Policy-based VPNs
Policy-based VPNs encrypt a subset of the traffic leaving an interface, selected by an access list (the crypto map / proxy-ID policy). The policy decides which "interesting" traffic goes into the VPN; everything else is forwarded in the clear.
Dynamic routing over the tunnel is not supported.
Supports point-to-point (P2P) topology only.
Traffic flowing through the VPN tunnel can't be NATted.
Remote access VPN can be implemented.
Route-based VPN
A route-based VPN uses a routed tunnel interface as each endpoint of the virtual network. Every packet forwarded out of the tunnel interface is placed into the VPN. Instead of an explicit policy selecting traffic, static and/or dynamic routes direct the desired traffic to the tunnel interface, so the routing table, not an ACL, decides what gets encrypted.
Supports dynamic routing (e.g. OSPF/BGP) over the tunnel interface.
Supports hub-and-spoke, P2P and P2MP topologies.
Traffic flowing through the VPN tunnel can be NATted.
Remote access VPN can't be implemented.
User-ID
User identification and logging. Sources of user-to-IP mappings include GlobalProtect, Captive Portal (username and password for guest users), etc.
Local user database
External database, e.g. an LDAP server
LDAP = Lightweight Directory Access Protocol, TCP 389 (plaintext) / TCP 636 (LDAPS, TLS-protected; prefer this so bind credentials and lookups do not cross the network in the clear)
AD = Active Directory, a centralized network directory database that holds users, groups, shared resources, computers, etc.
Integrating PA with AD requires:
IP address of the Windows AD server [LDAP server]
Domain name, e.g. Lab.local
A bind account (username/password). Administrative rights are not required for LDAP group mapping; a read-only account can perform the lookups and is the least-privilege choice.
Base Distinguished Name [DN], e.g. DC=Lab,DC=local for the domain Lab.local
VPN
Virtual Private Network (VPN) does not necessarily mean encryption or a tunnel over the internet; it means a private network overlaid on shared infrastructure.
Layer 2 VPNs: Metro Ethernet [Q-in-Q], Frame Relay, VPLS [MPLS VPN], L2TP, AToM [Any Transport over MPLS] etc.
Layer 3 VPNs: GRE tunnel, MPLS L3VPN, IPsec VPN etc.
Why IPsec S2S VPN?
Route-based VPN
No static provisioning by a service provider is required
Scalable and feasible
Cost-effective solution [runs over the Internet]
Data is encrypted in transit
Encryption Keys:
1. Asymmetric --> Different keys are used for encryption and decryption [public and private key pair]. Strong, but computationally expensive, so unsuitable for bulk data.
2. Symmetric --> The same key is used for encryption and decryption. Fast, so it is used for bulk data transfer.
In IPsec the asymmetric step (Diffie-Hellman inside IKE) is used to agree on the symmetric keys that then protect the bulk traffic; the symmetric key itself never crosses the wire.
a. Site-to-Site VPN --> always available (gateway to gateway)
b. Remote access VPN --> on demand (client initiated)
IPsec
IPsec is an IETF (Internet Engineering Task Force) standard framework providing:
1) Data encryption [confidentiality]: AES-128 / AES-256 / 3DES / DES etc. (DES and 3DES are deprecated; use AES)
2) Data integrity [hashing/HMAC]: MD5 / SHA-1 / SHA-256 etc. (MD5 and SHA-1 are deprecated; use SHA-256 or stronger)
3) Anti-replay (ESP sequence numbers are checked against a sliding window)
4) Data origin authentication
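The anti-replay service above, as an added worked example that is not part of the original notes: it parses the ESP header that follows an IPv4 header (IP protocol 50) and runs the sequence number through an RFC 4303 style sliding window. Packets left of the window or already seen are rejected. The packets, the addresses inside them and the window width are constructed for this example; the ESP payload is never decrypted.

```python
# Added example (not from the original notes).  Packets are constructed here;
# the IPv4 checksum is left zero and the ESP payload is never decrypted.
import struct

ESP_PROTO = 50
AH_PROTO = 51

def parse_ipv4_esp(pkt):
    """Return (spi, seq) from a raw IPv4 packet carrying ESP; raise otherwise."""
    if len(pkt) < 20:
        raise ValueError("truncated IPv4 header")
    if pkt[0] >> 4 != 4:
        raise ValueError("not IPv4")
    ihl = (pkt[0] & 0x0F) * 4          # IPv4 header length in bytes
    proto = pkt[9]                     # IPv4 protocol field
    if proto != ESP_PROTO:
        raise ValueError(f"IP protocol {proto} is not ESP (50)")
    if len(pkt) < ihl + 8:
        raise ValueError("truncated ESP header")
    spi, seq = struct.unpack("!II", pkt[ihl:ihl + 8])   # ESP: SPI, then sequence number
    return spi, seq

class ReplayWindow:
    """Sliding window per SPI.  Bit 0 of the bitmap is the highest sequence
    number seen, bit d is (highest - d).  Width 64 as in RFC 4303."""
    def __init__(self, size=64):
        self.size = size
        self.state = {}                # spi -> (highest seq, bitmap)

    def check(self, spi, seq):
        """True (and record seq) if it is fresh and inside the window, else False."""
        if seq == 0:
            return False               # sequence number 0 is never transmitted
        top, bitmap = self.state.get(spi, (0, 0))
        if seq > top:                  # right of the window: slide it forward
            shift = seq - top
            bitmap = (bitmap << shift) & ((1 << self.size) - 1) if shift < self.size else 0
            self.state[spi] = (seq, bitmap | 1)
            return True
        diff = top - seq
        if diff >= self.size:
            return False               # left of the window: too old
        if bitmap & (1 << diff):
            return False               # inside the window but already received
        self.state[spi] = (top, bitmap | (1 << diff))
        return True

def build_packet(spi, seq, proto=ESP_PROTO, payload=b"\x00" * 16):
    """Construct an IPv4 packet (checksum zero) with an ESP header, for testing."""
    total_len = 20 + 8 + len(payload)
    ip = struct.pack("!BBHHHBBH4s4s", 0x45, 0, total_len, 0, 0, 64, proto, 0,
                     bytes([114, 30, 77, 50]), bytes([114, 30, 77, 51]))
    return ip + struct.pack("!II", spi, seq) + payload

def filter_stream(packets, window=None):
    """Run raw packets through parse + replay check; return one decision each."""
    window = window or ReplayWindow()
    decisions = []
    for pkt in packets:
        try:
            spi, seq = parse_ipv4_esp(pkt)
        except ValueError as err:
            decisions.append(("drop", str(err)))
            continue
        decisions.append(("accept" if window.check(spi, seq) else "replay-drop", seq))
    return decisions

if __name__ == "__main__":
    stream = [build_packet(0x1A2B3C4D, s) for s in (1, 2, 3, 2, 100, 36, 37, 37)]
    stream.append(build_packet(0x1A2B3C4D, 5, proto=AH_PROTO))   # not ESP: dropped by the parser
    for decision in filter_stream(stream):
        print(decision)
```

In the sample stream the replayed 2 is rejected as a duplicate, 36 is rejected because it is 64 behind the new high-water mark of 100, and 37 is accepted once and then rejected. A window is kept per SPI, so sequence numbers from two different SAs do not interfere.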
IPsec Steps:
1. Interesting traffic triggers the tunnel
2. IKE Phase 1 - IKE/ISAKMP security association [security parameters negotiated, DH exchange, peers authenticated, SA established]
3. IKE Phase 2 - IPsec SA [ESP/AH, tunnel or transport mode, encryption/hash, proxy IDs etc.]
IPsec keys are computed here.
4. Bulk data transfer
5. Tunnel termination (lifetime expiry or manual clear)
IKE [Internet Key Exchange, UDP 500; UDP 4500 when NAT traversal is in use]
Main Mode - 6 packets. Aggressive Mode - 3 packets, used when one peer always initiates and the other only responds (typically a peer with a dynamic address). Aggressive mode sends the identity and the authentication hash before encryption is established, so a captured exchange allows offline guessing of the pre-shared key; prefer main mode.
1. IKE Phase 1 [Main Mode]
A total of 6 packets are exchanged, i.e. three two-way exchanges.
Packets 1 & 2 [proposal and agreement]
Encryption e.g., AES-128 / AES-256 etc.
Hashing e.g., SHA-1 / SHA-256 / MD5 etc.
VPN peer authentication method: pre-shared key / certificate
SA lifetime: 8 hrs [Palo Alto default] / 24 hrs [Cisco default, 86400 s]
DH group: group 1 - 768 bits / group 2 - 1024 bits (both too weak today; use group 14, 2048 bits, or higher)
Packets 3 & 4 [DH exchange: public values and nonces; both peers compute the shared secret and derive the session keys]
Packets 5 & 6 [encrypted with the keys just derived]
VPN peer authentication (identity plus a hash bound to the PSK or certificate)
2. IKE Phase 2 [Quick Mode]
3 packets are exchanged, protected by the Phase 1 SA, negotiating:
- Encryption and hashing method for the IPsec SA
- Lifetime [1 hr default]
- DH computation is optional
PFS -> Perfect Forward Secrecy [if disabled there is no new DH computation: Phase 2 keys are derived from the Phase 1 secret only, so a compromise of the Phase 1 keys exposes every IPsec SA built from them]
- Transport mode (encrypts layer 4 and above; the original IP header is kept) or tunnel mode (encrypts the whole original IP packet, layer 3 and above, and adds a new outer IP header)
- ESP or AH
AH [Authentication Header] -> Authentication and data integrity for the whole packet, including the outer IP header, but no encryption. IP protocol number 51. AH is part of the IPsec suite but is rarely used for VPNs: it provides no confidentiality and does not survive NAT, because NAT rewrites header fields that AH covers.
ESP [Encapsulating Security Payload] -> Encryption, authentication and integrity. IP protocol number 50. This is what IPsec VPNs use in practice.
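The Phase 1 / Phase 2 exchanges above, together with the earlier point that the asymmetric step only serves to agree a symmetric key, as an added toy model that is not part of the original notes and not a compliant IKE implementation. It shows why the crypto profiles must match on both peers (proposal matching), how Diffie-Hellman gives both sides the same secret without sending it, and what PFS changes in Quick Mode. Assumptions: the DH group is a small toy prime chosen so the script runs instantly (real IKE uses the RFC 3526 MODP groups, group 14 or higher), the key derivation is a simplified HMAC-SHA256 version of the IKEv1 PSK derivation, and the proposal dictionaries, PSK and function names are invented for the example.

```python
# Added example (not part of the original notes).  Toy DH group and a
# simplified key derivation; proposal names and the PSK are invented.
import hashlib
import hmac
import secrets

# --- Phase 1: proposal matching -----------------------------------------------
# Lifetime is deliberately excluded: peers may differ on it and the shorter
# value wins, whereas encryption, hash, DH group and auth method must match.
STRONG = {"enc": "aes-256-cbc", "hash": "sha256", "dh": 14, "auth": "psk"}
WEAK = {"enc": "aes-128-cbc", "hash": "md5", "dh": 2, "auth": "psk"}

def negotiate(initiator, responder):
    """Return the first initiator proposal the responder also lists, else None
    (Cisco logs the None case as 'no proposal chosen').  Ordering matters: an
    initiator that lists a weak fallback can be downgraded to it."""
    for proposal in initiator:
        if proposal in responder:
            return proposal
    return None

# --- Diffie-Hellman on a TOY group ---------------------------------------------
P = (1 << 127) - 1      # Mersenne prime M127; illustrative only, not an IKE group
G = 3                   # generator (its order is not checked; fine for a demo)

def dh_keypair():
    priv = secrets.randbelow(P - 2) + 1   # private value: never leaves the peer
    return priv, pow(G, priv, P)          # public value: sent in the clear (packets 3 & 4)

def dh_shared(priv, peer_pub):
    return pow(peer_pub, priv, P)         # identical on both sides

def prf(key, data):
    return hmac.new(key, data, hashlib.sha256).digest()

def to_bytes(n):
    return n.to_bytes((n.bit_length() + 7) // 8 or 1, "big")

def phase1_keys(psk, ni, nr, g_xy):
    """SKEYID is rooted in the PSK and nonces; SKEYID_d additionally in the DH
    secret and seeds every Phase 2 key."""
    skeyid = prf(psk, ni + nr)
    skeyid_d = prf(skeyid, to_bytes(g_xy))
    return skeyid, skeyid_d

def phase2_keymat(skeyid_d, spi, ni2, nr2, pfs_g_xy=None):
    """IPsec SA key material.  With PFS a fresh DH secret is mixed in; without
    it the key depends only on SKEYID_d plus values visible on the wire."""
    fresh = to_bytes(pfs_g_xy) if pfs_g_xy is not None else b""
    return prf(skeyid_d, fresh + spi + ni2 + nr2)

def run_exchange(psk, pfs):
    """Simulate both peers; return (SKEYID_d, IPsec key, public transcript)."""
    a_priv, a_pub = dh_keypair()
    b_priv, b_pub = dh_keypair()
    ni, nr = secrets.token_bytes(16), secrets.token_bytes(16)
    a_skeyid_d = phase1_keys(psk, ni, nr, dh_shared(a_priv, b_pub))[1]
    b_skeyid_d = phase1_keys(psk, ni, nr, dh_shared(b_priv, a_pub))[1]
    assert a_skeyid_d == b_skeyid_d          # DH agreement worked
    # Quick Mode: new SPI and nonces; a new DH exchange only if PFS is enabled
    spi, ni2, nr2 = secrets.token_bytes(4), secrets.token_bytes(16), secrets.token_bytes(16)
    transcript = {"spi": spi, "ni2": ni2, "nr2": nr2}   # what an eavesdropper records
    if pfs:
        a2_priv, a2_pub = dh_keypair()
        b2_priv, b2_pub = dh_keypair()
        a_key = phase2_keymat(a_skeyid_d, spi, ni2, nr2, dh_shared(a2_priv, b2_pub))
        b_key = phase2_keymat(b_skeyid_d, spi, ni2, nr2, dh_shared(b2_priv, a2_pub))
    else:
        a_key = phase2_keymat(a_skeyid_d, spi, ni2, nr2)
        b_key = phase2_keymat(b_skeyid_d, spi, ni2, nr2)
    assert a_key == b_key
    return a_skeyid_d, a_key, transcript

def attacker_recovers_child_key(skeyid_d, transcript, ipsec_key):
    """An attacker who later obtains SKEYID_d and kept the Quick Mode transcript
    tries to recompute the IPsec key.  Succeeds only when PFS was off."""
    guess = phase2_keymat(skeyid_d, transcript["spi"], transcript["ni2"], transcript["nr2"])
    return guess == ipsec_key

if __name__ == "__main__":
    print("match:", negotiate([STRONG, WEAK], [STRONG]))
    print("downgrade:", negotiate([STRONG, WEAK], [WEAK]))
    print("mismatch:", negotiate([STRONG], [WEAK]))
    for pfs in (False, True):
        skd, key, tr = run_exchange(b"cisco123", pfs)
        print("PFS", pfs, "-> attacker recovers IPsec key:", attacker_recovers_child_key(skd, tr, key))
```

The downgrade case is the practical lesson from the proposal matching: remove weak fallback profiles from both peers rather than relying on ordering. The PFS case shows why "DH computation is optional" is a security decision, not a performance tweak.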
IPsec Site-to-Site Configuration (Palo Alto)
Step 1: Create a zone, e.g. VPN zone
Step 2: Create a tunnel interface and put it in the VPN zone and the default virtual router.
Step 3: Create a static route to the remote networks through the tunnel interface [route-based VPN]
10.0.0.0/8 via the tunnel interface, next hop IP 192.168.12.2
Step 4: Configure IKE Phase 1 parameters
Network tab --> Network Profiles --> IKE Crypto --> Add
Step 5: Configure IKE Phase 2 parameters
Network tab --> Network Profiles --> IPSec Crypto --> Add
Step 6: Configure the IKE Gateway (peer address, local interface, authentication, IKE crypto profile)
Network tab --> IKE Gateways
Step 7: Create the IPsec tunnel (binds the tunnel interface, the IKE gateway and the IPsec crypto profile)
Network tab --> IPSec Tunnels
Step 8: Create the security policy and commit
Site A to Site B
------------------------
Source --> INSIDE zone, 172.16.0.0/16
Destination --> VPN zone, 10.0.0.0/8
Service/App --> any (restrict to the required applications where possible)
Action --> Allow
Site B to Site A
---------------------
Source --> VPN zone, 10.0.0.0/8
Destination --> INSIDE zone, 172.16.0.0/16
Service/App --> any (restrict to the required applications where possible)
Action --> Allow
Topology (PA routing table)
0.0.0.0/0 exit interface ethernet1/2, next hop 114.30.77.49
10.0.0.0/8 exit interface tunnel.1, next hop 192.168.12.2
Cisco side (IGW), SVTI protected by an IPsec profile:
! Tunnel interface: the routed endpoint of the VPN (Step 1)
IGW(config)# interface Tunnel1
IGW(config-if)# ip address 192.168.12.2 255.255.255.0
IGW(config-if)# tunnel source 114.30.77.50
IGW(config-if)# tunnel destination 114.30.77.51
IGW(config-if)# tunnel mode ipsec ipv4
IGW(config-if)# exit
! Static route to the remote LAN through the tunnel (Step 2)
IGW(config)# ip route 172.16.0.0 255.255.0.0 Tunnel1
! IKE Phase 1 policy (Step 3). md5 and group 2 are kept as in the lab; use sha256 and group 14 or higher in production.
IGW(config)# crypto isakmp policy 10
IGW(config-isakmp)# encryption aes
IGW(config-isakmp)# hash md5
IGW(config-isakmp)# authentication pre-share
IGW(config-isakmp)# group 2
IGW(config-isakmp)# lifetime 86400
IGW(config-isakmp)# exit
! Pre-shared key for the peer. "0" stores it in clear text in the running config; use a long random secret instead of cisco123.
IGW(config)# crypto isakmp key 0 cisco123 address 114.30.77.51
! IKE Phase 2 transform set (Step 4)
IGW(config)# crypto ipsec transform-set TSET12 esp-aes esp-md5-hmac
IGW(cfg-crypto-trans)# exit
! IPsec profile referencing the transform set (Step 5)
IGW(config)# crypto ipsec profile PROFILE12
IGW(ipsec-profile)# set transform-set TSET12
IGW(ipsec-profile)# exit
! Apply the profile to the tunnel interface (Step 6)
IGW(config)# interface Tunnel1
IGW(config-if)# tunnel protection ipsec profile PROFILE12
Verification, Palo Alto side:
admin@PA-FW> show vpn ike-sa
admin@PA-FW> show vpn ipsec-sa
Verification, Cisco side (generate interesting traffic first, then check that both the encaps and decaps counters increase):
IGW# ping 172.16.0.1 source 10.10.10.10
IGW# show crypto isakmp sa
IGW# show crypto ipsec sa | include encaps|decaps
IGW# show crypto ipsec sa | include spi
Cisco Router summary
Step 1: Create the tunnel interface [tunnel mode ipsec ipv4 --> SVTI]
Step 2: Create the static route: ip route 172.16.0.0 255.255.0.0 Tunnel1
Step 3: Create the ISAKMP policy [IKE Phase 1] and the pre-shared key for the peer
Step 4: Create the transform set [IPsec = IKE Phase 2]
Step 5: Configure the IPsec profile
Step 6: Apply the IPsec profile to the tunnel interface
Troubleshooting commands, Cisco:
clear crypto isakmp (tears down the Phase 1 SAs; the tunnel renegotiates on the next interesting packet)
debug crypto isakmp
show crypto isakmp sa
show crypto ipsec sa
Troubleshooting commands, Palo Alto:
show vpn ike-sa
show vpn ipsec-sa
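Reading the counters in show crypto ipsec sa is the most common troubleshooting step above, so here is an added parser for that output; it is not part of the original notes or of any Cisco tool. A tunnel that encapsulates but never decapsulates usually means the far side is not sending (its route, policy or proxy ID); zero in both directions means no interesting traffic or a failed Phase 2. The sample output below is constructed for this example in the layout IOS uses (peer, #pkts encaps/decaps lines, inbound and outbound esp sas with their SPIs); the SPI values and counters are invented.

```python
# Added example (not from the original notes).  SAMPLE is constructed output
# in the IOS layout; SPIs and counters are invented.
import re

SAMPLE = """\
interface: Tunnel1
    Crypto map tag: Tunnel1-head-0, local addr 114.30.77.50

   local  ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   remote ident (addr/mask/prot/port): (0.0.0.0/0.0.0.0/0/0)
   current_peer 114.30.77.51 port 500
    #pkts encaps: 25, #pkts encrypt: 25, #pkts digest: 25
    #pkts decaps: 0, #pkts decrypt: 0, #pkts verify: 0
    #send errors 0, #recv errors 0

     current outbound spi: 0x7A3B4C5D(2050640989)
     PFS (Y/N): N, DH group: none

     inbound esp sas:
      spi: 0x1A2B3C4D(439041101)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
     outbound esp sas:
      spi: 0x7A3B4C5D(2050640989)
        transform: esp-aes esp-md5-hmac ,
        in use settings ={Tunnel, }
"""

WEAK_TRANSFORM_TOKENS = ("md5", "des", "esp-sha-hmac")   # MD5, DES/3DES, SHA-1

def parse_ipsec_sa(text):
    """Extract peer, packet counters, SPIs, PFS flag and transform from one SA block."""
    def grab(pattern, cast=str, default=None):
        m = re.search(pattern, text)
        return cast(m.group(1)) if m else default
    return {
        "peer": grab(r"current_peer (\S+)"),
        "encaps": grab(r"#pkts encaps: (\d+)", int, 0),
        "decaps": grab(r"#pkts decaps: (\d+)", int, 0),
        "send_errors": grab(r"#send errors (\d+)", int, 0),
        "recv_errors": grab(r"#recv errors (\d+)", int, 0),
        "pfs": grab(r"PFS \(Y/N\): ([YN])"),
        "transform": grab(r"transform: (.+?) ,"),
        "inbound_spis": re.findall(r"inbound esp sas:\s+spi: (0x[0-9A-Fa-f]+)", text),
        "outbound_spis": re.findall(r"outbound esp sas:\s+spi: (0x[0-9A-Fa-f]+)", text),
    }

def diagnose(info):
    """Return (verdict, warnings): the verdict says where to look next."""
    if not info["inbound_spis"] or not info["outbound_spis"]:
        verdict = "no ESP SAs: Phase 2 not established (check IPsec crypto profile / proxy IDs)"
    elif info["encaps"] == 0 and info["decaps"] == 0:
        verdict = "SAs up but idle: no interesting traffic has been routed into the tunnel"
    elif info["decaps"] == 0:
        verdict = "one-way: we encrypt but receive nothing (check the remote route, policy and proxy ID)"
    elif info["encaps"] == 0:
        verdict = "one-way: we receive but never send (check the local route into the tunnel)"
    else:
        verdict = "bidirectional traffic flowing"
    warnings = []
    transform = info["transform"] or ""
    if any(tok in transform for tok in WEAK_TRANSFORM_TOKENS):
        warnings.append(f"weak transform set in use: {transform}")
    if info["pfs"] == "N":
        warnings.append("PFS disabled: a Phase 1 key compromise exposes this SA")
    if info["send_errors"] or info["recv_errors"]:
        warnings.append("send/recv errors present")
    return verdict, warnings

if __name__ == "__main__":
    info = parse_ipsec_sa(SAMPLE)
    verdict, warnings = diagnose(info)
    print(info["peer"], "encaps", info["encaps"], "decaps", info["decaps"])
    print(verdict)
    for w in warnings:
        print("warning:", w)
```

Feed it the real output with something like `show crypto ipsec sa` pasted into a file; the regexes only depend on the counter and SA lines, so extra lines (compression counters, MTU, VRF) are ignored. The same idea applies to `show vpn ipsec-sa` on the Palo Alto side, where the tunnel's packet counters are read from `show vpn flow`.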
--------------------------------------------------------------------------------------------------------------
Now let's reconfigure the Site-to-Site VPN in PAN-OS version 10
Step 1: Create a tunnel interface with IP 192.168.12.1/24 in a new zone named TUNNEL.
The other side will have a tunnel interface with IP 192.168.12.2/24.
Step 2: Configure the Internal, DMZ and VPN zones.
Note: the VPN zone here is mostly the OUTSIDE, i.e. internet-facing, interface, but it can also be a direct link to a business partner over MPLS.
PA1: Internal network 10.10.10.0/24, firewall IP 10.10.10.1
DMZ network 10.10.11.0/24, firewall IP 10.10.11.1
VPN (outside) interface 192.168.168.1/24 (a /30 such as 192.168.168.1/30 is enough for a point-to-point link)
PA2: Internal network 10.11.11.0/24, firewall IP 10.11.11.1
DMZ network 10.11.12.0/24, firewall IP 10.11.12.1
VPN (outside) interface 192.168.168.2/24 (or 192.168.168.2/30)
Step 3: Configure the following
A) IKE Crypto profile, Phase 1 (must match on both sides)
B) IPsec Crypto profile, Phase 2 (must match on both sides)
C) IKE Gateway (peer IP, local interface, pre-shared key, IKE crypto profile)
Enable NAT Traversal if the firewall sits behind a router that performs NAT (IKE then moves to UDP 4500 and ESP is encapsulated in UDP).
Step 4: Create the IPsec tunnel
Reference the Phase 2 (IPsec Crypto) profile and the IKE Gateway, and bind the tunnel interface.
Step 5: Allow traffic as per the VPN-USERS and VPN-USERS2 rules. Also allow the ike and ipsec-esp applications between the two outside interfaces so the negotiation itself is permitted.
Step 6: Configure routing for the interesting traffic:
10.11.11.0/24 and 10.11.12.0/24 via the tunnel interface, next hop 192.168.12.2
Step 7: Generate interesting traffic so that the tunnel comes up (e.g. ping from 10.10.10.0/24 to 10.11.11.1), then check show vpn ike-sa and show vpn ipsec-sa.