Device-Level AutoKey IKE VPN: Using VPN Configuration Overview
When you configure the VPN, you are defining the gateway the security device uses to connect to the VPN, the IKE Phase 2 proposals used by that gateway, and how you want NSM to monitor the VPN tunnel.
For route-based VPNs, you are also binding the VPN to the tunnel interface or zone that sends and receives VPN traffic to and from the device.
The following topics explain how to configure a device-level AutoKey IKE VPN using VPN configuration:
Device-Level AutoKey IKE VPN Properties
Enter the values described in Table 1.
Table 1: Device-Level AutoKey IKE VPN Properties
Name: Enter a name for the VPN.
Gateway: Select the AutoKey IKE gateway the VPN uses to reach its peer.
Idle Time to Disable SA: Configure the number of minutes without traffic after which the device automatically disables the security association (SA) for the session.
Replay Protection: In a replay attack, an attacker captures a series of legitimate packets and resends them, either to create a denial of service (DoS) against the packet destination or to gain entry to trusted networks. With replay protection enabled, the device checks the sequence number of every inbound IPsec packet against an anti-replay window: a packet whose sequence number has already been seen, or that falls outside the window, is rejected.
Mode: Configure the mode.
Do not set Fragment Bit in the Outer Header: The Don't Fragment (DF) bit in the outer IP header controls whether routers along the path may fragment the encapsulated packet. Select this option to leave the DF bit clear on the outer header so that an oversized packet can be fragmented in transit instead of being dropped.
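The anti-replay window that the Replay Protection setting enables works as follows. This is an added illustration modelled on the ESP sliding window of RFC 4303, not ScreenOS code; the window size (64) and the sequence numbers fed to it are assumed values chosen to show the three outcomes the description mentions: a new packet accepted, a replayed packet rejected, and a packet older than the window rejected.

```python
"""ESP anti-replay sliding window, modelled on RFC 4303 section 3.4.3.

Added example, not ScreenOS code. The window size (64) and the sequence
numbers below are assumed values for the demonstration.
"""


class AntiReplayWindow:
    """Bitmap of recently seen ESP sequence numbers for one inbound SA."""

    def __init__(self, window_size: int = 64) -> None:
        if window_size < 32:
            raise ValueError("RFC 4303 requires a window of at least 32")
        self.window_size = window_size
        self.top = 0            # highest sequence number accepted so far
        self.bitmap = 0         # bit i set => sequence number (top - i) seen
        self.mask = (1 << window_size) - 1

    def check(self, seq: int) -> bool:
        """Pre-authentication check: may this sequence number be accepted?

        ESP runs this before the expensive ICV verification so that a
        flood of replayed packets is dropped cheaply.
        """
        if seq == 0:
            return False                        # 0 is never a valid ESP sequence number
        if seq > self.top:
            return True                         # new high-water mark
        diff = self.top - seq
        if diff >= self.window_size:
            return False                        # older than the window: reject
        return not (self.bitmap & (1 << diff))  # already seen: replay

    def update(self, seq: int) -> None:
        """Record seq as received. Call only after the packet's ICV verified;
        otherwise an attacker could poison the window with forged packets."""
        if seq > self.top:
            shift = seq - self.top
            if shift >= self.window_size:
                self.bitmap = 1                 # whole window slides past the old contents
            else:
                self.bitmap = ((self.bitmap << shift) | 1) & self.mask
            self.top = seq
        else:
            self.bitmap |= 1 << (self.top - seq)

    def receive(self, seq: int, icv_ok: bool = True) -> bool:
        """Full inbound path for one packet: window check, ICV, window update."""
        if not self.check(seq) or not icv_ok:
            return False
        self.update(seq)
        return True


# Constructed input: sequence numbers as an attacker-in-the-middle might
# deliver them, including a replay of 2, a jump past the window, and a late
# packet (36) that has fallen off the left edge of the 64-packet window.
SAMPLE_SEQUENCE = [1, 2, 3, 2, 5, 100, 40, 36, 37, 1]


def replay_check_results(seqs=SAMPLE_SEQUENCE, window_size: int = 64) -> list:
    """Return the accept/reject decision for each sequence number, in order."""
    win = AntiReplayWindow(window_size)
    return [win.receive(s) for s in seqs]


if __name__ == "__main__":
    for seq, ok in zip(SAMPLE_SEQUENCE, replay_check_results()):
        print(f"seq {seq:>3}: {'accept' if ok else 'REJECT'}")
```

The split between check() and update() matters: the window is consulted before the integrity check so replays are cheap to drop, but it is only advanced after the ICV verifies, so forged packets with high sequence numbers cannot push legitimate traffic out of the window.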
ScreenOS Security Measures Using VPN Configuration
For Phase 2 negotiations, select a proposal or proposal set. You can select from predefined or user-defined proposals:
To use a predefined proposal set, select one of the following (in the proposal names, nopfs means no Perfect Forward Secrecy and g2 means PFS with Diffie-Hellman group 2):
Basic (nopfs-esp-des-sha, nopfs-esp-des-md5)
Compatible (nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha, nopfs-esp-des-md5)
Standard (g2-esp-3des-sha, g2-esp-aes128-sha)
The Basic and Compatible sets negotiate DES or 3DES with no PFS, so compromise of the Phase 1 key exposes every Phase 2 key derived from it; where both peers support it, prefer the Standard set's g2-esp-aes128-sha or a custom proposal that uses AES with a PFS group.
To use a user-defined proposal, select a single proposal from the list of predefined and custom IKE Phase 2 proposals. For details on custom IKE proposals, see “Configuring IKE Proposals” in the Network and Security Manager Administration Guide.
If your VPN includes only security devices, you can specify one predefined or custom proposal that NSM propagates to all nodes in the VPN. If your VPN includes extranet devices that you do not manage, offer multiple proposals so that each peer can find one it supports, and list the strongest proposals first, because the responder accepts the first proposal in the list that it supports.
You can bind the VPN tunnel to a tunnel interface or tunnel zone to increase the number of available interfaces in the security device. To use a tunnel interface and/or tunnel zone in your VPN, you must first create the tunnel interface or zone on the device; for details, see Routing-Based VPN Support Using Tunnel Interfaces and Tunnel Zones Overview and Configuring a Tunnel Interface.
Table 2 describes the binding methods in the device.
Table 2: Binding/ProxyID
None: Select None when you do not want to bind the VPN tunnel to a tunnel interface or zone.
Tunnel Interface: Select a preconfigured tunnel interface on the security device to bind the VPN tunnel to it. The device routes all VPN traffic through the tunnel interface to the protected resources. You can also enable DSCP marking to tag the traffic leaving through the interface with a priority value.
Tunnel Zone: Select a preconfigured tunnel zone on the security device to bind the VPN tunnel directly to the tunnel zone. The tunnel zone must include one or more numbered tunnel interfaces; when the security device routes VPN traffic to the tunnel zone, the traffic uses one or more of those tunnel interfaces to reach the protected resources.
DSCP Marking: Select this option to have the ScreenOS device overwrite the first 3 bits of the ToS byte (the IP precedence field) in the outer header with the configured priority.
DSCP Value: Select the DSCP value to mark the traffic with.
Proxy ID: Select an option to define a proxy ID through either an IP address or an address name for the local and remote device.
Proxy ID Check: Select this option to enable the proxy-ID check on a route-based VPN. From ScreenOS 6.3, the proxy-ID check supports IPv6.
You can also enable proxy IDs and configure their parameters. When multiple tunnels exist between the same pair of peers, a route alone cannot select which tunnel a flow should use; the device instead matches each flow against the proxy ID (local address, remote address, and service) of each tunnel and sends it through the tunnel whose proxy ID covers it. You can use either an IP address or an address name of the local and remote device to define a proxy ID.
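The two jobs a proxy ID does, selecting among several tunnels to one peer and mirroring the peer's Phase 2 selector, look like this in code. This is an added example, not ScreenOS or NSM code; the tunnel names, interfaces, subnets and the peer-side configuration are constructed for the demonstration, and the peer's /16 is deliberately wrong to show the kind of mismatch that makes Phase 2 fail.

```python
"""Proxy-ID (Phase 2 traffic selector) handling for a route-based VPN.

Added example, not ScreenOS or NSM code. Tunnel names, interfaces, subnets
and the peer configuration below are constructed for the demonstration.
"""
import ipaddress
from dataclasses import dataclass
from typing import Iterable, List, Optional


@dataclass(frozen=True)
class ProxyID:
    """Local subnet, remote subnet and service of one Phase 2 SA.
    protocol 0 and port 0 mean 'any', like the ScreenOS 'any' service."""
    local: ipaddress.IPv4Network
    remote: ipaddress.IPv4Network
    protocol: int = 0
    port: int = 0

    def covers(self, src: str, dst: str, protocol: int = 0, port: int = 0) -> bool:
        """True if a flow src->dst with this protocol/port falls inside the selector."""
        return (ipaddress.ip_address(src) in self.local
                and ipaddress.ip_address(dst) in self.remote
                and self.protocol in (0, protocol)
                and self.port in (0, port))

    def mirrors(self, peer: "ProxyID") -> bool:
        """Phase 2 succeeds only if the peer's local/remote are our remote/local
        with the same service; a supernet or a different service is a mismatch."""
        return (self.local == peer.remote and self.remote == peer.local
                and self.protocol == peer.protocol and self.port == peer.port)


@dataclass(frozen=True)
class Tunnel:
    name: str
    interface: str          # tunnel interface the VPN is bound to
    proxy_id: ProxyID


def net(s: str) -> ipaddress.IPv4Network:
    return ipaddress.ip_network(s)


def select_tunnel(tunnels: Iterable[Tunnel], src: str, dst: str,
                  protocol: int = 0, port: int = 0) -> Optional[Tunnel]:
    """With several tunnels to the same peer, pick the one whose proxy ID
    covers the flow. None means no tunnel matches and the flow is not
    sent through any VPN."""
    for t in tunnels:
        if t.proxy_id.covers(src, dst, protocol, port):
            return t
    return None


def proxy_id_mismatches(ours: Tunnel, theirs: ProxyID) -> List[str]:
    """Explain why Phase 2 between our tunnel and the peer's configured proxy
    ID would fail; an empty list means the two IDs mirror each other."""
    p = ours.proxy_id
    problems = []
    if p.local != theirs.remote:
        problems.append(f"{ours.name}: our local {p.local} != peer remote {theirs.remote}")
    if p.remote != theirs.local:
        problems.append(f"{ours.name}: our remote {p.remote} != peer local {theirs.local}")
    if (p.protocol, p.port) != (theirs.protocol, theirs.port):
        problems.append(f"{ours.name}: service {p.protocol}/{p.port} != peer {theirs.protocol}/{theirs.port}")
    return problems


# Constructed configuration: HQ has two tunnels to the same branch gateway,
# each bound to its own tunnel interface and distinguished only by proxy ID.
HQ_TUNNELS = [
    Tunnel("vpn-branch-lan", "tunnel.1", ProxyID(net("10.1.1.0/24"), net("10.2.2.0/24"))),
    Tunnel("vpn-branch-voice", "tunnel.2", ProxyID(net("10.1.1.0/24"), net("10.2.3.0/24"), 17, 5060)),
]

# Constructed peer side: the branch administrator entered a /16 instead of
# the /24 for the voice tunnel's remote subnet.
BRANCH_VOICE_PROXY_ID = ProxyID(net("10.2.3.0/24"), net("10.1.0.0/16"), 17, 5060)


def demo_selection() -> List[Optional[str]]:
    """Interface chosen for four constructed flows (None = no tunnel)."""
    flows = [
        ("10.1.1.5", "10.2.2.9", 6, 443),     # covered by tunnel.1
        ("10.1.1.5", "10.2.3.9", 17, 5060),   # covered by tunnel.2
        ("10.1.1.5", "10.2.3.9", 6, 22),      # right subnet, wrong service for tunnel.2
        ("10.1.1.5", "10.9.9.9", 6, 80),      # no tunnel covers this destination
    ]
    result = []
    for src, dst, proto, port in flows:
        t = select_tunnel(HQ_TUNNELS, src, dst, proto, port)
        result.append(t.interface if t else None)
    return result


if __name__ == "__main__":
    print(demo_selection())
    for line in proxy_id_mismatches(HQ_TUNNELS[1], BRANCH_VOICE_PROXY_ID):
        print("mismatch:", line)
```

proxy_id_mismatches() is the check to run when a Phase 2 negotiation fails between peers that already complete Phase 1: in almost every such case one side's local or remote network is not the exact mirror of the other side's.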
Monitor Management on ScreenOS Devices Using AutoKey IKE VPN
You can enable VPN Monitor and configure the monitoring parameters for the device. Monitoring is off by default. Select the VPN Monitor in Realtime Monitor to display statistics for the VPN tunnel as described in Table 3.
Table 3: Monitor
VPN Monitor Status: When enabled, the device sends ICMP echo requests (pings) through the tunnel at a specified interval (in seconds) to verify connectivity; it uses the IP address of the local outgoing interface as the source address and the IP address of the remote gateway as the destination address. When the ping results indicate that the monitoring status has changed (the tunnel has come up or gone down), the device sends an SNMP trap; VPN Monitor in RealTime Monitor collects these SNMP statistics for the tunnel and displays its status. From ScreenOS 6.3, VPN monitor supports IPv6.
Rekey: When enabled, the device renegotiates the IKE keys when a failed VPN tunnel attempts to reestablish itself. When disabled, the device monitors the tunnel only when the VPN passes user-generated traffic (instead of using device-generated ICMP echo requests). Use the rekey option to:
Optimized: This option appears only for devices running ScreenOS 5.x. When enabled, the device optimizes its VPN monitoring behavior as follows:
Source Interface and Destination IP: Use these options when the other end of the VPN tunnel is not a security device; specify the source interface and the destination IP address that the monitoring pings should use.
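The monitoring behaviour described in Table 3 can be read as a small state machine: a probe per interval, a trap only when the tunnel changes state, and the rekey option deciding whether probing continues on an idle tunnel. The simulation below is an added example, not ScreenOS code; the failure threshold of 3 consecutive unanswered probes and the scripted ping replies are assumptions made for the demonstration, since the page gives no threshold value.

```python
"""VPN Monitor as a state machine.

Added example, not ScreenOS code. The failure threshold (3) and the scripted
ping replies are assumptions for the demonstration.
"""
from dataclasses import dataclass, field
from typing import Callable, List, Optional


@dataclass
class VpnMonitor:
    probe: Callable[[], bool]       # sends one echo request through the tunnel; True if a reply came back
    rekey: bool = True              # keep probing (and renegotiating) even when no user traffic flows
    threshold: int = 3              # assumed: consecutive failures before the tunnel is declared down
    up: bool = False
    failures: int = 0
    probes_sent: int = 0
    rekey_attempts: int = 0
    traps: List[str] = field(default_factory=list)

    def tick(self, user_traffic_seen: bool) -> Optional[bool]:
        """Run one monitoring interval. Returns the tunnel state after the
        probe, or None when no probe was sent this interval."""
        if not self.rekey and not user_traffic_seen:
            return None                 # rekey off: observe the tunnel only while user traffic flows
        self.probes_sent += 1
        if self.probe():
            self.failures = 0
            self._transition(True)
        else:
            self.failures += 1
            if self.failures >= self.threshold:
                self._transition(False)
                if self.rekey:
                    self.rekey_attempts += 1   # renegotiate IKE to bring the tunnel back
        return self.up

    def _transition(self, new_state: bool) -> None:
        """Emit a trap on a change of state only, so a steady tunnel stays quiet."""
        if new_state != self.up:
            self.up = new_state
            self.traps.append("vpn-up" if new_state else "vpn-down")


def scripted_probe(replies: List[bool]) -> Callable[[], bool]:
    """Constructed stand-in for the ICMP echo: returns the scripted replies in order."""
    it = iter(replies)
    return lambda: next(it)


def demo_rekey_on() -> tuple:
    """Tunnel comes up, loses four probes in a row, then recovers."""
    mon = VpnMonitor(probe=scripted_probe([True, True, False, False, False, False, True]), rekey=True)
    for _ in range(7):
        mon.tick(user_traffic_seen=False)
    return mon.traps, mon.rekey_attempts, mon.probes_sent


def demo_rekey_off_idle() -> tuple:
    """Same outage with rekey off and no user traffic: nothing is probed, so
    the outage is never noticed and no trap is raised."""
    mon = VpnMonitor(probe=scripted_probe([False] * 7), rekey=False)
    for _ in range(7):
        mon.tick(user_traffic_seen=False)
    return mon.traps, mon.probes_sent


if __name__ == "__main__":
    print(demo_rekey_on())        # (['vpn-up', 'vpn-down', 'vpn-up'], 2, 7)
    print(demo_rekey_off_idle())  # ([], 0)
```

The second scenario is the operational point behind the rekey option: with it disabled, an idle tunnel that has silently failed produces no probe, no state change and no trap until a user tries to send traffic through it.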