Internet access through central site over IPSec VPN

Usually remote sites have local internet access, but in some cases you want to route all traffic, including internet traffic, through the central site. For that you can use MPLS services, or you can go with a site-to-site IPSec VPN over the internet. This means that all traffic from the remote site is put into the IPSec VPN tunnel.

The benefit of doing that is better control over traffic: you can monitor all your internet traffic in one location, and additional services like AntiVirus, IPS, IDS, proxy, DLP, etc. are implemented in one location.

In the example below I will cover how to route all traffic from the remote sites through a site-to-site IPSec VPN over the internet to the central (Data center) site.

NETWORK DIAGRAM

Picture legend:

  • red and blue lines represent internet access for the remote sites
  • green line represents communication between Site A and Site B through the Data center site
  • all traffic between the Data center site and the remote sites is routed through the site-to-site IPSec VPN

Data center SRX configuration notes:

  • For Site B configure the correct Proxy-ID for the IPSec VPN (the proxy-identity lines under security ipsec vpn VPN1-SiteB in the config below; the ASA derives its Proxy-ID from the crypto map ACL, so the two must match)
  • To allow communication between Site A and Site B, configure a hairpin firewall policy (the from-zone VPN to-zone VPN policy in the config below)

Site A SRX configuration notes:

  • The SRX is configured for route-based IPSec VPN, which means that you instruct the SRX with routes which traffic to put into the IPSec VPN.
  • For this reason an additional routing instance is needed: with the default route pointing into st0.0, the SRX's own IKE/ESP packets to the Data center need a separate table with a default route towards the ISP. The additional routing instance (WAN, see routing-instances WAN in the config below) is used for WAN connectivity and the default routing instance is used for the private network and the IPSec VPN.


FIREWALL INTERFACE SETTINGS

Config \ Firewall    SRX Datacenter    SRX Site A       ASA Site B
Public interface     ge-0/0/0          ge-0/0/0         outside
Public IP            1.1.1.1           2.2.2.2          3.3.3.3
Private interface    ge-0/0/1          ge-0/0/1         inside
Private subnet       10.0.0.0/24       172.30.1.0/24    192.168.1.0/24

SRX Datacenter configuration

edit interfaces st0 
set unit 0 description "VPN TO SiteA"
set unit 0 family inet
set unit 1 description "VPN TO SiteB"
set unit 1 family inet

edit routing-options static
set route 172.30.1.0/24 next-hop st0.0
set route 192.168.1.0/24 next-hop st0.1

edit security ike proposal IKE-Proposal-SiteA 
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc

edit security ike proposal IKE-Proposal-SiteB
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc
set lifetime-seconds 86400

edit security ike policy IKE-POLICY-SiteA
set mode main
set proposals IKE-Proposal-SiteA
set pre-shared-key ascii-text "Bingo1"

edit security ike policy IKE-POLICY-SiteB
set mode main
set proposals IKE-Proposal-SiteB
set pre-shared-key ascii-text "Bingo2"

edit security ike gateway IKE-GW1-SiteA
set ike-policy IKE-POLICY-SiteA
set address 2.2.2.2
set dead-peer-detection always-send
set dead-peer-detection interval 10
set dead-peer-detection threshold 2
set external-interface ge-0/0/0

edit security ike gateway IKE-GW1-SiteB
set ike-policy IKE-POLICY-SiteB
set address 3.3.3.3
set external-interface ge-0/0/0

edit security ipsec proposal IPSec-Proposal-SiteA
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc

edit security ipsec proposal IPSec-Proposal-SiteB
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc
set lifetime-seconds 3600
set lifetime-kilobytes 4608000

edit security ipsec policy IPSec-Policy-SiteA
set proposals IPSec-Proposal-SiteA

edit security ipsec policy IPSec-Policy-SiteB
set proposals IPSec-Proposal-SiteB

edit security ipsec vpn VPN1-SiteA
set bind-interface st0.0
set ike gateway IKE-GW1-SiteA
set ike ipsec-policy IPSec-Policy-SiteA

edit security ipsec vpn VPN1-SiteB
set bind-interface st0.1
set ike gateway IKE-GW1-SiteB
set ike proxy-identity local 0.0.0.0/0
set ike proxy-identity remote 192.168.1.0/24
set ike ipsec-policy IPSec-Policy-SiteB

edit security policies from-zone trust to-zone VPN
set policy trust-to-VPN match source-address any
set policy trust-to-VPN match destination-address any
set policy trust-to-VPN match application any
set policy trust-to-VPN then permit

edit security policies from-zone VPN to-zone trust  
set policy VPN-to-trust match source-address any
set policy VPN-to-trust match destination-address any
set policy VPN-to-trust match application any
set policy VPN-to-trust then permit

edit security policies from-zone VPN to-zone VPN
set policy VPN-to-VPN match source-address any
set policy VPN-to-VPN match destination-address any
set policy VPN-to-VPN match application any
set policy VPN-to-VPN then permit

edit security policies from-zone VPN to-zone untrust
set policy VPN-to-untrust match source-address any
set policy VPN-to-untrust match destination-address any
set policy VPN-to-untrust match application any
set policy VPN-to-untrust then permit

edit security zones security-zone VPN  
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces st0.0
set interfaces st0.1


SRX Site A configuration

edit interfaces st0
set unit 0 description "VPN TO Datacenter"
set unit 0 family inet

edit routing-instances WAN 
set instance-type virtual-router
set interface ge-0/0/0.0
set routing-options static route 0.0.0.0/0 next-hop 2.2.2.1

edit routing-options static
set route 0.0.0.0/0 next-hop st0.0

edit security ike proposal IKE-Proposal-Datacenter 
set authentication-method pre-shared-keys
set dh-group group2
set authentication-algorithm sha1
set encryption-algorithm aes-128-cbc

edit security ike policy IKE-POLICY-Datacenter 
set mode main
set proposals IKE-Proposal-Datacenter
set pre-shared-key ascii-text "Bingo1"

edit security ike gateway IKE-GW1-Datacenter
set ike-policy IKE-POLICY-Datacenter
set address 1.1.1.1
set dead-peer-detection always-send
set dead-peer-detection interval 10
set dead-peer-detection threshold 2
set external-interface ge-0/0/0

edit security ipsec proposal IPSec-Proposal-Datacenter
set protocol esp
set authentication-algorithm hmac-sha1-96
set encryption-algorithm aes-128-cbc

edit security ipsec policy IPSec-Policy-Datacenter 
set proposals IPSec-Proposal-Datacenter

edit security ipsec vpn VPN1-Datacenter
set bind-interface st0.0
set ike gateway IKE-GW1-Datacenter
set ike ipsec-policy IPSec-Policy-Datacenter
set establish-tunnels immediately

edit security policies from-zone trust to-zone VPN
set policy trust-to-VPN match source-address any
set policy trust-to-VPN match destination-address any
set policy trust-to-VPN match application any
set policy trust-to-VPN then permit

edit security policies from-zone VPN to-zone trust
set policy VPN-to-trust match source-address any
set policy VPN-to-trust match destination-address any
set policy VPN-to-trust match application any
set policy VPN-to-trust then permit

edit security zones security-zone VPN
set host-inbound-traffic system-services all
set host-inbound-traffic protocols all
set interfaces st0.0
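As an added example (not part of the original post), the following Python script models the two Site A routing tables from the configuration above and shows why the WAN routing instance is there. The tables, the hypothetical lookup helpers and the single-table counter-example are all constructed here; the connected routes for ge-0/0/0 (2.2.2.0/24, ISP gateway 2.2.2.1) and ge-0/0/1 are assumed from the interface table, and 203.0.113.10 stands in for an arbitrary internet host.

```python
"""Added example, not from the post: a hypothetical model of the Site A routing tables showing why the
WAN virtual-router is needed when the default route of the default instance points into st0.0."""
import ipaddress

# Site A tables as configured on the page: the default instance (inet.0) holds the private LAN and the
# default route into the tunnel; the WAN virtual-router holds ge-0/0/0 and the default route to the ISP.
# Connected routes are assumed from the interface table (ge-0/0/0 in 2.2.2.0/24, ISP gateway 2.2.2.1).
SITE_A = {
    "inet.0": [("172.30.1.0/24", "ge-0/0/1.0", None), ("0.0.0.0/0", "st0.0", None)],
    "WAN.inet.0": [("2.2.2.0/24", "ge-0/0/0.0", None), ("0.0.0.0/0", "ge-0/0/0.0", "2.2.2.1")],
}
# Constructed counter-example: ge-0/0/0 left in the default instance next to the same 0/0 -> st0.0 route.
SINGLE_TABLE = {
    "inet.0": [("172.30.1.0/24", "ge-0/0/1.0", None), ("2.2.2.0/24", "ge-0/0/0.0", None),
               ("0.0.0.0/0", "st0.0", None)],
}
PEER = "1.1.1.1"  # Data center public address, the IKE gateway Site A talks to


def lookup(table, dst):
    """Longest-prefix match over [(prefix, interface, next_hop)]; returns the winning entry or None."""
    addr = ipaddress.ip_address(dst)
    best = None
    for prefix, ifname, next_hop in table:
        net = ipaddress.ip_network(prefix)
        if addr in net and (best is None or net.prefixlen > best[0].prefixlen):
            best = (net, ifname, next_hop)
    return best


def egress(tables, instance, dst):
    """Interface a packet to dst leaves through when it is looked up in the given instance."""
    hit = lookup(tables[instance], dst)
    return hit[1] if hit else None


def tunnel_can_form(tables, ike_instance, peer):
    """IKE/ESP packets to the peer must leave on a physical interface. If they resolve to st0.0 the
    tunnel would have to carry its own negotiation packets (a recursive route) and never comes up."""
    return egress(tables, ike_instance, peer) not in (None, "st0.0")


def classify(tables):
    """For one design: which interface carries LAN, Data center, Site B and internet traffic from the
    default instance, and whether the tunnel itself can be established."""
    ike_instance = "WAN.inet.0" if "WAN.inet.0" in tables else "inet.0"
    return {
        "lan": egress(tables, "inet.0", "172.30.1.10"),
        "dc": egress(tables, "inet.0", "10.0.0.5"),
        "site_b": egress(tables, "inet.0", "192.168.1.10"),
        "internet": egress(tables, "inet.0", "203.0.113.10"),  # constructed internet host
        "tunnel_up": tunnel_can_form(tables, ike_instance, PEER),
    }


if __name__ == "__main__":
    print("two instances:", classify(SITE_A))
    print("single table :", classify(SINGLE_TABLE))
```

With the page's two-instance design every non-local destination leaves through st0.0 while the IKE peer still resolves to the ISP gateway in the WAN instance; in the single-table variant the peer itself resolves to st0.0, so the tunnel never establishes. A /32 route for the peer in the default instance is the other common way around that recursion; the page keeps the ISP-facing routing in its own instance instead.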


ASA Site B configuration

object-group network SiteB
 network-object 192.168.1.0 255.255.255.0

object-group network Nat_ANY
 network-object 0.0.0.0 0.0.0.0

object-group network Nat0
 group-object Nat_ANY

access-list VPN-Datacenter-10000 extended permit ip object-group SiteB any 

nat (inside,outside) source static SiteB SiteB destination static Nat0 Nat0 no-proxy-arp route-lookup

route outside 0.0.0.0 0.0.0.0 3.3.3.1

crypto ipsec transform-set ASET-SHA esp-aes esp-sha-hmac 

crypto map VPNMap 10000 match address VPN-Datacenter-10000
crypto map VPNMap 10000 set peer 1.1.1.1 
crypto map VPNMap 10000 set transform-set ASET-SHA
crypto map VPNMap 10000 set security-association lifetime seconds 3600
crypto map VPNMap interface outside

crypto isakmp identity address
crypto ikev1 enable outside

crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400

tunnel-group 1.1.1.1 type ipsec-l2l
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key Bingo2
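As an added example (not part of the original post), the following Python script cross-checks the Data center SRX and Site B ASA ends of the VPN1-SiteB tunnel. Both configurations are embedded as constructed strings holding the page's own values (the Junos stanzas written out as full set commands); the parser functions are hypothetical helpers, not Juniper or Cisco tooling. The script normalises the two vendors' spellings, applies each platform's defaults where a knob is not set, and lists every phase 1, phase 2 and Proxy-ID parameter on which the two ends disagree. Run against the page's values it reports nothing; drop the proxy-identity lines and it reports that the SRX would offer 0.0.0.0/0 on both sides against the ASA's 192.168.1.0/24-to-any crypto ACL, and drop the lifetime-seconds lines and it reports the SRX default IKE lifetime of 28800 against the ASA's 86400, which is why the Site B proposals set them explicitly.

```python
"""Added example, not from the post: cross-check the SRX and ASA ends of VPN1-SiteB with hypothetical
helper parsers over the page's own values (Junos stanzas written out as full "set" commands)."""
import ipaddress
import re

SRX_SITEB = """
set security ike proposal IKE-Proposal-SiteB authentication-method pre-shared-keys
set security ike proposal IKE-Proposal-SiteB dh-group group2
set security ike proposal IKE-Proposal-SiteB authentication-algorithm sha1
set security ike proposal IKE-Proposal-SiteB encryption-algorithm aes-128-cbc
set security ike proposal IKE-Proposal-SiteB lifetime-seconds 86400
set security ike policy IKE-POLICY-SiteB pre-shared-key ascii-text "Bingo2"
set security ipsec proposal IPSec-Proposal-SiteB protocol esp
set security ipsec proposal IPSec-Proposal-SiteB authentication-algorithm hmac-sha1-96
set security ipsec proposal IPSec-Proposal-SiteB encryption-algorithm aes-128-cbc
set security ipsec proposal IPSec-Proposal-SiteB lifetime-seconds 3600
set security ipsec vpn VPN1-SiteB ike proxy-identity local 0.0.0.0/0
set security ipsec vpn VPN1-SiteB ike proxy-identity remote 192.168.1.0/24
"""
ASA_SITEB = """
object-group network SiteB
 network-object 192.168.1.0 255.255.255.0
access-list VPN-Datacenter-10000 extended permit ip object-group SiteB any
crypto ipsec transform-set ASET-SHA esp-aes esp-sha-hmac
crypto map VPNMap 10000 match address VPN-Datacenter-10000
crypto map VPNMap 10000 set transform-set ASET-SHA
crypto map VPNMap 10000 set security-association lifetime seconds 3600
crypto ikev1 policy 1
 authentication pre-share
 encryption aes
 hash sha
 group 2
 lifetime 86400
tunnel-group 1.1.1.1 ipsec-attributes
 ikev1 pre-shared-key Bingo2
"""
# Both vendors' spellings mapped onto one vocabulary so the two ends can be compared
NORM = {"pre-shared-keys": "psk", "pre-share": "psk", "group2": "2", "sha": "sha1",
        "hmac-sha1-96": "sha1", "esp-sha-hmac": "sha1", "aes": "aes128",
        "aes-128-cbc": "aes128", "esp-aes": "aes128"}
FIELD = {"authentication-method": "auth", "authentication": "auth", "dh-group": "dh", "group": "dh",
         "authentication-algorithm": "hash", "hash": "hash", "encryption-algorithm": "enc",
         "encryption": "enc", "lifetime-seconds": "lifetime", "lifetime": "lifetime", "protocol": "proto"}
PARAMS = ("ike_auth", "ike_dh", "ike_hash", "ike_enc", "ike_lifetime", "psk",
          "ipsec_proto", "ipsec_hash", "ipsec_enc", "ipsec_lifetime")

def norm(value):
    return NORM.get(value, value)

def parse_srx(text):
    """Junos defaults apply where a knob is not set: IKE 28800 s, IPsec 3600 s, ESP."""
    p = {"ike_lifetime": "28800", "ipsec_lifetime": "3600", "ipsec_proto": "esp"}
    for kind, field, value in re.findall(r"security (ike|ipsec) proposal \S+ (\S+) (\S+)", text):
        if field in FIELD:
            p[f"{kind}_{FIELD[field]}"] = norm(value)
    if m := re.search(r'pre-shared-key ascii-text "?([^"\s]+)', text):
        p["psk"] = m.group(1)
    for side in ("local", "remote"):  # no proxy-identity means the SRX offers 0.0.0.0/0 on both sides
        m = re.search(rf"proxy-identity {side} (\S+)", text)
        p["proxy_" + side] = {ipaddress.ip_network(m.group(1) if m else "0.0.0.0/0")}
    return p

def _acl_addr(t, i, groups):
    """One ACL address spec at t[i] -> (networks, next index): any | object-group NAME | addr mask."""
    if t[i] == "any":
        return [ipaddress.ip_network("0.0.0.0/0")], i + 1
    if t[i] == "object-group":
        return groups[t[i + 1]], i + 2
    return [ipaddress.ip_network(f"{t[i]}/{t[i + 1]}")], i + 2

def parse_asa(text):
    """ASA defaults apply where unset: IKEv1 policy 86400 s, IPsec SA 28800 s."""
    p = {"ike_lifetime": "86400", "ipsec_lifetime": "28800", "proxy_local": set(), "proxy_remote": set()}
    for field, value in re.findall(r"^ (authentication|encryption|hash|group|lifetime) (\S+)", text, re.M):
        p["ike_" + FIELD[field]] = norm(value)  # the lines indented under 'crypto ikev1 policy'
    for key, pat in (("psk", r"ikev1 pre-shared-key (\S+)"), ("ipsec_lifetime", r"lifetime seconds (\d+)")):
        if m := re.search(pat, text):
            p[key] = m.group(1)
    groups = {name: [ipaddress.ip_network(f"{a}/{mask}") for a, mask in re.findall(r"network-object (\S+) (\S+)", body)]
              for name, body in re.findall(r"^object-group network (\S+)\n((?: .*\n)*)", text, re.M)}
    tsets = dict(re.findall(r"^crypto ipsec (?:ikev1 )?transform-set (\S+) (.+)", text, re.M))
    if m := re.search(r"^crypto map .* set (?:ikev1 )?transform-set (\S+)", text, re.M):
        for tok in tsets[m.group(1)].split():  # esp-aes esp-sha-hmac -> protocol, encryption, hash
            p["ipsec_proto"] = "esp"
            p["ipsec_hash" if "sha" in tok or "md5" in tok else "ipsec_enc"] = norm(tok)
    if m := re.search(r"match address (\S+)", text):  # the crypto ACL defines the ASA's Proxy-IDs
        for rest in re.findall(rf"^access-list {re.escape(m.group(1))} extended permit ip (.+)", text, re.M):
            t = rest.split()
            src, i = _acl_addr(t, 0, groups)
            p["proxy_local"].update(src)
            p["proxy_remote"].update(_acl_addr(t, i, groups)[0])
    return p

def compare(srx, asa):
    """Every parameter the two ends disagree on; an empty list means the tunnel should negotiate."""
    issues = [f"{k}: SRX={srx.get(k)} ASA={asa.get(k)}" for k in PARAMS if srx.get(k) != asa.get(k)]
    for s, a in (("remote", "local"), ("local", "remote")):  # SRX remote must equal the ASA ACL source, and vice versa
        if srx["proxy_" + s] != asa["proxy_" + a]:
            issues.append(f"proxy-id {s}: SRX={srx['proxy_' + s]} ASA {a}={asa['proxy_' + a]}")
    return issues

if __name__ == "__main__":
    print(compare(parse_srx(SRX_SITEB), parse_asa(ASA_SITEB)) or "no mismatches")
```

The same check applies to the Site A tunnel, but both ends there are SRX, so matching defaults on both sides is why its proposals need no explicit lifetimes.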
