Setting up a VPN requires a certificate for each Screen and a definition of the address groups involved. For descriptions and concepts of the Virtual Private Network, see the SunScreen Reference Manual.
At the command line prompt, type:
edit> add vpngateway vpn-net addrgrp-a SKIP cert-a KEY DES-CBC DATA RC4-40 MAC MD5 COMPRESSION NONE
where vpn-net is the name of the VPN, addrgrp-a is the address group that uses the certificate that follows, and cert-a is that group's SKIP certificate.
If you are using a tunnel, append TUNNEL followed by the tunnel address name to the add or replace command.
To set up the VPN completely, every Screen must hold all the keys, address groups, and vpngateway entries. In a VPN configuration that connects two networks, you would therefore see something like the following:
edit> list vpngateway
1 "vpn-net" "addrgrp-a" SKIP "cert-a" KEY "DES-CBC" DATA "RC4-40" MAC "MD5" COMPRESSION "NONE"
2 "vpn-net" "addrgrp-b" SKIP "cert-b" KEY "DES-CBC" DATA "RC4-40" MAC "MD5" COMPRESSION "NONE"
Create an address group containing the address groups for both networks, for example:
edit> add address vpn-grp GROUP { addrgrp-a addrgrp-b } {}
Define a rule specifying the VPN Gateway:
edit> add rule common vpn-grp vpn-grp ALLOW VPN vpn-net
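The whole setup above, as an added shell example that is not part of the SunScreen documentation: it generates the edit> commands for any number of address-group/certificate pairs and checks a list vpngateway dump for algorithm mismatches between entries of the same VPN, which is the usual reason two Screens configured separately fail to bring the VPN up. Only the add and list syntax comes from the page; feeding the output to ssadm edit and the save/quit commands mentioned in the comments are assumptions.

```shell
#!/bin/sh
# Added example (not from the SunScreen documentation): builds the edit>
# command sequence for a multi-network VPN and checks a "list vpngateway"
# dump for parameter mismatches between peers.
# Assumptions: the command names and syntax are those shown on the page;
# piping the output into "ssadm edit <policy>" and the trailing "save"/"quit"
# commands are assumed usage, not taken from the page.

VPN_NET="vpn-net"
KEY_ALG="DES-CBC"    # key-encryption algorithm
DATA_ALG="RC4-40"    # traffic-encryption algorithm
MAC_ALG="MD5"        # integrity algorithm
COMP="NONE"          # compression

# Emit one "add vpngateway" line for an address group and its SKIP certificate.
# Usage: vpngateway_cmd ADDRGRP CERT [TUNNEL_ADDR]
vpngateway_cmd() {
    addrgrp=$1; cert=$2; tunnel=$3
    line="add vpngateway $VPN_NET $addrgrp SKIP $cert KEY $KEY_ALG DATA $DATA_ALG MAC $MAC_ALG COMPRESSION $COMP"
    # A tunnel is optional; when given, the address name is appended last.
    if [ -n "$tunnel" ]; then
        line="$line TUNNEL $tunnel"
    fi
    printf '%s\n' "$line"
}

# Emit the complete setup: one vpngateway per ADDRGRP:CERT pair, the union
# address group, and the rule that allows VPN traffic between the members.
# Usage: vpn_policy_cmds addrgrp-a:cert-a addrgrp-b:cert-b ...
vpn_policy_cmds() {
    members=""
    for pair in "$@"; do
        addrgrp=${pair%%:*}
        cert=${pair#*:}
        vpngateway_cmd "$addrgrp" "$cert"
        members="$members $addrgrp"
    done
    printf 'add address vpn-grp GROUP {%s } {}\n' "$members"
    printf 'add rule common vpn-grp vpn-grp ALLOW VPN %s\n' "$VPN_NET"
}

# Read "list vpngateway" output on stdin and verify that every entry of the
# same VPN uses identical KEY/DATA/MAC/COMPRESSION settings. Peers with
# different algorithms cannot establish the VPN, so this is worth running
# after the same commands have been applied on each Screen.
# Returns 0 when consistent, 1 when any entry disagrees.
check_consistent() {
    awk '
        NF >= 13 {
            # fields: idx vpn addrgrp SKIP cert KEY alg DATA alg MAC alg COMPRESSION alg
            params = $7 " " $9 " " $11 " " $13
            if ($2 in seen) {
                if (seen[$2] != params) bad = 1
            } else {
                seen[$2] = params
            }
        }
        END { exit bad ? 1 : 0 }
    '
}

# Stand-alone run: print the commands for the two-network example on the page.
# To apply them (assumed usage): vpn_policy_cmds ... | ssadm edit <policy>,
# then "save" and "quit" at the edit> prompt.
vpn_policy_cmds addrgrp-a:cert-a addrgrp-b:cert-b
```

Run the same generated command set on every Screen, then paste each Screen's list vpngateway output into check_consistent; a non-zero exit means at least two entries for the same VPN disagree on an algorithm and the replace vpngateway step is needed before the rule will pass traffic.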
VPN gateways are stored in an ordered list and are referenced by their index. To change values, at the command line prompt, type (for example):
edit> replace vpngateway 1 vpn-net addrgrp-a SKIP cert-new KEY DES-CBC DATA RC4-40 MAC MD5 COMPRESSION NONE
To remove a VPN gateway, you must delete the rules that reference it and then the vpngateway object itself.
At the command line prompt, type (for example):
edit> del vpngateway 1