Configuring VPN from Proventia M Series Appliance to Symantec 5310 Systems


January 13, 2004

Overview

Introduction
This document describes how to configure a VPN tunnel from a Proventia M series appliance to Symantec Gateway 5310 systems.

Intended use
This document provides an example for configuring VPN from a Proventia M series appliance to a Symantec 5310 system. The example is not designed for operational use without modification. A knowledgeable IPSEC network administrator or advanced user should design new, custom policies for operational use.

Scope
This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the Related documentation section of this topic.

Related documentation
Refer to the Proventia Manager Help and the Proventia M Series Appliances User Guide for more information about the following:
  - IKE and IKE policies
  - IPSEC and IPSEC policies
  - Firewall policies
For procedures for configuring the Symantec system, refer to the documentation provided with your system.

In this document
This document contains the following topics:
  - Before You Begin
  - Configuring the Proventia Appliance IKE Policy
  - Configuring the Proventia Appliance IPSEC Policy
  - Configuring Antivirus Protection with VPN Connection
  - Creating Related Firewall Rules for Proventia Appliance
  - Creating Security Gateway Objects for the Symantec System
  - Creating Subnet Objects on the Symantec System
  - Creating the VPN Tunnel on the Symantec System
  - Configuring Address Transforms on the Symantec System

Internet Security Systems, Inc. 2003. All rights reserved worldwide.

Before You Begin

Introduction
This topic includes a topology diagram and a checklist to help you gather the information you need to configure VPN for your Proventia M series appliance and Symantec system.

Topology
The following diagram illustrates the network topology of a Proventia M series appliance configured for VPN with a Symantec system. The example used in this document is based on the topology depicted.

  Subnet A             Proventia                              Symantec             Subnet B
  192.168.1.0/24 --- 192.168.1.1 | a.a.a.a --- Internet --- b.b.b.b | 10.1.0.1 --- 10.1.0.0/16

Table 1: Topology for VPN tunnel from Proventia M Series appliance to Symantec

Checklist
The following checklist indicates the information that you need before configuring your VPN tunnel.

  [ ] Proventia M series external IP address
      Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document.
  [ ] Proventia M series internal IP address
  [ ] Subnet A IP address
  [ ] Symantec external IP address
      Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document.
  [ ] Symantec internal IP address
  [ ] Subnet B IP address
  [ ] Preshared key (minimum of 20 characters)
      Note: Use signed certificates to identify the Proventia M series appliance and Symantec VPN server for better security.
  [ ] IKE Phase 1 (Main Mode) authentication: MD5 / SHA1
  [ ] IKE Phase 1 encryption: 3DES / DES / AES
      Note: If you select AES, select an AES key length: 128 / 192 / 256
  [ ] IKE Phase 1 key lifetime (seconds)
  [ ] IKE Phase 1 key lifetime (Kbytes)
  [ ] IKE Phase 1 Diffie-Hellman group: Group 1 / Group 2 / Group 5
  [ ] IKE Phase 2 (Quick Mode) authentication: MD5 / SHA1
  [ ] IKE Phase 2 encryption: 3DES / DES / AES
      Note: If you select AES, select an AES key length: 128 / 192 / 256
  [ ] IKE Phase 2 key lifetime (seconds)
  [ ] IKE Phase 2 key lifetime (Kbytes)
  [ ] IKE Phase 2 Diffie-Hellman group (Perfect Forward Secrecy): None / Group 1 / Group 2 / Group 5
  [ ] Firewall policies

Note: The example in this document uses 3DES, SHA1 and Diffie-Hellman Group 2 on both phases. These were the common interoperable choices when the document was written (2004); DES, MD5 and Group 1 were already the weakest options on the list and should not be selected on either side. If both systems support AES and a larger DH group, prefer them.

Configuring the Proventia Appliance IKE Policy

Introduction
You must configure the IKE policy for Phase 1 (Main Mode) negotiation.

Creating an IKE policy rule
To configure the IKE policy, create an IKE rule with the following settings:

  Name                      To_Symantec
  Enabled                   Selected
  Direction                 Both
  Exchange Type             Main Mode
  Local ID Type             IP Address
  Local ID Data             The external interface IP address of the Proventia M series appliance (example: a.a.a.a)
  Local IP                  The external interface IP address of the Proventia M series appliance (example: a.a.a.a)
  Remote IP                 The external interface IP address of the Symantec system (example: b.b.b.b)
  Encryption Algorithm      3DES
  Authentication Algorithm  SHA1
  Authentication Mode       Pre Shared Key
  Pre-Shared Key            A text string value of at least 20 characters (example: 1234567890abcdef1234)
                            Note: You will use the same text string for the Symantec system. The example string is a placeholder only; generate the real key from a random source rather than a recognisable pattern.
  Lifetime in Secs          7200
  Lifetime in Kbs           0
  DH Group                  Group 2

Table 2: IKE policy settings for Proventia M series appliance

Adding a remote ID
In the Remote ID area, add a remote ID with the following settings:

  Remote ID Type            IP Address
  Remote ID Data            The external interface IP address of the Symantec system (example: b.b.b.b)

Table 3: Remote ID settings for Proventia M series appliance

Configuring the Proventia Appliance IPSEC Policy

Introduction
You must configure the IPSEC policy to define the IPSEC protocol, key exchange method, and the other information needed to protect IP packets. The IPSEC policy is configured without network address translation (NAT).

Creating an IPSEC rule
To configure the IPSEC policy, create an IPSEC rule with the following settings:

  Name                      To_Symantec
  Enabled                   Selected
  Security Process          Apply
  Protocol                  All
  Encapsulation Mode        Tunnel
  Source Address            Network Address/#Network Bits (CIDR): type the network address and prefix length of subnet A (example: 192.168.1.0/24)
  Source Port               (blank)
  Destination Address       Network Address/#Network Bits (CIDR): type the network address and prefix length of subnet B (example: 10.1.0.0/16)
  Destination Port          (blank)
  Automatic Key Management  Selected
  Peer S.G.                 The external interface IP address of the Symantec system (example: b.b.b.b)
  Perfect Forward Secrecy   Group 2

Table 4: IPSEC policy settings for Proventia M series appliance

Adding a security proposal
In the Security Proposal area, add a security proposal with the following settings:

  Security Protocol   ESP with Auth
  Auth Algorithm      SHA1
  ESP Algorithm       3DES
  Lifetime in Secs    7200
  Lifetime in Kbs     0

Table 5: Security Proposal settings for Proventia M series appliance

Configuring Antivirus Protection with VPN Connection

Introduction
The antivirus software proxies traffic to the external interface of the Proventia M series appliance for the following protocols:
  - HTTP
  - FTP
  - SMTP
  - POP3
Because the proxied sessions originate from the appliance's own external address rather than from subnet A, the To_Symantec rule does not cover them. To ensure that traffic analyzed by the antivirus software is sent to and received from the remote VPN subnet B, you must create an additional IPSEC policy rule.

Creating an IPSEC rule
To configure the IPSEC policy, create an IPSEC rule with the following settings:

  Name                      AV_To_Symantec
  Enabled                   Selected
  Security Process          Apply
  Protocol                  All
  Encapsulation Mode        Tunnel
  Source Address            Single IP Address: type the external interface IP address of the Proventia M series appliance (example: a.a.a.a)
                            Note: This setting encapsulates traffic from the Proventia appliance external interface.
  Source Port               (blank)
  Destination Address       Network Address/#Network Bits (CIDR): type the network address and prefix length of subnet B (example: 10.1.0.0/16)
  Destination Port          (blank)
  Automatic Key Management  Selected
  Peer S.G.                 The external interface IP address of the Symantec system (example: b.b.b.b)
  Perfect Forward Secrecy   Group 2

Table 6: IPSEC rule settings for antivirus protection for VPN

Check: The Symantec entities defined later in this document are SubnetA and SubnetB only, and neither contains a.a.a.a. Confirm on the Symantec side that traffic from the Proventia external address to subnet B is accepted through the tunnel; otherwise subnet-to-subnet traffic will work while the proxied HTTP, FTP, SMTP and POP3 sessions fail.

Adding a security proposal
In the Security Proposal area, add a security proposal with the following settings:

  Security Protocol   ESP with Auth
  Auth Algorithm      SHA1
  ESP Algorithm       3DES
  Lifetime in Secs    7200
  Lifetime in Kbs     0

Table 7: Security Proposal settings for antivirus protection for VPN

Mirror inbound policy rule
The appliance automatically creates the mirror inbound policy rule for antivirus protection for VPN.

Creating Related Firewall Rules for Proventia Appliance

Introduction
Creating related firewall rules includes the following tasks:
  - enabling Internet Security Association and Key Management Protocol (ISAKMP) traffic to the Proventia M series appliance external interface
  - enabling traffic from subnet A to subnet B without NAT

Guideline
You are creating a VPN tunnel in which the original IP addresses are preserved inside the ESP encapsulation, so you do not need NAT for the subnets.

Order of firewall rules
Firewall rules are processed in the order that they appear in the list; the first rule that matches a packet decides.

Enabling ISAKMP traffic to the Proventia M series appliance
Although you have defined the VPN tunnel between the Symantec system and the Proventia appliance, the firewall must still be configured to accept the peer's key exchange traffic. To do this, enable ISAKMP (UDP port 500) traffic to the Proventia M series appliance external interface.

To enable ISAKMP traffic to the Proventia M series appliance, enable the self policy firewall rule with the following settings:

Note: This firewall rule is included in the self policy. However, it is disabled by default. You must enable it to allow VPN traffic.

  Enabled              Selected
  Action               Accept
  Log Enabled          Not selected (optional)
  Network              EXT
  Protocol             UDP
  Source Address       The external interface IP address of the Symantec system (example: b.b.b.b)
  Source Port          (blank)
  Destination Address  (blank)
  Destination Port     500

Table 8: Self policy firewall rule settings for Proventia M series appliance

Check: This rule admits only the IKE negotiation. The protected traffic itself arrives as ESP (IP protocol 50) from b.b.b.b; if the tunnel negotiates but no packets flow, confirm that the self policy also accepts ESP from the Symantec external address.

Enabling traffic from subnet A to subnet B
To enable all traffic from subnet A to subnet B, add inbound and outbound internal policy firewall rules.

Add an Inbound rule
In the Inbound Rules area, add a rule with the following settings:

  Enabled              Selected
  Action               Accept
  Log Enabled          Not selected (optional)
  Protocol             (blank)
  NAT Enabled          Not selected
  Source Address       Network Address/#Network Bits (CIDR): type the network address and prefix length of subnet B (example: 10.1.0.0/16)
  Source Port          (blank)
  Destination Address  Network Address/#Network Bits (CIDR): type the network address and prefix length of subnet A (example: 192.168.1.0/24)
  Destination Port     (blank)

Table 9: Internal inbound firewall rule settings for Proventia M series appliance

Add an Outbound rule
In the Outbound Rules area, add a rule with the following settings:

  Enabled              Selected
  Action               Accept
  Log Enabled          Not selected (optional)
  Protocol             (blank)
  NAT Enabled          Not selected
  Source Address       Network Address/#Network Bits (CIDR): type the network address and prefix length of subnet A (example: 192.168.1.0/24)
  Source Port          (blank)
  Destination Address  Network Address/#Network Bits (CIDR): type the network address and prefix length of subnet B (example: 10.1.0.0/16)
  Destination Port     (blank)

Table 10: Internal outbound firewall rule settings for Proventia M series appliance
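The following is an added worked example, not code from this document or from either product. It evaluates the three Proventia firewall rules above (Tables 8, 9 and 10) in list order, first match wins, and maps the same packets onto the IPSEC selectors of Tables 4 and 6 and their mirror rules, so that you can see which packets are admitted, which are encapsulated, and which are neither. The addresses 203.0.113.10 and 198.51.100.20 stand in for a.a.a.a and b.b.b.b, the implicit final deny is assumed, and the model contains no further self policy rule for ESP because the document shows none; all of those are assumptions of this example.

```python
"""Added example, not code from the ISS document: evaluate the Proventia
firewall rules of Tables 8 to 10 in order (first match wins) and map packets
onto the IPSEC selectors of Tables 4 and 6, over a few constructed packets.

Assumptions: a.a.a.a = 203.0.113.10 and b.b.b.b = 198.51.100.20 (documentation
addresses standing in for the real ones); an implicit final deny; and no
additional self policy rule for ESP, which the document does not show."""
import ipaddress
from dataclasses import dataclass
from typing import Optional, Tuple

ANY = ipaddress.ip_network("0.0.0.0/0")
PROVENTIA_EXT = ipaddress.ip_network("203.0.113.10/32")  # a.a.a.a (assumed value)
SYMANTEC_EXT = ipaddress.ip_network("198.51.100.20/32")  # b.b.b.b (assumed value)
SUBNET_A = ipaddress.ip_network("192.168.1.0/24")
SUBNET_B = ipaddress.ip_network("10.1.0.0/16")


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                   # "udp", "tcp", "esp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    action: str                  # "accept" or "deny"
    src: ipaddress.IPv4Network = ANY
    dst: ipaddress.IPv4Network = ANY
    proto: Optional[str] = None  # None matches any protocol
    dport: Optional[int] = None  # None matches any port

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in self.src
                and ipaddress.ip_address(p.dst) in self.dst
                and self.proto in (None, p.proto)
                and self.dport in (None, p.dport))


# Rules in the order the appliance evaluates them.
FIREWALL = [
    # Table 8: self policy, ISAKMP from the Symantec peer to the EXT interface
    Rule("self_isakmp", "accept", src=SYMANTEC_EXT, dst=PROVENTIA_EXT, proto="udp", dport=500),
    # Table 9: internal inbound rule, subnet B -> subnet A, NAT not selected
    Rule("int_inbound", "accept", src=SUBNET_B, dst=SUBNET_A),
    # Table 10: internal outbound rule, subnet A -> subnet B, NAT not selected
    Rule("int_outbound", "accept", src=SUBNET_A, dst=SUBNET_B),
    Rule("default_deny", "deny"),  # assumed implicit final deny
]

# IPSEC selectors: Table 4, Table 6, and the mirror rules the appliance creates.
IPSEC_SELECTORS = [
    ("To_Symantec", SUBNET_A, SUBNET_B),
    ("AV_To_Symantec", PROVENTIA_EXT, SUBNET_B),
    ("To_Symantec (mirror)", SUBNET_B, SUBNET_A),
    ("AV_To_Symantec (mirror)", SUBNET_B, PROVENTIA_EXT),
]


def firewall_decision(p: Packet) -> Tuple[str, str]:
    """Return (rule name, action) for the first rule that matches p."""
    for r in FIREWALL:
        if r.matches(p):
            return r.name, r.action
    raise RuntimeError("unreachable: default_deny matches every packet")


def ipsec_selector(p: Packet) -> Optional[str]:
    """Name of the IPSEC rule whose selector covers p, or None if it goes in the clear."""
    s, d = ipaddress.ip_address(p.src), ipaddress.ip_address(p.dst)
    for name, src_net, dst_net in IPSEC_SELECTORS:
        if s in src_net and d in dst_net:
            return name
    return None


def check(p: Packet) -> dict:
    """Combine both lookups for one packet."""
    name, action = firewall_decision(p)
    return {"rule": name, "action": action, "ipsec": ipsec_selector(p)}


if __name__ == "__main__":
    samples = [  # constructed packets
        Packet("198.51.100.20", "203.0.113.10", "udp", 500),  # IKE from the Symantec peer
        Packet("198.51.100.20", "203.0.113.10", "esp"),       # ESP from the Symantec peer
        Packet("192.168.1.50", "10.1.7.9", "tcp", 445),       # host in A -> host in B
        Packet("10.1.7.9", "192.168.1.50", "tcp", 445),       # reply direction
        Packet("203.0.113.10", "10.1.0.25", "tcp", 25),       # AV proxy SMTP -> B; locally
                                                              # originated, so only the
                                                              # selector result applies
        Packet("192.168.1.50", "172.16.0.1", "tcp", 80),      # A -> somewhere else
    ]
    for p in samples:
        print(f"{p.src:>14} -> {p.dst:<14} {p.proto:<4} {check(p)}")
```

Run it as a script to see the table. The ESP sample lands on the assumed final deny, which is exactly the condition the check after Table 8 asks you to rule out on the real appliance; the last sample shows that traffic from subnet A to any destination outside subnet B is neither accepted nor encapsulated by the rules in this document.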

Creating Security Gateway Objects for the Symantec System

Introduction
You must create security gateway objects on the Symantec management console.

Creating the Proventia gateway object
To create the Proventia gateway object:
1. Select Base Components > Network Entities.
2. In the left pane, right-click Network Entities, and then select New > Security Gateway.
3. Configure the following on the General tab:
     Name           Proventia
     Description    Subnet A Gateway
     Type           Security Gateway
4. Configure the following on the Security Gateway tab:
     IP Address     The external interface IP address of the Proventia M series appliance (example: a.a.a.a)
     Enable IKE     Selected
     Phase 1 ID     Leave this field blank to use the IP address.
     Shared Secret  The same pre-shared key that you used for the Proventia appliance (example: 1234567890abcdef1234)
5. Click OK.

Creating the Symantec gateway object
To create the Symantec gateway object:
1. In the left pane, right-click Network Entities, and then select New > Security Gateway.
2. Configure the following on the General tab:
     Name           Symantec
     Description    Subnet B Gateway
     Type           Security Gateway
3. Configure the following on the Security Gateway tab:
     IP Address     The external interface IP address of the Symantec system (example: b.b.b.b)
     Enable IKE     Selected
     Phase 1 ID     Leave this field blank to use the IP address.
     Shared Secret  This field is not available.
4. Click OK.

Creating Subnet Objects on the Symantec System

Introduction
You must create objects for subnet A and subnet B on the Symantec system.

Creating subnet A object
To create the subnet A object:
1. In the left pane, right-click Network Entities, and then select New > Subnet.
2. Configure the following on the General tab:
     Name         SubnetA
     Description  Type a meaningful description.
     Type         Subnet
3. Configure the following on the Address tab:
     Address      192.168.1.0
     Netmask      255.255.255.0
4. Click OK.

Creating subnet B object
To create the subnet B object:
1. In the left pane, right-click Network Entities, and then select New > Subnet.
2. Configure the following on the General tab:
     Name         SubnetB
     Description  Type a meaningful description.
     Type         Subnet
3. Configure the following on the Address tab:
     Address      10.1.0.0
     Netmask      255.255.0.0
4. Click OK.

Creating the VPN Tunnel on the Symantec System

Introduction
This topic describes how to create the VPN tunnel on the Symantec system.

Creating the VPN tunnel
To create the VPN tunnel:
1. Select Virtual Private Networks > Secure Tunnels.
2. In the left pane, right-click Secure Tunnels, and then select New > Secure Tunnel.
3. Configure the following on the Description tab:
     Name            TunnelToProventia
     Description     Type a meaningful description.
     Local Entity    SubnetB
     Local Gateway   Symantec
     Remote Entity   SubnetA
     Remote Gateway  Proventia
     VPN Policy      ike_default_crypto_strong
                     Note: This policy is for IKE Quick Mode (phase 2) negotiations for the IPSEC tunnel. Refer to the ike_default_crypto_strong settings below for more information.
     IKE Policy      global_ike_policy
                     Note: This is for IKE Main Mode (phase 1) negotiations. Refer to the global_ike_policy settings below for more information.
4. Click OK.

ike_default_crypto_strong settings
The ike_default_crypto_strong VPN policy includes the following policy settings:

  Encapsulation Mode        Tunnel
  Encapsulation Protocol    ESP with Auth
  Perfect Forward Secrecy   Group 2
  Encryption Algorithm      3DES
  Authentication Algorithm  SHA1
  Timeout in Secs           28800
  Timeout in KB             2,100,000

Table 11: ike_default_crypto_strong policy settings

Note: These timeouts differ from the 7200-second, unlimited-Kbyte lifetime in the Proventia security proposal (Table 5). IKE does not negotiate a common value; each side rekeys when its own limit is reached, so in this example the Proventia appliance will initiate a Quick Mode rekey roughly every two hours and the Symantec volume limit applies on its side only. Verify that the rekey succeeds when initiated from either side, or align the values on the two systems.

global_ike_policy settings
The global_ike_policy includes the following settings, each with a first and a second choice:

  Algorithm                  1st       2nd
  Authentication Algorithm   SHA1      MD5
  Encryption Algorithm       3DES      DES
  Perfect Forward Secrecy    Group 2   Group 1

Table 12: global_ike_policy settings

Note: Timeout in Secs is set to 7200. There is only one Timeout in Secs setting.

Note: The first choices match the Proventia IKE policy (Table 2), so that is what the tunnel in this example will use. The second choices remain acceptable to the Symantec gateway, however, so any peer that offers only DES, MD5 or Group 1 will still complete Phase 1; remove them from the policy if that is not intended.
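The following is an added worked example, not code from this document or from either product. It models the IKEv1 proposal selection between the Proventia policies (Tables 2 and 5) and the Symantec policies (Tables 11 and 12), reconciles the two sides' lifetimes, and lists the weaker transforms the Symantec policy would still accept. Assumptions of the example: the responder picks the first transform in its own preference order that the initiator also offered (standard IKEv1 behaviour); the 1st/2nd columns of Table 12 expand into complete transforms in preference order; lifetimes are not negotiated, so whichever side reaches its limit first rekeys; and the WEAK set is this example's own classification.

```python
"""Added example, not code from the ISS document or either product: model the
IKEv1 proposal selection between the Proventia policies (Tables 2 and 5) and
the Symantec policies (Tables 11 and 12), and reconcile the lifetimes.

Assumptions: the responder picks the first of its own transforms that the
initiator also offered; the Symantec 1st/2nd columns of Table 12 expand into
complete transforms in preference order; lifetimes are not negotiated, so the
SA is replaced when the shorter limit on either side expires; the WEAK set is
this example's own classification."""
from dataclasses import dataclass
from itertools import product
from typing import List, Optional


@dataclass(frozen=True)
class Transform:
    encryption: str
    auth: str
    dh_group: Optional[int]  # None means no PFS (Phase 2 only)


@dataclass(frozen=True)
class Lifetime:
    seconds: int
    kbytes: int  # 0 means no volume limit


def expand(encryptions: List[str], auths: List[str], groups: List[Optional[int]]) -> List[Transform]:
    """Turn per-attribute preference lists into transforms, most preferred first."""
    return [Transform(e, a, g) for e, a, g in product(encryptions, auths, groups)]


def negotiate(initiator: List[Transform], responder: List[Transform]) -> Optional[Transform]:
    """Responder preference order decides; None when the policies do not overlap."""
    offered = set(initiator)
    for t in responder:
        if t in offered:
            return t
    return None


def effective_lifetime(a: Lifetime, b: Lifetime) -> Lifetime:
    """The SA is replaced when the shorter limit on either side expires (0 KB = unlimited)."""
    kb_limits = [x.kbytes for x in (a, b) if x.kbytes > 0]
    return Lifetime(min(a.seconds, b.seconds), min(kb_limits) if kb_limits else 0)


WEAK = {"DES", "MD5", 1}


def weak_transforms(policy: List[Transform]) -> List[Transform]:
    """Transforms a peer could obtain by offering only the weaker options."""
    return [t for t in policy if {t.encryption, t.auth, t.dh_group} & WEAK]


# Proventia: a single proposal on each phase (Tables 2 and 5)
PROVENTIA_P1 = [Transform("3DES", "SHA1", 2)]
PROVENTIA_P1_LIFE = Lifetime(7200, 0)
PROVENTIA_P2 = [Transform("3DES", "SHA1", 2)]
PROVENTIA_P2_LIFE = Lifetime(7200, 0)

# Symantec global_ike_policy (Table 12): first choices before second choices
SYMANTEC_P1 = expand(["3DES", "DES"], ["SHA1", "MD5"], [2, 1])
SYMANTEC_P1_LIFE = Lifetime(7200, 0)
# Symantec ike_default_crypto_strong (Table 11)
SYMANTEC_P2 = [Transform("3DES", "SHA1", 2)]
SYMANTEC_P2_LIFE = Lifetime(28800, 2_100_000)


def summary() -> dict:
    """Outcome for the policies in this document."""
    return {
        "phase1": negotiate(PROVENTIA_P1, SYMANTEC_P1),
        "phase1_lifetime": effective_lifetime(PROVENTIA_P1_LIFE, SYMANTEC_P1_LIFE),
        "phase2": negotiate(PROVENTIA_P2, SYMANTEC_P2),
        "phase2_lifetime": effective_lifetime(PROVENTIA_P2_LIFE, SYMANTEC_P2_LIFE),
        "symantec_p1_fallbacks": weak_transforms(SYMANTEC_P1),
    }


if __name__ == "__main__":
    for k, v in summary().items():
        print(f"{k}: {v}")
    # A peer offering only the Symantec second choices still gets a Phase 1 SA:
    print("downgraded peer:", negotiate([Transform("DES", "MD5", 1)], SYMANTEC_P1))
    # A peer offering only AES is refused by the policies in this document:
    print("AES-only peer:", negotiate([Transform("AES-128", "SHA1", 2)], SYMANTEC_P1))
```

The summary shows both phases settling on 3DES/SHA1/Group 2, a Phase 2 lifetime governed by the Proventia 7200-second limit with the Symantec 2,100,000 KB limit on top, and seven weaker Phase 1 combinations that the Symantec policy would still accept from a less careful peer. Change the lists at the top to see the effect of removing the second choices or of switching both sides to AES.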

Configuring Address Transforms on the Symantec System

Introduction
This topic describes how to configure address transforms on the Symantec system. Configuring address transforms involves the following tasks:
  - creating an outbound address transform
  - creating an inbound address transform

Create outbound address transform
To create an outbound address transform:
1. Select Access Controls > Address Transforms.
2. In the left pane, right-click Address Transforms, and then select New > Address Transform.
3. Configure the following on the General tab:
     Name                      VPNOutbound
     Description               Outbound traffic for VPN tunnel
4. Configure the following on the Definition tab:
     Coming in Via             <ANY>
     From Client               Universe
     To Server                 Universe
     Going out Via             <ANY VPN>
     Client Address Transform  Use Original Client Address
5. Click OK.

Create inbound address transform
To create an inbound address transform:
1. In the left pane, right-click Address Transforms, and then select New > Address Transform.
2. Configure the following on the General tab:
     Name                      VPNInbound
     Description               Inbound traffic for VPN tunnel
3. Configure the following on the Definition tab:
     Coming in Via             <ANY VPN>
     From Client               Universe
     To Server                 Universe
     Going out Via             <ANY>
     Client Address Transform  Use Original Client Address
4. Click OK.

Saving and reconfiguring
To save and reconfigure, click Save and Reconfigure.
