SunScreen 3.2 Installation Guide

Setting Up the Screen

This section describes how to set up a Screen to use IKE to communicate with a remote Administration Station. Most of the instructions are given as command-line examples; others use the administration GUI. In each case, the easier method of performing the task was chosen.

If you need further instructions on how to perform a specific task, see the SunScreen Administration Guide and the SunScreen Configuration Examples for detailed instructions.

To Set Up IKE on the Firewall Screen

After adding certificates on the administrative Screen or Administration Station, you create the IKE certificate on the firewall Screen.

  1. Create the IKE self-generated certificate:


    # ssadm certlocal -Iks -m 512 -t rsa-md5 -D "C=US, O=YOUR_ORG, CN=screen_name"

    The distinguished name (DN) given with -D is the name the certificate is exported by in the next step and the name the certificate object must carry later, so spell it identically everywhere. The -m 512 modulus and rsa-md5 are the values this guide uses; a 512-bit RSA key and MD5 are weak by current standards, so prefer a larger modulus if your release accepts one.
    
  2. Export the firewall Screen's IKE certificate to a file by typing:


    # ssadm certdb -I -e "C=US, O=YOUR_ORG, CN=screen_name" > /tmp/screen_cert
    
  3. Import the administrative Screen's certificate (the file exported on the administrative Screen and copied to the firewall Screen) by typing:


    # ssadm certdb -I -a < /tmp/admin_cert
    
  4. Create certificate objects for the two certificates. The DN in each object must match the DN of the certificate exactly, including the organization (O=) value used in step 1.


    # ssadm edit PolicyName
    then, using ssadm edit:
    edit> add certificate admin_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=admin_name"
    edit> add certificate screen_cert SINGLE IKE "C=US, O=YOUR_ORG, CN=screen_name"
    
    
  5. Mark the imported certificate as trusted.


    Using ssadm edit:
    edit> add member certificate "IKE manually verified certificates" "admin_cert"
    
    
  6. Start the Administration GUI. From this point on, it is easier to use the administration GUI for the remaining steps.


    http://localhost:3852

    After you log in, edit the appropriate policy, then continue with the following steps.

  7. Add the Administration Station's IP address as an address object.

  8. Add the Administration Station as a screen object and allow routing traffic and name service.

  9. Edit the firewall Screen's screen object: on the Primary/Secondary tab, enter the Administration Station's IP address as the administrative IP address, select the administrative certificate (admin_cert) in the IKE administrative certificate field, and add the firewall Screen's own certificate (screen_cert).

  10. Stealth Mode only: return to the Miscellaneous tab and make sure routing traffic and name service are set to No or None (certificate discovery is on).

  11. From a command line, mark the administrative certificate as trusted by typing (this is the same command as in step 5; if that step succeeded, the membership is already in place and repeating it changes nothing):


    # ssadm edit PolicyName
    then, using ssadm edit:
    edit> add member certificate "IKE manually verified certificates" "admin_cert"
    
    
  12. From the GUI, add a remote access rule: select the Administrative Access tab and, in the Access rules for remote administration table, click the Add New Rule button. Fill in the following fields:


    screen: screen name
    address object: remote admin address
    user: admin
    access level: all
    encryption: IPSEC IKE
  13. Select the one encryption algorithm that matches the packet filtering rule on the firewall Screen, and set the source certificate to screen_cert.

  14. Click the Options tab and set source screen: screen name.

    When done, you have a remote access rule like the following:


    1 SCREEN "screen_name" USER "admin" "admin_addr" IPSEC ESP("DES-CBC", "MD5") AH("SHA1") IKE("DES-CBC", "MD5", 1, RSA-SIGNATURES, "screen_cert") PERMISSION ALL

  15. Activate the policies.

  16. Finish setting up the Administration Station.
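As an added example (not code from this guide or from Sun), here are the command-line steps of the procedure (steps 1 through 5, and the repeated trust command of step 11) as one script that defines the certificate DN once and checks the generated policy commands against it before anything is executed, since a DN that differs between certlocal -D, certdb -e and the certificate object is the usual reason IKE authentication fails. It assumes ssadm is on PATH with exactly the flags shown in this guide, that ssadm edit accepts its subcommands on standard input followed by save and quit (verify this on your release), and that the administrative Screen's certificate has already been copied to /tmp/admin_cert; YOUR_ORG, screen_name, admin_name and PolicyName are the guide's placeholders. By default (DRY_RUN=1) it only prints what it would run.

```shell
#!/bin/sh
# Added example, not part of the SunScreen guide. Scripts steps 1-5 of the
# procedure so the DN is spelled once and reused verbatim.
# Assumptions (verify on your system): ssadm is on PATH; the flags are the
# ones shown in the guide; `ssadm edit` reads subcommands from stdin and
# accepts "save"/"quit"; /tmp/admin_cert already holds the admin certificate.

DN_C="US"
DN_O="YOUR_ORG"
SCREEN_CN="screen_name"
ADMIN_CN="admin_name"
POLICY="PolicyName"
KEY_BITS=512             # value the guide uses; weak today, raise it if your release allows
DRY_RUN="${DRY_RUN:-1}"  # 1 = print the commands, 0 = execute them on the Screen

# Build a DN with one fixed spelling; SunScreen compares DNs as strings.
make_dn() {
    printf 'C=%s, O=%s, CN=%s' "$DN_C" "$DN_O" "$1"
}

# Shell commands for steps 1-3: generate, export and import the certificates.
screen_setup_commands() {
    screen_dn=$(make_dn "$SCREEN_CN")
    cat <<EOF
ssadm certlocal -Iks -m $KEY_BITS -t rsa-md5 -D "$screen_dn"
ssadm certdb -I -e "$screen_dn" > /tmp/screen_cert
ssadm certdb -I -a < /tmp/admin_cert
EOF
}

# ssadm edit subcommands for steps 4-5: certificate objects and the trust list.
policy_edit_commands() {
    screen_dn=$(make_dn "$SCREEN_CN")
    admin_dn=$(make_dn "$ADMIN_CN")
    cat <<EOF
add certificate admin_cert SINGLE IKE "$admin_dn"
add certificate screen_cert SINGLE IKE "$screen_dn"
add member certificate "IKE manually verified certificates" "admin_cert"
save
quit
EOF
}

# Read edit subcommands on stdin and reject any "add certificate" line whose
# quoted DN is not one of the two we built (e.g. O=SUN where O=YOUR_ORG was
# used in certlocal). Returns 0 when every DN is consistent, 1 otherwise.
check_dn_consistency() {
    screen_dn=$(make_dn "$SCREEN_CN")
    admin_dn=$(make_dn "$ADMIN_CN")
    grep '^add certificate ' | while IFS= read -r line; do
        case "$line" in
            *"\"$screen_dn\""*|*"\"$admin_dn\""*) ;;
            *) echo "DN mismatch in: $line" >&2; exit 1 ;;
        esac
    done
}

# Run the whole command-line part, after the consistency check passes.
apply_screen_setup() {
    policy_edit_commands | check_dn_consistency || return 1
    if [ "$DRY_RUN" = "1" ]; then
        echo "# dry run: commands that would run on the firewall Screen"
        screen_setup_commands
        echo "ssadm edit $POLICY <<'EDIT'"
        policy_edit_commands
        echo "EDIT"
        return 0
    fi
    [ -f /tmp/admin_cert ] || { echo "copy the admin certificate to /tmp/admin_cert first" >&2; return 1; }
    screen_setup_commands | sh -e
    policy_edit_commands | ssadm edit "$POLICY"
}

apply_screen_setup
```

Run it with DRY_RUN=0 on the firewall Screen once the printed commands look right. The DN check reads its input from stdin rather than calling the generator directly so you can also feed it a hand-edited list of edit subcommands before pasting them into an interactive ssadm edit session.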