Wednesday, May 14, 2014

Site 2 Site vpn ( Fortinet Fortigate to Cisco ASA route-based )

In this post, I will demo the basic configuration for a site-to-site VPN. This VPN uses only one proposal, no PFS, and will encrypt only the traffic between the defined src/dst networks.

But first, a topology map:

===================CISCO ASA  CONFIGURATION===================

Now the Cisco ASA configuration:

A: tunnel-group

tunnel-group 1.1.1.5 type ipsec-l2l
tunnel-group 1.1.1.5 ipsec-attributes
 ikev1 pre-shared-key ImSoSecuredHaHaha!

NOTE: Please use a strong PSK between peers.

B: define a crypto policy

crypto ikev1 policy 1
 authentication pre-share
 encryption aes-256
 hash sha
 group 2
 lifetime 28800

NOTE: the crypto policy on a Cisco firewall must offer a proposal that the peer will present. It should match exactly the cipher type, the hash and the DH group #. The IKEv1 policy uses the keywords "hash" and "group" (the "integrity"/"prf" keywords belong to IKEv2 policies), and group 2 here matches "set dhgrp 2" on the FortiGate below.

C: ACL for matching interesting traffic (this must match the traffic exactly)

access-list VPN2FGTHQ extended permit ip 10.200.41.67 255.255.255.255 192.168.254.0 255.255.255.0

NOTE: this ACL should match the phase2 settings on the FortiGate exactly. Do not try to use a 0.0.0.0/0 or an "any". Make it specific to the src & dst subnets that the LAN will pass through the encryption domain.

D: A NO-NAT, aka NAT exemption

object network remotelan
    subnet 192.168.254.0 255.255.255.0

object network myhost
    host 10.200.41.67

nat (INSIDE,EXTERNAL02) source static myhost myhost destination static remotelan remotelan route-lookup

NOTE: if you are using NAT on the outside interface, you will need to exempt the traffic that should not be NATed over the VPN tunnel. With the twice-NAT rule above, traffic from the local src network myhost to the destination remotelan will NOT be NATed.

E: defining a transform set that will be used later in the crypto-map

crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac


F: Putting it all together into a crypto-map

crypto map EXTERNAL02_map0 10 match address VPN2FGTHQ
crypto map EXTERNAL02_map0 10 set peer 1.1.1.5
crypto map EXTERNAL02_map0 10 set ikev1 transform-set ESP-AES-256-SHA

NOTE: A crypto-map uses sequence #s, so you can have multiple peers defined, each unique by its sequence number. Only one crypto-map can be applied to an interface. Only the transform set defined in step E is referenced here; a crypto-map entry that names an undefined transform set will not be accepted.

G: enabling the crypto-map and IKE policy on our uplink WAN interface named "EXTERNAL02"

crypto ikev1 enable EXTERNAL02
crypto map EXTERNAL02_map0 interface EXTERNAL02

NOTE: this step is critical. If you don't enable & bind IKE and the crypto-map to the interface(s) that uplink to the internet, then your VPN will NOT work!



===================FORTIGATE  CONFIGURATION===================

A: Phase1-interface configuration

config vpn ipsec phase1-interface
    edit "FGT2MAcontext2"
        set interface "wan1"
        set dhgrp 2
        set proposal aes256-sha1
        set remote-gw 1.1.1.6
        set psksecret ImSoSecuredHaHaha!
        set keepalive 30
    next
end

NOTE: Please use a strong PSK between the VPN peers.

B: Phase2-interface configuration

config vpn ipsec phase2-interface
    edit "FGT2MAcontext2-P2-1"
        set auto-negotiate enable
        set pfs disable
        set phase1name "FGT2MAcontext2"
        set proposal aes256-sha1
        set replay disable
        set dst-subnet 10.200.41.67 255.255.255.255
        set keylifeseconds 3600
        set src-subnet 192.168.254.0 255.255.255.0
    next
end

NOTE: Please be specific and limit the number of items in the proposal. Also, if you are not using PFS, make sure it is disabled within this configuration, since the ASA crypto-map above sets no PFS group. The src-subnet/dst-subnet here are the mirror image of the ASA access-list: the ASA's destination is the FortiGate's source and vice versa.
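The two notes above (the ASA ACL must match the FortiGate phase2 selectors exactly, and cipher/hash/DH group must agree on both ends) are the usual causes of a tunnel that never comes up or passes no traffic. The script below is an added example, not part of the original post or of any vendor tooling: it copies the values used in this post into two constructed config strings, parses the relevant lines from each side with small hypothetical helpers, and reports any mismatch, including the "any" selector the post warns against.

```python
"""Cross-check the ASA side (IKE policy, ACL, transform set) against the
FortiGate side (phase1/phase2) of a route-based site-to-site tunnel.
Constructed example; the config strings reuse the values from this post."""
import ipaddress
import re

# ASA algorithm keywords normalised to the names FortiOS uses in "set proposal".
ASA_ALGO = {
    "aes-256": "aes256", "aes-192": "aes192", "aes": "aes128", "3des": "3des",
    "esp-aes-256": "aes256", "esp-aes-192": "aes192", "esp-aes": "aes128",
    "esp-3des": "3des", "sha": "sha1", "esp-sha-hmac": "sha1",
    "md5": "md5", "esp-md5-hmac": "md5",
}

ASA_CONFIG = """\
crypto ikev1 policy 1
 encryption aes-256
 hash sha
 group 2
 lifetime 28800
access-list VPN2FGTHQ extended permit ip 10.200.41.67 255.255.255.255 192.168.254.0 255.255.255.0
crypto ipsec ikev1 transform-set ESP-AES-256-SHA esp-aes-256 esp-sha-hmac
crypto map EXTERNAL02_map0 10 match address VPN2FGTHQ
crypto map EXTERNAL02_map0 10 set ikev1 transform-set ESP-AES-256-SHA
"""

FGT_CONFIG = """\
config vpn ipsec phase1-interface
    edit "FGT2MAcontext2"
        set dhgrp 2
        set proposal aes256-sha1
        set remote-gw 1.1.1.6
    next
end
config vpn ipsec phase2-interface
    edit "FGT2MAcontext2-P2-1"
        set pfs disable
        set proposal aes256-sha1
        set dst-subnet 10.200.41.67 255.255.255.255
        set src-subnet 192.168.254.0 255.255.255.0
    next
end
"""


def net(addr, mask):
    """Build a network from the 'address mask' form both CLIs use."""
    return ipaddress.ip_network(f"{addr}/{mask}", strict=False)


def parse_asa(text):
    """Extract IKE policy, ACL selectors, transform set and PFS from ASA lines."""
    def first(pat):
        return re.search(pat, text, re.M)
    acl = first(r"^access-list \S+ extended permit ip (\S+) (\S+) (\S+) (\S+)")
    ts = first(r"^crypto ipsec ikev1 transform-set \S+ (\S+) (\S+)")
    return {
        "ike_enc": ASA_ALGO[first(r"^\s*encryption (\S+)").group(1)],
        "ike_hash": ASA_ALGO[first(r"^\s*hash (\S+)").group(1)],
        "dhgrp": int(first(r"^\s*group (\d+)").group(1)),
        "local": net(acl.group(1), acl.group(2)),   # ACL is written from the ASA's view
        "remote": net(acl.group(3), acl.group(4)),
        "esp_enc": ASA_ALGO[ts.group(1)],
        "esp_hash": ASA_ALGO[ts.group(2)],
        "pfs": first(r"^crypto map \S+ \d+ set pfs") is not None,
    }


def fgt_section(text, name):
    """Return the body of one 'config <name> ... end' block."""
    return re.search(rf"^config {name}\n(.*?)^end", text, re.M | re.S).group(1)


def fgt_value(section, key):
    """Return the value of the first 'set <key> ...' line in a FortiOS block."""
    return re.search(rf"^\s*set {key} (.+?)\s*$", section, re.M).group(1)


def parse_fgt(text):
    """Extract phase1 proposal/DH group and phase2 proposal/selectors/PFS."""
    p1 = fgt_section(text, "vpn ipsec phase1-interface")
    p2 = fgt_section(text, "vpn ipsec phase2-interface")
    # Only the first proposal entry is compared; the post recommends a single one anyway.
    p1_enc, p1_hash = fgt_value(p1, "proposal").split()[0].split("-")
    p2_enc, p2_hash = fgt_value(p2, "proposal").split()[0].split("-")
    return {
        "ike_enc": p1_enc, "ike_hash": p1_hash,
        "dhgrp": int(fgt_value(p1, "dhgrp").split()[0]),
        "local": net(*fgt_value(p2, "src-subnet").split()),   # FortiGate's own view
        "remote": net(*fgt_value(p2, "dst-subnet").split()),
        "esp_enc": p2_enc, "esp_hash": p2_hash,
        "pfs": fgt_value(p2, "pfs") == "enable",
    }


def compare(asa, fgt):
    """Return a list of mismatch descriptions; an empty list means the ends agree."""
    problems = []
    for key in ("ike_enc", "ike_hash", "dhgrp", "esp_enc", "esp_hash", "pfs"):
        if asa[key] != fgt[key]:
            problems.append(f"{key}: ASA={asa[key]} FortiGate={fgt[key]}")
    # Local on one side must be remote on the other, exactly.
    if asa["local"] != fgt["remote"] or asa["remote"] != fgt["local"]:
        problems.append(f"selectors: ASA {asa['local']}->{asa['remote']} "
                        f"vs FortiGate {fgt['local']}->{fgt['remote']}")
    for side, cfg in (("ASA", asa), ("FortiGate", fgt)):
        for key in ("local", "remote"):
            if cfg[key].prefixlen == 0:
                problems.append(f"{side} {key} selector is 0.0.0.0/0; use specific subnets")
    return problems


def check_page_configs():
    return compare(parse_asa(ASA_CONFIG), parse_fgt(FGT_CONFIG))


# Failure case: a FortiGate phase2 with an "any" source selector.
FGT_ANY_SRC = FGT_CONFIG.replace("set src-subnet 192.168.254.0 255.255.255.0",
                                 "set src-subnet 0.0.0.0 0.0.0.0")


def check_any_selector():
    return compare(parse_asa(ASA_CONFIG), parse_fgt(FGT_ANY_SRC))


if __name__ == "__main__":
    for label, fn in (("post configs", check_page_configs), ("any-src phase2", check_any_selector)):
        print(label, "-> OK" if not fn() else fn())
```

Run it against a pasted `show running-config` section and the phase1/phase2 output of `show vpn ipsec phase1-interface` / `show vpn ipsec phase2-interface`; the selector check is the one that catches the "any" mistake, since the ASA will happily bring the tunnel up and then drop every packet that does not match the ACL.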


C: Static route

config router static
    edit 55
        set device "FGT2MAcontext2"
        set dst 10.200.41.67 255.255.255.255
    next
end

NOTE: a static route is required (since this is a route-based VPN).


D: Firewall policies to allow traffic for the LAN-to-LAN segments

config firewall address
    edit MYLOCALLAN
        set subnet 192.168.254.0/24
    next
    edit CISCONETWORK
        set subnet 10.200.41.67/32
    next
end

config firewall policy
    edit 0
        set srcintf "switch"
        set dstintf "FGT2MAcontext2"
        set srcaddr "MYLOCALLAN"
        set dstaddr "CISCONETWORK"
        set action accept
        set schedule "always"
        set service "ANY"
    next
    edit 0
        set srcintf "FGT2MAcontext2"
        set dstintf "switch"
        set srcaddr "CISCONETWORK"
        set dstaddr "MYLOCALLAN"
        set action accept
        set schedule "always"
        set service "ANY"
    next
end

NOTE: A lack of a firewall policy will NOT keep the tunnel from establishing, but it will prevent traffic. Ensure the firewall policies meet your security policy and posture and allow the traffic that you need. In the above, I'm allowing all traffic types from our management host (10.200.41.67).




===================ASA T-shoot and Tips ===================

The following show command will give you great details on the IKE SA:

show crypto ikev1 sa

The following show commands will give you great details on the IPsec SA status:

show crypto ipsec sa sum
show crypto ipsec sa peer 1.1.1.5

NOTE: the SPIs for inbound and outbound on the ASA should match the FortiGate's outbound and inbound respectively.

The following debug commands will give you great details on IKE issues if the tunnel does not come up. I like to start with level 200, but adjust the level for terse or verbose output.

debug crypto ikev1 200
debug crypto ipsec 200




==================Fortigate T-shoot and Tips ===================

I would like to refer you to one of my earlier posts;

http://socpuppet.blogspot.com/2013/10/site-2-site-routed-vpn-trouble-shooting.html



Ken Felix
Freelance Network / Security Engineer
kfelix  ----a---t---socpuppets ---d---o---t---com

     ^      ^
=(  @   @ )=
          o
       /     \


3 comments:

  1. Do you keep ANY logs which would allow you to match an IP-address and a time stamp to a user of your service? If so, exactly what information do you hold and for how long? http://top10-bestvpn.com/

  2. You have shared nice information on site to site vpn. Recently, hired services of fast Expressvpn after taking details on them through the tech reviews. Happy to get fast speed and really happy to get access to different websites.
