Asynchronous routing
- Updated to Redesign of the webinterface
Initial situation
Many service providers require their own VPN router for connecting to their own server landscape, which establishes a secure connection to it and through which the connections are routed.
There are various approaches for implementation in the customer network. This article discusses the problems of such an implementation and gives a suggestion for optimal integration in customer networks.
Routing issues
If the router is simply included in the internal network, then initially a routing problem arises:
Connections to the third-party network must go through this router. Local routing on the network devices is not an option. Routing via the firewall is also problematic.
When establishing a TCP connection, this results in asynchronous routing:
If such a connection is initiated by a device, the SYN packet of the TCP three-way handshake is first routed to the UTM and then via the third-party router. The SYN/ACK packet of the responder from the third-party network, on the other hand, is delivered by the router directly to the initiator and not via the UTM. The third packet of the three-way handshake (ACK) goes via the UTM again and is discarded there by the packet filter due to an implausible status (stateful inspection).
Zero trust issue
Even if the routing problems described above could be solved or circumvented, the connections to the third-party network are beyond the control of the UTM (virus scanner, web filter, port filter, ...), which is not acceptable in an untrusted network. Therefore, integration into existing customer networks should not be considered.
Solutions
All the problems described can be solved by placing the router in a separate subnet at the UTM and establishing a transfer network. In principle, this is possible with any UTM appliance from Securepoint. All that is needed is another free Ethernet interface or VLAN interface.
Approach
- Prerequisites:
- Specify an internal network 10.0.0.0/24 on LAN2.
- There is another interface available on the UTM that has not been used yet (LAN3)
- Objective:
- A service provider's router is to be used to connect to a private subnet 172.16.0.0/16
- Approach:
- The unused interface (LAN3) should get the subnet 10.0.1.0/24 with the IP 10.0.1.1
- The router of the service provider receives the IP 10.0.1.100
- To simplify the integration of the router, the UTM should serve as a DHCP server in this subnet.
For this purpose, a fixed lease is to be configured for the router interface with the IP 10.0.1.100
Network configuration
| Caption | Value | Description | UTMuser@firewall.name.fqdnNetzwerkNetwork configuration  Configuration of DMZ interface
|
|---|---|---|---|
| IP addresses: | » ✕10.0.1.1/24 | For the configuration of LAN3 the network configuration is opened under and then the interface LAN3 for editing . Under "IP addresses" the IP 10.0.1.1/24 is now entered and saved. | |
Create DHCP poolEs wird ein DHCP-Pool für dynamische Adressen vergeben. | |||
| Name: | dmz-pool | Pool name | UTMuser@firewall.name.fqdnNetzwerk  Configured DHCP pool
UTMuser@firewall.name.fqdnNetzwerkNetwork configuration
 Step 1  Step 2  Step 3
|
| Pool starting address: | First IP address that can be assigned via DHCP | ||
| Pool ending address: | Last IP address that can be assigned via DHCP | ||
| Step 2 | |||
| Nameserver: | The UTM itself serves as the name server, i.e. the IP of the associated interface | ||
| Step 3 | |||
| Router | The UTM itself serves as the router, i.e. the IP of the associated interface | ||
Add leaseIn the Static DHCP tab, the button adds a fixed lease for the router. | |||
| Host: | Router | Name for the host (for clear classification) | UTMuser@firewall.name.fqdnNetzwerkNetwork configuration  Static IP address for the service provider's router
|
| Ethernet | __:__:__:__:__:__ | MAC address of the service provider router | |
| IP: | Static IP address for the service provider's router to be assigned via DHCP. | ||
Add routeThe UTM must have a route into the service provider's network through this router. | |||
| Source network: | It is not necessary to specify a source network. | UTMuser@firewall.name.fqdnNetzwerkNetwork configuration 
| |
| Gateway Type: | IPSchnittstelle | Der Typ des Gateways | |
| Gateway: | IP of the service provider's router | ||
| Target network | Network IP of the service provider with subnet mask | ||
| Weight | 0 |
||
RulebookTwo network objects are needed to design the rule book. | |||
| Name: | Service provider router | Freely selectable name | UTMuser@firewall.name.fqdnFirewall  Network object for the router
|
| Type: | |||
| Address | IP address assigned as a static lease via DHCP to the service provider's router. | ||
| Zone: | |||
| Groups: | Optional. If necessary, the network object groups can be added | ||
| For the service provider's network: | |||
| Name: | Service provider network | Freely selectable name | UTMuser@firewall.name.fqdnFirewall  Network object for the network
|
| Type: | |||
| Address | Network IP of the private network to which the VPN tunnel connects, which is established by the service provider's router. | ||
| Zone: | |||
| Groups: | Optional. If necessary, the network object groups can be added | ||
Port filter rules
The required port filter rules depend on which VPN method the router uses and which services are required within the secured connection.
Assumptions for this example:
- The connection is established via IPSec
- In the service provider's network, various terminal servers are to be reached via the RDP protocol
| # | Quelle | Target | Service | NAT | Action | Active | |||
| Enable IPSec connection |  |
4 |  Service provider router |
 internet |
 ipsec |
HN | Accept | On | |
| DNS release, so the router can address its VPN server via a host name | |
5 | Service provider router |
 dmz1-interface |
dns |
Accept | On | ||
| Access to the service provider's network | |
6 |  internal-network |
Service provider network |
 ms-rdp |
Accept | On | ||
Summary
By integrating the service provider router into the DMZ, all of the routing issues described above were eliminated while maintaining control over all connections into and out of its own network.