SunScreen 3.2 Administration Guide

Chapter 3 Creating and Managing Rules

This chapter describes:

The following information describes the administration GUI. Chapter 10, Using the Command Line Interface contains information about the command line interface.

The following table lists the procedures in this chapter.

Table 3-1 Procedures for Managing Rules

Packet Filter Rules
  • "To View and Edit the Details of an Object"
  • "To Edit a Rule"
  • "To Add a New Rule"
  • "To Move a Rule"
  • "To Delete a Rule"

Administrative Access Rules
  • "To Add or Change an Administrative Access Rule for Local Administration"
  • "To Add or Change an Administrative Access Rule for Remote Administration"
  • "To Specify a SKIP/IPsec/IKE Action on a Remote Access Rule"

NAT Rules
  • "To Manually Add an ARP Entry"
  • "To Define NAT Rules"
  • "To Edit the NAT Rules"

VPN Rules
  • "To Add a VPN Gateway Definition"
  • "To Create Packet Filtering Rules for a VPN"

Packet Filtering Rules

To Modify Rules
  1. Choose a policy in the Policies List page.

    Graphic
  2. Click the Edit button.

    The Policy Rules page appears.

    Graphic

    To display the controls on a tab, click the tab header. The following table describes the tabs that are available from the Policy Rules panel.

    Table 3-2 Policy Rules Panel Tabs

    Packet Filtering
      Shows the packet filtering rule or rules.

    Administration Access
      Defines access rules for local administration and for remote Administration Stations, through the administration GUI or the command line (see Chapter 10, Using the Command Line Interface).

    NAT (Network Address Translation)
      Maps private network addresses to public network addresses.

    VPN (Virtual Private Network)
      Defines VPN gateways: name, address, certificate, issued certificate (key) algorithm, data algorithm, MAC algorithm, tunnel address, and description.

To View and Edit the Details of an Object
  1. Execute the steps in "To Modify Rules".

  2. In the packet filtering table, click the cell that contains the object you want to view or edit.

    The dialog box for the chosen object appears.

    Graphic
    Note -

    Clicking a cell in the packet filtering table does not open a popup menu; instead you get a pulldown list from which you can select another value.


To Edit a Rule
  1. Execute the steps in "To Modify Rules".

  2. Click the Packet Filtering tab in the Policy Rules area.

  3. Select the rule to edit.

  4. Click the Edit button.

    The Rule Definition dialog box for the selected policy appears.

    Graphic
  5. Edit each field by clicking the down arrow to display the list.

    You can add a new address, range of addresses, or list of addresses for both the Source and Destination addresses. The fields of the Rule Definition dialog box are:

    Rule Index
      Assigns a number to a rule. When editing or adding a new rule, by default, this field displays a number one greater than the last rule (indicating this rule will be placed at the bottom of the list). If you type a lower number, the new rule is inserted into the specified position in the list, and the rules currently in the configuration are renumbered.

    Screen
      (Optional) Specifies the Screen for which you want the rule to apply. Select a specific Screen name in this field if you use centralized management and want a rule to apply to a specific Screen.

    Service
      Identifies the network service or service group to which this rule applies.

    Source
      The value to which the source address of a packet is compared. If an asterisk (*) appears, any source address meets the criteria of the rule.

    Destination
      The value to which the destination address of a packet is compared to determine whether the rule should apply. If an asterisk (*) appears, any destination address meets the criteria of the rule.

    Action
      Displays the action for the rule and permits setting the logging behavior. The options are ALLOW, DENY, ENCRYPT, and VPN.

    Time
      Specifies the time object that restricts the applicability of the rule. If an asterisk (*) appears, the rule applies at all times.

    Description
      (Optional) Provides a brief description of the packet filtering rule.

  6. Click the OK button in the Rule Definition dialog box when you have finished editing the rule.

  7. (Optional) Click the Verify Policy button at the top of the Policy Rules page to ensure that you have created a valid policy.

  8. Click the Save Changes button to be sure the changes are saved.


    Note -

    Each Save creates a version.



Note -

If a filtering rule fails to detect any issued certificate (key) encryption algorithms, it may display the following error message:


An error occurred in detecting the Encryption algorithms. 
Please check if skipd process is running.

If this occurs, restart the SKIP daemon process with the skipd_restart command. See the "Configuration Editor Reference" in SunScreen 3.2 Administrator's Overview for more information on the skipd_restart command.


To Add a New Rule
  1. Execute the steps in "To Modify Rules".

  2. Click the Add New Rule button in the Policy Rules area.

    The Rule Definition dialog box for the selected policy appears.

    Graphic
  3. Edit each field by clicking the down arrow to display the list.

  4. Click the OK button in the Rule Definition dialog box when you have finished editing the rule.

  5. (Optional) Click the Verify Policy button at the top of the Policy Rules page to ensure that you have created a valid policy.

To Move a Rule
  1. Execute the steps in "To Modify Rules".

  2. Select the policy rule to be moved.

  3. Click the Move button.

    The Move Rule dialog box appears.

    Graphic
  4. Type the number of the rule that you want to move in the From Rule Index field.

  5. Type the number of the position to which you want to move the rule in the To Rule Index field.

  6. Click the OK button.

    The rules reorder themselves to reflect the change you made. You must move each rule whose position you want to change.

  7. (Optional) Click the Verify Policy button at the top of the Policy Rules page to ensure that you have created a valid policy.


Note -

Edits do not affect the behavior of the Screen, nor of established connections with state entries, until you activate the policy.


To Delete a Rule

Note -

Do not delete all the packet filtering rules, or you may lose all access to the Screen.


  1. Execute the steps in "To Modify Rules".

  2. Select the rule you want to delete from the table in the Packet Filtering area.

  3. Click the Delete button.

    The Delete Rule dialog box appears.

    Graphic
  4. Click the Yes button.
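The rule-index behavior described in the preceding procedures (a lower index inserts and renumbers, Move re-orders, and deleting the last rule is refused so that you do not lose access to the Screen), together with first-match evaluation, as an added example in plain Python. This is not SunScreen code and does not model the product's rule syntax; the address blocks and service names are constructed. It goes one step beyond the text with a shadowing check: a rule that a broader earlier rule already covers can never fire, which is worth knowing before you activate a policy.

```python
"""Rule-index bookkeeping and first-match evaluation for a packet filtering policy.
Added example, not SunScreen code; addresses and service names are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import List, Optional


@dataclass
class Rule:
    service: str       # service name, or "*" for any
    source: str        # host or CIDR block, or "*" for any
    destination: str   # host or CIDR block, or "*" for any
    action: str        # ALLOW, DENY, ENCRYPT or VPN
    description: str = ""


class Policy:
    def __init__(self):
        self.rules: List[Rule] = []

    def indexed(self):
        """(rule index, rule) pairs; indexes are 1-based and always contiguous."""
        return list(enumerate(self.rules, start=1))

    def add(self, rule: Rule, index: Optional[int] = None) -> int:
        """Default index is one greater than the last rule (append). A lower
        index inserts there and renumbers the rules that follow."""
        if index is None or index > len(self.rules):
            self.rules.append(rule)
            return len(self.rules)
        if index < 1:
            raise ValueError("rule index starts at 1")
        self.rules.insert(index - 1, rule)
        return index

    def move(self, from_index: int, to_index: int) -> None:
        rule = self.rules.pop(from_index - 1)
        self.rules.insert(to_index - 1, rule)

    def delete(self, index: int) -> None:
        if len(self.rules) <= 1:
            raise ValueError("refusing to delete the last rule: you would lose access to the Screen")
        del self.rules[index - 1]


def _addr_match(pattern: str, addr: str) -> bool:
    return pattern == "*" or ip_address(addr) in ip_network(pattern, strict=False)


def first_match(policy: Policy, service: str, src: str, dst: str) -> Optional[int]:
    """Index of the rule that decides this packet, or None if no rule matches."""
    for index, r in policy.indexed():
        if r.service in ("*", service) and _addr_match(r.source, src) and _addr_match(r.destination, dst):
            return index
    return None


def _covers(outer: str, inner: str) -> bool:
    """True if every address matched by `inner` is also matched by `outer`."""
    if outer == "*":
        return True
    if inner == "*":
        return False
    return ip_network(inner, strict=False).subnet_of(ip_network(outer, strict=False))


def shadowed(policy: Policy) -> List[int]:
    """Indexes of rules that can never fire because an earlier rule already
    matches everything they would match (a check to run before activating)."""
    result = []
    for i, later in policy.indexed():
        for j, earlier in policy.indexed():
            if j >= i:
                break
            if (earlier.service in ("*", later.service)
                    and _covers(earlier.source, later.source)
                    and _covers(earlier.destination, later.destination)):
                result.append(i)
                break
    return result


def example_policy() -> Policy:
    """A catch-all DENY added first, a specific ALLOW appended (index 2, shadowed),
    then moved in front of the catch-all with Move."""
    p = Policy()
    p.add(Rule("*", "*", "*", "DENY", "catch-all, must stay last"))
    p.add(Rule("http", "192.0.2.0/24", "*", "ALLOW", "web from inside"))
    p.move(2, 1)
    return p
```

The move in `example_policy` is exactly the manual step the Move Rule dialog performs: after it, HTTP from the inside network matches rule 1 and everything else falls through to the DENY at rule 2, so `shadowed()` reports nothing.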

Administrative Access Rules

You use administrative access rules to:

You can add new users that you have created, re-add users for whom new passwords have been defined, or change SecurID assigned names on the Administrative Access page. You can also add an access rule for users and change the encryption parameters.

You must activate a new policy for any changes to take effect.

The fields of the Administrative access rules tab are described in the SunScreen 3.2 Administrator's Overview.

The following information describes using the administration GUI. Chapter 10, Using the Command Line Interface contains information about the command line interface.

To Add or Change an Administrative Access Rule for Local Administration
  1. Execute the steps in "To Modify Rules".

  2. Click the Administrative Access tab to display the Administrative Access area.

    Graphic
  3. Click the Add New Rule button, or Edit button, below the Access Rules for GUI Local Administration area.

    The Local Access Rules dialog box appears.

    Graphic

    The following table describes the controls for the Local Access Rules dialog box.

    Table 3-3 Controls for the Local Access Rules Dialog Box

    Rule Index
      Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed at the bottom of the list). If you type a lower number, the new rule is inserted into the specified position in the list, and the rules currently in the configuration are renumbered.

    Description
      (Optional) Provides a brief description of the Administrative Access rule.

    Screen
      (Optional) Specifies the Screen for which you want the rule to apply. Type a specific Screen name in this field if you use centralized management and want a rule to apply to a specific Screen. The default All applies to all Screens.

    User
      Lists the user names of SunScreen administrators. Use the names that you defined for the Administrative User object.

    Access Level
      Specifies what actions the designated user can perform.

      1. ALL - Allows the administrator to display and modify all settings for the Screen.

      2. WRITE - The administrator can perform all operations except modifying the Administration Access rules for any Policy.

      3. READ - The administrator can view both the Information and Policy. This level also allows the user to save and clear logs on the Information page. With this access level users cannot modify any Policy data.

      4. STATUS - The administrator can display status information (logs, statistics, status information) but cannot display or modify management settings.

      5. NONE - The administrator no longer has any access. This setting prevents an administrator who had access from logging in, without having to remove that administrator from the database.

To Add or Change an Administrative Access Rule for Remote Administration

If you are adding an additional remote Administration Station, you must add a rule for it.


Note -

If you change the encryption parameters, make a note of them; they have to match the encryption parameters on the remote Administration Station.


  1. Execute the steps in "To Modify Rules".

  2. Click the Administrative Access tab in the Policy Rules area.

    Graphic
  3. Click the Add New Rule button in the Access Rules for Remote Administration area.

    The Remote Access Rule dialog box appears.

    Graphic

    The following table describes the controls for the Remote Access Rules dialog box.

    Table 3-4 Controls for the Remote Access Rules Dialog Box

    Rule Index
      (Optional) Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed at the bottom of the list). If you type a lower number, the new rule is inserted into the specified position in the list, and the rules currently in the configuration are renumbered.

    Description
      (Optional) Provides a brief description of the remote administrative access rule.

    Screen
      (Optional) Specifies the Screen for which you want the rule to apply. Type a specific Screen name in this field if you use centralized management and want a rule to apply to a specific Screen. The default All applies to all Screens.

    Address Object
      Restricts the address or addresses from which users may initiate a connection.

    User
      Lists the user names of SunScreen administrators. Use the names that you defined for the Administrative User object.

    Access Level
      Specifies what actions the designated user can perform:

      1. ALL - The administrator can display and modify all settings for the Screen.

      2. WRITE - The administrator can perform all operations except modifying the Administration Access rules for any Policy.

      3. READ - The administrator can view both the Information and Policy. This level also allows the user to save and clear logs on the Information page. With this access level users cannot modify any Policy data.

      4. STATUS - The administrator can display status information (logs, statistics, status) but cannot display or modify management settings.

      5. NONE - The administrator does not have access.

    Encryption
      Specifies the type and version of encryption (SKIP or IKE) used to encrypt traffic between the Screen and the Administration Station.

    Certificate Group
      (SKIP only) Specifies the name of the certificate group, which can correspond to a single certificate or a certificate group, allowed over this interface.

    Key Algorithm
      (SKIP only) Identifies the algorithm used to encrypt traffic-encrypting keys. The algorithms available depend on the strength of encryption (128 bit or 56 bit) that you are using with SunScreen.

    Data Algorithm
      (SKIP only) Identifies the algorithm used to encrypt message traffic between the Screen and the Administration Station. The algorithms available depend on the strength of encryption (128 bit or 56 bit) that you are using with SunScreen.

    MAC Algorithm
      (SKIP only) Identifies the algorithm used to authenticate traffic.

    Tunnel
      Identifies the tunnel address used for the communication between the remote Administration Station and the Screen.

    Move button
      Enables you to assign a new rule index number to the rule that you highlighted in the Access Rules for Remote Administration panel of the Administrative Access tab.

    Delete button
      Deletes the access rule that you highlighted in the Access Rules for Remote Administration panel of the Administrative Access tab.

    Help button
      Displays the online help.

  4. Select the user or group of administration users to which this access rule applies.

  5. To associate this entry with a specific Screen, choose a Screen from the Screen list.


    Note -

    If you are using the CMG (centralized management group) feature, and this field is left blank or contains an asterisk ("*"), the access rule being defined will, by default, allow access to all Screens in the cluster.


  6. Select the address you want to use from the Address Object list.

  7. Select the type of encryption you want to use from the Encryption list.

    To use IPsec IKE, see "To Specify a SKIP/IPsec/IKE Action on a Remote Access Rule".

    To use SKIP (Simple Key-Management for Internet Protocol), follow these substeps:

    1. Select the version of SKIP you want to use from the Encryption list.

      Use SKIP_VERSION_1 for communicating with an SPF-100. For later versions, choose SKIP_VERSION_2.

      The required fields for SKIP_VERSION_1 are:

      • Certificate Group

      • Key Algorithm

      • Data Algorithm

      The required fields for SKIP_VERSION_2 are:

      • MAC Algorithm

      • Certificate Group

      • Key Algorithm

      • Data Algorithm

    2. Select the certificate group that you want to use from the Certificate Group list.

      Specify the Screen's certificate or certificate group (in this case, the certificate or certificate group that includes the remote Administration Station's certificate) and administration IP address in the Screen's Administration Certificate field.

    3. Select the key algorithm that you want to use from the Key Algorithm list.

    4. Select the data algorithm you want to use from the Data Algorithm list.

    5. (For SKIP_VERSION_2 only) Select the MAC algorithm that you want to use from the list of MAC algorithms.

    6. (Optional) Select the tunnel address of the remote Administration Station from the Tunnel list.

  8. Type a description in the Description field.

  9. Select the level of access you wish to authorize for this user from the Access Level list.

    There are five access levels for remote administrators:

      • ALL - The administrator can display and modify all settings for the Screen.

      • STATUS - The administrator can display status information (logs, statistics, status) but cannot display or modify management settings.

      • READ - The administrator can view both the Information and Policy. This level also allows the user to save and clear logs on the Information page. With this access level users cannot modify any Policy data.

      • WRITE - The administrator can perform all operations except modifying the Administration Access rules for any Policy.

      • NONE (Default) - The administrator does not have access.


  10. Click the OK button.

  11. Repeat the previous steps until you have added all the access rules for remote administration.

  12. Click the Save Changes button.

  13. Add the Screen's certificate MKID in the SKIP database of the remote Administration Station, and configure it to use SKIP to communicate with the Screen.

To Specify a SKIP/IPsec/IKE Action on a Remote Access Rule
  1. Execute the steps in "To Modify Rules".

  2. Select the Administration Access tab in the Policy Rules area.

    The Administration Access panel appears.

    Graphic
  3. Click Add New Rule under the Access Rules for Remote Administration area.

    The Remote Access Rules panel appears.

    Graphic
  4. Select IPSEC IKE from the Encryption pulldown.

    The Remote Access Rules panel for IPsec/IKE appears.

    Graphic
  5. (Optional) Type a brief description for this rule.

  6. Select the user or group of administration users to which this access rule applies.

  7. To associate this entry with a specific Screen, choose a Screen from the Screen list.


    Note -

    If you are using the CMG (centralized management group) feature, and this field is left blank or contains an asterisk ("*"), the access rule being defined will, by default, allow access to all Screens in the cluster.


  8. Select the address you want to use from the Address Object list.

  9. Select the level of access you wish to authorize for this user from the Access Level list.

    There are five access levels for remote administrators:

      • ALL - Master administrators, who have the access level ALL, grant the various access levels to the other administrators.

      • STATUS - Status administrators, who have the access level STATUS, can monitor SunScreens but cannot view the policies.

      • READ - Local administrators, who have the access level READ, are users responsible for reviewing their individual Screen's policy. Local administrators are allowed to read policies but cannot change them; to do so they must request changes from executive or master administrators.

      • WRITE - Executive administrators, who have the access level WRITE, can define and change policies.

      • NONE (Default) - The administrator has no access, so this level is not useful for a remote administrator.


  10. Complete Step 11 through Step 17 to define the IPsec transforms (ESP and AH). If IKE negotiates the keys, also complete Step 18 through Step 23.


    Note -

    Remote administration over IKE requires both Step 11 through Step 17 and Step 18 through Step 23.


  11. (IPsec) To define the ESP, click the Edit button.

    The ESP Header panel appears.

    Graphic
  12. (IPsec) Select the Encryption Algorithm to be used. The options are none, Null, DES, 3DES, BLOWFISH, and AES.

  13. (IPsec) Select the Authentication Algorithm to be used. The options are none, MD5, and SHA1.

  14. (IPsec) Click the OK button

  15. (IPsec) To define the authentication header (AH), click the Edit button.

    The AH header appears.

    Graphic
  16. (IPsec) Select the Authentication Algorithm to be used. The options are none, MD5, and SHA1.

  17. (IPsec) Click the OK button

  18. (IKE) Select the Encryption Algorithm to be used. The options are none, Null, DES, 3DES, BLOWFISH, and AES.

  19. (IKE) Select the Hash Algorithm to be used. The options are none, MD5, and SHA1.

  20. (IKE) Select the Oakley Group. The options are 1, 2, and 5.

  21. (IKE) Select the Authentication Method to be used. The options are:

    • RSA-SIGNATURES
    • RSA-ENCRYPTION
    • DSS-SIGNATURES
  22. (IKE) Select the name of the Source Certificate. You can click on the arrow to see a list of certificates that are defined.

  23. (IKE) Click the OK button.
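A pre-activation check of the IPsec and IKE choices made in Step 11 through Step 23, as an added example in plain Python; it is not SunScreen code. The rule is a dictionary whose keys mirror the dialog fields, the two sample rules are constructed, and the judgment that DES, MD5, Null/none and Oakley group 1 are inadequate is the editor's, not the manual's (the dialog offers them for interoperability with older peers). SHA1 is left unflagged because it is the strongest hash the dialog offers.

```python
"""Lint a remote administration rule's IPsec/IKE settings before activating it.
Added example, not SunScreen code. Keys mirror the dialog fields; sample rules are
constructed; which options count as weak is the editor's judgment."""
from typing import Dict, List

WEAK_ENCRYPTION = {"DES": "56-bit key is brute-forceable",
                   "Null": "provides no confidentiality",
                   "none": "provides no confidentiality"}
WEAK_HASH = {"MD5": "collision-broken hash", "none": "provides no integrity protection"}
WEAK_GROUPS = {1: "768-bit MODP group is too small"}
IKE_AUTH_METHODS = ("RSA-SIGNATURES", "RSA-ENCRYPTION", "DSS-SIGNATURES")


def check_remote_access_rule(rule: Dict) -> List[str]:
    """Return findings; an empty list means every check passed."""
    findings: List[str] = []
    if rule.get("access_level", "NONE") == "NONE":
        findings.append("access level NONE (the default): this remote administrator cannot log in")
    if rule.get("address_object", "*") == "*":
        findings.append("address object '*': any source address may attempt remote administration")

    # IPsec transforms (Step 11 through Step 17)
    esp_enc = rule.get("esp_encryption", "none")
    if esp_enc in WEAK_ENCRYPTION:
        findings.append(f"ESP encryption {esp_enc}: {WEAK_ENCRYPTION[esp_enc]}")
    auths = {k: rule.get(k, "none") for k in ("esp_authentication", "ah_authentication")}
    if all(alg == "none" for alg in auths.values()):
        findings.append("neither ESP nor AH authenticates packets: tampering goes undetected")
    for field, alg in auths.items():
        if alg != "none" and alg in WEAK_HASH:
            findings.append(f"{field} {alg}: {WEAK_HASH[alg]}")

    # IKE parameters (Step 18 through Step 23)
    if rule.get("encryption") == "IPSEC IKE":
        ike_enc = rule.get("ike_encryption", "none")
        if ike_enc in WEAK_ENCRYPTION:
            findings.append(f"IKE encryption {ike_enc}: {WEAK_ENCRYPTION[ike_enc]}")
        ike_hash = rule.get("ike_hash", "none")
        if ike_hash in WEAK_HASH:
            findings.append(f"IKE hash {ike_hash}: {WEAK_HASH[ike_hash]}")
        group = rule.get("oakley_group")
        if group in WEAK_GROUPS:
            findings.append(f"Oakley group {group}: {WEAK_GROUPS[group]}")
        if rule.get("authentication_method") in IKE_AUTH_METHODS and not rule.get("source_certificate"):
            findings.append("IKE authentication method selected but no Source Certificate chosen")
    return findings


# Constructed sample rules: the same dialog filled in weakly and then hardened.
WEAK_RULE = {
    "encryption": "IPSEC IKE", "access_level": "WRITE", "address_object": "*",
    "esp_encryption": "DES", "esp_authentication": "MD5", "ah_authentication": "none",
    "ike_encryption": "DES", "ike_hash": "MD5", "oakley_group": 1,
    "authentication_method": "RSA-SIGNATURES", "source_certificate": "",
}
HARDENED_RULE = {
    "encryption": "IPSEC IKE", "access_level": "WRITE", "address_object": "admin-station",
    "esp_encryption": "AES", "esp_authentication": "SHA1", "ah_authentication": "none",
    "ike_encryption": "AES", "ike_hash": "SHA1", "oakley_group": 5,
    "authentication_method": "RSA-SIGNATURES", "source_certificate": "screen-admin-cert",
}
```

Run it against each remote access rule before you click Save Changes; the hardened rule above produces no findings, while the weak one reports the open address object, DES and MD5 in both the IPsec and IKE layers, Oakley group 1, and the missing Source Certificate.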

Network Address Translation (NAT) Rules


Note -

You can use NAT with encryption to provide communication in an encrypted tunnel (secure virtual private network). Encryption at the source tunnel address takes place after the NAT mapping; decryption at the destination tunnel address must take place before the NAT translation.


NAT Mapping Overview

You use the NAT tab to set up mapping rules that translate IP addresses according to specific rules. These rules interpret the source and destination addresses of incoming IP packets, then translate either the apparent source or the intended destination and send the packets on. You can map hosts, lists of addresses, ranges of addresses, or specific groups, depending on what you have configured in your SunScreen installation.

The map used during the translation of a packet consists of rules. In general, you would translate addresses to:

When defining NAT rules, the first rule (lowest number) that matches a packet applies, and no other rules can apply. Therefore, you might define specific rules first, then broader cases later.

You can define the mappings of internal addresses to external addresses. Use the NAT tab in the Policy Rules area of the Policy Rules page to specify the address that is to be translated to a particular address and to specify static mapping or dynamic mapping. For additional information on NAT, see "Network Address Translation" in SunScreen 3.2 Administrator's Overview.

All network address translations take place before a packet is tested against any of the screening rules. In this way, you can define all screening rules using only internal addresses.

NAT Administration Page

The meanings and uses of the specific fields in the NAT page are described in the following table.

Table 3-5 NAT Page Field Explanations

Field 

Use 

Rule Index 

Use this field to assign a number to a rule. By default, this field displays a number that is one greater than the last rule, which indicates the rule is placed at the end of the list. If you type a specific number, the new rule is inserted into that position in the list, and the rules in the policy are consequently renumbered. 

Screen  

Use this field to specify the Screen for which you want the rule to apply. Type a specific Screen name in this field if you use Centralized Management and want a rule to apply to a specific Screen. If a Screen isn't specified, the rule applies for all Screens that are defined. 

If Centralized Management is in place, each NAT rule must be associated explicitly with the Screen to which it applies.

Mapping 

  • Static

    Specify static mapping to set up a one-to-one relationship between two addresses. You can use static mapping to set new apparent IP addresses for hosts on your network without having to reconfigure each host.

  • Dynamic

    Specify dynamic mapping to map source addresses to other addresses in a many-to-one relationship. You can use dynamic mapping to ensure that all traffic leaving the firewall appears to come from a specific address or group of addresses, or to send traffic intended for several different hosts to the same actual IP address.

Source 

Specify the source address to map from an untranslated packet. Source addresses are the actual addresses contained in the packet entering the firewall. 

Destination 

Specify the destination address for the untranslated packet. Destination addresses are the actual addresses contained in the packet entering the firewall. 

Translated Source 

Specify the translated source address for a packet. The address from which the packet appears to originate is the translated source. 

Translated Destination 

Specify the translated destination address for a packet. The translated destination is the actual address where the packet goes after it leaves the firewall. 

You cannot translate both source and destination addresses; that is, you cannot make packets appear to come from a different IP address and simultaneously direct the packets to a different destination. 

Description 

Use this field to provide a description of the rule. 

All static NAT rules are unidirectional. They work precisely as defined and are not interpreted as also applying in the reverse direction. Thus, if you map an internal source address to an external source address and you want the mapping to apply in the reverse direction, you must use a second rule to map the external destination address to the internal destination address explicitly.

Dynamic NAT requires only one rule.

Your NAT Scenario

When building security policies using NAT, define the security policy rules in terms of internal addresses. All packets that are destined for external addresses used in NAT must be routed to the Screen.


Note -

If you use static NAT to map a machine's address, a machine on any other network can initiate traffic to that machine, given a properly defined reverse rule.


In routing mode (unlike stealth mode), the Screen does not automatically answer ARP requests for the translated destination address. Consequently, the Screen must either route to a separate network that contains the destination address, or you must configure a proxy ARP entry manually (see "To Manually Add an ARP Entry").

Static NAT is a one-to-one mapping of the internal address to an external address. Dynamic NAT is many-to-one or many-to-few mapping of internal addresses to an external address.

For more information on NAT and the possible set up, see "Network Address Translation" in SunScreen 3.2 Administrator's Overview. For an example that uses NAT, see SunScreen 3.2 Configuration Examples manual.


Note -

In cases where NAT will occur between the Administration Station and the Screen, do not include the address of a remote Administration Station in any of your NAT rules.


To Manually Add an ARP Entry

    For networks that attach to the Screen on the inside and have NAT mappings applied, use the following command.

    This is recommended for any network on which there are addresses to which you want to allow public access.


    # arp -s IP_Address ether_address pub
    

    You must add this entry each time you reboot the Screen, so you may want to modify a startup script to do this automatically when you reboot.


    Note -

    This entry is not necessary in stealth mode.


    The following information describes how to use the administration GUI. Chapter 10, Using the Command Line Interface contains information about the command line interface.

To Define NAT Rules

When you design a static NAT mapping, be sure that the ranges and groups used in the Source and Translated Source fields and the ranges and groups used in the Destination and Translated Destination fields are exactly the same size.

  1. Execute the steps in "To Modify Rules".

  2. Select the NAT tab in the Policy Rules area.

    The Network Address Translation area is displayed.

    Graphic
  3. Click Add New Rule below the Network Address Translation area.

    The NAT Definition dialog box is displayed.

    Graphic
  4. Select the Screen that should use NAT mapping.

    The default is NAT applied to the policies of all Screens.

  5. Select all four addresses in the NAT Definition dialog box.

  6. Click the OK button.

  7. Repeat the previous steps until you have configured all the rules as required.

  8. Click the Save Changes button to save the edited mappings.

    You must click the Activate button for the changes to take effect.

    In most cases, when you define a static mapping, the internal address and external address are both single addresses.

To Edit the NAT Rules
  1. Execute the steps in "To Modify Rules".

  2. Select the NAT tab in the Policy Rules area.

    The Network Address Translation area appears.

    Graphic
  3. In the Mapping field, select the mapping on the table that you want to edit.

  4. Click the Edit button below the Network Address Translation area.

    The NAT Definition dialog box for that mapping appears.

    Graphic
  5. Select the type of mapping that you want in the Mapping field.

  6. Select the address that you want in the Source field.

    The source address in the Source field should match the packet.

  7. Select the address that you want in the Destination field

    The destination address in the Destination field should match the packet.

  8. Select the translated source that you want.

  9. Select the translated destination that you want.

  10. Click the OK button of the NAT Definition dialog box to save your edits.

  11. Repeat the previous steps until you have edited all the mappings as required.

  12. Click the Save Changes button to save the edited mappings to a file.

    You must click the Activate button for the changes to take effect.

Example: Static NAT of a Host to a Host

The following example translates the source address of laguna to nathost for outgoing traffic, whatever the destination address.

Graphic

Example: Reverse Rule

The following example translates the destination address nathost to laguna for incoming traffic, whatever the source address.


Note -

Although one-way communication is allowed, and one of these rules may be used without the other, it is more common to use both together.


Graphic

Example: Dynamic Translation of a Range Of Addresses to One Host

In the following example, the translation occurs only when the destination matches an address in the internet address group. If the destination is not in this group, the source address is not translated.

Graphic
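The three examples above, evaluated with the rules this chapter states: the first (lowest-index) matching NAT rule applies, a static rule is one-to-one and unidirectional (the reverse rule is a separate rule), a rule translates either the source or the destination but never both, and a static mapping's untranslated and translated objects must be the same size. This is an added example in plain Python, not SunScreen code; the hosts laguna and nathost, the gateway address and the "internet" group are constructed stand-ins, and the deterministic address pick for dynamic mapping stands in for the Screen's own allocation.

```python
"""First-match NAT evaluation with this chapter's constraints. Added example,
not SunScreen code; all addresses and the 'internet' group are constructed."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network, summarize_address_range
from typing import Optional, Tuple


class Addr:
    """An address object: hosts, CIDR blocks or a range. None in a rule field means '*'."""
    def __init__(self, *specs):
        self.nets = [ip_network(s, strict=False) for s in specs]

    @classmethod
    def range(cls, first, last):
        obj = cls()
        obj.nets = list(summarize_address_range(ip_address(first), ip_address(last)))
        return obj

    def __contains__(self, ip):
        return any(ip_address(ip) in n for n in self.nets)

    def __len__(self):
        return sum(n.num_addresses for n in self.nets)

    def expand(self):
        """Every address in order, so static mapping can pair positions one-to-one."""
        return [str(h) for n in self.nets for h in n]


@dataclass
class NatRule:
    mapping: str                                 # "static" or "dynamic"
    source: Optional[Addr]                       # untranslated source, None = *
    destination: Optional[Addr]                  # untranslated destination, None = *
    translated_source: Optional[Addr] = None
    translated_destination: Optional[Addr] = None
    description: str = ""


def validate(rule: NatRule) -> None:
    """Reject rules the NAT tab would not accept."""
    if (rule.translated_source is None) == (rule.translated_destination is None):
        raise ValueError("a rule translates exactly one of source or destination")
    if rule.mapping == "static":
        orig = rule.source if rule.translated_source is not None else rule.destination
        new = rule.translated_source if rule.translated_source is not None else rule.translated_destination
        if orig is None or len(orig) != len(new):
            raise ValueError("static mapping needs equal-sized untranslated and translated objects")
    elif rule.mapping != "dynamic":
        raise ValueError("mapping must be static or dynamic")


def _map(rule: NatRule, orig: Addr, new: Addr, ip: str) -> str:
    if rule.mapping == "static":
        return new.expand()[orig.expand().index(ip)]     # one-to-one, position-preserving
    pool = new.expand()                                  # many-to-one or many-to-few
    return pool[int(ip_address(ip)) % len(pool)]         # deterministic stand-in for the Screen's choice


def translate(rules, src: str, dst: str) -> Tuple[Optional[int], str, str]:
    """Apply the first (lowest-index) matching rule; return (rule index or None, src, dst)."""
    for index, r in enumerate(rules, start=1):
        if (r.source is None or src in r.source) and (r.destination is None or dst in r.destination):
            if r.translated_source is not None:
                return index, _map(r, r.source, r.translated_source, src), dst
            return index, src, _map(r, r.destination, r.translated_destination, dst)
    return None, src, dst


# Constructed stand-ins for the chapter's laguna / nathost examples.
LAGUNA, NATHOST, GATEWAY = "10.1.1.5", "203.0.113.5", "203.0.113.1"
INTERNET = Addr("198.51.100.0/24", "203.0.113.0/24")       # stand-in for the 'internet' address group


def example_policy():
    rules = [
        NatRule("static", Addr(LAGUNA), None, translated_source=Addr(NATHOST),
                description="static NAT of a host to a host: laguna -> nathost, outgoing"),
        NatRule("static", None, Addr(NATHOST), translated_destination=Addr(LAGUNA),
                description="reverse rule: nathost -> laguna, incoming"),
        NatRule("dynamic", Addr.range("10.1.2.1", "10.1.2.50"), INTERNET,
                translated_source=Addr(GATEWAY),
                description="dynamic translation of a range to one host, internet destinations only"),
    ]
    for r in rules:
        validate(r)
    return rules
```

Without the reverse rule (index 2), a packet arriving for nathost matches nothing and is delivered, untranslated, to an address no inside host owns; with it, the two unidirectional rules together give the two-way mapping the note above calls the common case. The dynamic rule shows the last example's point: a packet from the 10.1.2.x range to an inside destination matches no rule and keeps its real source.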

Virtual Private Network (VPN) Rules

Typically, companies use a virtual private network (VPN) when they have offices with networks in more than one location. Usually, those companies want to use an encrypted tunnel through public networks for a secure connection between their own locations or to connect securely with partners. This strategy avoids the need for dedicated lines or any changes to user applications.

You can use a Screen as a VPN gateway on behalf of systems or networks that reside behind the firewall. The Screen then encrypts and encapsulates all packets before they are sent over the Internet. The content of each packet remains private until it arrives at the remote location. Anyone capturing packets between locations will only see encrypted, unreadable packets.

A VPN also enables a site to conceal the details of its own network topology by encrypting the original packets (including their IP headers) and creating new IP headers using addresses specified by the VPN gateway (called tunnel addresses). When these packets arrive at the remote location, the new IP headers are removed. Then, once decryption takes place, the original headers are restored so the packets can reach their intended destination.

VPN rules are a convenience that lets you define and reference a large number of systems or networks using a single VPN name. First, you create VPN rules that define your VPN endpoints under one VPN name. Then, you use that VPN name in a packet filtering rule with the VPN action. This method is particularly convenient when you are referencing groups of networks rather than groups of systems: if the topology of a network changes, you modify only the related VPN rules, not the packet filtering rules. Because you need only one certificate for each VPN rule, certificate management is also much easier.


Note -

SunScreen provides another option for creating a VPN gateway: use the ENCRYPT action on packet filtering rules. In this scenario, you define the encrypted VPN endpoints as part of a regular packet filtering rule. The VPN endpoints typically are single systems, although you can define multiple endpoints using address ranges and groups. This method provides an easy way to accommodate requests for encrypted access between a few systems.


See the SunScreen 3.2 Configuration Examples manual for detailed examples of using VPN rules.

Before You Begin

Before you configure a VPN, you must complete several preliminary tasks:

Once you successfully complete these tasks, set up the VPN by defining VPN gateways and creating packet filtering rules as described in the following sections.

Configuring a VPN

To define the systems that are taking part in a particular VPN, you need to create a VPN gateway for each Screen involved in the VPN. You create these gateway definitions by using the VPN tab in the Policy Rules area of the Policy Rules page.

Each VPN gateway definition associates a particular certificate with a set of hosts that are protected by that gateway. The protected hosts will have traffic protected by that certificate and its private key.

To Add a VPN Gateway Definition
  1. Execute the steps in "To Modify Rules".

  2. Click the VPN tab in the Policy Rules area.

  3. Click the Add New Rule button in the VPN area.

    The VPN Definition dialog box appears.


    The following table describes the controls in the VPN Definition dialog box for defining VPN gateways.

    Table 3-6 Controls in the VPN Definition Dialog Box

    Rule Index: (Optional) Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating that this rule will be placed at the end of the list). Typing a lower number inserts the new rule at the specified position in the list and renumbers the rules currently in the configuration. Rules take effect in order.

    Name: Specifies the name of the VPN to which this gateway belongs. Type the same name in the Name field for each gateway that is in the VPN.

    Description: (Optional) Provides a short description of the VPN gateway.

    Address: Specifies the addresses to be protected by this VPN gateway.

    Encryption: Specifies the type of encryption. Select either SKIP or IPsec IKE.

    Certificate: Specifies the name of the certificate for this VPN gateway.

    Key Algorithm: (SKIP only) Specifies the secret (key) algorithm the VPN uses. All gateways in the same VPN must use the same key algorithm.

    Data Algorithm: (SKIP only) Specifies the data algorithm the VPN uses. All gateways in the same VPN must use the same data algorithm.

    MAC Algorithm: (SKIP only) Specifies the MAC algorithm the VPN uses. All gateways in the same VPN must use the same MAC algorithm.

    Tunnel Address: (SKIP only) Specifies the destination address on the outer (unencrypted) IP packet to which tunnel packets are sent.

  4. In the Name field, type the name of the VPN to which the gateway belongs.

    Type the same name for each gateway to be included in the VPN.

  5. (Optional) Type a description of the VPN gateway in the Description field.

  6. In the Address field, select the addresses to be protected by this VPN gateway.

  7. Select the encryption type. If you select IPsec IKE, the following panel appears. Go to Step 13 below for the IPsec IKE definitions.

  8. In the Certificate field, select the gateway's Certificate ID.

  9. In the Key Algorithm field, select the key algorithm (or "none") to be used by the VPN.

    All gateways in the same VPN must use the same key algorithm.

  10. In the Data Algorithm field, select the data algorithm (or "none") to be used by the VPN.

    All gateways in the same VPN must use the same data algorithm.

  11. In the MAC Algorithm field, select the MAC algorithm (or "none") to be used by the VPN.

    All gateways in the same VPN must use the same MAC algorithm.

  12. In the Tunnel Address field, select the tunnel address to be used by the VPN.

  13. If you selected IPSEC IKE for encryption, you can select the algorithms to be used as follows:

    1. Click the ESP Edit button to define the ESP header encryption and authentication algorithms.

    2. Click the AH Edit button to define authentication headers.

    3. Select the Encryption Algorithm for IKE. The options are none, null, DES, 3DES, BLOWFISH, or AES.

    4. Select the Hash Algorithm. The options are MD5 or SHA1.

    5. Select the Oakley Group. The options are 1, 2, or 5.

    6. Select the Authentication Method. The options are RSA-SIGNATURES, or DSS-SIGNATURES.

    7. Select the Source Certificate. Click the arrow to see a list of available IKE certificates.

  14. Click the OK button.


Note -

Repeat Step 3 through Step 14 to define a VPN gateway for each Screen in the VPN. To make sure they are all included in this particular VPN, be sure to give all of them the same VPN name.


To Create Packet Filtering Rules for a VPN

To use the VPN you have defined by creating VPN gateways, perform the following steps to add packet filtering rules:

  1. Execute the steps in "To Modify Rules".

  2. Click the Packet Filtering tab of the Policy Rules area.

  3. Click the Add New Rule button at the bottom of the rules.

    The Rule Definition dialog box appears.

  4. Type the information into the fields as desired.

    You may use the asterisk, or wildcard, character ("*") in the source and destination fields. Using a wildcard will check all traffic to see if it is part of the specified VPN.

    Select VPN in the action field. When the Action Details dialog box requires a VPN, select the name of the VPN used when defining the VPN gateways.


    The one VPN-based rule will then generate all the VPN gateway pair-wise rules so that the hosts at each site can communicate with each other securely. Any host that cannot be secured (for example, if it is not protected by a VPN gateway) will not be allowed to communicate by the VPN-based rule. You can create a rule that allows that particular host to communicate, but you must set that up separately and explicitly.

  5. Click the OK button for both the Action Details and the Add Rule dialog boxes.


    Note -

    If you did not use "*" for source, destination, and service, repeat steps 2 through 4 for any additional rules. You must add VPN rules for each Screen that is part of the VPN.
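As an added illustration (not SunScreen code), the following Python models how the VPN name ties the gateway definitions from Table 3-6 to a single VPN-action rule: the one rule expands into pair-wise gateway (tunnel address) rules as described in step 4, a host not behind any gateway gets no tunnel, and gateways in one VPN must agree on key, data and MAC algorithms. The gateway names, certificate names, addresses and algorithm strings are constructed sample values.

```python
# Added example, not SunScreen code: one VPN-action rule expanding into
# pair-wise gateway rules, plus the same-algorithm check from Table 3-6.
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from itertools import permutations


@dataclass(frozen=True)
class VpnGateway:
    vpn: str          # VPN Name; every gateway with this name is in the VPN
    addresses: tuple  # protected hosts/networks, as CIDR strings
    certificate: str  # certificate that protects their traffic
    key_alg: str      # SKIP key algorithm
    data_alg: str     # SKIP data algorithm
    mac_alg: str      # SKIP MAC algorithm
    tunnel: str       # destination address on the outer (unencrypted) header


def validate_vpn(name, gateways):
    """Table 3-6 rule: all gateways in one VPN share key, data and MAC algorithms."""
    members = [g for g in gateways if g.vpn == name]
    if len({(g.key_alg, g.data_alg, g.mac_alg) for g in members}) > 1:
        raise ValueError(f"VPN {name}: gateways disagree on algorithms")
    return members


def pairwise_rules(name, gateways):
    """Ordered (source, destination) tunnel pairs one VPN action expands into."""
    members = validate_vpn(name, gateways)
    return [(a.tunnel, b.tunnel) for a, b in permutations(members, 2)]


def gateway_for(host, members):
    """Return the gateway whose protected Address set contains host, or None."""
    addr = ip_address(host)
    return next((g for g in members
                 if any(addr in ip_network(n) for n in g.addresses)), None)


def tunnel_for(src, dst, name, gateways):
    """Outer (tunnel) addresses that carry src -> dst, or None when either
    host is unprotected or both sit behind the same gateway."""
    a, b = (gateway_for(h, validate_vpn(name, gateways)) for h in (src, dst))
    return None if a is None or b is None or a is b else (a.tunnel, b.tunnel)


# Constructed sample: two Screens in the VPN "corp-vpn"; addresses are
# documentation ranges and algorithm names are illustrative only.
GATEWAYS = [
    VpnGateway("corp-vpn", ("10.1.0.0/16",), "hq-cert",
               "DH", "3DES", "MD5", "192.0.2.1"),
    VpnGateway("corp-vpn", ("10.2.0.0/16", "10.3.0.0/24"), "branch-cert",
               "DH", "3DES", "MD5", "198.51.100.1"),
]
```

A host such as 172.16.0.1 that sits behind no gateway gets no tunnel from the VPN rule, which is the case the text says must be handled by a separate, explicit rule.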