A VPN object in SunScreen--called a "VPN" in this document--is not a virtual private network as generally defined in the firewall industry. It is a mechanism for implementing SunScreen's version of a VPN.
After a VPN has been defined, you can refer to it when adding rules to your security policy. This means you can define your security policy with fewer rules. The system automatically generates the multiple rules that the VPN defines.
In defining a VPN:
When defining a VPN gateway object, which is a list of Screens, specify the following information:
Rule Index (Optional) - Assigns a number to the VPN gateway entry. This affects the position within the VPN gateway list. By default, the GUI will place new entries at the end of the current list. Because SunScreen uses ordered rules, be sure to place the rule in the order in which you want it to take effect. See "Stateful Packet Filtering" for a description of ordered rules within SunScreen.
You can use any address in the VPN rules. Only addresses that interact with a VPN gateway and the address specified in the rule will apply. The simplest rule uses * for the source and destination address. This rule allows encrypted use of the specified service for all addresses in the VPN.
Certificate - The certificate used for this Screen when encrypting packets to other Screens in the VPN. For a particular VPN, all certificates must refer to keys of the same strength (for example, 512-, 1024-, 2048-, or 4096-bit Diffie-Hellman keys).
See ssadm-rule(1m) for information about VPNs using IPsec/IKE.
The site shown in Figure 6-3 has ten Screens. One of the systems protected by each Screen is a mail server. Assume that your security policy allows the exchange of encrypted mail between all these mail servers and you want to define rules to allow SMTP between all of the mail servers.
Without a VPN, you must define nine rules on each Screen for each mail server to send mail encrypted to the other nine mail servers. Because you have ten mail servers, you must define a total of 90 rules. If, instead you defined a VPN, you only need a single rule: one that allows the mail servers to send mail to the other mail servers using the VPN. Because you have ten Screens in the VPN, you must define ten VPN gateway entries.
Looking at this example in detail, the figure below shows the configuration. In this example, the name for the VPN is "ourVPN." The Screens are labeled Screen1 through Screen10. The mail servers behind them are labeled mail1 through mail10 and are part of network1 through network10.
Once you have defined the VPN objects, as shown in the figure below, you can use the VPN in any rule. Select VPN as the action for the data between the sender and the SMTP server, and specify the name of the VPN.
The VPN rule appears on the Packet Filtering tab of the Policy Rules page. The more restrictive a rule is, the earlier it should be ordered in the list of rules because the rules take effect in order. The more restrictive VPN rule comes before the more general rule and so will take effect earlier.
There is no limit to the number of VPNs to which a Screen can belong. For example, you can define two VPNs--one for encryption at 1024 bits, and one for encryption at 4096 bits. A single Screen can belong to both of those VPNs: one entry specifying the 1024-bit certificate, and the other specifying the 4096-bit certificate.
The key, data, and MAC algorithms must be the same for all gateways within a VPN.