A VPN connection that makes it possible to interconnect the local networks of remote offices is called a Site-to-Site VPN.
In this case, one firewall works as a VPN server and another as a VPN client. The client initiates a connection to the server. A Site-to-Site VPN can be created between two UserGate firewalls or between a UserGate firewall and a third-party device.
To create a Site-to-Site VPN, the L2TP/IPsec (IKEv1) and IKEv2/IPsec protocols are used.
Configuring Site-to-Site VPN Using Admin Console
Creating a Site-to-Site VPN requires that the relevant settings be configured at both endpoints of the secure connection, i.e., the VPN server and VPN client.
VPN Server Host Configuration
Step 1. Create a local user for the authentication of the VPN client server.
This login name is used for authenticating the VPN client host only during the establishment of an L2TP tunnel in the L2TP/IPsec VPN scenario. In the Users and devices ➜ Users section, create a user for each of the remote hosts that will work as VPN clients, and set passwords for the users. For convenience, all such users can be placed in the existing VPN servers group, which will be granted VPN connection access.
Step 2. Allow the VPN service in the zone to which VPN clients will connect.
In the Network ➜ Zones section, edit the access control settings for the zone to which VPN clients will connect and enable the VPN service. Usually, this is the Untrusted zone.
Step 3. Create a zone where the servers connecting using a VPN will be placed.
In the Network ➜ Zones section, create a zone where the servers connecting via a VPN will be placed. This zone can later be used in security policies. As an example, a zone called VPN for Site-to-Site is created in the admin console.
Step 4. If required, create a firewall rule that allows traffic from the zone created earlier.
To grant VPN users access to certain network segments or, for example, the Internet, go to Network policies ➜ Firewall and create a firewall rule that allows traffic from the zone just created to the desired zones. In the admin console, there is a predefined rule named VPN for Site-to-Site to Trusted and Untrusted that allows all traffic from the zone VPN for Site-to-Site to the Trusted and Untrusted zones. This rule is disabled by default. To let the traffic pass to the client via the VPN tunnel from the desired server zone, you need to create an allowing firewall rule, specifying that zone as the source and, for example, VPN for Site-to-Site as the destination zone.
Step 5. Create an authentication profile if it is required.
If required, create an authentication profile for VPN users in the Users and devices ➜ Auth profiles section. The same authentication profile may be used that you use to authenticate users for Internet access. Note that transparent authentication methods such as Kerberos, NTLM, or SAML IDP cannot be used for VPN authentication. For more details on authentication profiles, see the Authentication Profiles section.
Step 6. Create a VPN security profile.
In the VPN security profile settings, the types and settings of encryption and authentication algorithms are defined. Multiple security profiles may be used for connecting to different client types. Security profiles for the VPN server and VPN client hosts are configured separately in the VPN section of the admin console. To create a VPN server security profile, go to VPN ➜ Server security profiles, click Add, and fill in these fields:
When IKEv1 is selected, the following fields are available:
When IKEv2 is selected, the following fields are available:
Next, the settings for the first and second phases of secure connection negotiation need to be configured. In the first phase, an IKE SA is negotiated and established. The authentication is done using a pre-shared key in the mode selected earlier. Provide the following settings:
In the second phase, the method for securing data in the IPsec connections is selected. You need to specify the following:
In the admin console, there is a predefined security profile named Site-to-Site VPN profile that provides the required settings. If you plan to use this profile, make sure to change the pre-shared encryption key when the IKEv1/IPsec protocols are used.
Step 7. Create a VPN interface.
A VPN interface is a virtual network adapter that will be used to connect VPN clients. This is a cluster-type interface, which means that it will be created automatically on all UserGate nodes included in a configuration cluster. If an HA cluster exists and problems are identified with the active server, VPN clients will be automatically switched to a backup server without terminating existing VPN connections. In the Network ➜ Interfaces section, click Add and select Add VPN. Provide the following settings:
As an example, there is a predefined VPN interface named tunnel2 in the admin console that is recommended for use as a site-to-site VPN interface.
Step 8. Create a VPN network.
A VPN network determines the network settings that will be used for connecting the client to the server. This is primarily the assignment of IP addresses to the clients inside the tunnel, the DNS settings, and the routes that will be passed to the clients that support the use of routes assigned to them. Multiple VPN networks may be used with different settings for different clients. To create a VPN network, go to VPN ➜ VPN networks, click Add, and fill in these fields:
As an example, there is a predefined network in the admin console named Site-to-Site VPN network with the default settings. To use this network, you need to add routes that will be passed to the client server. To allow the VPN server to know about the client's subnets, configure a static route on the server by specifying the VPN tunnel address used on the client server as the destination address.
Step 9. Create a VPN server rule.
Create a VPN server rule using the VPN network and VPN server security profile created earlier. To create the rule, go to VPN ➜ Server rules, click Add, and fill in these fields:
As an example, a server rule named Site-to-Site VPN rule is created in the admin console that provides the required settings for a site-to-site VPN, and VPN access is allowed for the members of the VPN servers local group. Important! To apply different server rules to different clients, use the Source zone and Source address settings. The Users setting does not govern the selection of a server rule, as the user is checked only after the VPN connection has been established.
VPN Client Host Configuration
Step 1. Create a zone where the interface used for VPN connections will be placed.
In the Network ➜ Zones section, create a zone where the interfaces used for VPN connections will be placed. This zone can later be used in security policies. As an example, a zone called VPN for Site-to-Site is created in the admin console.
Step 2. If required, create a firewall rule that allows traffic to the zone created earlier.
If required, create a firewall rule that allows traffic in the Network policies ➜ Firewall section. In the admin console, there is a predefined rule named VPN for Site-to-Site to Trusted and Untrusted that allows all traffic between the VPN for Site-to-Site, Trusted, and Untrusted zones. To let the traffic pass to the server via the VPN tunnel from the desired client server zone, you need to create an allowing firewall rule, specifying the desired source zone and destination zone, for example, VPN for Site-to-Site.
Step 3. Create a VPN security profile.
In the VPN security profile settings, the types and settings of encryption and authentication algorithms are defined. Multiple security profiles may be used for connecting to different client types. In the VPN section, security profiles are created for the VPN server and client. To create a VPN client security profile, go to VPN ➜ Client security profiles, click Add, and fill in these fields:
When IPsec L2TP is selected, the following fields are available:
When IPsec is selected, the following fields are available:
When IKEv2 with certificate is selected, the following fields are available:
Next, the settings for the first and second phases of tunnel negotiation need to be configured. In the first phase, an IKE SA is negotiated and established. The authentication is done using a pre-shared key in the mode selected earlier. Provide the following settings:
In the second phase, the method for securing data in the IPsec connections is selected. Specify the following parameters:
As an example, a profile named Site-to-Site VPN profile is created in the admin console that provides the required settings. If you plan to use this profile, make sure to change the pre-shared encryption key when the IPsec L2TP and IPsec protocols are used.
Step 4. Create a VPN interface.
A VPN interface is a virtual network adapter that will be used for VPN connections. This is a cluster-type interface, which means that it will be created automatically on all UserGate nodes included in a configuration cluster. If an HA cluster exists and problems are identified with the active server, VPN clients will be automatically switched to a backup server without terminating existing VPN connections. In the Network ➜ Interfaces section, click Add and select Add VPN. Provide the following settings:
As an example, a VPN interface named tunnel3 is created in the admin console that can be used for a client Site-to-Site VPN connection. Important! If you select the same example tunnel interface with the default settings in the VPN server and VPN client configuration sections, an IP address conflict will arise during the establishment of a client-to-server connection. For things to work correctly, the address ranges of the tunnel interfaces must not overlap. Make sure to set unique address ranges on the client and server.
Step 5. Create a VPN client rule.
Create a VPN client rule that will initiate a VPN server connection. To create the rule, go to VPN ➜ Client rules, click Add, and fill in these fields:
When the VPN server and client have been configured, the client initiates a connection to the server, and if the settings are correct, a VPN tunnel is brought up. To bring down the tunnel, disable the VPN client rule (set on the client) or the VPN server rule (set on the server).
Configuring Site-to-Site VPN Using CLI
This example shows the creation of a Site-to-Site VPN using the L2TP/IPsec protocols.
VPN Server Host Configuration
Step 1. Create a local user for the authentication of the VPN client server.
Use the following command:
Admin@nodename# create users user <parameters>
To learn more about the commands and parameters for creating local users using the CLI, see the Configuring Users article.
Here is an example command that creates a user named VPN-client 1 with the login vpn_client1 and adds the user to the VPN servers group:
Admin@nodename# create users user name "VPN-client 1" login vpn_client1 groups [ "VPN servers" ] enabled on
Step 2. Allow the VPN service in the zone to which VPN clients will connect.
To edit the zone parameters, use the following command:
Admin@nodename# set network zone <parameters>
To learn more about the commands and parameters for creating and editing zones using the CLI, see the article Zones.
Here is an example command that edits the Untrusted zone to allow the VPN service inside it:
Admin@nodename# set network zone Untrusted enabled-services [ VPN ]
Step 3. Create a zone where the servers connecting using a VPN will be placed.
To create a zone, use the following command:
Admin@nodename# create network zone <parameters>
To learn more about the commands and parameters for creating and editing zones using the CLI, see the article Zones.
Here is an example command that creates a zone called S2S_VPN:
Admin@nodename# create network zone name S2S_VPN enabled-services [ VPN ]
Step 4. If required, create a firewall rule that allows traffic from the zone created earlier to the desired network segment.
Firewall rules are created using a command that employs the UPL syntax:
Admin@nodename# create network-policy firewall <position> upl-rule <commands>
For more details on how to configure firewall rules using the CLI, see the Configuring Firewall Rules article.
An example of creating firewall rules that allow traffic from the zone S2S_VPN to the zone Zone1 is shown below. To let the traffic pass to the client in Zone1 from the desired server zone via the VPN tunnel, you also need to create an allowing firewall rule, specifying the desired source and destination zones.
Admin@nodename# create network-policy firewall 1 upl-rule PASS \
...src.zone = S2S_VPN \
...dst.zone = Zone1 \
...rule_log(session) \
...name("S2S_VPN to Zone1") \
...enabled(true)
Admin@nodename# create network-policy firewall 2 upl-rule PASS \
...src.zone = Zone1 \
...dst.zone = S2S_VPN \
...rule_log(session) \
...name("Zone1 to S2S_VPN") \
...enabled(true)
Step 5. Create an authentication profile for VPN users.
For more details on configuring authentication profiles using the CLI, see the Configuring Authentication Profiles article.
Here are example commands that create an LDAP authentication server named New ldap server for the domain test.local and an authentication profile named New profile:
Admin@nodename# create users auth-server ldap name "New ldap server" address 192.168.1.2 domains [ test.local ] bind-dn test@test.local password 12345 enabled on
Admin@nodename# create users auth-profile name "New profile" auth-methods ldap [ "New ldap server" ]
Step 6. Create a VPN server security profile.
To create a VPN server security profile, use the following command:
Admin@nodename# create vpn server-security-profiles <parameters>
For more details on configuring VPN security profiles using the CLI, see the Configuring VPN Security Profiles article.
Here is an example command that creates a VPN server security profile named "New VPN-server profile" for an L2TP/IPsec VPN:
Admin@nodename# create vpn server-security-profiles name "New VPN-server profile" ike-version 1 ike-mode main psk 12345 dh-groups [ "Group 2 Prime 1024 bit" "Group 14 Prime 2048 bit" ] phase1-security [ SHA1/AES256 SHA256/AES256 ] phase2-security [ SHA1/AES256 SHA256/AES256 ]
Repeat preshared key:
Admin@nodename#
Step 7. Create a VPN interface.
To create a VPN interface, use the following command:
Admin@nodename# create network interface vpn <parameters>
For more details on how to create a VPN interface using the CLI, see the Interfaces article.
Here is an example command that creates a VPN interface named tunnel4 belonging to the zone S2S_VPN:
Admin@nodename# create network interface vpn interface-name 4 zone S2S_VPN ip-addresses [ 172.30.251.1/24 ] enabled on
Step 8. Create a VPN network.
To create a VPN network, use the following command:
Admin@nodename# create vpn networks <parameters>
For more details on how to create a VPN network using the CLI, see the Configuring VPN Networks article.
Here is an example command that creates a VPN network named "New VPN network":
Admin@nodename# create vpn networks name "New VPN network" ip-range 172.30.251.2-172.30.251.200 mask 255.255.255.0 use-system-dns on routes-ip-list [ "Int net address" ]
Step 9. Create a VPN server rule.
VPN server rules are created using a command that employs the UPL syntax:
Admin@nodename# create vpn server-rules <position> upl-rule <commands>
For more details on how to create VPN server rules using the CLI, see the Configuring Server Rules article.
Here is an example command that creates a VPN server rule named "New VPN-server rule" using the following previously defined items: VPN server security profile "New VPN-server profile", VPN network "New VPN network", user authentication profile "New profile", VPN interface tunnel4, and VPN server external IP address list "Ext VPN address":
Admin@nodename# create vpn server-rules 1 upl-rule OK \
...name("New VPN-server rule") \
...profile("New VPN-server profile") \
...vpn_network("New VPN network") \
...auth_profile("New profile") \
...interface(tunnel4) \
...src.zone = Untrusted \
...dst.ip = lib.network("Ext VPN address") \
...user = (vpn_client1) \
...enabled(true)
VPN Client Host Configuration
Step 1. Create a zone where the interface used for VPN connections will be placed.
Here is an example command that creates a zone called S2S_VPN:
Admin@nodename# create network zone name S2S_VPN enabled-services [ VPN ]
Step 2. Create a firewall rule that allows traffic to the zone created earlier if it is required.
Here is an example of creating firewall rules for a zone named Zone2:
Admin@nodename# create network-policy firewall 1 upl-rule PASS \
...src.zone = S2S_VPN \
...dst.zone = Zone2 \
...rule_log(session) \
...name("S2S_VPN to Zone2") \
...enabled(true)
Admin@nodename# create network-policy firewall 2 upl-rule PASS \
...src.zone = Zone2 \
...dst.zone = S2S_VPN \
...rule_log(session) \
...name("Zone2 to S2S_VPN") \
...enabled(true)
Step 3. Create a VPN client security profile.
To create a VPN client security profile, use the following command:
Admin@nodename# create vpn client-security-profiles <parameters>
For more details on configuring VPN security profiles using the CLI, see the Configuring VPN Security Profiles article.
Here is an example command that creates a VPN client security profile named "New VPN-client profile" for an L2TP/IPsec VPN:
Admin@nodename# create vpn client-security-profiles name "New VPN-client profile" protocol ipsec2 ike-mode main psk 12345 authentication-login vpn_client1 authentication-password 12345 dh-groups [ "Group 2 Prime 1024 bit" "Group 14 Prime 2048 bit" ] phase1-security [ SHA1/AES256 SHA256/AES256 ] phase2-security [ SHA1/AES256 SHA256/AES256 ]
Repeat preshared key:
Admin@nodename#
Step 4. Create a VPN interface.
Here is an example command that creates a VPN interface named tunnel5 belonging to the zone S2S_VPN:
Admin@nodename# create network interface vpn interface-name 5 zone S2S_VPN iface-mode dynamic enabled on
Step 5. Create a VPN client rule.
VPN client rules are created using a command that employs the UPL syntax:
Admin@nodename# create vpn client-rules <position> upl-rule <commands>
For more details on how to create VPN client rules using the CLI, see the Configuring Client Rules section.
Here is an example command that creates a VPN client rule named "New VPN-client rule" using the following previously defined items: VPN client security profile "New VPN-client profile", VPN interface tunnel5, and VPN server IP address 10.10.0.1:
Admin@nodename# create vpn client-rules 2 upl-rule OK \
...name("New VPN-client rule") \
...profile("New VPN-client profile") \
...interface(tunnel5) \
...server_address("10.10.0.1") \
...enabled(true)
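Two points recur in the steps above: the tunnel address ranges on the server and client must not overlap and the client pool must fit inside the server tunnel subnet (server Steps 7 and 8, and the Important! note in client Step 4), and firewall rules are needed in both directions between the VPN zone and the internal zones (server Step 4, client Step 2). The following Python pre-flight check is an added example, not part of the UserGate documentation or product. It reuses the addresses from the CLI example (tunnel4 at 172.30.251.1/24 and the "New VPN network" range 172.30.251.2-172.30.251.200) and the zone name S2S_VPN; the client addresses, the rule list and its dict layout, and the function names are constructed for illustration.

```python
import ipaddress

# Server-side values taken from the CLI example on this page.
SERVER_TUNNEL = "172.30.251.1/24"                 # VPN interface tunnel4
SERVER_POOL = ("172.30.251.2", "172.30.251.200")  # "New VPN network" ip-range

# Constructed sample rule list (layout is an assumption, not a UserGate export).
SAMPLE_RULES = [
    {"name": "S2S_VPN to Zone1", "src_zone": "S2S_VPN", "dst_zone": "Zone1",
     "action": "PASS", "enabled": True},
    {"name": "Zone1 to S2S_VPN", "src_zone": "Zone1", "dst_zone": "S2S_VPN",
     "action": "PASS", "enabled": True},
    {"name": "S2S_VPN to Zone3", "src_zone": "S2S_VPN", "dst_zone": "Zone3",
     "action": "PASS", "enabled": True},
    # Return path exists but is disabled, like the predefined console rule.
    {"name": "Zone3 to S2S_VPN", "src_zone": "Zone3", "dst_zone": "S2S_VPN",
     "action": "PASS", "enabled": False},
]


def check_tunnel_plan(server_iface, pool, client_ifaces=()):
    """Return a list of address-plan problems; an empty list means the plan is consistent.

    server_iface:  server VPN interface address with prefix, e.g. "172.30.251.1/24"
    pool:          (first, last) addresses the VPN network hands out to clients
    client_ifaces: static tunnel addresses configured on client hosts; a client
                   in dynamic mode takes its address from the pool and needs no entry
    """
    iface = ipaddress.ip_interface(server_iface)
    net = iface.network
    first, last = (ipaddress.ip_address(a) for a in pool)
    problems = []
    if first > last:
        problems.append("pool start is after pool end")
    if first not in net or last not in net:
        problems.append("pool is not inside the server tunnel subnet")
    if first <= iface.ip <= last:
        problems.append("pool includes the server's own tunnel address")
    for c in client_ifaces:
        cnet = ipaddress.ip_interface(c).network
        if cnet.overlaps(net):
            problems.append(f"client tunnel {c} overlaps server tunnel {server_iface}")
    return problems


def missing_return_rules(rules, vpn_zone):
    """Zones that an enabled PASS rule lets vpn_zone reach, but that have no
    enabled PASS rule back into vpn_zone.  Disabled rules are ignored because,
    like the predefined console rule, they pass no traffic."""
    forward, back = set(), set()
    for r in rules:
        if r["action"] != "PASS" or not r["enabled"]:
            continue
        if r["src_zone"] == vpn_zone:
            forward.add(r["dst_zone"])
        if r["dst_zone"] == vpn_zone:
            back.add(r["src_zone"])
    return sorted(forward - back)


if __name__ == "__main__":
    print(check_tunnel_plan(SERVER_TUNNEL, SERVER_POOL))
    # A client that kept the server's default tunnel settings collides with it.
    print(check_tunnel_plan(SERVER_TUNNEL, SERVER_POOL, ["172.30.251.1/24"]))
    print(missing_return_rules(SAMPLE_RULES, "S2S_VPN"))
```

Run it before bringing the tunnel up: an overlap report corresponds to the IP address conflict described in client Step 4, and a zone listed by missing_return_rules is one whose hosts can be reached from the tunnel but cannot answer through it until the reverse rule is added and enabled.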