HotBrick LB-2 Firewall How To: LB-2 IPSec Tunnel Setup Guide

LB-2 IPSec Tunnel Setup Guide

The HotBrick LB-2 is a VPN-capable dual-WAN gateway with industry-standard IPsec encryption. It provides LAN-to-LAN connectivity over the Internet. The LB-2 supports VPN by encryption, encapsulation and authentication using the following methods:
DES/3DES/AES
MD5
SHA-1/SHA-2
A maximum of 10 VPN tunnels is supported. This setup guide helps the user establish an IPsec VPN tunnel between two LB-2s with VPN.
Figure 2 - Global Setting for Site A
5. Under Global Setting, enable the WAN interface through which the VPN IPSec tunnel should be established.
6. Both WAN1 and WAN2 can initiate and establish VPN tunnels.
7. Figure 2 shows the Global Parameters for WAN1. Remember that these parameters must be identical at both sites.
Figure 3 - IPSec Traffic Binding for Site A
Figure 4 - IPSec Traffic Binding for Site B
How To establish an IPSec VPN tunnel with LB-2 VPN. Property of HotBrick — 2005
15. Under Traffic Selector, for Service – Protocol Type select ANY.
16. Under Local Security Network, for Local Type select Subnet.
17. The IP address must cover the entire subnet. Please see below:
a. In Figure 3, the Site A IP address is 192.168.2.0 with Mask Address 255.255.255.0.
b. In Figure 4, the Site B IP address is 10.1.1.0 with Mask Address 255.255.255.0.
c. NOTE – the LAN subnets at the two sites must be different. If they overlap, hosts treat the remote addresses as local and traffic is never sent through the tunnel.
18. The Port Range can be left at 0 ~ 0.
19.
Figure 6 - Policy Setup for Site B
25. Under Key Management there are two types: AutoKey (IKE) or Manual Key.
26. If AutoKey (IKE) is selected, the Phase 1 Negotiation can be Main Mode or Aggressive Mode. In our example we used Main Mode.
27. Perfect Forward Secrecy can be enabled or disabled. In our example we enabled it with DH Group 2 (1024-bit).
28. The Preshared Key may consist of characters and/or hexadecimal digits and must be identical at both sites. The preshared key entered in our example is “hotbrick”; for a production tunnel use a long, randomly generated key instead.
29.
32. The Inbound and Outbound Stateful Packet Inspection options must also be set.
33. Once all these values are entered, click Add.
34. Now under Action, select Set Options. This brings you to the IPSec Policy Options page. We recommend using this section to keep the tunnels up permanently.
35. Under Dead Peer Detection Feature, make sure the Enable box is checked. Under Check Method there are three options:
Heartbeat
ICMP host
DPD (RFC 3706)
In our example we selected DPD (RFC 3706).
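Steps 5 through 35 above configure the same tunnel twice, once at each site, and most failed tunnels come from the two sides not matching. The script below is an added example, not code from the HotBrick guide or the LB-2 firmware: the LB-2 is configured through its web GUI, so the dictionary keys are this script's own names for the fields the guide walks through (Local/Remote Security Network, Phase 1 settings, PFS, preshared key), and the WAN addresses are RFC 5737 documentation addresses chosen as assumptions. It checks the rules the guide states (non-overlapping LAN subnets, identical Phase 1 parameters and preshared key, each side's remote network equal to the peer's local network) and adds the checks a practitioner would want: it flags DES and MD5 as weak, Aggressive Mode as leaking identities, and a short preshared key such as the guide's "hotbrick".

```python
"""Sanity-check a pair of LB-2 site configurations before committing them.

Added example, not from the HotBrick guide or firmware.  The dict keys below
are this script's own names for the GUI fields, not LB-2 identifiers.
"""
import ipaddress
import secrets

# Options the guide lists for the LB-2.
SUPPORTED_ENCRYPTION = {"DES", "3DES", "AES"}
SUPPORTED_HASH = {"MD5", "SHA1"}
SUPPORTED_DH_GROUPS = {1, 2, 5}
WEAK_ALGORITHMS = {"DES", "MD5"}   # offered by the device, but avoid for new tunnels
MIN_PSK_LENGTH = 20

# Constructed sample configurations mirroring the guide's Site A and Site B.
# The WAN addresses are RFC 5737 documentation addresses (assumptions).
SITE_A = {
    "wan_ip": "203.0.113.10",
    "local_net": "192.168.2.0/24",
    "remote_net": "10.1.1.0/24",
    "remote_gateway": "198.51.100.20",
    "phase1": {"mode": "main", "dh_group": 2, "encryption": "3DES", "hash": "SHA1"},
    "pfs_group": 2,                  # None disables Perfect Forward Secrecy
    "psk": "hotbrick",               # the guide's example key
}
SITE_B = {
    "wan_ip": "198.51.100.20",
    "local_net": "10.1.1.0/24",
    "remote_net": "192.168.2.0/24",
    "remote_gateway": "203.0.113.10",
    "phase1": {"mode": "main", "dh_group": 2, "encryption": "3DES", "hash": "SHA1"},
    "pfs_group": 2,
    "psk": "hotbrick",
}


def validate_pair(a, b):
    """Return a list of problems; an empty list means the two sides agree."""
    problems = []
    a_local = ipaddress.ip_network(a["local_net"])
    b_local = ipaddress.ip_network(b["local_net"])

    # Step 17c: the two LAN subnets must not overlap, or hosts will treat the
    # remote addresses as local and never send them to the gateway.
    if a_local.overlaps(b_local):
        problems.append(f"LAN subnets overlap: {a_local} and {b_local}")

    # Each side's Remote Security Network must be the peer's Local Security
    # Network, and each Remote Gateway must be the peer's WAN address.
    if ipaddress.ip_network(a["remote_net"]) != b_local:
        problems.append("Site A remote network does not match Site B local network")
    if ipaddress.ip_network(b["remote_net"]) != a_local:
        problems.append("Site B remote network does not match Site A local network")
    if a["remote_gateway"] != b["wan_ip"] or b["remote_gateway"] != a["wan_ip"]:
        problems.append("remote gateway must be the peer's WAN address")

    # Steps 7, 27 and 28: Phase 1 parameters, PFS and the preshared key must match.
    if a["phase1"] != b["phase1"]:
        problems.append("Phase 1 parameters differ between sites")
    if a["pfs_group"] != b["pfs_group"]:
        problems.append("PFS setting differs between sites")
    if a["psk"] != b["psk"]:
        problems.append("preshared keys differ between sites")
    if len(a["psk"]) < MIN_PSK_LENGTH:
        problems.append(f"preshared key is only {len(a['psk'])} characters; use new_psk()")

    for name, site in (("A", a), ("B", b)):
        p1 = site["phase1"]
        if p1["encryption"] not in SUPPORTED_ENCRYPTION:
            problems.append(f"Site {name}: unsupported encryption {p1['encryption']}")
        if p1["hash"] not in SUPPORTED_HASH:
            problems.append(f"Site {name}: unsupported hash {p1['hash']}")
        if p1["dh_group"] not in SUPPORTED_DH_GROUPS:
            problems.append(f"Site {name}: unsupported DH group {p1['dh_group']}")
        if site["pfs_group"] is not None and site["pfs_group"] not in SUPPORTED_DH_GROUPS:
            problems.append(f"Site {name}: unsupported PFS group {site['pfs_group']}")
        if p1["mode"] == "aggressive":
            problems.append(f"Site {name}: aggressive mode does not protect peer identities")
        for alg in (p1["encryption"], p1["hash"]):
            if alg in WEAK_ALGORITHMS:
                problems.append(f"Site {name}: {alg} is weak; prefer AES/SHA1")
    return problems


def new_psk(nbytes=24):
    """Random hexadecimal preshared key.  The LB-2 accepts hexadecimal keys;
    the maximum key length it allows is not stated in the guide (assumption)."""
    return secrets.token_hex(nbytes)


if __name__ == "__main__":
    for line in validate_pair(SITE_A, SITE_B) or ["configuration consistent"]:
        print(line)
```

Run against the guide's own values the only finding is the short preshared key; swapping Site B's local network for 192.168.2.0/24 reproduces the overlap that step 17c warns about, and the mismatch of Site A's remote network that results from it.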
Figure 9 – IPSec Policy Option for Site B
Figures 10 and 11 show the tunnel established under Policy Setup. Figures 12 and 13 show the log with all the phases of the IPSec tunnel established.
Figure 10 - Site A tunnel established
Figure 11 - Site B tunnel established
Figure 12 - Logs with tunnel established in Site A
Figure 13 - Logs with tunnel established in Site B
VPN Policy References

IPSec Global Setting
Enable: Enabling WAN 1, WAN 2 or Both applies the global setting to that interface.
ISAKMP Port: ISAKMP negotiates, establishes, modifies and deletes security associations and their attributes; IANA has assigned it UDP port 500.
Phase 1 DH Group: DH Group 1 (768-bit), DH Group 2 (1024-bit) or DH Group 5 (1536-bit) is used to generate the IPSec SA keys.
Phase 1 Encryption Method: Three data encryption methods are available: DES, 3DES and AES.
PPPoE Session: Some ISPs offer multiple sessions when using PPPoE. These PPPoE sessions can be selected to construct VPN tunnels.

Traffic Selector
Service: Protocol Type: Choices are TCP, UDP, ICMP or GRE as the connection protocol. By default the protocol type is “Any”.
Local Security Network: These entries identify the private network on the VPN gateway and the hosts that can use the LAN-to-LAN connection.
AutoKey (IKE): Two operation modes can be used. Main Mode accomplishes a phase 1 IKE exchange by establishing a secure channel. Aggressive Mode is another way of accomplishing a phase 1 exchange; it is faster and simpler than Main Mode but does not provide identity protection for the negotiating nodes, and with a preshared key it lets an eavesdropper capture material for offline guessing of that key.
Perfect Forward Secrecy (PFS): If PFS is enabled, IKE phase 2 negotiation generates new key material for IP traffic encryption and authentication.
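The DH group and PFS entries above can be seen concretely in code. The block below is an added example, not code from the HotBrick guide or the LB-2 firmware: it performs a Diffie-Hellman exchange over IKE Group 2 using the 1024-bit MODP prime and generator that RFC 2409 section 6.2 defines for that group, and then models IKEv1 quick-mode key derivation with and without PFS to show what "new key material" buys. The derivation is a simplified stand-in (SHA-1 over the secrets, a counter in place of the SPI and nonces that travel in clear), not the real PRF construction; the point it demonstrates holds for the real one: without PFS every phase 2 key is recomputable by anyone who learns the phase 1 secret, with PFS it is not. The Miller-Rabin check is there so the transcribed modulus is verified rather than trusted. Group 2 is what the guide selects; 1024-bit DH is below today's recommended minimum, so prefer Group 5 (1536-bit), the largest the LB-2 lists, where both peers support it.

```python
"""Diffie-Hellman over IKE Group 2 and what Perfect Forward Secrecy changes.

Added example, not code from the HotBrick guide or the LB-2 firmware.  It
models only the key agreement, not IKE packet formats.  The 1024-bit MODP
prime and generator below are those RFC 2409 section 6.2 defines for Group 2.
"""
import hashlib
import secrets

GROUP2_P = int(
    "FFFFFFFFFFFFFFFFC90FDAA22168C234C4C6628B80DC1CD129024E088A67CC74"
    "020BBEA63B139B22514A08798E3404DDEF9519B3CD3A431B302B0A6DF25F1437"
    "4FE1356D6D51C245E485B576625E7EC6F44C42E9A637ED6B0BFF5CB6F406B7ED"
    "EE386BFB5A899FA5AE9F24117C4B1FE649286651ECE65381FFFFFFFFFFFFFFFF",
    16,
)
GROUP2_G = 2


def is_probable_prime(n, rounds=16):
    """Miller-Rabin test, used here to confirm the transcribed modulus is prime."""
    if n < 4:
        return n in (2, 3)
    if n % 2 == 0:
        return False
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        a = secrets.randbelow(n - 3) + 2
        x = pow(a, d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def dh_exchange(p=GROUP2_P, g=GROUP2_G):
    """One fresh exchange: both peers pick a private exponent, swap g^x mod p
    and arrive at the same shared secret.  Returns the secret as an int."""
    x_a = secrets.randbelow(p - 2) + 1
    x_b = secrets.randbelow(p - 2) + 1
    pub_a, pub_b = pow(g, x_a, p), pow(g, x_b, p)   # the values sent on the wire
    secret_a = pow(pub_b, x_a, p)
    secret_b = pow(pub_a, x_b, p)
    assert secret_a == secret_b
    return secret_a


def phase2_keys(phase1_secret, pfs, rekeys=2):
    """Simplified model of IKEv1 quick-mode key derivation for `rekeys`
    successive phase 2 SAs.  Real IKE feeds SKEYID_d, the SPI and both nonces
    to a PRF; here the phase 1 secret stands in for SKEYID_d and the counter
    for the values that travel in clear.  With PFS a fresh DH secret, which
    an attacker holding only the phase 1 secret does not have, is mixed in
    for every rekey."""
    keys = []
    for i in range(rekeys):
        material = phase1_secret.to_bytes(128, "big")
        if pfs:
            material += dh_exchange().to_bytes(128, "big")
        keys.append(hashlib.sha1(material + bytes([i])).hexdigest())
    return keys


if __name__ == "__main__":
    s = dh_exchange()
    print("Group 2 shared secret bits:", s.bit_length())
    print("without PFS (recomputable from the phase 1 secret):", phase2_keys(s, False))
    print("with PFS (fresh material per rekey):", phase2_keys(s, True))
```

Calling phase2_keys twice with the same phase 1 secret returns identical keys without PFS, which is exactly what an attacker who recovered that secret would do; with PFS the two calls disagree because each rekey ran its own exchange.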