Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance


January 13, 2004

Overview

Introduction
This document describes how to configure a VPN tunnel from one Proventia M series appliance to another.

Intended use
This document provides an example for configuring VPN from one Proventia M series appliance to another, where both appliances are running the Firmware 1.1 operating system. The example is not designed for operational use without modification. A knowledgeable IPSEC network administrator or advanced user should design new, custom policies for operational use.

Scope
This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the Related documentation block in this topic.

Related documentation
Refer to the Proventia Manager Help and the Proventia M Series Appliances User Guide for more information about the following:
  IKE and IKE policies
  IPSEC and IPSEC policies
  Firewall policies

In this document
This document contains the following topics:
  Before You Begin
  Configuring the Appliance IKE Policy for Unit A
  Configuring the Appliance IPSEC Policy for Unit A
  Antivirus Protection with VPN Connection for Unit A
  Creating Related Firewall Rules for Unit A
  Configuring the Appliance IKE Policy for Unit B
  Configuring the Appliance IPSEC Policy for Unit B
  Antivirus Protection with VPN Connection for Unit B
  Creating Related Firewall Rules for Unit B

Internet Security Systems, Inc. 2003. All rights reserved worldwide.

Before You Begin

Introduction
This topic includes a topology graphic and a checklist to help you gather the information you need to configure VPN for your Proventia M series appliances.

Topology
The following graphic illustrates the network topology of a gateway-to-gateway VPN tunnel between two Proventia M series appliances. The example used in this document is based on the topology depicted.

  Subnet A 192.168.1.0/24 -- 192.168.1.1 [Proventia Unit A] a.a.a.a -- Internet -- b.b.b.b [Proventia Unit B] 10.1.0.1 -- Subnet B 10.1.0.0/16

Figure 1: Topology for VPN tunnel for Proventia M Series appliances

Checklist
The following checklist indicates the information that you need before configuring your VPN tunnel.

  Proventia M series Unit A external IP address
    Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document.
  Proventia M series Unit A internal IP address
  Subnet A IP address
  Proventia M series Unit B external IP address
    Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document.
  Proventia M series Unit B internal IP address
  Subnet B IP address
  Preshared key (minimum of 16 characters)
    Note: Use signed certificates identifying the Proventia M series VPN peers for better security.
  IKE Phase 1 (Main Mode) authentication: MD5 or SHA1
  IKE Phase 1 encryption: 3DES, DES, or AES
    Note: If you select AES, select an AES key length: 128, 192, or 256.
  IKE Phase 1 key lifetime (seconds)
  IKE Phase 1 key lifetime (Kbytes)
  IKE Phase 1 Diffie-Hellman group: Group1, Group2, or Group5
  IKE Phase 2 (Quick Mode) authentication: MD5 or SHA1
  IKE Phase 2 encryption: 3DES, DES, or AES
    Note: If you select AES, select an AES key length: 128, 192, or 256.
  IKE Phase 2 key lifetime (seconds)
  IKE Phase 2 key lifetime (Kbytes)
  IKE Phase 2 Diffie-Hellman group: None, Group1, Group2, or Group5
  Firewall policies

Configuring the Appliance IKE Policy for Unit A

Introduction
You must configure the IKE policy on Unit A for Phase 1 (Main Mode) negotiation.

Creating an IKE policy rule
To configure the IKE policy, create an IKE rule with the following settings:

  Name: To_Proventia_UnitB
  Direction: Both
  Exchange Type: Main Mode
  Local ID Type: IP Address
  Local ID Data: the external interface IP address of Unit A (example: a.a.a.a)
  Local IP: the external interface IP address of Unit A (example: a.a.a.a)
  Remote IP: the external interface IP address of Unit B (example: b.b.b.b)
  Encryption Algorithm: 3DES
  Authentication Algorithm: SHA1
  Authentication Mode: Pre Shared Key
  Pre-Shared Key: a text string of at least 16 characters (example: 1234567890abcdef)
    Note: You will use the same text string for Unit B.
  Lifetime in Secs: 7200
  Lifetime in Kbs: 10000
  DH Group: Group 2

Table 1: IKE policy settings for Unit A

Adding a remote ID
In the Remote ID area, add a remote ID with the following settings:

  Remote ID Type: IP Address
  Remote ID Data: the external interface IP address of Unit B (example: b.b.b.b)

Table 2: Remote ID settings for Unit A

Configuring the Appliance IPSEC Policy for Unit A

Introduction
You must configure the IPSEC policy to define the IPSEC protocol, key exchange method, and other information needed to make IP packets secure.

Creating an IPSEC rule
To configure the IPSEC policy, create an IPSEC rule with the following settings:

  Name: To_Proventia_UnitB
  Security Process: Apply
  Protocol: All
  Encapsulation Mode: Tunnel
  Source Address: the network address and mask for subnet A (example: 192.168.1.0/24)
  Source Port: (blank)
  Destination Address: the network address and mask for subnet B (example: 10.1.0.0/16)
  Destination Port: (blank)
  Automatic Key Management:
    Peer S.G.: the external interface IP address of Unit B (example: b.b.b.b)
    Perfect Forward Secrecy: Group 2

Table 3: IPSEC policy settings for Unit A

Adding a security proposal
In the Security Proposal area, add a security proposal with the following settings:

  Security Protocol: ESP with Auth
  Auth Algorithm: SHA1
  ESP Algorithm: AES
  ESP AES Key Length: 256
  Lifetime in Secs: 7200
  Lifetime in Kbs: 10000

Table 4: Security proposal settings for Unit A

Mirror inbound policy rule
The appliance automatically creates the mirror inbound policy rule.

Antivirus Protection with VPN Connection for Unit A

Introduction
The antivirus software proxies traffic to the external interface of the Proventia M series appliance for the following protocols:
  HTTP
  FTP
  SMTP
  POP3
To ensure that traffic analyzed by the antivirus software is sent to and received from the remote VPN subnet B, you must create an additional IPSEC policy rule.

Creating an IPSEC rule
To configure the IPSEC policy, create an IPSEC rule with the following settings:

  Name: AV_To_Unit_B
  Security Process: Apply
  Protocol: All
  Encapsulation Mode: Tunnel
  Source Address: Single IP Address; the external interface IP address of Unit A (example: a.a.a.a)
    Note: This setting encapsulates traffic from the Proventia appliance external interface.
  Source Port: (blank)
  Destination Address: the network address and mask for subnet B (example: 10.1.0.0/16)
  Destination Port: (blank)
  Automatic Key Management:
    Peer S.G.: the external interface IP address of Unit B (example: b.b.b.b)
    Perfect Forward Secrecy: Group 2

Table 5: IPSEC rule settings for antivirus protection for VPN for Unit A

Adding a security proposal
In the Security Proposal area, add a security proposal with the following settings:

  Security Protocol: ESP with Auth
  Auth Algorithm: SHA1
  ESP Algorithm: AES
  ESP AES Key Length: 256
  Lifetime in Secs: 7200
  Lifetime in Kbs: 10000

Table 6: Security proposal settings for antivirus protection for VPN for Unit A

Mirror inbound policy rule
The appliance automatically creates the mirror inbound policy rule for antivirus protection for VPN.

Creating Related Firewall Rules for Unit A

Introduction
Creating related firewall rules includes the following tasks:
  enabling Internet Security Association and Key Management Protocol (ISAKMP) traffic to the WAN interface
  enabling traffic from subnet A to subnet B

Guideline
You are creating a VPN tunnel in which the original IP addresses are preserved in the ESP, so you do not need network address translation (NAT) for the subnets that are behind the Proventia M series appliances.

Order of firewall rules
Firewall rules are processed in the order that they appear in the list.

Enabling ISAKMP traffic to the WAN interface
Although you have created a VPN tunnel between two Proventia M series appliances, you must configure the firewall to accept or deny traffic between the VPN peers. To do this, enable ISAKMP traffic to the WAN interface.

To enable ISAKMP traffic to the WAN interface, enable the self policy firewall rule with the following settings:
  Note: This firewall rule is included in the self policy. However, it is disabled by default. You must enable it to allow VPN traffic.

  Action: Accept
  Log: Not selected (optional)
  Network: EXT
  Protocol: UDP
  Source Address: the external interface IP address of Unit B (example: b.b.b.b)
  Source Port: (blank)
  Destination Address: (blank)
  Destination Port: 500 (ISAKMP_UDP)

Table 7: Self policy firewall rule settings for Unit A

Enabling traffic from subnet A to subnet B
To enable all traffic from subnet A to subnet B, add inbound and outbound internal policy firewall rules.

Add an inbound rule
In the Inbound Rules area, add a rule with the following settings:

  Action: Accept
  Log: Not selected (optional)
  Protocol: (blank)
  NAT: Not selected
  Source Address: the network address and mask for subnet B (example: 10.1.0.0/16)
  Source Port: (blank)
  Destination Address: the network address and mask for subnet A (example: 192.168.1.0/24)
  Destination Port: (blank)

Table 8: Internal inbound firewall rule settings for Unit A

Add an outbound rule
In the Outbound Rules area, add a rule with the following settings:

  Action: Accept
  Log: Not selected (optional)
  Protocol: (blank)
  NAT: Not selected
  Source Address: the network address and mask for subnet A (example: 192.168.1.0/24)
  Source Port: (blank)
  Destination Address: the network address and mask for subnet B (example: 10.1.0.0/16)
  Destination Port: (blank)

Table 9: Internal outbound firewall rule settings for Unit A

Configuring the Appliance IKE Policy for Unit B

Introduction
You must configure the IKE policy on Unit B for Phase 1 (Main Mode) negotiation.

Creating an IKE policy rule
To configure the IKE policy, create an IKE rule with the following settings:

  Name: To_Proventia_UnitA
  Direction: Both
  Exchange Type: Main Mode
  Local ID Type: IP Address
  Local ID Data: the external interface IP address of Unit B (example: b.b.b.b)
  Local IP: the external interface IP address of Unit B (example: b.b.b.b)
  Remote IP: the external interface IP address of Unit A (example: a.a.a.a)
  Encryption Algorithm: 3DES
  Authentication Algorithm: SHA1
  Authentication Mode: Pre Shared Key
  Pre-Shared Key: a text string of at least 16 characters (example: 1234567890abcdef)
    Note: This must be the same text string that you typed for Unit A.
  Lifetime in Secs: 7200
  Lifetime in Kbs: 10000
  DH Group: Group 2

Table 10: IKE policy settings for Unit B

Adding a remote ID
In the Remote ID area, add a remote ID with the following settings:

  Remote ID Type: IP Address
  Remote ID Data: the external interface IP address of Unit A (example: a.a.a.a)

Table 11: Remote ID settings for Unit B

Configuring the Appliance IPSEC Policy for Unit B

Introduction
You must configure the IPSEC policy to define the IPSEC protocol, key exchange method, and other information needed to make IP packets secure.

Creating an IPSEC rule
To configure the IPSEC policy, create an IPSEC rule with the following settings:

  Name: To_Proventia_UnitA
  Security Process: Apply
  Protocol: All
  Encapsulation Mode: Tunnel
  Source Address: the network address and mask for subnet B (example: 10.1.0.0/16)
  Source Port: (blank)
  Destination Address: the network address and mask for subnet A (example: 192.168.1.0/24)
  Destination Port: (blank)
  Automatic Key Management:
    Peer S.G.: the external interface IP address of Unit A (example: a.a.a.a)
    Perfect Forward Secrecy: Group 2

Table 12: IPSEC policy settings for Unit B

Adding a security proposal
In the Security Proposal area, add a security proposal with the following settings:

  Security Protocol: ESP with Auth
  Auth Algorithm: SHA1
  ESP Algorithm: AES
  ESP AES Key Length: 256
  Lifetime in Secs: 7200
  Lifetime in Kbs: 10000

Table 13: Security proposal settings for Unit B

Antivirus Protection with VPN Connection for Unit B

Introduction
The antivirus software proxies traffic to the external interface of the Proventia M series appliance for the following protocols:
  HTTP
  FTP
  SMTP
  POP3
To ensure that traffic analyzed by the antivirus software is sent to and received from the remote VPN subnet A, you must create an additional IPSEC policy rule.

Creating an IPSEC rule
To configure the IPSEC policy, create an IPSEC rule with the following settings:

  Name: AV_To_Unit_A
  Security Process: Apply
  Protocol: All
  Encapsulation Mode: Tunnel
  Source Address: Single IP Address; the external interface IP address of Unit B (example: b.b.b.b)
    Note: This setting encapsulates traffic from the Proventia appliance external interface.
  Source Port: (blank)
  Destination Address: the network address and mask for subnet A (example: 192.168.1.0/24)
  Destination Port: (blank)
  Automatic Key Management:
    Peer S.G.: the external interface IP address of Unit A (example: a.a.a.a)
    Perfect Forward Secrecy: Group 2

Table 14: IPSEC rule settings for antivirus protection for VPN for Unit B

Adding a security proposal
In the Security Proposal area, add a security proposal with the following settings:

  Security Protocol: ESP with Auth
  Auth Algorithm: SHA1
  ESP Algorithm: AES
  ESP AES Key Length: 256
  Lifetime in Secs: 7200
  Lifetime in Kbs: 10000

Table 15: Security proposal settings for antivirus protection for VPN for Unit B

Mirror inbound policy rule
The appliance automatically creates the mirror inbound policy rule for antivirus protection for VPN.

Creating Related Firewall Rules for Unit B

Introduction
Creating related firewall rules includes the following tasks:
  enabling ISAKMP traffic to the WAN interface
  enabling traffic from subnet B to subnet A

Guideline
You are creating a VPN tunnel in which the original IP addresses are preserved in the ESP, so you do not need network address translation (NAT) for the subnets that are behind the Proventia M series appliances.

Order of firewall rules
Firewall rules are processed in the order that they appear in the list.

Enabling ISAKMP traffic to the WAN interface
Although you have created a VPN tunnel between two Proventia M series appliances, you must configure the firewall to accept or deny traffic between the VPN peers. To do this, enable ISAKMP traffic to the WAN interface.

To enable ISAKMP traffic to the WAN interface, enable the self policy firewall rule with the following settings:
  Note: This firewall rule is included in the self policy. However, it is disabled by default. You must enable it to allow VPN traffic.

  Action: Accept
  Log: Not selected (optional)
  Network: EXT
  Protocol: UDP
  Source Address: the external interface IP address of Unit A (example: a.a.a.a)
  Source Port: (blank)
  Destination Address: (blank)
  Destination Port: 500 (ISAKMP_UDP)

Table 16: Self policy firewall rule settings for Unit B

Enabling traffic from subnet B to subnet A
To enable all traffic from subnet B to subnet A, add inbound and outbound internal policy firewall rules.

Add an inbound rule
In the Inbound Rules area, add a rule with the following settings:

  Action: Accept
  Log: Not selected (optional)
  Protocol: (blank)
  NAT: Not selected
  Source Address: the network address and mask for subnet A (example: 192.168.1.0/24)
  Source Port: (blank)
  Destination Address: the network address and mask for subnet B (example: 10.1.0.0/16)
  Destination Port: (blank)

Table 17: Internal inbound firewall rule settings for Unit B

Add an outbound rule
In the Outbound Rules area, add a rule with the following settings:

  Action: Accept
  Log: Not selected (optional)
  Protocol: (blank)
  NAT: Not selected
  Source Address: the network address and mask for subnet B (example: 10.1.0.0/16)
  Source Port: (blank)
  Destination Address: the network address and mask for subnet A (example: 192.168.1.0/24)
  Destination Port: (blank)

Table 18: Internal outbound firewall rule settings for Unit B