1371 Views, 3 Replies. Latest reply: May 17, 2013 6:49 PM by alex_vani
alex_vani, Newcomer, 31 posts since Mar 24, 2013

May 15, 2013 7:03 PM
VPN-tunnels Site 2 Site Creation / troubleshooting

Hi McAfee firewall lists.

We are in the process of migrating a bunch of VPN tunnels from a Cisco VPN concentrator to our McAfee firewall. I must admit I'm not familiar with VPN on the McAfee firewall, and I would like to know if there is some document that could help me create VPN tunnels on the McAfee firewall.

Is there any step-by-step procedure to create a site-to-site IPsec VPN, or any guide for the troubleshooting process?

Thanks for your help and input.

Alex

  • PhilM, Champion, 528 posts since Jan 7, 2010

    Alex,

    There's every chance that you'll find something in the knowledge base if you take a look. But I personally don't consider site-to-site VPNs to be that complicated.

    Step 1 - Create an ISAKMP rule.

    The appliance uses a process called isakmp to perform the preliminary negotiation of a tunnel with a 3rd-party peer. In order for it to do this, a rule must be created so that the isakmp process wakes up. It doesn't have to be a complicated rule; something like this will work just fine:

    [Screenshot: ISAKMP-Rule.JPG]

    If you want to be more specific (like only having it listen on a designated external IP address on the firewall) you can create an appropriate address object and use it as the destination endpoint value.

    Step 2 - Go to Network --> VPN Configuration --> VPN Definitions and define your VPN tunnel.

    Here is an example of a simple entry.

    • The local private network is 192.168.1.0/24.
    • The remote network is 10.10.10.0/24.
    • The public IP address of the remote firewall is 1.1.1.1.
    • The pre-shared key is "password".
    • The tunnel is going to use AES256/MD5.

    [Screenshots: VPN1.JPG, VPN2.JPG, VPN3.JPG, VPN4.JPG, VPN5.JPG]

    On the last screen I generally stick with the defaults and then check with the remote party to see how their side of the tunnel is being configured. Here you can see where the phase 1 and phase 2 rekey intervals are specified (with other vendors I have noticed these values are often much, much larger than the McAfee defaults) and can implement perfect forward secrecy (PFS) if necessary.

    The other important element is on the General tab, and that is the "Zone" assignment. In this example the zone has been set to "internal". This means that the tunnel will be completely transparent to both parties: any address in the 192.168.1.x network will be able to access any 10.10.10.x address for any protocol. You would only do this if you have complete faith in the other end of the link (maybe if it is another office belonging to your organisation). Otherwise you should pick a different zone and use this value instead.

    For VPNs it is possible to use a virtual zone (a zone definition which is not associated with a physical interface). This will act as the termination point for the VPN, and then you can apply access rules between this zone and your internal/LAN zone to determine which protocols are allowed and which hosts are allowed to use the VPN.

    Sometimes I'd suggest terminating the VPN on the internal zone to prove that the tunnel is working and then changing it to a virtual zone with access rules to lock it down to your satisfaction.

    Troubleshooting-wise, the Audit Viewer is your go-to tool. There is a "VPN" filter which you can apply which will then only present you with audit specific to the IPSec functionality, or if you are comfortable with the command line the command "showaudit -kv" will stream VPN-specific audit data to you in real time.

    Hope that helps.

    -Phil.
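The reply above lists the settings that decide how exposed a site-to-site tunnel is (hash, PFS, pre-shared key, and whether it terminates in the "internal" zone or a virtual zone with access rules). The following is an added example, not code from the thread or from McAfee: a small pre-flight check that takes a VPN definition as a plain dictionary (the field names are this example's own assumption, not the appliance's configuration keys), flags the weak choices in the example tunnel, and shows a hardened version of the same tunnel passing clean.

```python
import ipaddress

# Constructed definition mirroring the values in the post above; the field
# names are this example's own assumption, not the appliance's config keys.
EXAMPLE_VPN = {
    "name": "branch-office",
    "local_network": "192.168.1.0/24",
    "remote_network": "10.10.10.0/24",
    "remote_gateway": "1.1.1.1",
    "pre_shared_key": "password",
    "encryption": "AES256",
    "hash": "MD5",
    "pfs": False,
    "zone": "internal",      # terminates straight into the LAN zone
    "access_rules": [],      # nothing restricts what crosses the tunnel
}

# Same tunnel, hardened (the PSK is a placeholder, not a real secret).
HARDENED_VPN = dict(
    EXAMPLE_VPN,
    pre_shared_key="PLACEHOLDER-generate-a-long-random-key-offline",
    hash="SHA256",
    pfs=True,
    zone="vpn-branch",       # virtual zone with no physical interface
    access_rules=["allow https from 10.10.10.0/24 to 192.168.1.10"],
)

COMMON_PSKS = {"password", "secret", "changeme"}


def check_vpn(vpn):
    """Return a list of findings; an empty list means nothing was flagged."""
    findings = []
    local = ipaddress.ip_network(vpn["local_network"], strict=False)
    remote = ipaddress.ip_network(vpn["remote_network"], strict=False)
    if local.overlaps(remote):
        findings.append("local and remote networks overlap; NAT is needed (see KB64313)")
    if vpn["hash"].upper() == "MD5":
        findings.append("MD5 integrity selected; agree on a SHA-2 hash with the peer")
    if not vpn["pfs"]:
        findings.append("PFS disabled; a recovered phase 1 key would expose phase 2 keys")
    psk = vpn["pre_shared_key"]
    if len(psk) < 20 or psk.lower() in COMMON_PSKS:
        findings.append("pre-shared key is short or a common word")
    if vpn["zone"] == "internal":
        findings.append("terminates in the internal zone; remote hosts reach every local host on any protocol")
    elif not vpn["access_rules"]:
        findings.append("virtual zone has no access rules; add rules between it and the LAN zone")
    return findings
```

Running `check_vpn(EXAMPLE_VPN)` returns four findings for the tunnel as described, while `check_vpn(HARDENED_VPN)` returns none.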

  • sliedl, McAfee SME, 535 posts since Nov 3, 2009
    2. May 16, 2013 11:16 AM (in response to alex_vani)
    Re: VPN-tunnels Site 2 Site Creation / troubleshooting

    I posted this in some other VPN thread here (https://community.mcafee.com/message/151301#151301)


    You can look for just VPN related audits with this audit filter:

    $> acat -e "area vpn" | less

    You can look for just -this- VPN tunnel with this audit filter:

    $> acat -e "vpn_name MY_VPN" | less


    You can also run the commands on the past audits (the audits that have 'rolled', or been gzipped, already):

    $> acat -e "area vpn" /var/log/audit.raw.[date-range].gz | less

    You do not have to unzip the files to use the acat command on them.

    Or you can run a 'live' audit and test your traffic and then look at the data right then:

    $> acat -ke "area vpn" > liveaudit.txt

    Then open the file:

    $> less liveaudit.txt

    (use 'q' to quit out of less when you're done)


    Also, here are some KB articles about VPNs on the firewall:

    Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to Set up a VPN Using the GreenBow VPN Client (KB64323)

    Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to get notified when a VPN becomes active or idle (KB65689)

    Creating a VPN between Firewall Enterprise/Sidewinder 7.x and a UTM Firewall/SnapGear with a static IP address (KB63319)

    Creating a VPN between UTM Firewall/Sidewinder 7.x and a UTM Firewall/SnapGear with a dynamic IP address (KB63322)

    Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to Create a VPN Between a SoftRemote Client and the firewall (KB64219)

    Creating a VPN between Firewall Enterprise with a dynamic IP address, and a UTM Firewall/SnapGear with a static IP address (KB65730)

    Firewall Enterprise/Sidewinder/Secure Firewall: VPNs with rules using NAT and redirection (KB68501)

    Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to create a VPN between two Firewall Enterprise firewalls when the Remote Networks have a Different Address Space (KB64218)

    Firewall Enterprise/Sidewinder/Secure Firewall 7.x: How to create a VPN between two Firewall Enterprise firewalls when the Remote Networks share the same address space (KB64313)

    Firewall Enterprise/Sidewinder/Secure Firewall 7.x: Configuration for Shrew Soft VPN to Sidewinder 7.0.1 using a client Certificate and password extended authentication (KB67215)
