To configure VPN using SunScreen, you must complete the following steps:

1. Install the SunScreen software on Screens sf-screen1 and hk-screen1.
   If these Screens were configured in routing mode with remote administration (as described in the Routing example), local certificates named sf-screen1.cert and hk-screen1.cert, respectively, were already generated.

2. Add the remote Screen's certificate object to each Screen:
   - On sf-screen1, add a certificate object for hk-screen1.cert.
   - On hk-screen1, add a certificate object for sf-screen1.cert.
   For detailed information on adding certificates, see the SunScreen 3.1 Administration Guide.

3. Ensure that each Screen includes address objects for the following hosts:
   - hk-screen1
   - sf-screen1
   - hk-host1 (can be part of a group or range)
   - sf-host1 (can be part of a group or range)
   For detailed information on adding address objects, see the SunScreen 3.1 Administration Guide.

4. On Screen sf-screen1, under Policy Rules, click the VPN tab and add two entries (one for sf-host1 and one for hk-host1).
   Figure 4-2 shows what the VPN definition window might look like when adding the entry for sf-host1.
   The name, address, certificate, and three algorithm fields are required for each entry. Notice that a tunnel address (sf-screen1) has also been specified. This conceals the network topology and allows the unregistered address of sf-host1 (10.0.1.1) to be used without it being seen on the Internet.
   Once the VPN definitions have been completed for both hosts sf-host1 and hk-host1, the VPN tab, under the Policy Rules section of the administration GUI, should look as shown in the following figure. Observe that the two entries contain the same name (sf-hk-vpn for this example).
   It is critical that all entries associated with a particular VPN have the same VPN name. The VPN name is referenced again when you create the packet filtering rules, which accept a packet only if both addresses in the IP header are associated with the same VPN.

5. To add a new rule on Screen sf-screen1, under the Policy Rules area, click the Packet Filtering tab and then the Add New button.
   Complete the information as needed, and select SECURE as the action. The Action Details popup window asks you to supply a VPN. Type "sf-hk-vpn" in the VPN field, as shown in the dialog window in the following figure. This is where the hosts in the VPN are associated with the Packet Filtering rule.
   It is recommended (at least for testing) to use "*" for the source and destination addresses. Any packet that reaches this rule and has both its source and destination in the specified VPN is then securely transported to the remote site.

6. Save and activate the policy.

7. Repeat steps 4 through 6 on Screen hk-screen1.
You can easily test the configuration by creating a SECURE packet-filtering rule that enables ICMP traffic to pass through the VPN, and then running a ping between hosts sf-host1 and hk-host1.
If you ran snoop on the network in San Francisco, Hong Kong, and out on the Internet, the results would be as follows:
Inside either the San Francisco or Hong Kong Screen:
    sf-host1 -> hk-host1 ICMP Echo request
    hk-host1 -> sf-host1 ICMP Echo reply
Outside the Screen on the Internet:
    sf-screen1 -> hk-screen1 IP D=192.168.6.2 S=192.168.1.2 ...
    hk-screen1 -> sf-screen1 IP D=192.168.1.2 S=192.168.6.2 ...
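As an added illustration (not SunScreen's own code or configuration), the following Python model captures the two checks that steps 4 and 5 rely on and the outer header that snoop sees on the Internet: a SECURE rule with "*" addresses matches only when both IP header addresses belong to the VPN named in the rule, and the matched entries' tunnel addresses become the outer source and destination. The sf-host1, sf-screen1 and hk-screen1 addresses are taken from this page; hk-host1's address (10.0.6.1) is an assumed placeholder.

```python
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional

# Constructed model of the two sf-hk-vpn entries from the page. hk-host1's
# address is not given on the page, so 10.0.6.1 is a placeholder assumption.
@dataclass(frozen=True)
class VpnEntry:
    name: str         # VPN name; every entry of one VPN must use the same name
    address: str      # host address, or a range given in CIDR form
    certificate: str  # certificate object of the Screen in front of the host
    tunnel: str       # tunnel (Screen) address used in the outer IP header

ENTRIES = [
    VpnEntry("sf-hk-vpn", "10.0.1.1", "sf-screen1.cert", "192.168.1.2"),
    VpnEntry("sf-hk-vpn", "10.0.6.1", "hk-screen1.cert", "192.168.6.2"),
]

def lookup(entries: List[VpnEntry], addr: str) -> Optional[VpnEntry]:
    """Return the entry whose address or range covers addr, or None."""
    ip = ip_address(addr)
    for entry in entries:
        if ip in ip_network(entry.address, strict=False):
            return entry
    return None

def secure_rule(entries: List[VpnEntry], src: str, dst: str, vpn: str):
    """Model the SECURE rule with '*' source/destination and a VPN field.

    The rule matches only when both header addresses belong to the named VPN.
    On a match, return the outer header the Screen would put on the tunnelled
    packet (the tunnel addresses snoop shows on the Internet); otherwise
    return None so the packet falls through to later rules.
    """
    s, d = lookup(entries, src), lookup(entries, dst)
    if s is None or d is None or s.name != vpn or d.name != vpn:
        return None
    return {"outer_src": s.tunnel, "outer_dst": d.tunnel,
            "inner_src": src, "inner_dst": dst}

if __name__ == "__main__":
    print(secure_rule(ENTRIES, "10.0.1.1", "10.0.6.1", "sf-hk-vpn"))
    # A destination outside the VPN does not match, so nothing is tunnelled.
    print(secure_rule(ENTRIES, "10.0.1.1", "203.0.113.5", "sf-hk-vpn"))
```

Renaming one entry (for example to "hk-vpn") makes the rule stop matching, which is the failure the "same VPN name" requirement in step 4 guards against.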