In this case, NGFW acts as a VPN server, and the user with the UserGate Client software installed acts as a VPN client. When you create a VPN using L2TP/IPsec (IKEv1), L2TP creates a tunnel that carries network layer packets in PPP frames, and IPsec provides encryption, authentication, and integrity checks for the transmitted data.
To do this you need to follow these steps:
Step 1. Allow the VPN service in the zone to which VPN clients will connect.
In the Network ➜ Zones section, edit the access control settings for the zone to which VPN clients will connect and enable the VPN and Connecting endpoints services.
Step 2. Create a zone where the clients connecting using a VPN will be placed.
In the Network ➜ Zones section, create a zone where the clients connecting via a VPN will be placed. This zone can later be used in security policies. A default zone named VPN for remote access already exists for this purpose.
Step 3. Create a NAT rule for the newly created zone.
In order for connected VPN clients to be able to access the Internet through the NGFW tunnel, it is necessary to create a NAT rule from the VPN for remote access zone to the Untrusted zone. Create the corresponding rule in the Network policies ➜ NAT and routing section. As an example, a rule named NAT from VPN for remote access to Trusted and Untrusted is created in NGFW that allows IP address substitution from the zone VPN for remote access to the Trusted and Untrusted zones.
Step 4. Create a firewall rule that allows traffic from the zone created earlier.
In the Network policies ➜ Firewall section, create a firewall rule that allows traffic from the zone you created to other zones. To let the traffic pass to the server via the VPN tunnel from the client zone, you need to create an allowing firewall rule, specifying the desired source zone and destination zone. For example, there is a rule created in NGFW from the remote VPN connection zone VPN for remote access allowing access to the Trusted and Untrusted zones.
Step 5. Create an authentication profile.
Create a profile for VPN users in the Users and devices ➜ Auth profiles section. Note that transparent authentication methods such as Kerberos, NTLM, or SAML IDP cannot be used for VPN authentication.
Step 6. Create a VPN server security profile.
In the VPN security profile settings, the encryption and authentication algorithms are defined. Multiple profiles may be used for connecting to different client types. To create a VPN server security profile, go to VPN ➜ Server security profiles, click Add, and fill in these fields:
Next, the settings for the first and second phases of tunnel negotiation need to be configured. In the first phase, IKE security is negotiated. The authentication is done using a pre-shared key in the mode selected earlier. Provide the following settings:
In the second phase, the method for securing IPsec connections is selected. You need to specify the following:
Step 7. Create a VPN interface.
A VPN interface is a virtual network adapter that will be used to connect VPN clients. This is a cluster-type interface, which means that it will be created automatically on all UserGate nodes included in a configuration cluster. If an HA cluster exists and problems are detected on the active server, VPN clients are switched to a backup server automatically, without terminating existing VPN connections. In the Network ➜ Interfaces section, click Add and select Add VPN. Provide the following settings:
Step 8. Create a VPN network.
A VPN network determines the network settings that will be used for connecting the client to the server. This is primarily the assignment of IP addresses to the clients inside the tunnel, the DNS settings, and the routes that will be passed to the clients that support the use of routes assigned to them. Multiple tunnels may be used with different settings for different clients. To create a VPN tunnel, go to VPN ➜ VPN networks, click Add, and fill in these fields:
Important! A maximum of two DNS servers can be specified.
Important! Routes are passed to UserGate Client endpoints only over VPN connections that use IKEv2.
Step 9. Create a VPN server rule.
Create a VPN server rule using the VPN network, interface, and profile created earlier. To create the rule, go to VPN ➜ Server rules, click Add, and fill in these fields:
Important! The traffic processing logic is as follows:
- If several IP address and/or domain lists are specified, the conditions are combined using Boolean OR.
- If GeoIPs and IP address and/or domain lists are specified, the conditions are combined using Boolean AND.
Important! To apply different server rules to different clients, use the Source zone and Source address settings. The Users setting does not govern the selection of a server rule, as the user is checked only after the VPN connection has been established.
Step 10. Configure a VPN connection on the client computer.
To configure a VPN connection on a user's computer, provide these settings:
For more details on using UserGate Client endpoints in conjunction with NGFW, see the UserGate Client Endpoints section.
Configuring Remote Access VPN Using CLI
Step 1. Allow the VPN service in the zone to which VPN clients will connect.
To edit the zone parameters, use the following command:
Admin@UGOS# set network zone <parameters>
To learn more about the commands and parameters for creating and editing zones using the CLI, see the article Zones.
Here is an example command that edits the Untrusted zone to allow the VPN service inside it:
Admin@UGOS# set network zone Untrusted enabled-services [ VPN ]
Step 2. Create a zone where the clients connecting using a VPN will be placed.
To create a zone, use the following command:
Admin@UGOS# create network zone <parameters>
To learn more about the commands and parameters for creating and editing zones using the CLI, see the article Zones.
Here is an example command that creates a zone called RA_VPN:
Admin@UGOS# create network zone name RA_VPN enabled-services [ VPN ]
Step 3. Create a NAT rule for the newly created zone.
NAT rules are created using a command that employs the UPL syntax:
Admin@UGOS# create network-policy nat-routing <position> upl-rule <parameters>
For more details on how to configure NAT and routing rules using the CLI, see the Configuring NAT and Routing Rules article.
Here is an example command that creates a NAT rule from RA_VPN to Zone1:
Admin@UGOS# create network-policy nat-routing 1 upl-rule PASS \
...src.zone = RA_VPN \
...dst.zone = Zone1 \
...nat \
...rule_log(session) \
...name("RA NAT rule") \
...enabled(true)
Step 4. If required, create a firewall rule that allows traffic from the zone created earlier to the desired network segment.
Firewall rules are created using a command that employs the UPL syntax:
Admin@UGOS# create network-policy firewall <position> upl-rule <commands>
For more details on how to configure firewall rules using the CLI, see the Configuring Firewall Rules article.
An example of creating firewall rules that allow traffic from RA_VPN to Zone1 is shown below:
Admin@UGOS# create network-policy firewall 2 upl-rule PASS \
...src.zone = RA_VPN \
...dst.zone = Zone1 \
...rule_log(session) \
...name("RA_VPN to Zone1") \
...enabled(true)
Step 5. Create an authentication profile for VPN users.
For more details on configuring authentication profiles using the CLI, see the Configuring Authentication Profiles article.
Here are example commands that create an LDAP authentication server named New ldap server for the domain test.local and an authentication profile named New profile that uses it:
Admin@UGOS# create users auth-server ldap name "New ldap server" address 192.168.1.2 domains [ test.local ] bind-dn test@test.local password 12345 enabled on
Admin@UGOS# create users auth-profile name "New profile" auth-methods ldap [ "New ldap server" ]
Step 6. Create a VPN server security profile.
To create a VPN server security profile, use the following command:
Admin@UGOS# create vpn server-security-profiles <parameters>
For more details on configuring VPN security profiles using the CLI, see the Configuring VPN Security Profiles article.
Here is an example command that creates a VPN server security profile named "VPN-server profile 2" for an L2TP/IPsec VPN; the CLI then prompts for the pre-shared key to be repeated:
Admin@UGOS# create vpn server-security-profiles name "VPN-server profile 2" ike-version 1 ike-mode main psk 12345 dh-groups [ "Group 2 Prime 1024 bit" "Group 14 Prime 2048 bit" ] phase1-security [ SHA1/AES256 SHA256/AES256 ] phase2-security [ SHA1/AES256 SHA256/AES256 ]
Repeat preshared key:
Admin@UGOS#
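The profile above is what the security of every tunnel rests on, so it is worth reviewing before it goes live. As an added example (not UserGate code or output), the following Python script parses a `create vpn server-security-profiles` command line in the layout shown above and flags the settings a reviewer would want tightened: DH groups below 2048 bits, SHA1-based suites, and a pre-shared key shorter than 20 characters. The thresholds, the parsing of `key value` / `key [ ... ]` pairs, and the spelling `aggressive` for the other IKEv1 mode are assumptions made for this example.

```python
import re
import shlex

# Constructed from the page's Step 6 example; not captured from a real appliance.
EXAMPLE_CMD = (
    'create vpn server-security-profiles name "VPN-server profile 2" '
    'ike-version 1 ike-mode main psk 12345 '
    'dh-groups [ "Group 2 Prime 1024 bit" "Group 14 Prime 2048 bit" ] '
    'phase1-security [ SHA1/AES256 SHA256/AES256 ] '
    'phase2-security [ SHA1/AES256 SHA256/AES256 ]'
)

# Review thresholds chosen for this example (assumptions, not UserGate defaults).
MIN_DH_BITS = 2048
MIN_PSK_LEN = 20
WEAK_HASHES = {"MD5", "SHA1"}


def parse_profile_command(cmd):
    """Split a profile command into {parameter: value-or-list}.

    Assumes the CLI layout shown on the page: a parameter name followed
    either by one (possibly quoted) value or by a bracketed list '[ a b ]'.
    """
    tokens = shlex.split(cmd)
    if tokens[:3] != ["create", "vpn", "server-security-profiles"]:
        raise ValueError("not a 'create vpn server-security-profiles' command")
    fields = {}
    i = 3
    while i < len(tokens):
        key = tokens[i]
        if i + 1 >= len(tokens):
            raise ValueError(f"parameter {key!r} has no value")
        if tokens[i + 1] == "[":
            end = tokens.index("]", i + 2)  # ValueError if the list is unclosed
            fields[key] = tokens[i + 2:end]
            i = end + 1
        else:
            fields[key] = tokens[i + 1]
            i += 2
    return fields


def audit_profile(fields):
    """Return a list of human-readable findings; empty means nothing flagged."""
    findings = []
    for group in fields.get("dh-groups", []):
        m = re.search(r"(\d+)\s*bit", group)
        if m and int(m.group(1)) < MIN_DH_BITS:
            findings.append(f"dh-groups: '{group}' is below {MIN_DH_BITS} bits")
    for phase in ("phase1-security", "phase2-security"):
        for suite in fields.get(phase, []):
            hash_alg = suite.split("/")[0].upper()  # suites are HASH/CIPHER
            if hash_alg in WEAK_HASHES:
                findings.append(f"{phase}: suite {suite} uses {hash_alg}")
    psk = fields.get("psk", "")
    if len(psk) < MIN_PSK_LEN:
        findings.append(f"psk: {len(psk)} characters, fewer than {MIN_PSK_LEN}")
    # Assumes the CLI names the other IKEv1 mode 'aggressive', as the GUI does;
    # aggressive mode with a PSK is weaker than the main mode used on the page.
    if fields.get("ike-mode") == "aggressive":
        findings.append("ike-mode: aggressive mode with PSK; prefer main")
    return findings


if __name__ == "__main__":
    for finding in audit_profile(parse_profile_command(EXAMPLE_CMD)):
        print(finding)
```

Run against the page's example, the script reports the 1024-bit DH group, the SHA1 suite in each phase, and the five-character PSK; a profile limited to Group 14, SHA256/AES256 and a long random PSK produces no findings.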
Step 7. Create a VPN interface.
To create a VPN interface, use the following command:
Admin@UGOS# create network interface vpn <parameters>
For more details on how to create a VPN interface using the CLI, see the Interfaces article.
Here is an example command that creates a VPN interface named tunnel1 belonging to the zone RA_VPN:
Admin@UGOS# create network interface vpn interface-name 1 zone RA_VPN ip-addresses [ 172.30.252.1/24 ] enabled on
Step 8. Create a VPN network.
To create a VPN network, use the following command:
Admin@UGOS# create vpn networks <parameters>
For more details on how to create a VPN network using the CLI, see the Configuring VPN Networks article.
Here is an example command that creates a VPN network named "VPN network 2":
Admin@UGOS# create vpn networks name "VPN network 2" ip-range 172.30.252.2-172.30.252.254 mask 255.255.255.0 use-system-dns on routes-ip-list [ "Int net address" ]
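Steps 7 and 8 must agree with each other: the pool handed out to clients has to sit inside the VPN interface's subnet, use the same mask, and leave out the interface address itself. The check below is an added example in Python (not part of UserGate), run over the values used in the two example commands above; it reports the mismatches a practitioner would otherwise only discover from failed client connections.

```python
import ipaddress

# Values taken from the page's Step 7 and Step 8 example commands.
VPN_INTERFACE = "172.30.252.1/24"
VPN_POOL = "172.30.252.2-172.30.252.254"
VPN_MASK = "255.255.255.0"


def check_vpn_network(interface_cidr, pool_range, mask):
    """Validate a client pool against the VPN interface it is served from.

    Returns a dict with the interface network, the number of pool addresses,
    and a list of problems (empty when the plan is consistent).
    """
    iface = ipaddress.ip_interface(interface_cidr)
    net = iface.network
    first_s, last_s = pool_range.split("-")
    first = ipaddress.ip_address(first_s.strip())
    last = ipaddress.ip_address(last_s.strip())
    problems = []

    if first > last:
        problems.append(f"pool start {first} is after pool end {last}")
    # A dotted mask and the interface prefix must describe the same subnet.
    mask_prefix = ipaddress.ip_network(f"0.0.0.0/{mask}").prefixlen
    if mask_prefix != net.prefixlen:
        problems.append(f"mask {mask} (/{mask_prefix}) differs from interface /{net.prefixlen}")
    if first not in net or last not in net:
        problems.append(f"pool {pool_range} is not contained in {net}")
    # The server keeps the interface address; clients must not be given it.
    if first <= iface.ip <= last:
        problems.append(f"pool includes the interface address {iface.ip}")
    if first == net.network_address or last == net.broadcast_address:
        problems.append("pool includes the network or broadcast address")

    size = int(last) - int(first) + 1 if first <= last else 0
    return {"network": str(net), "pool_size": size, "problems": problems}


if __name__ == "__main__":
    print(check_vpn_network(VPN_INTERFACE, VPN_POOL, VPN_MASK))
```

With the page's values the plan is consistent: 253 client addresses in 172.30.252.0/24 and no problems. A pool that starts at the interface address or runs past the /24 is reported as such.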
Step 9. Create a VPN server rule.
VPN server rules are created using a command that employs the UPL syntax:
Admin@UGOS# create vpn server-rules <position> upl-rule <commands>
For more details on how to create VPN server rules using the CLI, see the Configuring Server Rules article.
Here is an example command that creates a VPN server rule named "VPN-server rule 2" using the following previously defined items: VPN server security profile "VPN-server profile 2", VPN network "VPN network 2", user authentication profile "New profile", VPN interface tunnel1, and VPN server external IP address list "Ext VPN address":
Admin@UGOS# create vpn server-rules 2 upl-rule OK \
...name("VPN-server rule 2") \
...profile("VPN-server profile 2") \
...vpn_network("VPN network 2") \
...auth_profile("New profile") \
...interface(tunnel1) \
...src.zone = Untrusted \
...dst.ip = lib.network("Ext VPN address") \
...enabled(true)
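Step 9 states how a server rule's source conditions combine: IP address lists and domain lists are ORed together, GeoIP is ANDed with them, and the Users setting plays no part in picking the rule. The Python below is an added example of that selection logic (not UserGate's implementation), with rules shaped after the CLI example above. The address library, the country lookup, and the rule and connection values are constructed for the demo, and domain lists are modelled as already resolved to addresses.

```python
import ipaddress

# Constructed address library: list name -> CIDRs (documentation ranges).
# Domain lists are modelled as already resolved to addresses for the demo.
LIBRARY = {
    "Ext VPN address": ["203.0.113.10/32"],
    "Branch offices": ["198.51.100.0/24"],
    "Partners": ["192.0.2.0/24"],
}

# Constructed GeoIP stand-in: CIDR -> country code.
GEOIP = {"198.51.100.0/24": "RU", "192.0.2.0/24": "DE"}

# Constructed server rules in position order, shaped after the page's CLI example.
RULES = [
    {"name": "branch offices only", "src_zone": "Untrusted",
     "dst_ip": "Ext VPN address", "src_lists": ["Branch offices", "Partners"],
     "geoip": ["RU"], "users": ["alice"]},
    {"name": "VPN-server rule 2", "src_zone": "Untrusted",
     "dst_ip": "Ext VPN address", "src_lists": [], "geoip": [], "users": []},
]


def in_lists(ip, names):
    """True if ip falls in any CIDR of any named library list (Boolean OR)."""
    addr = ipaddress.ip_address(ip)
    return any(addr in ipaddress.ip_network(cidr)
               for name in names for cidr in LIBRARY[name])


def country_of(ip):
    addr = ipaddress.ip_address(ip)
    for cidr, cc in GEOIP.items():
        if addr in ipaddress.ip_network(cidr):
            return cc
    return None


def rule_matches(rule, conn):
    """Apply the page's combination logic to one connection attempt."""
    if rule["src_zone"] != conn["src_zone"]:
        return False
    if not in_lists(conn["dst_ip"], [rule["dst_ip"]]):
        return False
    # Several IP/domain lists: OR across them. None means 'no list condition'.
    list_cond = in_lists(conn["src_ip"], rule["src_lists"]) if rule["src_lists"] else None
    # GeoIP is ANDed with the list condition when both are present.
    geo_cond = country_of(conn["src_ip"]) in rule["geoip"] if rule["geoip"] else None
    conditions = [c for c in (list_cond, geo_cond) if c is not None]
    # 'users' is deliberately not consulted: the user is checked only after
    # the tunnel is up, so it cannot steer rule selection.
    return all(conditions)


def select_rule(rules, conn):
    """Return the name of the first matching rule in position order, or None."""
    for rule in rules:
        if rule_matches(rule, conn):
            return rule["name"]
    return None


if __name__ == "__main__":
    conn = {"src_zone": "Untrusted", "src_ip": "192.0.2.7", "dst_ip": "203.0.113.10"}
    print(select_rule(RULES, conn))
```

A client from 192.0.2.7 is in the Partners list, so the OR over lists succeeds, but its GeoIP country (DE) fails the AND with RU, so rule 1 is skipped and the catch-all rule 2 is selected; a client from 198.51.100.5 satisfies both and gets rule 1 regardless of which user later authenticates.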