Nortel 1010 User Guide

76 Chapter 4 Configuring user tunnels
NN46110-500 
 
The Nortel VPN Router associates all remote users with a group, which dictates the attributes that are assigned to a remote user session. A group can even consist of a single user, thereby creating a personal connection.

The Nortel VPN Router organizes groups in a hierarchical manner. At the top of the hierarchy is the base group. The base group \Base contains the default characteristics that each new group inherits. You add additional groups to the hierarchy as children of the base group.

The Nortel VPN Router takes precautions against unauthorized users potentially hacking tunneled information when the Nortel VPN Router is operating in split tunnel mode. The primary precaution is to drop packets that do not have the IP address that is assigned to the tunnel connection as their source address. For example, you establish a PPP dial-up connection to the Internet with an IP address of 192.168.21.3. When you start the tunneled connection to a Nortel VPN Router, you are assigned a tunnel IP address of 192.192.192.192. Now, any packets that attempt to pass through the tunnel connection with a source IP address of 192.168.21.3 (or any address other than 192.192.192.192) are dropped. Furthermore, you can enable filters on the Nortel VPN Router to limit the protocol types that can pass through a tunneled connection.
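The split-tunnel check described above, modelled as an added example (not Nortel's code): a tunnel session records the client's assigned tunnel address, packets from any other source (such as the dial-up address) are dropped, and an optional per-session protocol allow-list stands in for the router's protocol filters. The session, packets and protocol list are constructed sample data.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

@dataclass
class TunnelSession:
    assigned_ip: str                                  # tunnel IP handed to the client
    allowed_protocols: Optional[frozenset] = None     # None = no protocol filter enabled

@dataclass
class Packet:
    src: str
    dst: str
    protocol: str                                     # e.g. "tcp", "udp", "icmp"

def inspect_tunnel_packet(session: TunnelSession, pkt: Packet):
    """Return ("forward", reason) or ("drop", reason) for a packet arriving on
    the tunnel. The source must equal the session's assigned tunnel IP; a packet
    carrying the physical (dial-up) address, any other address, or a malformed
    address is dropped. If a protocol filter is configured, it is applied next."""
    try:
        src = ipaddress.ip_address(pkt.src)
    except ValueError:
        return ("drop", f"malformed source address {pkt.src!r}")
    if src != ipaddress.ip_address(session.assigned_ip):
        return ("drop", f"source {src} is not tunnel address {session.assigned_ip}")
    if session.allowed_protocols is not None and pkt.protocol not in session.allowed_protocols:
        return ("drop", f"protocol {pkt.protocol} not permitted by tunnel filter")
    return ("forward", "source address matches assigned tunnel IP")

# Constructed sample session: dial-up got 192.168.21.3, the tunnel assigned
# 192.192.192.192 (the manual's own example), and a filter allowing only TCP/UDP.
SESSION = TunnelSession("192.192.192.192", frozenset({"tcp", "udp"}))

# Constructed sample packets: one legitimate, one from the dial-up address,
# one from an unrelated address, and one with a filtered protocol.
SAMPLE_PACKETS = [
    Packet("192.192.192.192", "10.1.1.20", "tcp"),
    Packet("192.168.21.3", "10.1.1.20", "tcp"),
    Packet("203.0.113.7", "10.1.1.20", "udp"),
    Packet("192.192.192.192", "10.1.1.20", "icmp"),
]

def verdicts(session=SESSION, packets=SAMPLE_PACKETS):
    return [inspect_tunnel_packet(session, p)[0] for p in packets]

if __name__ == "__main__":
    for p in SAMPLE_PACKETS:
        print(p.src, p.protocol, *inspect_tunnel_packet(SESSION, p))
```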
Password aging does not work for administrator accounts. Also, the following are client-specific password management symptoms:

If you are using the IPsec client, you are warned three times that there will be an impending password expiration. You should change the password immediately. IPsec clients using versions earlier than 1.5.2 do not receive a password expiration warning.

If you are using the PPTP client with the Connection Manager, the Connection Manager generates an impending password expiration warning.

Other clients (L2TP and L2F) and PPTP client users who are not using the Connection Manager receive no warning and can no longer log on. You must contact your system administrator if this happens. In this case, the Nortel VPN Router is unable to notify the client because it has no actual control over the client. With PPTP, use the Connection Manager to establish a connection. With L2TP or L2F, set the Password Maximum Age to zero (never expires).

Note: PPP multilink is not supported with branch office tunnels. It is only supported with end user tunnels.