This example is derived from Allied's example 22, with the errors fixed :-)
Each site has a private network, and there are no IP address clashes between the sites. Each firewall has a valid public IP address for access to the internet.
There are no restrictions placed on access from the private network to the internet.
There is no access from the internet to the private network except for
traffic that has been tunneled from the other site.
In both cases eth0 is the private network, and eth1 the public network.
It is worth checking the free space in the Flash memory and compacting if
necessary, while logged in as manager.
Create keys on both firewalls.
If the above shows any problem, fix it before proceeding further.
The GRE tables support Generic Routing Encapsulation.
Up to 99 GRE tables may be defined, each with multiple sets of address patterns.
When a packet is received on an interface, the interface definition is
checked to see if a GRE table is defined for the interface.
If a table is defined, the table is scanned for a match using the
source and destination addresses.
If a match is found, additional processing is done.
You can check if any GRE tables have already been set up with the show gre command.
Note this command is pushing the maximum line length of a command; you
will probably have to either abbreviate the options to their minimum length,
or leave the target out, do a
Configure our private network interface to check against the GRE list
we have just created.
Tell the IP module to use the GRE table for locally generated traffic.
We now need to create the specifications for the Security Associations to be negotiated on the VPN that connects this LAN
to the remote LAN, so that traffic between the LANs is encrypted.
This example will specify AH using SHA, and ESP using DES+MD5, with key
management via ISAKMP.
The Firewall supports 256 Security Association specifications.
The defined SA specifications are combined into up to 256 bundles;
when negotiating with a potential peer, it is the SA specs within the
bundle selected for use with that peer that are checked.
For our current purposes we want traffic between our firewalls,
using the public interfaces, encrypted,
but traffic out to the web in general passed as is.
Note this command is pushing the maximum line length of a command; you
will probably have to either abbreviate the options to their minimum length,
or leave the target out, do a
set ipsec policy=Fire2Fire
RADDress=193.133.123.213
RMASk=255.255.255.255
LADDress=193.133.123.140
LMASk=255.255.255.255
create ipsec policy=the_rest
int=eth1
action=permit
Enable NAT for connections from private addresses to the Internet.
If not already done, add a default routing entry.
As it is outbound on eth1, the source address is checked against
the NAT filters. The address matches, so NAT processing is triggered and
the source address rewritten.
The packet is sent, and a reply received.
The received packet passes through eth1; the destination is local.
Local packet processing routes the packet to the inbound NAT
module that has been listening for replies.
The NAT module rewrites the destination address from its saved values, and
the packet is passed for routing.
The packet is sent over eth0 to the host that started the session.
A match is found, so the GRE module encapsulates the packet in a new GRE packet.
The GRE packet is passed to the routing module; the destination address
is not local, and a check
with the routing tables indicates it should be sent on eth1.
As it is outbound on eth1, the source address is checked against
the NAT filters. As the source is the local address, NAT processing is skipped.
The packet is compared with the IPsec filters; a match is found for policy
Fire2Fire, so the packet is queued awaiting tunnel initialization.
ISAKMP negotiation starts by sending a UDP packet to port 500 on
the unit handling the remote end of the tunnel and awaits a reply.
The ISAKMP packet is routed outbound on interface eth1.
The ISAKMP packet is compared against the NAT filters.
As the source is the local address, NAT processing is skipped.
The ISAKMP packet is compared to the IPsec filters; a match is found for policy
isakmp, with an action of permit, so the packet is sent.
A reply is received from the remote unit {UDP port 500}.
This passes inbound on eth1, to the local ISAKMP agent.
Negotiation continues through phases 1 and 2, with a number of further packets being exchanged.
The tunnel is established.
The queued packets are encrypted according to the agreed security
associations and the resulting packets are sent outbound on eth1.
Oddly, it would appear that the tunnel packets skip the outbound filters.
The returning ESP tunnel packets are received on eth1, and sent
for local processing.
The payload is unpacked and decrypted.
The resulting packets of type GRE are delivered locally to the GRE module.
The GRE module unpacks the packet.
The packet is not local, and routing indicates that it should be
delivered via eth0.
The packet is sent over eth0 to the host that started the session.
And the same for the local private networks.
However, you should now be able to ping or traceroute from devices
on one of the private networks to the other, or to the internet.
Note that if the tunnel is working properly you should not see any intermediate
routers appearing in the traceroute listing when tracing between the
sites' private networks.
If you suspect a problem on the network between the two routers, you must trace
to the remote router's public interface, so that your trace packets do not
use the tunnel, but follow the route of the tunnel's transport layer.
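The traceroute check described above can be automated: if the tunnel is carrying the trace, every hop that answers should sit inside one of the two private networks, and any public-network hop (the ISP router, the peer firewall's public address) shows the packets took the transport path instead. The following is an added example, not part of the original notes; the two traceroute listings are constructed for illustration using the addresses from this page, and the helper names are my own.

```python
import ipaddress
import re

# The two private networks from this page's configuration.
SITE_NETS = ["192.168.124.0/24", "172.28.3.16/28"]

# Constructed traceroute output for a trace that went through the tunnel:
# only private-side hops appear (the local firewall's eth0, the remote
# firewall's eth0, the target host).
TRACE_OK = """traceroute to 172.28.3.19 (172.28.3.19), 30 hops max
 1  192.168.124.1  0.412 ms
 2  172.28.3.17  31.210 ms
 3  172.28.3.19  32.004 ms
"""

# Constructed output for a trace that bypassed the tunnel: the ISP router
# (193.133.123.129) and the peer's public interface (193.133.123.213) show up.
TRACE_LEAK = """traceroute to 172.28.3.19 (172.28.3.19), 30 hops max
 1  192.168.124.1  0.412 ms
 2  193.133.123.129  4.200 ms
 3  193.133.123.213  28.100 ms
 4  172.28.3.19  32.004 ms
"""

HOP_RE = re.compile(r"^\s*(\d+)\s+(.*)$")          # "<hop number>  <rest of line>"
IP_RE = re.compile(r"\d{1,3}(?:\.\d{1,3}){3}")     # first dotted quad on the line


def parse_hops(output):
    """Return one entry per hop line: the responding address, or None for a
    hop that only printed '* * *'.  Banner lines are skipped.  Lines in the
    'name (a.b.c.d)' form also work, since the first dotted quad is taken."""
    hops = []
    for line in output.splitlines():
        m = HOP_RE.match(line)
        if not m:
            continue
        ip = IP_RE.search(m.group(2))
        hops.append(ipaddress.ip_address(ip.group(0)) if ip else None)
    return hops


def tunnel_hops_only(output, private_nets):
    """Return the hops that fall outside the given private networks.
    An empty list means the trace stayed inside the tunnel end to end;
    anything returned is a router on the transport path, i.e. the tunnel
    was not used for that traffic."""
    nets = [ipaddress.ip_network(n) for n in private_nets]
    return [h for h in parse_hops(output)
            if h is not None and not any(h in n for n in nets)]


if __name__ == "__main__":
    for label, text in (("tunnel", TRACE_OK), ("bypass", TRACE_LEAK)):
        leaked = tunnel_hops_only(text, SITE_NETS)
        print(label, "OK" if not leaked else "transport hops: " + ", ".join(map(str, leaked)))
```

Feed it the captured output of a traceroute from a host on one private network to a host on the other; the returned list is exactly the set of public routers you should not be seeing while the tunnel is up.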
Config used for Eval and notes
Setup is for a private network->Firewall->DMZ->ISP router type config.
Site specific info for first site {Roadtech}
Site specific info for second site {hitech-logistics}
The base configuration should already have been set and saved.
eth0 is the private interface, and eth1 the public interface.
Both have been configured as per the
notes.
Show Flash
Activate Flash compaction
Private Network interface
If you have not already done so, configure the IP address and
settings for the private interface eth0.
Public Network interface
If you have not already done so, configure the IP address and
settings for the public interface eth1.
Create Security officer
If you have not already created a Security Officer
login, you need to do so now.
Please remember to keep a note of the name and password.
add
user=Arther
password=qlbp
priv=securityofficer
Create IPsec Keys
We are going to use preshared keys for authentication.
The key will be created on the first firewall and then installed on the
second. Each firewall can store a list of 65,535 keys.
show enco key
will show the keys currently in use.
Create tunnel conditions and rules
Basically, what we set up here tells the router that packets from
networks on our private network {identified as an address and network mask}
to a remote network {identified as an address and network mask}
are to be encrypted and tunneled to the public address of the remote
firewall.
First Firewall
Before continuing any further, it is worth checking that your routing table
looks sensible and that you can at least ping something on both your private
network and the internet while logged on as manager to the Firewall.
show ip route
ping 193.133.123.131
ping 192.168.124.122
enable gre
show gre
Note the entry number, and then use the set gre=1 entry=n ..... form to finish
configuring the entry.
add gre=1
SOUrce=192.168.124.0
SMAsk=255.255.255.0
DESt=172.28.3.16
DMAsk=255.255.255.240
TARget=193.133.123.213
set ip int=eth0 gre=1
set ip local gre=1
show ipsec SAspec
will list already defined specs.
show ipsec bundles
will list existing bundles.
create ipsec saspec=1 prot=ah hasha=sha keyman=isakmp
set ipsec sas=1 mode=transport
create ipsec saspec=2 prot=esp hasha=md5 encalg=des keyman=isakmp
set ipsec sas=2 mode=transport
create ipsec bundlespec=1 keym=isakmp string="1 and 2"
show ipsec
Note the entry number, and then use multiple set ipsec policy=Fire2Fire .....
commands to finish configuring the entry.
create ipsec policy=isakmp
int=eth1
action=permit
set ipsec policy=isakmp
RADDress=193.133.123.213
RMASk=255.255.255.255
RPOrt=500
LADDress=193.133.123.140
LMASk=255.255.255.255
LPOrt=500
TRANsportprotocol=UDP
create ipsec policy=Fire2Fire
int=eth1
action=ipsec
KEYManagement=isakmp
BUNDlespecification=1
PEERaddress=193.133.123.213
enable ipsec
create isakmp
policy=Fire2Fire
peer=193.133.123.213
key=1
enable isakmp
enable ip nat
add ip nat ip=192.168.124.0 mask=255.255.255.0 gblip=193.133.123.140
add ip route=0.0.0.0 int=eth1 next=193.133.123.129 mask=0.0.0.0
Second Firewall
Before continuing any further, it is worth checking that your routing table
looks sensible and that you can at least ping something on both your private
network and the internet while logged on as manager to the Firewall.
show ip route
ping 193.133.123.194
ping 172.28.3.19
enable gre
add gre=1
source=172.28.3.16
smask=255.255.255.240
dest=192.168.124.0
dmask=255.255.255.0
target=193.133.123.140
set ip int=eth0 gre=1
set ip local gre=1
show ipsec SAspec
will list already defined specs.
show ipsec bundles
will list existing bundles.
create ipsec saspec=1 prot=ah hasha=sha keyman=isakmp
set ipsec sas=1 mode=transport
create ipsec saspec=2 prot=esp hasha=md5 encalg=des keyman=isakmp
set ipsec sas=2 mode=transport
create ipsec bundlespec=1 keym=isakmp string="1 and 2"
create ipsec policy=isakmp
int=eth1
action=permit
set ipsec policy=isakmp
RADDress=193.133.123.140
RMASk=255.255.255.255
RPOrt=500
LADDress=193.133.123.213
LMASk=255.255.255.255
LPOrt=500
TRANsportprotocol=UDP
create ipsec policy=Fire2Fire
int=eth1
action=ipsec
keymanagement=isakmp
bundlespecification=1
peeraddress=193.133.123.140
set ipsec policy=Fire2Fire
raddress=193.133.123.140
rmask=255.255.255.255
laddress=193.133.123.213
lmask=255.255.255.255
create ipsec policy=the_rest
int=eth1
action=permit
enable ipsec
create isakmp
policy=Fire2Fire
peer=193.133.123.140
key=1
enable isakmp
enable ip nat
add ip nat ip=172.28.3.16 mask=255.255.255.240 gblip=193.133.123.213
How it works
Site to web
A packet from a host on the private network arrives at the router.
It is compared with the GRE filters for the receiving interface eth0.
It does not match; the destination address is not local, and a check
with the routing tables indicates it should be sent on eth1.
Site to Site
A packet from a host on the private network arrives at the router.
It is compared with the GRE filters for the receiving interface eth0.
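To make the processing order in "How it works" concrete, and to show the GRE table scan described earlier (interface lookup, then source/destination match with masks), here is a small model of the first firewall's outbound path from eth0 to eth1: GRE table 1, then the NAT filter, then the IPsec policies in the order the configuration creates them (isakmp, Fire2Fire, the_rest). This is an added example written for these notes, not Allied Telesyn code, and the device does more than this; all addresses and masks are taken from the configuration on this page, the Packet tuples are constructed, and the function names are my own.

```python
import ipaddress
from dataclasses import dataclass

IPNet = ipaddress.IPv4Network


@dataclass
class Packet:
    """Constructed packet summary; proto is one of icmp/udp/tcp/gre/esp."""
    src: str
    dst: str
    proto: str = "icmp"
    sport: int = 0
    dport: int = 0


# First firewall: private 192.168.124.0/24 behind public 193.133.123.140,
# peer firewall public 193.133.123.213 with private 172.28.3.16/28.
LOCAL_PUBLIC = "193.133.123.140"
PEER_PUBLIC = "193.133.123.213"

# add gre=1 source=192.168.124.0 smask=255.255.255.0
#           dest=172.28.3.16 dmask=255.255.255.240 target=193.133.123.213
GRE_TABLE_1 = [
    (IPNet("192.168.124.0/255.255.255.0"), IPNet("172.28.3.16/255.255.255.240"), PEER_PUBLIC),
]

# add ip nat ip=192.168.124.0 mask=255.255.255.0 gblip=193.133.123.140
NAT_RULE = (IPNet("192.168.124.0/255.255.255.0"), LOCAL_PUBLIC)


def gre_lookup(table, pkt):
    """Scan a GRE table for a source/destination match; return the tunnel
    target address, or None when no entry matches (packet goes to the web)."""
    s, d = ipaddress.ip_address(pkt.src), ipaddress.ip_address(pkt.dst)
    for src_net, dst_net, target in table:
        if s in src_net and d in dst_net:
            return target
    return None


def gre_encapsulate(pkt, target):
    """Wrap the packet in a new GRE packet from our public address to the target."""
    return Packet(src=LOCAL_PUBLIC, dst=target, proto="gre")


def outbound_nat(pkt):
    """NAT filter on eth1: locally sourced packets (GRE, ISAKMP) are skipped,
    private sources matching the rule are rewritten to the global address."""
    if pkt.src == LOCAL_PUBLIC:
        return pkt, "nat skipped (local source)"
    net, gblip = NAT_RULE
    if ipaddress.ip_address(pkt.src) in net:
        return Packet(gblip, pkt.dst, pkt.proto, pkt.sport, pkt.dport), "nat applied"
    return pkt, "nat no match"


def ipsec_policy(pkt):
    """IPsec policies on eth1, checked in creation order; first match wins."""
    # policy isakmp: UDP 500 <-> 500 between the two public addresses, permit
    if (pkt.proto == "udp" and pkt.sport == 500 and pkt.dport == 500
            and pkt.src == LOCAL_PUBLIC and pkt.dst == PEER_PUBLIC):
        return "isakmp:permit"
    # policy Fire2Fire: local public -> peer public, action ipsec (bundle 1:
    # AH/SHA + ESP/DES+MD5 as on this page; DES is obsolete and only mirrors
    # the example)
    if pkt.src == LOCAL_PUBLIC and pkt.dst == PEER_PUBLIC:
        return "Fire2Fire:ipsec"
    # policy the_rest: everything else out of eth1 is passed as is
    return "the_rest:permit"


def process_from_eth0(pkt):
    """Path for a packet received on eth0 and routed out of eth1.  Returns the
    packet as it leaves for the IPsec stage and a trace of the decisions."""
    trace = []
    target = gre_lookup(GRE_TABLE_1, pkt)
    if target:
        pkt = gre_encapsulate(pkt, target)
        trace.append("gre encapsulated")
    else:
        trace.append("gre no match")
    pkt, note = outbound_nat(pkt)
    trace.append(note)
    trace.append(ipsec_policy(pkt))
    return pkt, trace


if __name__ == "__main__":
    for p in (Packet("192.168.124.10", "172.28.3.20"),              # site to site
              Packet("192.168.124.10", "8.8.8.8", "tcp", 40000, 80),  # site to web
              Packet("192.168.124.10", "172.28.3.40")):             # outside the /28
        print(p, "->", process_from_eth0(p))
```

The third sample packet is the edge worth noticing: 172.28.3.40 is outside 172.28.3.16/28, so it is not tunneled but NATed and sent to the internet under the_rest, which is exactly the failure you see when a DMAsk is too narrow. The ISAKMP exchange itself is modelled only by ipsec_policy, where a UDP 500 packet between the two public addresses hits the isakmp permit policy rather than Fire2Fire.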
Testing
You should still be able to ping addresses on the public internet,
from the router.