Configuring Policy for Remote Access VPN

In This Section: Configuring Remote Access Policy Creating and Configuring the Security Gateway Defining a Remote Access Community Defining Access Control Rules Access Roles for Remote Access Policy Definition for Remote Access Modifying Encryption Properties for Remote Access VPN Installing the Policy IPsec and IKE for Remote Access

Configuring Remote Access Policy

Configure Remote Access VPN policy in the Unified Access Control Policy Rule Base.

Make sure that:

• All Remote Access Gateways are part of a Remote Access VPN Community.
• The Remote Access Community is included in the VPN column of the rule.

For R80.x gateways, you can include Remote Access and VPN clients in rules as the Source of the rule. To do this create an Access Role for each client.

Creating and Configuring the Security Gateway

1. Create a Security Gateway network object.
2. On the General Properties page, select VPN.
3. Initialize a secure communication channel between the VPN module and the Security Management Server by clicking Communication
4. On the Topology page, define the interfaces and the VPN domain.

   The ICA automatically creates a certificate for the Security Gateway.

Defining a Remote Access Community

To define the VPN Remote Access community and its participants:

1. From the Objects Bar, click VPN Communities.
2. Double-click RemoteAccess.

   The Remote Access window opens.

3. On the Participating Gateways page, click the Add button and select the Security Gateways that are in the Remote Access Community.
4. On the Participating User Groups page, click the Add button and select the group that contains the Remote Access users.
5. Click OK.
6. Publish the changes.

Defining Access Control Rules

Access control is a layer of security not connected with VPN. When there is a Remote Access Community, it does not mean that members of that community have free, automatic access to the network. Security rules have to be created in the Access Control Policy Rule Base blocking or allowing specific services.

Create a rule in the Access Control Rule Base that handles with remote access connections.

1. Go to Security Policies and right-click the cell in the VPN column.
2. Select Specific VPN Communities.
3. Choose the community and click the add button (+).
4. Close the VPN community window.
5. Define Services & Applications and Actions columns.
6. Install the policy.

Example:

To allow remote access users to access the organization's SMTP server, called SMTP_SRV, create the following rule:

Source	Destination	VPN	Service	Action	Track
Any	SMTP_SRV	Remote_Access_ Community	SMTP	Accept	Log

Access Roles for Remote Access

For R80.x gateways, create Access Roles for Remote Access and VPN Clients to include them in rules in the Access Control Rule Base. This applies to Mobile Access and IPsec clients. When an Access Role for a client is in the Source column of a rule, the rule applies to traffic that originates from that client.

You can also use an Access Role in the Destination column.

You must enable Identity Awareness on each gateway that is an installation target for rules with Access Roles.

Creating Access Roles for Remote Access and VPN Clients

To create an Access Role for a new Remote Access or VPN client:

1. Open a New Access Role window in one of these ways:
   • In the object tree, click New> More > User > Access Role.
   • From the Source column of the Access Control policy Rule Base: Click > click > select Access Role.
2. Enter a Name for the access role.
3. Optional: Enter a Comment or click the down arrow to select a Color for the object.
4. From the left pane, select Remote Access Clients.
5. Expand the Specific Client list and click New > Allowed client.
6. Click to select a client and enter an object name.
7. Click OK.
8. Optional: To make the Access Role include only specified users, select Users from the left pane and define the allowed users.
9. Click OK.

Policy Definition for Remote Access

There must be a rule in the Security Policy Rule Base that grants remote users access to the LAN. Consider which services are allowed. Restrict those services that need to be restricted with an explicit rule in the Security Policy Rule Base.

Modifying Encryption Properties for Remote Access VPN

The encryption properties of the users participating in a Remote Access community are set by default. If you must modify the encryption algorithm, the data integrity method and/or the Diffie-Hellman group, you can either do this globally for all users or configure the properties per user.

To modify the user encryption properties globally:

1. From Menu, click Global Properties.
2. From the navigation tree, click Remote Access > VPN- Authentication and Encryption.
3. From the Encryption algorithms section, click Edit.

   The Encryption Properties window opens.

4. In the IKE Security Association (Phase 1) tab, configure the applicable settings:
   • Support encryption algorithms - Select the encryption algorithms that will be supported with remote hosts.
   • Use encryption algorithms - Choose the encryption algorithm that will have the highest priority of the selected algorithms. If given a choice of more than one encryption algorithm to use, the algorithm selected in this field will be used.
   • Support Data Integrity - Select the hash algorithms that will be supported with remote hosts to ensure data integrity.
   • Use Data Integrity - The hash algorithm chosen here will be given the highest priority if more than one choice is offered.
   • Support Diffie-Hellman groups - Select the Diffie-Hellman groups that will be supported with remote hosts.
   • Use Diffie-Hellman group - Client users utilize the Diffie-Hellman group selected in this field.
5. Click OK.
6. Install policy.

To configure encryption policies for specified users:

1. Open Global Properties, and click Remote Access > Authentication and Encryption.
2. From the Encryption algorithms section, click Edit.
3. In the Encryption Properties window, click the IPSEC Security Association (Phase 2) tab.
4. Clear Enforce Encryption Algorithm and Data Integrity on all users.
5. Click OK and close the Global Properties window.
6. For each user:
   1. From the Objects Bar, double-click the user.
   2. From the navigation tree, click Encryption.
   3. Click Edit.

      The IKE Phase 2 Properties window is displayed.

   4. Click the Encryption tab.
   5. Click Defined below.
   6. Configure the Encryption Algorithm and Data Integrity.
   7. Click OK and close the User Properties window.
7. Install policy.

Installing the Policy

Install the policy and instruct the users to create or update the site topology.

IPsec and IKE for Remote Access

For Remote users, the IKE settings are configured in Global Properties > Remote Access > VPN Authentication and Encryption.

IKEv2 is not supported for Remote Access.

For more information about IPsec and IKE, see the Site to Site VPN Administration Guide.