IBM Proventia® Network Multi-Function Security (MFS)
Configuring VPN from Proventia Network MFS to Windows XP Systems
December 19, 2007
Overview
Introduction This document describes how to configure a VPN tunnel from a Proventia Network MFS running a Firmware 2.1 operating system or later to Windows 2000 and XP operating systems.
Intended use This document provides an example for configuring VPN from a Proventia Network MFS to either of the following systems:
● Windows 2000
● Windows XP
● Windows XP with Service Pack 1 installed
The example is not designed for operational use without modification. A knowledgeable IPsec network administrator or advanced user should design new, custom policies for operational use.
Scope This document does not provide specific procedures, but rather examples of settings. For specific instructions on how to configure these settings, refer to the documentation listed in the “Related documentation” section of this topic.
Related documentation
Refer to the Proventia Manager online Help and the IBM Proventia Network Multi-Function Security (MFS) Policy Configuration Guide for more information about the following:
● IKE settings
● IPsec and IPsec policies
● security gateways
● access policies
● NAT policies
For procedures for configuring the Windows XP system, refer to the documentation provided with your system.
In this document This document contains the following topics:
Topic Page
Before You Begin 3
Task Overview 5
Configuring the Proventia Network MFS Security Gateway 6
Configuring the Proventia Network MFS IPsec Policy 8
Creating an IPsec Policy for VPN Antivirus Protection 9
Creating Related Access Policies for the Proventia Network MFS 11
Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS 12
Creating Access Policies to Enable Traffic from Subnet A to Subnet B 13
Creating NAT Rules 15
Creating the Windows XP IPsec Policy 17
Configuring the Windows XP IKE Policy 18
Creating a Windows XP IPsec Outbound Rule 19
Creating a Windows XP IPsec Inbound Rule 21
Contents of document subject to change.
Before You Begin
Introduction This topic includes a topology graphic and a checklist to help you gather the information you need to configure VPN for your Proventia Network MFS and Windows XP system.
Topology The following graphic illustrates the network topology of a Proventia Network MFS configured for VPN with a Windows XP system. The example used in this document is based on the topology depicted.
Note: You must statically configure the external interface of the Proventia Network MFS appliance. DHCP configurations will not function correctly for this connection.
Figure 1: Topology for VPN tunnel from Proventia Network MFS to Windows XP system
[Figure 1 shows Subnet A (192.168.1.0/24) behind the Proventia Network MFS, whose internal interface is 192.168.1.1 and whose external interface is a.a.a.a, connected across the Internet to the Windows XP client at b.b.b.b.]
Checklist The following checklist indicates the information that you need before configuring your VPN tunnel.
Table 1: Checklist before configuring VPN tunnel
● Proventia Network MFS Unit A external IP address: _____________________________
Note: This is the IP address that you will use where a.a.a.a appears in the examples in this document.
● Proventia Network MFS Unit A internal IP address: _____________________________
● Subnet A IP address/mask: _____________________________
● Windows XP client IP address: _____________________________
Note: This is the IP address that you will use where b.b.b.b appears in the examples in this document.
● Preshared key (minimum of 16 characters): _____________________________
Note: Windows XP stores the preshared key in cleartext in the registry, accessible by administrators. Active Directory stores IPsec configuration policies and preshared keys in cleartext. ISS recommends that you use signed certificates identifying the Proventia Network MFS and Windows XP client for better security.
● IKE Phase 1 (Main Mode) authentication (hash) algorithm: MD5 / SHA1
● IKE Phase 1 encryption: 3DES / DES / AES
Note: If you select AES, select an AES key length: 128 / 192 / 256
● IKE Phase 1 key lifetime, seconds: _____________________________
● IKE Phase 1 key lifetime, Kbytes: _____________________________
● IKE Phase 1 Diffie-Hellman group: Group1 / Group2 / Group5
● IKE Phase 2 (Quick Mode) authentication (hash) algorithm: MD5 / SHA1
● IKE Phase 2 encryption: 3DES / DES / AES
Note: If you select AES, select an AES key length: 128 / 192 / 256
● IKE Phase 2 key lifetime, seconds: _____________________________
● IKE Phase 2 key lifetime, Kbytes: _____________________________
● IKE Phase 2 Diffie-Hellman (PFS) group: None / Group1 / Group2 / Group5
● Access policies that must exist on the Proventia Network MFS (see “Creating Related Access Policies for the Proventia Network MFS” on page 11)
Note: DES and MD5 remain selectable only for compatibility with older peers; both are obsolete and should not be chosen for new deployments. The examples in this document use 3DES with SHA1, and whichever algorithms you choose must be identical on both peers.
Task Overview
Introduction This topic describes the tasks required to establish a VPN connection between the Proventia Network MFS and Windows clients.
Required tasks for preshared key authentication
The examples in this document authenticate the two peers with a preshared key. To establish the VPN connection, you must complete the tasks shown in the following table:
Table 2: Required tasks to establish the VPN connection
1. Configure the Proventia Network MFS security gateway.
Reference: See “Configuring the Proventia Network MFS Security Gateway” on page 6.
2. Configure the Proventia Network MFS IPsec policy.
Reference: See “Configuring the Proventia Network MFS IPsec Policy” on page 8.
3. Enable the firewall access policy in Proventia Manager that allows ISAKMP traffic.
Reference: See “Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS” on page 12.
4. Create firewall access policies in Proventia Manager to enable traffic between subnets.
Reference: See “Creating Access Policies to Enable Traffic from Subnet A to Subnet B” on page 13.
5. Create NAT rules.
Reference: See “Creating NAT Rules” on page 15.
6. Create the Windows XP IPsec policy.
Reference: See “Creating the Windows XP IPsec Policy” on page 17.
7. Configure the Windows XP IKE policy.
Reference: See “Configuring the Windows XP IKE Policy” on page 18.
8. Create the Windows XP IPsec outbound rule.
Reference: See “Creating a Windows XP IPsec Outbound Rule” on page 19.
9. Create the Windows XP IPsec inbound rule.
Reference: See “Creating a Windows XP IPsec Inbound Rule” on page 21.
Configuring the Proventia Network MFS Security Gateway
Introduction You must configure the security gateway on the Proventia Network MFS that represents the Windows XP client. The security gateway contains the IKE and IPsec communication settings. To configure the security gateway, create an Auto Key IPsec Security Gateway with the settings shown below.
Security gateway IKE Configuration settings
Define the security gateway name, and configure IKE settings on the IKE Configuration tab, as shown in the following table:
Table 3: IKE Configuration settings for the Proventia Network MFS
Name: To_Windows_XP
Enabled: Selected
Comment: IPsec tunnel to Windows_XP
Direction: Both Directions
Exchange Type: Main Mode
Encryption Algorithm: 3DES
AES Key Length: N/A
Note: This list is available only if you select the AES encryption algorithm, so that you can select the AES key length.
Authentication Algorithm: SHA1
Authentication Mode: Pre Shared Key
Pre-Shared Key: A text string value of at least 16 alphanumeric characters
Example: 1234567890abcdef
Note: Use the same text string for the Windows XP client.
Life Time Secs: 7200
Life Time KBytes: 1000000
DH Group: Group2
Local IP Address: Static Address
Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS.
Example: a.a.a.a
Remote IP Address: Static Address
Note: In the IP Address field, type the external interface IP address of the Windows XP client.
Example: b.b.b.b
Local ID: Static Address
Note: In the IP Address field, type the external interface IP address of the Proventia Network MFS.
Example: a.a.a.a
Remote ID: Static Address
Note: In the IP Address field, type the external interface IP address of the Windows XP client.
Example: b.b.b.b
IKE XAuth settings In the XAuth area of the IKE Configuration tab, the Enabled check box is cleared by default. Make sure that this check box stays cleared so that XAuth is disabled.
IPsec Configuration general settings
Define the IPsec Configuration general settings on the IPsec Configuration tab, as shown in the following table:
Table 4: IPsec Configuration general settings for the Proventia Network MFS
Encapsulation Mode: Tunnel
Perfect Forward Secrecy: Group2
Note: Both peers must make the same choice about Perfect Forward Secrecy for Quick Mode. Verify that the Session key perfect forward secrecy setting of the Windows XP filter action later in this document matches this item; the checklist offers None for this item if you decide not to use PFS.
Adding a security proposal
In the Security Proposal area of the IPsec Configuration tab, add a security proposal with the settings shown in the following table:
Table 5: Security Proposal settings for the Proventia Network MFS
Security Protocol: ESP with Auth
Auth Algorithm: SHA1
ESP Algorithm: 3DES
Life Time Secs: 7200
Life Time KBytes: 1000000
Advanced settings In the Advanced Settings area of the IPsec Configuration tab, clear the Enabled check box to disable the advanced settings.
Configuring the Proventia Network MFS IPsec Policy
Introduction You must configure the IPsec policy to define what is encrypted between the Proventia Network MFS and the Windows XP client. The IPsec policy is configured without network address translation (NAT).
Reference: See “Creating NAT Rules” on page 15.
IPsec policy general settings
Define the IPsec policy general settings as shown in the following table:
Table 6: IPsec general policy settings for the Proventia Network MFS
Name: To_Windows_XP
Enabled: Selected
Comment: IPsec tunnel to Windows XP
Security Process: Encrypt
Protocol: All
IPsec policy remaining settings
Define the remaining IPsec policy settings as shown in the following table (subtab, item to select, setting):
Table 7: IPsec policy settings for the Proventia Network MFS
Security Gateway: Auto Key Security Gateway, To_Windows_XP
Source Address: Network Address/#Network Bits (CIDR), the subnet address and mask that is behind the Proventia Network MFS
Example: 192.168.1.0/24
Source Port: Any
Destination Address: Single IP Address, the external interface IP address of the Windows XP system
Example: b.b.b.b
Destination Port: Any
Creating an IPsec Policy for VPN Antivirus Protection
Introduction The antivirus software proxies traffic to the external interface of the Proventia Network MFS for the following protocols:
● HTTP
● FTP
● SMTP
● POP3
To ensure that traffic analyzed by the antivirus software is sent to and received from the remote VPN peer (subnet B, which in this document is the single Windows XP client at b.b.b.b), you must create an additional IPsec policy.
Note: The Proventia Network MFS automatically creates the mirror inbound policy for antivirus protection for VPN.
IPsec policy general settings
Define the IPsec policy general settings as shown in the following table:
Table 8: IPsec Configuration general settings for antivirus VPN protection
Name: AV_To_Windows_XP
Enabled: Selected
Comment: IPsec policy to protect AV traffic to Windows XP
Security Process: Encrypt
Protocol: All
IPsec policy remaining settings
Define the remaining IPsec policy settings as shown in the following table (subtab, item to select, setting):
Table 9: IPsec Configuration remaining settings for VPN antivirus protection
Security Gateway: Auto Key Security Gateway, To_Windows_XP
Source Address: Single IP Address, the external interface IP address of the Proventia Network MFS
Example: a.a.a.a
Note: This setting encapsulates traffic that originates from the Proventia Network MFS external interface, which is where the antivirus proxy sends and receives it.
Source Port: Any
Destination Address: Single IP Address, the external interface IP address of the Windows XP system
Example: b.b.b.b
Destination Port: Any
Creating Related Access Policies for the Proventia Network MFS
Introduction You must create additional access policies to do the following:
● enable Internet Security Association and Key Management Protocol (ISAKMP) traffic to the Proventia Network MFS external interface
Reference: See “Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS” on page 12.
● enable traffic from subnet A to subnet B without NAT (Network Address Translation)
Reference: See “Creating Access Policies to Enable Traffic from Subnet A to Subnet B” on page 13.
Guideline You are creating a tunnel-mode VPN in which the original IP addresses of subnet A and the Windows XP client are preserved inside the ESP payload, so you do not need to translate the addresses of the subnets. The NAT rules in this document exist only to exempt this traffic from any NAT that the appliance would otherwise apply.
Reference: See “Creating NAT Rules” on page 15.
Order of access policies
The appliance processes access policies in the order that they appear in the Access Policy list.
Creating an Access Policy to Enable ISAKMP Traffic to the Proventia Network MFS
Introduction Although you have created a VPN tunnel from the Windows XP client to the Proventia Network MFS VPN server, you must configure the firewall to accept or deny traffic from the VPN client. To do this, enable ISAKMP traffic to the Proventia Network MFS external interface.
To enable ISAKMP traffic to the Proventia Network MFS, enable the access policy that allows VPN traffic. You can identify this policy by the Comment field that includes the following default text:
Enable this rule for VPN Connectivity
Note: This access policy is disabled by default. You must enable it to allow VPN traffic.
ISAKMP access policy general settings
Define the access policy general settings as shown in the following table:
Table 10: ISAKMP access policy general settings for the Proventia Network MFS
Enabled: Selected
Action: Allow
Log Enabled: Not selected (optional)
Comment: Enable this rule for VPN Connectivity
ISAKMP access policy remaining settings
Define the remaining access policy settings as shown in the following table (subtab, item to select, setting):
Table 11: ISAKMP access policy remaining settings
Protocol: Any
Source Address: Single IP Address, the external interface IP address of the Windows XP system
Example: b.b.b.b
Source Port: Any
Destination Address: Self
Destination Port: Specify Network Objects, ISAKMP_UDP (UDP port 500, on which IKE negotiates the tunnel)
Creating Access Policies to Enable Traffic from Subnet A to Subnet B
Introduction You must create two additional access policies on the Proventia Network MFS to allow all traffic from subnet A to subnet B:
● a policy to allow inbound traffic
● a policy to allow outbound traffic
Inbound access policy general settings
Define the inbound access policy general settings as shown in the following table:
Table 12: Inbound access policy general settings
Enabled: Selected
Action: Allow
Log Enabled: Not selected (optional)
Comment: Access policy to allow traffic from remote Windows XP system
Inbound access policy remaining settings
Define the remaining inbound access policy settings as shown in the following table (subtab, item to select, setting):
Table 13: Inbound access policy remaining settings
Protocol: Any
Source Address: Single IP Address, the external interface IP address of the Windows XP system
Example: b.b.b.b
Source Port: Any
Destination Address: Network Address/#Network Bits (CIDR), the network address and mask for subnet A
Example: 192.168.1.0/24
Destination Port: Any
Outbound access policy general settings
Define the outbound access policy general settings as shown in the following table:
Table 14: Outbound access policy general settings
Enabled: Selected
Action: Allow
Log Enabled: Not selected (optional)
Comment: Access policy to allow traffic out to remote Windows XP network
Outbound access policy remaining settings
Define the remaining outbound access policy settings as shown in the following table (subtab, item to select, setting):
Table 15: Outbound access policy remaining settings
Protocol: Any
Source Address: Network Address/#Network Bits (CIDR), the network address and mask for subnet A
Example: 192.168.1.0/24
Source Port: Any
Destination Address: Single IP Address, the external interface IP address of the Windows XP system
Example: b.b.b.b
Destination Port: Any
Creating NAT Rules
Introduction In firmware version 2.1 and later, you must add NAT (Network Address Translation) rules that exempt the VPN traffic from translation, to ensure that the appliance does not translate packets that travel between subnets. The additional NAT rules are as follows:
● a Source NAT Rule
● a Destination NAT Rule
Source NAT Rule general settings
Create a Source NAT Rule with the general settings shown in the following table:
Table 16: Source NAT Rule general settings
Name: Windows_XP_BypassNAT_Src
Enabled: Selected
Comment: Source NAT Rule to bypass NAT
Source NAT Rule remaining settings
Define the remaining Source NAT Rule settings as shown in the following table (subtab, item to select, setting):
Note: Make sure that the Source NAT Rule is in the first position in the Source NAT Rules table. NAT rules are matched in order, and a general rule that precedes this one would translate the VPN traffic before it is exempted.
Table 17: Source NAT Rule remaining settings
Protocol: Any
Source Address: Network Address/#Network Bits (CIDR), the network address and mask for subnet A
Example: 192.168.1.0/24
Destination Address: Single IP Address, the external interface IP address of the Windows XP system
Example: b.b.b.b
Destination Port: Any
Translated Address: Do Not Translate
Destination NAT Rule general settings
Create a Destination NAT Rule with the general settings shown in the following table:
Table 18: Destination NAT Rule general settings
Name: Windows_XP_BypassNAT_Dst
Enabled: Selected
Comment: Destination NAT Rule to bypass NAT
Destination NAT Rule remaining settings
Define the remaining Destination NAT Rule settings as shown in the following table (subtab, item to select, setting):
Note: Make sure that the Destination NAT Rule is in the first position in the Destination NAT Rules table.
Table 19: Destination NAT Rule remaining settings
Protocol: Any
Source Address: Single IP Address, the external interface IP address of the Windows XP system
Example: b.b.b.b
Destination Address: Network Address/#Network Bits (CIDR), the network address and mask for subnet A
Example: 192.168.1.0/24
Destination Port: Any
Translated Address: Do Not Translate
Translated Port: Do Not Translate
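The following added example, which is not part of the IBM document, models the first-match behaviour that makes the rule position matter. It walks a Source NAT table top to bottom for a packet from subnet A to the Windows XP client, then checks which IPsec policy selector (Tables 7 and 9) still covers the packet afterwards and whether the Windows XP inbound filter (subnet A to My IP Address) would accept it. The general outbound NAT rule Default_Internet_SNAT, the 203.0.113.10 / 198.51.100.20 stand-ins for a.a.a.a / b.b.b.b, the sample host 192.168.1.50 and the assumption that NAT is applied before the IPsec policy lookup are all this example's own.

```python
"""Added example, not part of the IBM document: first-match evaluation of a
Source NAT table, showing why Windows_XP_BypassNAT_Src has to be the first
rule. The general outbound NAT rule, the placeholder addresses and the
processing order (NAT before the IPsec policy lookup) are assumptions."""
from dataclasses import dataclass
from ipaddress import ip_address, ip_network
from typing import Dict, List, Optional, Tuple

SUBNET_A = "192.168.1.0/24"
MFS_EXTERNAL = "203.0.113.10"   # stands in for a.a.a.a (documentation range, assumed)
XP_CLIENT = "198.51.100.20"     # stands in for b.b.b.b (documentation range, assumed)
INTERNET_HOST = "192.0.2.80"    # an arbitrary Internet host (constructed)


@dataclass(frozen=True)
class NatRule:
    name: str
    src: str                      # CIDR the packet's source must fall in
    dst: str                      # CIDR the packet's destination must fall in
    translate_to: Optional[str]   # None means "Do Not Translate"


# Tables 16 and 17 of the document: the bypass rule for subnet A -> Windows XP client.
BYPASS = NatRule("Windows_XP_BypassNAT_Src", SUBNET_A, XP_CLIENT + "/32", None)
# A typical pre-existing rule that hides subnet A behind the external address (assumed).
MASQUERADE = NatRule("Default_Internet_SNAT", SUBNET_A, "0.0.0.0/0", MFS_EXTERNAL)

# IPsec policy selectors from Tables 7 and 9: (policy name, source CIDR, destination CIDR).
IPSEC_POLICIES: List[Tuple[str, str, str]] = [
    ("To_Windows_XP", SUBNET_A, XP_CLIENT + "/32"),
    ("AV_To_Windows_XP", MFS_EXTERNAL + "/32", XP_CLIENT + "/32"),
]


def _matches(src: str, dst: str, src_net: str, dst_net: str) -> bool:
    return ip_address(src) in ip_network(src_net) and ip_address(dst) in ip_network(dst_net)


def apply_source_nat(rules: List[NatRule], src: str, dst: str) -> Tuple[Optional[str], str]:
    """Walk the Source NAT table top to bottom; the first matching rule wins."""
    for rule in rules:
        if _matches(src, dst, rule.src, rule.dst):
            return rule.name, (src if rule.translate_to is None else rule.translate_to)
    return None, src


def select_ipsec_policy(src: str, dst: str) -> Optional[str]:
    """Return the first IPsec policy whose selector covers the (post-NAT) packet."""
    for name, src_net, dst_net in IPSEC_POLICIES:
        if _matches(src, dst, src_net, dst_net):
            return name
    return None


def xp_inbound_filter_accepts(src: str) -> bool:
    """The Windows XP inbound rule's filter is 'Subnet A -> My IP Address'."""
    return ip_address(src) in ip_network(SUBNET_A)


def outcome(rules: List[NatRule], src: str, dst: str) -> Dict[str, object]:
    """What happens to one packet under a given rule order."""
    rule, nat_src = apply_source_nat(rules, src, dst)
    policy = select_ipsec_policy(nat_src, dst)
    return {
        "nat_rule": rule,
        "src_after_nat": nat_src,
        "ipsec_policy": policy,
        "xp_filter_accepts": policy is not None and xp_inbound_filter_accepts(nat_src),
    }


if __name__ == "__main__":
    host = "192.168.1.50"   # a host on subnet A (constructed)
    for order, rules in (("bypass first ", [BYPASS, MASQUERADE]),
                         ("bypass second", [MASQUERADE, BYPASS])):
        print(order, "-> XP client:", outcome(rules, host, XP_CLIENT))
        print(order, "-> Internet :", outcome(rules, host, INTERNET_HOST))
```

With the bypass rule first, the packet keeps its 192.168.1.x source, matches To_Windows_XP and is accepted by the Windows XP filter. With the bypass rule second, the packet is rewritten to the external address, is picked up by the antivirus policy instead, and the Windows XP inbound filter no longer covers it. Ordinary Internet traffic is translated under either order. The same first-match reasoning applies to the Destination NAT table for the return direction and to the access policy list.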
Creating the Windows XP IPsec Policy
Introduction In this example, you are creating a Local IPsec policy for a Windows XP workstation that is not a member of a domain, or the domain does not assign an IPsec policy to the computer.
An administrator must use the Active Directory group policy editor to assign an IPsec policy to a Windows XP workstation in a domain.
Accessing the Local IPsec Policy Snap-in
To access the Local IPsec Policy Snap-in:
1. Run MMC.EXE.
2. Select File > Add/Remove Snap-in.
3. Click Add, and then add IP Security Policy Management.
4. When asked which computer or domain the snap-in will manage, select Local computer.
Note: Selecting Active Directory domain only allows you to configure the IPsec policy, not assign it.
5. Close the Add Standalone Snap-in window.
6. Click OK to accept the snap-in on the Add/Remove Snap-in window.
7. Select Action > Create IP Security Policy, and continue as follows:
■ Type a descriptive name.
Example: Proventia Network MFS
■ Disable Activate the default response rule.
■ Enable Edit properties.
Configuring the Windows XP IKE Policy
Introduction On the General tab for the policy, you can modify the settings for Phase 1 (Main Mode) negotiations. In this example, you change Windows XP IKE policy settings to correspond to the Proventia Network MFS settings.
Procedure To configure IKE on Windows XP:
1. Select the General tab.
2. Type a descriptive Name for this policy.
Example: Proventia Network MFS
3. If you are using Windows XP, click Advanced.
4. In the Key Exchange Settings window, continue as follows:
■ Disable Master key perfect forward secrecy (PFS).
■ Set Authenticate and generate a new key after every to 480 minutes.
Note: This dialog takes the Phase 1 lifetime in minutes. 480 minutes is 28,800 seconds, while Table 3 sets 7,200 seconds on the Proventia Network MFS. Each peer expires its IKE security association at its own configured lifetime, so the shorter value governs how often the peers reauthenticate; set both to the same value if you want the rekey interval to be predictable.
■ Set Authenticate and generate a new key after every to 0 session(s).
5. Click Methods to open Key Exchange Security Methods.
6. Remove all security methods.
7. Add the following method:
■ Set Integrity algorithm to SHA1.
■ Set Encryption algorithm to 3DES.
■ Set Diffie-Hellman group to Medium (2).
Creating a Windows XP IPsec Outbound Rule
Introduction This part of the policy configures the encrypted VPN tunnel to the Proventia Network MFS. Here you set Phase 2 (Quick Mode) negotiations to consist of Encapsulating Security Payload (ESP) with Authentication and without Authentication Headers (AH).
Since each Security Association is unidirectional, you must create both inbound and outbound IPsec rules for the VPN tunnel to the Proventia Network MFS.
Procedure To create an IPsec outbound rule:
1. Select the Rules tab, and then continue as follows:
■ In the lower right area, disable Use Add Wizard.
■ Click Add to create a new IPsec rule.
2. Select the IP Filter List tab, and then click Add to set Filter Properties.
3. In the Name field, type a descriptive name for this filter list.
Example: Outbound Proventia VPN filter
4. Disable Use Add Wizard, and then add a new filter.
5. Select the Addressing tab, and then continue as follows:
■ Set Source address to My IP Address.
■ Set Destination address to A specific IP Subnet, and then type the IP address and subnet mask for subnet A that is behind the Proventia Network MFS.
■ Disable Mirrored.
6. Select the Protocol tab, and then select protocol type Any.
7. Click OK, and then click OK again.
8. To enable the IP filter list, select the option button (the left circle) of the new filter list.
9. On the Filter Action tab, disable Use Add Wizard, and then click Add.
10. Select the General tab, and then type a descriptive name.
Example: Proventia Network MFS
11. On the Security Methods tab, select Negotiate security.
12. Disable the following:
■ Accept unsecured communication
■ Allow unsecured communication
■ Session key perfect forward secrecy
Note: Table 4 sets Perfect Forward Secrecy to Group2 on the Proventia Network MFS. The two peers must agree on whether Quick Mode uses PFS: either enable Session key perfect forward secrecy here to match Group2, or set Perfect Forward Secrecy to None on the appliance to match this step.
13. Click Add.
14. Select Custom, and then click Settings.
15. Add a security method, as follows:
■ Enable Data integrity and encryption (ESP).
■ Set Integrity algorithm to SHA1.
■ Set Encryption algorithm to 3DES.
■ Set Generate a new key every to 100,000 Kbytes.
■ Set Generate a new key every to 7200 seconds.
16. Click OK.
17. Click OK, and then click OK again to return to the Filter Action tab.
18. Select the Authentication Methods tab.
19. Click Add.
20. Select Use this string (preshared key).
21. Type a string that is at least 16 characters long for the preshared key.
Example: 1234567890abcdef
22. Click OK.
23. Move the preshared key to the top of the list.
24. Select the Tunnel Setting tab.
25. Select The tunnel endpoint is specified by this IP address.
26. Set the IP address to the Proventia Network MFS external IP address.
Example: a.a.a.a
27. Select the Connection Type tab, and then select All network connections.
28. Click OK.
29. Click Close.
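Before testing the tunnel, it is worth checking that what was typed into Proventia Manager (Tables 3 to 5) and into the Windows XP snap-in (the IKE policy and this outbound rule) really describes one tunnel, because the two interfaces take different units. The following added example is not part of the IBM document: it normalises the Windows values (minutes for Main Mode, Kbytes and seconds for the custom security method) and compares them with the appliance's seconds and KBytes. The parameter values are the document's; the severity labels, the dataclass and helper names, and the statements in the comments about how mismatched lifetimes and PFS settings behave are this example's own. Run against the document's own settings it reports the lifetime differences as informational and the PFS difference (Group2 on the appliance, session key PFS disabled on Windows XP) as an error.

```python
"""Added example, not part of the IBM document: a pre-flight check that the
IKE Phase 1 and Phase 2 parameters entered on the Proventia Network MFS
(Tables 3 to 5) and in the Windows XP IPsec snap-in describe the same tunnel,
after normalising the units each UI uses. Severity labels are this example's own."""
from dataclasses import dataclass
from typing import List, Optional

WEAK_ALGORITHMS = {"DES", "MD5"}   # still selectable in both UIs, obsolete for new tunnels


@dataclass(frozen=True)
class Proposal:
    encryption: str            # "3DES", "DES", "AES128", ...
    integrity: str             # "SHA1" or "MD5"
    dh_group: Optional[int]    # Phase 1: IKE DH group. Phase 2: PFS group, None = PFS off
    life_seconds: int
    life_kbytes: int           # 0 = no volume-based lifetime


# Proventia Network MFS, values as typed into Proventia Manager (seconds and KBytes).
MFS_PHASE1 = Proposal("3DES", "SHA1", 2, 7200, 1_000_000)   # Table 3
MFS_PHASE2 = Proposal("3DES", "SHA1", 2, 7200, 1_000_000)   # Table 4 (PFS Group2) and Table 5


def xp_main_mode(encryption: str, integrity: str, dh_group: int, minutes: int) -> Proposal:
    """The Key Exchange Settings dialog takes the main-mode lifetime in minutes."""
    return Proposal(encryption, integrity, dh_group, minutes * 60, 0)


def xp_quick_mode(encryption: str, integrity: str, session_pfs: Optional[int],
                  kbytes: int, seconds: int) -> Proposal:
    """The custom security method takes Kbytes and seconds; PFS is a separate check box."""
    return Proposal(encryption, integrity, session_pfs, seconds, kbytes)


XP_PHASE1 = xp_main_mode("3DES", "SHA1", 2, 480)                 # IKE policy: 480 minutes, Medium (2)
XP_PHASE2 = xp_quick_mode("3DES", "SHA1", None, 100_000, 7200)   # outbound rule: session PFS disabled


def compare(phase: str, mfs: Proposal, xp: Proposal) -> List[str]:
    """Findings as 'SEVERITY phase: detail'. ERROR means the SA is not expected to come up."""
    findings: List[str] = []
    if (mfs.encryption, mfs.integrity) != (xp.encryption, xp.integrity):
        findings.append(f"ERROR {phase}: algorithms differ ({mfs.encryption}/{mfs.integrity} on MFS, "
                        f"{xp.encryption}/{xp.integrity} on XP)")
    if mfs.dh_group != xp.dh_group:
        if phase == "Phase 1":
            findings.append(f"ERROR {phase}: DH group differs ({mfs.dh_group} on MFS, {xp.dh_group} on XP)")
        else:
            # IKEv1 Quick Mode: a peer configured for PFS expects a KE payload and a peer
            # without PFS sends none, so the peers must make the same choice.
            findings.append(f"ERROR {phase}: PFS differs (MFS group {mfs.dh_group}, XP {xp.dh_group}); "
                            "enable session key PFS on XP or set PFS to None on the MFS")
    if mfs.life_seconds != xp.life_seconds:
        findings.append(f"INFO {phase}: time lifetimes differ ({mfs.life_seconds}s vs {xp.life_seconds}s); "
                        "each peer expires its SA at its own value, so the shorter one governs")
    if mfs.life_kbytes and xp.life_kbytes and mfs.life_kbytes != xp.life_kbytes:
        findings.append(f"INFO {phase}: volume lifetimes differ ({mfs.life_kbytes} vs {xp.life_kbytes} Kbytes)")
    for alg in sorted({mfs.encryption, mfs.integrity, xp.encryption, xp.integrity} & WEAK_ALGORITHMS):
        findings.append(f"WARN {phase}: {alg} is obsolete; use 3DES or AES with SHA1 on both peers")
    return findings


def check_tunnel(mfs1: Proposal, xp1: Proposal, mfs2: Proposal, xp2: Proposal) -> List[str]:
    return compare("Phase 1", mfs1, xp1) + compare("Phase 2", mfs2, xp2)


def preshared_key_ok(mfs_psk: str, xp_psk: str) -> bool:
    """The document's rule: at least 16 characters and the same string on both peers."""
    return len(mfs_psk) >= 16 and mfs_psk == xp_psk


if __name__ == "__main__":
    for line in check_tunnel(MFS_PHASE1, XP_PHASE1, MFS_PHASE2, XP_PHASE2):
        print(line)
```

Changing the Phase 2 entry for Windows XP to xp_quick_mode("3DES", "SHA1", 2, 100_000, 7200), that is, enabling session key PFS, clears the error and leaves only the two informational lifetime notes.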
Creating a Windows XP IPsec Inbound Rule
Introduction The configuration for this rule is the same as the outbound rule except for the IP Filter.
Procedure To create an IPsec inbound rule:
1. Select the Rules tab, and then continue as follows:
■ Disable Use Add Wizard.
■ Click Add to create a new IPsec rule.
2. Select the IP Filter List tab, and then click Add to set Filter Properties.
3. Disable Use Add Wizard, and then add a new filter.
4. Select the Addressing tab, and then continue as follows:
■ Set the Source address to A specific IP Subnet, and then type the IP address and subnet mask for subnet A, which is behind the Proventia Network MFS.
■ Set the Destination address to My IP Address.
■ Disable Mirrored.
5. Select the Protocol tab, and then select protocol type Any.
6. Click OK, and then click OK again.
7. To enable the IP filter list, select the option button (the left circle) of the new filter list.
8. On the Filter Action tab, select the option button of the Proventia Network MFS filter action that you created for the outbound rule to enable it.
9. Select the Authentication Methods tab.
10. Click Add.
11. Select Use this string (preshared key).
12. Type a string that is at least 16 characters long for the preshared key.
Example: 1234567890abcdef
13. Click OK.
14. Move the preshared key to the top of the list.
15. Select the Tunnel Setting tab.
16. Select The tunnel endpoint is specified by this IP address.
17. Set the IP address to the Windows XP client IP address.
Example: b.b.b.b
18. Select the Connection Type tab, and then select All network connections.
19. Click OK.
20. Click Close.
Note: A local IPsec policy has no effect until it is assigned. After you have created both rules, right-click the Proventia Network MFS policy in the snap-in and select Assign. Only one local IPsec policy can be assigned at a time.
© Copyright IBM Corporation 2003, 2007. All Rights Reserved.
IBM and the IBM logo are trademarks or registered trademarks of International Business Machines Corporation in the United States, other countries, or both. ADDME, Ahead of the threat, BlackICE, Internet Scanner, Proventia, RealSecure, SecurePartner, SecurityFusion, SiteProtector, System Scanner, Virtual Patch, X-Force and X-Press Update are trademarks or registered trademarks of Internet Security Systems, Inc. in the United States, other countries, or both. Internet Security Systems, Inc. is a wholly-owned subsidiary of International Business Machines Corporation.
Microsoft, Windows, and Windows NT are trademarks of Microsoft Corporation in the United States, other countries, or both.
Other company, product and service names may be trademarks or service marks of others.
References in this publication to IBM products or services do not imply that IBM intends to make them available in all countries in which IBM operates.