Configuring a VPN between a Sidewinder G2 and a NetScreen



Application Note

This document explains how to create a basic gateway-to-gateway VPN between a Sidewinder G2 Security Appliance and a Juniper Networks NetScreen integrated firewall/IPsec VPN appliance.

www.securecomputing.com

Table of Contents

Overview
Configuring VPNs on the Sidewinder G2 firewall
Setting up the VPN on the NetScreen
Verifying the VPN connection

86-0944329-A

Overview

This document explains how to create a basic gateway-to-gateway VPN between a Sidewinder G2 Security Appliance and a Juniper Networks NetScreen integrated firewall/IPsec VPN appliance. Both the Sidewinder G2 and the NetScreen are IKE compatible. The document steps through suggested configurations on both firewalls for a VPN between two fixed-IP gateways that authenticate each other with a shared password (pre-shared key) and carry the protected networks' traffic inside the tunnel.

This document was written and tested using a Sidewinder G2 Security Appliance running version 6.1 and a NetScreen-5GT integrated firewall/IPsec VPN appliance.

Note: For more information on creating a Sidewinder VPN, see the VPN chapter in the Sidewinder G2 Administration Guide.

This example assumes a network configuration that resembles Figure 1.

Figure 1. Basic gateway-to-gateway VPN diagram (addresses as labelled in the figure)

    172.23.1.0/24 --- Sidewinder G2 --- Internet --- NetScreen --- 192.168.1.0/24
                  internal 172.23.1.1          untrusted 111.1.1.7
                  external 111.1.1.8           trusted   192.168.1.1

Note: All example networks are 24-bit (/24). The 111.1.1.x addresses stand in for the two gateways' public addresses; substitute your own.

Configuring VPNs on the Sidewinder G2 firewall

This section describes the setup of a Security Association (SA) to protect traffic between a Sidewinder G2 gateway and a NetScreen gateway. It assumes the following items are already configured as required:

- The ISAKMP server. When you create the first Sidewinder G2 VPN, you must enable the server, set it to listen on the appropriate burb, and add a rule to the active rule group that allows ISAKMP traffic.
- Any virtual burbs you may need.
- If the termination point is not in the internal burb, the rules needed to move traffic from the VPN termination point to the local network's burb.

Note: The second and third items are only required if your security policy calls for terminating the VPN in a virtual, or DMZ, burb.

To create a Sidewinder G2 SA for connecting to the NetScreen, do the following:

1. Select VPN Configuration -> Security Associations.
2. Click New. A window similar to Figure 2 appears.

Figure 2. Security Associations: General tab

3. On the General tab, enter the following settings:
   Name = NetScreen (pick a site-appropriate name)
   Enabled = Yes
   Burb = internal (or the virtual burb's name)
   Mode = Fixed IP
   Remote IP = the NetScreen's external/untrusted interface, 111.1.1.7
   Local Network/IP = the Sidewinder G2 internal network, 172.23.1.0/24 (the same network you enter as the remote network in step 11 of the NetScreen section)
   Remote Network/IP = the NetScreen's internal/trusted network, 192.168.1.0/24 (the same network you enter as the local network in step 13 of the NetScreen section)

4. Click the Authentication tab. The window in Figure 3 appears.

Figure 3. Security Associations: Authentication tab

5. Enter the following information:
   In the Authentication Method field, select Password.
   Enter and verify the shared key. It must be identical to the shared password you enter on the NetScreen in step 9 of the NetScreen section. This key is the only thing that authenticates the peer gateway, so use a long, randomly generated value rather than a dictionary word.
   Leave the Identities tab set to its defaults.

6. Click the Advanced tab. A window similar to Figure 4 appears.

Figure 4. Security Associations: Advanced tab (the PFS fields are the ones to change if you use PFS)

7. On the Advanced tab, do one of the following:
   If you turn off PFS on the NetScreen, do not modify this tab.
   If you leave the NetScreen at its default (PFS on), turn on PFS here and use the arrows to choose Oakley Group 2.

Whichever you choose, the PFS setting and the Diffie-Hellman group must be the same on both gateways, or Phase 2 negotiation will fail.

Setting up the VPN on the NetScreen

The Sidewinder G2 firewall and the NetScreen firewall use different terminology for their configuration parameters. NetScreen refers to its external side as the untrusted interface; on the Sidewinder G2 this is the external, or Internet, burb or interface. The NetScreen-5GT also has four separate physical ports that all reside in the same trusted zone. In its initial configuration, the NetScreen will, by default, pass all traffic from the trusted to the untrusted side using network address translation (NAT).

NetScreen provides a VPN configuration wizard, reached from the bottom of the configuration screen, to guide you through setting up the VPN parameters. Start the VPN Wizard and enter the following information, adjusting the IP addresses as appropriate for your configuration:

1. In the left-hand pane, select Wizards -> VPN and start the VPN Configuration wizard. The window in Figure 5 appears.

Figure 5. VPN tunnel type

2. Select LAN-to-LAN.
3. Click Next. The window in Figure 6 appears.

Figure 6. Local and remote gateway IP address types

4. Select Local Static IP <-> Remote Static IP; in a firewall-to-firewall VPN you always know the IP addresses of both gateways.
5. Click Next. The window in Figure 7 appears.

Figure 7. Remote Gateway IP address

6. In the Remote Gateway IP Address field, specify the external IP address of the Sidewinder G2 firewall (111.1.1.8 in Figure 1).
7. Click Next. The window in Figure 8 appears.

Figure 8. Security level and shared password

8. Choose Standard encryption. With this setting the NetScreen proposes 3DES or AES. (The Compatible level also allows DES, whose 56-bit key is brute-forceable; do not use it.)
9. Specify the same shared password you entered on the Sidewinder G2 in step 5 of the previous section.
10. Click Next. The window in Figure 9 appears.

Figure 9. Addresses of remote networks

11. Specify the Sidewinder G2 internal network. In Figure 1, this is 172.23.1.0/24.

Tip: In a VPN connection, keep in mind that the definition of "remote" depends on perspective. From each firewall's point of view, the remote end is the system connecting to it from the Internet. When you configure the other VPN gateway, the terms reverse.

12. Click Next. The window in Figure 10 appears.

Figure 10. Addresses of local networks

13. Specify the subnets of the NetScreen's internal networks. In Figure 1, this is 192.168.1.0/24.

Caution: Be consistent when specifying network information, and enter the network address rather than a host address. For example, 192.168.1.0/24 is not the same as 192.168.1.1/24. If the two gateways' definitions of a protected network differ, they may disagree about which traffic belongs in the tunnel and the VPN will not pass traffic.

14. Click Next. The window in Figure 11 appears.

Figure 11. VPN tunnel properties

15. Click Next to submit the changes. Once the NetScreen has accepted the changes, the wizard has created the objects for a basic gateway-to-gateway VPN. However, some of the parameters it chooses must be adjusted before the tunnel will negotiate successfully with the Sidewinder G2; the following steps make those adjustments.

16. View the VPN properties by navigating to the left-hand pane and selecting VPN -> AutoKey IKE. The window in Figure 12 appears.

Figure 12. VPN -> AutoKey IKE main window

17. Click Edit to edit the VPN's basic properties (Figure 13).

Figure 13. AutoKey Edit window

Figure 14. AutoKey Advanced window

18. Click Advanced to view the Phase 2 proposals. At this point the NetScreen, by default, proposes 3DES and AES with PFS (Perfect Forward Secrecy) using Oakley group 2. These parameters will not work with the Sidewinder G2 firewall and need to be adjusted. Switch to the User Defined: Custom option and then use the drop-down list to select 3DES with either the MD5 or SHA-1 hashing algorithm (prefer SHA-1 where both ends offer it). You have two options for the PFS setting:

Note: Your PFS setting needs to match the PFS setting selected in step 7 of the Sidewinder section.

Use PFS. PFS performs a fresh Diffie-Hellman exchange at every Phase 2 rekey, so a later compromise of the Phase 1 (IKE) keying material does not expose past tunnel traffic. It generates more rekeying overhead and is the better choice when the Sidewinder G2 will be hosting a small number of VPN connections. Menu options whose names begin with g2 use group 2 with PFS.

No PFS. This matches a Sidewinder G2 firewall configured with its default key settings and is the lower-overhead choice when the Sidewinder G2 will be hosting many VPN connections; the trade-off is that the Phase 2 keys are derived from the Phase 1 keying material. Menu options whose names begin with nopfs use no PFS. Use the pull-down menu to select the nopfs-esp-3des-sha option, as shown in Figure 15.
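Because a mismatch in any of these settings (PFS on/off, the Diffie-Hellman group, the cipher and hash, or the protected-network definitions from steps 3 and 13) only shows up later as a tunnel that silently fails to negotiate, it is worth checking them against each other before clicking Return. The following Python script is an added example and is not part of this application note, nor Sidewinder or ScreenOS code. It models the NetScreen side by its ScreenOS Phase 2 proposal names (for example nopfs-esp-3des-sha or g2-esp-aes128-sha) and the Sidewinder side by a small dictionary whose field names (pfs_group, ciphers, hashes) are assumptions made for this script; the note does not list the Sidewinder's own cipher choices, so 3DES is assumed. The sample values are constructed from the addresses in Figure 1.

```python
"""Pre-flight check of the two gateways' SA settings before bringing up the tunnel.

Added example, not part of the application note and not Sidewinder or ScreenOS
code. The Sidewinder dictionary layout and its cipher list are assumptions.
"""
import ipaddress
import re

# ScreenOS predefined Phase 2 proposal names have the form <pfs>-esp-<cipher>-<hash>.
# "nopfs" means no PFS; "g2" means PFS with Oakley (Diffie-Hellman) group 2.
SCREENOS_P2 = re.compile(
    r"^(?P<pfs>nopfs|g1|g2|g5)-esp-(?P<cipher>des|3des|aes128|aes192|aes256)-(?P<hash>md5|sha)$"
)

WEAK_CIPHERS = {"des"}  # 56-bit key, brute-forceable; the wizard's Compatible level allows it
WEAK_HASHES = {"md5"}   # prefer SHA where both ends offer it


def parse_screenos_proposal(name):
    """Split a ScreenOS Phase 2 proposal name into PFS group, cipher and hash."""
    m = SCREENOS_P2.match(name)
    if not m:
        raise ValueError(f"not a ScreenOS Phase 2 proposal name: {name!r}")
    pfs = m.group("pfs")
    return {
        "pfs_group": None if pfs == "nopfs" else int(pfs[1:]),
        "cipher": m.group("cipher"),
        "hash": m.group("hash"),
    }


def matching_proposals(sidewinder, netscreen_proposals):
    """Return the NetScreen proposals the modelled Sidewinder SA would accept.

    A proposal matches only if PFS on/off and the DH group agree (the Note in
    step 18) and its cipher and hash are ones the Sidewinder SA allows.
    """
    accepted = []
    for name in netscreen_proposals:
        p = parse_screenos_proposal(name)
        if (p["pfs_group"] == sidewinder["pfs_group"]
                and p["cipher"] in sidewinder["ciphers"]
                and p["hash"] in sidewinder["hashes"]):
            accepted.append(name)
    return accepted


def weak_proposals(netscreen_proposals):
    """Proposals that use a weak cipher or hash and should be removed from the list."""
    weak = []
    for name in netscreen_proposals:
        p = parse_screenos_proposal(name)
        if p["cipher"] in WEAK_CIPHERS or p["hash"] in WEAK_HASHES:
            weak.append(name)
    return weak


def network_findings(sw_local, sw_remote, ns_local, ns_remote):
    """Check that all four protected-network entries are network addresses and that
    each gateway's local network is the other gateway's remote network."""
    findings = []
    parsed = {}
    entries = {"Sidewinder local": sw_local, "Sidewinder remote": sw_remote,
               "NetScreen local": ns_local, "NetScreen remote": ns_remote}
    for label, text in entries.items():
        try:
            # strict=True rejects a host address such as 192.168.1.1/24 (Caution, step 13)
            parsed[label] = ipaddress.ip_network(text, strict=True)
        except ValueError as exc:
            findings.append(f"{label}: {exc}")
    if len(parsed) == len(entries):
        if parsed["Sidewinder local"] != parsed["NetScreen remote"]:
            findings.append("Sidewinder local network != NetScreen remote network")
        if parsed["Sidewinder remote"] != parsed["NetScreen local"]:
            findings.append("Sidewinder remote network != NetScreen local network")
    return findings


# Constructed sample data mirroring the note: the wizard's Standard level (3DES/AES
# with PFS group 2) against a Sidewinder left at its default of no PFS.
NETSCREEN_STANDARD = ["g2-esp-3des-sha", "g2-esp-aes128-sha"]
SIDEWINDER_DEFAULT = {"pfs_group": None, "ciphers": {"3des"}, "hashes": {"sha", "md5"}}
SIDEWINDER_PFS_G2 = {"pfs_group": 2, "ciphers": {"3des"}, "hashes": {"sha", "md5"}}

if __name__ == "__main__":
    print("Standard vs Sidewinder default:", matching_proposals(SIDEWINDER_DEFAULT, NETSCREEN_STANDARD))
    print("After step 18:", matching_proposals(SIDEWINDER_DEFAULT, ["nopfs-esp-3des-sha"]))
    print("Step 7, PFS group 2:", matching_proposals(SIDEWINDER_PFS_G2, NETSCREEN_STANDARD))
    print("Networks:", network_findings("172.23.1.0/24", "192.168.1.0/24",
                                        "192.168.1.1/24", "172.23.1.0/24"))
```

Run as written, the first line of output is an empty list, which is the situation step 18 describes: the wizard's g2 proposals cannot be agreed with a Sidewinder that has PFS off. Either the custom nopfs-esp-3des-sha proposal or enabling PFS with group 2 on the Sidewinder (step 7) produces a match, and the host address 192.168.1.1/24 is reported rather than silently accepted.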

Figure 15. Custom policy with nopfs-esp-3des-sha selected (choose this option if you are not using PFS)

19. Click Return.

Verifying the VPN connection

Your VPN tunnel should now pass traffic between the two gateways. The following is a GUI-based method of verifying that your VPN connection is active:

1. Using the Admin Console, go to VPN Configuration -> Security Associations.
2. Verify that an asterisk appears in the Active column.

To gather more detailed information about a connection, use either or both of these commands:

1. Start a command-line session to the Sidewinder G2 firewall.
2. Enter either of the following commands:

   tcpdump -npi <external interface> 'port 500 or proto 50'
   Use this command to watch ISAKMP (UDP port 500) and ESP (IP protocol 50) packets on the external interface while generating traffic between the protected networks. Seeing ESP in both directions shows that the tunnel has negotiated and is carrying traffic; it does not prove the far gateway is delivering that traffic, so also test with a ping or application traffic from a host on one protected network to a host on the other.

   showaudit -kv
   Use this command to view the real-time audit of the tunnel on the Sidewinder G2 firewall.

If traffic isn't passing properly, troubleshoot the results as normal. If necessary, contact Secure Computing Technical Support for more assistance.
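Reading the tcpdump output by hand is error-prone, so the following Python script, added here as an example and not part of the application note, classifies a capture taken with the command above into one of a few tunnel states: no IKE at all, Phase 1 unanswered, Phase 1 complete but no quick mode, quick mode seen but no ESP, ESP in one direction only, or up. The capture lines are constructed in the text format of a current tcpdump; the Sidewinder's own tcpdump may word lines differently, in which case LINE_RE needs adjusting. The gateway addresses are those of Figure 1, and the suggested causes attached to each state are heuristics, not output of either product.

```python
"""Classify 'tcpdump -npi <ext> port 500 or proto 50' output into a tunnel state.

Added example, not part of the application note. The sample capture is
constructed in a current tcpdump's text format; the Sidewinder's tcpdump may
differ in wording, so adjust LINE_RE if lines are not recognised.
"""
import re
from collections import Counter

LOCAL_GW = "111.1.1.8"    # Sidewinder G2 external address (Figure 1)
REMOTE_GW = "111.1.1.7"   # NetScreen untrusted address (Figure 1)

# "HH:MM:SS.ffffff IP a.b.c.d[.port] > e.f.g.h[.port]: <rest>"
LINE_RE = re.compile(
    r"^\S+ IP (?P<src>\d+\.\d+\.\d+\.\d+)(?:\.\d+)? > "
    r"(?P<dst>\d+\.\d+\.\d+\.\d+)(?:\.\d+)?: (?P<rest>.*)$"
)
ESP_RE = re.compile(r"ESP\(spi=0x(?P<spi>[0-9a-fA-F]+),seq=0x[0-9a-fA-F]+\)")


def parse_line(line):
    """Return {'src','dst','kind'[,'spi']} for an ISAKMP or ESP line, else None."""
    m = LINE_RE.match(line)
    if not m:
        return None
    rest = m.group("rest")
    rec = {"src": m.group("src"), "dst": m.group("dst")}
    if rest.startswith("isakmp:"):
        if "phase 1" in rest:
            rec["kind"] = "ike1"       # main/aggressive mode: authenticates the gateways
        elif "phase 2" in rest:
            rec["kind"] = "ike2"       # quick mode: negotiates the ESP proposal
        else:
            rec["kind"] = "ike_other"  # informational / notify
        return rec
    e = ESP_RE.search(rest)
    if e:
        rec["kind"] = "esp"
        rec["spi"] = int(e.group("spi"), 16)
        return rec
    return None


def summarize(lines, local=LOCAL_GW, remote=REMOTE_GW):
    """Count ISAKMP/ESP packets per direction and collect the ESP SPIs seen."""
    counts = Counter()
    spis = {"out": set(), "in": set()}
    for line in lines:
        rec = parse_line(line)
        if rec is None:
            continue
        if rec["src"] == local and rec["dst"] == remote:
            d = "out"
        elif rec["src"] == remote and rec["dst"] == local:
            d = "in"
        else:
            continue  # traffic matching the filter but not between these two gateways
        counts[(rec["kind"], d)] += 1
        if rec["kind"] == "esp":
            spis[d].add(rec["spi"])
    return counts, spis


def diagnose(lines, local=LOCAL_GW, remote=REMOTE_GW):
    """Map a capture to (state, explanation). The suggested causes are heuristics."""
    c, spis = summarize(lines, local, remote)
    p1 = {d for d in ("out", "in") if c[("ike1", d)]}
    p2 = {d for d in ("out", "in") if c[("ike2", d)]}
    esp = {d for d in ("out", "in") if spis[d]}
    if not p1 and not p2 and not esp:
        return ("NO_IKE", "no ISAKMP packets between the gateways: check the ISAKMP server "
                          "and its rule, and that traffic is actually being generated")
    if len(p1) == 1 and not p2:
        return ("P1_UNANSWERED", f"phase 1 seen only {next(iter(p1))}bound: the peer is not "
                                 "answering (rule, peer address or pre-shared key)")
    if not p2:
        return ("P1_ONLY", "phase 1 exchanged but no quick mode: phase 1 failed or the Phase 2 "
                           "proposals do not overlap (check PFS and group settings)")
    if esp == {"out", "in"}:
        return ("UP", f"ESP in both directions, SPIs out={sorted(spis['out'])} in={sorted(spis['in'])}")
    if esp:
        return ("ESP_ONE_WAY", f"ESP only {next(iter(esp))}bound: the other side is not sending; "
                               "check its protected-network definition and routing")
    return ("NO_ESP", "quick mode seen but no ESP: phase 2 may have failed, or no traffic "
                      "has been sent between the protected networks yet")


# Constructed sample capture: a full main-mode exchange, quick mode, then ESP both ways.
SAMPLE_CAPTURE = """\
10:01:00.000100 IP 111.1.1.8.500 > 111.1.1.7.500: isakmp: phase 1 I ident
10:01:00.004200 IP 111.1.1.7.500 > 111.1.1.8.500: isakmp: phase 1 R ident
10:01:00.008300 IP 111.1.1.8.500 > 111.1.1.7.500: isakmp: phase 1 I ident
10:01:00.012400 IP 111.1.1.7.500 > 111.1.1.8.500: isakmp: phase 1 R ident
10:01:00.016500 IP 111.1.1.8.500 > 111.1.1.7.500: isakmp: phase 1 I ident[E]
10:01:00.020600 IP 111.1.1.7.500 > 111.1.1.8.500: isakmp: phase 1 R ident[E]
10:01:00.024700 IP 111.1.1.8.500 > 111.1.1.7.500: isakmp: phase 2/others I oakley-quick[E]
10:01:00.028800 IP 111.1.1.7.500 > 111.1.1.8.500: isakmp: phase 2/others R oakley-quick[E]
10:01:00.032900 IP 111.1.1.8.500 > 111.1.1.7.500: isakmp: phase 2/others I oakley-quick[E]
10:01:01.100000 IP 111.1.1.8 > 111.1.1.7: ESP(spi=0x9a1b2c3d,seq=0x1), length 116
10:01:01.104000 IP 111.1.1.7 > 111.1.1.8: ESP(spi=0x0d4e5f60,seq=0x1), length 116
""".splitlines()

if __name__ == "__main__":
    # Feed a real capture with: tcpdump -nlpi <ext> port 500 or proto 50 | python3 thisfile.py
    import sys
    lines = SAMPLE_CAPTURE if sys.stdin.isatty() else sys.stdin.read().splitlines()
    print(*diagnose(lines), sep=": ")
```

Truncating the sample capture after each stage reproduces the failure states: one packet gives P1_UNANSWERED, six give P1_ONLY, nine give NO_ESP, ten give ESP_ONE_WAY. The -l flag in the usage comment makes tcpdump line-buffer its output so the script can read it through a pipe; the capture format itself is the same as the command in the text.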

Product names used within are trademarks of their respective owners. Copyright 2004 Secure Computing Corporation. All rights reserved.