NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 27
May 3, 2023

73. Lecture-73: Site-to-Site IPsec Policy-Based VPN Lab.

In this lecture we discuss the two kinds of site-to-site VPN: policy-based VPN and route-based VPN. So far we have done route-based VPN, in two ways, manually and template-based. Now there is also the policy-based site-to-site VPN. What is policy-based? Policy-based VPN is sometimes also called tunnel-mode VPN. With a policy-based VPN we need only one policy, and that one policy works for both directions. These are the major differences between policy-based and route-based VPN. So we have already done route-based VPN in two different ways.

Policy-based VPN is available in NAT mode and also in transparent mode, whereas route-based VPN is not available in transparent mode. That is another advantage of policy-based VPN. L2TP VPN is allowed for both. GRE is not possible with policy-based VPN, because GRE needs an IP address assigned, and policy-based VPN does not do that. As for the number of policies, with policy-based VPN we need only one policy; with route-based we need at least two, and if you have more traffic you create more policies. So that is the major difference between policy-based VPN and route-based VPN, and we have already done route-based VPN in two different ways. Now, coming to the policy-based site-to-site VPN, we will use the same topology, but you will feel the difference now.

So we are in the same topology. On this side we have a firewall with 192.168.1.0 on the LAN and 1.1.1.1 on the WAN. On the other side, 2.2.2.2 is the WAN and 192.168.2.0 is the LAN. Both are connected for management with a 100 IP. Here we have server 1 and here server 2; here we have PC 1 and here PC 2. The gateway for these is 200 and the gateway for these two systems is 100. This is our internet router: on this side we configured 1.1.1.2 and on the other side 2.2.2.1. Now let me remove the existing VPN. If I try to remove it (go to VPN, this one), it says it is used by four different references. I need to remove the references before Delete becomes available, so click on References. Two are used in policies; yes, we created two policies. Those two policies are in use, so remove them. Then it is used by two routes, you remember; remove those too. Then you can delete the site-to-site phase 2.

And now you can delete this site-to-site VPN properly. If you go to Policy & Objects, nothing is there; everything is gone. You can either come here or delete everything from one spot. Now let's go to the other firewall and delete everything there as well, because we need a different type of site-to-site VPN. Go to Policy & Objects, then VPN, IPsec Tunnels; Delete is not available. Click on References (sorry, I clicked Show by mistake). Let me go to the proper page and click on References: choose the two policies and delete, then the one, then the two routes we created, delete, then phase 2, delete, then phase 1, delete, and that's it. Choose and delete. Now nothing is there. Again this PC will not be reachable; before it was pinging. Yes, look at it, it's not pinging. On the other side it was pinging just before we tested; now it's not working again, because there is no route. But through the VPN we can make them look local. This time we will do it with a policy-based VPN. Where is policy-based VPN? It is not enabled by default.

Go to System, then Feature Visibility. Some features are not available and not visible. So go to Feature Visibility and choose Policy-based IPsec VPN, this one. As mentioned here, when you enable it, under VPN you will see VPN policies and some other things. So choose it and click Apply. Now if you come to VPN you will see that IPsec Concentrator is there. If you go to the other firewall, there is no IPsec Concentrator. Can you see IPsec Concentrator? No, because it's not enabled. So on the other firewall go to System, click Feature Visibility and choose Policy-based IPsec VPN. Now you will see the difference: there is an extra item, IPsec Concentrator. But how do we configure it? Again we will use the tunnel, either the IPsec Wizard or, from IPsec Tunnels, Create New, which goes to the wizard. So either come here or from here. So what is the difference? I will show you the difference. The name of the VPN is VPN-to-site2.

Again I choose Custom and click Next. Up to this point we did the same last time as well, but last time this option was not available. When I removed the policy-based setting and clicked the IPsec Wizard, this option was not there. Let me click, give any name, Next; OK, let me go back to Custom, Next. Can you see that sentence here? No. Here, look under the comment, there is another comment, so it's not here, because it only appears when you enable the feature. Go to Settings, sorry, Feature Visibility, and when you enable it, you will see that sentence. What is policy-based? This one, OK. Now when you go to VPN, IPsec Wizard, give any name, Custom, and click, you will see that sentence is now available. So now let's go to site 1. We know that when you enable policy-based VPN you will see this and IPsec Concentrator; these two things will be visible. So I give it the name VPN-to-site2. Now you need to uncheck this option to make it policy-based. Then Remote IP: the remote IP is 2.2.2.2 and the interface is WAN. If you want your local IP, mine is 1.1.1.1; otherwise there is no need, it's OK.

So this is the public IP, reached through this WAN interface, and this is my local IP. Again NAT traversal: no need, disable it. Dead peer detection: whatever, I already mentioned these. Click Advanced: no need for anything. Pre-shared key 123456, which we used last time as well. Up to this point everything is similar. Mode: you choose aggressive mode or main mode, six packets or three packets, version 1 or version 2. No need for so many things: choose DES, choose MD5, choose Diffie-Hellman group 5, the lifetime, and go to phase 2. In phase 2 my local subnet is 192.168.1.0/24, which will reach 192.168.2.0/24. Click Advanced. I don't need so many things, I just need one: DES for encryption, MD5, and Diffie-Hellman group 5. All local ports, all remote ports, all protocols, auto-negotiate if you want to enable it, and the lifetime of phase 2; that's it. So what is the difference? Whatever I did in the route-based VPN, I did the same thing here, except that I unchecked this one. Done.

Now go to Policy & Objects, IPv4 Policy. In the route-based VPN I created two policies; here I will create only one policy, LAN to VPN, or rather there is no LAN-to-VPN interface here, so a LAN-to-WAN policy like a normal policy. LAN to WAN; as source you can specify anything. In my case I say all, for test purposes, all. But there is a third difference. Did you see this before? IPsec. Now there is an IPsec action in the policy; before it was not available. Go back and watch my video: there was no IPsec option available, but after enabling policy-based VPN, now in the policy I have IPsec. So rather than Accept or Deny, I say IPsec. Then it says: if you use IPsec, tell me your tunnel details. So I say VPN-to-site2, which I just created here. And it asks: do you want to allow traffic to be initiated from the remote site? Yes, it can be initiated from them or from us, and our session. So this is the third difference between route-based VPN and policy-based VPN. I unchecked that one.

Then I saw the IPsec Concentrator, then in the policy I saw a different thing, and also I created only one policy and no route. In the route-based VPN I created two different policies. OK, that's it. I do not need to create a route; last time I created two routes there as well. Let me show you one thing more: if I go to Interfaces and WAN, yes, that is on the other one, not on this one. OK, so now this side is almost done. Now let's do the same thing on the other side. What I need I have already enabled. OK, one thing more: go to VPN and click IPsec Concentrator, Create New, give it any name, VPN, and choose the tunnel we just created, OK. This is another step in a policy-based site-to-site VPN. Now let's do the other site. Go to the IPsec Wizard; this time I say VPN-to-site1, Custom, Next. Uncheck this one. One change: choose the opposite IP, 1.1.1.1, going through the WAN interface.

My local IP is 2.2.2.2. NAT traversal is not there. Dead peer detection: I don't care. I don't care about anything in Advanced. Pre-shared key 123456. Let me verify we are using main mode. I just need one: DES and MD5, and DH group 5 for the Diffie-Hellman group. In phase 2 my local subnet is the opposite, 192.168.2.0/24, and the remote is 192.168.1.0/24. Click Advanced; remove all of them, just choose DES for phase 2 and Diffie-Hellman group 5, keep everything else, keepalive and so on, OK. Go to IPsec Concentrator, Create New.

Give it any name and choose your tunnel, this one, OK. Now I just need one policy. Go to Policy & Objects and create a new policy, LAN to WAN, like a normal policy: traffic from LAN to WAN, source can be anything, destination can be anything, services can be anything, but the action will be IPsec. When I choose IPsec, it says: tell me your VPN settings. I say this one, and all sessions, OK. Let's see if everything is correct; it should ping. Now let me go to the routes; maybe I did something wrong in the routes. So let's go to Static Routes: no need for this one, that one is enough. By the way, let me go to Network, Static Routes, blackhole. So maybe I left out the last thing, maybe I missed something. Let me go through it quickly. We've done this one.

OK, interfaces we already configured. VPN setup: we enabled it. Then we customized it, 2.2.2.2; we did this part, the pre-shared key, we did it. OK, then we did phase 2, then we chose from here, then we created the LAN-to-WAN policy. But the local subnet: we need to put it in, and by the way I will change this local subnet. Allow traffic to... OK, on the other side I did not allow the local subnet, and on site 2 I remember, so let me go to the policy. Because I'm generating traffic from site A, that can be the issue. So let's go to Policy & Objects and the policy I created; I forgot to click this one. You remember I told you this one allows traffic to be initiated from the remote site. I'm initiating from the other side, so that can be the issue. Let me quickly do it and check. OK, still not reachable, so that was not the issue. Let's figure out another issue. We've done this one.

OK, by the way, the only other possibility is these subnets, so I will create the subnets quickly. Let's see if I left something; I'm just wondering if I missed something, because we don't need a route here, this is policy-based, so that can be the only thing. So let's go to this LAN-to-WAN policy. Instead of all for my local subnet, let me create a local subnet address. So my local subnet, change the color, whatever you want, and my local subnet is 192.168.1.0/24; let me copy this one, and it can come from the LAN. OK, and static route, no need. So instead of all I need to put the local subnet, and for the destination I need to create a new address. This is the remote VPN subnet, so the remote is 192.168.2.0/24, and it can be on any interface; leave it. So choose this one, OK, and always, all, anything, LAN to WAN, it's OK. OK, sorry, I made a mistake: this is site 2, so it should be the opposite, because this is site 2. This is local, so let me change them. My remote is this one and I did the local wrong. They should be like this; sorry, where is local? Because this is site 2.

So on site 2, there is the IP. OK, so let me change it; the local is not showing for me, so let me create them. There is the address group. Just give me two minutes to fix this issue. The addresses we created here, let me change them; I did them wrong by mistake: local is 2, OK, and remote is 1. It has to be like this. If I go to the policy now, let me correct them. So local is the LAN; the LAN is subnet 2, because I'm on site 2, and remote is... OK, I see it's not showing here because maybe we chose not to show it, so click on this one, Show in address list. By the way, it has to show, and it should be on WAN, OK? And any; by the way, it has to show me remote. And now let's go to the policy: from LAN, local subnet 2, to WAN, remote subnet 1; now it's correct. Accept and initiate. Now let's do the other side's policy and correct that policy. Go to the policy, because you mentioned only these subnets, so you have to mention them.

So instead of all, just type the addresses for site A: this is the local subnet, and our local subnet is 1, this one, and it can be any interface, OK? And this should be the remote VPN address; let's call it remote. We don't care what the name is, you just need to understand, OK? And this is remote. So local to remote, and this one, initiate, OK. Now the last thing is to test it. Let's go to VPN and try from here. What is the issue? It's down; refresh, still down. That means the issue is inside the VPN. So let me go to IPsec Tunnels, edit this VPN and verify everything. Our static gateway is 1, local is 1.1.1.1, correct. Authentication is pre-shared key, 123456 if you try to see it, aggressive mode, MD5, and the local subnet is 1 and this is 2. So that side is OK. Now let's go to VPN on the other side, IPsec Tunnels, double-click to edit. Static IP 1.1.1.1 and ours is 2.2.2.2. OK, we changed this one to port 1. Primary IP is 2.

This is disabled authentication; we have a doubt about authentication. So let me retype 123456 and verify; authentication is disabled too, and go to 1.1.1.1. I believe it's OK, so let's try again. Still the same. Let's go to the concentrator: OK, it's fine, and here it's also fine. Let me try here. OK, let's try from the other side: ping 192.168.1.1. Both sides are not working. OK, let me check the IPsec tunnel just to double-check. OK, policy; and we need one route. Maybe the issue is the route as well; maybe the route got deleted. No, it's there: everything goes to 1.1.1.2, yes, it's correct. Let's go to the other route. This is the only thing we need to check, maybe this is the issue, and it goes to 2.2.2.1. So as far as the configuration goes, LAN to WAN, we checked this one, and if we try it should reach, but we don't have Wireshark to see what the issue is, unfortunately. So let me go up and look at the configuration. Yes, it's OK: IPsec tunnel, pre-shared key, WAN, enabled, VPN, custom, we enabled it, and this is the route we configured. Yes, it's correct. So what else can the issue be? Maybe some issue in the topology? No. OK, by the way, yes: last time mine was not working and I pressed a button called Bring Up. You bring it up manually, and when I pressed it, it worked. So let me try, yes, sometimes... go to VPN, no, there is, OK.

No, it's OK. I don't think so; bring up all phases. No. If I click on both here, IPsec tunnel, sorry, the monitor one, everything looks OK for some reason, but I think there is something wrong in our configuration. Let me see again. Still no. So let's verify again here: what is the IPsec tunnel, and if I click Edit, or let me do one thing, Edit is OK, no need to delete them. So let's edit this one: static IP, reach 1.1.1.1, local gateway 2.2.2.2. NAT is not there. Advanced, no need. OK, authentication: we are using pre-shared key, MD5 and Diffie-Hellman group 5. OK. And phase 2: 192.168.2 to 1, yes, this is here; this one is also correct. And maybe we chose something different. Yes, this is SHA. OK, so this is SHA1, and on the other side we configured... let me go there. I think so: here we chose MD5. Yes. So this was the issue. And now if we try again, it's OK now. So now from server 1 to server 2, 2.2.2.2, and from this side to server 1, both sides now work, and it will become green. Now it's OK. If we go to Monitor, IPsec Monitor, it's green and everything is OK. So the only issue was that you are using a different method there and a different method here; it will not work. It has to be the same, I think. OK, so this is called policy-based. Why? Because we configure everything in the policy. If we go to Policy & Objects, IPv4 Policy...
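As an added example (not part of the lecture and not Fortinet's own tooling), the script below renders both ends of the lab's policy-based VPN as FortiOS CLI text, the CLI equivalent of the phase 1, phase 2 and IPsec-action policy steps above, and then checks the two sides against each other for the things that broke in this lab: a phase 2 proposal of MD5 on one side and SHA1 on the other, the "allow traffic to be initiated from the remote site" option left unticked, and local/remote subnets or gateways that are not mirrored. The tunnel names, the interface names wan1 and lan, the addresses and the key 123456 are constructed sample values matching the lab topology, and the parser is a deliberately minimal one for this shape of CLI output.

```python
# Added example: build both ends of a FortiGate policy-based IPsec VPN as
# FortiOS CLI text and check them for mismatches. All names/addresses are
# constructed sample values, not taken from a real device.

def site_config(name, local_gw, remote_gw, local_net, remote_net,
                p1_proposal="des-md5", p2_proposal="des-md5", inbound="enable"):
    # One side's policy-based VPN: phase1, phase2 and the single IPsec policy.
    return f'''
config vpn ipsec phase1
    edit "{name}"
        set interface "wan1"
        set mode main
        set proposal {p1_proposal}
        set dhgrp 5
        set local-gw {local_gw}
        set remote-gw {remote_gw}
        set psksecret 123456
    next
end
config vpn ipsec phase2
    edit "{name}-p2"
        set phase1name "{name}"
        set proposal {p2_proposal}
        set pfs enable
        set dhgrp 5
        set src-subnet {local_net}
        set dst-subnet {remote_net}
    next
end
config firewall policy
    edit 1
        set srcintf "lan"
        set dstintf "wan1"
        set action ipsec
        set vpntunnel "{name}"
        set inbound {inbound}
        set outbound enable
    next
end
'''

def parse_fortios(text):
    # Minimal 'config / edit / set / next / end' parser -> {section: {entry: {key: value}}}
    result, section, entry = {}, None, None
    for raw in text.splitlines():
        line = raw.strip()
        if line.startswith("config "):
            section, entry = line[7:], None
            result.setdefault(section, {})
        elif line.startswith("edit "):
            entry = line[5:].strip('"')
            result[section][entry] = {}
        elif line.startswith("set "):
            key, _, value = line[4:].partition(" ")
            result[section].setdefault(entry or "", {})[key] = value.replace('"', "")
        elif line == "next":
            entry = None
        elif line == "end":
            section = None
    return result

def check_tunnel(local_text, remote_text):
    # Return a list of mismatches between the two ends; [] means they agree.
    local, remote = parse_fortios(local_text), parse_fortios(remote_text)
    l1, r1 = (next(iter(c["vpn ipsec phase1"].values())) for c in (local, remote))
    l2, r2 = (next(iter(c["vpn ipsec phase2"].values())) for c in (local, remote))
    problems = []
    # Phase 1: proposal, DH group, mode and pre-shared key must be identical.
    for key in ("proposal", "dhgrp", "mode", "psksecret"):
        if l1.get(key) != r1.get(key):
            problems.append(f"phase1 {key}: {l1.get(key)} vs {r1.get(key)}")
    # Gateways must mirror: my remote-gw is their local-gw and vice versa.
    if (l1.get("remote-gw"), l1.get("local-gw")) != (r1.get("local-gw"), r1.get("remote-gw")):
        problems.append("phase1 gateways are not mirrored")
    # Phase 2: same proposal and PFS group; the selectors must mirror.
    for key in ("proposal", "pfs", "dhgrp"):
        if l2.get(key) != r2.get(key):
            problems.append(f"phase2 {key}: {l2.get(key)} vs {r2.get(key)}")
    if (l2.get("src-subnet"), l2.get("dst-subnet")) != (r2.get("dst-subnet"), r2.get("src-subnet")):
        problems.append("phase2 selectors are not mirrored")
    # Policy-based specifics: one policy with action ipsec per side, bound to
    # that side's phase1, with inbound enabled so the peer may initiate.
    for label, cfg in (("local", local), ("remote", remote)):
        p1name = next(iter(cfg["vpn ipsec phase1"]))
        pols = [p for p in cfg.get("firewall policy", {}).values() if p.get("action") == "ipsec"]
        if len(pols) != 1:
            problems.append(f"{label}: expected one IPsec policy, found {len(pols)}")
            continue
        if pols[0].get("vpntunnel") != p1name:
            problems.append(f"{label}: policy tunnel {pols[0].get('vpntunnel')} != phase1 {p1name}")
        if pols[0].get("inbound") != "enable":
            problems.append(f"{label}: inbound disabled, remote site cannot initiate")
    return problems

SITE1 = site_config("VPN-to-site2", "1.1.1.1", "2.2.2.2",
                    "192.168.1.0 255.255.255.0", "192.168.2.0 255.255.255.0")
# Site 2 as first built in the lab: SHA1 on phase 2 and inbound left disabled.
SITE2_BROKEN = site_config("VPN-to-site1", "2.2.2.2", "1.1.1.1",
                           "192.168.2.0 255.255.255.0", "192.168.1.0 255.255.255.0",
                           p2_proposal="des-sha1", inbound="disable")
SITE2_FIXED = site_config("VPN-to-site1", "2.2.2.2", "1.1.1.1",
                          "192.168.2.0 255.255.255.0", "192.168.1.0 255.255.255.0")
```

Running `check_tunnel(SITE1, SITE2_BROKEN)` reports the phase 2 proposal mismatch (des-md5 vs des-sha1) and the disabled inbound direction on site 2, while `check_tunnel(SITE1, SITE2_FIXED)` returns an empty list. The same check can be pointed at the text of `show vpn ipsec phase1`, `show vpn ipsec phase2` and `show firewall policy` collected from two real units, which is faster than re-reading each dialog in the GUI as the lab had to do.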

OK, so we configure IPsec inside the policy here. Also there is no route needed. Also we create only one policy rather than two. Also we did not create any extra route like in a route-based VPN. Also you can apply this in both modes, transparent mode and NAT mode; in both modes you can apply this site-to-site VPN, but route-based VPN cannot be, as I mentioned with all the details we discussed here. This is the difference between these two. Then we verified that everything is OK. So this was the policy-based site-to-site VPN.
