...
| Info |
|---|
| This scenario also includes the “parallel” solution as described in this article. |
Procedure:
The setup for scenarios 1 and 2 are basically the same. Scenario 2 additionally requires port forwarding to be set up on the upstream router (see section 4).
In order for the Unified Firewalls in the headquarter as well as in the branch office to be able to accept VPN SSL dial-in connections, a CA and two certficates one certficate have to be created on each Unified Firewall. One of the The VPN SSL certificates certificate is used in the VPN SSL settings and serves to decrypt the connections. The second VPN SSL certificate along with the certificate chain is then exported and imported into the other Unified Firewall. The There, the imported certificate is used in the VPN SSL connection and serves to encrypt the connection.
...
- Certificate Type : Select the option Certificate .
- Template: Select the template Certificate.
- Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-Headquarter).
- Private Key Password: Enter a passwor d. This is used for encrypting the Private Key.
- Validity: Set the validity to at least 5 years. This is recommended, since this certificate is used for all VPN SSL connections.
- Signing CA: In the dropdown menu select the CA created in step 1.1.2.
- CA Password: Enter the Private Key Password entered in step 1.1.2 .
1.1.4) Create another certificate by clicking on the "Plus" icon. This is used in the VPN SSL connection in the branch office. For this purpose modify the following parameters and click Create:For the certificate created in step 1.1.3 click on the icon for the certificate export.
1.1.6) Select the format PEM / CRT, activate the option Export Certificate Chain and click Export.
1.1.7) Switch to the menu VPN → VPN SSL → VPN SSL Settings.
1.1.8) Activate the VPN SSL service via the slider, modify the following parameters and click Save:
- Host certificate: In the dropdown menu select the VPN certificate
- Certificate Type: Select the option Certificate.
- Template: Select the template Certificate.
- Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-Headquarter-Office).
- Private Key Password: Enter a password. This is used for encrypting the Private Key.
- Signing CA: In the dropdown menu select the CA created in step 1.1.23.
- CA Private Key Password: Enter the Private Key Password entered in step 1.1.23.
| Info |
|---|
You can also modify the Validity of the certificate if necessary. |
1.1.5) For the certificate created in step 1.1.4 click on the icon for the certificate export.
1.1.6) Select the format PEM / CRT, activate the option Export Certificate Chain and click Export.
1.1.7) Switch to the menu VPN → VPN SSL → VPN SSL Settings.
1.1.8) Activate the VPN SSL service via the slider, modify the following parameters and click Save:
- Host certificate: In the dropdown menu select the VPN certificate created in step 1.1.3.
- Private Key Password: Enter the Private Key Password entered in step 1.1.3.
- Routes: Enter the networks in CIDR notation (Classless InterDomain Routing), which should be accessible via the VPN connection. In this example, the local network at the headquarter has the IP address range 192.168.23.0/24.
- Encryption Algorithm: On the tab Site-to-Site select the option AES 256.
| Info |
|---|
If necessary, you can change the Protocol and the Port. The Adress Pool is the range of IP addresses that are assigned to the dial-in VPN SSL clients. This address range may not already be in use as an internal network in the Unified Firewall. |
- Routes: Enter the networks in CIDR notation (Classless InterDomain Routing), which should be accessible via the VPN connection. In this example, the local network at the headquarter has the IP address range 192.168.23.0/24.
- Encryption Algorithm: On the tab Site-to-Site select the option AES 256.
| Info |
|---|
If necessary, you can change the Protocol and the Port. The Adress Pool is the range of IP addresses that are assigned to the dial-in VPN SSL clients. This address range may not already be in use as an internal network in the Unified Firewall. |
1.2) Creating certificates and modifying the VPN SSL settings on the Unified Firewall in the branch office:
1.2.1) Connect to the Unified Firewall in the branch office, switch to the menu Certificate Management → Certificates and ckick on the "Plus" icon to create a new certificate.
1.2.2) Modify the following parameters to create a CA and click Create:
1.2) Creating certificates and modifying the VPN SSL settings on the Unified Firewall in the branch office:
1.2.1) Connect to the Unified Firewall in the branch office, switch to the menu Certificate Management → Certificates and ckick on the "Plus" icon to create a new certificate.
1.2.2) Modify the following parameters to create a CA and click Create:
- Certificate Type: Select the option Certificate.
- Template: Select the template Certificate Authority.
- Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-CA-Office).
- Private Key Password: Enter a password. This is used for encrypting the Private Key.
1.2.3) Create another certificate by clicking on the "Plus" icon. This is used in the VPN SSL settings in the branch office (see step 1.2.8). For this purpose modify the following parameters and click Create:
- Certificate Type : Select the option Certificate .
- Template: Select the template Certificate Authority.
- Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-Office).
- Private Key Password: Enter a password. This is used for encrypting the Private Key.
- Validity: Set the validity to at least 5 years. This is recommended, since this certificate is used for all VPN SSL connections.
- Signing CA: In the dropdown menu select the CA created in step 1.2.2.
- CA Password: Enter the Private Key Password entered in step 1.2.2.
- Name (in this example VPN-SSL-CA-Office).
- Private Key Password: Enter a passwor d. This is used for encrypting the Private Key.
1.2.43) Create another certificate by clicking on the "Plus" icon. This is used in the VPN SSL connection settings in the headquarterbranch office (see step 1.2.8). For this purpose modify the following parameters and click Create:
- Certificate Type : Select the option Certificate .
- Template: Select the template Certificate.
- Common Name (CN): Enter a descriptive Common Name (in this example VPN-SSL-Office-Headquarter).
- Private Key Password: Enter a passwor d. This is used for encrypting the Private Key.
- Validity: Set the validity to at least 5 years. This is recommended, since this certificate is used for all VPN SSL connections.
- Signing CA: In the dropdown menu select the CA created in step 1.12.2.
- CA Password: Enter the Private Key Password entered in step 1.12.2 .
| Info |
|---|
You can also modify the Validity of the certificate if necessary. |
1.2.54) For the certificate created in step 1.2.43 click on the icon for the certificate export.
1.2.65) Select the format PEM / CRT, activate the option Export Certificate Chain and click Export.
1.2.76) Switch to the menu VPN → VPN SSL → VPN SSL Settings.
1.2.87) Activate the VPN SSL service via the slider, modify the following parameters and click Save:
...
| Info |
|---|
| If necessary, you can change the Protocol and the Port. The Adress Pool is the range of IP addresses that are assigned to the dial-in VPN SSL clients. This address range may not already be in use as an internal network in the Unified Firewall. |
2) Importing the certificates:
...
2.1.1) On the Unified Firewall in the headquarter go to the menu Certificate Management → Certificates and click on the button for the certificate import.
2.1.2) Leave the setting on Import Certificate, select the certificate file exported in the branch office in step 1.2.65) and click Import.
| Info |
|---|
Since the Private Key has not been exported no passwords have to be entered. |
2.2) Importing the VPN SSL certificate on the Unified Firewall in the branch office:
2.2.1) On the Unified Firewall in the branch office go to the menu Certificate Management → Certificates and click on the button for the certificate import.
2.2.2) Leave the setting on Import Certificate, select the certificate file exported in the headquarter in step 1.1.65) and click Import.
| Info |
|---|
Since the Private Key has not been exported no passwords have to be entered. |
3) Setting up the VPN SSL connections and the firewall rules:
...
3.1.1) In the headquarter go to the menu VPN → VPN SSL → Connections and click on the "Plus" icon to create a new VPN SSL connection.
3.1.2) Modify the following parameters and click Create:
- Name: Enter a descriptive name (in this example VPN_SSL_Office). Please note, that only letters, numbers and underscores are allowed in the name.
- Certificate: In the dropdown menu select the VPN certificate imported in step 2.1.2.
- Connection type: Select the option Site-To-Site (Server).
- Remote Networks: Add Enter the local network of the branch office in CIDR notation and add it via the "Plus" icon (in this example 192.168.24.0/24).
| Info |
|---|
If additional networks should be reachable from the Office via the Headquarter (e.g. via a separate VPN connection), these networks have to be entered as Additional Local Networks. The configuration is pushed from the Headquarter (Server) to the Office (Client), which creates routing entries for the transmitted networks. |
3.1.3) Click on the button to create a VPN network.
3.1.4) Modify the following parameters and click Create:
- Name : Enter a descriptive name (in this example VPN-SSL-Office).
- Connection Type : Select the option VPN-SSL .
- VPN-SSL Connection : In the dropdown menu select the VPN connection created in step 3.1.2 .
3.1.5) On the desktop click on the VPN network created in step 3.1.4, select the "connection tool" and click on the network object the site-to-site connection should have access to.
3.1.6) Click on the "Plus" icons to assign the necessary protocols to the connection.
| Info |
|---|
| A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication. |
3.1.7) Finally, implement the configuration changes by clicking Activate in the Unified Firewall. This concludes the configuration steps on the Unified Firewall in the headquarter.
...
3.2.1) In the headquarter go to the menu VPN → VPN SSL → Connections and click on the "Plus" icon to create a new VPN SSL connection.
3.2.2) Modify the following parameters and click Create:
- Name: Enter a descriptive name (in this example VPN_SSL_Headquarter). Please note, that only letters, numbers and underscores are allowed in the name.
- Certificate: In the dropdown menu select the VPN certificate imported in step 2.2.2.
- Connection type: Select the option Site-To-Site (Client).
- Remote Addresses: Enter the public IP address or the DNS name of the Unified Firewall or the router in the headquarter and addit via the "Plus" icon.
3.2.3) Click on the button to create a VPN network.
3.2.4) Modify the following parameters and click Create:
- Name : Enter a descriptive name (in this example VPN-SSL-Headquarter).
- Connection Type : Select the option VPN-SSL .
- VPN-SSL Connection : In the dropdown menu select the VPN connection created in step 3.2.2 .
3.2.5) On the desktop click on the VPN network created in step 3.2.4, select the "connection tool" and click on the network object the site-to-site connection should have access to.
3.12.6 Click on the "Plus" icons to assign the necessary protocols to the connection.
| Info |
|---|
| A Unified Firewall uses a deny-all strategy. You therefore have to explicitly allow communication. |
3.12.7 Finally, implement the configuration changes by clicking Activate in the Unified Firewall. This concludes the configuration steps on the Unified Firewall in the branch office.
...