Domain Based VPN
Domain Based VPN is a technique for controlling how VPN traffic is routed between Security Gateways and remote access clients within a community.
To route traffic to a host behind a Security Gateway, an encryption domain must be configured for that Security Gateway.
Configuration for VPN routing is performed either directly through SmartDashboard or by editing the VPN routing configuration files on the Security Gateways.
In the figure, one of the host machines behind Security Gateway A initiates a connection with a host machine behind Security Gateway B. For either technical or policy reasons, Security Gateway A cannot establish a VPN tunnel with Security Gateway B. Using VPN Routing, both Security Gateways A and B can establish VPN tunnels with Security Gateway C, so the connection is routed through Security Gateway C.
Overview of Domain-based VPN
Figure legend: Security Gateway A; Security Gateway B; Security Gateway C (hosts behind A and B connect through C).
VPN Routing and Access Control
VPN routing connections are subject to the same access control rules as any other connection. If VPN routing is correctly configured but a Security Policy rule exists that does not allow the connection, the connection is dropped. For example: a Security Gateway has a rule which forbids all FTP traffic from inside the internal network to anywhere outside. When a peer Security Gateway opens an FTP connection with this Security Gateway, the connection is dropped.
For VPN routing to succeed, a single rule in the Security Policy Rule Base must cover the traffic in both directions, inbound and outbound, and must be installed on the central Security Gateway that forwards it. To configure this rule, see Configuring the 'Accept VPN Traffic Rule'.
Configuring Domain Based VPN
Common VPN routing scenarios can be configured through a VPN star community, but not all VPN routing configuration is handled through SmartDashboard. VPN routing between Security Gateways (star or mesh) can also be configured by editing the configuration file $FWDIR/conf/vpn_route.conf.
VPN routing cannot be configured between Security Gateways that do not belong to a VPN community.
Configuring VPN Routing for Security Gateways through SmartDashboard
For simple hubs and spokes (or if there is only one Hub), the easiest way is to configure a VPN star community in SmartDashboard:
- On the Star Community properties window, Central Security Gateways page, select the Security Gateway that functions as the "Hub".
- On the Satellite Security Gateways page, select Security Gateways as the "spokes", or satellites.
- On the VPN Routing page, Enable VPN routing for satellites section, select one of these options:
- To center and to other Satellites through center. This allows connectivity between the Security Gateways, for example if the spoke Security Gateways are DAIP (Dynamically Assigned IP) Security Gateways and the Hub is a Security Gateway with a static IP address.
- To center, or through the center to other satellites, to internet and other VPN targets. This allows connectivity between the Security Gateways as well as the ability to inspect all communication passing through the Hub to the Internet.
- Create an appropriate access control rule in the Security Policy Rule Base. Remember: one rule must cover traffic in both directions.
- NAT the satellite Security Gateways on the Hub if the Hub is used to route connections from Satellites to the Internet.
The two DAIP Security Gateways can securely route communication through the Security Gateway with the static IP address.
To configure the VPN routing for SmartLSM Security Gateways:
- Create a network object that contains the VPN domains of all the Security Gateways managed by SmartProvisioning.
- Edit the vpn_route.conf file so that this network object appears in the Destination column, with the Next hop set to the Hub (the center Security Gateway of the star community).
- Install this vpn_route.conf file on all LSM profiles that participate in the VPN community.
Configuration via Editing the VPN Configuration File
For more granular control over VPN routing, edit the vpn_route.conf file in the conf directory of the Security Management server.
The configuration file, vpn_route.conf, is a text file that contains the names of network objects, one route per line. The format is: Destination, Next hop, Install on Security Gateway, with the fields separated by tabs; lines beginning with # are comments.
Consider a simple VPN routing scenario consisting of Hub and two Spokes (Figure 5‑3). All machines are controlled from the same Security Management server, and all the Security Gateways are members of the same VPN community. Only Telnet and FTP services are to be encrypted between the Spokes and routed through the Hub:
Although this could be done easily by configuring a VPN star community, the same goal can be achieved by editing vpn_route.conf:
Destination | Next hop router interface | Install on
Spoke_B_VPN_Dom | Hub_C | Spoke_A
Spoke_A_VPN_Dom | Hub_C | Spoke_B
In this instance, Spoke_B_VPN_Dom is the name of the network object group that contains Spoke B's VPN domain, Hub_C is the name of the Security Gateway enabled for VPN routing, and Spoke_A_VPN_Dom is the name of the network object that represents Spoke A's encryption domain. For an example of how the file appears:
Configuring the 'Accept VPN Traffic Rule'
In SmartDashboard:
- Double click on a Star or Meshed community.
- On the General properties page, select the Accept all encrypted traffic checkbox.
- In a Star community, click Advanced to choose between accepting encrypted traffic on Both center and satellite Security Gateways or Satellite Security Gateways only.
- Click OK.
A rule will appear in the Rule Base that will accept VPN traffic between the selected Security Gateways.
Configuring Multiple Hubs
Consider two Hubs, A and B. Hub A has two spokes, spoke_A1, and spoke_A2. Hub B has a single spoke, spoke_B. In addition, Hub A is managed from Security Management server A, while Hub B is managed via Security Management server B:
For the two VPN star communities, based around Hubs A and B:
- Spokes A1 and A2 need to route all traffic going outside of the VPN community through Hub A
- Spokes A1 and A2 also need to route all traffic to one another through Hub A, the center of their star community
- Spoke B needs to route all traffic outside of its star community through Hub B
A_Community is the VPN community of Hub A plus the spokes belonging to A. B_Community is the VPN community of Hub B plus Spoke B. Hubs_Community is the VPN community of Hub_A and Hub_B.
Configuring VPN Routing and Access Control on Security Management server A
The vpn_route.conf file on Security Management server A looks like this:
Destination | Next hop router interface | Install on
Spoke_B_VPN_Dom | Hub_A | A_Spokes
Spoke_A1_VPN_Dom | Hub_A | Spoke_A2
Spoke_A2_VPN_Dom | Hub_A | Spoke_A1
Spoke_B_VPN_Dom | Hub_B | Hub_A
Spokes A1 and A2 are combined into the network group object "A_Spokes". The appropriate rule in the Security Policy Rule Base looks like this:
Source | Destination | VPN | Service | Action
Any | Any | A_Community, B_Community, Hubs_Community | Any | Accept
Configuring VPN Routing and Access Control on Security Management server B
The vpn_route.conf file on Security Management server B looks like this:
Destination | Next hop router interface | Install on
Spoke_A1_VPN_Dom | Hub_B | Spoke_B
Spoke_A2_VPN_Dom | Hub_B | Spoke_B
Spoke_A1_VPN_Dom | Hub_A | Hub_B
Spoke_A2_VPN_Dom | Hub_A | Hub_B
The appropriate rule in the Security Policy Rule Base looks like this:
Source | Destination | VPN | Service | Action
Any | Any | B_Community, A_Community, Hubs_Community | Any | Accept
For both vpn_route.conf files:
- "A_Community" is a star VPN community comprised of Hub_A, Spoke_A1, and Spoke_A2
- "B_Community" is a star VPN community comprised of Hub_B and Spoke_B
- "Hubs_Community" is a meshed VPN community comprised of Hub_A and Hub_B (it could also be a star community with the central Security Gateways meshed).
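The vpn_route.conf tables above (the single-hub Hub_C table under Configuration via Editing the VPN Configuration File and the two files for Security Management servers A and B) list the rows but do not show what a Security Gateway actually does with them: which entries apply on a given gateway once the Install-on column and group membership are resolved, what path a connection takes hop by hop, whether the return path is symmetric, and whether the single Accept rule covers every hop. The following Python script is an added example and not Check Point code. It parses the tab-separated format, rebuilds the per-gateway routing table, traces a spoke-to-spoke path through both hubs, and checks each hop against the communities named in the rule's VPN column. The file contents, the group and community membership, the owner of each encryption domain, the treatment of an omitted Install-on field as "install on every gateway" and the "first matching entry wins" ordering are all constructed assumptions for the illustration.

```python
"""Added example (not Check Point code): parse vpn_route.conf, rebuild each
gateway's VPN routing table and trace hub-and-spoke paths hop by hop. File
contents, object names and community membership are constructed."""
import re

# Constructed files as installed by Security Management servers A and B.
# Fields are tab-separated: destination, next hop, [install on].
VPN_ROUTE_CONF_A = """\
# destination\tnext hop\tinstall on
Spoke_B_VPN_Dom\tHub_A\tA_Spokes
Spoke_A1_VPN_Dom\tHub_A\tSpoke_A2
Spoke_A2_VPN_Dom\tHub_A\tSpoke_A1
Spoke_B_VPN_Dom\tHub_B\tHub_A
"""
VPN_ROUTE_CONF_B = """\
Spoke_A1_VPN_Dom\tHub_B\tSpoke_B
Spoke_A2_VPN_Dom\tHub_B\tSpoke_B
Spoke_A1_VPN_Dom\tHub_A\tHub_B
Spoke_A2_VPN_Dom\tHub_A\tHub_B
"""
GROUPS = {"A_Spokes": {"Spoke_A1", "Spoke_A2"}}  # network group objects
DOMAIN_OWNER = {"Spoke_A1_VPN_Dom": "Spoke_A1", "Spoke_A2_VPN_Dom": "Spoke_A2",
                "Spoke_B_VPN_Dom": "Spoke_B"}    # encryption domain -> gateway
COMMUNITIES = {  # a tunnel exists only between members of a shared community
    "A_Community": {"Hub_A", "Spoke_A1", "Spoke_A2"},
    "B_Community": {"Hub_B", "Spoke_B"},
    "Hubs_Community": {"Hub_A", "Hub_B"},
}
# Each gateway receives the file of the management server that controls it.
CONF_FOR = {gw: VPN_ROUTE_CONF_A for gw in ("Hub_A", "Spoke_A1", "Spoke_A2")}
CONF_FOR.update({gw: VPN_ROUTE_CONF_B for gw in ("Hub_B", "Spoke_B")})

def parse_vpn_route(text):
    """Return [(destination, next_hop, install_on)]. '#' starts a comment; a
    missing third field means 'install on every gateway' (assumption)."""
    routes = []
    for lineno, raw in enumerate(text.splitlines(), 1):
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        fields = re.split(r"\t+", line)
        if len(fields) not in (2, 3):
            raise ValueError(f"line {lineno}: expected 2 or 3 tab-separated fields")
        routes.append((fields[0], fields[1], fields[2] if len(fields) == 3 else None))
    return routes

def routing_table(gw, conf_for=CONF_FOR):
    """Entries that apply on gw: Install-on names gw, a group containing gw,
    or is absent. First matching entry wins (assumption)."""
    table = {}
    for dest, nxt, target in parse_vpn_route(conf_for[gw]):
        if target is None or target == gw or gw in GROUPS.get(target, ()):
            table.setdefault(dest, nxt)
    return table

def vpn_peers(gw):
    """Gateways that share at least one VPN community with gw."""
    peers = set().union(*(m for m in COMMUNITIES.values() if gw in m))
    peers.discard(gw)
    return peers

def trace_path(src, dest_domain, conf_for=CONF_FOR, max_hops=8):
    """Gateway path from src to the owner of dest_domain. Raises RuntimeError
    when a hop has no usable route or no tunnel to its next hop."""
    owner = DOMAIN_OWNER[dest_domain]
    path, cur = [src], src
    while cur != owner:
        if len(path) > max_hops:
            raise RuntimeError(f"routing loop: {path}")
        nxt = routing_table(cur, conf_for).get(dest_domain)
        if nxt is None:  # no explicit route: the owner must be a direct VPN peer
            if owner not in vpn_peers(cur):
                raise RuntimeError(f"{cur}: no route to {dest_domain} and no tunnel to {owner}")
            nxt = owner
        elif nxt not in vpn_peers(cur):
            raise RuntimeError(f"{cur}: next hop {nxt} shares no VPN community with it")
        path.append(nxt)
        cur = nxt
    return path

def route_error(src, dest_domain, conf_for=CONF_FOR):
    """Error text if src cannot reach dest_domain, else None."""
    try:
        trace_path(src, dest_domain, conf_for)
        return None
    except RuntimeError as exc:
        return str(exc)

def rule_covers_path(path, vpn_column):
    """True if every hop lies inside a community listed in the rule's VPN column."""
    return all(any(a in COMMUNITIES[c] and b in COMMUNITIES[c] for c in vpn_column)
               for a, b in zip(path, path[1:]))

if __name__ == "__main__":
    for src, dom in (("Spoke_A1", "Spoke_B_VPN_Dom"), ("Spoke_B", "Spoke_A1_VPN_Dom")):
        print(src, "->", dom, ":", " -> ".join(trace_path(src, dom)))
```

Running it prints Spoke_A1 -> Hub_A -> Hub_B -> Spoke_B for the forward direction and Spoke_B -> Hub_B -> Hub_A -> Spoke_A1 for the return, which is the symmetry the two files are meant to produce. Deleting the fourth line of server A's file (Spoke_B_VPN_Dom via Hub_B, installed on Hub_A) makes route_error report that Hub_A has no route and no tunnel to Spoke_B, which is the kind of one-sided configuration error that the Install-on column makes easy to introduce.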
VPN for a SmartLSM Profile
If branch office Security Gateways are managed by SmartProvisioning as SmartLSM Security Gateways, enable VPN routing for a hub and spoke configuration by editing the vpn_route.conf file on the Security Management server.
To configure VPN for a single SmartLSM Profile with multiple gateways:
- In SmartDashboard, create a network object group that contains the encryption domains of all the satellite SmartLSM Security Gateways and call it Robo_Domain.
- Create a network object group that contains all the Center Security Gateways and call it Center_gws.
- In vpn_route.conf, add the rule:
Destination | Router | Install on
Robo_Domain | Center_gws | Robo_profile
If access to the SmartLSM Security Gateway itself through the VPN tunnel is required, include the Security Gateway's external IP address in Robo_Domain.
Multiple router (next hop) Security Gateways are supported, on condition that either:
- The Security Gateways are listed under "Install on" in vpn_route.conf, or
- The satellite Security Gateways are selected in SmartDashboard
VPN with One or More LSM Profiles
You can configure a VPN star community between two SmartLSM Profiles. The procedures below show a SmartLSM Profile Gateway and Cluster. You can also configure the community with two SmartLSM Profile Clusters or two SmartLSM Profile Gateways. All included SmartLSM Profile Gateways and Clusters must have the IPsec VPN blade enabled.
The procedure requires configuration in:
- SmartDashboard
- Security Management Server CLI
- SmartProvisioning Console
- Center Gateway CLI
Using SmartDashboard
In SmartDashboard create network objects that represent the VPN community members and their networks. You must create a star community with as the selected option for (> > ).
To configure a VPN star community between two SmartLSM Profiles in SmartDashboard:
- Create and configure a SmartLSM Profile Cluster.
When you configure the topology, make sure that the interface name exactly matches the name of the physical interface.
- Create and configure a SmartLSM Profile Gateway.
- Create a regular Security Gateway to be the Center Gateway.
Note - Security Gateway 80 gateways cannot be the Center Gateway.
- Create a VPN Star Community, select IPsec VPN > New > Star Community.
- Select from the tree.
- Click and select the Security Gateway that you created to be the Center Gateway.
- Select from the tree.
- Click and select the SmartLSM Profile Cluster and SmartLSM Profile Gateway (or second cluster).
- Select > from the tree.
- Select .
- Create a object that represents the internal network of each satellite in the VPN community.
- From the Network Objects tree, right-click and select .
- In the field, enter the IP address that represents the internal IP address of the satellite. If the satellite is a cluster, enter the internal Virtual IP.
- Create a object that represents the external IP address of each satellite in the VPN community.
- From the Network Objects tree, right-click and select > .
- In the IP field, enter the IP address that represents the external IP address of the satellite. If the satellite is a cluster, enter the external Virtual IP.
- Create a object that represents the networks for each satellite object:
- From the Network Objects tree, right-click and select > > .
- Enter a for the group that is unique for one satellite.
- Select the object that you created for that satellite's internal network and click .
- Select the object that you created for that satellite's external IP address and click .
- Create a object that represents the Center Gateway.
- From the Network Objects tree, right-click and select > > .
- Enter a for the group that is unique for the Center Gateway.
- Select the Gateway object and click .
Using the CLI
Edit the vpn_route.conf file (the VPN routing table) on the Domain Management Server or Security Management Server so that two SmartLSM Profile Gateways or Clusters can communicate with each other through the Center Gateway. This is done from the CLI.
To edit the vpn_route.conf file:
Open the vpn_route.conf file.
- In a Multi-Domain Security Management environment, on a Domain Management Server:
- If satellites are 80 series Gateways or Clusters:
/var/opt/CPmds-<version>/customers/<Domain Management Server_name>/CPSG80CMP-<version>/conf/vpn_route.conf
- If satellites are on a different SecurePlatform appliance or open server:
/opt/CPmds-<version>/customers/<Domain Management Server_name>/CPsuite-<version>/fw1/conf/vpn_route.conf
- In a Security Management Server environment:
- If satellites are 80 series Gateways or Clusters:
/opt/CPSG80CMP-<version>/conf/vpn_route.conf
- If satellites are on a different SecurePlatform appliance or open server:
/opt/CPsuite-<version>/fw1/conf/vpn_route.conf
If two SmartLSM Gateways on different LSM Gateway profiles will communicate with each other through the Center gateway, edit the file:
# destination | router | [install on]
< of internal network of SmartLSM Gateway> | <Center Gateway> | <Name of second LSM Profile>
<of internal network of second SmartLSM Gateway> | <Center Gateway> | <Name of LSM Profile>
If more than one SmartLSM Gateway in the same LSM Profile will communicate with each other through the Center gateway, edit the file:
# destination | router | [install on]
< of internal network of SmartLSM Gateway> | <Center Gateway> | <Name of LSM Profile>
Install policy on the SmartLSM Profiles and on the Center Gateway.
Completing the Configuration
Complete the configuration in the SmartProvisioning Console and the CLI of the Center Gateway.
To complete the VPN configuration:
- Open the SmartProvisioning Console.
- Create a new SmartLSM Cluster or Gateway based on the type of device you have. Select > > select an option.
- Generate a VPN certificate for each Gateway or Cluster member:
- Open the cluster or gateway object > tab.
- Select .
- Click .
- Do these steps again for each cluster member.
Note - If topology information, including date and time, changes after you generate the certificate, you must generate a new certificate in the tab and update the gateway ( > ).
- In the CLI of the Center Gateway, run:
LSMenabler on
- In the SmartProvisioning GUI Console, right-click the Center Gateway and select > .
- In the tab of each object, make sure that the topology of provisioned objects is correct for each device:
- Make sure that the interfaces have the same IP addresses as the actual gateways.
- Make sure that the external and internal interfaces are recognized and configure correctly as "External" and "Internal".
- If the interfaces show without IP addresses, click: .
- In the tab, configure the VPN domain:
- For SmartLSM Profile Gateways choose an option.
- For SmartLSM Profile Clusters, select and manually add the encryption domains that you want to include.
- .
All traffic between the satellites and Center Gateway is encrypted.