
Configuring gateway-to-gateway tunnels with Symantec security gateways

Question/Issue:
This document provides information and instructions on configuring gateway-to-gateway tunnels from your Symantec Gateway Security 300 Series to other Symantec security gateways.


Solution:
Gateway-to-gateway tunnels help secure your internal network by providing a secure bridge to an external LAN. There are several tasks involved in successfully securing the network with gateway-to-gateway tunnels. The following section describes gateway-to-gateway tunnels, and then provides procedures for configuring them.

Understanding gateway-to-gateway tunnels
You might want to make your network resources available to an outside group, such as another office of the company. Instead of requiring each user on the second network to establish their own, private secure connection, you can create one gateway-to-gateway tunnel, which makes resources on each network available to the other. This type of tunnel is LAN-to-LAN, instead of user-to-LAN.

Configuring gateway-to-gateway tunnels
The appliance supports gateway-to-gateway tunnel configurations. A gateway-to-gateway configuration is created when two security gateways are connected, through an internal network, or the Internet, from WAN port to WAN port.

This type of network configuration usually connects two subnets on the same network or two remote offices through the Internet. Once a VPN tunnel is established, users protected by a security gateway at one site can establish a tunneled connection to the security gateway protecting the remotely located site. The remote user can connect to and access the resources of the private network as if the remote workstation was physically located inside the protected network.

The Symantec Gateway Security 300 Series can connect to another Symantec Gateway Security 300 Series appliance or to one of the following appliances:


Symantec Gateway Security 300 Series security gateways support creating a VPN tunnel to up to five remote subnets behind Symantec Enterprise Firewall or Symantec Gateway Security 5400 Series appliances, but not to another Symantec Gateway Security 300 Series appliance or Symantec Firewall/VPN Appliance.
Tunnels between two Symantec Gateway Security 300 Series appliances are only made to the subnet on the LAN side of the appliance and only support the first set (subnet/mask) of the five sets of fields, which you define on the VPN > Dynamic Tunnels or VPN > Static Tunnels tabs.
If you have another (additional) subnet on the LAN side of the Symantec Gateway Security 300 Series security gateway, VPN client tunnels to the LAN side of the security gateway are not supported for computers on this separate subnet. Only computers residing on the appliance subnet (found on the LAN IP screen) are supported for LAN/WLAN-side VPN tunnels.


Note: Gateway-to-gateway VPN tunnels are supported on the appliance's WAN ports; you cannot define gateway-to-gateway VPN tunnels on the appliance's LAN or WLAN ports.


Supported gateway-to-gateway VPN tunnels
The Symantec Gateway Security 300 Series appliance lets you configure two types of gateway-to-gateway VPN tunnels: dynamic (IKE) tunnels and static tunnels. Both types are described in the configuration sections that follow.

Gateway-to-gateway VPN tunnel persistence and high-availability
After the security gateway restarts, dynamic gateway-to-gateway VPN tunnels are re-established. Dynamic gateway-to-gateway VPN tunnels are also re-established if the WAN port status changes from disconnected to connected. This feature reduces management overhead by providing automatic reconnection of tunnels.
If the VPN tunnel fails to establish after three attempts, the security gateway waits between one and five minutes before attempting to reconnect. This process continues until the VPN tunnel is re-established.
If there is a network failure, the security gateway automatically re-establishes the VPN tunnel through a backup port (WAN port or serial port). If the IP address of the security gateway changes, it re-establishes gateway-to-gateway VPN tunnels with the remote gateway using the new IP address.

Gateway-to-gateway VPN tunnel interoperability
When Symantec Gateway Security 5400 Series or Symantec Enterprise Firewall initiates a gateway-to-gateway tunnel to a Symantec Gateway Security 300 Series appliance, it begins negotiation in Main Mode. The mode on the Symantec Gateway Security 300 Series VPN tunnel definition must therefore be Main Mode, or the VPN tunnel will not establish.
Symantec Gateway Security 5400 Series and Symantec Enterprise Firewall accept either Main Mode or Aggressive Mode Phase 1 negotiations from a remote gateway. The Symantec Gateway Security 300 Series appliance can be configured for Main or Aggressive Mode; the default is Main Mode. When initiating a VPN tunnel to Symantec Gateway Security 5400 Series or Symantec Enterprise Firewall, configure the Symantec Gateway Security 300 Series appliance to use Main Mode so that the tunnel still establishes if the remote end is the one that initiates it.
When a non-Symantec gateway initiates a VPN tunnel to a Symantec Gateway Security 300 Series appliance, the appliance accepts the mode set by the administrator on the tunnel definition. When a Symantec Gateway Security 300 Series appliance initiates a VPN tunnel to a non-Symantec security gateway, it should use the mode set by the administrator on the tunnel definition; the default setting is Main Mode. If Main Mode is not used, rekeying may fail if the remote security gateway tries to rekey first.

Creating VPN tunnels to Symantec Gateway Security 5400 Series clusters
To create a VPN tunnel to a Symantec Gateway Security 5400 Series high-availability/load balancing cluster, define the VPN tunnel using the virtual IP address of the cluster. Tunnels between Symantec Gateway Security 300 Series and Symantec Gateway Security 5400 Series appliances are supported in high-availability mode only.


Configuring dynamic gateway-to-gateway tunnels
Dynamic tunnels, also known as IKE (Internet Key Exchange) tunnels, automatically generate authentication and encryption keys. Typically, a long password, called a preshared key (also known as a shared secret), is entered. The target security gateway must recognize this key for authentication to succeed. If the key matches, then Security Parameter Index (SPI), authentication, and encryption keys are automatically generated and the tunnel is created. The security gateway usually re-keys (generates a new key) automatically at set intervals to ensure the continued integrity of the key.

Configuration tasks for dynamic gateway-to-gateway tunnels
  1. In the left pane, click VPN.
  2. On the Dynamic Tunnels tab, in the Name text box, type a name for the new tunnel.
  3. To edit an existing tunnel, from the VPN Tunnel drop-down list, select a VPN tunnel.
  4. Check Enable VPN Tunnel.
  5. On the VPN Policy drop-down list, select the VPN policy to which you want to bind the tunnel.
  6. If you have a multisession PPPoE ISP account, under Local Security Gateway, in the PPPoE Session drop-down list, select the PPPoE session to which you want to bind the tunnel. If you do not have a multisession PPPoE ISP account, skip this step.
  7. For model 360 or 360R, on the Local Endpoint drop-down list, select an endpoint for the tunnel.
  8. On the ID Type drop-down list, select a Phase 1 ID type.
  9. In the Phase 1 ID text box, type the Phase 1 ID.
  10. Under Remote Security Gateway, do the following:
    • In the Gateway Address text box, type the remote gateway address.
    • Optionally, in the ID Type drop-down list, select a Phase 1 ID type.
    • Optionally, in the Phase 1 ID text box, type the Phase 1 ID.
    • In the Pre-Shared Key text box, type a key.
    • In each Remote Subnet IP text box, type the IP address of the destination network. To create a global tunnel, type 0.0.0.0.
    • In each Mask text box, type the netmask of the destination network. To create a global tunnel, type 255.0.0.0.
      If you create a global tunnel, you must also check the Global Tunnel box.
  11. Click Add.
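The Remote Security Gateway fields in the procedure above carry three rules from this document that are easy to get wrong when typing a tunnel by hand: the form has five subnet/mask sets, only the first set is honoured when the far end is another 300 Series appliance, and a global tunnel is entered as 0.0.0.0 / 255.0.0.0 with the Global Tunnel box checked. The following Python check, added here as an example and not part of the original document or of any Symantec tool, applies those rules to a tunnel definition before it is typed into the SGMI. The peer labels ("SGS300", "SEF", "SGS5400") and the sample subnets are this example's own constructions.

```python
import ipaddress

# Limits and conventions taken from the page: up to five Remote Subnet IP/Mask
# sets per tunnel; a tunnel whose far end is another 300 Series appliance only
# honours the first set; a global tunnel is entered as 0.0.0.0 / 255.0.0.0
# with the Global Tunnel box checked.
MAX_REMOTE_SUBNETS = 5
GLOBAL_SET = ("0.0.0.0", "255.0.0.0")
# Peer labels are this example's own: SEF = Symantec Enterprise Firewall,
# SGS5400 = Symantec Gateway Security 5400 Series, SGS300 = 300 Series.
MULTI_SUBNET_PEERS = {"SEF", "SGS5400"}


def check_dynamic_tunnel(peer_model, remote_sets, global_tunnel_checked=False):
    """Check the Remote Security Gateway subnet fields of one dynamic tunnel.

    remote_sets is the list of (Remote Subnet IP, Mask) strings as typed in
    the SGMI, in field order. Returns (effective, problems): the networks the
    tunnel will actually carry, in CIDR form ("GLOBAL" for a global tunnel),
    and a list of human-readable problems (empty means the definition is
    consistent with the rules above).
    """
    problems = []
    if not remote_sets:
        problems.append("at least one Remote Subnet IP / Mask set is required")
    if len(remote_sets) > MAX_REMOTE_SUBNETS:
        problems.append("%d sets entered, the form has only %d"
                        % (len(remote_sets), MAX_REMOTE_SUBNETS))

    is_global = bool(remote_sets) and tuple(remote_sets[0]) == GLOBAL_SET
    if is_global and not global_tunnel_checked:
        problems.append("0.0.0.0 / 255.0.0.0 entered but Global Tunnel is not checked")
    if global_tunnel_checked and not is_global:
        problems.append("Global Tunnel is checked but the first set is not 0.0.0.0 / 255.0.0.0")

    # Only the first subnet/mask set is used when the peer is another 300 Series
    # (or a Symantec Firewall/VPN Appliance); warn about anything that is ignored.
    if peer_model in MULTI_SUBNET_PEERS:
        used = remote_sets[:MAX_REMOTE_SUBNETS]
    else:
        used = remote_sets[:1]
        if len(remote_sets) > 1:
            problems.append("peer %s uses only the first set; %d set(s) ignored"
                            % (peer_model, len(remote_sets) - 1))

    effective = []
    for i, (ip, mask) in enumerate(used):
        if i == 0 and is_global:
            effective.append("GLOBAL")
            continue
        try:
            net = ipaddress.IPv4Network((ip, mask), strict=False)
        except ValueError as err:
            problems.append("set %d (%s / %s) is not a valid subnet: %s"
                            % (i + 1, ip, mask, err))
            continue
        effective.append(str(net))
    return effective, problems


if __name__ == "__main__":
    # Constructed sample: a branch office with two subnets behind an SEF.
    sets = [("192.168.10.0", "255.255.255.0"), ("10.1.0.0", "255.255.0.0")]
    print(check_dynamic_tunnel("SEF", sets))
    print(check_dynamic_tunnel("SGS300", sets))
```

Running the same two-subnet definition against an SEF peer and against a 300 Series peer shows the difference the document describes: the SEF tunnel carries both networks, while the 300 Series tunnel silently carries only the first unless you catch it beforehand.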


Configuring static gateway-to-gateway tunnels
Static tunnels do not use any information from the Global IKE Policy (Phase 1 negotiation). You must manually type all of the information necessary to establish the tunnel. However, you can define a VPN Policy for Phase 2 negotiation.
When defining static tunnels, you must enter an authentication key, as well as an encryption key (if encryption is used). The keys must match on both sides of the VPN. In addition, a Security Parameter Index (SPI) is manually typed and included with every packet transmitted between security gateways. The SPI is a unique gateway identifier that indicates the set of keys that belongs to each packet.

Encryption and authentication key lengths
When you define a static tunnel, you must type an encryption key and an authentication key. Each key has a specific key length based on the method that you chose. For each method, a key length is shown for both ASCII characters and Hex characters.

Encryption Key Lengths
Method     Key length in character bytes   Key length in Hex
DES        8                               18 (0x + 16 hex digits)
3DES       24                              50 (0x + 20 hex digits)
AES-128    16                              18 (0x + 20 hex digits)
AES-192    24                              50 (0x + 20 hex digits)
AES-256    32                              66 (0x + 20 hex digits)

Authentication Key Lengths
Method     Key length in character bytes   Key length in Hex
MD5        16                              34 (0x + 16 hex digits)
SHA1       20                              42 (0x + 20 hex digits)


To add a static gateway-to-gateway tunnel
  1. In the left pane of the SGMI, click VPN.
  2. In the right pane, on the Static Tunnels tab, under IPSec Security Association, in the Tunnel Name text box, type a name for the tunnel.
    To edit an existing static tunnel, on the VPN Tunnel drop-down list, select a VPN Tunnel.
  3. Check Enable VPN Tunnel.
  4. If you have a multisession PPPoE ISP account, under Local Security Gateway, in the PPPoE Session drop-down list, select the PPPoE session to which you want to bind the tunnel. If you do not have a multisession PPPoE ISP account, skip this step.
  5. For model 360 and 360R, on the Local Endpoint drop-down list, select the endpoint for the tunnel.
  6. In the Incoming SPI text box, type the incoming SPI to match the remote SPI.
  7. In the Outgoing SPI text box, type the outgoing SPI to match the local SPI from the remote side.
  8. On the VPN Policy drop-down list, select the VPN policy to which you want to bind the tunnel.
    Use an existing VPN policy or create a new one. See the Understanding VPN policies section on page 82 of the Symantec Gateway Security 300 Series Administrator's Guide.
  9. In the Encryption Key text box, type the encryption key to match the chosen VPN policy.
    The entry length must match the chosen VPN policy.
  10. In the Authentication Key text box, type the authentication key to match the chosen VPN policy.
  11. Under Remote Security Gateway, in the Gateway Address text box, type the gateway address of the remote security gateway (the Symantec Enterprise VPN).
  12. Next to NetBIOS Broadcast, click Disable.
  13. Next to Global Tunnel, click Disable.
  14. In the Remote Subnet IP text boxes, type the IP address of the remote subnet of the destination network. To create a global tunnel, type 0.0.0.0.
  15. In the Mask text boxes, type the netmask of the destination network. To create a global tunnel, type 255.0.0.0.
  16. Click Add.
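A static tunnel only comes up if the two administrators type mirror-image definitions: each side's Incoming SPI is the other side's Outgoing SPI, the VPN policy methods agree, the keys are identical, and each key has the length the key-length tables above require for its method. The following Python check, added here as an example and not code from the original document or from Symantec, encodes those consistency rules so that both definitions can be compared before anyone types them into the SGMI. The key sizes in bytes come from the tables above; the expected hex length is computed as "0x" plus two hex digits per byte rather than copied from the tables. The SPI values, keys and dictionary layout are constructed for this example and are not real credentials or the appliance's own data format.

```python
import re

# Key sizes in bytes, as listed in the page's key-length tables. The hex
# form of a key is "0x" followed by two hex digits per byte, so the expected
# hex length is computed as 2 + 2 * bytes rather than copied from the page's
# "Key length in Hex" column.
ENCRYPTION_KEY_BYTES = {"DES": 8, "3DES": 24, "AES-128": 16, "AES-192": 24, "AES-256": 32}
AUTHENTICATION_KEY_BYTES = {"MD5": 16, "SHA1": 20}
HEX_KEY = re.compile(r"^0x[0-9A-Fa-f]+$")


def key_length_ok(method, key):
    """True if `key` has the right length for `method`, as ASCII or 0x-hex.

    A key that begins with 0x is taken to be hex; any other key is counted
    as ASCII characters (one byte each).
    """
    nbytes = ENCRYPTION_KEY_BYTES.get(method) or AUTHENTICATION_KEY_BYTES.get(method)
    if nbytes is None:
        raise ValueError("unknown method %r" % method)
    if key.startswith("0x"):
        return bool(HEX_KEY.match(key)) and len(key) == 2 + 2 * nbytes
    return key.isascii() and len(key) == nbytes


def check_static_pair(local, remote):
    """Check that the static tunnel definitions typed on the two appliances
    mirror each other: each side's Incoming SPI equals the other side's
    Outgoing SPI, the VPN policy methods agree, the keys are identical and
    each key has the length its method requires. Returns a list of problems
    (empty means the pair is consistent).
    """
    problems = []
    if local["incoming_spi"] != remote["outgoing_spi"]:
        problems.append("local Incoming SPI %s != remote Outgoing SPI %s"
                        % (local["incoming_spi"], remote["outgoing_spi"]))
    if local["outgoing_spi"] != remote["incoming_spi"]:
        problems.append("local Outgoing SPI %s != remote Incoming SPI %s"
                        % (local["outgoing_spi"], remote["incoming_spi"]))
    for kind in ("encryption", "authentication"):
        if local[kind] != remote[kind]:
            problems.append("%s method differs: %s vs %s" % (kind, local[kind], remote[kind]))
            continue
        if local[kind] is None:            # encryption is optional in a static tunnel
            continue
        if local[kind + "_key"] != remote[kind + "_key"]:
            problems.append("%s keys differ between the two sides" % kind)
        if not key_length_ok(local[kind], local[kind + "_key"]):
            problems.append("%s key has the wrong length for %s" % (kind, local[kind]))
    return problems


# Constructed sample definitions (not real keys or SPIs): 3DES with a
# 24-character ASCII key and SHA1 with a 40-hex-digit key, SPIs crossed
# between the two sides as the procedure requires.
SHA1_KEY_HEX = "0x" + "0123456789abcdef" * 2 + "01234567"
LOCAL = {"incoming_spi": "0x1001", "outgoing_spi": "0x1002",
         "encryption": "3DES", "encryption_key": "constructed-3des-key-24c",
         "authentication": "SHA1", "authentication_key": SHA1_KEY_HEX}
REMOTE = {"incoming_spi": "0x1002", "outgoing_spi": "0x1001",
          "encryption": "3DES", "encryption_key": "constructed-3des-key-24c",
          "authentication": "SHA1", "authentication_key": SHA1_KEY_HEX}

if __name__ == "__main__":
    print("problems:", check_static_pair(LOCAL, REMOTE))
```

The two checks are deliberately separate: key_length_ok answers the question the key-length tables answer (is this entry the right size for the method?), while check_static_pair answers the question the procedure's SPI and key steps raise (do the two administrators' entries actually mirror each other?).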


Sharing information with the remote gateway administrator
This list describes the information that you must provide to the administrator of the remote security gateway to which you want to create a tunnel:


Document ID: 2004041413075554
Last Modified: 01/29/2007
Date Created: 04/14/2004
Product(s): Symantec Gateway Security 300 Series, Symantec Gateway Security 400 Series
Release(s): 320, 360, 360R, 440, 460, 460R, SGS 440, SGS 460, SGS 460R



©1995 - 2009 Symantec Corporation