Lecture-71: FortiGate Firewall - Site-to-Site IPsec Route-Based VPN Template Lab

Captions
So now let's start the lab. We will create a topology like this one: site-to-site VPN. First we will do site-to-site VPN, and this is route-based VPN. We discussed that there are two types of VPN: route-based VPN site-to-site, and the other one is policy-based VPN. First we will do route-based VPN, then we will do site-to-site VPN route-based but with the manual method. First we will do it through the template, then we will do it manually, then we will do policy-based, and then we will do remote access VPN in two different ways. So let's go.

This is the topology we will use. In the middle I will take one router to represent an internet router. On this side we will assign the 1.1.1.1 IP to the FortiGate firewall port 1, and this is another FortiGate firewall; we will assign them 2.2.2.2. Port number 3 on both sides we will make the management interface, and port number 2 is my LAN. This side is the 192.168.1 range, and this side, the other branch, is the 192.168.2 range. So our main point is that these two PCs can reach this branch encrypted, and nobody can see the traffic going on between these two. We will even enable telnet here on this router, so when you send the telnet traffic, even though we know telnet traffic is visible, it will not be visible, because these interfaces will encrypt it. Encryption will start from here and it will end here, because we will use tunnel mode, which I told you about, and on the internet nobody will see the actual IP; they will see that 2.2.2.2 is going to 1.1.1.1, but actually inside this packet, like the public car which I told you about, these packets will go. So this is the story of VPN.

Outside we will use 1.1.1.1 on site 1. Schema: local we will use the 1 network, remote is the 2 network. Inside, our LAN interface is 1.100, management interface we have 114, and the server IPs, 110. The other side will use 2.2.2.2, local is the 2 network and remote is 1, definitely, and inside they have 2.100, the server and management range; now we have 144, and the server, they are 2.2.2. So this is the story to create this type of topology.

Now let's go. So first of all I need one router to represent our internet, and let me give it the name Internet. Now I need two firewalls, so let me drag two firewalls from here. This is site A and this is site B, okay. Now I need two switches, so let me take two switches. By the way, let me connect these two, so port 1 is connected to 0 and port 1 is connected to port 1. Let me turn this on, at least it will start. And now I need a switch, so let me take this dummy switch. Okay, so let me take this switch; let me change this one, change symbol, so this is a switch on this side, and let me duplicate it, this is the switch for this side. So switch, switch, anything, it's okay: switch 1, and let me make this switch 2, because this is site 2 and this is site 1, okay. So now I have two switches. Now I need two NAT clouds for management so that I can access them, so I take management cloud 1 and management cloud 2, okay, let me put them here. By the way, it's okay, this is the management cloud, okay, and let me connect them to port 3, which we desired: port 3 for management, and this one is for management, 3.

Port 2 is connected to the local LAN and port 2 is connected to the local LAN, okay. And I need two PCs for test purposes, so on this side I will take one server; this is a web server, okay, this is one web server, and one client, webterm, okay, so we can see the traffic which is not encrypted, whether it will be encrypted or not. And on this side I will use one PC and also a router to make it a telnet server, so that I can show you that telnet traffic will also be encrypted. So this is my whole topology. Let me move this to the middle. So this is my line. By the way, let me exchange this one to here; this is PC2 and PC1 on this side, and R1 is on this side, so this is telnet srv. So this is my telnet server, and this is PC1, and this is web server srv. So one side is a web server and the other is telnet, so this is HTTP, which is not encrypted, and here we will create a telnet, so in this way we will test both.

Now coming to here, what I need to do: let me change this symbol to a client. So client, let me choose this one and let me say mgmt1, and let me change this one to client, okay, and this is mgmt2, okay, and let me put them here like this. This is our management, okay, and now let me put it here this way, okay. Let me connect these interfaces to the telnet server and PC, and here PC2, and here the web server.

Now the IP schema. We need the IP schema to assign, so for the IP schema we decided the 192.168.1 range should be on this side; that's what we decided for this site, and for this side we decided 2. Okay, now for the PC let's assign: this is .1 and this is .11, suppose, and here the web server is whatever, 11. Okay, let's do the same, and this is 1, but this is 2.1 and 2.11, and here we have 1.1, and this is our IP schema. And here we will use the 1.1.1.1 range, okay, and on this side we will use the 2.2.2.2 range; this is our schema. So this IP should be, let me duplicate this one, this will be .2 and this side should be 1.1.1. The interfaces you already know; I don't want to write them, but if you say so, let me write them down: port 1, this is port 1 and this is also port 1.

This is port 2, port 2, and port 3 is connected to management; this is port 2 and this is port 3. No need to mention that, and port 3, or management, is 192.168.114.0/24, which is by default the NAT cloud range, okay. Then this is the basic schema.

First let me configure this router, so right-click on the router, start, and go to console. Make it a telnet server. So configure: interface e0/0, ip address 192.168.1.1, I think, yeah, 255.255.255.0, no shutdown, exit, do write. And we will configure ip route: whatever you have, 0.0.0.0, give it to 192.168.1.100; this is the firewall IP which we will assign. line vty 0 4, transport input all, and password, the password is 123, and login. I enabled telnet on this one, and do write. That's it, so my telnet server is ready.

Now configure this one, so right-click on this one, edit configuration, remove R2, remove this one, this one, this one and this one. So we decided 1, and this should be .11, this should be 100, and this should be 1. No need of DNS, because we do not require DNS. So Ctrl+C, and 1.11 is done. Now go to PC2, edit configuration, Ctrl+A, Ctrl+V, just change this one to 2, and this one is 2.1, and this one has to do. Ctrl+A, Ctrl+C, save. And right-click on the web server, Ctrl+A, Ctrl+V, 2.11, only change this one. So let me check, double-check: edit configuration, 2.1, okay, and this should be, go to edit configuration, 2.11, yes, and this one is 1.11, yes, it's correct, just to double-check.

Now we can enable these if you want, no need, but we will need them later on, okay. So the IPs are done. Now coming to the firewall, but before going to the firewall, let's configure the internet router. Go to the internet router. On the internet router we just need two IPs, that's it, because we don't have any control on the internet router. So on the internet router what I will do: go to configuration, interface; this interface is 0/0, okay, and this one is 0/1. So interface e0/0, here I will assign 1.1.1.2 255.0.0.0, no shutdown, that's it. And interface e0/1, here I will assign 2.2.2, and this should be 2.2.2.1, no shutdown. So show ip interface brief: only two IPs, and write. That's it; I don't need anything up here because we don't have any control on the internet router. So this is, by the way, 2; if I have 2 somewhere, let me copy. So I assigned two IPs here, and on this side I assigned one IP, 2.2.2.1, 2.2.2.1, let me... that's okay.

Now coming to the firewall, now the last thing. So right-click, go to console and log in to this device. Because DHCP is enabled on port 1, so we will not get any IP, so first login: admin, no password, enter, 123, 123. Go to config port 3: config, sorry, config interface, config system interface, and edit which port: port 3, and enable, sorry, set allowaccess http https and ping, telnet, okay, and ssh, whatever you want to allow, enter, and set mode dhcp, so it will get DHCP, and end. show system interface: so on port number 3 we will get an IP after a while. Okay, port number 3 is DHCP, yeah. So we get 141, 141, so one router is ready, sorry, firewall; we will get access to this one. And now let's go to the other one, so right-click on this one, go to console, admin, 123, 123, config system interface, edit port 3, and set allowaccess http https ping ssh, whatever you want to allow, and set mode dhcp, and end. So now if I check show system interface, port number 3 will get an IP through DHCP after a while because we are connected to the NAT cloud.

Let's get 142. So it's good: on one side we get 141, the other side 142. So this is one. So let me log in to the first one: admin and 123. Let me change the name, so this is site 1, so hostname Site1, so that we will understand which site this is. So this is site 1, and let me log in, admin and 123, and let me give this firewall the name site 2, Site2. So good. Now let me change the color of one firewall so you will not be confused: go to System, go to Settings, and there is a theme to change, where we can change them, yeah, this is it. So let me make this one... so site 1 is this color and this one is green. So this is site 1.

Now what I need: first I need interfaces, which we normally do. Go to Interfaces, go to Interfaces, port 1, whereas port 1 is connected to this one, this is WAN, so give it the name WAN, and what is the IP we decided? Remember, 1.1.1.1, so let me assign 1.1.1.1/8, that's what we decided. No need of SSH, no need of HTTP, just need ping; this is not that one, that's it, done. So our main interface is done. Now we have another interface, 2, so two interfaces: our LAN interface, and the IP we decided is 192.168.1.100, that's what we decided, yeah, you remember this, 100, and we just need ping to test them. The third interface is port 3, which is management. Just for the sake of understanding we will type mgmt, and we will make it manual, the same IP, but we will make it manual, and okay, because they say you are connected, you will be disconnected; I say it's okay. So LAN, management and WAN, three interfaces we are using. No need of DNS because in this case we don't have anything, otherwise you can configure DNS. No need of a static route, no nothing, we need nothing, that's it.

Now go to the other one and do the same thing. Go to Interfaces, and here the first interface is the WAN interface, this is the other side firewall, manual IP, but we decided the IP should be 2.2.2.2, okay, this one, so the other side public IP is 2.2.2.2. No need of anything, only ping is allowed, and okay. So one interface is done, which is port 1. Port 2 is the LAN interface of site 2, and the IP address is 192.168.2.100, and put LAN here so that we know, and allow ping on this interface, done. The third interface is the management interface, so here mgmt, and make it manual, 142; that one was 141, and okay, done. So this is the basic setup: interface names just for understanding purposes, and we assigned them IPs, interfaces LAN, WAN and management; they have interfaces and IPs.

Now go to any firewall, start from site A. Let's configure site-to-site VPN, but before site-to-site VPN, what we want to do: we need to configure one static route from the firewall, that if you have anything, anything, give it to the internet router. So here I will use WAN, and what is the IP? 1.1.1.2; this is 1.1.1.2, this one, this is site 1, I say give it to this guy, and okay. On the other firewall I will say whatever you have, give it to 2.2.2.1, so here I will say Static Route, Create New, and here I will choose WAN, and here I will say 2.2.2.1, anything, give it to this guy. Let me see, I configured this one correctly, 1.1.1.2, yeah, and this is 2.2.2.1, this router IP.

Now, before configuring the firewall, do you think this router is reachable to PC1? No. Let's test it from this router: let me ping this IP, 192.168.2.1, ping 192.168.2.1. No, I'm not reachable, because it's not possible, there is no routing, no routing in the middle router. This is an internet router, and an internet router will never accept our private IPs to reach here, and neither can they put a route for us until you pay them. So if you pay them, then what is the advantage of VPN? This internet router only knows the 1.1.1.1 IP, and on this side they only know the 2.2.2.2 IP, but the communication is going from 192.168.1.1 to 192.168.2.1, which is not acceptable; it's not working. And even if you are not sure, let me try from PC1 to the web server; access will not work. Let me open this, and the web server IP is 192.168.2.11; it will not work, and it is sending the traffic here, and this traffic will be visible here. If I start a Wireshark you will see that somebody is sending HTTP traffic, but private IPs are not allowed; there is no route to reach there. Why am I showing you? Because now when we configure VPN things will be changed. So let me generate traffic again, okay, still generating. You will see who is going; it has to show me, yeah, it is showing a bit slowly, 192.168, because this traffic is not reaching here; it has to reach. By the way, here it has to show 192. Let's see, 1.1.1.2 is showing some ARP entry but not the other one. But this is to show us, but it's not reachable because there is no route. Let me quit this one, right now I don't need this one, stop. So it's not reachable; look at 2.11, it is not reachable, this web server, neither from here nor from this side.

Now let's configure site-to-site VPN between FortiGate 1 and FortiGate 2. How? Go to VPN here, and site... when I'm in site 1, this is the Overlay Controller VPN, which I told you, you need to register in FortiCloud, which I told you; we do not need to touch this one. Then the second one is IPsec Tunnels; there is nothing. When I click IPsec Tunnels it will take me to the IPsec Wizard. So either coming from here or from here, it is the same thing, but here it will show you when it's created; it will show you here. But IPsec Wizard, it is a wizard; I told you what a wizard is: it's template-based. So either click on Create New; IPsec Aggregate is if you want to combine more than one VPN as one, I will show you. When you create an IPsec tunnel it will take you here, either from here or directly here. Let me start from here, IPsec Wizard. Name it, so I will say site 1 to site 2. I just give it the name, either S2, and make it more simple: S1 to S2, this is my name. They say, what is the template type? I told you what a template is: site-to-site, hub-and-spoke, remote access and custom. Site-to-site means, as shown here, one side FortiGate, FortiGate on the other. Hub-and-spoke: one to more; if you are connected to more, this is hub-and-spoke. Remote access: if you are connecting your client PC to your firewall. And custom if you want to customize them. But I say no, site-to-site, right now I want to do this one. Then they say NAT configuration: is there any NAT device? No, because you are directly connected; if there is, it will show you like this: this is the router. Now I say this site is behind NAT, then they will apply, you know, NAT traversal, which I told you. If you say remote site, then the router is on that side, but in our case we don't have any NAT device, done. Now they say remote device type: is it a FortiGate or Cisco? So it can be configured with any vendor's router and firewall, keep in mind. So I say FortiGate, so FortiGate-to-FortiGate site-to-site, okay, and click Next.

Now it's asking me dynamic DNS. If you don't know and the IPs are changing, then you can use dynamic DNS; it's a good option, by the way, if you have an environment like a home or small office, so a small office, they don't have a static IP, then you can use dynamic DNS. Dynamic DNS, there is a DNS concept, I will tell you some other day, but it's possible. But in our case we have a static IP. What is the remote IP? 2.2.2.2, the WAN interface which I am reaching, you know, this 2.2.2.2, this 2.2.2.2. Next IP. Now authentication method: I told you two types of authentication method, pre-shared key and signature. We will use pre-shared key; I will type 123456, done. Now click Next. Now they say which IP you want to encrypt to send to that site. So I say my LAN, so it gets automatically my LAN, this is my LAN, 192.168.1, in which they say where you want to send your traffic, so this is the opposite one. So this is my local LAN, 192.168.1.0, so I say when this local LAN goes to this local LAN; remove this one. Then they say whether they want to access the internet or not: either share local, either you use remote, either none. So in this case they are not using any internet, these LANs, and just done, and Create. It was so simple; they created each and everything. Look at it, they created a group for us, they created a remote address group, they created a phase 2, they created a static route for us, they created a blackhole route, which I told you; they created a local subnet for us, you know the IP, and also remote, local policy and everything, there, done.

How do we know? Let's go to Policy. Did we create a policy before? No. There will be a policy automatically; look at the two policies automatically there, from LAN to VPN, and another policy is from VPN to LAN. Keep in mind, next time we will do this manually, so which policy they created, we will create this policy manually, which they created: LAN to VPN and VPN to LAN. Let's go to Network, Static Routes; oh, they created two routes as well: S1 to S2 remote, and S1 to S2 remote blackhole. You know blackhole, which I told you, 254, the last one, so in case the network is down on one side they will be destroyed. And this, they created a VPN tunnel, as we... VPN route as well. So they created a policy, and let's go to Policy & Objects, Addresses; they created addresses for us as well. Look at this: this is our local subnet, 192.168.1, and this is the remote one, 192.168.2, and look at the SSL tunnel address as well. They created addresses for us, they created a policy, they created a route, they created addresses, everything they did automatically, just in three clicks.

Now we need to do the same job on the other side firewall. You will be called a security engineer. Look, there is no route; let me show you, there is no policy, sorry, where is... there is no policy, nothing. After a while you will see each and everything; nothing, only implicit deny. Now let's go to VPN on the other side, click on IPsec Wizard, and on this side I will say site 2 to site 1, site-to-site, no NAT devices, FortiGate, and Next. Remote address is 1.1.1.1, the public IP, okay, and the pre-shared key we put there, 123456, should be the same, and click Next. My local is this one, opposite, and the other one is 1, and Create. Done: everything, local, remote, phase 2, static, blackhole route, local-to-remote policy, remote-to-local policy; they created everything for us. If we go to Objects, Addresses, there will be addresses created automatically; this one they created. If we go to Policy, they already created two policies for us; this wizard, LAN to site-to-site and site-to-site to LAN, two policies have been created. And if you go to Network and Routes you will see two routes are also created.

But before testing, I want Wireshark here to show you the capture, and now we will generate traffic, and you will see it will be encrypted, and it will show the public IP, not our private IP. Communication will be done by the private IPs and it will show public IPs. And also how to verify: if we go to Monitor, there is an IPsec Monitor. Now if we check, it shows down, down arrow, because there is no traffic generated right now. So let me go to capture, okay, and let me type isakmp; just the first page, nothing is there. Now let's generate the traffic. Before, it was not working; I hope it will work now. Look at it, and telnet, when we were trying it was not working; look, it is working. But here, look, quick mode. What is the other one? There are six packets; they missed them, okay, let me see. Like here, maybe they give them some other name, okay, so from where it started; there are six packets, so maybe we missed them, yeah, they just started directly with quick mode, the second mode. This is the phase 2 mode, which is encrypted; by the way, all the traffic will be encrypted, but before quick mode, which is three packets, there are six packets where they exchange more information, which I missed for some reason; they start from phase 2 and there is no phase 1, they missed phase 1. We need to clear. Now there is ESP; look at who is going: 1.1.1.1. I am sending clear-text HTTP traffic, but here it's showing me ESP. This is the last packet, yeah, how many, 105. Now you will see more if I refresh: 105, now you will see 105, 10... let me put them as ESP only. Look at 115, yeah, let me generate traffic, 150, now 128, and who is going: 1.1.1.1 is going to 2.2.2.2. It's not showing that basically 192.168.2.1 is going to 192.168.2.11; it's been encrypted by ESP, and ESP, you remember, IPsec is using Encapsulating Security Payload to encrypt our traffic. Nothing is visible.

Let me do a telnet; you know, we always say that telnet is not secure. Let me do a telnet from this side, so telnet to this telnet server, 192..., the other server, 192.168.1.1, and the password is 123. Do you think there will be telnet traffic? No, there is no such; this has been converted by ESP, which is encrypted, and nobody can see anything; in encryption, I told you, garbage data. This is the beauty of VPN: now everything, even if it is in clear text, is going in... oh yes, telnet is, sorry, encryption is starting from this point and ending on this point. If I capture a packet here it will be telnet, and if I capture here it will be telnet; let me show you. Let me start a capture here; here it will show telnet, but when it goes out from the interface it will become ESP. So let's start this one and let me generate telnet again, exit, let me show you, let's start, and now let's do. You will see telnet; look at 123, there is telnet inside, there is telnet, but when we go out there is no telnet; it has become SSH, sorry, ESP, and it's converted. Public IPs are doing the communication for us even though we don't have a route, but these two have a route, because this is the prerequisite: the public IP has to be reachable. So this public IP is reachable here, and they're hiding the information and they're deceiving the internet router: their 2.2.2.2 is going to 1.1.1.1, and they say this 1.1.1.1 is going to 2.2.2.2, hiding the information. And how to verify: now if you refresh, it will be green and up, this much data has gone to the other side, and now we can see, and from the other side, if you log in you can see here as well: go to Monitor and there is the IPsec Monitor; from here you can verify. Here it's green and up, got it.

So let me go through in case I missed something for some reason. So we configured this one, okay, and then the management interfaces; we tested them, so nothing was working before the test. Then we configured VPN from one side, okay, and we checked that they configured each and everything automatically. Then we monitored them, and then the other side; we configured VPN from the other side, and what we did then, when we started, it's working, and Wireshark is showing ESP rather than the actual data, and it will show you six packets if I capture here; yeah, I did not capture those six packets as well. So it's ESP, and this is the testing phase, that's it. So this was site-to-site VPN, route-based, okay.
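The objects the wizard builds on site 1 (phase 1, phase 2, address objects, the tunnel route plus its distance-254 blackhole, and the two policies), written out as the equivalent FortiOS CLI; this is an added example, not output from the video. It uses the lab's values (port1 = WAN 1.1.1.1, port2 = LAN 192.168.1.0/24, peer 2.2.2.2, remote LAN 192.168.2.0/24, PSK 123456); the object names, route sequence numbers, policy IDs and the aes256-sha256 proposal are assumptions, and site 2 mirrors this with the addresses and remote gateway swapped.

```fortios
config vpn ipsec phase1-interface
    edit "S1_to_S2"
        # port1 is the WAN (1.1.1.1); remote-gw is site 2's WAN address
        set interface "port1"
        set peertype any
        set net-device disable
        set proposal aes256-sha256
        set remote-gw 2.2.2.2
        # pre-shared key; site 2 must be configured with the identical value
        set psksecret 123456
    next
end
config vpn ipsec phase2-interface
    edit "S1_to_S2"
        set phase1name "S1_to_S2"
        set proposal aes256-sha256
        # local LAN behind port2, remote LAN behind site 2 (assumed /24s)
        set src-subnet 192.168.1.0 255.255.255.0
        set dst-subnet 192.168.2.0 255.255.255.0
    next
end
config firewall address
    edit "S1_to_S2_local"
        set subnet 192.168.1.0 255.255.255.0
    next
    edit "S1_to_S2_remote"
        set subnet 192.168.2.0 255.255.255.0
    next
end
config router static
    # route-based VPN: the remote LAN is reached via the tunnel interface
    edit 2
        set dst 192.168.2.0 255.255.255.0
        set device "S1_to_S2"
    next
    # blackhole at distance 254: when the tunnel is down, traffic for the
    # remote LAN is dropped instead of following the default route in clear
    edit 3
        set dst 192.168.2.0 255.255.255.0
        set distance 254
        set blackhole enable
    next
end
config firewall policy
    # LAN to VPN
    edit 2
        set name "vpn_S1_to_S2_local"
        set srcintf "port2"
        set dstintf "S1_to_S2"
        set srcaddr "S1_to_S2_local"
        set dstaddr "S1_to_S2_remote"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    # VPN to LAN
    edit 3
        set name "vpn_S1_to_S2_remote"
        set srcintf "S1_to_S2"
        set dstintf "port2"
        set srcaddr "S1_to_S2_remote"
        set dstaddr "S1_to_S2_local"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
# Verify (CLI counterpart of the IPsec Monitor): phase 1 and phase 2 SAs
diagnose vpn ike gateway list
diagnose vpn tunnel list
```

The tunnel shows up green in the monitor only after interesting traffic (LAN to LAN) triggers the exchange; the same two diagnose commands show the established IKE gateway and the ESP byte counters that the Wireshark capture on the WAN side reflects.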
Info
Channel: Ahmad Ali
Views: 909
Id: 5ihpImbliUU
Length: 39min 19sec (2359 seconds)
Published: Sun Sep 20 2020