Configuring a VPN between a Sidewinder G2 and a NetScreen


Overview

This document explains how to create a basic gateway-to-gateway VPN between a Sidewinder G2 Security Appliance and a Juniper/NetScreen integrated firewall/IPSec VPN appliance. Both the Sidewinder G2 and NetScreen firewalls are IKE compatible. This document steps through suggested configurations on both firewalls for creating a fixed password, inside tunnel VPN.

This document was written and tested using a 6.1 Sidewinder G2 Security Appliance and a NetScreen 5-GT integrated firewall/IPSec VPN appliance.

Note: For more information on creating a Sidewinder VPN, see the VPN chapter in the Sidewinder G2 Administration Guide.

This example assumes a network configuration that resembles Figure 1.

Figure 1. Basic gateway-to-gateway VPN diagram (Sidewinder G2: internal interface 172.23.1.1 on network 172.23.1.0, external interface 111.1.1.8; Internet; NetScreen: untrusted interface 111.1.1.7, trusted interface 192.168.1.1 on network 192.168.1.0)


Configuring VPNs on the Sidewinder G2 firewall

This section describes the setup of a Security Association (SA) to protect traffic between a Sidewinder G2 gateway and a NetScreen gateway. It assumes the following items are configured as required:

Note: The second and third bullet points are only required if your security policy calls for terminating the VPN in a virtual, or DMZ, burb.

- The ISAKMP server. When you create the first Sidewinder G2 VPN, you must enable the server, set it to listen on the appropriate burb, and add a rule to the active rule group that allows ISAKMP traffic.

- Any virtual burbs you may need.

- If the termination point is not in the internal burb, the rules needed to move traffic from the VPN termination point to the local network’s burb.

To create a Sidewinder G2 SA for connecting to the NetScreen, do the following:

1. Select VPN Configuration -> Security Associations.

2. Click New. A window similar to the following appears.

Figure 2. Security Associations: General tab

3. On the General tab, enter the following settings:

- Name = NetScreen (pick a site-appropriate name)

- Enabled = Yes

- Burb = internal (or the virtual burb’s name)

- Mode = Fixed IP

- Remote IP = NetScreen’s external/untrusted interface, 111.1.1.7

- Local Network/IP = Sidewinder G2 internal network, 172.23.1.0/24 (same as in step 11 on page 7)

- Remote Network/IP = NetScreen’s internal/trusted network, 192.168.1.0/24


4. Click the Authentication tab. The following window appears.

Figure 3. Security Associations: Authentication tab

5. Enter the following information:

- In the Authentication Method field, select Password.

- Enter and verify the same shared key you enter in step 9 on page 7.

- Leave the Identities tab set to its defaults.

6. Click the Advanced tab. A window similar to the following appears.

Figure 4. Security Associations: Advanced tab

7. On the Advanced tab, do one of the following:

- If you turned off PFS on the NetScreen, do not modify this tab.

- If you leave the default on the NetScreen, turn on PFS and use the arrows to choose Oakley Group 2.


Setting up the VPN on the NetScreen

The Sidewinder G2 firewall and the NetScreen firewall use different terminology for their configuration parameters. NetScreen refers to its external side as its “untrusted” interface. On Sidewinder G2, this is known as the external, or Internet, burb or interface. The NetScreen also has four separate interfaces that reside in the same (trusted) virtual area. On initial setup, these interfaces and the NetScreen will, by default, pass all traffic from the trusted to the untrusted side using network address translation (NAT). NetScreen provides a VPN configuration wizard option at the bottom of the configuration screen to guide users through setting up VPN parameters.

Activate the VPN Wizard and enter the following information. Adjust the IP addresses as appropriate for your configuration:

1. In the left hand pane, select Wizards -> VPN and start the VPN Configuration wizard. The following window appears.

Figure 5. VPN tunnel type

2. Select Lan-to-Lan.

3. Click Next. The following window appears.

Figure 6. Local and remote gateway IP address types

4. Select Local Static IP <-> Remote Static IP, as you will always know the IP addresses of both gateways in a firewall-to-firewall VPN.


Figure 7. Remote Gateway IP address

6. In the Remote Gateway IP Address field, specify the external IP address of the Sidewinder G2 firewall.

7. Click Next. The following window appears.

Figure 8. Security level and shared password

8. Choose Standard Encryption. This indicates that the NetScreen will try 3DES or AES encryption. (Compatible encryption uses DES, which is less secure.)

9. Specify the same shared password you entered in step 5 on page 5.

10. Click Next. The following window appears:

Figure 9. Addresses of remote networks

11. Specify the Sidewinder G2 internal network. In Figure 1, this is 172.23.1.0/24.


Figure 10. Addresses of local networks

13. Specify the subnets of the (NetScreen’s) internal networks. In Figure 1, this is 192.168.1.0/24.

Caution: Ensure you are consistent when specifying network information. For example, 192.168.1.0/24 is not the same as 192.168.1.1/24.

14. Click Next. The following window appears.

Figure 11. VPN tunnel properties


16. View the VPN properties by navigating to the left hand pane and selecting VPN -> AutoKey IKE. The following window appears.

Figure 12. VPN -> AutoKey IKE main

17. Click Edit to edit some of the VPN’s basic properties.


18. Click Advanced to view the Phase 2 proposals.

Figure 14. Autokey Advanced window

At this point, NetScreen, by default, tries 3DES and AES with PFS (Perfect Forward Secrecy) using Oakley Group 2. These parameters will not work with the Sidewinder G2 firewall and need to be adjusted.

Switch to the User Defined: Custom option and then use the drop-down list to select 3DES with either the MD5 or SHA1 hashing algorithm. You have two options for the PFS setting:

Note: Your PFS setting needs to match the PFS setting selected in step 7 on page 5.

- Use PFS. PFS generates more rekeying overhead and should be used when Sidewinder G2 will be hosting a small number of VPN connections. Menu options that begin “g2” use Group 2 and PFS.
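The compatibility rules above (3DES with MD5 or SHA1, PFS matching on both ends with Oakley Group 2, each side's remote gateway and networks mirroring the other's, and the wizard's caution about 192.168.1.0/24 versus 192.168.1.1/24) can be checked mechanically before the tunnel is brought up. The checker below is an added example written for this page, not code from the original document or from either vendor; the NetScreen proposal naming ("g2-…" and "nopfs-…") follows the page's note, while the field names, helper functions and the sample settings (addresses from Figure 1) are this example's own assumptions.

```python
import ipaddress

def parse_netscreen_proposal(name):
    """Split a NetScreen Phase 2 proposal name such as 'g2-esp-3des-sha'; per the
    page, 'g2' means Group 2 with PFS and 'nopfs' means PFS off (layout assumed)."""
    pfs, proto, enc, auth = name.lower().split("-")
    return {"pfs": pfs != "nopfs", "group": 2 if pfs == "g2" else None,
            "proto": proto, "enc": enc, "hash": "sha1" if auth == "sha" else auth}

def strict_network(spec):
    """Network for 'a.b.c.d/nn', or None when host bits are set (the page's
    caution: 192.168.1.0/24 is not the same as 192.168.1.1/24)."""
    try:
        return ipaddress.ip_network(spec, strict=True)
    except ValueError:
        return None

def check_vpn_pair(sw, ns):
    """Return mismatches between a Sidewinder G2 SA (sw) and a NetScreen tunnel (ns)."""
    problems = []
    prop = parse_netscreen_proposal(ns["proposal"])
    # Phase 2 algorithms: the page says 3DES with MD5 or SHA1 is what both sides accept
    if prop["enc"] != "3des" or prop["hash"] not in ("md5", "sha1"):
        problems.append(f"proposal {ns['proposal']}: use 3DES with MD5 or SHA1")
    # PFS must match at both ends; when on, both ends must use Oakley Group 2
    if prop["pfs"] != sw["pfs"]:
        problems.append("PFS is on at one end and off at the other")
    elif prop["pfs"] and (sw["group"] != 2 or prop["group"] != 2):
        problems.append("PFS is on but the DH group is not Group 2 at both ends")
    # Each side's remote gateway must be the other side's external address
    if sw["remote_ip"] != ns["gateway_ip"] or ns["remote_gateway_ip"] != sw["gateway_ip"]:
        problems.append("remote gateway addresses do not point at each other")
    # Protected networks must be true network addresses and mirror each other
    nets = {"sw_local": sw["local_net"], "sw_remote": sw["remote_net"],
            "ns_local": ns["local_net"], "ns_remote": ns["remote_net"]}
    nets = {k: strict_network(v) for k, v in nets.items()}
    for key, net in nets.items():
        if net is None:
            problems.append(f"{key}: host bits set; give the network address")
    if None not in nets.values() and (nets["sw_local"] != nets["ns_remote"]
                                      or nets["sw_remote"] != nets["ns_local"]):
        problems.append("local/remote networks are not mirrored between the sides")
    return problems

# Constructed settings using the addresses from the page's Figure 1
SIDEWINDER = {"gateway_ip": "111.1.1.8", "remote_ip": "111.1.1.7", "pfs": True,
              "group": 2, "local_net": "172.23.1.0/24", "remote_net": "192.168.1.0/24"}
NETSCREEN = {"gateway_ip": "111.1.1.7", "remote_gateway_ip": "111.1.1.8",
             "proposal": "g2-esp-3des-sha", "local_net": "192.168.1.0/24",
             "remote_net": "172.23.1.0/24"}
```

Calling check_vpn_pair(SIDEWINDER, NETSCREEN) returns an empty list for the settings above; changing the NetScreen proposal to nopfs-esp-3des-md5 while the Sidewinder SA keeps PFS on reports the PFS mismatch.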


Figure 15. Custom policy with NOPFS/3DES selected

19. Click Return.

Verifying the VPN connection

Your VPN tunnels should now pass traffic between the two gateways. The following is a GUI-based method of verifying that your VPN connection is active:

1. Using the Admin Console, go to VPN Configuration -> Security Associations.

2. Verify that an asterisk appears in the Active column.

To gather more detailed information about a connection, use either or both of these commands:

1. Start a command line session to the Sidewinder G2 firewall.

2. Enter either of the following commands:

- tcpdump -npi <external interface> port 500 or proto 50

  Use this command to monitor output while generating traffic between the protected networks.

- showaudit -kv

  Use this command to view a real-time audit of the tunnel output on the Sidewinder G2 firewall.

If traffic isn’t passing properly, troubleshoot the results as normal. If necessary, contact Secure Computing Technical Support for more assistance.
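The tcpdump filter above shows IKE on UDP port 500 and ESP (IP protocol 50); what appears, and what is missing, points at which part of the configuration to revisit. The classifier below is an added example written for this page, not code from the original document or from Secure Computing; the capture lines are constructed in tcpdump -n style (the exact output text varies by tcpdump version, so the patterns are assumptions), and the verdicts map onto the configuration points the page covers.

```python
import re

# tcpdump -n style lines for "port 500 or proto 50"; the exact text varies by
# tcpdump version, so these patterns are this example's own assumptions
ISAKMP_RE = re.compile(r"IP (\S+)\.500 > (\S+)\.500: isakmp: phase (1|2)")
ESP_RE = re.compile(r"IP (\S+) > (\S+): ESP\(spi=0x[0-9a-f]+,seq=0x[0-9a-f]+\)")

def assess_tunnel(lines, local_gw, remote_gw):
    """Count IKE phases and ESP directions between the two gateways and map the
    result onto the configuration points this page covers."""
    seen = {"phase1": 0, "phase2": 0, "esp_out": 0, "esp_in": 0}
    for line in lines:
        m = ISAKMP_RE.search(line)
        if m and {m.group(1), m.group(2)} == {local_gw, remote_gw}:
            seen["phase1" if m.group(3) == "1" else "phase2"] += 1
            continue
        m = ESP_RE.search(line)
        if m and (m.group(1), m.group(2)) == (local_gw, remote_gw):
            seen["esp_out"] += 1
        elif m and (m.group(1), m.group(2)) == (remote_gw, local_gw):
            seen["esp_in"] += 1
    if seen["esp_out"] and seen["esp_in"]:
        verdict = "tunnel up: ESP flowing in both directions"
    elif seen["esp_out"] or seen["esp_in"]:
        verdict = "one-way ESP: recheck the local/remote network definitions and burb rules"
    elif seen["phase2"]:
        verdict = "Phase 2 not completing: compare the 3DES/MD5-SHA1 and PFS settings"
    elif seen["phase1"]:
        verdict = "Phase 1 not completing: verify the shared password matches on both ends"
    else:
        verdict = "no IKE seen: check the ISAKMP server, its burb and the ISAKMP rule"
    return {**seen, "verdict": verdict}

# Constructed capture between the Figure 1 gateways (Sidewinder 111.1.1.8, NetScreen 111.1.1.7)
SAMPLE = [
    "10:01:00.000001 IP 111.1.1.8.500 > 111.1.1.7.500: isakmp: phase 1 I ident",
    "10:01:00.000002 IP 111.1.1.7.500 > 111.1.1.8.500: isakmp: phase 1 R ident",
    "10:01:00.000003 IP 111.1.1.8.500 > 111.1.1.7.500: isakmp: phase 2/others I oakley-quick[E]",
    "10:01:00.000004 IP 111.1.1.7.500 > 111.1.1.8.500: isakmp: phase 2/others R oakley-quick[E]",
    "10:01:01.000001 IP 111.1.1.8 > 111.1.1.7: ESP(spi=0x0a1b2c3d,seq=0x1), length 116",
    "10:01:01.000002 IP 111.1.1.7 > 111.1.1.8: ESP(spi=0x4e5f6a7b,seq=0x1), length 116",
]

if __name__ == "__main__":
    print(assess_tunnel(SAMPLE, "111.1.1.8", "111.1.1.7")["verdict"])
```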
