2007 July
DFL-210/800/1600/2500 Training Material: DFL Fundamentals, Part I
Created in 2007. © Copyright 2007. All rights reserved.
Agenda
Firewall traffic flow
Chapter 1 – Routing table
Chapter 2 – Core vs. interfaces (WAN, LAN, DMZ)
Chapter 3 – PBR
Chapter 4 – NAT combined with semi-transparent mode (Proxy ARP)
Chapter 5 – Traffic shaping
Chapter 6 – VPN

New features in firmware v2.12
New functions implemented:
– Full CLI support
– IP rules (insert, move to, disable)
– Interface: PPPoE schedule
– DPD in IPsec tunnels
– Configurable ID type (IP, DNS, FQDN) in IPsec tunnels
– Session control in Threshold
– Blacklist in Threshold and IDS/IDP
– DHCP status improvement
Firewall traffic flow

Firewall traffic flow: incoming traffic
1. Check the "main" routing table.
2. Check the PBR: if the packet matches one of the routing rules, it is routed by that rule's PBR table.
3. Check the IP rules (Allow/FwdFast/NAT/SAT...).
4. Queue the packet for further examination.
5. Check whether any IDP/IDS rule matches; on a match, compare the traffic against the IDS/IDP signature DB.
6. Check whether any pipe rule matches; on a match, apply the traffic-shaping rule.
7. Finally the traffic can pass through the firewall.
If the lookup in the main routing table fails, the traffic is dropped by the default access rule. You can configure an "Access" rule to skip the main routing-table check.
Chapter 1 Routing Table

Routing Table 1/5: How to read the routing table?
Interface: the interface the route points out of.
Network: the network to route.
Gateway: the gateway to send routed packets to.
Local IP Address: the IP address specified here is automatically published on the corresponding interface and is also used as the sender address in ARP queries. If no address is specified, the firewall's interface IP address is used.
Metric: the metric for this route (mostly used in route fail-over scenarios).
Note.
1. The entry with the longest match is applied first.
2. If two routing entries have the same longest match, which one is applied depends on the Metric value.
Routing Table 2/5: The generic concept for selecting the routing entry
1. The entry with the longest match is applied first.
[Figure: candidate masks 255.255.255.xxx on network 192.168.0.0, looked up for 192.168.0.5 and 192.168.0.30.]

Routing Table 3/5: The generic concept for selecting the routing entry
2. If two routing entries have the same longest match, which one is applied depends on the Metric value: the lower metric value has the higher priority.

Routing Table 4/5: The generic concept for selecting the routing entry
The entry with the longest match is applied first.
[Diagram: PC1 192.168.1.5 (gateway 192.168.1.1) on LAN 192.168.1.0/24; Router1 and Router2 (E0/E1) lead to network B 192.168.0.0/24 and network C 192.168.0.128/25.]
1. PC1 sends a packet to the host 192.168.0.150. Which route matches?
2. PC1 sends a packet to the host 192.168.0.60. Which route matches?
Routing Table 5/5: How to verify the lookup result?
1. routes -lookup=<IP address>
2. ping -srcip=<source IP> <destination IP> -verbose

Routing Table: Scenario hands-on
Create a static route to network B.
[Diagram: eight LAN groups and the DFL sub-interfaces facing them:
G1_LAN 192.168.10.1 / Sub-if1 192.168.10.254
G2_LAN 192.168.20.1 / Sub-if2 192.168.20.254
G3_LAN 192.168.30.1 / Sub-if3 192.168.30.254
G4_LAN 192.168.40.1 / Sub-if4 192.168.40.254
G5_LAN 192.168.50.1 / Sub-if5 192.168.50.254
G6_LAN 192.168.60.1 / Sub-if6 192.168.60.254
G7_LAN 192.168.70.1 / Sub-if7 192.168.70.254
G8_LAN 192.168.80.1 / Sub-if8 192.168.80.254
Network B 192.168.200.0/24 (E0/E1): server 192.168.200.60 and 192.168.200.254.]
Create a static route on LAN so that internal users can reach 192.168.200.60.

Routing table: Debug CLI
routes -lookup=<IP address>
routes -all -verbose <routing table name>
rules -ruleset=main -verbose
ping -s <source IP address> <destination IP address>
arpsnoop <interface name> -verbose
arp -show

Routing table: Case study 01
[Diagram: TCP handshake through the firewall. SYN received from 10.5 and relayed to 200.60; SYN-ACK received and sent to 10.5; the connection table is still waiting for the SYN-ACK, so the ACK from A towards 200.60 is dropped.]

Routing table: Case study 02
Chapter 2 Core vs Interfaces (WAN, DMZ, LAN)

Core vs interfaces (WAN, DMZ, LAN): What does "Core" mean in DFL units?
The Core owns the IP addresses.
[Diagram: int 192.168.1.1 and ext 218.210.16.26 both belong to the Core.]

Core vs interfaces (WAN, DMZ, LAN) 1/5
Each interface (WAN, LAN, DMZ) has its own direction, but the "Core" has no direction. For example, below is the routing table: [figure]

Core vs interfaces (WAN, DMZ, LAN) 2/5
If we set the IP rule as below [figure, steps 1-3]: the DFL-800 only passes traffic that addresses the WAN1 interface directly, and that traffic is mapped to the specific server (192.168.1.6) without touching the "Core".

Core vs interfaces (WAN, DMZ, LAN) 3/5
[Diagram: Core 127.0.0.1; WAN1 218.210.16.26; LAN 192.168.1.1; DMZ 192.168.120.254; WAN2 172.16.100.254. ARP publish: 218.210.16.27. Server: 192.168.1.6. Destination IP: 218.210.16.27.]

Core vs interfaces (WAN, DMZ, LAN) 4/5
If we set the IP rule as below [figure, steps 1-2]: traffic from any physical interface is allowed to access the IP 218.210.16.26.

Core vs interfaces (WAN, DMZ, LAN) 5/5
[Diagram: same interfaces as 3/5; ARP publish: 218.210.16.27; server: 192.168.1.6; destination IP: 218.210.16.26; internal user 192.168.1.58.]
Note. For internal users, we must add one NAT rule between the SAT and Allow rules.

Core vs interfaces (WAN, DMZ, LAN): Summary
The Core's IP address is also called the "loopback IP address". No matter where the traffic comes from, it can reach the Core interface. If we bind an IP address to one physical interface, traffic to that IP address only passes through that specific physical interface.
Chapter 3 Policy Based Route

PBR: the PBR table [figure]

PBR: How does PBR work?
The sequence of Policy-based Routing execution, in conjunction with the main routing table and the rule set, can be summarized as follows:
1. Check the main routing table.
2. Look up the Routing rules. If the lookup in step 1 allows the packet through, NetDefendOS performs a lookup in the Policy-based Routing rules. The first matching rule is the one used.
3. Select the PBR table (by the ordering "First", "Default" or "Only"):
Default: the main routing table is consulted first. If the only match is the default route (0.0.0.0/0), the PBR table is consulted.
First: the PBR table is consulted first of all. If this lookup fails, the lookup continues in the main routing table.
Only: the PBR table is the only one consulted. In other words, the named routing table is consulted first of all, and if this lookup fails, the packet is dropped.
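The lookup order described here and in the chapter 1 routing quiz, as an added example in Python (not NetDefendOS code): longest prefix match, the metric tie-break, and then the Default / First / Only selection between the main table and a PBR table. The tables are constructed from the slides; the next-hop addresses for the quiz routes and the interface routes kept in the PBR table are assumptions.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional


@dataclass(frozen=True)
class Route:
    interface: str
    network: IPv4Network
    gateway: Optional[IPv4Address] = None
    metric: int = 0


DEFAULT_ROUTE = IPv4Network("0.0.0.0/0")


def lookup(table, dst: str) -> Optional[Route]:
    """Route selection as the deck states it: longest match first,
    and among routes with the same prefix length the lowest metric."""
    ip = IPv4Address(dst)
    candidates = [r for r in table if ip in r.network]
    if not candidates:
        return None
    return max(candidates, key=lambda r: (r.network.prefixlen, -r.metric))


def pbr_lookup(main, pbr, dst: str, ordering: str) -> Optional[Route]:
    """Combine the main table and one PBR table according to the
    routing rule's ordering. None means the packet is dropped."""
    if ordering == "Default":
        # Main table first; the PBR table is consulted only when the
        # sole match in main is the default route 0.0.0.0/0.
        r = lookup(main, dst)
        if r is not None and r.network != DEFAULT_ROUTE:
            return r
        return lookup(pbr, dst) or r
    if ordering == "First":
        # PBR table first, fall back to main on a miss.
        return lookup(pbr, dst) or lookup(main, dst)
    if ordering == "Only":
        # PBR table only; a miss drops the packet.
        return lookup(pbr, dst)
    raise ValueError(f"unknown ordering {ordering!r}")


# Constructed main table. The first three routes are the chapter 1 quiz
# (networks A, B, C); the next-hop addresses are assumptions. The two
# default routes show the metric tie-break used for fail-over.
MAIN = [
    Route("lan", IPv4Network("192.168.1.0/24")),                                # A
    Route("lan", IPv4Network("192.168.0.0/24"), IPv4Address("192.168.1.254")),  # B
    Route("lan", IPv4Network("192.168.0.128/25"), IPv4Address("192.168.1.2")),  # C
    Route("wan1", IPv4Network("0.0.0.0/0"), IPv4Address("1.1.1.2"), metric=10),
    Route("wan2", IPv4Network("0.0.0.0/0"), IPv4Address("3.3.3.2"), metric=20),
]

# Constructed PBR table for scenario 1: default route to ISP2 plus the
# interface routes NetDefendOS keeps unless "Remove Interface IP Routes" is set.
PBR_TO_ISP2 = [
    Route("lan", IPv4Network("192.168.1.0/24")),
    Route("wan1", IPv4Network("1.1.1.0/24")),
    Route("wan2", IPv4Network("3.3.3.0/24")),
    Route("wan2", IPv4Network("0.0.0.0/0"), IPv4Address("3.3.3.2")),
]

# A PBR table with no default route, to show what "Only" does on a miss.
PBR_LAN_ONLY = [Route("lan", IPv4Network("192.168.1.0/24"))]


def quiz_answers() -> dict:
    """Chapter 1 quiz: which route matches each destination?"""
    return {dst: str(lookup(MAIN, dst).network)
            for dst in ("192.168.0.150", "192.168.0.60")}


if __name__ == "__main__":
    for dst, net in quiz_answers().items():
        print(f"{dst} -> {net}")
    # With "First", the PBR table's default route catches even the /25 traffic.
    for ordering in ("Default", "First", "Only"):
        r = pbr_lookup(MAIN, PBR_TO_ISP2, "192.168.0.150", ordering)
        print(ordering, "->", r.interface if r else "drop")
```

Note that with the "First" ordering a PBR table that contains a default route answers every lookup, so traffic for the /25 never reaches the main table's more specific route.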
PBR Scenario 1 - Link Sharing
[Diagram: ISP1 via WAN1 1.1.1.1/24 (GW 1.1.1.2) and ISP2 via WAN2 3.3.3.1/24 (GW 3.3.3.2); LAN 192.168.1.1/24 with PCs 192.168.1.50 and 192.168.1.101; HTTP/FTP server 7.7.7.5. WAN1 IP groups: Group1 1.1.1.11, Group2 1.1.1.12, Group3 1.1.1.13. WAN2 IP groups: Group1 3.3.3.11, Group2 3.3.3.12, Group3 3.3.3.13.]
1. FTP traffic goes out via WAN1 (red).
2. HTTP and ICMP traffic goes out via WAN2 (black).

PBR Tips
Step 1: Set up the IP address for each physical interface.
Step 2: Create the PBR table and set its default-route entry to ISP2.
Step 3: Create a Routing Rule set.
Step 4: Create the IP rule sets that decide the traffic's behaviour.
Step 5: Use the commands "rules -ruleset=pbr -verbose" and "rules -ruleset=main -verbose" to verify the configuration.

PBR Scenario 1 Settings 1/5
1. Set the IP4 address objects.
2. Alter the "main" routing table.

PBR Scenario 1 Settings 2/5
3. Create the PBR table.
Note. If "Remove Interface IP Routes" is enabled, the default interface routes are removed, i.e. the routes to the core interface (127.0.0.1), which are routes to NetDefendOS itself.

PBR Scenario 1 Settings 3/5
4. Create the "Routing Rules" that trigger the use of the specific PBR table.
Why do we set the destination interface to "wan1" instead of "wan2"? Because all traffic still looks up the "main" routing table, so here we must set this value to the default-gateway interface of the "main" routing table. In our scenario the default gateway in the "main" routing table is on the "WAN1" interface, so we set "wan1" in the figure above.

PBR Scenario 1 Settings 4/5
5. As the final step we create the IP rule set that allows the specific services.

PBR Scenario 1 Settings 5/5
6. Verify the configuration via the console.
PBR Scenario 2 - Link Sharing with failover
[Diagram: same topology as Scenario 1: ISP1 via WAN1 1.1.1.1/24 (GW 1.1.1.2), ISP2 via WAN2 3.3.3.1/24 (GW 3.3.3.2), LAN 192.168.1.1/24 with PCs 192.168.1.50 and 192.168.1.101, HTTP/FTP server 7.7.7.5.]
1. FTP traffic goes out via WAN1. When wan1 is down, the traffic switches to WAN2.
2. HTTP and ICMP traffic goes out via WAN2. When wan2 is down, the traffic switches to WAN1.

PBR Scenario 2 - Tips
Based on the configuration of the previous scenario:
Step 1: Cancel the "auto add default route" feature for both physical interfaces wan1 and wan2.
Step 2: Manually add the default-gateway routes with the monitoring feature in the main routing table for wan1 and wan2 respectively, and give wan1 higher priority than wan2.
Step 3: Set up the PBR table and repeat step 2, but with wan2 given higher priority than wan1.
Step 4: Group the wan1 and wan2 interfaces for easy configuration.
Step 5: Set up the IP rule set that allows the specific traffic via both the wan1 and wan2 interfaces.

Policy Based Route Scenario 2 Settings 1/3
1. Add the default gateway for WAN2, then enable the monitor function and set a different priority (Metric) on each interface for failover.

Policy Based Route Scenario 2 Settings 2/3
2. Add the PBR table for wan2 and repeat the same actions as in step 1: enable the monitor function and change the metric value.
3. Add a "routing rule" that triggers the HTTP service to use the table "http-go-wan2".

Policy Based Route Scenario 2 Settings 3/3
4. Add an interface group including wan1 and wan2 to simplify the configuration.
5. Create the IP rule sets for both kinds of service.
Chapter 4 NAT combined with Semi-Transparent mode (Proxy ARP)

NAT combined with Semi-Transparent mode (Proxy ARP): What is Proxy ARP?
RFC 1027 - Using ARP to implement transparent subnet gateways.
It fools the sender of the ARP request into thinking that the router is the destination. The router acts as a proxy agent for the destination, relaying packets to it from other hosts.
Proxy ARP is also known as promiscuous ARP or the ARP hack.

NAT combined with Semi-Transparent mode (Proxy ARP): How does it work?
[Diagram: Router with E0 1.1.1.1/24 (MAC 00:13:46:aa:bb:cc) on subnet A 1.1.1.0/24 and E1 192.168.1.1/24 (MAC 00:13:46:aa:bb:dd) on subnet B 192.168.1.0/24. Host A 1.1.1.100/24 (MAC 00:11:22:33:44:bb:aa) is on subnet A; Host B 1.1.1.200/24 (MAC 55:66:77:dd:bb:ff) is on subnet B.]
1. Request from Host B for Host A:
   Sender's MAC address (Host B): 55:66:77:dd:bb:ff
   Sender's IP address (Host B): 1.1.1.200
   Target's MAC address: 00:00:00:00:00:00
   Target's IP address (Host A): 1.1.1.100
2. Reply from E1 to Host B:
   Sender's MAC address (E1): 00:13:46:aa:bb:dd
   Sender's IP address (E1): 1.1.1.100
   Target's MAC address (Host B): 55:66:77:dd:bb:ff
   Target's IP address (Host B): 1.1.1.200
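The exchange in the figure, as an added example (not DFL/NetDefendOS code): a router that publishes a route's network on another interface answers ARP requests for those addresses with the receiving interface's own MAC, and stays silent when the target is on the requester's own segment. Addresses and MACs come from the slide; Host A's MAC is constructed because the slide's value has seven octets, and the route list is this example's own.

```python
from dataclasses import dataclass
from ipaddress import IPv4Address, IPv4Network
from typing import Optional

ZERO_MAC = "00:00:00:00:00:00"


@dataclass(frozen=True)
class Iface:
    name: str
    ip: IPv4Address
    mac: str


@dataclass(frozen=True)
class Route:
    network: IPv4Network
    interface: str              # interface through which the network is really reached
    proxy_arp_on: tuple = ()    # interfaces where the network's addresses are published


@dataclass(frozen=True)
class Arp:
    op: str                     # "request" or "reply"
    sender_mac: str
    sender_ip: IPv4Address
    target_mac: str
    target_ip: IPv4Address


# The slide's router: E0 faces subnet A 1.1.1.0/24, E1 faces subnet B 192.168.1.0/24.
IFACES = {
    "E0": Iface("E0", IPv4Address("1.1.1.1"), "00:13:46:aa:bb:cc"),
    "E1": Iface("E1", IPv4Address("192.168.1.1"), "00:13:46:aa:bb:dd"),
}
HOST_A_MAC = "00:11:22:33:bb:aa"   # constructed (the slide's value is malformed)
HOST_B_MAC = "55:66:77:dd:bb:ff"

# Constructed routes: subnet A is published on E1 so Host B (1.1.1.200, physically
# on subnet B) can reach Host A, and Host B's own address is published on E0 for
# the reverse direction, like the deck's "proxy the hosts' IPs to the WAN interface".
ROUTES = [
    Route(IPv4Network("192.168.1.0/24"), "E1"),
    Route(IPv4Network("1.1.1.0/24"), "E0", proxy_arp_on=("E1",)),
    Route(IPv4Network("1.1.1.200/32"), "E1", proxy_arp_on=("E0",)),
]


def request(sender_mac: str, sender_ip: str, target_ip: str) -> Arp:
    """Build the ARP request a host broadcasts (target MAC all zeros)."""
    return Arp("request", sender_mac, IPv4Address(sender_ip), ZERO_MAC, IPv4Address(target_ip))


def handle_arp(ifaces: dict, routes: list, in_if: str, req: Arp) -> Optional[Arp]:
    """Reply the router sends back out of in_if, or None when it stays silent."""
    if req.op != "request":
        return None
    local = ifaces[in_if]
    # Ordinary ARP: the request is for the receiving interface's own address.
    if req.target_ip == local.ip:
        return Arp("reply", local.mac, local.ip, req.sender_mac, req.sender_ip)
    # Proxy ARP: take the most specific route for the target ...
    best = max((r for r in routes if req.target_ip in r.network),
               key=lambda r: r.network.prefixlen, default=None)
    if best is None or best.interface == in_if:
        return None     # unknown target, or it sits on the requester's own segment
    # ... and answer only if that network is published on the receiving interface.
    if in_if not in best.proxy_arp_on:
        return None
    return Arp("reply", local.mac, req.target_ip, req.sender_mac, req.sender_ip)


if __name__ == "__main__":
    print(handle_arp(IFACES, ROUTES, "E1", request(HOST_B_MAC, "1.1.1.200", "1.1.1.100")))
```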
NAT combined with Semi-Transparent mode (Proxy ARP): Case Study 1
[Diagram: ISP1 1.1.1.0/24 (ISP router 1.1.1.2) on WAN1 1.1.1.1; ISP2 3.3.3.0/24 (ISP router 3.3.3.2) on WAN2 3.3.3.1; server 7.7.7.5. Proxy ARP the IP of ISP1 to LAN1; proxy ARP the IP of ISP2 to LAN2.]
LAN1 hosts: IP addresses 1.1.1.5~1.1.1.100, gateway 1.1.1.2.
LAN2 hosts: IP addresses 3.3.3.5~3.3.3.100, gateway 3.3.3.2.
DHCP server on LAN1: DHCP pool 1.1.1.5~1.1.1.100.
DHCP server on LAN2: DHCP pool 3.3.3.5~3.3.3.100.

NAT combined with Semi-Transparent mode (Proxy ARP): Tips 1
The traffic between WAN1 and LAN1
– Settings in the main routing table:
  Proxy ARP ISP1's IP address to LAN1.
  For the hosts located on the LAN1 side, we have to proxy those hosts' IP addresses to the WAN1 interface.
  The default route goes through the WAN1 interface.

NAT combined with Semi-Transparent mode (Proxy ARP): Tips 2
The traffic between WAN2 and LAN2
– Settings in the main routing table:
  Proxy ARP ISP2's IP address to LAN2.
  For the hosts located on the LAN2 side, we have to proxy those hosts' IP addresses to the WAN2 interface.
– Setting in the "Access" component:
  Add an Access rule so that incoming traffic does not look up the main routing table.

Tips 3 [figure only]
NAT combined with Semi-Transparent mode (Proxy ARP): Case Study 1 setup
1. Create the IP4 address objects.
2. Create the routes in the main routing table for the Proxy ARP settings.
3. Proxy the IP address of WAN1's gateway to the LAN1 interface.
4. Add another route on the LAN1 interface, and proxy the IP addresses of LAN1's hosts to the WAN1 interface.
5. Following the same idea as step 3, create the route for WAN2.
6. Following the same idea as step 4, create the route for LAN2.
7. Then create a default-gateway route on WAN1 in the "main" routing table.
8. Add a PBR table for the traffic between WAN2 and LAN2.
9. Create the necessary routes, as in the figure below, in the PBR table "wan2-lan2".
10. Create the routing rule that triggers the use of the PBR table "wan2-lan2". Notice [figure].
11. We created a PBR rule for wan2-lan2 as below [figure].
12. Under "Rules" > "Access", add an access rule for the "WAN2" interface.
13. Add the interface groups to make the "IP rules" easy to set up.
14. Add the "IP rules" that allow the traffic in both directions.
15. Based on the scenario requirements, set up the DHCP server on both the "LAN1" and "LAN2" interfaces respectively.
NAT combined with Semi-Transparent mode (Proxy ARP): Case Study 1 (revised addresses)
[Diagram: ISP1 1.1.1.0/24 (1.1.1.2) on WAN1 1.1.1.11; ISP2 3.3.3.0/24 (3.3.3.2) on WAN2 3.3.3.11; server 7.7.7.5. Proxy ARP the IP of ISP1 to LAN1; proxy ARP the IP of ISP2 to LAN2.]
LAN1 hosts: IP addresses 1.1.1.110~119. LAN2 hosts: IP addresses 3.3.3.110~119.
DHCP server on LAN1: DHCP pool 1.1.1.110~119. DHCP server on LAN2: DHCP pool 3.3.3.110~119.

NAT combined with Semi-Transparent mode (Proxy ARP): NAT combined with Proxy ARP
[Diagram: ISP1 1.1.1.0/24 (1.1.1.2) on WAN1 1.1.1.1; ISP2 3.3.3.0/24 (3.3.3.2) on WAN2 3.3.3.1; unknown client 7.7.7.7/24. Proxy ARP the IP of ISP2 to LAN2.]
LAN1 (NAT mode): LAN1 192.168.1.1/24; hosts 192.168.1.0/24, gateway 192.168.1.1.
LAN2 (Semi-Transparent mode): hosts 3.3.3.5~3.3.3.100, gateway 3.3.3.2.

Scenario 2 Tips
Based on the previous scenario, we only have to adjust two settings under the "IP rules":
– For the traffic from LAN1 to WAN1, set the Action field to "NAT".
– Disable the Allow rule set between WAN1 and LAN1.

NAT combined with Semi-Transparent mode (Proxy ARP): NAT combined with Proxy ARP setup
1. Create the IP4 address objects.
2. Create the routes in the main routing table for the Proxy ARP settings.
3. Add a route on the WAN2 interface, and proxy the gateway IP address of WAN2 to the LAN2 interface.
4. Add another route on the LAN2 interface, and then proxy the IP addresses of LAN2's hosts to the WAN2 interface.
5. Set up the default gateway (1.1.1.2) on the WAN1 interface. The figure below is a glance at the main routing table.
6. Add a PBR table for the traffic from LAN2. The figure below is a glance at the PBR table "wan2-lan2".
7. Add the PBR rule that triggers the traffic from LAN2 to use the routing table "wan2-lan2".
8. Under "Rules" > "Access", add an access rule for the wan2 interface to skip the routing-table check.
9. Under "IP Rules", create the necessary IP rule sets for lan1 to wan1, for bidirectional lan2-wan2 traffic, and for lan1-lan2.
Chapter 5 Traffic Shaping

Traffic shaping: Algorithms
Two predominant methods for shaping traffic exist:
1. Token bucket. Reference: http://en.wikipedia.org/wiki/Token_bucket
2. Leaky bucket. Reference: http://en.wikipedia.org/wiki/Leaky_bucket

Traffic shaping: Terminology
Two major components and two sub-items in DFL's traffic shaping:
Pipe object
PipeRule
– Traffic filter factor: Service (protocol) and Direction (the traffic from... to...)
– Pipe Chain: First Pipe (a kind of statement declaring the traffic's precedence) and Following Pipe (assigns the tokens for the specific traffic)

Traffic shaping: Terminology
Pipe
– An object for loading up all kinds of traffic.
– We can limit the total bandwidth or dynamically balance bandwidth for the First Pipe and the Following Pipe respectively.

Traffic shaping: Terminology
PipeRule
– Traffic filter factor: set up the specific traffic you want to control.
– Pipe Chain: assign the role (First / Following) to each Pipe for bidirectional traffic (Forward chain, Return chain). Declare the precedence of the First pipe in one of the following ways:
  – Use the default from the first pipe
  – Fixed precedence (0~7)
  – Use IP DSCP (TOS)
  The Following pipe assigns the traffic's tokens.

Traffic shaping: Terminology
First Pipe
– Its role is assigned by the PipeRule
– Bandwidth control
– Declares the precedence level (0~7)
Following Pipe
– Its role is assigned by the PipeRule
– Total bandwidth control
– Assigns the tokens for the traffic coming from the First Pipe
Traffic shaping: Flow chart, two-tier concept (1)
[Flow chart: Raw packet A at 100 kbps enters the First Pipe (BW limitation 50 kbps, declared precedence 5) and leaves it at 50 kbps marked (5). The Following Pipe (total BW limitation 200 kbps) has 200 kbps available for each of precedences 0 to 7 plus a buffer; packet A passes at 50 kbps in precedence 5 and goes out at 50 kbps. Precedence 5 shows 200, then 150, then 100 kbps remaining as the traffic is accounted.]

Traffic shaping: Flow chart, two-tier concept (2)
[Flow chart: Raw packet A at 200 kbps enters the First Pipe (no BW limitation, declared precedence 5) and leaves it at 200 kbps marked (5). The Following Pipe (total BW limitation 200 kbps) has 100 kbps for each of precedences 0 to 7: 100 kbps of packet A uses up precedence 5 (remaining 0), the other 100 kbps falls to precedence 0 (remaining 100), and packet A goes out at 200 kbps.]

Traffic shaping: Scenario hands-on 1
[Diagram: ISP with HTTP/FTP server 7.7.7.5, gateway 3.3.3.2; the DFL on network 3.3.3.0/24 with hosts .11 to .18.]
The upstream commit rate is 500 kilobits per second; the downstream commit rate is 500 kilobits per second.
1. Guarantee the HTTP CR of 200 kbps for traffic in both directions (mark the HTTP traffic with precedence 7, the highest priority). HTTP does not utilize the rest of the bandwidth.
2. Give FTP traffic in both directions 400 kbps at precedence 1. When the FTP tokens run out, the overflow falls to precedence 0 to compete with the other services; this is the so-called "utilize remaining bandwidth".
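The two flow charts and the hands-on numbers above, as an added example (not NetDefendOS code). It is a steady-state rate model of the pipe chain rather than the packet-level token bucket the shaper really runs: the first pipe caps the traffic and tags a precedence, the following pipe grants each precedence its kbps in priority order and lets the overflow compete at precedence 0. The pipe names and limits follow the scenario; the offered input rates are constructed.

```python
from dataclasses import dataclass, field


@dataclass
class Pipe:
    name: str
    total_limit: float = 0.0                 # kbps; 0 means no total limit
    precedence_limits: dict = field(default_factory=dict)   # precedence -> kbps it may use


def first_pipe(pipe: Pipe, offered_kbps: float, precedence: int) -> tuple:
    """First pipe of a chain: optionally caps the traffic and declares its precedence."""
    rate = offered_kbps if pipe.total_limit == 0 else min(offered_kbps, pipe.total_limit)
    return rate, precedence


def following_pipe(pipe: Pipe, demands: dict) -> dict:
    """Following pipe: hands out the tokens of each precedence, highest first.

    demands maps precedence -> kbps arriving at that precedence. Traffic beyond
    a precedence's limit, or beyond the total, spills to precedence 0 and
    competes there for whatever bandwidth is left ('utilize remaining bandwidth').
    Returns precedence -> kbps actually sent.
    """
    remaining = pipe.total_limit if pipe.total_limit else float("inf")
    sent = {}
    spill = demands.get(0, 0.0)
    for prec in sorted((p for p in demands if p > 0), reverse=True):
        allowed = pipe.precedence_limits.get(prec, remaining)   # no per-precedence limit: up to the total
        granted = min(demands[prec], allowed, remaining)
        sent[prec] = granted
        remaining -= granted
        spill += demands[prec] - granted
    sent[0] = min(spill, remaining)
    return sent


def flow_chart_one() -> dict:
    """First pipe limited to 50 kbps at precedence 5; following pipe 200 kbps total,
    200 kbps per precedence; 100 kbps offered -> 50 kbps out at precedence 5."""
    rate, prec = first_pipe(Pipe("first", total_limit=50), 100, 5)
    return following_pipe(Pipe("following", 200, {p: 200 for p in range(8)}), {prec: rate})


def flow_chart_two() -> dict:
    """First pipe unlimited at precedence 5; following pipe 200 kbps total, 100 kbps
    per precedence; 200 kbps offered -> 100 at precedence 5 plus 100 at precedence 0."""
    rate, prec = first_pipe(Pipe("first"), 200, 5)
    return following_pipe(Pipe("following", 200, {p: 100 for p in range(8)}), {prec: rate})


# Hands-on scenario, upstream direction: 500 kbps commit rate, HTTP guaranteed
# 200 k at precedence 7 and capped in its first pipe so it never spills, FTP
# 400 k at precedence 1 with overflow allowed to precedence 0.
TOTAL_OUT = Pipe("total-out", 500, {7: 200, 1: 400})
CHAIN = {
    "http": (Pipe("http-out", total_limit=200), 7),
    "ftp": (Pipe("ftp-out"), 1),
}


def shape_upstream(offered: dict) -> dict:
    """offered: service -> kbps; returns precedence -> kbps after the whole chain."""
    demands = {}
    for service, (first, prec) in CHAIN.items():
        rate, p = first_pipe(first, offered.get(service, 0.0), prec)
        demands[p] = demands.get(p, 0.0) + rate
    return following_pipe(TOTAL_OUT, demands)


if __name__ == "__main__":
    print(flow_chart_one(), flow_chart_two())
    print(shape_upstream({"http": 300, "ftp": 500}))   # HTTP wins, FTP squeezed to 300
    print(shape_upstream({"http": 0, "ftp": 500}))     # FTP overflow takes the remaining 100
```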
Traffic shaping: Tips 1
Step 1: Create the "IP rule" set for the specific service you want to control, and make sure this rule set is the first one triggered among all the IP rules.
Step 2: Create the Pipe objects that will contain each kind of traffic.
Step 3: Create the same rule set as in step 1 under the pipe rules.
Step 4: In the traffic-shaping tab, select the desired pipe object for both the forward and the return sessions following the chain concept, and then declare the precedence with "Use defaults from first pipe", "Use Fixed Precedence" or "Map IP DSCP (ToS)" for the first pipe object of the return chain or forward chain.
Step 5: Make sure the specific pipe rule is the first one triggered among all the pipe rules.

Traffic shaping: Tips 2 [figure only]

Traffic shaping: Scenario hands-on 1 settings
1. Change the WAN1 IP address and subnet mask.
2. Set the default gateway on the wan1 interface.
3. Add the necessary IP rule sets in IP rules.
4. Add a pipe object for inbound FTP traffic; nothing needs to be set in the "Pipe limits" tab.
5. Add a pipe object for outbound FTP traffic; nothing needs to be set in the "Pipe limits" tab.
6. Add a pipe object for inbound HTTP traffic, and set the total kbps to limit the HTTP traffic.
7. Add a pipe object for outbound HTTP traffic, and set the total kbps to limit the HTTP traffic.
8. Add a pipe object that (1) marks the total downstream commit rate and (2) sets the bandwidth for each precedence; in other words, it marks how many tokens we give to each precedence level.
9. Add a pipe object that marks the total upstream commit rate and also sets the bandwidth for each precedence level.
10. Under the Pipe Rules, point out which target, service and traffic flow the shaper is applied to. How to read the Traffic Shaping tab on the right-hand page: outgoing FTP traffic (Forward Chain) flows into the First Pipe "ftp-out", which declares precedence 1, and then takes its tokens from the Following Pipe "total-out". Vice versa for the return FTP traffic. (Outgoing traffic: step 1 mark precedence 1, step 2 give precedence 1 tokens.)
11. Under the Pipe Rules, point out which target, service and traffic flow the shaper is applied to.
12. Under the Pipe Rules, mark the other services with precedence level "0", letting those services compete with each other at precedence zero.
13. Below is an overview of the pipe rule sets. The theory of operation is the same as for the "IP rules": it also follows the "first triggered, first applied" rule. So with the rule order below, you cannot move pipe index 3 to index 1, because the original index 1 would never be triggered any more.
93
2007 July93 Traffic shaping Scenario hands-on 1 ISP HTTP/FTP server 7.7.7.5 GW:3.3.3.2 14 15 11 16 13 17 12 18 Network: 3.3.3.0 /24 Upstream commit rate is 500 kilobits/per sec Downstream commit rate is 500 kilobits/per sec 1. Insure the HTTP CR to 200 kbps for bi-direction traffic. (Marking the HTTP traffic to precedence 7 (highest priority) ). HTTP have no Utilizing the rest of bandwidth. 2. Setting the 400 kbps in precedence 1 for FTP bi-direction traffic. When the FTP token is running out, the part of overflow can flow to precedence 0 to compete with other services, it’s so-called “utilizing remaining bandwidth ”.
Traffic shaping: Traffic flow 1/5 - HTTP download
1. Check the IP rules. 2. Pipe rules triggered. [figure]

Traffic shaping: Traffic flow 2/5 - HTTP download [figure]

Traffic shaping: Traffic flow 3/5 - HTTP download
Following Pipe CLI [figure]

Traffic shaping: Traffic flow 4/5 - HTTP download
The bandwidth limitation on the First pipe. [Figure: First Pipe, Following Pipe.]

Traffic shaping: Traffic flow 5/5 - HTTP download
We do not limit the First Pipe. [Figure: First Pipe, Following Pipe.]

Traffic shaping: Summing up the traffic flow
IP rule -> pipe rule (set the precedence for each service based on 1. use default from first pipe, 2. fixed precedence setting, 3. Map IP DSCP (TOS)) -> pipe -> pipe chain (if required) -> prioritize packets in the memory queue -> packet goes out.
Note. The traffic shaper buffers and delays packets when the speed specified in the pipe is reached. If the buffers get full, we drop the longest, lowest-precedence packet when a new packet arrives.

Traffic Shaping: How to observe the traffic-shaping status
The relevant commands:
pipe <pipename>: shows the status of the specific pipe; commonly we show the overall pipe object to check the status easily.
pipe -users: shows the status of the pipe's overall usage.
Chapter 6 VPN-IPsec

VPN-IPsec
In IPsec terminology there are two roles, distinguishing server from client:
– Initiator (Client): the role that initiates the IPsec session to establish the IPsec tunnel. It is a security gateway (IPsec server) or a road warrior (roaming client).
– Responder (Server): the role that receives the request from the initiator and responds with the information needed to establish the IPsec tunnel. It is a security gateway (IPsec server).

IPsec Tunnel: IPsec VPN Main mode, Phase 1
Initiator (road warrior / security gateway) and Responder (IPsec server); ports are given as UDP (source port, destination port).
M1 Initiator -> Responder, UDP(500,500): provides the proposal lists and supported features.
M2 Responder -> Initiator, UDP(500,500): replies with the matching proposal and the supported features.
M3 Initiator -> Responder, UDP(500,500), Key Exchange: provides key material for encryption.
M4 Responder -> Initiator, UDP(500,500), Key Exchange: provides key material for encryption.
M5 Initiator -> Responder, UDP(500,500), ID and Auth (encrypted): provides its ID and the authentication request if necessary.
M6 Responder -> Initiator, UDP(500,500), IDr and Auth (encrypted): provides its ID and the authentication reply, and produces the key material for the phase 2 process.

IPsec Tunnel: IPsec VPN Main mode, Phase 1 with NAT
Initiator (road warrior / IPsec server) behind a NAT, Responder (IPsec server). The NATed ports are those seen after the NAT device.
M1 Initiator -> Responder: UDP(500,500), NATed to UDP(x,500).
M2 Responder -> Initiator: UDP(500,x), NATed to UDP(500,500).
M3 Initiator -> Responder: UDP(500,500) with NAT-D, NAT-D, NATed to UDP(x,500) with NAT-D, NAT-D.
M4 Responder -> Initiator: UDP(500,x) with NAT-D, NAT-D, NATed to UDP(500,500) with NAT-D, NAT-D.
M5 Initiator -> Responder: UDP(4500,4500), NATed to UDP(Y,4500).
M6 Responder -> Initiator: UDP(4500,Y), NATed to UDP(4500,4500).
Both peers must support NAT-T.
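The NAT-D exchange in M3/M4 and the port switch from M5 on, as an added example (not NetDefendOS code). Each peer hashes the IKE cookies together with the address and port it believes it is using (RFC 3947: HASH(CKY-I | CKY-R | IP | port), with SHA-1 as the phase-1 hash here); the receiver recomputes the hash over the source it actually saw, and a mismatch means a NAT is in the path, so UDP 4500 is used from M5. Cookies, addresses and the NAT's translated port (the slide's "x") are constructed.

```python
import hashlib
import socket
import struct

IKE_PORT = 500
NAT_T_PORT = 4500


def nat_d(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload: HASH(CKY-I | CKY-R | IP | port) over the 4-byte address and
    the big-endian 2-byte port (RFC 3947), SHA-1 being the phase-1 hash here."""
    data = cky_i + cky_r + socket.inet_aton(ip) + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def nat_detected(cky_i: bytes, cky_r: bytes, received_nat_d: bytes,
                 seen_ip: str, seen_port: int) -> bool:
    """Receiver side of one NAT-D payload: recompute over the source actually seen.
    (The peer's second NAT-D, covering the receiver's own address, is checked alike.)"""
    return received_nat_d != nat_d(cky_i, cky_r, seen_ip, seen_port)


def ports_for_message(msg: int, nat_in_path: bool) -> tuple:
    """(source, destination) UDP ports of main-mode message msg as the initiator
    sends it: M1-M4 always 500/500; from M5 on 4500/4500 once a NAT was detected."""
    if msg <= 4 or not nat_in_path:
        return (IKE_PORT, IKE_PORT)
    return (NAT_T_PORT, NAT_T_PORT)


# Constructed exchange: initiator 192.168.1.60 behind a NAT that rewrites its
# source to 5.5.5.5:61001 (the slide's "x"); responder 1.1.1.1 is not NATed.
CKY_I = bytes.fromhex("0102030405060708")
CKY_R = bytes.fromhex("1112131415161718")
INITIATOR = ("192.168.1.60", IKE_PORT)       # what the initiator believes it uses
INITIATOR_AS_SEEN = ("5.5.5.5", 61001)       # what the responder actually sees
RESPONDER = ("1.1.1.1", IKE_PORT)


def run_main_mode() -> dict:
    """Walk the M3/M4 NAT-D checks and report which side is NATed and the M5 ports."""
    # M3: the initiator sends NAT-D for itself; the responder checks it against the seen source.
    initiator_natted = nat_detected(CKY_I, CKY_R, nat_d(CKY_I, CKY_R, *INITIATOR),
                                    *INITIATOR_AS_SEEN)
    # M4: the responder sends NAT-D for itself; the initiator sees the responder's real address.
    responder_natted = nat_detected(CKY_I, CKY_R, nat_d(CKY_I, CKY_R, *RESPONDER), *RESPONDER)
    nat_in_path = initiator_natted or responder_natted
    return {
        "initiator_natted": initiator_natted,
        "responder_natted": responder_natted,
        "m1_ports": ports_for_message(1, nat_in_path),
        "m5_ports": ports_for_message(5, nat_in_path),
    }


if __name__ == "__main__":
    print(run_main_mode())
```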
VPN-IPsec: Quick mode, Phase 2
M1 Initiator -> Responder: hash using Phase 1 information, Message ID, SA proposal list, Nonce I, [DH public key I], Proxy ID.
M2 Responder -> Initiator: hash using Phase 1 information, Message ID, SA proposal list accepted, Nonce R, [DH public key R], Proxy ID.
M3 Initiator -> Responder: hash using Phase 1 information, Notify.
Security tunnel established (data protected by the AH/ESP protocol).

VPN-IPsec
Several key settings must be consistent between the Initiator and the Responder:
– The Initiator's remote net must be the same as the Responder's local net.
– The Responder must have one proposal list that matches the proposal provided by the Initiator.
– If both peers authenticate with a pre-shared key, the key value must be the same on each side.
– Both peers must use the same IKE mode (main or aggressive) with the same DH group (1, 2, 5) in the Phase 1 exchange.
– The PFS setting must also be consistent on both sides in the Phase 2 exchange.
– For the security protocol (AH or ESP), both peers must use the same mode (tunnel or transport).
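A configuration cross-check for the list above, as an added example (not NetDefendOS code): it compares the two ends' settings offline and reports every mismatch at once, which is quicker than reading ikesnoop output after a failed negotiation. The two configurations are constructed from the scenario 1 hands-on later in this deck (lannet 192.168.1.0/24, ipsec-remote-net 192.168.123.0/24, 3DES-SHA1 / 3DES-MD5, pre-shared key testtest); the DH group, PFS values and field names are this example's own.

```python
from dataclasses import dataclass, replace


@dataclass(frozen=True)
class IpsecPeer:
    name: str
    local_net: str
    remote_net: str
    ike_mode: str                # "main" or "aggressive"
    dh_group: int                # 1, 2 or 5
    pfs: bool
    ike_proposals: tuple         # phase 1 proposal list, e.g. ("3des-sha1",)
    ipsec_proposals: tuple       # phase 2 proposal list, e.g. ("3des-md5",)
    psk: str
    encapsulation: str           # "tunnel" or "transport"


def check_peers(initiator: IpsecPeer, responder: IpsecPeer) -> list:
    """Return the mismatches between the two ends; an empty list means every
    setting the deck lists as 'must be consistent' agrees."""
    problems = []
    if initiator.remote_net != responder.local_net:
        problems.append(f"remote net {initiator.remote_net} != responder local net {responder.local_net}")
    if responder.remote_net != initiator.local_net:
        problems.append(f"responder remote net {responder.remote_net} != local net {initiator.local_net}")
    if not set(initiator.ike_proposals) & set(responder.ike_proposals):
        problems.append("no common IKE (phase 1) proposal")
    if not set(initiator.ipsec_proposals) & set(responder.ipsec_proposals):
        problems.append("no common IPsec (phase 2) proposal")
    if initiator.psk != responder.psk:       # offline config review, both keys are in hand
        problems.append("pre-shared keys differ")
    if initiator.ike_mode != responder.ike_mode:
        problems.append(f"IKE mode {initiator.ike_mode} != {responder.ike_mode}")
    if initiator.dh_group != responder.dh_group:
        problems.append(f"DH group {initiator.dh_group} != {responder.dh_group}")
    if initiator.pfs != responder.pfs:
        problems.append("PFS enabled on one side only")
    if initiator.encapsulation != responder.encapsulation:
        problems.append(f"encapsulation {initiator.encapsulation} != {responder.encapsulation}")
    return problems


# Constructed from the scenario 1 hands-on; the HQ side mirrors the branch and
# offers one extra IKE proposal, which is fine as long as one of them matches.
BRANCH = IpsecPeer("branch DFL-800", "192.168.1.0/24", "192.168.123.0/24", "main", 2, False,
                   ("3des-sha1",), ("3des-md5",), "testtest", "tunnel")
HQ = IpsecPeer("HQ DFL-1600", "192.168.123.0/24", "192.168.1.0/24", "main", 2, False,
               ("aes-sha1", "3des-sha1"), ("3des-md5",), "testtest", "tunnel")


if __name__ == "__main__":
    print(check_peers(BRANCH, HQ) or "consistent")
    print(check_peers(BRANCH, replace(HQ, ipsec_proposals=("aes-md5",), pfs=True)))
```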
VPN-IPsec: DFL IPsec General page
1. Establish the SA used for mapping input traffic.
2. Establish the SA used for mapping output traffic.
3. Allow the local device to initiate the IPsec session to the specific remote peer (taking the initiator role in the IPsec process).
4. Select the encapsulation mode, tunnel or transport, for the ESP packet.
5. Select the supported proposal lists of IKE hash algorithms for IKE phase 1 (main mode or aggressive mode).
6. Select the supported proposal lists of IPsec hash algorithms for IKE phase 2 (quick mode).

VPN-IPsec: DFL IPsec IKE settings
1. Select IKE main mode or aggressive mode. Note. Both peers must use the same mode to establish the IPsec tunnel.
2. Enable the PFS (perfect forward secrecy) function or not. The value must be consistent on both peers.
3. Select how the Security Association is produced, Per Host or Per Net; this option affects the mapping between the SPI (or SPD) and the IP addresses.
4. Select whether the NAT Traversal feature is enabled. There are three options: Off, On if supported and NATed, On if supported.
5. The DPD feature detects the tunnel status using the ISAKMP protocol.
109
2007 July109 VPN-IPSEC Tunnel Mode-scheme-2
110
2007 July110 VPN-IPSEC Transport Mode-Scheme
111
2007 July111 VPN Scenario hands-on
112
2007 July112 VPN-IPSEC Scenario1 Hands-on IPSEC-VPN-----LAN to LAN (Spilt tunnel) WAN1:5.5.5.5 /24 GW:5.5.5.2 WAN1:1.1.1.1 /24 GW:1.1.1.2 LAN1:192.168.123.1 /24 LAN:192.168.1.1/24 HostA: 192.168.123.58 GW:192.168.123.1 HostB: 192.168.1.60 GW:192.168.1.1 IPSEC Tunnel DFL-800 Branch office DFL-1600 Headquarter DS:192.168.123.58 DS: xx.xx.xx.xx xx=ANY, except local and remote nets Setup the Spilt Tunnel
113
2007 July113 VPN-IPSEC Scenario1 Hands-on Tips Step1 Set the IP address and default gateway for physical interface if necessary. Step2 Add an object of Pre-shared key Step3 Create Proposal lists for IPsec and IKE respectively if necessary Step4 Add IPsec interface Step5 Add IP Rule for allowing the bi-direction traffic Step6 Input the below commands via console for verify the IPSEC status –vpnstat -verbose -ike –Vpnstat -verbose -ipsec –ikesnoop -on -verbose Branch office
Slide 114: VPN-IPSEC Scenario 1 hands-on 1 (branch office)
1. Under Authentication Objects, add a pre-shared key (value: testtest).
2. Under the Address Book, create the IPsec objects and change the IP addresses and subnet masks of wan1 and lan.
Slide 115: VPN-IPSEC Scenario 1 hands-on 2 (branch office)
3. Under VPN Objects, add an IKE Algorithms object; set the encryption algorithm to 3DES and the integrity algorithm to SHA1. Note: this IKE proposal list must match one of the proposals of the remote peer (headquarter DFL-1600).
Slide 116: VPN-IPSEC Scenario 1 hands-on 3 (branch office)
4. Under VPN Objects, add an IPsec Algorithms object; set the encryption algorithm to 3DES and the integrity algorithm to MD5. Note: at least one proposal in this IPsec proposal list must match a proposal of the remote peer (headquarter DFL-1600).
Slide 117: VPN-IPSEC Scenario 1 hands-on 4 (branch office)
5. Under Interfaces, add the IPsec tunnel interface.
6. In the General tab, set the parameters needed to establish the VPN:
  Local Network: lannet (192.168.1.0/24)
  Remote Network: ipsec-remote-net (192.168.123.0/24)
  Remote Endpoint: ipsec-endpoint1 (3.3.3.3)
  Encapsulation Mode: Tunnel
  IKE Algorithms: ph1-3des-sha1 (3DES-SHA1)
  IKE Life Time: 28800 seconds
  IPsec Algorithms: ph2-3des-md5 (3DES-MD5)
  IPsec Life Time: 3600 seconds
  IPsec Life Time: 0 kilobytes (unlimited)
Slide 118: VPN-IPSEC Scenario 1 hands-on 5 (branch office)
7. Select the authentication method; in this scenario we use the pre-shared key (testtest).
8. Xauth is not used in this scenario.
Slide 119: VPN-IPSEC Scenario 1 hands-on 6 (branch office)
9. Configure the Routing page as shown in the figure.
10. Make sure the IKE settings are the same as on HQ.
Slide 120: VPN-IPSEC Scenario 1 hands-on 7 (branch office)
11. The keep-alive feature.
12. Select the auto-add-route feature.
13. Put the IPsec and LAN interfaces into an interface group to make the IP rule sets easier to configure.
Slide 121: VPN-IPSEC Scenario 1 hands-on 8 (branch office)
14. Create the Allow (routing) IP rules for bidirectional traffic between LAN and the IPsec tunnel.
15. Create the NAT IP rule so that internal hosts reach the internet via NAT on the wan1 interface.
Slide 122: Scenario 1 hands-on 1 (HQ)
1. Under the Address Book, create the IPsec objects and change the IP addresses and subnet masks of wan1 and lan1.
2. Under Authentication Objects, add a pre-shared key (value: testtest).
Slide 123: Scenario 1 hands-on 2 (HQ)
3. For the IKE algorithms we choose one of the default proposal lists, Medium, for high compatibility. Note: why select a whole series of proposals on HQ? HQ works through that proposal list when negotiating with the remote peer until one proposal matches; if no proposal can be matched, both peers log the message "No proposal chosen".
Slide 124: Scenario 1 hands-on 2-1 (HQ): the initiator's IPsec failure logs (figure only)
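To make the proposal-matching rule of slides 115, 116 and 123 concrete, here is an added Python model (not code from the slides or from NetDefendOS) of how a responder walks the initiator's IKE and IPsec proposal lists and how the "No proposal chosen" failure arises; the IKE-mode and PFS checks come from slide 108. The HQ list contents and the Proposal fields are assumptions, not the real "Medium" list.

```python
"""Model of IKE phase 1 / IPsec phase 2 proposal negotiation (constructed example).
The HQ proposal list is an assumption, not NetDefendOS's real "Medium" list."""
from dataclasses import dataclass, field
from typing import List, Optional

NO_PROPOSAL_CHOSEN = "No proposal chosen"   # log text quoted on slide 123


@dataclass(frozen=True)
class Proposal:
    encryption: str   # e.g. "3DES", "AES128"
    integrity: str    # e.g. "SHA1", "MD5"


@dataclass
class PeerConfig:
    name: str
    ike_mode: str                 # "main" or "aggressive" (slide 108, item 1)
    pfs: bool                     # slide 108, item 2: must match on both peers
    ike: List[Proposal] = field(default_factory=list)
    ipsec: List[Proposal] = field(default_factory=list)


def negotiate(initiator: List[Proposal], responder: List[Proposal]) -> Optional[Proposal]:
    """Responder answers with the first initiator proposal it also accepts."""
    accepted = set(responder)
    for p in initiator:
        if p in accepted:
            return p
    return None


def establish(init: PeerConfig, resp: PeerConfig) -> dict:
    """Run the checks a tunnel setup goes through, stopping at the first failure."""
    if init.ike_mode != resp.ike_mode:
        return {"error": "IKE mode mismatch", "ike": None, "ipsec": None}
    if init.pfs != resp.pfs:
        return {"error": "PFS setting mismatch", "ike": None, "ipsec": None}
    ike = negotiate(init.ike, resp.ike)            # phase 1
    if ike is None:
        return {"error": NO_PROPOSAL_CHOSEN, "ike": None, "ipsec": None}
    ipsec = negotiate(init.ipsec, resp.ipsec)      # phase 2 (quick mode)
    if ipsec is None:
        return {"error": NO_PROPOSAL_CHOSEN, "ike": ike, "ipsec": None}
    return {"error": None, "ike": ike, "ipsec": ipsec}


# Branch office DFL-800: one proposal per phase (slides 115 and 116).
BRANCH = PeerConfig("DFL-800", "main", False,
                    ike=[Proposal("3DES", "SHA1")],      # ph1-3des-sha1
                    ipsec=[Proposal("3DES", "MD5")])     # ph2-3des-md5

# Headquarter DFL-1600: a multi-entry list for compatibility (slide 123).
# ASSUMPTION: illustrative list, not the real "Medium" contents.
HQ = PeerConfig("DFL-1600", "main", False,
                ike=[Proposal("AES128", "SHA1"), Proposal("3DES", "SHA1"),
                     Proposal("3DES", "MD5")],
                ipsec=[Proposal("AES128", "SHA1"), Proposal("3DES", "MD5")])

# A misconfigured branch whose single IKE proposal HQ does not offer.
BRANCH_BAD = PeerConfig("DFL-800-bad", "main", False,
                        ike=[Proposal("DES", "MD5")], ipsec=BRANCH.ipsec)

if __name__ == "__main__":
    print(establish(BRANCH, HQ))       # 3DES-SHA1 for IKE, 3DES-MD5 for IPsec
    print(establish(BRANCH_BAD, HQ))   # error: No proposal chosen
```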
Slide 125: Scenario 1 hands-on 3 (HQ)
4. Under Interfaces, add the IPsec tunnel interface.
5. In the General tab, set the parameters needed to establish the VPN:
  Local Network: lan1net (192.168.123.0/24)
  Remote Network: ipsec-remote-net (192.168.1.0/24)
  Remote Endpoint: ipsec-endpoint1 (1.1.1.1)
  Encapsulation Mode: Tunnel
  IKE Algorithms: Medium
  IKE Life Time: 28800 seconds
  IPsec Algorithms: Medium
  IPsec Life Time: 3600 seconds
  IPsec Life Time: 0 kilobytes (unlimited)
Slide 126: Scenario 1 hands-on 4 (HQ)
6. Select the authentication method; in this scenario we use the pre-shared key (testtest).
7. Xauth is not used in this scenario.
Slide 127: Scenario 1 hands-on 5 (HQ)
8. Configure the Routing page as shown in the figure.
9. Make sure the IKE settings are the same on both peers.
Slide 128: Scenario 1 hands-on 6 (HQ)
10. The keep-alive feature.
11. Select the auto-add-route feature.
12. Put the IPsec and LAN1 interfaces into an interface group to make the IP rule sets easier to configure.
Slide 129: Scenario 1 hands-on 7 (HQ)
14. Create the Allow (routing) IP rules for bidirectional traffic between LAN1 and the IPsec tunnel.
15. Create the NAT IP rule so that internal hosts reach the internet via NAT on the wan1 interface.
Slide 130: VPN-IPSEC Scenario 2 hands-on: IPsec VPN, LAN to LAN (non-split tunnel)
Branch office (DFL-800): WAN1 1.1.1.1/24, GW 1.1.1.2; LAN 192.168.1.1/24; Host B 192.168.1.60, GW 192.168.1.1
Headquarter (DFL-1600): WAN1 5.5.5.5/24, GW 5.5.5.2; LAN1 192.168.123.1/24; Host A 192.168.123.58, GW 192.168.123.1
An IPsec tunnel connects the DFL-800 and the DFL-1600.
Non-split tunnel setup: traffic with destination 192.168.123.58 and traffic with destination xx.xx.xx.xx (xx = any, except the local and remote nets) all go through the tunnel.
Slide 131: VPN-IPSEC Scenario 2 hands-on tips 1 (HQ settings)
Step 1: Set the IP address and default gateway of the physical interfaces if necessary.
Step 2: Add a pre-shared key object.
Step 3: Create proposal lists for IPsec and IKE respectively, if necessary.
Step 4: Add the IPsec interface (Local Network = all-nets).
Step 5: Add IP rules:
  allow the bidirectional traffic (the LAN-to-LAN part);
  create the NAT rule so that traffic from the IPsec remote peer can go out to the internet.
Step 6: Verify with the CLI.
Slide 132: VPN-IPSEC Scenario 2 hands-on tips 2 (branch office settings)
Step 1: Set the IP address and default gateway of the physical interfaces if necessary.
Step 2: Add a pre-shared key object.
Step 3: Create proposal lists for IPsec and IKE respectively, if necessary.
Step 4: Add the IPsec interface (Remote Network = all-nets).
Step 5: Add a static route to the routing table as described below.
Step 6: Add an IP rule allowing all traffic via the IPsec tunnel.
Slide 133: VPN-IPSEC Scenario 2 hands-on, DFL-800 1 (branch office)
Starting from the scenario 1 settings, only three parts of the DFL-800 configuration have to change to meet the scenario 2 requirement.
1. In the General tab, change the Remote Network to "all-nets", whose value is 0.0.0.0/0. This means the DFL unit lets traffic for unknown destinations go out via the IPsec tunnel.
Slide 134: VPN-IPSEC Scenario 2 hands-on, DFL-800 2 (branch office)
2. Under IP Rules, add an IP rule allowing the LAN net users' outgoing traffic to pass through the IPsec tunnel by routing.
3. In the main routing table, add a static route so that the DFL can initiate the IPsec session to the remote peer (DFL-1600), whose IP address is 5.5.5.5.
Slide 135: VPN-IPSEC Scenario 2 hands-on, DFL-800 3 (branch office)
Now check the whole routing status on the DFL-800 to make sure all traffic follows the intended path. Select Routes under the Status tab of the web GUI.
1. The left pane shows two default route entries in the main routing table. Make sure the ipsec-tunnel entry has a lower metric value than the WAN1 entry, since all outgoing traffic must be put into the IPsec tunnel so that HQ can apply centralized control.
2. Because the ipsec-tunnel route does not yet exist in the main routing table before the IPsec tunnel is initiated, we must tell the DFL unit how to reach the IPsec remote peer (DFL-1600); that is what the static route added in step 3 does.
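The routing checks on this slide can be verified with an added Python model of the DFL-800 main routing table (example code written for this page, not NetDefendOS code). It applies the two lookup rules from chapter 1, longest prefix first and then lowest metric; the metric values 100 and 90, the interface network routes and the destination 203.0.113.10 are assumptions.

```python
"""Longest-prefix-then-metric route lookup over the DFL-800 main routing table
of scenario 2 (slides 134 and 135). Constructed example; metric values are
assumptions, the slides only require ipsec-tunnel to have the lower metric."""
import ipaddress
from dataclasses import dataclass
from typing import List, Optional


@dataclass(frozen=True)
class Route:
    interface: str
    network: ipaddress.IPv4Network
    gateway: Optional[str]
    metric: int


def lookup(table: List[Route], dst: str) -> Optional[Route]:
    """Most specific route wins; among equal prefix lengths the lowest metric wins
    (the two rules stated for the routing table in chapter 1)."""
    addr = ipaddress.IPv4Address(dst)
    candidates = [r for r in table if addr in r.network]
    if not candidates:
        return None
    return min(candidates, key=lambda r: (-r.network.prefixlen, r.metric))


def route(interface: str, cidr: str, gateway: Optional[str] = None, metric: int = 100) -> Route:
    return Route(interface, ipaddress.IPv4Network(cidr), gateway, metric)


# Routes present before the tunnel is up: interface networks plus the default
# route via WAN1 (as in scenario 1). ASSUMPTION: metric 100 on the default route.
BASE_TABLE = [
    route("lan", "192.168.1.0/24"),
    route("wan1", "1.1.1.0/24"),
    route("wan1", "0.0.0.0/0", gateway="1.1.1.2", metric=100),
]

# Static entry from slide 134, step 3: reach the remote peer 5.5.5.5 through wan1.
PEER_ROUTE = route("wan1", "5.5.5.5/32", gateway="1.1.1.2")

# Route added once the tunnel is up (Remote Network = all-nets).
# ASSUMPTION: metric 90, so it beats the WAN1 default route (slide 135, item 1).
TUNNEL_ROUTE = route("ipsec-tunnel", "0.0.0.0/0", metric=90)

SCENARIO2_TABLE = BASE_TABLE + [PEER_ROUTE, TUNNEL_ROUTE]


def egress(table: List[Route], dst: str) -> Optional[str]:
    """Name of the interface a packet to dst would leave on, or None if unroutable."""
    r = lookup(table, dst)
    return r.interface if r else None


if __name__ == "__main__":
    for dst in ("192.168.1.60", "5.5.5.5", "203.0.113.10"):
        print(dst, "->", egress(SCENARIO2_TABLE, dst))
```

The last assertion in the test shows why the static route is needed: without it, the /0 tunnel route would capture the peer address 5.5.5.5 itself, so the tunnel could never be initiated.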
Slide 136: VPN-IPSEC Scenario 2 hands-on, DFL-1600 1 (HQ)
For the headquarter (DFL-1600) settings, only two components have to be adjusted relative to scenario 1.
1. In the General tab, change the Local Network to "all-nets", whose value is 0.0.0.0/0. This means the DFL unit accepts traffic for unknown destinations (destination field) arriving via the IPsec tunnel.
Slide 137: VPN-IPSEC Scenario 2 hands-on, DFL-1600 2 (HQ)
2. Under IP Rules, add an IP rule allowing traffic from the IPsec tunnel to go out to wan1 using NAT.
Slide 138: VPN-IPSEC Scenario 2 hands-on, DFL-1600 3 (HQ)
Now check the whole routing status on the DFL-1600 as well, to make sure all traffic follows the intended path.
Slide 139: L2TP over IPsec for roaming users
A road warrior (Windows XP SP2) at 5.5.5.60 connects through an L2TP over IPsec tunnel to the VPN gateway (DFL-1600) at 1.1.1.1 and reaches the company network 192.168.123.0/24.
Slide 140: L2TP over IPsec for roaming users (figure only)
Slide 141: L2TP over IPsec for roaming users, DFL-1600 settings 1/7
1. Under the Address Book, create the IP pool and the L2TP server's IP address, and change the IP addresses and subnet masks of wan1 and lan1.
2. Under Authentication Objects, create a pre-shared key for the IPsec tunnel.
Slide 142: L2TP over IPsec for roaming users, DFL-1600 settings 2/7
3. Under Interfaces, create the IPsec interface for roaming users.
  Why is the Local Network set to wan1_ip? Because the remote roaming users must know that the firewall is the final destination. Alternatively you can set this value to all-nets and let the DFL unit search for the suitable policy automatically.
  Since we do not know the roaming users' addresses, we also let the DFL unit search for the suitable policy automatically for the remote side.
Slide 143: L2TP over IPsec for roaming users, DFL-1600 settings 3/7
4. Under Authentication, select the pre-shared key "ipsec-pre" created in step 2.
5. Xauth is not used in this scenario. Under Routing, enable "Dynamically Add Route To Remote Net...".
Slide 144: L2TP over IPsec for roaming users, DFL-1600 settings 4/7
6. Under IKE Settings:
  IKEMode: Main (Mainmode)
  DHGroup: 2
  PFS: None
  SetupSAPer: Host (Per host)
  DeadPeerDetection: Yes
  NATTraversal: OnIfNeeded (Only if needed)
  Disable the keep-alive feature.
  Under Advanced: AutoInterfaceNetworkRoute: No
Slide 145: L2TP over IPsec for roaming users, DFL-1600 settings 5/7
7. Under Interfaces, add the L2TP server interface; the figure shows the settings step by step. Note that the "Outer Interface Filter" field must be set to the IPsec interface created in step 3.
Slide 146: L2TP over IPsec for roaming users, DFL-1600 settings 6/7
8. Add a Local User Database and a User Authentication rule.
Slide 147: L2TP over IPsec for roaming users, DFL-1600 settings 7/7
9. Add an Interface Group containing the L2TP and LAN1 interfaces for easy setup, and create IP rules allowing bidirectional traffic between the L2TP and lan1 interfaces.
Slide 148: L2TP over IPsec for roaming users, Windows XP settings 1/3
1. Check the status of the IPsec service on Windows XP to make sure it is enabled.
Slide 149: L2TP over IPsec for roaming users, Windows XP settings 2/3
1. Under Network Connections, create a new connection and follow the procedure shown below to set it up.
Slide 150: L2TP over IPsec for roaming users, Windows XP settings 3/3
2. After the wizard's step-by-step settings, adjust some advanced values so that they match the DFL-1600 settings.
Slide 151: L2TP over IPsec for roaming users, confirmation 1/2
1. On the Windows platform, connect to the DFL-1600 server, check the connection status, and use the command-line tools ipconfig and ping to see whether an IP address was obtained from the L2TP server.
Slide 152: L2TP over IPsec for roaming users, confirmation 2/2
Under Status, select User Authentication Status.
Slide 153: Thanks
Slide 154: Appendix A, IPsec pass-through vs. NAT-T
Slide 155: IPsec pass-through vs. NAT-T: IPsec pass-through
IPsec pass-through is the old way of solving the problem of one IPsec peer sitting behind a NAT device. The feature is implemented in the NAT device, which acts as an intermediary during the IPsec process. There is no standard describing how to implement it, so each vendor has a different solution.
Slide 156: IPsec pass-through vs. NAT-T: NAT traversal
NAT traversal is the new way of solving the same problem of a remote peer behind a NAT device. The feature is implemented on both peers of the IPsec tunnel. It is enabled only when both peers support it and it is actually necessary. The feature fully replaces IPsec pass-through; the intermediate device is not involved in the process.
Slide 157: IPsec NAT traversal on DFL units
NAT traversal drafts supported by the NetDefendOS firewall (DFL-210/800/1600/2500):
  draft-ietf-ipsec-nat-t-ike-00
  draft-ietf-ipsec-nat-t-ike-01
  draft-ietf-ipsec-nat-t-ike-02
  draft-ietf-ipsec-nat-t-ike-03
Slide 158: IPsec NAT traversal: when the NAT-T function is used
Initiator hosts are behind a NAT device: Host A and Host B, each running the DS-601 client, sit behind a NAT device and build IPsec tunnel 1 and IPsec tunnel 2 across the internet to the IPsec server (WAN1 5.5.5.5/24). Both peers must support NAT traversal.
Slide 159: IPsec NAT traversal: how it is detected
NAT traversal is only used if both ends support it. In the figure, Client A (DS-601) sits behind a NAT device in front of a DFL-800 acting as IPsec server.
  Client A (DS-601) supports NAT-T | DFL unit supports NAT-T | NAT-Discover | Result
  yes                              | yes                     | required     | Enable
  yes                              | yes                     | unnecessary  | Disable
  no                               | yes                     | N/A          | Disable
  yes                              | no                      | N/A          | Disable
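As an added illustration (not code from the slides or from the DS-601/DFL products), the Python below reproduces the NAT-Discover step of the NAT-T drafts listed on slide 157: each side hashes the IKE cookies together with the address and port it believes it is using, and the receiver recomputes the hash over the source it actually observes; a mismatch means a NAT device rewrote the packet. The cookies, addresses, ports and SHA-1 as the hash are constructed assumptions; nat_t_decision then applies the three DFL NAT Traversal settings from slide 108.

```python
"""NAT discovery (NAT-D) check plus the DFL NAT Traversal setting (constructed
example; cookies, addresses and ports are made up, SHA-1 is assumed as hash)."""
import hashlib
import ipaddress
import struct
from typing import List, Tuple

Endpoint = Tuple[str, int]   # (IPv4 address, UDP port)


def nat_d_hash(cky_i: bytes, cky_r: bytes, ip: str, port: int) -> bytes:
    """NAT-D payload: HASH(CKY-I | CKY-R | IP | Port), port as 2 bytes, network order."""
    data = cky_i + cky_r + ipaddress.IPv4Address(ip).packed + struct.pack("!H", port)
    return hashlib.sha1(data).digest()


def build_nat_d(cky_i: bytes, cky_r: bytes, local: Endpoint, remote: Endpoint) -> List[bytes]:
    """Sender emits the hash of the remote (destination) first, then of itself."""
    return [nat_d_hash(cky_i, cky_r, *remote), nat_d_hash(cky_i, cky_r, *local)]


def detect_nat(cky_i: bytes, cky_r: bytes, payloads: List[bytes],
               observed_src: Endpoint, own: Endpoint) -> Tuple[bool, bool]:
    """Receiver recomputes both hashes from what it actually sees on the wire.
    Returns (sender_behind_nat, receiver_behind_nat)."""
    dst_hash, src_hash = payloads[0], payloads[1]
    sender_natted = src_hash != nat_d_hash(cky_i, cky_r, *observed_src)
    receiver_natted = dst_hash != nat_d_hash(cky_i, cky_r, *own)
    return sender_natted, receiver_natted


def nat_t_decision(setting: str, peer_supports: bool, nat_detected: bool) -> bool:
    """Apply the DFL 'NAT Traversal' option (slide 108) to the detection result."""
    if setting == "Off" or not peer_supports:
        return False
    if setting == "On if supported":
        return True
    if setting == "On if supported and NATed":
        return nat_detected
    raise ValueError(setting)


# Constructed scenario from slide 158: a DS-601 host on a private address behind
# a NAT device talks to the IPsec server on WAN1 5.5.5.5.
CKY_I, CKY_R = b"\x01" * 8, b"\x02" * 8
CLIENT_PRIVATE: Endpoint = ("192.168.1.80", 500)
CLIENT_AS_SEEN: Endpoint = ("1.1.1.1", 4032)   # after the NAT device rewrote it
SERVER: Endpoint = ("5.5.5.5", 500)


def run_detection(natted: bool) -> Tuple[bool, bool]:
    """Result the server computes; natted=False means no NAT on the path."""
    payloads = build_nat_d(CKY_I, CKY_R, CLIENT_PRIVATE, SERVER)
    observed = CLIENT_AS_SEEN if natted else CLIENT_PRIVATE
    return detect_nat(CKY_I, CKY_R, payloads, observed, SERVER)


if __name__ == "__main__":
    print(run_detection(True))    # (True, False): the client is behind NAT
    print(run_detection(False))   # (False, False): NAT-Discover unnecessary
```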
Slide 160: Appendix B, VPN limitation and solution in DFL / DS-601
Slide 161: IPsec limitation 1/4: remote peers behind NAT devices with the same identification
IPsec server: WAN1 7.7.7.7/24, LAN1 192.168.3.1, company network 192.168.3.0/24.
NAT-device1: WAN1 1.1.1.1/24, LAN 192.168.1.1/24; behind it DFL-800-A, network 192.168.80.0/24.
NAT-device2: WAN1 3.3.3.1/24, LAN 192.168.1.1/24; behind it DFL-800-B, network 192.168.90.0/24.
The DFL-800 units use WAN1 192.168.1.80 behind their NAT devices and build IPsec tunnel 1 and IPsec tunnel 2 across the internet to the IPsec server.
The first IPsec session is replaced by the later session, because both remote peers present an identical ID in the IPsec tunnel.
Slide 162: IPsec limitation 2/4: DFL solution
Change the Local ID value on one of the remote peers.
Slide 163: IPsec limitation 3/4: roaming users behind NAT devices with the same identification
IPsec server: WAN1 7.7.7.7/24, LAN1 192.168.3.1, company network 192.168.3.0/24.
Two DS-601 road warriors (road warrior 1 and road warrior 2), each with IP 192.168.1.80, sit behind NAT-device1 (WAN 1.1.1.1) and NAT-device2 (WAN 3.3.3.3) and build IPsec tunnel 1 and IPsec tunnel 2 to the IPsec server.
The earlier IPsec session is replaced by the later session, because both remote peers present an identical ID in the IPsec tunnel.
Slide 164: IPsec limitation 4/4: DS-601 solution
Change the Local ID value on one of the DS-601 clients. Note: at present the DFL unit supports four ID types: 1. IP address, 2. IP subnet address, 3. FQDN, 4. User FQDN (so-called e-mail).
Slide 165: Appendix C, Certificates
Slide 166: L2TP over IPsec (certificates), with certificates issued by a CA server
Components in the figure: the SC CA server (Root CA, SC's CA); the DFL-1600 VPN gateway (Gateway CA, DFL's self-signed CA; WAN1 1.1.1.1/24, LAN 192.168.123.1/24) holding certificate 1, certificate 2, the trusted CA (SC's CA), the revocation list and the enrollment list; the road warrior at 3.3.3.100 with a personal certificate requested from the SC CA server; the address 7.7.7.7 also appears in the figure.
1. The roaming client sends the ISAKMP packet (proposal list) to initiate the IPsec tunnel.
2. The DFL replies with one of the suitable proposals requested by the initiator.
3. (message #3) The NAT-discover packet is sent.
4. The DFL sends a certificate request to the initiator.
5. The initiator encrypts the ISAKMP packet with its own certificate (PKI).
6. The VPN gateway asks the CA server whether the client's certificate is included in the enrollment list (also called the CRL check, certificate revocation list).
7. The CA server replies with the CRL to the DFL.
8. The DFL approves the roaming client's certificate.
9. Sensitive data is encrypted with the initiator's certificate (PKI).
Slide 167: L2TP over IPsec (certificates), authentication based on certificates
DFL requirements: the gateway certificate; the X.509 certificate of the CA server; the DNS setting.
Roaming client requirements: request an X.509 end-user certificate from the CA server; make sure the personal certificate is available; install the personal certificate into the "Personal" certificate store of both "Local Computer" and "Current User"; add the X.509 certificate of the CA server into the "Trusted Root Certification Authorities" store of both "Local Computer" and "Current User"; enable L2TP over IPsec with certificates.
Slide 168: L2TP over IPsec (certificates), CA server settings: preparing the CA server
Before you start using the CA server, change one setting on it to simplify certificate creation: start Administrative Tools\Certification Authority, right-click your CA server and select Properties, open the Policy Module tab and select Properties, then select "Follow the settings in the certificate template...". This setting lets the CA server automatically issue a pending certificate request created from the web page dialogue.
Slide 169: L2TP over IPsec (certificates), step 1: save the CA server root certificate
Open the page http://DFL.win2k3/certsrv with Internet Explorer and select "Download a CA certificate...". Select DER encoding and "Download CA certificate". Choose a name for your CA root certificate (for example certnew.cer) and save it in a folder on the server.
Slide 170: L2TP over IPsec (certificates), step 2: generate client certificates
Open the page http://DFL.win2k3/certsrv with Internet Explorer. Select "Request a certificate", "advanced certificate request" and "Create and submit a request to this CA". Enter the certificate information and select "IPsec Certificate". Install the certificate and export it with a password from the MMC console (Certificates - Current User). Repeat the steps for every client certificate.
Slide 171: L2TP over IPsec (certificates), step 3: generate the gateway certificate
The generation procedure is the same as for the client certificate. Repeat the steps for every gateway certificate.
Slide 172: L2TP over IPsec (certificates), step 4: preparing the gateway certificate for import
First install the Crypto4 tool on your computer, then select the gateway certificate produced in step 3 and unpack it into two files: one is the certificate and the other is the private key, with the file extensions .cer and .key respectively.
Slide 173: L2TP over IPsec (certificates), step 5: importing certificates into the DFL
Use the Certcache command to check the certificate status. Under Authentication Objects, add the CA certificate and the gateway certificate on the DFL unit respectively. Set the DNS value on the DFL unit so that it can download and check the CRL from the CA server. Save and activate the DFL unit, then use the Certcache command to check the certificate status again.
Slide 174: L2TP over IPsec (certificates), step 6: importing certificates into Windows XP
Run mmc. Use Add/Remove Snap-in and select Certificates for "My user account" and "Computer account". Install the personal certificate (summer.pfx) into the personal certificates of both the user account and the computer account. Install the CA certificate (certnew.cer) into the personal certificates of both the user account and the computer account. Repeat the steps so that both certificates are imported into Current User and Local Computer respectively.
Slide 175: L2TP over IPsec (certificates), step 7: configure the Windows client
Starting from the previous scenario's settings, change the client's values as shown in the figure on the right.
Slide 176: L2TP over IPsec (certificates), step 8: confirm the result on the Windows platform (figure only)
Slide 177: L2TP over IPsec (certificates), step 9: confirm the result on the DFL-1600 (figure only)
Slide 178: VPN-IPSEC, IPsec debug CLI
  ipsecstats -ike -verbose (vpnstats -ike -verbose)
  ipsecstats -ipsec -verbose (vpnstats -ipsec -verbose)
  ipsecstats -ipsec -u (vpnstats -ipsec -u)
  ipsecstats -ike -u (vpnstats -ike -u): IKE utilization
  ikesnoop -on -verbose
  killsa -all
  ipsecglobalstats -verbose