Configuring VPN from Proventia M Series Appliance to NetScreen Systems January 13, 2004 Overview This document describes how to configure a VPN tunnel from a Proventia M series appliance to NetScreen 208 systems. Intended use This document provides an example for configuring VPN from a Proventia M series appliance to a NetScreen system running a version 4.0.0r6 operating system. The example is not designed for operational use without modification. A knowledgeable IPSEC network administrator or advanced user should design new, custom polices for operational use. Scope This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the Related documentation section of this topic. Related documentation Refer to the Proventia Manager Help and the Proventia M Series Appliances User Guide for more information about the following: IKE and IKE policies IPSEC and IPSEC policies Firewall policies For procedures for configuring the NetScreen system, refer to the documentation provided with your system. In this document This document contains the following topics: Topic Page Before You Begin 3 Internet Security Systems, Inc. 2003. All rights reserved worldwide. 1
Configuring VPN from Proventia M Series Appliance to NetScreen Systems Topic Page Configuring the Proventia Appliance IKE Policy 5 Configuring the Proventia Appliance IPSEC Policy 6 Creating Related Firewall Rules for Proventia Appliance 10 Creating Network Objects for the NetScreen System 13 Configuring VPN on the NetScreen System Using the VPN Wizard 14 Configuring VPN on the NetScreen System Manually 15 Configuring IKE Phase 2 Policy on the NetScreen System 17 Creating Firewall Rules on the NetScreen System 18 2
Before You Begin Before You Begin This topic includes a topography graphic and a checklist to help you gather the information you need to configure VPN for your Proventia M series appliance and NetScreen system. Topography The following graphic illustrates the network topography of a Proventia M series appliance configured for VPN with a NetScreen system. The example used in this document is based on the topography depicted. Subnet A 192.168.1.0/24 Subnet B 10.1.0.0/16 192.168.1.1 a.a.a.a b.b.b.b 10.1.0.1 Internet Proventia Netscreen Table 1: Topography for VPN tunnel from Proventia M Series appliance to NetScreen 3
Configuring VPN from Proventia M Series Appliance to NetScreen Systems Checklist The following checklist indicates the information that you need before configuring your VPN tunnel. Proventia M series External IP address Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document. Proventia M series Internal IP Address Subnet A IP address NetScreen External IP address Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document. NetScreen Internal IP address Subnet B IP address Preshared key (minimum of 16 characters) Note: Use signed certificates to identify the Proventia M series appliance and NetScreen VPN server for better security. IKE Phase 1 (Main Mode) Authentication MD5 SHA1 IKE Phase 1 Encryption 3DES DES AES Note: If you select AES, select an AES key length: 128 192 256 IKE Phase 1 Key Lifetime Seconds IKE Phase 1 Key Lifetime Kbytes IKE Phase 1 Diffie-Hellman Group Group1 Group2 Group5 IKE Phase 2 (Quick Mode) Authentication MD5 SHA1 IKE Phase 2 Encryption 3DES DES AES Note: If you select AES, select an AES key length: 128 192 256 IKE Phase 2 Key Lifetime Seconds IKE Phase 2 Key Lifetime Kbytes IKE Phase 2 Diffie-Hellman Group None Group1 Group2 Group5 Firewall Policies 4
Configuring the Proventia Appliance IKE Policy Configuring the Proventia Appliance IKE Policy You must configure the IKE policy for Phase I (Main Mode) negotiation. Creating an IKE policy rule To configure the IKE policy, create an IKE rule with the following settings: Name Enabled Direction Exchange Type Local ID Type Local ID Data Local IP Remote IP Encryption Algorithm To_NetScreen Selected Both Main Mode IP Address The external interface IP address of the Proventia M series appliance Example: a.a.a.a The external interface IP address of the Proventia M series appliance Example: a.a.a.a The external interface IP address of the NetScreen system Example: b.b.b.b AES AES key length 128 Authentication Algorithm Authentication Mode Pre-Shared Key SHA1 Pre Shared Key A text string value of at least 16-characters Example: 1234567890abcdef Note: You will use the same text string for the NetScreen system. Lifetime in Secs 28800 Lifetime in Kbs 0 DH Group Group 2 Table 2: IKE policy settings for Proventia M series appliance Adding a remote ID In the Remote ID area, add a remote ID with the following settings: Remote ID Type Remote ID Data IP Address The external interface IP address of the NetScreen system Example: b.b.b.b Table 3: Remote ID settings for Proventia M series appliance 5
Configuring VPN from Proventia M Series Appliance to NetScreen Systems Configuring the Proventia Appliance IPSEC Policy You must configure the IPSEC policy to define the IPSEC protocol, key exchange method, and other necessary information needed to provide security to IP packets. The IPSEC policy is configured without network address translation (NAT). Creating an IPSEC rule To configure the IPSEC policy, create an IPSEC rule with the following settings: Name Enabled Security Process Protocol Encapsulation Mode Source Address Source Port Destination Address Destination Port Automatic Key Management Peer S.G. Perfect Forward Secrecy To_NetScreen Selected Apply All Tunnel Network Address/#Network Bits (CIDR) Type the network mask for subnet A. Example: 192.168.1.0/24 Network Address/#Network Bits (CIDR) Type the network mask for subnet B. Example: 10.1.0.0/16 Selected The external interface IP address of the NetScreen system Example: b.b.b.b Group 2 Table 4: IPSEC policy settings for Proventia M series appliance 6
Configuring the Proventia Appliance IPSEC Policy Adding a security proposal In the Security Proposal area, add a security proposal with the following settings: Security Protocol Auth Algorithm ESP Algorithm ESP AES Key Length ESP with Auth SHA1 AES 128 Lifetime in Secs 3600 Lifetime in Kbs 0 Table 5: Security Proposal settings for Proventia M series appliance 7
Configuring VPN from Proventia M Series Appliance to NetScreen Systems Configuring Antivirus Protection with VPN Connection The antivirus software proxies traffic to the external interface of the Proventia M series appliance for the following protocols: HTTP FTP SMTP POP3 To ensure that traffic analyzed by the antivirus software is sent and received from the remote VPN subnet B, you must create an additional IPSEC policy rule. Creating an IPSEC rule To configure the IPSEC policy, create an IPSEC rule with the following settings: Name Enabled Security Process Protocol Encapsulation Mode Source Address Source Port Destination Address Destination Port Automatic Key Management Peer S.G. Perfect Forward Secrecy AV_To_NetScreen Selected Apply All Tunnel Single IP Address Type the external interface IP address of the Proventia M series appliance Example: a.a.a.a Note: This setting encapsulates traffic from the Proventia appliance external interface. Network Address/#Network Bits (CIDR) Type the network mask for subnet B. Example: 10.1.0.0/16 Selected The external interface IP address of the NetScreen system Example: b.b.b.b Group 2 Table 6: IPSEC rule settings for antivirus protection for VPN 8
Configuring Antivirus Protection with VPN Connection Adding a security proposal In the Security Proposal area, add a security proposal with the following settings: Security Protocol Auth Algorithm ESP Algorithm ESP AES Key Length ESP with Auth SHA1 AES 128 Lifetime in Secs 3600 Lifetime in Kbs 0 Table 7: Security Proposal settings for antivirus protection for VPN Mirror inbound policy rule The appliance automatically creates the mirror inbound policy rule for antivirus protection for VPN. 9
Configuring VPN from Proventia M Series Appliance to NetScreen Systems Creating Related Firewall Rules for Proventia Appliance Creating related firewall rules includes the following tasks: enabling Internet Security Association and Key Management Protocol (ISAKMP) traffic to the Proventia M series appliance external interface enabling traffic from subnet A to subnet B without NAT Guidelines You are creating a VPN tunnel in which the original IP addresses are preserved in the ESP, so you do not need NAT for the subnets. Order of firewall rules Firewall rules are processed in the order that they appear in the list. Enabling ISAKMP traffic to the Proventia M series appliance Although you have created a VPN tunnel from the NetScreen server to the Proventia VPN server, you must configure the firewall to accept or deny traffic from the VPN client. To do this, enable ISAKMP traffic to the Proventia M series appliance external interface. To enable ISAKMP traffic to the Proventia M series appliance, enable the self policy firewall rule with the following settings: Note: This firewall rule is included in the self policy. However, it is disabled by default. You must enable it to allow VPN traffic. Enabled Action Log Enabled Network Protocol Source Address Source Port Destination Address Selected Accept Not selected (optional) EXT UDP The external interface IP address of the NetScreen system Example: b.b.b.b Destination Port 500 Table 8: Self policy firewall rule settings for Proventia M series appliance 10
Creating Related Firewall Rules for Proventia Appliance Enabling traffic from subnet A to subnet B To enable all traffic from subnet A to subnet B, add inbound and outbound internal policy firewall rules. Add an Inbound rule In the Inbound Rules area, add a rule with the following settings: Enabled Action Log Enabled Protocol NAT Enabled Source Address Source Port Destination Address Destination Port Selected Accept Not selected (optional) Not selected Network Address/#Network Bits (CIDR) Type the network mask for subnet B. Example: 10.1.0.0/16 Network Address/#Network Bits (CIDR) Type the network mask for subnet A. Example: 192.168.1.0/24 Table 9: Internal inbound firewall rule settings for Proventia M series appliance 11
Configuring VPN from Proventia M Series Appliance to NetScreen Systems Add an Outbound rule In the Outbound Rules area, add a rule with the following settings: Enabled Action Log Enabled Protocol NAT Enabled Source Address Source Port Destination Address Destination Port Selected Accept Not selected (optional) Not selected Network Address/#Network Bits (CIDR) Type the network mask for subnet A. Example: 192.168.1.0/24 Network Address/#Network Bits (CIDR) Type the network mask for subnet B. Example: 10.1.0.0/16 Table 10: Internal outbound firewall rule settings for Proventia M series appliance 12
Creating Network Objects for the NetScreen System Creating Network Objects for the NetScreen System You must create network objects on the NetScreen management console. Creating address list object for subnet A To create an address list object for subnet A: 1. In the left pane, select ObjectsAddressesList. 2. Select Untrust. 3. Click New, and then configure the following settings: Address Name Subnet A IP/Netmask 192.168.1.0/24 Zone Untrust 4. Click OK. Creating address list object for subnet B To create an address list object for subnet B: 1. In the left pane, select ObjectsAddressesList. 2. Select Trust. 3. Click New, and then configure the following settings: Address Name Subnet B IP/Netmask 10.1.0.0/16 Zone Trust 4. Click OK. 13
Configuring VPN from Proventia M Series Appliance to NetScreen Systems Configuring VPN on the NetScreen System Using the VPN Wizard Configuring VPN on the NetScreen system involves the following tasks: setting up VPN using the VPN wizard disabling NAT traversal up VPN To set up VPN: 1. In the left pane, select WizardsVPN. 2. Select LAN-to-LAN. 3. Select Local Static IP <-> Remote Static IP. 4. In the Remote Gateway IP Address field, type the external interface IP address of the Proventia M series appliance. Example: a.a.a.a 5. Select Standard (128/168-bit encryption strength). 6. In the Preshared Secret field, type the same pre-shared key that you used for the Proventia appliance. Example: 1234567890abcdef 7. Choose Select from the untrust zone address book, and then select Subnet A from the drop-down list. 8. Choose Select from the trust zone address book, and then select Subnet B from the drop-down list. 9. Review the configuration, and then click Next to accept. Disabling NAT traversal To disable NAT traversal: 1. In the left pane, select VPNAutokey AdvancedGateway. 2. In the right pane, click Edit next to Gateway to Subnet A. 3. Click Advanced. 4. Clear the Enable NAT-Traversal check box. 5. Click Return. 6. Click OK. 14
Configuring VPN on the NetScreen System Manually Configuring VPN on the NetScreen System Manually If you do not want to use the VPN wizard, or if the wizard does not properly configure your VPN settings, you can configure the settings manually. The remainder of this document describes how to configure VPN on the NetScreen system manually. Creating gateway object and IKE phase 1 policy To create the gateway object and IKE phase 1 policy: 1. Select VPNsAutoKey AdvancedGateway. 2. In the right pane, click New. 3. Configure the following settings: Gateway Name Security Level Remote Gateway Type IP Address Peer ID User Group Preshared Key Local ID Outgoing Interface Gateway for Subnet A Standard Reference: For information about the Standard Security Level, refer to Description of Standard Security Level on page 16. Static IP Address The external interface IP address of the Proventia M series appliance Example: a.a.a.a The external interface IP address of the Proventia M series appliance Example: a.a.a.a None None The same pre-shared key that you used for the Proventia appliance Example: 1234567890abcdef Leave blank Select the interface configured as Untrust under Network Interfaces Example: ethernet3 4. Click Advanced. 5. Clear the Enable NAT-Traversal check box. 6. Click Return. 7. Click OK. 15
Configuring VPN from Proventia M Series Appliance to NetScreen Systems Description of Standard Security Level The Standard Security Level setting includes the following policy settings: Policy 1 Identity Authentication: Preshared Secret Perfect Forward Secrecy: Diffie-Hellman Group 2 Encryption: 3DES Authentication: SHA-1 Policy 2 Identity Authentication: Preshared Secret Perfect Forward Secrecy: Diffie-Hellman Group 2 Encryption: AES 128 Authentication: SHA-1 Note: The Proventia M series settings match Policy 2 settings. 16
Configuring IKE Phase 2 Policy on the NetScreen System Configuring IKE Phase 2 Policy on the NetScreen System This topic describes how to configure IKE Phase 2 or Quick Mode on the NetScreen system. Creating an IKE policy rule To create an IKE policy rule: 1. Select VPNsAutoKey IKE. 2. In the right pane, click New. 3. Configure the following settings: VPN Name Security Level Remote Gateway Tunnel for Subnet A Standard Reference: For information about the Standard Security Level, refer to Description of Standard Security Level on page 16. Predefined Select Gateway for Subnet A. 4. Click OK. 17
Configuring VPN from Proventia M Series Appliance to NetScreen Systems Creating Firewall Rules on the NetScreen System This topic describes how to create inbound and outbound firewall rules for the NetScreen system. Note: IKASMP and UDP port 500 rules for IKE negotiations are enabled by default. Creating the outbound firewall rule To create the outbound firewall rule: 1. In the left pane, select Polices. 2. Select Trust from the From drop-down list. 3. Select Untrust from the To drop-down list. 4. Click Go. 5. Click New, and then configure the following settings: Name Source Address Destination Address Service Action Tunnel Proventia Address Book Select Subnet B from the drop-down list. Address Book Select Subnet A from the drop-down list. Tunnel Tunnel for Subnet A Modify matching bidirectional VPN policy L2TP Position at Top Selected None Selected 6. Click OK. 18
Creating Firewall Rules on the NetScreen System Verifying the inbound firewall rule The mirror policy for inbound traffic is automatically created when you select Modify matching bidirectional VPN policy. However, you may want to verify that it was created. To verify that the inbound rule was created: 1. Select Untrust from the From drop-down list. 2. Select Trust from the To drop-down list. 3. Click Go. You should see an enabled policy with the following settings: Source: Subnet A Destination: Subnet B Service: Action: Tunnel 19
Configuring VPN from Proventia M Series Appliance to NetScreen Systems 20