SunScreen 3.2 Administration Guide

Virtual Private Network (VPN)

To Add a VPN Gateway

Setting up a VPN requires you to have a certificate per Screen and to define the address groups involved. For descriptions and concepts of the virtual private network, see "Encryption, Tunneling, and Virtual Private Networks" in SunScreen 3.2 Administrator's Overview.

  1. At the command line prompt, type:


    edit> add vpngateway vpn-net addrgrp-a SKIP cert-a KEY DES-CBC DATA RC4-40 MAC MD5 COMPRESSION NONE
    

    Where:

    • vpn-net is the name of the VPN

    • addrgrp-a is an address group that uses the following certificate

    • SKIP cert-a is the certificate

    If you are using a tunnel address, append TUNNEL address_name to the add/replace.

    To set up the VPN completely, you should have all the certificates, address groups, and VPN gateways defined on each Screen. In a VPN configuration that connects two networks, you would see something like the following:


    edit> list vpngateway
    1 "vpn-net" "addrgrp-a" SKIP "cert-a" KEY "DES-CBC" DATA "RC4-40" MAC "MD5" COMPRESSION "NONE"
    2 "vpn-net" "addrgrp-b" SKIP "cert-b" KEY "DES-CBC" DATA "RC4-40" MAC "MD5" COMPRESSION "NONE"

  2. Create an address group to contain the address groups for both networks, for example:


    edit> add address vpn-grp GROUP { addrgrp-a addrgrp-b } {}
    

  3. Define a rule to specify the VPN gateway:


    edit> add rule common vpn-grp vpn-grp ALLOW VPN vpn-net
    
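As an added check, not part of the guide: the following Python parses `list vpngateway` output in the format shown in step 1 and reports gateway entries that disagree on algorithms or reuse an address group or certificate within one VPN. The sample listing is constructed (entries 1 and 2 are the guide's, entry 3 is a deliberate mismatch), and the rule that all gateways of one VPN share a single algorithm set is an assumption taken from the guide's example.

```python
import re
from collections import defaultdict

# Constructed sample of `list vpngateway` output in the format shown on this page:
# entries 1 and 2 are the guide's own; entry 3 is a deliberate mismatch.
SAMPLE_LISTING = """
1 "vpn-net" "addrgrp-a" SKIP "cert-a" KEY "DES-CBC" DATA "RC4-40" MAC "MD5" COMPRESSION "NONE"
2 "vpn-net" "addrgrp-b" SKIP "cert-b" KEY "DES-CBC" DATA "RC4-40" MAC "MD5" COMPRESSION "NONE"
3 "vpn-net" "addrgrp-c" SKIP "cert-b" KEY "DES-CBC" DATA "RC4-128" MAC "MD5" COMPRESSION "NONE"
"""

# One quoted field per element of the add vpngateway syntax on this page.
ENTRY_RE = re.compile(
    r'^(?P<idx>\d+)\s+"(?P<vpn>[^"]+)"\s+"(?P<addrgrp>[^"]+)"\s+SKIP\s+"(?P<cert>[^"]+)"'
    r'\s+KEY\s+"(?P<key>[^"]+)"\s+DATA\s+"(?P<data>[^"]+)"\s+MAC\s+"(?P<mac>[^"]+)"'
    r'\s+COMPRESSION\s+"(?P<comp>[^"]+)"\s*$'
)

def parse_listing(text):
    """Parse `list vpngateway` output into one dict per gateway entry."""
    entries = []
    for line in filter(str.strip, text.splitlines()):
        m = ENTRY_RE.match(line.strip())
        if m is None:
            raise ValueError("unrecognised vpngateway line: %r" % line)
        entry = m.groupdict()
        entry["idx"] = int(entry["idx"])
        entries.append(entry)
    return entries

def check_vpn(entries):
    """Return human-readable findings; an empty list means the VPN is consistent."""
    findings = []
    by_vpn = defaultdict(list)
    for e in entries:
        by_vpn[e["vpn"]].append(e)
    for vpn, gws in by_vpn.items():
        # Assumption: every gateway in a VPN uses one algorithm set, as the guide's example does.
        algos = {(g["key"], g["data"], g["mac"], g["comp"]) for g in gws}
        if len(algos) > 1:
            findings.append("%s: gateways disagree on algorithms: %s" % (vpn, sorted(algos)))
        # Each address group and each certificate should belong to exactly one gateway.
        for field in ("addrgrp", "cert"):
            owners = defaultdict(list)
            for g in gws:
                owners[g[field]].append(g["idx"])
            for value, idxs in owners.items():
                if len(idxs) > 1:
                    findings.append("%s: %s %r reused by entries %s" % (vpn, field, value, idxs))
    return findings
```

Run `check_vpn(parse_listing(...))` against the output captured from each Screen; the two Screens should produce identical, finding-free results before the rule in step 3 is added.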

To Replace a VPN Gateway

VPN gateways are stored as an ordered list; the number given to replace (and to del) is the entry's position as shown by list vpngateway.

    To change values, at the command line prompt, type (for example):


    edit> replace vpngateway 1 vpn-net addrgrp-a SKIP cert-new KEY DES-CBC DATA RC4-40 MAC MD5 COMPRESSION NONE
    

To Remove a VPN Gateway

To remove a VPN gateway, you must delete both the rules that reference it and the VPN gateway object itself.

    At the command line prompt, type (for example):


    edit> del vpngateway 1