I have a route based VPN between Site A and B, remote site config below.
I get that I have to have an outbound policy that allows traffic from remote to main, however I want to sanity check the policy that allows "all" from main to remote.
This SSG will be sitting connected directly to the internet and as I understand it, other than using private IPs (which are non internet routable) the rule basically allows full access to the LAN that's behind the SSG, it doesn't say "only allow this traffic if it comes over the VPN tunnel".
Also should bgroup0 be in NAT or route mode? I don't want to be NAT'ing traffic over the VPN as hosts on each side need to be able to talk to one another directly.
The config is more or less as per Chapter 4 of 630_ce_VPN.pdf.
I'd welcome being told I'm being overly-cautious here.
unset key protection enable
set clock ntp
set clock timezone 0
set clock dst recurring start-weekday 2 0 3 02:00 end-weekday 1 0 11 02:00
set vrouter trust-vr sharable
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
unset auto-route-export
exit
set alg appleichat enable
unset alg appleichat re-assembly enable
set alg sctp enable
set auth-server "Local" id 0
set auth-server "Local" server-name "Local"
set auth default auth server "Local"
set auth radius accounting port 1646
set admin name "netscreen"
set admin password "random"
set admin http redirect
set admin auth web timeout 10
set admin auth dial-in timeout 3
set admin auth server "Local"
set admin format dos
set zone "Trust" vrouter "trust-vr"
set zone "Untrust" vrouter "trust-vr"
set zone "DMZ" vrouter "trust-vr"
set zone "VLAN" vrouter "trust-vr"
set zone "Untrust-Tun" vrouter "trust-vr"
set zone "Trust" tcp-rst
set zone "Untrust" block
unset zone "Untrust" tcp-rst
set zone "MGT" block
unset zone "V1-Trust" tcp-rst
unset zone "V1-Untrust" tcp-rst
set zone "DMZ" tcp-rst
unset zone "V1-DMZ" tcp-rst
unset zone "VLAN" tcp-rst
set zone "Untrust" screen tear-drop
set zone "Untrust" screen syn-flood
set zone "Untrust" screen ping-death
set zone "Untrust" screen ip-filter-src
set zone "Untrust" screen land
set zone "V1-Untrust" screen tear-drop
set zone "V1-Untrust" screen syn-flood
set zone "V1-Untrust" screen ping-death
set zone "V1-Untrust" screen ip-filter-src
set zone "V1-Untrust" screen land
set interface "ethernet0/0" zone "Untrust"
set interface "ethernet0/1" zone "Null"
set interface "bgroup0" zone "Trust"
set interface "tunnel.1" zone "Untrust"
set interface bgroup0 port ethernet0/2
set interface bgroup0 port ethernet0/3
set interface bgroup0 port ethernet0/4
set interface bgroup0 port ethernet0/5
set interface bgroup0 port ethernet0/6
unset interface vlan1 ip
set interface ethernet0/0 ip 193.35.1.37/24
set interface ethernet0/0 route
set interface bgroup0 ip 192.168.99.1/24
set interface bgroup0 route
set interface tunnel.1 ip unnumbered interface ethernet0/0
set interface ethernet0/0 gateway 193.35.1.254
set interface tunnel.1 mtu 1500
unset interface vlan1 bypass-others-ipsec
unset interface vlan1 bypass-non-ip
set interface ethernet0/0 ip manageable
set interface bgroup0 ip manageable
set interface ethernet0/0 manage ping
set interface ethernet0/0 manage web
set interface bgroup0 manage mtrace
set interface "serial0/0" modem settings "USR" init "AT&F"
set interface "serial0/0" modem settings "USR" active
set interface "serial0/0" modem speed 115200
set interface "serial0/0" modem retry 3
set interface "serial0/0" modem interval 10
set interface "serial0/0" modem idle-time 10
set flow tcp-mss
unset flow tcp-syn-check
unset flow tcp-syn-bit-check
set flow reverse-route clear-text prefer
set flow reverse-route tunnel always
set domain mira.co.uk
set hostname ssg5-remote
set pki authority default scep mode "auto"
set pki x509 default cert-path partial
set dns host dns1 10.65.1.1 src-interface bgroup0
set dns host dns2 10.65.1.2 src-interface bgroup0
set dns host dns3 0.0.0.0
set address "Trust" "remote_LAN" 192.168.99.0 255.255.255.0
set address "Untrust" "main_LAN" 10.65.0.0 255.255.0.0
set crypto-policy
exit
set ike gateway "To_main" address 193.35.1.253 Main outgoing-interface "ethernet0/0" preshare "AuGozwX4NBai5As3rdCbZlJ9NHn5Y4XyqA==" sec-level standard
set ike respond-bad-spi 1
set ike ikev2 ike-sa-soft-lifetime 60
unset ike ikeid-enumeration
unset ike dos-protection
unset ipsec access-session enable
set ipsec access-session maximum 5000
set ipsec access-session upper-threshold 0
set ipsec access-session lower-threshold 0
set ipsec access-session dead-p2-sa-timeout 0
unset ipsec access-session log-error
unset ipsec access-session info-exch-connected
unset ipsec access-session use-error-log
set vpn "remote_main" gateway "To_main" no-replay tunnel idletime 0 proposal "nopfs-esp-aes128-sha"
set vpn "remote_main" monitor source-interface bgroup0 destination-ip 10.65.254.254 optimized rekey
set vpn "remote_main" id 0x3 bind interface tunnel.1
set url protocol websense
exit
set anti-spam profile ns-profile
set sbl default-server enable
exit
set policy id 3 from "Untrust" to "Trust" "main_LAN" "remote_LAN" "ANY" permit
set policy id 3
exit
set policy id 2 name "To main" from "Trust" to "Untrust" "remote_LAN" "main_LAN" "ANY" permit
set policy id 2
exit
set policy id 4 from "Trust" to "Untrust" "Any" "Any" "ANY" permit log
set policy id 4
exit
set nsmgmt bulkcli reboot-timeout 60
set ssh version v2
set config lock timeout 5
unset license-key auto-update
set telnet client enable
set ntp server "10.65.1.1"
set ntp server src-interface "bgroup0"
set snmp port listen 161
set snmp port trap 162
set snmpv3 local-engine id "0162122006002063"
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
set source-routing enable
unset add-default-route
set route 10.65.0.0/16 interface tunnel.1
set route 10.65.0.0/16 interface null metric 10
set route source 192.168.99.0/24 interface tunnel.1 gateway 10.65.3.237
exit
set vrouter "untrust-vr"
exit
set vrouter "trust-vr"
exit