SunScreen 3.1 Administration Guide

Virtual Private Network (VPN) Rules

When you configure a Screen to use a Virtual Private Network (VPN) between two locations, all packets traveling from one location to another are encrypted and encapsulated before they are sent over the public internetwork. A VPN ensures that the contents of the packets remain private, and conceals the topology of the internal network.

The packet contents remain private because anyone capturing packets between the two locations sees only unreadable, encrypted packets. When these packets arrive at the remote location the Screen decrypts them and forwards them to their final destination in a readable form.

A VPN conceals the details of its network topology by encrypting the original packets (including their IP headers) and creating new IP headers using addresses specified by the VPN Gateways. When these packets arrive at the remote location, the Screen removes the new IP headers, and after decrypting the packets, restores the original headers so the packets can reach their final destination.

A VPN is typically used when companies have offices in more than one location. Such companies often want to use public networks for a secure private network, and avoid the need for dedicated lines or any changes to their user applications.

Before You Begin

Before you configure a VPN, you must complete several preliminary tasks including the following:

Once you successfully complete these tasks, you set up the VPN by defining VPN gateways and creating packet filtering rules as described in the following sections.

Configuring a VPN

You need to create a "VPN Gateway" for each Screen involved in the VPN to define the systems that are taking part in a particular VPN. You create these Gateway definitions using the VPN tab in the Policy Rules area of the Policy Rules page.

Each VPN Gateway definition associates a particular certificate with a set of hosts that are "protected" by that gateway. The protected hosts will have their traffic encrypted/decrypted by that certificate. In addition, the defined gateways are associated with each other by giving them each the same VPN name.

To Add a VPN Gateway Definition

To add a VPN Gateway definition, perform the following steps:

  1. Click the VPN tab in the Policy Rules area of the Policy Rules page.

  2. Click the Add New... button in the VPN area.

    The VPN Definition dialog window appears.

  3. In the Name field, type the name of the VPN to which the gateway belongs.

    Type the same name for each gateway included in the VPN.

  4. Click the down arrow in the Address field to select the machine to be included in the VPN.

  5. Click the down arrow in the Certificate field to select the gateway's Certificate ID.

  6. Click the down arrow in the Key Algorithm field to select the key algorithm (or "none") to be used by the VPN.

    All gateways in the same VPN must use the same key algorithm.

  7. Click the down arrow in the Data Algorithm field to select the data algorithm (or "none") to be used by the VPN.

    All gateways in the same VPN must use the same data algorithm.

  8. Click the down arrow in the MAC Algorithm field to select the MAC algorithm (or "none") to be used by the VPN.

    All gateways in the same VPN must use the same MAC algorithm.

  9. Click the down arrow in the Tunnel Address field to select the tunnel address to be used by the VPN.

  10. (Optional) Type a description of the VPN gateway.

  11. Click the OK button.


    Note -

    Repeat steps 2 through 11 to define a VPN Gateway for each Screen in the VPN. Be sure to give each of them the same VPN name to include them all in this particular VPN.


To Create Packet Filter Rules to Use a VPN

Once you define the VPN by creating VPN Gateways, you must add Packet Filtering rules in order to utilize the VPN. To add the VPN rule, perform the following steps:

  1. Click on the Packet Filtering tab of the Policy Rules area of the Policy Rules page.

  2. Click on the "Add New..." button at the bottom of the rules.

    The Rule Definition dialog window appears.

  3. Type the information into the fields as desired.

    The source and destination fields can contain "*". This configuration will check all traffic to see if it is part of the specified VPN. Be sure to select SECURE in the action field. When the Action Details popup window asks you to supply a VPN, select the name of the VPN used when defining the VPN Gateways.

    The one VPN-based rule will then generate all the VPN Gateway pair-wise rules so that the hosts at each site can communicate with each other securely. Any host that cannot be secured (for example, because it is not protected by a VPN gateway) will not be allowed to communicate by the VPN-based rule. You can create a rule that allows that particular host to communicate, but you must set that rule up separately.

  4. Click the OK button for both the Action Details and the Add Rule dialog boxes.


    Note -

    If you did not use "*" for source, destination and service, repeat steps 2 through 4 for any additional rules. You must add VPN rules to each Screen that is part of the VPN.
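
The constraints in the two procedures above can be checked against a planned set of gateway definitions before they are entered: every gateway sharing a VPN name must use the same key, data and MAC algorithm, one VPN-based rule expands to pair-wise gateway rules, and a host behind no gateway is not covered. The following Python model is an added example, not SunScreen code or its configuration format; the field names, Screen names, addresses and algorithm labels are constructed placeholders, and any algorithm set to "none" is reported for review.

```python
from collections import defaultdict
from ipaddress import ip_address, ip_network
from itertools import combinations

# Constructed sample data modelling the VPN Definition dialog fields.
# Names, addresses and algorithm labels are placeholders, not SunScreen values.
GATEWAYS = [
    {"vpn": "corp", "screen": "screen-a", "protects": "10.1.0.0/16",
     "key": "ALG-K1", "data": "ALG-D1", "mac": "ALG-M1"},
    {"vpn": "corp", "screen": "screen-b", "protects": "10.2.0.0/16",
     "key": "ALG-K1", "data": "ALG-D1", "mac": "ALG-M1"},
    {"vpn": "corp", "screen": "screen-c", "protects": "10.3.0.0/16",
     "key": "ALG-K1", "data": "none", "mac": "ALG-M1"},
]

def check_vpn(gateways):
    """Return findings for gateways that share a VPN name but disagree."""
    by_vpn = defaultdict(list)
    for gw in gateways:
        by_vpn[gw["vpn"]].append(gw)
    findings = []
    for vpn, members in sorted(by_vpn.items()):
        if len(members) < 2:
            findings.append(f"{vpn}: only one gateway defined")
        for field in ("key", "data", "mac"):
            values = {gw[field] for gw in members}
            if len(values) > 1:
                findings.append(f"{vpn}: {field} algorithm mismatch {sorted(values)}")
            if "none" in values:
                findings.append(f"{vpn}: {field} algorithm set to none")
    return findings

def pairwise_rules(gateways, vpn):
    """Expand one VPN-based rule into directed gateway-pair rules."""
    members = [gw for gw in gateways if gw["vpn"] == vpn]
    rules = []
    for a, b in combinations(members, 2):
        rules.append((a["protects"], b["protects"]))
        rules.append((b["protects"], a["protects"]))
    return rules

def is_secured(gateways, vpn, host):
    """True if host sits behind a gateway of this VPN."""
    return any(ip_address(host) in ip_network(gw["protects"])
               for gw in gateways if gw["vpn"] == vpn)
```

With the sample data, `check_vpn(GATEWAYS)` reports the data algorithm mismatch introduced by `screen-c`, and `is_secured` shows which hosts would need a separate rule.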