IPSec VPN
Module 6
2013 Fortinet Training Services. This training may not be recorded in any medium, disclosed, copied, reproduced or distributed to anyone without prior written consent of an authorized representative of Fortinet. Rev. 20130215-C
Module Objectives
By the end of this module participants will be able to:
Define the architectural components of IPSec VPN
Define the protocols used as part of an IPSec VPN
Identify the phases of Internet Key Exchange (IKE)
Identify the FortiGate unit IPSec VPN modes
Configure IPSec VPN on the FortiGate unit
01-50000-0201-20130215-C
Slide figure labels: private network, data confidential, sender authenticated
IPSec VPN
IPSec is a set of standard protocols and services used to encrypt data so that it cannot be read or tampered with as it travels across a network. It provides:
Authentication of the sender
Confidentiality of data
Proof that data has not been tampered with
IPSec VPN can protect upper layer protocols (such as TCP), but the complexity and overhead of the exchange are increased.
For example, IPSec cannot depend on TCP to manage reliability and fragmentation.
Internet Key Exchange
Internet Key Exchange (IKE) allows the parties involved in a transaction to set up their Security Associations.
Phase 1 authenticates the parties involved and sets up a secure channel to enable the key exchange.
Phase 2 negotiates the IPSec parameters to define an IPSec tunnel.
Phase 1
Negotiates a matching SA policy between the computers to protect the exchange
Performs a Diffie-Hellman exchange
The keys derived from this exchange are used in Phase 2
Phase 2
Renegotiates IPSec SAs regularly to ensure security
Optionally, an additional Diffie-Hellman exchange may be performed
Interface Mode
Creates a virtual IPSec network interface that applies encryption or decryption as needed to any traffic that it carries
Also known as Route-Based
Create two firewall policies between the virtual IPSec interface and the interface that connects to the private network
The firewall policy action is ACCEPT
Needs static routes over VPN tunnels
Required if dynamic routing, GRE over IPSec or altering of the incoming subnet is needed
Tunnel Mode
Easy to configure: a single internal-to-external firewall policy supports bi-directional traffic
Policy action is IPSec, with the Phase 1 tunnel selected
IPSec policies should be located first in your policy list
Vulnerable to errors in quick modes or policies
Order of policies is very important
Tunnel Mode
Less configuration involved
Dependent on policy order for proper operation
Less granular
Interface Mode
Required for GRE over IPSec
Required if manipulation of packet source IPs is necessary
Required to have the FortiGate unit participate in dynamic routing communication over the IPSec connection
More control
Overlapping Subnets
Site-to-site route-based VPN configurations sometimes experience a problem where the private subnet addresses at each end of the connection are the same
After a tunnel is established, hosts on each side can communicate with hosts on the other side using the mapped IP addresses
Use NAT with an IP Pool
Interface mode can NAT both the incoming and outgoing traffic
Tunnel mode can only NAT outgoing traffic
Slide figure: site-to-site VPN to a branch office
A green arrow indicates that the negotiations were successful and the tunnel is UP
A red arrow means the tunnel is DOWN or not in use
Configuration