Fortinet NSE4_FGT-7.2 — FortiGate Firewall — Section 1: FortiGate Firewall V6.4 1 Part 52
72. Lecture-72: Site-to-Site IPsec Route-Based VPN Custom Lab.
Last time we did a site-to-site VPN using the template: just next, next, next, and it was done. It was that easy to create a site-to-site VPN with the template, and it is good to know. This time we will do it manually, so we will see all the things we studied in the theory class about VPN.
Now we will see each and every step. With the template there was nothing to explain: just next, next, and after three clicks or so the VPN was ready.
So let's build a topology like this and configure everything manually.
First I need firewall one.
Let me take the FortiGate firewalls, two of them: this is site one and this is site two. In the middle I need a router to play the role of the internet, so let me take one router, put it here and rename it Internet. If there were an internet-style icon that would be nice.
I cannot see an icon that looks like the internet, but anyway, let me label it Internet. Port1 of this firewall connects to interface 0/0 of the router, and port1 of the other firewall to 0/1. Now we need two switches.
Go back to the lab and take two switches, and rename them: this is switch one and this is switch two.
Let me rename them to Switch1 on the site one side and Switch2 on the other side (renaming is fiddly here). They represent my LAN. I need a few PCs to test with.
For that I will take a router as well.
Let me add a router, name it as a server and change the icon to a server. This is Server1; I don't know why the tool numbers it six.
So this is Server1, and this one here is Server2; let me rename it to Server2. Both sides have a server. Then I need a client. We can use VPCS for that; it is not a big issue, we just need something to test from.
So why not use VPCS? Let me add them as PCs. For some reason the tool labels them A, B, C, but this one is PC1, on the Server1 side, and here we have Server2 and PC2. This is the small topology we need.
Let me connect them: port2 of the firewall goes to the switch, and from the switch I connect Server1 and PC1; the same on the other side for Server2 and PC2. Now I need management. For management I will take a cloud; in my case Cloud1 is connected to my PC.
Here I select my adapter and connect port3 of both firewalls to the cloud.
So this is my management network.
Let me select everything and start it. For some reason one device is not starting; let me start it again. That's enough.
This is site one and this is site two.
While the devices boot, let me label the IP scheme.
192.168.1.0/24 is this site's subnet, and the opposite side, site two, is 192.168.2.0/24. For the WAN side we will use a 1.1.1.0 range, which we normally do.
So 1.1.1.1 will be this firewall's public IP and 1.1.1.2 the Internet router on that link. On the other side 2.2.2.2 is this firewall's public IP and 2.2.2.1 is the Internet router. The LAN IP of this firewall will be 192.168.1.1.
Let me put the labels: the firewall gets 192.168.1.1 and the server 192.168.1.2.
The same on the other side: 192.168.2.1 for the firewall and 192.168.2.2 for the server, and 2.2.2.2 on the public side. This is our IP scheme. Now let's start with the Internet router before the firewalls: interface 0/0 is connected to site one and 0/1 to site two.
Interface 0/0 gets 1.1.1.2 and 0/1 gets 2.2.2.1. In the router CLI: config t, interface e0/0, ip address 1.1.1.2 255.255.255.0, no shut, exit; interface e0/1, ip address 2.2.2.1 255.255.255.0, no shut; then hostname Internet and write. That's it for the Internet router.
Let me run show ip interface brief to verify: yes, 1.1.1.2 and 2.2.2.1, both up. We don't need anything else here. Next the server router: interface e0/0 gets 192.168.1.2, which we decided, with mask 255.255.255.0, then no shut. Then a default route, ip route 0.0.0.0 0.0.0.0 192.168.1.1, which is the firewall. Another thing I need is to enable Telnet, just so we can check later whether the traffic is encrypted or not.
So: line vty 0 4, transport input all, login, exit.
Let me open this router, which represents our Server1, and paste the configuration. First let me change the hostname to Server1, then apply. The same thing on the other side.
Let me open Server2 as well. The hostname is Server2; the IP address is assigned and the interface is not shut down; under line vty 0 4 we have transport input all and login, and the password, which I forgot: password 123. Write. Let me verify that the password is 123. Then change the IP to 192.168.2.2 and the gateway to 192.168.2.1 and paste it on the other side, with hostname Server2, so everything is done at once.
So this is the other side's configuration: hostname Server2, IP 192.168.2.2, no shutdown, and the default route to the firewall 192.168.2.1.
Write. These two are the PCs; we will assign their IPs later. Now, we are using port3 as management.
Let's configure port3 on the FortiGate so we can get GUI access. The admin password is blank on first login; press Enter, then set a new password, 123, twice. Then: config system interface, edit port3, set allowaccess http https ping, end.
Sorry, one thing I forgot: under config system interface, edit port3, set mode dhcp, so it gets an IP automatically and we don't need anything else. Let's do the other side with the same configuration: admin, password 123, config system interface, edit port3, set mode dhcp, set allowaccess http https ping ssh, end. Then show the interface to see the IP address.
Let's get the IP on the third interface, which we use for management, type it in the browser, and log in with admin and 123. Change the hostname to Site1. Let's open the other one as well and look under System > Interface.
This one got .104.
So this one is .104 and the far one is .134; log in with admin and 123 and name it Site2. Also change the theme color under System > Settings, so one side is green and site two a different color; at least we can identify which firewall we are on. The basic stuff is done. Now we need to assign port1: 1.1.1.1 here and 2.2.2.2 there. Then a default gateway: from this side send everything to 1.1.1.2, from the other side everything to 2.2.2.1. Then go to port2 and assign 192.168.1.1 and 192.168.2.1. Then give the three interfaces names (management, WAN and LAN) so they are identified quickly. DNS is not needed in this case, but if it were connected to the real internet we would configure DNS. Then we configure the VPN.
Now let's go to the first firewall. As usual, start from the interfaces. Port1 is connected to the WAN: give it the alias WAN, assign 1.1.1.1/24, and no administrative access is needed. One interface is done. Port2 is our LAN interface, as we know from the topology: assign 192.168.1.1/24 and allow ping just for testing. Port3 already has its IP from DHCP: alias MGMT, role management. Three interfaces are done. No need for DNS. Normally we then add a static route.
I create a static route: destination anything (0.0.0.0/0), gateway 1.1.1.2, on the WAN interface. That's the first firewall. Now the other one, where we repeat the same thing: port1, alias WAN, IP 2.2.2.2/24, ping only; port2 is our LAN interface with 192.168.2.1/24, which we already decided, with ping; port3 is via DHCP, alias MGMT, role management, so you know it is the management interface. Then the static route: everything to 2.2.2.1, the Internet router.
Gateway 2.2.2.1 through the WAN interface, OK. That's it, this is the basic configuration. If you test from here, each public IP has to be reachable from the other firewall; that is the first requirement. Ping 2.2.2.2 from here: reachable. But keep in mind, as I have repeated a hundred times, the other subnet is not reachable: 192.168.2.0 is not reachable from here, not even the far firewall's LAN IP, because there is no route. After we build the VPN it will be. The two public IPs are reachable because both firewalls are directly connected to the Internet router and their default routes send everything to it. That doesn't mean the LANs are reachable: the Internet router only knows 1.1.1.0 and 2.2.2.0; it knows nothing about the 192.168.1.0 and 192.168.2.0 subnets.
So if you send anything to 1.1.1.1, the Internet router can deliver it, but anything to a 192.168 address it drops, because it has no route for it.
Keep that in mind, just to clarify.
My basic topology is ready. Now let's start the site-to-site VPN. We need a LAN-to-LAN VPN, which we call site-to-site, so that 192.168.1.0 can reach 192.168.2.0 privately and nobody in the middle can see the traffic. Right now the Internet router does not forward the private ranges, but it will, because it will see 1.1.1.1 talking to 2.2.2.2 while the private packet is carried inside. This concept we call VPN.
Let's go to the first firewall, Site1, and open VPN > IPsec Tunnels > Create New. Clicking there brings you to the wizard, which I showed you last time.
Give it a name, say VPN-to-Site2, meaning from Site1 going to Site2. Last time we chose the Site to Site template; this time I don't want that, I need Custom. Now everything changes. Click Next. They ask for the IP version, IPv4, and the remote gateway: a static IP address, 2.2.2.2.
So the remote gateway IP is 2.2.2.2, my local gateway is 1.1.1.1 (you can specify it if you want), and we reach it through the WAN interface. Mode config is not needed. NAT traversal, which I mentioned in the theory: there is no NAT device in the middle, so I can enable, disable or force it; right now I disable it, because there is nothing doing NAT on the path. Keepalive frequency goes with it. Dead peer detection you can set to on demand, which I already covered theoretically. Forward error correction is for when packets are being lost.
You can enable FEC on ingress and egress, inside and outside. Under Advanced there are the aggregate options, for aggregating more than one VPN; leave them disabled for now, I will show them later. Then authentication. I told you in the theory: the first method is signature, meaning a certificate, and the other is pre-shared key. We use the pre-shared key 123456; it has to be the same on both sites. Then the IKE version, 1 or 2. Version 2 is the updated one and version 1 is the old method, but we still use version 1 most of the time because many firewalls and routers support it.
With IKE version 1 there are two modes, main and aggressive. In main mode six packets are exchanged in phase 1: the first four in clear text and the last two encrypted, and in phase 2 everything is encrypted. Aggressive mode does the same job in three packets. I will use main mode, which is more widely used. Then the phase 1 proposal: encryption and authentication. They give many options; I just need one.
I remove the rest. Because this is not a licensed device they only show a few: 3DES, AES128, AES192 and so on. We use one encryption and one authentication, which we discussed theoretically; you can use any of them. Diffie-Hellman group: they support all of them; let's use 5, which is already selected. So for phase 1 we use AES for encryption and SHA for authentication, meaning a hash is generated so nobody can alter the data, as I told you last time. The key lifetime stays at the default, which is about one day. No local ID. XAUTH we don't need; we are using pre-shared key authentication, as planned. Now phase 2, where we do the same thing.
Let me go to Advanced. I don't need so many proposals, just one for phase 2: again AES with SHA. Enable replay detection: a basic feature so nobody can capture a packet and send it again later; replayed packets are discarded. Enable perfect forward secrecy, which is also security related, like in phase 1, and again Diffie-Hellman group 5 for phase 2.
Local port, remote port and protocol: leave them at all. You can specify a port if you want, but we allow traffic for any local port, any remote port and any protocol. Protocol numbers go up to 255; if I type 256 it gives an error, as I told you.
Auto-negotiate: the two sides negotiate by themselves, and with autokey keepalive there are keepalive messages continuously; both happen automatically if you enable them. Then the key lifetime: like the phase 1 lifetime there is a phase 2 lifetime, in seconds, and it can also be set in kilobytes or both. So these are all the settings. To recap, phase 1 we call the management tunnel and phase 2 the data tunnel; the first is like a security guard and the second the actual person visiting another country. The purpose of phase 1 is to protect phase 2. In phase 1 the first few packets are in clear text, but that is okay: they are only agreeing on the methods, such as the Diffie-Hellman group, AES and SHA. They decide everything in four packets, the next two are encrypted, and then the actual data goes through the phase 2 tunnel.
This is the custom tunnel I created, but we are not finished. Last time with the template it was done in two minutes and everything, routing and policies, was created automatically. Not here: no policy was created. We need to do it on our own.
If I go to Policy & Objects > Firewall Policy, there is no policy, only the implicit deny. Last time with the template everything was created here as well.
So now I have to create policies to allow the VPN traffic.
I need two policies: LAN to VPN and VPN to LAN.
First the traffic from LAN to VPN. Source: the LAN subnet; you can create your own address object, which we will discuss. Destination: you can put the specific destination 192.168.2.0, but I put all because I need to create two policies anyway (last time they were created automatically, remember, the beauty of the template). Service: all; you can restrict it to HTTP, Telnet, whatever. No inspection, and we don't need NAT.
Let me disable NAT and enable log all sessions, because I want to see the logs. But this is only one policy, LAN to VPN. Now I need a new policy from VPN to LAN, which the template created automatically last time.
Choose the VPN interface as source and LAN as destination, with the VPN subnet as source address.
So VPN to LAN: in this case we don't need anything else, no NAT, log all sessions. But we are not finished yet.
The manual procedure takes longer, and you may be confused and prefer the template, but you have to know how it is done. Now I need a route as well, because this is a route-based VPN, not a policy-based VPN, so go to Network > Static Routes.
There is the default route we created for the other purpose. Now I add: if somebody tries to go to the 192.168.2.0 subnet, which is the opposite side's VPN subnet,
give it to our VPN interface, so when somebody is trying to reach that subnet the firewall sends it into the tunnel, not to the gateway. And OK. Why is it not accepting anything? The destination is 192.168.2.0. I did something wrong; for some reason it is not saving. Let me see, maybe I missed something.
Last time the template created these things automatically; let me show you: it created the local subnet address, the remote subnet address, the static route and the blackhole route, and also two policies. This time we have to do it ourselves.
Let me choose again. For some reason it was not accepting it; we'll make it again.
So if somebody wants to go to 192.168.2.0/24, the gateway: I don't need a gateway in this case. Destination 192.168.2.0,
sorry, not .1.0 but .2.0, and here I need to choose the interface. Something was wrong before, because here you can choose the tunnel interface directly: if this is the destination, give it to the VPN interface. Done. The third thing, if you want, is a second route for the same subnet to blackhole, with administrative distance 254, the last one.
So if any traffic doesn't match, for example one side is down and somebody keeps sending traffic, it would otherwise be a burden on your firewall.
Instead it is discarded by this blackhole route. In Cisco we use the Null interface, Null0; I explained it under EIGRP and BGP.
For example, with route summarization in EIGRP a route to the Null interface is created automatically for this purpose: if a packet comes for a prefix under the summary that does not exist on the other side,
it is dropped by the null interface. Here we use blackhole for the same safety purpose. That's it.
So one site is ready, and we do the same thing on the other side.
First the interfaces, which we already did, and everything else.
Now let's go to VPN > IPsec Tunnels, Create New, name VPN-to-Site1, choose Custom, Next. IPv4, remote gateway static 1.1.1.1, interface WAN. If you want, you can set your own local gateway; we don't need that. Authentication: pre-shared key 123456, which has to be the same on both sides. IKE version 1, main mode, AES with SHA, DH group 5. Phase 2: the local subnet. I did not set the local subnet on site 1, I think, so I need to go back there afterwards.
Our local subnet is 192.168.2.0/24 and the remote subnet is the opposite, 192.168.1.0/24. Go to Advanced, remove the extra proposals and keep one; phase 2 again uses DH group 5, enable everything (replay detection, PFS, auto-negotiate), and OK. Let me finish this side before going back. The second thing I need are the policies, which are not created automatically: two policies, the first from LAN to VPN.
So my LAN goes to VPN-to-Site1. You should put your own range; anyway I choose all, all services, no NAT, log all sessions, and OK. One policy is created, which allows traffic from LAN to VPN; but there will also be traffic coming back, which must be allowed from VPN to LAN.
So source VPN, destination LAN, source address all, destination all, services all, no NAT, log all sessions, and OK. The last thing we need is under Network > Static Routes: create a static route saying 192.168.1.0/24, so any traffic going to that subnet
is given to the VPN interface, gets encrypted and goes out through the tunnel. And also, for the case where our traffic cannot go through the tunnel, let me add the second one.
What I need to do: the same subnet to blackhole with the highest administrative distance, for safety reasons. Now I need to go back, because I made one mistake: on site 1 I did not set the local and remote subnets in phase 2; it was created with 0.0.0.0, so I edit it with the pencil icon: the local subnet is 192.168.1.0 and the opposite side's is 192.168.2.0.
So basically 192.168.1.0/24 means anyone from .1 up to .254 going to 192.168.2.0/24: before anything goes between these two, it has to be encrypted. That's the only thing.
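The manual steps on the two sides have to mirror each other exactly, and this is where the procedure goes wrong (the forgotten phase 2 selectors above). Here is an added Python check, not FortiGate code and not part of the lecture, that holds both sites' phase 1, phase 2, route and policy settings as built in this lab and reports every mismatch; the proposal string aes128-sha256, the tunnel names VPN-to-Site2 and VPN-to-Site1, port2 as the LAN interface and the route distances 10 and 254 are assumptions.

```python
from copy import deepcopy
from ipaddress import ip_network

ANY = "0.0.0.0/0"  # selector value the lecture left on site 1 before the fix


def site(name, wan_ip, lan_if, lan_net, peer_ip, peer_net, tunnel):
    """One site's settings in the order the lecture fills them in (constructed)."""
    return {
        "name": name, "wan_ip": wan_ip, "lan_if": lan_if, "lan_net": lan_net,
        "tunnel": tunnel,
        # Phase 1: IKEv1 main mode, pre-shared key 123456, one proposal, DH group 5.
        # The proposal string is an assumption; the lecture keeps one proposal.
        "phase1": {"remote_gw": peer_ip, "ike_version": 1, "mode": "main",
                   "psk": "123456", "proposal": "aes128-sha256", "dhgrp": 5},
        # Phase 2: replay detection and PFS on, local/remote selectors mirrored.
        "phase2": {"proposal": "aes128-sha256", "dhgrp": 5, "pfs": True,
                   "replay": True, "local": lan_net, "remote": peer_net},
        # Static route to the far LAN via the tunnel, plus a blackhole route for
        # the same prefix with the highest administrative distance (assumed values).
        "routes": [{"dst": peer_net, "device": tunnel, "distance": 10},
                   {"dst": peer_net, "device": "blackhole", "distance": 254}],
        # LAN-to-VPN and VPN-to-LAN accept policies with NAT disabled.
        "policies": [{"src": lan_if, "dst": tunnel, "action": "accept", "nat": False},
                     {"src": tunnel, "dst": lan_if, "action": "accept", "nat": False}],
    }


SITE1 = site("Site1", "1.1.1.1", "port2", "192.168.1.0/24",
             "2.2.2.2", "192.168.2.0/24", "VPN-to-Site2")
SITE2 = site("Site2", "2.2.2.2", "port2", "192.168.2.0/24",
             "1.1.1.1", "192.168.1.0/24", "VPN-to-Site1")


def variant(cfg, section, key, value):
    """Copy of a site with one setting changed, for what-if checks."""
    changed = deepcopy(cfg)
    changed[section][key] = value
    return changed


def site1_with_forgotten_selectors():
    """The lecture's slip: phase 2 selectors on site 1 left at 0.0.0.0/0."""
    return variant(variant(SITE1, "phase2", "local", ANY), "phase2", "remote", ANY)


def check_pair(a, b):
    """Return the list of mismatches; empty means both sides mirror each other."""
    problems = []
    for key in ("psk", "ike_version", "mode", "proposal", "dhgrp"):
        if a["phase1"][key] != b["phase1"][key]:
            problems.append(f"phase1 {key} differs: {a['phase1'][key]!r} vs {b['phase1'][key]!r}")
    for key in ("proposal", "dhgrp", "pfs", "replay"):
        if a["phase2"][key] != b["phase2"][key]:
            problems.append(f"phase2 {key} differs: {a['phase2'][key]!r} vs {b['phase2'][key]!r}")
    for x, y in ((a, b), (b, a)):
        p2, far = x["phase2"], ip_network(y["lan_net"])
        # The remote gateway must be the peer's WAN address (1.1.1.1 <-> 2.2.2.2).
        if x["phase1"]["remote_gw"] != y["wan_ip"]:
            problems.append(f"{x['name']}: remote gateway {x['phase1']['remote_gw']} "
                            f"is not {y['name']}'s WAN address {y['wan_ip']}")
        # Selectors: my local = peer's remote, my remote = peer's local, never 0.0.0.0/0.
        if ANY in (p2["local"], p2["remote"]):
            problems.append(f"{x['name']}: phase2 selector still 0.0.0.0/0")
        elif (ip_network(p2["local"]) != ip_network(y["phase2"]["remote"])
              or ip_network(p2["remote"]) != ip_network(y["phase2"]["local"])):
            problems.append(f"{x['name']}: phase2 selectors are not the mirror of {y['name']}'s")
        # Route-based VPN: the far LAN needs a route out of the tunnel interface, and
        # the blackhole for the same prefix must lose to it on administrative distance.
        via_tunnel = [r["distance"] for r in x["routes"]
                      if ip_network(r["dst"]) == far and r["device"] == x["tunnel"]]
        blackhole = [r["distance"] for r in x["routes"]
                     if ip_network(r["dst"]) == far and r["device"] == "blackhole"]
        if not via_tunnel:
            problems.append(f"{x['name']}: no static route to {far} via {x['tunnel']}")
        elif not blackhole:
            problems.append(f"{x['name']}: no blackhole route for {far}")
        elif min(blackhole) <= min(via_tunnel):
            problems.append(f"{x['name']}: blackhole distance must be higher than the tunnel route")
        # Policies: LAN->tunnel and tunnel->LAN, accept, NAT off (the template made these).
        allowed = {(p["src"], p["dst"]) for p in x["policies"]
                   if p["action"] == "accept" and not p["nat"]}
        for src, dst in ((x["lan_if"], x["tunnel"]), (x["tunnel"], x["lan_if"])):
            if (src, dst) not in allowed:
                problems.append(f"{x['name']}: missing accept policy {src} -> {dst}")
    return problems
```

check_pair(SITE1, SITE2) returns an empty list for the lab as finally built, while check_pair(site1_with_forgotten_selectors(), SITE2) reports the 0.0.0.0/0 selectors on site 1 and the resulting non-mirrored selectors on site 2.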
Now we are almost done, so let's test. But before testing, let me start Wireshark here.
Sorry: right-click the link on port1 and start the capture.
So that we can see the traffic. And let me check whether it started.
It is not working. Let me try the other link on port1. For some reason it is not capturing; anyway, what I need to do now is try the VPN.
From this server router I ping the other side, so that we generate traffic.
First, in Server1: config t, no ip domain-lookup, because otherwise it gives that DNS lookup error again and again.
It's better to disable it. Then ping 192.168.2.2: if everything is okay it has to be reachable. Before it was unreachable, and now it is working through the VPN, without any restriction. From here to here, remember, it was not working; now I can reach it.
Now this traffic is crossing the tunnel; unfortunately the capture is not working, otherwise I would show you. Let me try again. I am running it from the server side; maybe that's the reason. The capture has to be started on the link here.
That may be the issue anyway. Now check the tunnel: before it was down because no traffic had been generated; now we have generated traffic.
If you refresh, the tunnel has to be green and up now. Yes, which means it is working. Also under Monitor there is the IPsec Monitor, and if you go there it shows traffic, incoming and outgoing bytes. And on the other side, if we go to the tunnel,
it's green and up now as well, and if we go to the IPsec Monitor and click here,
there is the traffic.
So now everything is working; unfortunately I wanted to show you the capture, where you would see six packets and then the encrypted ones. But anyway, it is working from here to here. I can also telnet from here, logging in with the password 123. If I execute ping from the firewall itself it will not work unless I set the source, because we said the source must be 192.168.1.x going to 192.168.2.x.
So only that traffic is encrypted. In the middle you will see 1.1.1.1 and 2.2.2.2, but the packet crossing there will be encrypted.
After this firewall the traffic will be decrypted; encryption starts at this one and ends at the other. Unfortunately Wireshark is not capturing; if you captured the traffic you would see ESP, which I mentioned in the theory.
So this is site-to-site VPN done manually. With the template everything was created automatically: the local address object, the remote address object, the static route, the blackhole route, the local policy and the remote policy. Here we created them ourselves: two policies and two routes, and instead of local address objects we used all.
That's the difference between the template-based and the custom one. And then, from the IPsec monitor, the traffic is visible. That's the only thing to see.