Virtual Private Network (VPN) Rules

Typically, companies use a virtual private network (VPN) when they have offices with networks in more than one location. Usually, those companies want to use an encrypted tunnel through public networks for a secure connection between their own locations or to connect securely with partners. This strategy avoids the need for dedicated lines or any changes to user applications.

You can use a Screen as a VPN gateway on behalf of systems or networks that reside behind the firewall. The Screen then encrypts and encapsulates all packets before they are sent over the Internet. The content of each packet remains private until it arrives at the remote location. Anyone capturing packets between locations will only see encrypted, unreadable packets.

A VPN also enables a site to conceal the details of its own network topology by encrypting the original packets (including their IP headers) and creating new IP headers using addresses specified by the VPN gateway (called tunnel addresses). When these packets arrive at the remote location, the new IP headers are removed. Then, once decryption takes place, the original headers are restored so the packets can reach their intended destination.

VPN Rules are a convenience that allows you to easily define and reference a large number of systems or networks using a single VPN name. First, you create VPN rules which define your VPN endpoints and give the definition for a VPN name. Then, you use the VPN name as part of a Packet Filtering rule with the VPN action. This method is particularly convenient where you are referencing groups of networks as opposed to groups of systems. Then, if the topographical details of a network changes, you only have to modify the related VPN rules and not the Packet Filtering rules. Since you only need one certificate for each VPN rule, certificate management is much easier.

SunScreen provides another option for creating a VPN gateway: Use the ENCRYPT action on Packet Filtering rules. In this scenario, you define the encrypted VPN endpoints as part of a regular Packet Filtering rule. The VPN endpoints typically are single systems although you can define multiple endpoints using Address ranges and groups. This method provides an easy way to accommodate requests for encrypted access between a few systems

See the SunScreen 3.2 Configuration Examples manual for detailed examples of using VPN rules.

Before You Begin

Before you configure a VPN, you must complete several preliminary tasks:

• Install the SunScreen software on all Screens involved in the VPN.

  For detailed information on Screen installation, refer to the SunScreen Installation Guide.

  ---

  Note -

  Each Screen must have its own local certificate.

  If you install a Screen with remote administration, this certificate is generated automatically. If not, refer to "To Generate SKIP UDHs Certificates" for details on how to create this certificate if you are using SKIP or to "To Generate an IKE Certificate" if you are using IKE.

  ---

• Add a certificate object to each Screen for every other Screen in the VPN.

  For more information on adding certificates, refer to "To Associate SKIP Certificate" if you are using SKIP or to."To Associate an IKE Certificate" if you are using IKE.

• Create Address objects (host, group, or range) on each Screen for any address in the VPN, including an Address object for each Screen as well.

  Refer to "Address Objects" for more information.

Once you successfully complete these tasks, set up the VPN by defining VPN gateways and creating packet filtering rules as described in the following sections.

Configuring a VPN

To define the systems that are taking part in a particular VPN, you need to create a VPN gateway for each Screen involved in the VPN. You create these gateway definitions by using the VPN tab in the Policy Rules area of the Policy Rules page.

Each VPN gateway definition associates a particular certificate with a set of hosts that are protected by that gateway. The protected hosts will have traffic protected by that certificate and its private key.

To Add a VPN Gateway Definition

1. Execute the steps in "To Modify Rules".

2. Click the VPN tab in the Policy Rules area.

   

3. Click the Add New Rule button in the VPN area.

   The VPN Definition dialog box appears.

   

   The following table describes the controls in the VPN Definition dialog box for defining VPN gateways.

   Table 3-6 Controls in the VPN Definition Dialog Box

   Control	Descriptions
   Rule Index	(Optional) Assigns a number to a rule. By default, this field displays a number one greater than the last rule (indicating this rule will be placed the end of the list). Typing a lower number inserts the new rule into the specified position in the list and renumbers the rules currently in the configuration. Rules take effect in order.
   Name	Specifies the Name of the VPN to which this gateway belongs. Type the same name in the Name field for each gateway that is in the VPN.
   Description	(Optional) Provides a short description of the VPN gateway.
   Address	Specifies the addresses to be protected by this VPN gateway.
   Encryption	Specifies the type of encryption. Select either SKIP or IPsec IKE.
   Certificate	Specifies the name of the certificate for this VPN gateway.
   Key Algorithm	(SKIP only) Specifies the secret (key) algorithm the VPN uses. All gateways in the same VPN must use the same (key) algorithm.
   Data Algorithm	(SKIP only) Specifies the data algorithm the VPN uses. All gateways in the same VPN must use the same data algorithm.
   MAC Algorithm	(SKIP only) Specifies the MAC algorithm the VPN uses. All gateways in the same VPN must use the same MAC algorithm.
   Tunnel Address	(SKIP only) Specifies the destination address on the outer (unencrypted) IP packet to which tunnel packets are sent.

4. In the Name field, type the name of the VPN to which the gateway belongs.

   Type the same name for each gateway to be included in the VPN.

5. (Optional) Type a description of the VPN gateway in the Description field.

6. In the Address field, select the addresses to be protected by this VPN gateway.

7. Select the encryption type. If you select IPSEC IKE, the following panel appears. Go to Step 13 below for the IPsec IKE definitions

8. In the Certificate field, select the gateway's Certificate ID.

9. In the Key Algorithm field, select the key algorithm (or "none") to be used by the VPN.

   All gateways in the same VPN must use the same key algorithm.

10. In the Data Algorithm field, select the data algorithm (or "none") to be used by the VPN.

    All gateways in the same VPN must use the same data algorithm.

11. In the MAC Algorithm field, select the MAC algorithm (or "none") to be used by the VPN.

    All gateways in the same VPN must use the same MAC algorithm.

12. In the Tunnel Address field, select the tunnel address to be used by the VPN.

13. If you selected IPSEC IKE for encryption, you can select the algorithms to be used as follows:

    

    1. Click the ESP Edit button to define the ESP header encryption and authentication algorithms.

       

    2. Click the AH Edit button to define authentication headers.

       

    3. Select the Encryption Algorithm for IKE. The options are none, null, DES, 3DES, BLOWFISH, or AES.

    4. Select the Hash Algorithm. The options are MD5 or SHA1.

    5. Select the Oakley Group. The options are 1, 2, or 5.

    6. Select the Authentication Method. The options are RSA-SIGNATURES, or DSS-SIGNATURES.

    7. Select the Source Certificate. Click the arrow to see a list of available IKE certificated.

14. Click the OK button.

Repeat Step 3 through Step 14 to define a VPN gateway for each Screen in the VPN. To make sure they are all included in this particular VPN, be sure to give all of them the same VPN name.

To Create Packet Filtering Rules for a VPN

To use the VPN you have defined by creating VPN gateways, perform the following steps to add packet filtering rules:

1. Execute the steps in "To Modify Rules".

2. Click the Packet Filtering tab of the Policy Rules area.

   

3. Click the Add New Rule button at the bottom of the rules.

   The Rule Definition dialog box appears.

   

4. Type the information into the fields as desired.

   You may use the asterisk, or wildcard, character ("*") in the source and destination fields. Using a wild card will check all traffic to see if it is part of the specified VPN.

   Select VPN in the action field. When the Action Details dialog box requires a VPN, select the name of the VPN used when defining the VPN gateways.

   

   The one VPN-based rule will then generate all the VPN gateway pair-wise rules so that the hosts at each site can communicate with each other securely. Any host that cannot be secured (for example, if it is not protected by a VPN gateway) will not be allowed to communicate by the VPN-based rule. You can create a rule that allows that particular host to communicate, but you must set that up separately and explicitly.

5. Click the OK button for both the Action Details and the Add Rule dialog boxes.

   ---

   Note -

   If you did not use "*" for source, destination, and service, repeat steps 2 through 4 for any additional rules. You must add VPN rules for each Screen that is part of the VPN.

   ---