Configuring VPN from Proventia M Series Appliance to NetScreen Systems

January 13, 2004

Overview

This document describes how to configure a VPN tunnel from a Proventia M series appliance to a NetScreen 208 system.

Intended use

This document provides an example for configuring VPN from a Proventia M series appliance to a NetScreen system running operating system version 4.0.0r6. The example is not designed for operational use without modification. A knowledgeable IPSEC network administrator or advanced user should design new, custom policies for operational use.

Scope

This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the Related documentation section of this topic.

Related documentation

Refer to the Proventia Manager Help and the Proventia M Series Appliances User Guide for more information about the following:
- IKE and IKE policies
- IPSEC and IPSEC policies
- Firewall policies

For procedures for configuring the NetScreen system, refer to the documentation provided with your system.

In this document

This document contains the following topics:
- Before You Begin
- Configuring the Proventia Appliance IKE Policy
- Configuring the Proventia Appliance IPSEC Policy
- Configuring Antivirus Protection with VPN Connection
- Creating Related Firewall Rules for Proventia Appliance
- Creating Network Objects for the NetScreen System
- Configuring VPN on the NetScreen System Using the VPN Wizard
- Configuring VPN on the NetScreen System Manually
- Configuring IKE Phase 2 Policy on the NetScreen System
- Creating Firewall Rules on the NetScreen System

Internet Security Systems, Inc. 2003. All rights reserved worldwide.

Before You Begin

This topic includes a topology graphic and a checklist to help you gather the information you need to configure VPN for your Proventia M series appliance and NetScreen system.

Topology

The following graphic illustrates the network topology of a Proventia M series appliance configured for VPN with a NetScreen system. The example used in this document is based on the topology depicted.

Subnet A 192.168.1.0/24 --- 192.168.1.1 [Proventia] a.a.a.a --- Internet --- b.b.b.b [NetScreen] 10.1.0.1 --- Subnet B 10.1.0.0/16

Table 1: Topology for VPN tunnel from Proventia M Series appliance to NetScreen

Checklist

The following checklist indicates the information that you need before configuring your VPN tunnel.

Proventia M series external IP address
    Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document.
Proventia M series internal IP address
Subnet A IP address
NetScreen external IP address
    Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document.
NetScreen internal IP address
Subnet B IP address
Preshared key (minimum of 16 characters)
    Note: Use signed certificates to identify the Proventia M series appliance and NetScreen VPN server for better security.
IKE Phase 1 (Main Mode) authentication: MD5 or SHA1
IKE Phase 1 encryption: 3DES, DES or AES
    Note: If you select AES, select an AES key length: 128, 192 or 256
IKE Phase 1 key lifetime (seconds)
IKE Phase 1 key lifetime (Kbytes)
IKE Phase 1 Diffie-Hellman group: Group 1, Group 2 or Group 5
IKE Phase 2 (Quick Mode) authentication: MD5 or SHA1
IKE Phase 2 encryption: 3DES, DES or AES
    Note: If you select AES, select an AES key length: 128, 192 or 256
IKE Phase 2 key lifetime (seconds)
IKE Phase 2 key lifetime (Kbytes)
IKE Phase 2 Diffie-Hellman group: None, Group 1, Group 2 or Group 5
Firewall policies

Note: Both products list DES, MD5 and Diffie-Hellman Group 1 as options, but these are weak and should not be selected; the example in this document uses AES-128, SHA1 and Group 2 on both sides and in both phases. Generate the pre-shared key randomly rather than typing a memorable string: the 16-character key shown in the examples is a placeholder only, and the same key must be entered on both peers.

Configuring the Proventia Appliance IKE Policy

You must configure the IKE policy for Phase 1 (Main Mode) negotiation.

Creating an IKE policy rule

To configure the IKE policy, create an IKE rule with the following settings:

Name: To_NetScreen
Enabled: Selected
Direction: Both
Exchange Type: Main Mode
Local ID Type: IP Address
Local ID Data: The external interface IP address of the Proventia M series appliance (example: a.a.a.a)
Local IP: The external interface IP address of the Proventia M series appliance (example: a.a.a.a)
Remote IP: The external interface IP address of the NetScreen system (example: b.b.b.b)
Encryption Algorithm: AES
AES key length: 128
Authentication Algorithm: SHA1
Authentication Mode: Pre-Shared Key
Pre Shared Key: A text string value of at least 16 characters (example: 1234567890abcdef)
    Note: You will use the same text string for the NetScreen system.
Lifetime in Secs: 28800
Lifetime in Kbs: 0
DH Group: Group 2

Table 2: IKE policy settings for Proventia M series appliance

Adding a remote ID

In the Remote ID area, add a remote ID with the following settings:

Remote ID Type: IP Address
Remote ID Data: The external interface IP address of the NetScreen system (example: b.b.b.b)

Table 3: Remote ID settings for Proventia M series appliance

Configuring the Proventia Appliance IPSEC Policy

You must configure the IPSEC policy to define the IPSEC protocol, key exchange method, and other information needed to protect IP packets. The IPSEC policy is configured without network address translation (NAT).

Creating an IPSEC rule

To configure the IPSEC policy, create an IPSEC rule with the following settings:

Name: To_NetScreen
Enabled: Selected
Security Process: Apply
Protocol: All
Encapsulation Mode: Tunnel
Source Address: Network Address/#Network Bits (CIDR); type the network address and mask for subnet A (example: 192.168.1.0/24)
Source Port: (blank)
Destination Address: Network Address/#Network Bits (CIDR); type the network address and mask for subnet B (example: 10.1.0.0/16)
Destination Port: (blank)
Automatic Key Management: Selected
Peer S.G.: The external interface IP address of the NetScreen system (example: b.b.b.b)
Perfect Forward Secrecy: Group 2

Table 4: IPSEC policy settings for Proventia M series appliance

Adding a security proposal

In the Security Proposal area, add a security proposal with the following settings:

Security Protocol: ESP with Auth
Auth Algorithm: SHA1
ESP Algorithm: AES
ESP AES Key Length: 128
Lifetime in Secs: 3600
Lifetime in Kbs: 0

Table 5: Security Proposal settings for Proventia M series appliance

Configuring Antivirus Protection with VPN Connection

The antivirus software proxies traffic to the external interface of the Proventia M series appliance for the following protocols:
- HTTP
- FTP
- SMTP
- POP3

To ensure that traffic analyzed by the antivirus software is sent to and received from the remote VPN subnet B, you must create an additional IPSEC policy rule.

Creating an IPSEC rule

To configure the IPSEC policy, create an IPSEC rule with the following settings:

Name: AV_To_NetScreen
Enabled: Selected
Security Process: Apply
Protocol: All
Encapsulation Mode: Tunnel
Source Address: Single IP Address; type the external interface IP address of the Proventia M series appliance (example: a.a.a.a)
    Note: This setting encapsulates traffic from the Proventia appliance external interface.
Source Port: (blank)
Destination Address: Network Address/#Network Bits (CIDR); type the network address and mask for subnet B (example: 10.1.0.0/16)
Destination Port: (blank)
Automatic Key Management: Selected
Peer S.G.: The external interface IP address of the NetScreen system (example: b.b.b.b)
Perfect Forward Secrecy: Group 2

Table 6: IPSEC rule settings for antivirus protection for VPN

Adding a security proposal

In the Security Proposal area, add a security proposal with the following settings:

Security Protocol: ESP with Auth
Auth Algorithm: SHA1
ESP Algorithm: AES
ESP AES Key Length: 128
Lifetime in Secs: 3600
Lifetime in Kbs: 0

Table 7: Security Proposal settings for antivirus protection for VPN

Mirror inbound policy rule

The appliance automatically creates the mirror inbound policy rule for antivirus protection for VPN.

Creating Related Firewall Rules for Proventia Appliance

Creating related firewall rules includes the following tasks:
- enabling Internet Security Association and Key Management Protocol (ISAKMP) traffic to the Proventia M series appliance external interface
- enabling traffic from subnet A to subnet B without NAT

Guidelines

You are creating a VPN tunnel in which the original IP addresses are preserved inside the ESP encapsulation, so you do not need NAT for the subnets.

Order of firewall rules

Firewall rules are processed in the order that they appear in the list.

Enabling ISAKMP traffic to the Proventia M series appliance

Although you have defined the VPN tunnel between the NetScreen system and the Proventia appliance, you must still configure the firewall to accept or deny traffic from the VPN peer. To do this, enable ISAKMP traffic to the Proventia M series appliance external interface.

To enable ISAKMP traffic to the Proventia M series appliance, enable the self policy firewall rule with the following settings:

Note: This firewall rule is included in the self policy. However, it is disabled by default. You must enable it to allow VPN traffic.

Enabled: Selected
Action: Accept
Log Enabled: Not selected (optional)
Network: EXT
Protocol: UDP
Source Address: The external interface IP address of the NetScreen system (example: b.b.b.b)
Source Port: (blank)
Destination Address: (blank)
Destination Port: 500

Table 8: Self policy firewall rule settings for Proventia M series appliance

Note: Restricting the source address to the NetScreen external IP address means that only that peer can open an IKE negotiation with the appliance. Because NAT traversal is disabled on the NetScreen system in this example, UDP port 4500 does not need to be opened.

Enabling traffic from subnet A to subnet B

To enable all traffic from subnet A to subnet B, add inbound and outbound internal policy firewall rules.

Add an Inbound rule

In the Inbound Rules area, add a rule with the following settings:

Enabled: Selected
Action: Accept
Log Enabled: Not selected (optional)
Protocol: (blank)
NAT Enabled: Not selected
Source Address: Network Address/#Network Bits (CIDR); type the network address and mask for subnet B (example: 10.1.0.0/16)
Source Port: (blank)
Destination Address: Network Address/#Network Bits (CIDR); type the network address and mask for subnet A (example: 192.168.1.0/24)
Destination Port: (blank)

Table 9: Internal inbound firewall rule settings for Proventia M series appliance

Add an Outbound rule

In the Outbound Rules area, add a rule with the following settings:

Enabled: Selected
Action: Accept
Log Enabled: Not selected (optional)
Protocol: (blank)
NAT Enabled: Not selected
Source Address: Network Address/#Network Bits (CIDR); type the network address and mask for subnet A (example: 192.168.1.0/24)
Source Port: (blank)
Destination Address: Network Address/#Network Bits (CIDR); type the network address and mask for subnet B (example: 10.1.0.0/16)
Destination Port: (blank)

Table 10: Internal outbound firewall rule settings for Proventia M series appliance
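The three Proventia firewall rules above are evaluated first match wins, in list order. The following is an added example, not Proventia code, that models those rules (Tables 8 to 10) and runs constructed packets through them; the rule fields, the matcher, the default drop for an unmatched packet, and the addresses 203.0.113.10 and 198.51.100.20 standing in for a.a.a.a and b.b.b.b are all assumptions of this example.

```python
"""First-match evaluation of the Proventia firewall rules for the VPN.

Added example, not Proventia code. The rules restate Tables 8 to 10 of this
document; the matcher, the field names, the default action for an unmatched
packet (drop) and the two public addresses are this example's own assumptions.
"""
import ipaddress

PROVENTIA_EXT = "203.0.113.10"   # constructed stand-in for a.a.a.a
NETSCREEN_EXT = "198.51.100.20"  # constructed stand-in for b.b.b.b
SUBNET_A = "192.168.1.0/24"
SUBNET_B = "10.1.0.0/16"

# Rules in list order. A field that is None matches anything (a blank table cell).
RULES = [
    # Table 8: self policy, IKE (ISAKMP, UDP 500) only from the NetScreen peer.
    {"name": "self: ISAKMP from NetScreen peer", "proto": "udp",
     "src": NETSCREEN_EXT, "dst": None, "dport": 500, "action": "accept"},
    # Table 9: internal inbound, subnet B to subnet A, no NAT.
    {"name": "internal inbound: B to A", "proto": None,
     "src": SUBNET_B, "dst": SUBNET_A, "dport": None, "action": "accept"},
    # Table 10: internal outbound, subnet A to subnet B, no NAT.
    {"name": "internal outbound: A to B", "proto": None,
     "src": SUBNET_A, "dst": SUBNET_B, "dport": None, "action": "accept"},
]


def _in(addr, net):
    """True when net is unset or addr lies inside it (a bare host is a /32)."""
    return net is None or ipaddress.ip_address(addr) in ipaddress.ip_network(net, strict=False)


def matches(rule, packet):
    return (_in(packet["src"], rule["src"]) and _in(packet["dst"], rule["dst"])
            and rule["proto"] in (None, packet["proto"])
            and rule["dport"] in (None, packet.get("dport")))


def evaluate(packet, rules=RULES):
    """Return (action, rule name) of the first matching rule, or ('drop', None)."""
    for rule in rules:
        if matches(rule, packet):
            return rule["action"], rule["name"]
    return "drop", None


if __name__ == "__main__":
    # Constructed packets: IKE from the peer, IKE from a stranger, NAT-T, and LAN traffic.
    for pkt in ({"src": NETSCREEN_EXT, "dst": PROVENTIA_EXT, "proto": "udp", "dport": 500},
                {"src": "198.51.100.99", "dst": PROVENTIA_EXT, "proto": "udp", "dport": 500},
                {"src": NETSCREEN_EXT, "dst": PROVENTIA_EXT, "proto": "udp", "dport": 4500},
                {"src": "10.1.7.7", "dst": "192.168.1.20", "proto": "tcp", "dport": 445}):
        print(pkt["src"], "->", pkt["dst"], pkt["proto"], pkt.get("dport"), evaluate(pkt))
```

The second and third packets show why the self-policy rule is written the way it is: IKE from any address other than the NetScreen peer is not admitted, and UDP 4500 is not needed because NAT traversal is turned off on the NetScreen side.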

Creating Network Objects for the NetScreen System

You must create network objects on the NetScreen management console.

Creating address list object for subnet A

To create an address list object for subnet A:
1. In the left pane, select Objects > Addresses > List.
2. Select Untrust.
3. Click New, and then configure the following settings:
   Address Name: Subnet A
   IP/Netmask: 192.168.1.0/24
   Zone: Untrust
4. Click OK.

Creating address list object for subnet B

To create an address list object for subnet B:
1. In the left pane, select Objects > Addresses > List.
2. Select Trust.
3. Click New, and then configure the following settings:
   Address Name: Subnet B
   IP/Netmask: 10.1.0.0/16
   Zone: Trust
4. Click OK.

Configuring VPN on the NetScreen System Using the VPN Wizard

Configuring VPN on the NetScreen system involves the following tasks:
- setting up VPN using the VPN wizard
- disabling NAT traversal

Setting up VPN

To set up VPN:
1. In the left pane, select Wizards > VPN.
2. Select LAN-to-LAN.
3. Select Local Static IP <-> Remote Static IP.
4. In the Remote Gateway IP Address field, type the external interface IP address of the Proventia M series appliance (example: a.a.a.a).
5. Select Standard (128/168-bit encryption strength).
6. In the Preshared Secret field, type the same pre-shared key that you used for the Proventia appliance (example: 1234567890abcdef).
7. Choose Select from the untrust zone address book, and then select Subnet A from the drop-down list.
8. Choose Select from the trust zone address book, and then select Subnet B from the drop-down list.
9. Review the configuration, and then click Next to accept.

Disabling NAT traversal

To disable NAT traversal:
1. In the left pane, select VPNs > AutoKey Advanced > Gateway.
2. In the right pane, click Edit next to Gateway to Subnet A.
3. Click Advanced.
4. Clear the Enable NAT-Traversal check box.
5. Click Return.
6. Click OK.

Configuring VPN on the NetScreen System Manually

If you do not want to use the VPN wizard, or if the wizard does not properly configure your VPN settings, you can configure the settings manually. The remainder of this document describes how to configure VPN on the NetScreen system manually.

Creating gateway object and IKE phase 1 policy

To create the gateway object and IKE phase 1 policy:
1. Select VPNs > AutoKey Advanced > Gateway.
2. In the right pane, click New.
3. Configure the following settings:
   Gateway Name: Gateway for Subnet A
   Security Level: Standard
       Reference: For information about the Standard Security Level, refer to Description of Standard Security Level below.
   Remote Gateway Type: Static IP Address
   IP Address: The external interface IP address of the Proventia M series appliance (example: a.a.a.a)
   Peer ID: The external interface IP address of the Proventia M series appliance (example: a.a.a.a)
   User: None
   Group: None
   Preshared Key: The same pre-shared key that you used for the Proventia appliance (example: 1234567890abcdef)
   Local ID: Leave blank
   Outgoing Interface: Select the interface configured as Untrust under Network > Interfaces (example: ethernet3)
4. Click Advanced.
5. Clear the Enable NAT-Traversal check box.
6. Click Return.
7. Click OK.

Description of Standard Security Level

The Standard Security Level setting includes the following policy settings:

Policy 1
   Identity Authentication: Preshared Secret
   Perfect Forward Secrecy: Diffie-Hellman Group 2
   Encryption: 3DES
   Authentication: SHA-1

Policy 2
   Identity Authentication: Preshared Secret
   Perfect Forward Secrecy: Diffie-Hellman Group 2
   Encryption: AES 128
   Authentication: SHA-1

Note: The Proventia M series settings match Policy 2. Whichever side initiates, the negotiation settles on Policy 2, because AES-128 with SHA-1 and Group 2 is the only proposal both peers offer; if the Proventia IKE or IPSEC settings are changed to something outside this list, Phase 1 or Phase 2 will fail with a proposal mismatch.
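The tunnel only comes up when the two ends agree on a Phase 1 proposal, a Phase 2 proposal, mirrored proxy IDs (each side's local subnet is the other side's remote subnet) and the same pre-shared key. The following is an added example, not ISS or NetScreen code, that models both ends from the tables in this document and checks those four conditions before anything is typed into either console; the data model, the field names, the list of algorithms treated as weak and the checker itself are this example's own assumptions.

```python
"""Consistency check for the two ends of the Proventia-to-NetScreen tunnel.

Added example, not ISS or NetScreen code. The peers below are built from the
tables in this document; the NetScreen "Standard" security level is modelled as
the two proposals the document lists for it. WEAK_ALGORITHMS is this example's
own assumption, not a statement from the source.
"""
from dataclasses import dataclass
import ipaddress

WEAK_ALGORITHMS = {"DES", "MD5", "Group1"}  # offered by both products, but not to be chosen
MIN_PSK_LENGTH = 16                          # the checklist's minimum


@dataclass(frozen=True)
class Proposal:
    encryption: str      # "AES128", "AES192", "AES256", "3DES" or "DES"
    authentication: str  # "SHA1" or "MD5"
    dh_group: str        # "Group1", "Group2", "Group5", or "None" (phase 2 without PFS)


@dataclass
class Peer:
    name: str
    external_ip: str
    local_subnet: str    # the network this end protects
    remote_subnet: str   # the network it expects behind the other end
    psk: str
    phase1: list         # Proposal objects in the order this end offers them
    phase2: list


def negotiate(offered, accepted):
    """IKE settles on the first proposal in the initiator's list that the
    responder also accepts; return it, or None if the lists share nothing."""
    for proposal in offered:
        if proposal in accepted:
            return proposal
    return None


def weak_parts(proposal):
    return sorted({proposal.encryption, proposal.authentication, proposal.dh_group} & WEAK_ALGORITHMS)


def check_tunnel(a, b):
    """Return a list of findings; an empty list means the two ends agree."""
    findings = []
    for phase, mine, theirs in (("phase 1", a.phase1, b.phase1), ("phase 2", a.phase2, b.phase2)):
        chosen = negotiate(mine, theirs)
        if chosen is None:
            findings.append(f"{phase}: {a.name} and {b.name} share no proposal")
            continue
        for part in weak_parts(chosen):
            findings.append(f"{phase}: negotiated {part}, which should not be used")
    # Proxy IDs: each end's local network must be the other end's remote network.
    for mine, theirs, label in ((a.local_subnet, b.remote_subnet, f"{a.name} local"),
                                (a.remote_subnet, b.local_subnet, f"{a.name} remote")):
        if ipaddress.ip_network(mine, strict=False) != ipaddress.ip_network(theirs, strict=False):
            findings.append(f"proxy ID mismatch: {label} {mine} vs {theirs}")
    if a.psk != b.psk:
        findings.append("pre-shared keys differ")
    if min(len(a.psk), len(b.psk)) < MIN_PSK_LENGTH:
        findings.append(f"pre-shared key shorter than {MIN_PSK_LENGTH} characters")
    return findings


AES_SHA1_G2 = Proposal("AES128", "SHA1", "Group2")   # NetScreen Policy 2, Proventia's only proposal
TDES_SHA1_G2 = Proposal("3DES", "SHA1", "Group2")    # NetScreen Policy 1

# Tables 2, 4 and 5 of this document; the placeholder key is the document's own example.
PROVENTIA = Peer("Proventia", "a.a.a.a", "192.168.1.0/24", "10.1.0.0/16",
                 "1234567890abcdef", [AES_SHA1_G2], [AES_SHA1_G2])
# The NetScreen gateway and VPN both use the Standard security level: Policy 1 then Policy 2.
NETSCREEN = Peer("NetScreen", "b.b.b.b", "10.1.0.0/16", "192.168.1.0/24",
                 "1234567890abcdef", [TDES_SHA1_G2, AES_SHA1_G2], [TDES_SHA1_G2, AES_SHA1_G2])

if __name__ == "__main__":
    print("phase 1 result:", negotiate(NETSCREEN.phase1, PROVENTIA.phase1))
    print(check_tunnel(PROVENTIA, NETSCREEN) or "tunnel settings are consistent")
```

Running the block as written reports a consistent tunnel; changing the NetScreen address object for Subnet A to 192.168.1.0/25, or typing the key with one character missing, produces the proxy-ID and pre-shared-key findings, which are the two mistakes most often behind a Phase 2 that never completes.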

Configuring IKE Phase 2 Policy on the NetScreen System

This topic describes how to configure IKE Phase 2 (Quick Mode) on the NetScreen system.

Creating an IKE policy rule

To create an IKE policy rule:
1. Select VPNs > AutoKey IKE.
2. In the right pane, click New.
3. Configure the following settings:
   VPN Name: Tunnel for Subnet A
   Security Level: Standard
       Reference: For information about the Standard Security Level, refer to Description of Standard Security Level above.
   Remote Gateway: Predefined; select Gateway for Subnet A.
4. Click OK.

Creating Firewall Rules on the NetScreen System

This topic describes how to create inbound and outbound firewall rules for the NetScreen system.

Note: ISAKMP (UDP port 500) rules for IKE negotiations are enabled by default.

Creating the outbound firewall rule

To create the outbound firewall rule:
1. In the left pane, select Policies.
2. Select Trust from the From drop-down list.
3. Select Untrust from the To drop-down list.
4. Click Go.
5. Click New, and then configure the following settings:
   Name: Proventia
   Source Address: Address Book; select Subnet B from the drop-down list.
   Destination Address: Address Book; select Subnet A from the drop-down list.
   Service: (not specified in the source)
   Action: Tunnel
   Tunnel: Tunnel for Subnet A
   Modify matching bidirectional VPN policy: Selected
   L2TP: None
   Position at Top: Selected
6. Click OK.

Verifying the inbound firewall rule

The mirror policy for inbound traffic is automatically created when you select Modify matching bidirectional VPN policy. However, you may want to verify that it was created.

To verify that the inbound rule was created:
1. Select Untrust from the From drop-down list.
2. Select Trust from the To drop-down list.
3. Click Go.

You should see an enabled policy with the following settings:
   Source: Subnet A
   Destination: Subnet B
   Service: (not specified in the source)
   Action: Tunnel