NetScreen Concepts & Examples—Volume VPNs
Specifying Either CRL or OCSP for Revocation Checking
To specify the revocation check method (CRL, OCSP, both, or none) for the certificate of a particular CA, use the following CLI syntax:
ns-> set pki authority id_num cert-status revocation-check { crl | ocsp | all | none }
where id_num is the identification number of the CA certificate.
The following example specifies OCSP revocation checking:
ns-> set pki authority 3 cert-status revocation-check ocsp
The ID number 3 identifies the certificate of the CA.
Displaying Certificate Revocation Status Attributes
To display the revocation check attributes for a particular CA, use the following CLI syntax:
ns-> get pki authority id_num cert-status
where id_num is the identification number of the CA certificate.
To display the revocation status attributes for the CA whose certificate has ID number 7:
ns-> get pki authority 7 cert-status
Specifying the URL of an OCSP Responder for a Certificate
To specify the URL string of an OCSP responder for a particular CA certificate, use the following CLI syntax:
ns-> set pki authority id_num cert-status ocsp url url_str
To specify the URL string of an OCSP responder (http://192.168.10.10) for the CA with the certificate at index 5, use the following CLI syntax:
ns-> set pki authority 5 cert-status ocsp url http://192.168.10.10
To remove the OCSP responder URL (http://192.168.2.1) for certificate 5:
ns-> unset pki authority 5 cert-status ocsp url http://192.168.2.1
Removing Certificate Revocation Check Attributes
To remove all attributes related to the certificate revocation check for a CA that issued a particular certificate, use the following syntax:
ns-> unset pki authority id_num cert-status
To remove all revocation attributes related to certificate 1:
ns-> unset pki authority 1 cert-status
Chapter
Routing-Based VPNs
The configuration of a NetScreen device for virtual private network (VPN) support is particularly flexible. In ScreenOS releases prior to 3.1.0, VPN tunnels are treated as objects (or building blocks) that, together with source, destination, service, and action, comprise a policy that permits VPN traffic. (Actually, the VPN policy action is tunnel, but the action permit is implied, if unstated.) In ScreenOS 3.1.0, the concept of a VPN tunnel shifted. In addition[1] to the previous notion of a tunnel as an object used to build policies (see Chapter 4, "Policy-Based VPNs" on page 123), a tunnel can also be viewed as a network resource used to transport traffic. Thus, you can consider a tunnel as a means for delivering traffic between points A and B, and a policy as a method for either permitting or denying the delivery of that traffic. Simply put, ScreenOS allows you the freedom to decouple the regulation of traffic from the means of its delivery.
This chapter presents an overview and offers examples of the following routing-based VPN concepts:
• “Tunnel Interfaces” on page 48
– “Example: Tunnel Bound to Tunnel Interface” on page 49
– “Example: Deleting a Tunnel Interface” on page 57
• “LAN-to-LAN VPNs” on page 58
– “Example: Routing-Based LAN-to-LAN VPN, Manual Key” on page 59
– “Example: Routing-Based LAN-to-LAN VPN, AutoKey IKE” on page 70
– “Example: Routing-Based LAN-to-LAN VPN, Dynamic Peer” on page 76
• “Dialup-to-LAN VPN, Dynamic Peer” on page 92
– “Example: Routing-Based Dialup-to-LAN VPN, Dynamic Peer” on page 93
• “Hub-and-Spoke VPNs” on page 103
– “Example: Hub-and-Spoke VPNs” on page 104
• “Back-to-Back VPNs” on page 111
– “Example: Back-to-Back VPNs” on page 112
[1] ScreenOS releases after 3.1.0 continue to support pre-ScreenOS 3.1.0 VPN configuration concepts and methods.
Tunnel Interfaces
When you configure the remote gateway for a VPN tunnel, you must also specify a security zone interface as the local gateway.[2] Beyond the VPN tunnel termination points (the local and remote gateways), you can also configure tunnel interfaces in either a security zone or in a tunnel zone, through which the NetScreen device directs traffic to and from the VPN tunnel.[3] You can bind a VPN tunnel to a specific numbered (with IP address/netmask) or unnumbered (without IP address/netmask) tunnel interface in a security zone. If the tunnel interface is unnumbered, it borrows the IP address from the interface of the security zone in which you created it. Now you have a VPN tunnel that is bound both to a tunnel interface and to a local security zone interface.
Conceptually, you can view VPN tunnels as pipes that you have laid. They extend from the local device to remote gateways, and the tunnel interfaces are the openings to these pipes. The pipes are always there, available for use whenever the routing engine directs traffic to one of their interfaces.
[2] Your IKE peer uses the IP address of your local gateway interface (or outgoing interface) when configuring the remote gateway on their NetScreen device.
[3] If you do not specify a tunnel interface, the tunnel uses the default interface for the security zone.
When a numbered tunnel interface is in a tunnel zone, you cannot bind a VPN tunnel to the tunnel interface. You can only bind a tunnel to the tunnel zone. This allows multiple tunnel interfaces to link to a single tunnel, or multiple tunnels to link to a single tunnel interface. In such cases, you must create a policy-based VPN configuration.
When a tunnel interface is in a security zone, you must bind a VPN tunnel to the tunnel interface. Doing so allows you to create a routing-based VPN configuration.
The tunnel interface can be numbered or unnumbered. If it is unnumbered, the tunnel interface borrows the IP address from the security zone interface. Note: Only a numbered tunnel interface (that is, an interface with an IP address and netmask) can support policy-based NAT.
When a numbered tunnel interface is in a security zone and is the only interface in that zone, you do not need to create a security zone interface. In this case, the security zone supports VPN traffic via the tunnel interface, but no other kind of traffic.
[Figure: tunnel interfaces and security zone interfaces, shown in a security zone and in a tunnel zone]
Generally, assign an IP address to a tunnel interface if you want the interface to support policy-based NAT. For more information about VPNs and policy-based NAT, see "Tunnel Zones and Policy-Based NAT" on page 202. You can create a numbered tunnel interface in either a tunnel zone or a security zone.
If the tunnel interface does not need to support policy-based NAT, and your configuration does not require the tunnel interface to be bound to a tunnel zone, you can specify the interface as unnumbered. You must bind an unnumbered tunnel interface to a security zone; you cannot bind it to a tunnel zone. You must also specify an interface bound to that security zone whose IP address the unnumbered tunnel interface borrows.
Example: Tunnel Bound to Tunnel Interface
In this example, you configure a VPN tunnel between the corporate site and a branch office. The tunnel has the following characteristics:
• The VPN tunnel is bound to a tunnel interface named tunnel.1.
• The Untrust zone is bound to the untrust-vr, not the trust-vr.
• AutoKey IKE VPN using a preshared key (netscreen1), Main mode, and the predefined "Compatible" security level for both Phase 1 and Phase 2 proposals.
• The interface specified as the local gateway on the corporate site is 210.1.1.1. (The branch office uses this address as the remote gateway in its IKE configuration.)
• The NetScreen device at the corporate site is running ScreenOS 4.0.0.
• The NetScreen device at the remote site is running a version of ScreenOS earlier than 3.1.0.
Note: The security zone interface that you specify must be in the same zone to which you have bound the tunnel interface.
Note: The "Compatible" security level is used here for interoperability with the older ScreenOS release at the branch. It accepts weaker proposals alongside 3DES (DES, and Phase 2 proposals without PFS), and the preshared key netscreen1 is only a placeholder. When both peers support it, prefer the predefined "Standard" level or a custom proposal set, and use a long, random preshared key.
Note: Only the configuration for the corporate end of the tunnel is given below. For information on configuring a NetScreen device running a version of ScreenOS earlier than 3.1.0, see the NetScreen Concepts & Examples ScreenOS Reference Guide for the version of ScreenOS that is appropriate for your device.
WebUI
2 Network > Interfaces > Edit (for ethernet1/2): Enter the following, and then click OK:
Zone Name: Null
3 Network > Zones > Edit (for Untrust): In the Virtual Router Name drop-down list, select untrust-vr, and then click OK.
[Figure: the corporate NetScreen device. Zone Sales, 10.1.1.1/24 on eth2/1, in the trust-vr routing domain; Zone Untrust, 210.1.1.1/24 on eth1/2, in the untrust-vr routing domain, with default gateway 210.1.1.254; tunnel interface tunnel.1 carrying VPN tunnel to_branch1 to the Branch1 gateway 211.2.2.2/24 and the branch LAN 10.2.1.0/24. The castle icon represents a security zone interface. The NetScreen device sends the encapsulated VPN traffic to the external router acting as the default gateway.]
4 Network > Interfaces > Edit (for ethernet1/2): Enter the following, and then click OK:
Zone Name: Untrust
5 Network > Zones > New: Enter the following, and then click OK:
Name: Sales
Virtual Router Name: trust-vr
Interfaces—Zones and Tunnel
6 Network > Interfaces > Edit (for ethernet2/1): Enter the following, and then click OK:
Zone Name: Sales
IP Address/Netmask: 10.1.1.1/24
7 Network > Interfaces > Edit (for ethernet1/2): Enter the following, and then click OK:
Zone Name: Untrust
IP Address/Netmask: 210.1.1.1/24
8 Network > Interfaces > Tunnel IF New: Enter the following, and then click OK:
Tunnel Interface Name: tunnel.1
Zone: Untrust
Unnumbered: (select)
Interface: ethernet1/2 (Untrust)[4]
[4] The source interface must be in the same zone to which the tunnel interface is bound; in this case, the Untrust zone. The unnumbered tunnel interface borrows the IP address of the specified security zone interface.
VPN
9 VPNs > AutoKey IKE > New: Enter the following, and then click OK:
VPN Name: to_branch1
Security Level: Compatible
Remote Gateway: Create a Simple Gateway: (select)
Gateway Name: branch1
Type: Static IP (select), IP Address: 211.2.2.2
Preshared Key: netscreen1
Security Level: Compatible
Outgoing Interface: ethernet1/2[5]
> Advanced: Enter the following advanced settings, and then click Return to return to the basic AutoKey IKE configuration page:
Security Level: Compatible
Replay Protection: (select)
Bind to: Tunnel Interface: tunnel.1
Proxy-ID: (select)
Local IP/Netmask: 10.1.1.0/24
Remote IP/Netmask: 10.2.1.0/24
Service: ANY
[5] The outgoing interface does not have to be in the same zone to which the tunnel interface is bound.
Addresses
10 Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: sales-any
IP Address/Domain Name: IP/Netmask: (select), 10.1.1.0/24
Zone: Sales
11 Objects > Addresses > List > New: Enter the following, and then click OK:
Address Name: branch1
IP Address/Domain Name: IP/Netmask: (select), 10.2.1.0/24
Zone: Untrust
Routes
12 Network > Routing > Route Table > trust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 0.0.0.0/0
Next Hop Virtual Router Name: (select), untrust-vr
13 Network > Routing > Route Table > untrust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 10.2.1.0/24
Gateway: (select)
Interface: tunnel.1
Gateway IP Address: 0.0.0.0
14 Network > Routing > Route Table > untrust-vr New: Enter the following, and then click OK:
Network Address/Netmask: 0.0.0.0/0
Gateway: (select)
Interface: ethernet1/2 (untrust-vr)
Gateway IP Address: 210.1.1.254[6]
Policies
15 Policies > (From: Sales, To: Untrust) New: Enter the following, and then click OK:
Source Address: Address Book: sales-any
Destination Address: Address Book: branch1
Service: ANY
Action: Permit
Position at Top: (select)
16 Policies > (From: Untrust, To: Sales) New: Enter the following, and then click OK:
Source Address: Address Book: branch1
Destination Address: Address Book: sales-any
Service: ANY
Action: Permit
Position at Top: (select)
[6] Setting a route to the external router designated as the default gateway is essential for both outbound VPN and network traffic. In this example, the NetScreen device sends encapsulated VPN traffic to this router as the first hop along its route to the remote peer's gateway. In the illustration for this example, the concept is presented by depicting the tunnel passing through the router.
Note: Because the interface for the Sales zone (eth2/1) is in Route mode, the NetScreen device automatically makes an entry for it in the untrust-vr route table. You do not have to enter one manually.
CLI
Security Zones and Virtual Routers
1 unset interface ethernet1/2 ip
2 unset interface ethernet1/2 zone
3 set zone untrust vrouter untrust-vr
4 set zone name sales trust-vr
Interfaces—Zones and Tunnel
5 set interface ethernet2/1 zone sales
6 set interface ethernet2/1 ip 10.1.1.1/24
7 set interface ethernet1/2 zone untrust
8 set interface ethernet1/2 ip 210.1.1.1/24
9 set interface tunnel.1 zone untrust
10 set interface tunnel.1 ip unnumbered interface eth1/2
VPN
11 set ike gateway branch1 ip 211.2.2.2 outgoing-interface ethernet1/2 preshare netscreen1 sec-level compatible
12 set vpn to_branch1 gateway branch1 replay sec-level compatible
13 set vpn to_branch1 bind interface tunnel.1
14 set vpn to_branch1 proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.1.0/24 any
Addresses
15 set address sales sales-any 10.1.1.0/24
16 set address untrust branch1 10.2.1.0/24
Routes
17 set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr
18 set vrouter untrust-vr route 10.2.1.0/24 interface tunnel.1
19 set vrouter untrust-vr route 0.0.0.0/0 interface ethernet1/2 gateway 210.1.1.254
Policies
20 set policy top from sales to untrust sales-any branch1 any permit
21 set policy top from untrust to sales branch1 sales-any any permit
22 save
Note: Because the interface for the Sales zone (ethernet2/1) is in Route mode, the NetScreen device automatically makes an entry for it in the untrust-vr route table. You do not have to enter one manually.
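The binding rules of this chapter can be checked mechanically against a configuration: the tunnel must be bound to a tunnel interface in a security zone (not a tunnel zone), an unnumbered tunnel interface must borrow from an interface in the same zone (footnote 4), the remote network needs a route through the tunnel interface in that zone's virtual router, the IKE peer must be reachable from the virtual router of the outgoing interface without going through the tunnel itself (footnote 6), and a permit policy into the tunnel interface's zone must exist. The following Python script is an added example and is not part of the NetScreen guide or of ScreenOS. It parses the CLI commands of the example above into a small object model and reports violations. It understands only the command forms used in this example; the tunnel-zone syntax `set zone name Z tunnel C`, and treating the predefined Trust and Untrust zones as starting in trust-vr, are assumptions, and BROKEN_CONFIG is a constructed misconfiguration used to show the checks firing.

```python
import re
from ipaddress import ip_address, ip_network
# The "set" commands from the CLI section of the example above (corporate site).
EXAMPLE_CONFIG = """
set zone untrust vrouter untrust-vr
set zone name sales trust-vr
set interface ethernet2/1 zone sales
set interface ethernet2/1 ip 10.1.1.1/24
set interface ethernet1/2 zone untrust
set interface ethernet1/2 ip 210.1.1.1/24
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface eth1/2
set ike gateway branch1 ip 211.2.2.2 outgoing-interface ethernet1/2 preshare netscreen1 sec-level compatible
set vpn to_branch1 gateway branch1 replay sec-level compatible
set vpn to_branch1 bind interface tunnel.1
set vpn to_branch1 proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.1.0/24 any
set address sales sales-any 10.1.1.0/24
set address untrust branch1 10.2.1.0/24
set vrouter trust-vr route 0.0.0.0/0 vrouter untrust-vr
set vrouter untrust-vr route 10.2.1.0/24 interface tunnel.1
set vrouter untrust-vr route 0.0.0.0/0 interface ethernet1/2 gateway 210.1.1.254
set policy top from sales to untrust sales-any branch1 any permit
set policy top from untrust to sales branch1 sales-any any permit
"""
# Constructed misconfiguration: tunnel.1 moved into Sales while still borrowing from ethernet1/2 (Untrust).
BROKEN_CONFIG = EXAMPLE_CONFIG.replace("set interface tunnel.1 zone untrust", "set interface tunnel.1 zone sales")

def canon(name):  # ScreenOS accepts eth1/2 for ethernet1/2; compare one spelling
    return re.sub(r"^eth(?=\d)", "ethernet", name)

def parse(text):  # minimal object model of the ScreenOS "set" forms used in the example
    m = {"zones": {z: {"vrouter": "trust-vr", "type": "security"} for z in ("trust", "untrust")},
         "ifaces": {}, "gateways": {}, "vpns": {}, "routes": {}, "addrs": {}, "policies": []}
    for t in (line.split() for line in text.splitlines()):
        if t[:1] != ["set"]:
            continue
        if t[1] == "zone":                        # set zone name Z [VR | tunnel C]  or  set zone Z vrouter VR
            z, vr = (t[3], t[4] if len(t) > 4 else "trust-vr") if t[2] == "name" else (t[2], t[4])
            m["zones"][z] = {"vrouter": vr, "type": "tunnel" if vr == "tunnel" else "security"}  # tunnel: assumed
        elif t[1] == "interface":
            i = m["ifaces"].setdefault(canon(t[2]), {"zone": None, "ip": None, "borrow": None})
            if t[3] == "zone":
                i["zone"] = t[4]
            elif t[3:5] == ["ip", "unnumbered"]:
                i["borrow"] = canon(t[6])
            elif t[3] == "ip":
                i["ip"] = t[4]
        elif t[1:3] == ["ike", "gateway"]:
            m["gateways"][t[3]] = {"ip": t[5], "outgoing": canon(t[t.index("outgoing-interface") + 1])}
        elif t[1] == "vpn":
            v = m["vpns"].setdefault(t[2], {})
            if t[3] == "gateway":
                v["gateway"] = t[4]
            elif t[3] == "bind":
                v["bind"] = canon(t[5])
            elif t[3] == "proxy-id":
                v["remote"] = t[t.index("remote-ip") + 1]
        elif t[1] == "vrouter":                   # set vrouter VR route P [interface I] [gateway G]
            m["routes"].setdefault(t[2], []).append(
                {"prefix": t[4], "gateway": t[t.index("gateway") + 1] if "gateway" in t else None,
                 "iface": canon(t[t.index("interface") + 1]) if "interface" in t else None})
        elif t[1] == "address":
            m["addrs"][(t[2], t[3])] = t[4]
        elif t[1] == "policy":                    # set policy [top] from Z1 to Z2 SRC DST SVC ACTION
            k = t.index("from")
            m["policies"].append({"to": t[k + 3], "dst": t[k + 5], "action": t[k + 7]})
    return m

def lint(text):  # findings for every VPN bound to a tunnel interface; [] means the wiring is consistent
    m, out = parse(text), []
    for name, v in m["vpns"].items():
        tif = v.get("bind")
        if not tif:
            continue                              # policy-based VPN: these rules do not apply
        i = m["ifaces"].get(tif)
        if not i or not i["zone"]:
            out.append(f"{name}: bound interface {tif} does not exist or has no zone")
            continue
        zone = m["zones"].get(i["zone"], {"type": "security", "vrouter": "trust-vr"})
        if zone["type"] == "tunnel":              # tunnel zones support only policy-based VPNs
            out.append(f"{name}: {tif} is in tunnel zone {i['zone']}; a VPN cannot be bound to it")
            continue
        if i["ip"] is None and m["ifaces"].get(i["borrow"] or "", {}).get("zone") != i["zone"]:  # note 4
            out.append(f"{name}: unnumbered {tif} borrows from {i['borrow']}, which is not in zone {i['zone']}")
        vr, remote = zone["vrouter"], v.get("remote")
        if remote and not any(r["prefix"] == remote and r["iface"] == tif for r in m["routes"].get(vr, [])):
            out.append(f"{name}: no route to {remote} via {tif} in {vr}")
        gw = m["gateways"].get(v.get("gateway"))
        if gw:                                    # note 6: the IKE peer must be reachable, and not via the tunnel
            ovr = m["zones"].get(m["ifaces"].get(gw["outgoing"], {}).get("zone"), {}).get("vrouter")
            if not any(ip_address(gw["ip"]) in ip_network(r["prefix"], strict=False) and r["iface"] != tif
                       for r in m["routes"].get(ovr, [])):
                out.append(f"{name}: {ovr} has no route toward IKE peer {gw['ip']}")
        book = [n for (z, n), p in m["addrs"].items() if z == i["zone"] and p == remote]
        if not any(p["to"] == i["zone"] and p["dst"] in book and p["action"] == "permit" for p in m["policies"]):
            out.append(f"{name}: no permit policy into zone {i['zone']} whose destination covers {remote}")
    return out
if __name__ == "__main__":
    print(*(lint(EXAMPLE_CONFIG) or ["example: no findings"]), *lint(BROKEN_CONFIG), sep="\n")
```

Run stand-alone, the script reports no findings for the example and three for the broken variant: the unnumbered tunnel.1 now borrows from an interface in a different zone, the route to 10.2.1.0/24 through tunnel.1 is in untrust-vr rather than in trust-vr where the Sales zone lives, and no policy into Sales covers the branch network. The outgoing interface is deliberately not compared with the tunnel interface's zone, since footnote 5 says they may differ.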
Deleting Tunnel Interfaces
You cannot immediately delete a tunnel interface that hosts mapped IP addresses (MIPs), virtual IP addresses (VIPs), or Dynamic IP (DIP) address pools. Before you delete a tunnel interface hosting any of these features, you must first delete any policies that reference them. Then you must delete the MIPs, VIPs, and DIP pools on the tunnel interface. Also, if a routing-based VPN configuration references a tunnel interface, you must first delete the VPN configuration before you can delete the tunnel interface.
Example: Deleting a Tunnel Interface
In this example, tunnel interface tunnel.2 is linked to DIP pool 8. DIP pool 8 is referenced in a policy (ID 10) for VPN traffic from the Trust zone to the Untrust zone. To remove the tunnel interface, you must first remove the policy (or remove the reference to DIP pool 8 from the policy), then the DIP pool, and then the interface.
WebUI
1 Policies (From: Trust, To: Untrust): Click Remove for Policy ID 10.
2 Network > Interfaces > Edit (for tunnel.2) > DIP: Click Remove for DIP ID 8.
3 Network > Interfaces: Click Remove for tunnel.2
CLI
1 unset policy 10
2 unset interface tunnel.2 dip 8
3 unset interface tunnel.2
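The ordering rule above (policies first, then the MIPs, VIPs and DIP pools, then any VPN bound to the interface, then the interface itself) is a dependency ordering, and a script can derive the correct unset sequence from the configuration instead of relying on memory. The following Python example is added here and is not part of the NetScreen guide or of ScreenOS. It reproduces the page's three-step sequence for policy 10, DIP pool 8 and tunnel.2, and also handles a constructed larger sample in which a MIP and a routing-based VPN binding hang off the same interface while an unrelated policy must be left alone. The `set` forms used for DIP pools, MIPs and policies (`set interface tunnel.2 dip 8 ...`, `MIP(addr)` as a policy address, `nat src dip-id 8`) and `unset vpn name` for deleting the VPN configuration are assumed from ScreenOS conventions; the page shows only the unset commands.

```python
import re
from collections import defaultdict

# The page's own example written as "set" commands: policy 10 uses DIP pool 8 on tunnel.2.
# (The DIP and policy forms are assumed ScreenOS syntax; the page shows only the unset commands.)
PAGE_EXAMPLE = """
set interface tunnel.2 zone untrust
set interface tunnel.2 ip 10.3.1.254/24
set interface tunnel.2 dip 8 10.3.1.1 10.3.1.50
set policy id 10 from trust to untrust any any any nat src dip-id 8 permit
"""

# Constructed, busier sample: a MIP and a routing-based VPN binding also hang off tunnel.2,
# and policy 12 references none of them, so it must be left alone.
SAMPLE = PAGE_EXAMPLE + """
set interface tunnel.2 mip 10.3.1.200 host 10.1.1.20 netmask 255.255.255.255
set vpn to_branch2 bind interface tunnel.2
set policy id 11 from untrust to trust any MIP(10.3.1.200) any permit
set policy id 12 from trust to untrust any any any permit
"""


def removal_plan(config, ifname):
    """Return the unset commands that delete ifname, ordered so that no object is removed
    while something else still references it (policies -> DIP/MIP/VIP/VPN -> interface)."""
    iface = ("interface", ifname)
    cmd = {iface: f"unset interface {ifname}"}
    blockers = defaultdict(set)          # node -> nodes that must be unset before it
    lines = [l.split() for l in config.splitlines() if l.startswith("set ")]
    for t in lines:                      # pass 1: objects hosted on, or bound to, the interface
        if t[1] == "interface" and t[2] == ifname and t[3] in ("dip", "mip", "vip"):
            cmd[(t[3], t[4])] = f"unset interface {ifname} {t[3]} {t[4]}"
            blockers[iface].add((t[3], t[4]))
        elif t[1] == "vpn" and t[3] == "bind" and t[5] == ifname:
            cmd[("vpn", t[2])] = f"unset vpn {t[2]}"   # the page: delete the VPN configuration first
            blockers[iface].add(("vpn", t[2]))
    for t in lines:                      # pass 2: policies that reference any of those objects
        if t[1:3] != ["policy", "id"]:
            continue
        refs = set()
        if "dip-id" in t:
            refs.add(("dip", t[t.index("dip-id") + 1]))
        if "vpn" in t:                   # policy-based VPN policies name the tunnel: "... tunnel vpn NAME"
            refs.add(("vpn", t[t.index("vpn") + 1]))
        for a in t:                      # MIP(addr) / VIP(addr) used as policy addresses
            mm = re.fullmatch(r"(MIP|VIP)\((\S+)\)", a)
            if mm:
                refs.add((mm.group(1).lower(), mm.group(2)))
        refs &= set(cmd)                 # keep only references to objects on this interface
        if refs:
            cmd[("policy", t[3])] = f"unset policy {t[3]}"
            for r in refs:
                blockers[r].add(("policy", t[3]))
    # Kahn's algorithm: repeatedly emit everything that nothing else still depends on.
    pending = {n: set(blockers[n]) for n in cmd}
    order = []
    while pending:
        ready = sorted(n for n, b in pending.items() if not b)
        if not ready:
            raise ValueError("circular references; cannot order the removals")
        for n in ready:
            order.append(cmd[n])
            del pending[n]
            for b in pending.values():
                b.discard(n)
    return order


if __name__ == "__main__":
    print("\n".join(removal_plan(SAMPLE, "tunnel.2")))
```

For PAGE_EXAMPLE the plan is exactly the CLI sequence shown above: unset policy 10, unset interface tunnel.2 dip 8, unset interface tunnel.2. For the larger sample the two referencing policies come out first, the VPN binding, DIP pool and MIP next, and the interface last, while policy 12 is never touched.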