The dialup client may have a dynamic IP address, but there are restrictions.
This example is derived from Allied's Helpful Scripts, section 6, example 3.
Each site has a private network; there are no IP address clashes between the sites. Each firewall has a valid public IP address for access to the internet.
The roaming user has a laptop with a dialup connection.
There are no restrictions placed on access from the private network to the internet.
There is no access from the internet to the private network except for
traffic that has been tunnelled from the other site.
In both cases eth0 is the private network, and eth1 the public network.
It is worth checking the free space in the Flash memory and compacting if
necessary,
while logged in as manager.
Create keys on both firewalls.
If the above shows any problem, fix it before proceeding further.
An interface may only be defined as private in one policy.
An interface may be defined as public in at most two policies.
A policy may have multiple private and public interfaces.
Default rules are :-
Note that the default rules block ICMP traffic such as pings. This stops
certain abuses, but makes diagnosing and testing VPN tunnels a pain,
so the rules here re-enable them.
Note this command is pushing the maximum line length of a command; you
will probably have to either abbreviate the options to their minimum length
or leave the target out, do a
This example specifies AH using SHA and ESP using DES (the ESP SA specification
below uses hasha=null, so ESP carries no authentication of its own), with key
management via ISAKMP. Single DES has a 56-bit key and is not an acceptable
cipher outside a lab reproduction of this setup.
The firewall supports 256 Security Association specifications.
The defined SA specifications are combined into up to 256 bundles;
when negotiating with a potential peer it is the SA specs within the
bundle selected for use with that peer that are checked.
Start by defining Security Association Specifications and Bundles.
See
IPsec
For our current purposes we want traffic between our firewalls
over the public interfaces encrypted,
but traffic out to the web in general passed as is.
As it is outbound on eth1, the source address is checked against
the NAT filters. The address matches, so NAT processing is triggered and
the source address rewritten.
The packet is sent, and a reply received.
The received packet passes in through eth1; the destination is local.
Local packet processing routes the packet to the inbound NAT
module that has been listening for replies.
The NAT module rewrites the destination address from its saved values, and the
packet is passed for routing.
The packet is sent over eth0 to the host that started the session.
A check of the destination address
against the routing tables indicates it should be sent on eth1.
The packet is compared with the IPsec filters; a match is found for policy
Fire2Fire, so the packet is queued awaiting tunnel initialisation.
ISAKMP negotiation starts by sending a UDP packet to port 500 on
the unit handling the remote end of the tunnel and awaiting a reply.
The ISAKMP packet is routed outbound on interface eth1.
The ISAKMP packet is compared against the NAT filters.
As the source is local, NAT processing is skipped.
The ISAKMP packet is compared to the IPsec filters; a match is found for policy
isakmp, with an action of permit, so the packet is sent.
A reply is received from the remote unit (UDP port 500).
This passes inbound on eth1 to the local ISAKMP agent.
Negotiation continues through phases 1 and 2, with a number of further packets being exchanged.
The tunnel is established.
The queued packets are encrypted according to the agreed security
associations and the resulting packets are sent outbound on eth1.
Oddly, it would appear that tunnel packets skip the outbound filters.
NAT on outbound IPsec packets is suppressed.
The returning ESP tunnel packets are received on eth1 and sent
for local processing.
The payload is unpacked and decrypted.
The packet is not local, and routing indicates that it should be
delivered via eth0.
The packet is sent over eth0 to the host that started the session.
And the same for the local private networks.
However, you should now be able to ping or traceroute from devices
on one of the private networks to the other, or to the internet.
Note that if the tunnel is working properly you should not see any intermediate
routers appearing in the traceroute listing when tracing between the
sites' private networks.
If you suspect a problem on the network between the two routers, you must trace
to the remote router's public interface, so that your trace packets do not
use the tunnel but follow the route of the tunnel's transport layer.
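The two diagnostic rules above (no intermediate hops should appear when tracing LAN to LAN through the tunnel; trace to the remote public interface to exercise the transport path instead) can be applied mechanically to traceroute output. The Python below is an added example written for this page, not code from the original page or from Allied's scripts. It assumes the firewalls answer traceroute probes from their private-side addresses, and it runs on constructed traceroute output that reuses the site addresses from the configuration on this page.

```python
import ipaddress

# Constructed traceroute output (not captured from a real device) for a host on
# the first site's LAN (192.168.124.0/24) tracing to a host on the second
# site's LAN (172.28.3.16/28). Hop 1 is the local firewall's private address,
# hop 2 the remote firewall's private address: no public router in between.
TRACE_VIA_TUNNEL = """\
traceroute to 172.28.3.19 (172.28.3.19), 30 hops max, 60 byte packets
 1  192.168.124.1 (192.168.124.1)  0.412 ms  0.398 ms  0.371 ms
 2  172.28.3.17 (172.28.3.17)  31.208 ms  31.114 ms  31.051 ms
 3  172.28.3.19 (172.28.3.19)  31.902 ms  31.877 ms  31.840 ms
"""

# Same destination, but the packets were routed across the internet in the
# clear (the IPsec policy did not match), so public hops show up.
TRACE_BYPASSING_TUNNEL = """\
traceroute to 172.28.3.19 (172.28.3.19), 30 hops max, 60 byte packets
 1  192.168.124.1 (192.168.124.1)  0.402 ms  0.388 ms  0.361 ms
 2  193.133.123.129 (193.133.123.129)  4.118 ms  4.097 ms  4.060 ms
 3  * * *
 4  193.133.123.213 (193.133.123.213)  29.511 ms  29.490 ms  29.455 ms
 5  * * *
"""

# A trace aimed at the remote firewall's public interface, which by design
# does not use the tunnel and therefore shows the transport path.
TRACE_TO_PUBLIC = """\
traceroute to 193.133.123.213 (193.133.123.213), 30 hops max, 60 byte packets
 1  192.168.124.1 (192.168.124.1)  0.399 ms  0.380 ms  0.352 ms
 2  193.133.123.129 (193.133.123.129)  4.201 ms  4.150 ms  4.102 ms
 3  * * *
 4  193.133.123.213 (193.133.123.213)  29.602 ms  29.561 ms  29.530 ms
"""


def parse_hops(trace_text):
    """Return one entry per hop line: the responding address, or None for '* * *'."""
    hops = []
    for line in trace_text.splitlines():
        parts = line.split()
        if not parts or not parts[0].isdigit():
            continue                      # header line, not a hop
        addr = None
        for tok in parts[1:]:
            try:
                addr = ipaddress.ip_address(tok.strip("()"))
                break
            except ValueError:
                continue                  # '*', RTT values, 'ms'
        hops.append(addr)
    return hops


def check_tunnel_trace(trace_text, local_private_net, remote_private_net):
    """Classify a trace from one private LAN to the other.

    Returns (verdict, offending_hops). 'tunnel' means every responding hop lies
    in one of the two private networks, i.e. no intermediate router appeared;
    'bypass' means a public address replied, so the packets travelled outside
    the tunnel; 'incomplete' means nothing inside the remote network answered.
    """
    local = ipaddress.ip_network(local_private_net)
    remote = ipaddress.ip_network(remote_private_net)
    hops = parse_hops(trace_text)
    public = [str(h) for h in hops if h is not None and h not in local and h not in remote]
    if public:
        return "bypass", public
    if not any(h is not None and h in remote for h in hops):
        return "incomplete", []
    return "tunnel", []


def transport_path_ok(trace_text, remote_public_ip):
    """For a trace aimed at the remote firewall's public interface, report
    whether the last responding hop is that interface."""
    target = ipaddress.ip_address(remote_public_ip)
    hops = [h for h in parse_hops(trace_text) if h is not None]
    return bool(hops) and hops[-1] == target


if __name__ == "__main__":
    print(check_tunnel_trace(TRACE_VIA_TUNNEL, "192.168.124.0/24", "172.28.3.16/28"))
    print(check_tunnel_trace(TRACE_BYPASSING_TUNNEL, "192.168.124.0/24", "172.28.3.16/28"))
    print(transport_path_ok(TRACE_TO_PUBLIC, "193.133.123.213"))
```

A 'bypass' verdict on a LAN-to-LAN trace points at the IPsec policy selection (the Fire2Fire LADDress/RADDress and mask values) rather than at the transport path; a failed transport trace points at routing or the ISP side, and the tunnel cannot come up until that is fixed.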
Config used for Eval and notes
Setup is for a private network -> Firewall -> DMZ -> ISP router type config.
Site specific info for first site {Roadtech}
Site specific info for second site {hitech-logistics}
The base configuration should have already been set and saved.
eth0 is the private interface, and eth1 the public interface.
Both have been configured as per the notes.
show flash
activate flash compaction
Private Network interface
If you have not already done so, configure the IP address and
settings for the private interface eth0.
Public Network interface
If you have not already done so, configure the IP address and
settings for the public interface eth1.
Create Security officer
If you have not already created a Security Officer
login you need to do so now.
Please remember to keep a note of the name and password.
add user=Arther password=qlbp priv=securityofficer
Create IPsec Keys
We are going to use pre-shared keys for authentication.
The key will be created on the first firewall and then installed on the
second; carry it across out of band, since anyone holding it can bring up a
tunnel as that peer. Each firewall can store a list of 65,535 keys.
show enco key
will show the keys currently in use.
Create tunnel conditions and rules
Basically, what we set up here tells the router that packets from
networks on our private network (identified as an address and network mask)
to a remote network (identified as an address and network mask)
are to be encrypted and tunnelled to the public address of the remote
firewall.
First Firewall
Before continuing any further it is worth checking that your routing table
looks sensible and that you can at least ping something on both your private
network and the internet while logged on as manager to the firewall.
show ip route
ping 193.133.123.131
ping 192.168.124.122
If not already done, add a default routing entry.
Nemiss Firewall Module Config
We need to designate a minimum of one policy, with both a public and
a private interface.
enable fire
create fire poli=main
#
# Assign public and private interfaces
add fire poli=main int=eth0 type=private
add fire poli=main int=eth1 type=public
#
# Enable ICMP pings (blocked by the default rules)
enable firewall policy=main icmp_forwarding=all
#
# Enable the firewall module's NAT functions
add fire poli=main nat=enhanced int=eth0 gblint=eth1
#
# Permit ISAKMP traffic originating at the firewall
add fire poli=main rule=1 int=eth1 action=allow
ip=193.133.123.140
prot=udp
port=500
gblip=193.133.123.140
gblpo=500
#
# Disable NAT for inter-site traffic that is encapsulated in IPsec
add fire poli=main rule=2 int=eth1 action=nonat
prot=all ip=192.168.124.1-192.168.124.254 encap=ipsec
#
# Rule 3 for internally initiated VPN traffic to the remote office
# (local range is the whole 192.168.124.0/24 private network).
add fire poli=main ru=3 ac=nonat int=eth0
prot=all ip=192.168.124.1-192.168.124.254
set fire poli=main ru=3 remoteip=172.28.3.17-172.28.3.30
#
show gre
Note the entry number, and then use the set gre=1 entry=n ..... form to finish
configuring the entry.
IPsec Module Config
We now need to create the specifications for the Security
Associations to be negotiated on the VPN to connect this LAN
to the remote LAN, so that traffic between the LANs is encrypted.
The SA specifications and bundle that the Fire2Fire and roaming1 policies
reference as bund=1 must exist on this firewall too; they are the same
create IPSec SASpec / bundlespec commands listed under the second firewall.
show IPSec
Note the entry number, and then use multiple set IPSec policy=Fire2Fire .....
commands to finish configuring the entry.
# ISAKMP traffic permitted, UDP port 500 to port 500, from anywhere.
create IPSec policy=isakmp
int=eth1
action=permit
set IPsec policy=isakmp
lad=193.133.123.140
RPOrt=500
LPOrt=500
TRANsportprotocol=UDP
# IPsec to the remote site, from our private network (LADD, LMASK) to their
# network (RADD, RMASK)
create IPSec policy=Fire2Fire
int=eth1
action=IPSec
KEYManagement=isakmp
BUNDlespecification=1
PEERaddress=193.133.123.213
set IPSec policy=Fire2Fire
isa=Fire2Fire
set IPSec policy=Fire2Fire
RADDress=172.28.3.16
RMASk=255.255.255.240
LADDress=192.168.124.0
LMASk=255.255.255.0
# Policy for our roaming user (dynamic peer address).
create IPSec policy=roaming1 int=eth1 ACTion=ipsec key=isakmp bund=1
peer=dynamic isa=roaming1
set IPSec policy=roaming1 lad=192.168.124.0 LMAsk=255.255.255.0 rname=roaming1
# Internet access
create IPSec policy=the_rest
int=eth1
action=permit
enable IPSec
User authentication
You have a choice here: either create the users on the firewall or
configure a RADIUS server.
add user=mikey pass=ratspass login=false
# Default route via the ISP router, if not already present (mask 0.0.0.0,
# not a host mask).
add ip route=0.0.0.0 int=eth1 next=193.133.123.129 mask=0.0.0.0
Second Firewall
Before continuing any further it is worth checking that your routing table
looks sensible and that you can at least ping something on both your private
network and the internet while logged on as manager to the firewall.
show ip route
ping 193.133.123.194
ping 172.28.3.19
Nemmiss Firewall Module Config
enable fire
create fire poli=main
# Assign public and private interfaces
add fire poli=main int=eth0 type=private
add fire poli=main int=eth1 type=public
#
# Enable the firewall module's NAT functions
add fire poli=main nat=enhanced int=eth0 gblint=eth1
#
# Permit ISAKMP traffic originating at the firewall
add fire poli=main rule=1 int=eth1 action=allow
ip=193.133.123.213
prot=udp
port=500
gblip=193.133.123.213
gblpo=500
#
# Disable NAT for inter-site traffic that is encapsulated in IPsec
add fire poli=main rule=2 int=eth1 action=nonat
prot=all ip=172.28.3.17-172.28.3.30 encap=ipsec
#
# Rule 3 for internally initiated VPN traffic to the remote office.
add fire poli=main ru=3 ac=nonat int=eth0
prot=all ip=172.28.3.17-172.28.3.30
set fire poli=main ru=3 remoteip=192.168.124.1-192.168.124.254
show gre
Note the entry number, and then use the set gre=1 entry=n ..... form to finish
configuring the entry.
IPsec Module Config
We now need to create the specifications for the Security
Associations to be negotiated on the VPN to connect this LAN
to the remote LAN, so that traffic between the LANs is encrypted.
show IPSec SAspec
will list already defined specs.
show IPSec bundles
will list existing bundles.
create IPSec SASpec=1 prot=esp hasha=null encalg=des keyman=isakmp
create IPSec SASpec=2 prot=ah mode=TUNNel hasha=sha keyman=isakmp
create IPSec bundlespec=1 keym=isakmp string="1 and 2"
show IPSec
Note the entry number, and then use multiple set IPSec policy=Fire2Fire .....
commands to finish configuring the entry.
# ISAKMP traffic permitted, UDP port 500 to port 500, from anywhere.
create IPSec policy=isakmp
int=eth1
action=permit
RPOrt=500
LPOrt=500
set IPSec policy=isakmp
TRANsportprotocol=UDP
# IPsec to remote site
create IPSec policy=Fire2Fire
int=eth1
action=IPSec
KEYManagement=isakmp
BUNDlespecification=1
PEERaddress=193.133.123.140
set IPSec policy=Fire2Fire
isa=Fire2Fire
set IPSec policy=Fire2Fire
RADDress=192.168.124.0
RMASk=255.255.255.0
LADDress=172.28.3.16
LMASk=255.255.255.240
# Internet access
create IPSec policy=the_rest
int=eth1
action=permit
enable IPSec
ISAKMP config
Note this example is using the same key for both sites and the roaming user.
This is a bad idea: a pre-shared key shared with every roaming laptop is only
as secret as the least-protected laptop, so use a distinct key per peer.
# Remote site
create isakmp
policy=Fire2Fire
peer=193.133.123.140
hashalg=sha
key=1
set ISAkmp pol=Fire2Fire
senddeletes=on setcommitbit=on sendnotify=on
#
enable isakmp
add user=mikey pass=ratspass login=false
Roaming Client
Create key
ISAKMP
create isakmp
policy=roaming1
peer=193.133.123.140
hashalg=sha
key=1
set isakmp
policy=roaming1
senddeletes=on setcommitbit=on sendnotify=on
# User authentication
set isakmp
policy=roaming1
xauth=client
xauthname=mikey
xauthpass=ratspass
IPSEC
create IPSec SASpec=1 prot=esp hasha=null encalg=des keyman=isakmp
create IPSec SASpec=2 prot=ah mode=TUNNel hasha=sha keyman=isakmp
create IPSec bundlespec=1 keym=isakmp string="1 and 2"
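The constraints stated earlier on this page (an interface may be private in only one policy and public in at most two; every policy needs both a private and a public interface) and the warning about reusing one ISAKMP pre-shared key for the site-to-site and roaming policies can be checked before the commands are typed into the firewalls. The Python below is an added example written for this page, not code from the original page, from Allied's scripts or from the firewall itself. It assumes the CLI's abbreviation rule is "any unambiguous prefix" (so poli=, int=, ac= and gblint= expand as shown), that a line not beginning with a command verb continues the previous command (the page wraps long commands that way), and it runs on a constructed sample configuration in the same command style.

```python
import shlex
from collections import defaultdict

# Verbs that begin a command (assumed set); any other line continues the
# previous command, which is how the page wraps over-long commands.
VERBS = {"add", "create", "set", "enable", "disable", "show", "delete", "activate"}
# Full parameter and module names known to the checker. Abbreviations are
# expanded against these by unique prefix (assumption about the CLI rule).
PARAMS = ["policy", "interface", "type", "action", "rule", "ip", "nat", "prot",
          "port", "gblip", "gblport", "gblinterface", "remoteip", "encap",
          "key", "keymanagement", "peer", "hashalg"]
MODULES = ["firewall", "ipsec", "isakmp", "enco", "ip", "user"]


def expand(token, names):
    """Resolve an abbreviated keyword: exact match wins, else a unique prefix."""
    t = token.lower()
    if t in names:
        return t
    hits = [n for n in names if n.startswith(t)]
    return hits[0] if len(hits) == 1 else t


def parse(config_text):
    """Yield (verb, module, params) per command, joining wrapped lines."""
    commands = []
    for raw in config_text.splitlines():
        line = raw.strip()
        if not line or line.startswith("#"):
            continue
        tokens = shlex.split(line)            # handles string="1 and 2"
        if tokens[0].lower() in VERBS or not commands:
            commands.append(tokens)
        else:
            commands[-1].extend(tokens)       # continuation line
    for tokens in commands:
        module = expand(tokens[1].split("=")[0], MODULES) if len(tokens) > 1 else ""
        params = {}
        for tok in tokens[1:]:
            if "=" in tok:
                name, value = tok.split("=", 1)
                params[expand(name, PARAMS)] = value
        yield tokens[0].lower(), module, params


def lint(config_text):
    """Return a list of findings; an empty list means every check passed."""
    private_in, public_in = defaultdict(set), defaultdict(set)
    policies = defaultdict(lambda: defaultdict(int))   # policy -> type -> count
    key_users = defaultdict(list)                       # ISAKMP key id -> policies
    for verb, module, p in parse(config_text):
        if module == "firewall" and "policy" in p:
            pol = p["policy"]
            _ = policies[pol]                           # register even if empty
            if verb == "add" and "interface" in p and "type" in p:
                typ = p["type"].lower()
                policies[pol][typ] += 1
                (private_in if typ == "private" else public_in)[p["interface"]].add(pol)
        elif verb == "create" and module == "isakmp" and "key" in p:
            key_users[p["key"]].append(p.get("policy", "?"))
    findings = []
    for ifc, pols in private_in.items():
        if len(pols) > 1:
            findings.append(f"{ifc}: private in more than one policy ({', '.join(sorted(pols))})")
    for ifc, pols in public_in.items():
        if len(pols) > 2:
            findings.append(f"{ifc}: public in more than two policies ({', '.join(sorted(pols))})")
    for pol, count in policies.items():
        if not count["private"] or not count["public"]:
            findings.append(f"policy {pol}: needs at least one private and one public interface")
    for key, pols in key_users.items():
        if len(pols) > 1:
            findings.append(f"ISAKMP key {key} shared by policies {', '.join(pols)}: "
                            "use a separate pre-shared key per peer")
    return findings


# Constructed sample (not a real device's config): a correct policy 'main', a
# policy 'lab' that reuses eth0 as private and has no public side, and one
# ISAKMP key id shared by the site-to-site and roaming policies.
SAMPLE_BAD = """\
enable fire
create fire poli=main
add fire poli=main int=eth0 type=private
add fire poli=main int=eth1 type=public
add fire poli=main nat=enhanced int=eth0 gblint=eth1
add fire poli=main rule=1 int=eth1 action=allow
ip=193.133.123.140
prot=udp
port=500
create fire poli=lab
add fire poli=lab int=eth0 type=private
create isakmp policy=Fire2Fire peer=193.133.123.213 hashalg=sha key=1
create isakmp policy=roaming1 hashalg=sha key=1
"""
SAMPLE_OK = "\n".join(l for l in SAMPLE_BAD.splitlines()
                      if "poli=lab" not in l and "roaming1" not in l)

if __name__ == "__main__":
    print("\n".join(lint(SAMPLE_BAD)) or "no findings")
```

Run it over the full config text for each firewall before pasting the commands in; the abbreviation handling is what lets it read the shortened forms (ru=, ac=, gblint=) that the line-length limit forces on the page.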
How it works
Site to web
A packet from a host on the private network arrives at the router.
It is compared with the GRE filters for the receiving interface eth0.
It does not match; the destination address is not local, and a check
against the routing tables indicates it should be sent on eth1.
Site to Site
A packet from a host on the private network arrives at the router.
Testing
You should still be able to ping addresses on the public internet
from the router.