Hi McAfee firewall lists.
We are in the process of migrating a bunch of VPN tunnels from a Cisco VPN concentrator to our McAfee firewall. Since I must admit I'm not familiar with VPN on the McAfee firewall, I would like to know if there is some document that could help me create VPN tunnels on the McAfee firewall.
Is there any step-by-step procedure to create an IPsec site-to-site VPN, or any guide for the troubleshooting process?
Thanks for your help and input.
There's every chance that you'll find something in the knowledge base if you take a look. But I personally don't consider site-to-site VPNs to be that complicated.
Step 1 - Create an ISAKMP rule.
The appliance uses a process called isakmp to perform the preliminary negotiation of a tunnel with a third-party peer. In order for it to do this, a rule must be created so that the isakmp process wakes up. It doesn't have to be a complicated rule; something like this will work just fine:
If you want to be more specific (like only have it listening on a designated external IP address on the Firewall) you can create an appropriate address object and use it as the destination endpoint value.
Step 2 - Go to Network --> VPN Configuration --> VPN Definitions and define your VPN tunnel.
Here is an example of a simple entry.
On the last screen I generally stick with the defaults and then check with the remote party to see how their side of the tunnel is being configured. Here you can see where the phase 1 and phase 2 rekey intervals are specified (with other vendors I have noticed these values are often much, much larger than the McAfee defaults) and can implement perfect forward secrecy (PFS) if necessary.
The other important element is on the General tab, and that is the "Zone" assignment. In this example the zone has been set to "internal". This means that the tunnel will be completely transparent to both parties: any address in the 192.168.1.x network will be able to access any 10.10.10.x address for any protocol. You would only do this if you have complete faith in the other end of the link (maybe if it is another office belonging to your organisation). Otherwise you should pick a different zone and use this value instead.
For VPNs it is possible to use a virtual zone (a zone definition which is not associated with a physical interface). This will act as the termination point for the VPN, and then you can apply access rules between this zone and your internal/LAN zone to determine which protocols are allowed and which hosts are allowed to use the VPN.
Sometimes I'd suggest terminating the VPN on the internal zone to prove that the tunnel is working and then changing it to a virtual zone with access rules to lock it down to your satisfaction.
Troubleshooting-wise, the Audit Viewer is your go-to tool. There is a "VPN" filter which you can apply which will then only present you with audit specific to the IPsec functionality, or if you are comfortable with the command line, the command "showaudit -kv" will stream VPN-specific audit data to you in real time.
Hope that helps.
I posted this in some other VPN thread here (https://community.mcafee.com/message/151301#151301)
You can look for just VPN related audits with this audit filter:
$> acat -e "area vpn" | less
You can look for just -this- VPN tunnel with this audit filter:
$> acat -e "vpn_name MY_VPN" | less
You can also run the commands on the past audits (the audits that have 'rolled', or been gzipped, already):
$> acat -e "area vpn" /var/log/audit.raw.[date-range].gz | less
You do not have to unzip the files to use the acat command on them.
Or you can run a 'live' audit and test your traffic and then look at the data right then:
$> acat -ke "area vpn" > liveaudit.txt
Then open the file:
$> less liveaudit.txt
(use 'q' to quit out of less when you're done)
Also, here are some KB articles about VPNs on the firewall:
Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to Set up a VPN Using the GreenBow VPN Client (KB64323)
Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to get notified when a VPN becomes active or idle (KB65689)
Creating a VPN between Firewall Enterprise/Sidewinder 7.x and a UTM Firewall/SnapGear with a static IP address (KB63319)
Creating a VPN between UTM Firewall/Sidewinder 7.x and a UTM Firewall/SnapGear with a dynamic IP address (KB63322)
Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to Create a VPN Between a SoftRemote Client and the firewall (KB64219)
Creating a VPN between Firewall Enterprise with a dynamic IP address, and a UTM Firewall/SnapGear with a static IP address (KB65730)
Firewall Enterprise/Sidewinder/Secure Firewall: VPNs with rules using NAT and redirection (KB68501)
Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to create a VPN between two Firewall Enterprise firewalls when the Remote Networks have a Different Address Space (KB64218)
Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to create a VPN between two Firewall Enterprise firewalls when the Remote Networks share the same address space (KB64313)
Firewall Enterprise/Sidewinder/Secure Firewall 7.x: Configuration for Shrew Soft VPN to Sidewinder 7.0.1 using a client Certificate and password extended authentication (KB67215)
-Phil / sliedl
Thank you so much for your help; the information you have provided will be enough. I will proceed according to your suggestions.
Thank you!