Smoothwall (VPNs)


::::3 types of VPN::::
1.IPSec
2.L2TP
3.SSL

::::2 ways to connect VPNs::::
1.subnets i.e. site to site
2.roadwarrior i.e. client to site/remote access vpn

::::4 options on smoothwall for VPNs::::
1.IPSec subnets (for site to site vpn)
2.IPSec roadwarrior (for client to site/remote access vpn)(windows/MacOSX/linux)
3.L2TP roadwarrior (for client to site/remote access vpn)(windows/iOS/Android)
4.SSL roadwarrior/OpenVPN (for client to site/remote access vpn)
(grant access to local network to individual users)
(based on OpenVPN)(need OpenVPN client software installed on the machine)
(windows/MacOSX/linux/Android/iOS)
(this is the most widely used VPN type)
(integrated with the AD and user login using the directory credentials)
(SSL VPN is the most appropriate solution if more than 10 clients use the VPN service, as L2TP and IPSec require manual setup per client)

::::SSL VPN Server Setup::::
(smoothwall uses certificates for identification and security purposes)
(e.g. CAs are VeriSign or GlobalSign)

1. create a self-signed CA. (VPN » VPN » Certificate authorities)
(only one CA is required to generate all the certificates. So only one device can be used to generate certificates for all)
2. create a self-signed certificate for OpenVPN. (ID type and ID value) (VPN » VPN » Certificates)
(3 ID types: 1.host and domain(FQDN) 2.IP address 3.email address(user FQDN))
(use host and domain name type)
(follow naming convention in your environment)
3. set the newly created certificate as the default local certificate for smoothwall (VPN » VPN » Global)
4. SSL VPN settings
Enable SSL VPN:
transport protocol: TCP(HTTPS)(port 443 cannot have any port forwards on the primary IP)
SSL VPN network address: (virtual network)
(SSL VPN has a virtual network setup, whereas all other types of VPN gets the IP from the local LAN)
(setting the DNS is very important in case of SSL VPN as clients don’t get an IP inside the LAN and accessing resources is not possible unless configured)
(also setup zone bridging rule for SSL VPN to access the internal resources)
Force clients to use SSL VPN as gateway: (to filter all openvpn client traffic)
SSL VPN client gateway(s): (If the UTM firewall is behind another firewall)
5. L2TP and SSL VPN client configuration settings
Primary and secondary DNS: (internal DNS server)
6. save and then restart.
7. Now the SSL VPN server will be ready to accept incoming client VPN connections.
8. Generate client archive: (downloads all config files and the Windows OpenVPN client)
(need admin privileges on windows system to install this client)
9. Open the OpenVPN client and connect.
(users are authenticated using the AD connection or through local user database if no AD user is detected)
(tunnelblick on MacOSX and Linux can also use these configuration files)(https://code.google.com/p/tunnelblick/)
(OpenVPN client on iOS and Android can also use these config files)
10. check if the user is allowed to connect at all. (VPN » VPN » SSL roadwarriors)
(by default all the groups should be allowed to connect)
(select group->untick enable under SSL VPN group settings->save)
11. allow the OpenVPN clients access to the resources that the user can access on the local network.
(Networking » Filtering » Zone bridging)
source interface: SSL VPN
destination interface: e.g. port1-LAN
src/dst IP
service/port
(add)
12. if there are issues connecting, the OpenVPN logs on the client and on the Smoothwall will indicate the problem.
(RealTime- Logs and reports » Realtime » System -> section->SSL VPN)
(Static- Logs and reports » Logs » System-> section->SSL VPN)
13. to check the active VPN connections.
(VPN » VPN » Control->SSL road warriors)
(roadwarrior connections can be disconnected using this control, but clients need to reconnect themselves)

(can also be used to restart the whole VPN engine)(VPN » VPN » Control->Manual control->restart)

::::IPSec VPN (site to site VPN)::::
(e.g. connecting main office to the branch office)

1. create a self-signed CA. (VPN » VPN » Certificate authorities)
(only one CA is required to generate all the certificates. So only one device can be used to generate certificates for all)
2. create a self-signed certificate for IPSec VPN. (ID type and ID value) (VPN » VPN » Certificates)
(3 ID types: 1.host and domain(FQDN) 2.IP address 3.email address(user FQDN))
(use host and domain for IPSec tunnel) (does not have to be a registered domain name)
(follow naming convention in your environment)
(create one certificate for the main office and another for the branch office)
(hub.vpn.test and branch01.vpn.test)
3. set the newly created certificate as the default local certificate for smoothwall (VPN » VPN » Global)
(e.g. the main Hub VPN)
4. save and then restart.
5. Create a Tunnel on the main office:
(VPN » VPN » IPSec subnets)
Name: Tunnel to Branch01
Enabled: ticked
Local IP: blank by default, which means the external IP; here 1.1.1.3
Local network: (192.168.2.0/24)(network to tunnel data from)(or supernetting 192.168.0.0/16)(or create multiple tunnels)
Local ID type: default local certificate ID
Local ID value:
Remote IP or hostname (blank for ANY): 1.1.1.4
Remote network: 192.168.4.0/24
Remote ID type: user specified host and domain name
Remote ID value: branch01.vpn.test
Authenticate by: (certificate presented by the peer)
Initiate the connection: ticked (untick if this end is behind NAT)
(add)
6. Export the CA in pem file format:
(VPN » VPN » Certificate authorities)
7. Export the certificate in pem file format:
(VPN » VPN » Certificates)
(enter password)
(export certificate and key as PKCS#12)
(contains both public and private keys)
8. Import CA created on the main UTM CA to the branch office UTM:
(VPN » VPN » Certificate authorities)
(it will not be marked as a local CA)
9. Import certificate created on the main UTM CA to the branch office UTM:
(VPN » VPN » Certificates)
(it will not be marked as a local CA)
10. set the newly imported certificate as the default local certificate for smoothwall (VPN » VPN » Global)

11. save and restart.

12. Create a Tunnel on the branch office:
(VPN » VPN » IPSec subnets)
Name: Tunnel to main office
Enabled: ticked
Local IP: blank by default, which means the external IP; here 1.1.1.4
Local network: 192.168.4.0/24 (network to tunnel data from)(192.168.2.0/24)(or supernetting 192.168.0.0/16)(or create multiple tunnels)
Local ID type: default local certificate ID
Local ID value:
Remote IP or hostname (blank for ANY): 1.1.1.3
Remote network: 192.168.2.0/24
Remote ID type: user specified host and domain name
Remote ID value: hub.vpn.test
Authenticate by: (certificate presented by the peer)
Initiate the connection: ticked (untick if this end is behind NAT)
(add)
13. Bring up the tunnel:
(VPN » VPN » Control->Manual control->Running(green))
(VPN » VPN » Control)(IPSec subnets->up->Open(green))
14. Now configure network access rules:
(Networking » Filtering » Zone bridging)
15. check the logs for any problems on the main office UTM:
(2 phases to complete in the tunnel)
(phase 1 is IKE (Internet Key Exchange): manages the initial contact and identity exchange)
(starts from initiating main mode and finishes at ISAKMP SA established)
(phase 2 is IPSec phase, where the routing is sorted out and the tunnel is established)
(starts from the Quick mode, then tunnel negotiation and then finishes at IPSec SA established)
(Logs and reports » Realtime » IPSec)

16. check the logs for any problems on the branch office UTM:
(2 phases to complete in the tunnel)
(phase 1 is IKE (Internet Key Exchange): manages the initial contact and identity exchange)
(responds to the main mode and finishes at ISAKMP SA established)
(phase 2 is IPSec phase, where the routing is sorted out and the tunnel is established)
(responds to the Quick mode, then tunnel negotiation and then finishes at IPSec SA established)
(Logs and reports » Realtime » IPSec)
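The two-phase progression checked in steps 15 and 16 can be classified mechanically. This is an added example, not code from the post or from Smoothwall: it scans constructed log lines written in the style of the pluto IKE daemon (an assumption about Smoothwall's IPSec engine) and reports, per tunnel, the furthest milestone reached and where to look if it stalled; tunnel names, ciphers and SPIs are made up.

```python
import re

# Constructed sample log in the style of the pluto IKE daemon Smoothwall's IPSec
# engine is based on (an assumption); tunnel names, ciphers and SPIs are made up.
SAMPLE_LOG = """\
"Tunnel to Branch01" #1: initiating Main Mode
"Tunnel to Branch01" #1: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_128 prf=oakley_sha group=modp1536}
"Tunnel to Branch01" #2: initiating Quick Mode RSASIG+ENCRYPT+TUNNEL+PFS+UP
"Tunnel to Branch01" #2: IPsec SA established tunnel mode {ESP=>0x1a2b3c4d <0x5e6f7a8b}
"Tunnel to Branch02" #3: initiating Main Mode
"Tunnel to Branch02" #3: we require peer to have ID 'branch02.vpn.test', but peer declares 'branch2.vpn.test'
"Tunnel to Branch03" #4: responding to Main Mode from 1.1.1.9
"Tunnel to Branch03" #4: ISAKMP SA established {auth=OAKLEY_RSA_SIG cipher=aes_256 prf=oakley_sha group=modp1536}
"Tunnel to Branch03" #5: cannot respond to IPsec SA request because no connection is known for 192.168.9.0/24
"""

LINE_RE = re.compile(r'^"(?P<name>[^"]+)" #\d+: (?P<msg>.*)$')
# Milestones in the order the notes describe: phase 1 (IKE) then phase 2 (IPsec).
MILESTONES = [
    (re.compile(r"(initiating|responding to) Main Mode"), 1),
    (re.compile(r"ISAKMP SA established"), 2),
    (re.compile(r"(initiating|responding to) Quick Mode"), 3),
    (re.compile(r"IPsec SA established"), 4),
]
# Where to look when a tunnel stalls at a given milestone.
DIAGNOSIS = {
    0: "no negotiation seen: check Enabled, Remote IP and the firewall in between",
    1: "phase 1 failed: check the imported CA, the certificate and the Remote ID value",
    2: "phase 2 failed: check Local/Remote network and the proposals",
    3: "phase 2 failed: check Local/Remote network and the proposals",
    4: "ok: IPsec SA established",
}

def tunnel_progress(log_text):
    """Return {tunnel name: highest milestone (0-4) seen in the log}."""
    progress = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        name, msg = m.group("name"), m.group("msg")
        progress.setdefault(name, 0)
        for pattern, level in MILESTONES:
            if pattern.search(msg):
                progress[name] = max(progress[name], level)
    return progress

def diagnose(log_text):
    return {name: DIAGNOSIS[level] for name, level in tunnel_progress(log_text).items()}
```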

(if a 3rd-party device is used at the branch office, the advanced options are used)
(VPN » VPN » IPSec subnets)(a 3rd-party device may support multiple proposals)
Local certificate:
Interface:
Perfect forward secrecy: ticked / DH(diffie hellman)
Authentication type: ESP(encapsulating security payload)
Phase 1 cryptographic algo: 3DES/AES 128/AES 256
Phase 1 hash algo: MD5/SHA
Phase 2 cryptographic algo: 3DES/AES 128/AES 256
Phase 2 hash algo: MD5/SHA
Key Life (mins): (does not have to match on the peer; how often the tunnel is renegotiated)
Key Tries (0 means never give up): (attempts to bring up the tunnel if down)
Do not rekey: unticked (used if behind NAT)
Local internal IP:

(an IPSec VPN with multiple locations and subnets needs a proper routing plan)
(if the same subnet is used at two locations, its traffic cannot be routed)
(multiple subnets cannot be added to the same tunnel config, but separate tunnels can be created with different subnets)
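A small planning check for the routing constraints above, as an added example that is not part of the original notes: it flags subnets that appear at two sites (or that overlap the SSL VPN virtual network) and expands a hub-and-spoke plan into one IPSec subnets entry per subnet pair. The site table reuses the hub/branch01 addresses from the notes; branch02 and the 10.8.0.0/24 SSL VPN network are assumed values.

```python
import ipaddress
from itertools import combinations

# Constructed site plan using the notes' example addresses (hub 192.168.2.0/24 at 1.1.1.3,
# branch01 192.168.4.0/24 at 1.1.1.4); branch02 and the SSL VPN virtual net are assumptions.
SITES = {
    "hub":      {"external": "1.1.1.3", "subnets": ["192.168.2.0/24"]},
    "branch01": {"external": "1.1.1.4", "subnets": ["192.168.4.0/24"]},
    "branch02": {"external": "1.1.1.5", "subnets": ["192.168.5.0/24", "192.168.4.0/24"]},
}
SSL_VPN_NET = "10.8.0.0/24"  # virtual network handed to OpenVPN roadwarriors (assumed)

def routing_conflicts(sites, ssl_vpn_net):
    """Pairs of overlapping subnets at different sites (or with the SSL VPN net).
    Traffic for a subnet that exists at two locations cannot be routed."""
    nets = [(site, ipaddress.ip_network(s)) for site, cfg in sites.items() for s in cfg["subnets"]]
    nets.append(("ssl-vpn", ipaddress.ip_network(ssl_vpn_net)))
    return [(a, str(na), b, str(nb)) for (a, na), (b, nb) in combinations(nets, 2)
            if a != b and na.overlaps(nb)]

def hub_spoke_tunnels(sites, hub="hub", domain="vpn.test"):
    """One 'IPSec subnets' entry per (hub subnet, branch subnet) pair, because a
    single tunnel config holds one local and one remote network."""
    tunnels = []
    for site, cfg in sites.items():
        if site == hub:
            continue
        for local in sites[hub]["subnets"]:
            for remote in cfg["subnets"]:
                tunnels.append({
                    "name": f"Tunnel to {site} {remote}",
                    "local_ip": sites[hub]["external"], "local_network": local,
                    "remote_ip": cfg["external"], "remote_network": remote,
                    "remote_id": f"{site}.{domain}",  # must match the FQDN in the branch certificate
                })
    return tunnels
```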

::::L2TP roadwarrior::::
(requires a certificate for each client and a static IP allocated to the connection)

1. Create a certificate:
VPN » VPN » Certificates
(the only difference while creating the certificate is to set the ID type as the email address and the ID value as the email address)
(easy to identify which certificate was created for which user)
2. export the CA and the certificate and import them on the client.
3. check the settings in the global area:
VPN » VPN » Global->L2TP and SSL VPN client configuration settings-> primary and secondary DNS
L2TP settings->L2TP client internal interface:
4. setup a new connection for the user:
VPN » VPN » L2TP roadwarriors-> Create new tunnel
Name:
Enabled:
Client IP: (IP that the client will be receiving when the client connects)
username:
password:
Authenticate by: (select the certificate we created)
L2TP client OS: Microsoft
Local certificate: default
Interface: primary (expect the incoming connection on the primary external connection)
5. L2TP wizard application on windows can be downloaded from the smoothwall’s website:
6. run L2TP wizard as an admin:
CA.pem and certificate.p12
IP address->username and password
(multiple users cannot connect if they are coming from the same IP address)
(a pre-shared key can be used instead of the certificate for L2TP, e.g. for mobile devices)

Posted on May 12, 2014, in Smoothwall.