VPNC Interoperability Profile




StoneGate Firewall/VPN 4.2 and StoneGate Management Center 4.2 VPNC Interoperability Profile For VPN Consortium Example Scenario 1

Introduction

This document describes how to configure a StoneGate Firewall/VPN as a VPN gateway according to the VPN Consortium's interoperability Scenario 1. The scenario is not intended as an example that you can use for checking how a full range of VPN settings are configured in two different devices. Using the document may help alleviate problems related to mismatched settings when creating VPNs.

Scenario 1 is outlined below. A detailed description of the two scenarios and their purpose can be found at http://www.vpnc.org/interopprofiles/interop-01.html. These scenarios were developed by the VPN Consortium.

Scenario 1: Gateway-to-Gateway with Pre-Shared Secrets

The following is a typical gateway-to-gateway VPN that uses a pre-shared secret for authentication.

Illustration 1 Example Network Diagram

Gateway A connects the internal LAN 10.5.6.0/24 to the Internet. Gateway A's LAN interface has the address 10.5.6.1, and its WAN (Internet) interface has the address 14.15.16.17.

Gateway B connects the internal LAN 172.23.9.0/24 to the Internet. Gateway B's WAN (Internet) interface has the address 22.23.24.25. Gateway B's LAN interface address, 172.23.9.1, can be used for testing IPsec but is not needed for configuring Gateway A.

In this example, Gateway A was selected to be a StoneGate VPN gateway.

The IKE Phase 1 parameters used in Scenario 1 are:
- Main mode
- TripleDES
- SHA-1
- MODP group 2 (1024 bits)
- Pre-shared secret of "hr5xb84l6aa9r6"
- SA lifetime of 28800 seconds (eight hours) with no kbytes rekeying

The IKE Phase 2 parameters used in Scenario 1 are:
- TripleDES
- SHA-1
- ESP tunnel mode
- MODP group 2 (1024 bits)
- Perfect forward secrecy for rekeying
- SA lifetime of 3600 seconds (one hour) with no kbytes rekeying
- Selectors for all IP protocols, all ports, between 10.5.6.0/24 and 172.23.9.0/24, using IPv4 subnets

Configuration Outline

The recommended procedure for setting up a VPN is as follows:
1. Configure the Firewall/VPN engine's interfaces for the network environment (see Configuring the Interfaces and Configuring Routing).
2. Test the basic connectivity without a VPN (see Testing General Network Connectivity).
3. Define the VPN settings for the scenario (see Configuring the VPN).
4. Activate the VPN in the firewall's policy (see Activating the VPN in the Firewall Policy).
5. Verify that connections can use the VPN as expected.

Configuring the Interfaces

Prerequisites: Management Center and the firewall engine are installed and licensed.

For information on installing and licensing the components of the StoneGate system, see the Installation Guide.

Note: The interface configuration below assumes a single firewall is used in this configuration, but the clustered configuration is similar. In a cluster, the LAN and WAN IP addresses are defined as CVI interfaces. An NDI address is also recommended for each network, but NDI addresses are not used in the VPN configuration.

To define the interfaces for the scenario

Illustration 2 Adding a Physical Interface

1. Open the properties of the Firewall element.
2. Switch to the Interfaces tab.
3. Click Add and select Physical Interface. The Physical Interface Properties dialog opens.

Illustration 3 Filling in Physical Interface Properties for the LAN Interface

1. Select an Interface ID for the LAN interface. In this example, we select 0.
2. Click OK.

Illustration 4 Filling in the Physical Interface Properties for the WAN Interface

1. Add a second Physical Interface definition (as shown in Illustration 2). Select an Interface ID for the WAN interface. In this example, we select 1.
2. Click OK.

Illustration 5 Adding the LAN IP Address

Right-click the LAN interface (in this example, NIC 0) and select New IP Address. The IP Address Properties dialog opens.

Illustration 6 LAN IP Address Properties

1. Enter the LAN IP address 10.5.6.1.
2. Click OK. The rest of the information is generated automatically based on the IP address (the resulting values are shown in this illustration for your reference).

Illustration 7 Adding the WAN IP Address

1. Back on the Interfaces tab, right-click the WAN interface (in this example, NIC 1) and select New IP Address. The IP Address Properties dialog opens.
2. Enter the WAN IP address 14.15.16.17.
3. Click OK.

Illustration 8 Completed Interface Configuration

The Firewall/VPN engine expects the Management Server to be reachable through the Control interface. IP-address-bound licenses are also tied to this address. The Options button below the listing allows you to change the Control interface. Click OK. A notification is displayed.

Illustration 9 Confirmation

Click Yes. The Routing view opens.

Configuring Routing

To add a single-link default route for the Firewall/VPN gateway

Illustration 10 Creating a New Router in the Routing View

Right-click the network of the WAN interface (14.15.16.0/24) and select New Router. The Router Properties dialog opens.

Illustration 11 Router Element Properties

1. Name the element.
2. Type in the IP address of the next-hop router to the Internet (in this example scenario, the router would have an address within the network 14.15.16.0/24).
3. Click OK.

To define a default route

Illustration 12 Configuring the Default Route

Right-click the Router you just added and select New Any Network from the menu that opens.

The Routing view should now look like Illustration 13.

Illustration 13 Routing View: Default Gateway Defined

See the StoneGate Firewall/VPN Installation Guide for more configuration instructions.

Testing General Network Connectivity

Prerequisites: The firewall is installed and connected to the Management Server.

This section instructs you how to test network connectivity before the VPN is set up. The example Access rule allows ICMP echo requests from any address to any address so that ping can be used for testing the connectivity from either gateway or any host in either network. To test network connectivity between the gateways, you also need to configure the remote gateway to allow the test traffic (ping in this case). The instructions below explain how to ping Gateway B from Gateway A, the StoneGate firewall engine.

If you need more instructions for creating the Access rule, select Help > Help Topics from the Management Client's top menu to open the Online Help.

To test network connectivity

1. Create a new firewall policy or open an existing policy for editing.
2. Add the Access rule shown in Illustration 14 as the first rule in the policy.

Caution: Do not install a rule such as depicted here (allowing pinging from any host to any other host) on a device that is used as a firewall between an actual internal network and the Internet. In such a setting, only include the particular hosts that are used for testing.

Illustration 14 Rule for Testing Connectivity

There is no need to allow StoneGate's management connections separately in the policy if the policy is based on the Default policy template (as all policies are unless specifically configured otherwise).

3. Install the policy on the firewall. During policy installation, all configuration changes are transferred to the firewall, including the interface and route definitions.
4. Connect to the Firewall/VPN gateway: you can make a console connection (using a serial cable or a directly connected display and keyboard). With SSH access enabled, you can also connect remotely using an SSH client (such as PuTTY).
5. Log in using the root username and the password that you defined during the engine installation.
6. Give the command ping 22.23.24.25. Successful replies indicate that the network connection between the gateways works properly. If no replies arrive from the remote gateway, do not proceed with the VPN configuration; solve the problems in the network connectivity first.

Configuring the VPN

Prerequisites: The firewall is operational and verified to have connectivity to Gateway B.

The Online Help of the Management Client contains complete instructions on how to configure VPNs and the meaning of the various settings. This document only instructs you on the specific scenario described in the introduction.

The VPN settings are stored in elements that can be reused in several VPNs. The following elements are needed for this scenario:
- A VPN Profile element sets the correct IKE Phase 1 and Phase 2 settings.
- A VPN element is a central container for the VPN settings and defines the topology. All other VPN-related elements can be reused in multiple VPNs, so the VPN element determines which combination of the elements is used in one particular VPN.
- An Internal Security Gateway element is created for Gateway A ("internal" as it is managed by your StoneGate Management Server). This defines the end-point settings and establishes that the WAN IP address is used as the gateway's identity in the VPN.
- An External Security Gateway element is created for Gateway B ("external" as it is not managed by this StoneGate Management Server). It contains the end-point and identity information for Gateway B.
- A Site element is created for each gateway. The Site defines the IP addresses of the internal networks behind Gateway A and Gateway B and thus makes those addresses valid for use within the VPN.

To create the VPN Profile for IKE settings

Illustration 15 Creating a New VPN Profile

1. Click the Configuration icon to switch to the Configuration View.
2. Expand Virtual Private Networks.
3. Right-click Profiles and select New VPN Profile. The VPN Profile Properties dialog opens.

Illustration 16 VPN Profile Properties - General Tab

Give the element a name. The Overview displays a summary of the currently selected settings from all tabs. As you can see, some of the default settings must be changed for this scenario.

Illustration 17 VPN Profile Properties - IKE (Phase 1)

1. Switch to the IKE (Phase 1) tab.
2. Deselect AES-256.
3. Select 3DES.
4. Deselect 5 (1536 bits).
5. Select 2 (1024 bits).
6. Change SA Lifetime in Minutes to 480 (8 hours).

Your settings should now be identical to those in this illustration. Note that the SA lifetime is set in minutes in StoneGate. Other products may use seconds as the unit. Double-check this value if you need to convert between different units. A mismatch in lifetime values may cut off the VPN until both gateways agree that the lifetime has elapsed.

Note: The 3DES setting corresponds to TripleDES and the Diffie-Hellman Groups setting to the MODP group in the scenario description (see Introduction).

Illustration 18 VPN Profile Properties - IPsec (Phase 2)

1. Switch to the IPsec (Phase 2) tab.
2. Deselect AES-256.
3. Set the lifetime to 60 minutes (one hour).
4. Select Use PFS with Diffie-Hellman Group and then select 2 (1024 bits) from the list. Your settings should now be identical to those in this illustration.
5. Click OK. The VPN Profile is complete.

Note: The Use PFS with Diffie-Hellman Group setting with the associated drop-down list corresponds to MODP group 2 (1024 bits) and Perfect forward secrecy for rekeying in the scenario description (see Introduction).

To create a VPN element

Illustration 19 Creating a New VPN Element

Right-click VPNs and select New VPN. The VPN Properties dialog opens.
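The Phase 1 and Phase 2 values entered in the VPN Profile above have to agree with whatever Gateway B's administrator configures, and the minutes-versus-seconds lifetime unit and the differing vendor names (3DES/TripleDES, Diffie-Hellman group/MODP group) are where the two sides usually drift apart. The following Python script is an added example, not part of the Stonesoft guide and not a StoneGate tool: it normalises both gateways' proposals (algorithm names, group labels, lifetime units) plus the mirrored LAN selectors and reports every mismatch before the tunnel is brought up. The alias table, the Phase and Gateway classes, and the "mistyped" Gateway B are constructed for this example.

```python
from dataclasses import dataclass
import ipaddress

# Vendor spellings that denote the same algorithm or Diffie-Hellman group
# (constructed for this example; extend for other products as needed).
ALIASES = {
    "tripledes": "3des", "3des": "3des", "des-ede3": "3des",
    "sha-1": "sha1", "sha1": "sha1", "hmac-sha1": "sha1",
    "modp group 2": "dh2", "modp1024": "dh2", "2 (1024 bits)": "dh2", "dh2": "dh2",
    "modp group 5": "dh5", "modp1536": "dh5", "5 (1536 bits)": "dh5", "dh5": "dh5",
}
# Lifetime units: StoneGate enters minutes, the VPNC scenario lists seconds.
UNIT_SECONDS = {"seconds": 1, "minutes": 60, "hours": 3600}


def canon(name: str) -> str:
    """Map a vendor name to a canonical token; unknown names pass through."""
    key = " ".join(name.strip().lower().split())
    return ALIASES.get(key, key)


@dataclass
class Phase:
    encryption: str
    integrity: str
    dh_group: str      # Phase 1: IKE group; Phase 2: PFS group ("" when PFS is off)
    lifetime: int
    unit: str = "seconds"

    def normalised(self) -> dict:
        """Vendor-neutral view of the proposal, lifetime always in seconds."""
        return {"encryption": canon(self.encryption),
                "integrity": canon(self.integrity),
                "dh_group": canon(self.dh_group) if self.dh_group else "",
                "lifetime_seconds": self.lifetime * UNIT_SECONDS[self.unit]}


@dataclass
class Gateway:
    name: str
    phase1: Phase
    phase2: Phase
    local_lan: str     # network behind this gateway (its own Site)
    remote_lan: str    # network behind the peer (the Site defined for the peer)


def compare(a: Gateway, b: Gateway) -> list:
    """Return human-readable mismatches; an empty list means the peers agree."""
    problems = []
    for label, pa, pb in (("IKE Phase 1", a.phase1, b.phase1),
                          ("IPsec Phase 2", a.phase2, b.phase2)):
        na, nb = pa.normalised(), pb.normalised()
        for key in na:
            if na[key] != nb[key]:
                problems.append(f"{label} {key}: {a.name}={na[key]} vs {b.name}={nb[key]}")
    # Selectors must mirror each other: A's remote LAN is B's local LAN and vice versa.
    net = ipaddress.ip_network
    if net(a.local_lan) != net(b.remote_lan) or net(a.remote_lan) != net(b.local_lan):
        problems.append(f"selectors do not mirror: {a.name} {a.local_lan}->{a.remote_lan}, "
                        f"{b.name} {b.local_lan}->{b.remote_lan}")
    return problems


# Gateway A as configured in this guide (StoneGate: lifetimes entered in minutes).
GATEWAY_A = Gateway("Gateway A", Phase("3DES", "SHA-1", "2 (1024 bits)", 480, "minutes"),
                    Phase("3DES", "SHA-1", "2 (1024 bits)", 60, "minutes"),
                    "10.5.6.0/24", "172.23.9.0/24")
# Gateway B in the scenario's own vocabulary (lifetimes in seconds).
GATEWAY_B = Gateway("Gateway B", Phase("TripleDES", "SHA-1", "MODP group 2", 28800),
                    Phase("TripleDES", "SHA-1", "MODP group 2", 3600),
                    "172.23.9.0/24", "10.5.6.0/24")
# Constructed mistake: the StoneGate minute values typed into a seconds field.
GATEWAY_B_MISTYPED = Gateway("Gateway B", Phase("TripleDES", "SHA-1", "MODP group 2", 480),
                             Phase("TripleDES", "SHA-1", "MODP group 2", 60),
                             "172.23.9.0/24", "10.5.6.0/24")

if __name__ == "__main__":
    print("A vs B:", compare(GATEWAY_A, GATEWAY_B) or "match")
    for problem in compare(GATEWAY_A, GATEWAY_B_MISTYPED):
        print("A vs mistyped B:", problem)
```

Run against the guide's values the script reports a clean match; the mistyped variant flags both lifetimes, which is the failure the Phase 1 note describes (the tunnel drops once the shorter side expires its SA).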

Illustration 20 VPN Properties

1. Name the element.
2. Select the VPN Profile you just created.
3. Click OK. The VPN opens for editing.

Note that address translation rules are not applied to tunneled traffic by default.

To define the properties of the internal security gateway (Gateway A)

Illustration 21 VPN Editing View - Overall Topology Tab

Right-click Central Gateways and select New Internal Security Gateway. The Internal Security Gateway Properties dialog opens.

Illustration 22 Internal Security Gateway Properties - General Tab

1. Name the element.
2. Select the Firewall element that this Gateway represents. No further configuration is needed for this example scenario.

The next few illustrations review the other settings in this dialog and explain where the correct default settings come from.

Illustration 23 Internal Security Gateway Properties - End-Points Tab

1. Switch to the End-Points tab. The correct IP address (14.15.16.17) is already selected because the default gateway is behind this interface in routing.
2. Right-click the end-point's row and select Properties. The End-Point Properties dialog opens.

Illustration 24 End-Point Properties

The type and value of the IKE Phase 1 identity are selected here. IP Address is the correct ID type for this scenario. The IP address is always that of the end-point. Click OK.

Illustration 25 Internal Security Gateway Properties - Sites Tab

1. Switch to the Sites tab. By default, all internal networks are included and updated based on the Routing view. These can still be edited, but there is no need for that in this example.
2. Click OK.

To define the properties of the external security gateway (Gateway B)

Illustration 26 VPN Editing View - Overall Topology Tab

Right-click Central Gateways and select New External Security Gateway. The External Security Gateway Properties dialog opens.

Illustration 27 External Security Gateway Properties - General Tab

Type Gateway B as the name.

Illustration 28 External Security Gateway Properties - End-Points Tab

Click the New icon and select External End-Point. The External End-Point Properties dialog opens.

Illustration 29 External End-Point Properties

1. Type in Gateway B's WAN IP address 22.23.24.25. IP Address (the default selection) is the correct ID type for this scenario.
2. Click OK.

Illustration 30 External Security Gateway Properties - Sites Tab

1. Switch to the Sites tab.
2. Right-click New Site and select Properties. The Site Properties dialog opens.

Illustration 31 Site Properties

1. Change the name to something more descriptive, for example, Gateway B LAN.
2. Click Networks.

Illustration 32 Site Properties

Right-click an element or the empty space and select New Network. The Network Properties dialog opens.

Illustration 33 Network Properties

1. Name the element.
2. Type in Gateway B's LAN network: 172.23.9.0.
3. Click OK.

Note: The scenario description (see Scenario 1: Gateway-to-Gateway with Pre-Shared Secrets in the Introduction) refers to the configuration of selectors between the two LAN networks. This remote LAN definition (together with the local LAN definition derived automatically from the Routing view) allows those selectors to be created.

Illustration 34 Site Properties

1. Select the Network you just created.
2. Click Add.
3. Click OK.

Illustration 35 External Security Gateway Properties - Sites Tab

Click OK. Gateway B is now configured.

Illustration 36 VPN Editing View - Tunnels Tab

1. Switch to the Tunnels tab.
2. Right-click the Key cell and select Edit Key. The Preshared Key dialog opens.

Illustration 37 Preshared Key

1. Delete the automatically generated key and replace it with the correct key. The scenario uses hr5xb84l6aa9r6.
2. Click OK.

Illustration 38 VPN Editing View - Tunnels Tab

The VPN is now configured. Click the Save button in the toolbar. Automatic validation works in the background. A green icon in the Issues tab heading means that the configuration passed validation. If any problems are found, a red icon is shown instead.

After the VPN is configured, you can direct traffic through the VPN tunnel by referring to the VPN in the firewall Access rules. Continue by Activating the VPN in the Firewall Policy.

Activating the VPN in the Firewall Policy

The final phase in the VPN configuration is to define the connections that are allowed in and out of the VPN using Access rules. If you need more instructions for creating the Access rule, select Help > Help Topics from the Management Client's top menu to open the Online Help.

To add a VPN Access rule

Illustration 39 Selecting the Matching Criteria

1. Add the Gateway A and Gateway B LAN networks in both the Source and Destination cells.
2. Right-click and select Set to ANY.
3. Click the default Discard action in the Action cell.

Illustration 40 Selecting the Action

Select Use VPN. The VPN Action dialog opens.

Illustration 41 VPN Action

1. Select Enforce.
2. Select the VPN you just created.
3. Click OK. At this point, the rule should look like the one in Illustration 42.

Illustration 42 VPN Rule

To activate the changed configuration, save the policy and install it on the firewall. The VPN configuration is also transferred at this time. The VPN is established when there is traffic that matches the Access rule you created (any LAN A to LAN B traffic in the example network). VPN traffic is inspected in the same way as all other traffic, and some protocols may require the correct Protocol Agent to be allowed through the firewall when stateful inspection is used for inspecting the connection.

Diagnostics

Following the instructions, you now have Gateway A configured for the gateway-to-gateway VPN. When Gateway B has been configured and you make a connection between the two LAN networks, the VPN is activated. You can monitor the VPN in the Status/Statistics view and view information about VPN traffic in the Logs view. To view more detailed logging information when troubleshooting a VPN, you can enable diagnostic logging for IPsec.

To enable VPN diagnostics

1. Right-click the Firewall element and select Options > Diagnostics. The Diagnostics dialog opens.
2. Select Diagnostic.
3. Select IPsec.
4. Click OK to confirm your selection. The diagnostics you selected are applied immediately.
5. Check the Logs view for IPsec-related log entries.
6. Disable the diagnostics when you are done examining the detailed information to reduce the number of generated logs.

Tip: The online help system contains VPN troubleshooting information and explanations of the most common VPN-related log messages.

Trademarks and Patents

Stonesoft, the Stonesoft logo and StoneGate are all trademarks or registered trademarks of Stonesoft Corporation. Multi-link technology, multi-link VPN, and the StoneGate clustering technology, as well as other technologies included in StoneGate, are protected by patents or pending patent applications in the U.S. and other countries. All other trademarks or registered trademarks are property of their respective owners.

Copyright and Disclaimer

Copyright 2000-2008 Stonesoft Corporation. All rights reserved. These materials, Stonesoft products and related documentation are protected by copyright and other laws, international treaties and conventions. All rights, title and interest in the materials, Stonesoft products and related documentation shall remain with Stonesoft and its licensors. All registered or unregistered trademarks in these materials are the sole property of their respective owners. No part of this document or related Stonesoft products may be reproduced in any form, or by any means without written authorization of Stonesoft Corporation.

Stonesoft provides these materials for informational purposes only. They are subject to change without notice and do not represent a commitment on the part of Stonesoft. Stonesoft assumes no liability for any errors or inaccuracies that may appear in these materials or for incompatibility between different hardware components, required BIOS settings, NIC drivers, or any NIC configuration issues. Use these materials at your own risk. Stonesoft does not warrant or endorse any third party products described herein.

THESE MATERIALS ARE PROVIDED "AS-IS." STONESOFT MAKES NO WARRANTIES, EXPRESS OR IMPLIED, AS TO THE INFORMATION CONTAINED HEREIN. IN ADDITION, STONESOFT MAKES NO EXPRESS OR IMPLIED WARRANTIES OF MERCHANTABILITY OR FITNESS FOR A PARTICULAR PURPOSE OR USE WITH RESPECT TO THE INFORMATION CONTAINED IN THESE MATERIALS. IN NO EVENT SHALL STONESOFT BE LIABLE FOR ANY INDIRECT, SPECIAL, CONSEQUENTIAL OR INCIDENTAL DAMAGES, INCLUDING, BUT NOT LIMITED TO, LOST PROFITS OR LOSS OR DAMAGE TO DATA ARISING FROM THE USE OF THESE MATERIALS, EVEN IF ADVISED IN ADVANCE OF THE POSSIBILITY OF SUCH DAMAGES.

Revision: 20080403

www.stonesoft.com

Stonesoft Corp., Itälahdenkatu 22a, FIN-00210 Helsinki, Finland, tel. +358 9 4767 11, fax +358 9 4767 1234
Stonesoft Inc., 1050 Crown Pointe Parkway, Suite 900, Atlanta, GA 30338, USA, tel. +1 770 668 1125, fax +1 770 668 1131