Steps for configuring the branch office model: Part 1 (host-to-gateway with IPSec)
The branch office model part 1 consists of two networks whose IP connectivity relies on the Internet. The server is protecting traffic that originates from hosts outside the internal network, which at some point is routed over the Internet.
Before you begin
The following topics are covered in the discussion of this model:
- Host-to-gateway
- Gateway-to-gateway
- Autoactivation
- Command-line activation
- Using wildcards for location and identity
- Pre-shared key peer authentication
Figure 1 shows the branch office portion of the security model network.
Transport-mode IPSec is used exclusively for transporting encrypted data directly between two hosts. Tunnel-mode IPSec encapsulation must be used if one of the security endpoints is a security gateway routing traffic for any number of hosts. In the branch office model, there can be multiple hosts behind a security gateway that is providing the security mechanism for all hosts that are behind the security gateway. The base assumption is that the local secure server represents a single data endpoint and a single security endpoint, whereas the remote subnetwork represents multiple data endpoints which share a common security endpoint, namely the security gateway host. Traffic from the local server to the branch office gateway is IPSec protected, while traffic from the branch office gateway to the hosts behind the security gateway need not be encrypted or even filtered.
As in the previous models, a complete IP security policy defines the traffic that is allowed between the local server and the zone representing the branch office. However, the difference lies primarily in where the remote security endpoint is situated. In the previous examples, all of the IPSec protection was provided on a host-to-host basis. Each set of communicating endpoints had a single dynamic VPN that represented a secure channel of communication between two hosts, local and remote. In contrast, any scenario that involves an IPSec security gateway can require that one VPN carry traffic for multiple hosts. This difference is highlighted in this branch office example.
For this example, assume the following requirements to allow network communications from zone C, a branch office network (9.6.0.0/16), to a public IP address (9.3.3.3) on this host. The hosts on the branch office network connect to the Internet through the public branch office gateway server (9.5.5.5).
- Allow IKE traffic from branch office zone C to this host.
- Allow EE traffic from branch office zone C to an EE service running on this host, using a dynamic VPN with strong authentication and encryption. The VPN should be up when the stack initializes.
- Allow normal FTP traffic from branch office zone C to an FTP server
running on this host, using a dynamic VPN with strong authentication
and encryption. The VPN is command-line activated. Only one VPN should
be established to carry all FTP traffic. There will not be one VPN
per connection, but rather one Security Association will be negotiated
for all of the remote FTP clients. Restriction: Negotiating a single Security Association for multiple remote clients is possible only when the remote security endpoint is acting as a secure gateway.
- Peers authenticate themselves using the pre-shared key method.
Procedure
Perform the following steps to meet these requirements and configure part 1 of the branch office model.
Results
The following policy is a complete IP security policy for traffic from the local secure server to zone C, assuming that the reusable statements are included in the common IP security configuration file:
#-------------------------------------------------------
# Filter Policy for Secure Server
#-------------------------------------------------------
IpFilterPolicy
{
PreDecap off
FilterLogging on
AllowOnDemand no
IpFilterGroupRef ZoneC
}
#-------------------------------------------------------
# KeyExchange Policy for Secure Server
#-------------------------------------------------------
KeyExchangePolicy
{
KeyExchangeRuleRef ZoneC_KeyExRule1
}
#-------------------------------------------------------
# LocalDynVpn Policy for Secure Server
#-------------------------------------------------------
LocalDynVpnPolicy
{
LocalDynVpnGroupRef ZoneC_BranchOfficeVPNs
}
########################################################
# Connectivity Profile
# Secure Server To Zone C
#
# Server to Trusted Branch Office Network
#
########################################################
IpFilterGroup ZoneC
{
#-------------------------------------------------------
# Permitted Zone C traffic:
# Allow IKE traffic from the gateway IKE Server
# for branch office to this host.
#
# IKE (UDP port 500) - IKE negotiations
#-------------------------------------------------------
IpFilterRule Rule1C
{
IpSourceAddrRef PublicServerAddressA1
IpDestAddrRef BranchOfficeGateway
IpServiceRef IKE
IpGenericFilterActionRef permit
}
#-------------------------------------------------------
# IPSec-protected Zone C traffic:
#
# Enterprise Extender (ports 12000-12004)
# FTP Server - SubnetC to PublicServerAddressA
#-------------------------------------------------------
IpFilterRule Rule2C
{
IpSourceAddrRef PublicServerAddressA1
IpDestAddrSetRef SubnetC
IpServiceRef Enterprise-Extender
IpServiceGroupRef FTPServer
IpGenericFilterActionRef ipsec
IpDynVpnActionRef Gold-TunnelMode
IpLocalStartActionRef StartZoneC
}
}
IpLocalStartAction StartZoneC
{
AllowOnDemand yes
RemoteSecurityEndpointRef ZoneC_IKED
}
KeyExchangeRule ZoneC_KeyExRule1
{
LocalSecurityEndpointRef Public_IKED
RemoteSecurityEndpointRef ZoneC_IKED
KeyExchangeActionRef Gold-PSK
}
#--------------------------------------------------------
# Zone C LocalDynVpnRules
#
# Setup SAs for EE traffic from branch office zone C to
# EE (UDP ports 12000-12004).
#--------------------------------------------------------
LocalDynVpnGroup ZoneC_BranchOfficeVPNs
{
LocalDynVpnRule ZoneC_VPN-EE1
{
LocalIpRef PublicServerAddressA1
RemoteIpSetRef SubnetC
LocalDataPort 12000
RemoteDataPort 12000
Protocol UDP
AutoActivate Yes
}
LocalDynVpnRule ZoneC_VPN-EE2
{
LocalIpRef PublicServerAddressA1
RemoteIpSetRef SubnetC
LocalDataPort 12001
RemoteDataPort 12001
Protocol UDP
AutoActivate Yes
}
LocalDynVpnRule ZoneC_VPN-EE3
{
LocalIpRef PublicServerAddressA1
RemoteIpSetRef SubnetC
LocalDataPort 12002
RemoteDataPort 12002
Protocol UDP
AutoActivate Yes
}
LocalDynVpnRule ZoneC_VPN-EE4
{
LocalIpRef PublicServerAddressA1
RemoteIpSetRef SubnetC
LocalDataPort 12003
RemoteDataPort 12003
Protocol UDP
AutoActivate Yes
}
LocalDynVpnRule ZoneC_VPN-EE5
{
LocalIpRef PublicServerAddressA1
RemoteIpSetRef SubnetC
LocalDataPort 12004
RemoteDataPort 12004
Protocol UDP
AutoActivate Yes
}
#-------------------------------------------------------
# Setup SAs for FTP traffic from branch office zone C
# to an FTP server running on this host using a dynamic
# vpn (TCP port 20, 21).
#-------------------------------------------------------
LocalDynVpnRule ZoneC_VPN-FTP-Data
{
LocalIpRef PublicServerAddressA1
RemoteIpSetRef SubnetC
LocalDataPort 20
RemoteDataPort 0
Protocol TCP
AutoActivate Yes
}
LocalDynVpnRule ZoneC_VPN-FTP-Control
{
LocalIpRef PublicServerAddressA1
RemoteIpSetRef SubnetC
LocalDataPort 21
RemoteDataPort 0
Protocol TCP
AutoActivate Yes
}
}