
Course 201 - Administration, Content Inspection and VPNs

IPSec VPN

IPSec VPN
Module 6

2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C

Module Objectives
By the end of this module participants will be able to:
Define the architectural components of IPSec VPN
Define the protocols used as part of an IPSec VPN
Identify the phases of Internet Key Exchange (IKE)
Identify the FortiGate unit IPSec VPN modes
Configure IPSec VPN on the FortiGate unit

01-50000-0201-20130215-C


IPSec VPN

[Slide diagram: a private network over which data is confidential, data has integrity, and the sender is authenticated]

IPSec VPN
IPSec is a set of standard protocols and services used to encrypt data so that it cannot be read or tampered with as it travels across a network.
Provides:
Authentication of the sender
Confidentiality of data
Proof that data has not been tampered with


IPSec VPN
IPSec VPN operates at the network layer (layer 3).
Encryption occurs transparently to the upper layers; applications do not need to be designed to use IPSec.
IPSec VPN can protect upper layer protocols (such as TCP), but because it sits beneath them the complexity and overhead of the exchange are increased.
For example, IPSec cannot rely on TCP to manage reliability and fragmentation for it.

Internet Key Exchange
Internet Key Exchange (IKE) allows the parties involved in a transaction to set up their Security Associations.
Phase 1 authenticates the parties involved and sets up a secure channel to enable the key exchange.
Phase 2 negotiates the IPSec parameters to define an IPSec tunnel.


Phase 1
IKE Phase 1 performs the following:
Authenticates and protects the parties involved in the IPSec transaction
Can use pre-shared keys or digital certificates
Negotiates a matching SA policy between the peers to protect the exchange
Performs a Diffie-Hellman exchange
The keys derived from this exchange are used in Phase 2
Sets up a secure channel to negotiate Phase 2 parameters

Defining Phase 1 Parameters

KB IDs: 11657 13574


Phase 2
IKE Phase 2 performs the following:
Negotiates IPSec SA parameters
Protected by the existing IKE SA
Renegotiates IPSec SAs regularly to ensure security
Optionally, an additional Diffie-Hellman exchange may be performed

Defining Phase 2 Parameters


Interface Mode
Creates a virtual IPSec network interface that applies encryption or decryption as needed to any traffic that it carries
Also known as Route-Based
Create two firewall policies between the virtual IPSec interface and the interface that connects to the private network
The firewall policy action is ACCEPT
Needs static routes over VPN tunnels
Required if dynamic routing, GRE over IPSec or altering of the incoming subnet is needed


Tunnel Mode
Easy to configure: a single internal-to-external firewall policy supports bi-directional traffic
Policy action is IPSec, with the Phase 1 tunnel selected
IPSec policies should be located first in your policy list
Vulnerable to errors in quick mode (Phase 2) definitions or policies
Order of policies is very important


Tunnel Versus Interface Mode

Tunnel Mode:
Less configuration involved
Dependent on policy order for proper operation
Less granular

Interface Mode:
Required for GRE over IPSec
Required if manipulation of packet source IPs is necessary
Required to have the FortiGate unit participate in dynamic routing communication over the IPSec connection
More control

Overlapping Subnets
Site-to-site route-based VPN configurations sometimes experience a problem where the private subnet addresses at each end of the connection are the same.
Use NAT with an IP Pool.
After a tunnel is established, hosts on each side can communicate with hosts on the other side using the mapped IP addresses.
Interface mode can NAT both the incoming and outgoing traffic; tunnel mode can only NAT outgoing traffic.


IPSec Topologies (Site-to-Site)

[Slide diagram: site-to-site tunnel between Headquarters and Branch office]

IPSec VPN Monitor
Monitor activity on IPSec VPN tunnels:
Stop and start tunnels
Display address, proxy IDs, timeout information
A green arrow indicates that the negotiations were successful and the tunnel is UP
A red arrow means the tunnel is DOWN or not in use


IPSec VPN Monitor


Configuration
Step 1: Configure Phase 1
Choose the interface to listen for connections
Choose the remote location
Choose advanced options (DH group, XAUTH, etc.)

Step 2: Configure Phase 2
Multiple Phase 2s are possible on a single Phase 1 tunnel

Step 3: Create the firewall VPN policy or policies
May need more than one policy to allow all the access required


Configuration


Labs
Lab 1: IPSec VPN
Ex 1: Site to Site IPSec VPN


Classroom Lab Topology

