Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 51
71. Lecture-71: Site-to-Site IPsec Route-Based VPN Template Lab.
So, now let’s start the lab, we will create a topology like this one site to start to be in first we will decide to start weepin and this is that our base will be in rediscuss. There are two types of people, broad based VPN side to side, and the other one is policy based VPN. First we will do our best VPN, then we will do start to side with being broad based. But men will matter first. We will do through template, then we will do manually. Then we will do policy based and then we will do remote access will be in two different ways.
So, let’s go. This is due to Bolaji we will use and the middle. I will take one router to represent an Internet router. This side we will assign one one one IP 248 firewall port one. And this is another for the Great Firewall. We will assign them two to two or number three on both sides. We will make them as a management interfaces. And board number two is my land, this side, which is 190 to 168 one branch and this start another branch branches are range 192 168 to range.
So, our main point is that these two pieces can reach in cryptically to this branch and nobody can see the traffic. What is going on between these two Iwon? We will enable to initiate this stratum.
So, when you send the net traffic, even we know the traffic is reasonable. It will be not visible because these interfaces will make them encrypted. Encryption will start from here and it will end because we will use tunnel mode, which I told you an Internet, nobody will see this. It will IP, they will see that to do is going to one one. But actually insert these Prickett like a public car, which I told you these fake will go.
So, this is the story of plebian.
So, outside we will use one one on side, one schema local, we will use one network. Remote is to network inside our layer three interfaces, one 100 management interface. We have one one four and said what IP is one ten other third they will use to to to localize their two and remote as one. Definitely. And so they have to understand one and management exchange. Now we have 144 and said what they are to do two.
So, this is the story to create this type of topology. Now let’s go.
So, first of all, I need one router to represent our Internet and let me give them name Internet. Now I need to firewall.
So, let me drag two for one from here. This is site it. And this is side B. Okay, now I need two speeches, so let me take two speeches, by the way, let me correct this too.
So, four tonight’s connected to zero and one is connected to what? One. Let me on this, please. It will start. And now I need to switch.
So, let me take this domy switch, okay? So, let me do this a switch, let me change this one to change symbol.
So, this is which they start and let me duplicated this, the search for this.
So, switch, switch, anything.
So, guess which one we make this switch, too, because this is. I do. And this is Skype. Okay, so now two switches. Now I need to clone fire management to that I can access them.
So, I take management cloud one and management cloud two. Okay, let me put them you, by the way, to the management cloud, okay, and let me connect them to board three, which will decide board three for management. And this one is for management. Three or two is connected to local land and for two is connected to local land. Okay, and I need to speak for this purpose.
So, this started I will take one server. This is Ripsaw. Okay, this is one whipsaw and one line ripped from. Okay, so we can see the traffic, which is not encrypted, that it will be encrypted or not, and this side I will use one PC and also a router to make them Mazatlán, etc., so that I can show you the Internet traffic will be also encrypted.
So, this is my whole topology led me to the Mindel.
So, this my line. By the way, let me explain this one to here. This is for you to NBC one as this site and one is this site.
So, this is. Let it sort of me.
So, this is my next door and this is B.S. one, and this is Ripsaw. As we saw, one scientist said, what are the results? So, this is HHTTP, which is not encrypted, and this was we will create a template.
So, in this way, we will test both now coming to hear what I need to do. Let me change this symbol to a client.
So, Glenn, let me choose this one and let me sit and empty one and let me change this one to. Look, Laurent. Okay. And this is MGD to. Okay, and let me put them here like this, where this is our management, okay? And so let me put here this way. Okay, let me correct this. Interfaces to the next set of one and we see and hear these two. And here we said, well, now the IP schema, we need the IP schema to assign.
So, far, I be schema, we decide 190 to 160, one or two range, should we decide this, what we decide for this site and for this site, we decide. Okay, now for peace, let us sign this is one. And this is 11 suppos. And here with what is whatever anyone. Okay, let’s do it the same. And this is one, but this is two, that one and two that anyone in here is we have wondered. One and one tardily one. This is our IP schema. And here we will use one, not one dark one, but one branch. Okay, and this site we will use to. To dark, to that, to orange. It’s our schemata.
So, this I should be let me duplicate this one. This will lead to. And this side should be one, part one, part one and interfaces, you already know, I don’t want to read them if you don’t bought one. This is for one. And this is also part one, this is for two. Or two and three is connected to management. This is war and this is paltry, not to mention there and for three or management is one ninety two point sixty eight one one four zero twenty four, which is very different at close range. Okay, then this is the basic schema. First, let me configure this rotor.
So, right. Click on rotor start and go to console. Make them incertain, etc..
So, configure interface is zero zero IP address 192 one sixty eight one, dark one, I think zero two five four two five five five five zero no shut down exist do right. And we will configure IP around that water. What do you call zero zero zero. Give it to 192 168 wunderkinder. This is five to one IP which we will assign line. We divide zero two for transport transport input all and Pasquale’s. But what is one, two, three and login enabled Internet on this one and do right, that’s it.
So, my HTTP attorney said what is really now configured? This one, right. Click on this one. Edit configuration, remove ah to remove this one. This one. This one and this one.
So, we decided one and this should be a layer one. This should be handled and this should be one. No need to DNS because we do not require VNS to control. See and one that when it’s done now go to PC to edit configuration control, air control. We just changed this one to two and this one is to one. And this one is to to control air control. See Suu. And right, click on Ripsaw, control a control, we do that the one only change this one.
So, let me double check it configuration to that one, okay? And this. Should we go to that configuration to that that one. Yes. And this one is one that we already know and. Yes. Is correct. Just to double check now we can enable these if you want. No need, but we will need them later on. Okay, so IP is done now coming to Firehole, but before going too far, let’s configure Internet router, MUTLU Internet router and we just need to IP Zizic because we don’t have any control on Internet.
So, unintelligible, what I will do will do configuration interface, this interfaces zero zero and this one is zero one, so interface is usually zero. Here I will assign one dart one dot two two five five zero zero. No shut down. That’s it. And interface is one here I will assign. Two to two, and this should be one, two, two, one, no shut down, so should I interface, but only to be N.W., right? That’s a no need anything up here because we don’t have any controller Internet out there.
So, this is, by the way, to if I have to somewhere, it might not be.
So, I assigned to IP here and this site I assign. One might be two to one. Two to one, let me. There’s the okay now coming to fight. Now the last thing, so right click go to console and log into this device because the ATP is enable and bought one.
So, we will not get any IP so far as to login edman no password to enter. One, two, three, one, two, three or two. Config board three config sorry. Interface. Config sys interface and edit Witchboard port one, two, three and enable three set allow access htp and being kidnapped ok and SSH. Whatever you want to allow enter and set mode be it will get the ATP in and show system interface support. Number three, we will get IP. A provider of care for number three is the ATP. Yeah. To which we get 141 141.
So, one router is really solid firewall. We will get access to this one. And now let’s go to the other one.
So, right. Click on this one. Go to console admin. One, two, three. One, two, three. Conflict system interface added one to three and said, allow access is too deep. Is being a SSH, whatever we want to know and it be, it could be. And and so now if I check for system interface support number three, will I be truly HCB after a while because we are connected to net cloud first. Good one for to do so is a good one once we get 141 orders for 142.
So, this is one.
So, let me log in the first one admin and one, two, three. Let me change the name, so this is site one, so house names are done so that we will understand this. We started this.
So, this is started one. And let me log into a admin and one, two, three, and let me give them the name this Pardoel site to.
Sorry to be so good. Now let me change the color one for a while so you will not be confused about the system, what water doing and there is to change the theme, whereas we can change them. Yeah, this is so let me make them this one.
So, sorry. One is this color and this one is green color.
So, this is third one. Now what I need first I need interfaces which we normally do. Auto interfaces, wudu interfaces pt. one Eurosport one can connect this one. This is green so give them the name when and what is the IP we decide. I remember one one one one.
So, let me assign one dart one dart one slash eight. This what we decide. No need of assistance, no need of htp. Just need to bring. This is not that one. That’s it. Done.
So, our brain interface is done now we have another interface to so two interfaces our LAN interface. And the IP, we decided one night to do what, a 60 year one Dortmunder, that’s what we decided to you remember this one hundred and we just need a ping to test them to third interfaces for three, which is management. Just for the sake of understanding, we will type in GMT and we will make them as men will the same IP, but we will make them manual and ok because they say you are connected, you will be disconnected. I say so. Okay, so land management and when three interfaces, we are using no need of VNS because in this case we don’t have anything otherwise we can configure DNS, be in no need of strategic crowd, no nothing. We need nothing. That’s it. Now we’ll be the other one. Do the same thing, the interface. And here first interface is the one interface. This is their third fight, one man will be, but we decided we should be too dark, too dark to okay this one.
So, the other side public appears to that to no need of anything, only ping is allowed and okay, so one interface is done which is bought. One or two is the LAN interface site to an IP address, 100 to 150 to 200 and put here so that we know and allowed being on this interface. Then third interface is the management interface.
So, here M.G. empty and make them manual one four to do that once for one forty one and ok and ok then.
So, these are the basic setup interfaces name just for understanding purposes and we assign them IP interfaces lan when and manage when their interfaces ip now go do any firewalls, start from site a less configure start to start with Beom. But before decided to start with being what we want to do, we need to configure one static road from firewall that if you have anything, anything, give it to Internet. Troughton So, here I will use here when and what is the way IP one dart one that to this is one day one one to this one. This is Saadeh one. I say give it to this guy and ok on the other for while I will say whatever you give it to two two one two year old sister degrowth create new and here I will choose one and you will sell to dark to start to that one. Anything. Give it to this guy. Let me see. I can figure this one correctly at one one buia and this is two to one this Routier IP. Now, before configuring firewalled, do you think this rotaries reachable to PC one, no, let them from this router. Let me bring this IP 190 160 to that one. Being 192 in 68 to that one, no, I’m not reachable because it’s not possible there is no routing nor routing in the middle road. This is Internet Roder and Internet router will never accept our private IP to reach here and neither they can build a road for us until you pay them some, you pay them.
So, why then what is the advantages of Libyan descent? The Metro only No. One one IP and this are the only no to do IP. But the communication is going from 190 to 168 one dark one to 192 168 to dark one, which is not acceptable. It’s not working. And even if you are not sure, let me from you want to offset what exists, it will not work. Let me open this and we’ve said what IP is one ninety two one sixty eight to that India one. It will not work. I’m sending the traffic here. And this traffic will be visible here if I start by a wide shot, you will see that somebody is sending HTTP traffic, but Private Alby’s is not allowed. There is no road to reach the way I’m showing you, because now when we configure, we believe that things will be changed.
So, let me generate traffic again. Okay. Still generating you will see visible that who is going. It has to show me the issue a bit slowly. 192, 168, because this traffic is not reaching here, it has to reach, by the way, here, it has to for 192. Let’s see. He is one one to issuing some arbitrary but not the other one, but it is just to show us, but it’s not reachable because there is no doubt. Let me read this one right now. I don’t need this one. Stop. It’s not reachable. Look at two, that one is not reachable, this website, one neither from here, neither from this site known as Configures, to start with in between four to get one to four to get to how go will be in here and start when I’m inside one. Okay. This is all controller VPN, which I told you need to register in 40 cloud, which I told you we don’t need to touch this one. Then the second one is a basic terminal.
So, there is nothing. When I click it it will take me to IP with a basic wizard.
So, either coming from here, either from here is the same thing. But here it will show you when it’s created. It will show you here. But ABC, it is a wizard. I don’t know what is a it’s a complete this.
So, either click on Create New IP aggregate if you want to combine more than one VPN is a one I will show you when you create a basic tunnel, it will take you here, either from here or not. Let me start from here. IP IP Wizard named them.
So, I will say side one side to this. I just give them the name of the two and make them more simple. I just want to add to this my name. This is what is done by bardoli. What is template side to side to spok and more taxes are custom side to start issuing here one card for the year from the other half to one to more if you are connected more.
So, this is how to spell remote access. If you are connected, your plan back to your firewall and custom if you want to customize them. But I said no.
Sorry to start right now. I want to do this one. Then they said net configuration. Is there any network device, you know, because you are not connected through if there is like this this set out. Now I said this idea behind it, then they will apply a, you know, net reversal, which I told you, if you see a remote service within the boundaries, I’m sorry, but in our case, we don’t have any network devices done. Now, this is a remote device type is a four digit a Cisco.
So, it can be configured with any render out that in firewall, keep in mind.
So, I said 48, so 48 before they get side to side, okay, and click next now is asking me dynamic business. If you don’t know and the ideas are changing, then you can use dynamic DNS. It’s a good option, by the way, if you have an environment like home and small office, so small office there don’t have static IP, then you can use dynamic DNS dynamic. Benazir is there by DNS concept. I will tell you some other day what is possible. But in our case we have a starting IP. What is the remote IP to door to door to. This the when interface, which I’m reaching, you know, to to to this to do to do next IP no authentication method, I told you to type of authentication method pre shirkey and signature. We will use pre shirkey. I will type one, two, three, four, five, six. Then now click next, now the asset rich IP you want to encrypt to send that side.
So, I say my so it’s automatically Meilin this Meilin 101 68 and this is where you want to send your traffic.
So, this is the opposite one.
So, this is my local Lenn 101, section 1.0.
So, I said in this local Lochlyn, go to this Lochlyn. More, this one. Do they said that they want to exit the Internet and Mark either share local? Either you use the remote either.
So, in this case, they are not using any Internet, these lowline and this done and created. It was so simple. They created each and everything look at they created a group for us, they created a moderate risk group, they created a phase two that create a strategic road for us. They create a black hole road, which I told you, they’ll create a local subnet for us, you know, the IP and also remote local policy and everything. They’re done in how we know. Let’s go. The policy does. We created policy before. No, there will be policy automatically. Look at two policies automatically. We’re from we’re from land to weapon and another policy is from Libyan Boulin. Keep in mind, next time we will do this manually.
So, which policy they create, we will create this policy manually, which they created lane to weapon and VPN to lead. Let’s go to network. Static crowd Oh, they created two rodwin. It’s one two as remote and as one to as two remote. Blackhall you know Blackhall which I told you to pull before the last one.
So, guess the network is down on one side they will be destroyed and this they create a VPN.
So, we’ve been brought as well.
So, they create a policy and let’s go to a budget and policy and addresses. They created addresses for us as will look at this is our local subnet. One hundred and sixty eight that one. And this is the remote one. One hundred and sixty eight. And look at necessary dominatrices. Well, they created addresses for us. They created a policy. They created a road. They created addresses, everything. They don’t have to magically just in three click need to do the other side. Now we need to do the same job on the other side of the wall. You will call security engineer. Look at there is no doubt. Let me show you, there is no policy.
Sorry, where is. There is no policy, nothing, after a while, you will see each and every thing. Nothing be implicit, benign, no less will do will be on the other side. Click on Piecyk visit and this site, I will say site to two sites, one site to site non-natural devices for Pigott. In next remote address is one that went public IP. Okay, and Preacher Shaky, we put here one, two, three, four, five, six, it should be similar and click next. My local is this one puzzle and the other one is one and create done everything local. The more fair is to state Blackwall out local remote policy, remote to local policy. They created everything for us. If we go to object and addresses there will be addresses created automatically. This one they created. If we go to policy they are created to policy for us. This visit land to side to side and side to side to land to policy has been created. And if we were to network in drought, you will see to drought has also created. But before bursting, I want to Warshak here to show you the capture. And now we will generate traffic and you will see it will be encrypted and it will show the public IP, not our private IP communication, will do the private IP and it will show public I.D. and also how to verify.
So, if we were to monitor it, there is a basic monitor now if we check.
So, it’s down down arrow because there is no traffic generated right now.
So, let me go to capture, okay, and let me drive. I zakim this the first because nothing is, you know, let’s generate the traffic before it was not working. I hope it will work. Now look at internet when we train. It was not working. Look it is working but here look at Creekmore. What is the other one. There are six because they missed them. Okay, let me see. Like here. Maybe they give them some other name. Okay, so from where it started, there are six figures, so maybe we missed them. Yeah, they just started directly with great Motsyk and more. This is these first two more, which is encrypted, by the way. All the traffic will be encrypted, but before a quick moriches three because there are six figure exchanged more information, which I missed for some reason, they start from phase two and there is no phase one. They missed the phase one we need to clear. Now there is E.S.P. Look at who is going one dark one. I’m sending a clear text traffic, but here issuing me E.S.P. This the last big idea. How many? One zero five. Now you will see more if I refresh one zero five. Now you will see one zero five one zero. Let me put them in the E.S.P only look at one one four Penya regional traffic. One one four, Benoist, 128. And who is going one one is going to Tutut, it’s not showing that basically 100 to 168 to that one is going to 190 to 160 or 230. One is been interrupted by E.S.P and E.S.P. You remember, IPIC is using encapsulating security payload to encrypt our traffic. Nothing is visible. Let me do a Telnet. You know, we, we always say that then it is not secure. Let me do what I need from this site.
So, Ben. To this stunning upset, one 192, the other said 100, 160 had one dark one and possibly two, one, two, three. Do you think there will be traffic? No. There is no doubt that’s been converted by E.S.P, which is encrypted and nobody can see anything and encryption, I told you our garbage data. This is the beauty of it now. Everything, even if it isn’t clear it’s going in. Oh, yes. Then it is authority. Encryption is starting from this one and ending at this point. If I give you a break in here, it will be done. And if I gave — up, it will be delayed. Let me show you. Let me start giving. Here it will show benot. But I would go out from the interface if they become E.S.P.
So, let’s start this one and let me just read it again, except. Let me show you let’s start and now let’s do you will you to look at one, two, three. There is a definite interpenetrating, but when we go out, there is no denying it is. It’s become a sausage.
Sorry, E.S.P. And this public IP is doing communication for us. Even we don’t have a out, but these two have out because this is the prerequisite that public IP has to be reachable.
So, this public IP is reachable here and they’re hiding information and they’re deceiving the internet router there to do is going to oneone and this are they said this is one one is going to do to hiding the information and how to verify it. Now, if you refresh it, will be cleaning up. This metadata is gone to the other side. And now we can see from the other side, if you like, and you can see here is been. Go to monitor and there is a basic monitor from here you can refer you to a screening of.
So, let me go through if I missed something for some reason so we can figure this one okay, and then we management interfaces, we test them.
So, nothing was working before the test. Then we configure we from one side, okay? And we check them that they configure each and every thing automatically. Then we monitor them and then the other side we configure from the other side we configure VPN and what we do. And then when we start so it’s working and in Washakie issuing E.S.P rather than the actual data and it will show you six figured if I give a — herea I did not give those six fricatives well.
So, it’s E.S.P and they’re testing for the exit.
So, this was side to side with being around this, okay.