How to: MGS/AWG SSL VPN - Site-to-Site Tunnel

Contents

1.0 Setup SSL VPN site-to-site tunnel
    Before you start
    Sample Setup
    Site A - Server
    Site B - Client
    Full Network Diagram Including SSL VPN Tunnel
2.0 Step 1 - Add SSL Server
3.0 Step 2 - Copy Shared Key
4.0 Step 3 - Server Firewall Rules
5.0 Step 4 - Site B Client
6.0 Step 5 - Client Firewall Rules


1.0 Setup SSL VPN site-to-site tunnel

Site to site VPNs connect two locations with static public IP addresses and allow traffic to be routed between the two networks. This is most commonly used to connect an organization’s branch offices back to its main office, so branch users can access network resources in the main office.

Before you start

Before starting with the configuration of an OpenVPN SSL tunnel you need a working activeARC® installation with a unique LAN IP subnet on each side of the connection (your local network must be different from the remote network, otherwise traffic cannot be routed between the two sites).

Note

For the sample we use a private IP address for our WAN connection. This requires us to disable the default block rule on WAN so that private traffic is allowed. To do so, go to Interfaces > [WAN] and uncheck "Block private networks" (don't forget to save and apply). This is only needed for the lab setup; on a deployment with real public WAN addresses, leave the block rule in place.


Sample Setup

For the sample configuration we use two activeARC® boxes to simulate a site-to-site tunnel, with the following configuration:

Figure: Network Site A

Site A - Server

    Hostname          fw1
    WAN IP            172.10.1.1/16
    LAN IP            192.168.1.1/24
    LAN DHCP Range    192.168.1.100-192.168.1.200
    Tunnel Network    10.10.0.0/24

Figure: Network Site B

Site B - Client

    Hostname          fw2
    WAN IP            172.10.2.1/16
    LAN Net           192.168.2.0/24
    LAN DHCP Range    192.168.2.100-192.168.2.200
    Tunnel Network    10.10.0.0/24

Full Network Diagram Including SSL VPN Tunnel

Figure: SSL VPN Site-to-Site tunnel network


2.0 Step 1 - Add SSL Server

Adding a new SSL VPN server is relatively simple. We'll start by adding a server that uses a shared key. This setup offers good protection and is easy to set up.

Go to VPN > OpenVPN > Servers and click Add in the top right corner of the form.

For our example we will use the following settings (leave everything else at its default):

Note

The Hardware Crypto setting is not used on newer systems equipped with AES-NI; when the aesni module is loaded it is used automatically.

    Server Mode               Peer to Peer (Shared Key)
    Protocol                  UDP
    Device Mode               tun
    Interface                 WAN
    Local port                1194
    Description               SSL VPN Server
    Shared Key                Leave enabled (checked) to create a new key
    Server Certificate        SSLVPN Server Certificate (CA: SSL VPN CA)
    DH Parameters Length      4096
    Encryption algorithm      AES-256-CBC (256-bit)
    Auth Digest Algorithm     SHA512 (512-bit)
    Hardware Crypto           No Hardware Crypto Acceleration
    IPv4 Tunnel Network       10.10.0.0/24
    IPv4 Local Network/s      192.168.1.0/24
    IPv4 Remote Network/s     192.168.2.0/24
    Compression               Enabled with Adaptive Compression


Click Save to add the new server.


3.0 Step 2 - Copy Shared Key

To copy the newly created shared key, click on the pencil icon next to the newly created SSL VPN server.

You will see the shared key (a text block between "-----BEGIN OpenVPN Static key V1-----" and "-----END OpenVPN Static key V1-----"); copy it and keep it safe, since anyone holding this key can join the tunnel.


4.0 Step 3 - Server Firewall Rules

To allow SSL VPN client connections, we need to allow access to the OpenVPN server port on the WAN interface. When using multiple servers, each server's port must be opened. For our configuration we only use one server, reachable on UDP port 1194. Since both sites have static addresses, this rule can be restricted to Site B's WAN address as the source instead of allowing any source.

Next, we also need to allow traffic from the VPN client network (192.168.2.0/24). For our example we allow the client network to access anything on our local network(s); you may instead decide to allow traffic only to one or more IPs.

 

You are done configuring Site A.

 

 

5.0 Step 4 - Site B Client

Now we have to set up the client. Log in to the second firewall, go to VPN > OpenVPN > Clients and click Add client in the upper right corner of the form.


Now enter the following into the form (and leave everything else default):

    Server Mode               Peer to Peer (Shared Key)
    Protocol                  UDP
    Device Mode               tun
    Interface                 WAN
    Server host or address    172.10.1.1
    Server port               1194
    Description               SSL VPN Client
    Shared Key                Uncheck to paste the shared key, then paste your shared key
    Server Certificate        SSLVPN Server Certificate (CA: SSL VPN CA)
    DH Parameters Length      4096
    Encryption algorithm      AES-256-CBC (256-bit)
    Auth Digest Algorithm     SHA512 (512-bit)
    Hardware Crypto           No Hardware Crypto Acceleration
    IPv4 Tunnel Network       10.10.0.0/24
    IPv4 Remote Network/s     192.168.1.0/24
    Compression               Enabled with Adaptive Compression

Now click on Save to apply your settings.

The connection status can be viewed under VPN > OpenVPN > Connection Status.

 

6.0 Step 5 - Client Firewall Rules

To allow traffic from the remote network (192.168.1.0/24), add a rule under Firewall > Rules on the OpenVPN tab.
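As an added example (not part of this how-to or the activeARC product), the script below encodes the Site A server and Site B client settings from the tables above and checks that the two ends agree on everything that must match, that the local and remote networks are mirrored, and that the two LANs and the tunnel network do not overlap; it also lists the firewall rules Steps 3 and 5 add. The WAN rule it derives is narrowed to Site B's WAN address as the source, which is this example's assumption rather than the how-to's any-source rule.

```python
import ipaddress

# Constructed from the how-to's tables: Site A is the server, Site B the client.
SITE_A_SERVER = {
    "mode": "Peer to Peer (Shared Key)", "proto": "UDP", "dev": "tun", "port": 1194,
    "cipher": "AES-256-CBC", "auth": "SHA512", "tunnel": "10.10.0.0/24",
    "wan_ip": "172.10.1.1", "local": ["192.168.1.0/24"], "remote": ["192.168.2.0/24"],
}
SITE_B_CLIENT = {
    "mode": "Peer to Peer (Shared Key)", "proto": "UDP", "dev": "tun", "port": 1194,
    "cipher": "AES-256-CBC", "auth": "SHA512", "tunnel": "10.10.0.0/24",
    "wan_ip": "172.10.2.1", "server": "172.10.1.1",
    "local": ["192.168.2.0/24"], "remote": ["192.168.1.0/24"],
}

def check_pair(server, client):
    """Return a list of mismatches; an empty list means the two sides agree."""
    problems = []
    # Both ends must use identical transport and crypto settings.
    for key in ("mode", "proto", "dev", "port", "cipher", "auth", "tunnel"):
        if server[key] != client[key]:
            problems.append(f"{key}: server={server[key]!r} client={client[key]!r}")
    if client["server"] != server["wan_ip"]:
        problems.append("client 'Server host or address' is not the server's WAN IP")
    # One side's IPv4 Local Networks must be the other side's IPv4 Remote Networks.
    if (sorted(server["local"]) != sorted(client["remote"])
            or sorted(server["remote"]) != sorted(client["local"])):
        problems.append("IPv4 Local/Remote networks are not mirrored between the sites")
    # 'Before you start': the two LANs must differ, and the tunnel network must
    # not overlap either of them, or routing between the sites breaks.
    nets = [ipaddress.ip_network(n) for n in server["local"] + client["local"] + [server["tunnel"]]]
    for i, a in enumerate(nets):
        for b in nets[i + 1:]:
            if a.overlaps(b):
                problems.append(f"overlapping networks: {a} and {b}")
    return problems

def required_rules(server, client):
    """Firewall rules Steps 3 and 5 add, as (site, tab, rule) triples. The WAN rule
    is narrowed to the peer's WAN address (this example's assumption, not the how-to's)."""
    rules = [("A", "WAN", f"pass {server['proto']} from {client['wan_ip']} "
                          f"to {server['wan_ip']} port {server['port']}")]
    rules += [("A", "OpenVPN", f"pass from {n} to LAN") for n in server["remote"]]
    rules += [("B", "OpenVPN", f"pass from {n} to LAN") for n in client["remote"]]
    return rules

if __name__ == "__main__":
    print(check_pair(SITE_A_SERVER, SITE_B_CLIENT) or "Site A/B settings are consistent")
    print(*required_rules(SITE_A_SERVER, SITE_B_CLIENT), sep="\n")
```

Run it once more after any change to either side; a non-empty list from check_pair explains why the tunnel does not come up or why one LAN is unreachable.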

 

Completed

 

