Note: This article refers to a version that is no longer current. A newer version of this article exists, but it refers to a reseller preview.

Configuration of SSL-VPN site-to-site connections
Last adaptation to the version: 11.8.7
New:
  • Default value for the encryption algorithm changed
  • Default value for the hash method changed
This article refers to a reseller preview.

Access: UTM-IP:Port or UTM-URL:Port
Port as configured at Network / Appliance Settings / Webserver
Default port: 11115
e.g.: https://utm.ttt-point.de:11115
Default: https://192.168.175.1:11115
Menu: → VPN → SSL-VPN

Introduction

SSL-VPN can also be used to establish site-to-site connections. Because each end of such a connection needs its own instance of the service running explicitly in client or server mode, several instances of the SSL-VPN service can be created on one UTM.

Site-to-Site Server

This mode is used when the remote site is the initiator of the connection. The service on this UTM must be started explicitly in server mode.

Site-to-Site Client

This mode is used when the UTM itself is the initiator of the connection. The service must be started explicitly in client mode.

Site-to-site server configuration

For the S2S server setup, a CA, a server certificate and a client certificate are required.


SSL-VPN connection

Set up the connection in the menu → VPN → SSL-VPN with the button Add SSL-VPN connection.

Installation wizard

Step 1

Installation step 1

In installation step 1 the connection type is selected. The following types are available:

  • Roadwarrior Server
  • Site-to-Site Server
  • Site-to-Site Client

For the configuration of the site-to-site server, Site-to-Site Server is selected.

Step 2

Installation step 2

If a local IPv6 network is to be connected, the option Use IPv6 over IPv4: must be set to Yes.


Step 3

Installation step 3: local settings for the site-to-site server

Caption: Value    Description
Name: S2S-server    Unique name
Protocol: UDP    Desired protocol
Server certificate: Server-certificate    Selection of the certificate with which the server authenticates itself

If a server certificate does not yet exist, it can be created in the certificate management (and, if necessary, a CA as well). Open the certificate management and:

  • Create a CA in the CA tab using the Add CA button.
  • Create a server certificate in the Certificates tab using the Add certificate button.
    Please note: Server certificate: must be enabled.
  • Create the client certificate using the Add certificate button.

Both certificates must be created with the same CA!
The client certificate and the associated CA are also needed to configure the remote site (client). They must be exported from the certificate management with the export button; for use with a UTM as client, the PEM format is required.

Further notes can be found in the wiki article on the use of certificates.

Share server networks: » 192.168.175.0/24    Network located at this appliance (VPN server) that is to be reachable via SSL-VPN.
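The certificate requirements of step 3 (one CA, a server certificate with the server flag, a separate client certificate per remote site, PEM export) as an added, stand-alone shell example using openssl. This is not Securepoint's code and does not touch the UTM's certificate management; it only reproduces the same certificate set so that the requirements can be checked outside the GUI. The names S2S-server and CC-S2S-Client-Network1 are taken from the article; the CA name S2S-CA, the RSA key size, the validity periods and the output directory are assumptions.

```shell
#!/bin/sh
# Added example, not Securepoint code: build and check the S2S certificate set with openssl.
# Assumed: CA name S2S-CA, RSA 2048, lifetimes 3650/1095 days, directory given as $1.
set -eu

# make_s2s_pki DIR: CA, server certificate (server flag = serverAuth EKU) and one
# client certificate, all signed by the same CA, written as PEM files into DIR.
make_s2s_pki() {
    dir=$1
    mkdir -p "$dir"
    umask 077   # private keys must not be readable by other users

    # 1. CA ("Add CA" in the CA tab): self-signed and explicitly marked as a CA
    openssl req -newkey rsa:2048 -nodes -subj "/CN=S2S-CA" \
        -keyout "$dir/ca.key" -out "$dir/ca.csr" 2>/dev/null
    printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
        > "$dir/ca.ext"
    openssl x509 -req -in "$dir/ca.csr" -signkey "$dir/ca.key" -days 3650 \
        -extfile "$dir/ca.ext" -out "$dir/ca.crt" 2>/dev/null

    # 2. server certificate ("Add certificate" with Server certificate: enabled)
    issue_cert "$dir" S2S-server server serverAuth
    # 3. client certificate for exactly one remote site (never reuse it elsewhere)
    issue_cert "$dir" CC-S2S-Client-Network1 client clientAuth
}

# issue_cert DIR CN FILEBASE EKU: end-entity certificate signed by the CA in DIR.
issue_cert() {
    dir=$1; cn=$2; base=$3; eku=$4
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$cn" \
        -keyout "$dir/$base.key" -out "$dir/$base.csr" 2>/dev/null
    printf 'basicConstraints=CA:FALSE\nkeyUsage=digitalSignature,keyEncipherment\nextendedKeyUsage=%s\n' \
        "$eku" > "$dir/$base.ext"
    openssl x509 -req -in "$dir/$base.csr" -CA "$dir/ca.crt" -CAkey "$dir/ca.key" \
        -CAcreateserial -days 1095 -extfile "$dir/$base.ext" -out "$dir/$base.crt" 2>/dev/null
}

# has_eku CERT TEXT: true if the certificate's extended key usage contains TEXT.
has_eku() {
    openssl x509 -in "$1" -noout -text | grep -q "$2"
}

# verify_s2s_pki DIR: the checks to run before exporting to the client UTM.
# Returns 0 if the set matches the article's requirements, 1 otherwise.
verify_s2s_pki() {
    dir=$1
    # both end-entity certificates must chain to the same CA
    openssl verify -CAfile "$dir/ca.crt" "$dir/server.crt" >/dev/null 2>&1 || return 1
    openssl verify -CAfile "$dir/ca.crt" "$dir/client.crt" >/dev/null 2>&1 || return 1
    # the server certificate carries the server flag, the client certificate does not
    has_eku "$dir/server.crt" "TLS Web Server Authentication" || return 1
    has_eku "$dir/client.crt" "TLS Web Client Authentication" || return 1
    has_eku "$dir/client.crt" "TLS Web Server Authentication" && return 1
    # what is exported to the client UTM (CA, client certificate, client key) must be PEM
    for f in ca.crt client.crt client.key; do
        grep -q -- '-----BEGIN' "$dir/$f" || return 1
    done
    return 0
}

# Usage: sh s2s-pki.sh demo   (builds ./s2s-pki and reports the result)
if [ "${1:-}" = "demo" ]; then
    make_s2s_pki ./s2s-pki
    verify_s2s_pki ./s2s-pki && echo "PKI ok: export ca.crt, client.crt and client.key to the client UTM"
fi
```

verify_s2s_pki fails when a certificate was signed by a different CA, when the server certificate lacks the server flag, or when the client certificate carries it, which are the mistakes the notes above warn against.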



Step 4

Installation step 4

In installation step 4, the transfer network for the site-to-site server is entered.

Caption: Value    Description
Transfer network: 192.168.190.0/24    A network address must be specified that is not used in any network of the involved appliances; the tunnel addresses of both ends are taken from it.
Server tunnel address: /32    Determined automatically (the first address of the transfer network).
IPv4 client tunnel address: /24    Determined automatically.



Step 5

Installation step 5

Caption: Value    Description
Name: S2S-client    Generated automatically from the name defined in step 3
Client certificate: CC-S2S-Client-Network1    Certificate of the client network
Share client networks: » 192.168.174.0/24    Networks of the remote site that are to be shared (enter by clicking into the box and then typing).

The selected certificate should not be used for any other client or network, since the server identifies this remote site and its shared networks by this certificate.



Other client remote sites

Overview of SSL-VPN connections

Additional remote sites that are to be connected via this site-to-site server can be added with the add button in the overview. The remote sites of a server are displayed by clicking on the folder icon.


Rulebook

Implied rules

Under → Firewall → Implied Rules, section VPN, the protocol used for the connection can be enabled; here SSL-VPN UDP: On. This implied rule opens the port used for SSL-VPN connections on the WAN interface. Enable only the protocol that is actually configured on the server (UDP or TCP), so that no unused port is exposed.


Network objects

When the connection was set up, a TUN interface was created. It automatically receives the first IP address of the transfer network configured in the connection and is placed in a zone "vpn-ssl-<servername>". To be able to reach the client network of the remote site, a network object must be created for it.
The TUN interface of the site-to-site client also receives an IP address from this transfer network; it serves as the gateway to the subnet of the site-to-site client. The client's subnet is created as a network object and is located in the zone of the associated TUN interface.

Network object for the client network
Caption: Value    Description
Name: sslvpn-S2S-client-network    Freely selectable name
Type: VPN network    If only a single host in the client network is to be shared, VPN host can be selected instead.
Address: 192.168.174.0/24    The network address that was shared as the client network in step 5. If several client networks were shared, a separate network object must be created for each of them; the objects can then be combined into a group.
Zone: vpn-ssl-S2S-Server    The zone on the S2S server through which the S2S client network is reached.
Group:    Optional

Save


Portfilter rules

Menu → Firewall → Portfilter, tab Portfilter, button Add Rule

Two rules allow access to and from the S2S client network:

Caption: Value    Description
1. Rule
Source: sslvpn-S2S-client-network    Inbound rule
Destination: internal-network
Service: required service
2. Rule
Source: internal-network    Outbound rule
Destination: sslvpn-S2S-client-network
Service: required service

Only the services that are actually needed should be allowed in both rules; allowing all services turns the tunnel into one flat network spanning both sites.


Routes

The routes are set automatically.

However, when VoIP is used through the tunnel, routes should be set explicitly to ensure that the phones reliably reach the PBX.

Route to the remote site

Menu → Network → Network configuration, tab Routing, button Add route. A route should be set so that the network of the remote site is always reachable.

Caption: Value    Description
Gateway interface: tun0    The TUN interface that was created when the connection was set up must be specified here.
Target network: 192.168.174.0/24    The network of the remote site (S2S client)

Site-to-site client configuration

SSL-VPN connection

Installation wizard

For the S2S client setup, the CA and the client certificate that were created and exported on the S2S server are required.


Step 1

Installation step 1

In installation step 1 the connection type is selected. The following types are available:

  • Roadwarrior Server
  • Site-to-Site Server
  • Site-to-Site Client

For the configuration of the site-to-site client, Site-to-Site Client is selected.

Step 2

Installation step 2

If a local IPv6 network is to be connected, the option Use IPv6 over IPv4: must be set to Yes.

Step 3

Installation step 3

Local settings for the site-to-site client are made in step 3: a name for the connection, the protocol and the client certificate. The button with the window icon next to the certificate field opens the certificate management, where the CA and the certificate can be imported.

Caption: Value    Description
Name: S2S-client    Unique name
Protocol: UDP    Desired protocol. The same protocol as on the site-to-site server must be selected.
Client certificate: Client certificate    Selection of the certificate with which the client authenticates itself. This must be the same certificate that was selected as the client certificate in step 5 of the site-to-site server.

Import in the certificate management:

  • Tab CA, button Import CA: import the CA exported from the S2S server.
  • Tab Certificates, button Import certificate: import the client certificate created on the S2S server.

Step 4

This installation step is omitted for the site-to-site client.


Step 5

Installation step 5

In step 5, the public IP address of the remote gateway or the SPDyn (dynamic DNS) address of the site-to-site server is entered as the remote site.

The port is appended to the address, separated by a colon (address:port). If port 1194 is used, the port can be omitted.


Rulebook

Implied rules

Since the site-to-site client initiates the connection to the S2S server, and outgoing connections from the firewall itself are allowed by default, no implied rule is necessary on the client side.


Network objects

Network object for the server network
Caption: Value    Description
Name: sslvpn-S2S-server-network    Freely selectable name
Type: VPN network    If only a single host in the server network is to be shared, VPN host can be selected instead.
Address: 192.168.175.0/24    The network shared as the server network. If several server networks were shared, a separate network object must be created for each of them; the objects can then be combined into a group.
Zone: vpn-ssl-S2S-client    The zone on the S2S client through which the S2S server network is reached.
Group:    Optional



Portfilter rules

Portfilter rules on the S2S client

Menu → Firewall → Portfilter, tab Portfilter, button Add rule (+)

Two rules allow access from the internal network to the S2S server network and vice versa:

Caption: Value    Description
1. Rule
Source: internal-network    Outbound rule
Destination: sslvpn-S2S-server-network
Service: required service
2. Rule
Source: sslvpn-S2S-server-network    Inbound rule
Destination: internal-network
Service: required service

Only the services that are actually needed should be allowed in both rules.


Routes

The routes are set automatically.

However, when VoIP is used through the tunnel, routes should be set explicitly to ensure that the phones reliably reach the PBX.

Route on the S2S client to the network of the remote site (the S2S server)

Menu → Network → Network configuration, tab Routing, button Add route

Caption: Value    Description
Gateway interface: tun0    The TUN interface that was created when the connection was set up must be specified here.
Target network: 192.168.175.0/24    The network of the remote site (S2S server)

Note

Encryption

By default, AES128-CBC is used. The encryption algorithm can be changed in the server and/or client profile.

The parameters must be identical on the server and client side; otherwise no data transfer is possible.

Hash method

By default, SHA256 is used as the hash method. It can be changed in the server and/or client profile.

The parameters must be identical on the server and client side; otherwise no data transfer is possible.
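To make the "must be identical" requirement of the Encryption and Hash method notes (and the "same protocol" and "port 1194 may be omitted" notes of the client steps 3 and 5) checkable before the tunnel is brought up, here is an added shell example, not Securepoint's code, that compares protocol, port, encryption algorithm and hash method of a server and a client profile. It assumes the profiles are written with OpenVPN directive names (proto, port, remote, cipher, auth), because the UTM's SSL-VPN is driven by the openvpn command shown in the Multipath section; the UTM's actual profile file format is not shown in the article. The sample profiles are constructed here from the article's defaults and the hostname utm.ttt-point.de from its header.

```shell
#!/bin/sh
# Added example, not Securepoint code: compare the parameters the article says must be
# identical on both ends (protocol, port, cipher, hash) between two profile files.
# Assumption: OpenVPN directive syntax; the UTM's own profile format is not on the page.

# directive FILE KEY: value of a directive ("cipher AES-128-CBC" -> "AES-128-CBC").
directive() {
    awk -v key="$2" '$1 == key { print $2; exit }' "$1"
}

# server_port FILE: "port <n>", or 1194 when the directive is absent.
server_port() {
    p=$(directive "$1" port)
    echo "${p:-1194}"
}

# client_port FILE: the port in "remote <host> <port>", or 1194 when omitted
# (the article notes the port may be left out when 1194 is used).
client_port() {
    p=$(awk '$1 == "remote" { print $3; exit }' "$1")
    echo "${p:-1194}"
}

# check_profiles SERVER CLIENT: returns 0 when both sides agree, otherwise prints the
# first mismatch and returns 1 (no data transfer would be possible with that pair).
check_profiles() {
    srv=$1; cli=$2
    for key in proto cipher auth; do
        a=$(directive "$srv" "$key"); b=$(directive "$cli" "$key")
        if [ "$a" != "$b" ]; then
            echo "mismatch: $key server=$a client=$b"
            return 1
        fi
    done
    if [ "$(server_port "$srv")" != "$(client_port "$cli")" ]; then
        echo "mismatch: port server=$(server_port "$srv") client=$(client_port "$cli")"
        return 1
    fi
    echo "ok: $(directive "$srv" proto)/$(server_port "$srv") $(directive "$srv" cipher) $(directive "$srv" auth)"
    return 0
}

# write_samples DIR: constructed sample profiles with the article's defaults
# (UDP, AES-128-CBC, SHA256) and one client whose hash was changed on one side only.
write_samples() {
    dir=$1
    cat > "$dir/server.conf" <<'EOF'
dev tun
proto udp
port 1194
cipher AES-128-CBC
auth SHA256
EOF
    cat > "$dir/client-ok.conf" <<'EOF'
client
dev tun
proto udp
remote utm.ttt-point.de 1194
cipher AES-128-CBC
auth SHA256
EOF
    cat > "$dir/client-bad.conf" <<'EOF'
client
dev tun
proto udp
remote utm.ttt-point.de
cipher AES-128-CBC
auth SHA512
EOF
}

# Usage: sh check-profiles.sh demo
if [ "${1:-}" = "demo" ]; then
    d=$(mktemp -d)
    write_samples "$d"
    check_profiles "$d/server.conf" "$d/client-ok.conf"
    check_profiles "$d/server.conf" "$d/client-bad.conf"
fi
```

The second sample pair shows the failure mode the notes describe: everything matches except the hash method, so check_profiles reports "mismatch: auth server=SHA256 client=SHA512" and returns 1.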

QoS

For the VPN connection, the TOS field of the inner packets can be passed through to the tunnel packets so that automatic QoS can evaluate it. This is enabled in the VPN connection settings in the Advanced tab under Pass TOS: On. Note that the traffic class of the encrypted traffic then becomes visible on the outer packets.

Multipath

For multipath on the client side, the VPN connection in the client must be bound to one interface.
To bind a client connection to an interface, the CLI command openvpn get is used first to find the ID of the connection.
The command openvpn set id $ID_DES_TUNNELS local_addr $IP_DES_INTERFACES (tunnel ID and IP address of the interface) then sets the outgoing IP address.
In addition, the outgoing rule (internal-network → VPN network → $DIENST, i.e. the required service) needs a rule route via the corresponding tunX interface.

Search Domain

The search domain can be transmitted automatically.
The setting is found in the VPN connection settings in the General tab under Search Domain:.

Transmit DNS/WINS

The DNS and WINS server addresses can be transmitted automatically. This is activated in the VPN connection settings in the Advanced tab under:

  • Transmit DNS: On
  • Transmit WINS: On

The IP addresses of the DNS and WINS servers are set in the menu → VPN → Global VPN settings, section Domain Name System.

A guide to setting up the DNS relay is available in a separate wiki article.

IPv6 for inbound connections

In the settings of the site-to-site server, the protocol UDP6 or TCP6 for IPv6 can be activated under General -> Protocol.

The transparent HTTP proxy

When a server behind the site-to-site connection is accessed from the internal network via HTTP, the transparent HTTP proxy may intercept the packets, which can lead to errors when accessing the target.

To prevent this, a rule must be added in the menu → Applications → HTTP Proxy, tab Transparent Mode, button Add transparent rule:

Caption: Value
Protocol: HTTP
Type: Exclude
Source: internal-network
Destination: the VPN network object (e.g. sslvpn-S2S-client-network)

If SSL interception is used, the same exclusion should also be created for the HTTPS protocol.