How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT

Similar documents
How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

How to Configure an IPsec VPN to an AWS VPN Gateway with BGP

How to Configure an IKEv1 IPsec VPN to an AWS VPN Gateway with BGP

How to Configure a Site-To-Site IPsec VPN to the Amazon AWS VPN Gateway

Configuration of an IPSec VPN Server on RV130 and RV130W

How to Configure BGP over IKEv2 IPsec Site-to- Site VPN to an Google Cloud VPN Gateway

Configuring VPN from Proventia M Series Appliance to Proventia M Series Appliance

Integration Guide. Oracle Bare Metal BOVPN

Table of Contents 1 IKE 1-1

Cisco Multicloud Portfolio: Cloud Connect

Virtual Tunnel Interface

VNS3 to Windows RRAS Instructions. Windows 2012 R2 RRAS Configuration Guide

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

IPSec VPN Setup with IKE Preshared Key and Manual Key on WRVS4400N Router

Amazon Virtual Private Cloud. Network Administrator Guide

How to configure IPSec VPN between a Cradlepoint router and a SRX or J Series Juniper router

BiGuard C01 BiGuard VPN Client Quick Installation Guide (BiGuard series VPN enabled devices) Secure access to Company Network

Top 30 AWS VPC Interview Questions and Answers Pdf

Configuring VPNs in the EN-1000

How to Configure a Site-to-Site IPsec IKEv1 VPN Tunnel

Google Cloud VPN Interop Guide

Set Up a Remote Access Tunnel (Client to Gateway) for VPN Clients on RV016, RV042, RV042G and RV082 VPN Routers

VMware Cloud on AWS Networking and Security. 5 September 2018 VMware Cloud on AWS

Configuring VPN from Proventia M Series Appliance to NetScreen Systems

Internet. SonicWALL IP Cisco IOS IP IP Network Mask

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 5.2

Quick Note. Configure an IPSec VPN tunnel between a Digi TransPort LR router and a Digi Connect gateway. Digi Technical Support 20 September 2016

Configuring VPN from Proventia M Series Appliance to Symantec 5310 Systems

VPNC Scenario for IPsec Interoperability

Google Cloud VPN Interop Guide

Virtual Tunnel Interface

How to Configure a Route-Based VPN Between Azure and a Forcepoint NGFW TECHNICAL DOCUMENT

VMware Cloud on AWS Getting Started. 18 DEC 2017 VMware Cloud on AWS

Virtual Private Network. Network User Guide. Issue 05 Date

FAQ about Communication

Configuring IPSec tunnels on Vocality units

Configuring a Hub & Spoke VPN in AOS

HOW TO CONFIGURE AN IPSEC VPN

Junos Security. Chapter 8: IPsec VPNs Juniper Networks, Inc. All rights reserved. Worldwide Education Services

Deploying the Barracuda Link Balancer with Cisco ASA VPN Tunnels

IPsec NAT Transparency

Efficient SpeedStream 5861

Proxy Protocol Support for Sophos UTM on AWS. Sophos XG Firewall How to Configure VPN Connections for Azure

VPN Ports and LAN-to-LAN Tunnels

Firepower Threat Defense Site-to-site VPNs

IPSec. Overview. Overview. Levente Buttyán

Index. Introduction UCCS VPC Objective Why VPC VPC Options. Routing Security. Summary. Slides Slides 13-20

Configuration of Shrew VPN Client on RV042, RV042G and RV082 VPN Routers through Windows

Virtual Private Cloud. User Guide. Issue 03 Date

Google Cloud VPN Interop Guide

IPsec Dead Peer Detection Periodic Message Option

Deploying VPN IPSec Tunnels with Cisco ASA/ASAv VTI on Oracle Cloud Infrastructure

VPN Overview. VPN Types

Chapter 6 Virtual Private Networking

The EN-4000 in Virtual Private Networks

BCRAN. Section 9. Cable and DSL Technologies

Cloud Security Best Practices

Configuration Summary

Example: Configuring a Policy-Based Site-to-Site VPN using J-Web

Sample excerpt. Virtual Private Networks. Contents

Hillstone IPSec VPN Solution

Index. Numerics 3DES (triple data encryption standard), 21

Packet Tracer - Configure and Verify a Site-to-Site IPsec VPN Using CLI

This version of the des Secure Enterprise MAC Client can be used on Mac OS X 10.7 Lion platform.

VNS3 IPsec Configuration. Connecting VNS3 Side by Side via IPsec

Internet Key Exchange

Securizarea Calculatoarelor și a Rețelelor 29. Monitorizarea și depanarea VPN-urilor IPSec Site-to-Site

IPsec NAT Transparency

IKE and Load Balancing

Virtual Private Networks

Virtual Private Network

Case 1: VPN direction from Vigor2130 to Vigor2820

CSCE 715: Network Systems Security

Quick Note 65. Configure an IPSec VPN tunnel between a TransPort WR router and an Accelerated SR router. Digi Technical Support 7 June 2018

How to Configure an IKEv1 IPsec Site-to-Site VPN to the Static Microsoft Azure VPN Gateway

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Example: Configuring a Hub-and-Spoke VPN between 3 SRXs using J-Web

In the event of re-installation, the client software will be installed as a test version (max 10 days) until the required license key is entered.

Configuration Guide. How to connect to an IPSec VPN using an iphone in ios. Overview

VNS3 IPsec Configuration. VNS3 to Cisco ASA ASDM 9.2

Release Notes. NCP Android Secure Managed Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Cradlepoint to Palo Alto VPN Example. Summary. Standard IPSec VPN Topology. Global Leader in 4G LTE Network Solutions

Securizarea Calculatoarelor și a Rețelelor 28. Implementarea VPN-urilor IPSec Site-to-Site

show crypto group summary, page 1 show crypto ikev2-ikesa security-associations summary spi, page 2

Service Managed Gateway TM. How to Configure and Debug Generic Routing Encapsulation (GRE)

Data Sheet. NCP Secure Enterprise macos Client. Next Generation Network Access Technology

Chapter 8 Lab Configuring a Site-to-Site VPN Using Cisco IOS

The IPsec protocols. Overview

Crypto Templates. Crypto Template Parameters

Digi Application Guide Configure VPN Tunnel with Certificates on Digi Connect WAN 3G

NCP Secure Enterprise macos Client Release Notes

SAM 8.0 SP2 Deployment at AWS. Version 1.0

OpenVPN protocol. Restrictions in Conel routers. Modified on: Thu, 14 Aug, 2014 at 2:29 AM

IPSec Site-to-Site VPN (SVTI)

Configuring IPsec and ISAKMP

Site-to-Site VPN. VPN Basics

How to Install Forcepoint NGFW in Amazon AWS TECHNICAL DOCUMENT

Abstract. Avaya Solution & Interoperability Test Lab

Release Notes. NCP Secure Enterprise Mac Client. 1. New Features and Enhancements. 2. Improvements / Problems Resolved. 3.

Lab - Configuring a Site-to-Site VPN Using Cisco IOS and CCP

Transcription:

How to Configure Forcepoint NGFW Route-Based VPN to AWS with BGP TECHNICAL DOCUMENT

Table of Contents TABLE OF CONTENTS 1 INTRODUCTION 2 AWS Configuration: 2 Forcepoint Configuration 3 APPENDIX 7 Troubleshooting tips 7 Reference Quagga configuration 7 Reference AWS configuration 8 Technical Document 1

Introduction The configuration for this scenario includes a virtual private cloud (VPC) with a public subnet and private subnets, using a virtual private gateway to enable communication with your own network over an IPsec VPN tunnel. All routing configuration is done through BGP. AWS CONFIGURATION: Create the Customer Gateway specifying the public IP address of the Forcepoint NGFW: Create the Virtual Private Gateway and attach to the VPC: Create the VPN Connection, specify dynamic BGP and download the configuration: Technical Document 2

When downloading the VPN Connection configuration, specify a vendor type of generic. FORCEPOINT CONFIGURATION Use the downloaded AWS configuration to fill in the values for the remaining NGFW settings. AWS configuration will provide the tunnel interface IP addresses, next hop gateway, AS numbers, preshared keys and crypto specifications. Configure two separate VPN external gateway s representing the two AWS endpoints (Configuration- >VPN->Gateways): Configure each external GW sites to match the VPC network (172.31.0.0/16): Create two tunnel interfaces, one for each VPN gateway (Home->FW->Interfaces) Technical Document 3

Enable BGP (Home->FW->Routing->Dynamic Routing). Use the AS number that AWS specified in the configuration, by default this will be 65000. Add your protected network to the Announced Network configuration: Edit the routing configuration under the engine properties (Home->FW->Routing): Under each tunnel interfaces, add a BGP Peering. Right click on the BGP Peer created under each tunnel interface and Add External BGP Peer. Specify the AWS gateways, one per tunnel interface. For Autonomous System, create a new object and specify the value provided by AWS using their AS number (AS: 7224 of us-east) Create a VPN Profile to match AWS required settings (Configuration->VPN->VPN Profiles) Technical Document 4

Edit the Route Based VPN (Configuration->VPN->Route Based VPN) and create two separate entries, one for each AWS gateway created. Make sure you map the correct AWS GW to the correct tunnel interface. Enter the shared key from the AWS configuration for each. AWS Tunnel #1: AWS Tunnel #2: Technical Document 5

Once complete, you should have two RBVPN entries, one for each AWS GW mapping to each of the tunnel interfaces Create a Firewall Policy allowing bi-directional traffic between the networks (Configuration->Policy- >Firewall Policy) Verify IPSEC tunnel is correctly established (Home->FW->Monitoring->VPN SA s): Verify BGP propagates routes (Home->FW->Monitoring->Routing): Verify tunnels show active on AWS console: Technical Document 6

APPENDIX TROUBLESHOOTING TIPS SSH to NGFW and enter vtysh. Useful commands: show ip bgp show ip bgp neighbors show ip bgp summary show ip bgp? (list all possible command options) From SMC: Log Viewer Home->FW->Configuration->Dynamic Routing->Quagga Preview Home->FW->Configuration->Dyanmic Routing->Restart SSH to FW, ping tunnel interface BGP peer GW Tcpdump on tunnel interface/s to verify traffic is passing REFERENCE QUAGGA CONFIGURATION!Configuration generated by the SMC via DRCFGD hostname SG-Quagga-Router! router bgp 65000 bgp router-id 172.18.1.254!element979 network 172.18.1.0/24 neighbor 169.254.11.5 remote-as 7224 neighbor 169.254.11.5 update-source 169.254.11.6 neighbor 169.254.11.5 timers 60 180 neighbor 169.254.11.5 timers connect 120 neighbor 169.254.11.5 disable-connected-check neighbor 169.254.11.5 soft-reconfiguration inbound neighbor 169.254.11.5 next-hop-self neighbor 169.254.9.21 remote-as 7224 neighbor 169.254.9.21 update-source 169.254.9.22 neighbor 169.254.9.21 timers 60 180 neighbor 169.254.9.21 timers connect 120 neighbor 169.254.9.21 disable-connected-check neighbor 169.254.9.21 soft-reconfiguration inbound neighbor 169.254.9.21 next-hop-self bgp graceful-restart distance bgp 20 200 200 Technical Document 7

REFERENCE AWS CONFIGURATION Amazon Web Services Virtual Private Cloud VPN Connection Configuration =============================================================================== AWS utilizes unique identifiers to manipulate the configuration of a VPN Connection. Each VPN Connection is assigned a VPN Connection Identifier and is associated with two other identifiers, namely the Customer Gateway Identifier and the Virtual Private Gateway Identifier. Your VPN Connection ID Your Virtual Private Gateway ID Your Customer Gateway ID : vpn-b00996e8 : vgw-9c93ccd9 : cgw-f1b0efb4 A VPN Connection consists of a pair of IPSec tunnel security associations (SAs). It is important that both tunnel security associations be configured. IPSec Tunnel #1 =============================================================================== #1: Internet Key Exchange Configuration Configure the IKE SA as follows: Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24. The address of the external interface for your customer gateway must be a static address. Your customer gateway may reside behind a device performing network address translation (NAT). To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall!rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T. - Authentication Method : Pre-Shared Key - Pre-Shared Key : mjd8fxehatu33y3xz0.ufuwbm1nfx0_a - Authentication Algorithm : sha1 - Encryption Algorithm : aes-128-cbc - Lifetime : 28800 seconds - Phase 1 Negotiation Mode : main - Perfect Forward Secrecy : Diffie-Hellman Group 2 #2: IPSec Configuration Configure the IPSec SA as follows: Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 1,2, 5, 14-18, 22, 23, and 24. - Protocol : esp - Authentication Algorithm : hmac-sha1-96 - Encryption Algorithm : aes-128-cbc - Lifetime : 3600 seconds - Mode : tunnel - Perfect Forward Secrecy : Diffie-Hellman Group 2 IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We Technical Document 8

recommend configuring DPD on your endpoint as follows: - DPD Interval : 10 - DPD Retries : 3 IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit packets. These headers require additional space, which reduces the amount of space available to transmit application data. To limit the impact of this behavior, we recommend the following configuration on your Customer Gateway: - TCP MSS Adjustment : 1387 bytes - Clear Don't Fragment Bit : enabled - Fragmentation : Before encryption #3: Tunnel Interface Configuration Your Customer Gateway must be configured with a tunnel interface that is associated with the IPSec tunnel. All traffic transmitted to the tunnel interface is encrypted and transmitted to the Virtual Private Gateway. The Customer Gateway and Virtual Private Gateway each have two addresses that relate to this IPSec tunnel. Each contains an outside address, upon which encrypted traffic is exchanged. Each also contain an inside address associated with the tunnel interface. The Customer Gateway outside IP address was provided when the Customer Gateway was created. Changing the IP address requires the creation of a new Customer Gateway. The Customer Gateway inside IP address should be configured on your tunnel interface. Outside IP Addresses: - Customer Gateway : 73.88.56.153 - Virtual Private Gateway : 52.9.152.47 Inside IP Addresses - Customer Gateway : 169.254.11.6/30 - Virtual Private Gateway : 169.254.11.5/30 Configure your tunnel to fragment at the optimal size: - Tunnel interface MTU : 1436 bytes #4: Border Gateway Protocol (BGP) Configuration: The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside IP addresses, to exchange routes from the VPC to your home network. Each BGP router has an Autonomous System Number (ASN). Your ASN was provided to AWS when the Customer Gateway was created. BGP Configuration Options: - Customer Gateway ASN : 65000 - Virtual Private Gateway ASN : 7224 - Neighbor IP Address : 169.254.11.5 - Neighbor Hold Time : 30 Configure BGP to announce routes to the Virtual Private Gateway. The gateway will announce prefixes to your customer gateway based upon the prefix you Technical Document 9

assigned to the VPC at creation time. IPSec Tunnel #2 =============================================================================== #1: Internet Key Exchange Configuration Configure the IKE SA as follows: Please note, these sample configurations are for the minimum requirement of AES128, SHA1, and DH Group 2. You will need to modify these sample configuration files to take advantage of AES256, SHA256, or other DH groups like 2, 14-18, 22, 23, and 24. The address of the external interface for your customer gateway must be a static address. Your customer gateway may reside behind a device performing network address translation (NAT). To ensure that NAT traversal (NAT-T) can function, you must adjust your firewall!rules to unblock UDP port 4500. If not behind NAT, we recommend disabling NAT-T. - Authentication Method : Pre-Shared Key - Pre-Shared Key : ilunblqo_edlwgw2ldsjbmdc7i8ny5ay - Authentication Algorithm : sha1 - Encryption Algorithm : aes-128-cbc - Lifetime : 28800 seconds - Phase 1 Negotiation Mode : main - Perfect Forward Secrecy : Diffie-Hellman Group 2 #2: IPSec Configuration Configure the IPSec SA as follows: Please note, you may use these additionally supported IPSec parameters for encryption like AES256 and other DH groups like 1,2, 5, 14-18, 22, 23, and 24. - Protocol : esp - Authentication Algorithm : hmac-sha1-96 - Encryption Algorithm : aes-128-cbc - Lifetime : 3600 seconds - Mode : tunnel - Perfect Forward Secrecy : Diffie-Hellman Group 2 IPSec Dead Peer Detection (DPD) will be enabled on the AWS Endpoint. We recommend configuring DPD on your endpoint as follows: - DPD Interval : 10 - DPD Retries : 3 IPSec ESP (Encapsulating Security Payload) inserts additional headers to transmit packets. These headers require additional space, which reduces the amount of space available to transmit application data. To limit the impact of this behavior, we recommend the following configuration on your Customer Gateway: - TCP MSS Adjustment : 1387 bytes - Clear Don't Fragment Bit : enabled - Fragmentation : Before encryption #3: Tunnel Interface Configuration Your Customer Gateway must be configured with a tunnel interface that is associated with the IPSec tunnel. All traffic transmitted to the tunnel Technical Document 10

interface is encrypted and transmitted to the Virtual Private Gateway. The Customer Gateway and Virtual Private Gateway each have two addresses that relate to this IPSec tunnel. Each contains an outside address, upon which encrypted traffic is exchanged. Each also contain an inside address associated with the tunnel interface. The Customer Gateway outside IP address was provided when the Customer Gateway was created. Changing the IP address requires the creation of a new Customer Gateway. The Customer Gateway inside IP address should be configured on your tunnel interface. Outside IP Addresses: - Customer Gateway : 73.88.56.153 - Virtual Private Gateway : 52.52.40.216 Inside IP Addresses - Customer Gateway : 169.254.9.22/30 - Virtual Private Gateway : 169.254.9.21/30 Configure your tunnel to fragment at the optimal size: - Tunnel interface MTU : 1436 bytes #4: Border Gateway Protocol (BGP) Configuration: The Border Gateway Protocol (BGPv4) is used within the tunnel, between the inside IP addresses, to exchange routes from the VPC to your home network. Each BGP router has an Autonomous System Number (ASN). Your ASN was provided to AWS when the Customer Gateway was created. BGP Configuration Options: - Customer Gateway ASN : 65000 - Virtual Private Gateway ASN : 7224 - Neighbor IP Address : 169.254.9.21 - Neighbor Hold Time : 30 Configure BGP to announce routes to the Virtual Private Gateway. The gateway will announce prefixes to your customer gateway based upon the prefix you assigned to the VPC at creation time. Technical Document 11

2024 © technodocbox.com Privacy Policy | Terms of Service | Feedback