Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

January 13, 2004

Overview

Introduction
This document describes how to configure a VPN tunnel from one Proventia M series appliance to another.

Intended use
This document provides an example for configuring VPN from one Proventia M series appliance to another, where both appliances are running a Firmware 1.1 operating system. The example is not designed for operational use without modification. A knowledgeable IPSEC network administrator or advanced user should design new, custom policies for operational use.

Scope
This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the Related documentation block in this topic.

Related documentation
Refer to the Proventia Manager Help and the Proventia M Series Appliances User Guide for more information about the following:
- IKE and IKE policies
- IPSEC and IPSEC policies
- Firewall policies

In this document
This document contains the following topics:
- Before You Begin
- Configuring the Appliance IKE Policy for Unit A

Internet Security Systems, Inc. 2003. All rights reserved worldwide.
- Configuring the Appliance IPSEC Policy for Unit A
- Antivirus Protection with VPN Connection for Unit A
- Creating Related Firewall Rules for Unit A
- Configuring the Appliance IKE Policy for Unit B
- Configuring the Appliance IPSEC Policy for Unit B
- Antivirus Protection with VPN Connection for Unit B
- Creating Related Firewall Rules for Unit B

Before You Begin

Introduction
This topic includes a topography graphic and a checklist to help you gather the information you need to configure VPN for your Proventia M series appliances.

Topography
The following graphic illustrates the network topography of a gateway-to-gateway VPN tunnel between two Proventia M series appliances. The example used in this document is based on the topography depicted.

Subnet A 192.168.1.0/24 -- 192.168.1.1 [Proventia Unit A] a.a.a.a -- Internet -- b.b.b.b [Proventia Unit B] 10.1.0.1 -- Subnet B 10.1.0.0/16

Figure 1: Topography for VPN tunnel for Proventia M Series appliances

Checklist
The following checklist indicates the information that you need before configuring your VPN tunnel.

- Proventia M series Unit A External IP address
  Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document.
- Proventia M series Unit A Internal IP Address
- Subnet A IP address
- Proventia M series Unit B External IP address
  Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document.
- Proventia M series Unit B Internal IP Address
- Subnet B IP address
- Preshared key (minimum of 16 characters)
  Note: Use signed certificates identifying the Proventia M series VPN peers for better security.
- IKE Phase 1 (Main Mode) Authentication: MD5, SHA1
- IKE Phase 1 Encryption: 3DES, DES, AES
  Note: If you select AES, select an AES key length: 128, 192, 256
- IKE Phase 1 Key Lifetime Seconds
- IKE Phase 1 Key Lifetime Kbytes
- IKE Phase 1 Diffie-Hellman Group: Group1, Group2, Group5
- IKE Phase 2 (Quick Mode) Authentication: MD5, SHA1
- IKE Phase 2 Encryption: 3DES, DES, AES
  Note: If you select AES, select an AES key length: 128, 192, 256
- IKE Phase 2 Key Lifetime Seconds
- IKE Phase 2 Key Lifetime Kbytes
- IKE Phase 2 Diffie-Hellman Group: None, Group1, Group2, Group5
- Firewall Policies

Configuring the Appliance IKE Policy for Unit A

Introduction
You must configure the IKE policy on Unit A for Phase I (Main Mode) negotiation.

Creating an IKE policy rule
To configure the IKE policy, create an IKE rule with the following settings:

Setting                    Value
Name                       To_Proventia_UnitB
Direction                  Both
Exchange Type              Main Mode
Local ID Type              IP Address
Local ID Data              The external interface IP address of Unit A. Example: a.a.a.a
Local IP                   The external interface IP address of Unit A. Example: a.a.a.a
Remote IP                  The external interface IP address of Unit B. Example: b.b.b.b
Encryption Algorithm       3DES
Authentication Algorithm   SHA1
Authentication Mode        Pre Shared Key
Pre-Shared Key             A text string value of at least 16 characters. Example: 1234567890abcdef
                           Note: You will use the same text string for Unit B.
Lifetime in Secs           7200
Lifetime in Kbs            10000
DH Group                   Group 2

Table 1: IKE policy settings for unit A

Adding a remote ID
In the Remote ID area, add a remote ID with the following settings:

Setting                    Value
Remote ID Type             IP Address
Remote ID Data             The external interface IP address of Unit B. Example: b.b.b.b

Table 2: Remote ID settings for unit A

Configuring the Appliance IPSEC Policy for Unit A

Introduction
You must configure the IPSEC policy to define the IPSEC protocol, key exchange method, and other necessary information to make IP packets secure.

Creating an IPSEC rule
To configure the IPSEC policy, create an IPSEC rule with the following settings:

Setting                    Value
Name                       To_Proventia_UnitB
Security Process           Apply
Protocol                   All
Encapsulation Mode         Tunnel
Source Address             Type the network mask for subnet A. Example: 192.168.1.0/24
Source Port
Destination Address        Type the network mask for subnet B. Example: 10.1.0.0/16
Destination Port
Automatic Key Management
Peer S.G.                  The external interface IP address of Unit B. Example: b.b.b.b
Perfect Forward Secrecy    Group 2

Table 3: IPSEC policy settings for unit A

Adding a security proposal
In the Security Proposal area, add a security proposal with the following settings:

Setting                    Value
Security Protocol          ESP with Auth
Auth Algorithm             SHA1
ESP Algorithm              AES
ESP AES Key Length         256
Lifetime in Secs           7200
Lifetime in Kbs            10000

Table 4: Security Proposal settings for unit A

Mirror inbound policy rule
The appliance automatically creates the mirror inbound policy rule.

Antivirus Protection with VPN Connection for Unit A

Introduction
The antivirus software proxies traffic to the external interface of the Proventia M series appliance for the following protocols:
- HTTP
- FTP
- SMTP
- POP3

To ensure that traffic analyzed by the antivirus software is sent and received from the remote VPN subnet B, you must create an additional IPSEC policy rule.

Creating an IPSEC rule
To configure the IPSEC policy, create an IPSEC rule with the following settings:

Setting                    Value
Name                       AV_To_Unit_B
Security Process           Apply
Protocol                   All
Encapsulation Mode         Tunnel
Source Address             Single IP Address. Type the external interface IP address of Unit A. Example: a.a.a.a
                           Note: This setting encapsulates traffic from the Proventia appliance external interface.
Source Port
Destination Address        Type the network mask for subnet B. Example: 10.1.0.0/16
Destination Port
Automatic Key Management
Peer S.G.                  The external interface IP address of Unit B. Example: b.b.b.b
Perfect Forward Secrecy    Group 2

Table 5: IPSEC rule settings for antivirus protection for VPN for unit A

Adding a security proposal
In the Security Proposal area, add a security proposal with the following settings:

Setting                    Value
Security Protocol          ESP with Auth
Auth Algorithm             SHA1
ESP Algorithm              AES
ESP AES Key Length         256
Lifetime in Secs           7200
Lifetime in Kbs            10000

Table 6: Security Proposal settings for antivirus protection for VPN

Mirror inbound policy rule
The appliance automatically creates the mirror inbound policy rule for antivirus protection for VPN.
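
Why the second IPSEC rule is needed can be seen by matching packets against the rule selectors. The following is an added example, not part of the original document or of the appliance software: a simplified first-match selector model in which 203.0.113.1 and 198.51.100.1 are constructed stand-ins for a.a.a.a and b.b.b.b, and the names RULES_A, mirror, match and classify are hypothetical.

```python
import ipaddress

# Constructed stand-ins for the a.a.a.a / b.b.b.b placeholders (documentation ranges).
UNIT_A_EXT = "203.0.113.1"
UNIT_B_EXT = "198.51.100.1"

# Unit A IPSEC rules as (name, source selector, destination selector, peer S.G.).
RULES_A = [
    ("To_Proventia_UnitB", "192.168.1.0/24", "10.1.0.0/16", UNIT_B_EXT),
    ("AV_To_Unit_B", UNIT_A_EXT + "/32", "10.1.0.0/16", UNIT_B_EXT),
]


def mirror(rules):
    """Model of the mirror inbound rules: source and destination swapped."""
    return [(name + "_in", dst, src, peer) for name, src, dst, peer in rules]


def match(rules, src, dst):
    """Return the name of the first rule whose selectors cover src -> dst, else None."""
    s, d = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    for name, rule_src, rule_dst, _peer in rules:
        if s in ipaddress.ip_network(rule_src) and d in ipaddress.ip_network(rule_dst):
            return name
    return None


def classify(src, dst, rules=RULES_A):
    """'tunnel:<rule>' if an outbound or mirror rule matches, else 'no_tunnel'."""
    hit = match(rules, src, dst) or match(mirror(rules), src, dst)
    return "tunnel:" + hit if hit else "no_tunnel"


if __name__ == "__main__":
    # A host on subnet A talking directly to subnet B uses the subnet rule.
    print(classify("192.168.1.20", "10.1.5.9"))
    # A proxied HTTP/FTP/SMTP/POP3 connection leaves from Unit A's external address.
    print(classify(UNIT_A_EXT, "10.1.5.9"))
    # With only the subnet-to-subnet rule, that proxied connection matches nothing.
    print(classify(UNIT_A_EXT, "10.1.5.9", RULES_A[:1]))
```
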

Creating Related Firewall Rules for Unit A

Introduction
Creating related firewall rules includes the following tasks:
- enabling Internet Security Association and Key Management Protocol (ISAKMP) traffic to WAN interface
- enabling traffic from subnet A to subnet B

Guideline
You are creating a VPN tunnel in which the original IP addresses are preserved in the ESP, so you do not need network address translation (NAT) for the subnets that are behind the Proventia M series appliances.

Order of firewall rules
Firewall rules are processed in the order that they appear in the list.

Enabling ISAKMP traffic to WAN interface
Although you have created a VPN tunnel between two Proventia M series appliances, you must configure the firewall to accept or deny traffic between the VPN peers. To do this, enable ISAKMP traffic to the WAN interface.

To enable ISAKMP traffic to the WAN interface, enable the self policy firewall rule with the following settings:

Note: This firewall rule is included in the self policy. However, it is disabled by default. You must enable it to allow VPN traffic.

Setting                    Value
Action                     Accept
Log                        Not selected (optional)
Network                    EXT
Protocol                   UDP
Source Address             The external interface IP address of Unit B. Example: b.b.b.b
Source Port
Destination Address
Destination Port           500 (ISAKMP_UDP)

Table 7: Self policy firewall rule settings for unit A

Enabling traffic from subnet A to subnet B
To enable all traffic from subnet A to subnet B, add inbound and outbound internal policy firewall rules.

Add an Inbound rule
In the Inbound Rules area, add a rule with the following settings:

Setting                    Value
Action                     Accept
Log                        Not selected (optional)
Protocol
NAT                        Not selected
Source Address             Type the network mask for subnet B. Example: 10.1.0.0/16
Source Port
Destination Address        Type the network mask for subnet A. Example: 192.168.1.0/24
Destination Port

Table 8: Internal inbound firewall rule settings for unit A

Add an Outbound rule
In the Outbound Rules area, add a rule with the following settings:

Setting                    Value
Action                     Accept
Log                        Not selected (optional)
Protocol
NAT                        Not selected
Source Address             Type the network mask for subnet A. Example: 192.168.1.0/24
Source Port
Destination Address        Type the network mask for subnet B. Example: 10.1.0.0/16
Destination Port

Table 9: Internal outbound firewall rule settings for unit A

Configuring the Appliance IKE Policy for Unit B

Introduction
You must configure the IKE policy on Unit B for Phase I (Main Mode) negotiation.

Creating an IKE policy rule
To configure the IKE policy, create an IKE rule with the following settings:

Setting                    Value
Name                       To_Proventia_UnitA
Direction                  Both
Exchange Type              Main Mode
Local ID Type              IP Address
Local ID Data              The external interface IP address of Unit B. Example: b.b.b.b
Local IP                   The external interface IP address of Unit B. Example: b.b.b.b
Remote IP                  The external interface IP address of Unit A. Example: a.a.a.a
Encryption Algorithm       3DES
Authentication Algorithm   SHA1
Authentication Mode        Pre Shared Key
Pre-Shared Key             A text string value of at least 16 characters. Example: 1234567890abcdef
                           Note: This must be the same text string that you typed for Unit A.
Lifetime in Secs           7200
Lifetime in Kbs            10000
DH Group                   Group 2

Table 10: IKE policy settings for unit B

Adding a remote ID
In the Remote ID area, add a remote ID with the following settings:

Setting                    Value
Remote ID Type             IP Address
Remote ID Data             The external interface IP address of Unit A. Example: a.a.a.a

Table 11: Remote ID settings for unit B

Configuring the Appliance IPSEC Policy for Unit B

Introduction
You must configure the IPSEC policy to define the IPSEC protocol, key exchange method, and other information needed to make IP packets secure.

Creating an IPSEC rule
To configure the IPSEC policy, create an IPSEC rule with the following settings:

Setting                    Value
Name                       To_Proventia_UnitA
Security Process           Apply
Protocol                   All
Encapsulation Mode         Tunnel
Source Address             Type the network mask for subnet B. Example: 10.1.0.0/16
Source Port
Destination Address        Type the network mask for subnet A. Example: 192.168.1.0/24
Destination Port
Automatic Key Management
Peer S.G.                  The external interface IP address of Unit A. Example: a.a.a.a
Perfect Forward Secrecy    Group 2

Table 12: IPSEC policy settings for unit B

Adding a security proposal
In the Security Proposal area, add a security proposal with the following settings:

Setting                    Value
Security Protocol          ESP with Auth
Auth Algorithm             SHA1
ESP Algorithm              AES
ESP AES Key Length         256
Lifetime in Secs           7200
Lifetime in Kbs            10000

Table 13: Security Proposal settings for unit B

Antivirus Protection with VPN Connection for Unit B

Introduction
The antivirus software proxies traffic to the external interface of the Proventia M series appliance for the following protocols:
- HTTP
- FTP
- SMTP
- POP3

To ensure that traffic analyzed by the antivirus software is sent and received from the remote VPN subnet A, you must create an additional IPSEC policy rule.

Creating an IPSEC rule
To configure the IPSEC policy, create an IPSEC rule with the following settings:

Setting                    Value
Name                       AV_To_Unit_A
Security Process           Apply
Protocol                   All
Encapsulation Mode         Tunnel
Source Address             Single IP Address. Type the external interface IP address of Unit B. Example: b.b.b.b
                           Note: This setting encapsulates traffic from the Proventia appliance external interface.
Source Port
Destination Address        Type the network mask for subnet A. Example: 192.168.1.0/24
Destination Port
Automatic Key Management
Peer S.G.                  The external interface IP address of Unit A. Example: a.a.a.a
Perfect Forward Secrecy    Group 2

Table 14: IPSEC rule settings for antivirus protection for VPN for unit B

Adding a security proposal
In the Security Proposal area, add a security proposal with the following settings:

Setting                    Value
Security Protocol          ESP with Auth
Auth Algorithm             SHA1
ESP Algorithm              AES
ESP AES Key Length         256
Lifetime in Secs           7200
Lifetime in Kbs            10000

Table 15: Security Proposal settings for antivirus protection for VPN

Mirror inbound policy rule
The appliance automatically creates the mirror inbound policy rule for antivirus protection for VPN.

Creating Related Firewall Rules for Unit B

Introduction
Creating related firewall rules includes the following tasks:
- enabling ISAKMP traffic to WAN interface
- enabling traffic from subnet B to subnet A

Guideline
You are creating a VPN tunnel in which the original IP addresses are preserved in the ESP, so you do not need network address translation (NAT) for the subnets that are behind the Proventia M series appliances.

Order of firewall rules
Firewall rules are processed in the order that they appear in the list.

Enabling ISAKMP traffic to WAN interface
Although you have created a VPN tunnel between two Proventia M series appliances, you must configure the firewall to accept or deny traffic between the VPN peers. To do this, enable ISAKMP traffic to the WAN interface.

To enable ISAKMP traffic to the WAN interface, enable the self policy firewall rule with the following settings:

Note: This firewall rule is included in the self policy. However, it is disabled by default. You must enable it to allow VPN traffic.

Setting                    Value
Action                     Accept
Log                        Not selected (optional)
Network                    EXT
Protocol                   UDP
Source Address             The external interface IP address of Unit A. Example: a.a.a.a
Source Port
Destination Address
Destination Port           500 (ISAKMP_UDP)

Table 16: Self policy firewall rule settings for unit B

Enabling traffic from subnet B to subnet A
To enable all traffic from subnet B to subnet A, add inbound and outbound internal policy firewall rules.

Add an Inbound rule
In the Inbound Rules area, add a rule with the following settings:

Setting                    Value
Action                     Accept
Log                        Not selected (optional)
Protocol
NAT                        Not selected
Source Address             Type the network mask for subnet A. Example: 192.168.1.0/24
Source Port
Destination Address        Type the network mask for subnet B. Example: 10.1.0.0/16
Destination Port

Table 17: Internal inbound firewall rule settings for unit B

Add an Outbound rule
In the Outbound Rules area, add a rule with the following settings:

Setting                    Value
Action                     Accept
Log                        Not selected (optional)
Protocol
NAT                        Not selected
Source Address             Type the network mask for subnet B. Example: 10.1.0.0/16
Source Port
Destination Address        Type the network mask for subnet A. Example: 192.168.1.0/24
Destination Port

Table 18: Internal outbound firewall rule settings for unit B
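
The Unit B settings are the Unit A settings with local and remote values swapped, and a missed swap is the usual reason a hand-configured pair does not line up. The following is an added example, not part of the original document or of Proventia Manager: a check that two sets of settings mirror each other as the tables above describe, where 203.0.113.1 and 198.51.100.1 are constructed stand-ins for a.a.a.a and b.b.b.b, the pre-shared key is a constructed sample, and the names unit and check_pair are hypothetical.

```python
# Constructed stand-ins for a.a.a.a / b.b.b.b (documentation address ranges).
A_EXT, B_EXT = "203.0.113.1", "198.51.100.1"
NET_A, NET_B = "192.168.1.0/24", "10.1.0.0/16"


def unit(local, remote, src_net, dst_net, psk):
    """One appliance's settings, filled in with the values from the tables."""
    return {
        "ike": {"local_id": local, "local_ip": local, "remote_ip": remote,
                "remote_id": remote, "psk": psk,
                "shared": ("Main Mode", "3DES", "SHA1", "Group 2", 7200, 10000)},
        "ipsec": {"src": src_net, "dst": dst_net, "peer": remote,
                  "shared": ("Group 2", "ESP with Auth", "SHA1", "AES", 256,
                             7200, 10000)},
    }


def check_pair(a, b):
    """List the ways units A and B deviate from the mirrored layout."""
    problems = []
    for x, y, nx, ny in ((a, b, "A", "B"), (b, a, "B", "A")):
        theirs = y["ike"]["local_ip"]
        for field in ("remote_ip", "remote_id"):
            if x["ike"][field] != theirs:
                problems.append(f"{nx} IKE {field} is not {ny}'s external IP")
        if x["ipsec"]["peer"] != theirs:
            problems.append(f"{nx} Peer S.G. is not {ny}'s external IP")
        if x["ike"]["local_id"] != x["ike"]["local_ip"]:
            problems.append(f"{nx} Local ID Data differs from its Local IP")
        if len(x["ike"]["psk"]) < 16:
            problems.append(f"{nx} pre-shared key is shorter than 16 characters")
    if a["ike"]["psk"] != b["ike"]["psk"]:
        problems.append("pre-shared keys differ")
    if (a["ipsec"]["src"], a["ipsec"]["dst"]) != (b["ipsec"]["dst"], b["ipsec"]["src"]):
        problems.append("IPSEC source/destination are not mirrored")
    for section in ("ike", "ipsec"):
        if a[section]["shared"] != b[section]["shared"]:
            problems.append(f"{section.upper()} algorithms, groups or lifetimes differ")
    return problems


PSK = "constructed-sample-key-0001"  # constructed; at least 16 characters
GOOD = check_pair(unit(A_EXT, B_EXT, NET_A, NET_B, PSK),
                  unit(B_EXT, A_EXT, NET_B, NET_A, PSK))
# Typical slip: Unit B's source and destination copied from Unit A without swapping.
BAD = check_pair(unit(A_EXT, B_EXT, NET_A, NET_B, PSK),
                 unit(B_EXT, A_EXT, NET_A, NET_B, PSK))
```
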