HCSA-NGFW 2020
Contents
1 Concept of VPN
2 IPsec VPN
3 Policy-based IPsec VPN
4 Route-based IPsec VPN
5 SSL VPN
Concept of VPN
Virtual Private Network
- Helps an enterprise quickly start new services and connect its branches around the world
Virtual Private Network
[Topology diagram: a Branch and the Headquarters connected across the Internet; points labelled A, X and Y]
Confidentiality
• Hides and secures data in the WAN
Integrity
• Ensures the data has not been tampered with
Authentication
• Verifies whether the data source is trusted
Confidentiality
• Ensures data confidentiality by encryption
• Data encryption is reversible
• Data is encrypted and decrypted with secret keys
- Symmetric (secret) key
- Asymmetric (public) key
Symmetric Key
• Operates fast, suitable for encrypting large amounts of data
• Typical key length: 40 bits to 1024 bits
• Examples: DES, 3DES, AES
[Diagram: Sender and Receiver]
Asymmetric Key (Public Key)
• Slower than encryption with symmetric keys
• Typical key length: 512 bits to 2048 bits
[Diagram: Sender and Receiver; public key (Pub), original data and encrypted data; steps 1 and 3]
Integrity
• Hash algorithms are widely used to provide the data integrity service
• Algorithm examples
– MD5, SHA
• MD5 produces a 128-bit output
• SHA produces a 160-bit output
One-Way Hash Procedure
[Diagram, Sender and Receiver, steps 1 to 5: the sender computes the Hash over the Data, sends Data and Hash, the receiver recomputes the Hash over the received Data and compares the two hashes]
Hash Calculation with a Secret Key
[Diagram, Sender and Receiver, steps 1 to 5: the same procedure, but both sides feed the shared Hash key into the hash computation before comparing the hashes]
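The two hash slides above describe the same procedure with and without a shared key. The following added example (not Hillstone code and not part of the original slides) runs both variants with Python's standard library: a plain one-way hash and a keyed hash (HMAC over SHA-1, matching the 160-bit SHA output the Integrity slide gives). The message, the tampered message and the shared key are constructed sample values. It shows what the key adds: a plain hash detects accidental corruption but is satisfied by any data/hash pair that is internally consistent, whereas a keyed hash can only be produced by a party that holds the key.

```python
"""Plain hash vs keyed hash (HMAC) for integrity checking.

Added example for the two hash slides above; not Hillstone code.
Message, key and the tampered message are constructed sample values.
"""
import hashlib
import hmac

# Constructed sample values (not from the original slides).
MESSAGE = b"transfer 100 to account 42"
TAMPERED = b"transfer 900 to account 42"
SHARED_KEY = b"constructed-demo-key"  # pre-shared between sender and receiver


def plain_digest(data: bytes) -> bytes:
    """One-way hash only ('One-Way Hash Procedure' slide): SHA-1, 160-bit output."""
    return hashlib.sha1(data).digest()


def keyed_digest(data: bytes, key: bytes) -> bytes:
    """Hash with a secret key ('Hash Calculation with a Secret Key' slide): HMAC-SHA1."""
    return hmac.new(key, data, hashlib.sha1).digest()


def plain_verify(data: bytes, digest: bytes) -> bool:
    """Receiver side, step 5 of the plain procedure: recompute and compare."""
    return hmac.compare_digest(plain_digest(data), digest)


def keyed_verify(data: bytes, digest: bytes, key: bytes) -> bool:
    """Receiver side, step 5 of the keyed procedure: recompute with the key and compare."""
    return hmac.compare_digest(keyed_digest(data, key), digest)


def demo() -> dict:
    """Walk through both procedures and return the verification outcomes."""
    # Sender computes and transmits (Data, Hash).
    sent_plain = (MESSAGE, plain_digest(MESSAGE))
    sent_keyed = (MESSAGE, keyed_digest(MESSAGE, SHARED_KEY))

    results = {}
    # 1. Untouched message: both receivers accept it.
    results["plain_ok"] = plain_verify(*sent_plain)
    results["keyed_ok"] = keyed_verify(*sent_keyed, SHARED_KEY)
    # 2. Data changed in transit, hash left alone: both procedures detect it.
    results["plain_detects_corruption"] = not plain_verify(TAMPERED, sent_plain[1])
    results["keyed_detects_corruption"] = not keyed_verify(TAMPERED, sent_keyed[1], SHARED_KEY)
    # 3. Data changed and the hash recomputed over the new data by someone without the key.
    #    The plain hash is accepted: it only proves that data and hash are consistent,
    #    not who produced them. The keyed hash is rejected: without the key, the
    #    matching digest cannot be computed, so integrity now implies authentication.
    results["plain_accepts_recomputed"] = plain_verify(TAMPERED, plain_digest(TAMPERED))
    results["keyed_rejects_recomputed"] = not keyed_verify(TAMPERED, plain_digest(TAMPERED), SHARED_KEY)
    return results


if __name__ == "__main__":
    for name, value in demo().items():
        print(f"{name}: {value}")
```

This is why IPsec uses keyed hashes (the `hash {sha/md5}` choice in the proposals below selects the algorithm inside an HMAC) rather than bare MD5 or SHA over the packet.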
SA (Security Association)
• Two types of SAs are used in IP security:
- ISAKMP SA: protects the secret key negotiation
- IPsec SA: protects the IP data
IPsec VPN
IPsec VPN Topology
[Topology diagram: two sites connected across the Internet; interfaces E0/1 and E0/2, zones trust and dmz, LAN subnets 192.168.10.0/24 and 192.168.20.0/24]
IPsec VPN
• VPN is classified according to the data driver type:
- Policy-based
- Route-based
[Diagram: Site1 and Site2 connected over the Internet; Server and LAN]
Configuration Steps of IPsec VPN
• IKE VPN adopts the auto negotiation method. The configuration of IKE VPN includes:
• Step 1: Configure IKE VPN
– Configure Phase 1 proposal (optional)
– Configure ISAKMP gateway
– Configure Phase 2 proposal (optional)
– Configure IPsec tunnel
Configuring IPsec VPN - Phase 1 Proposal
WebUI: Network > VPN > IPSec VPN > P1 Proposal, click 『New』
CLI:
isakmp proposal p1-name
  authentication {pre-share/rsa-sig}
  encryption {3des/des/aes/aes192/aes256}
  hash {sha/md5}
  group {1/2/5/14/15/16}
  lifetime <300-86400>
Configuring IPsec VPN - Peer ISAKMP Gateway (WebUI)
Network > VPN > IPSec VPN > VPN Peer List, click 『New』
Configuring IPsec VPN - Peer ISAKMP Gateway (CLI)
Configuring IPsec VPN - Phase 2 Proposal
WebUI: Network > VPN > IPSec VPN > P2 Proposal, click 『New』
CLI:
ipsec proposal p2-name
  protocol {esp/ah}
  encryption {3des/des/aes/aes-192/aes-256/null}
  hash {md5/sha/null}
  group {no pfs/1/2/5/14/15/16}
  lifetime <180-86400>
Configuring IPsec VPN Tunnel (WebUI)
Network > VPN > IPSec VPN > IKE VPN List, click 『New』
Configuring IPsec VPN Tunnel (CLI)
CLI:
tunnel ipsec tunnel-name auto
  mode tunnel
  isakmp-peer peer-name
  ipsec-proposal p2-name
  id {auto | local ip-address/mask remote ip-address/mask service service-name}
  auto-connect
Note:
1. id is the LAN subnet address of both sides, i.e. the traffic that the VPN needs to protect.
2. auto-connect must be enabled, otherwise the VPN connection will not be initiated proactively.
Policy-based IPsec VPN
Create Address Book
• Create the local and peer LAN address book entries in advance.
Configure a policy (WebUI):
• Local to peer action: “Tunnel”
• Peer to local action: “From tunnel”
• Selecting “Bi-directional policy” creates the bidirectional policies automatically
Configure a policy (CLI)
• Create outbound policy
policy-global
  rule top from local to remote service any tunnel tunnel-name
Create SNAT Rule
Policy > NAT > SNAT, click 『New』 to create a No NAT rule.
Policy-Based IPsec VPN Configuration Steps
1. Create the address entry of the protected data flow
2. Set the phase 1 ISAKMP proposal
3. Create the phase 1 ISAKMP peer instance
4. Set the phase 2 IPsec proposal
5. Create the phase 2 IPsec VPN instance
6. Use a policy to call the IPsec instance, and put this policy at the top position
7. Create the No NAT SNAT rule and put it at the top position
Route-based IPsec VPN
Create Address Book
• Create the local and peer LAN address book entries in advance.
Create a tunnel interface
Network > Interface, click 『New』 to create a “Tunnel Interface”
Create Destination Route (WebUI)
Network > Routing > Destination Route, click 『New』 to create the access route to the peer side
Create Policy
• Create permit policy
- Create a policy with the action permit, based on the zone that the tunnel interface is bound to.
- If the access is bidirectional, you should also add an inbound policy. The inbound policy is configured by exchanging the source and destination zones.
Route-based VPN (CLI)
• Create tunnel interface
interface tunnelNumber
  zone VPNHub
  tunnel IPSec tunnel-name
• Create route entry
ip vrouter trust-vr
  ip route A.B.C.D/M tunnelNumber
• Create inbound and outbound policies
policy-global
  rule top from local to remote service any permit
  rule top from remote to local service any permit
Route-Based IPsec VPN Configuration Steps
1. Create the address entry of the protected data flow
2. Set the phase 1 ISAKMP proposal
3. Create the phase 1 ISAKMP peer instance
4. Set the phase 2 IPsec proposal
5. Create the phase 2 IPsec VPN instance
6. Create the tunnel interface and call the IPsec instance
7. Create the VPN route
8. Create the policy to permit traffic between the tunnel interface zone and the LAN zone
Check VPN Status
• WebUI
• CLI
Troubleshooting
• VPN troubleshooting:
- Step 1: Use the command show ipsec sa to verify whether the phase 2 SA has been established; if so, the VPN negotiation has completed successfully.
- Step 2: If the phase 2 SA has not been established, use the command show isakmp sa to verify whether the phase 1 SA has been established. If so, the problem is typically in the phase 2 configuration, for example inconsistent phase 2 proposals or proxy IDs; if not, review the phase 1 peer or network configuration, for example inconsistent phase 1 proposals, a mismatched pre-shared key, or no available route to the peer.
- By default the VPN negotiation is triggered by traffic. To enable auto connection, select Enable for Auto connect under the Advance tab of the phase 2 tunnel configuration dialog.
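The phase 1 and phase 2 causes listed in the troubleshooting steps above can all be checked against the two peers' intended configurations before anything is negotiated. The following added example (not Hillstone code, and not how the device itself negotiates) models the mismatches the slide names, with the parameter names of the CLI slides (authentication, encryption, hash, group, protocol, id local/remote). The two site configurations, the pre-shared key and the deliberately broken copy of site 2 are constructed sample values; the set-valued fields stand for several proposals offered on one side, which is why they are intersected rather than compared for equality.

```python
"""Consistency check for two site-to-site IKE/IPsec peer configurations.

Added example for the troubleshooting slide above; it is not Hillstone code
and does not reproduce the device's negotiation. It models the mismatches the
slide lists (phase 1 proposal, pre-shared key, phase 2 proposal, proxy ID) on
two constructed configurations written with the parameter names of the CLI
slides (authentication, encryption, hash, group, protocol, id local/remote).
"""
import copy
from ipaddress import ip_network
from typing import Dict, List, Optional

# Constructed sample configurations for the two sites; not from the slides.
SITE1 = {
    "psk": "constructed-psk",
    "p1": {"authentication": "pre-share", "encryption": {"aes256"},
           "hash": {"sha"}, "group": {14}},
    "p2": {"protocol": "esp", "encryption": {"aes256"}, "hash": {"sha"},
           "group": {14}},
    # 'id local ... remote ...' from the tunnel configuration: the LAN subnets
    "id": {"local": "192.168.10.0/24", "remote": "192.168.20.0/24"},
}
SITE2 = {
    "psk": "constructed-psk",
    "p1": {"authentication": "pre-share", "encryption": {"aes256", "3des"},
           "hash": {"sha", "md5"}, "group": {14, 2}},
    "p2": {"protocol": "esp", "encryption": {"aes256"}, "hash": {"sha"},
           "group": {14}},
    "id": {"local": "192.168.20.0/24", "remote": "192.168.10.0/24"},
}

# A deliberately misconfigured copy of SITE2: DH group and proxy ID changed.
SITE2_BAD = copy.deepcopy(SITE2)
SITE2_BAD["p1"]["group"] = {2}
SITE2_BAD["id"]["remote"] = "192.168.10.0/25"


def common_proposal(a: Dict, b: Dict, fields) -> Optional[Dict]:
    """Return the attribute values both peers offer, or None if any field has no overlap.

    Set-valued fields (several proposals offered) are intersected; single
    values such as the authentication method or ESP/AH must be equal.
    """
    chosen = {}
    for field in fields:
        va, vb = a[field], b[field]
        if isinstance(va, set):
            both = va & vb
            if not both:
                return None
            chosen[field] = sorted(both)
        elif va != vb:
            return None
        else:
            chosen[field] = va
    return chosen


def proxy_ids_mirror(a: Dict, b: Dict) -> bool:
    """Proxy IDs must mirror each other: my local subnet is the peer's remote one and vice versa."""
    return (ip_network(a["local"]) == ip_network(b["remote"])
            and ip_network(a["remote"]) == ip_network(b["local"]))


def diagnose(site_a: Dict, site_b: Dict) -> List[str]:
    """List the mismatches, phase 1 causes first, in the order the troubleshooting slide checks them."""
    problems = []
    if common_proposal(site_a["p1"], site_b["p1"],
                       ("authentication", "encryption", "hash", "group")) is None:
        problems.append("phase 1: no common ISAKMP proposal")
    if site_a["psk"] != site_b["psk"]:
        problems.append("phase 1: pre-shared keys differ")
    if common_proposal(site_a["p2"], site_b["p2"],
                       ("protocol", "encryption", "hash", "group")) is None:
        problems.append("phase 2: no common IPsec proposal")
    if not proxy_ids_mirror(site_a["id"], site_b["id"]):
        problems.append("phase 2: proxy IDs do not mirror each other")
    return problems


if __name__ == "__main__":
    print("site1 <-> site2:", diagnose(SITE1, SITE2) or "consistent")
    print("site1 <-> site2_bad:", diagnose(SITE1, SITE2_BAD))
```

The proxy-ID rule is the one the tunnel slide's note states (id is the LAN subnet of both sides): a /25 on one side against a /24 on the other is a phase 2 failure even though every other parameter matches, which is exactly the case where show isakmp sa shows a phase 1 SA but show ipsec sa shows none.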
SSL VPN
SSL VPN - Remote access to Intranet
[Topology diagram: remote client on the Internet reaches the device on E0/4 (200.0.0.10/24); the internal interface E0/1 (192.168.10.1/24) serves the Server/Database Server1 at 192.168.10.10/24]
SSL VPN Introduction
• Functions
– Remote secure access
• Elements
– PC host
– SSL VPN access point
– Local/RADIUS/LDAP/AD/TACACS+ authentication server
SSL VPN Client
• Downloading the SSL VPN client (Hillstone Secure Connect)
– Downloading via Internet Explorer (IE)
– Downloading via Netscape or Firefox
• Connecting to the SSL VPN server
– Connect via Internet Explorer (IE)
– Connect via the client application
• Functions of the SSL VPN server
– Accepting connections from the clients
– Assigning IP addresses, DNS server addresses, and WINS server addresses to SSL VPN clients
– Authenticating and authorizing SSL VPN clients
– Encrypting and forwarding IPsec data
Configuring SSL VPN
Network > VPN > SSL VPN, click 『New』
Configuring SSL VPN - Access Interface
Specify an SSL VPN service interface and a service port, configure a tunnel interface and an address pool, and then click Next.
Configuring SSL VPN - Tunnel Interface
• The tunnel interface and the address pool must be in the same IP address segment, without overlap.
• An IP address must be set on the SSL VPN tunnel interface, because this IP is the gateway IP for the clients.
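The two requirements on the tunnel interface and the address pool are easy to get wrong when the pool is edited later. The following added example (not Hillstone code) encodes them as read here: every pool address must fall inside the tunnel interface's IP segment, and the pool must not hand out the tunnel interface's own address, since that address is the clients' gateway. The interface address and pool ranges are constructed sample values.

```python
"""Validate an SSL VPN tunnel interface address against its address pool.

Added example for the 'Tunnel Interface' slide; not Hillstone code. It encodes
the slide's two requirements as read here: the address pool lies in the same
IP segment as the tunnel interface, and the pool does not overlap the tunnel
interface's own address, which is the clients' gateway. Addresses are
constructed sample values.
"""
from ipaddress import ip_address, ip_interface
from typing import List


def check_pool(tunnel_if: str, pool_start: str, pool_end: str) -> List[str]:
    """Return the list of rule violations; an empty list means the pool is acceptable."""
    iface = ip_interface(tunnel_if)  # e.g. "10.1.1.1/24": gateway address plus segment
    start, end = ip_address(pool_start), ip_address(pool_end)
    problems = []
    # Mixed IPv4/IPv6 input cannot be compared, so reject it up front.
    if start.version != iface.version or end.version != iface.version:
        return ["pool and tunnel interface are not the same IP version"]
    if start > end:
        return ["pool start address is after pool end address"]
    # Rule 1: same segment. Both ends of the pool must lie inside the interface's network.
    if start not in iface.network or end not in iface.network:
        problems.append("pool is not in the tunnel interface's IP segment")
    # Rule 2: no overlap with the gateway address itself.
    if start <= iface.ip <= end:
        problems.append("pool overlaps the tunnel interface address")
    return problems


if __name__ == "__main__":
    # Constructed values: gateway 10.1.1.1/24, clients 10.1.1.100 to 10.1.1.200.
    print(check_pool("10.1.1.1/24", "10.1.1.100", "10.1.1.200") or "ok")
    print(check_pool("10.1.1.1/24", "10.1.1.1", "10.1.1.50"))
    print(check_pool("10.1.1.1/24", "10.1.2.100", "10.1.2.200"))
```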
Configuring SSL VPN - Address Pool
Configuring SSL VPN - Tunnel Route
Configuring SSL VPN - Policy
• Configure the SSL VPN permit policy:
- The SSL VPN tunnel interface is bound to zone VPNHub, so access from that zone to the server zone must be permitted
Questions
1. What types of VPN does a Hillstone device support?
2. How do you configure a site-to-site IPsec VPN, and what are the steps?
3. There are two negotiation modes in the P1 ISAKMP configuration; what is the difference between them?
4. What are the requirements for the address pool when configuring SSL VPN?
Thanks