Device-Level AutoKey IKE VPN: Using VPN Configuration Overview
When you configure the VPN, you are defining the gateway the security device uses to connect to the VPN, the IKE Phase 2 proposals used by that gateway, and how you want NSM to monitor the VPN tunnel. For route-based VPNs, you are also binding the VPN to the tunnel interface or zone that sends and receives VPN traffic to and from the device.

The following topics explain how to configure a device-level AutoKey IKE VPN using VPN configuration:
Device-Level AutoKey IKE VPN Properties
Enter the following values as described in Table 1.

Table 1: Device-Level AutoKey IKE VPN Properties

| Properties | Your Action |
|---|---|
| VPN Name | Enter a name for the VPN. |
| Remote Gateway | Select the gateway for the VPN. |
| Idle Time to Disable SA | Configure the number of minutes a session may carry no traffic before the device automatically disables the SA. |
| Replay Protection | In a replay attack, an attacker intercepts a series of legitimate packets and uses them to create a denial of service (DoS) against the packet destination or to gain entry to trusted networks. If replay protection is enabled, your security devices inspect every IPsec packet to see whether it has been received before; if packets arrive outside a specified sequence range, the security device rejects them. |
| IPSec Mode | Configure the mode. Tunnel mode for IPsec: before an IP packet enters the VPN tunnel, NSM encapsulates the packet in the payload of another IP packet and attaches a new IP header. This new IP packet can be authenticated, encrypted, or both. The DSCP mark (which allows the user to configure the DSCP value for each route-based VPN) supports only tunnel IPsec mode. Transport mode for L2TP-over-IPsec: NSM does not encapsulate the IP packet, meaning that the original IP header must remain in plaintext. However, the original IP packet can be authenticated, and the payload can be encrypted. |
| Do not set Fragment Bit in the Outer Header | The Fragment Bit controls how the IP packet is fragmented when traveling across networks. Clear: use this option to allow IP packets to be fragmented. Set: use this option to ensure that IP packets are not fragmented. Copy: select this option to use the same setting as specified in the internal IP header of the original packet. |
ScreenOS Security Measures Using VPN Configuration
For Phase 2 negotiations, select a proposal or proposal set. You can select from predefined or user-defined proposals:
- To use a predefined proposal set, select one of the following:
  - Basic (nopfs-esp-des-sha, nopfs-esp-des-md5)
  - Compatible (nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, nopfs-esp-des-md5)
  - Standard (gs-esp-3des-sha, gs-esp-aes128-sha)
- To use a user-defined proposal, select a single proposal from the list of predefined and custom IKE Phase 2 proposals. For details on custom IKE proposals, see “Configuring IKE Proposals” in the Network and Security Manager Administration Guide.

If your VPN includes only security devices, you can specify one predefined or custom proposal that NSM propagates to all nodes in the VPN. If your VPN includes extranet devices, you should use multiple proposals to increase security and ensure compatibility.
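The predefined proposal names above encode the Phase 2 parameters in their spelling: a PFS token, the IPsec protocol, the cipher and the integrity algorithm. The following Python script, added here as an example and not part of NSM, parses that pattern and reviews each proposal for weak components (DES, MD5, no PFS, legacy 3DES) so you can compare the predefined sets before choosing one. It assumes that a first token of the form `g<N>` denotes PFS with Diffie-Hellman group N (the `nopfs` token is taken from the page); the severity weights and the `g2`-prefixed Standard set used in the sample are constructed for this example.

```python
"""Parse and review ScreenOS-style IKE Phase 2 proposal names.

Added example, not NSM or ScreenOS code.  Names follow
<pfs>-<protocol>-<cipher>-<auth>, e.g. "nopfs-esp-des-sha".
ASSUMPTION: a first token "g<N>" means PFS with Diffie-Hellman group N.
"""
import re

_PFS_GROUP = re.compile(r"^g(\d+)$")

# Basic and Compatible are quoted from the page.  The Standard entry is a
# constructed sample written with the assumed "g2" prefix.
PREDEFINED_SETS = {
    "Basic": ["nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "Compatible": ["nopfs-esp-3des-sha", "nopfs-esp-3des-md5",
                   "nopfs-esp-des-sha", "nopfs-esp-des-md5"],
    "Standard (assumed g2 prefix)": ["g2-esp-3des-sha", "g2-esp-aes128-sha"],
}


def parse_proposal(name: str) -> dict:
    """Split a proposal name into its four fields; raise on unknown shapes."""
    parts = name.lower().split("-")
    if len(parts) != 4:
        raise ValueError(f"unrecognised proposal name: {name!r}")
    pfs, protocol, cipher, auth = parts
    if pfs == "nopfs":
        group = None
    else:
        match = _PFS_GROUP.match(pfs)
        if not match:
            raise ValueError(f"unrecognised PFS token in {name!r}")
        group = int(match.group(1))
    return {"name": name, "pfs_group": group, "protocol": protocol,
            "cipher": cipher, "auth": auth}


def review_proposal(name: str) -> list:
    """Return (severity, message) findings; an empty list raises no concern."""
    p = parse_proposal(name)
    findings = []
    if p["cipher"] == "des":
        findings.append((3, "DES uses a 56-bit key and is brute-forceable; use AES"))
    elif p["cipher"] == "3des":
        findings.append((1, "3DES is a legacy cipher; prefer AES"))
    if p["auth"] == "md5":
        findings.append((2, "MD5 integrity is deprecated; use SHA"))
    if p["pfs_group"] is None:
        findings.append((2, "no PFS: a compromised Phase 1 key exposes Phase 2 keys"))
    return findings


def risk_score(name: str) -> int:
    """Sum of finding severities; 0 means nothing was flagged."""
    return sum(severity for severity, _ in review_proposal(name))


def least_risky(names: list) -> str:
    """The proposal in the list with the lowest risk score (ties keep order)."""
    return min(names, key=risk_score)


if __name__ == "__main__":
    for set_name, names in PREDEFINED_SETS.items():
        print(f"{set_name}: best choice {least_risky(names)}")
        for n in names:
            for severity, msg in review_proposal(n):
                print(f"  {n}: [{severity}] {msg}")
```

The scoring is deliberately coarse; its purpose is to make the difference between the sets visible at a glance (every proposal in Basic and Compatible is flagged, while an AES/SHA proposal with PFS is not).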
Binding/ProxyID
You can bind the VPN tunnel to a tunnel interface or tunnel zone to increase the number of available interfaces in the security device. To use a tunnel interface and/or tunnel zone in your VPN, you must first create the tunnel interface or zone on the device; for details, see Configuring a Tunnel Interface.

Table 2 describes the binding methods in the device.
Table 2: Binding/ProxyID

| Binding Methods | Description |
|---|---|
| None | Select None when you do not want to bind the VPN tunnel to a tunnel interface or zone. |
| Tunnel Interface | Select a preconfigured tunnel interface on the security device to bind the VPN tunnel to that tunnel interface. The security device routes all VPN traffic through the tunnel interface to the protected resources. You can also set DSCP marking to tag the traffic with a priority level. |
| Tunnel Zone | Select a preconfigured tunnel zone on the security device to bind the VPN tunnel directly to the tunnel zone. The tunnel zone must include one or more numbered tunnel interfaces; when the security device routes VPN traffic to the tunnel zone, the traffic uses one or more of the tunnel interfaces to reach the protected resources. |
| DSCP Marking | Select whether the ScreenOS device overwrites the first 3 bits of the ToS byte with the IP precedence priority. |
| DSCP Value | Select the DSCP value. |
| Proxy | Select an option to define a proxy ID through either an IP address or an address name of the local and remote device. IP Address: select this option to define multiple proxy IDs using an IP address; upon selecting this option, you must set the new IP format settings. Address Book: select this option to define multiple proxy IDs using an address book; upon selecting this option, you must set the new address format settings. Disable: select this option to disable the proxy parameter settings. |
| Proxy ID Check | Select this option to enable the proxy-ID check on a route-based VPN. From ScreenOS 6.3, proxy ID check supports IPv6. |
You can also enable proxy and configure the proxy parameters. When multiple tunnels exist between peers, the security device cannot use the route to direct the traffic through a particular tunnel. In such cases, the security device uses multiple proxy IDs to direct the traffic. You can use either an IP address or an address name of the local and remote device to define a proxy ID.
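The paragraph above describes why proxy IDs matter when several tunnels terminate on the same peer: the route only identifies the peer, so the flow's local and remote addresses (by IP prefix or by address-book name) pick the tunnel. The following Python model, added here as an example and not NSM or ScreenOS code, shows that selection with a constructed address book and two tunnels, and models the Proxy ID Check option from Table 2 as a simplification: with the check on, a flow that matches no proxy ID is dropped; with it off, the route alone decides. The names `ADDRESS_BOOK`, `ProxyId`, `Tunnel` and `select_tunnel` and all addresses are constructed for this example.

```python
"""Pick a VPN tunnel for a flow by proxy ID when several tunnels lead to one peer.

Added example, not NSM or ScreenOS code.  The proxy-ID check semantics below
are a simplification of the option described in Table 2.
"""
import ipaddress
from dataclasses import dataclass

# Constructed address book, standing in for NSM's Address Book option.
ADDRESS_BOOK = {
    "hq-finance": "10.1.10.0/24",
    "hq-eng": "10.1.20.0/24",
    "branch-finance": "172.16.10.0/24",
    "branch-eng": "172.16.20.0/24",
}


@dataclass(frozen=True)
class ProxyId:
    """Local and remote prefixes plus an IP protocol ("any" matches all)."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    protocol: str = "any"

    @classmethod
    def from_ips(cls, local, remote, protocol="any"):
        return cls(ipaddress.ip_network(local), ipaddress.ip_network(remote), protocol)

    @classmethod
    def from_book(cls, local_name, remote_name, protocol="any", book=ADDRESS_BOOK):
        # Address-name form: resolve both names through the address book.
        return cls.from_ips(book[local_name], book[remote_name], protocol)

    def matches(self, src, dst, protocol="any"):
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote
                and self.protocol in ("any", protocol))


@dataclass(frozen=True)
class Tunnel:
    name: str
    proxy_id: ProxyId


# Two tunnels to the same remote gateway, bound to the same tunnel interface.
TUNNELS = [
    Tunnel("vpn-finance", ProxyId.from_book("hq-finance", "branch-finance")),
    Tunnel("vpn-eng", ProxyId.from_book("hq-eng", "branch-eng")),
]


def select_tunnel(tunnels, src, dst, protocol="any", proxy_id_check=True):
    """Return the name of the tunnel whose proxy ID covers the flow.

    With proxy_id_check on, a flow covered by no proxy ID is dropped (None).
    With it off, the route alone decides, so the first tunnel on the
    interface is used regardless of the flow's addresses.
    """
    for tunnel in tunnels:
        if tunnel.proxy_id.matches(src, dst, protocol):
            return tunnel.name
    if proxy_id_check:
        return None
    return tunnels[0].name


if __name__ == "__main__":
    for src, dst in [("10.1.20.5", "172.16.20.9"), ("10.1.30.5", "172.16.20.9")]:
        print(src, "->", dst, ":", select_tunnel(TUNNELS, src, dst))
```

The second sample flow (source 10.1.30.5) is in neither local prefix; with the check enabled it is dropped rather than silently sent down whichever tunnel the route happens to resolve to.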
Monitor Management on ScreenOS Devices Using AutoKey IKE VPN
You can enable VPN Monitor and configure the monitoring parameters for the device. Monitoring is off by default. Select VPN Monitor in Realtime Monitor to display statistics for the VPN tunnel as described in Table 3.
Table 3: Monitor

| VPN Monitor Status | Description |
|---|---|
| VPN Monitor | When enabled, the device sends ICMP echo requests (pings) through the tunnel at specified intervals (configurable in seconds) to monitor network connectivity. The device uses the IP address of the local outgoing interface as the source address and the IP address of the remote gateway as the destination address. If the ping activity indicates that the VPN monitoring status has changed, the device triggers an SNMP trap; VPN Monitor (in RealTime Monitor) tracks these SNMP statistics for VPN traffic in the tunnel and displays the tunnel status. From ScreenOS 6.3, VPN monitor supports IPv6. |
| Rekey | When enabled, the device regenerates the IKE key after a failed VPN tunnel attempts to reestablish itself. When disabled, the device monitors the tunnel only when the VPN passes user-generated traffic (instead of using device-generated ICMP echo requests). Use the rekey option to: keep the VPN tunnel up even when traffic is not passing through; monitor devices at the remote site; enable dynamic routing protocols to learn routes at a remote site and transmit messages through the tunnel; automatically populate the next-hop tunnel binding table (NHTB table) and the route table when multiple VPN tunnels are bound to a single tunnel interface. |
| Optimized | This option appears only for devices running ScreenOS 5.x. When enabled, the device optimizes its VPN monitoring behavior as follows: it treats incoming traffic in the VPN tunnel as ICMP echo replies, which reduces false alarms that might occur when traffic through the tunnel is heavy and the echo replies cannot get through; and it suppresses VPN monitoring pings when the tunnel passes both incoming and outgoing traffic, which can help reduce network traffic. |
| Source Interface and Destination IP | These options configure VPN monitoring when the other end of the VPN tunnel is not a security device. Specify the source and destination IP addresses. |
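Table 3 describes VPN Monitor's behaviour in prose: periodic pings through the tunnel, an SNMP trap whenever the tunnel status changes, and, with Optimized enabled, inbound traffic counting as a reply and pings being suppressed while traffic flows both ways. The following Python simulation, added here as an illustration and not NSM or ScreenOS code, runs that logic over a constructed sequence of monitoring intervals so the difference between plain and optimized monitoring is visible in the traps emitted and pings sent. It assumes a configurable count of consecutive failed intervals (`threshold`) before the tunnel is declared down; the `Tick`, `VpnMonitor` and `run_monitor` names and the sample sequences are constructed for this example, and the Rekey option is not modelled.

```python
"""Simulate VPN Monitor status tracking, plain and Optimized.

Added example, not NSM or ScreenOS code.  One Tick is one monitoring
interval.  ASSUMPTION: the tunnel is marked down after `threshold`
consecutive intervals without evidence of life.
"""
from dataclasses import dataclass, field


@dataclass
class Tick:
    """What happened during one interval (constructed input for the model)."""
    echo_reply: bool        # did the device's own ping get a reply?
    inbound: bool = False   # did user traffic arrive through the tunnel?
    outbound: bool = False  # did user traffic leave through the tunnel?


@dataclass
class VpnMonitor:
    threshold: int = 10
    optimized: bool = False
    status: str = "up"
    failures: int = 0
    pings_sent: int = 0
    traps: list = field(default_factory=list)  # (interval number, new status)

    def observe(self, tick_no: int, tick: Tick) -> str:
        """Process one interval, emit a trap on status change, return status."""
        if self.optimized and tick.inbound and tick.outbound:
            # Traffic in both directions: the tunnel is evidently alive,
            # so the Optimized mode skips the ping for this interval.
            alive = True
        else:
            self.pings_sent += 1
            # Optimized mode also accepts inbound traffic in place of an
            # echo reply, which avoids false alarms on a congested tunnel.
            alive = tick.echo_reply or (self.optimized and tick.inbound)

        if alive:
            self.failures = 0
            new_status = "up"
        else:
            self.failures += 1
            new_status = "down" if self.failures >= self.threshold else self.status

        if new_status != self.status:
            self.status = new_status
            self.traps.append((tick_no, new_status))  # stands in for the SNMP trap
        return self.status


def run_monitor(ticks, threshold=10, optimized=False) -> VpnMonitor:
    """Feed a sequence of intervals to a fresh monitor and return it."""
    monitor = VpnMonitor(threshold=threshold, optimized=optimized)
    for tick_no, tick in enumerate(ticks, start=1):
        monitor.observe(tick_no, tick)
    return monitor


if __name__ == "__main__":
    # Constructed sequence: 3 healthy intervals, 10 lost pings, then recovery.
    outage = [Tick(True)] * 3 + [Tick(False)] * 10 + [Tick(True)]
    print("plain, outage:", run_monitor(outage).traps)

    # Constructed sequence: heavy bidirectional traffic drowning the pings.
    congested = [Tick(False, inbound=True, outbound=True)] * 5
    plain = run_monitor(congested, threshold=3)
    optimized = run_monitor(congested, threshold=3, optimized=True)
    print("plain, congested:", plain.traps, "pings:", plain.pings_sent)
    print("optimized, congested:", optimized.traps, "pings:", optimized.pings_sent)
```

On the congested sequence the plain monitor raises a false "down" trap after three lost pings, while the optimized monitor sends no pings at all and keeps the tunnel up, which is exactly the false-alarm reduction the Optimized row describes.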
Published: 2009-08-20