NSE4_FGT-6.4 Fortinet NSE 4 – FortiOS 6.4 – FortiGate Firewall V6.4 Part 32
May 6, 2023

79. Lecture-79: Remote Access IPsec VPN Theory and Lab.

Now we can use the same topology to configure SSL VPN, but this time not a web portal. This time I want to encrypt my entire PC. Until now I have configured only, you know, what is called... I forgot the name: split tunneling. Unless you configure a split tunnel like this, they will encrypt the entire PC traffic; in SSL VPN we saw it limited to the web only. Okay? But this time we want to configure them to encrypt the entire traffic. For that purpose you need to install an application, FortiClient. So you will install FortiClient. That’s the difference between the web portal and FortiClient: the web portal doesn’t require anything to install. You just need a web browser, any web browser.

Like Google Chrome, Firefox, anything. Just type the IP, access the web portal and access the resources. But with FortiClient you need to install it. It means you need privileges to install an application on your mobile phone, on your laptop, on your desktop or whatever you want to access them from. That’s the only difference between these two. And also it will encrypt your entire PC; this one is only limited to the browser. So let’s go. Let me show you the same topology. Outside we are using the 192.168.0 range.

This is the internet. 100 is one PC on the internet. And we have a web server as well on the internet somewhere. And we have two servers inside. This one is playing the role of Telnet and web, HTTP and HTTPS, and also this one as well: .1 and .2. I need someone who, in this corona time, can access these resources through VPN and access their enterprise network in an encrypted way, so that nobody can see. They just need internet access and they just need an application to install on their system. Okay, so how can we configure it? So let’s go to VPN, and there is VPN > SSL-VPN Settings. We already did this VPN setting: from where the traffic will come, which port they will use, who is going to access this one. Okay. And this is the inactive session, client certificate. Okay, specify custom. Now I will change it. They will use "automatically assign" this range. But I say this one; they already created one for us, by the way. And the address is this, 110 two. So let’s use this one.

If you don’t like it, you can create your own as well. DNS they will use, and these are the bookmarks, and these users: which user will actually use this thing. Okay, and Apply. So this is the basic setting. Now let’s go to SSL-VPN Portals. So web-access only allows web access, but there is no need for an application to install. Tunnel-access means to make them a tunnel, which requires an application to install, but there will be no web mode access. And full-access has both. So why not use full-access? Either way we can create our own, by the way; it doesn’t mean we have to use these three. So full-access means this, the full access. They say "limit users to one SSL-VPN connection at a time" if you want that only one person can log in through the SSL portal, like the one we use right now, so you can limit them. The same user can log in multiple times, but anyway that is related to SSL. Now say tunnel mode. For tunnel mode, whenever you connect through VPN, any application basically creates... if I have, where is my one? This one, this one, PANGP, basically this is Palo Alto Networks. This one, VPN.

This one, GlobalProtect. Same thing: every firewall will create a virtual interface. And this virtual interface requires... "Virtual Ethernet Adapter" is written there. Every interface requires an IP address to connect, and that interface requires a range. So this is the range those interfaces will get, which is 10.212.x. It can be anything, by the way. So they say enable split tunneling. Split tunnel means: suppose this user, this is my user who is going to log in and will access these resources. This user from their house, in this corona and COVID-19 time, will access these resources. If I send no split tunnel, so suppose this user is also accessing these resources but at the same time wants to listen to a video, or wants to listen to music, or wants to watch a video. So what will they do? They will go into the browser and type, suppose, youtube.com. So if you don’t enable split tunnel, the traffic will come here; the tunnel is up to this point. Yeah, then this tunnel will send them to the internet; from the internet it will get the traffic and will give it to him. Now each and everything they access from this PC will be encrypted, even if they want to go to the internet.

So it means you have a lot of burden on the firewall. If every user, if you have 1000 users anywhere and they want to access it, nowadays in COVID-19, so what will they do? All the traffic will come to the firewall and then will go encrypted for YouTube. Because we don’t need a tunnel for YouTube videos, we need a tunnel for our internal resources. So what you can do, you can enable split tunnel, so that whenever this user is hitting this range, our enterprise network (maybe the enterprise network is mainly private ranges; mention those), if they are hitting this one, make a tunnel up to this point. If this user is going to YouTube, YouTube is not coming under this category, just split them and send them unencrypted. Don’t send to me, don’t put an extra burden on me. This is called split tunnel. So I say enable split tunnel, but routing address, which address? So I say my local subnet, if they are coming to 192.168.1, which is my internal range, and it can be many; just mention them, many things to do. And source IP pool: I just showed you the interface. It will create a virtual interface and the virtual interface needs an address.

So I say assign from this range, 10.212 something, whatever; you can change them. I already mentioned, just add it, and if you don’t like it, just give them, suppose, 1.1.1.0, suppose, and okay. Now this is the new subnet which they will get. It means 100 users can come. Another thing they are asking: allow client to save password. If you want, like this one, if I log in, so my user will be there. This Ambo is my colleague. Yeah, but if you say allow client to save, it will be saved here, and if they click it will connect automatically. But sometimes the user is directly connected and they are in the office; they are just wasting the... so that’s why it’s better not to allow the client to save the password. Allow client to connect automatically whenever they connect: this is also not a good idea. So uncheck. Allow client to keep connection alive, so they will connect automatically, is also not good. And DNS split: you can enable route, but you can enable split DNS as well.

Maybe the user has their own DNS. Host check: if you mention it, they will check the firewall. If the firewall is not enabled on the PC, they will not access our VPN, just for extra security, and real-time antivirus if they don’t have an antivirus, or both. But anyway I don’t want it, but in the real world you have to enable this one. So if the user has disabled the firewall, they will not access the VPN. So uncheck. Restrict to specific: somebody is trying to connect from a Windows XP system from home, so it’s not a good idea because they are using a very weak operating system. So you can put restrictions that at least they need Windows 8, and you can choose control and choose many Windows versions, like Windows 10, et cetera, but I don’t want it. Okay, enable web mode. We just check it, web mode. This is web mode related, because this is full-access; full-access can be used for both purposes. Okay, if you need a bookmark, enable FortiClient to download, and that’s it. We already discussed it. Okay, so this is already created a little bit; I modified them. Now let’s go to VPN > IPsec Wizard, and here SSL-VPN client... client-based client is enough, but remote access: choose remote access. You know, the remote user will log in to your firewall head-end and then they will access the resources. Client-based, and FortiClient will be required. Next: incoming interface, definitely WAN, from where it will come.

What is the pre-shared key? Just give them 123456, suppose. And which user will access these resources? VPN group, we already created, where two users are already there, VPN1 and VPN2, which are local. You can enable Active Directory as well, which we already discussed. Local interface: my local interface is LAN. Local addresses: I already created one, local subnet 192... This is just an object. And client address range. So client address range 1.1.1.0, I think, so 100 in full. And what is the subnet mask? Okay, sorry, subnet mask. Let me give them like this. DNS server, so they will use their own DNS. Enable IPv4 split tunnel, I told you, and allow endpoint registration if you want to register them. And next: save password, I already told you; how to connect is already mentioned; and always up, keep alive if you want. And next. So they already created the split tunnel. They created phase 1.

They created phase 2. They created the address range for you, and they also did endpoint registration, and create. Okay, so everything, they’ve done it already. Let’s see, did they create a policy for us or not? If not, then we have to create a policy as well. So let’s go. Okay, so they already did the policy as well. So no need of anything. I believe LAN to WAN and SSL VPN, if they have, I think so they’ve done it. If not, then if we cannot access, then I will check back. So they said that was client-based. Now let me go to the client, and for the client there are two ways: either log in through the web, which is VPN1, 123, and download the VPN client from here; we give them an option to download from here for Windows. Second, if you don’t have this one, go to any website, Google, and type FortiGate client, FortiGate client download, which is freely available on their website. So go to FortiClient VPN, like GlobalProtect, like Cisco AnyConnect; so they have their own. And let’s try download for Windows and download them. So you have two options: either that, or take your PC to IT support to install and give it to you ready-made. So click on this one, I download and click Run. Okay, so it will require some time. So this is not web-based, okay? You require a client to install, and when you install a client, it will create a new virtual interface. Keep in mind every firewall client has this concept; it’s similar. I have only two. After a while, when it is installed... let me give them some name. This is my WAN interface. And let me give this some other name so that I can show you. This is my LAN interface. After a while they will create a new interface, and when you connect successfully, that interface will get the 1.1.1 range which we assigned them. Okay? And let’s see, it will take some time to download the image and install. Up to that point, let’s go there. So, VPN. Go to VPN. Okay, so we created SSL VPN client, client-based, which we gave them the name.

By the way, interface binding: the traffic will come from WAN. State is inactive yet, and it has been used in two places, definitely in policies. Okay, which we created, this one. And these are the predefined ones; if you want to utilize this portal, and if you want to create your own, you can create your own as well, like my VPN. And if you need a tunnel, just choose tunnel. If you use a pool, suppose pool, if you want to allow access to anything. If you enable web mode as well.

If you say no, only this one, so it will be only one; the other will be disabled. My VPN: this is enabled, this is disabled, web mode. But if you say no, I need both on one policy, just enable web mode and color and everything, bookmarks, which we discussed, and okay; now both are enabled. So you can create your own template as well and utilize them. Or they already have three for you to use; you can use those as well. Okay, and for SSL VPN settings, you have to do some settings basically before you use the SSL VPN portal, either client-based VPN or clientless VPN, from the wizard or any other place. First you have to configure SSL-VPN Settings, like from where the traffic will come, change the port, and other things like idle time, et cetera. All these things need to be configured first. So let’s go there. So it’s still downloading, because this requires internet access to download from the internet, and then you will install this application. But if you don’t have the right... normally in an organization your PC will be under a domain. So you will require... because this is a workgroup. You will require authority to install, an authorization. So that’s why normally IT support will install it and give it to you, this one, this application.

Okay, so what else do I need to tell you? Okay, let’s go there. At least we need to discuss until it’s on. So there are basically two ways to configure: one is IPsec VPN and the other one is SSL VPN. IPsec tunnel, and this is HTTPS-based, which we call the SSL or TLS layer. IPsec can be used for FortiClient and also for FortiGate. On one side you need to install FortiClient; we are installing it, and the other side will be FortiGate, but you can use it for site-to-site VPN as well, so FortiGate on one side and FortiGate on the other side. But SSL VPN can only be used for web-based only. By the way, you can use this one as well: browser, FortiClient and FortiGate. Now we are doing this one, SSL web-based, and now we are doing FortiClient as well, SSL. So both can provide you configuration, but with SSL you cannot configure site-to-site. But with IPsec you can configure site-to-site. Here it can only give you web-based and FortiClient as well; that’s the difference between these two. It works from layer 4 to layer 7, and it only works on layer 3. Okay? It requires only a web browser if you are using it as SSL/TLS HTTPS. But if you are using it with FortiClient, then you need an application to install. So these are the two protocols to use. SSL, normally we call it tunnel mode as well, and it can be used for web mode or portal mode as well, which we just used in the last slide. Okay, and SSL can also be used for FortiClient as well. That’s the difference.

Let’s go there. It’s almost done. Okay, so let’s wait for a while. It will download FortiClient to install. Okay, we just need to click Next, Next, Next to install. It’s not difficult to install, but it’s better to show you. Okay? Because this application at least requires Windows 7 and above to work. Okay, so if you are trying it in a lab on Windows XP, it will not work, because it’s the updated one. So the updated one requires a minimum of Windows 7 to work. That’s why I use Windows 8 in this lab, so that I do not face any issue, because I checked that it’s not working. The old one is working anyway. So it’s come up, FortiClient. Okay, so accept, next, file location, just the default location, and install. Okay, so let’s see. It will take not more than two minutes to finalize it. Okay, this is only a one-time job to install this application on your system. If you are using Mac, then you require another application, the same FortiClient, but for Mac, and also for Linux. Even for mobile phones they have a different version. Okay, but I downloaded the Windows version. Okay, it’s almost done. Let’s see. After a while it will create an interface here, a virtual interface. Maybe they already created it. Let me refresh; if it is not yet here... my IP address is 192.168.0.100. Okay. And I have another interface, which I’m not using now, so it’s 169. But they will create a third interface, by the way, as well. Let me go there if anything.

Okay, so we already configured this one; the portal is there, and VPN > IPsec Tunnels. We already created one VPN tunnel, which is inactive right now, because nobody is connected here. Okay, so let’s go there. We are still waiting. And if you want to see the detail, view templates to see whatever we configured. So all the detail is here. And go back, return to see them. You can edit them if you want to edit some changes, anything. If you want to change, like this, the subnet they will assign, and the other group and everything they will use. Okay, so you can change as well from here. Now you see, before it was only LAN and WAN; now they created two more. It will make them one. After a while, every VPN does the same things, the client-based one. But client-based VPN... you say it was so easy, just type in the browser and access the resources. But the only thing was, you are only encrypted for only that browser. You are limited to that one. Okay, so just to show you, now it’s here, and after a while when I connect it will get a 1.1.1 IP automatically, which I will show you from here. Anyway, when you type ipconfig it will also show you here; now I have four interfaces showing. Okay, so it’s almost done; by the way, it takes much time. Yeah, so finish. Now there is the FortiClient application; this is the installation. Once you do this one, it will come here automatically.

The first time you have to create a profile, so acknowledge, accept, configure VPN. Which VPN are we using? We are using SSL VPN. Choose SSL and give them anything, like "SSL client based VPN"; just give them any name, a description if you want to give one. Remote gateway: so my remote gateway is 192.168.0.234; this is the public IP of our firewall, .234, which they will access. Customized port, by the way, they will use another port, but anyway. Single sign-on, we don’t need. No certificate, we are using... okay. Prompt on login, or save authentication if you want. If you have a valid certificate, we want you... so I say no, and save. Now this is the first time to create your profile, and now you can connect. So our user was VPN1 and the password was 123, and connect. So if there is nothing wrong in the configuration... so the credentials or SSL VPN configuration is wrong. Okay, so they say VPN1 and 123, this is our user, I think so, VPN1. So they say there is something wrong. So which one did we use? So let me see, we used VPN SSL one, or we used the other one.

So let’s go to... where is this one? So let me see which protocol we used. Okay, let me try; maybe we used IPsec. So let’s go back there and create, edit, add a new connection. Let me create IPsec: this one, "ipsecvpn", description nothing, and remote gateway 192.168.0.234 and pre-shared key 123456. I think we did not use this one. Prompt, and save. Let’s try this one. So VPN1 and 123. We have two protocols to use, either IPsec or... I can’t remember whether I configured it as SSL or I configured it as IPsec, so I created two different profiles. So I configured IPsec. So now it’s connected. It’s showing me that IPsec... look at this, the same IP, 1.1.1 range, and if you go to the interfaces, okay, you will see that interface will get an IP. Which one? This one. 1.1.1 IP. Look at it. And now I can access all the resources directly. No need to go to the browser; directly type the IP 192.168.1.1, this is the IP of my server. Yeah, it will open automatically. Look at admin, 123, and the web server is enabled there, and I can do Telnet directly, 192.168.1.1, and open. Yes. 123. Now we have an inside server. Do you think it is... I’m using Telnet and HTTP. No, it will be encrypted. If I go to this one, it will be IPsec. Look at this, so it’s going encrypted. There is no Telnet traffic before the firewall. No Telnet, but after the firewall there will be Telnet traffic. There is Telnet. You know, last time I opened these two Wiresharks. One Wireshark is open from here and one is after this one. So now the entire PC is encrypted and sending, and the traffic is here. And now I don’t need to go to the browser, the browser inside, to access this server. Now I can access these resources directly.

My entire PC is encrypted, and what is split tunnel now? So if I go to the internet, this traffic will not go to the browser, it will go directly. So this is not encrypted. And the other one is encrypted. If I have a Wireshark here, I can show you Wireshark. No, I thought to show you: when I’m sending Google traffic it will be TLS, because this is also HTTPS. But when I am accessing this one, this will be IPsec traffic, because I’m connected here. But if I disconnect, then Google is okay, but this server will not be accessible. Not anymore. Because I cannot access this. Look at this: "your connection is not interrupted"... It will not work. But as VPN2 user, or VPN1, if I click OK, so now these resources will be accessible after being connected. Now I am connected. And if you refresh it will open, because my PC is now encrypted and it’s open now. And if I can see the detail, there is one detail: which resources, the split tunnel detail, I want to show you. Okay. There is one place where we can see the detail.

Okay, it’s not showing. There was one place to see it, there in this setting. This is the backup, logs. No, it’s not showing. I thought there was one place to show you which subnet will be encrypted. But it’s not showing in this one. Let me see. No, this, exit. No, it’s okay; this is the application. Okay. And maybe right-click. I saw something here. There is something about shutdown, open client console. No. Anyway, now I can access the resources encrypted, but the entire system I don’t need. I can access any of my resources which are allowed by the firewall. It doesn’t mean that any user will access everything. Then you can put a restriction that from the VPN, if this user came, just allow them this IP only, not the entire... this IP. It’s up to you which rule you want to put. And now here you can see the traffic. It will be IPsec traffic. For that it will use... there is a protocol. There is another, this one. And now there is one, IPsec. Let me type IPsec. Maybe they will show me. I forgot the protocol name to show you from here. Okay. Anyway, so they said this was the full tunnel through IPsec, and also you can create a full tunnel through SSL as well. But anyway, it’s the same thing. Just to show you what is the difference between client-based and clientless VPN.
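The portal options the lecture walks through in the GUI (tunnel mode with split tunneling, the client-convenience settings left unchecked, host check, OS check, the SSL-VPN settings and the policy from the tunnel to the LAN) map onto the FortiOS 6.4 CLI below. This is an added example, not the lecturer's exported configuration; it assumes interfaces named "wan1" and "lan", the address object "local-subnet" (192.168.1.0/24), the user group "VPN" holding VPN1/VPN2, and the default pool "SSLVPN_TUNNEL_ADDR1". Check each keyword against the CLI reference of the build you run.

```fortios
# Added example: CLI equivalent of the SSL-VPN portal settings discussed above.
# Assumed names: wan1, lan, local-subnet, VPN group, SSLVPN_TUNNEL_ADDR1 pool.
config vpn ssl web portal
    edit "full-access"
        set tunnel-mode enable
        set web-mode enable
        # one concurrent login per user
        set limit-user-logins enable
        # addresses handed to the virtual adapter on the client
        set ip-pools "SSLVPN_TUNNEL_ADDR1"
        # only the internal range goes through the tunnel; YouTube goes direct
        set split-tunneling enable
        set split-tunneling-routing-address "local-subnet"
        # the three client conveniences the lecture argues against
        set save-password disable
        set auto-connect disable
        set keep-alive disable
        # require a running firewall and real-time antivirus on the endpoint
        set host-check av-fw
        # refuse unsupported operating systems such as Windows XP
        set os-check enable
        config os-check-list
            edit "windows-xp"
                set action deny
            next
        end
    next
end
config vpn ssl settings
    # replace the factory certificate with a CA-issued one in production
    set servercert "Fortinet_Factory"
    # interface the remote users arrive on, and the port moved off 443
    set source-interface "wan1"
    set source-address "all"
    set port 10443
    set idle-timeout 300
    set tunnel-ip-pools "SSLVPN_TUNNEL_ADDR1"
    # anyone not matched by a rule below only gets the web portal
    set default-portal "web-access"
    config authentication-rule
        edit 1
            set groups "VPN"
            set portal "full-access"
        next
    end
end
config firewall policy
    edit 10
        set name "sslvpn-to-lan"
        # traffic that arrives through the SSL-VPN tunnel interface
        set srcintf "ssl.root"
        set dstintf "lan"
        set srcaddr "SSLVPN_TUNNEL_ADDR1"
        # only the internal servers, not "all", as the lecture suggests
        set dstaddr "local-subnet"
        set groups "VPN"
        set action accept
        set schedule "always"
        # what the two lab servers actually expose
        set service "HTTP" "HTTPS" "TELNET"
        set logtraffic all
        set nat disable
    next
end
```

The policy is where the per-user restriction the lecture mentions lives: narrow `dstaddr` and `service` further for a group that should only reach one host.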
