On bos-screen1

1. Decide on a tunnel address for the Screen.

   This is the IP address that is used to send packets over the Internet. The tunnel address should be on the local network that bos-screen1 is connected to (192.168.1.100 in this example).

2. Define the tunnel address of bos-screen1 as an address object called bos-tunnel.

Make sure that the interface group definition for the external interface contains the tunnel address object (that is, hme2_grp contains bos-tunnel).

1. Define an address object for the other Screen in the configuration (hk-screen in this example).

   The address of this object is the IP address of the interface nearest the Internet (192.168.6.2 in this example).

   ---

   Note -

   It is possible to define a tunnel address for hk-screen1 as well.

   ---

2. Define the networks (bos-net and hk-net in this example) behind both Screens as address objects.

   ---

   Note -

   Make sure the interface groups for the interfaces on bos-screen are correctly defined.

   ---

The interface definition for the interface nearest the Internet (hme2) needs to have the router field filled in, as shown in Figure 6-2, with the address of a default router on this network (192.168.1.1 in this example). This is required because the stealth Screen is actually generating packets with a source IP address set to the tunnel address, but it has no routing table (because it is not a router) and therefore needs to send the packets to a router that knows where "hk-screen1" is.

Figure 6-2 Interface Definition Screen

1. Add the certificate name of hk-screen1.

   To generate a certificate object called hk-screen1.cert, use Certificate --> Associate MKID.

2. Add a rule to encrypt the traffic between bos-net and hk-net.

   The following figure, Figure 6-4, and Figure 6-5 show the parameters used. The example uses Common Services, but the actual service you use reflects the security policy that you are implementing.

   Figure 6-3 Encryption Configuration

   
   

   Figure 6-4 Rule Definition Window

   
   

   Figure 6-5 Rule Index, Action Details Window

   
   

The configuration shows a second rule as well. The first rule enables connections from bos-net to be established to hk-net, and the return packets to pass, but does not enable connections to be established from hk-net to bos-net. If this is required, add a second rule, but reverse the source and destination addresses, and the certificates.

1. Save and activate the policy.

   ---

   Tip -

   For SunScreen SKIP encryption to work, both Screens must have the same system time set. When they are located in different parts of the world, the time set should be correct for that part of the world. Also, set the TimeZone for that part of the world. That is, the local time that is corrected with the TimeZone must be the same on both machines.

   ---

2. Check that the pass-CDP (Certificate Discovery Protocol) option is selected under the Screen object.