The following information is for FCC compliance for Class A devices: This equipment has been tested and found to comply with the limits for a Class A digital device, pursuant to Part 15 of the FCC Rules.

The following example shows some of the feature dependencies for the set interface command: set interface vlan1 broadcast { flood | arp [ trace-route.
Modes
Transport Mode
Tunnel Mode
In a dial-up-to-LAN VPN, there is no tunnel gateway at the VPN dial-up client's end of the tunnel; the tunnel extends directly to the dial-up client itself. In this case, on packets sent to the dial-up client, both the new header and.
Protocols
Triple DES (3DES) - A more powerful version of DES in which the original DES algorithm is applied in three rounds, with a 168-bit key. For either the encryption or authentication algorithm you can choose NULL; however, you cannot select NULL for both at once.
Key Management
Manual Key
AutoKey IKE
When you use certificates to authenticate the participants during an AutoKey IKE negotiation, each side generates a public/private key pair (see Chapter 2, "Public Key Cryptography" on page 23) and acquires a certificate (see "Certificates and CRLs" on page 29). As long as the issuing certificate authority (CA) is trusted by both sides, participants can retrieve the peer's public key and verify the peer's signature.
Security Association
There is no need to keep track of keys and SAs; IKE does it automatically. In Phase 2, participants negotiate IPSec SAs for encryption and authentication of subsequent user data exchanges.
Phase
For a Manual Key IPSec tunnel, there is no need to negotiate which SAs to use because all security association (SA) parameters are previously defined. When the traffic matches a policy that uses the manual key tunnel, or when a route involves the tunnel, the NetScreen appliance simply encrypts and authenticates the data that you specified and forwards it to the destination gateway.
Main Mode and Aggressive Mode
The Diffie-Hellman Exchange
Compatible: nopfs-esp-3des-sha, nopfs-esp-3des-md5, nopfs-esp-des-sha and nopfs-esp-des-md5. Basic: nopfs-esp-des-sha and nopfs-esp-des-md5. You can also define custom Phase 2 proposals.
Perfect Forward Secrecy
Using this feature does not require negotiation because packets are always sent with sequence numbers.
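The replay-protection check that the sequence numbers above make possible is a sliding window over the sequence number of each packet received on an SA. The following is an added example, not code from the NetScreen manual; it assumes 32-bit sequence numbers, a 64-packet window in the style of RFC 4303 implementations, and that sequence number 0 is never valid, with a constructed packet sequence as input.

```python
"""Anti-replay sliding window for one IPSec SA (added example, assumptions
labelled in the lead-in: 64-bit window, seq 0 rejected, no counter wrap)."""


class ReplayWindow:
    def __init__(self, size: int = 64) -> None:
        self.size = size
        self.highest = 0   # highest sequence number accepted so far
        self.bitmap = 0    # bit i set => sequence number (highest - i) was seen

    def check_and_update(self, seq: int) -> bool:
        """Return True and record seq if it is new and inside the window.
        Return False (drop the packet) if it is a replay or older than the
        window."""
        if seq == 0:
            return False  # assumption: a fresh SA starts at 1, so 0 is invalid
        if seq > self.highest:
            # Newer than anything seen: slide the window forward and mark seq.
            shift = seq - self.highest
            mask = (1 << self.size) - 1
            self.bitmap = ((self.bitmap << shift) | 1) & mask
            self.highest = seq
            return True
        diff = self.highest - seq
        if diff >= self.size:
            return False  # too old to track: drop
        if (self.bitmap >> diff) & 1:
            return False  # already accepted once: replay
        self.bitmap |= 1 << diff  # late but new: accept and remember it
        return True


def filter_replays(seqs):
    """Run a packet sequence through a single SA's window and return the
    sequence numbers that would be accepted."""
    window = ReplayWindow()
    return [s for s in seqs if window.check_and_update(s)]


# Constructed input: in-order packets, a replayed 2, a reordered 4, a
# replayed 1, a jump to 70, a stale 3, then a replayed 70.
SAMPLE_SEQUENCE = [1, 2, 3, 2, 5, 4, 1, 70, 3, 71, 70]

if __name__ == "__main__":
    print(filter_replays(SAMPLE_SEQUENCE))
```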
Replay Protection
Packet Flow: Policy-Based LAN-to-LAN VPN
It encrypts the entire packet (including the original header) and puts a new header on the packet. It sends the packet to that is, the outgoing interface IP address of the NetScreen device in Paris.
Traversing a NAT Device
All UDP packets contain a UDP checksum, a calculated value that ensures that UDP packets are free of transmission errors.
The Keepalive Frequency Value
IPSec NAT Traversal and Initiator/Responder Symmetry
Example: Enabling NAT Traversal
Obtain a CA certificate for the CA that issued the personal certificate (which essentially verifies the identity of the CA you are authenticating) and load the CA certificate into the NetScreen device. Obtain a local certificate (also called a personal certificate) from the CA whose CA certificate you previously loaded, and then load the local certificate into the NetScreen device.
Routing-Based VPNs
If unnumbered, the tunnel interface borrows the IP address from the security zone interface. Only a numbered tunnel interface (that is, an interface with an IP address and netmask) can support policy-based NAT.
Example: Tunnel Bound to Tunnel Interface
Typically, you assign an IP address to a tunnel interface if you want the interface to support policy-based NAT. The outbound interface does not have to be in the same zone as the tunnel interface.
Deleting Tunnel Interfaces
Example: Deleting a Tunnel Interface
(See "Example: Routing-based LAN-to-LAN VPN, Manual Key" on page 59 and "Example: Routing-based LAN-to-LAN VPN, AutoKey IKE" on page 70.) Enter the IP addresses for the local and remote endpoints in the address books for the Trust and Untrust zones. Network > Interfaces > Edit (for ethernet3): Enter the following and then click OK: Zone Name: Untrust.
Network > Interfaces > Tunnel IF New: Enter the following, then click OK: Tunnel Interface Name: tunnel.1. For the Phase 1 and Phase 2 security levels, you specify one Phase 1 proposal—either pre-g2-3des-sha for the pre-shared key method or rsa-g2-3des-sha for certificates—and select the predefined "Compatible" set of proposals for Phase 2.
Example: Routing-Based LAN-to-LAN VPN, Dynamic Peer
In this example, a local user Phil (login name: pmason; password: Nd4syst4) wants to receive his email from a mail server at the corporate site. When he tries to do this, he is authenticated twice: first, NetScreen A authenticates him locally before allowing traffic from him through tunnel8; second, the mail server program authenticates him and sends an IDENT request through the tunnel. It is assumed that both participants already have Verisign RSA certificates and that the email address [email protected] appears in the local certificate on NetScreen A. (For information on obtaining and loading certificates, see "Certificates and CRLs" on page 29.) For the Phase 1 and Phase 2 security levels, you specify one Phase 1 proposal—either pre-g2-3des-sha for the pre-shared key method or rsa-g2-3des-sha for certificates—and select the predefined "Compatible" set of proposals for Phase 2.
After NetScreen A authenticates him, he is allowed to contact the corporate mail server via the VPN tunnel. Note: For the mail server to send the IDENT request through the tunnel, the NetScreen A and B administrators must add a custom service for it (TCP, port 113) and set policies that allow traffic to pass through the tunnel to the .
Example: Routing-Based Dialup-to-LAN VPN, Dynamic Peer
Click the Add a new connection button and type Mail next to the new connection icon that appears. Click the PLUS symbol, located to the left of the unix icon, to expand the connection policy. Click the PLUS symbol, located to the left of the Security Policy icon, and then the PLUS symbol to the left of Authentication (Phase 1) and Key Exchange (Phase 2) to expand the policy further.
If you create two VPN tunnels that terminate at a NetScreen device, you can configure a pair of routes so that the NetScreen device routes traffic leaving one tunnel to the other tunnel. If both tunnels are contained in a single zone, you do not need to create a policy to allow traffic to pass from one tunnel to the other.
Example: Hub-and-Spoke VPNs
You can enforce interzone policies at the hub site for traffic moving from one VPN tunnel to another by placing the spoke sites in different zones. Because they are in different zones, the NetScreen appliance at the hub must perform a policy lookup before redirecting traffic from one tunnel to another. For NetScreen-5XP users, who can use a maximum of ten VPN tunnels simultaneously, applying the hub-and-spoke method dramatically increases their VPN options and capabilities.
The administrator on the hub device can completely control outgoing traffic from all perimeter networks. At each perimeter site, there must first be a policy that tunnels all outgoing traffic through the spoke VPNs to the hub; for example: set policy top from trust to untrust any tunnel vpn name_str (where name_str defines the specific VPN tunnel from each perimeter site to the hub).
Example: Back-to-Back VPNs
For example, perimeter site A can connect to the hub, and to perimeter sites B, C, D…, but A only needs to set up one VPN tunnel. You bind the VPN1 tunnel to the tunnel.1 interface and the VPN2 tunnel to the tunnel.2 interface. Although you do not assign IP addresses to the X1 and X2 zone interfaces, you do assign addresses to both tunnel interfaces.
Use them as the source and destination addresses in the policies that reference the VPN tunnel to the hub site.
Policy-Based VPNs
As used here, a static LAN-to-LAN VPN involves an IPSec tunnel connecting two LANs, each with a NetScreen device acting as a secure gateway. (See "Example: Policy-based LAN-to-LAN VPN, Manual Key" on page 127 and "Example: Policy-based LAN-to-LAN VPN, AutoKey IKE" on page 136.) With a static LAN-to-LAN VPN, hosts at either end of the tunnel can initiate VPN tunnel setup because the IP address of the remote gateway remains constant and is thus reachable.
If the outgoing interface of one of the NetScreen devices has a dynamically assigned IP address, this device is called a dynamic peer and the VPN is configured differently. With a dynamic peer LAN-to-LAN VPN, only hosts behind the dynamic peer can initiate the VPN tunnel setup, because only their remote gateway has a fixed IP address and is thus reachable from their local gateway.
Tunnel Interfaces
Enter the IP addresses for the local and remote endpoints in the Trust and Untrust address books. The ISP serving NetScreen A dynamically assigns the IP address for its Untrust zone interface via DHCP. Network > Interfaces > Edit (for ethernet3): Enter the following, then click OK: Zone Name: Untrust.
Example: Policy-Based Dialup-to-LAN VPN, Manual Key
Because NetScreen-Remote processes passwords into keys differently than other NetScreen products do, after you set up the tunnel, do the following: Click Add a new connection and type Unix next to the new connection icon that appears. Click the PLUS symbol, located to the left of the Security Policy icon, and then the PLUS symbol to the left of Key Exchange (Phase 2) to expand the policy further.
Create a policy from the Untrust zone to the Trust zone, allowing access to UNIX for the dial-up user. Click Add a new connection and type UNIX next to the new connection icon that appears.
Example: Policy-Based Dialup-to-LAN VPN, Dynamic Peer
Instead, the NetScreen appliance uses a group IKE ID user profile that contains a partial IKE ID. Assign a new group IKE ID user to the on-call user group and name the group. Then, any individual IKE user on a dial-up connection whose certificate contains distinguished name elements matching the partial IKE ID defined in the group IKE ID user profile can successfully build a VPN tunnel to the NetScreen device.
An ASN1-DN wildcard requires that values in the remote peer's distinguished name IKE ID match the values in the partial ASN1-DN IKE ID of the group IKE user. Full ASN1-DN IKE ID of the IKE dial-up user: CN=christine,OU=finance,O=netscreen,ST=ca,C=us.
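The partial-DN match described above can be checked offline with the following added example; it is not code from the NetScreen manual. It assumes that every attribute in the group's partial ASN1-DN must appear in the peer's full DN with the same value (compared case-insensitively, an assumption), that extra attributes in the full DN are ignored, and uses a constructed partial DN (OU=finance,O=netscreen) for the group, since the page gives only the full DN.

```python
"""Match a dial-up peer's full ASN1-DN IKE ID against a group IKE user's
partial ASN1-DN (added example; matching rules are assumptions, see lead-in)."""
from typing import Dict, List


def parse_asn1_dn(dn: str) -> Dict[str, List[str]]:
    """Parse 'CN=christine,OU=finance,...' into {attribute: [values]}.
    Attribute types are upper-cased and values lower-cased so that
    comparison is case-insensitive; repeated attributes (e.g. two OU
    values) are kept as a list rather than overwritten."""
    attrs: Dict[str, List[str]] = {}
    for rdn in dn.split(","):
        rdn = rdn.strip()
        if not rdn:
            continue
        if "=" not in rdn:
            raise ValueError(f"malformed RDN: {rdn!r}")
        key, value = rdn.split("=", 1)
        attrs.setdefault(key.strip().upper(), []).append(value.strip().lower())
    return attrs


def matches_partial_dn(full_dn: str, partial_dn: str) -> bool:
    """True if every attribute/value of the partial DN is present in the
    full DN. An empty partial DN would match every peer, so it is refused."""
    full = parse_asn1_dn(full_dn)
    partial = parse_asn1_dn(partial_dn)
    if not partial:
        return False
    return all(
        key in full and value in full[key]
        for key, values in partial.items()
        for value in values
    )


# Full DN from the page; the group's partial DN is a constructed example.
PEER_DN = "CN=christine,OU=finance,O=netscreen,ST=ca,C=us"
GROUP_PARTIAL_DN = "OU=finance,O=netscreen"

if __name__ == "__main__":
    print(matches_partial_dn(PEER_DN, GROUP_PARTIAL_DN))
```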