Guest lecture 19/4
• Peter Van Hemlryck – Fortinet
  ▫ Fortigate firewall + practical examples
• Assignment:
  ▫ 3 "lessons learned"
    What you consider important/relevant to remember
    What may be asked on the exam
  ▫ Hand in on A4
  ▫ Immediately after the guest lecture
• The content is part of the course material (own summary)
Sven Sanders - Odisee
2
Lessons learned: encryption
• Symmetric encryption vs asymmetric encryption
  ▫ 1 secret key vs public/private key pair
  ▫ Speed vs ease of key exchange
• An SSL connection uses the strengths of both:
  ▫ Asymmetric encryption to exchange the symmetric key
  ▫ Symmetric encryption for the data exchange
• Certificates confirm the identity of the owner of the public key
  ▫ Chain of trust
VPN
• Secure connection over an insecure network
  ▫ By applying encryption
• Types:
  ▫ Site-to-site – dial-in
  ▫ IPsec – SSL
IPsec
• Building the tunnel
  ▫ Confidentiality: encrypt the data
  ▫ Integrity: message authentication
  ▫ Authentication: PSK or certificate
  ▫ Anti-replay: sequence numbering
• Tunnel mode – transport mode
• ESP - AH
IPsec
• Internet Key Exchange
  ▫ Phase 1:
    Secure channel with DH
    Authentication
    Set up a secure channel with symmetric encryption
    Aggressive or main mode
  ▫ Phase 2:
    Set up the tunnel for the data
    DH and symmetric encryption of the data
  ▫ Perfect forward secrecy
    Lifetime
Route based site-to-site VPN
• Alternative: policy based
  ▫ Not on Palo Alto; may be used at the other tunnel endpoint
[Diagram: site-to-site topology with networks 10.2.0.0/24 and 192.168.10.0/24, firewall interfaces Ethernet 1/3 (24.1.1.12) and Ethernet 1/8 (161.10.12.64), IPsec Tunnel on Tunnel.1. Routing Table: 10.2.0.0/24 > Tunnel.1]
VPN configuration
• Create the tunnel interface
• Configure the IPsec tunnel
  ▫ IPsec tunnel
  ▫ IKE gateway
  ▫ Crypto profiles
• Add a static route
Tunnel interface
Network > Interfaces > Tunnel
An address is only needed if IP traffic is required between the tunnel endpoints, in particular for a routing protocol and the tunnel monitor
Tunnel Identifier
IKE gateway
In passive mode the firewall does not start the process itself
IKE cryptographic profile
Network > Network Profiles > IKE Crypto
Symmetric Bulk Data Encryption
Asymmetric Key Exchange
Authentication supports md5, sha1, sha256, sha384, sha512
IPsec tunnel
Network > IPSec Tunnel
IKE Gateway
Phase 2 crypto proposal
To confirm route validity (if the Tunnel interface has been configured with an IP address)
IPsec cryptographic profiles
Network > Network Profiles > IPSec Crypto
Asymmetric Key Exchange: DH Group 1, 2, 5, 14, no-pfs
Enable PFS
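The IKE Crypto and IPSec Crypto screens above offer md5/sha1 for authentication and DH groups 1, 2, 5 and no-pfs next to the stronger choices. As an added example (not Palo Alto code), the check below reviews a profile and reports every weak option it would offer; the profile dictionaries are constructed for illustration.

```python
# Added example (not Palo Alto code): flag weak choices among the hash and DH-group
# options that the IKE Crypto and IPSec Crypto profile screens offer. The profile
# dictionaries are constructed for illustration.

# Option lists as shown on the profile screens.
SUPPORTED_AUTH = ("md5", "sha1", "sha256", "sha384", "sha512")
SUPPORTED_DH = ("group1", "group2", "group5", "group14", "no-pfs")

# Selectable but not acceptable for a new tunnel: deprecated hashes and MODP
# groups below 2048 bits. "no-pfs" means phase 2 does no fresh DH exchange.
WEAK_AUTH = {"md5", "sha1"}
WEAK_DH = {"group1", "group2", "group5"}


def review_profile(profile):
    """(severity, message) findings for one profile. Every listed option is a
    proposal the peer may pick, so each weak entry is reported on its own."""
    findings = []
    for alg in profile["authentication"]:
        if alg not in SUPPORTED_AUTH:
            findings.append(("error", f"unknown authentication algorithm: {alg}"))
        elif alg in WEAK_AUTH:
            findings.append(("high", f"weak authentication algorithm offered: {alg}"))
    for grp in profile["dh_group"]:
        if grp not in SUPPORTED_DH:
            findings.append(("error", f"unknown DH group: {grp}"))
        elif grp == "no-pfs":
            findings.append(("high", "PFS disabled: phase-2 keys derive from phase-1 material only"))
        elif grp in WEAK_DH:
            findings.append(("medium", f"weak DH group offered: {grp}"))
    return findings


def is_acceptable(profile):
    """True when the profile has no high or error findings."""
    return not any(sev in ("high", "error") for sev, _ in review_profile(profile))


# Constructed profiles: a legacy IKE profile beside a hardened one, and an
# IPsec profile with PFS switched off.
LEGACY_IKE = {"name": "ike-legacy", "authentication": ["sha1", "md5"],
              "dh_group": ["group2", "group5"]}
HARDENED_IKE = {"name": "ike-modern", "authentication": ["sha256", "sha384"],
                "dh_group": ["group14"]}
IPSEC_NO_PFS = {"name": "ipsec-nopfs", "authentication": ["sha256"],
                "dh_group": ["no-pfs"]}

if __name__ == "__main__":
    for prof in (LEGACY_IKE, HARDENED_IKE, IPSEC_NO_PFS):
        print(prof["name"], "OK" if is_acceptable(prof) else review_profile(prof))
```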
IPsec tunnel
Network > IPSec Tunnel
Override Default Proxy ID
Static route
• Tunnel interface as the exit interface
• Next hop is not important
Troubleshooting
Issue                       Initiator error      Responder error
Wrong IP / no connection    P1 - Timeout         P1 - Timeout
No matching P1 proposal     P1 - Timeout         No suitable proposal (P1)
Mismatched peer ID          P1 - Timeout         Peer identifier does not match
No matching P2 proposal     No proposal chosen   No suitable proposal (P2)
PFS Group mismatch          P2 - Timeout         PFS group mismatch
Mismatched proxy ID         P2 - Timeout         Cannot find matching phase-2 tunnel
Log messages (system log)
peer identifier (type fqdn [bad.peer]) does not match remote Remote2.
IKE phase-2 negotiation failed when processing proxy ID. cannot find matching phase-2 tunnel for received proxy ID. received local id: 192.168.41.1/24 type IPv4_subnet protocol 0 port 0, received remote id: 192.168.42.1/24 type IPv4_subnet protocol 0 port 0.
Callouts on the first message: Name of Local Phase 1 IKE Gateway Object; Remote Side's Phase 1 Peer Configuration
Callouts on the second message: The "Remote Proxy ID" from the other side; The "Local Proxy ID" from the other side
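The troubleshooting table and the two system-log messages above give the responder-side text for each failure. As an added example (not Palo Alto tooling), the script below maps such log lines to a likely cause, pulls the peer identifier and the received proxy IDs out of the quoted messages, and checks whether the peer's proxy IDs mirror ours; the constructed stand-in lines in SAMPLE_LOG are labelled as such.

```python
import ipaddress
import re

# Added example (not Palo Alto tooling): triage IKE failures in the system log
# using the responder-side messages from the troubleshooting table. The two long
# SAMPLE_LOG entries are the messages quoted on the slide; the short ones are
# constructed stand-ins for the other table rows.
SAMPLE_LOG = [
    "peer identifier (type fqdn [bad.peer]) does not match remote Remote2.",
    "IKE phase-2 negotiation failed when processing proxy ID. cannot find matching "
    "phase-2 tunnel for received proxy ID. received local id: 192.168.41.1/24 type "
    "IPv4_subnet protocol 0 port 0, received remote id: 192.168.42.1/24 type "
    "IPv4_subnet protocol 0 port 0.",
    "constructed: No suitable proposal (P1)",
    "constructed: PFS group mismatch",
]

# Responder error substring (case-insensitive) -> likely cause, as in the table.
RULES = [
    ("no suitable proposal", "no matching P1/P2 proposal"),
    ("does not match remote", "mismatched peer ID (phase 1)"),
    ("pfs group mismatch", "PFS group mismatch (phase 2)"),
    ("cannot find matching phase-2 tunnel", "mismatched proxy ID (phase 2)"),
]
PEER_RE = re.compile(r"peer identifier \(type (\w+) \[([^\]]+)\]\) does not match remote (.+?)\.?$")
PROXY_RE = re.compile(r"received local id: (\S+) .*?received remote id: (\S+) ")

def classify(line):
    """Likely cause for one log line, or None when it is not an IKE error."""
    low = line.lower()
    return next((cause for needle, cause in RULES if needle in low), None)

def parse_peer_id(line):
    """(id type, identifier the peer sent, local IKE gateway object name)."""
    m = PEER_RE.search(line)
    return m.groups() if m else None

def parse_received_proxy_ids(line):
    """(peer's local proxy ID, peer's remote proxy ID) from a phase-2 failure."""
    m = PROXY_RE.search(line)
    return m.groups() if m else None

def proxy_ids_mirror(our_local, our_remote, received_local, received_remote):
    """True when the peer's local ID is our remote ID and vice versa; subnets are
    compared as networks (strict=False) so host bits such as 192.168.41.1/24 do
    not hide a match."""
    def net(s):
        return ipaddress.ip_network(s, strict=False)
    return net(our_local) == net(received_remote) and net(our_remote) == net(received_local)
```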
GlobalProtect
• Dial-in VPN solution (+)
• Host Information Profile (HIP)
  ▫ Restrictions also based on AV, OS patches, disk encryption
Components
[Diagram: GlobalProtect components: Portal (sends Config Info to Client), GP Agent, several Gateways (Secure VPN)]
Internal/external determination
[Diagram: Client performs a Reverse DNS Lookup against the External DNS Server and against the Internal DNS Server]
Advanced topology
[Diagram: advanced topology with one GlobalProtect Portal and several GlobalProtect Gateways, each terminating a VPN]
Certificates
• CA certificate
  ▫ Optional: self-signed/external CA
• GlobalProtect Portal certificate
• GlobalProtect gateway certificate
  ▫ Manually on all gateways
• Optional: client certificate
GlobalProtect portal
Network > GlobalProtect > Portals
Profiles and certificates are created in advance
Interface hosting the portal
Pages loaded in Device > Response Pages
Client configuration - general
If the hostname resolves to the IP address, then the internal gateway is used
Client configuration – agent tab
View the Troubleshooting tab in the agent
Upgrade Options
Client VPN interfaces that take precedence over the GlobalProtect interface
GP gateway – tunnel
Network > GlobalProtect > Gateways > Client Configuration
This is the default. To make SSL the primary method, uncheck this box.
Required for IPsec client connections
GP gateway – network settings
Network > GlobalProtect > Gateways > Client Configuration > Network Settings
IP addresses distributed to clients
Routes installed on clients’ VPN connection
0.0.0.0/0 enforces fixed-tunneling
GP gateway – network services
• Available in tunnel mode
Network > GlobalProtect > Gateways > Client Configuration > Network Settings