
Chapter 10 – IPSec VPN and SSL VPN

HCSA-NGFW 2022
Contents
1 Concept of VPN
2 IPsec VPN
3 Policy-based IPsec VPN
4 Route-based IPsec VPN
5 SSL VPN
Concept of VPN
Virtual Private Network

• VPN (Virtual Private Network)
- A virtual private network built across a public wide area network (WAN)
- Provides a significant cost advantage
- Simplifies LAN and WAN operations
- Provides good compatibility and expansibility
- Helps an enterprise quickly start new services and connect its branches around the world
- Needs security measures such as encryption, integrity verification and user authentication
www.hillstonenet.com
VPN Implementation

[Diagram: hosts A and B communicate through the public gateways X and Y; the A-to-B packet is encapsulated as X-to-Y across the public WAN]

• Provides a secure communication tunnel between remote computers across a public wide area network (WAN)
• Guarantees connection security by an encrypted tunnel
– Provides an encapsulation service for private data between two public gateways
Three Elements of VPN
VPN guarantees secure data transmission over the Internet by the following three elements:

Confidentiality
• Hides and secures data in the WAN

Integrity
• Ensures the data is not tampered with

Authentication
• Verifies whether the data source is trusted
Confidentiality
• Ensures data confidentiality by encryption
• Data encryption is reversible
• Data encryption and decryption by secret keys
- Symmetric (secret) key
- Asymmetric (public) key

Symmetric Key
• Operates fast, suitable for encrypting large amounts of data
• Typical key length: 40 bits to 1024 bits
• Example: DES, 3DES, AES

[Diagram: the sender encrypts the original data with the shared secret key, the encrypted data is transmitted, and the receiver decrypts it with the same key to recover the original data]
Asymmetric Key (Public Key)
• Slower than encryption with symmetric keys
• Typical key length: 512 bits to 2048 bits

[Diagram: the sender encrypts the original data with the receiver's public key (Pub); the receiver decrypts the encrypted data with its private key (Priv) to recover the original data]
Integrity
• Hash algorithms are widely used to provide the data integrity service
• One-way hashing algorithm
– The original data cannot be recovered from the hash value
• Output of fixed length (the length depends on the algorithm)
• Algorithm examples
– MD5, SHA
• MD5 provides 128-bit output
• SHA provides 160-bit output
One-Way Hash Procedure

[Diagram: (1) the sender runs the hash algorithm over the data, (2) sends the data together with the hash, (3) the receiver receives both, (4) recomputes the hash over the received data, and (5) compares the two hash values to check that they match]
Authentication
• Verifies data by authenticating the data source
• Uses HMAC (hash-based message authentication code)
– PSK (pre-shared key)
– RSA-sig
– DSA-sig
Hash Calculation with a Secret Key

[Diagram: (1) the sender runs the hash algorithm over the data together with the hash key, (2) sends the data and the hash, (3) the receiver holds the same hash key, (4) recomputes the keyed hash over the received data, and (5) compares the two hash values to check that they match]
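The two procedures above (one-way hash, then hash with a secret key) side by side, as an added example that is not part of the slides. It uses Python's hashlib and hmac modules with SHA-256 and a constructed message and key; a change of the data on the path is modelled to show why a plain hash gives integrity only, while the keyed hash also authenticates the source:

```python
import hashlib
import hmac

# Constructed sample message and shared hash key (not from the slides).
KEY = b"constructed-demo-hash-key"
MESSAGE = b"transfer to account 1234: amount 100"


def plain_hash(data: bytes) -> str:
    """One-way hash (One-Way Hash Procedure). Anyone can compute it."""
    return hashlib.sha256(data).hexdigest()


def keyed_hash(key: bytes, data: bytes) -> str:
    """Keyed hash, i.e. HMAC (Hash Calculation with a Secret Key)."""
    return hmac.new(key, data, hashlib.sha256).hexdigest()


def receiver_check_plain(data: bytes, received_hash: str) -> bool:
    """Steps 4 and 5 of the one-way procedure: recompute, then compare."""
    return hmac.compare_digest(plain_hash(data), received_hash)


def receiver_check_keyed(key: bytes, data: bytes, received_hash: str) -> bool:
    """Steps 4 and 5 of the keyed procedure: recompute with the shared key, then
    compare. compare_digest runs in constant time, so the comparison itself
    leaks nothing about how many bytes matched."""
    return hmac.compare_digest(keyed_hash(key, data), received_hash)


def modify_in_transit(data: bytes) -> tuple:
    """Model a change on the path: the data is altered and a plain hash is
    recomputed over it. Whoever does this holds no copy of the hash key."""
    modified = data.replace(b"amount 100", b"amount 900")
    return modified, plain_hash(modified)


def demo() -> dict:
    """Run both procedures against unmodified and modified data."""
    sent_plain = plain_hash(MESSAGE)
    sent_keyed = keyed_hash(KEY, MESSAGE)
    modified, recomputed = modify_in_transit(MESSAGE)
    return {
        # Unmodified data passes both checks.
        "plain_ok_untouched": receiver_check_plain(MESSAGE, sent_plain),
        "keyed_ok_untouched": receiver_check_keyed(KEY, MESSAGE, sent_keyed),
        # A recomputed plain hash still matches: the change goes unnoticed.
        "plain_detects_modification": not receiver_check_plain(modified, recomputed),
        # The receiver's keyed hash differs: the change is detected.
        "keyed_detects_modification": not receiver_check_keyed(KEY, modified, recomputed),
    }


if __name__ == "__main__":
    for name, result in demo().items():
        print(f"{name}: {result}")
```

The point the slides make in two diagrams shows up in the last two dictionary entries: the plain hash is recomputable by anyone who alters the data, so only the keyed hash ties the data to a holder of the key. This is why IPSec pairs its hash algorithm with keys negotiated in the SA rather than sending bare digests.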
SA (Security Association)
• Two types of SAs are used in IP security:
- ISAKMP SA - Protects secret key negotiation
- IPSec SA - Protects IP data

• When two IP entities communicate over IPSec VPN:
- First negotiates the ISAKMP SA - Phase 1
◆ Two negotiation modes: Main mode and Aggressive mode
- Uses the ISAKMP SA to negotiate the IPSec SA - Phase 2
◆ One negotiation mode: Quick mode
- Uses the IPSec SA to encrypt data
IPsec VPN
IPsec VPN Topology

[Diagram: FW1 and FW2 build a tunnel across the Internet between their untrust interfaces E0/4 (FW1: 200.1.1.1/24, FW2: 100.1.1.1); FW1's trust interface E0/1 serves 192.168.10.0/24 and FW2's dmz interface E0/2 serves 192.168.20.0/24]
IPSec VPN
• VPN is classified according to the data driver type:
- Policy-based
- Route-based

[Diagram: Site1 and Site2 LANs connected across the Internet, with a server on one of the LANs]
Configuration Steps of IPSec VPN
• IKE VPN adopts the auto negotiation method. The configuration of IKE VPN includes:
• Step 1: Configure IKE VPN
– Configure Phase 1 proposal (optional)
– Configure ISAKMP gateway
– Configure Phase 2 proposal (optional)
– Configure IPSec Tunnel
• Step 2: Configure the data-driven method
– Option 1 (policy-based): Configure a VPN policy rule. The action of the policy rule must be Tunnel or From tunnel.
– Option 2 (route-based): Bind the configured VPN instance to a tunnel interface, create a VPN tunnel route, and configure a permit policy rule based on the zone the tunnel interface is bound to.
Configuring IPSec VPN - Phase 1 Proposal
Network > VPN > IPSec VPN > P1 Proposal, click 『 New 』

CLI:
isakmp proposal p1-name
authentication {pre-share/rsa-sig}
encryption {3des/des/aes/aes192/aes256}
hash {sha/md5}
group {1/2/5/14/15/16}
lifetime <300-86400>

Configuring IPSec VPN - Phase 2 Proposal
Network > VPN > IPSec VPN > P2 Proposal, click 『 New 』

CLI:
ipsec proposal p2-name
protocol {esp/ah}
encryption {3des/des/aes/aes-192/aes-256/null}
hash {md5/sha/null}
group {no pfs/1/2/5/14/15/16}
lifetime <180-86400>
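An added review helper, not Hillstone code and not part of the slides, that takes Phase 1 and Phase 2 proposal values in the forms listed in the two CLI blocks above and flags choices a practitioner would want to replace before deploying. The accepted values and lifetime ranges are copied from the slides; the weak/legacy classification (DES, 3DES, MD5, null, DH groups 1/2/5, no PFS, AH) is the example's own:

```python
from dataclasses import dataclass

# Accepted values, copied from the P1/P2 proposal CLI syntax on the slides.
P1_AUTH = {"pre-share", "rsa-sig"}
P1_ENCRYPTION = {"3des", "des", "aes", "aes192", "aes256"}
P1_HASH = {"sha", "md5"}
P1_GROUPS = {1, 2, 5, 14, 15, 16}
P1_LIFETIME = (300, 86400)
P2_PROTOCOL = {"esp", "ah"}
P2_ENCRYPTION = {"3des", "des", "aes", "aes-192", "aes-256", "null"}
P2_HASH = {"md5", "sha", "null"}
P2_GROUPS = {"no pfs", 1, 2, 5, 14, 15, 16}
P2_LIFETIME = (180, 86400)

# Strength notes are this example's own classification, not the slides'.
WEAK_ENCRYPTION = {
    "des": "56-bit key, brute-forceable",
    "3des": "64-bit block cipher, deprecated (Sweet32)",
    "null": "no confidentiality at all",
}
WEAK_HASH = {"md5": "collision-broken, legacy only", "null": "no integrity protection"}
WEAK_GROUPS = {1: "768-bit MODP, too small", 2: "1024-bit MODP, too small",
               5: "1536-bit MODP, marginal"}
WEAK_P2_EXTRA = {"no pfs": "no PFS: phase 2 keys derive from the phase 1 secret"}
WEAK_PROTOCOL = {"ah": "AH authenticates but does not encrypt"}


@dataclass
class Finding:
    phase: int
    field_name: str
    value: str
    reason: str


def _check(phase, field_name, value, allowed, weak):
    """Reject values the platform does not accept; flag accepted-but-weak ones."""
    if value not in allowed:
        return [Finding(phase, field_name, str(value), "not an accepted value")]
    if value in weak:
        return [Finding(phase, field_name, str(value), weak[value])]
    return []


def _check_lifetime(phase, seconds, bounds):
    lo, hi = bounds
    if not lo <= seconds <= hi:
        return [Finding(phase, "lifetime", str(seconds), f"outside range {lo}-{hi}")]
    return []


def review_p1(encryption, hash_alg, group, lifetime, authentication="pre-share"):
    """Review an isakmp proposal (phase 1)."""
    return (_check(1, "authentication", authentication, P1_AUTH, {})
            + _check(1, "encryption", encryption, P1_ENCRYPTION, WEAK_ENCRYPTION)
            + _check(1, "hash", hash_alg, P1_HASH, WEAK_HASH)
            + _check(1, "group", group, P1_GROUPS, WEAK_GROUPS)
            + _check_lifetime(1, lifetime, P1_LIFETIME))


def review_p2(protocol, encryption, hash_alg, group, lifetime):
    """Review an ipsec proposal (phase 2)."""
    return (_check(2, "protocol", protocol, P2_PROTOCOL, WEAK_PROTOCOL)
            + _check(2, "encryption", encryption, P2_ENCRYPTION, WEAK_ENCRYPTION)
            + _check(2, "hash", hash_alg, P2_HASH, WEAK_HASH)
            + _check(2, "group", group, P2_GROUPS, {**WEAK_GROUPS, **WEAK_P2_EXTRA})
            + _check_lifetime(2, lifetime, P2_LIFETIME))


def demo():
    """A legacy pair (the md5/3des combination seen in the slides' show output,
    with a constructed DH group) beside a hardened pair."""
    legacy = (review_p1("3des", "md5", 2, 86400)
              + review_p2("esp", "3des", "md5", "no pfs", 28800))
    hardened = (review_p1("aes256", "sha", 14, 86400)
                + review_p2("esp", "aes-256", "sha", 14, 3600))
    return legacy, hardened


if __name__ == "__main__":
    legacy, hardened = demo()
    for f in legacy:
        print(f"P{f.phase} {f.field_name}={f.value}: {f.reason}")
    print(f"hardened proposal findings: {len(hardened)}")
```

Both sides of a tunnel must offer at least one matching proposal, so a hardened proposal is only useful once the peer is changed in step with it; run the review on both gateways' values before cutting over.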
Configuring IPSec VPN P1 - Peer ISAKMP Gateway (WebUI)
Network > VPN > IPSec VPN > VPN Peer List, click『New』
Configuring IPSec VPN - Peer ISAKMP Gateway (CLI)
• Configuring an ISAKMP gateway (peer)

CLI:
isakmp peer peer-name
connection-type {bidirectional | initiator-only | responder-only}
interface interface-name
isakmp-proposal p1-proposal1
mode {main | aggressive}
type {dynamic | static} // IP type of the peer side
peer ip-address // peer IP address
pre-share string // pre-shared key
Configuring IPSec VPN P2 - Tunnel (WebUI)
Network > VPN > IPSec VPN > IKE VPN List, click『New』
Configuring IPSec VPN Tunnel (CLI)
CLI:
tunnel ipsec tunnel-name auto
mode tunnel
isakmp-peer peer-name
ipsec-proposal p2-name
id {auto | local ip-address/mask remote ip-address/mask service service-name}
auto-connect

Note:
1. The id is the LAN subnet on each side, that is, the traffic the VPN needs to protect.
2. auto-connect must be enabled, otherwise the VPN connection will not be initiated actively.
Policy-based IPsecVPN
Create Address Book
• Create the local and peer LAN address book in advance.

Configure a policy (WebUI):
• Local to peer action: "Tunnel"
• Peer to local action: "From tunnel"
• Selecting "Bi-directional policy" creates both policies automatically
Configure a policy (CLI)
• Create outbound policy
policy-global
rule top from local to remote service any tunnel tunnel-name

• Create inbound policy
policy-global
rule top from remote to local service any fromtunnel tunnel-name
Create SNAT Rule
Policy > NAT > SNAT, click 『New』 to create a No NAT rule and place it at the top position.
Policy-Based IPSecVPN Configuration Steps
1. Create the address entry of the protected data flow
2. Set the phase 1 ISAKMP proposal
3. Create the phase 1 ISAKMP peer instance
4. Set the phase 2 IPSec proposal
5. Create the phase 2 IPSecVPN instance
6. Use a policy to call the IPSec instance, and put this policy at the top position
7. Create a No NAT SNAT rule and put it at the top position
Route-based IPsecVPN
Create Address Book
• Create the local and peer LAN address book in advance.

Create a tunnel interface
Network > Interface, click『New』to create a “Tunnel Interface”

Create Destination Route (WebUI)
Network > Routing > Destination Route, click『New』to create the route to the peer side
Create Policy
• Create permit policy
- Create a policy with the action permit based on the zone that the tunnel interface is bound to.
- If the access is bidirectional, you should also add an inbound policy. The inbound policy is configured by swapping the source and destination zones.
Route-based VPN (CLI)
• Create tunnel interface
interface tunnelNumber
zone VPNHub
tunnel ipsec tunnel-name
• Create route entry
ip vrouter trust-vr
ip route A.B.C.D/M tunnelNumber
• Create inbound and outbound policies
policy-global
rule top from local to remote service any permit
rule top from remote to local service any permit
Route-Based IPSecVPN Configuration Steps
1. Create the address entry of the protected data flow
2. Set the phase 1 ISAKMP proposal
3. Create the phase 1 ISAKMP peer instance
4. Set the phase 2 IPSec proposal
5. Create the phase 2 IPSecVPN instance
6. Create the tunnel interface and call the IPSec instance
7. Create the VPN route
8. Create the policy to permit traffic between the tunnel interface zone and the LAN zone
Check VPN Status (WebUI)
Network > VPN > IPSec VPN, click the 『Configuration』 button and select IPSec VPN Monitor from the list
Check VPN Status (CLI)
1. Check the P1 ISAKMP SA
SG-6000# show isa sa
Total: 1
================================================================================
Cookies Gateway Port Algorithms Lifetime
--------------------------------------------------------------------------------
4964a49b7e~ 100.1.1.1 500 pre-share md5/3des 85733
================================================================================

2. Check the P2 IPSec SA. It is bidirectional, with one entry for outbound and one for inbound; a successfully established SA shows status A (Active).

SG-6000# show ipsec sa
Total: 1
S - Status, I - Inactive, A - Active;
================================================================================
Id VPN Peer IP Port Algorithms SPI Life(s) S
--------------------------------------------------------------------------------
4 to-100.1.1.1 >200.1.1.1 500 esp:3des/md5/- 4eccb22b 28130 A
4 to-100.1.1.1 <200.1.1.1 500 esp:3des/md5/- 59f95ee0 28130 A
================================================================================
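An added example, not part of the slides, that parses the `show ipsec sa` table above and checks that a VPN has both an outbound and an inbound SA in Active state, which is the condition the slide gives for success. The first sample is the slide's own output; the second is a constructed variant with one SA near expiry and one Inactive. Reading ">" as outbound and "<" as inbound is this example's assumption, as is the 300-second near-expiry threshold:

```python
import re
from dataclasses import dataclass

# Output as shown on the "Check VPN Status (CLI)" slide.
SAMPLE_OK = """\
Total: 1
S - Status, I - Inactive, A - Active;
================================================================================
Id VPN Peer IP Port Algorithms SPI Life(s) S
--------------------------------------------------------------------------------
4 to-100.1.1.1 >200.1.1.1 500 esp:3des/md5/- 4eccb22b 28130 A
4 to-100.1.1.1 <200.1.1.1 500 esp:3des/md5/- 59f95ee0 28130 A
================================================================================
"""

# Constructed variant (not from the slides): outbound SA almost expired, inbound SA Inactive.
SAMPLE_BROKEN = """\
Total: 1
S - Status, I - Inactive, A - Active;
================================================================================
Id VPN Peer IP Port Algorithms SPI Life(s) S
--------------------------------------------------------------------------------
4 to-100.1.1.1 >200.1.1.1 500 esp:3des/md5/- 4eccb22b 200 A
4 to-100.1.1.1 <200.1.1.1 500 esp:3des/md5/- 59f95ee0 28130 I
================================================================================
"""

# One table row: the direction marker is glued to the front of the peer IP.
ROW = re.compile(
    r"^(?P<id>\d+)\s+(?P<vpn>\S+)\s+(?P<dir>[<>])(?P<peer>\S+)\s+(?P<port>\d+)\s+"
    r"(?P<alg>\S+)\s+(?P<spi>[0-9a-fA-F]+)\s+(?P<life>\d+)\s+(?P<status>[AI])\s*$"
)


@dataclass
class IpsecSa:
    sa_id: int
    vpn: str
    direction: str   # "outbound" for ">" and "inbound" for "<" (assumed mapping)
    peer: str
    port: int
    algorithms: str
    spi: str
    life_s: int
    active: bool


def parse_ipsec_sa(output: str) -> list:
    """Turn the show output into IpsecSa records; headers, separators and the
    status legend do not match ROW and are skipped."""
    sas = []
    for line in output.splitlines():
        m = ROW.match(line.strip())
        if not m:
            continue
        sas.append(IpsecSa(
            sa_id=int(m["id"]), vpn=m["vpn"],
            direction="outbound" if m["dir"] == ">" else "inbound",
            peer=m["peer"], port=int(m["port"]), algorithms=m["alg"],
            spi=m["spi"], life_s=int(m["life"]), active=m["status"] == "A"))
    return sas


def check_tunnel(sas: list, vpn: str, min_life_s: int = 300) -> list:
    """Problems for one VPN: a missing direction, an Inactive SA, or an Active SA
    that is about to expire (rekey should already have replaced it)."""
    problems = []
    mine = [s for s in sas if s.vpn == vpn]
    for direction in ("outbound", "inbound"):
        matching = [s for s in mine if s.direction == direction]
        if not matching:
            problems.append(f"{vpn}: no {direction} SA")
            continue
        for s in matching:
            if not s.active:
                problems.append(f"{vpn}: {direction} SA spi {s.spi} is Inactive")
            elif s.life_s < min_life_s:
                problems.append(f"{vpn}: {direction} SA spi {s.spi} expires in {s.life_s}s")
    return problems


if __name__ == "__main__":
    for label, sample in (("slide output", SAMPLE_OK), ("constructed", SAMPLE_BROKEN)):
        print(label, check_tunnel(parse_ipsec_sa(sample), "to-100.1.1.1") or "OK")
```

A tunnel that shows only one direction Active typically passes traffic one way only, which is the symptom behind most "the VPN is up but nothing works" tickets; checking both rows, as the slide instructs, catches that before the policy is blamed.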
SSLVPN
SSL VPN – Remote access to Intranet

[Diagram: a remote client on the Internet reaches the headquarters through the WAN interface E0/4 (200.0.0.10/24); the LAN interface E0/1 (192.168.10.1/24) serves the server/database]
SSL VPN Introduction
• Functions
– Secure remote access; SSL VPN is also called SCVPN in Hillstone products
• Elements
– PC host / Mobile host
– Local/Radius/LDAP/AD/Tacacs+ authentication server
SSL VPN Client
• Functions of the SSL VPN server
– Accepting connections from the clients
– Assigning IP addresses, DNS server addresses, and WINS server addresses to SSL VPN clients
– Authenticating and authorizing SSL VPN clients
– Encrypting and forwarding IPSec data
• SSL VPN Client Access
– Client: Hillstone Security Connect
• SSL VPN Client Download
– Hillstone official website: https://www.hillstonenet.com/more/services/product-downloads/
Configuring SSL VPN
Network > VPN > SSL VPN, click『New』to create an SSL VPN and select the AAA server.
Local and third-party AAA servers are supported.
Configuring SSL VPN – Access Interface
Specify an SSL VPN service interface and a service port, configure a tunnel interface and an address pool, and then click Next.

• If there are two links, the client can choose either egress interface address to access
• The service port is the port for the SSL VPN connection; the default is 4433 and it can be changed
Configuring SSL VPN – Tunnel Interface
• The tunnel interface and the address pool must be in the same IP address segment, without overlap.
• An IP must be set on the SSL VPN tunnel interface, because this IP is the gateway IP for the client.
Configuring SSL VPN – Address Pool
• Configure the address pool that distributes IPs to SSL VPN clients; it is recommended to use an uncommon IP range to avoid conflict with the client's own IP address.
• The tunnel interface IP must not be included in the address pool.
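An added check, not part of the slides, for the tunnel interface and address pool rules above, using Python's ipaddress module. All addresses are constructed (the slides give no SSL VPN addressing values), and the overlap test against common client LANs is this example's extension of the slide's advice to pick an uncommon range:

```python
import ipaddress

# Constructed values; the slides give no SSL VPN addressing example.
GOOD_TUNNEL_IF = "10.200.1.1/24"
GOOD_POOL = ("10.200.1.10", "10.200.1.200")
# Subnets remote clients commonly sit in at home or in hotels (constructed list).
COMMON_CLIENT_LANS = ("192.168.0.0/24", "192.168.1.0/24", "10.0.0.0/24")


def validate_sslvpn_addressing(tunnel_if, pool_start, pool_end, client_lans=COMMON_CLIENT_LANS):
    """Apply the slide's rules to a tunnel interface address ('ip/prefix') and an
    inclusive address-pool range; returns a list of problems (empty means OK)."""
    problems = []
    iface = ipaddress.ip_interface(tunnel_if)
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start > end:
        return [f"pool start {start} is after pool end {end}"]
    segment = iface.network

    # Rule 1: the tunnel interface and the address pool must be in the same segment.
    if start not in segment or end not in segment:
        problems.append(f"pool {start}-{end} is not inside the tunnel interface segment {segment}")

    # Rule 2: the tunnel interface IP (the client's gateway) must not be in the pool.
    if start <= iface.ip <= end:
        problems.append(f"tunnel interface IP {iface.ip} lies inside the pool")

    # Recommendation: use an uncommon range so assigned addresses do not clash
    # with the client's own LAN (this overlap check is the example's extension).
    pool_nets = list(ipaddress.summarize_address_range(start, end))
    for lan in client_lans:
        lan_net = ipaddress.ip_network(lan)
        if any(n.overlaps(lan_net) for n in pool_nets):
            problems.append(f"pool overlaps common client LAN {lan_net}")
    return problems


if __name__ == "__main__":
    print(validate_sslvpn_addressing(GOOD_TUNNEL_IF, *GOOD_POOL))
    print(validate_sslvpn_addressing("192.168.1.1/24", "192.168.1.1", "192.168.1.100"))
```

The second call in the usage block reproduces the two mistakes the slides warn about in one configuration: the gateway IP sits inside the pool, and the pool collides with the 192.168.1.0/24 range a client's home router is likely to use, so the client's own LAN routes and the tunnel routes would compete.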
Configuring SSL VPN – Tunnel Route
Click『Tunnel Route』
• The tunnel route specifies which servers the client can access after it has connected to the SSL VPN server
Configuring SSL VPN – Policy
• Configure the SSL VPN permit policy:
- The SSL VPN tunnel interface is bound to zone VPNHub; access from that zone to the server zone must be permitted
Questions
1. What types of VPN does a Hillstone device support?
2. How do you configure a site-to-site IPSec VPN, and what are the steps?
3. There are two negotiation modes in the P1 ISAKMP configuration; what is the difference between them?
4. What are the requirements for the address pool when configuring SSL VPN?
Thanks
