
netscreen concepts examples vpns part 6 pps

NetScreen Concepts & Examples – Volume: VPNs
Chapter: Policy-Based VPNs, LAN-to-LAN VPNs

Tunnel Interfaces

Beyond the VPN tunnel termination points (the local and remote gateways), you can also configure tunnel interfaces in either a security zone or in a tunnel zone through which the NetScreen device directs traffic to and from the VPN tunnel (1). You can bind a VPN tunnel to a specific numbered (with IP address/netmask) or unnumbered (without IP address/netmask) tunnel interface in a security zone. If the tunnel interface is unnumbered, it borrows the IP address from the interface of the security zone in which you created it. Generally, assign an IP address to a tunnel interface if you want the interface to support policy-based NAT. For more information about policy-based NAT, see "Tunnel Zones and Policy-Based NAT" on page 202.

You can create a numbered tunnel interface in either a tunnel zone or a security zone.

When a numbered tunnel interface is in a tunnel zone, you cannot bind a VPN tunnel to the tunnel interface. You can only bind a tunnel to the tunnel zone. This allows multiple tunnel interfaces to link to a single tunnel, or multiple tunnels to link to a single tunnel interface. In such cases, you must create a policy-based VPN configuration.

When a tunnel interface is in a security zone, you must bind a VPN tunnel to the tunnel interface. Doing so allows you to create a routing-based VPN configuration. The tunnel interface can be numbered or unnumbered. If it is unnumbered, the tunnel interface borrows the IP address from the security zone interface.

Note: Only a numbered tunnel interface (that is, an interface with an IP address and netmask) can support policy-based NAT.

When a numbered tunnel interface is in a security zone and is the only interface in that zone, you do not need to create a security zone interface. In this case, the security zone supports VPN traffic via the tunnel interface, but no other kind of traffic.

[Figure: Tunnel Interfaces. Panels: Tunnel Zone with a Numbered tunnel interface and Security Zone Interfaces; Security Zone with Numbered or Unnumbered tunnel interfaces, each bound to a VPN Tunnel; Security Zone with a single Numbered tunnel interface and no security zone interface.]

(1) If you do not specify a tunnel interface, the tunnel uses the default interface for the security zone.

If the tunnel interface does not need to support policy-based NAT, and your configuration does not require the tunnel interface to be bound to a tunnel zone, you can specify the interface as unnumbered. You must bind an unnumbered tunnel interface to a security zone; you cannot bind it to a tunnel zone. You must also specify an interface bound to that security zone whose IP address the unnumbered tunnel interface borrows.

Note: The security zone interface that you specify must be in the same zone to which you have bound the tunnel interface.

Example: Policy-Based LAN-to-LAN VPN, Manual Key

In this example, a Manual Key tunnel provides a secure communication channel between offices in Tokyo and Paris, using ESP with 3DES encryption and SHA-1 authentication. The Trust zones at each site are in NAT mode. The Trust and Untrust security zones and the Untrust-Tun tunnel zone are in the trust-vr routing domain. The Untrust zone interface (ethernet3) serves as the outgoing interface for the VPN tunnel. The addresses are as follows:

• Tokyo:
  - Trust interface (ethernet1): 192.168.10.1/24
  - Untrust interface (ethernet3): 201.22.3.14/24
• Paris:
  - Trust interface (ethernet1): 172.16.5.1/24
  - Untrust interface (ethernet3): 203.3.3.10/24

Note: By default, a VPN tunnel is bound to the Untrust-Tun tunnel zone—even if you select the Bind to: None option on the VPNs > Manual Key > New > Advanced configuration page in the WebUI.

[Figure: Tokyo: Trust Zone eth1, 192.168.10.1/24; Outgoing Interface, Untrust Zone eth3, 201.22.3.14/24; Gateway 201.22.3.20. VPN Tunnel across the Internet. Paris: Trust Zone eth1, 172.16.5.1/24; Outgoing Interface, Untrust Zone eth3, 203.3.3.10/24; Gateway 203.3.3.1. Below: topology of the zones configured on the NetScreen device in Tokyo (Trust Zone, Untrust-Tun Zone, Untrust Zone) and topology of the zones configured on the NetScreen device in Paris (Trust Zone, Untrust-Tun Zone, Untrust Zone).]

To set up the tunnel, perform the following five steps on the NetScreen devices at both ends of the tunnel:

1. Assign IP addresses to the physical interfaces bound to the security zones.
2. Configure the VPN tunnel, and designate its outgoing interface in the Untrust zone.
3. Enter the IP addresses for the local and remote endpoints in the Trust and Untrust address books.
4. Enter a default route to the external router.
5. Set up policies for VPN traffic to pass bidirectionally through the tunnel.

WebUI (Tokyo)

Interfaces – Security Zones

1. Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:
   Zone Name: Trust
   IP Address/Netmask: 192.168.10.1/24
2. Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
   Zone Name: Untrust
   IP Address/Netmask: 201.22.3.14/24

Addresses

3. Objects > Addresses > List > New: Enter the following, and then click OK:
   Address Name: Trust_LAN
   IP Address/Domain Name: IP/Netmask: (select), 192.168.10.0/24
   Zone: Trust
4. Objects > Addresses > List > New: Enter the following, and then click OK:
   Address Name: Paris_office
   IP Address/Domain Name: IP/Netmask: (select), 172.16.5.0/24
   Zone: Untrust

VPN

5. VPNs > Manual Key > New: Enter the following, and then click OK:
   VPN Tunnel Name: Tokyo_Paris
   Gateway IP: 203.3.3.10
   Security Index: 3020 (Local), 3030 (Remote)
   Outgoing Interface: ethernet3
   ESP-CBC: (select)
   Encryption Algorithm: 3DES-CBC
   Generate Key by Password: asdlk24234
   Authentication Algorithm: SHA-1
   Generate Key by Password: PNas134a

Route

6. Network > Routing > Routing Table > trust-vr New: Enter the following, and then click OK:
   Network Address/Netmask: 0.0.0.0/0
   Gateway: (select)
   Gateway IP Address: 201.22.3.20
   Interface: ethernet3(untrust)

Policies

7. Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
   Name: To/From Paris
   Source Address: Address Book: (select), Trust_LAN
   Destination Address: Address Book: (select), Paris_office
   Service: ANY
   Action: Tunnel
   Tunnel VPN: Tokyo_Paris
   Modify matching VPN policy: (select)
   Position at Top: (select)

WebUI (Paris)

Interfaces – Security Zones

1. Network > Interfaces > Edit (for ethernet1): Enter the following, and then click OK:
   Zone Name: Trust
   IP Address/Netmask: 172.16.5.1/24
2. Network > Interfaces > Edit (for ethernet3): Enter the following, and then click OK:
   Zone Name: Untrust
   IP Address/Netmask: 203.3.3.10/24

Addresses

3. Objects > Addresses > List > New: Enter the following, and then click OK:
   Address Name: Trust_LAN
   IP Address/Domain Name: IP/Netmask: (select), 172.16.5.0/24
   Zone: Trust
4. Objects > Addresses > List > New: Enter the following, and then click OK:
   Address Name: Tokyo_office
   IP Address/Domain Name: IP/Netmask: (select), 192.168.10.0/24
   Zone: Untrust

VPN

5. VPNs > Manual Key > New Manual Key Entry: Enter the following, and then click OK:
   VPN Tunnel Name: Paris_Tokyo
   Gateway IP: 201.22.3.14
   Security Index: 3030 (Local), 3020 (Remote)
   Outgoing Interface: ethernet3(Untrust)
   Bind to Tunnel Zone: (select), Untrust-Tun
   ESP-CBC: (select)
   Encryption Algorithm: 3DES-CBC
   Generate Key by Password: asdlk24234
   Authentication Algorithm: SHA-1
   Generate Key by Password: PNas134a

Route

6. Network > Routing > Routing Table > trust-vr New: Enter the following, and then click OK:
   Network Address/Netmask: 0.0.0.0/0
   Gateway: (select)
   Gateway IP Address: 203.3.3.1
   Interface: ethernet3(untrust)

Policies

7. Policies > (From: Trust, To: Untrust) New: Enter the following, and then click OK:
   Name: To/From Tokyo
   Source Address: Address Book: (select), Trust_LAN
   Destination Address: Address Book: (select), Tokyo_office
   Service: ANY
   Action: Tunnel
   Tunnel VPN: Paris_Tokyo
   Modify matching VPN policy: (select)
   Position at Top: (select)

CLI (Tokyo)

Interfaces – Zones and Tunnel

1. set interface ethernet1 zone trust
2. set interface ethernet1 ip 192.168.10.1/24
3. set interface ethernet3 zone untrust
4. set interface ethernet3 ip 201.22.3.14/24

Addresses

5. set address trust Trust_LAN 192.168.10.0/24
6. set address untrust paris_office 172.16.5.0/24

VPN

7. set vpn tokyo_paris manual 3020 3030 gateway 203.3.3.10 outgoing-interface ethernet3 esp 3des password asdlk24234 auth sha-1 password PNas134a

Route

8. set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 201.22.3.20

Policies

9. set policy top name "To/From Paris" from trust to untrust Trust_LAN paris_office any tunnel vpn tokyo_paris
10. set policy top name "To/From Paris" from untrust to trust paris_office Trust_LAN any tunnel vpn tokyo_paris
11. save

[...]
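A Manual Key tunnel only comes up when the two sides agree on every static parameter, and the example above shows how they must mirror each other: local/remote Security Index values swapped, the same algorithms and key passwords, each Gateway IP equal to the peer's outgoing interface, and each Untrust address object equal to the peer's Trust LAN. The following checker is an added example, not part of the NetScreen manual; it parses the Tokyo and Paris CLI lines from this example (constructed sample input) and reports any pairing mismatch. The names `parse` and `check_pair` are assumed for this illustration.

```python
import re

# Constructed sample input: the CLI lines each side enters in the Manual Key example.
TOKYO = """
set interface ethernet3 ip 201.22.3.14/24
set address trust Trust_LAN 192.168.10.0/24
set address untrust paris_office 172.16.5.0/24
set vpn tokyo_paris manual 3020 3030 gateway 203.3.3.10 outgoing-interface ethernet3 esp 3des password asdlk24234 auth sha-1 password PNas134a
"""
PARIS = """
set interface ethernet3 ip 203.3.3.10/24
set address trust Trust_LAN 172.16.5.0/24
set address untrust tokyo_office 192.168.10.0/24
set vpn paris_tokyo manual 3030 3020 gateway 201.22.3.14 outgoing-interface ethernet3 esp 3des password asdlk24234 auth sha-1 password PNas134a
"""

VPN_RE = re.compile(r"set vpn (\S+) manual (\d+) (\d+) gateway (\S+) outgoing-interface (\S+)"
                    r" esp (\S+) password (\S+) auth (\S+) password (\S+)")

def parse(cfg):
    """Collect interface IPs, address objects per zone and the manual-key VPN line."""
    d = {"ifaces": {}, "addrs": {}, "vpn": None}
    for line in cfg.strip().splitlines():
        if m := re.match(r"set interface (\S+) ip (\S+)", line):
            d["ifaces"][m[1]] = m[2].split("/")[0]          # keep the host address only
        elif m := re.match(r"set address (\S+) (\S+) (\S+)", line):
            d["addrs"].setdefault(m[1], set()).add(m[3])     # zone -> set of prefixes
        elif m := VPN_RE.match(line):
            d["vpn"] = dict(local_spi=int(m[2]), remote_spi=int(m[3]), gateway=m[4],
                            oif=m[5], enc=m[6], enc_pw=m[7], auth=m[8], auth_pw=m[9])
    return d

def check_pair(a, b):
    """Return a list of mismatches between two peers' manual-key settings ([] if consistent)."""
    issues = []
    va, vb = a["vpn"], b["vpn"]
    # Local SPI on one side must be the remote SPI on the other (3020/3030 above).
    if (va["local_spi"], va["remote_spi"]) != (vb["remote_spi"], vb["local_spi"]):
        issues.append("SPI: local/remote security indexes are not mirrored")
    for k in ("enc", "enc_pw", "auth", "auth_pw"):
        if va[k] != vb[k]:
            issues.append(f"{k}: algorithm or key password differs between peers")
    for name, me, peer in (("A", a, b), ("B", b, a)):
        peer_ip = peer["ifaces"].get(peer["vpn"]["oif"])
        if me["vpn"]["gateway"] != peer_ip:                  # gateway = peer's outgoing interface
            issues.append(f"{name}: gateway {me['vpn']['gateway']} != peer interface {peer_ip}")
        if me["addrs"].get("untrust") != peer["addrs"].get("trust"):
            issues.append(f"{name}: untrust address objects do not mirror peer's trust LAN")
    return issues
```

Running `check_pair(parse(TOKYO), parse(PARIS))` on the page's values returns an empty list; swapping the SPIs or changing one key password on only one side produces a named mismatch.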
CLI (Paris)

Interfaces – Zones and Tunnel

1. set interface ethernet1 zone trust
2. set interface ethernet1 ip 172.16.5.1/24
3. set interface ethernet3 zone untrust
4. set interface ethernet3 ip 203.3.3.10/24

Addresses

5. set address trust Trust_LAN 172.16.5.0/24
6. set address untrust tokyo_office 192.168.10.0/24

VPN

7. set vpn paris_tokyo manual 3030 3020 gateway 201.22.3.14 ...

... save

Example: Policy-Based LAN-to-LAN VPN, AutoKey IKE

... Preferred certificate (optional)
   Peer CA: Entrust
   Peer Type: X509-SIG
2. VPNs > AutoKey IKE > New: Enter the following, and then click OK:
   VPN Name: Tokyo_Paris
   Security Level: Compatible
   Remote Gateway: Predefined: (select), To_Paris
...

WebUI (Paris)

1. VPNs > AutoKey Advanced > Gateway > New: Enter the following, and ...

Example: Policy-Based LAN-to-LAN VPN, Dynamic Peer

In this example, a VPN tunnel securely connects the users in the Trust zone behind NetScreen A to the mail server in the corporate DMZ zone, protected by NetScreen B. The Untrust zone interface for NetScreen B has a static IP address. The ISP serving NetScreen A ... DHCP. Because only NetScreen B has a fixed address for its Untrust zone, VPN traffic must originate from hosts behind NetScreen A. After NetScreen A has established the tunnel, traffic through the tunnel can originate from either end. All zones are in the trust-vr routing domain.

[Figure: topology of the zones configured on NetScreen A at the branch office, and topology of the zones configured on NetScreen B at the ... NetScreen A, VPN Tunnel across the Internet, NetScreen B with eth2, 203.10.30.1/24 and Mail Server 203.10.30.5; SMTP or POP3 Request, IDENT Request; DHCP Server 203.2.3.1.]

Note: Before making an SMTP or POP3 connection to the corporate mail server, Phil must first initiate an HTTP, FTP, or Telnet connection so that NetScreen A can respond with a firewall user/login prompt to authenticate him. After NetScreen A authenticates him, he has permission to contact the corporate mail server via the VPN tunnel.

(4) You cannot specify the IP address of the DHCP server through the WebUI; however, you can do so through the CLI.

... certificate on NetScreen A. (For information about obtaining and loading certificates, see "Certificates and CRLs" on page 29.) For the Phase 1 and 2 security levels, you specify one Phase 1 proposal—either pre-g2-3des-sha for the preshared key method or rsa-g2-3des-sha for certificates—and select the predefined "Compatible" set of proposals for Phase 2.

WebUI (NetScreen A)

Interfaces – Security Zones

...

... Address/Domain Name: IP/Netmask: 203.10.30.5/32
   Zone: Untrust

Services

6. Objects > Services > Custom > New: Enter the following, and then click OK:
   Service Name: Ident
   Service Timeout: Use protocol default: (select)
   Transport Protocol: TCP (select)
   Source Port: Low 0, High 65535
   Destination Port: Low 113, High 113
7. Objects ...

... 10.10.10.0/24
   Zone: Untrust

Services

5. Objects > Services > Custom > New: Enter the following, and then click OK:
   Service Name: Ident
   Service Timeout: Use protocol default: (select)
   Transport Protocol: TCP (select)
   Source Port: Low 0, High 65535
   Destination Port: Low 113, High 113
6. Objects > Services > Group ...

Posted: 14/08/2014, 18:22


Contents

    Example: Policy-Based LAN-to-LAN VPN, Manual Key

    Example: Policy-Based LAN-to-LAN VPN, AutoKey IKE

    Example: Policy-Based LAN-to-LAN VPN, Dynamic Peer
