NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 25
May 2, 2023

71. Lecture-71: Site-to-Site IPsec Route-Based VPN Template Lab.

So now let’s start the lab. We will create a topology like this one, site-to-site VPN. First we will do site-to-site VPN, and this is route-based VPN. We discussed there are two types of VPN: route-based VPN site-to-site, and the other one is policy-based VPN. First we will do route-based VPN, then we will do site-to-site route-based VPN with the manual method. First we will do it through the template, then we will do it manually. Then we will do policy-based, and then we will do remote access VPN in two different ways. So let’s go. This is the topology we will use. In the middle I will take one router to represent an internet router. On this side we will assign the 1.1.1.1 IP to the FortiGate firewall port1, and this is another FortiGate firewall; we will assign them 2.2.2.2. Port3 on both sides we will make the management interface. And port2 is my LAN: this side is the 192.168.1 range and this side, another branch, is the 192.168.2 range. So our main point is that these two PCs can reach this branch encrypted, and nobody can see the traffic that is going on between these two.

We will even enable telnet here on this router. So when you send the telnet traffic, even though we know telnet traffic is visible, it will not be visible because these interfaces will make it encrypted. Encryption will start from here and it will end here, because we will use tunnel mode, which I told you about. And on the internet nobody will see this actual IP; they will see that 2.2.2.2 is going to 1.1.1.1, but actually inside this packet, like the public car which I told you about, this packet will go. So this is the story of VPN. So outside we will use 1.1.1.1 on side one. Schema: local we will use the 1 network, remote is the 2 network, inside our layer 3 interface is .100, management interface we have 114, and server IP is .110. The other side they will use 2.2.2.2, local is their 2 network and remote is 1, definitely, and inside they have .200 and the server, and management is changed. Now we have 144 and the server they have, 2.2.2.2. So this is the story to create this type of topology. Now let’s go. So first of all I need one router to represent our internet, and let me give it the name internet. Now I need two firewalls.

So let me drag two firewalls from here. This is site A and this is site B. Okay, now I need two switches, so let me take two switches. By the way, let me connect these two, so port1 is connected to 0 and port1 is connected to 1. Let me turn this on, please. It will start. And now I need a switch. So let me take this dummy switch. Okay, so let me take this switch. Let me change this one, change symbol. So this is the switch on this side, and let me duplicate it. This is the switch for this side. So switch anything, it’s okay. Switch One. Let me make this Switch Two, because this is site two and this is site One. Okay, so now I have two switches. Now I need two NAT clouds for management so that I can access them. So I take management cloud one and management cloud two. Okay, let me put them here. By the way, it’s okay. This is the management cloud, okay. And let me connect them to port3, which we decided. Port3 for management. And this one is for management, port3. Port2 is connected to the local LAN and port2 is connected to the local LAN.

Okay? And I need two PCs for test purposes. So on this side, I will take one server. This is a web server. Okay? This is one web server and one client, webterm, okay? So we can see the traffic which is not encrypted, whether it will be encrypted or not. And on this side, I will use one PC and also a router to make it a telnet server, so that I can show you the telnet traffic will also be encrypted. So this is my whole topology. Let me move this to the middle. So this might, by the way, let me exchange this one to here. This is PC Two. And PC One is on this side and R One is on this side. So this is Telnet SRV. So this is my telnet server, and this is PC One, and this is Web server SRV. So one side is a web server, the other as well; so this is HTTP, which is not encrypted, and on this one we will create a telnet, so in this way we will test both. Now coming to here, what I need to do. Let me change this symbol to a client. So client, let me choose this one. And let me say mgmt one. And let me change this one to a blue client. And this is Mgmt Two. Okay? And let me put them here like this. This is our management, okay? And let me put here this way, okay? Let me connect these interfaces to the Internet server and PC.

And here PC two. And here web server. Now the IP schema. We need the IP schema to assign, so for the IP schema we decided the 192.168.1 and 2 ranges: this should be this side, this is what we decided for this side, and for this side we decided 2. Okay, now for the PC, let's assign. This is .1. And this is .11, suppose. And here the web server is whatever, .11. Okay, let’s do it the same. And this is one. But this is 2.1 and 2.11. And here we have 1.1 and 1.11. This is our IP schema. And here we will use the 1.1 range. Okay, on this side we will use the 2.2 range. So this IP should be, let me duplicate this one. This will be 2. And this side should be 1. One more interface, you already know, I don’t want to write them. If you say so, let me write down port1. This is port1. And this is also port1. This is port2. Port2, and port3 is connected to management. This is port2 and this is port3. No need to mention that. And port3, our management, is 192.168.114.0/24, which is by default the NAT cloud range. Okay, then this is the basic schema. First, let me configure this router. So right click on the router, start, and go to console. Make it a telnet server. So configure interface e0/0, IP address 192.168.1.1, I think. Yeah. 255.255.255.0. No shutdown, exit. Do write. And we will configure an IP route: whatever you have, 0.0.0.0 0.0.0.0, give it to 192.168.1.100. This is the firewall IP, which we will assign. Line vty 0 4, transport input all, and the password is 123, and login. I enable telnet on this one, and do write. That’s it. So my telnet server is ready. Now configure this one. So right click on this one, edit configuration, remove auto, remove this one, this one, this one and this one. So we decided 1. And this should be .11. This should be .100. And this should be 1. No need for DNS because we don't require DNS, so Ctrl+C, and 1.11 is done.
Now go to PC two, edit configuration, Ctrl+A, Ctrl+V, just change this one to 2. And this one is 2.1. And this one is 2. Ctrl+A, Ctrl+C, save, and right click on Web server, Ctrl+A, Ctrl+V, 2.11, only change this one. So let me check. Double check: edit configuration, 2.1, okay, and this should be, go to edit configuration, 2.11, yes. And this one is 1.11, yes, it is correct.

Just to double check. Now we can enable these if you want; no need, but we will need them later on. Okay, so IP is done, now coming to the firewall. But before going to the firewall, let’s configure the Internet router. Go to the Internet router. On the Internet router we just need two IPs, that’s it, because we don’t have any control on the Internet router. So on the Internet router, what I will do: go to configuration, interface. This interface is e0/0. Okay? And this one is e0/1. So interface e0/0, here I will assign 1.1.1.2 255.255.255.0, no shutdown, that’s it. And interface e0/1, here I will assign 2.2.2, and this should be 2.2.2.1, no shutdown. So show ip interface brief, only two IPs, and write. That’s it. I don’t need anything up here, because we don’t have any control over the Internet router. So this is, by the way, 2. If I have 2 somewhere, let me copy. So I assign two IPs here, and on this side I assign one IP, 2.2.2.1. Let me rest. Okay, now coming to the firewall. Now the last thing. So right click, go to console and login to this device. Because DHCP is enabled on port1, we will not get any IP. So first login admin, no password, enter 123123, go to config port3, config, sorry, config interface, config system interface, and edit which port? port3, and enable, sorry, set allowaccess http https ping telnet, okay, and ssh, whatever you want to allow. Enter, and set mode dhcp.

So it will get DHCP, and end, show system interface. So port3, we will get an IP after a while. Okay, port3 is DHCP. Yeah. So we get .141. So one router is ready, sorry, firewall. We will get access to this one. And now let’s go to the other one. So right click on this one, go to console, admin, 123123, config system interface, edit port3, and set allowaccess http https ping ssh, whatever we want to allow, and set mode dhcp, and end. So now if I check show system interface, port3 will get an IP through DHCP after a while, because we are connected to the NAT cloud. So it gets .142. So it’s good. One side will get .141, the other side .142. So this is one. So let me log in to the first one, admin and 123. Let me change the name. So this is site one. So hostname site one, so that we will understand which side. So this is site one. And let me log in, admin and 123, and let me give it the name. This firewall, Site two. Site two. So good, now let me change the color of one firewall, so you will not be confused. Go to System, go to Settings, and there is the option to change the theme, where we can change it. Yeah, this is, so let me make them. This one. So site one is this color and this one is green. So this is site one.

Now what I need first, I need interfaces, which we normally do. Go to Interfaces. Port1. Where is port1 connected? This one. This is WAN. So give it the name WAN, and what is the IP we decided? Remember, 1.1.1.1. So let me assign 1.1.1.1. This is what we decided. No need for SSH, no need for HTTP, just need ping. This is not that one. That’s it. Done. So our WAN interface is done. Now we have another interface, port2. So the second interface is our LAN interface. And the IP we decided is 192.168.1.100. That’s what we decided. Yeah, you remember this .100, and we just need ping to test it. The third interface is port3, which is management. Just for the sake of understanding, we will type mgmt and we will make it manual, the same IP, but we will make it manual. And okay, because they say you are connected, you will be disconnected. I say it’s okay. So LAN, management and WAN, three interfaces we are using. No need of DNS because in this case we don’t have anything, otherwise you can configure DNS. No need of a static route, nothing, we need nothing.

That’s it. Now go to the other one, do the same thing, go to Interfaces. And here the first interface is the WAN interface. This is the other side firewall's WAN IP. But we decided the IP should be 2.2.2.2. Okay, this one. So the other side public IP is 2.2.2.2, no need for anything, only ping is allowed. And okay, so one interface is done, which is port1. Port2 is the LAN interface of site two. And IP address 192.168.2.100, and put LAN here so that we know, and allow ping on this interface. Done. The third interface is the management interface. So here mgmt, and make it manual, .142; that one was .141, and okay, and okay, done. So this is the basic setup. Interfaces are named just for understanding purposes and we assigned them IPs: LAN, WAN and management. They have interface IPs.

Now go to any firewall, start from site A. Let’s configure site-to-site VPN, but before site-to-site VPN, what we want to do: we need to configure one static route from the firewall that if you have anything, anything, give it to the Internet router. So here I will use WAN, and what is the WAN IP? 1.1.1.2. This is 1.1.1.2, this one, this is site one. I say give it to this guy. Okay. On the other firewall I will say whatever you have, give it to 2.2.2.1. So here, Static Routes, Create New, and here I will choose WAN. And here I will say 2.2.2.1: anything, give it to this guy. Let me see, I configured this one correctly, 1.1.1.2. Yeah.

And this is 2.2.2.1, this router's IP. Now, before configuring the firewall, do you think this router can reach PC one? No. Let's test from this router. Let me ping this IP, 192.168.2.1. Ping 192.168.2.1: no, I am not reachable, because it’s not possible. There is no routing, no routing in the middle router. This is the Internet router. An Internet router will never accept our private IPs to reach here. And neither can they put a route for us until you pay them. So you pay them. So why then, what is the advantage of VPN? This Internet router only knows the 1.1.1.1 IP, and they only know the 2.2.2.2 IP. But the communication is going from 192.168.1.1 to 192.168.2.1, which is not acceptable. It’s not working. And even if you are not sure, let me go from PC one to web server access; it will not work. Let me open this, and the web server IP is 192.168.2.11; it will not work. I’m sending the traffic here and this traffic will be visible here. If I start Wireshark, you will see that somebody is sending HTTP traffic. But private IP is not allowed. There is no route to reach them. Why am I showing you this? Because now, when we configure VPN, things will change. So let me generate traffic again.

Okay, still generating. You will see visibly who is going. It has to show me. Yeah, it’s showing us a bit slowly, 192.168, because this traffic is not reaching here; it has to reach, by the way, here it has to show 192. Let’s see, 1.1.1.2 is showing some ARP entry but not the other one. It has to show us, but it’s not reachable because there is no route. Let me quit this one, right now I don’t need this one. Stop. So it’s not reachable. Look at 2.11: it is not reachable, this web server, neither from here, neither from this side. Now let’s configure site-to-site VPN between FortiGate one and FortiGate two. How? Go to VPN here, and site one, I’m in site one. Okay. This is Overlay Controller VPN, which I told you needs to register in FortiCloud, which I told you we don’t need to touch. Then the second one is IPsec Tunnels, so there is nothing. When I click IPsec Tunnels, it will take me to the IPsec Wizard. So either coming from here or from here is the same thing, but here it will show you when it’s created, it will show you here. But IPsec Wizard, it is a wizard. I told you what a wizard is? It’s template based. So either click on Create New, IPsec Aggregate if you want to combine more than one VPN as one, I will show you; when you create IPsec Tunnel it will take you here, either from here or directly here. Let me start from here. IPsec Wizard, name them. So I will say site one to site two. I just give it the name, S1 to S2, and make it more simple. S1 to S2, this is my name. They say what is the template type? I told you what a template is: Site to Site, Hub-and-Spoke and Remote Access, and Custom. Site to site means you are using here one FortiGate for this side and the other for the other side. Hub-and-spoke: one, two, more if you are connected to more. This is hub-and-spoke. Remote access, if you are connecting your client PC to your firewall, and Custom if you want to customize them. But I say no, site to site right now.

I want to do this one. Then they say NAT configuration: is there any NAT device? No, because you are directly connected through; if there is, it will show you like this. This router, now I say this side is behind NAT. Then they will apply NAT traversal. I told you, if you say remote side, then the router is on that side. But in our case we don’t have any NAT devices. Done. Now they say remote device type is a FortiGate or Cisco. So it can be configured with any vendor's router and firewall, keep in mind. So I say FortiGate. So FortiGate to FortiGate, site to site. Okay? And click next. Now it’s asking me dynamic DNS. If you don’t know and the IPs are changing, then you can use dynamic DNS. It’s a good option. By the way, if you have an environment like a home and small office; so small offices, they don’t have a static IP, then you can use dynamic DNS. Dynamic DNS, there is a DynDNS concept. I will tell you some other day, but it’s possible. But in our case we have a static IP. What is the remote IP? 2.2.2.2, just the WAN interface which I’m reaching, 2.2.2.2. Next. Now, the authentication method. I told you two types of authentication method: pre-shared key and signature.

We will use pre-shared key. I will type 123456. Done. Now click next. Now they say which IP you want to encrypt to send to that side. So I say my LAN. So it gets my LAN automatically, this is my LAN, 192.168.1.0, and they say where you want to send your traffic. So this is the opposite one. So this is my local LAN, 192.168.1.0. So I say WAN, this local LAN, go to this remote LAN, this one. Do they want to access the Internet or not? Either share local, either you use remote, either none. So in this case they are not using any Internet. These LANs, and they've done, and create. It was so simple. They created each and everything. Look, they create a group for us. They create a remote address group. They create a phase 2. They create a static route for us. They create a blackhole route, which I told you about. They create a local subnet for us, the IP, and also remote-to-local policy and everything, they've done it. How do we know? Let’s go to policy. Did we create a policy before? No, there will be a policy automatically. Look at two policies automatically there, from LAN to VPN and another policy from VPN to LAN. Keep in mind, next time we will do this manually.

So which policies they create, we will create these policies manually, which they created: LAN to VPN and VPN to LAN. Let’s go to Network, Static Routes. Oh, they created two routes as well. S1 to S2 remote, and S1 to S2 remote blackhole. You know, blackhole, which I told you, distance 254, the last one. So in case the network is down on one side, they will be dropped. And they create a VPN tunnel, through-VPN route as well. So they create a policy. And let’s go to Policy & Objects, Addresses. They created addresses for us as well. Look, this is our local subnet 192.168.1.0. And this is the remote, 192.168.2.0. And look at the tunnel address as well. They created addresses for us. They created a policy. They created a route, they created addresses. Everything they had done automatically, just in three clicks. Now we need to do the same job on the other side. On the other side of the firewall, you will call the security engineer. Look, there is no route. Let me show you. There is no policy. Sorry, there is no policy. Nothing. After a while you will see each and everything. Nothing, only implicit deny. Now let’s go to VPN on the other side, click on IPsec Wizard. And on this side I will say site two to site one, site to site, no NAT device, FortiGate. And next, remote address is 1.1.1.1, the public IP. Okay. And pre-shared key, we put there 123456, it should be the same. And click next, my local is this one, opposite, and the other one is 1. And create, done. Everything: local, remote, phase 2, static blackhole route, local-to-remote policy, remote-to-local policy. They created everything for us. If we go to Policy & Objects, Addresses, there will be addresses created automatically.

This one they created. If we go to Policy, they already created two policies for us. This is the wizard: LAN to site-to-site, and site-to-site to LAN. Two policies have been created. And if you go to Network, Static Routes, you will see two routes are also created. But before testing, I want Wireshark here to show you the capture. And now we will generate traffic and you will see it will be encrypted and it will show the public IP, not our private IP. Communication will use the private IP and it will show the public IPs, and also how to verify. So if we go to Monitor, there is the IPsec Monitor. Now if we check, it shows a down arrow because there is no traffic generated right now. So let me go to capture. Okay? And let me type isakmp, just the first phase. Nothing is here. Now let’s generate the traffic.
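For reference, here is what the wizard's "three clicks" amount to on the CLI, since the lecture says the same objects (phase 1, phase 2, address objects, tunnel route, blackhole route and the two policies) will be built by hand next time. This is an added example written for this page, not the wizard's actual output: the object names, the proposal and DH group, and the pre-shared key placeholder are my assumptions, while the addresses follow the lecture's schema (site one WAN 1.1.1.1 on port1, LAN 192.168.1.0/24 on port2, peer WAN 2.2.2.2).

```fortios
# Added example (not the wizard's output). Site one side of the route-based tunnel.
# Assumed names: S1-to-S2, S1-to-S2_local, S1-to-S2_remote. PSK is a placeholder.

# Phase 1 as phase1-interface: this is what makes the VPN route-based, because it
# creates a tunnel interface named S1-to-S2 that routes and policies can point at.
config vpn ipsec phase1-interface
    edit "S1-to-S2"
        set interface "port1"
        set ike-version 1
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set dhgrp 14
        set remote-gw 2.2.2.2
        set psksecret "REPLACE-WITH-THE-SHARED-PSK"
    next
end

# Phase 2 selectors: only traffic between these two subnets is encrypted.
# Site two mirrors these with src and dst swapped.
config vpn ipsec phase2-interface
    edit "S1-to-S2"
        set phase1name "S1-to-S2"
        set proposal aes256-sha256
        set dhgrp 14
        set pfs enable
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end

# Address objects referenced by the policies.
config firewall address
    edit "S1-to-S2_local"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "S1-to-S2_remote"
        set subnet 192.168.2.0 255.255.255.0
    next
end

# Routes: the remote LAN goes into the tunnel interface. The blackhole at
# distance 254 only takes over when the tunnel is down, so that traffic for
# 192.168.2.0/24 is dropped instead of following the WAN default route in clear.
config router static
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set device "S1-to-S2"
    next
    edit 0
        set dst 192.168.2.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end

# One policy per direction, LAN to tunnel and tunnel to LAN, with NAT off so the
# private addresses are preserved inside the ESP payload.
config firewall policy
    edit 0
        set name "vpn_S1-to-S2_local"
        set srcintf "port2"
        set dstintf "S1-to-S2"
        set srcaddr "S1-to-S2_local"
        set dstaddr "S1-to-S2_remote"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "vpn_S1-to-S2_remote"
        set srcintf "S1-to-S2"
        set dstintf "port2"
        set srcaddr "S1-to-S2_remote"
        set dstaddr "S1-to-S2_local"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
```

On site two the same blocks are entered with the names reversed (S2-to-S1), `set remote-gw 1.1.1.1`, the phase 2 subnets swapped, the tunnel and blackhole routes pointing at 192.168.1.0/24, and the same PSK and proposals; the proposal and DH group must match on both ends or phase 1 never establishes.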

Before, it was not working. I hope it will work now. Now look at it, and telnet we will try. It was not working. Look, it is working. But here, look at it. Quick mode. What is the other one? There are six packets. They missed them. Okay, let me see. Like here. Maybe they give them some other name. Okay, so from where it started, there are six packets. So maybe we missed them. Yeah, they just started directly with quick mode, the second mode. This is the phase 2 mode, which is encrypted. By the way, all the traffic will be encrypted, but before quick mode, which is three packets, there are six packets where they exchange more information, which I missed for some reason; they start from phase 2 and there is no phase 1. They missed the phase 1; we need to clear. Now there is ESP. Look at who is going: 1.1.1.1. I’m sending clear text HTTP traffic, but here it is showing me ESP, just the last packet here. How many? 105. Now you will see more if I refresh: 105. Now you will see 110. Let me filter ESP only. Look at 115. Yeah, let me generate traffic. 115. Now it’s 128.

And who is going? 1.1.1.1 is going to 2.2.2.2. It’s not showing that basically 192.168.1.11 is going to 192.168.2.11. It has been encrypted by ESP, and ESP, you remember, IPsec is using Encapsulating Security Payload to encrypt our traffic. Nothing is visible. Let me do a telnet. We always say that telnet is not secure. Let me do a telnet from this side. So telnet to this telnet server, 192.168.1.1, the other server. And the password is 123. Do you think there will be telnet traffic? No, there is no such thing; this is being converted by ESP, which is encrypted, and nobody can see anything. And encryption, I told you, is garbage data. This is the beauty of VPN: now everything, even if it is in clear text, is going encrypted. Yes, sorry. Encryption is starting from this point and ending on this point. If I capture a packet here it will be telnet, and if I capture a packet here it will be telnet. Let me show you. Let me start a capture here. Here it will show telnet, but when it goes out from the interface it will become ESP. So let’s start this one. And let me generate telnet again, exit. Let me show you. Let’s start. And now let’s do it. You will see telnet. Look at 123, there is telnet inside, there is telnet, but when we go out there is no telnet. It becomes SSH.

Sorry, ESP, and it’s converted; public IPs are doing the communication for us even though we don’t have a route. But these two have a route, because this is the prerequisite: the public IP has to be reachable. So this public IP is reachable here and they’re hiding the information. And they’re deceiving the Internet router that 2.2.2.2 is going to 1.1.1.1. And on this side they say 1.1.1.1 is going to 2.2.2.2, hiding the information. And how to verify: now if you refresh, it will be green and up. This much data has gone to the other side and now we can see. And from the other side, if you log in, you can see it here as well. Go to Monitor and there is the IPsec Monitor. From here you can verify. So it’s green and up. Got it? So let me go through, in case I missed something for some reason. So we configured this one and then the management interfaces. We tested them, so nothing was working before the test. Then we configured VPN from one side and we checked that they configure each and everything automatically. Then we monitored them, and then on the other side we configured VPN, and what we did then: when we started, it’s working, and it will show you six packets if I capture here. Yeah, I did not capture those six packets as well. So it’s ESP and this is the testing phase. That’s it. So this was site-to-site VPN, route-based. Okay.
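The lecture verifies the tunnel through the GUI IPsec Monitor and an external Wireshark capture. The same checks can be done from the FortiGate CLI, which is useful when the six phase 1 packets are missed the way they were here. The commands below are an added example, not from the lecture; they are standard FortiOS diagnostic commands, and the interface names and the tunnel name S1-to-S2 are my assumptions based on the lecture's schema.

```fortios
# Added example: CLI verification of the route-based tunnel on site one.
# Assumed names: port1 = WAN, port2 = LAN, tunnel = S1-to-S2.

# Phase 1 (IKE) gateway state; look for "established" and the peer 2.2.2.2.
diagnose vpn ike gateway list

# Phase 2 (IPsec) SAs with byte counters; an SA whose counters rise while
# you browse or telnet across the tunnel is the one carrying the traffic.
diagnose vpn tunnel list

# One line per tunnel: up/down plus traffic counters, the CLI view of IPsec Monitor.
get vpn ipsec tunnel summary

# WAN side: with the tunnel up, only ESP between 1.1.1.1 and 2.2.2.2 should appear;
# the inner 192.168.x addresses, HTTP and telnet must not be visible here.
# Verbosity 4 prints IP headers with the interface name; Ctrl+C stops the sniffer.
diagnose sniffer packet port1 'esp or udp port 500 or udp port 4500' 4

# LAN side: the same telnet session is still cleartext before it enters the tunnel,
# which is the "encryption starts here" boundary the lecture describes.
diagnose sniffer packet port2 'tcp port 23' 4

# Bring the tunnel up on demand (phase 1 then phase 2) instead of waiting for
# interesting traffic, and capture the phase 1 exchange from the start.
diagnose vpn ike gateway clear name S1-to-S2
diagnose vpn tunnel up S1-to-S2
```

The two sniffer filters are the CLI counterpart of the two Wireshark points in the lecture: the LAN-side capture proves the application traffic is sent in clear by the client, the WAN-side capture proves it leaves the firewall only as ESP.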
