netscreen concepts examples vpns part 3 doc


&KDSWHU3XEOLF.H\&U\SWRJUDSK\ &KHFNLQJIRU5HYRFDWLRQ8VLQJ2&63 1HW6FUHHQ&RQFHSWV([DPSOHV²9ROXPH931V  6SHFLI\LQJ(LWKHU&5/RU2&63IRU5HYRFDWLRQ&KHFNLQJ To specify the revocation check method (CRL, OCSP, both, or none) for a certificate of a particular CA, use the following CLI syntax: ns-> set pki authority id_num cert-status revoc { CRL | OCSP | all | none } where id_num is the identification number for the certificate. The following example specifies OCSP revocation checking. ns-> set pki authority 3 cert-status revocation-check ocsp The ID number 3 identifies the certificate of the CA. 'LVSOD\LQJ&HUWLILFDWH5HYRFDWLRQ6WDWXV$WWULEXWHV To display the revocation check attributes for a particular CA, use the following CLI syntax: ns-> get pki authority id_num cert-status where id_num is the identification number for the certificate issued by the CA. To display the revocation status attributes for the CA that issued certificate 7: ns-> get pki authority 7 cert-status 6SHFLI\LQJWKH85/RIDQ2&635HVSRQGHUIRUD&HUWLILFDWH To specify the URL string of an OCSP responder for a particular certificate, use the following CLI syntax: ns-> set pki authority id_num cert-status ocsp url url_str To specify the URL string of an OCSP responder (http:\\192.168.10.10) for the CA with certificate at index 5, use the following CLI syntax: ns-> set pki authority 5 cert-status ocsp url http:\\192.168.10.10 To remove the URL (http:\\192.168.2.1) of a CRL server for a certificate 5: ns-> unset pki authority 5 cert-status ocsp url http:\\192.168.2.1 &KDSWHU3XEOLF.H\&U\SWRJUDSK\ &KHFNLQJIRU5HYRFDWLRQ8VLQJ2&63 1HW6FUHHQ&RQFHSWV([DPSOHV²9ROXPH931V  5HPRYLQJ&HUWLILFDWH5HYRFDWLRQ&KHFN$WWULEXWHV To remove all attributes related to a certificate revocation check for a CA that issued a particular certificate, use the following syntax: ns-> unset pki authority id_num cert-status To remove all revocation attributes related to certificate 1: 
ns-> unset pki authority 1 cert-status &KDSWHU3XEOLF.H\&U\SWRJUDSK\ &KHFNLQJIRU5HYRFDWLRQ8VLQJ2&63 1HW6FUHHQ&RQFHSWV([DPSOHV²9ROXPH931V   1HW6FUHHQ&RQFHSWV([DPSOHV²9ROXPH931V  5RXWLQJ%DVHG931V The configuration of a NetScreen device for virtual private network (VPN) support is particularly flexible. In ScreenOS releases prior to 3.1.0, VPN tunnels are treated as objects (or building blocks) that together with source, destination, service, and action, comprise a policy that permits VPN traffic. (Actually, the VPN policy action is tunnel, but the action permit is implied, if unstated). In ScreenOS 3.1.0, the concept of a VPN tunnel shifted. In addition 1 to the previous notion of a tunnel as an object used to build policies—see Chapter 4, “Policy-Based VPNs” on page 123—a tunnel can also be viewed as a network resource used to transport traffic. Thus, you can consider a tunnel as a means for delivering traffic between points A and B, and a policy as a method for either permitting or denying the delivery of that traffic. Simply put, ScreenOS allows you the freedom to decouple the regulation of traffic from the means of its delivery. This chapter presents an overview and offers examples of the following routing-based VPN concepts: • “Tunnel Interfaces” on page 48 – “Example: Tunnel Bound to Tunnel Interface” on page 49 – “Example: Deleting a Tunnel Interface” on page 57 • “LAN-to-LAN VPNs” on page 58 – “Example: Routing-Based LAN-to-LAN VPN, Manual Key” on page 59 – “Example: Routing-Based LAN-to-LAN VPN, AutoKey IKE” on page 70 – “Example: Routing-Based LAN-to-LAN VPN, Dynamic Peer” on page 76 • “Dialup-to-LAN VPN, Dynamic Peer” on page 92 – “Example: Routing-Based Dialup-to-LAN VPN, Dynamic Peer” on page 93 • “Hub-and-Spoke VPNs” on page 103 – “Example: Hub-and-Spoke VPNs” on page 104 • “Back-to-Back VPNs” on page 111 – “Example: Back-to-Back VPNs” on page 112 1. 
ScreenOS releases after 3.1.0 continues to support pre-ScreenOS 3.1.0 VPN configuration concepts and methods. &KDSWHU5RXWLQJ%DVHG931V 7XQQHO,QWHUIDFHV 1HW6FUHHQ&RQFHSWV([DPSOHV²9ROXPH931V  7811(/,17(5)$&(6 When you configure the remote gateway for a VPN tunnel, you must also specify a security zone interface as the local gateway 2 . Beyond the VPN tunnel termination points (the local and remote gateways), you can also configure tunnel interfaces in either a security zone or in a tunnel zone through which the NetScreen device directs traffic to and from the VPN tunnel 3 . You can bind a VPN tunnel to a specific numbered (with IP address/netmask) or unnumbered (without IP address/netmask) tunnel interface in a security zone. If the tunnel interface is unnumbered, it borrows the IP address from the interface of the security zone in which you created it. Now you have a VPN tunnel that is bound both to a tunnel interface and to a local security zone interface. Conceptually, you can view VPN tunnels as pipes that you have laid. They extend from the local device to remote gateways, and the tunnel interfaces are the openings to these pipes. The pipes are always there, available for use whenever the routing engine directs traffic to one of their interfaces. 2. Your IKE peer uses the IP address of your local gateway interface (or outgoing-interface) when configuring the remote gateway on his NetScreen device. 3. If you do not specify a tunnel interface, the tunnel uses the default interface for the security zone. When a numbered tunnel interface is in a tunnel zone, you cannot bind a VPN tunnel to the tunnel interface. You can only bind a tunnel to the tunnel zone. This allows multiple tunnel interfaces to link to a single tunnel, or multiple tunnels to link to a single tunnel interface. In such cases, you must create a policy-based VPN configuration. When a tunnel interface is in a security zone, you must bind a VPN tunnel to the tunnel interface. 
Doing so allows you to create a routing-based VPN configuration. The tunnel interface can be numbered or unnumbered. If it is unnumbered, the tunnel interface borrows the IP address from the security zone interface.

Note: Only a numbered tunnel interface (that is, an interface with an IP address and netmask) can support policy-based NAT.

When a numbered tunnel interface is in a security zone and is the only interface in that zone, you do not need to create a security zone interface. In this case, the security zone supports VPN traffic via the tunnel interface, but no other kind of traffic.

[Figure: three arrangements of tunnel interfaces. (1) A security zone containing security zone interfaces and a numbered or unnumbered tunnel interface bound to a VPN tunnel. (2) A tunnel zone containing numbered tunnel interfaces linked to a VPN tunnel. (3) A security zone containing only a numbered tunnel interface bound to a VPN tunnel.]

Chapter: Routing-Based VPNs – Tunnel Interfaces
(NetScreen Concepts & Examples – Volume VPNs)

Generally, assign an IP address to a tunnel interface if you want the interface to support policy-based NAT. For more information about VPNs and policy-based NAT, see “Tunnel Zones and Policy-Based NAT” on page 202.

You can create a numbered tunnel interface in either a tunnel zone or security zone. If the tunnel interface does not need to support policy-based NAT, and your configuration does not require the tunnel interface to be bound to a tunnel zone, you can specify the interface as unnumbered. You must bind an unnumbered tunnel interface to a security zone; you cannot bind it to a tunnel zone. You must also specify an interface bound to that security zone whose IP address the unnumbered tunnel interface borrows.

Example: Tunnel Bound to Tunnel Interface

In this example, you configure a VPN tunnel between the corporate site and a branch office. The tunnel has the following characteristics:

• The VPN tunnel is bound to a tunnel interface named tunnel.1.
• The Untrust zone is bound to the untrust-vr, not the trust-vr.
• AutoKey IKE VPN using a preshared key (netscreen1), Main mode, with the security level predefined as “Compatible” for both Phase 1 and Phase 2 proposals
• The interface specified as the local gateway on the corporate site is 210.1.1.1. (The branch office uses this address as the remote gateway in its IKE configuration.)
• The NetScreen device at the corporate site is running ScreenOS 4.0.0.
• The NetScreen device at the remote site is running a version of ScreenOS earlier than 3.1.0.

Note: The security zone interface that you specify must be in the same zone to which you have bound the tunnel interface.

Note: Only the configuration for the corporate end of the tunnel is given below. For information on configuring a NetScreen device running pre-USGA ScreenOS, see the NetScreen Concepts & Examples ScreenOS Reference Guide for the version of ScreenOS that is appropriate for your device.

[Figure: corporate-site topology. trust-vr routing domain: Zone Sales, eth2/1, 10.1.1.1/24. untrust-vr routing domain: Zone Untrust, eth1/2, 210.1.1.1/24, tunnel.1, default gateway 210.1.1.254. VPN tunnel to_branch1 to Branch1 (gateway 211.2.2.2/24, network 10.2.1.0/24). Note: The castle icon represents a security zone interface. The NetScreen device sends the encapsulated VPN traffic to the external router acting as the default gateway.]

WebUI

Security Zones and Virtual Routers

1. Network > Interfaces > Edit (for ethernet1/2): Enter the following, and then click OK:
   IP Address/Netmask: 0.0.0.0/0
   Manage IP: 0.0.0.0
2. Network > Interfaces > Edit (for ethernet1/2): Enter the following, and then click OK:
   Zone Name: Null
3. Network > Zones > Edit (for Untrust): In the Virtual Router Name drop-down list, select untrust-vr, and then click OK.
4. Network > Interfaces > Edit (for ethernet1/2): Enter the following, and then click OK:
   Zone Name: Untrust
5. Network > Zones > New: Enter the following, and then click OK:
   Name: Sales
   Virtual Router Name: trust-vr

Interfaces – Zones and Tunnel

6. Network > Interfaces > Edit (for ethernet2/1): Enter the following, and then click OK:
   Zone Name: Sales
   IP Address/Netmask: 10.1.1.1/24
7. Network > Interfaces > Edit (for ethernet1/2): Enter the following, and then click OK:
   Zone Name: Untrust
   IP Address/Netmask: 210.1.1.1/24
8. Network > Interfaces > Tunnel IF New: Enter the following, and then click OK:
   Tunnel Interface Name: tunnel.1
   Zone: Untrust
   Unnumbered: (select)
   Interface: ethernet1/2(Untrust) [4]

VPN

9. VPNs > AutoKey IKE > New: Enter the following, and then click OK:
   VPN Name: to_branch1
   Security Level: Compatible
   Remote Gateway: Create a Simple Gateway: (select)
   Gateway Name: branch1
   Type: Static IP (select), IP Address: 211.2.2.2
   Preshared Key: netscreen1
   Security Level: Compatible
   Outgoing Interface: ethernet1/2 [5]
   > Advanced: Enter the following advanced settings, and then click Return to return to the basic AutoKey IKE configuration page:
   Security Level: Compatible
   Replay Protection: (select)
   Bind to: Tunnel Interface: tunnel.1
   Proxy-ID: (select)
   Local IP/Netmask: 10.1.1.0/24
   Remote IP/Netmask: 10.2.1.0/24
   Service: ANY

Addresses

10. Objects > Addresses > List > New: Enter the following, and then click OK:
   Address Name: sales-any
   IP Address/Domain Name: IP/Netmask: (select), 10.1.1.0/24
   Zone: Sales
11. Objects > Addresses > List > New: Enter the following, and then click OK:
   Address Name: branch1
   IP Address/Domain Name: IP/Netmask: (select), 10.2.1.0/24
   Zone: Untrust

Routes

12. Network > Routing > Route Table > trust-vr New: Enter the following, and then click OK:
   Network Address/Netmask: 0.0.0.0/0
   Next Hop Virtual Router Name: (select), untrust-vr
13. Network > Routing > Route Table > untrust-vr New: Enter the following, and then click OK:
   Network Address/Netmask: 10.2.1.0/24
   Gateway: (select)
   Interface: tunnel.1
   Gateway IP Address: 0.0.0.0

4. The source interface must be in the same zone to which the tunnel interface is bound; in this case, the Untrust zone. The unnumbered tunnel interface borrows the IP address of the specified security zone interface.
5. The outgoing interface does not have to be in the same zone to which the tunnel interface is bound.

[...] (the preview continues with truncated excerpts from the LAN-to-LAN VPN manual-key example between the Tokyo and Paris offices)

... – Untrust interface (ethernet3): 201.22.3.14/24
• Paris:
  – Trust interface (ethernet1): 172.16.5.1/24
  – Untrust interface (ethernet3): 203.3.3.10/24

The Trust and Untrust security zones and the Untrust-Tun tunnel zone are all in the trust-vr routing domain. The Untrust zone interface (ethernet3) serves as the outgoing interface for the VPN tunnel. Topology of the zones configured on the NetScreen device in Tokyo ...

[Figure: topology of the zones configured on the NetScreen devices in Tokyo and Paris. Tokyo: Trust zone eth1, 192.168.10.1/24; Untrust zone outgoing interface eth3, 201.22.3.14/24, gateway 201.22.3.20. Paris: Trust zone eth1, 172.16.5.1/24; Untrust zone outgoing interface eth3, 203.3.3.10/24, gateway 203.3.3.1. VPN tunnel across the Internet; tunnel interface tunnel.1 at each end.]

WebUI (Tokyo)

... Edit (for ethernet3): Enter the following, and then click OK:
   Zone Name: Untrust
   IP Address/Netmask: 201.22.3.14/24
3. Network > Interfaces > Tunnel IF New: Enter the following, and then click OK:
   Tunnel Interface Name: tunnel.1
   Zone: Untrust
   Unnumbered: (select)
   Interface: ethernet3(Untrust)

Addresses

4. Objects ...
... 172.16.5.0/24
   Zone: Untrust

VPN

6. VPNs > Manual Key > New: Enter the following, and then click OK:
   VPN Tunnel Name: Tokyo_Paris
   Gateway IP: 203.3.3.10
   Security Index: 3020 (Local), 3030 (Remote)
   Outgoing Interface: ethernet3
   ESP-CBC: (select)
   Encryption Algorithm: 3DES-CBC
   Generate Key by Password: asdlk24234
   Authentication Algorithm: SHA-1
   Generate Key by Password: PNas134a
   > Advanced: Enter the following ...

WebUI (Paris)

Interfaces – Security Zones

1. Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:
   Zone Name: Trust
   IP Address/Netmask: 172.16.5.1/24
2. Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
   Zone Name: Untrust
   IP Address/Netmask: 203.3.3.10/24
3. Network > Interfaces ...
... 192.168.10.0/24
   Zone: Untrust

VPN

6. VPNs > Manual Key > New: Enter the following, and then click OK:
   VPN Tunnel Name: Paris_Tokyo
   Gateway IP: 201.22.3.14
   Security Index: 3030 (Local), 3020 (Remote)
   Outgoing Interface: ethernet3(Untrust)
   ESP-CBC: (select)
   Encryption Algorithm: 3DES-CBC
   Generate Key by Password: asdlk24234
   Authentication Algorithm: SHA-1
   Generate Key by Password: PNas134a
   > Advanced: Enter the ...

CLI (Tokyo)

Interfaces – Zones and Tunnel

1. set interface ethernet1 zone trust
2. set interface ethernet1 ip 192.168.10.1/24
3. set interface ethernet3 zone untrust
4. set interface ethernet3 ip 201.22.3.14/24
5. set interface tunnel.1 zone untrust
6. set interface tunnel.1 ip unnumbered interface ethernet3

Addresses

7. 8. set address ...
... paris_office 172.16.5.0/24

VPN

9. set vpn tokyo_paris manual 3020 3030 gateway 203.3.3.10 outgoing-interface ethernet3 esp 3des password asdlk24234 auth sha-1 password PNas134a
10. set vpn tokyo_paris bind interface tunnel.1

Routes

11. set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.22.3.20
12. set vrouter trust-vr route 172.16.5.0/24 interface tunnel.1

Policies

13. set policy top name “To ...

CLI (Paris)

Interfaces – Zones and Tunnel

1. set interface ethernet1 zone trust
2. set interface ethernet1 ip 172.16.5.1/24
3. set interface ethernet1 nat
4. set interface ethernet3 zone untrust
5. set interface ethernet3 ip 203.3.3.10/24
6. set interface tunnel.1 zone untrust
7. set interface tunnel.1 ip unnumbered interface ethernet3

Addresses ...
... tokyo_office 192.168.10.0/24

VPN

10. set vpn paris_tokyo manual 3030 3020 gateway 201.22.3.14 outgoing-interface ethernet3 esp 3des password asdlk24234 auth sha-1 password PNas134a
11. set vpn paris_tokyo bind interface tunnel.1

Routes

12. set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 203.3.3.1
13. set vrouter trust-vr route 192.168.10.0/24 interface tunnel.1

Policies

14. set policy top ...
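The "Tunnel Bound to Tunnel Interface" example above relies on two routing decisions: the trust-vr default route hands the lookup to untrust-vr, and untrust-vr's route for 10.2.1.0/24 points into tunnel.1 while everything else follows the default route to 210.1.1.254 in the clear. The following Python model (an added illustration, not code from the NetScreen documentation) walks packets through that path using the interfaces from steps 6 to 8, the proxy-ID from step 9, and the routes from steps 12 and 13; it assumes the Phase 2 proxy-ID acts as the tunnel's traffic selector and that the encapsulated packet is routed toward the peer 211.2.2.2 by the untrust-vr default route, as the figure note describes.

```python
import ipaddress
from dataclasses import dataclass
@dataclass(frozen=True)
class Route:
    prefix: ipaddress.IPv4Network
    interface: str = ""   # egress interface for an ordinary route
    gateway: str = ""     # next-hop IP ("0.0.0.0" on the tunnel route, as in step 13)
    next_vr: str = ""     # inter-VR route: continue the lookup in this virtual router

# Interfaces from steps 6-8 (constructed here to mirror the page's configuration).
INTERFACES = {
    "ethernet2/1": {"zone": "Sales", "ip": "10.1.1.1"},
    "ethernet1/2": {"zone": "Untrust", "ip": "210.1.1.1"},
    "tunnel.1": {"zone": "Untrust", "unnumbered": "ethernet1/2",
                 "vpn": "to_branch1", "peer": "211.2.2.2"},
}
# Routing tables: connected routes plus the two static routes from steps 12-13.
VROUTERS = {
    "trust-vr": [
        Route(ipaddress.ip_network("10.1.1.0/24"), interface="ethernet2/1"),
        Route(ipaddress.ip_network("0.0.0.0/0"), next_vr="untrust-vr"),
    ],
    "untrust-vr": [
        Route(ipaddress.ip_network("210.1.1.0/24"), interface="ethernet1/2"),
        Route(ipaddress.ip_network("10.2.1.0/24"), interface="tunnel.1", gateway="0.0.0.0"),
        Route(ipaddress.ip_network("0.0.0.0/0"), interface="ethernet1/2", gateway="210.1.1.254"),
    ],
}
# Phase 2 proxy-ID from step 9, modelled (an assumption) as the tunnel's traffic selector.
PROXY_ID = {"to_branch1": (ipaddress.ip_network("10.1.1.0/24"), ipaddress.ip_network("10.2.1.0/24"))}

def lookup(vr, dst):
    """Longest-prefix match in one virtual router, following inter-VR routes."""
    matches = [r for r in VROUTERS[vr] if dst in r.prefix]
    if not matches:
        return None
    best = max(matches, key=lambda r: r.prefix.prefixlen)
    return lookup(best.next_vr, dst) if best.next_vr else best

def forward(src, dst, ingress_vr="trust-vr"):
    """Describe how a packet from src to dst leaves the device."""
    src, dst = ipaddress.ip_address(src), ipaddress.ip_address(dst)
    route = lookup(ingress_vr, dst)
    if route is None:
        return {"action": "drop", "reason": "no route"}
    iface = INTERFACES[route.interface]
    if "vpn" not in iface:  # ordinary route: the packet leaves unencrypted
        return {"action": "clear", "interface": route.interface, "next_hop": route.gateway}
    local, remote = PROXY_ID[iface["vpn"]]
    if src not in local or dst not in remote:
        return {"action": "drop", "reason": "outside proxy-ID"}
    # Encapsulate: outer packet is sourced from the borrowed address and routed toward the peer.
    outer = lookup("untrust-vr", ipaddress.ip_address(iface["peer"]))
    return {"action": "encrypt", "vpn": iface["vpn"], "interface": route.interface,
            "outer_src": INTERFACES[iface["unnumbered"]]["ip"], "outer_next_hop": outer.gateway}
```

Only traffic that both matches the tunnel.1 route and falls inside the proxy-ID is encrypted; a Sales-zone packet to any other destination leaves unencrypted through ethernet1/2, which is why the route table, not just the policy, determines what the VPN protects.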

Posted: 14/08/2014, 18:22

Table of contents

  • Public Key Cryptography
    • Checking for Revocation Using OCSP
      • Configuring for OCSP
        • Specifying Either CRL or OCSP for Revocation Checking
        • Displaying Certificate Revocation Status Attributes
        • Specifying the URL of an OCSP Responder for a Certificate
        • Removing Certificate Revocation Check Attributes
  • Routing-Based VPNs
    • Tunnel Interfaces
      • Example: Tunnel Bound to Tunnel Interface
      • Deleting Tunnel Interfaces
        • Example: Deleting a Tunnel Interface
    • LAN-to-LAN VPNs
      • Example: Routing-Based LAN-to-LAN VPN, Manual Key
      • Example: Routing-Based LAN-to-LAN VPN, AutoKey IKE
