Example: Creating Device Level VPN Type 1 (NSM Procedure)

This topic provides examples of the two device-level VPN types with step-by-step instructions on creating each type of device-level VPN.

Note: For examples on creating other VPN types using VPN Manager, see the Network and Security Manager Administration Guide.

In this example, a manual key tunnel provides a secure communication channel between offices in Tokyo and Paris. The trust zones at each site are in NAT mode. The trust and untrust security zones are in the trust-vr routing domain, and the untrust zone interface (ethernet3) serves as the outgoing interface for the VPN tunnel.

To set up the tunnel, you must configure the security devices at both ends of the tunnel. First, you create the VPN components that you use to build the VPN, such as the security devices and the shared address objects. Next, you create the tunnel interfaces for each device and configure the VPN tunnel. You must also add the necessary static routes on each device to create the VPN tunnel. Finally, you create firewall rules in a security policy to control VPN traffic between the two sites.

Figure 1: RB Site-to-Site VPN, MK Example Overview

  1. Add the Tokyo and Paris security devices (for details on adding devices, see “Adding Devices” in the Network and Security Manager Administration Guide). Begin by configuring the Tokyo device with the following interfaces:
    • Ethernet1 is the trust IP (10.1.1.1/24) in the trust zone.
    • Ethernet3 is the untrust IP (1.1.1.1/24) in the untrust zone.
  2. Configure the Paris device with the following interfaces:
    • Ethernet1 is the trust IP (10.2.2.1/24) in the trust zone.
    • Ethernet3 is the untrust IP (2.2.2.2/24) in the untrust zone.
  3. Create the address objects that you use in the VPN rule in the firewall rulebase (for details on creating VPN rules, see the Adding VPN Rules to a Security Policy Overview).
  4. Add the Tokyo trust LAN (10.1.1.0/24) as a network address object. In Address Objects, click the Add icon and select Network. Configure the following settings, and then click OK:
    • For Name, enter Tokyo Trust LAN.
    • For IP Address/Netmask, enter 10.1.1.0/24.
    • Select Use Wildcard Mask if you want the wildcard mask to be sent as part of the address field instead of the Netmask.
    • For Wildcard Mask, enter 10.1.1.0.
    • For Color, select magenta.
    • For Comment, enter Tokyo Trust Zone.
  5. Add the Paris trust LAN (10.2.2.0/24) as a network address object. In Address Objects, click the Add icon and select Network. Configure the following settings, and then click OK:
    • For Name, enter Paris Trust LAN.
    • For IP Address/Netmask, enter 10.2.2.0/24.
    • Select Use Wildcard Mask if you want the wildcard mask to be sent as part of the address field instead of the Netmask.
    • For Wildcard Mask, enter 10.2.2.0.
    • For Color, select magenta.
    • For Comment, enter Paris Trust Zone.
  6. Configure the Tokyo tunnel interface:
    • In the NSM navigation tree, select Device Manager > Devices, and then double-click the Tokyo device to open the device configuration.
    • In the device navigation tree, select Network > Interface. Click the Add icon and select Tunnel Interface. The General Properties screen for tunnel.1 appears.
  7. Configure the following settings, and then click OK:
    • For Zone, select untrust.
    • For IP Options, select Unnumbered.
    • For Source Interface, select ethernet3.
  8. Create the Tokyo VPN. In the device navigation tree, select VPN Settings > AutoKey IKE/Manual VPN.
  9. Select the Manual tab, and then click the Add icon. The Properties screen appears. Configure the Properties tab as follows:
    • For Name, enter Tokyo_Paris.
    • For Gateway, enter 2.2.2.2.
    • For Local SPI, enter 3020.
    • For Remote SPI, enter 3030.
    • For Outgoing Interface, select ethernet3.
    • For ESP/AH, select ESP CBC.
    • For Encryption Algorithm, select 3DES-CBC.
    • Select Generate Key by Password, and then enter the password asdlk24234.
    • For Authentication Algorithm, select SHA-1.
    • Select Generate Key by Password, and then enter the password PNas134a.
    • Select the Binding tab. Select Tunnel Interface, and then select tunnel.1.
  10. Click OK to save the new VPN.
  11. Create Tokyo routes:
    • In the device navigation tree, select Network > Virtual Router to display the list of virtual routers on the device. Double-click trust-vr to open the virtual router for editing.
    • In the virtual router dialog box, click Routing Table, and then click the Add icon under destination-based routing table to add a new static route.

      Note: ScreenOS 5.0.x devices display destination-based and source-based routing tables; ScreenOS 5.1 and later devices display destination-based, source-based, and source interface-based routing tables.

  12. Configure a route from the untrust interface to the gateway, and then click OK.
  13. Configure a route from the trust zone to the tunnel interface, and then click OK.
  14. Click OK to save your changes to the virtual router, and then click OK to save your changes to the Tokyo device.
  15. Configure the Paris tunnel interface:
    • In Device Manager, double-click the device icon for Paris to open the device configuration.
    • In the device navigation tree, select Network > Interface. Click the Add icon and select Tunnel Interface. The General Properties screen appears.
  16. Configure the following settings, and then click OK:
    • For Zone, select untrust.
    • For IP Options, select Unnumbered.
    • For Source Interface, select ethernet3.
  17. Create the Paris VPN:
    • In the device navigation tree, select VPN Settings > AutoKey IKE/Manual VPN.
    • Select the Manual tab, and then click the Add icon. The Properties screen appears.
  18. Configure the following settings:
    • For Name, enter Paris_Tokyo.
    • For Gateway, enter 2.2.2.2.
    • For Local SPI, enter 3020.
    • For Remote SPI, enter 3030.
    • For Outgoing Interface, select ethernet3.
    • For ESP/AH, select ESP CBC.
    • For Encryption Algorithm, select 3DES-CBC, and then select Generate Key by Password and enter the password asdlk24234.
    • For Authentication Algorithm, select SHA-1, and then select Generate Key by Password and enter the password PNas134a.
  19. Select the Binding tab. Select Tunnel Interface, and then select tunnel.1.
  20. In the device navigation tree, select Network > Virtual Router to display the list of virtual routers on the device.
  21. Click OK to save the new VPN.
  22. Create Paris routes.
  23. Double-click trust-vr to open the virtual router for editing.
  24. In the virtual router dialog box, click Routing Table, and then click the Add icon under destination-based routing table to add a new static route.

    Note: ScreenOS 5.0.x or later devices display both destination-based and source-based routing tables; ScreenOS 5.1 and later devices display destination-based, source-based, and source interface-based routing tables.

  25. Configure a route from the untrust interface to the gateway, and then click OK.
  26. Configure a route from the trust zone to the tunnel interface, and then click OK.
  27. Click OK to save your changes to the virtual router, and then click OK to save your changes to the Paris device.
  28. Create the security policy:
    • In the main navigation tree, select Security Policies. Click the Add icon to display the New Security Policy dialog box.
  29. Configure the following settings, and then click OK:
    • For Security Policy Name, enter Corporate Route-based VPNs.
    • Add comments, if desired.
  30. In the NSM navigation tree, select Security Policies > Corporate Route-based VPNs. The security policy appears in the display area. Configure the rules.
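A manual key tunnel has no IKE exchange to report a mismatch, so it is worth checking both ends against each other before pushing the configuration. The Python check below is an added example, not part of the NSM documentation or product: it encodes the Tokyo values from step 9, assumes a Paris side that mirrors Tokyo (gateway 1.1.1.1, Local SPI 3030, Remote SPI 3030 crossed to 3020), and also runs a constructed Paris entry that copies Tokyo's gateway and SPIs to show what the check reports.

```python
from __future__ import annotations
from dataclasses import dataclass


@dataclass(frozen=True)
class ManualVpn:
    """One end of a ScreenOS manual key tunnel, as entered on the Properties tab."""
    name: str
    outgoing_ip: str     # address of this device's outgoing (untrust) interface
    gateway: str         # must be the peer's outgoing interface address
    local_spi: int       # SPI the peer must use as its Remote SPI
    remote_spi: int      # SPI the peer must use as its Local SPI
    encryption: str
    enc_password: str    # key derived from this password must match on both ends
    auth: str
    auth_password: str


def check_pair(a: ManualVpn, b: ManualVpn) -> list[str]:
    """Return every mismatch between the two ends; an empty list means consistent."""
    problems: list[str] = []
    for here, peer in ((a, b), (b, a)):
        if here.gateway != peer.outgoing_ip:
            problems.append(f"{here.name}: gateway {here.gateway} is not "
                            f"{peer.name}'s outgoing address {peer.outgoing_ip}")
        if here.local_spi != peer.remote_spi:
            problems.append(f"{here.name}: local SPI {here.local_spi} != "
                            f"{peer.name} remote SPI {peer.remote_spi}")
    # Algorithms and password-derived keys are never negotiated, so they must be identical.
    for field in ("encryption", "enc_password", "auth", "auth_password"):
        if getattr(a, field) != getattr(b, field):
            problems.append(f"{field} differs between {a.name} and {b.name}")
    return problems


# Tokyo values from step 9 of the procedure.
TOKYO = ManualVpn("Tokyo_Paris", "1.1.1.1", "2.2.2.2", 3020, 3030,
                  "3DES-CBC", "asdlk24234", "SHA-1", "PNas134a")
# Assumed Paris values: the mirror image of Tokyo (not taken from the page).
PARIS = ManualVpn("Paris_Tokyo", "2.2.2.2", "1.1.1.1", 3030, 3020,
                  "3DES-CBC", "asdlk24234", "SHA-1", "PNas134a")
# Constructed mistake: Paris entered with Tokyo's own gateway and SPI values.
PARIS_COPIED = ManualVpn("Paris_Tokyo", "2.2.2.2", "2.2.2.2", 3020, 3030,
                         "3DES-CBC", "asdlk24234", "SHA-1", "PNas134a")

if __name__ == "__main__":
    for peer in (PARIS, PARIS_COPIED):
        print(f"Tokyo <-> {peer.name} (gateway {peer.gateway}):",
              check_pair(TOKYO, peer) or "consistent")
```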
