
Configuring VPN from Proventia® M Series Appliance to NetScreen Systems

August 12, 2005

Overview

Introduction This document describes how to configure a VPN tunnel from a Proventia M Series appliance running a Firmware 2.1 operating system or later to NetScreen 208 systems.

Intended use This document provides an example for configuring VPN from a Proventia M Series appliance to a NetScreen system running a version 4.0.0r6 operating system. The example is not designed for operational use without modification. A knowledgeable IPSEC network administrator or advanced user should design new, custom policies for operational use.

Scope This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the Related documentation section of this topic.

Related documentation

Refer to the Proventia Manager Online Help and the Proventia M Series Appliances User Guide for more information about the following:

● IKE settings

● IPSEC and IPSEC policies

● security gateways

● access policies

● NAT policies

For procedures for configuring the NetScreen system, refer to the documentation provided with your system.


© Internet Security Systems, Inc. 2005. All rights reserved worldwide.


In this document This document contains the following topics:

Topic | Page
Before You Begin | 3
Configuring the Proventia Appliance Security Gateway | 5
Configuring the Proventia Appliance IPSEC Policy | 7
Creating an IPSEC Policy for Antivirus Protection with VPN Connection | 8
Creating Related Access Policies for the Proventia M Series Appliance | 10
Creating an Access Policy to Enable ISAKMP Traffic to the Proventia M Series Appliance | 11
Creating Access Policies to Enable Traffic from Subnet A to Subnet B | 12
Creating NAT Rules | 14
Creating Network Objects for the NetScreen System | 16
Configuring VPN on the NetScreen System Using the VPN Wizard | 18
Configuring VPN on the NetScreen System Manually | 20
Configuring IKE Phase 2 Policy on the NetScreen System | 22
Creating Firewall Rules on the NetScreen System | 23


Contents of document subject to change.


Before You Begin

Introduction This topic includes a topology graphic and a checklist to help you gather the information you need to configure VPN for your Proventia M Series appliance and NetScreen system.

Topology The following graphic illustrates the network topology of a Proventia M Series appliance configured for VPN with a NetScreen system. The example used in this document is based on the topology depicted.

[Topology graphic] Table 1: Topology for VPN tunnel from Proventia appliance to NetScreen


Checklist The following checklist indicates the information that you need before configuring your VPN tunnel.

Task | Description
Proventia M Series External IP address | _____________________________
  Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document.
Proventia M Series Internal IP Address | _____________________________
Subnet A IP address | _____________________________
Netscreen External IP address | _____________________________
  Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document.
Netscreen Internal IP address | _____________________________
Subnet B IP address/mask | _____________________________
Preshared key (minimum of 16 characters) | _____________________________
  Note: Use signed certificates to identify the Proventia appliance and Check Point VPN server for better security.
IKE Phase 1 (Main Mode) Authentication | MD5 / SHA1
IKE Phase 1 Encryption | 3DES / DES / AES
  Note: If you select AES, select an AES key length: 128 / 192 / 256
IKE Phase 1 Key Lifetime Seconds | _____________________________
IKE Phase 1 Key Lifetime Kbytes | _____________________________
IKE Phase 1 Diffie-Hellman Group | Group1 / Group2 / Group5
IKE Phase 2 (Quick Mode) Authentication | MD5 / SHA1
IKE Phase 2 Encryption | 3DES / DES / AES
  Note: If you select AES, select an AES key length: 128 / 192 / 256
IKE Phase 2 Key Lifetime Seconds | _____________________________
IKE Phase 2 Key Lifetime Kbytes | _____________________________
IKE Phase 2 Diffie-Hellman Group | None / Group1 / Group2 / Group5
Access Policies |

Table 2: Checklist before configuring VPN tunnel


Configuring the Proventia Appliance Security Gateway

Introduction You must configure the security gateway that represents the NetScreen appliance. The security gateway contains the IKE and IPSEC communication settings. To configure the security gateway, create an Auto Key IPSEC Security Gateway with the settings shown below.

Security gateway IKE Configuration settings

Define the security gateway name, and configure IKE settings on the IKE Configuration tab, as shown in the following table:

Item | Setting
Name | To_NetScreen
Enabled | Selected
Comment | IPSEC tunnel to NetScreen system
Direction | Both Directions
Exchange Type | Main Mode
Encryption Algorithm | AES
AES Key Length | 128
Authentication Algorithm | SHA1
Authentication Mode | Pre Shared Key
Pre-Shared Key | A text string value of at least 16 alphanumeric characters
  Example: 1234567890abcdef
  Note: Use the same text string for the NetScreen system.
Life Time Secs | 28800
Life Time KBytes | 0
DH Group | Group2
Local IP Address | Static Address
  Note: In the IP Address field, type the external interface IP address of the Proventia appliance.
  Example: a.a.a.a
Remote IP Address | Static Address
  Note: In the IP Address field, type the external interface IP address of the Symantec system.
  Example: b.b.b.b

Table 3: IKE Configuration settings for the Proventia appliance


Local ID | Static Address
  Note: In the IP Address field, type the external interface IP address of the Proventia appliance.
  Example: a.a.a.a
Remote ID | Static Address
  Note: In the IP Address field, type the external interface IP address of the NetScreen system.
  Example: b.b.b.b

Table 3: IKE Configuration settings for the Proventia appliance (Continued)

IKE XAuth settings In the XAuth area of the IKE Configuration tab, the Enabled checkbox is disabled by default. Make sure that this checkbox is cleared to disable the XAuth settings.

IPSEC Configuration general settings

Define the IPSEC Configuration general settings on the IPSEC Configuration tab, as shown in the following table:

Item | Setting
Encapsulation Mode | Tunnel
Perfect Forward Secrecy | Group2
Advanced Settings | Disabled

Table 4: IPSEC Configuration general settings for the Proventia appliance

Adding a security proposal

In the Security Proposal area of the IPSEC Configuration tab, add a security proposal with the settings shown in the following table:

Item | Setting
Security Protocol | ESP with Auth
Auth Algorithm | SHA1
ESP Algorithm | AES
ESP AES Key Length | 128
Life Time Secs | 3600
Life Time KBytes | 0

Table 5: Security Proposal settings for the Proventia appliance

Advanced settings In the Advanced Settings area of the IPSEC Configuration tab, the Enabled checkbox is cleared by default. Make sure that this checkbox is cleared to disable the advanced settings.


Configuring the Proventia Appliance IPSEC Policy

Introduction You must configure the IPSEC policy to define what is encrypted between the Proventia appliance and the NetScreen system. The IPSEC policy is configured without network address translation (NAT).

Reference: See “Creating NAT Rules” on page 14.

IPSEC policy general settings

Define the IPSEC policy general settings as shown in the following table:

Item | Setting
Name | To_NetScreen
Enabled | Selected
Comment | IPSEC tunnel to NetScreen
Security Process | Encrypt
Protocol | All

Table 6: IPSEC general policy settings for the Proventia appliance

IPSEC policy remaining settings

Define the remaining IPSEC policy settings as shown in the following table:

On this subtab... | Select this item... | With this setting...
Security Gateway | Auto Key Security Gateway | To_NetScreen
Source Address | Network Address/#Network Bits (CIDR) | The network address and subnet mask for subnet A
  Example: 192.168.1.0/24
Source Port | Any | N/A
Destination Address | Network Address/#Network Bits (CIDR) | The network address and subnet mask for subnet B
  Example: 10.1.0.0/16
Destination Port | Any | N/A

Table 7: IPSEC policy settings for the Proventia appliance


Creating an IPSEC Policy for Antivirus Protection with VPN Connection

Introduction The antivirus software proxies traffic to the external interface of the Proventia appliance for the following protocols:

● HTTP

● FTP

● SMTP

● POP3

To ensure that traffic analyzed by the antivirus software is sent and received from the remote VPN subnet B, you must create an additional IPSEC policy.

Note: The Proventia appliance automatically creates the mirror inbound policy for antivirus protection for VPN.

IPSEC policy general settings

Define the IPSEC policy general settings as shown in the following table:

Item | Setting
Name | AV_To_NetScreen
Enabled | Selected
Comment | IPSEC policy to protect AV traffic to NetScreen
Security Process | Encrypt
Protocol | All

Table 8: IPSEC Configuration general settings for antivirus protection for VPN

IPSEC policy remaining settings

Define the remaining IPSEC policy settings as shown in the following table:

On this subtab... | Select this item... | With this setting...
Security Gateway | Auto Key Security Gateway | To_NetScreen
Source Address | Single IP Address | The external interface IP address of the Proventia appliance
  Example: a.a.a.a
  Note: This setting encapsulates traffic from the Proventia appliance external interface.
Source Port | Any | N/A
Destination Address | Network Address/#Network Bits (CIDR) | The network address and subnet mask for subnet B
  Example: 10.1.0.0/16
Destination Port | Any | N/A

Table 9: IPSEC Configuration remaining settings for antivirus protection for VPN


Creating Related Access Policies for the Proventia M Series Appliance

Introduction You must create additional access policies on the Proventia appliance to do the following:

● enable Internet Security Association and Key Management Protocol (ISAKMP) traffic to the Proventia appliance external interface

Reference: See “Creating an Access Policy to Enable ISAKMP Traffic to the Proventia M Series Appliance” on page 11.

● enable traffic from subnet A to subnet B without NAT (Network Address Translation)

Reference: See “Creating Access Policies to Enable Traffic from Subnet A to Subnet B” on page 12.

Guideline You are creating a VPN tunnel in which the original IP addresses are preserved in the ESP, so you do not need NAT for the subnets. See “Creating NAT Rules” on page 14.

Order of access policies

The appliance processes access policies in the order that they appear in the Access Policy list.


Creating an Access Policy to Enable ISAKMP Traffic to the Proventia M Series Appliance

Introduction Although you have created a VPN tunnel from the NetScreen server to the Proventia VPN server, you must configure the firewall to accept or deny traffic from the VPN client. To do this, enable ISAKMP traffic to the Proventia appliance external interface.

To enable ISAKMP traffic to the Proventia appliance, enable the access policy that allows VPN traffic. You can identify this policy by the Comment field that includes the following default text:

Enable this rule for VPN Connectivity

Note: This access policy is disabled by default. You must enable it to allow VPN traffic.

ISAKMP access policy general settings

Define the access policy general settings as defined in the following table:

Item | Setting
Enabled | Selected
Action | Allow
Log Enabled | Not selected (optional)
Comment | Enable this rule for VPN Connectivity

Table 10: ISAKMP access policy general settings for the Proventia appliance

ISAKMP access policy remaining settings

Define the remaining access policy settings as shown in the following table:

On this subtab... | Select this item... | With this setting...
Protocol | Any | N/A
Source Address | Single IP Address | The external interface IP address for the NetScreen server (Unit B)
  Example: b.b.b.b
Source Port | Any | N/A
Destination Address | Self | N/A
Destination Port | Specify Network Objects | ISAKMP_UDP

Table 11: ISAKMP access policy settings for the Proventia appliance


Creating Access Policies to Enable Traffic from Subnet A to Subnet B

Introduction You must create two additional access policies on the Proventia appliance to allow all traffic from subnet A to subnet B:

● a policy to allow inbound traffic

● a policy to allow outbound traffic

Inbound access policy general settings

Define the inbound access policy general settings as defined in the following table:

Item | Setting
Enabled | Selected
Action | Allow
Log Enabled | Not selected (optional)
Comment | Access policy to allow traffic from remote NetScreen network

Table 12: Inbound access policy general settings

Inbound access policy remaining settings

Define the remaining inbound access policy settings as shown in the following table:

On this subtab... | Select this item... | With this setting...
Protocol | Any | N/A
Source Address | Network Address/#Network Bits (CIDR) | The network IP address and mask for subnet B
  Example: 10.1.0.0/16
Source Port | Any | N/A
Destination Address | Network Address/#Network Bits (CIDR) | The network IP address and mask for subnet A
  Example: 192.168.1.0/24
Destination Port | Any | N/A

Table 13: Inbound access policy remaining settings

Outbound access policy general settings

Define the outbound access policy general settings as defined in the following table:

Item | Setting
Enabled | Selected
Action | Allow
Log Enabled | Not selected (optional)
Comment | Access policy to allow traffic out to remote NetScreen network

Table 14: Outbound access policy general settings

Outbound access policy remaining settings

Define the remaining outbound access policy settings as shown in the following table:

On this subtab... | Select this item... | With this setting...
Protocol | Any | N/A
Source Address | Network Address/#Network Bits (CIDR) | The network IP address and mask for subnet A
  Example: 192.168.1.0/24
Source Port | Any | N/A
Destination Address | Network Address/#Network Bits (CIDR) | The network IP address and mask for subnet B
  Example: 10.1.0.0/16
Destination Port | Any | N/A

Table 15: Outbound access policy remaining settings


Creating NAT Rules

Introduction In firmware version 2.1 and later, you must add NAT (Network Address Translation) rules to bypass NAT and ensure that the appliance does not translate packets that travel between subnets. The additional NAT rules are as follows:

● a Source NAT Rule

● a Destination NAT Rule

Source NAT Rule general settings

Create a Source NAT Rule with general settings as defined in the following table:

Item | Setting
Name | NetScreen_BypassNAT_Src
Enabled | Selected
Comment | Source NAT Rule to bypass NAT

Table 16: Source NAT Rule general settings

Source NAT Rule remaining settings

Define the remaining Source NAT Rule settings as shown in the following table:

On this subtab... | Select this item... | With this setting...
Protocol | Any | N/A
Source Address | Network Address/#Network Bits (CIDR) | The network address and mask for subnet A
  Example: 192.168.1.0/24
Destination Address | Network Address/#Network Bits (CIDR) | The network address and mask for subnet B
  Example: 10.1.0.0/16
Destination Port | Any | N/A
Translated Address | Do Not Translate | N/A

Table 17: Source NAT Rule remaining settings

Note: Make sure that the Source NAT Rule is in the first position in the Source NAT Rules table.

Destination NAT Rule general settings

Create a Destination NAT Rule with general settings as defined in the following table:

Item | Setting
Name | NetScreen_BypassNAT_Dst
Enabled | Selected
Comment | Destination NAT Rule to bypass NAT

Table 18: Destination NAT Rule general settings

Destination NAT Rule remaining settings

Define the remaining Destination NAT Rule settings as shown in the following table:

On this subtab... | Select this item... | With this setting...
Protocol | Any | N/A
Source Address | Network Address/#Network Bits (CIDR) | The network address and mask for subnet B
  Example: 10.1.0.0/16
Destination Address | Network Address/#Network Bits (CIDR) | The network address and mask for subnet A
  Example: 192.168.1.0/24
Destination Port | Any | N/A
Translated Address | Do Not Translate | N/A
Translated Port | Do Not Translate | N/A

Table 19: Destination NAT Rule remaining settings

Note: Make sure that the Destination NAT Rule is in the first position in the Destination NAT Rules table.
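The "first position" requirement above is easiest to see by walking a packet through a NAT rule list in order. The following Python is an added example, not ISS code: it models the bypass rule from Tables 16 and 17, a constructed hide-everything rule that a site might also have (the 203.0.113.1 address stands in for a.a.a.a), and the selector of the To_NetScreen IPSEC policy from Table 7, on the assumption that source NAT is applied before the IPSEC policy selector is checked.

```python
"""Added example: first-match walk through a Proventia Source NAT Rules table.
A translating rule placed above NetScreen_BypassNAT_Src rewrites the source
address first, so the packet no longer matches the subnet A -> subnet B
IPSEC policy selector and never enters the tunnel."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass(frozen=True)
class SourceNatRule:
    name: str
    src: str                    # CIDR the rule matches on (source)
    dst: str                    # CIDR the rule matches on (destination)
    translated: Optional[str]   # None means "Do Not Translate"


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str


def first_match(rules: List[SourceNatRule], pkt: Packet) -> Optional[SourceNatRule]:
    """The appliance processes rules in list order: return the first whose
    selectors cover the packet, or None when no rule applies."""
    s, d = ip_address(pkt.src), ip_address(pkt.dst)
    for rule in rules:
        if s in ip_network(rule.src) and d in ip_network(rule.dst):
            return rule
    return None


def apply_source_nat(rules: List[SourceNatRule], pkt: Packet) -> Packet:
    """Packet as it leaves the source NAT stage."""
    rule = first_match(rules, pkt)
    if rule is None or rule.translated is None:
        return pkt
    return Packet(rule.translated, pkt.dst)


def matches_ipsec_policy(pkt: Packet) -> bool:
    """Selector of the To_NetScreen IPSEC policy (Table 7): subnet A to subnet B."""
    return (ip_address(pkt.src) in ip_network("192.168.1.0/24")
            and ip_address(pkt.dst) in ip_network("10.1.0.0/16"))


def tunnel_eligible(rules: List[SourceNatRule], pkt: Packet) -> bool:
    """Does the packet still match the IPSEC policy after source NAT?"""
    return matches_ipsec_policy(apply_source_nat(rules, pkt))


# The bypass rule from Tables 16 and 17 of the guide.
BYPASS = SourceNatRule("NetScreen_BypassNAT_Src", "192.168.1.0/24", "10.1.0.0/16", None)
# Constructed for illustration only: hide all of subnet A behind the external
# address for any destination (203.0.113.1 stands in for a.a.a.a).
HIDE_ALL = SourceNatRule("Hide_SubnetA_constructed", "192.168.1.0/24", "0.0.0.0/0", "203.0.113.1")


if __name__ == "__main__":
    pkt = Packet("192.168.1.10", "10.1.5.5")   # constructed host in A talking to B
    for order in ([BYPASS, HIDE_ALL], [HIDE_ALL, BYPASS]):
        names = " then ".join(r.name for r in order)
        out = apply_source_nat(order, pkt)
        print(f"{names}: source after NAT {out.src}, tunnel={tunnel_eligible(order, pkt)}")
```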


Creating Network Objects for the NetScreen System

Introduction You must create network objects on the NetScreen management console.

Creating an address list object for subnet A

To create an address list object for subnet A:

1. In the left pane, select Objects > Addresses > List.

2. Select Untrust.

3. Click New, and then configure the following settings:

Item | Setting
Address Name | Subnet A
IP/Netmask | The network address and subnet mask for subnet A
  Example: 192.168.1.0/24
Zone | Untrust

Table 20: NetScreen address list object settings for Subnet A

4. Click OK.

Creating an address list object for subnet B

To create an address list object for Subnet B:

1. In the left pane, select Objects > Addresses > List.

2. Select Trust.

3. Click New, and then configure the following settings:

Item | Setting
Address Name | Subnet B
IP/Netmask | The network address and subnet mask for subnet B
  Example: 10.1.0.0/16
Zone | Trust

Table 21: NetScreen address list object settings for Subnet B

4. Click OK.

Creating an address list object for the Proventia appliance external IP address

To create an address list object for the Proventia appliance external IP address:

1. In the left pane, select Objects > Addresses > List.

2. Select Untrust.

3. Click New, and then configure the following settings:

Item | Setting
Address Name | ProventiaM
IP/Netmask | The external interface IP address of the Proventia appliance
  Example: a.a.a.a/32
Zone | Untrust

Table 22: Netscreen address list object settings for the Proventia appliance

4. Click OK.


Configuring VPN on the NetScreen System Using the VPN Wizard

Introduction Configuring VPN on the NetScreen system involves the following tasks:

● setting up VPN using the VPN wizard

● setting up the VPN rules to allow antivirus software to function

● disabling NAT traversal

Setting up VPN To set up VPN:

1. In the left pane, select Wizards > VPN.

2. Select LAN-to-LAN.

3. Select Local Static IP <-> Remote Static IP.

4. In the Remote Gateway IP Address field, type the external interface IP address of the Proventia appliance.

   Example: a.a.a.a

5. Select Standard (128/168-bit encryption strength).

6. In the Preshared Secret field, type the same pre-shared key that you used for the Proventia appliance.

   Example: 1234567890abcdef

7. Choose Select from the untrust zone address book, and then select Subnet A from the list.

8. Choose Select from the trust zone address book, and then select Subnet B from the list.

9. Review the configuration, and then click Next to accept.

Setting up VPN rules to allow antivirus software to function

To set up VPN rules to allow the antivirus software to function:

1. In the left pane, select Wizards > VPN.

2. Select LAN-to-LAN.

3. Select Local Static IP <-> Remote Static IP.

4. In the Remote Gateway IP Address field, type the external interface IP address of the Proventia appliance.

   Example: a.a.a.a

5. Select Standard (128/168-bit encryption strength).

6. In the Preshared Secret field, type the same pre-shared key that you used for the Proventia appliance.

   Example: 1234567890abcdef

7. Choose Select from the untrust zone address book, and then select ProventiaM from the list.

8. Choose Select from the trust zone address book, and then select Subnet B from the list.

9. Review the configuration, and then click Next to accept.

Disabling NAT traversal

To disable NAT traversal:

1. In the left pane, select VPNs > AutoKey Advanced > Gateway.

2. In the right pane, click Edit next to Gateway to Subnet A.

3. Click Advanced.

4. Clear the Enable NAT-Traversal check box.

5. Click Return.

6. Click OK.


Configuring VPN on the NetScreen System Manually

Introduction If you do not want to use the VPN wizard, or if the wizard does not properly configure your VPN settings, you can configure the settings manually. The remainder of this document describes how to configure VPN on the NetScreen system manually.

Creating gateway object and IKE phase 1 policy

To create the gateway object and IKE phase 1 policy:

1. Select VPNs > AutoKey Advanced > Gateway.

2. In the right pane, click New.

3. Configure the following settings:

Item | Setting
Gateway Name | Gateway for Subnet A
Security Level | Standard
  Reference: For information about the Standard Security Level, refer to “Description of Standard Security Level” on page 21.
Remote Gateway Type | Static IP Address
IP Address | The external interface IP address of the Proventia appliance
  Example: a.a.a.a
Peer ID | The external interface IP address of the Proventia appliance
  Example: a.a.a.a
User | None
Group | None
Preshared Key | The same pre-shared key that you used for the Proventia appliance
  Example: 1234567890abcdef
Local ID | Leave blank
Outgoing Interface | Select the interface configured as Untrust under Network > Interfaces
  Example: ethernet3

Table 23: NetScreen gateway object and IKE Phase 1 policy settings

4. Click Advanced.

5. Clear the Enable NAT-Traversal check box.

6. Click Return.

7. Click OK.


Description of Standard Security Level

The Standard Security Level setting includes the following policy settings:

● Policy 1

■ Identity Authentication: Preshared Secret

■ Perfect Forward Secrecy: Diffie-Hellman Group 2

■ Encryption: 3DES

■ Authentication: SHA-1

● Policy 2

■ Identity Authentication: Preshared Secret

■ Perfect Forward Secrecy: Diffie-Hellman Group 2

■ Encryption: AES 128

■ Authentication: SHA-1

Note: The Proventia M Series settings match Policy 2 settings.
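Whether the two ends will actually agree is a matter of matching the Proventia settings in Tables 3 to 5 against one of the Standard level policies, plus the pre-shared key, NAT traversal and the mirrored subnets. The following Python is an added example, not ISS or NetScreen code: it encodes both sides as data and reports the mismatches that would keep Phase 1 or Phase 2 from completing; Peer, Proposal, negotiate and check_tunnel are names chosen here, and the Standard level is modelled as its two policies for both phases.

```python
"""Added example: check that the Proventia gateway and the NetScreen Standard
security level described in this guide can complete IKE Phase 1 and Phase 2."""
from dataclasses import dataclass, replace
from typing import List, Optional, Tuple


@dataclass(frozen=True)
class Proposal:
    """One IKE proposal: cipher, integrity algorithm and DH (or PFS) group."""
    encryption: str   # "AES-128", "3DES" or "DES"
    auth: str         # "SHA1" or "MD5"
    dh_group: str     # "Group1", "Group2", "Group5", or "None" for no PFS


@dataclass(frozen=True)
class Peer:
    name: str
    phase1: Tuple[Proposal, ...]   # accepted in IKE Phase 1 (Main Mode)
    phase2: Tuple[Proposal, ...]   # accepted in IKE Phase 2 (Quick Mode)
    psk: str
    nat_traversal: bool
    local_net: str                 # subnet this gateway protects
    remote_net: str                # subnet behind the other gateway


# Proventia side, transcribed from Tables 3, 4 and 5 of the guide.
PROVENTIA = Peer(
    name="Proventia M (To_NetScreen)",
    phase1=(Proposal("AES-128", "SHA1", "Group2"),),
    phase2=(Proposal("AES-128", "SHA1", "Group2"),),   # ESP with Auth, PFS Group2
    psk="1234567890abcdef",
    nat_traversal=False,
    local_net="192.168.1.0/24",   # subnet A
    remote_net="10.1.0.0/16",     # subnet B
)

# NetScreen side: the Standard security level is modelled here as its two
# policies (3DES/SHA-1/DH2 and AES-128/SHA-1/DH2), used for both phases.
STANDARD_LEVEL = (
    Proposal("3DES", "SHA1", "Group2"),
    Proposal("AES-128", "SHA1", "Group2"),
)
NETSCREEN = Peer(
    name="NetScreen (Gateway for Subnet A)",
    phase1=STANDARD_LEVEL,
    phase2=STANDARD_LEVEL,
    psk="1234567890abcdef",
    nat_traversal=False,
    local_net="10.1.0.0/16",
    remote_net="192.168.1.0/24",
)


def negotiate(offered, accepted) -> Optional[Proposal]:
    """First proposal the initiator offers that the responder also accepts,
    the way IKE settles on one; None when nothing overlaps."""
    for proposal in offered:
        if proposal in accepted:
            return proposal
    return None


def check_tunnel(a: Peer, b: Peer) -> List[str]:
    """Return every mismatch that would stop the tunnel from coming up."""
    problems = []
    for peer in (a, b):
        if len(peer.psk) < 16:
            problems.append(f"{peer.name}: pre-shared key shorter than 16 characters")
    if a.psk != b.psk:
        problems.append("pre-shared keys differ between the peers")
    if negotiate(a.phase1, b.phase1) is None:
        problems.append("no common IKE Phase 1 (Main Mode) proposal")
    if negotiate(a.phase2, b.phase2) is None:
        problems.append("no common IKE Phase 2 (Quick Mode) proposal or PFS group")
    if a.nat_traversal != b.nat_traversal:
        problems.append("NAT traversal enabled on one peer only")
    if a.local_net != b.remote_net or a.remote_net != b.local_net:
        problems.append("protected subnets are not mirrored between the peers")
    return problems


def selected_proposals(a: Peer, b: Peer):
    """The proposals that would actually be chosen for Phase 1 and Phase 2."""
    return negotiate(a.phase1, b.phase1), negotiate(a.phase2, b.phase2)


def variant(peer: Peer, **changes) -> Peer:
    """Copy of a peer with some settings changed, to show a mismatch."""
    return replace(peer, **changes)


if __name__ == "__main__":
    print("problems:", check_tunnel(PROVENTIA, NETSCREEN) or "none")
    print("selected:", selected_proposals(PROVENTIA, NETSCREEN))
    # A gateway built with DES/MD5/Group1 finds nothing in the Standard level:
    # the usual cause of a Phase 1 that never completes.
    weak = variant(PROVENTIA, phase1=(Proposal("DES", "MD5", "Group1"),))
    print("DES/MD5/Group1:", check_tunnel(weak, NETSCREEN))
```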


Configuring IKE Phase 2 Policy on the NetScreen System

Introduction This topic describes how to configure IKE Phase 2 or Quick Mode on the NetScreen system.

Creating an IKE policy rule

To create an IKE policy rule:

1. Select VPNs > AutoKey IKE.

2. In the right pane, click New.

3. Configure the following settings:

Item | Setting
VPN Name | Tunnel for Subnet A
Security Level | Standard
  Reference: For information about the Standard Security Level, refer to “Description of Standard Security Level” on page 21.
Remote Gateway | Predefined; select Gateway for Subnet A.

Table 24: NetScreen IKE Phase 2 policy settings

4. Click OK.


Creating Firewall Rules on the NetScreen System

Introduction This topic describes how to create inbound and outbound firewall rules for the NetScreen system.

Note: ISAKMP and UDP port 500 rules for IKE negotiations are enabled by default.

Creating the outbound firewall rule

To create the outbound firewall rule:

1. In the left pane, select Policies.

2. Select Trust from the From drop-down list.

3. Select Untrust from the To drop-down list.

4. Click Go.

5. Click New, and then configure the following settings:

Item | Setting
Name | Proventia
Source Address | Address Book; select Subnet B from the drop-down list.
Destination Address | The external interface IP address of the Proventia appliance
  Example: a.a.a.a
Service | Any
Action | Tunnel
Tunnel | Tunnel for Subnet A
Modify matching bidirectional VPN policy | Selected
L2TP | None
Position at Top | Selected

Table 25: NetScreen outbound firewall rule settings

6. Click OK.

Verifying the inbound firewall rule

The mirror policy for inbound traffic is automatically created when you select Modify matching bidirectional VPN policy. However, you may want to verify that it was created.

To verify that the inbound rule was created:

1. Select Untrust from the From list.

2. Select Trust from the To list.

3. Click Go.

You should see an enabled policy with the following settings:

■ Source: Subnet A

■ Destination: Subnet B

■ Service: Any

■ Action: Tunnel

Creating the outbound firewall rule for the antivirus software to function

To create the outbound firewall rule to allow the antivirus software to function:

1. In the left pane, select Policies.

2. Select Trust from the From drop-down list.

3. Select Untrust from the To drop-down list.

4. Click Go.

5. Click New, and then configure the following settings:

Item | Setting
Name | Proventia
Source Address | Address Book; select Subnet B from the list.
Destination Address | Address Book; select Subnet A from the list.
Service | Any
Action | Tunnel
Tunnel | Tunnel for ProventiaM
Modify matching bidirectional VPN policy | Selected
L2TP | None
Position at Top | Selected

Table 26: NetScreen antivirus outbound firewall rule settings

6. Click OK.

Verifying the inbound firewall rule

The mirror policy for inbound traffic is automatically created when you select Modify matching bidirectional VPN policy. However, you may want to verify that it was created.

To verify that the inbound rule was created:

1. Select Untrust from the From list.

2. Select Trust from the To list.

3. Click Go.

You should see an enabled policy with the following settings:

■ Source: Subnet A

■ Destination: Subnet B

■ Service: Any

■ Action: Tunnel

Copyright © 2003-2005, Internet Security Systems, Inc. All rights reserved worldwide.

Internet Security Systems, the Internet Security Systems logo, and Proventia are trademarks of Internet Security Systems, Inc. Other marks and trade names mentioned are marks and names of their owners as indicated. All marks are the property of their respective owners and used in an editorial context without intent of infringement. Specifications and content are subject to change without notice.
