How to: MGS/AWG - Setting up a Routed IPSec Tunnel
Contents
1.0 Setup a routed IPSec Tunnel
1.3 Firewall Rules Site A & Site B (part 1)
2.2 Phase 1 proposal (Authentication)
2.3 Phase 1 proposal (Algorithms)
3.3 Phase 2 proposal (SA/Key Exchange)
4.2 Phase 1 proposal (Authentication)
4.3 Phase 1 proposal (Algorithms)
5.3 Phase 2 proposal (SA/Key Exchange)
7.0 Step 5 - Add Static Routes
1.0 Setup a routed IPSec Tunnel
Most Site-to-Site VPNs are policy-based, which means you define a local and a remote network (or group of networks). Only traffic matching the defined policy is pushed into the VPN tunnel. As the demands for more complex and fault tolerant VPN scenarios increased over the years, most major router vendors added another kind of VPN, the route-based IPSec.
The difference is that local and remote network is just 0.0.0.0/0, so anything can travel through the tunnel, it just needs a route. A new Virtual Tunnel Interface (VTI) has to be used for this.
There are two benefits for this kind of VPN:
First, you can set up two tunnels to the same gateway and failover when one line goes down. Second, you can run dynamic routing protocols over the tunnel to create more redundant, or software-defined networks.
Before starting with the configuration of an IPsec tunnel you need to have a working activeARC® installation with a unique LAN IP subnet for each side of your connection (your local network needs a different one than the remote network).
For the sample configuration we use two activeARC® boxes to simulate a site to site tunnel, with the following configuration:
Network Site A
|
Hostname |
fw1 |
|
WAN IP |
1.2.3.4/24 |
|
LAN IP |
192.168.1.1/24 |
|
LAN DHCP Range |
192.168.1.100-192.168.1.200 |
Network Site B
|
Hostname |
fw2 |
|
WAN IP |
4.3.2.1/24 |
|
LAN Net |
192.168.2.0/24 |
|
LAN DHCP Range |
192.168.2.100-192.168.2.200 |
Full Network Diagram Including IPsec Tunnel
IPsec Site-to-Site tunnel network
1.3 Firewall Rules Site A & Site B (part 1)
To allow IPsec tunnel connections, the following should be allowed on WAN for on sites (under Firewall ‣ Rules ‣ WAN):
· Protocol ESP
· UDP Traffic on port 500 (ISAKMP)
· UDP Traffic on port 4500 (NAT-T)
You can further limit the traffic by the source IP of the remote host.
(Under VPN ‣ IPsec ‣ Tunnel Settings Press +) We will use the following settings:
|
Connection method |
default |
Default is “Start on traffic” |
|
Key Exchange version |
V2 |
|
|
Internet Protocol |
IPv4 |
|
|
Interface |
WAN |
Choose the interface connected to the internet |
|
Remote gateway |
4.3.2.1 |
The public IP address of your remote ActiveARC® |
|
Description |
Site B |
Freely chosen description |
2.2 Phase 1 proposal (Authentication)
|
Authentication method |
Mutual PSK |
Using a Pre-shared Key |
|
My identifier |
My IP address |
Simple identification for fixed IP |
|
Peer identifier |
Peer IP address |
Simple identification for fixed IP |
|
Pre-Shared Key |
At4aDMOAOub2NwT6gMHA |
Random key. CREATE YOUR OWN! |
2.3 Phase 1 proposal (Algorithms)
|
Encryption algorithm |
AES |
For our sample we will use AES/256 bits |
|
Hash algorithm |
SHA512 |
Use a strong hash like SHA512 |
|
DH key group |
14 (2048 bit) |
2048 bit should be sufficient |
|
Lifetime |
28800 sec |
Lifetime before renegotiation |
|
Install Policy |
Unchecked |
This has to be unchecked since we want plain routing |
|
Disable Rekey |
Unchecked |
Renegotiate when connection is about to expire |
|
Disable Reauth |
Unchecked |
For IKEv2 only re-authenticate peer on rekeying |
|
NAT Traversal |
Disabled |
For IKEv2 NAT traversal is always enabled |
|
Dead Peer Detection |
Unchecked |
|
Save your setting by pressing:
Press the button that
says ‘+ Show 0 Phase-2 entries’
You will see an empty
list:
Now press the + at the right of this list to add a Phase 2 entry. As we do not define a local and remote network, we just use tunnel addresses, you might already know from OpenVPN. In this example we use 10.111.1.1 and 10.111.1.2. These will be the gateway addresses used for routing
|
Mode |
Route-based |
Select Route-based |
|
Description |
Local LAN Site B |
Freely chosen description |
|
Local Address |
Local Tunnel IP |
Set IP 10.111.1.1 |
|
Remote Address |
Remote Tunnel IP |
Set IP 10.111.1.2 |
3.3 Phase 2 proposal (SA/Key Exchange)
|
Protocol |
ESP |
Choose ESP for encryption |
|
Encryption algorithms |
AES / 256 |
For the sample we use AES 256 |
|
Hash algorithms |
SHA512 |
Choose a strong hash like SHA512 |
|
PFS Key group |
14 (2048 bit) |
Not required but enhanced security |
|
Lifetime |
3600 sec |
|
Save your settings by pressing:
Enable IPsec for Site A, select:
Save:
And apply changes:
You are almost done configuring Site A (only some firewall settings remain, which will be addressed later). We will now proceed setting up Site B.
(Under VPN ‣ IPsec ‣ Tunnel Settings Press +) We will use the following settings:
|
Connection method |
Default |
Default is ‘Start on traffic’ |
|
Key Exchange version |
V2 |
|
|
Internet Protocol |
IPv4 |
|
|
Interface |
WAN |
Choose the interface connected to the internet |
|
Remote gateway |
1.2.3.4 |
The public IP address of your remote ActiveARC® |
|
Description |
Site A |
Freely chosen description |
4.2 Phase 1 proposal (Authentication)
|
Authentication method |
Mutual PSK |
Using a Pre-shared Key |
|
My identifier |
My IP address |
Simple identification for fixed ip |
|
Peer identifier |
Peer IP address |
Simple identification for fixed ip |
|
Pre-Shared Key |
At4aDMOAOub2NwT6gMHA |
Random key. CREATE YOUR OWN! |
4.3 Phase 1 proposal (Algorithms)
|
Encryption algorithm |
AES |
For our sample we will use AES/256 bits |
|
Hash algorithm |
SHA512 |
Use a strong hash like SHA512 |
|
DH key group |
14 (2048 bit) |
2048 bit should be sufficient |
|
Lifetime |
28800 sec |
Lifetime before renegotiation |
|
Install Policy |
Unchecked |
This has to be unchecked since we want plain routing |
|
Disable Rekey |
Unchecked |
Renegotiate when connection is about to expire |
|
Disable Reauth |
Unchecked |
For IKEv2 only re-authenticate peer on rekeying |
|
NAT Traversal |
Disabled |
For IKEv2 NAT traversal is always enabled |
|
Dead Peer Detection |
Unchecked |
|
Save your setting by pressing:
Press the button that
says ‘+ Show 0 Phase-2 entries’
You will see an empty
list:
Now press the + at the right of this list to add a Phase 2 entry.
|
Mode |
Route-based |
Select Route-based |
|
Description |
Local LAN Site A |
Freely chosen description |
|
Local Address |
Local Tunnel IP |
Set IP 10.111.1.2 |
|
Remote Address |
Remote Tunnel IP |
Set IP 10.111.1.1 |
5.3 Phase 2 proposal (SA/Key Exchange)
|
Protocol |
ESP |
Choose ESP for encryption |
|
Encryption algorithms |
AES / 256 |
For the sample we use AES 256 |
|
Hash algorithms |
SHA512 |
Choose a strong hash like SHA512 |
|
PFS Key group |
14 (2048 bit) |
Not required but enhanced security |
|
Lifetime |
3600 sec |
|
Save your setting by pressing:
Enable IPsec for Site B, Select:
Save:
And apply changes:
Firewall Rules Site A & Site B (part 2)
To allow traffic passing
to your LAN subnet you need to add a rule to the IPsec interface (under Firewall
‣ Rules ‣ IPsec).
The tunnel should now be up and routing the both networks. Go to VPN ‣ IPsec ‣ Status Overview to see current status.
Now that you have the VPN up and running you have to set up a gateway. Go to System ‣ Gateways ‣ Single and add a new gateway.
|
Name |
VPNGW |
Set a name for your gateway |
|
Interface |
IPSEC1000 |
Choose the IPsec interface |
|
IP Address |
10.111.1.2 |
Set the peer IP address |
|
Far Gateway |
Checked |
This has to be checked as it is a point-to-point connection |
|
Name |
VPNGW |
Set a name for your gateway |
|
Interface |
IPSEC1000 |
Choose the IPsec interface |
|
IP Address |
10.111.1.1 |
Set the peer IP address |
|
Far Gateway |
checked |
This has to be checked as it is a point-to-point connection |
7.0 Step 5 - Add Static Routes
When gateways are set up you can add a route for the remote network pointing to the new gateway. On Site-A add a route to Site-B and vice versa. Go to System ‣ Routes ‣ Configuration.
|
Network Address |
192.168.2.0/24 |
Set the network of Site-B |
|
Gateway |
VPNGW |
Select the VPN gateway |
|
Network Address |
192.168.1.0/24 |
Set the network of Site-A |
|
Gateway |
VPNGW |
Select the VPN gateway |
Now you are all set!
Related Articles
How to - Setup a routed IPSec Tunnel for MGS/AWG Gateway/Firewall
1.0 Setup a routed IPSec Tunnel Most Site-to-Site VPNs are policy-based, which means you define a local and a remote network (or group of networks). Only traffic matching the defined policy is pushed into the VPN tunnel. As the demands for more ...MGS/AWG Gateway - Setting Firewall Rule Setting
How to: MGS/AWG SSL VPN - Site-to-Site Tunnel
Contents 1.0 Setup SSL VPN site-to-site tunnel 2 Before you start 2 Sample Setup. 2 Site A - Server 3 Site B - Client 3 Full Network Diagram Including SSL VPN Tunnel 4 2.0 Step 1 - Add SSL Server. 5 3.0 Step 2 - Copy Shared Key. 6 4.0 Step 3 - Server ...How to: MGS/AWG - Setting up DHCP
DHCP DHCP automatically provides clients with an IP address (instead of clients having to set one themselves). DHCP is available for both IPv4 and IPv6 clients, referred to as DHCPv4 and DHCPv6, respectively. Settings Overview DHCPv4 settings can be ...How to: Setting up Monit natively on the MGS/AWG Gateway
MGS/AWG - Monit Package Monit plugin is a Unix system management and proactive monitoring tool. This document will help guide set up the Monit tool on the ICCN AWG gateway. This Monit package is included in the AWG system by default. Monit is a ...