In this process, the tunnel definition is created at one firewall and exported; the exported definition is then imported at the destination firewall, so the tunnel objects on both sides are determined automatically.
In the case of dynamic tunnels, the tunnels are activated automatically, while static tunnels have to be activated manually. With a dynamic tunnel, the firewall administrator has no control over the protocols allowed in the tunnel: all protocols are allowed inside it.
In our discussion, we will demonstrate the implementation of dynamic tunnels. The implementation of the dynamic tunnel is comprised of the following steps:
1. Define tunnel.
2. Export tunnel.
3. Import tunnel (at the destination firewall).
4. Activate the tunnel.
As discussed earlier, dynamic tunnels will allow all the protocols inside the tunnel by default.
The first step is to create a tunnel definition. To create a tunnel definition, choose the Virtual Private Networks option on the SecureWay Firewall GUI (Figure 16 on page 57). It will open the dialog box shown in Figure 79 on page 173.
Figure 79. VPN main menu
Now we need to define the tunnel. To define the tunnel, click <New>, and the dialog in Figure 80 on page 174 should appear.
Figure 80. Tunnel definition
In the tunnel's definition, the following fields have special importance:
• Tunnel Name: Enter the name of the tunnel.
• Filter Type: This can be either static or dynamic.
When we select Dynamic, the firewall will generate dynamic filter rules each time the tunnel is activated. This means that all the traffic between the specified users will be accepted in the tunnel.
When we select Static, we must create the filter rules for the tunnel ourselves. We can create multiple tunnels and decide which protocol will use each tunnel; these filter rules can be more selective, for example allowing only specific protocols' traffic through the tunnel.
• Local Tunnel Address: IP address of the nonsecure interface of the local firewall. Clicking Select gives us the list of interfaces.
• Remote Tunnel Address: IP address of the remote partner's nonsecure interface. Clicking Select gives us the list of the network objects.
• Local User Address: IP address of the secure network or secure host that will use the tunnel. Clicking Select gives us the list of network objects (only used for the Dynamic Filter type).
• Remote User Address: IP address of the remote network or host to which we will connect through the tunnel. Clicking Select gives us the list with the network objects (only used for Dynamic Filter type).
• Remote SPI: Specifies the security parameter index (SPI) value the tunnel partner will use. The value entered must be greater than 255. The SPI is defined in RFC 2401: in conjunction with the target address, it uniquely identifies the set of security information (such as encryption key(s), key lifetime, and so on) for your tunnel partner. You should check with the tunnel partner and obtain an unassigned SPI from it.
• Local SPI: Specifies the security parameter index (SPI) value the tunnel owner will use. The value is entered automatically.
• Policy: Defines which policy we will use; we can select Authentication (AH), Encryption (ESP), or both (ESP/AH).
• Authentication Algorithm (AH): The type of authentication algorithm we will use; the types available are HMAC_MD5 and HMAC_SHA.
• Encryption Algorithm (ESP): The encryption algorithm and the authentication algorithm we will use with ESP. The encryption types are CDMF, DES_CBC, 3DES_CBC, or none, depending on the country version of the firewall. For authentication, we can select HMAC-MD5, HMAC-SHA, or none. We cannot select None for both authentication and encryption with ESP.
Once we have defined the tunnel parameters, we need to export this tunnel to the partner firewall. To do this, you need to highlight the tunnel you have just defined and click on Export. You will be able to see the panel shown in Figure 81 on page 176.
Figure 81. Exporting the tunnel definitions
Typically, you would export the tunnel definition onto a floppy. You would also have to find a secure way to send these tunnel definition parameters to the partner firewall; one method is to send the definition to the partner firewall in an encrypted manner.
At the partner firewall: Once you have the tunnel definition parameters at the partner firewall, you need to import them into that firewall. To do this, select Virtual Private Networks from the firewall main menu and then select Import in the VPN panel. You will then see the panel shown in Figure 82.
Figure 82. Importing a tunnel definition at the partner firewall
You will need to enter the directory where the tunnel file is located (for example, a:\vpn\); when you click the Select option in the tunnel list, you will see the tunnel definition, and the SecureWay Firewall automatically picks up the tunnel ID from it. Once the import process is over, you will notice that the local tunnel address and the remote tunnel address have been interchanged to reflect the correct configuration on the partner firewall side. You can view the tunnel configuration parameters on the partner firewall by selecting the tunnel you have just imported; all the details of the tunnel are shown, as in Figure 83.
Figure 83. View of the imported tunnel
You should have all the required network object definitions ready so that the tunnel creation process is simpler.
If for some reason you wish to deactivate a tunnel manually, you can do so by selecting the tunnel and clicking Deactivate. You can also reactivate the tunnel, as shown in Figure 84 on page 178.
Figure 84. Activating the tunnel
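As an added illustration (not code from the SecureWay Firewall documentation or product), the Python below models the tunnel definition fields described on this page, checks the stated constraints (Remote SPI greater than 255, ESP not allowed with none for both algorithms, the listed algorithm names), and mirrors the definition the way the import step interchanges the tunnel addresses. The in-memory representation, the mirroring of user addresses and SPIs, and the sample addresses are assumptions of this example, not the firewall's export file format.

```python
from dataclasses import dataclass, replace

# Algorithm choices listed in the field descriptions above.
AH_AUTH = {"HMAC_MD5", "HMAC_SHA"}
ESP_ENCRYPTION = {"CDMF", "DES_CBC", "3DES_CBC", "none"}
ESP_AUTH = {"HMAC-MD5", "HMAC-SHA", "none"}

@dataclass(frozen=True)
class Tunnel:
    """One manual tunnel definition; field names follow the GUI fields (model is assumed)."""
    name: str
    filter_type: str        # "dynamic" (all protocols) or "static" (explicit filter rules)
    local_tunnel_addr: str  # nonsecure interface of the local firewall
    remote_tunnel_addr: str # nonsecure interface of the partner firewall
    local_user_addr: str    # secure network/host that uses the tunnel
    remote_user_addr: str   # remote network/host reached through the tunnel
    local_spi: int          # assigned by the firewall
    remote_spi: int         # obtained from the partner, must be > 255
    policy: str             # "AH", "ESP" or "ESP/AH"
    ah_auth: str = "HMAC_SHA"
    esp_encryption: str = "3DES_CBC"
    esp_auth: str = "HMAC-SHA"

def validate(t: Tunnel) -> list:
    """Return the constraints from the field descriptions that the definition violates."""
    problems = []
    if t.filter_type not in ("dynamic", "static"):
        problems.append("filter type must be dynamic or static")
    if t.remote_spi <= 255:
        problems.append("remote SPI must be greater than 255")
    if t.policy not in ("AH", "ESP", "ESP/AH"):
        problems.append("policy must be AH, ESP or ESP/AH")
    if t.policy in ("AH", "ESP/AH") and t.ah_auth not in AH_AUTH:
        problems.append("unsupported AH authentication algorithm")
    if t.policy in ("ESP", "ESP/AH"):
        if t.esp_encryption not in ESP_ENCRYPTION or t.esp_auth not in ESP_AUTH:
            problems.append("unsupported ESP algorithm")
        elif t.esp_encryption == "none" and t.esp_auth == "none":
            problems.append("ESP cannot use none for both authentication and encryption")
    return problems

def import_at_partner(t: Tunnel) -> Tunnel:
    """Mirror an exported definition for the partner firewall: the page states that the
    local and remote tunnel addresses are interchanged; swapping the user addresses and
    SPIs the same way is an assumption of this example."""
    return replace(t, local_tunnel_addr=t.remote_tunnel_addr, remote_tunnel_addr=t.local_tunnel_addr,
                   local_user_addr=t.remote_user_addr, remote_user_addr=t.local_user_addr,
                   local_spi=t.remote_spi, remote_spi=t.local_spi)
```

Run `validate` before exporting so a rejected definition is caught at the defining firewall rather than after the floppy has travelled to the partner.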