FortiGate v7.2 IPSEC Basic Configuration & Troubleshooting

Captions
Hey there guys, Edric Burger here, hope you're doing well. This is going to be quite an interesting video, because I'm going to show you how to create IPsec tunnels on a FortiGate firewall. I feel like this might be one of the most important lectures on firewalls, because besides policies, a lot of the stuff you're going to set up is VPN tunnels in order to access remote networks. You will see a lot of providers set up tunnels to the cloud, to AWS or Azure, or even to other network providers, or even to banks; I mean, it's crazy. So you are definitely going to be dealing a lot with IPsec tunnels, and hopefully this video will show you how to create an IPsec tunnel, how to get everything up and running, and give you some tips on how to troubleshoot IPsec tunnel issues if you ever run into problems. So let's get into the video.

All right, so I've got a diagram open that I created on draw.io, again a very useful open source tool that can create diagrams just like this, and I find it very useful to explain what we're trying to achieve. In this diagram we are in essence going to have two remote sites, namely site A and site B, and you can think of this as a site-to-site VPN, but it doesn't need to be just site-to-site; this can apply to a cloud provider or a bank or whatever. So these are just two endpoints that will be forming an IPsec tunnel. And what is the goal of an IPsec tunnel? Well, it is there to encrypt and decrypt traffic between two devices like firewalls, so that traffic from the networks that live behind those firewalls can be sent across the tunnel securely. So you can get to a remote LAN range over the internet, and if anybody was able to intercept your packets they wouldn't see anything, because the traffic is encrypted. That's why IPsec is so useful. So let's actually jump into a virtual environment using these FortiGates, and we will configure our IPsec tunnels.

All right, so here we are connecting to our site A firewall, so I will just log in with my credentials. What I'd like you to take note of first is that if we want to work with IPsec, it will all be happening under the VPN menu, so you'll navigate to VPN. You can set this all up in the CLI as well if you feel more comfortable with it, but I know many people tend to use the GUI because it's really friendly; Fortinet really built a nice GUI to work on. If we're going to be configuring any type of IPsec tunnel we can just go to the IPsec Tunnels menu, but I do want to stress something: there's an IPsec Wizard here, and this wizard has many different types of setups that Fortinet has come across over the years, to quickly make it easy for you to configure any type of VPN using a template. If I navigate to the IPsec Tunnel Templates, this is where you'll see the predefined templates that you can use in the wizard, where you can set up things like site-to-site, site-to-site SD-WAN, dial-up, Cisco site-to-site, dial-up Cisco, etc., all of the different modes that you might see people use IPsec with. You don't need to use any of the templates to configure it; it's just a quick and easy way to predefine subnets so that the policies and routing and so on are automatically created for you. I just feel it is worth mentioning if you do want to use any of these wizard templates, because you can select a template type like the site-to-site wizard, hub and spoke, remote access, and custom, which is what we will primarily be working with. I tend to do the custom setup because I like to make sure that I define all of the settings correctly. If we click on IPsec Tunnels we'll see it's currently empty, but if you create any tunnels you will see the tunnel here and what its status is. So let's create a new tunnel; in essence you're just going back to the wizard to run it.

Now you can give the tunnel a name, so I might make it something like "IPsec to Site B", and I will again set this to Custom and continue, and now we get to fill in some details. IPsec relies on two main factors when it comes to connectivity, namely your phase 1, which I want you to think of as the authentication method: what is the IPsec tunnel going to be connecting to, how is it going to connect, what type of authentication is it going to use, is it going to use a password, is it going to use some type of certificate, how is it actually going to connect to the outside? It will also determine the IKE version, or Internet Key Exchange version: version 1, which is legacy, the old stuff, and version 2, which is a lot newer, where you can define things like an ID, and it also works a bit faster and has more encryption methods that you can use. Then it's got some base encryption here and things like a Diffie-Hellman group. So that is phase 1, which covers more or less the authentication. Then we get our phase 2 selectors, which I want you to think of as the encryption, where you will be defining things like which networks you will be allowing to cross this IPsec tunnel, or which networks you are allowing to communicate with each other. You can leave it as 0.0.0.0/0.0.0.0, which just means that anything can traverse the tunnel; it's typically frowned upon to do that for IPsec configurations because it's a little bit less secure, but if you have a remote side, maybe a dial-up IPsec connection, and you want to push all of the internet traffic over the tunnel, then it's definitely fine to set it as such. But typically you'd like to predefine exactly what the source and destination subnets are, so that only those are encrypted over the tunnel. If we go to Advanced, it's just more or less some additional features that you can set, like the encryption methods and whatnot.

Again, so let's actually configure our tunnel. The first thing that we need to know is what the remote gateway is. Sorry, I'm going off on a tangent here, but I need to explain this with IPsec as well, because plenty of times when it comes to IPsec you are going to be working with somebody else, and I feel like this is where it confuses a lot of people. You can have everything configured perfectly on your side, but if the remote person mismatches something in their config then there's a high chance that the tunnel will not establish, and then you're going to have to go into a troubleshooting session. So it's definitely worthwhile to make sure that both administrators of both firewalls come to some form of agreement, knowing exactly what they're going to be configuring: are you going to be using Diffie-Hellman, and what groups are you using, are you using dead peer detection, is NAT traversal needed, stuff like that. You'll mainly just be creating some form of a template, and if you are working for an ISP or a company they most likely already have a template like this, so ask them; if you've never done IPsec before, ask them if they can give you the templates. You can see what it looks like to understand what type of information they would request from another administrator, just to ensure that both people are speaking the same language, or on the same level, so that there isn't the need to go into some lengthy debugging call. Even though it still happens, you might still go into some debugging sessions sometimes, I feel that having that type of template just makes it a lot easier to configure the tunnels, because then both ends know what they need to do. All right, back on point, let's configure this. We are going to say we are using a static IP to connect to, and now I can state the IP address of the remote firewall that I'm going to connect to. This could be your Azure VPN gateway or network gateway, but for me this is just the remote firewall that I've configured, which is 100.64.0.10.

Now the interface is basically stating on which interface the traffic will be sourced, because you do need to define where the traffic is going to be originating from. I have two WAN uplinks on this specific firewall, but I know I will be connecting from this 100.64.255.2 IP, so I select WAN1 as my interface. This is also important because the remote end will need to ensure they connect to this IPv4 address, or even IPv6 address, as their remote gateway. Now we can set a few additional details. I'll leave everything at the base setup: I will leave NAT traversal enabled, I'll leave dead peer detection on, but the main point I want to get to here is our authentication. Here we can switch between IKE v1 or v2; again, I strongly recommend using v2 wherever possible. However, some legacy firewalls might have some issues, or it might even be a FortiGate with a very old version of FortiOS on it, and then it can only support certain stuff. Even though it says v2 and can definitely do v2 most of the time, I find there's definitely some finicky stuff sometimes, but if you're struggling with v2 just switch to v1 and see if you can get the tunnel up that way; but definitely try to always use v2 wherever possible. Now you can select the authentication method: are you going to use a pre-shared key, or PSK for short, or a signature? A signature is more or less just a secure certificate which is verified by both ends, and this will allow them to automatically use the certificate to authenticate with each other. But we'll just use a pre-shared key, a very standard password. You can use something like a pre-shared key generator to generate a custom password which is strong, and I definitely recommend making sure your IPsec passwords are strong, but for our demonstration I'm going to make it something simple like 12345678.

Again, I highly recommend not doing that; use a secure password. Now we get to set our phase 1 proposal; this is the encryption on the phase 1 side. I typically like to use AES256 and SHA256, but you can definitely play around with what you feel is more secure; you just need to do some research on what you feel will work best for your organization. We can set our Diffie-Hellman groups, and I typically set this to 5. We can set our key lifetime, and this is important: even though it seems like such a minimal setting, this definitely needs to match on both ends of the firewalls, and this is just setting how long the key will stay alive. So let's just leave it as that, and we can basically say our phase 1 proposal is done. Let's look at our phase 2 proposal, or phase 2 selectors. Here we can determine what our local address is, and by default your address type is set to Subnet. You can click on this and change it to something else, which is quite nice, because you could do something like a Named Address, and then if you have an address or address group you can reference that in your addresses. But I'm just going to leave it on Subnet, since we're just doing this between two basic subnets. That's also why address groups are quite useful, because then you can specify multiple subnets in a single selector instead of having to create multiple different selectors. But let's leave it as Subnet, and then I can set my local address, which is 192.168.0.0/24 on this firewall; it's my subnet, my LAN devices. Then my remote address, which is the remote LAN I'd like to access, which is 172.16.0.0/24.

Now I can set my phase 2 proposal; this is just the encryption, so again I'm going to make that AES256 and SHA256, and I will enable replay detection, and I will also enable PFS, or perfect forward secrecy, which is just Diffie-Hellman, so I'll put that to 5 again, and I'll leave my key lifetime at the default. I'll click on the tick, I'll click on OK, and hey, we've configured a tunnel on one end. Now with FortiGate, even though you configure a tunnel and it's done on both ends, FortiGate is very specific that you also need to ensure you have matching firewall policies to allow the traffic, and besides the policies you probably want to add some routing as well, just to make sure that the traffic is being pushed over the IPsec tunnel. So let's quickly do that. What I can do is go to Policy & Objects, go into Firewall Policy, and then create a new policy, and I can call it "LAN IPsec access". My incoming interface will be my LAN interface and my outgoing interface is going to be the IPsec tunnel, which is currently down. My source I will set as the LAN network, so 192.168.0.0/24, and my destination is going to be 172.16.0.0/24.

I highly recommend always ensuring that you are as specific on your policies as possible. So let's just call it "Site B LAN" and then I can reference that, and we can set our service to whatever protocols we need to allow over this tunnel, but for this demonstration I'll just set this to ALL. I am not going to enable NAT, because we do not need the traffic to be NATed between these two local networks; if there was a requirement then you would enable NAT for that. I will hit OK and we now have a single IPsec policy to allow traffic from our LAN to the remote side. If I want the remote side to be able to connect, I also need to ensure I have a relevant policy; however, FortiGate does make it easier. You can just right-click and select Clone Reverse, and this will create a policy with your source interface, destination interface, source address and destination address swapped around. So this one we can call "IPsec LAN access", and I can just right-click and enable it. Now we have two matching policies to allow the incoming traffic and also allow the outgoing traffic. The last bit is just adding a static route. I'm going to go into my static routes, add a new route, and then I will say if I want to get to 172.16.0.0/24 my interface will be the IPsec tunnel. You'll see the gateway field goes away immediately; it will just push the traffic over the IPsec tunnel. I can give it a comment, so I can say this is "Site B LAN range", click on OK, and there we go: the site A FortiGate has been configured. Now we actually need to configure the site B FortiGate, so I'll navigate to that, and I'm going to be honest with you guys, it is the same setup but just in reverse. In essence the only change should be that my local and remote subnets are swapped around. So I'm going to go into VPN, go into IPsec Tunnels, create a new tunnel, set it to Custom, call this "Site A IPsec" or something, continue, and now I need to configure this with a static IP. I'll use the IP address of the site A FortiGate, which is 100.64.255.2. My interface will be WAN, which is the IP that the site A firewall is connecting to. I will then scroll down, set this to IKEv2, set it to pre-shared key, and my pre-shared key was 12345678. We'll set our proposals, which are AES256 and SHA256; my Diffie-Hellman group is 5, and now I'm done with phase 1. Let's do phase 2 quickly: I'll set my local address, which is 172.16.0.0/24, and my remote address is 192.168.0.0/24. My encryption here is also AES256 SHA256, Diffie-Hellman 5, and my key lifetime I'm leaving the same. So I'll hit the tick, click on OK, and now we have the tunnel. Again we will need policies and we will need routing, so let's quickly add those. Policies: create a policy here, let's just say "Site B LAN IPsec access". Here I will define the site B LAN interface; my outgoing interface is going to be the site A IPsec tunnel; my source will be the site B LAN and my destination will be the site A subnet, so let's just create a new address object for this, "Site A LAN". My service I will again set to ALL, I will turn off NAT, and I will click on OK. And again, to quickly create a reverse policy, I'll right-click, Clone Reverse, and then I can give this the name "IPsec Site B LAN access", right-click and enable the policy. Then let's set our routing quickly. Here I will say if I want to get to 192.168.0.0/24 my interface will be the IPsec interface. But I see the tunnel is already established, and that is because we have policies on both ends. I'll click on OK and now we actually have a working IPsec environment.

So, you know what they say, the proof is in the pudding, so let's actually test this tunnel and see if it's working. I can do that by initiating a very basic ping test from one host sitting behind a firewall to something else sitting across the IPsec tunnel. I will go into my hypervisor, which is VMware, and go to this Windows 10 client, which is a VM sitting behind the site A firewall. The first thing I'd like to see is whether I can ping 172.16.0.1, which is the remote end's LAN IP, the remote FortiGate's LAN interface IP. I can ping that, so I'm very happy with that. Can I actually ping 172.16.0.2, which is an Ubuntu VM that sits behind the site B FortiGate? I can ping that as well, so I'm very happy with this, because this means our tunnel is up and running and we are able to push traffic across it.

Now I'm going to show you guys how we can verify some details and troubleshoot some things on the tunnel if we ever need to. The first thing I'd like to do is navigate back to my management side. If we ever needed to troubleshoot some type of traffic issue we can use a flow tool, and you can do this in the GUI or from the command line, but let's do it from the GUI, because the GUI is actually super cool since the new version. What you can do is go to Network, go to Diagnostics, do a Debug Flow, and you can turn on some filters, set it to Advanced, and then specify something like your source IP, so 192.168.0.2, which is my Windows 10 VM, and then I want to see what happens when traffic goes to 172.16.0.2, which is the Ubuntu VM on the remote end. I'll start the debug flow, and let's run a ping again and see what happens. So I'm running the same command; let's go back to our firewall, and there we can see what the flow looks like. I love the flows; it actually shows you what the whole thing is doing, like if the traffic's being accepted, if it's being rejected, what's happening. Here we can see the root VDOM received a packet from 192.168.0.2 destined to 172.16.0.2 on ICMP, and it will tell you exactly what happened with this traffic: it will tell you which policy accepted the traffic, whether it was allowed, and here we can see it was entered into the IPsec interface, so it was basically encrypted and then sent out over the IPsec tunnel, so we know this is successful.

If you want to do this via the command line, because maybe you're using an older version of FortiOS like 6.4.something, it's as simple as doing diagnose debug flow filter: first add your filters, so say what your source address is, in our case 192.168.0.2, say what your destination address is, so 172.16.0.2, and then we just need to start the trace. This is just how long you want this trace to be; maybe you just want to see the first nine traces, so I'll set that to 9, and then we can just do diagnose debug enable, and there we can see it. I'm still running my ping because it's continuous, and if I just cancel this, or type diagnose debug disable, you can copy this into a notepad if you'd like, or you can just read this directly and see exactly what has happened. It's basically the same details: you can see where the traffic came from, where it went to, and the most important bit for us is to make sure that the traffic was accepted and that it was encrypted and sent over the tunnel. And that's it. If there was some type of error you would pick it up in the flow, like if a policy was missing and the traffic wasn't being allowed. Let's do that quickly; we can emulate it just by going into our policies, and then I can disable this policy from the LAN to the remote end. Let's disable that, and I'm going to run the flow again; I'll use the network diagnostic tool again for that. So let's do filters; I'm not going to go too deep into it now, I'm just going to say what the source is, because I know the traffic will only be coming from that source. Actually, let's define the destination too, otherwise I might see internet traffic as well and we don't want that, so I'll just say 172.16.0.2. Start the flow again, it's busy capturing the packets, and there we can see they are timing out, and we can see, hey, there's definitely something different happening here. If I stop this flow and we read through it quickly, we can see it's trying to form that session on that IPsec tunnel but nothing else is happening.

This is another place I actually wanted to show you guys: if you need to troubleshoot some very basic stuff with your IPsec tunnels, you can come into the system events and then VPN events, and it will show you exactly what's happening with all of the VPN events. For all of the tunnels, if you configure multiple tunnels, you can see what the tunnel is, and it will basically tell you if the tunnel has been successful. You want to see that it installs this IPsec SA, which is just the security association, and then that should mean the tunnel is up and running. Let's quickly make sure that our tunnel is still up; it is up, but as you know our stuff is failing because of the policy, so let me re-enable that.

Now here's one big thing that I want to show you guys, and this relates to when you really want to deep-dive your troubleshooting with IPsec to see why things aren't working. Let's break this tunnel quickly just by changing the PSK. I will go to my VPN IPsec tunnels and change my PSK to something else so it's wrong; maybe I'll make it 87654321, save that, OK it, and now in theory my tunnel should go down. There we can see the tunnel has dropped. If we want to diagnose our tunnels to see what's happening, I highly encourage doing this from the command line, so let's head into the console. Really guys, you need to think of the console as your friend; it's there to help you. I can promise you this is going to be where you're going to find the most information if you're ever running into some issues. Let's open this up, and we're going to be debugging the IKE application, so we'll do diagnose debug application ike -1. The -1 will just basically be telling it for how long it's going to be debugging the stuff, and then if I do a diagnose debug enable we're going to start getting a ton of different log messages, or debug messages, of what's happening with this tunnel, or all of our tunnels if we had multiple tunnels. It might get a bit messy, so in that case you could filter the output based on a very specific tunnel name, so you only see things related to that specific tunnel. Here we can see there's already a bunch of logs, and I'm just going to try to re-initiate the tunnel by going into the dashboard; I'll go into my IPsec monitor and right-click here to try to bring up the tunnel. This is also something you can do if you ever see your tunnels down and you want to try to force the tunnel up: you can right-click in your IPsec monitor on the tunnel that's down and try to bring it up this way, but this is in essence just forcing traffic over the tunnel. If I go back to my command line, we should see there's a bunch of different things here, and I can already see the error message why it's not working, but let's copy this to the clipboard, and I'll do a diagnose debug disable so we stop getting spammed by the messages. Then I recommend pasting this into a notepad, because now you can properly go through all of the logs, or the debug messages, to see what has happened. If we scroll down we can see how far the firewall gets in actually trying to connect, but if we look at these log messages specifically we can see that it's received an auth message, it's got the identifier, it's trying to authenticate, and here we know is our issue: it sees that the authentication failed, and it's telling us PSK auth failed, probable pre-shared key mismatch. So now we can tell the guy on the remote end, hey, I'm seeing this in my log messages, it's telling me that we might have the incorrect keys, can you just confirm that you're using the correct key, and then you send them the key again, and most likely they're going to type in the new key and the tunnel will come up afterwards.

What's nice is this is not just for determining if somebody's typing in the key incorrectly; you'll see many different details in here, like the phase 2 details that we're trying to use to negotiate. It will even pick up what the remote end is sending you, and based on that you can see, hey, they might have the wrong Diffie-Hellman group, or they might have the wrong encryption method, and then you could just update your method silently so that they don't even know that you fixed it that way. But it's always best to use whatever agreed method you guys have stated, so reach out to the person and tell them, hey, I can see that you're not sending me the correct authentication method, please update it to this. Once they make that update I can assure you your tunnel will come up. I want you to understand that it's so fun to troubleshoot these issues, because it allows you to see what's happening with the packets, and then you can determine exactly what the problem is, and, you know, find that fault, finally fix it, and it just feels so good.

All right, I actually think this is where I'm going to end this lesson, because this should just be an introduction to getting an IPsec tunnel up and running, but I also wanted to give you some basic troubleshooting skills when it comes to IPsec tunnels, especially diagnose debug application ike; it will give you so much information to work with. Anyway guys, this is the end of the video. I hope you had fun, I hope you learned something new, and again I'd like to thank my Patreon and YouTube members for helping support the channel, and I'll catch you guys in the next video. See ya!
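The site A half of the tunnel that the video builds in the GUI, rendered as FortiOS 7.2 CLI. This is an added example, not the video's own configuration: the tunnel, interface, address object and policy names are assumptions, the IP addresses and subnets follow the video, and the PSK is a placeholder.

```fortios
# Site A: the custom-template tunnel from the video, as FortiOS 7.2 CLI
config vpn ipsec phase1-interface
    edit "ipsec-to-site-b"
        set interface "wan1"            # uplink 100.64.255.2; site B points at this
        set ike-version 2
        set remote-gw 100.64.0.10       # site B WAN address (from the video)
        set peertype any
        set proposal aes256-sha256
        set dhgrp 5                     # group the video selects; see note below
        set nattraversal enable
        set dpd on-demand               # dead peer detection left on
        set psksecret REPLACE_WITH_STRONG_PSK   # placeholder; must match site B
    next
end
config vpn ipsec phase2-interface
    edit "ipsec-to-site-b-p2"
        set phase1name "ipsec-to-site-b"
        set proposal aes256-sha256
        set pfs enable
        set dhgrp 5
        set replay enable
        set src-subnet 192.168.0.0 255.255.255.0   # site A LAN
        set dst-subnet 172.16.0.0 255.255.255.0    # site B LAN
    next
end
# Address objects keep the policies specific instead of "all"
config firewall address
    edit "site-a-lan"
        set subnet 192.168.0.0 255.255.255.0
    next
    edit "site-b-lan"
        set subnet 172.16.0.0 255.255.255.0
    next
end
# Outbound policy plus its "clone reverse" counterpart; no NAT between the LANs
config firewall policy
    edit 0
        set name "lan-ipsec-access"
        set srcintf "lan"               # assumed LAN interface name
        set dstintf "ipsec-to-site-b"
        set srcaddr "site-a-lan"
        set dstaddr "site-b-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
    edit 0
        set name "ipsec-lan-access"
        set srcintf "ipsec-to-site-b"
        set dstintf "lan"
        set srcaddr "site-b-lan"
        set dstaddr "site-a-lan"
        set action accept
        set schedule "always"
        set service "ALL"
        set nat disable
    next
end
# Static route: traffic for site B's LAN goes into the tunnel; no gateway needed
config router static
    edit 0
        set dst 172.16.0.0 255.255.255.0
        set device "ipsec-to-site-b"
        set comment "site B LAN range"
    next
end
```

Site B is the mirror image: swap the two subnets, point remote-gw at 100.64.255.2, and use the same PSK, proposals, DH group and key lifetime. Group 5 is what the video chooses; DH group 14 or higher is the current recommendation, and whichever group is chosen must match on both ends.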
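The troubleshooting steps from the second half of the video (debug flow, VPN state, IKE debug), collected as one FortiOS 7.2 CLI sequence. This is an added example, not from the video; the tunnel name is an assumption, the host addresses are the ones the video pings, and the "log filter" form is the 7.x syntax (6.4 uses "diagnose vpn ike log-filter").

```fortios
# 1. Flow trace for one host pair (CLI equivalent of Network > Diagnostics > Debug Flow)
diagnose debug flow filter clear
diagnose debug flow filter saddr 192.168.0.2     # Windows 10 VM behind site A
diagnose debug flow filter daddr 172.16.0.2      # Ubuntu VM behind site B
diagnose debug flow trace start 9                # first nine packets only
diagnose debug enable
# ... run the ping from the client; a healthy trace ends with the packet
#     being accepted by the LAN-to-IPsec policy and entering the tunnel interface.
#     No policy match means the traffic is dropped before it ever reaches IPsec.
diagnose debug disable
diagnose debug flow trace stop
diagnose debug flow filter clear

# 2. Tunnel state without any debug noise
get vpn ipsec tunnel summary                     # up/down and SA counters per tunnel
diagnose vpn ike gateway list name ipsec-to-site-b   # phase 1 (IKE SA) state
diagnose vpn tunnel list name ipsec-to-site-b        # phase 2 selectors and SAs

# 3. IKE negotiation debug, scoped to one tunnel so other tunnels do not spam the output
diagnose vpn ike log filter clear
diagnose vpn ike log filter name ipsec-to-site-b
diagnose debug application ike -1
diagnose debug enable
# Force a fresh negotiation instead of waiting for interesting traffic
# (same effect as "Bring Up" in the IPsec monitor)
diagnose vpn ike gateway clear name ipsec-to-site-b
# ... watch the output; a wrong PSK shows up as
#     "PSK auth failed: probable pre-shared key mismatch",
#     while a proposal or DH group disagreement shows as no matching proposal.
diagnose debug disable
diagnose debug application ike 0
diagnose vpn ike log filter clear
diagnose debug reset
```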
Info
Channel: The Network Berg
Views: 13,464
Keywords: #FortiGate, #IPSEC, #NSE4, fortinet firewall, network berg, rwxrob, sccm
Id: meH6ADWJas8
Length: 29min 25sec (1765 seconds)
Published: Mon Aug 08 2022