Goals
• After this chapter, you will be able to:
– Understand the concept of VPN
– Configure policy-based VPN
– Configure route-based VPN
– Configure SSL VPN
www.hillstonenet.com | Hillstone Confidential
Agenda: VPN
Introduction to VPN
• Hillstone IPSec VPN Configuration
– Configuring policy-based VPN
– Configuring route-based VPN
– Lab
• Hillstone SSL VPN Configuration
– Configuring SSL VPN
– Lab
Virtual Private Network
• VPN (Virtual Private Network)
– A private network built across a public wide area
network (WAN)
– Provides a significant cost advantage
– Simplifies LAN and WAN operations
– Provides good compatibility and scalability
– Helps an enterprise quickly start new services and
connect its branches around the world
– Because the carrier network is public, it needs security
measures: encryption, integrity verification and
user authentication
Virtual Private Network
[Figure: a Branch and the Headquarters connected across the
Internet. Host A sends to host B; the branch gateway X
encapsulates the packet and sends it to the headquarters
gateway Y, which decapsulates it and delivers it to B.]
• Provides a secure communication tunnel between remote computers
across a public wide area network (WAN)
• Guarantees connection security by an encrypted tunnel
– The two public gateways encapsulate (and encrypt) the private
traffic exchanged between them
Three Elements of IPSec VPN
IPSec VPN guarantees secure data transmission
over the Internet by the following three elements:
Confidentiality
• Hides the data from anyone who can observe the WAN
Integrity
• Ensures the data has not been tampered with in transit
Authentication
• Verifies that the data really comes from the trusted peer
Confidentiality
• Ensures data confidentiality by encryption
• Encryption is reversible: the holder of the right key
can decrypt the data again
• Data is encrypted and decrypted with secret keys
– Symmetric (secret) key: the same key encrypts and decrypts
– Asymmetric (public) key: a public key encrypts, the
matching private key decrypts
Symmetric Key
• Operates fast, suitable for encryption of large amounts of data
• Typical key length: 40 bits to 448 bits
– Only the upper part of that range is still acceptable: DES (56-bit)
and 3DES are deprecated; AES with 128- or 256-bit keys is the
choice in the proposals configured later in this chapter
• Example: DES, 3DES, AES
[Figure: symmetric encryption. (1) The sender encrypts the original
data with the shared key; (2) the encrypted data crosses the network;
(3) the receiver decrypts it with the same key to recover the original data.]
Asymmetric Key (Public Key)
[Figure: public-key encryption. (1) The receiver's public key (Pub) is
distributed to the sender; (2) the sender encrypts the original data
with Pub; (3) the encrypted data crosses the network; (4) the receiver
decrypts it with its private key (Priv) to recover the original data.]
• Slower than encryption with symmetric keys, so it is used to
protect key exchange and to sign, not to encrypt bulk data
• Typical key length: 512 bits to 2048 bits
– 512- and 1024-bit RSA keys are no longer considered secure;
use at least 2048 bits
Integrity
• Hash algorithms are widely used to provide the data
integrity service
• One-way hashing algorithm
– The original data cannot be recovered from the hash value
• Output of fixed length (the length depends on
the algorithm, not on the input)
• Example
– MD5, SHA
• MD5 provides 128-bit output
• SHA (SHA-1) provides 160-bit output
• Both MD5 and SHA-1 have practical collision attacks; prefer
SHA-2 (e.g. SHA-256) where the peer supports it
One-Way Hash Procedure
[Figure: one-way hash. (1) The sender computes the hash of the data;
(2) it sends the data together with the hash; (3) and (4) the receiver
computes the hash of the received data; (5) the receiver compares
the two hash values: a mismatch means the data was altered.]
Authentication
• Verifies the data by authenticating its source
• Per-packet data origin authentication uses an HMAC (hash
message authentication code): a hash computed over the data
with a secret key that only the two peers know
• Peer authentication in IKE uses one of:
– PSK (pre-shared key)
– RSA-sig (RSA signature with certificates)
– DSA-sig (DSA signature with certificates)
Hash Calculation with a Secret Key
[Figure: hash calculation with a secret key (HMAC). Both sides hold
the same hash key. (1) The sender computes the hash over the data
with the key; (2) it sends the data and the hash; (3) and (4) the
receiver computes the hash over the received data with its copy of
the key; (5) the receiver compares the hash values. Without the key
an attacker cannot produce a matching hash for modified data.]
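The three slides above (one-way hash, authentication, hash with a secret key) are easiest to see in code. The following Python example is added here and is not part of the original training material; it uses only the standard library, the packet bytes and the attacker's modification are constructed, and HMAC-SHA-256 truncated to 128 bits is assumed as the keyed hash (the slides' MD5/SHA-1 would behave the same way). It shows why an unkeyed hash gives integrity but not authentication: an attacker who changes the data can recompute a plain hash, but cannot produce a valid keyed hash without the key.

```python
import hashlib
import hmac
import os

# Constructed sample "packet": stands in for the IP data an IPsec SA protects.
PACKET = b"\x45\x00\x00\x3c" + b"payload: transfer 100 to account 42"
# The same packet after an on-path attacker changes the destination account.
TAMPERED = PACKET.replace(b"account 42", b"account 99")


def unkeyed_hash(data):
    """Plain SHA-256 (the one-way hash slide): detects corruption, but anyone
    who can change the data can also recompute the hash."""
    return hashlib.sha256(data).digest()


def icv(key, data, length=16):
    """Keyed hash: HMAC-SHA-256 truncated to 128 bits, the way ESP carries its
    Integrity Check Value. Only a holder of `key` can compute it."""
    return hmac.new(key, data, hashlib.sha256).digest()[:length]


def verify_icv(key, data, tag):
    """Receiver side: recompute with the shared key and compare in constant
    time so a byte-by-byte mismatch does not leak through timing."""
    return hmac.compare_digest(icv(key, data, len(tag)), tag)


def receiver_accepts_unkeyed(data, received_hash):
    """Receiver side of the unkeyed scheme: hash the received data, compare."""
    return unkeyed_hash(data) == received_hash


def scenario():
    """Run both schemes against the same on-path attacker and report the outcome."""
    key = os.urandom(32)  # authentication key both gateways derived in the IPsec SA

    # Integrity only: the attacker modifies the packet and recomputes the hash,
    # and the receiver has no way to tell.
    forged_hash = unkeyed_hash(TAMPERED)
    unkeyed_fooled = receiver_accepts_unkeyed(TAMPERED, forged_hash)

    # Integrity plus authentication: without the key the attacker can only
    # reuse the genuine tag or guess one; both are rejected.
    tag = icv(key, PACKET)
    genuine_ok = verify_icv(key, PACKET, tag)
    reused_tag_rejected = not verify_icv(key, TAMPERED, tag)
    guessed_tag_rejected = not verify_icv(key, TAMPERED, os.urandom(len(tag)))

    return {
        "unkeyed_fooled": unkeyed_fooled,
        "genuine_ok": genuine_ok,
        "reused_tag_rejected": reused_tag_rejected,
        "guessed_tag_rejected": guessed_tag_rejected,
    }


if __name__ == "__main__":
    for name, outcome in scenario().items():
        print("%-22s %s" % (name, outcome))
```

The truncation to 128 bits mirrors what IPsec does with its ICV (HMAC-SHA1-96, HMAC-SHA-256-128): the tag is shortened to save bytes on the wire, not to weaken it, and the constant-time comparison in verify_icv is the detail most home-grown verifiers get wrong.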
SA (Security Association)
• Two types of SAs are used in IP security:
– ISAKMP SA (IKE SA): protects the key negotiation itself
– IPSec SA: protects the IP data; IPSec SAs are unidirectional,
so each tunnel has one for each direction
• When two IP entities communicate over IPSec VPN:
– First they negotiate the ISAKMP SA (Phase 1)
• Two negotiation modes: main mode and
aggressive mode. Main mode (6 messages) encrypts the peer
identities; aggressive mode (3 messages) sends the identities
and the PSK-based authentication hash before encryption is in
place, so it exposes the PSK to offline dictionary attacks and
should be used only where needed (e.g. peers with dynamic addresses)
– Then they use the ISAKMP SA to negotiate the IPSec SA (Phase 2)
• One negotiation mode: quick mode
– Then they use the IPSec SA to encrypt the data
Agenda: IPSec VPN Configuration
• Introduction to VPN
Hillstone IPSec VPN Configuration
– Configuring policy-based VPN
– Configuring route-based VPN
– Lab
• Hillstone SSL VPN Configuration
– Configuring SSL VPN
– Lab
IPSec VPN
• Hillstone firewalls classify IPSec VPNs by how traffic is
steered into the tunnel:
– Policy-based VPN: a policy rule with the action Tunnel or
From tunnel sends matching traffic into the tunnel
– Route-based VPN: the tunnel is bound to a tunnel interface,
and a route to that interface selects the traffic
[Figure: Site1 (a server on its LAN) and Site2 connected through
the Internet by an IPSec tunnel.]
IPSec VPN Configuration Steps
• An IKE VPN negotiates its keys automatically. Configuring
one consists of:
– Step 1: Configure IKE VPN
• Configure the Phase 1 proposal (optional)
• Configure the ISAKMP gateway (peer)
• Configure the Phase 2 proposal (optional)
• Configure the IPSec tunnel
– Step 2 A (policy-based): Configure a VPN policy rule.
The action of the policy rule must be Tunnel or From
tunnel
– Step 2 B (route-based): Bind the configured VPN
instance to a tunnel interface, create a route to the
tunnel interface, and configure a permit policy rule based
on the zone the tunnel interface is bound to.
Configuring IPSec VPN - Phase 1 Proposal
Configure the Phase 1 proposal
Network > VPN > IPSec VPN. In the P1 Proposal tab, click New.
CLI: isakmp proposal p1-name
• authentication pre-share/rsa-sig
• encryption 3des/des/aes/aes192/aes256
• hash sha/md5
• group 1/2/5
• lifetime <300-86400>
Choose the strongest values both peers support (e.g. aes256, sha,
group 5): des, md5 and group 1 are weak and exist only for
interoperability with old peers. Both peers must have at least one
matching proposal, otherwise Phase 1 never completes.
Configuring IPSec VPN - Peer ISAKMP Gateway (WebUI)
Configuring an ISAKMP gateway (peer)
Network > VPN > IPSec VPN. In the VPN Peer List tab, click New.
Configuring IPSec VPN - Peer ISAKMP Gateway (CLI)
Configuring an ISAKMP gateway (peer)
CLI: isakmp peer peer-name
• connection-type {bidirectional | initiator-only | responder-only}
• interface interface-name
• isakmp-proposal p1-proposal1
• mode {main | aggressive}
• type {dynamic | static}
• peer ip-address
• pre-share string
– With authentication pre-share this string is the only Phase 1
secret: use a long random value and a different one per peer
Configuring IPSec VPN - Phase 2 Proposal (WebUI)
Configure the Phase 2 proposal
Network > VPN > IPSec VPN. In the P2 Proposal tab, click New.
CLI: ipsec proposal p2-name
• protocol {esp | ah}
• encryption {3des | des | aes | aes-192 | aes-256 | null}
• hash {md5 | sha | null}
• group {nopfs | 1 | 2 | 5}
• lifetime seconds
Notes: ah provides integrity only and does not encrypt; null
encryption gives no confidentiality and null hash gives no
integrity, so neither belongs in a production tunnel. nopfs
disables Perfect Forward Secrecy, i.e. the data keys are derived
from the Phase 1 keying material only; select a group to get PFS.
Configuring an IPSec VPN Tunnel (WebUI)
Configure the IKE VPN tunnel
Network > VPN > IPSec VPN. In the IKE VPN List tab, click New.
Configuring an IPSec VPN Tunnel (CLI)
tunnel ipsec tunnel-name auto
• mode tunnel
• isakmp-peer peer-name
• ipsec-proposal p2-name
• id {auto | local ip-address/mask remote ip-address/mask service service-name}
Note: the id (proxy ID) names the local and remote LAN subnets
the tunnel protects, i.e. the traffic the VPN must carry. The peer
must configure the mirror image (its local is our remote), otherwise
Phase 2 fails even when Phase 1 succeeds.
A. Policy-based VPN
Configure a policy (WebUI):
A. Policy-based VPN
Configure a policy (CLI):
– create outbound policy
• policy-global
– rule top from local to remote service any
tunnel tunnel-name
– create inbound policy
• policy-global
– rule top from remote to local service any
fromtunnel tunnel-name
A. Adding a No SNAT Rule
Policy > NAT > SNAT, click New.
Exempt traffic from the local LAN to the remote LAN from source
NAT and place this rule above the general Internet SNAT rule;
otherwise the packets reach the tunnel policy with a translated
source address, no longer match the proxy ID and are not sent
through the tunnel.
B. Route-based VPN (WebUI)
Configure a tunnel interface
Network > Interface, click New to create a tunnel interface.
B. Route-based VPN (WebUI)
Configure a route to tunnel interface:
Network > Routing > Destination Route, Click New.
B. Route-based VPN (WebUI)
Create a policy with the action of permit
Create a policy with the action of permit based on the zone that the tunnel interface is
bound to (e.g. from the LAN zone to the tunnel interface's zone).
If the access is bidirectional, also add an inbound policy; it is the same rule with the
source and destination zones exchanged.
B. Route-based VPN (CLI)
– To create a tunnel interface
• interface tunnelNumber
– zone VPNHub
– tunnel ipsec tunnel-name
– To create a routing entry
• ip vrouter trust-vr
– ip route A.B.C.D/M tunnelNumber
(A.B.C.D/M is the remote LAN subnet)
– To create inbound and outbound policies
• policy-global
– rule from local to remote service any permit
– rule from remote to local service any permit
Troubleshooting
• Steps
– Step 1: Use the command show ipsec sa to verify whether
the Phase 2 SA has been established; if so, the VPN negotiation has
completed successfully and any remaining problem lies in routing
or policy, not in the negotiation.
– Step 2: If the Phase 2 SA has not been established, use the
command show isakmp sa to verify whether the Phase 1 SA has
been established. If so, the problem is typically in the
Phase 2 configuration, for example inconsistent Phase 2
proposals or proxy IDs; if not, review the
configuration of the Phase 1 peer or the network, for example
inconsistent Phase 1 proposals, a pre-shared key mismatch, or no
route to the peer.
– By default the VPN negotiation is triggered by traffic. To
bring the tunnel up without waiting for traffic, select Enable for
Auto connect under the Advanced tab of the Phase 2 tunnel
configuration dialog.
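To tie the configuration steps of this section to the troubleshooting order just described, here is an added Python example (not Hillstone code, and it does not talk to any device): it models the Phase 1 and Phase 2 parameters of two peers as plain dictionaries with the same names as the CLI commands on the previous slides and reports, in the order of the troubleshooting steps, which phase would fail and why. The two site configurations are constructed; the rules that the responder accepts the first of the initiator's proposals it also offers and that a lifetime mismatch is negotiated rather than rejected are simplifying assumptions of the model.

```python
import ipaddress

# Constructed example configurations for the two peers of a site-to-site
# tunnel, using the parameter names of the isakmp proposal / isakmp peer /
# ipsec proposal / tunnel ipsec commands on the preceding slides.
SITE1 = {
    "mode": "main",
    "pre_share": "s3cret-psk",
    "p1_proposals": [
        {"authentication": "pre-share", "encryption": "aes256", "hash": "sha", "group": 2},
    ],
    "p2_proposals": [
        {"protocol": "esp", "encryption": "aes256", "hash": "sha", "group": 2},
    ],
    "id": {"local": "192.168.10.0/24", "remote": "192.168.20.0/24"},
}

SITE2 = {
    "mode": "main",
    "pre_share": "s3cret-psk",
    "p1_proposals": [  # a weak legacy proposal first, then the one SITE1 offers
        {"authentication": "pre-share", "encryption": "3des", "hash": "md5", "group": 2},
        {"authentication": "pre-share", "encryption": "aes256", "hash": "sha", "group": 2},
    ],
    "p2_proposals": [
        {"protocol": "esp", "encryption": "aes256", "hash": "sha", "group": 2},
    ],
    "id": {"local": "192.168.20.0/24", "remote": "192.168.10.0/24"},
}

P1_FIELDS = ("authentication", "encryption", "hash", "group")
P2_FIELDS = ("protocol", "encryption", "hash", "group")


def first_common_proposal(initiator, responder, fields):
    """The responder accepts the first of the initiator's proposals that it also
    offers. Lifetime is deliberately not compared: this model assumes a
    lifetime mismatch is negotiated rather than rejected."""
    for mine in initiator:
        for theirs in responder:
            if all(mine[f] == theirs[f] for f in fields):
                return mine
    return None


def proxy_ids_mirror(a, b):
    """Phase 2 proxy IDs must be exact mirrors: a.local == b.remote and
    a.remote == b.local (a /25 against a /24 is a mismatch, not a subset)."""
    net = ipaddress.ip_network
    return (net(a["id"]["local"]) == net(b["id"]["remote"])
            and net(a["id"]["remote"]) == net(b["id"]["local"]))


def diagnose(a, b):
    """Follow the troubleshooting order: Phase 1 checks first, Phase 2 only if
    Phase 1 would succeed. Returns which phase would complete and why not."""
    issues = []
    if a["mode"] != b["mode"]:
        issues.append("phase1: ISAKMP mode differs (%s vs %s)" % (a["mode"], b["mode"]))
    if first_common_proposal(a["p1_proposals"], b["p1_proposals"], P1_FIELDS) is None:
        issues.append("phase1: no common ISAKMP proposal")
    if a["pre_share"] != b["pre_share"]:
        issues.append("phase1: pre-shared keys differ")
    phase1_ok = not issues
    if phase1_ok:
        if first_common_proposal(a["p2_proposals"], b["p2_proposals"], P2_FIELDS) is None:
            issues.append("phase2: no common IPsec proposal")
        if not proxy_ids_mirror(a, b):
            issues.append("phase2: proxy IDs are not mirror images")
    return {"phase1_ok": phase1_ok, "phase2_ok": phase1_ok and not issues, "issues": issues}


def with_changes(site, **changes):
    """Copy a site configuration with some top-level values overridden."""
    out = dict(site)
    out.update(changes)
    return out


if __name__ == "__main__":
    print("good pair:", diagnose(SITE1, SITE2))
    wrong_pfs = with_changes(SITE2, p2_proposals=[
        {"protocol": "esp", "encryption": "aes256", "hash": "sha", "group": 5}])
    print("PFS group mismatch:", diagnose(SITE1, wrong_pfs))
    wrong_psk = with_changes(SITE2, pre_share="typo")
    print("PSK mismatch:", diagnose(SITE1, wrong_psk))
```

The output of diagnose maps directly onto the two show commands: phase1_ok corresponds to an entry appearing in show isakmp sa, phase2_ok to one appearing in show ipsec sa, and the issues list is what to compare on the two devices when one of them is missing.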
Agenda: SSL VPN Configuration
• Introduction to VPN
• Hillstone IPSec VPN Configuration
– Configuring policy-based VPN
– Configuring route-based VPN
– Lab
Hillstone SSL VPN Configuration
– Configuring SSL VPN
– Lab
SSL VPN – Remote access to Intranet
[Figure: SSL VPN topology]
Remote client on the Internet connects to https://200.0.0.10:4433
E0/4 (Internet side): 200.0.0.10/24
SSL VPN tunnel interface: 10.200.0.1/24
SSL VPN address pool: 10.200.0.2 to 10.200.0.100
E0/0 (LAN side): 192.168.10.1/24
Server/Database Server1: 192.168.10.10/24
Introduction to SSL VPN
• Functions
– Remote secure access
• Elements
– PC hosts
– SSL VPN access point
– Local/Radius/LDAP/AD/Tacacs+
authentication server
SSL VPN Client
• Downloading the SSL VPN client (Hillstone Security Connect)
– Downloading via Internet Explorer (IE)
– Downloading via Netscape or Firefox
• Connecting to the SSL VPN server
– Connect via Internet Explorer (IE)
– Connect via the client software
• Functions of the SSL VPN server
– Accepting connections from the clients
– Assigning IP addresses, DNS server addresses, and WINS
server addresses to SSL VPN clients
– Authenticating and authorizing SSL VPN clients
– Encrypting and forwarding the tunneled client traffic
Configuring SSL VPN
Hillstone devices provide a wizard-based SSL VPN configuration. The
configuration steps are as follows:
Network > VPN > SSL VPN. In the SSL VPN page, click New.
Configuring SSL VPN
Specify an SSL VPN service interface and a service port, configure a
tunnel interface and an address pool, and then click Next.
To configure a tunnel interface and an SSL VPN address pool, see the next slide.
Configuring SSL VPN
Configure a tunnel interface and an SSL VPN address pool. The tunnel
interface and the address pool must be in the same IP segment, and the
pool must not include the tunnel interface's own address. The tunnel
interface must be given an IP address, because that address is the
gateway address pushed to the clients.
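The address pool rules on this slide, as an added Python check that is not part of Hillstone's wizard: it takes the tunnel interface and pool from the SSL VPN topology slide earlier in this chapter (constructed values) and reports the pool problems the wizard would reject. The overlap check against internal LAN subnets goes beyond the slide and is an assumption of good practice rather than a documented wizard rule.

```python
import ipaddress

# Constructed values from the SSL VPN topology slide earlier in this chapter:
# tunnel interface 10.200.0.1/24, address pool 10.200.0.2 to 10.200.0.100,
# internal LAN 192.168.10.0/24.
TUNNEL_IF = "10.200.0.1/24"
POOL = ("10.200.0.2", "10.200.0.100")
LAN_SUBNETS = ("192.168.10.0/24",)


def check_pool(tunnel_if, pool, lan_subnets=()):
    """Return a list of problems with the pool; an empty list means it is usable.
    The first checks are the slide's rules; the LAN overlap check is an added
    one: a tunnel segment that overlaps an internal subnet breaks routing to it."""
    iface = ipaddress.ip_interface(tunnel_if)
    net = iface.network
    start, end = (ipaddress.ip_address(p) for p in pool)
    problems = []
    if start > end:
        problems.append("pool start %s is after pool end %s" % (start, end))
    for label, addr in (("start", start), ("end", end)):
        if addr not in net:
            problems.append("pool %s %s is outside the tunnel segment %s" % (label, addr, net))
    if start <= iface.ip <= end:
        problems.append("pool contains the tunnel interface address %s (the clients' gateway)" % iface.ip)
    if start == net.network_address or end == net.broadcast_address:
        problems.append("pool includes the network or broadcast address of %s" % net)
    for lan in lan_subnets:
        if net.overlaps(ipaddress.ip_network(lan)):
            problems.append("tunnel segment %s overlaps internal subnet %s" % (net, lan))
    return problems


def pool_size(pool):
    """Number of client addresses the pool can hand out."""
    start, end = (int(ipaddress.ip_address(p)) for p in pool)
    return max(0, end - start + 1)


if __name__ == "__main__":
    print(pool_size(POOL), "addresses;", check_pool(TUNNEL_IF, POOL, LAN_SUBNETS) or "OK")
    # The classic mistake: starting the pool at the tunnel interface's own address.
    print(check_pool("10.200.0.1/24", ("10.200.0.1", "10.200.0.100")))
```

Running it on the slide's values prints 99 usable addresses and no problems; the second call shows the error message a pool that starts at the gateway address produces.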
Configuring SSL VPN
Configure a tunnel route and policy:
Questions
1. What types of VPN does a Hillstone device support?
2. How do you configure a site-to-site IPSec VPN?
3. There are two modes in the Phase 1 ISAKMP configuration; what
is the difference between them?
4. What are the requirements on the address pool when
configuring SSL VPN?