo
[3-4] 8. Configure the gateway, including the RADIUS client, using Site Manager,
[3-5] How Tunnel Management Works: Tunnel management operates differently on erpcd-based and RADIUS-only net
[3-6] Tunnel Management in an All-RADIUS Network: The all-RADIUS solution integra
[3-7] Since ndbm does not have a locking feature, Nortel Networks has implemented application-level lockin
[3-8] • Both Dial VPN (tunneled) and non-tunneled users
• Getting IP addresses t
[3-9] Figure 3-2. DHCP Operational Timeline
[3-10] Using RADIUS for Dynamic IP Address Allocation: Each dial-in user retains
[3-11] The BSAC (RADIUS) administrator at the customer’s site must enter one or more IP address ranges to
[vi] RADIUS Accounting Server ... 1-13; DHCP Server ...
[3-12] Figure 3-3. Dial VPN Dynamic IP Address Management Sequence. At the start
[3-13] server, which sends back an acknowledgment that it has received the packet. At the end of service d
[3-14] Figure 3-4. Dial VPN Network with Secondary Gateways on the Frame Relay
[3-15] Using a Backup Gateway: When you have configured Dial VPN to use a backup gateway, the NAS first trie
[3-16] Starting the Connection: When a user at a remote node dials in to a Dial V
[3-17] If the TMS determines that the user is not a tunnel candidate, the NAS first treats the request as
[3-18] If the home network is configured to assign IP addresses using RADIUS, e
[3-19] Figure 3-5. Packet Encapsulation and Decapsulation Process
[3-20] How a Packet Moves Through a Dial VPN Network: A data packet moves from a
[3-21] 5. The CPE router decapsulates the frame relay or PPP packet and routes the data to the intended rec
[vii] Using Secondary Gateways ... 3-13; Using a B
[3-22] The data packet travels from the home network to the remote node using a
[3-23] When Does Dial VPN Tear Down the Tunnel? Dial VPN tears down the tunnel when any of the following si
[4-1] Chapter 4. Configuring the Remote Access Concentrator: This chapter describes how to use the command line interface (CLI) commands
[4-2] 1. Install the RAC software. Use the installation script supplied for the R
[4-3] If running IPX (Layer 3 only), include the following command:
set port ppp_ncp all (&
[4-4] 4. Enable the appropriate options. To display the options that are enabled,
[4-5]
begin_session v120
bearer data
called_no <called_number>
call_action v.120
set mod
[4-6] For a default route, the syntax is: route add<default> <next_hop
[4-7] During the initial boot of the operational code, the ROM monitor requires the addres
[viii] TMS Parameters for erpcd-Based and All-RADIUS Tunnels ... 6-14; TMS System Log (Syslog) Mess
[4-8] Configuring the RAC to Advertise RIP 1 and/or RIP 2 Updates: By default, ac
[5-1] Chapter 5. Configuring TMS and Security for erpcd Networks: In a Dial VPN network, tunnel users are authenticated by a RADIUS serv
[5-2] Managing TMS Using the TMS Default Database: Tunnel management in an erpcd-
[5-3] The syntax of the command that creates a TMS entry is:
tms_dbm add <domain>
[5-4] Using Tunnel Management Commands: The following sections describe the synta
[5-5] All commands except add and help return an error if the entry is not found.
remo
[5-6] Command Arguments: The tunnel management commands use common arguments to s
[5-7] ha=<ha_addr> | Not used in Dial VPN. Supported only for compatibility with p
[5-8]
hwtype=<hw_type>
hwaddr=<hw_addr>
hwalen=<hw_addr_len>
hwt
[5-9] pauth=<primary_authentication_server_addr> | Specifies the IP address of the
[ix] Chapter 9. Managing a Dial VPN Network; Enabling and Activating Dial VPN ...
[5-10] acctp=<accounting_protocol> | Specifies the accounting protocol used
[5-11] passwd=<password> | Relevant only for Layer 2 tunnels, this parameter speci
[5-12] Configuring Local Authentication Using the ACP: Dial VPN relies on the rem
[5-13] For IPX, use the network and node address combination; for example:
0013ABC0:00
[6-1] Chapter 6. Configuring the TMS Using RADIUS: You can configure the TMS database to use a RADIUS server on the service provider (IS
[6-2] The NAS recognizes the returned tunnel attributes of the authentication r
[6-3] Figure 6-1. Message Exchanges Supporting RADIUS TMS Operations
[6-4] The user session’s authorization information flows from the remote custom
[6-5] Table 6-1 summarizes the user start messages that the NAS sends to the service provider’s RADI