View Full Version : Setup Hints for VPN and Remote Management

2005-08-13, 15:41
Setup Hints for VPN and Remote Management
What configuration should be done to improve success of encryption related functions when rolling out enforcement points, especially in a distributed topology?

There are many things one should do when performing the initial setup of the firewall that can eliminate many problems that you might encounter along the way with putkeys, VPNs, and SecuRemote.

The local hosts file (Unix: /etc/hosts, NT: %SystemRoot%system32driversetc) should have an entry for the nodename (Unix: uname -n; NT: The NetBIOS name). This is the "nodename IP" of the system.
The nodename IP above should be a routable address. All VPN partners, management consoles, firewall modules, and SecuRemote clients should be able to reach the nodename IP through standard routing. In most cases, the nodename IP for the box should be the IP of the external interface as it is usually routable.
The network object that represents your firewall should use the same name as your nodename. It should also have the same IP address as your nodename IP (and again, this should usually be your external IP).
Do not call your firewall object (or firewall box for that matter) 'fw', 'fw1' or any other reserved word (4.1) in INSPECT. For FireWall-1 NG, refer to sk6648 (not public) in Secure Knowledge.
When putkeys are used, use the nodename IP address of the remote box.


-- RobertGraham - 08 Jan 2004

FAQs.Class: EncryptionFAQs, SecureClientFAQs