
Upload: networkingcentral

Post on 08-Jun-2015


Page 1

IBM Proventia® Network Multi-Function Security (MFS)

Configuring VPN from Proventia Network MFS to Windows XP Systems

December 19, 2007

Overview

Introduction This document describes how to configure a VPN tunnel from a Proventia Network MFS running a Firmware 2.1 operating system or later to Windows 2000 and XP operating systems.

Intended use This document provides an example for configuring VPN from a Proventia Network MFS to any of the following systems:

● Windows 2000

● Windows XP

● Windows XP with Service Pack 1 installed

The example is not designed for operational use without modification. A knowledgeable IPsec network administrator or advanced user should design new, custom policies for operational use.

Scope This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the “Related documentation” section of this topic.

Related documentation

Refer to the Proventia Manager online Help and the IBM Proventia Network Multi-Function Security (MFS) Policy Configuration Guide for more information about the following:

● IKE settings

● IPsec and IPsec policies

● security gateways

● access policies

● NAT policies

IBM Internet Security Systems

Page 2

For procedures for configuring the Windows XP system, refer to the documentation provided with your system.

In this document This document contains the following topics:

Topic Page

Before You Begin 3

Task Overview 5

Configuring the Proventia Network MFS Security Gateway 6

Configuring the Proventia Network MFS IPsec Policy 8

Creating an IPsec Policy for VPN Antivirus Protection 9

Creating Related Access Policies for the Proventia Network MFS 11

Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS 12

Creating Access Policies to Enable Traffic from Subnet A to Subnet B 13

Creating NAT Rules 15

Creating the Windows XP IPsec Policy 17

Configuring the Windows XP IKE Policy 18

Creating a Windows XP IPsec Outbound Rule 19

Creating a Windows XP IPsec Inbound Rule 21

Contents of document subject to change.

Page 3

Before You Begin

Introduction This topic includes a topography graphic and a checklist to help you gather the information you need to configure VPN for your Proventia Network MFS and Windows XP system.

Topography The following graphic illustrates the network topography of a Proventia Network MFS configured for VPN with a Windows XP system. The example used in this document is based on the topography depicted.

Note: You must statically configure the external interface of the M appliance. DHCP configurations will not function correctly for this connection.

Figure 1: Topography for VPN tunnel from Proventia Network MFS to Windows XP system

[Figure 1 shows Subnet A (192.168.1.0/24) behind the Proventia Network MFS (internal address 192.168.1.1, external address a.a.a.a), connected across the Internet to the Windows XP client (b.b.b.b).]

Page 4

Checklist The following checklist indicates the information that you need before configuring your VPN tunnel.

Task Description

Proventia Network MFS Unit A External IP address: _____________________________

Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document.

Proventia Network MFS Unit A Internal IP Address: _____________________________

Subnet A IP address/mask: _____________________________

Windows XP client IP address: _____________________________

Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document.

Preshared key (minimum of 16 characters): _____________________________

Note: Windows XP stores the preshared key in cleartext in the registry, accessible by administrators. Active Directory stores IPsec configuration policies and preshared keys in cleartext. ISS recommends that you use signed certificates identifying the Proventia Network MFS and Windows XP client for better security.

IKE Phase 1 (Main Mode) Authentication: [ ] MD5 [ ] SHA1

IKE Phase 1 Encryption: [ ] 3DES [ ] DES [ ] AES

Note: If you select AES, select an AES key length: [ ] 128 [ ] 192 [ ] 256

IKE Phase 1 Key Lifetime Seconds: _____________________________

IKE Phase 1 Key Lifetime Kbytes: _____________________________

IKE Phase 1 Diffie-Hellman Group: [ ] Group1 [ ] Group2 [ ] Group5

IKE Phase 2 (Quick Mode) Authentication: [ ] MD5 [ ] SHA1

IKE Phase 2 Encryption: [ ] 3DES [ ] DES [ ] AES

Note: If you select AES, select an AES key length: [ ] 128 [ ] 192 [ ] 256

IKE Phase 2 Key Lifetime Seconds: _____________________________

IKE Phase 2 Key Lifetime Kbytes: _____________________________

IKE Phase 2 Diffie-Hellman Group: [ ] None [ ] Group1 [ ] Group2 [ ] Group5

Access Policies: _____________________________

Table 1: Checklist before configuring VPN tunnel

Page 5

Task Overview

Introduction This topic describes the tasks required to establish a VPN connection between the Proventia Network MFS and Windows clients.

Required tasks for certificate authentication

To establish the VPN connection, you must complete tasks shown in the following table:

Task Description

1 Configure the Proventia Network MFS security gateway.

Reference: See “Configuring the Proventia Network MFS Security Gateway” on page 6.

2 Configure the Proventia Network MFS IPsec policy.

Reference: See “Configuring the Proventia Network MFS IPsec Policy” on page 8.

3 Enable the firewall access policy in Proventia Manager to enable ISAKMP traffic.

Reference: See “Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS” on page 12.

4 Create firewall access policies in Proventia Manager to enable traffic between subnets.

Reference: See “Creating Access Policies to Enable Traffic from Subnet A to Subnet B” on page 13.

5 Create NAT rules.

Reference: See “Creating NAT Rules” on page 15.

6 Create the Windows XP IPsec policy.

Reference: See “Creating the Windows XP IPsec Policy” on page 17.

7 Create the Windows XP IKE policy.

Reference: See “Configuring the Windows XP IKE Policy” on page 18.

8 Create the Windows XP IPsec outbound rule.

Reference: See “Creating a Windows XP IPsec Outbound Rule” on page 19.

9 Create the Windows XP IPsec inbound rule.

Reference: See “Creating a Windows XP IPsec Inbound Rule” on page 21.

Table 2: Required tasks to establish the VPN connection

Page 6

Configuring the Proventia Network MFS Security Gateway

Introduction You must configure the security gateway on the Proventia Network MFS that represents the Windows XP client. The security gateway contains the IKE and IPsec communication settings. To configure the security gateway, create an Auto Key IPsec Security Gateway with the settings shown below.

Security gateway IKE Configuration settings

Define the security gateway name, and configure IKE settings on the IKE Configuration tab, as shown in the following table:

Item Setting

Name To_Windows_XP

Enabled Selected

Comment IPsec tunnel to Windows_XP

Direction Both Directions

Exchange Type Main Mode

Encryption Algorithm 3DES

AES Key Length N/A

Note: This list is available if you select the AES encryption algorithm, to allow you to select the AES key length from the list.

Authentication Algorithm SHA1

Authentication Mode Pre Shared Key

Pre-Shared Key A text string value of at least 16 alphanumeric characters

Example: 1234567890abcdef

Note: Use the same text string for the Windows XP client.

Life Time Secs 7200

Life Time KBytes 1000000

DH Group Group2

Local IP Address Static Address

Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS.

Example: a.a.a.a

Remote IP Address Static Address

Note: In the IP Address field, type the external interface IP address of the Windows XP client.

Example: b.b.b.b

Table 3: IKE Configuration settings for the Proventia Network MFS

Page 7

Item Setting

Local ID Static Address

Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS.

Example: a.a.a.a

Remote ID Static Address

Note: In the IP Address field, type the external interface IP address of the Windows XP client.

Example: b.b.b.b

Table 3: IKE Configuration settings for the Proventia Network MFS (Continued)

IKE XAuth settings In the XAuth area of the IKE Configuration tab, the Enabled check box is disabled by default. Make sure that this check box is cleared to disable the XAuth settings.

IPsec Configuration general settings

Define the IPsec Configuration general settings on the IPsec Configuration tab, as shown in the following table:

Item Setting

Encapsulation Mode Tunnel

Perfect Forward Secrecy Group2

Table 4: IPsec Configuration general settings for the Proventia Network MFS

Adding a security proposal

In the Security Proposal area of the IPsec Configuration tab, add a security proposal with the settings shown in the following table:

Item Setting

Security Protocol ESP with Auth

Auth Algorithm SHA1

ESP Algorithm 3DES

Life Time Secs 7200

Life Time KBytes 1000000

Table 5: Security Proposal settings for the Proventia Network MFS

Advanced settings In the Advanced Settings area of the IPsec Configuration tab, clear the Enabled check box to disable the advanced settings.

Page 8

Configuring the Proventia Network MFS IPsec Policy

Introduction You must configure the IPsec policy to define what is encrypted between the Proventia Network MFS and the Windows XP client. The IPsec policy is configured without network address translation (NAT).

Reference: See “Creating NAT Rules” on page 15.

IPsec policy general settings

Define the IPsec policy general settings as shown in the following table:

Item Setting

Name To_Windows_XP

Enabled Selected

Comment IPsec tunnel to Windows XP

Security Process Encrypt

Protocol All

Table 6: IPsec general policy settings for the Proventia Network MFS

IPsec policy remaining settings

Define the remaining IPsec policy settings as shown in the following table:

On this subtab... Select this item... With this setting...

Security Gateway Auto Key Security Gateway To_Windows_XP

Source Address Network Address/#Network Bits (CIDR) The subnet address and mask that is behind the Proventia Network MFS

Example: 192.168.1.0/24

Source Port Any N/A

Destination Address Single IP Address The external interface IP address of the Windows XP system

Example: b.b.b.b

Destination Port Any N/A

Table 7: IPsec policy settings for the Proventia Network MFS

Page 9

Creating an IPsec Policy for VPN Antivirus Protection

Introduction The antivirus software proxies traffic to the external interface of the Proventia Network MFS for the following protocols:

● HTTP

● FTP

● SMTP

● POP3

To ensure that traffic analyzed by the antivirus software is sent and received from the remote VPN subnet B, you must create an additional IPsec policy.

Note: The Proventia Network MFS automatically creates the mirror inbound policy for antivirus protection for VPN.

IPsec policy general settings

Define the IPsec policy general settings as shown in the following table:

Item Setting

Name AV_To_Windows_XP

Enabled Selected

Comment IPsec policy to protect AV traffic to Windows XP

Security Process Encrypt

Protocol All

Table 8: IPsec Configuration general settings for antivirus VPN protection

IPsec policy remaining settings

Define the remaining IPsec policy settings as shown in the following table:

On this subtab... Select this item... With this setting...

Security Gateway Auto Key Security Gateway To_Windows_XP

Source Address Single IP Address The external interface IP address of the Proventia Network MFS

Example: a.a.a.a

Note: This setting encapsulates traffic from the Proventia Network MFS external interface.

Source Port Any N/A

Destination Address Single IP Address The external interface IP address of the Windows XP system

Example: b.b.b.b

Destination Port Any N/A

Table 9: IPsec Configuration remaining settings for VPN antivirus protection

Page 11

Creating Related Access Policies for the Proventia Network MFS

Introduction You must create additional access policies to do the following:

● enable Internet Security Association and Key Management Protocol (ISAKMP) traffic to the Proventia Network MFS external interface

Reference: See “Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS” on page 12.

● enable traffic from subnet A to subnet B without NAT (Network Address Translation)

Reference: See “Creating Access Policies to Enable Traffic from Subnet A to Subnet B” on page 13.

Guideline You are creating a VPN tunnel in which the original IP addresses are preserved in the ESP, so you do not need NAT for the subnets.

Reference: See “Creating NAT Rules” on page 15.

Order of access policies

The appliance processes access policies in the order that they appear in the Access Policy list.

Page 12

Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS

Introduction Although you have created a VPN tunnel from the Windows XP client to the Proventia Network MFS VPN server, you must configure the firewall to accept or deny traffic from the VPN client. To do this, enable ISAKMP traffic to the Proventia Network MFS external interface.

To enable ISAKMP traffic to the Proventia Network MFS, enable the access policy that allows VPN traffic. You can identify this policy by the Comment field that includes the following default text:

Enable this rule for VPN Connectivity

Note: This access policy is disabled by default. You must enable it to allow VPN traffic.

ISAKMP access policy general settings

Define the access policy general settings as shown in the following table:

Item Setting

Enabled Selected

Action Allow

Log Enabled Not selected (optional)

Comment Enable this rule for VPN Connectivity

Table 10: ISAKMP access policy general settings for the Proventia Network MFS

ISAKMP access policy remaining settings

Define the remaining access policy settings as shown in the following table:

On this subtab... Select this item... With this setting...

Protocol Any N/A

Source Address Single IP Address The external interface IP address of the Windows XP system

Example: b.b.b.b

Source Port Any N/A

Destination Address Self N/A

Destination Port Specify Network Objects ISAKMP_UDP

Table 11: ISAKMP access policy remaining settings

Page 13

Creating Access Policies to Enable Traffic from Subnet A to Subnet B

Introduction You must create two additional access policies on the Proventia Network MFS to allow all traffic from subnet A to subnet B:

● a policy to allow inbound traffic

● a policy to allow outbound traffic

Inbound access policy general settings

Define the inbound access policy general settings as shown in the following table:

Item Setting

Enabled Selected

Action Allow

Log Enabled Not selected (optional)

Comment Access policy to allow traffic from remote Windows XP system

Table 12: Inbound access policy general settings

Inbound access policy remaining settings

Define the remaining inbound access policy settings as shown in the following table:

On this subtab... Select this item... With this setting...

Protocol Any N/A

Source Address Single IP Address The external interface IP address of the Windows XP system

Example: b.b.b.b

Source Port Any N/A

Destination Address Network Address/#Network Bits (CIDR) The network IP address and mask for subnet A

Example: 192.168.1.0/24

Destination Port Any N/A

Table 13: Inbound access policy remaining settings

Page 14

Outbound access policy general settings

Define the outbound access policy general settings as shown in the following table:

Item Setting

Enabled Selected

Action Allow

Log Enabled Not selected (optional)

Comment Access policy to allow traffic out to remote Windows XP network

Table 14: Outbound access policy general settings

Outbound access policy remaining settings

Define the remaining outbound access policy settings as shown in the following table:

On this subtab... Select this item... With this setting...

Protocol Any N/A

Source Address Network Address/#Network Bits (CIDR) The network mask for subnet A

Example: 192.168.1.0/24

Source Port Any N/A

Destination Address Single IP Address The external interface IP address of the Windows XP system

Example: b.b.b.b

Destination Port Any N/A

Table 15: Outbound access policy remaining settings

Page 15

Creating NAT Rules

Introduction In firmware version 2.1 and later, you must add NAT (Network Address Translation) rules to bypass NAT and ensure that the appliance does not translate packets that travel between subnets. The additional NAT rules are as follows:

● a Source NAT Rule

● a Destination NAT Rule

Source NAT Rule general settings

Create a Source NAT Rule with general settings as defined in the following table:

Item Setting

Name Windows_XP_BypassNAT_Src

Enabled Selected

Comment Source NAT Rule to bypass NAT

Table 16: Source NAT Rule general settings

Source NAT Rule remaining settings

Define the remaining Source NAT Rule settings as shown in the following table:

Note: Make sure that the Source NAT Rule is in the first position in the Source NAT Rules table.

On this subtab... Select this item... With this setting...

Protocol Any N/A

Source Address Network Address/#Network Bits (CIDR) The network mask for subnet A

Example: 192.168.1.0/24

Destination Address Single IP Address The external interface IP address of the Windows XP system

Example: b.b.b.b

Destination Port Any N/A

Translated Address Do Not Translate N/A

Table 17: Source NAT Rule remaining settings

Destination NAT Rule general settings

Create a Destination NAT Rule with general settings as defined in the following table:

Item Setting

Name Windows_XP_BypassNAT_Dst

Enabled Selected

Comment Destination NAT Rule to bypass NAT

Table 18: Destination NAT Rule general settings

Page 16

Destination NAT Rule remaining settings

Define the remaining Destination NAT Rule settings as shown in the following table:

Note: Make sure that the Destination NAT Rule is in the first position in the Destination NAT Rules table.

On this subtab... Select this item... With this setting...

Protocol Any N/A

Source Address Single IP Address The external interface IP address of the Windows XP system

Example: 10.1.0.0/16

Destination Address Network Address/#Network Bits (CIDR) The network mask for subnet A

Example: 192.168.1.0/24

Destination Port Any N/A

Translated Address Do Not Translate N/A

Translated Port Do Not Translate N/A

Table 19: Destination NAT Rule remaining settings
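The ordering rules this document stresses (the appliance takes the first matching access policy, and the bypass rules must sit in the first NAT position) can be checked with a small offline model before touching the appliance. The following Python is an added example, not part of the IBM document or product. It assumes constructed stand-in addresses for a.a.a.a and b.b.b.b, a constructed generic outbound NAT rule that the document does not list, a deny-by-default access policy list, and that source NAT is applied before the IPsec policy selector of Table 7 is consulted.

```python
import ipaddress
from dataclasses import dataclass
from typing import Optional

# Constructed stand-ins (RFC 5737 test ranges) for the document's placeholders.
MFS_EXTERNAL = "203.0.113.1"   # a.a.a.a
XP_CLIENT = "198.51.100.7"     # b.b.b.b
SUBNET_A = "192.168.1.0/24"    # subnet A behind the Proventia Network MFS


@dataclass(frozen=True)
class Packet:
    src: str
    dst: str
    proto: str                 # "udp", "tcp", ...
    dport: Optional[int] = None


@dataclass(frozen=True)
class Rule:
    name: str
    src: str = "any"           # "any", "self", a host address or a CIDR network
    dst: str = "any"
    proto: str = "any"
    dport: Optional[int] = None          # None matches any destination port
    action: str = "allow"                # access policies: "allow" or "deny"
    translate_to: Optional[str] = None   # NAT rules: None means Do Not Translate


def _addr_match(spec: str, addr: str) -> bool:
    if spec == "any":
        return True
    if spec == "self":                   # the appliance's own external address
        return addr == MFS_EXTERNAL
    return ipaddress.ip_address(addr) in ipaddress.ip_network(spec, strict=False)


def matches(rule: Rule, pkt: Packet) -> bool:
    return (_addr_match(rule.src, pkt.src) and _addr_match(rule.dst, pkt.dst)
            and rule.proto in ("any", pkt.proto)
            and rule.dport in (None, pkt.dport))


# Tables 10 to 15, in list order: the appliance takes the first matching policy.
ACCESS_POLICIES = [
    Rule("Enable this rule for VPN Connectivity",            # ISAKMP_UDP to Self
         src=XP_CLIENT, dst="self", proto="udp", dport=500),
    Rule("Access policy to allow traffic from remote Windows XP system",
         src=XP_CLIENT, dst=SUBNET_A),
    Rule("Access policy to allow traffic out to remote Windows XP network",
         src=SUBNET_A, dst=XP_CLIENT),
]


def evaluate_access(policies, pkt: Packet) -> str:
    for rule in policies:
        if matches(rule, pkt):
            return rule.action
    return "deny"                        # nothing matched: traffic is not allowed


# Table 17's bypass rule in first position, followed by a generic outbound NAT
# rule that the document does not list (constructed to show why order matters).
SOURCE_NAT = [
    Rule("Windows_XP_BypassNAT_Src", src=SUBNET_A, dst=XP_CLIENT, translate_to=None),
    Rule("generic outbound NAT (constructed)", src=SUBNET_A, translate_to=MFS_EXTERNAL),
]


def apply_source_nat(rules, pkt: Packet) -> Packet:
    for rule in rules:
        if matches(rule, pkt):
            if rule.translate_to is None:
                return pkt               # Do Not Translate: leave the source as is
            return Packet(rule.translate_to, pkt.dst, pkt.proto, pkt.dport)
    return pkt


# Table 7: the IPsec policy selector, subnet A to the Windows XP client, all protocols.
IPSEC_SELECTOR = Rule("To_Windows_XP", src=SUBNET_A, dst=XP_CLIENT)


def outbound_path(nat_rules, pkt: Packet):
    """Return (source address after NAT, whether the IPsec policy still matches)."""
    after_nat = apply_source_nat(nat_rules, pkt)
    return after_nat.src, matches(IPSEC_SELECTOR, after_nat)


if __name__ == "__main__":
    pkt = Packet("192.168.1.10", XP_CLIENT, "tcp", 445)
    print("bypass first:", outbound_path(SOURCE_NAT, pkt))
    print("bypass last: ", outbound_path(list(reversed(SOURCE_NAT)), pkt))
```

With the bypass rule in first position the subnet A source address survives NAT and the IPsec policy selector matches; with the rules reversed the packet leaves with the appliance's external address and is never encrypted.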

Page 17

Creating the Windows XP IPsec Policy

Introduction In this example, you are creating a Local IPsec policy for a Windows XP workstation that is not a member of a domain, or the domain does not assign an IPsec policy to the computer.

An administrator must use the Active Directory group policy editor to assign an IPsec policy to a Windows XP workstation in a domain.

Accessing the Local IPsec Policy Snap-in

To access the Local IPsec Policy Snap-in:

1. Run MMC.EXE.

2. Select File > Add/Remove Snap-in.

3. Click Add, and then add the IP Security Policy Management snap-in.

4. Select Local computer for the computer domain.

Note: Selecting Active Directory domain only allows you to configure the IPsec policy, not assign it.

5. Close the Add Standalone Snap-in window.

6. Click OK to accept the snap-in on the Add/Remove Snap-in window.

7. Select Action > Create IP Security Policy, and continue as follows:

■ Type a descriptive name.

Example: Proventia Network MFS

■ Disable Activate the default response rule.

■ Enable Edit Properties.

Page 18

Configuring the Windows XP IKE Policy

Introduction On the General tab for the policy, you can modify the settings for Phase 1 (Main Mode) negotiations. In this example, you change Windows XP IKE policy settings to correspond to the Proventia Network MFS settings.

Procedure To configure IKE on Windows XP:

1. Select the General tab, and then continue as follows:

2. Type a descriptive Name for this policy.

Example: Proventia Network MFS

3. If you are using Windows XP, select Advanced.

4. In the Key Exchange Settings window, continue as follows:

■ Disable Master key perfect forward secrecy (PFS).

■ Set Authenticate and generate key every to 480 minutes.

■ Set Authenticate and generate a new key after every to 0 session(s).

5. Click Methods for Key Exchange Security Methods.

6. Remove all security methods.

7. Add the following method:

■ Set Integrity algorithm to SHA1.

■ Set Encryption algorithm to 3DES.

■ Set Diffie-Hellman group to Medium (2).

Page 19

Creating a Windows XP IPsec Outbound Rule

Introduction This part of the policy configures the encrypted VPN tunnel to the Proventia Network MFS. Here you set Phase 2 (Quick Mode) negotiations to consist of Encapsulating Security Payload (ESP) with Authentication and without Authentication Headers (AH).

Since each Security Association is unidirectional, you must create both inbound and outbound IPsec rules for the VPN tunnel to the Proventia Network MFS.

Procedure To create an IPsec outbound rule:

1. Select the Rules tab, and then continue as follows:

■ In the lower right area, disable Use Add Wizard.

■ Select Add to create a new IPsec rule.

2. Select the IP Filter List tab, and then click Add to set Filter Properties.

3. In the Name field, type a descriptive name for this policy.

Example: Outbound Proventia VPN filter

4. Disable Use Add Wizard, and then add a new filter.

5. Select the Addressing tab, and then continue as follows:

■ Set Source address to My IP Address.

■ Set Destination address to A specific IP subnet, and then type the IP address and subnet for subnet A that is behind the Proventia Network MFS.

■ Disable Mirrored.

6. Select the Protocol tab, and then select protocol type Any.

7. Click OK, and then click OK again.

8. To enable the IP Filter List, select the left circle of the new rule.

9. On the Filter Action tab, disable Use Add Wizard, and then select Add.

10. Select the General tab, and then type a descriptive name.

Example: Proventia Network MFS

11. On the Security Methods tab, select Negotiate Security.

12. Disable the following:

■ Accept unsecured communication

■ Allow unsecured communication

■ Session key perfect forward secrecy

13. Click Add.

14. Select Custom, and then click Settings.

15. Add a security method, as follows:

■ Enable Data integrity and Encryption (ESP).

■ Set Integrity Algorithm to SHA1.

■ Set Encryption Algorithm to 3DES.

■ Set Generate a new key every to 100,000 Kbytes.

Page 20

■ Set Generate a new key every to 7200 seconds.

16. Click OK.

17. Click OK, and then click OK again to return to the Filter Action tab.

18. Select the Authentication Methods tab.

19. Click Add.

20. Select Use this string (preshared key).

21. Type a string that is at least 16 characters long for the preshared key.

Example: 1234567890abcdef

22. Click OK.

23. Move the pre-shared key to the top.

24. Select the Tunnel Setting tab.

25. Select The tunnel endpoint is specified by this IP address.

26. Set the IP address to the Proventia Network MFS external IP address.

Example:

a.a.a.a

27. Select the Connection Type tab, and then select All Network Connections.

28. Click OK.

29. Click Close.

Page 21

Creating a Windows XP IPsec Inbound Rule

Introduction The configuration for this rule is the same as the outbound rule except for the IP Filter.

Procedure To create an IPsec inbound rule:

1. Select the Rules tab, and then continue as follows:

■ Disable Use Add Wizard.

■ Click Add to create a new IPsec rule.

2. Select the IP Filter List tab, and then click Add to set Filter Properties.

3. Disable Use Add Wizard, and then Add a new filter.

4. Select the Addressing tab, and then continue as follows:

■ Set the Source address to A specific IP Subnet, and then type the IP address and subnet for Subnet A which is behind the Proventia Network MFS.

■ Set the Destination address to My IP Address.

■ Disable Mirrored.

5. Select the Protocol tab, and then select protocol type Any.

6. Click OK, and then click OK again.

7. To enable the IP Filter List, select the left circle of the new rule.

8. On the Filter Action tab, select the left circle of the new Proventia Network MFS filter action to enable it.

9. Select the Authentication Methods tab.

10. Click Add.

11. Select Use this string (preshared key).

12. Type a string that is at least 16 characters long for the preshared key.

Example: 1234567890abcdef

13. Click OK.

14. Move the pre-shared key to the top.

15. Select the Tunnel Setting tab.

16. Select The tunnel endpoint is specified by this IP address.

17. Set the IP address to the Windows XP client IP address.

Example:

b.b.b.b

18. Select the Connection Type tab, and then select All Network Connections.

19. Click OK.

20. Click Close.
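Because both peers are configured by hand, from Tables 3 to 5 on the Proventia Network MFS and from the IKE policy and rule steps on Windows XP, it is worth comparing the two sides' Phase 1 and Phase 2 parameters before testing the tunnel. The following Python is an added example, not part of the IBM document or product; the values are transcribed from the tables and steps above, and the error/warning classification is this example's own.

```python
from dataclasses import dataclass
from typing import Optional

@dataclass(frozen=True)
class Phase1:
    exchange: str          # "main" on both sides in this document
    encryption: str
    integrity: str
    dh_group: int
    auth_mode: str         # "psk" here; the checklist recommends certificates
    lifetime_secs: int

@dataclass(frozen=True)
class Phase2:
    protocol: str          # "ESP" (with authentication, no AH)
    encryption: str
    integrity: str
    pfs_group: Optional[int]   # None means session-key PFS disabled
    lifetime_secs: int
    lifetime_kbytes: int
    mode: str              # "tunnel"

@dataclass(frozen=True)
class Peer:
    name: str
    local_addr: str
    remote_addr: str
    phase1: Phase1
    phase2: Phase2

@dataclass(frozen=True)
class Finding:
    severity: str   # "error": proposals cannot intersect; "warning": review
    item: str
    left: object
    right: object

# Parameters that must be identical or the peers will never agree a proposal.
STRICT_P1 = ("exchange", "encryption", "integrity", "dh_group", "auth_mode")
STRICT_P2 = ("protocol", "encryption", "integrity", "mode")

def compare_peers(a: Peer, b: Peer) -> list:
    findings = []
    # Each side's remote gateway address must be the other side's local one.
    if a.local_addr != b.remote_addr or a.remote_addr != b.local_addr:
        findings.append(Finding("error", "gateway addresses",
                                (a.local_addr, a.remote_addr),
                                (b.local_addr, b.remote_addr)))
    for item in STRICT_P1:
        x, y = getattr(a.phase1, item), getattr(b.phase1, item)
        if x != y:
            findings.append(Finding("error", "phase1." + item, x, y))
    for item in STRICT_P2:
        x, y = getattr(a.phase2, item), getattr(b.phase2, item)
        if x != y:
            findings.append(Finding("error", "phase2." + item, x, y))
    # A responder that requires PFS rejects a Quick Mode without a KE payload,
    # so a PFS mismatch fails or succeeds depending on which side initiates.
    if a.phase2.pfs_group != b.phase2.pfs_group:
        findings.append(Finding("warning", "phase2.pfs_group",
                                a.phase2.pfs_group, b.phase2.pfs_group))
    # Lifetimes need not be identical (the shorter one is normally used), but
    # different values mean the peers rekey on different schedules.
    if a.phase1.lifetime_secs != b.phase1.lifetime_secs:
        findings.append(Finding("warning", "phase1.lifetime_secs",
                                a.phase1.lifetime_secs, b.phase1.lifetime_secs))
    for item in ("lifetime_secs", "lifetime_kbytes"):
        x, y = getattr(a.phase2, item), getattr(b.phase2, item)
        if x != y:
            findings.append(Finding("warning", "phase2." + item, x, y))
    return findings

def errors(findings):
    return [f for f in findings if f.severity == "error"]

def warnings(findings):
    return [f for f in findings if f.severity == "warning"]

# Proventia Network MFS side, transcribed from Tables 3, 4 and 5.
MFS = Peer("Proventia Network MFS", "a.a.a.a", "b.b.b.b",
           Phase1("main", "3DES", "SHA1", 2, "psk", 7200),
           Phase2("ESP", "3DES", "SHA1", 2, 7200, 1000000, "tunnel"))

# Windows XP side, transcribed from the IKE policy and outbound rule steps:
# 480 minutes, DH Medium (2), session-key PFS disabled, 100,000 KB / 7200 s.
WINDOWS_XP = Peer("Windows XP client", "b.b.b.b", "a.a.a.a",
                  Phase1("main", "3DES", "SHA1", 2, "psk", 480 * 60),
                  Phase2("ESP", "3DES", "SHA1", None, 7200, 100000, "tunnel"))

if __name__ == "__main__":
    for f in compare_peers(MFS, WINDOWS_XP):
        print(f"{f.severity:8}{f.item:24}MFS={f.left!r}  XP={f.right!r}")
```

Run against the values as listed, the check reports no hard errors but flags the Phase 1 lifetime, the Phase 2 kilobyte lifetime and the PFS setting as differences between the two sides to review.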

Page 22

© Copyright IBM Corporation 2003, 2007. All Rights Reserved.

IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation.

Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.

Other company, product and service names may be trademarks or service marks of others.

References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.
