Chapter 9 SunScreen and Windows 2000 IKE Interoperability

This chapter provides some examples of how you can make a SunScreen firewall and a machine running Windows 2000 communicate with each other using IKE. SunScreen 3.2 and Windows 2000 each support the following IKE features:

• Preshared Keys - These keys act like a password to authenticate the communicating endpoints during IKE negotiation.

• Signed X.509 Certificates - These are certificates signed by a Certificate Authority (CA) as opposed to the self-signed Diffie-Hellman certificates supported by SunScreen (but not Windows 2000).

This chapter provides examples that illustrate the use of both interoperabilty features. You can find command line examples of using IKE in the IKE Policy Rule Syntax section of the Command Line Interface chapter of the SunScreen 3.2 Administrators Guide.

Network Example

Figure 9-1 shows a SunScreen communicating with a Windows 2000 systems over the Internet. The Screen is using IKE preshared keys and also using signed certificates. Some of the CAs supported by Windows 2000 are also shown. SunScreen does not restrict the use of CAs to these authorities.

In this example, the Screen is communicating with one Windows 2000 system using an IKE preshared key and is also communicating with another system using CA signed certificates.

Figure 9-1 Windows 2000-SunScreen Interoperability

Using Preshared Keys

Preshared keys function as a type of password which authenticates each side of a communications channel during IKE negotiation. The actual preshared key (an ASCII text string) is not sent over the wire but a hash of it is used instead. Once the IKE parameters are successfully negotiated, regular secure communications can proceed. While this authentication method is simple to set up, it typically does not scale well.

Certain SunScreen features like remote administration require the use of certificates. So, you cannot use a Windows 2000 system to remotely administer a Screen using preshared keys.

Configuring the Screen to Use Preshared Keys

This sections describes how you set up SunScreen to use IKE preshared Keys.

Set Up the Screen

1. Select and edit the appropriate policy.

2. Define an IPsec Key Common Object.

   ---

   Note -

   This is an optional step as you can also enter a preshared key directly into a field on the Rule Definition Action Details window.

   ---

   In the Common Object panel select IPsec Key and New; the IPsec Key dialog appears (see Figure 9-2).

   Figure 9-2 IPsec Key Dialog Window

   
   

3. Fill in the required fields

   Provide a Name and Description for the object as well as selecting the desired key size from the Key Size list. If you were using a preshared key generated by another system, you could type the key into the Key field. If you were using SunScreen to generate the key, you would click the Generate New Key button. The key does not have to be numeric, so you could for instance use a phrase.

4. Define the required Address objects.

   In this example, you would define HOST type Address objects for the following systems: bos-host5, sf-w2kremote, and sf-w2k1.

5. Create a Packet Filtering rule that allows encrypted communication between the systems using the IKE preshared key.

   In this example, telnet is the required service but it could be any service. The way you define the rule is similar to other IKE encryption rules except that the Authentication Method is PRE-SHARED (for more details on defining Packet Filtering IKE rules, see "Create Packet Filtering Rules with the ENCRYPT action".) See Figure 9-3 for an example of what the Rule Definition and Action Details windows would look like.

   Figure 9-3 Rule Definition Windows for PreShared Key

   
   

   ---

   Note -

   The Oakley Group field on the Screen and the DH Group field on the Windows 2000 system must use the same value.

   ---

6. Click the Options tab and select the IKE mode.

   Your choices are Tunnel or Transport mode. Tunnel mode encapsulates and encrypts the entire packet including the IP header for maximum security. Transport mode encapsulates and encrypts only the data portion of the IP packet resulting in smaller packets and potentially better throughput as the Screen is relieved of the overhead of decrypting the IP header. SunScreen and Windows 2000 both support IKE Transport and Tunnel modes.

   If you choose Tunnel mode, you can supply the Source and Destination Tunnel addresses. You can also supply Source and Destination Screens. If you choose Transport mode, you can only specify Source and Destination Screens.

   If the Source Address is the Screen, specify the Screen object in the Source Screen field. If the Destination Address is the Screen, specify the Screen object in the Destination Screen field.

7. Save and activate the policy.

Configuring the Windows 2000 System to Use Preshared Keys

See the Windows 2000 online help for specific instructions on how to create a Security Policy with an IKE filter that uses preshared keys. You can also refer to the Microsoft White Paper How to Configure IPSec Tunneling in Windows 2000 which is available from their web site.

When you create the Security Policy, make sure all the IKE parameters on the Windows system match the IKE parameters on the Screen, including:

• ESP and/or AH

• Encryption Algorithm

• Hash Algorithm

• Authentication Method

Make sure he the DH Group value is the same as the Oakley Group value on the Screen. Lastly, use the same preshared key as the key used on the Screen.

Windows 2000 uses an ACSII character string to specify the preshared key. SunScreen uses an ASCII hexidecimal string for the same purpose. For example, if you specified the preshared key as ABC on the Windows 2000 system, you would specify the same key as 414243 on the SunScreen system.

Using CA Signed Certificates

A more secure method than using preshared keys is using CA signed X.509 certificates. These certificates must be digitally signed by a Certificate Authority (CA) supported by both the Windows 2000 system and the SunScreen system. Currently, Microsoft supports certificates signed by its own Windows 2000 Server CA as well as a number of public CA authorities (see the Trusted CA Authorities list on Windows 2000, all of these vendors qualify as Root CAs). You can also use non-public CA's like Netscape Certificate server, if you import the CA's root Ccertificate into the Windows 2000 Trusted Root Certificate store. Self signed certificates are not supported by Microsoft

Each side must be able to follow each signed certificate up its certificate chain to the Root CA. They accomplish verification by having the Root CA's certificate in a special certificate store (the IKE root CA certificates GROUP certificate object on the Screen and the Trusted Root Certificate store on the Windows 2000 system). Because both systems must use certificates signed by a CA common to both systems, you cannot use self signed DH certificates to interoperate with Windows 2000.

Certificates are necessary in order to have a Windows 2000 system act as a remote Administration Station managing a Screen.

Configuring the Screen to Use CA Signed Certificates

The following sections describe how you would set up the Screen and the Windows 2000 system to interoperate.

Set Up the Screen

1. Generate a Certificate Signing Request

   1. From the Common Objects panel, select Generate IKE Certificate

   2. When the IKE Certificate dialog appears, click the Generate CA Request button; see Figure 9-4

      Figure 9-4 Generate CA Signing Request

      
      

   3. Fill in the required fields.

      Type in a Distinguished Name and make sure that the Encryption Type and Key Size match the related parameters used by the Windows 2000 system for its own certificate.

   4. Click the Generate button.

      SunScreen generates a Certificate Signing Request (CSR) and also creates and stores a private key. The following figure shows the CSR.

      Figure 9-5 IKE CA Certificate Signing Request

      
      

      You can copy the text or save into a file for use in your signing request.

2. Present the CSR to the CA.

   Have the certificate signed and acquire the new certificate.

3. Import the CA signed certificate into the Screen

   1. From the common Objects panel, choose Import IKE Certificate. The Import IKE Certificate screen appears

   2. Specify a name and description.

   3. Choose an import method

      Click the appropriate button and then either specify a file to import or paste the signed certificate into the text area.

   4. Click the Install Certificate button.

4. Add the IKE Root CA Certificate to the Screen.

   You accomplish this task by adding the Root CA certificate to the IKE root CA Certificates GROUP object.

   1. Acquire the Root CA certificate and import it into the Screen's certificate store.

   2. After you finish the import, in the Common Objects panel, search for the IKE root CA certificates object.

      When you find the object, select it and click the edit button. The Certificates object dialog appears. See Figure 9-6.

      Figure 9-6 Import Root CA

      
      

   3. Select the Root CA certificate you want and add it to the Include List.

   4. Click OK to finish the task.

5. Edit the Root CA certificate object.

   A requirement of Windows 2000 for IKE interoperability is that you must specify the Root CA certificate by its ISSUER Distinguished Name.

   1. Search for the Root CA certificate object.

      When you find the correct object click the Edit button.

   2. Edit the Distinguished Name.

      In the Distinguished Name, change the first qualifier from SUBJECT to ISSUER. Keep the value of the qualifier the same, only change the handle.

Configuring Windows 2000 to Use CA Signed Certificates

The following section describes in general terms how you would set up a Windows 2000 system to interoperate with a Screen. This section only provides general steps. For specific instructions on setting up the Windows 2000 system see the Windows 2000 online help and also refer to these White Papers which are available on the Microsoft web site.

• How to Configure IPSec Tunneling in Windows 2000

• How to Install a Certificate for Use with IP Security

• Step-by-Step Guide to Internet Protocol Security IPSec

Set Up the Windows 2000 System

1. Obtain a private key and certificate signed by the same CA used by the Screen with whom you wish to communicate.

2. Make sure that the CA Root certificate is in the Trusted Root CA Certificate store.

3. Create an IPSec security policy.

   Create an IKE rule that allows communication between the Screen and the Windows 2000 system.

4. Be aware of the following interoperability requirements:

   • The Authentication Method should be Certificate Authority and the Root CA list must contain the common Root CA certificate.

   • The filter action should be Negotiate Security and it should only specify one security method.

Using the Encryption Action on the Screen

To set up a packet filtering rule on the Screen use the same procedure as would be used with any IKE encryption rule. However, you must be aware of the following interoperability requirements:

• The ESP and AH values must match those specified in the Filter Action on the Windows 2000 system.

• The encryption Algorithm must be either DES or 3DES.

• The Authentication Method must be RSA-SIGNATURES

• The Oakley group must be consistent with the DH values used by the Windows 2000 system during IKE negotiation. You are restricted to those values supported by the Windows 2000 system. For example, Windows 2000 does not support Oakley group 5. The following table shows the default Oakley Group values used by Windows 2000. If someone on the Windows 2000 side changes these default values (unlikely based on how far down they are buried in the GUI) , you would have to use a value that matches their new value.

  Encryption Algorithm	Hash Algorithm	Oakley Group Value
  3DES	SHA1	2
  3DES	MD5	2
  DES	SHA1	1
  DES	MD5	1

• If the rule permits traffic from the Windows 2000 system to the Screen, the Source Certificate must be the Root CA certificate and the Destination Screen is the Screen object.

• If the rule permits traffic from the Screen to the Windows 2000 system, the Destination Certificate must be the Root CA certificate and the Source Screen is the Screen object.