Route based VPN
Can be manual or auto key.
Route based VPNs do not reference a tunnel object like policy based VPNs. When route lookup is performed, the Netscreen checks to see what interface should be used for the traffic. If the route points to a tunnel interface bound to a VPN, the traffic will be encapsulated and sent over the tunnel.
Advantages:
Conserves resources: all policies will use a single SA. Route based VPNs also support dynamic routing protocols like OSPF, and deny policies can also be utilized within route based VPNs. However, the number of route based VPNs is limited to the number of routes and tunnel interfaces allowed by the appliance.
Example: CLI/WebUI
Define tunnel interface for the VPN. Must be an unused tunnel interface.
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
WebUI: Network > Interfaces > Edit/New Tunnel IF.
Create the local and remote networks participating in the VPN
set address trust Trust_LAN 10.1.1.0/24
set address untrust Remote_Office 10.2.2.0/24
WebUI: Policy > Policy Elements> Addresses > List > New:
Define the remote peer and the interface the remote peer sits behind, the PSK and the Phase 1 proposal.
set ike gateway To_Remote address 2.2.2.2 main outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
WebUI: VPNs > AutoKey Advanced > Gateway > New:
WebUI: Select Advanced in the gateway configuration screen.
Proxy IDs to be sent to the remote peer
set vpn Local_Remote gateway To_Remote sec-level compatible
set vpn Local_Remote bind interface tunnel.1
set vpn Local_Remote proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 any
WebUI: VPNs > AutoKey IKE > New:
Default gateway definition (should already be defined) and bind the remote network to the tunnel interface.
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
set vrouter trust-vr route 10.2.2.0/24 interface tunnel.1
WebUI: Network > Routing > Routing Entries > trust-vr
Network Address/Netmask: 10.2.2.0/24
Gateway: (select)
Interface: Tunnel.1
Gateway IP Address: 0.0.0.0
Define the access policy
set policy top name "To Remote" from trust to untrust Trust_LAN Remote_Office any permit
WebUI: Policies > (From: Trust, To: Untrust) New:
set policy top name "From Remote" from untrust to trust Remote_Office Trust_LAN any permit
WebUI: Policies > (From: Untrust, To: Trust) > New:
save
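Because a route based VPN encrypts only what the route lookup steers into the tunnel interface, the most common misconfiguration is a VPN whose remote network has no route to the bound tunnel.1, so that traffic follows the default route out ethernet3 in cleartext. The following Python audit script is an added example, not part of the original post or of ScreenOS; it parses the "set" commands shown above (the sample is constructed from them) and flags a VPN whose IKE gateway is undefined, whose bound tunnel interface is not configured, or whose proxy-id remote network would not egress via that tunnel interface under longest-prefix routing.

```python
import ipaddress

# Constructed sample: the route-based VPN commands from the post.
SAMPLE = """
set interface tunnel.1 zone untrust
set interface tunnel.1 ip unnumbered interface ethernet3
set ike gateway To_Remote address 2.2.2.2 main outgoing-interface ethernet3 preshare h1p8A24nG5 proposal pre-g2-3des-sha
set vpn Local_Remote gateway To_Remote sec-level compatible
set vpn Local_Remote bind interface tunnel.1
set vpn Local_Remote proxy-id local-ip 10.1.1.0/24 remote-ip 10.2.2.0/24 any
set vrouter trust-vr route 0.0.0.0/0 interface ethernet3 gateway 1.1.1.250
set vrouter trust-vr route 10.2.2.0/24 interface tunnel.1
"""

def audit(config):
    """Return a list of findings for each 'set vpn' definition in a ScreenOS config."""
    tunnels, gateways, routes, vpns = {}, set(), [], {}
    for line in config.splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "set":
            continue
        if t[1] == "interface" and t[3] == "zone":          # set interface tunnel.1 zone untrust
            tunnels[t[2]] = t[4]
        elif t[1:3] == ["ike", "gateway"]:                   # set ike gateway To_Remote ...
            gateways.add(t[3])
        elif t[1] == "vpn":
            v = vpns.setdefault(t[2], {})
            if t[3] == "gateway":
                v["gateway"] = t[4]
            elif t[3:5] == ["bind", "interface"] and len(t) > 5:
                v["bind"] = t[5]
            elif t[3] == "proxy-id" and "remote-ip" in t:
                v["remote"] = ipaddress.ip_network(t[t.index("remote-ip") + 1])
        elif t[1] == "vrouter" and t[3] == "route" and len(t) > 6:
            routes.append((ipaddress.ip_network(t[4]), t[6]))  # (prefix, egress interface)
    findings = []
    for name, v in vpns.items():
        if v.get("gateway") not in gateways:
            findings.append(f"{name}: IKE gateway {v.get('gateway')} is not defined")
        iface = v.get("bind")
        if iface not in tunnels:
            findings.append(f"{name}: bound interface {iface} is not configured")
        remote = v.get("remote")
        if remote is not None:
            # Longest-prefix match picks the egress interface, as the route lookup on the box does.
            matches = [r for r in routes if remote.subnet_of(r[0])]
            best = max(matches, key=lambda r: r[0].prefixlen, default=None)
            egress = best[1] if best else "no route"
            if egress != iface:
                findings.append(f"{name}: traffic to {remote} would leave via {egress}, not {iface}")
    return findings
```

Running audit(SAMPLE) returns an empty list; remove the 10.2.2.0/24 route and it reports that Remote_Office traffic would leave via ethernet3 instead of tunnel.1.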