




Dieser Artikel bezieht sich auf eine nicht mehr aktuelle Version!

Der Artikel für die neueste Version steht hier

Zu diesem Artikel gibt es bereits eine neuere Version, die sich allerdings auf eine Beta-Version bezieht




























































































12.6.2

Zuletzt aktualisiert:
    12.7.1
VPN Verbindungen





1 -
[[Datei: ]] 1
2 -
Name: IPSec Roadwarrior [[Datei: ]]
2
|| IKEv1 - Native || :
IKEv1 - XAuth
IKEv1 - Native
IKEv2 - Native
IKEv1 - L2TP


– IKEv1
3 - - IKEv1
Local Gateway ID:     [[Datei: ]]
3 - IKEv1
Pre-Shared Key
RSA
X.509 :

'
Privater RSA-Schlüssel: IPSec Key

' || »192.168.250.0/24 ||
– IKEv2
3 - - IKEv2
Local Gateway ID:     [[Datei: ]]
3 - IKEv2
Pre-Shared Key
RSA
EAP-TLS '
X.509 :
'
|| IPSec Key ||
|| 192.168.250.0/24 ||
– IKEv1
4 - - IKEv1

'
IPSec Key [[Datei: ]]
4 - IKEv1
Remote Gateway ID:
'
192.0.2.192

   

'
»192.168.22.35/24

'

'
192.168.222.35
  • – IKEv2
    4 - - IKEv2

    '
    IPSec Key [[Datei: ]]
    4 - IKEv2
    192.168.22.35/24

    '
    EAP-MSCHAPV2
    EAP-TLS
    X.509 :
    '
    IPSec Cert

    ' || IPSec ||


    [[Datei: ]]
    [[Datei: ]]
    [[Datei: ]]
    Name: ngrp-IPSec-Roadwarrior
    ||     ||
    || 192.168.222.0/24 ||
    Zone: vpn-ipsec
    ||     || Optional



    # NAT
    4 internet external-interface ipsec Accept
    5 IPSec Roadwarrior dmz1-network Accept






    IKEv1





    1. 2. 3.
    Abb.1 Abb.2 Abb.3
    Abbildungen






















































    {{var | DH-Gruppe (PFS) | DH-Gruppe (PFS): | DH-Group (PFS):





























    Phase 1
    VPN Phase 1


    [[Datei: ]] [[Datei: ]] [[Datei: ]] [[Datei: ]]
    ||
    Default ||
    || Outgoing ||
    Incoming
    Route
    Route
    Ignore

    ' || ||
    Dead Peer Detection:
  • DPD Timeout: 30
  • || 10 ||
    Compression:
    IKE
    IKE
    Default UTM Default NCP Client [[Datei: ]]
    1
    [[Datei: ]]
    2
    »aes128 AES 128 Bit
    »sha2_256 Hash: SHA2 256 Bit
    »ecp521 IKE DH-Gruppe: DH2 (modp1024)
    Aktuelle Kombinationen: aes128-sha2_256-ecp521
    IKE :
    Strict:
    3
    1
    IKE Rekeytime: 2




    ike_lifetime = 2
    ike_rekeytime = 0


    ike_lifetime = 0
    ike_rekeytime = 2

    ----


    ike_lifetime = 2
    ike_rekeytime = 1


    ike_lifetime = 2
    ike_rekeytime = 1
    Rekeying:
    Phase 2
    VPN Phase 2

    Default UTM Default NCP Client [[Datei: ]] / IKEv1 / Roadwarrior [[Datei: ]] / IKEv2 / Roadwarrior [[Datei: ]] / IKEv1 / S2S [[Datei: ]] / IKEv2 / S2S
    »aes128 AES 128 Bit
    »sha2_256 SHA2 256 Bit
    »ecp521 IKE DH-Gruppe: DH2 (modp1024)
    »ecp521 IKE DH-Gruppe: DH2 (modp1024)
    Aktuelle Kombinationen: aes128-sha2_256-ecp521
    || 8 ||
    || Main Mode () || Aggressive Mode (IKEv1)
  • || ||

  • DHCP:
    [[Datei: ]]
    || 192.168.250.0/24 ||

    192.168.22.35/24

    '


  • 
    

    root@firewall:~# swanctl --list-conns

    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
     local:  %any
     remote: 192.0.2.192
     local pre-shared key authentication:
       id: 192.168.175.218
     remote pre-shared key authentication:
       id: 192.0.2.192
     IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24 192.168.219.0/24
       remote: 192.168.192.0/24 192.168.193.0/24
    



    root@firewall:~# swanctl --list-conns

     IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
       local:  %any
       remote: 192.0.2.192
       local pre-shared key authentication:
         id: 192.168.175.218
       remote pre-shared key authentication:
         id: 192.0.2.192
       IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.218.0/24
         remote: 192.168.192.0/24
       IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.218.0/24
         remote: 192.168.193.0/24
       IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.219.0/24
         remote: 192.168.192.0/24
       IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.219.0/24
         remote: 192.168.193.0/24
    

    [[Datei: ]]
    '


    
    

    root@firewall:~# swanctl --list-conns
    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s

     local:  %any
     remote: 192.0.2.192
     local pre-shared key authentication:
       id: 192.168.175.218
     remote pre-shared key authentication:
       id: 192.0.2.192
     IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24 192.168.219.0/24
       remote: 192.168.192.0/24 192.168.193.0/24
    



    root@firewall:~# swanctl --list-conns
    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s

     local:  %any
     remote: 192.0.2.192
     local pre-shared key authentication:
       id: 192.168.175.218
     remote pre-shared key authentication:
       id: 192.0.2.192
     IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24
       remote: 192.168.192.0/24
     IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24
       remote: 192.168.193.0/24
     IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.219.0/24
       remote: 192.168.192.0/24
    

    [[Datei: ]]

    Troubleshooting


    IKEv2





    1. 2. 3.
    Abb.1 Abb.2 Abb.3
    Abbildungen






















































    {{var | DH-Gruppe (PFS) | DH-Gruppe (PFS): | DH-Group (PFS):





























    Phase 1
    VPN Phase 1


    [[Datei: ]] [[Datei: ]] [[Datei: ]] [[Datei: ]]
    ||
    Default ||
    || Outgoing ||
    Incoming
    Route
    Route
    Ignore

    ' || ||
    Dead Peer Detection:
  • DPD Timeout: 30
  • || 10 ||
    Compression:
    IKE
    IKE
    Default UTM Default NCP Client [[Datei: ]]
    1
    [[Datei: ]]
    2
    »aes128 AES 128 Bit
    »sha2_256 Hash: SHA2 256 Bit
    »ecp521 IKE DH-Gruppe: DH2 (modp1024)
    Aktuelle Kombinationen: aes128-sha2_256-ecp521
    IKE :
    Strict:
    3
    1
    IKE Rekeytime: 2




    ike_lifetime = 2
    ike_rekeytime = 0


    ike_lifetime = 0
    ike_rekeytime = 2

    ----


    ike_lifetime = 2
    ike_rekeytime = 1


    ike_lifetime = 2
    ike_rekeytime = 1
    Rekeying:
    Phase 2
    VPN Phase 2

    Default UTM Default NCP Client [[Datei: ]] / IKEv1 / Roadwarrior [[Datei: ]] / IKEv2 / Roadwarrior [[Datei: ]] / IKEv1 / S2S [[Datei: ]] / IKEv2 / S2S
    »aes128 AES 128 Bit
    »sha2_256 SHA2 256 Bit
    »ecp521 IKE DH-Gruppe: DH2 (modp1024)
    »ecp521 IKE DH-Gruppe: DH2 (modp1024)
    Aktuelle Kombinationen: aes128-sha2_256-ecp521
    || 8 ||
    || Main Mode () || Aggressive Mode (IKEv1)
  • || ||

  • DHCP:
    [[Datei: ]]
    || 192.168.250.0/24 ||

    192.168.22.35/24

    '


  • 
    

    root@firewall:~# swanctl --list-conns

    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
     local:  %any
     remote: 192.0.2.192
     local pre-shared key authentication:
       id: 192.168.175.218
     remote pre-shared key authentication:
       id: 192.0.2.192
     IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24 192.168.219.0/24
       remote: 192.168.192.0/24 192.168.193.0/24
    



    root@firewall:~# swanctl --list-conns

     IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s
       local:  %any
       remote: 192.0.2.192
       local pre-shared key authentication:
         id: 192.168.175.218
       remote pre-shared key authentication:
         id: 192.0.2.192
       IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.218.0/24
         remote: 192.168.192.0/24
       IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.218.0/24
         remote: 192.168.193.0/24
       IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.219.0/24
         remote: 192.168.192.0/24
       IPSec$20S2S_7: TUNNEL, rekeying every 28260s, dpd action is restart
         local:  192.168.219.0/24
         remote: 192.168.193.0/24
    

    [[Datei: ]]
    '


    
    

    root@firewall:~# swanctl --list-conns
    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s

     local:  %any
     remote: 192.0.2.192
     local pre-shared key authentication:
       id: 192.168.175.218
     remote pre-shared key authentication:
       id: 192.0.2.192
     IPSec$20S2S: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24 192.168.219.0/24
       remote: 192.168.192.0/24 192.168.193.0/24
    



    root@firewall:~# swanctl --list-conns
    IPSec$20S2S: IKEv2, reauthentication every 3060s, no rekeying, dpd delay 10s

     local:  %any
     remote: 192.0.2.192
     local pre-shared key authentication:
       id: 192.168.175.218
     remote pre-shared key authentication:
       id: 192.0.2.192
     IPSec$20S2S_4: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24
       remote: 192.168.192.0/24
     IPSec$20S2S_5: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.218.0/24
       remote: 192.168.193.0/24
     IPSec$20S2S_6: TUNNEL, rekeying every 28260s, dpd action is restart
       local:  192.168.219.0/24
       remote: 192.168.192.0/24
    

    [[Datei: ]]

    Troubleshooting
































    '



    extc-Variable Default
    CONNECTION_RATE_LIMIT_TCP 0
    CONNECTION_RATE_LIMIT_TCP_PORTS
    CONNECTION_RATE_LIMIT_UDP 20 / 0
    CONNECTION_RATE_LIMIT_UDP_PORTS [ 1194 1195 ]

    extc value get application securepoint_firewall

    spcli extc value get application securepoint_firewall | grep RATE

    application         |variable                       |value
    --------------------+-------------------------------+-----
    securepoint_firewall|…                              |…
                        |CONNECTION_RATE_LIMIT_TCP      |0
                        |CONNECTION_RATE_LIMIT_TCP_PORTS|
                        |CONNECTION_RATE_LIMIT_UDP      |20
                        |CONNECTION_RATE_LIMIT_UDP_PORTS|

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    system update rule
  • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 0
    system update rule
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    system update rule

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ ]
    system update rule
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    system update rule

  • extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 0
    system update rule
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ 1194 1195 ]
    system update rule

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule

    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_TCP_PORTS value [ 443 11115 ]
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP value 20
    extc value set application securepoint_firewall variable CONNECTION_RATE_LIMIT_UDP_PORTS value [ ]
    system update rule