2007 July1 DFL-210/800/1600/2500 Training Material DFL fundamental Part I Created on 2007...
2007 July 1
DFL-210/800/1600/2500 Training Material
DFL fundamental Part I
Created on 2007. © Copyright 2007. All rights reserved.
Agenda
• Firewall traffic flow
• Chapter 1 – Routing table
• Chapter 2 – Core vs. Interface (WAN, LAN, DMZ)
• Chapter 3 – PBR
• Chapter 4 – NAT combined with semi-transparent mode (Proxy ARP)
• Chapter 5 – Traffic Shaping
• Chapter 6 – VPN
New features in firmware v2.12
• Newly implemented functions:
  – Full CLI support
  – IP rules (insert, move to, disable)
  – Interface: PPPoE schedule
  – DPD in IPsec tunnels
  – Configurable ID type (IP, DNS, FQDN) in IPsec tunnels
  – Session control in Threshold
  – Blacklist in Threshold and IDS/IDP
  – DHCP status improvement
Firewall traffic flow
Incoming traffic
1. Check the "main" routing table.
2. Check the PBR: if one of the routing rules matches, the traffic flows to that rule's PBR table.
3. Check the IP rules (Allow/FWDFast/NAT/SAT…).
4. Queue for further examination.
5. Check whether any IDP/IDS rule matches; on a match, compare the traffic with the IDS/IDP signature database.
6. Check whether any pipe rule matches; on a match, apply the traffic-shaping rule.
7. Finally the traffic can pass through the firewall.
If the lookup in the main routing table fails, the traffic is dropped by the default access rule. You can add an "Access" rule to skip the main routing table check.
Chapter 1
Routing Table
Routing Table 1/5: How to read the routing table?
• Interface: the interface to route through.
• Network: the network to route.
• Gateway: the gateway to send routed packets to.
• Local IP Address: the IP address specified here is automatically published on the corresponding interface. This address is also used as the sender address in ARP queries. If no address is specified, the firewall's interface IP address is used.
• Metric: the metric for this route (mostly used in route fail-over scenarios).
Note.
1. The entry with the longest match is applied first.
2. If two routing entries have the same longest match, the one applied is decided by the "Metric" value.
Routing Table 2/5: The generic concept for selecting the routing entry
1. The entry with the longest match is applied first.
(Figure: candidate entries for network 192.168.0.0 with masks 255.255.255.xxx, looked up for the hosts 192.168.0.5 and 192.168.0.30; the entry whose mask is longest and still covers the host wins.)
Routing Table 3/5: The generic concept for selecting the routing entry
2. If two routing entries have the same longest match, the one applied is decided by the metric value: a lower metric value has higher priority.
Routing Table 4/5: The generic concept for selecting the routing entry
The entry with the longest match is applied first.
(Figure: PC1 192.168.1.5, gateway 192.168.1.1, sits on the LAN 192.168.1.0/24 behind the firewall's LAN interface 192.168.1.1. Router1 and Router2 lead to 192.168.0.0/24 through interfaces addressed 192.168.1.254, 192.168.0.254, 192.168.0.2 and 192.168.1.2. The routing table holds entries labelled A, B and C covering 192.168.1.0/24, 192.168.0.0/24 and the more specific 192.168.0.128/25.)
1. PC1 sends a packet to the host 192.168.0.150. Which route matches?
2. PC1 sends a packet to the host 192.168.0.60. Which route matches?
Routing Table 5/5: How to verify the lookup result?
1. Routes -lookup=<IP address>
2. Ping -srcip=<source IP> <destination IP> -verbose
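As an added illustration (not from the training material), the following Python script applies the two selection rules of slides 2/5 and 3/5 to a constructed routing table that uses the networks from the figure on slide 4/5; the interface name, next-hop addresses and metric values are assumptions made for the example. It goes slightly beyond the slide by also showing a metric tie-break between two equal-length entries and the case where no entry matches at all.

```python
import ipaddress

# Constructed routing table in the slide's columns (Interface, Network, Gateway,
# Metric). The networks are the ones in the figure; the interface name, next-hop
# addresses and metric values are assumptions made for this example.
ROUTES = [
    {"interface": "lan", "network": "192.168.1.0/24",   "gateway": None,            "metric": 100},
    {"interface": "lan", "network": "192.168.0.0/24",   "gateway": "192.168.1.254", "metric": 100},  # primary path
    {"interface": "lan", "network": "192.168.0.0/24",   "gateway": "192.168.1.2",   "metric": 110},  # backup, worse metric
    {"interface": "lan", "network": "192.168.0.128/25", "gateway": "192.168.1.2",   "metric": 100},  # more specific
]
# No 0.0.0.0/0 entry on purpose: a destination that nothing covers then fails the lookup.


def candidates(dst, routes=ROUTES):
    """Every entry whose network contains dst (the set the firewall chooses from)."""
    addr = ipaddress.ip_address(dst)
    return [r for r in routes if addr in ipaddress.ip_network(r["network"])]


def lookup(dst, routes=ROUTES):
    """Rule 1: the longest match (largest prefix length) wins.
    Rule 2: among equally long matches, the lower metric wins.
    Returns None when no entry matches; the traffic-flow slide says such
    traffic is dropped by the default access rule."""
    matches = candidates(dst, routes)
    if not matches:
        return None
    return max(
        matches,
        key=lambda r: (ipaddress.ip_network(r["network"]).prefixlen, -r["metric"]),
    )


def explain(dst, routes=ROUTES):
    """Human-readable trace in the spirit of 'Routes -lookup=<ip>': lists the
    candidate entries and marks the chosen one with '*'."""
    chosen = lookup(dst, routes)
    lines = [f"lookup {dst}:"]
    for r in candidates(dst, routes):
        mark = "*" if r is chosen else " "
        via = r["gateway"] or "directly connected"
        lines.append(f" {mark} {r['network']:<18} via {via:<20} if={r['interface']} metric={r['metric']}")
    if chosen is None:
        lines.append("  no match -> dropped by the default access rule")
    return "\n".join(lines)


if __name__ == "__main__":
    for dst in ("192.168.0.150", "192.168.0.60", "10.9.9.9"):
        print(explain(dst))
```

With this table the first question on slide 4/5 resolves to the /25 entry and the second to the /24 entry with the lower metric.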
Routing Table: Scenario hands-on
Create a static route to network B.
(Figure: the firewall's LAN sub-interfaces and the router sub-interfaces facing them.)
G1_LAN: 192.168.10.1 – Sub-if1: 192.168.10.254
G2_LAN: 192.168.20.1 – Sub-if2: 192.168.20.254
G3_LAN: 192.168.30.1 – Sub-if3: 192.168.30.254
G4_LAN: 192.168.40.1 – Sub-if4: 192.168.40.254
G5_LAN: 192.168.50.1 – Sub-if5: 192.168.50.254
G6_LAN: 192.168.60.1 – Sub-if6: 192.168.60.254
G7_LAN: 192.168.70.1 – Sub-if7: 192.168.70.254
G8_LAN: 192.168.80.1 – Sub-if8: 192.168.80.254
Network B: LAN 192.168.200.0/24 with the server 192.168.200.60, reached through the router interface E0 192.168.200.254 (E1 faces the firewall).
Task: create a static route on LAN so that internal users can reach 192.168.200.60.
Routing table: Debug CLI
Routes -lookup=<IP address>
Routes -all -verbose <routing table name>
Rule -ruleset=main -verbose
Ping -s <source IP address> <destination IP address>
Arpsnoop <interface name> -verbose
arp -show
Routing table: Case study-01
(Figure: connection-table trace of a TCP handshake crossing the firewall from host 10.5 to 200.60. The slide's labels, in order: "Syn to 200.60", "RCV Syn From 10.5", "Relay Syn to DS", "?? Wait Syn ACK", "RCV Syn Ack", "Syn ACK to 10.5", "ACK to 200.60", "Drop ACK from A".)
Routing table: Case study-02
(Figure only.)
Chapter 2
Core vs Interfaces (WAN,DMZ,LAN)
2007 July 18
Core vs interfaces(WAN,DMZ,LAN) 1/10What means the “Core” in DFL units
Core owns the IP addresses
int extCore
192.168.1.1 218.210.16.26
2007 July 19
Core vs interfaces(WAN,DMZ,LAN) 1/5
Each interface-- WAN LAN DMZ, those interfaces have their own direction, but the “Core” is no meaning any direction. For example:Below is the routing table
2007 July 20
Core vs interfaces (WAN, DMZ, LAN) 2/5
If we set the IP rules as below (figure: rules 1, 2 and 3):
The DFL-800 only passes traffic that arrives at the WAN1 interface directly, and that traffic is mapped to the specific server (192.168.1.6) without touching the "Core".
Core vs interfaces (WAN, DMZ, LAN) 3/5
(Figure: Core 127.0.0.1; WAN1 218.210.16.26; LAN 192.168.1.1; DMZ 192.168.120.254; WAN2 172.16.100.254. ARP publish: 218.210.16.27. Server: 192.168.1.6. Destination IP of the incoming traffic: 218.210.16.27.)
Core vs interfaces (WAN, DMZ, LAN) 4/5
If we set the IP rules as below (figure: rules 1 and 2):
Traffic from any physical interface is allowed to access the IP 218.210.16.26.
Core vs interfaces (WAN, DMZ, LAN) 5/5
(Figure: Core 127.0.0.1; WAN1 218.210.16.26; LAN 192.168.1.1; DMZ 192.168.120.254; WAN2 172.16.100.254. ARP publish: 218.210.16.27. Server: 192.168.1.6. Destination IP: 218.210.16.26. Internal user: 192.168.1.58.)
Note. For internal users, we shall add one NAT rule between the SAT and Allow rule sets.
Core vs interfaces (WAN, DMZ, LAN): Summary
• The Core's IP address is also called the "loopback IP address".
• No matter where the traffic comes from, it can reach the Core interface.
• If we bind an IP address to one of the physical interfaces, traffic to this IP address will only pass through that specific physical interface.
Chapter 3
Policy Based Route
PBR
(Figure: the PBR's table.)
PBR: How does PBR work?
The sequence of Policy-based Routing execution in conjunction with the main routing table and the rule set can be summarized as follows:
1. Check the main routing table.
2. Look up the routing rules. If the lookup in step 1 allows packets to go through, NetDefendOS performs a lookup in the Policy-based Routing rules. The first matching rule is the one used.
3. Select the PBR's table according to its ordering: "First", "Default" or "Only".
– Default: the main routing table is consulted first. If the only match is the default route (0.0.0.0/0), the PBR's table is consulted.
– First: the PBR's table is consulted first of all. If this lookup fails, the lookup continues in the main routing table.
– Only: the PBR's table is the only one consulted. In other words, the named routing table is consulted first of all, and if this lookup fails, the packet is dropped.
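An added example (not part of the training material) that models the three-step sequence and the three table orderings for Scenario 1 below; the addresses are from the scenario figure, while the table contents and the routing rule are assumptions. It also goes beyond the slide by trying all three orderings on a LAN-local destination, which shows why a PBR table holding only a default route behaves differently under "First"/"Only" than under "Default".

```python
import ipaddress

# Constructed tables for Scenario 1 (link sharing). The addresses come from the
# scenario figure; which entries each table holds is an assumption made for this
# example: "main" defaults to ISP1 via wan1, "pbr" defaults to ISP2 via wan2.
MAIN = [
    {"interface": "lan",  "network": "192.168.1.0/24", "gateway": None,      "metric": 100},
    {"interface": "wan1", "network": "1.1.1.0/24",     "gateway": None,      "metric": 100},
    {"interface": "wan2", "network": "3.3.3.0/24",     "gateway": None,      "metric": 100},
    {"interface": "wan1", "network": "0.0.0.0/0",      "gateway": "1.1.1.2", "metric": 100},
]
PBR = [
    {"interface": "wan2", "network": "0.0.0.0/0", "gateway": "3.3.3.2", "metric": 100},
]
# Routing rule (scenario step 4, assumed shape): HTTP and ICMP from the LAN use the "pbr" table.
ROUTING_RULES = [
    {"name": "http-icmp-via-isp2", "services": {"http", "icmp"}, "src_if": "lan", "table": PBR},
]


def lookup(dst, table):
    """Longest prefix match; lower metric breaks ties; None if nothing matches."""
    addr = ipaddress.ip_address(dst)
    hits = [r for r in table if addr in ipaddress.ip_network(r["network"])]
    return max(hits, key=lambda r: (ipaddress.ip_network(r["network"]).prefixlen, -r["metric"]), default=None)


def route(dst, service, src_if, ordering):
    """The three-step sequence from the slide:
    1. main table lookup; a miss is dropped before any routing rule is consulted
    2. first matching routing rule, if any
    3. the rule's table ordering decides which table's answer is used"""
    main_hit = lookup(dst, MAIN)
    if main_hit is None:
        return None
    rule = next((r for r in ROUTING_RULES if service in r["services"] and r["src_if"] == src_if), None)
    if rule is None:
        return main_hit
    alt_hit = lookup(dst, rule["table"])
    if ordering == "Only":
        return alt_hit                                   # a miss here means drop
    if ordering == "First":
        return alt_hit if alt_hit is not None else main_hit
    if ordering == "Default":
        if main_hit["network"] != "0.0.0.0/0":
            return main_hit                              # main had a specific route: keep it
        return alt_hit if alt_hit is not None else main_hit   # assumed: fall back to main's default on a miss
    raise ValueError(f"unknown ordering {ordering!r}")


def egress(dst, service, src_if="lan", ordering="Default"):
    """Interface the packet leaves on, or 'DROP'."""
    hit = route(dst, service, src_if, ordering)
    return hit["interface"] if hit else "DROP"


if __name__ == "__main__":
    for svc in ("ftp", "http", "icmp"):
        print(f"{svc:>4} to 7.7.7.5 -> {egress('7.7.7.5', svc)}")
    for order in ("Default", "First", "Only"):
        print(f"http to 192.168.1.101 ({order:<7}) -> {egress('192.168.1.101', 'http', ordering=order)}")
```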
PBR Scenario 1: Link Sharing
(Figure: DFL with WAN1 1.1.1.1/24 to ISP1 (GW 1.1.1.2) and WAN2 3.3.3.1/24 to ISP2 (GW 3.3.3.2); LAN 192.168.1.1/24 with PCs 192.168.1.50 and 192.168.1.101; HTTP/FTP server 7.7.7.5 on the Internet. WAN1 IP group: Group1 1.1.1.11, Group2 1.1.1.12, Group3 1.1.1.13, …; WAN2 IP group: Group1 3.3.3.11, Group2 3.3.3.12, Group3 3.3.3.13, ….)
1. FTP traffic goes out via WAN1 (red path).
2. HTTP and ICMP traffic goes out via WAN2 (black path).
PBR Tips
Step 1: Set up the IP address for each physical interface.
Step 2: Create the PBR's table and set its default-route entry to ISP2.
Step 3: Create a Routing Rule set.
Step 4: Create the IP rule sets that decide the traffic's behaviour.
Step 5: Use the commands "rules -ruleset=pbr -verbose" and "rules -ruleset=main -verbose" to verify the configuration.
PBR Scenario 1 Settings 1/5
1. Set the IP4 address objects. 2. Alter the "Main" routing table.
PBR Scenario 1 Settings 2/5
3. Create the PBR's table.
Note. If "Remove Interface IP Routes" is enabled, the default interface routes are removed, i.e. the routes to the core interface (127.0.0.1), which are routes to NetDefendOS itself.
PBR Scenario 1 Settings 3/5
4. Create the "Routing Rules" that trigger the use of the specific PBR's table.
Why do we set the destination interface to "wan1" instead of "wan2"?
Because all traffic still looks up the "Main" routing table first, we set this value to the default gateway interface of the "Main" routing table. In our scenario the default gateway in the "Main" routing table is on the "WAN1" interface, so we set "wan1" in the figure above.
PBR Scenario 1 Settings 4/5
5. In the final step we create the IP rule set that allows the specific services.
PBR Scenario 1 Settings 5/5
6. Verify the configuration via the console.
PBR Scenario 2: Link Sharing with failover
(Figure: same topology as Scenario 1: WAN1 1.1.1.1/24 to ISP1, WAN2 3.3.3.1/24 to ISP2, LAN 192.168.1.1/24 with PCs 192.168.1.50 and 192.168.1.101, HTTP/FTP server 7.7.7.5.)
1. FTP traffic goes out via WAN1. When wan1 is down, the traffic switches to WAN2.
2. HTTP and ICMP traffic goes out via WAN2. When wan2 is down, the traffic switches to WAN1.
PBR Scenario 2: Tips
Based on the configuration of the previous scenario:
Step 1: Disable the automatic default-route feature on both physical interfaces, wan1 and wan2.
Step 2: Manually add the default gateway routes, together with the monitoring feature, in the Main routing table for wan1 and wan2 respectively, giving wan1 a higher priority than wan2.
Step 3: Set up the PBR's table and repeat step 2, but with wan2 at a higher priority than wan1.
Step 4: Group the wan1 and wan2 interfaces for easier configuration.
Step 5: Set up the IP rule set that allows the specific traffic via both the wan1 and wan2 interfaces.
Policy Based Route Scenario 2 Settings 1/3
1. Add the default gateway value for WAN2, then enable the monitor function and set a different priority (metric) on each interface for failover.
Policy Based Route Scenario 2 Settings 2/3
2. Add a PBR's table for wan2 and repeat the same action as in step 1 to enable the monitor function and change the metric value.
3. Add a "routing rule" that triggers the HTTP service to use the table "http-go-wan2".
Policy Based Route Scenario 2 Settings 3/3
4. Add an interface group including wan1 and wan2 to simplify the configuration.
5. Create the IP rule sets for both kinds of services.
Chapter 4
NAT combined with Semi-Transparent mode (Proxy ARP)
NAT combined with Semi-Transparent mode (Proxy ARP)
What is Proxy ARP?
RFC 1027 – Using ARP to implement transparent subnet gateways.
It fools the sender of the ARP request into thinking that the router is the destination.
The router acts as a proxy agent for the destination, relaying packets to it from other hosts.
Proxy ARP is also known as promiscuous ARP or the ARP hack.
NAT combined with Semi-Transparent mode (Proxy ARP)
How does it work?
(Figure: a router with E0 (IP 1.1.1.1/24, MAC 00:13:46:aa:bb:cc) on subnet A 1.1.1.0/24 and E1 (IP 192.168.1.1/24, MAC 00:13:46:aa:bb:dd) on subnet B 192.168.1.0/24. Host A (IP 1.1.1.100/24, MAC 00:11:22:33:44:bb:aa) is on the E0 side; Host B (IP 1.1.1.200/24, MAC 55:66:77:dd:bb:ff) is on the E1 side.)
1. Request from Host B for Host A:
   Sender's MAC address (Host B): 55:66:77:dd:bb:ff
   Sender's IP address (Host B): 1.1.1.200
   Target's MAC address: 00:00:00:00:00:00
   Target's IP address (Host A): 1.1.1.100
2. Reply from E1 to Host B:
   Sender's MAC address (E1): 00:13:46:aa:bb:dd
   Sender's IP address: 1.1.1.100
   Target's MAC address (Host B): 55:66:77:dd:bb:ff
   Target's IP address (Host B): 1.1.1.200
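To make the decision behind that reply concrete, here is an added Python model (not the training material's own code) of a router that answers ARP on behalf of hosts reachable through another interface. The interface addresses are the figure's; the route entries, the `proxy_arp_on` setting and the placement of Host A on E0 and Host B on E1 are assumptions.

```python
import ipaddress

# Router interfaces as drawn in the figure.
IFACES = {
    "E0": {"ip": "1.1.1.1",     "mac": "00:13:46:aa:bb:cc"},
    "E1": {"ip": "192.168.1.1", "mac": "00:13:46:aa:bb:dd"},
}

# Constructed routes with a proxy-ARP setting, modelled on the case-study steps
# ("proxy the gateway side to the LAN", "proxy the LAN hosts to the WAN"). The
# placement is an assumption drawn from the figure: Host A 1.1.1.100 is on the E0
# segment, Host B 1.1.1.200 is on the E1 segment although both use 1.1.1.0/24 addresses.
ROUTES = [
    {"network": "1.1.1.0/24",     "interface": "E0", "proxy_arp_on": {"E1"}},
    {"network": "1.1.1.200/32",   "interface": "E1", "proxy_arp_on": {"E0"}},
    {"network": "192.168.1.0/24", "interface": "E1", "proxy_arp_on": set()},
]


def route_for(ip):
    """Longest-prefix match over ROUTES, None if the address is unknown."""
    addr = ipaddress.ip_address(ip)
    hits = [r for r in ROUTES if addr in ipaddress.ip_network(r["network"])]
    return max(hits, key=lambda r: ipaddress.ip_network(r["network"]).prefixlen, default=None)


def handle_arp_request(ingress, sender_mac, sender_ip, target_ip):
    """Decide what the router does with an ARP request that arrived on `ingress`.
    Returns the reply as a dict of the four ARP fields, or None when the router
    stays silent. It answers for its own interface address (ordinary ARP) and,
    as a proxy, for a target whose best route leaves through a different interface
    with proxy ARP enabled for the ingress interface; anything on the ingress
    segment itself is left for the real host to answer."""
    own = IFACES[ingress]
    if target_ip != own["ip"]:
        r = route_for(target_ip)
        if r is None or r["interface"] == ingress or ingress not in r["proxy_arp_on"]:
            return None
    return {
        "sender_mac": own["mac"],      # the router's MAC on the ingress interface ...
        "sender_ip": target_ip,        # ... presented as the owner of the target address
        "target_mac": sender_mac,
        "target_ip": sender_ip,
    }


if __name__ == "__main__":
    # Step 1 of the figure: Host B (on E1) asks for Host A's address 1.1.1.100.
    print(handle_arp_request("E1", "55:66:77:dd:bb:ff", "1.1.1.200", "1.1.1.100"))
    # A request for an address on the asker's own segment is not proxied.
    print(handle_arp_request("E1", "55:66:77:dd:bb:ff", "1.1.1.200", "192.168.1.77"))
```

Answering only for prefixes that are explicitly proxied on the ingress interface is what keeps the router from claiming addresses that really live on the local segment.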
NAT combined with Semi-Transparent mode (Proxy ARP): Case Study 1
(Figure: WAN1 1.1.1.1 to ISP1 1.1.1.0/24 (gateway 1.1.1.2); WAN2 3.3.3.1 to ISP2 3.3.3.0/24 (gateway 3.3.3.2); server 7.7.7.5 on the Internet. Proxy ARP the IP of ISP1 to LAN1; proxy ARP the IP of ISP2 to LAN2.)
LAN1: host IP addresses 1.1.1.5~1.1.1.100, gateway 1.1.1.2.
LAN2: host IP addresses 3.3.3.5~3.3.3.100, gateway 3.3.3.2.
DHCP server on LAN1, DHCP pool 1.1.1.5~1.1.1.100. DHCP server on LAN2, DHCP pool 3.3.3.5~3.3.3.100.
NAT combined with Semi-Transparent mode (Proxy ARP): Tips 1
• Traffic between WAN1 and LAN1 – settings in the main routing table:
  • Proxy ARP the ISP1's IP address to LAN1.
  • For the hosts located on the LAN1 side, we have to proxy those hosts' IP addresses to the WAN1 interface.
  • The default route goes through the WAN1 interface.
NAT combined with Semi-Transparent mode (Proxy ARP): Tips 2
• Traffic between WAN2 and LAN2 – settings in the main routing table:
  • Proxy ARP the ISP2's IP address to LAN2.
  • For the hosts located on the LAN2 side, we have to proxy those hosts' IP addresses to the WAN2 interface.
• Settings in the "Access" component:
  • Add an Access rule so that incoming traffic does not look up the main routing table.
Tips 3
(Figure only.)
NAT combined with Semi-Transparent mode (Proxy ARP): Case Study 1 setup
1. Create the IP4 address objects.
2. Create the routes in the main routing table for the Proxy ARP settings.
3. Proxy the IP address of WAN1's gateway to the LAN1 interface.
4. Add another route on the LAN1 interface, and proxy the IP addresses of LAN1's hosts to the WAN1 interface.
5. Using the same concept as step 3, create the route for WAN2.
6. Using the same concept as step 4, create the route for LAN2.
7. Then create a default gateway route on WAN1 for the "main" routing table.
8. Add a PBR's table for the traffic between WAN2 and LAN2.
9. Create the necessary routes, as in the figure below, in the PBR's table "wan2-lan2".
10. Create the routing rule that triggers the use of the PBR's table "wan2-lan2". (Notice the figure.)
11. We created a PBR rule for wan2-lan2 as below.
12. Under "Rules" > "Access", add an access rule for the "WAN2" interface.
13. Add the interface groups to make the "IP rules" easier to set up.
14. Add the "IP rules" that allow the traffic in both directions.
15. Based on the scenario requirement, set up the DHCP server on both the "LAN1" and "LAN2" interfaces respectively.
NAT combined with Semi-Transparent mode (Proxy ARP): Case Study 1 (hands-on addressing)
(Figure: the same topology with WAN1 1.1.1.11 and WAN2 3.3.3.11, ISP1 1.1.1.0/24 (gateway 1.1.1.2), ISP2 3.3.3.0/24 (gateway 3.3.3.2), server 7.7.7.5; proxy ARP the IP of ISP1 to LAN1 and the IP of ISP2 to LAN2.)
LAN1: host IP addresses 1.1.1.110~119. LAN2: host IP addresses 3.3.3.110~119.
DHCP server on LAN1, DHCP pool 1.1.1.110~119. DHCP server on LAN2, DHCP pool 3.3.3.110~119.
NAT combined with Semi-Transparent mode (Proxy ARP): NAT combined with Proxy ARP
(Figure: an unknown client 7.7.7.7/24 on the Internet; ISP1 1.1.1.0/24 (gateway 1.1.1.2) on WAN1 1.1.1.1; ISP2 3.3.3.0/24 (gateway 3.3.3.2) on WAN2 3.3.3.1; proxy ARP the IP of ISP2 to LAN2.)
LAN1 – NAT mode: LAN1 192.168.1.1/24, host IP addresses 192.168.1.0/24, gateway 192.168.1.1.
LAN2 – Semi-Transparent mode: host IP addresses 3.3.3.5~3.3.3.100, gateway 3.3.3.2.
Scenario 2: Tips
• Based on the previous scenario, we only have to adjust two settings under the "IP rules":
  • For the traffic from LAN1 to WAN1, set the Action field to "NAT".
  • Disable the Allow rule set between WAN1 and LAN1.
NAT combined with Semi-Transparent mode (Proxy ARP): NAT combined with Proxy ARP setup
1. Create the IP4 address objects.
2. Create the routes in the main routing table for the Proxy ARP settings.
3. Add a route on the WAN2 interface, and proxy the gateway IP address of WAN2 to the LAN2 interface.
4. Add another route on the LAN2 interface, and then proxy the IP addresses of LAN2's hosts to the WAN2 interface.
5. Set up the default gateway (1.1.1.2) on the WAN1 interface. The figure below is a glance at the main routing table.
6. Add a PBR's table for the traffic from LAN2. The figure below is a glance at the PBR's table "wan2-lan2".
7. Add the PBR rule that triggers the traffic from LAN2 to use the routing table "wan2-lan2".
8. Under "Rules" > "Access", add an access rule for the wan2 interface so that the routing table check is skipped.
9. Under "IP Rules", create the necessary IP rule sets for lan1 to wan1, for bi-directional traffic between lan2 and wan2, and for lan1 to lan2.
Chapter 5
Traffic Shaping
Traffic shaping: Algorithm
Two predominant methods for shaping traffic exist:
1. Token bucket. Reference: http://en.wikipedia.org/wiki/Token_bucket
2. Leaky bucket. Reference: http://en.wikipedia.org/wiki/Leaky_bucket
Traffic shaping: Terminology
Two major components and two sub-items make up DFL's traffic shaping:
• Pipe object
• PipeRule
  – Traffic filter factors
    • Service (protocol)
    • Direction (the traffic from … to …)
  – Pipe Chain
    • First Pipe (a kind of statement declaring the traffic's precedence)
    • Following Pipe (assigns the tokens for the specific traffic)
Traffic shaping: Terminology
• Pipe
  – An object for loading up all kinds of traffic.
  – We can limit the total bandwidth or dynamically balance bandwidth for the First Pipe and the Following Pipe respectively.
Traffic shaping: Terminology
• PipeRule
  – Traffic filter factors: set up the specific traffic you want to control.
  – Pipe Chain:
    • Assign the role (First / Following) to each pipe for bi-directional traffic (forward chain, return chain).
    • Declare the precedence of the First pipe in one of the following ways: use the default from the first pipe; a fixed precedence (0~7); use the IP DSCP (TOS).
    • Assign the traffic's tokens via the Following pipe.
Traffic shaping: Terminology
• First Pipe
  – The role is assigned by the PipeRule.
  – Bandwidth control.
  – Declares the precedence level (0~7).
• Following Pipe
  – The role is assigned by the PipeRule.
  – Total bandwidth control.
  – Assigns the tokens for the traffic coming from the First Pipe.
Traffic shaping: Flow chart – two-tier concept
Case 1 (figure): Raw Packet A arrives at 100 kbps. First Pipe: bandwidth limitation 50 kbps, declared precedence 5. Following Pipe: total bandwidth limitation 200 kbps, with 200 kbps available at each precedence 0~7. The First Pipe buffers Packet A down to 50 kbps and marks it precedence 5; the Following Pipe takes 50 kbps from the precedence-5 token (Prec 5: 200 → 150 → 100 as the slide animates it), and 50 kbps goes out.
Case 2 (figure): Raw Packet A arrives at 200 kbps. First Pipe: no bandwidth limitation, declared precedence 5. Following Pipe: total bandwidth limitation 200 kbps, with 100 kbps available at each precedence 1~7. The Following Pipe grants 100 kbps at precedence 5 (Prec 5: 100 → 0); the remaining 100 kbps is handled at precedence 0 (Prec 0: 200 → 100), so the full 200 kbps goes out.
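An added example (not from the training material) that implements the two-tier idea of the flow chart as a small scheduler and reproduces both cases above, then applies it to the hands-on scenario that follows (500 kbps committed, HTTP capped at 200 kbps at precedence 7, FTP 400 kbps at precedence 1, everything else at precedence 0). The demands per flow and the proportional sharing of a precedence token between flows are constructed assumptions.

```python
from dataclasses import dataclass, field
from typing import Dict, Optional


@dataclass
class Flow:
    """One kind of traffic matched by a pipe rule."""
    name: str
    demand_kbps: float
    precedence: int                           # declared for the First Pipe (0..7)
    first_pipe_limit: Optional[float] = None  # First Pipe bandwidth limit; None = no limit


@dataclass
class FollowingPipe:
    """The shared pipe that hands out tokens per precedence within a total limit."""
    total_kbps: float
    precedence_limits: Dict[int, float] = field(default_factory=dict)  # kbps per precedence; absent = uncapped


def shape(flows, following):
    """Two-tier shaping as the flow chart describes it. Returns {flow: {precedence: kbps}}.
    Tier 1 (First Pipe): each flow is cut to its own limit and stamped with its precedence.
    Tier 2 (Following Pipe): precedences 7..1 are served in order within the total; a flow
    that asks for more than its precedence token gets the excess moved to precedence 0,
    where it competes with every other best-effort flow for whatever is left."""
    remaining = following.total_kbps
    out = {f.name: {} for f in flows}
    demand = {
        f.name: f.demand_kbps if f.first_pipe_limit is None else min(f.demand_kbps, f.first_pipe_limit)
        for f in flows
    }
    best_effort = {f.name: demand[f.name] for f in flows if f.precedence == 0 and demand[f.name] > 0}
    for prec in range(7, 0, -1):
        group = {f.name: demand[f.name] for f in flows if f.precedence == prec and demand[f.name] > 0}
        if not group:
            continue
        asked = sum(group.values())
        granted = min(asked, following.precedence_limits.get(prec, asked), remaining)
        for name, want in group.items():
            got = granted * want / asked          # share the token in proportion to demand (assumption)
            if got > 0:
                out[name][prec] = got
            if want - got > 1e-9:
                best_effort[name] = best_effort.get(name, 0.0) + (want - got)   # overflow -> precedence 0
        remaining -= granted
    asked = sum(best_effort.values())
    if asked > 0:
        granted = min(asked, following.precedence_limits.get(0, asked), remaining)
        for name, want in best_effort.items():
            got = granted * want / asked
            if got > 0:
                out[name][0] = got
    return out


def total_out(result):
    """Total kbps leaving the Following Pipe."""
    return sum(sum(per_prec.values()) for per_prec in result.values())


# Case 1 of the flow chart: 100 kbps in, First Pipe limit 50 kbps, precedence 5, 200 kbps per precedence.
CASE1 = shape([Flow("A", 100, 5, first_pipe_limit=50)], FollowingPipe(200, {p: 200 for p in range(8)}))
# Case 2: 200 kbps in, no First Pipe limit, precedence 5, 100 kbps per precedence.
CASE2 = shape([Flow("A", 200, 5)], FollowingPipe(200, {p: 100 for p in range(8)}))
# Hands-on scenario, downstream direction. Demands (50, 500, 150 kbps) are constructed so that
# FTP overflows its precedence-1 token and competes at precedence 0 with the other services.
SCENARIO = shape(
    [Flow("http", 50, 7, first_pipe_limit=200), Flow("ftp", 500, 1), Flow("other", 150, 0)],
    FollowingPipe(500, {7: 200, 1: 400}),
)

if __name__ == "__main__":
    for label, result in (("case 1", CASE1), ("case 2", CASE2), ("scenario", SCENARIO)):
        print(label, result, "total", total_out(result))
```

Because the HTTP flow is cut to 200 kbps in its First Pipe before it reaches the Following Pipe, it never has excess to push into precedence 0, which is what the scenario means by HTTP not utilizing the remaining bandwidth.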
Traffic shaping: Scenario hands-on 1
(Figure: LAN hosts numbered 11~18 on network 3.3.3.0/24 behind the DFL, ISP gateway 3.3.3.2, HTTP/FTP server 7.7.7.5 on the Internet. Upstream committed rate 500 kilobits per second; downstream committed rate 500 kilobits per second.)
1. Guarantee the HTTP committed rate of 200 kbps for traffic in both directions by marking HTTP traffic to precedence 7 (highest priority). HTTP does not utilize the remaining bandwidth.
2. Set 400 kbps at precedence 1 for FTP traffic in both directions. When the FTP tokens run out, the overflow flows to precedence 0 to compete with the other services; this is the so-called "utilize remaining bandwidth".
Traffic shaping: Tips 1
Step 1: Create the "IP rule" set for the specific service you want to control, and make sure this rule set is triggered first among all the IP rules.
Step 2: Create the Pipe objects that will contain each kind of traffic.
Step 3: Under the pipe rules, create the same rule set that we created in Step 1.
Step 4: In the traffic shaping tab, select the desired pipe object for the forward sessions and for the return sessions respectively, following the chain concept, and then declare the precedence with "Use defaults from first pipe", "Use Fixed Precedence" or "Map IP DSCP (ToS)" for the first pipe object of the return chain or forward chain.
Step 5: Make sure the specific pipe rule is triggered first among all the pipe rules.
Traffic shaping: Tips 2
(Figure only.)
Traffic shaping: Scenario hands-on 1 settings
1. Change the WAN1 IP address and subnet mask.
2. Set the default gateway on the wan1 interface.
3. Add the necessary IP rule sets under IP rules.
4. Add a pipe object for inbound FTP traffic; nothing needs to be set in the "Pipe limits" tab.
5. Add a pipe object for outbound FTP traffic; nothing needs to be set in the "Pipe limits" tab.
6. Add a pipe object for inbound HTTP traffic, and set the total kbps to limit the HTTP traffic.
7. Add a pipe object for outbound HTTP traffic, and set the total kbps to limit the HTTP traffic.
8. Add a pipe object that (1) marks the total downstream committed rate and (2) sets the bandwidth for each precedence; in other words, it marks out how many tokens we give to each precedence level.
9. Add a pipe object that marks the total upstream committed rate and also sets the bandwidth for each precedence level.
10. Under the Pipe Rule, point out which target, service and traffic flow the shaper applies to.
How to read the Traffic Shaping tab on the right-hand page? Outgoing FTP traffic (forward chain) flows to the First Pipe "ftp-out", which declares precedence 1 first; the traffic then takes its tokens from the Following Pipe "total-out". The return FTP traffic works the same way in the other direction. (Outgoing traffic: Step 1 – precedence 1; Step 2 – give precedence 1 its tokens.)
11. Under the Pipe Rule, point out which target, service and traffic flow the shaper applies to.
12. Under the Pipe Rule, mark the other services to precedence level "0", so that those services compete with each other at precedence level zero.
13. Below is an overview of the pipe rule sets. The theory of operation is the same as for the "IP rules": it also follows the rule "first triggered, first used". So with the rule order below, you cannot move the pipe rule at index 3 to index 1, because the original index 1 would no longer be triggered.
Traffic shaping: Traffic flow 1/5 – HTTP download
1. Check IP rules. 2. Pipe rules. (Figure: the rule that is triggered.)
Traffic shaping: Traffic flow 2/5 – HTTP download
(Figure only.)
Traffic shaping: Traffic flow 3/5 – HTTP download
(Figure: Following Pipe status in the CLI.)
Traffic shaping: Traffic flow 4/5 – HTTP download
The bandwidth limitation applies to the First pipe. (Figure: First Pipe and Following Pipe.)
Traffic shaping: Traffic flow 5/5 – HTTP download
We do not give a limitation to the First Pipe. (Figure: First Pipe and Following Pipe.)
Traffic shaping: Summary of the traffic flow
IP rule → pipe rule → set the precedence for each service based on 1. use defaults from first pipe, 2. fixed precedence setting, 3. Map IP DSCP (TOS) → pipe → pipe chain (if required) → prioritize packets in the memory queue → packet outgoing.
Note. The traffic shaper buffers and delays packets when the speed specified in the pipe is reached. If the buffers get full, we remove the longest-queued and lowest-precedence packet when a new packet arrives.
Traffic Shaping: How to observe the traffic shaping status
The relevant commands:
Pipe <pipename>: shows the status of the specific pipe; commonly we show the overall pipe object to check the status easily.
Pipe -users: shows the status of the pipe's overall usage.
Chapter 6
VPN-IPSEC
VPN-IPSEC
• For IPsec, there are two roles in IPsec terminology to distinguish the server from the client:
  – Initiator (Client)
    • The role that initiates the IPsec session to establish the IPsec tunnel.
    • It is a security gateway (IPsec server) or a road warrior (roaming client).
  – Responder (Server)
    • The role that receives the request from the initiator and responds with the information necessary to establish the IPsec tunnel.
    • It is a security gateway (IPsec server).
IPSEC Tunnel: IPSEC VPN Main mode Phase 1
(Figure: Initiator (road warrior / security gateway) on the left, Responder (IPsec server) on the right; ports are given as (source port, destination port).)
M1 Initiator → Responder, UDP(500,500): provide proposal lists and supported features.
M2 Responder → Initiator, UDP(500,500): reply which proposal matched and which features are supported.
M3 Initiator → Responder, UDP(500,500), Key Exchange: provide key material for encryption.
M4 Responder → Initiator, UDP(500,500), Key Exchange: provide key material for encryption.
M5 Initiator → Responder, UDP(500,500), ID, Auth (encrypted): provide ID and the authentication request if necessary.
M6 Responder → Initiator, UDP(500,500), IDr, Auth (encrypted): provide ID and the authentication reply, and produce key material for the phase 2 process.
IPSEC Tunnel: IPSEC VPN Main mode Phase 1 behind NAT (NAT Traversal)
(Figure: the Initiator (road warrior / IPsec server) sits behind a NAT device; the NAT rewrites the source port, so the Responder sees UDP(x,500) instead of UDP(500,500) and replies with UDP(500,x). Ports are given as (source port, destination port).)
M1 Initiator → NAT → Responder: UDP(500,500) becomes UDP(x,500).
M2 Responder → NAT → Initiator: UDP(500,x) becomes UDP(500,500).
M3 Initiator → Responder, carrying NAT-D, NAT-D payloads: UDP(500,500) becomes UDP(x,500).
M4 Responder → Initiator, carrying NAT-D, NAT-D payloads: UDP(500,x) becomes UDP(500,500).
M5 Initiator → Responder: UDP(4500,4500) becomes UDP(Y,4500).
M6 Responder → Initiator: UDP(4500,Y) becomes UDP(4500,4500).
Both peers must support the NAT-T feature.
VPN-IPSEC: The Quick mode Phase 2
(Figure: Initiator (road warrior) on the left, Responder (IPsec server) on the right.)
M1 Initiator → Responder: hash using Phase 1 information, Message ID, SA proposal list, Nonce I, [DH public key I], Proxy ID.
M2 Responder → Initiator: hash using Phase 1 information, Message ID, SA proposal accepted, Nonce R, [DH public key R], Proxy ID.
M3 Initiator → Responder: hash using Phase 1 information, Notify.
Security tunnel established (data protected by the AH/ESP protocol).
VPN-IPSEC
• Several key components must be consistent between the Initiator and the Responder:
  – The Initiator's remote net must be the same as the Responder's local net.
  – The Responder must have one proposal in its proposal lists that matches a proposal provided by the Initiator.
  – If both peers authenticate with a pre-shared key, the keying value must be the same on each side.
  – Both peers must use the same IKE mode (main or aggressive) with the same DH group (1, 2, 5) in the Phase 1 exchange.
  – The PFS feature must also be consistent on both sides in the Phase 2 exchange.
  – For the security protocol (AH or ESP), both peers must use the same mode (tunnel or transport) to transmit.
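As an added example (not the training material's or NetDefendOS's own code), the following Python script turns that checklist into a consistency check between two peer configurations, using the LAN-to-LAN scenario from the hands-on slides: nets, algorithm names and the pre-shared key "testtest" come from those slides, while main mode, DH group 2, PFS off and tunnel mode are assumed values, and the data model itself is a construction for the example.

```python
from dataclasses import dataclass, field, replace
from typing import List


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "3des"
    integrity: str    # e.g. "sha1" or "md5"

    def __str__(self):
        return f"{self.encryption}-{self.integrity}"


@dataclass
class PeerConfig:
    name: str
    local_net: str
    remote_net: str
    psk: str
    ike_mode: str                      # "main" or "aggressive"
    dh_group: int                      # 1, 2 or 5 as listed on the slide
    pfs: bool
    encapsulation: str                 # "tunnel" or "transport"
    ike_proposals: List[Proposal] = field(default_factory=list)
    ipsec_proposals: List[Proposal] = field(default_factory=list)


def check_peers(initiator, responder):
    """Run the consistency checklist from the slide and return one line per mismatch.
    An empty list means the two ends agree on every item the checklist names."""
    problems = []
    if initiator.remote_net != responder.local_net:
        problems.append(f"{initiator.name} remote net {initiator.remote_net} differs from "
                        f"{responder.name} local net {responder.local_net}")
    if responder.remote_net != initiator.local_net:
        problems.append(f"{responder.name} remote net {responder.remote_net} differs from "
                        f"{initiator.name} local net {initiator.local_net}")
    if not set(initiator.ike_proposals) & set(responder.ike_proposals):
        problems.append("no IKE (phase 1) proposal in common: "
                        f"{[str(p) for p in initiator.ike_proposals]} vs {[str(p) for p in responder.ike_proposals]}")
    if not set(initiator.ipsec_proposals) & set(responder.ipsec_proposals):
        problems.append("no IPsec (phase 2) proposal in common: "
                        f"{[str(p) for p in initiator.ipsec_proposals]} vs {[str(p) for p in responder.ipsec_proposals]}")
    if initiator.psk != responder.psk:
        problems.append("pre-shared keys differ")            # report the fact, never the key material
    if initiator.ike_mode != responder.ike_mode:
        problems.append(f"IKE mode differs: {initiator.ike_mode} vs {responder.ike_mode}")
    if initiator.dh_group != responder.dh_group:
        problems.append(f"phase 1 DH group differs: {initiator.dh_group} vs {responder.dh_group}")
    if initiator.pfs != responder.pfs:
        problems.append(f"PFS setting differs: {initiator.pfs} vs {responder.pfs}")
    if initiator.encapsulation != responder.encapsulation:
        problems.append(f"encapsulation mode differs: {initiator.encapsulation} vs {responder.encapsulation}")
    return problems


# Constructed configurations for the LAN-to-LAN scenario (branch DFL-800 as initiator,
# headquarters DFL-1600 as responder). Nets, algorithms and the PSK "testtest" follow the
# hands-on slides; main mode, DH group 2, PFS off and tunnel mode are assumed values.
BRANCH = PeerConfig("branch-DFL-800", "192.168.123.0/24", "192.168.1.0/24", "testtest",
                    "main", 2, False, "tunnel",
                    [Proposal("3des", "sha1")], [Proposal("3des", "md5")])
HQ = PeerConfig("hq-DFL-1600", "192.168.1.0/24", "192.168.123.0/24", "testtest",
                "main", 2, False, "tunnel",
                [Proposal("aes", "sha1"), Proposal("3des", "sha1")],   # one matching entry is enough
                [Proposal("3des", "md5"), Proposal("aes", "sha1")])
# A deliberately inconsistent HQ: wrong remote net, PFS on, and no phase 2 proposal in common.
HQ_BROKEN = replace(HQ, remote_net="192.168.124.0/24", pfs=True, ipsec_proposals=[Proposal("aes", "sha1")])

if __name__ == "__main__":
    for peer in (HQ, HQ_BROKEN):
        issues = check_peers(BRANCH, peer)
        print(f"{BRANCH.name} <-> {peer.name}: {'OK' if not issues else ''}")
        for line in issues:
            print("  -", line)
```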
VPN-IPSEC: DFL IPSEC – General page
1. Establish the SA used for mapping input traffic.
2. Establish the SA used for mapping output traffic.
3. Allow the local device to initiate the IPsec session to the specific remote peer (take the initiator role in the IPsec process).
4. Select the encapsulation mode, tunnel or transport, for the ESP packets.
5. Select the supported proposal lists of IKE hash algorithms for IKE phase 1 (main mode or aggressive mode).
6. Select the supported proposal lists of IPsec hash algorithms for IKE phase 2 (quick mode).
VPN-IPSEC: DFL IPSEC – IKE settings
1. Select IKE main mode or aggressive mode. Note. Both peers must use the same mode to establish the IPsec tunnel.
2. Enable the PFS (perfect forward secrecy) function or not. The value must be consistent on both peers.
3. Select the way Security Associations are produced: Per Host or Per Net. These options affect the mapping between the SPI (or SPD) and the IP addresses.
4. Select whether the NAT Traversal feature should be enabled or not. There are three options: Off, On if supported and NATed, On if supported.
5. The DPD feature detects the tunnel status using the ISAKMP protocol.
VPN-IPSEC: Tunnel Mode scheme
(Figure only.)
VPN-IPSEC: Transport Mode scheme
(Figure only.)
VPN: Scenario hands-on
VPN-IPSEC: Scenario 1 Hands-on
IPSEC VPN – LAN to LAN (split tunnel)
(Figure: DFL-800 at the branch office with WAN1 5.5.5.5/24 (GW 5.5.5.2) and LAN1 192.168.123.1/24, Host A 192.168.123.58 (GW 192.168.123.1); DFL-1600 at the headquarters with WAN1 1.1.1.1/24 (GW 1.1.1.2) and LAN 192.168.1.1/24, Host B 192.168.1.60 (GW 192.168.1.1); IPsec tunnel between them. Figure labels: DS: 192.168.123.58; DS: xx.xx.xx.xx, xx = ANY except the local and remote nets.)
Set up the split tunnel.
VPN-IPSECScenario1 Hands-on
Tips
• Step1 Set the IP address and default gateway for physical interface if necessary.
• Step2 Add an object of Pre-shared key
• Step3 Create Proposal lists for IPsec and IKE respectively if necessary
• Step4 Add IPsec interface
• Step5 Add IP Rule for allowing the bi-direction traffic
• Step6 Input the below commands via console for verify the IPSEC status– vpnstat -verbose -ike– Vpnstat -verbose -ipsec– ikesnoop -on -verbose
Branch office
VPN-IPSEC: Scenario 1 Hands-on
1. Under the Address Book, create the IPsec objects and change the IP addresses and subnet masks of wan1 and lan.
2. Under Authentication Objects, add a pre-shared key (value: testtest).
Branch office
VPN-IPSEC: Scenario 1 Hands-on
3. Under VPN Objects, add an IKE Algorithms object; set the encryption algorithm to 3DES and the integrity algorithm to SHA1.
Note: this IKE proposal list must match one of the proposals of the remote peer (headquarter DFL-1600).
Branch office
VPN-IPSEC: Scenario 1 Hands-on
4. Under VPN Objects, add an IPsec Algorithms object; set the encryption algorithm to 3DES and the integrity algorithm to MD5.
Note: one of the proposals in this IPsec proposal list must match the remote peer (headquarter DFL-1600).
Branch office
VPN-IPSEC: Scenario 1 Hands-on
5. Under Interfaces, add the IPsec tunnel interface.
6. In the General tab, set the parameters needed to establish the VPN:
Local Network: lannet (192.168.1.0/24)
Remote Network: ipsec-remote-net (192.168.123.0/24)
Remote Endpoint: ipsec-endpoint1 (3.3.3.3)
Encapsulation Mode: Tunnel
IKE Algorithms: ph1-3des-sha1 (3DES-SHA1)
IKE Life Time: 28800 (seconds)
IPsec Algorithms: ph2-3des-md5 (3DES-MD5)
IPsec Life Time: 3600 (seconds)
IPsec Life Time: 0 kilobytes (unlimited)
Branch office
VPN-IPSEC: Scenario 1 Hands-on
7. Select the authentication method; in this scenario we use a pre-shared key (testtest).
8. The Xauth feature is not used in this scenario.
Branch office
VPN-IPSEC: Scenario 1 Hands-on
9. The routing page settings are as below. Make sure the IKE settings are the same as HQ's.
Branch office
VPN-IPSEC: Scenario 1 Hands-on
11. The Keep-alive feature.
12. Select the auto add route feature.
13. Put the IPsec and LAN interfaces into an interface group to configure the IP rule sets more easily.
Branch office
VPN-IPSEC: Scenario 1 Hands-on
14. Create the Allow (routing) IP rules for the bi-directional traffic between LAN and the IPsec tunnel.
15. Create the NAT IP rules so that internal hosts reach the Internet by NAT on the wan1 interface.
Branch office
Scenario 1 Hands-on 1
1. Under the Address Book, create the IPsec objects and change the IP addresses and subnet masks of wan1 and lan1.
2. Under Authentication Objects, add a pre-shared key (value: testtest).
HQ
Scenario 1 Hands-on 2
3. For the IKE algorithms, we choose one of the default proposal lists, Medium, for high compatibility.
Note: why do we select a series of proposals at HQ? HQ uses that proposal list to negotiate with the remote peer; if none of the proposals can be matched, both peers receive the log message "No proposal chosen".
HQ
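As an added example (not part of the training material), a small Python model of the phase 1 negotiation the note describes: the IKE mode must match on both peers, the responder walks the initiator's ordered proposal list and takes the first entry it also offers, and when nothing matches both sides log "No proposal chosen". Peer names, the proposal lists and the contents of "Medium" are constructed for the example; the firmware's real Medium list is not reproduced.

```python
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class IkeProposal:
    """One IKE phase 1 proposal: encryption, integrity (hash) and DH group."""
    encryption: str
    integrity: str
    dh_group: int


@dataclass
class IkePeer:
    name: str
    mode: str                     # "main" or "aggressive"; must be identical on both peers
    proposals: List[IkeProposal]  # ordered, most preferred first


# Constructed peers mirroring the hands-on: the branch offers a single proposal
# (ph1-3des-sha1); HQ offers an illustrative multi-entry "Medium" list.
BRANCH = IkePeer("DFL-800", "main", [IkeProposal("3DES", "SHA1", 2)])
HQ_MEDIUM = IkePeer("DFL-1600", "main", [
    IkeProposal("AES-128", "SHA1", 2),
    IkeProposal("3DES", "SHA1", 2),
    IkeProposal("3DES", "MD5", 2),
])


def negotiate_phase1(initiator: IkePeer, responder: IkePeer) -> dict:
    """Return the proposal the responder accepts (or None) and the log line
    each side would record for this attempt."""
    if initiator.mode != responder.mode:
        msg = f"IKE mode mismatch ({initiator.mode} vs {responder.mode})"
        return {"chosen": None, "logs": {initiator.name: msg, responder.name: msg}}
    # The responder honours the initiator's preference order.
    for proposal in initiator.proposals:
        if proposal in responder.proposals:
            ok = (f"IKE SA established with {proposal.encryption}-"
                  f"{proposal.integrity} DH group {proposal.dh_group}")
            return {"chosen": proposal, "logs": {initiator.name: ok, responder.name: ok}}
    # No common proposal: the notification appears in both peers' logs.
    return {"chosen": None,
            "logs": {initiator.name: "No proposal chosen",
                     responder.name: "No proposal chosen"}}


if __name__ == "__main__":
    print(negotiate_phase1(BRANCH, HQ_MEDIUM))
    lonely = IkePeer("DFL-800", "main", [IkeProposal("AES-256", "SHA1", 5)])
    print(negotiate_phase1(lonely, HQ_MEDIUM))
```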
Scenario 1 Hands-on 2-1
Initiator's IPsec failure logs
HQ
Scenario 1 Hands-on 3
4. Under Interfaces, add the IPsec tunnel interface.
5. In the General tab, set the parameters needed to establish the VPN:
Local Network: lan1net (192.168.123.0/24)
Remote Network: ipsec-remote-net (192.168.1.0/24)
Remote Endpoint: ipsec-endpoint1 (1.1.1.1)
Encapsulation Mode: Tunnel
IKE Algorithms: Medium
IKE Life Time: 28800 (seconds)
IPsec Algorithms: Medium
IPsec Life Time: 3600 (seconds)
IPsec Life Time: 0 kilobytes (unlimited)
HQ
Scenario 1 Hands-on 4
6. Select the authentication method; in this scenario we use a pre-shared key (testtest).
7. The Xauth feature is not used in this scenario.
HQ
Scenario 1 Hands-on 5
8. The routing page settings are as below. Make sure the IKE settings are the same as HQ's.
HQ
Scenario 1 Hands-on 6
10. The Keep-alive feature.
11. Select the auto add route feature.
12. Put the IPsec and LAN1 interfaces into an interface group to configure the IP rule sets more easily.
HQ
Scenario 1 Hands-on 7
14. Create the Allow (routing) IP rules for the bi-directional traffic between LAN1 and the IPsec tunnel.
15. Create the NAT IP rules so that internal hosts reach the Internet by NAT on the wan1 interface.
HQ
VPN-IPSEC: Scenario 2 Hands-on
IPsec VPN: LAN to LAN (non-split tunnel)
Diagram (same addressing as scenario 1):
Branch office (DFL-800): WAN1 1.1.1.1/24, GW 1.1.1.2; LAN 192.168.1.1/24; Host B 192.168.1.60, GW 192.168.1.1
Headquarter (DFL-1600): WAN1 5.5.5.5/24, GW 5.5.5.2; LAN1 192.168.123.1/24; Host A 192.168.123.58, GW 192.168.123.1
IPsec tunnel between the two units. Destinations from the branch: DS 192.168.123.58; DS xx.xx.xx.xx, xx = ANY except local and remote nets.
Set up the non-split tunnel.
VPN-IPSEC: Scenario 1 Hands-on
Tips-1: HQ settings
• Step 1: Set the IP address and default gateway of the physical interfaces if necessary.
• Step 2: Add a Pre-shared key object.
• Step 3: Create proposal lists for IPsec and IKE respectively if necessary.
• Step 4: Add the IPsec interface (Local-net = all-nets).
• Step 5: Add IP rules:
– allowing the bi-directional traffic (the LAN-to-LAN part)
– a NAT rule letting traffic from the IPsec remote peer go out to the Internet
• Step 6: Verify by CLI.
HQ
VPN-IPSEC: Scenario 1 Hands-on
Tips-2: Branch settings
• Step 1: Set the IP address and default gateway of the physical interfaces if necessary.
• Step 2: Add a Pre-shared key object.
• Step 3: Create proposal lists for IPsec and IKE respectively if necessary.
• Step 4: Add the IPsec interface (Remote net = all-nets).
• Step 5: Add a static routing entry as below in the routing table.
• Step 6: Add IP rules allowing all traffic via the IPsec tunnel.
Branch office
VPN-IPSEC: Scenario 2 Hands-on
DFL-800-1
Based on the settings of scenario 1, we only have to change three parts on the DFL-800 to meet the scenario 2 requirement.
1. In the General tab, change the Remote Network to "all-nets" (value 0.0.0.0/0); this means the DFL unit allows unknown traffic out via the IPsec tunnel.
Branch office
VPN-IPSEC: Scenario 2 Hands-on
DFL-800-2
2. Under IP Rules, add an IP rule allowing the LAN net users' outgoing traffic to pass through the IPsec tunnel by routing.
3. Under the main routing table, add a static routing entry so that the DFL can initiate the IPsec session to the remote peer (DFL-1600), whose IP address is 5.5.5.5.
Branch office
VPN-IPSEC: Scenario 2 Hands-on
DFL-800-3
Now we check the whole routing status on the DFL-800 again, to make sure all traffic follows our intended path. Select Routes under the Status tab of the web GUI.
1. On the left you can see two default route entries in the main routing table. Make sure the ipsec-tunnel route has a lower metric value than WAN1, since all outgoing traffic must be put into the IPsec tunnel so that HQ can do centralized control.
2. Because the ipsec-tunnel route does not yet exist in the main routing table before we initiate the IPsec tunnel, we must tell the DFL unit how to reach the IPsec remote peer (DFL-1600).
Branch office
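Added example, not part of the training material: a Python model of the two routing checks above. The route tables are constructed from the scenario's addresses, and route selection is simplified to "most specific prefix first, then lowest metric"; the audit flags a tunnel default route that loses to WAN1 on metric, and a peer address (5.5.5.5) that would itself be routed into the tunnel because the static route from step 3 is missing.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    network: str                  # destination prefix, "0.0.0.0/0" is all-nets
    interface: str                # wan1, lan or ipsec-tunnel
    gateway: Optional[str] = None
    metric: int = 100             # lower value wins among equally specific routes


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Simplified main-table lookup: longest prefix, then lowest metric."""
    ip = ipaddress.ip_address(dst)
    hits = [r for r in table if ip in ipaddress.ip_network(r.network, strict=False)]
    if not hits:
        return None
    return min(hits, key=lambda r: (-ipaddress.ip_network(r.network, strict=False).prefixlen,
                                    r.metric))


def audit_non_split(table: List[Route], tunnel_if: str, wan_if: str, peer_ip: str) -> List[str]:
    """The two checks from the slide; an empty list means both pass.
    1. Any Internet destination must leave via the tunnel (tunnel metric below WAN1).
    2. The remote peer's own address must still be reached via WAN1, otherwise IKE to
       the peer would be sent into the tunnel that does not exist yet."""
    problems = []
    via = lookup(table, "203.0.113.10")       # constructed Internet address (TEST-NET-3)
    if via is None or via.interface != tunnel_if:
        problems.append(f"Internet traffic leaves via {via.interface if via else 'nothing'},"
                        f" expected {tunnel_if}")
    via = lookup(table, peer_ip)
    if via is None or via.interface != wan_if:
        problems.append(f"remote peer {peer_ip} routed via {via.interface if via else 'nothing'},"
                        f" expected {wan_if}: tunnel cannot be initiated")
    return problems


# Constructed branch-office (DFL-800) tables.
BRANCH_OK = [
    Route("192.168.1.0/24", "lan"),
    Route("1.1.1.0/24", "wan1"),
    Route("0.0.0.0/0", "wan1", gateway="1.1.1.2", metric=100),
    Route("0.0.0.0/0", "ipsec-tunnel", metric=90),                 # below WAN1's metric
    Route("5.5.5.5/32", "wan1", gateway="1.1.1.2", metric=100),    # static route to HQ peer
]
BRANCH_MISSING_PEER_ROUTE = [r for r in BRANCH_OK if r.network != "5.5.5.5/32"]
BRANCH_METRIC_REVERSED = [
    Route("0.0.0.0/0", "wan1", gateway="1.1.1.2", metric=80)
    if (r.network, r.interface) == ("0.0.0.0/0", "wan1") else r
    for r in BRANCH_OK
]

if __name__ == "__main__":
    for name, table in [("ok", BRANCH_OK), ("missing peer route", BRANCH_MISSING_PEER_ROUTE),
                        ("metric reversed", BRANCH_METRIC_REVERSED)]:
        print(name, audit_non_split(table, "ipsec-tunnel", "wan1", "5.5.5.5") or ["OK"])
```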
VPN-IPSEC: Scenario 1 Hands-on
DFL-1600-1
For the headquarter (DFL-1600) settings, we only have to adjust two components based on the settings of scenario 1.
1. In the General tab, change the Local Network to "all-nets" (value 0.0.0.0/0); this means the DFL unit accepts unknown traffic (destination field) coming in via the IPsec tunnel.
HQ
VPN-IPSEC: Scenario 1 Hands-on
DFL-1600-2
2. Under IP Rules, add an IP rule allowing the traffic from the IPsec tunnel to go out to wan1 using NAT.
HQ
VPN-IPSEC: Scenario 1 Hands-on
DFL-1600-3
Now we also check the whole routing status on the DFL-1600 again, to make sure all traffic follows our intended path.
HQ
L2TP-over-IPsec for roaming users
Diagram: a Road Warrior (Windows XP SP2, 5.5.5.60) connects over an L2TP-over-IPsec tunnel to the VPN gateway (DFL-1600, 1.1.1.1) in front of the company network 192.168.123.0/24.
L2TP-over-IPsec for roaming users: DFL-1600 settings 1/7
1. Under the Address Book, create the IP pool and the L2TP server's IP address, and change the IP addresses and subnet masks of wan1 and lan1.
2. Under Authentication Objects, create a pre-shared key for the IPsec tunnel.
L2TP-over-IPsec for roaming users: DFL-1600 settings 2/7
3. Under Interfaces, create the IPsec interface for roaming users.
1. Why do I select wan1_ip as the Local Network? Because we must let the remote roaming users know that the firewall is the final destination. Alternatively, set this value to all-nets and let the DFL unit automatically search for a suitable policy.
2. Since we do not know the roaming users' addresses, we also let the DFL unit automatically search for a suitable policy.
L2TP-over-IPsec for roaming users: DFL-1600 settings 3/7
4. Under Authentication, select the pre-shared key "ipsec-pre" that we created in step 2.
5. The Xauth feature is not used in this scenario. Under the Routing field, enable "Dynamically Add Route To Remote Net..".
L2TP-over-IPsec for roaming users: DFL-1600 settings 4/7
6. Under IKE Settings:
IKEMode: Main (Main mode)
DHGroup: 2
PFS: None
SetupSAPer: Host (Per host)
DeadPeerDetection: Yes
NATTraversal: OnIfNeeded (Only if needed)
Disable the Keep-alive feature.
Under Advanced: AutoInterfaceNetworkRoute: No
L2TP-over-IPsec for roaming users: DFL-1600 settings 5/7
7. Under Interfaces, add the L2TP server interface; below are the step-by-step settings. Note: the "Outer Interface Filter" field must be set to the IPsec interface created in step 3.
L2TP-over-IPsec for roaming users: DFL-1600 settings 6/7
8. Add a Local User Database. Add a User Authentication rule.
L2TP-over-IPsec for roaming users: DFL-1600 settings 7/7
9. Add an Interface Group, grouping the L2TP and LAN1 interfaces for easy setup. Create IP rules allowing bi-directional traffic between the L2TP and lan1 interfaces.
L2TP-over-IPsec for roaming users: Windows XP settings 1/3
1. Check the status of the IPSEC service on Windows XP to make sure it is enabled.
L2TP-over-IPsec for roaming users: Windows XP settings 2/3
1. Under Network Connections, create a new connection and follow the procedure below to set it up.
L2TP-over-IPsec for roaming users: Windows XP settings 2/3
2. After the step-by-step wizard settings, we must adjust some advanced values to match the DFL-1600 settings.
L2TP-over-IPsec for roaming users: Confirmation 1/2
1. On the Windows platform, try to connect to the DFL-1600 server, check the connection status and see whether we get an IP address from the L2TP server, using the command tools "ipconfig" and "ping".
L2TP-over-IPsec for roaming users: Confirmation 2/2
Under the Status field, select User Authentication Status.
Thanks

Appendix A
IPsec pass through vs. NAT-T
IPsec pass through vs. NAT-T
IPsec pass through
• IPsec pass through is the old way of solving the problem where one of the IPsec peers is behind a NAT device.
• The feature is implemented in the NAT device, which plays the role of intermediary during the IPsec process.
• There is no standard describing how to implement it, so each vendor has a different solution.
IPsec pass through vs. NAT-T
NAT traversal
• The new way of solving the same problem, where one of the remote peers is behind a NAT device.
• The feature is implemented on both peers of the IPsec tunnel.
• The function is enabled only when both peers support it and it is necessary.
• The feature fully replaces IPsec pass through.
• The intermediary is not involved in the process.
IPsec NAT-traversal: on the DFL unit
• NAT traversal drafts supported by the NetDefendOS firewall (DFL-210/800/1600/2500):
– draft-ietf-ipsec-nat-t-ike-00
– draft-ietf-ipsec-nat-t-ike-01
– draft-ietf-ipsec-nat-t-ike-02
– draft-ietf-ipsec-nat-t-ike-03
IPsec NAT-traversal: when to use NAT-T
• Initiator hosts are behind the NAT device.
Diagram: Host A (DS-601) and Host B (DS-601) behind a NAT device build IPsec tunnel 1 and IPsec tunnel 2 across the Internet to the IPsec server (WAN1 5.5.5.5/24).
Both peers must support the NAT-traversal function.
IPsec NAT-traversal: how it is detected
NAT traversal is only used if both ends support it.
Diagram: Client A (DS-601) behind a NAT device, DFL-800 as IPsec server.

NAT-Traversal support   Case 1      Case 2        Case 3    Case 4
Client A (DS-601)       yes         yes           no        yes
DFL units               yes         yes           yes       no
NAT-Discovery           required    unnecessary   N/A       N/A
Result                  Enable      Disable       Disable   Disable
Appendix B
VPN limitation & solution in DFL / DS-601
IPsec Limitation 1/4: the remote peers are behind NAT devices and have the same identification
Diagram: IPsec server (WAN1 7.7.7.7/24, LAN1 192.168.3.1, company network 192.168.3.0/24). Two branches reach it over the Internet through IPsec tunnel 1 and IPsec tunnel 2: DFL-800-A (network 192.168.80.0/24) and DFL-800-B (network 192.168.90.0/24), each with WAN1 192.168.1.80, one behind NAT-device1 (WAN1 3.3.3.1/24, LAN 192.168.1.1/24) and the other behind NAT-device2 (WAN1 1.1.1.1/24, LAN 192.168.1.1/24).
The first IPsec session is replaced by the later session, because both remote peers carry an identical ID in the IPsec tunnel.
IPsec Limitation 2/4
DFL solution
Change the local ID value on one of the remote peers.
IPsec Limitation 3/4: roaming users are behind NAT devices and have the same identification
Diagram: IPsec server (WAN1 7.7.7.7/24, LAN1 192.168.3.1, company network 192.168.3.0/24). DS-601 Road Warrior 1 (IP 192.168.1.80) and DS-601 Road Warrior 2 (IP 192.168.1.80) build IPsec tunnel 1 and IPsec tunnel 2 over the Internet, one from behind NAT-device1 and the other from behind NAT-device2 (NAT WAN addresses 1.1.1.1 and 3.3.3.3).
The earlier IPsec session is replaced by the later session, because both remote peers carry an identical ID in the IPsec tunnel.
IPsec Limitation 4/4: DS-601 solution
Change the Local ID value on one of the DS-601 clients. Note: at present our DFL units support four kinds of ID type:
1. IP address
2. IP subnet address
3. FQDN
4. User FQDN (so-called E-mail)
Appendix C
Certification
L2TP-over-IPsec (Certification): with a certificate issued by the CA server
Diagram: the Road Warrior (3.3.3.100) connects to the DFL-1600 (WAN1 1.1.1.1/24, LAN 192.168.123.1/24); the SC CA server is at 7.7.7.7 and keeps the revoke list and the enroll list.
DFL-1600: Root CA = SC's CA; Gateway CA = DFL's self-signed CA; Certification 1, Certification 2.
Road Warrior: Personal CA = requested from the SC CA server; Trusted CA = SC's CA; Certification 1, Certification 2.
1. The roaming client sends the ISAKMP packet (proposal list) to initiate the IPsec tunnel.
2. The DFL replies with one of the suitable proposals requested by the initiator.
3. (message #3) Send the NAT-discovery packet.
4. Send a certificate request to the initiator.
5. Encrypt the ISAKMP packet with its own certificate (PKI).
6. The VPN gateway asks the CA server whether the client's certificate is included in the enroll list (also called the CRL check, certificate revocation list).
7. Reply the CRL list to the DFL.
8. Approve the certificate from the roaming client.
9. Encrypt the sensitive data with the initiator's certificate (PKI).
L2TP-over-IPsec (Certification): the authentication is based on the certificate
• DFL requirements:
– Gateway certificate
– The X.509 certificate of the CA server
– DNS setting
• Roaming client requirements:
– Request an X.509 certificate for the end user from the CA server
– Make sure the personal certificate is available
– Install the personal certificate into the "Personal" certificate store of both "Local Computer" and "Current User"
– Add the X.509 certificate of the CA server into the "Trusted Root Certification Authorities" store of both "Local Computer" and "Current User"
– Enable L2TP over IPsec with certificate authentication.
L2TP-over-IPsec (Certification): CA server settings
Preparing the CA server
Before you start using the CA server, one setting should be changed on it to simplify the creation of certificates:
• Start the program Administrative Tools\Certification Authority.
• Right-click on your CA server and select Properties.
• Open the Policy Module tab and select Properties.
• Select "Follow the settings in the certificate template...".
This setting lets the CA server automatically issue a pending certificate request created from the Web page dialogue.
L2TP-over-IPsec (Certification): Certificate
1. Save the CA server root certificate
• Open the page http://DFL.win2k3/certsrv with Internet Explorer and select Download a CA certificate...
• Select DER encoding and Download CA certificate. Choose a name for your CA root certificate (for example certnew.cer) and save it in a folder on the server.
L2TP-over-IPsec (Certification): Certificate
2. Generate client certificates
• Open the page http://DFL.win2k3/certsrv with Internet Explorer.
• Select Request a certificate, advanced certificate request, and Create and submit a request to this CA.
• Enter the certificate information and select IPsec Certificate.
• Install the certificate and export it with a password from the MMC console (Certificates - Current User).
Repeat the steps for every client certificate.
L2TP-over-IPsec (Certification): Certificate
3. Generate the gateway certificate
• The generation procedure is the same as for the client certificate.
Repeat the steps for every gateway certificate.
L2TP-over-IPsec (Certification): Certificate
4. Preparing the gateway certificate for import
• Install the Crypto4 tool on your computer first, then select the gateway certificate produced in step 3 and unpack it into two files: one is the certificate and the other is the private key, with the file extensions *.cer and *.key respectively.
L2TP-over-IPsec (Certification): Certificate
5. Importing certificates into the DFL
• Use Certcache to check the certificate status.
• Under Authentication Objects, add the CA certificate and the gateway certificate on the DFL unit respectively.
• Set the DNS value on the DFL unit so it can download and check the CRL from the CA server.
• Save and Activate on the DFL unit, then use the Certcache command to check the certificate status again.
L2TP-over-IPsec (Certification): Certificate
6. Importing certificates into Windows XP
• Run mmc.
• Add/Remove snap-in and select Certificates for My user account and Computer account.
• Install the personal certificate (summer.pfx) into the personal certificates of both the user account and the computer account.
• Install the CA certificate (certnew.cer) into the personal certificates of both the user account and the computer account.
Repeat the steps for importing both certificates into Current User and Local Computer respectively.
L2TP-over-IPsec (Certification): Certificate - Windows client
7. Configure the Windows client
• Based on the previous scenario's settings, change the client's values as in the figure on the right.
L2TP-over-IPsec (Certification): Certificate - Confirm
8. Confirm the result on the Windows platform.
L2TP-over-IPsec (Certification): Certificate - Confirm
9. Confirm the result on the DFL-1600.
VPN-IPSEC: IPsec debug CLI
ipsecstats -ike -verbose (vpnstats -ike -verbose)
ipsecstats -ipsec -verbose (vpnstats -ipsec -verbose)
ipsecstats -ipsec -u (vpnstats -ipsec -u)
ipsecstats -ike -u (vpnstats -ike -u)    (IKE utilization)
ikesnoop -on -verbose
killsa -all
ipsecglobalstats -verbose