VPNs & Tunnelling
A VPN enables a host to access a company's private network over a public network or the Internet through a secure connection.
There are two types of VPN connection.
- SSL VPNs
- IPSEC VPNs
In an SSL VPN, the upper-layer and transport-layer protocols are replaced by SSL/TLS as the delivery protocol.
TLS (Transport Layer Security) and its predecessor SSL (Secure Sockets Layer) are cryptographic protocols that rely on X.509 digital certificates. They work as a client-server exchange; the steps of operation are:
- A host starts a session with a website that requires an SSL connection.
- The server sends its SSL certificate, including the server's public key.
- The client verifies the certificate and, if it is valid, creates a symmetric key, encrypts it with the server's public key and sends it back to the server.
- The server decrypts the symmetric session key with its private key and sends back an acknowledgement.
- All subsequent data is encrypted with the session key.
There are two modes of SSL VPN configuration:
- Web-only mode
- Tunnel mode
SSL VPN with Web-only Mode:
In web-only mode, the user creates the VPN connection through a web browser that has built-in SSL encryption and a supported Java runtime. The user must be authorised before the SSL VPN is created.
As soon as the SSL VPN session is established with the Fortinet unit, a web portal becomes available that lists all the supported services, such as HTTP, HTTPS, Telnet and SSH, as in the screenshot below.
SSL VPN with Tunnel Mode:
In this mode the VPN tunnel is created by logging in to the web SSL VPN portal. The steps are:
- The Fortinet unit authenticates the host or client via RADIUS or AD services.
- The browser redirects the client to the portal page.
- The portal checks whether the VPN client is installed and installs the plugin if needed.
- The client receives a VPN address from the pool and the SSL VPN tunnel is established.
How to configure SSL VPN Portal:
Configuring an SSL VPN portal involves three steps:
- SSL VPN portal configuration
- Users and groups configuration
- Policy configuration
Before starting these three steps, we must configure the addresses that will be assigned to SSL VPN clients. Go to Policy & Objects | Addresses and create the address objects.
Configuring SSL VPN Portal:
To configure the SSL portal, go to VPN | SSL VPN Portal and create a new SSL VPN portal with the details shown in the figure.
- The first section sets the name of the VPN portal.
- The second section configures tunnel mode with split tunnelling enabled and the local subnets used for SSL clients.
- The third section enables web mode with the blue theme; the client gets web portal access along with all session information.
- The FortiClient download option is enabled.
Configure Users and Groups:
For SSL users we must configure users and groups. Go to User & Device | User | User Definition and User Group.
Configure Policy for traffic:
Allow or deny traffic between source and destination via Policy & Objects.
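The following FortiOS CLI configuration is an added example, not code from the page or from Fortinet; it carries the procedure above (address objects, portal, users and groups, policy) through on the CLI so the GUI steps can be checked against a text configuration. Every object name, interface name, address and user below is a constructed assumption, the password and certificate are placeholders, and some keywords differ between FortiOS versions.

```text
# FortiOS CLI, entered on the FortiGate console or over SSH.
# All names, interfaces and addresses are constructed for this example.

# Preparation: address objects for the SSL VPN client pool and the local subnet
config firewall address
    edit "SSL_Client_Pool"
        set type iprange
        set start-ip 10.212.134.200
        set end-ip 10.212.134.210
    next
    edit "LAN_Subnet"
        set subnet 192.168.1.0 255.255.255.0
    next
end

# Step 1: the portal (tunnel mode with split tunnelling, plus web mode with the blue theme)
config vpn ssl web portal
    edit "Corp-Portal"
        set tunnel-mode enable
        set ip-pools "SSL_Client_Pool"
        set split-tunneling enable
        set split-tunneling-routing-address "LAN_Subnet"
        set web-mode enable
        set theme blue
        set forticlient-download enable
    next
end

# Step 2: a local user and the group that the policy will reference
config user local
    edit "alice"
        set type password
        set passwd <PASSWORD-PLACEHOLDER>
    next
end
config user group
    edit "SSL_VPN_Users"
        set member "alice"
    next
end

# Global SSL VPN settings: listening interface, client pool and which group gets which portal
config vpn ssl settings
    set servercert "Fortinet_Factory"
    set source-interface "wan1"
    set source-address "all"
    set tunnel-ip-pools "SSL_Client_Pool"
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "SSL_VPN_Users"
            set portal "Corp-Portal"
        next
    end
end

# Step 3: policy from the SSL VPN interface to the LAN, restricted to the group and to the services needed
config firewall policy
    edit 1
        set name "SSLVPN-to-LAN"
        set srcintf "ssl.root"
        set dstintf "internal"
        set srcaddr "SSL_Client_Pool"
        set dstaddr "LAN_Subnet"
        set groups "SSL_VPN_Users"
        set action accept
        set schedule "always"
        set service "HTTPS" "SSH"
    next
end
```

Two points worth checking after entering this: `Fortinet_Factory` is the unit's self-signed certificate, so the certificate verification step of the handshake described earlier only succeeds for clients once a CA-issued certificate is installed and referenced by `servercert`; and the policy deliberately names the client pool, the user group and specific services rather than `all`, so a client that reaches the portal still only gets the access the policy grants.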
Hub-and-Spoke VPN:
This type of VPN is an IPsec VPN from the hub to each spoke or branch. The spoke configuration is the same as discussed in the IPsec VPN lab section. All the tunnels terminate on the hub, and the hub requires some additional configuration:
- The hub must have a static public IP address, while spokes can still use DDNS and dial-up.
- A VPN must be configured on the hub for every single spoke.
Depending on the type of VPN, there are two different procedures to enable a hub-and-spoke VPN.
Policy based VPN:
For a policy-based VPN:
- Two security policies are required (type VPN and subtype IPsec) for each spoke (one policy for every direction).
- The hub is configured as a VPN concentrator.
A concentrator allows traffic between the networks connected to the various spokes by passing traffic from one tunnel to another. On the hub, the CLI configuration is shown in the following schema:
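As an added example (not the schema the page refers to, and not Fortinet's own documentation), this is what a policy-based hub with a concentrator looks like on the FortiOS CLI. Tunnel names, the interface name, the remote gateway address and the pre-shared keys are constructed assumptions; `SpokeA` is defined as a dialup (dynamic) peer and `SpokeB` as a fixed-address peer to show both forms the page allows for spokes.

```text
# FortiOS CLI on the hub, policy-based VPN. Names and addresses are constructed; PSKs are placeholders.

# One phase 1 and phase 2 per spoke (policy-based tunnels use phase1/phase2, not the -interface variants).
config vpn ipsec phase1
    edit "SpokeA"
        set type dynamic            # spoke behind DDNS or dial-up: hub accepts the connection
        set interface "wan1"
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-SPOKEA-PLACEHOLDER>
    next
    edit "SpokeB"
        set type static             # spoke with a fixed public address
        set interface "wan1"
        set remote-gw 203.0.113.20
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-SPOKEB-PLACEHOLDER>
    next
end
config vpn ipsec phase2
    edit "SpokeA-p2"
        set phase1name "SpokeA"
        set proposal aes256-sha256
    next
    edit "SpokeB-p2"
        set phase1name "SpokeB"
        set proposal aes256-sha256
    next
end

# The concentrator: traffic arriving on any member tunnel may be forwarded out another member tunnel.
config vpn ipsec concentrator
    edit "Hub-Concentrator"
        set member "SpokeA" "SpokeB"
    next
end

# The per-spoke IPsec security policies described above (one per direction) are then created under
# "config firewall policy" with "set action ipsec" and "set vpntunnel <phase1 name>"; they are omitted here.
```

Note that the concentrator forwards between every member tunnel, so adding a spoke to `member` grants it reachability to all the other spokes' networks; keep the per-spoke policies' source and destination addresses narrow rather than relying on the concentrator alone.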
Route-based VPN:
To enable a route-based VPN we must configure security policies (type firewall and subtype address). There are three different ways to configure this kind of VPN:
- Gather all the IPsec interfaces into a zone and enable intra-zone traffic, as shown in the following screenshot.
- Gather all the IPsec interfaces into a zone and create a single zone-to-zone security policy. The first step is similar to the previous screenshot, but the Block intra-zone traffic flag is left selected. Then configure a security policy to allow traffic to and from the zone.
- Create a security policy for each pair of spokes that are allowed to communicate with each other. For example, suppose TunnelA connects the hub to SpokeA and TunnelC connects the hub to SpokeC.
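The three route-based options above, written out as FortiOS CLI in an added example that is not from the page or from Fortinet. It uses the page's `TunnelA`/`SpokeA` and `TunnelC`/`SpokeC` names; the interface-mode phase 1 definitions, the remote gateway addresses, the spoke LAN address objects, the static routes and the zone name are constructed assumptions. The three options are alternatives: apply only one of them.

```text
# FortiOS CLI on a route-based hub. Addresses, routes and object names are constructed.

# Interface-mode tunnels: each spoke becomes a routable interface on the hub.
config vpn ipsec phase1-interface
    edit "TunnelA"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.10
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-TUNNELA-PLACEHOLDER>
    next
    edit "TunnelC"
        set type static
        set interface "wan1"
        set remote-gw 203.0.113.30
        set proposal aes256-sha256
        set dhgrp 14
        set psksecret <PSK-TUNNELC-PLACEHOLDER>
    next
end
config vpn ipsec phase2-interface
    edit "TunnelA-p2"
        set phase1name "TunnelA"
        set proposal aes256-sha256
    next
    edit "TunnelC-p2"
        set phase1name "TunnelC"
        set proposal aes256-sha256
    next
end

# Route-based means the hub needs routes to each spoke LAN via its tunnel interface.
config firewall address
    edit "SpokeA_LAN"
        set subnet 10.10.1.0 255.255.255.0
    next
    edit "SpokeC_LAN"
        set subnet 10.10.3.0 255.255.255.0
    next
end
config router static
    edit 10
        set dst 10.10.1.0 255.255.255.0
        set device "TunnelA"
    next
    edit 11
        set dst 10.10.3.0 255.255.255.0
        set device "TunnelC"
    next
end

# Option 1: one zone holding all tunnel interfaces, intra-zone traffic allowed (no policy needed).
config system zone
    edit "Spokes"
        set intrazone allow
        set interface "TunnelA" "TunnelC"
    next
end

# Option 2: same zone but intra-zone traffic stays blocked; a single zone-to-zone policy permits it.
config system zone
    edit "Spokes"
        set intrazone deny
        set interface "TunnelA" "TunnelC"
    next
end
config firewall policy
    edit 20
        set name "Spoke-to-Spoke"
        set srcintf "Spokes"
        set dstintf "Spokes"
        set srcaddr "SpokeA_LAN" "SpokeC_LAN"
        set dstaddr "SpokeA_LAN" "SpokeC_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end

# Option 3: no zone; one policy per direction for each pair of spokes allowed to talk (here SpokeA and SpokeC).
config firewall policy
    edit 30
        set name "SpokeA-to-SpokeC"
        set srcintf "TunnelA"
        set dstintf "TunnelC"
        set srcaddr "SpokeA_LAN"
        set dstaddr "SpokeC_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
    edit 31
        set name "SpokeC-to-SpokeA"
        set srcintf "TunnelC"
        set dstintf "TunnelA"
        set srcaddr "SpokeC_LAN"
        set dstaddr "SpokeA_LAN"
        set action accept
        set schedule "always"
        set service "ALL"
    next
end
```

The options trade administration effort against control: option 1 lets every spoke reach every other spoke with no policy and therefore no logging or inspection on that traffic; option 2 keeps one policy where logging, address restrictions and security profiles can be attached; option 3 is the most work but is the only one that expresses which pairs of spokes are meant to communicate, so a new spoke added to a tunnel gets no spoke-to-spoke reachability until a policy is written for it.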