Implementation

Configuring the main site

Creating network objects

The creation of this site-to-site IPSec VPN connection requires at least five network objects:

  • the local network of the main site: Private_Net_Main_Site,
  • the public address of the main IPS-Firewall: Pub_Main_FW,
  • the local network of the remote site: Private_Net_Remote_Site,
  • the public address of the remote IPS-Firewall: Pub_Remote_FW,
  • the intranet server to contact on the main site: Intranet_Server.

These objects can be defined in the menu: Configuration > Objects > Network objects.

Creating IPSec tunnels

Click on Configuration > VPN > IPSec VPN. Select the encryption policy you wish to configure.

You can rename it by clicking on Edit.

Click on Add > Site-to-site tunnel.

A wizard will automatically launch:

  • In the Local network field, select your object Private_Net_Main_Site,
  • In the Remote network field, select the object Private_Net_Remote_Site,

  • Next, select a peer. If the peer you wish to use does not yet exist, as in this example, you can create it by clicking on the hyperlink Create a peer (this step corresponds to the parameters that can be defined directly in the Peer tab in the menu Configuration > VPN > IPSec VPN),
  • The wizard will then ask you to select the remote gateway. In this case, this is the public address of the remote IPS-Firewall (object Pub_Remote_FW). By default, the name of the peer is built by adding the prefix “Site_” to this object name; this name can be customized:


Next, select the authentication method: select the method “Pre-shared key (PSK)”.

In the fields Pre-shared key (ASCII) and Confirm, enter a complex password that will be shared by both sites in order to set up the IPSec tunnel, and then confirm.

NOTE

To define a pre-shared key that is sufficiently secure, you are advised to do the following:

  • Use a minimum length of 8 characters,
  • Use uppercase and lowercase letters, numbers and special characters,
  • Do not use a word found in a dictionary for your password.

Example: 7f4V8!>Xdu.
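As an added illustration of the three rules in the note above (not part of the original guide), the following Python helper checks a candidate pre-shared key against them and generates one from the operating system's CSPRNG; the embedded wordlist and the special-character set are constructed assumptions standing in for a real dictionary.

```python
import secrets
import string

# Constructed wordlist standing in for a real dictionary (assumption, not from the guide).
DICTIONARY = {"password", "welcome", "firewall", "intranet", "summer", "letmein"}

MIN_LENGTH = 8  # minimum length stated in the note
SPECIALS = "!#$%&()*+,-./:;<=>?@[]^_{|}~"  # assumed set of printable special characters


def psk_problems(psk: str, dictionary=DICTIONARY) -> list:
    """Return the rules from the note that the candidate PSK breaks (empty list means OK)."""
    problems = []
    if len(psk) < MIN_LENGTH:
        problems.append("shorter than %d characters" % MIN_LENGTH)
    classes = [
        any(c.isupper() for c in psk),
        any(c.islower() for c in psk),
        any(c.isdigit() for c in psk),
        any(not c.isalnum() for c in psk),
    ]
    if not all(classes):
        problems.append("must mix uppercase, lowercase, digits and special characters")
    # Reject a bare dictionary word, ignoring case and digits/symbols tacked on at either end.
    core = psk.strip(string.digits + string.punctuation).lower()
    if core in dictionary:
        problems.append("based on a dictionary word: %r" % core)
    return problems


def generate_psk(length: int = 20) -> str:
    """Generate a random PSK with the OS CSPRNG and keep it only if it passes every rule."""
    alphabet = string.ascii_letters + string.digits + SPECIALS
    while True:
        candidate = "".join(secrets.choice(alphabet) for _ in range(length))
        if not psk_problems(candidate):
            return candidate
```

The generated key must be entered identically on both IPS-Firewalls, so copy it rather than retyping it.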

The wizard will then show a summary of the peer that you have just created. Click on Finish to close this window. Click again on Finish to close the wizard.

The IPSec tunnel is now defined on the main site:

NOTE

The tunnel will be enabled automatically (Status “on”).

Click on Enable this policy.

Creating filter rules

The VPN tunnel is meant to interlink two remote sites securely, but its purpose is not to filter traffic between these two entities. Filter rules therefore need to be set up in order to:

  • Authorize only necessary traffic between identified source and destination hosts,
  • Optimize performance (host resources, internet access bandwidth) by preventing unnecessary packets from setting up a tunnel.

In the menu Configuration > Security policy > Filtering and NAT, select your filter policy. In the Filtering tab, click on the menu New rule > Standard rule.

For better security, you can create a more restrictive rule on the IPS-Firewall that hosts the intranet server by specifying the source of the packets. To do so, when selecting the traffic source, indicate the value “IPSec VPN tunnel” in the field Via (Advanced properties tab):

In the case presented, a client workstation located on the local network of the remote site must be able to connect in HTTP to the intranet server located on the local network of the main site (rule no. 1). You can also temporarily add, for example, ICMP to test the setup of the tunnel more easily (rule no. 2).

The filter rule will look like this:

NOTE

The advanced features of IPS-Firewalls (use of proxies, security inspection profiles, etc.) can of course be applied in these filter rules.
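To make the effect of rules no. 1 and no. 2 and of the “Via: IPSec VPN tunnel” restriction concrete, here is an added Python model of the main-site filter policy (not the product's own rule engine, and the remote site's rules from the later section are the mirror image). The addresses assigned to the network objects and the implicit final block rule are assumptions; the guide gives neither.

```python
import ipaddress
from dataclasses import dataclass

# Constructed addressing for the objects named in the guide (assumption: no addresses are given).
OBJECTS = {
    "Private_Net_Main_Site": ipaddress.ip_network("10.1.0.0/24"),
    "Private_Net_Remote_Site": ipaddress.ip_network("10.2.0.0/24"),
    "Intranet_Server": ipaddress.ip_network("10.1.0.10/32"),
}


@dataclass
class Packet:
    src: str
    dst: str
    proto: str            # "tcp", "udp" or "icmp"
    dport: int = 0
    via_ipsec: bool = False  # True only if the packet was decapsulated from the IPsec tunnel


@dataclass
class Rule:
    action: str
    src_obj: str
    dst_obj: str
    proto: str
    dport: int = 0
    via_ipsec: bool = False  # the "Via: IPSec VPN tunnel" advanced property

    def matches(self, p: Packet) -> bool:
        return (ipaddress.ip_address(p.src) in OBJECTS[self.src_obj]
                and ipaddress.ip_address(p.dst) in OBJECTS[self.dst_obj]
                and p.proto == self.proto
                and (self.proto == "icmp" or p.dport == self.dport)
                and (not self.via_ipsec or p.via_ipsec))


# Rule no. 1 (HTTP) and rule no. 2 (ICMP, temporary) from the text, both restricted to the tunnel.
MAIN_SITE_RULES = [
    Rule("pass", "Private_Net_Remote_Site", "Intranet_Server", "tcp", 80, via_ipsec=True),
    Rule("pass", "Private_Net_Remote_Site", "Intranet_Server", "icmp", via_ipsec=True),
]


def decide(packet: Packet, rules=MAIN_SITE_RULES):
    """First matching rule wins; anything unmatched hits the assumed implicit block rule."""
    for number, rule in enumerate(rules, 1):
        if rule.matches(packet):
            return rule.action, number
    return "block", 0
```

A packet claiming a remote-site source address but arriving outside the tunnel is blocked, which is exactly what the Via restriction buys you over a source-address-only rule.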

Configuring the remote site

The aim of this section is to reproduce on the remote site a configuration symmetrical with the one created on the main IPS-Firewall.

Creating network objects

The objects are the same as those defined on the main IPS-Firewall. Please refer to section Configuring the main site, under Creating network objects.

Creating IPSec tunnels

Please refer to section Configuring the main site, under Creating IPSec tunnels. For the remote site, the fields to be entered in the wizard will have the following values:

  • Local network: Private_Net_Remote_Site,
  • Remote network: Private_Net_Main_Site,
  • Remote gateway: Pub_Main_FW,
  • Pre-shared key: the same password as the one entered on the main IPS-Firewall.

Creating filter rules

In the menu Configuration > Security policy > Filtering and NAT, select your filter policy. In the Filtering tab, click on the menu New rule > Standard rule.

In the case presented, a client workstation located on the local network of the remote site must be able to connect in HTTP to the intranet server located on the local network of the main site (rule no. 1). You can also temporarily add, for example, ICMP to test the setup of the tunnel more easily (rule no. 2).

The filter rule will look like this: