UTM/VPN/IPSec-S2E

12.6.2

Zuletzt aktualisiert:

12.5 12.4 12.2.5 12.2.3 11.8 11.7 11.6.12

1 -
		[[Datei: ]] 1


2 -
Name:	IPSec Roadwarrior	[[Datei: ]] 2
\|\| IKEv1 - Native \|\| : IKEv1 - XAuth IKEv1 - Native IKEv2 - Native IKEv1 - L2TP


– IKEv1 3 - - IKEv1
Local Gateway ID:		[[Datei: ]] 3 - IKEv1
	Pre-Shared Key

	RSA
X.509 : '
Privater RSA-Schlüssel:	IPSec Key
' *\|\| »192.168.250.0/24 \|\|*

– IKEv2 3 - - IKEv2
Local Gateway ID:		[[Datei: ]] 3 - IKEv2
	Pre-Shared Key

	RSA
	EAP-TLS '
X.509 : '
\|\| IPSec Key \|\|
\|\| 192.168.250.0/24 \|\|

– IKEv1 4 - - IKEv1
'	IPSec Key	[[Datei: ]] 4 - IKEv1
Remote Gateway ID: '	192.0.2.192
'	»192.168.22.35/24
'
'	192.168.222.35

– IKEv2 4 - - IKEv2
'	IPSec Key	[[Datei: ]] 4 - IKEv2
	192.168.22.35/24
'
	EAP-MSCHAPV2
	EAP-TLS
X.509 : '	IPSec Cert
' *\|\| IPSec \|\|*

		[[Datei: ]] [[Datei: ]]



		[[Datei: ]]
Name:	ngrp-IPSec-Roadwarrior
\|\| \|\|
\|\| 192.168.222.0/24 \|\|
Zone:	vpn-ipsec
\|\| \|\| Optional

#				NAT
4	internet	external-interface	ipsec		Accept
5	IPSec Roadwarrior	dmz1-network			Accept

IKEv1


Phase 1
VPN Phase 1
			[[Datei: ]]	[[Datei: ]]	[[Datei: ]]	[[Datei: ]]
\|\| Default \|\|
\|\| Outgoing \|\|
	Incoming
	Route
	Route
Ignore
' *\|\| \|\|*
Dead Peer Detection:
DPD Timeout:	30
\|\| 10 \|\|
Compression:


IKE IKE
	Default UTM	Default NCP Client	[[Datei: ]] 1	[[Datei: ]] 2
	»aes128	AES 128 Bit
	»sha2_256	Hash: SHA2 256 Bit
	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521

IKE :
Strict:
Strict:
	3
	1
IKE Rekeytime:	2
IKE Rekeytime:	notempty ike_lifetime = 2 ike_rekeytime = 0 ike_lifetime = 0 ike_rekeytime = 2 ---- ike_lifetime = 2 ike_rekeytime = 1 ike_lifetime =2 ike_rekeytime = 1
Rekeying:

Phase 2
VPN Phase 2
	Default UTM	Default NCP Client	[[Datei: ]] / IKEv1 / Roadwarrior	[[Datei: ]] / IKEv2 / Roadwarrior	[[Datei: ]] / IKEv1 / S2S	[[Datei: ]] / IKEv2 / S2S
	»aes128	AES 128 Bit
	»sha2_256	SHA2 256 Bit
	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521
\|\| 8 \|\|
\|\| Main Mode () \|\| Aggressive Mode (IKEv1)
\|\| \|\|

DHCP:


		[[Datei: ]]
\|\| 192.168.250.0/24 \|\|
	192.168.22.35/24


	' `root@firewall:~# swanctl --list-conns` `IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` `root@firewall:~# swanctl --list-conns` IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24 IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.193.0/24		[[Datei: ]]

	' `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24`		[[Datei: ]]

Troubleshooting

IKEv2


Phase 1
VPN Phase 1
			[[Datei: ]]	[[Datei: ]]	[[Datei: ]]	[[Datei: ]]
\|\| Default \|\|
\|\| Outgoing \|\|
	Incoming
	Route
	Route
Ignore
' *\|\| \|\|*
Dead Peer Detection:
DPD Timeout:	30
\|\| 10 \|\|
Compression:


IKE IKE
	Default UTM	Default NCP Client	[[Datei: ]] 1	[[Datei: ]] 2
	»aes128	AES 128 Bit
	»sha2_256	Hash: SHA2 256 Bit
	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521

IKE :
Strict:
Strict:
	3
	1
IKE Rekeytime:	2
IKE Rekeytime:	notempty ike_lifetime = 2 ike_rekeytime = 0 ike_lifetime = 0 ike_rekeytime = 2 ---- ike_lifetime = 2 ike_rekeytime = 1 ike_lifetime =2 ike_rekeytime = 1
Rekeying:

Phase 2
VPN Phase 2
	Default UTM	Default NCP Client	[[Datei: ]] / IKEv1 / Roadwarrior	[[Datei: ]] / IKEv2 / Roadwarrior	[[Datei: ]] / IKEv1 / S2S	[[Datei: ]] / IKEv2 / S2S
	»aes128	AES 128 Bit
	»sha2_256	SHA2 256 Bit
	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
	»ecp521	IKE DH-Gruppe: DH2 (modp1024)
Aktuelle Kombinationen:	aes128-sha2_256-ecp521
\|\| 8 \|\|
\|\| Main Mode () \|\| Aggressive Mode (IKEv1)
\|\| \|\|

DHCP:


		[[Datei: ]]
\|\| 192.168.250.0/24 \|\|
	192.168.22.35/24


	' `root@firewall:~# swanctl --list-conns` `IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` `root@firewall:~# swanctl --list-conns` IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24 IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.193.0/24		[[Datei: ]]

	' `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 192.168.219.0/24 remote: 192.168.192.0/24 192.168.193.0/24` `root@firewall:~# swanctl --list-conns IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s` `local: %any remote: 192.0.2.192 local pre-shared key authentication: id: 192.168.175.218 remote pre-shared key authentication: id: 192.0.2.192 IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.192.0/24 IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.218.0/24 remote: 192.168.193.0/24 IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart local: 192.168.219.0/24 remote: 192.168.192.0/24`		[[Datei: ]]

Troubleshooting

'

extc-Variable	Default
CONNECTION_RATE_LIMIT_TCP	0
CONNECTION_RATE_LIMIT_TCP_PORTS
CONNECTION_RATE_LIMIT_UDP	20 / 0
CONNECTION_RATE_LIMIT_UDP_PORTS		[ 1194 1195 ]


extc value get application securepoint_firewall spcli extc value get application securepoint_firewall \| grep RATE	application \|variable \|value --------------------+-------------------------------+----- securepoint_firewall \|… \|… \|CONNECTION_RATE_LIMIT_TCP \|0 \|CONNECTION_RATE_LIMIT_TCP_PORTS\| \|CONNECTION_RATE_LIMIT_UDP \|20 \|CONNECTION_RATE_LIMIT_UDP_PORTS\|
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0 system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ] system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ] system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20 system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0 system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ] system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ] system update rule
extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20 extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ] extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20 extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ] system update rule

– IKEv1

– IKEv2

– IKEv1

– IKEv2

IKEv1

Phase 1

IKE

Phase 2

Troubleshooting

IKEv2

Phase 1

IKE

Phase 2

Troubleshooting