
How to create VTI (VPN Tunnel Interface) based VPNs

Solution ID: sk38521
Product: Security Gateway
Version: R70, NGX R65, R71
Date Created: 14-Apr-2009
Last Modified: 30-Nov-2010

A VPN Tunnel Interface (VTI) is a virtual interface on a VPN-1 component which is associated with an existing VPN tunnel, and is used by IP routing as a point-to-point interface directly connected to a VPN peer gateway. Each VTI is associated with a single tunnel to a VPN peer gateway. The tunnel behaves just like a point-to-point link between two gateways. The tunnel and its properties are defined by a VPN Community linking the two gateways. The peer gateway should also be configured with a VTI. The native IP routing mechanism on each gateway can then direct traffic into the tunnel, just as it would for any other type of interface.

Numbered VTIs have a unique IP address assigned to them, while unnumbered VTIs do not. The IPSO operating system currently only supports unnumbered VTIs.

The following steps are needed to configure a VTI based VPN on the IP Security Platforms. It is assumed that you have a fully functional firewall/VPN module installed that is able to pass all other traffic properly and communicate correctly with the Security Management (SmartCenter) Server, that you are familiar with creating and defining the various types of objects in SmartDashboard, and that you are familiar with the IPSO command line and the Voyager interface.

Step 1: Configure Local Encryption Domain
1. Go to SmartDashboard and edit the local Security Gateway object.
2. Navigate to the Topology section, and select 'Manually Defined' under the VPN Domain section.
3. Click "New" and create a 'Simple Group'.
4. Leave the group blank.

The encryption domain of a VTI based end point is left blank, because all traffic is routed into the tunnel by the static routes that point to the VTIs (Step 6), not by membership in an encryption domain. However, if you plan to create VPNs to non-NGX modules managed by this same Security Management (SmartCenter) Server, you need to define a proper encryption domain.

Step 2: Create & Configure Remote Security Gateway Object & Encryption Domain
1. Create the remote end point Security Gateway object.
2. Under the Topology section, again select 'Manually Defined' under the VPN Domain section.
3. Click "New" and create a 'Simple Group'.
4. Leave the group blank.

Step 3: Configure VPN Community
1. Create a new Star or Meshed VPN Community and add the VPN peers to it, making sure to verify the VPN Phase 1 and Phase 2 properties, the pre-shared secrets and the other VPN properties, as necessary.

Step 4: Configure Appropriate Access Rules
1. Create appropriate VPN access rules in the Security rulebase.
2. Do not include the newly created VPN community under the VPN section of the security rule; leave the VPN column as "Any Traffic". With empty VPN domains, traffic is selected for the tunnel by routing, not by community membership.
3. Install the security policy.

Step 5: Configure the VPN Tunnel Interface (VTI)
Note: The VTI may be added via Voyager OR via the command line using the vpn shell.

To add the VTI via Voyager:
1. Log in to Voyager and navigate to 'Config > Checkpoint Firewall-1 > FWVPN Configuration'.
2. Enter the name of the remote peer Security Gateway object as configured in SmartDashboard, select the interface which will proxy the connection, and then click "Apply".
3. If you have done the above steps in order, you should now have a VTI created and showing a status of 'OK'.
4. Click "Save" to save your configuration.
5. Take a note of the interface name. You will need it in the next step.

To add the VTI via the command line:
1. Log in to the IPSO unit and run the command vpn shell to enter the vpn shell.
2. Next, run the following command to create a VTI:
interface/add/unnumbered [name of peer object] [logical name of proxy interface]
Note: The 'proxy interface' should be the interface of the Security Gateway facing the remote peer.
3. This creates the appropriate VTI. Run the following command to view the VTI created and note its interface name, which is needed for the static route in the next step:
show/interface/summary all

Step 6: Configure Static Routes
Note: You may configure this static route via Voyager or via the command line using clish.

To configure the route via Voyager:
1. Navigate to the 'Static Routes' page in Voyager and add a new static route, selecting 'Logical Address' as the 'Gateway Type'.
2. Click "Apply" and choose the VTI name from the drop-down list as the nexthop gateway.
3. Click "Apply" and "Save".

To configure the route via clish:
1. Log in to the IPSO unit via the command line and run clish to enter the command line shell.
2. Next, run the following command once for each remote network that should be reached through the VTI:
Nokia> set static-route [network/mask_length] nexthop gateway logical [VTI Interface] on

3. Next, run the following command to save the configuration:

Nokia> save config
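The command-line form of Steps 5 and 6, as an added example that is not part of the original solution: a POSIX shell script that prints the vpn shell and clish command sequence for a given peer object, proxy interface, VTI name and list of remote networks, after checking that each network/mask_length argument is well formed. It only generates the commands so they can be reviewed and pasted in; it does not run vpn shell or clish itself, and it does not run on the IPSO box. The peer object name Remote_GW, the proxy interface eth-s1p1c0, the VTI name vti-Remote_GW and the networks used at the bottom are constructed placeholders, not values from the article.

```shell
#!/bin/sh
# Added example (not from sk38521): emits the IPSO command sequence for
# Steps 5 and 6 so it can be reviewed before it is typed into the vpn shell
# and clish. The script only prints commands; it never executes them.
# Peer object, proxy interface, VTI name and networks used at the bottom
# are constructed placeholders.

# Validate a network/mask_length argument (e.g. 10.20.0.0/16) before it is
# handed to "set static-route": four dotted octets in 0-255 and a prefix
# length in 0-32. Returns 0 when valid, 1 otherwise.
valid_cidr() {
    case "$1" in
        */*) ;;
        *) return 1 ;;              # no "/mask_length" part at all
    esac
    vc_net=${1%/*}
    vc_len=${1#*/}
    case "$vc_len" in
        ''|*[!0-9]*) return 1 ;;    # prefix length must be decimal digits
    esac
    [ "$vc_len" -le 32 ] || return 1
    case "$vc_net" in
        .*|*.|*..*) return 1 ;;     # empty octet
    esac
    # Split the address on dots into the function's positional parameters.
    vc_ifs=$IFS
    IFS=.
    set -- $vc_net
    IFS=$vc_ifs
    [ $# -eq 4 ] || return 1
    for vc_o in "$@"; do
        case "$vc_o" in
            ''|*[!0-9]*) return 1 ;;
        esac
        [ "$vc_o" -le 255 ] || return 1
    done
    return 0
}

# Step 5 (command line): the vpn shell commands that create an unnumbered VTI
# towards the peer gateway object $1 over the proxy interface $2, followed by
# the command that lists the VTIs so the new interface name can be read off.
vti_create_commands() {
    printf 'interface/add/unnumbered %s %s\n' "$1" "$2"
    printf 'show/interface/summary all\n'
}

# Step 6 (clish): one static route per remote network through the VTI named
# $1, then "save config". Every network is validated before anything is
# printed, so a typo does not leave a half-applied route set behind.
vti_route_commands() {
    vti=$1
    shift
    [ $# -ge 1 ] || return 1
    for net in "$@"; do
        if ! valid_cidr "$net"; then
            printf 'invalid network/mask_length: %s\n' "$net" >&2
            return 1
        fi
    done
    for net in "$@"; do
        printf 'set static-route %s nexthop gateway logical %s on\n' "$net" "$vti"
    done
    printf 'save config\n'
}

# Example run with constructed values (peer object "Remote_GW", proxy
# interface eth-s1p1c0 and VTI name vti-Remote_GW are all assumptions).
echo '# in vpn shell:'
vti_create_commands Remote_GW eth-s1p1c0
echo '# in clish, after noting the VTI name from the summary:'
vti_route_commands vti-Remote_GW 10.20.0.0/16 10.30.0.0/24
```

The two generators are separate because the VTI name is only known after the interface exists: run the vpn shell commands first, read the name from the summary (or from Voyager), then pass it to vti_route_commands. The clish block ends with "save config" only when every network passed validation, matching the order of the manual steps above.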

Step 7: Test Newly Created VPN

Note: For more detailed information regarding VTI based VPNs, refer to the VPN R71 Administration Guide.