Wireless Group Policy WLAN Radius Part 3 WLAN Radius Config WLAN Client Config Linksys BEFSR41 Firmware Linksys BEFSR41 101 Linksys WAP54G config More Linksys BEFSR config Security how-to Writing DNS Zonefiles Is ZoneAlarm Spyware? Linksys Wishlist Sendmail spamblock Bind


Privacy Feedback

Dynamic VPN tunnel to Symantec Enterprise Firewall

Tried reading the instructions in the manual, and are still scratching your head? Well, here's the steps required to create a dynamic (IKE) vpn tunnel between the Symantec Firewall/VPN appliance and the Symantec Enterprise Firewall 7.0 (aka Raptor).

First, on the Enterprise firewall, you'll need to create a Security Gateway for your Appliance firewall. Simply type in the IP address of the appliance, check the Enable IKE box, select "Shared Secret" and enter anything. It must be between 20 and 64 characters long. You also need a Security Gateway for the Enterprise firewall itself. Just create new security gateway, and pick the firewalls' IP address from the dropdown box.

Second, create a subnet entity to describe the network behind the appliance. Name it appropriately.

Third, create a new secure tunnel. Give it a name, and a description if you feel like it. Select the work LAN as the Local Entity, and the Firewall's own Security Gateway as the local Gateway. For the remote entity, select the entity created in step two, and for remote gateway, select the one created in step one.

For the VPN Policy, I used the "ike_sample_crypto_interop" policy that is created by default when installing the firewall. The reason is it allows for both SHA1 and MD5 authentication, and also 3DES and DES encryption. So, on your appliance, you can pick whatever you want. I also left the timeout, data volume and inactivity at the default. (see picture 3)

The last step is the settings on the appliance! The instructions in the manual isn't all that bad, but there's a number of ifs and ors that confuses things.

Starting at the top, give it a reasonable name ... The city name or the name of the company would do nicely. Next, select "Enable" or you won't be going anywhere. Phase 1 Negotiation should be set to Main Mode, and set the encryption to either ESP 3DES SHA1 or ESP 3DES MD5. 

Moving on to the SA Lifetime, it should be set to less than the same on the Enterprise firewall. There's an issue with some version of the firmware on the appliance that causes issues with renegotiating keys if the SA expires on the Enterprise firewall first! The default setting on the Enterprise firewall is 480 minutes, so cut it back a little. Also copy the Data Volume limit from the settings on the SEF (2100000 by default), and set the Inactivity Timeout to zero. Perfect Forward Secrecy should be set to enable.

Under Local Security Gateway, set the ID type to "IP address", and leave the Phase 1 ID field blank. For the Remote Security Gateway IP address, enter the IP address of the SEF, select ID type "IP address", leave Phase 1 ID blank, and enter in the same Secret Key as you entered on the SEF.

I've set the NetBIOS broadcasts to disabled, and I can still access Windows computer across the VPN. Global Tunnel should also be disabled, unless you want all the traffic behind the appliance to be forced through the VPN Tunnel and out the SEF to the internet.

At the bottom of the screen, enter the IP subnet of the remote network, complete with subnet mask. Note that it must match exactly! Click the "Add" or "Update" buttom as appropriate, and you should be able to connect to computers on the other end of the tunnel in a matter of seconds. Note that it takes a couple of seconds for the IKE negotiation, so when you do a ping, don't worry of the first few doesn't come back ...  (see picture 4)

It doesn't look like the 3DES encryption is adding any significant delay to the traffic. Ping times to the SEF gateway and ping times to an internal host shows only a 7 ms increase in roundtrip time. Ping roundtrip averages are 41ms vs. 48 ms. Multiple test shows a similar results.

©Lars M. Hansen