Model FVS328 ProSafe VPN Firewall with Dial Back-up Reference Manual
7-2
Virtual Private Networking
December 2003, M-10041-01
IKE Policies: Define the authentication scheme and automatically generate the encryption keys. As an alternative option, to further automate the process, you can create an Internet Key Exchange (IKE) policy which uses a trusted certificate authority to provide the authentication while the IKE policy still handles the encryption.
VPN Policies: Apply the IKE policy to specific traffic which requires a VPN tunnel. Or, you can create a VPN policy which does not use an IKE policy but in which you manually enter all the authentication and key parameters.
Since the VPN Auto policies require IKE policies, you must define the IKE policy first. The
FVS328 also allows you to manually input the authentication scheme and encryption key values.
VPN Manual policies manage the keys according to settings you select and do not use IKE
policies.
In order to establish secure communication over the Internet with the remote site, you need to
configure matching VPN parameters on both the local and remote sites. The outbound VPN
parameters on one end must match the inbound VPN parameters on the other end, and vice versa.
When network traffic enters the FVS328 from the LAN interface and no VPN policy matches that
type of traffic, the traffic passes through unchanged. However, if a VPN policy selects the traffic,
the Internet Protocol Security (IPSec) authentication and encryption rules defined in that VPN
policy are applied to it.
By default, a new VPN policy is added with the least priority, that is, at the end of the VPN policy
table. You can change the priority by selecting the VPN policy from the policy table and clicking
Move.
Using Automatic Key Management
The most common configuration scenarios will use IKE policies to automatically manage the
authentication and encryption keys. Based on the IKE policy, some parameters for the VPN tunnel
are generated automatically. The IKE protocols perform negotiations between the two VPN
endpoints to automatically generate required parameters.
Some organizations will use an IKE policy with a Certificate Authority (CA) to perform
authentication. Typically, CA authentication is used in large organizations which maintain their
own internal CA server. This requires that each VPN gateway have its own certificate and the
trusted root certificate of the CA. Using CAs reduces the amount of data entry required on each VPN
endpoint.
IKE Policies’ Automatic Key and Authentication Management
Click the IKE Policies link from the VPN section of the main menu, and then click the Add button
of the IKE Policies screen to display the IKE Policy Configuration menu shown in Figure 7-2.
Figure 7-2: IKE - Policy Configuration Menu
The IKE Policy Configuration fields are defined in the following table.

Table 7-1. IKE Policy Configuration Fields

General
  These settings identify this policy and determine its major characteristics.

  Policy Name
    The descriptive name of the IKE policy. Each policy should have a unique policy name. This name is not supplied to the remote VPN endpoint. It is only used to help you identify IKE policies.

  Direction/Type
    This setting is used when determining if the IKE policy matches the current traffic. The drop-down menu includes the following:
    • Initiator – Outgoing connections are allowed, but incoming are blocked.
    • Responder – Incoming connections are allowed, but outgoing are blocked.
    • Both Directions – Both outgoing and incoming connections are allowed.
    • Remote Access – This is to allow only incoming client connections, where the IP address of the remote client is unknown.
    If Remote Access is selected, the “Exchange Mode” MUST be “Aggressive,” and the ‘Identities’ below (both Local and Remote) MUST be “Name.” On the matching VPN Policy, the IP address of the remote VPN endpoint should be set to 0.0.0.0.

  Exchange Mode
    Main Mode or Aggressive Mode. This setting must match the setting used on the remote VPN endpoint.
    • Main Mode is slower but more secure.
    • Aggressive Mode is faster but less secure.

Local
  These parameters apply to the local FVS328 firewall.

  Local Identity Type
    Use this field to identify the local FVS328. You can choose one of the following four options from the drop-down list:
    • By its Internet (WAN) port IP address.
    • By its Fully Qualified Domain Name (FQDN) – your domain name.
    • By a Fully Qualified User Name – your name, E-mail address, or other ID.
    • By DER ASN.1 DN – the binary Distinguished Encoding Rules (DER) encoding of your ASN.1 X.500 Distinguished Name.

  Local Identity Data
    This field lets you identify the local FVS328 by name.

Remote
  These parameters apply to the target remote FVS328 firewall, VPN gateway, or VPN client.

  Remote Identity Type
    Use this field to identify the remote FVS328. You can choose one of the following four options from the drop-down list:
    • By its Internet (WAN) port IP address.
    • By its Fully Qualified Domain Name (FQDN) – your domain name.
    • By a Fully Qualified User Name – your name, E-mail address, or other ID.
    • By DER ASN.1 DN – the binary DER encoding of your ASN.1 X.500 Distinguished Name.

  Remote Identity Data
    This field lets you identify the target remote FVS328 by name.

IKE SA Parameters
  These parameters determine the properties of the IKE Security Association.

  Encryption Algorithm
    Choose the encryption algorithm for this IKE policy:
    • DES
    • 3DES – more secure and the default

  Authentication Algorithm
    If you enable Authentication Headers (AH), this menu lets you select from these authentication algorithms:
    • MD5 – the default
    • SHA-1 – more secure

  Authentication Method
    You can select Pre-Shared Key or RSA Signature.

  Pre-Shared Key
    Specify the key according to the requirements of the Authentication Algorithm you selected.
    • For MD5, the key length should be 16 bytes.
    • For SHA-1, the key length should be 20 bytes.

  RSA Signature
    RSA Signature requires a certificate.

  Diffie-Hellman (DH) Group
    The Diffie-Hellman groups are MODP Oakley Groups 1 and 2. The DH Group setting determines the size of the key used in the key exchange. This must match the value used on the remote VPN gateway or client. Select Group 1 (768 bit) or Group 2 (1024 bit).

  SA Life Time
    The amount of time in seconds before the Security Association expires; over an hour (3600) is common.
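The manual states that the outbound parameters on one end must match the inbound parameters on the other (and vice versa), and Table 7-1 adds per-field constraints: Exchange Mode and DH Group must match the peer, a pre-shared key must be 16 bytes for MD5 or 20 bytes for SHA-1, RSA Signature needs a certificate, and Remote Access needs Aggressive mode with name identities. The following added example, which is not from the manual or from NETGEAR, models one IKE policy per endpoint with the field names of the configuration menu and checks a pair of policies against those rules before they are typed into two firewalls. It also flags the options the table itself calls the less secure of the two (DES, MD5, Aggressive mode, DH group 1). The `has_certificate` flag and the reading of “Name” identity as any identity type other than the WAN IP address are assumptions, and the endpoint names and keys are constructed sample data.

```python
from dataclasses import dataclass
from typing import Optional

# Option values as they appear in Table 7-1 of the FVS328 manual.
IP_IDENTITY = "WAN IP address"
PSK_LENGTH = {"MD5": 16, "SHA-1": 20}   # bytes, per the Pre-Shared Key row
DH_GROUP_BITS = {1: 768, 2: 1024}       # MODP Oakley groups 1 and 2


@dataclass
class IkePolicy:
    """One endpoint's IKE policy, fields named after the configuration menu."""
    name: str
    direction: str        # Initiator | Responder | Both Directions | Remote Access
    exchange_mode: str    # Main | Aggressive
    local_id_type: str    # WAN IP address | FQDN | User FQDN | DER ASN.1 DN
    local_id: str
    remote_id_type: str
    remote_id: str
    encryption: str       # DES | 3DES
    auth_alg: str         # MD5 | SHA-1
    auth_method: str      # Pre-Shared Key | RSA Signature
    dh_group: int         # 1 or 2
    sa_lifetime: int      # seconds
    psk: Optional[bytes] = None
    has_certificate: bool = False   # assumed flag: a CA-issued certificate is installed


def check_policy(p: IkePolicy) -> list:
    """Return problems with a single policy as (severity, message) tuples."""
    out = []
    if p.auth_method == "Pre-Shared Key":
        want = PSK_LENGTH[p.auth_alg]
        if p.psk is None:
            out.append(("error", f"{p.name}: Pre-Shared Key selected but no key given"))
        elif len(p.psk) != want:
            out.append(("error", f"{p.name}: key is {len(p.psk)} bytes, {p.auth_alg} needs {want}"))
    elif p.auth_method == "RSA Signature" and not p.has_certificate:
        out.append(("error", f"{p.name}: RSA Signature requires a certificate"))
    if p.direction == "Remote Access":
        # Manual: Remote Access needs Aggressive mode and "Name" identities on both
        # sides (interpreted here as any identity type other than the WAN IP address).
        if p.exchange_mode != "Aggressive":
            out.append(("error", f"{p.name}: Remote Access requires Aggressive exchange mode"))
        if IP_IDENTITY in (p.local_id_type, p.remote_id_type):
            out.append(("error", f"{p.name}: Remote Access requires name identities, not IP addresses"))
    if p.dh_group not in DH_GROUP_BITS:
        out.append(("error", f"{p.name}: unsupported DH group {p.dh_group}"))
    # Choices the manual itself describes as the less secure of the two.
    if p.encryption == "DES":
        out.append(("warn", f"{p.name}: DES selected; 3DES is the more secure option"))
    if p.auth_alg == "MD5":
        out.append(("warn", f"{p.name}: MD5 selected; SHA-1 is the more secure option"))
    if p.exchange_mode == "Aggressive":
        out.append(("warn", f"{p.name}: Aggressive mode is faster but less secure than Main mode"))
    if p.dh_group == 1:
        out.append(("warn", f"{p.name}: DH group 1 (768 bit) is weaker than group 2 (1024 bit)"))
    return out


def can_initiate(direction: str) -> bool:
    return direction in ("Initiator", "Both Directions")


def can_respond(direction: str) -> bool:
    return direction in ("Responder", "Both Directions", "Remote Access")


def check_pair(a: IkePolicy, b: IkePolicy) -> list:
    """Check that two endpoints' policies can negotiate with each other."""
    out = check_policy(a) + check_policy(b)
    # Fields the manual says must be identical on both VPN endpoints.
    for fld in ("exchange_mode", "encryption", "auth_alg", "auth_method", "dh_group"):
        va, vb = getattr(a, fld), getattr(b, fld)
        if va != vb:
            out.append(("error", f"{fld} mismatch: {a.name}={va!r}, {b.name}={vb!r}"))
    # The local identity of one end is the remote identity of the other, and vice versa.
    if (a.local_id_type, a.local_id) != (b.remote_id_type, b.remote_id):
        out.append(("error", f"{a.name} local identity does not match {b.name} remote identity"))
    if (b.local_id_type, b.local_id) != (a.remote_id_type, a.remote_id):
        out.append(("error", f"{b.name} local identity does not match {a.name} remote identity"))
    if a.auth_method == b.auth_method == "Pre-Shared Key" and a.psk != b.psk:
        out.append(("error", "pre-shared keys differ between the two endpoints"))
    # At least one side must be able to open the tunnel and the other to accept it.
    if not ((can_initiate(a.direction) and can_respond(b.direction))
            or (can_initiate(b.direction) and can_respond(a.direction))):
        out.append(("error", f"direction/type {a.direction!r} vs {b.direction!r}: no side can open the tunnel"))
    return out


# Constructed sample: a head-office gateway and a branch gateway (example.net names, dummy keys).
HQ = IkePolicy("hq-to-branch", "Both Directions", "Main",
               "FQDN", "hq.example.net", "FQDN", "branch.example.net",
               "3DES", "SHA-1", "Pre-Shared Key", 2, 3600, psk=b"k" * 20)
BRANCH = IkePolicy("branch-to-hq", "Initiator", "Main",
                   "FQDN", "branch.example.net", "FQDN", "hq.example.net",
                   "3DES", "SHA-1", "Pre-Shared Key", 2, 3600, psk=b"k" * 20)
# The same branch policy mistyped with DES and a 16-byte key, to show what gets caught.
BAD_BRANCH = IkePolicy("branch-bad", "Initiator", "Main",
                       "FQDN", "branch.example.net", "FQDN", "hq.example.net",
                       "DES", "SHA-1", "Pre-Shared Key", 2, 3600, psk=b"k" * 16)

if __name__ == "__main__":
    for severity, message in check_pair(HQ, BAD_BRANCH):
        print(severity.upper(), message)
```

Run against `HQ` and `BAD_BRANCH`, the checker reports the key-length error, the encryption mismatch and the differing pre-shared keys, plus a warning for the DES choice; `HQ` paired with `BRANCH` reports nothing. The pair check deliberately does not compare SA Life Time, since the table says only that about an hour is common, not that both ends must agree.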
VPN Policy Configuration for Auto Key Negotiation
An already defined IKE policy is required for VPN - Auto Policy configuration. From the VPN
Policies section of the main menu, you can navigate to the VPN - Auto Policy configuration menu.
Figure 7-3: VPN - Auto Policy Menu