Task
● Overview of site to site VPN
● Configure new security gateway with hostname of Branch-firewall and give a ip address of 172.11.5.1 and set a ip address of eth 1 interface is 172.11.6.1 and integration with SM
● Create vpn tunnel both firewalls with secret key authentication and use vpn communities as star type and peer ip would be for dc-SG is 172.11.2.1 and for Branch_SG is 172.11.6.1 and interesting traffic would be same
Explanation
ipsec vpn software blade is used for encrypt and decrypt traffic to and from external networks and client use smart Dashboard to easily configure VPN connections between security gateways and remote devices the vpn tunnel guarantees
Authentication :- Uses standard authentication method like pre shared and certificate based
Privacy : – all vpn data is encrypted
Integrity :- uses industry- standard integrity assurance methods
IKE and IPsec
Check point VPN solution uses these secure VPN protocols to manage encryption keys , and send encrypted packets IKE (internate key EXchange) is a standard key management protocol that is used to create the vpn tunnels ipsec is protocol that supports secure ip communication that are authenticated and encrypted on private or public networks
Site to Site VPN :-
The basis of site to site VPN is the encrypted VPN tunnel . Two security gateways negotiate a link and create a VPN tunnel and each tunnel can contain more than one VPN connections One security gateways can maintain more than one VPN tunnel at the same time.
VPN Communities :- A VPNdomain is a collection ofinternal networks that use security Gateways to send and receive Its a collection of VPN tunnels and their attributes Network resources of different VPN Domains can securely communicate with each other through VPN tunnels that terminate at the security gateways in the VPN communities vpn communities are based on star and mesh topology . in mesh community , there are vpn tunnels b/w each pair of security gateways
Routing VPN traffic :- configure the security gateways to route VPN traffic based on VPN domains or based on the routing settings of the operating system
For each VPN gateway . you must configure an existing gateway as a default gateway
Domain based VPN :- The vpn traffic is routed according to the VPN domain based routing to let satellite security gateways send VPN traffic to each other the center security gateway creates VPN tunnels to each satellite and the traffic is routed to the correct VPN domain
Routed based VPN :- VPN traffic is routed according to the routing setting (static or dynamic) of the security gateway operating system the security gateway uses a VTI (VPN Tunnel Interface) to second the VPN traffic as if it were a physical interface the VTI of Security gateways in a VPN community connect and can support dynamic routing protocols
Configuration
Now we have take GUI of SG from management interface ip-address with username-admin and uninets@123 and open any browser and type https://172.11.5.1 and put credential
and click on login
and we have click on next
and we will choose first option and click on next
here if we want change IP-address of interface and we can also provide default -gateway and click to next
Here we can change the hostname and give domain-name and primary DNS and secondary DNS all details are optional so we not configuring it now we will configure it according to need here we to configure time zone and time for device we have two methods one is manual and another is through NTP but here we don’t have any NTP server so we selected manual method and click on next
Here we are configuring our IOS working we two options one is for act as a security gateway or security management and one is multi-domain server and its use for manage multiple security managements but we have one security management we will choose first and click on next
So here we are operating devices in distributed mode (As we discussed earlier ) so we will select Security-Gateway and click on next
Here its asking for ip-gateway assignment to firewall from Dhcp but already give manual so selected NO
here giving password for SIC Process so SM can authenticate SG
click on Finish IF configured properly then its our final view
Now we to set ip address on interface eth1 so login into Branch_SG and enter login credential is username- admin password-uninets@123
BRANCH-SG>
BRANCH-SG> set interface eth1 ipv4-address 172.11.6.1 subnet-mask255.255.255.0
BRANCH-SG> set interface eth1 state on
BRANCH-SG> show interface eth1
state on
mac-addr 50:13:00:04:00:01
type ethernet
link-state link up
mtu 1500
ipv4-address 172.11.6.1/24
here we can see that we gave ip address to interface eth1 and now we have login into smart dashboard and add new security gateway like we added before
here we are going to add new security gateway on security manager
no click on click mode
here we need to mention firewall name and their ip address and click on communication tab put sic process password and initialized it then click on ok here we can see that Branch- SG has been added on Sm
Now we have to enable VPN blades on both firewalls
So check mark on IPSec VPN blade then click on ok enable on next firewall
Now we enabled ipsec blade on DC-SG Now we have to define vpn communities to define VPN peers and other VPN attributes then click on vpn communities and select site to site VPN
Click on new site to site and select topology type meshed because we have just two firewalls
give to any name we gave S2S then click on participating gateways tab
click on add
Click on ok here adding both firewall then click on encryption tab
We choose default but we want use customize configuration then select custom then select methods from there then click on then click on advance setting tab
Here we don't need to change anything then click on ok
Here we can see that S2S communities has been created Now we have to define rule base for vpn so click on policy tab
We are not mention any source or destination now we have to add communities so click on VPN tab and click on edit cell
Here we select third option and click on add
Here we are choosing our created communities S2S click on ok
click on ok here also
we want track it so click on track and select log click on ok and save the policy then push the policy
we selected both security gateways to push policies so now click on ok
Verification :-
BRANCH-SG> ping 172.11.2.1
PING 172.11.2.1 (172.11.2.1) 56(84) bytes of data.
64 bytes from 172.11.2.1: icmp_seq=5 ttl=64 time=1.06 ms
64 bytes from 172.11.2.1: icmp_seq=6 ttl=64 time=0.924 ms
64 bytes from 172.11.2.1: icmp_seq=7 ttl=64 time=1.00ms
Now we have to verify through smart view tracker
Here we can check tunnel has been created here source is Branch-SG and destination is DC-SG and all traffic has been encrypted Now we can verify through cmd so logon into Branch-SG
BRANCH-SG> expert
Enter expert password:
Warning! All configuration should be done through clash You are in expert mode now.
[Expert@BRANCH-SG:0]# vpn tu
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
1
Peer 172.11.2.1 SAs:
[Expert@BRANCH-SG:0]# vpn tu
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
Peer 172.11.2.1 SAs:
INBOUND:
OUTBOUND:
Same thing we can check on DC-SG so login into DC-SG and verify all SA for phase-1 and PHASE-2 SA (ipsec-sa)
Enter expert password:
Warning! All configuration should be done through clish
You are in expert mode now.
[Expert@firewall-Gateway:0]# vpn tu
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
*******************************************
1
Peer 172.11.5.1 SAs:
Hit key to continue …
********** Select Option **********
(1) List all IKE SAs
(2) List all IPsec SAs
(3) List all IKE SAs for a given peer (GW) or user (Client)
(4) List all IPsec SAs for a given peer (GW) or user (Client)
(5) Delete all IPsec SAs for a given peer (GW)
(6) Delete all IPsec SAs for a given User (Client)
(7) Delete all IPsec+IKE SAs for a given peer (GW)
(8) Delete all IPsec+IKE SAs for a given User (Client)
(9) Delete all IPsec SAs for ALL peers and users
(0) Delete all IPsec+IKE SAs for ALL peers and users
(Q) Quit
Peer 172.11.5.1 SAs:
INBOUND 1. 0x167c1afe
OUTBOUND: 1. 0x7e02c903
here we verify that Phase-1 and phase-2 has been created and data is encrypting and decrypting on both sides
Amar Singh is a senior security architect and a certified trainer. He is currently working with a reputed organization based out of India. His accomplishments include CCNA, CCNP Security, CEH, Vmware, Checkpoint and Palo Alto Certifications. He is holding more than 12 years of experience in Network security domain. In his career he has been ...
More... | Author`s Bog | Book a Meeting