Web Security Service Legacy IPSEC Connectivity Instructions - Certificate Authentication with Cisco ASA
Article ID: 174854

Products

Cloud Secure Web Gateway - Cloud SWG

Issue/Introduction

About This Solution

This article details the archived configuration steps to establish a certificate-based IPsec connection to the Symantec Web Security Service. Originally written in 2012, it provides an alternative to the VPN-to-VPN method, which uses a mutual preshared key to authenticate with the Symantec WSS. A common use case that requires the cert-based method is when many firewalls sit behind a NAT firewall, which prevents each of them from presenting a unique gateway IP address.

Version Demonstrated

  • ASA 9.1 devices (ASDM 7.1(1)52).

Other devices that support Simple Certificate Enrollment Protocol (SCEP) might work, but Symantec cannot guarantee the results.

Environment

Prerequisites and Concerns

  • Do not send Auth Connector traffic to the WSS.

Note: Symantec has seen outages occur if the Phase 2 Timeout value is set to longer than four (4) hours. If the current setting is less than four hours, you can leave that value. Otherwise, adjust the time. The screenshots in the following procedure might not reflect this advisory.

Resolution

Procedure

Step 1—Obtain the One-Time Password (OTP)
The one-time password (OTP) and authentication token are required to obtain and validate the authentication certificates used by the firewall device and the WSS.

  1. Log in to the Web Security Service portal.
  2. Browse to Service mode and select Account Maintenance > Integrations.
  3. If you have no API Credentials listed, create one.
    1. Click "+ New Integration".
    2. Select API Credentials.
    3. A username and password are generated.
    4. Define Expiry and select Access Options.
    5. Click Save.
  4. In the browser, enter the API generation string:
    https://portal.threatpulse.com/api/locations?name=location_name&type=cert-firewall
    Where location_name is the name you assign.
    For example:
    https://portal.threatpulse.com/api/locations?name=Store103&type=cert-firewall
    Creates a new location, Store103, and defines it as a cert-based firewall IPsec connection.
  5. The Web Security Service generates the OTP.
    For example:
    {"oneTimePassword":"4d2e183e-1936-4ffc-b298-00ef9529d1d0"}
    Record the OTP value for later reference in this procedure. You need this string value (without the quotes) when configuring the firewall device below.

    Notes:
    - The OTP remains valid for one week. After that, you must generate a new one.
    - If you call the API again for the same location, you receive a new OTP; however, a 30-day timer begins. At the end of the 30 days, the WSS revokes the previous certificate.

  6. Verify that the WSS created the new location.
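
The following is an added example, not part of this article or of the Symantec portal's own tooling. It builds the location-creation URL from Step 1 with proper URL encoding, parses the JSON response into the OTP string (the check that the value is UUID-shaped is an assumption drawn from the sample value above, not a documented format), and computes the two deadlines the notes describe: the one-week OTP validity and the 30-day revocation of the previous certificate when an OTP is re-issued for an existing location. The JSON body is the article's sample value; no HTTP request is made.

```python
"""Added example: OTP request URL, response parsing and validity deadlines
for the WSS cert-firewall location API described in Step 1."""
import json
import uuid
from datetime import datetime, timedelta
from urllib.parse import urlencode

API_BASE = "https://portal.threatpulse.com/api/locations"  # from the article
OTP_VALIDITY = timedelta(days=7)       # the OTP remains valid for one week
REVOCATION_GRACE = timedelta(days=30)  # previous cert revoked 30 days after re-issue


def build_location_url(location_name: str) -> str:
    """Return the URL that creates a cert-based firewall location.

    urlencode() percent-escapes names that contain spaces or reserved
    characters, so the name cannot break the query string."""
    if not location_name:
        raise ValueError("location name must not be empty")
    return API_BASE + "?" + urlencode({"name": location_name, "type": "cert-firewall"})


def parse_otp_response(body: str) -> str:
    """Extract the OTP from the JSON response body.

    The UUID-format check is an assumption based on the article's sample
    value; it catches truncated or mangled copies before they reach the ASA."""
    try:
        data = json.loads(body)
    except json.JSONDecodeError as exc:
        raise ValueError(f"response is not JSON: {exc}") from exc
    otp = data.get("oneTimePassword") if isinstance(data, dict) else None
    if not isinstance(otp, str):
        raise ValueError("response has no oneTimePassword field")
    uuid.UUID(otp)  # raises ValueError on a malformed value
    return otp


def otp_deadlines(issued_at_iso: str, reissued_for_existing_location: bool) -> dict:
    """Return ISO-8601 timestamps for when this OTP stops being usable and,
    if it replaced an earlier OTP for the same location, when the WSS
    revokes the previous certificate (so the firewall must be re-enrolled
    before then)."""
    issued_at = datetime.fromisoformat(issued_at_iso)
    deadlines = {"otp_expires": (issued_at + OTP_VALIDITY).isoformat()}
    if reissued_for_existing_location:
        deadlines["previous_cert_revoked"] = (issued_at + REVOCATION_GRACE).isoformat()
    return deadlines


# Constructed sample: the response body shown in the article, not a live reply.
SAMPLE_RESPONSE = '{"oneTimePassword":"4d2e183e-1936-4ffc-b298-00ef9529d1d0"}'

if __name__ == "__main__":
    print(build_location_url("Store103"))
    otp = parse_otp_response(SAMPLE_RESPONSE)
    print("OTP (paste without quotes into the SCEP challenge password):", otp)
    for name, when in otp_deadlines("2024-01-01T00:00:00+00:00", True).items():
        print(f"{name}: {when}")
```

Run the script as-is to see the URL for the Store103 example; in practice, record the deadlines returned by otp_deadlines() alongside the location so the re-enrollment happens before the 30-day revocation.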

Step 2—Import the root certificates (2048-bit) to your firewall device

Symantec partners with Entrust to provide authentication certificates. You must import the 2048-bit certificate to your device.

  1. Obtain the Entrust 2048 and L1C certificates from Entrust.
    1. In a browser, navigate to: https://www.entrust.com/get-support/ssl-certificate-support/root-certificate-downloads
    2. Locate the Entrust.net Certificate Authority (2048) certificate identified by the following:
      • Thumbprint: 50 30 06 09 1d 97 d4 f5 ae 39 f7 cb e7 92 7d 7d 65 2d 34 31
      • Serial Number: 38 63 de f8
    3. Click Download and open the file in a text editor.
  2. In the ASDM interface, select Configuration > Device Management > CA Certificates.
  3. Click Add.
    The device displays the Install Certificate dialog.
    1. Name the Trustpoint.
      For example, Entrust2048.
    2. Copy the Entrust.net Certification Authority (2048) certificate contents from the text file opened in substep 1c (step 1, substep 3).
    3. Select Paste certificate in PEM format and paste in the certificate contents.
    4. Click Install Certificate.
    5. Repeat this sub-step and paste in the contents of the Entrust L1C Chain Certificate (SHA2) certificate.
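
Before pasting a downloaded root certificate into the trustpoint, a practitioner should confirm that the file's SHA-1 thumbprint and serial number match the values listed in substep 1b, so that a wrong or tampered download is caught before the ASA trusts it. The following is an added example, not code from this article or from Entrust: it decodes the PEM, computes the SHA-1 thumbprint over the DER bytes (the value ASDM and Windows display), and walks the DER far enough to read the serialNumber field. The certificate embedded in the block is a constructed stand-in that carries only the DER fields the check parses; it is not the real Entrust root, so its thumbprint deliberately does not match the article's value while its serial does.

```python
"""Added example: verify a downloaded root certificate's SHA-1 thumbprint
and serial number against the values the article lists, before importing."""
import base64
import hashlib
import re

# Values the article gives for Entrust.net Certification Authority (2048).
ENTRUST_2048_THUMBPRINT = "50 30 06 09 1d 97 d4 f5 ae 39 f7 cb e7 92 7d 7d 65 2d 34 31"
ENTRUST_2048_SERIAL = "38 63 de f8"


def _tlv(tag: int, body: bytes) -> bytes:
    """Encode one DER TLV (used only to build the constructed stand-in)."""
    n = len(body)
    if n < 0x80:
        return bytes([tag, n]) + body
    ln = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([tag, 0x80 | len(ln)]) + ln + body


def _read_tlv(buf: bytes, pos: int):
    """Decode one DER TLV at pos; return (tag, value, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:                     # long-form length
        n = length & 0x7F
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("truncated DER")
    return tag, buf[pos:end], end


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor and base64-decode the certificate body."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no CERTIFICATE block in PEM text")
    return base64.b64decode("".join(m.group(1).split()))


def sha1_thumbprint(der: bytes) -> str:
    """SHA-1 over the DER encoding, formatted as ASDM shows it: 'aa bb cc ...'."""
    return " ".join(f"{b:02x}" for b in hashlib.sha1(der).digest())


def certificate_serial(der: bytes) -> str:
    """Walk Certificate -> tbsCertificate -> [0] version (optional) -> serialNumber.
    A serial whose first byte is >= 0x80 carries a leading 0x00 in DER; it is
    returned as encoded, so compare against the vendor's listed bytes."""
    tag, cert, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Certificate is not a SEQUENCE")
    tag, tbs, _ = _read_tlv(cert, 0)
    if tag != 0x30:
        raise ValueError("tbsCertificate is not a SEQUENCE")
    tag, val, nxt = _read_tlv(tbs, 0)
    if tag == 0xA0:                       # explicit version; absent in v1 certs
        tag, val, nxt = _read_tlv(tbs, nxt)
    if tag != 0x02:
        raise ValueError("serialNumber INTEGER not found")
    return " ".join(f"{b:02x}" for b in val)


def _norm(hexstr: str) -> str:
    """Accept 'aa bb', 'AA:BB' or 'aabb' spellings when comparing."""
    return re.sub(r"[^0-9a-f]", "", hexstr.lower())


def verify_root(pem: str, expected_thumbprint: str, expected_serial: str) -> dict:
    """Return the computed values and whether each matches the expected one."""
    der = pem_to_der(pem)
    thumb = sha1_thumbprint(der)
    serial = certificate_serial(der)
    return {"thumbprint": thumb, "serial": serial,
            "thumbprint_ok": _norm(thumb) == _norm(expected_thumbprint),
            "serial_ok": _norm(serial) == _norm(expected_serial)}


# Constructed stand-in (NOT the Entrust root): a tbsCertificate holding only
# version v3 and the article's serial number. Real certificates carry many
# more fields after serialNumber, which this parser never needs to read.
_STUB_TBS = _tlv(0x30, _tlv(0xA0, _tlv(0x02, b"\x02")) + _tlv(0x02, bytes.fromhex("3863def8")))
STUB_DER = _tlv(0x30, _STUB_TBS)
STUB_PEM = ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(STUB_DER).decode()
            + "-----END CERTIFICATE-----\n")

if __name__ == "__main__":
    result = verify_root(STUB_PEM, ENTRUST_2048_THUMBPRINT, ENTRUST_2048_SERIAL)
    for key, value in result.items():
        print(f"{key}: {value}")
```

To check the real download, read the PEM file obtained in substep 1c into verify_root() in place of STUB_PEM and import it only when both thumbprint_ok and serial_ok are True.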

Step 3—Create an Identity Certificate on the Firewall Device

Configure the device to perform a SCEP challenge and pair the identity certificate.

  1. In your ASDM interface, access the Identity Certificate dialog.
    1. Name the Trustpoint as BlueCoatIssuingCA.
    2. Select Add a new identity certificate.
    3. You can accept the default Key Pair, but it must be 2048 bits.
    4. Click Advanced.
      The device displays the Advanced Options dialog.
  2. Enable the SCEP enrollment mode.
    1. Click the Enrollment tab.
    2. Select Request from a CA.
    3. In the Enrollment URL (SCEP) field, enter:
      bluecoatasweb.managed.entrust.com/scep
  3. Set the SCEP challenge password.
    1. Click the SCEP Challenge Password tab.
    2. In the Password and Confirm Password fields, enter the OTP that you obtained in Step 1.
    3. Click OK, which returns you to the Add Identity Certificate dialog.
  4. Click Install Certificate.

Step 4—Create the site-to-site VPN tunnel

Enable IKE access on the interface that will establish a VPN tunnel to the WSS.

  1. In the ASDM interface, click Configuration.
  2. Click Site-to-Site VPN.
  3. Click Connection Profiles.
  4. In the Access Interfaces area, select Allow IKE v1 Access for the (outside) interface.
  5. In the Connections Profile area, click Add.
    The device displays the Add IPsec Site-to-Site Connection Profile dialog.
    1. Select the Peer IP Address: Static option and enter the regional WSS primary IP address for this location. The Connection Name (selected by default) automatically fills in the same information.
    2. For the Protected Networks: Local Network option, select the originating hosts or subnets that will transmit web traffic through this tunnel.
    3. The Protected Networks: Remote Network setting depends on the Access Method:
      • For stand-alone deployments, select any.
      • For deployments that use the explicit proxy, enter the Symantec WSS explicit proxy IP address: 199.19.250.205.
    4. You can accept the default Group Policy Name, but verify that the Enable IKE v2 option is cleared (the Web Security Service does not support IKEv2 connections for static IP VPN tunnels).
    5. Select the Device Certificate that you created in Step 3.
    6. The Encryption Algorithms: IKE Policy option must contain an rsa-sig authentication.
    7. Enter an Encryption Algorithms: IPSec Proposal.
    8. From the left-menu, click Crypto Map Entry.
      The device displays the Edit IPsec Site-to-Site Connection Profile screen.
  6. Define the Crypto Map and enable NAT-T.
    1. Enable the Perfect Forward Secrecy option.
    2. Enable the NAT-T option.
    3. Select the Device Certificate that you created in Step 3.
    4. Click OK.
  7. Click OK to close the Connection Profile dialog.

Step 5—Create a backup peer

Add a second WSS data center IP address as a backup peer on the Crypto Map you created in Step 4, so the tunnel can fail over if the primary peer is unreachable.

  1. In the ASDM interface, click Configuration.
  2. Click Site-to-Site VPN.
  3. Select Advanced > Crypto Maps.
  4. Select the Crypto Map that you created in Step 4 and click Edit.
    The device displays the Edit IPSec Rule dialog.
    1. Enter a second WSS data center IP address.
    2. Click Add to move it to the peer list.
      At any time, you can return to this screen and use the Move Up and Down buttons to change the order.
    3. Click OK.

Step 6—Define NAT rules

Exclude web traffic on ports 80 and 443 from NAT.

  1. On the ASDM interface, navigate to the NAT Rules page.
  2. Click Add.
    The device displays the Add NAT Rule dialog.
    1. (Optional) Select a Source Interface.
    2. For the Source Address, select the host or internal subnet.
    3. (Optional) Select a Destination Interface.
    4. From the Destination Address drop-down, select any.
    5. From the Service drop-down, select HTTP.
      Note: If the HTTP and HTTPS service objects have not been created, you must do so in the ASDM interface.
    6. Verify that the Action: Translated packet / Source Address option is --Original--.
    7. Select the Disable Proxy ARP on egress interface option.
    8. Click OK.
  3. Repeat this step and create a NAT rule for the HTTPS service.