Site-to-Site VPN
![Visual aid](/CAP/Network+/Visual%20Aids/Pasted%20image%2020241031132132.png)
- Typically connecting two remote offices, and we are using hardware to do it.
- Each of these devices is capable of supporting a site-to-site IPsec VPN.
- Connecting two sites together securely.
- Less expensive than a leased line.
- VPN access device on both sides
- Router
- Firewall
- Network Operating System (NOS) - (pfSense)
- pfSense is an open source firewall that you can configure yourself and install on any computer; it gives better packet processing than just sitting down and using a Windows computer or a regular Linux computer as the VPN endpoint.
- VPN concentrator
- Types of appliances for terminating remote access VPNs
- VPN 3000 series from Cisco
- Private Internet Exchange (PIX) firewall
- They had one device that was a firewall and one device that was a VPN concentrator. Cisco collapsed these two into a new device called the Adaptive Security Appliance (ASA). Those have since become Firepower appliances, which happened after Cisco's acquisition of Sourcefire.
- VPN concentrators are not something you will typically find from every vendor today; a lot of the time it is a sub-feature of another device.
Site-to-site VPN Design
- Private addressing considerations
- We want unique IP addresses at each of the sites (no overlapping)
- Public addressing considerations
- Is your public IP address static, or does it change?
- If it's static we can build a configuration that points at it.
- If the IP address changes, now we have a problem: we need to keep track of those changes.
- Typically what we like to see for site-to-site connections is a static IP address on both sides.
- Dynamic DNS
- Matches a domain name with whatever the IP address is currently registered for that domain.
- If the IP is dynamic, then whenever it changes the information in DNS is wrong until the record is updated; we have to wait for that update, which may take only a few seconds.
- Static IP addresses might be the most stable but they are more expensive.
- Provider Independent Addressing
- When you change your ISP, they're going to give you a different IP, so what did that just do to all your configurations? They're busted now. Do we have to re-do everything?
- Typically when you get on the internet you get an IP address that comes from an ISP, an Internet Service Provider.
- With Provider Independent Addressing you can get an IP address that has nothing to do with a service provider. You will then take your IP address from provider to provider, which means all of our configurations stay the same.
- In order to do this you have to purchase address space (purchase IPs).
- Today all the available IPv4 addresses have been allocated, but there are people who resell what's available.
- SLA or no SLA
- Service Level Agreement (SLA)
- Is it important for your business, or not really important?
- Could impact your insurance policy.
- If you need an SLA, you might want to look into Multiprotocol Label Switching (MPLS). This is where the service provider builds you an MPLS VPN through their environment (it doesn't have encryption by default, but it can) and gives you the SLA that goes with it.
IPsec VPN Tutorial
![Visual aid](/CAP/Network+/Visual%20Aids/Pasted%20image%2020241101115600.png)
- Let's say that this is an IP packet, source from 192.168.1.0 and it's headed for 192.168.2.0.
- As this envelope comes into the router that connects us to the internet, there's a policy on this router that defines what should be encrypted. Sometimes this is called a crypto ACL. Access Control Lists have permit and deny statements, so what we'll do is permit traffic from 192.168.1.0 to 192.168.2.0.
- Our "if" condition is then based on this packet: "Hey router, when you see 192.168.1.0 talking to 192.168.2.0, don't just note that and send it out to the internet like you normally would, I want you to actually encrypt it." The action that we take, the "then", is to encrypt it. We say take that data and wrap it inside of ESP, put that under a new IP header and send it to the far side.
- So your "then" VPN configuration is going to contain the peer IP address. It will say, "Hey, if you see packets coming from 192.168.1.0 going to 192.168.2.0, encrypt them." And we'll have a policy that says: "Use AES for encryption and SHA256 for hashing, and send it to this peer IP address." This is where we've got ESP transport with a new IP header, which we call a tunnel; it's just a tube for encrypted packets that goes from one router to the other.
- Once you get to the other router, it looks at the ESP header and goes: "Oh, this is encrypted payload, no problem, I know what to do with this." It goes in, decrypts everything, does an integrity check to make sure that it decrypted properly, and then we send it out the other side in clear text.
- The way that you construct your VPN policy is going to be different for each device, but this is the construct of the "if" and the "then".
- In order to construct this tunnel, we've got to have matching policies. The policies that have to match are the "if" conditions.
- What I mean by "match" is really the word mirror. If a packet was coming in on the far side, it would be mirrored, because it's coming from 192.168.2.0 going to 192.168.1.0. So our "if" policies are kind of like opposites of each other, but the encryption policy is identical. If it's not, it will not work.
- We have got to agree upon how to do crypto. And if we agree on how to do crypto, then we'll pass the traffic back and forth. That's all a VPN.
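As an added example (not from these notes, and not any vendor's configuration syntax), here is a small Python checker that models the "if" (crypto ACL) and "then" (transform set plus peer address) of each side and verifies the two design rules from above: non-overlapping private address space at the two sites, and mirrored ACLs with an identical encryption policy on both peers. The site names, the public addresses (taken from the documentation ranges 203.0.113.0/24 and 198.51.100.0/24), the policy values and the misconfigured far side are all constructed for the example.

```python
"""Sanity checks for a site-to-site IPsec design (constructed example).

Models the two halves of a VPN policy:
  - the "if": a crypto ACL naming which source -> destination traffic to encrypt
  - the "then": the transform (cipher, hash) and the peer the ESP tunnel goes to
and checks the two design rules: no overlapping private ranges between the
sites, and mirrored ACLs with an identical encryption policy on both peers.
"""
from dataclasses import dataclass
import ipaddress


@dataclass(frozen=True)
class CryptoAcl:
    """The 'if' condition: permit traffic from the src network to the dst network."""
    src: str  # e.g. "192.168.1.0/24"
    dst: str


@dataclass(frozen=True)
class Transform:
    """The 'then' action: how the ESP payload is protected. Compared verbatim,
    so both sides must be configured with exactly the same values."""
    encryption: str
    hashing: str


@dataclass(frozen=True)
class VpnPolicy:
    local_public_ip: str   # this router's internet-facing address
    peer_public_ip: str    # where this router sends the ESP tunnel
    acl: CryptoAcl
    transform: Transform


def mirror(acl: CryptoAcl) -> CryptoAcl:
    """The far side's 'if' is ours with source and destination swapped."""
    return CryptoAcl(src=acl.dst, dst=acl.src)


def overlapping_sites(local_net: str, remote_net: str) -> bool:
    """True if the private ranges at the two sites share any addresses."""
    a = ipaddress.ip_network(local_net, strict=False)
    b = ipaddress.ip_network(remote_net, strict=False)
    return a.overlaps(b)


def matches_crypto_acl(acl: CryptoAcl, src_ip: str, dst_ip: str) -> bool:
    """Would this packet hit the crypto ACL (encrypt) or go out in clear text?"""
    return (ipaddress.ip_address(src_ip) in ipaddress.ip_network(acl.src, strict=False)
            and ipaddress.ip_address(dst_ip) in ipaddress.ip_network(acl.dst, strict=False))


def policy_mismatches(site_a: VpnPolicy, site_b: VpnPolicy) -> list:
    """Return the reasons the tunnel would not come up (empty list = consistent)."""
    problems = []
    if overlapping_sites(site_a.acl.src, site_b.acl.src):
        problems.append("private address space overlaps between the sites")
    if site_b.acl != mirror(site_a.acl):
        problems.append("crypto ACLs are not mirrored")
    if site_a.transform != site_b.transform:
        problems.append("encryption policies differ")
    if (site_a.peer_public_ip != site_b.local_public_ip
            or site_b.peer_public_ip != site_a.local_public_ip):
        problems.append("peer addresses do not point at each other")
    return problems


# Constructed sample configuration: public addresses from the documentation
# ranges 203.0.113.0/24 and 198.51.100.0/24, private ranges as in the notes.
TRANSFORM = Transform(encryption="AES-256", hashing="SHA256")
SITE_A = VpnPolicy("203.0.113.10", "198.51.100.20",
                   CryptoAcl("192.168.1.0/24", "192.168.2.0/24"), TRANSFORM)
SITE_B = VpnPolicy("198.51.100.20", "203.0.113.10",
                   CryptoAcl("192.168.2.0/24", "192.168.1.0/24"), TRANSFORM)
# A misconfigured far side: the ACL is not the mirror image and the hash differs.
BAD_SITE_B = VpnPolicy("198.51.100.20", "203.0.113.10",
                       CryptoAcl("192.168.3.0/24", "192.168.1.0/24"),
                       Transform(encryption="AES-256", hashing="SHA1"))

if __name__ == "__main__":
    print("A <-> B:", policy_mismatches(SITE_A, SITE_B) or "consistent")
    print("A <-> bad B:", policy_mismatches(SITE_A, BAD_SITE_B))
    print("192.168.1.10 -> 192.168.2.20 encrypted?",
          matches_crypto_acl(SITE_A.acl, "192.168.1.10", "192.168.2.20"))
    print("192.168.1.10 -> 203.0.113.99 encrypted?",
          matches_crypto_acl(SITE_A.acl, "192.168.1.10", "203.0.113.99"))
```

Running it shows the good pair as consistent, the bad pair failing on both the mirrored ACL and the transform set, and a packet to an internet address falling through the crypto ACL and leaving in clear text. The transform comparison is deliberately strict: on real equipment the two sides negotiate from their configured proposals, and a single mismatched cipher or hash is the most common reason a tunnel never comes up.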