
Configuring VPN from Proventia M Series Appliance to NetScreen Systems

January 13, 2004

Overview

Introduction: This document describes how to configure a VPN tunnel from a Proventia™ M series appliance to NetScreen 208 systems.

Intended use: This document provides an example for configuring VPN from a Proventia M series appliance to a NetScreen system running a version 4.0.0r6 operating system. The example is not designed for operational use without modification. A knowledgeable IPSEC network administrator or advanced user should design new, custom policies for operational use.

Scope: This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the Related documentation section of this topic.

Related documentation

Refer to the Proventia Manager Help and the Proventia M Series Appliances User Guide for more information about the following:

• IKE and IKE policies

• IPSEC and IPSEC policies

• Firewall policies

For procedures for configuring the NetScreen system, refer to the documentation provided with your system.

In this document: This document contains the following topics:

Topic                                                          Page

Before You Begin                                               3


© Internet Security Systems, Inc. 2003. All rights reserved worldwide.


Configuring the Proventia Appliance IKE Policy                 5

Configuring the Proventia Appliance IPSEC Policy               6

Creating Related Firewall Rules for Proventia Appliance        10

Creating Network Objects for the NetScreen System              13

Configuring VPN on the NetScreen System Using the VPN Wizard   14

Configuring VPN on the NetScreen System Manually               15

Configuring IKE Phase 2 Policy on the NetScreen System         17

Creating Firewall Rules on the NetScreen System                18


Contents of document subject to change.


Before You Begin

Introduction: This topic includes a topography graphic and a checklist to help you gather the information you need to configure VPN for your Proventia M series appliance and NetScreen system.

Topography: The following graphic illustrates the network topography of a Proventia M series appliance configured for VPN with a NetScreen system. The example used in this document is based on the topography depicted.

Table 1: Topography for VPN tunnel from Proventia M Series appliance to NetScreen (graphic; only the labels are recoverable here)

  Subnet A (192.168.1.0/24) -- Proventia (internal 192.168.1.1, external a.a.a.a) -- Internet -- NetScreen (external b.b.b.b, internal 10.1.0.1) -- Subnet B (10.1.0.0/16)


Checklist: The following checklist indicates the information that you need before configuring your VPN tunnel.

  Proventia M series External IP address: _____________________________
    Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document.

  Proventia M series Internal IP Address: _____________________________

  Subnet A IP address: _____________________________

  NetScreen External IP address: _____________________________
    Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document.

  NetScreen Internal IP address: _____________________________

  Subnet B IP address: _____________________________

  Preshared key (minimum of 16 characters): _____________________________
    Note: Use signed certificates to identify the Proventia M series appliance and NetScreen VPN server for better security.

  IKE Phase 1 (Main Mode) Authentication: MD5 / SHA1

  IKE Phase 1 Encryption: 3DES / DES / AES
    Note: If you select AES, select an AES key length: 128 / 192 / 256

  IKE Phase 1 Key Lifetime (Seconds): _____________________________

  IKE Phase 1 Key Lifetime (Kbytes): _____________________________

  IKE Phase 1 Diffie-Hellman Group: Group1 / Group2 / Group5

  IKE Phase 2 (Quick Mode) Authentication: MD5 / SHA1

  IKE Phase 2 Encryption: 3DES / DES / AES
    Note: If you select AES, select an AES key length: 128 / 192 / 256

  IKE Phase 2 Key Lifetime (Seconds): _____________________________

  IKE Phase 2 Key Lifetime (Kbytes): _____________________________

  IKE Phase 2 Diffie-Hellman Group: None / Group1 / Group2 / Group5

  Firewall Policies


Configuring the Proventia Appliance IKE Policy

Introduction: You must configure the IKE policy for Phase 1 (Main Mode) negotiation.

Creating an IKE policy rule

To configure the IKE policy, create an IKE rule with the following settings:

  Name: To_NetScreen
  Enabled: Selected
  Direction: Both
  Exchange Type: Main Mode
  Local ID Type: IP Address
  Local ID Data: The external interface IP address of the Proventia M series appliance (example: a.a.a.a)
  Local IP: The external interface IP address of the Proventia M series appliance (example: a.a.a.a)
  Remote IP: The external interface IP address of the NetScreen system (example: b.b.b.b)
  Encryption Algorithm: AES
  AES key length: 128
  Authentication Algorithm: SHA1
  Authentication Mode: Pre Shared Key
  Pre-Shared Key: A text string value of at least 16 characters (example: 1234567890abcdef)
    Note: You will use the same text string for the NetScreen system.
  Lifetime in Secs: 28800
  Lifetime in Kbs: 0
  DH Group: Group 2

Table 2: IKE policy settings for Proventia M series appliance

Adding a remote ID

In the Remote ID area, add a remote ID with the following settings:

  Remote ID Type: IP Address
  Remote ID Data: The external interface IP address of the NetScreen system (example: b.b.b.b)

Table 3: Remote ID settings for Proventia M series appliance


Configuring the Proventia Appliance IPSEC Policy

Introduction: You must configure the IPSEC policy to define the IPSEC protocol, the key exchange method, and the other information needed to secure IP packets. The IPSEC policy is configured without network address translation (NAT).

Creating an IPSEC rule

To configure the IPSEC policy, create an IPSEC rule with the following settings:

  Name: To_NetScreen
  Enabled: Selected
  Security Process: Apply
  Protocol: All
  Encapsulation Mode: Tunnel
  Source Address: Network Address/#Network Bits (CIDR); type the network mask for subnet A (example: 192.168.1.0/24)
  Source Port: Any
  Destination Address: Network Address/#Network Bits (CIDR); type the network mask for subnet B (example: 10.1.0.0/16)
  Destination Port: Any
  Automatic Key Management: Selected
  Peer S.G.: The external interface IP address of the NetScreen system (example: b.b.b.b)
  Perfect Forward Secrecy: Group 2

Table 4: IPSEC policy settings for Proventia M series appliance


Adding a security proposal

In the Security Proposal area, add a security proposal with the following settings:

  Security Protocol: ESP with Auth
  Auth Algorithm: SHA1
  ESP Algorithm: AES
  ESP AES Key Length: 128
  Lifetime in Secs: 3600
  Lifetime in Kbs: 0

Table 5: Security Proposal settings for Proventia M series appliance


Configuring Antivirus Protection with VPN Connection

Introduction: The antivirus software proxies traffic to the external interface of the Proventia M series appliance for the following protocols:

• HTTP

• FTP

• SMTP

• POP3

To ensure that traffic analyzed by the antivirus software is sent to and received from the remote VPN subnet B, you must create an additional IPSEC policy rule.

Creating an IPSEC rule

To configure the IPSEC policy, create an IPSEC rule with the following settings:

  Name: AV_To_NetScreen
  Enabled: Selected
  Security Process: Apply
  Protocol: All
  Encapsulation Mode: Tunnel
  Source Address: Single IP Address; type the external interface IP address of the Proventia M series appliance (example: a.a.a.a)
    Note: This setting encapsulates traffic from the Proventia appliance external interface.
  Source Port: Any
  Destination Address: Network Address/#Network Bits (CIDR); type the network mask for subnet B (example: 10.1.0.0/16)
  Destination Port: Any
  Automatic Key Management: Selected
  Peer S.G.: The external interface IP address of the NetScreen system (example: b.b.b.b)
  Perfect Forward Secrecy: Group 2

Table 6: IPSEC rule settings for antivirus protection for VPN


Adding a security proposal

In the Security Proposal area, add a security proposal with the following settings:

  Security Protocol: ESP with Auth
  Auth Algorithm: SHA1
  ESP Algorithm: AES
  ESP AES Key Length: 128
  Lifetime in Secs: 3600
  Lifetime in Kbs: 0

Table 7: Security Proposal settings for antivirus protection for VPN

Mirror inbound policy rule

The appliance automatically creates the mirror inbound policy rule for antivirus protection for VPN.


Creating Related Firewall Rules for Proventia Appliance

Introduction: Creating related firewall rules includes the following tasks:

• enabling Internet Security Association and Key Management Protocol (ISAKMP) traffic to the Proventia M series appliance external interface

• enabling traffic from subnet A to subnet B without NAT

Guidelines: You are creating a VPN tunnel in which the original IP addresses are preserved in the ESP, so you do not need NAT for the subnets.

Order of firewall rules

Firewall rules are processed in the order that they appear in the list.

Enabling ISAKMP traffic to the Proventia M series appliance

Although you have created a VPN tunnel between the NetScreen system and the Proventia appliance, you must still configure the firewall to accept or deny traffic from the VPN peer. To do this, enable ISAKMP traffic to the Proventia M series appliance external interface.

To enable ISAKMP traffic to the Proventia M series appliance, enable the self policy firewall rule with the following settings:

Note: This firewall rule is included in the self policy. However, it is disabled by default. You must enable it to allow VPN traffic.

  Enabled: Selected
  Action: Accept
  Log Enabled: Not selected (optional)
  Network: EXT
  Protocol: UDP
  Source Address: The external interface IP address of the NetScreen system (example: b.b.b.b)
  Source Port: Any
  Destination Address: Any
  Destination Port: 500

Table 8: Self policy firewall rule settings for Proventia M series appliance


Enabling traffic from subnet A to subnet B

To enable all traffic from subnet A to subnet B, add inbound and outbound internal policy firewall rules.

Add an Inbound rule

In the Inbound Rules area, add a rule with the following settings:

  Enabled: Selected
  Action: Accept
  Log Enabled: Not selected (optional)
  Protocol: Any
  NAT Enabled: Not selected
  Source Address: Network Address/#Network Bits (CIDR); type the network mask for subnet B (example: 10.1.0.0/16)
  Source Port: Any
  Destination Address: Network Address/#Network Bits (CIDR); type the network mask for subnet A (example: 192.168.1.0/24)
  Destination Port: Any

Table 9: Internal inbound firewall rule settings for Proventia M series appliance


Add an Outbound rule

In the Outbound Rules area, add a rule with the following settings:

  Enabled: Selected
  Action: Accept
  Log Enabled: Not selected (optional)
  Protocol: Any
  NAT Enabled: Not selected
  Source Address: Network Address/#Network Bits (CIDR); type the network mask for subnet A (example: 192.168.1.0/24)
  Source Port: Any
  Destination Address: Network Address/#Network Bits (CIDR); type the network mask for subnet B (example: 10.1.0.0/16)
  Destination Port: Any

Table 10: Internal outbound firewall rule settings for Proventia M series appliance
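As an added example that is not part of the ISS document: a small Python model of the selectors in Tables 4, 6, 8, 9 and 10, showing which traffic the Proventia appliance would encapsulate (and under which IPSEC rule, including the AV_To_NetScreen rule for proxied antivirus traffic) and which traffic the firewall rules above accept. The a.a.a.a and b.b.b.b values are constructed placeholders, and treating unmatched traffic as denied is an assumption of the model.

```python
from ipaddress import ip_address, ip_network

# Constructed placeholders for the document's a.a.a.a / b.b.b.b (RFC 5737 test ranges).
PROVENTIA_EXT = "203.0.113.10"   # a.a.a.a, Proventia external interface
NETSCREEN_EXT = "198.51.100.20"  # b.b.b.b, NetScreen external interface
SUBNET_A = ip_network("192.168.1.0/24")  # behind the Proventia appliance
SUBNET_B = ip_network("10.1.0.0/16")     # behind the NetScreen system
ANY = ip_network("0.0.0.0/0")

# IPSEC rules (Tables 4 and 6): name, source selector, destination selector, peer gateway.
# The AV rule uses the appliance's own external address as a single-host source selector
# because the antivirus proxy originates that traffic from the external interface.
IPSEC_RULES = [
    ("To_NetScreen",    SUBNET_A,                          SUBNET_B, NETSCREEN_EXT),
    ("AV_To_NetScreen", ip_network(PROVENTIA_EXT + "/32"), SUBNET_B, NETSCREEN_EXT),
]

def select_tunnel(src, dst):
    """Return the name of the first IPSEC rule whose selectors cover src -> dst,
    or None when the packet would leave the appliance without encapsulation."""
    s, d = ip_address(src), ip_address(dst)
    for name, src_sel, dst_sel, _peer in IPSEC_RULES:
        if s in src_sel and d in dst_sel:
            return name
    return None

# Firewall rules: self policy (Table 8) and internal inbound/outbound policy (Tables 9, 10).
# Fields: policy, protocol, source selector, destination selector, destination port, action.
FIREWALL_RULES = [
    ("self",     "udp", ip_network(NETSCREEN_EXT + "/32"), ANY,      500,  "accept"),
    ("inbound",  "any", SUBNET_B,                          SUBNET_A, None, "accept"),
    ("outbound", "any", SUBNET_A,                          SUBNET_B, None, "accept"),
]

def firewall_decision(policy, proto, src, dst, dport=None):
    """First-match evaluation in list order, as the page describes for the appliance.
    Traffic that matches no rule is reported as 'deny' (assumed default for this model)."""
    s, d = ip_address(src), ip_address(dst)
    for pol, rproto, src_sel, dst_sel, rport, action in FIREWALL_RULES:
        if pol != policy or rproto not in ("any", proto):
            continue
        if s in src_sel and d in dst_sel and rport in (None, dport):
            return action
    return "deny"

if __name__ == "__main__":
    # Constructed sample flows: a subnet A host, the AV proxy, and a non-VPN destination.
    print("192.168.1.25 -> 10.1.4.7:", select_tunnel("192.168.1.25", "10.1.4.7"))
    print("AV proxy -> 10.1.4.7:", select_tunnel(PROVENTIA_EXT, "10.1.4.7"))
    print("192.168.1.25 -> 192.0.2.1:", select_tunnel("192.168.1.25", "192.0.2.1"))
    print("IKE from NetScreen:", firewall_decision("self", "udp", NETSCREEN_EXT, PROVENTIA_EXT, 500))
    print("IKE from elsewhere:", firewall_decision("self", "udp", "192.0.2.9", PROVENTIA_EXT, 500))
```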


Creating Network Objects for the NetScreen System

Introduction: You must create network objects on the NetScreen management console.

Creating address list object for subnet A

To create an address list object for subnet A:

1. In the left pane, select Objects > Addresses > List.

2. Select Untrust.

3. Click New, and then configure the following settings:

     Address Name: Subnet A
     IP/Netmask: 192.168.1.0/24
     Zone: Untrust

4. Click OK.

Creating address list object for subnet B

To create an address list object for subnet B:

1. In the left pane, select Objects > Addresses > List.

2. Select Trust.

3. Click New, and then configure the following settings:

     Address Name: Subnet B
     IP/Netmask: 10.1.0.0/16
     Zone: Trust

4. Click OK.


Configuring VPN on the NetScreen System Using the VPN Wizard

Introduction: Configuring VPN on the NetScreen system involves the following tasks:

• setting up VPN using the VPN wizard

• disabling NAT traversal

Setting up VPN

To set up VPN:

1. In the left pane, select Wizards > VPN.

2. Select LAN-to-LAN.

3. Select Local Static IP <-> Remote Static IP.

4. In the Remote Gateway IP Address field, type the external interface IP address of the Proventia M series appliance (example: a.a.a.a).

5. Select Standard (128/168-bit encryption strength).

6. In the Preshared Secret field, type the same pre-shared key that you used for the Proventia appliance (example: 1234567890abcdef).

7. Choose Select from the untrust zone address book, and then select Subnet A from the drop-down list.

8. Choose Select from the trust zone address book, and then select Subnet B from the drop-down list.

9. Review the configuration, and then click Next to accept.

Disabling NAT traversal

To disable NAT traversal:

1. In the left pane, select VPNs > AutoKey Advanced > Gateway.

2. In the right pane, click Edit next to Gateway to Subnet A.

3. Click Advanced.

4. Clear the Enable NAT-Traversal check box.

5. Click Return.

6. Click OK.


Configuring VPN on the NetScreen System Manually

Introduction: If you do not want to use the VPN wizard, or if the wizard does not properly configure your VPN settings, you can configure the settings manually. The remainder of this document describes how to configure VPN on the NetScreen system manually.

Creating gateway object and IKE phase 1 policy

To create the gateway object and IKE phase 1 policy:

1. Select VPNs > AutoKey Advanced > Gateway.

2. In the right pane, click New.

3. Configure the following settings:

     Gateway Name: Gateway for Subnet A
     Security Level: Standard
       Reference: For information about the Standard Security Level, refer to “Description of Standard Security Level” on page 16.
     Remote Gateway Type: Static IP Address
     IP Address: The external interface IP address of the Proventia M series appliance (example: a.a.a.a)
     Peer ID: The external interface IP address of the Proventia M series appliance (example: a.a.a.a)
     User: None
     Group: None
     Preshared Key: The same pre-shared key that you used for the Proventia appliance (example: 1234567890abcdef)
     Local ID: Leave blank
     Outgoing Interface: Select the interface configured as Untrust under Network > Interfaces (example: ethernet3)

4. Click Advanced.

5. Clear the Enable NAT-Traversal check box.

6. Click Return.

7. Click OK.


Description of Standard Security Level

The Standard Security Level setting includes the following policy settings:

• Policy 1

    • Identity Authentication: Preshared Secret

    • Perfect Forward Secrecy: Diffie-Hellman Group 2

    • Encryption: 3DES

    • Authentication: SHA-1

• Policy 2

    • Identity Authentication: Preshared Secret

    • Perfect Forward Secrecy: Diffie-Hellman Group 2

    • Encryption: AES 128

    • Authentication: SHA-1

Note: The Proventia M series settings match Policy 2 settings.
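As an added example that is not part of the ISS document: a Python pre-flight check that compares the Proventia settings from Tables 2, 4 and 5 with the NetScreen gateway definition and the Standard security level listed above, and reports the mismatches a practitioner would otherwise discover only when Phase 1 or Phase 2 fails (key too short or different on each side, identities that do not line up, a suite no Standard policy offers, NAT-Traversal left enabled). The a.a.a.a and b.b.b.b addresses are constructed placeholders, and applying the single Diffie-Hellman group the page lists to both phases is an assumption of the model.

```python
# Constructed placeholders for the document's a.a.a.a and b.b.b.b (RFC 5737 test ranges).
A_A_A_A = "203.0.113.10"   # Proventia M series external interface
B_B_B_B = "198.51.100.20"  # NetScreen external interface

# NetScreen "Standard" security level as listed on this page. The page gives one
# Diffie-Hellman group (PFS group 2) per policy; this model applies it to both phases.
NETSCREEN_STANDARD = (
    {"name": "Policy 1", "encryption": "3des",   "hash": "sha1", "dh_group": 2},
    {"name": "Policy 2", "encryption": "aes128", "hash": "sha1", "dh_group": 2},
)

def matching_policy(suite, proposals=NETSCREEN_STANDARD):
    """Name of the first proposal agreeing on encryption, hash and DH group, else None."""
    for p in proposals:
        if all(suite[k] == p[k] for k in ("encryption", "hash", "dh_group")):
            return p["name"]
    return None

def check_tunnel(proventia, netscreen):
    """Compare the Proventia IKE/IPSEC rules with the NetScreen gateway definition and
    return a list of findings; an empty list means the two sides agree."""
    findings = []
    psk = proventia["psk"]
    if len(psk) < 16:
        findings.append("pre-shared key is shorter than the 16-character minimum")
    if psk != netscreen["psk"]:
        findings.append("pre-shared keys differ between the two systems")
    if proventia["exchange"] != "main":
        findings.append("Proventia IKE rule must use Main Mode")
    # Identities and peer addresses: the Proventia Local ID (a.a.a.a) is what the
    # NetScreen expects as Peer ID, and each side must point at the other's external IP.
    if proventia["local_id"] != netscreen["peer_id"]:
        findings.append("Proventia Local ID Data does not match the NetScreen Peer ID")
    if proventia["remote_ip"] != netscreen["external_ip"]:
        findings.append("Proventia Remote IP is not the NetScreen external address")
    if netscreen["gateway_ip"] != proventia["local_ip"]:
        findings.append("NetScreen gateway IP is not the Proventia external address")
    for phase in ("phase1", "phase2"):
        if matching_policy(proventia[phase]) is None:
            findings.append(f"{phase}: no NetScreen Standard policy offers this suite")
    if netscreen["nat_traversal"]:
        findings.append("NAT-Traversal is still enabled on the NetScreen gateway")
    return findings

# Settings from Tables 2, 4 and 5 (Proventia) and the NetScreen gateway settings above.
PROVENTIA = {
    "exchange": "main", "local_ip": A_A_A_A, "local_id": A_A_A_A, "remote_ip": B_B_B_B,
    "psk": "1234567890abcdef",
    "phase1": {"encryption": "aes128", "hash": "sha1", "dh_group": 2},  # Table 2
    "phase2": {"encryption": "aes128", "hash": "sha1", "dh_group": 2},  # Table 5, PFS Group 2
}
NETSCREEN = {
    "external_ip": B_B_B_B, "gateway_ip": A_A_A_A, "peer_id": A_A_A_A,
    "psk": "1234567890abcdef", "nat_traversal": False,
}

if __name__ == "__main__":
    print(check_tunnel(PROVENTIA, NETSCREEN) or "no mismatches; suites match Policy 2")
```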


Configuring IKE Phase 2 Policy on the NetScreen System

Introduction: This topic describes how to configure IKE Phase 2 (Quick Mode) on the NetScreen system.

Creating an IKE policy rule

To create an IKE policy rule:

1. Select VPNs > AutoKey IKE.

2. In the right pane, click New.

3. Configure the following settings:

     VPN Name: Tunnel for Subnet A
     Security Level: Standard
       Reference: For information about the Standard Security Level, refer to “Description of Standard Security Level” on page 16.
     Remote Gateway: Predefined; select Gateway for Subnet A.

4. Click OK.


Creating Firewall Rules on the NetScreen System

Introduction: This topic describes how to create inbound and outbound firewall rules for the NetScreen system.

Note: ISAKMP and UDP port 500 rules for IKE negotiations are enabled by default.

Creating the outbound firewall rule

To create the outbound firewall rule:

1. In the left pane, select Policies.

2. Select Trust from the From drop-down list.

3. Select Untrust from the To drop-down list.

4. Click Go.

5. Click New, and then configure the following settings:

     Name: Proventia
     Source Address: Address Book; select Subnet B from the drop-down list.
     Destination Address: Address Book; select Subnet A from the drop-down list.
     Service: Any
     Action: Tunnel
     Tunnel: Tunnel for Subnet A
     Modify matching bidirectional VPN policy: Selected
     L2TP: None
     Position at Top: Selected

6. Click OK.


Verifying the inbound firewall rule

The mirror policy for inbound traffic is automatically created when you select Modify matching bidirectional VPN policy. However, you may want to verify that it was created.

To verify that the inbound rule was created:

1. Select Untrust from the From drop-down list.

2. Select Trust from the To drop-down list.

3. Click Go.

You should see an enabled policy with the following settings:

• Source: Subnet A

• Destination: Subnet B

• Service: Any

• Action: Tunnel
