A VPN is a group of Screens that transfer encrypted data among themselves. A VPN simulates a private network using a public network, with IP-level encryption providing privacy.
A VPN object in SunScreen--called a "VPN" in this document--is not a virtual private network as generally defined in the firewall industry. It is a mechanism for implementing SunScreen's version of a VPN.
After a VPN has been defined, you can refer to it when adding rules to your security policy. This means you can define your security policy with fewer rules. The system automatically generates the multiple rules that the VPN defines.
In defining a VPN:
Choose a name. This name is used in the Name field in the VPN gateway entries. It is also used in any policy rules that refer to this VPN.
Define a VPN gateway object for each Screen in a VPN. You define VPN gateway objects in the administration GUI through the VPN tab in the Policy Rules page.
When defining a VPN gateway object (one for each Screen in the VPN's list of Screens), specify the following information:
Rule Index (Optional) - Assigns a number to the VPN gateway entry. This affects the position within the VPN gateway list. By default, the GUI will place new entries at the end of the current list. Because SunScreen uses ordered rules, be sure to place the rule in the order in which you want it to take effect. See "Stateful Packet Filtering" for a description of ordered rules within SunScreen.
Name - The name of the VPN of which this VPN gateway is a member. Use the name you chose for the VPN.
Address - The addresses protected by this Screen. Generally, this address will be the same as one of the interface addresses for this Screen.
You can use any address in VPN rules, but the rule applies only to traffic whose addresses are both covered by a VPN gateway entry and matched by the address specified in the rule. The simplest rule uses * for the source and destination address. This rule allows encrypted use of the specified service for all addresses in the VPN.
Certificate - The certificate used for this Screen when encrypting packets to other Screens in the VPN. For a particular VPN, all certificates must refer to keys of the same strength (for example, 512-, 1024-, 2048-, or 4096-bit Diffie-Hellman keys).
Key Algorithm - The key algorithm that is used when encrypting packets to other Screens in the VPN. This field must be identical in all VPN gateway entries with the same VPN name.
Data Algorithm - The data algorithm that is used when encrypting packets to other Screens in the VPN. This field must be identical in all VPN gateway entries with the same VPN name.
MAC Algorithm - The MAC algorithm that is used when encrypting packets to other Screens in the VPN. This field must be identical in all VPN gateway entries with the same VPN name.
Tunnel Address - The Screen's tunnel address that is used when encrypting packets to other Screens in the VPN.
Description - Optionally, provide a short description of this VPN gateway entry.
See ssadm-rule(1m) for information about VPNs using IPsec/IKE.
The site shown in Figure 6-3 has ten Screens. One of the systems protected by each Screen is a mail server. Assume that your security policy allows the exchange of encrypted mail between all these mail servers and you want to define rules to allow SMTP between all of the mail servers.
Without a VPN, you must define nine rules on each Screen for each mail server to send mail encrypted to the other nine mail servers. Because you have ten mail servers, you must define a total of 90 rules. If, instead, you defined a VPN, you only need a single rule: one that allows the mail servers to send mail to the other mail servers using the VPN. Because you have ten Screens in the VPN, you must define ten VPN gateway entries.
Looking at this example in detail, the figure below shows the configuration. In this example, the name for the VPN is "ourVPN." The Screens are labeled Screen1 through Screen10. The mail servers behind them are labeled mail1 through mail10 and are part of network1 through network10.
Once you have defined the VPN objects, as shown in the figure below, you can use the VPN in any rule. Select VPN as the action for the data between the sender and the SMTP server, and specify the name of the VPN.
Assuming an address group named MailServers containing all the mail servers exchanging encrypted mail, define the rule in the Rule Definition dialog box shown in the figure below.
The VPN rule appears on the Packet Filtering tab of the Policy Rules page. The more restrictive a rule is, the earlier it should be ordered in the list of rules because the rules take effect in order. The more restrictive VPN rule comes before the more general rule and so will take effect earlier.
There is no limit to the number of VPNs to which a Screen can belong. For example, you can define two VPNs--one for encryption at 1024 bits, and one for encryption at 4096 bits. A single Screen can belong to both of those VPNs: one entry specifying the 1024-bit certificate, and the other specifying the 4096-bit certificate.
Currently, the VPN object has the following limitation:
The key, data, and MAC algorithms must be the same for all gateways within a VPN.
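The following Python script is an added example, not part of the SunScreen documentation or product. It models the VPN gateway fields described above with a constructed data class of this example's own design (the field names, the Screen labels and the placeholder algorithm names are not SunScreen identifiers), checks the constraints the text states (identical key, data and MAC algorithms and equal certificate key strength within one VPN name), applies the Rule Index ordering described for the gateway list, and expands one VPN rule into the pairwise rules it stands for, which reproduces the 90-rules-versus-10-entries count from the mail-server example.

```python
from collections import defaultdict
from dataclasses import dataclass
from itertools import permutations
from typing import List, Optional, Tuple

# Constructed model of a VPN gateway entry, mirroring the fields listed in the
# text. The field names are this example's own, not SunScreen's internal ones.
@dataclass(frozen=True)
class VpnGateway:
    name: str                      # VPN name this entry belongs to
    screen: str                    # constructed label for the Screen
    address: str                   # addresses protected by this Screen
    cert_key_bits: int             # strength of the key the certificate refers to
    key_algorithm: str             # must match across the VPN
    data_algorithm: str            # must match across the VPN
    mac_algorithm: str             # must match across the VPN
    tunnel_address: str            # the Screen's tunnel address
    rule_index: Optional[int] = None  # optional; None means "append at end"


def validate_vpn(gateways: List[VpnGateway]) -> List[str]:
    """Return the problems found in a set of VPN gateway entries.

    Within one VPN name the key, data and MAC algorithms must be identical on
    every entry, and all certificates must refer to keys of the same strength.
    """
    problems = []
    by_vpn = defaultdict(list)
    for gw in gateways:
        by_vpn[gw.name].append(gw)
    for vpn_name, entries in by_vpn.items():
        for field in ("key_algorithm", "data_algorithm",
                      "mac_algorithm", "cert_key_bits"):
            values = {getattr(gw, field) for gw in entries}
            if len(values) > 1:
                problems.append(
                    f"{vpn_name}: {field} differs across gateways: "
                    f"{sorted(str(v) for v in values)}")
    return problems


def order_gateways(gateways: List[VpnGateway]) -> List[VpnGateway]:
    """Order entries as the Rule Index field describes: explicit indexes first,
    in numeric order; entries without an index keep their insertion order at
    the end of the list."""
    indexed = sorted((gw for gw in gateways if gw.rule_index is not None),
                     key=lambda gw: gw.rule_index)
    unindexed = [gw for gw in gateways if gw.rule_index is None]
    return indexed + unindexed


def expand_vpn_rule(gateways: List[VpnGateway], vpn_name: str,
                    service: str = "smtp") -> List[Tuple[str, str, str]]:
    """Expand one VPN rule into the (source, destination, service) rules it
    implies: one per ordered pair of distinct gateways in the named VPN."""
    members = [gw for gw in gateways if gw.name == vpn_name]
    return [(a.address, b.address, service) for a, b in permutations(members, 2)]


def build_example_vpn(count: int = 10) -> List[VpnGateway]:
    """Constructed 'ourVPN' with Screen1..Screen10 protecting network1..network10.
    Algorithm names and addresses are placeholders, not real SunScreen values."""
    return [
        VpnGateway(name="ourVPN", screen=f"Screen{i}", address=f"network{i}",
                   cert_key_bits=1024, key_algorithm="key-alg-placeholder",
                   data_algorithm="data-alg-placeholder",
                   mac_algorithm="mac-alg-placeholder",
                   tunnel_address=f"192.0.2.{i}")   # documentation range
        for i in range(1, count + 1)
    ]


if __name__ == "__main__":
    vpn = build_example_vpn()
    print("problems:", validate_vpn(vpn))
    print("gateway entries:", len(vpn))
    print("pairwise rules implied:", len(expand_vpn_rule(vpn, "ourVPN")))
```

Running the script reports no problems for the ten consistent entries and 90 implied pairwise rules from the single VPN rule; changing one entry's data algorithm or certificate strength makes `validate_vpn` flag the mismatch, which is the limitation stated above.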