NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 26
May 3, 2023

72. Lecture 72: Site-to-Site IPsec Route-Based VPN Custom Lab

So last time we did a site-to-site VPN using a template, just next, next, next, and the thing was done; it was so easy to create a site-to-site VPN on a FortiGate firewall. Today, first of all, we will do it manually. This way we will see the things we studied in the first class related to VPN, so now we will see each and everything step by step, and I will explain it to you as well. Through the template there was nothing, just next, and after three clicks our site-to-site VPN was ready. So let's create a topology like this and do it manually. I need two firewalls, so let me type FortiGate firewall, make them two, and okay, this is site one and this is site two.

Then in the middle I need a router to play the role of the internet. So go to IOL and take one router from here, okay, and let me put it here as the internet. Let me change the name to Internet, and if there is any internet-like icon that would be great; I cannot see anything that looks like the internet, but anyway, let me mark this one as the internet. Okay? So connect port1 of this firewall to e0/0 and port1 of the other firewall to e0/1 of this router. Now we need two switches, so go back and take two switches from here, make them switches and change the icon to switches.

Okay, so this is the site one switch and this is the site two switch, so let me change the name to switch one. This is the switch one side, and let me change the name, which is very difficult here, and make this one switch two. Okay, so this is representing my LAN. I need a few PCs to test. So I will take a router, by the way, so let me go to router and make it a server, so SRV, and change the icon to server. Okay, so this is server one. I don't know why they gave it six. So this is server one, and on this side we have server two.

Let me change it to SRV2. Okay, so on both sides we have a server; then I need a client. So what can I do? We can use a VPC as well, by the way, it's not a big issue; we just need a ping to test, so why not use a VPC? So let me make them PCs. Let me make this one PC1. For some reason they gave it PC8. Okay, so server one and PC1, and here we have server two and PC2. Let me change it to PC2. This is the small topology we need, so let me connect port2 here; from the switch we don't care which port is connected, so connect this one as well, and connect this one to server one, and connect this one to PC1. This is a small topology which is representing our setup.

Okay. Now what I need is management. So for management I will take a cloud. In my case, cloud one is connected to my PC. So here I will say management, and okay, from both firewalls I will connect this to port3 and from here also port3. So my management is this one. Let me select all and align them. For some reason it's not going to align this one. Okay, let me start the nodes. So this is site one, this is site two. Until the devices start, let me write down the addressing: 192.168.1.0/24 is this side's subnet, and the opposite side, the site two subnet, is 192.168.2.0/24.

Okay. And here we will use the 1.1.1.x and 2.2.2.x ranges which we normally do. So 1.1.1.1 should be this firewall, and 2.2.2.2 should be the other side; 2.2.2.2 is this firewall's public IP. On the router which is representing the internet we will put 1.1.1.2, and this side should be 2.2.2.1. For server one the IP will be 192.168.1.1, so let me put that, and PC1 gets 192.168.1.11. The same case here: this one is 192.168.2.2, okay, and duplicate, this one is 192.168.2.22. This is our IP schema. Now let's fire up this one.

Before this one, let's assign this one its IP addresses. So we have two interfaces; e0/0 is connected to this firewall, so we will assign interface e0/0 the 1.1.1.2 IP. So: conf t, interface e0/0, ip address 1.1.1.2 255.255.255.0, no shut, exit, then interface e0/1, and on this side we will assign 2.2.2.1, the other side, and no shut. That's the internet router; that's all we need on the internet router. Then conf t, hostname Internet, paste, and do wr, that's it. Show ip interface brief just to verify. Yeah.

So 1.1.1.2 and 2.2.2.1, and both are up. We don't need anything else here, so close it. What else do we need? This router. So this router's interface is e0/0, but the IP address is 192.168.1.1, which we decided, and the mask should be 255.255.255.0, and no shutdown; no need of this one, exit, and the ip route will be 0.0.0.0 0.0.0.0 192.168.1.10, which is this gateway. Another thing I need to do is enable telnet, just to check later whether it is encrypted or not. So line vty 0 4, transport input all, and login. So let me copy this, go to this router which is representing our server, open it and apply this. So no, okay, let me change the name to SRV1 first. Then we will apply it, and the same thing we will do on this side, so let me open SRV2 as well. So enable, conf t, hostname SRV1 and paste that material. So 192.168.1.1 has been assigned, no shutdown, the static route and the login on the vty lines.

They say there is no password set. So line vty 0 4, transport input all, and the password I forgot, so 123, and login, and write. So let me type a password of 123 here, okay, and just change this IP to 192.168.2.2 and change the gateway to 192.168.2.10, and paste it on the other side's router; let me type hostname SRV2 so everything will be done at once. Okay, the other side router. So this one I'm doing is 192.168.2.2, yeah. Okay, enable and paste. So change to SRV2 and IP address 192.168.2.2, no shutdown and the gateway, until it is done. So do wr. Okay, these two are done. The PCs are okay; we will assign their IPs later on.

Now the thing is, we are using port3 and port3 as management. So let's configure FortiGate port3 first so that we can get access. The admin password is nothing, enter, then set 123123. Go to config system interface, edit port1, tab, port2, tab, port3, enter, and type set allowaccess http https ping ssh, so ping is allowed. Yeah, that's it; we don't need telnet anyway, and end. Also, sorry, one thing I forgot: config system interface, edit port3 and set mode dhcp, so it will get an IP by DHCP when you end it automatically. Save, no need of anything, until it gets an IP. Let's do the other side with the same configuration: admin, enter, 123123, config system interface, edit port1, tab, port2, tab, port3, and set mode dhcp and set allowaccess http https ping telnet ssh, et cetera.

And what else? Yeah, that's it. Go to this one and tell it to show me the IP address. So it got an IP on the third interface, which we are using for management. I type that IP here and type admin and 123123 to log in. Let's name it site one. Just give it the name Site1. Let's go to the other FortiGate and show system interface. So it got .134. So this one got .134, and that's it. Browse to .134, admin and 123123, log in and give it the name Site2.

Okay, change the color of site two. Go to System, go to Settings and change the theme; where is the theme? Green to this one. Okay, done. One side is green and site two, as written here, has magenta, so now at least we can identify which firewall we are in. Okay, so the basic stuff is done. This is the basic configuration. Now we need to assign port1 1.1.1.1 and on this side 2.2.2.2. Then we need to configure a gateway: give everything to 1.1.1.2, and from this side give everything to 2.2.2.1, which we do. Then we need to go to port2 and assign 192.168.1.10 here and 192.168.2.10 there. Then we need to give names to these three interfaces so they are identified quickly: the management interface, the WAN interface and the LAN interface. No need of DNS in this case, but if it were connected to the internet then we would need to configure DNS, and then we will configure the VPN.

So now let's go to this firewall, FortiGate one, which is site A. As usual, start from the interfaces; click on Interfaces, port1. Port1 is connected to the WAN, so give it the name WAN or Internet, up to you, and assign the IP which we decided, 1.1.1.1/8. Let me copy this one. And no need of HTTP, no need of SSH; this is administrative access, we already know this, so just ping. Okay, so one interface is done, the WAN. Port2 is our LAN interface, as we know from the topology, so assign 192.168.1.10/24 here and just allow ping for test purposes, and done. So port2 is done. Now we need to go to port3. The IP is already there; just type mgmt, which is management, make it manual and allow everything, okay, because this is the management IP, and press OK. So all three interfaces are done here, no need of DNS. Normally we do a static route, so I will say anything goes to 1.1.1.2, which is the internet router. Create a route here and say gateway 1.1.1.2, destination anything, on which interface? The WAN interface, and done. That's the first firewall. Now let's go to the other one and repeat the same thing from here.

Click on port1, which is the WAN interface, and the IP address is 2.2.2.2; no need of this one, only allow ping and OK. Port2 is our LAN interface, assign IP 192.168.2.10, yeah, we already decided this one, allow ping and done. Port3 is the one through DHCP; make it manual and type mgmt so that we know this is the management interface, and OK. Go to static route. In this case we will give everything to 2.2.2.1, which is the internet router IP. So here I will say gateway 2.2.2.1, and this is through the WAN interface, and OK. That's it, this is the basic configuration. If you test from here, this public IP has to be reachable from the other one; this is the first requirement. So if I execute ping 2.2.2.2, it is reachable. But keep in mind, which I repeat a hundred times, the other subnet is not reachable: 192.168.2.2, the server we configured, yeah, it's not reachable; you cannot even ping that side's LAN interface. Yeah, after the VPN it will be accessible. But there is no route on the internet router for it; these two are reachable because they are directly connected with each other, and both interfaces are connected to the internet router.

That's why they are both reachable. And that's why I configured give everything to here and give everything to there, but it doesn't mean 192.168.2.x has to be reachable from here. No, because to reach there, if they give everything to the internet router, the internet router doesn't know about the 192.168 subnets; it only knows 1.1.1.0 and 2.2.2.0. So if you send anything for 1.1.1.1, the internet router can deliver it. But if you send anything else, the internet router will say no, because there is nothing, only two IPs are configured. So keep that in mind, just to clarify. So my basic topology is ready; now let's start the site-to-site VPN. We need LAN-to-LAN VPN, we call it site-to-site VPN, okay, private-to-private VPN, we call it. So that my private 192.168.1.0 reaches 192.168.2.0, but nobody can see the traffic in the middle; the internet router will say 1.1.1.1 is going to 2.2.2.2. Right now it's not pinging the other side, but now it will ping because the internet router will consider that header as 1.1.1.1 to 2.2.2.2; inside it is hiddenly going from this to this, and this concept we call a VPN. So now let's go to the first firewall, site A, we gave it this name, and go to VPN, IPsec Tunnels. And this is the IPsec wizard, because when you click IPsec Tunnels it will take you here, which I told you last time. So give it a name, suppose VPN-to-Site2. Yeah, VPN-to-Site2; it's okay, it means from here I'm going to site two. Either VPN-to-Site2 or whatever. Then site to site; but I don't need site to site, I need the custom one. We already did site to site last time, that is template based. Click on Custom. Now everything has changed. Click Next, type comments if you want. And they ask which IP version of the site-to-site VPN you want to configure; we need IPv4. They say tell me the remote gateway IP: remote gateway 2.2.2.2.

So I say the remote IP gateway is 2.2.2.2, and mine is this one; this is my local gateway. If you want to specify the local gateway IP, you can. And we are reaching it through this interface, WAN. Mode config: no need. If you want to enable NAT traversal, which I mentioned to you: in the middle there is no router or device where NAT is enabled, so I can enable NAT traversal, I can disable it, and I can force it. I mentioned all these things; right now I say no, we don't need NAT traversal because there is nothing in between doing NAT. Dead peer detection I also mentioned: if the other one is down, it will try to detect it; if you want, you can put on demand or on idle, I already mentioned it theoretically. And forward error correction if something is wrong, so you can put this on ingress and egress, both inside and outside. And if you click on Advanced there are two things, device creation and aggregate member; if you want to aggregate more than one VPN, this is for that; right now keep them disabled, we don't need them, I will show you later on. This is authentication. You know, in VPN I told you many things. The first one is authentication through signature, meaning a certificate, or a pre-shared key, so we use a pre-shared key, 123456; it has to be the same on both sides, 123456. And IKE has two versions, IKE version 1 and IKE version 2. This is the updated version and this is the old method. But still we are using IKE version 1 most of the time because it is supported in every firewall and router.

So IKE version 1. In IKE version 1 there are two modes, aggressive mode and main mode. In aggressive mode three packets will be exchanged in the first phase; in main mode six packets will be exchanged, four packets in clear text and the last two packets encrypted. In the second phase everything will be encrypted. Aggressive mode does all the things done by six packets in three packets, that's why it's called aggressive. Anyway, I will say main mode, which is more widely used. Then there is phase one encryption and authentication. They give us many options; I don't need them, I just need one, so I remove all. Because this is not a licensed device, it's only showing DES. I already discussed these: there is DES, 3DES, AES 128, 192 and so many, but because this firewall is not a registered one, it is only showing us DES. We will use DES. For authentication we have MD5 and SHA, which we discussed theoretically; you can use any. We will use MD5. Diffie-Hellman group, which we discussed, they are supporting all of them; let's do 5, 5 is already selected. So for phase one we use encryption method DES, and for authentication MD5. Authentication means nobody can alter the data; it will generate a hash, which I told you. The lifetime of the first phase will be this one, which comes to maybe one day or something. No need of local ID. XAUTH, we don't need that authentication; I already told you this was for client authentication. Now coming to phase two. For phase two we will do the same thing. So let me go to Advanced, so I don't need so many, I just need one for phase two. Again, encryption will be DES and this should be MD5. Suppose I keep both the same. Enable replay detection, I already told you, this is an IPsec feature so nobody can capture the packet and send it later on; it will be discarded. And this is also security related, like phase one. And again Diffie-Hellman for phase two, so I choose 5. Local port, remote port and protocol: you say use all.
If you want to specify, you can specify the remote port. But I say the traffic can be for any port, for any remote port, for any protocol. Protocol goes up to 255; if I type 256, maybe it will give an error. I told you, there are 255, so that's the maximum. Anyway, say all. Auto-negotiation: they will do auto negotiation, and for auto negotiation there will be keepalive messages continuously. They will do auto negotiation automatically if you want. And this is the lifetime; like the phase one lifetime, we have a phase two lifetime, and it can be put in seconds or kilobytes, or both if you want. So this is all the thing. Because a site-to-site VPN has two tunnels: the first one we call the management tunnel, the other one we call the data tunnel. Or the first one is like a security guard, and the second one is the actual person visiting another country. The first phase's purpose is to protect the second phase. In the first phase the first few packets will be in clear text, but that's okay; they are just exchanging which method we will use, like DES, MD5, which hashing you are using. They will decide everything in four packets, and then phase two will encrypt the actual data. And done. So this is the custom based one which I created. But we are not finished here. Last time we did it as a template, which we did in two minutes, and everything was created automatically, routing and everything.

But here, no: no routing has been enabled, no policy is there; we need to do it on our own. So if I go to Policy & Objects, IPv4 Policy, there is no policy created, look, only the implicit one. Last time when we did it as a template, everything was done here as well. So now I have to create a policy to allow the VPN traffic. I need to create two policies: LAN to VPN and VPN to LAN. So first the traffic will go from LAN to VPN. The source from the LAN subnet can be all, or you can create your own address group, which we discussed; but anyway, I say all. In destination you can put the specific destination, which is 192.168.2.0, but anyway I put all, because I need to create two. Last time they were created automatically, you remember? The beauty of the template base. Services will be all; you can restrict to HTTP, telnet, whatever. Inspection mode, we don't care. NAT we don't need, so let me disable it. Log all sessions, I need to see the logs, and done. But that's only one policy; I created the traffic from LAN to VPN. Now I need to create a new policy from VPN to LAN, which the template created automatically. So choose VPN to LAN, source LAN subnet, VPN subnet, sorry, VPN to LAN subnet, but in this case we don't have them, so all, no need of NAT, log all sessions, but we are not finished yet.

So the manual procedure takes many things. Maybe you can get confused rather than using a template in the real world, but you have to know how we can do it. Now I need a route as well, because it's a route-based VPN, not a policy-based VPN. So I need to go to Network and go to Static Routes. There is one we created, but that is for the other purpose. Here I will say that if somebody tries to go to the 192.168.2.0 subnet, which is the opposite side's VPN subnet, give it to our VPN. Where is our VPN? This one. So give it to the VPN, because if somebody is trying to go to the 2.0 subnet it means they want it tunneled, they want that packet encrypted, not other subnets. And okay, why is it not taking anything else? I need to check: the destination is this, 192.168.2.0? Yes, 192.168.2.0. Did I do something wrong? Now it's correct; for some reason it's not accepting it. Okay, let me see. Maybe I made a mistake. So when we did it last time it created these things automatically; I will show you here what it creates automatically.

This one is template based, but I just need to show you what it creates; look, last time it created a local subnet address group, a remote address group, and also a static route and a black hole route, and it created two policies automatically. But this time we don't have them; we have to do it ourselves. So let me choose again; for some reason it's not taking, let me make it again. So if somebody wants to go to 192.168.2.0/24, okay, and the gateway, I don't need a gateway in this case. Okay, 192.168, sorry, 1.1.1.2, but here I need to choose, no, something is wrong here because you can choose an interface directly. Okay, it's done now; last time it was not accepting it, now you can choose directly. If this is the subnet, give it to the VPN. The third thing, if you want, which is not required: if anything else, okay, choose the black hole, but put the administrative distance to 254, the last one. So if any traffic is not matching, and maybe one side is down and somebody is sending traffic, that will definitely be a burden on your firewall.

So it will be destroyed here by this black hole. In Cisco we use a null interface; we call it a null interface, I explained it to you there. In EIGRP, OSPF, BGP we are using the null interface. So when some route is coming like summarization, when we do summarization in EIGRP and OSPF a null interface is created automatically for this purpose. If a route is coming which falls under the summarization and it's not there on the other side, it will be destroyed by that null interface. Here we are using a black hole, if you want, for safety purposes, and this is done. So my one side is ready for VPN. We will do the same thing on the other side. So what I need to do first: I think the interfaces we already did, and everything. So now let's go to VPN, IPsec Wizard, choose the custom one, but type the name VPN-to-Site1, choose Custom, Next, IPv4, and the remote gateway is 1.1.1.1.

The interface is WAN; if you want you can use your own local gateway, 2.2.2.2. NAT traversal we don't need, dead peer detection if you want. Pre-shared key: we will use 123456, which has to be the same on both sides. We are using version 1, main mode, and we use encryption method DES and MD5, and Diffie-Hellman group 5. Okay, and phase two. Okay, our local subnet, where is the IPv4? I did not put the local subnet, I forgot it there, so I need to go back there. Our local subnet is 192.168.2.0/24 and the remote subnet is the opposite, which is the 1.0 one. Go to Advanced, remove all of them, we don't need all, apply DES. This is phase two. In phase two we also use MD5 and we also use Diffie-Hellman group 5, and we enable everything and auto negotiation, and OK. Let me go back, or let me finish this one because we left one thing there. The second thing I need is the policies, which are not created automatically.

We need to create two policies to make it work. First policy from LAN to VPN. So my LAN is going to the VPN; by the way, you have to put your range, but anyway I choose all here and all services, no need of NAT, and log all sessions. One policy is created, which says traffic will be allowed from LAN to VPN, but there will be traffic coming back from VPN to LAN. So source VPN and destination LAN, source should be anything, destination all and services all, no need of NAT, log all sessions, and OK. The last thing we need is a route. Go to Static Routes, create a static route and say 192.168.1.0/24: any traffic which is going to the 1.0 subnet from this firewall, give it to the VPN; this should go as the encrypted version, and OK. And also, if traffic is coming and the tunnel is down for some reason, okay, suppose anything, let me put anything; so what I need to do is black hole, and give it the highest administrative distance for security reasons, for safety reasons. Now I need to go back; I made one mistake.

I did not put the local and remote subnet. So go to VPN; it should be created already in here. Just edit here; I put 0.0.0.0. So I need to edit with this pencil icon, and the local subnet is 192.168.1.0, that's my local, and the opposite side is 192.168.2.0. So basically when 192.168.1.0, meaning anyone like .1, .2 up to .254, is going to 192.168.2.0, .2, .3, .4 up to .254, anyone going between these two, the header has to be encrypted. That's the only thing. So now we are almost done. So let's test it. But before the test, let me run Wireshark here, sorry, right click and capture port1, this one, so that we can see the traffic. End of file, pipe. Okay, so it's not working. Let me try this one, if it can capture port1; okay, for some reason it's not capturing, anyway. So what I need to do now is to try them. So from this router to this one, 192.168.2.2, let me generate a ping and see whether we can reach it or not. So SRV1. Okay, enable, conf t, no cdp run, do wr, because it will give you that error again and again, so it's better to disable it. Okay, and ping 192.168.2.2. If everything is okay it has to be reachable. So yes, I am reachable there, now to this PC without any restriction; before, you remember, from here to here when I tried it was not working. Now it's working; even from here to here I can reach now. Okay, so enable, conf t and no cdp run, do wr. So now this PC reaches this PC. Unfortunately I cannot capture, otherwise I would show you. Let me try here, if I capture e0; actually I'm running this from a server.

So maybe this is the reason, the remote server, because from a remote server it cannot capture; it has to be inside there. So this can be the issue, anyway. Okay, so now we refresh this one; before it was down, because now we generated traffic. So if you refresh, by the way, here it has to be green and up now, it means it's working. And also from Monitor there is IPsec Monitor, and if you go there, there is traffic, 608 bytes incoming and outgoing, which is showing here. Okay. And also from the other side, if we go to VPN, IPsec Tunnels, it's green and up now. And we can verify from here.

If we go to IPsec Monitor and click here, there it is. So now it's showing the traffic and everything is working. Unfortunately, I needed to show you, by the way, capturing the packets; you would see six packets and then the encrypted packets, and everything, but unfortunately, anyway, it's working from here to here. Now I can reach it easily. Otherwise I can show you from here: before, when we tried, admin, 123123, execute ping from here again; it will not work, because I need to put port2 as the source, this one, because we mentioned if the source is 192.168.1.x, any IP, and going to destination 192.168.2.x, any IP, then encrypt the traffic. And now 1.1.1.1 and 2.2.2.2 is what they see in the middle.

But this packet will be encrypted going from here and reaching here. So after this, the traffic will be decrypted after this port, but encryption will start from here and go to this point. Unfortunately Wireshark is not working, otherwise I would show you the telnet traffic. If you capture telnet traffic, it will be shown here, but when you capture it they will show ESP, which I mentioned to you theoretically. So this is called site-to-site VPN, but we've done it the manual way. The template base was so easy: they created everything automatically, the local address object, the remote address object, then they created the static route, then they created the black hole route, then they created the local policy, then they created the remote policy. Which we created ourselves: we created two policies, we created two routes, and for local address we are using all, which I did not create as a local address, I said all. So this is the difference between template based and this one. And then we verify: from here you can go to IPsec Monitor and see the traffic here. That's it. That's the only thing to see here.
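The whole manual procedure from this lecture, written out as the FortiOS CLI for site 1, is given below as an added reference example; it is not the instructor's configuration. It assumes port1 is the WAN, port2 is the LAN and the tunnel is named VPN-to-Site2; site 2 mirrors it with the two gateways, the two subnets and the policy interfaces swapped.

```fortios
# Added example: Site1 FortiGate CLI equivalent of the GUI steps in this lecture.
# Assumed names: port1 = WAN (1.1.1.1), port2 = LAN (192.168.1.10), tunnel "VPN-to-Site2".
config vpn ipsec phase1-interface
    edit "VPN-to-Site2"
        set interface "port1"
        set ike-version 1
        set mode main
        set peertype any
        set net-device disable
        # DES/MD5 is what the unlicensed lab unit offers; licensed units also list AES/SHA
        set proposal des-md5
        set dhgrp 5
        # nothing in the lab path does NAT, so NAT traversal stays off
        set nattraversal disable
        set dpd on-demand
        set remote-gw 2.2.2.2
        set psksecret 123456
    next
end
config vpn ipsec phase2-interface
    edit "VPN-to-Site2"
        set phase1name "VPN-to-Site2"
        set proposal des-md5
        set pfs enable
        set dhgrp 5
        set replay enable
        set auto-negotiate enable
        # the selectors the lecture adds afterwards with the pencil icon
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
config router static
    # default route towards the Internet router (gateway 1.1.1.2)
    edit 1
        set gateway 1.1.1.2
        set device "port1"
    next
    # route-based VPN: the remote LAN goes into the tunnel interface
    edit 2
        set dst 192.168.2.0 255.255.255.0
        set device "VPN-to-Site2"
    next
    # blackhole with the worst distance: when the tunnel is down the route above
    # is withdrawn and this one drops the traffic instead of sending it out the WAN
    edit 3
        set dst 192.168.2.0 255.255.255.0
        set blackhole enable
        set distance 254
    next
end
config firewall policy
    edit 1
        set name "LAN-to-VPN"
        set srcintf "port2"
        set dstintf "VPN-to-Site2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
    edit 2
        set name "VPN-to-LAN"
        set srcintf "VPN-to-Site2"
        set dstintf "port2"
        set srcaddr "all"
        set dstaddr "all"
        set action accept
        set schedule "always"
        set service "ALL"
        set logtraffic all
        set nat disable
    next
end
```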
