
Domain Based VPN

In This Section:

Overview of Domain-based VPN

VPN Routing and Access Control

Configuring Domain Based VPN

Overview of Domain-based VPN

Domain Based VPN controls how VPN traffic is routed between Security Gateways and remote access clients within a community. To route traffic to a host behind a Security Gateway, you must first define an encryption domain for that Security Gateway. Configuration for VPN routing is done with SmartDashboard or by editing the VPN routing configuration files on the Security Gateways.

In this figure, one of the host machines behind Security Gateway A tries to connect to a host computer behind Security Gateway B. For technical or policy reasons, Security Gateway A cannot establish a VPN tunnel with Security Gateway B. With VPN Routing, Security Gateways A and B can establish VPN tunnels through Security Gateway C.

Figure legend: A, Security Gateway A; B, Security Gateway B; C, Security Gateway C.

VPN Routing and Access Control

VPN routing connections are subject to the same access control rules as any other connection. If VPN routing is correctly configured but a Security Policy rule exists that does not allow the connection, the connection is dropped. For example: a Security Gateway has a rule which forbids all FTP traffic from inside the internal network to anywhere outside. When a peer Security Gateway opens an FTP connection with this Security Gateway, the connection is dropped.

For VPN routing to succeed, a single rule in the Security Policy Rule Base must cover traffic in both directions, inbound and outbound, on the central Security Gateway. To configure this rule, see "Configuring the 'Accept VPN Traffic Rule'".

Configuring Domain Based VPN

Common VPN routing scenarios can be configured through a VPN star community, but not all VPN routing configuration is handled through SmartDashboard. VPN routing between Security Gateways (star or mesh) can also be configured by editing the configuration file $FWDIR/conf/vpn_route.conf.

VPN routing cannot be configured between Security Gateways that do not belong to a VPN community.

Configuring VPN Routing for Security Gateways through SmartDashboard

For simple hubs and spokes (or if there is only one Hub), the easiest way is to configure a VPN star community in SmartDashboard:

  1. On the Star Community properties window, Central Security Gateways page, select the Security Gateway that functions as the "Hub".
  2. On the Satellite Security Gateways page, select Security Gateways as the "spokes", or satellites.
  3. On the VPN Routing page, Enable VPN routing for satellites section, select one of these options:
    • To center and to other Satellites through center. This allows connectivity between the Security Gateways, for example if the spoke Security Gateways are DAIP Security Gateways, and the Hub is a Security Gateway with a static IP address.
    • To center, or through the center to other satellites, to internet and other VPN targets. This allows connectivity between the Security Gateways as well as the ability to inspect all communication passing through the Hub to the Internet.
  4. Create an appropriate access control rule in the Security Policy Rule Base. Remember: one rule must cover traffic in both directions.
  5. NAT the satellite Security Gateways on the Hub if the Hub is used to route connections from Satellites to the Internet.

The two DAIP Security Gateways can securely route communication through the Security Gateway with the static IP address.

To configure the VPN routing for SmartLSM Security Gateways:

  1. Create a network object that contains the VPN domains of all the Security Gateways of the relevant SmartLSM profiles.
  2. Add a routing entry to the $FWDIR/conf/vpn_route.conf file:
    1. Enter the newly created network object in the Destination column.
    2. Enter the Central Gateway (in the center of the Star Community) in the Router column.
    3. Enter relevant SmartLSM profiles in the Install on column.
  3. Install policy onto the SmartLSM profiles that participate in the VPN community.

Configuration via Editing the VPN Configuration File

For more granular control over VPN routing, edit the vpn_route.conf file in the conf directory of the Security Management Server.

The configuration file, vpn_route.conf, is a text file that contains the names of network objects. Each line has the format: Destination, Next hop, Install on Security Gateway, with the elements separated by tabs.

Consider a simple VPN routing scenario consisting of Hub and two Spokes. All machines are controlled from the same Security Management Server, and all the Security Gateways are members of the same VPN community. Only Telnet and FTP services are to be encrypted between the Spokes and routed through the Hub:

Although this could be done easily by configuring a VPN star community, the same goal can be achieved by editing vpn_route.conf:

Destination         Next hop router interface   Install on
Spoke_B_VPN_Dom     Hub_C                       Spoke_A
Spoke_A_VPN_Dom     Hub_C                       Spoke_B

In this instance, Spoke_B_VPN_Dom is the name of the network object group that contains spoke B's VPN domain. Hub_C is the name of the Security Gateway enabled for VPN routing. Spoke_A_VPN_Dom is the name of the network object that represents Spoke A's encryption domain. For an example of how the file appears:

Configuring the 'Accept VPN Traffic Rule'

In SmartDashboard:

  1. Double click on a Star or Meshed community.
  2. On the General properties page, select the Accept all encrypted traffic checkbox.
  3. In a Star community, click Advanced to choose between accepting encrypted traffic on Both center and satellite Security Gateways or Satellite Security Gateways only.
  4. Click OK.

A rule will appear in the Rule Base that will accept VPN traffic between the selected Security Gateways.

Configuring Multiple Hubs

Consider two Hubs, A and B. Hub A has two spokes, spoke_A1, and spoke_A2. Hub B has a single spoke, spoke_B. In addition, Hub A is managed from Security Management Server A, while Hub B is managed via Security Management Server B:

For the two VPN star communities, based around Hubs A and B:

A_community is the VPN community of Hub A plus the spokes belonging to A. B_community is the VPN community of Hub B plus its spoke. Hubs_community is the VPN community of Hub_A and Hub_B.

Configuring VPN Routing and Access Control on Security Management Server A

The vpn_route.conf file on Security Management Server A looks like this:

Destination         Next hop router interface   Install on
Spoke_B_VPN_Dom     Hub_A                       A_Spokes
Spoke_A1_VPN_Dom    Hub_A                       Spoke_A2
Spoke_A2_VPN_Dom    Hub_A                       Spoke_A1
Spoke_B_VPN_Dom     Hub_B                       Hub_A

Spokes A1 and A2 are combined into the network group object "A_Spokes". The appropriate rule in the Security Policy Rule Base looks like this:

Source   Destination   VPN                                        Service   Action
Any      Any           A_Community, B_Community, Hubs_Community   Any       Accept

Configuring VPN Routing and Access Control on Security Management Server B

The vpn_route.conf file on Security Management Server B looks like this:

Destination         Next hop router interface   Install on
Spoke_A1_VPN_Dom    Hub_B                       Spoke_B
Spoke_A2_VPN_Dom    Hub_B                       Spoke_B
Spoke_A1_VPN_Dom    Hub_A                       Hub_B
Spoke_A2_VPN_Dom    Hub_A                       Hub_B

The appropriate rule in the Security Policy Rule Base looks like this:

Source   Destination   VPN                                        Service   Action
Any      Any           B_Community, A_Community, Hubs_Community   Any       Accept
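Added example, not from the Check Point documentation: a small Python parser for the vpn_route.conf format described under "Configuration via Editing the VPN Configuration File", applied to the two multi-hub files above (concatenated for the simulation) to trace the hop-by-hop path that a set of entries produces. The A_Spokes group membership and the acceptance of any whitespace as a column separator are assumptions; a loop in the entries is reported rather than followed.

```python
from typing import Dict, List, Tuple

# Constructed: the two multi-hub vpn_route.conf files from the page,
# concatenated.  Each file really lives on its own Security Management
# Server, but the "Install on" column scopes every line, so concatenating
# them does not change which gateway receives which entry.
VPN_ROUTE_CONF = """\
# destination      router   [install on]
Spoke_B_VPN_Dom    Hub_A    A_Spokes
Spoke_A1_VPN_Dom   Hub_A    Spoke_A2
Spoke_A2_VPN_Dom   Hub_A    Spoke_A1
Spoke_B_VPN_Dom    Hub_B    Hub_A
Spoke_A1_VPN_Dom   Hub_B    Spoke_B
Spoke_A2_VPN_Dom   Hub_B    Spoke_B
Spoke_A1_VPN_Dom   Hub_A    Hub_B
Spoke_A2_VPN_Dom   Hub_A    Hub_B
"""
# Constructed (assumed): the group object A_Spokes holds spokes A1 and A2.
GROUPS = {"A_Spokes": ["Spoke_A1", "Spoke_A2"]}

def parse_vpn_route_conf(text: str) -> List[Tuple[str, str, str]]:
    """(destination, router, install_on) per entry; '#' comments and blank
    lines are skipped.  The page gives tab-separated columns; any whitespace
    is accepted here.  A missing [install on] column is recorded as '*'."""
    entries = []
    for raw in text.splitlines():
        line = raw.split("#", 1)[0].strip()
        if not line:
            continue
        cols = line.split()
        if len(cols) not in (2, 3):
            raise ValueError(f"malformed vpn_route.conf line: {raw!r}")
        entries.append((cols[0], cols[1], cols[2] if len(cols) == 3 else "*"))
    return entries

def routes_for(entries, gateway: str, groups=GROUPS) -> Dict[str, str]:
    """Routing table (destination -> next hop) installed on one gateway."""
    table: Dict[str, str] = {}
    for dest, router, install_on in entries:
        if install_on == "*" or gateway in groups.get(install_on, [install_on]):
            table.setdefault(dest, router)  # assumed: first matching line wins
    return table

def trace_path(entries, start_gw: str, destination: str, groups=GROUPS) -> List[str]:
    """Follow next-hop entries until a gateway has no entry for the
    destination (it delivers directly).  A revisited gateway is a loop."""
    path = [start_gw]
    while (hop := routes_for(entries, path[-1], groups).get(destination)) is not None:
        if hop in path:
            raise RuntimeError(f"routing loop: {path + [hop]}")
        path.append(hop)
    return path
```

With the page's entries, trace_path(entries, "Spoke_A1", "Spoke_B_VPN_Dom") yields Spoke_A1, Hub_A, Hub_B: the spoke reaches the other hub's domain only through its own hub, which is exactly why the Hub_A line installed from Server A must point at Hub_B.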

For both vpn_route.conf files:

VPN for a SmartLSM Profile

If branch office Security Gateways are managed by SmartProvisioning as SmartLSM Security Gateways, enable VPN routing for a hub and spoke configuration by editing the vpn_route.conf file on the Security Management Server.

To configure VPN For a single SmartLSM Profile with multiple gateways:

  1. In SmartDashboard, create a Group that contains the encryption domains of all the satellite SmartLSM Security Gateways and call it Robo_domain.
  2. Create a Group that contains all the Center Security Gateways and call it Center_gws.
  3. In vpn_route.conf, add the rule:

Destination     Router       Install on
Robo_domain     Center_gws   Robo_profile

If access to the SmartLSM Security Gateway itself through the VPN tunnel is required, the Security Gateway's external IP address should be included in the Robo_domain group.

Multiple router Security Gateways are now supported on condition that:

VPN with One or More LSM Profiles

You can configure a VPN star community between two SmartLSM Profiles. The procedures below show a SmartLSM Profile Gateway and a SmartLSM Profile Cluster. You can also configure the community with two SmartLSM Profile Clusters or two SmartLSM Profile Gateways. All included SmartLSM Profile Gateways and Clusters must have the IPsec VPN blade enabled.

The procedure requires configuration in:

Using SmartDashboard

In SmartDashboard create network objects that represent the VPN community members and their networks. You must create a star community with To center and to other satellites through center as the selected option for VPN Routing (Star Community Properties > Advanced Settings > VPN Routing).

To configure a VPN star community between two SmartLSM Profiles in SmartDashboard:

  1. Create and configure a SmartLSM Profile Cluster.

    When you configure the topology, make sure that the interface name exactly matches the name of the physical interface.

  2. Create and configure a SmartLSM Profile Gateway.
  3. Create a regular Security Gateway to be the Center Gateway.

    Note - Security Gateway 80 gateways cannot be the Center Gateway.

  4. Create a VPN Star Community, select IPsec VPN > New > Star Community.
    1. Select Center Gateways from the tree.
    2. Click Add and select the Security Gateway that you created to be the Center Gateway.
    3. Select Satellite Gateways from the tree.
    4. Click Add and select the SmartLSM Profile Cluster and SmartLSM Profile Gateway (or second cluster).
    5. Select Advanced Settings > VPN Routing from the tree.
    6. Select To center and to other satellites through center.
  5. Create a Network object that represents the internal network of each satellite in the VPN community.
    1. From the Network Objects tree, right-click Networks and select Network.
    2. In the Network Address field, enter the IP address that represents the internal IP address of the satellite. If the satellite is a cluster, enter the internal Virtual IP.
  6. Create a Node object that represents the external IP address of each satellite in the VPN community.
    1. From the Network Objects tree, right-click Nodes and select Node > Gateway.
    2. In the IP Address field, enter the IP address that represents the external IP address of the satellite. If the satellite is a cluster, enter the external Virtual IP.
  7. Create a Group object that represents the networks for each satellite object:
    1. From the Network Objects tree, right-click and select New > Groups > Simple Group.
    2. Enter a Name for the group that is unique for one satellite.
    3. Select the Network object that you created for that satellite's internal network and click Add.
    4. Select the Node object that you created for that satellite's external IP address and click Add.
  8. Create a Group object that represents the Center Gateway.
    1. From the Network Objects tree, right-click and select New > Groups > Simple Group.
    2. Enter a Name for the group that is unique for the Center Gateway.
    3. Select the Gateway object and click Add.

Using the CLI

Edit the routing table of the Domain Management Server or Security Management Server to enable two SmartLSM Profile Gateways or Clusters to communicate with each other through the Center Gateway. Do this in the vpn_route.conf file in the CLI.

To edit the vpn_route.conf file:

Open the vpn_route.conf file.

If two SmartLSM Gateways on different LSM Gateway profiles will communicate with each other through the Center gateway, edit the file:

# destination                                                        router             [install on]
<Simple Group Name of internal network of SmartLSM Gateway>          <Center Gateway>   <Name of second LSM Profile>
<Simple Group Name of internal network of second SmartLSM Gateway>   <Center Gateway>   <Name of LSM Profile>

If more than one SmartLSM Gateway in the same LSM Profile will communicate with each other through the Center gateway, edit the file:

# destination                                                        router             [install on]
<Simple Group Name of internal network of SmartLSM Gateway>          <Center Gateway>   <Name of LSM Profile>

Install policy on the SmartLSM Profiles and on the Center Gateway.

Completing the Configuration

Complete the configuration in the SmartProvisioning and the CLI of the Center Gateway.

To complete the VPN configuration:

  1. Open the SmartProvisioning Console.
  2. Create a new SmartLSM Cluster or Gateway based on the type of device you have. Select File > New > select an option.
  3. Generate a VPN certificate for each Gateway or Cluster member:
    1. Open the cluster or gateway object > VPN tab.
    2. Select Use Certificate Authority Certificate.
    3. Click Generate.
    4. Do these steps again for each cluster member.

      Note - If topology information, including date and time, changes after you generate the certificate, you must generate a new certificate in the VPN tab and update the gateway (Actions > Update Gateway).

  4. In the CLI of the Center Gateway, run: LSMenabler on
  5. In the SmartProvisioning GUI Console, right-click the Center Gateway and select Actions > Update Corporate Office Gateway.
  6. In the Topology tab of each object, make sure that the topology of provisioned objects is correct for each device:
    • Make sure that the interfaces have the same IP addresses as the actual gateways.
    • Make sure that the external and internal interfaces are recognized and configured correctly as "External" and "Internal".
    • If the interfaces show without IP addresses, click: Get Actual Settings.
  7. In the Topology tab, configure the VPN domain:
    • For SmartLSM Profile Gateways choose an option.
    • For SmartLSM Profile Clusters, select Manually defined and manually add the encryption domains that you want to include.
  8. Push Policy.

All traffic between the satellites and Center Gateway is encrypted.