Tag Archives: Site-to-Site VPN

IPsec Site-to-Site VPN Cisco Router <-> AVM FRITZ!Box

Cisco Systems, FRITZ!Box, IPsec/VPN, Template, , ,

Der Titel sagt eigentlich schon alles: Es geht um das Herstellen eines S2S-Tunnels zwischen einem Cisco Router (statische IPv4) und einer FRITZ!Box (dynamische IP). Ich liste nachfolgend alle Befehle für den IOS Router sowie die Konfigurationsdatei für die FRITZ!Box auf. Für eine etwas detaillierte Beschreibung des VPNs für die FRITZ!Box verweise ich auf diesen Artikel von mir, bei dem ich zwar ein VPN zu einem anderen Produkt hergestellt habe, aber etwas mehr auf die Schritte der Konfiguration eingegangen bin.

Continue reading IPsec Site-to-Site VPN Cisco Router <-> AVM FRITZ!Box

IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco Router

Cisco Systems, IPsec/VPN, Juniper Networks, , , ,

Similar to all my other site-to-site VPN articles, here are the configurations for a VPN tunnel between a Juniper ScreenOS SSG firewall and a Cisco IOS router. Due to the VPN Monitor of the SSG firewall, the tunnel is established directly after the configuration and stays active all the time without the need of “real” traffic.

I am using the policy-based VPN solution on the Cisco router and not the virtual tunnel interface (VTI) approach. That is: No route is needed on the router while the Proxy IDs must be set on the Juniper firewall. (However, I also documented the route-based VPN solution between a ScreenOS firewall and a Cisco router here.)

Continue reading IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco Router

IPsec Site-to-Site VPN Palo Alto <-> Cisco Router

Cisco Systems, IPsec/VPN, Palo Alto Networks, , ,

This time I configured a static S2S VPN between a Palo Alto firewall and a Cisco IOS router. Here comes the tutorial:

I am not using a virtual interface (VTI) on the Cisco router in this scenario, but the classical policy-based VPN solution. That is, no route entry is needed on the Cisco machine. However, the Palo Alto implements all VPNs with tunnel interfaces. Hence, a route to the tunnel and Proxy IDs must be configured. (I also wrote a guide for a route-based VPN between a Cisco router and a Palo Alto firewall here.)

Continue reading IPsec Site-to-Site VPN Palo Alto <-> Cisco Router

Site-to-Site VPNs with Diffie-Hellman Group 14

Crypto, IPsec/VPN, , , , , , , ,

When talking about VPNs it is almost always clear that they are encrypted. However, it is not so clear on which security level a VPN is established. Since the Perfect Forward Secrecy (PFS) values of “DH group 5” etc. do not clearly specify the “bits of security”, it is a misleading assumption that the security is 256 bits due to the symmetric AES-256 cipher. It is not! Diffie-Hellman group 5 has only about 89 bits of security…

Therefore, common firewalls implement DH group 14 which has a least a security level of approximately 103 bits. I tested such a site-to-site VPN tunnel between a Palo Alto and a Juniper ScreenOS firewall which worked without any problems.

Continue reading Site-to-Site VPNs with Diffie-Hellman Group 14

Bidirectional Policy Rules on a Palo Alto Firewall

Design/Policy, Palo Alto Networks, Security, ,

The Palo Alto firewall supports policy entries that refer to multiple source and destination zones. This is useful especially when there are branch offices with multiple zones and a site-to-site VPN to the main office. In this scenario, every zone in the branch office might have a “permit any any” to the main office and vice versa, while the zones on the branch office should not have a permit among themselves. (Of course, the traffic on the main office is restricted and not permitted generally.) Here are two ways to accomplish that scenario.

Continue reading Bidirectional Policy Rules on a Palo Alto Firewall

IPsec Site-to-Site VPN Cisco ASA <-> AVM FRITZ!Box

Cisco ASA, FRITZ!Box, IPsec/VPN, Template, , ,

Mit diesem Beitrag möchte ich zeigen, wie man ein Site-to-Site VPN von der FRITZ!Box zu einer Cisco ASA Firewall aufbaut. Mein Laboraufbau entspricht dabei dem typischen Fall, bei dem die FRITZ!Box hinter einer dynamischen IP hängt (klassisch: DSL-Anschluss), während die ASA eine statische IP geNATet bekommt.

Beide Geräte habe ein policy-based VPN implementiert, so dass das hier endlich mal ein Fall ist, wo man nicht durch den Mix einer route-based VPN-Firewall und einer policy-based VPN-Firewall durcheinander kommt. Man muss bei beiden Geräten einfach das eigene sowie das remote Netzwerk eintragen, ohne weitere Routen zu ändern.

Continue reading IPsec Site-to-Site VPN Cisco ASA <-> AVM FRITZ!Box

IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco ASA

Cisco ASA, IPsec/VPN, Juniper Networks, , , ,

This post describes the steps to configure a Site-to-Site VPN between a Juniper ScreenOS firewall and the Cisco ASA firewall. With the correct IKE and IPsec parameters as well as the correct Proxy IDs on both sides, the VPN establishment works without any problems. And since the Juniper firewall can ping an IPv4 address on the remote side through the tunnel (VPN Monitor), the VPN tunnel is established by the firewalls themselves without the need for initial traffic.

Continue reading IPsec Site-to-Site VPN Juniper ScreenOS <-> Cisco ASA

IPsec Site-to-Site VPN Palo Alto <-> Cisco ASA

Cisco ASA, IPsec/VPN, Palo Alto Networks, , ,

I configured a static Site-to-Site IPsec VPN tunnel between the Cisco ASA firewall and the Palo Alto next-generation firewall. If the same phase 1 & 2 parameters are used and the correct Proxy IDs are entered, the VPN works without any problems though the ASA uses a policy-based VPN while the PA implements a route-based VPN.

I made a few screenshots from the VPN configuration of both firewalls which I will show here. I am also listing a few more hints corresponding to these two firewalls.

Continue reading IPsec Site-to-Site VPN Palo Alto <-> Cisco ASA

IPsec Site-to-Site VPN Palo Alto <-> AVM FRITZ!Box

FRITZ!Box, IPsec/VPN, Palo Alto Networks, Template, , ,

Wer im Büro auf eine Palo Alto Networks Firewall setzt und von zu Hause hinter seiner FRITZ!Box per VPN im Büro arbeiten möchte, der muss die richtigen Einstellungen auf beiden Geräten finden. Genau das habe ich getan und stelle hier die entsprechenden Details online. Viel Spaß dabei. ;)

Continue reading IPsec Site-to-Site VPN Palo Alto <-> AVM FRITZ!Box

IPsec Site-to-Site VPN Juniper ScreenOS <-> AVM FRITZ!Box

FRITZ!Box, IPsec/VPN, Juniper Networks, Template, , , ,

Hier kommen die Einstellungen die nötig sind, um ein Site-to-Site VPN zwischen einer AVM FRITZ!Box und einer Juniper ScreenOS Firewall herzustellen. Neben einigen Anleitungen im Netz habe ich selber ein paar Einstellungen getestet, um eine möglichst detaillierte *.cfg Datei zu haben. Außerdem ist erfreulicherweise anzumerken, dass die Juniper auch ein statisches VPN zu einer dynamischen Adresse erlaubt und somit sogar beide Seite einen Verbindungsaufbau initiieren können. Mit dem VPN Monitor von Juniper wird der Tunnel konstant “up” gehalten.

Continue reading IPsec Site-to-Site VPN Juniper ScreenOS <-> AVM FRITZ!Box

IPsec Site-to-Site VPN Palo Alto <-> Juniper ScreenOS

IPsec/VPN, Juniper Networks, Palo Alto Networks, , , ,

For a quick documentation on how to build a Site-to-Site IPsec VPN tunnel between a Palo Alto Networks firewall and a Juniper ScreenOS device I am listing the configuration screenshots here.

It is quite easy because both firewalls implement route-based VPNs. That is: The tunnel must not be configured with Proxy IDs or the like. It is simply built upon the correct parameters for IKE and IPsec. The related traffic can then be routed into the tunnel afterwards. And since the tunnel monitor from the Palo Alto firewall triggers the tunnel to be built even though no real traffic flows through it, the admin immediately sees green status bubbles in the GUI and can be sure that the tunnel establishment was successful. Continue reading IPsec Site-to-Site VPN Palo Alto <-> Juniper ScreenOS