
IPSec Site to Site VPN


Page 1: IPSec Site to Site VPN

© 2009 GTA, INC. CONFIDENTIAL & PROPRIETARY, NOT FOR DISTRIBUTION.

IPSec Site to Site VPN

6/25/14

Course 4101 & 4102

Page 2: IPSec Site to Site VPN

IPSec Tunnels Overview

▪ Security Associations
▪ Custom Objects
  ▪ Encryption Objects
  ▪ IPSec Objects
▪ Site to Site Tunnels
  ▪ Pre-shared keys
  ▪ Certificates
▪ IPSec Security Policies
▪ Monitoring & Reporting
▪ Special Case VPN Configurations
  ▪ VPN Failover
  ▪ NATing an internal host through a VPN
  ▪ VPN to Non-GTA Firewalls

Page 3: IPSec Site to Site VPN

VPN Security Associations (SAs)

▪ The number of SAs is based on firewall type.
▪ The number of SAs a firewall has determines how many VPNs may be configured. Each site to site VPN uses at minimum 2 SAs.
▪ Example
  ▪ Firewall A has an IPSec Tunnel to Firewall B. When the IPSec Tunnel is built you have
    ▪ Network A1 to Network B1 = 1 SA
    ▪ Network B1 to Network A1 = 1 SA
    ▪ Combined this is 2 SAs.
  ▪ Suppose you have Firewall A with networks A1 and A2 to Firewall B with only network B1. When the IPSec Tunnel is built
    ▪ Network A1 to Network B1 = 1
    ▪ Network A2 to Network B1 = 1
    ▪ Network B1 to Network A1 = 1
    ▪ Network B1 to Network A2 = 1
    ▪ Combined this is 4 SAs.

Page 4: IPSec Site to Site VPN

Custom Objects

▪ [Configure -> Objects -> Encryption Objects]
▪ [Configure -> Objects -> IPSec Objects]
▪ Typically used for creating VPN Encryption and Authentication methods to non-GTA Firewalls.

Page 5: IPSec Site to Site VPN

IPSec Tunnel Options

▪ Disable - Disable all access for the configured Site-to-Site IPSec VPN.
▪ Description - User defined
▪ IPSec Object - A selection for the IPSec Object
▪ IPSec Key Mode - IKE (automatic key exchange) or Manual
▪ Notifications - Email, SMS, SNMP Trap
▪ Authentication Method - RSA or Pre-Shared Key
▪ Failover - Select the Failover checkbox to enable VPN failover.
▪ Send Keep Alives - To prevent the VPN connection from closing prematurely, select the Send Keep Alives check box to have GB-OS automatically send a keep alive packet every 20 seconds. This option is only available for a Local Network directly connected to the firewall.
▪ Policy Compatibility - A toggle for firewalls that are not compatible with unique policies. Usually this is used with Draytek firewalls.

Page 6: IPSec Site to Site VPN

VPN Gateway / Local Networks

▪ Gateway
  ▪ Primary – External Interface or alias IP address.
  ▪ Remote – IP Address of the remote host, or fully qualified domain name [FQDN]
  ▪ Remote Identity – If the authentication method is RSA then the VPN certificate selection will display. Otherwise, the options are IP Address, Domain Name or email address.
▪ Local
  ▪ NAT - NAT internal hosts to the Local Gateway IP.
  ▪ Network - Local Network for the VPN. If NAT is used this field is suppressed, and any local network will be sent through the VPN.
  ▪ Identity / Certificate – If the authentication method is RSA then the VPN certificate will display. Otherwise, the options are IP Address, Domain Name or email address.
▪ Remote
  ▪ NAT – NAT the remote network to the remote gateway IP.
  ▪ Network - Remote Network to be accessed via the VPN.

Page 7: IPSec Site to Site VPN


VPN with Pre-Shared Key

Page 8: IPSec Site to Site VPN

VPN With Certificate (RSA)

▪ Each firewall will need the remote firewall's certificate.
▪ Use PKCS #7 format - gives the certificate and the firewall CA, not the key
▪ Make sure the subject CN is resolvable [FQDN]

[Screenshots: Certificate for QA & Training Firewall; Remote Firewall Certificates]

Page 9: IPSec Site to Site VPN


RSA

Page 10: IPSec Site to Site VPN


IPSec Security Policies

Page 11: IPSec Site to Site VPN

[Configure -> VPN -> Preferences]

▪ AH [Authentication Header IP protocol] – Protocol 51
▪ ESP [Encapsulating Security Payload protocol] – Protocol 50
▪ IKE – UDP 500 & 4500

Page 12: IPSec Site to Site VPN

[Configure -> VPN -> Preferences] FIPS

▪ FIPS – Force use of FIPS compliant algorithms.
▪ The FIPS Object Module supports the following algorithms: Triple DES, AES, CMAC, CCM, RSA (for digital signatures), DH, DSA/DSA2, ECDSA/ECDSA2, SHA-1, SHA-224, SHA-256, SHA-384, SHA-512, and HMAC-SHA-1, HMAC-SHA-224, HMAC-SHA-256, HMAC-SHA-384, HMAC-SHA-512
▪ Does not allow DES or MD5

Page 13: IPSec Site to Site VPN

VPN Down Notification

Email

-------------------------------------------------------------------------------
Notification Type: VPN Failure
Product: GB-OS GB-Ware Unrestricted
Host Name: qa-training.gta.com
Version: 6.1.4
Serial Number: 12000588
Date: 2011-12-02 15:31:57 EST (-0500)
-------------------------------------------------------------------------------
Unable to create VPN from 10.20.1.80 to 172.16.100.254

Page 14: IPSec Site to Site VPN


Monitoring

Page 15: IPSec Site to Site VPN

Reporting

▪ Inbound
▪ Outbound
▪ Service
▪ Denied

Page 16: IPSec Site to Site VPN

Using FQDN in Remote Gateways - Overview

The use of Fully Qualified Domain Names (FQDN) in the IPsec Tunnel Remote Gateway field allows an administrator to configure Main mode IPSec Tunnels using names instead of IP addresses. This can be applied to firewalls with static IP addresses or dynamic IP addresses. In the case of two firewalls with dynamic IP addresses, it allows both firewalls to act like firewalls with static IP addresses, with no worries about the IP address changing.

Page 17: IPSec Site to Site VPN

Using FQDN in Remote Gateways - Requirements

▪ DNS enabled
▪ Firewalls with Dynamic IP addresses - Dynamic DNS service enabled
▪ Built in VPN or VPN option

Page 18: IPSec Site to Site VPN

Before Setting Up the VPN

▪ If the firewall's external interface IP address is dynamic, configure Dynamic DNS.
  ▪ Supported services
    ▪ Dynamic DNS
    ▪ Change IP
    ▪ Easy DNS
    ▪ NoIP
  ▪ Configured in the [Services -> Dynamic DNS] section
▪ Configure the firewall DNS service
  ▪ Configured in [Services -> DNS]
▪ Ping each remote gateway from the firewall interface using the remote gateway's host name.
  ▪ Confirm the remote gateway names resolve.
  ▪ It is not necessary to actually ping them as long as the name resolves.
  ▪ Ping – Monitor [Tools -> Network Diagnostics]
  ▪ If the firewall fails to resolve the remote firewall name, recheck the DNS configured for the firewalls.

Page 19: IPSec Site to Site VPN

IPSec Tunnel

▪ VPN -> IPSec Tunnel defines the VPN on both firewalls
▪ In the remote Gateway field use the host name of the firewall
▪ The host name should match the name used in the Host Name field of the firewall's Network -> Interfaces. However, this is not required.
▪ The VPN Setup Wizards will accept host names for firewalls.

Page 20: IPSec Site to Site VPN

IPSec Tunnels

▪ Insert a new or modify an existing IPSec Tunnel
  ▪ Description – User defined
  ▪ VPN Object – select Standard Static.

Page 21: IPSec Site to Site VPN

IPSec Tunnels Gateways

▪ Gateways
  ▪ Local – select the local interface which will be the local gateway.
  ▪ Remote
    ▪ Select User Defined and enter a host name. The host name must be resolvable from the firewall.
  ▪ Identity – set to IP address

Page 22: IPSec Site to Site VPN

Multiple Networks

▪ To use multiple networks in a VPN, create an address object holding each network, on each firewall.

Page 23: IPSec Site to Site VPN


Multiple Networks

▪ Use the object in the Local and Remote Gateway Field.

▪ Adding more networks to the same VPN is as simple as adding more networks to each object.

Page 24: IPSec Site to Site VPN

NAT Through VPN

▪ Problem Report: Firewall 199.120.225.80 must see all VPN traffic coming from a public IP.
▪ Select the NAT option in the Site – Site VPN

Page 25: IPSec Site to Site VPN


NAT Through VPN

Page 26: IPSec Site to Site VPN


NAT Through VPN Using Static Address Mapping

Page 27: IPSec Site to Site VPN


NAT Through VPN Using Static Address Mapping

Page 28: IPSec Site to Site VPN


Monitor NAT -> VPN

Page 29: IPSec Site to Site VPN


NAT to Alias based on Destination

Page 30: IPSec Site to Site VPN

Hub & Spoke VPN

A small remote office can access resources via a Site to Site IPSec Tunnel after reaching the first firewall, without a direct VPN connection.

Page 31: IPSec Site to Site VPN

Hub & Spoke VPN

Requires object creation on each firewall. Use these objects in the IPSec Site to Site Tunnels as local and remote networks.

▪ GB-300 <-> Firewall A
  ▪ Local – 172.16.2.0/24
  ▪ Remote Network
    ▪ 172.16.0.0/24
    ▪ 172.16.1.0/24
▪ Firewall A <-> GB-300
  ▪ Local –
    ▪ 172.16.0.0/24
    ▪ 172.16.1.0/24
  ▪ Remote – 172.16.2.0/24
▪ Firewall A <-> Firewall B
  ▪ Local –
    ▪ 172.16.0.0/24
    ▪ 172.16.2.0/24
  ▪ Remote – 172.16.1.0/24
▪ Firewall B <-> Firewall A
  ▪ Local – 172.16.1.0/24
  ▪ Remote –
    ▪ 172.16.0.0/24
    ▪ 172.16.2.0/24
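The SA arithmetic from the Security Associations slide applied to this hub-and-spoke layout, as an added Python example that is not part of the GTA course material: the tunnel definitions are constructed from the slide above, `sa_count_per_firewall` totals the SAs each firewall consumes (two per local/remote network pair), `mirror_mismatches` checks that the two definitions of each tunnel mirror each other, and `sa_headroom` compares usage against assumed per-firewall SA limits (the real limits depend on firewall type and are not given on the slide).

```python
from ipaddress import ip_network

# Tunnel definitions constructed from the hub-and-spoke slide:
# (local firewall, remote firewall, local networks, remote networks).
HUB_SPOKE_TUNNELS = [
    ("GB-300", "Firewall A", ["172.16.2.0/24"], ["172.16.0.0/24", "172.16.1.0/24"]),
    ("Firewall A", "GB-300", ["172.16.0.0/24", "172.16.1.0/24"], ["172.16.2.0/24"]),
    ("Firewall A", "Firewall B", ["172.16.0.0/24", "172.16.2.0/24"], ["172.16.1.0/24"]),
    ("Firewall B", "Firewall A", ["172.16.1.0/24"], ["172.16.0.0/24", "172.16.2.0/24"]),
]


def tunnel_sa_count(local_nets, remote_nets):
    """One SA per direction for every (local, remote) network pair."""
    return 2 * len(local_nets) * len(remote_nets)


def sa_count_per_firewall(tunnels):
    """Total SAs each firewall consumes across the tunnels it terminates."""
    totals = {}
    for local_fw, _remote_fw, local_nets, remote_nets in tunnels:
        totals[local_fw] = totals.get(local_fw, 0) + tunnel_sa_count(local_nets, remote_nets)
    return totals


def mirror_mismatches(tunnels):
    """Firewall pairs whose two tunnel definitions do not mirror each other.

    The local networks on one side must equal the remote networks on the
    other side (and vice versa); otherwise some network pairs have no
    matching SA on the peer and traffic for them fails.
    """
    by_pair = {
        (a, b): (frozenset(map(ip_network, local)), frozenset(map(ip_network, remote)))
        for a, b, local, remote in tunnels
    }
    bad = []
    for (a, b), (local, remote) in by_pair.items():
        peer = by_pair.get((b, a))
        if peer is None or peer != (remote, local):
            bad.append((a, b))
    return bad


def sa_headroom(tunnels, capacity):
    """Firewalls whose SA usage exceeds the (assumed) per-firewall SA limit."""
    return {fw: n for fw, n in sa_count_per_firewall(tunnels).items() if n > capacity[fw]}
```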

Page 32: IPSec Site to Site VPN

IPSec VPN Failover

Course 4102

Page 33: IPSec Site to Site VPN

Requirements

▪ Built in VPN or VPN option.
▪ DPD (Dead Peer Detection) enabled for VPN.
▪ 2 Internet Gateways

Page 34: IPSec Site to Site VPN

IPSec Site to Site Failover

IPSec Site to Site failover uses DPD to determine if the Primary Remote IPSec Gateway is down. If the remote gateway is down the firewall will automatically switch over to the secondary IPSec Gateway. Once the Primary Gateway recovers the firewall will switch back without user intervention.

Page 35: IPSec Site to Site VPN

Dead Peer Detection (DPD)

Allows the firewall to determine that the remote IPSec Gateway is down and tear down the VPN.

Page 36: IPSec Site to Site VPN


VPN Failover Case 1

Site with single Internet connection connecting to a site with two Internet connections.

Page 37: IPSec Site to Site VPN

Firewall with One External Gateway to Two External Gateways – IPSec Tunnels [VPN -> IPSec Tunnels]

Page 38: IPSec Site to Site VPN

VPN Failover Case 2

Both firewalls have redundant Internet connections.

Page 39: IPSec Site to Site VPN

VPN Failover Case 2

▪ Each firewall has two Internet gateways on different networks for redundancy.
▪ If the primary gateway fails the VPN will fail over to the secondary VPN gateways.
▪ On recovery of the primary VPN the VPN will fall back to the primary connection.
▪ Configuration is different from the single gateway failover:
  ▪ Each Primary Gateway will use the alternate (remote) Primary Gateway as its remote gateway, and each Secondary Gateway will use the remote Secondary Gateway.
▪ Static routes will need to be added for each remote gateway on each firewall.

Page 40: IPSec Site to Site VPN


Case 2 – Routes

Page 41: IPSec Site to Site VPN


Case 2 – IPSec Tunnel

Page 42: IPSec Site to Site VPN

Testing Fail Over

▪ The VPN Failover can be tested by disabling the Primary Interface. This can be done in the Monitor section [Tools -> Interfaces]. Important: if you administer the firewall via that interface, VPN Failover will initiate the VPN via the secondary Gateway.
▪ It is recommended that Gateway Failover is enabled for testing, but it is not required.
▪ When the primary interface is re-enabled, Gateway Failover will switch the routes back to the primary gateway and VPN failover will switch the VPN back to the primary route.
▪ The VPN transition will go through several states, during which the VPN should remain up and active.
  ▪ Normal – Primary up
  ▪ Fail over – Secondary coming up, Primary dying
  ▪ Complete fail over to secondary
  ▪ Primary recovers
  ▪ Secondary starts dying off
  ▪ Complete recovery

Page 43: IPSec Site to Site VPN


VPN Transitions

▪ Start Up of IPSec Tunnel

▪ Primary Gateway Up

▪ Primary Gateway Fail

▪ Primary Gateway recover

▪ Stable

Page 44: IPSec Site to Site VPN


DPD Log Indicating VPN Failure

Dec 2 15:16:39 pri=2 msg="IKE: DPD: remote is not responding; removing IPsec-SA" type=vpn src=172.16.100.254 srcport=500 dst=10.20.1.80 dstport=500
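Detection logic over the log format shown above, as an added Python example (not GB-OS code): it parses the key=value lines, extracts the DPD tear-down events per remote gateway, and flags peers that keep being torn down. The sample log is constructed; only its first line is the slide's own entry, the other message texts and the 198.51.100.7 address are made up for the demonstration.

```python
import re
from collections import Counter

# Constructed sample in the GB-OS key=value log format. The first line is the
# slide's own DPD message; the other lines are made up for this demonstration.
SAMPLE_LOG = """\
Dec 2 15:16:39 pri=2 msg="IKE: DPD: remote is not responding; removing IPsec-SA" type=vpn src=172.16.100.254 srcport=500 dst=10.20.1.80 dstport=500
Dec 2 15:16:45 pri=5 msg="IKE: ISAKMP-SA established" type=vpn src=172.16.100.254 srcport=500 dst=10.20.1.80 dstport=500
Dec 2 15:31:57 pri=2 msg="IKE: DPD: remote is not responding; removing IPsec-SA" type=vpn src=172.16.100.254 srcport=500 dst=10.20.1.80 dstport=500
Dec 2 15:32:10 pri=4 msg="Blocked by policy" type=filter src=198.51.100.7 srcport=51234 dst=10.20.1.80 dstport=22
"""

TIMESTAMP_RE = re.compile(r"(\w{3}\s+\d{1,2}\s+\d\d:\d\d:\d\d)\s+(.*)$")
FIELD_RE = re.compile(r'(\w+)=("([^"]*)"|\S+)')
DPD_TEXT = "DPD: remote is not responding"


def parse_line(line):
    """Split a GB-OS log line into its timestamp and key=value fields.

    Values may be quoted (msg="...") and contain spaces, so the line is
    tokenised by regex rather than split on whitespace. Returns None for a
    line that does not carry the expected timestamp prefix.
    """
    m = TIMESTAMP_RE.match(line)
    if not m:
        return None
    fields = {"timestamp": m.group(1)}
    for key, raw, quoted in FIELD_RE.findall(m.group(2)):
        fields[key] = quoted if raw.startswith('"') else raw
    return fields


def dpd_failures(log_text):
    """(timestamp, remote gateway, local gateway) for each DPD tear-down."""
    events = []
    for line in log_text.splitlines():
        f = parse_line(line)
        if f and f.get("type") == "vpn" and DPD_TEXT in f.get("msg", ""):
            events.append((f["timestamp"], f["src"], f["dst"]))
    return events


def repeated_dpd_peers(log_text, threshold=2):
    """Remote gateways torn down by DPD at least `threshold` times.

    A single DPD event is the expected trigger for VPN failover; a peer that
    keeps reappearing here is flapping and is worth an alert to the operator.
    """
    counts = Counter(src for _, src, _ in dpd_failures(log_text))
    return {peer: n for peer, n in counts.items() if n >= threshold}
```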

Page 45: IPSec Site to Site VPN

Failover from an Internal Router to Site to Site VPN

Page 46: IPSec Site to Site VPN

Failover from an Internal Router to VPN

Automatic failover from an internal MPLS router to a Site to Site IPSec VPN requires the use of a dynamic routing protocol such as RIP, OSPF, or BGP. When the dynamic routing protocol is enabled on the firewall and the same protocol is enabled on the MPLS routers, the firewall will learn the routes for the remote site(s) via the routing protocol. When the link goes down, the route change should be communicated to the firewall, which will then drop the route from its routing table. Packets arriving on the protected interface of the firewall, instead of being redirected to the local router, will be encapsulated and sent via the VPN. When the route is up, the firewall will redirect the packets to the internal router and not pass them via the VPN.

Page 47: IPSec Site to Site VPN

Continued

1. Static routes pointing to the local MPLS router will need to be removed from the firewalls. Left in place, they will cause a routing problem and the VPN will not perform as expected.
2. Transition time to the VPN is based on how long it takes the route changes to propagate to the firewall.
3. The VPN is set up as standard for a GTA to GTA IPSec Tunnel.
4. This method can only be used when the route to the remote site is on the protected LAN as displayed above. It cannot be used if the MPLS routers are reached from another network or interface where packets must pass through the firewall before being sent to the MPLS router.

Page 48: IPSec Site to Site VPN

Continued

The above configuration does not work: since the packets pass through the firewall, they are encapsulated because they match the VPN.

Page 49: IPSec Site to Site VPN

Default Settings

▪ Firewalls used in this configuration were on v5.2.0
▪ VPN Objects referenced are GTA's Standard Static Object using Aggressive Mode, AES192/SHA1/Key Group 2, and GTA's Standard Static
▪ VPN Security [Security Policies -> Policy Editor -> VPN Policies] is set to allow all through the VPN. Consult your own corporate security policy when setting up VPN policies.
▪ IPSec Tunnel VPN Automatic Policy is enabled, which allows connections for ESP (Protocol 50), UDP 500 and 4500.

Page 50: IPSec Site to Site VPN

VPN to Non GTA Devices

▪ Configuring a GB-OS Site-to-Site VPN to a Non-GTA Firewall
  ▪ http://www.gta.com/downloads/external/pdf/SiteToSiteVPN_NonGTAFirewall.pdf
▪ Configuring a GB-OS Site-to-Site VPN to Amazon VPC VPN
  ▪ http://www.gta.com/downloads/external/61/General/SiteToSiteVPN_to_AmazonVPCVPN.pdf

Page 51: IPSec Site to Site VPN

VPN to Non GTA Devices: Important Compatibility Requirements and Notes

▪ Security Association (SA) Key Lifetimes: GB-OS firewalls will accept a key lifetime up to the configured lifetime in the IPSec Object. This configuration setting is located at Configure>Objects>IPsec Objects. The default SA lifetime is 90 minutes for Phase I and 60 minutes for Phase II. Mismatched SA key lifetimes can affect VPN negotiation and re-key.
▪ Perfect Forward Secrecy (PFS) is enabled by default on all GTA firewalls and is the key group configured in Phase II of the IPSec Object. Most non-GTA devices do not have PFS enabled. Be sure PFS is enabled on the remote firewall, or create a new encryption object for Phase II with Key Group set to None.
▪ IKE Proposal or ISAKMP Policy is equivalent to the Phase I configuration.
▪ IPSec Proposal or Crypto Map is equivalent to the Phase II configuration.
▪ Dead Peer Detection (DPD) is enabled by default on all GTA firewalls and is configured at Configure>Objects>IPsec Objects. Setting the DPD interval to zero (0) will stop the firewall from sending DPD requests. However, the firewall will still respond to remote DPD requests. The default for GTA firewalls is 30 seconds.
▪ Identities: Use IP Address as the identity when setting up a Site-to-Site VPN. If the remote firewall has a dynamic IP address and is using a Dynamic DNS service, the remote gateway field should be set to the Dynamic DNS service host name (FQDN). The identity should be set to IP Address; the firewall will resolve the name to an IP address and use this for the identity.
▪ Policy Compatibility Option – This option is located in the advanced section of an IPSec Tunnel. It makes the firewall behave the same as GB-OS versions below 5.3.0. Usually this is only required when connecting to a Draytek router with multiple subnets, or to firewalls that are not compatible with unique policies.
▪ GTA firewalls do not allow the use of ranges in IPSec Tunnels. All VPN networks must be hosts or networks.
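A compatibility pre-check built from these notes, as an added Python example rather than anything shipped with GB-OS: `check_peers` compares a GB-OS IPSec object (the Standard Static values from the Default Settings slide) with a remote vendor's proposal and reports PFS, lifetime, FIPS, identity and DPD findings. The `Phase` and `IpsecPeer` classes and the algorithm name strings are assumptions made for the example.

```python
from dataclasses import dataclass
from typing import List, Optional

# Algorithm names the FIPS slide lists as permitted (DES and MD5 are not);
# the string spellings are an assumption for this example.
FIPS_ENCRYPTION = {"3DES", "AES128", "AES192", "AES256"}
FIPS_HASH = {"SHA1", "SHA224", "SHA256", "SHA384", "SHA512"}


@dataclass
class Phase:
    encryption: str
    hash: str
    key_group: Optional[int]  # DH key group; None in Phase II means PFS off
    lifetime_min: int


@dataclass
class IpsecPeer:
    name: str
    phase1: Phase
    phase2: Phase
    dpd_interval_s: int = 30       # GTA default from the slide
    identity: str = "IP Address"


def check_peers(gta: IpsecPeer, remote: IpsecPeer, fips: bool = False) -> List[str]:
    """Compare a GB-OS IPSec object with the remote device's proposal.

    Returns a list of findings; an empty list means the two sides should
    negotiate. Each rule mirrors one compatibility note from the slide.
    """
    findings = []
    phases = (("Phase I", gta.phase1, remote.phase1), ("Phase II", gta.phase2, remote.phase2))
    for label, g, r in phases:
        if (g.encryption, g.hash) != (r.encryption, r.hash):
            findings.append(f"{label}: algorithms {g.encryption}/{g.hash} vs {r.encryption}/{r.hash}")
        if g.key_group != r.key_group:
            note = f"{label}: key group {g.key_group} vs {r.key_group}"
            if label == "Phase II" and r.key_group is None:
                note += " (PFS enabled on the GTA side but not on the remote)"
            findings.append(note)
        # GB-OS accepts any remote lifetime up to its own configured value.
        if r.lifetime_min > g.lifetime_min:
            findings.append(f"{label}: remote lifetime {r.lifetime_min} min exceeds GTA limit of {g.lifetime_min} min")
        if fips and (g.encryption not in FIPS_ENCRYPTION or g.hash not in FIPS_HASH):
            findings.append(f"{label}: {g.encryption}/{g.hash} is not FIPS compliant")
    if gta.identity != "IP Address":
        findings.append(f"Identity is {gta.identity}; use IP Address for site-to-site tunnels")
    if gta.dpd_interval_s == 0:
        findings.append("DPD interval is 0: the firewall answers DPD requests but never sends them")
    return findings


# GTA Standard Static object as described on the Default Settings slide:
# AES192/SHA1/Key Group 2, lifetimes 90 min (Phase I) and 60 min (Phase II).
GTA_STANDARD_STATIC = IpsecPeer(
    "GB-OS",
    Phase("AES192", "SHA1", 2, 90),
    Phase("AES192", "SHA1", 2, 60),
)
```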

Page 52: IPSec Site to Site VPN

VPN to Non GTA Devices: Known to Work

▪ Astaro
▪ Checkpoint
▪ Cisco ASA
▪ Draytek
▪ Fortinet
▪ Netgear
▪ Netscreen
▪ Sonicwall
▪ PFsense

Page 53: IPSec Site to Site VPN

Frequently Asked Questions / Troubleshooting

▪ If using custom objects, confirm the addresses and encryption methods.
▪ If the VPN is to a non-GTA firewall, confirm whether PFS is enabled or disabled. Most non-GTA firewalls do not use PFS by default.
▪ When does the firewall resolve the host name?
  ▪ The host names used in the remote gateway field are resolved on start up of the IPSec Tunnel, on rekey, and when Dead Peer Detection detects a failure.
▪ What is the difference between main mode and aggressive mode for GTA firewalls?
  ▪ Aggressive mode is used on GTA firewalls for anonymous connections, where the remote firewall's IP address is not known. Using names in the remote gateway field allows the firewall to resolve the name and use main mode.
▪ Can I use host names to a firewall not on 5.2 from a 5.2 system?
  ▪ Yes, a firewall on v5.2 can use a host name to initiate a VPN to a firewall on 5.1 or below.
▪ Can I use a host name to connect to a non-GTA firewall?
  ▪ Yes, as long as the identities, encryption, and key lifetimes match.
▪ Can I use host names in the remote gateway field?
  ▪ Yes, you can use host names in the remote gateway field. If the firewall IP addresses are dynamic this is the recommended configuration.
▪ Can I use VPN failover to connect to a non-GTA firewall?
  ▪ VPN failover is designed around GTA firewalls. While it may work with non-GTA firewalls, this has not been tested by GTA.

Page 54: IPSec Site to Site VPN

References

▪ http://www.dyndns.com/
▪ http://www.changeip.com/
▪ http://www.noip.com/
▪ https://web.easydns.com/
▪ http://www.gta.com/support/documents/
▪ http://www.gta.com/downloads/external/pdf/SiteToSiteVPN_NonGTAFirewall.pdf
▪ http://www.gta.com/downloads/external/61/General/SiteToSiteVPN_to_AmazonVPCVPN.pdf
▪ http://www.gta.com/downloads/external/61/General/GB-OS_Certificate_Management.pdf
▪ FIPS - http://www.openssl.org/docs/fips/fipsnotes.html
▪ FIPS-140-2 information: http://csrc.nist.gov/publications/fips/fips140-2/fips1402.pdf

Page 55: IPSec Site to Site VPN

If you require additional assistance or have additional questions please contact GTA Technical Support.

▪ Email: support@gta.com
▪ Phone: 1.407.482.6925
▪ Free User Support – http://forum.gta.com
▪ Partners Portal – https://partners.gta.com