Chapter 10 – IPSec VPN and SSL VPN
HCSA-NGFW 2022
Contents
1 Concept of VPN
2 IPsec VPN
3 Policy-based IPsec VPN
4 Route-based IPsec VPN
5 SSL VPN
Concept of VPN
Virtual Private Network
• VPN (Virtual Private Network)
- A private network carried virtually across a public wide area network (WAN)
- Provides a significant cost advantage
- Simplifies LAN and WAN operations
- Provides good compatibility and expandability
- Helps an enterprise quickly start new services and connect its branches around the world
- Needs security measures such as encryption, integrity verification and user authentication
[Link]
VPN Implementation
[Figure: hosts A (branch) and B (headquarters); the packet from A to B is carried across the WAN inside a tunnel from gateway X to gateway Y]
• Provides a secure communication tunnel between remote computers across a public wide area network (WAN)
• Guarantees connection security by an encrypted tunnel
– Provides an encapsulation service for private data between two public gateways
Three Elements of VPN
VPN guarantees secure data transmission over the Internet by the following three elements:
Confidentiality
• Hides and secures data in the WAN
Integrity
• Ensures the data is not tampered with
Authentication
• Verifies whether the data source is trusted
Confidentiality
• Ensures data confidentiality by encryption
• Data encryption is reversible
• Data is encrypted and decrypted with secret keys
- Symmetric (secret) key
- Asymmetric (public) key
Symmetric Key
• Operates fast, suitable for encryption of large amounts of data
• Typical key length: 40 bits to 1024 bits
• Examples: DES, 3DES, AES
[Figure: symmetric encryption. The sender encrypts the original data with the shared key; the receiver decrypts the encrypted data with the same key to recover the original data]
[Link] | Hillstone Confidential
Asymmetric Key (Public Key)
• Slower than symmetric-key encryption
• Typical key length: 512 bits to 2048 bits
[Figure: asymmetric encryption. The receiver's public key (Pub) is distributed to the sender, who encrypts the original data with it; the receiver decrypts the encrypted data with its private key (Priv)]
Integrity
• Hash algorithms are widely used to provide the data integrity service
• One-way hashing algorithm
– The original data cannot be recovered from the hash value
• Output of fixed length (depending on the algorithm)
• Algorithm examples
– MD5, SHA
• MD5 provides 128-bit output
• SHA provides 160-bit output
One-Way Hash Procedure
[Figure: one-way hash procedure. The sender runs the hash algorithm over the data and sends the data together with the hash; the receiver runs the same hash algorithm over the received data and compares whether the two hash values match]
Authentication
• Verifies data by authenticating the data source
• Uses HMAC (hash-based message authentication code)
– PSK (pre-shared key)
– RSA-sig
– DSA-sig
Hash Calculation with a Secret Key
[Figure: keyed hash procedure. The sender runs the hash algorithm over the data together with the hash key and sends the data plus the hash; the receiver recomputes the hash over the received data with the same hash key and compares whether the two hash values match]
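As an added example (not part of the course material), the two procedures above side by side in Python, using only the standard library: a plain hash can be recomputed by anyone who alters the data in transit, while a keyed hash cannot be recomputed without the shared key. The message and key are constructed for the demo.

```python
import hashlib
import hmac

# Constructed demo secret shared by sender and receiver (not a real key).
KEY = b"demo-pre-shared-secret"


def send_with_hash(data: bytes) -> tuple:
    """One-way hash procedure: sender appends H(data); no secret is involved."""
    return data, hashlib.sha256(data).hexdigest()


def verify_hash(data: bytes, digest: str) -> bool:
    """Receiver recomputes the hash of the received data and compares."""
    return hmac.compare_digest(hashlib.sha256(data).hexdigest(), digest)


def send_with_hmac(data: bytes, key: bytes) -> tuple:
    """Keyed hash procedure: the shared key is mixed into the hash calculation."""
    return data, hmac.new(key, data, hashlib.sha256).hexdigest()


def verify_hmac(data: bytes, tag: str, key: bytes) -> bool:
    """Receiver recomputes the keyed hash with the same key and compares."""
    return hmac.compare_digest(hmac.new(key, data, hashlib.sha256).hexdigest(), tag)


def tamper_in_transit(data: bytes) -> tuple:
    """Someone on the path, without the key, alters the data and recomputes a plain hash."""
    altered = data.replace(b"100", b"900")
    return altered, hashlib.sha256(altered).hexdigest()


def demo() -> dict:
    """Run both procedures on a constructed message, with and without tampering."""
    msg = b"transfer 100 to branch"
    d, h = send_with_hash(msg)
    d2, h2 = tamper_in_transit(d)
    m, t = send_with_hmac(msg, KEY)
    m2, t2 = tamper_in_transit(m)
    return {
        "hash_ok_untouched": verify_hash(d, h),        # True
        "hash_ok_tampered": verify_hash(d2, h2),       # True: plain hash cannot detect a deliberate change
        "hmac_ok_untouched": verify_hmac(m, t, KEY),   # True
        "hmac_ok_tampered": verify_hmac(m2, t2, KEY),  # False: the forger did not have the key
    }
```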
SA (Security Association)
• Two types of SAs are used in IP security:
- ISAKMP SA: protects the secret key negotiation
- IPSec SA: protects the IP data
• When two IP entities communicate over an IPSec VPN:
- First negotiate the ISAKMP SA (Phase 1)
  Two negotiation modes: Main mode and Aggressive mode
- Use the ISAKMP SA to negotiate the IPSec SA (Phase 2)
  One negotiation mode: Quick mode
- Use the IPSec SA to encrypt the data
IPsec VPN
IPsec VPN Topology
[Figure: FW1 and FW2 connected through the Internet on interface E0/4 (zone untrust), with the IPsec tunnel between them; FW1 E0/1 in zone trust and FW2 E0/2 in zone dmz, each fronting a /24 LAN (addresses elided)]
IPSec VPN
• IPSec VPN is classified according to the data-driven type:
- Policy-based
- Route-based
[Figure: Site 1 and Site 2 LANs connected across the Internet, with a server on one of the LANs]
Configuration Steps of IPSec VPN
• IKE VPN uses the auto negotiation method. The configuration of an IKE VPN includes:
• Step 1: Configure IKE VPN
– Configure the Phase 1 proposal (optional)
– Configure the ISAKMP gateway
– Configure the Phase 2 proposal (optional)
– Configure the IPSec tunnel
• Step 2: Configure the data-driven method
• Option 1 (policy-based): Configure a VPN policy rule. The action of the policy rule must be Tunnel or From tunnel
• Option 2 (route-based): Bind the configured VPN instance to a tunnel interface, create a VPN tunnel route, and configure a permit policy rule based on the zone the tunnel interface is bound to.
Configuring IPSec VPN - Phase 1 Proposal
Network > VPN > IPSec VPN > P1 Proposal, click 『New』
CLI:
isakmp proposal p1-name
authentication {pre-share/rsa-sig}
encryption {3des/des/aes/aes192/aes256}
hash {sha/md5}
group {1/2/5/14/15/16}
lifetime <300-86400>
Configuring IPSec VPN - Phase 2 Proposal
Network > VPN > IPSec VPN > P2 Proposal, click 『New』
CLI:
ipsec proposal p2-name
protocol {esp/ah}
encryption {3des/des/aes/aes-192/aes-256/null}
hash {md5/sha/null}
group {no pfs/1/2/5/14/15/16}
lifetime <180-86400>
Configuring IPSec VPN P1 - Peer ISAKMP Gateway (WebUI)
Network > VPN > IPSec VPN > VPN Peer List, click 『New』
Configuring IPSec VPN - Peer ISAKMP Gateway (CLI)
• Configuring an ISAKMP gateway (peer)
CLI:
isakmp peer peer-name
connection-type {bidirectional | initiator-only | responder-only}
interface interface-name
isakmp-proposal p1-proposal1
mode {main | aggressive}
type {dynamic | static} // IP type of the peer side
peer ip-address // peer IP address
pre-share string // pre-shared key
Configuring IPSec VPN P2 - Tunnel (WebUI)
Network > VPN > IPSec VPN > IKE VPN List, click 『New』
Configuring IPSec VPN Tunnel (CLI)
CLI:
tunnel ipsec tunnel-name auto
mode tunnel
isakmp-peer peer-name
ipsec-proposal p2-name
id {auto | local ip-address/mask remote ip-address/mask service service-name}
auto-connect
Note:
1. The id is the LAN subnet address of both sides, i.e. the traffic that the VPN needs to protect.
2. auto-connect must be enabled; otherwise the VPN connection will not be triggered actively.
Policy-based IPsecVPN
Create Address Book
• Create the local and peer LAN address book in advance.
Configure a policy (WebUI):
• Local to peer action: "Tunnel"
• Peer to local action: "From tunnel"
• Selecting "Bi-directional policy" creates the bidirectional policies automatically
Configure a policy (CLI)
• Create outbound policy
policy-global
rule top from local to remote service any tunnel tunnel-name
• Create inbound policy
policy-global
rule top from remote to local service any fromtunnel tunnel-name
Create SNAT Rule
Policy > NAT > SNAT, click 『New』 to create a No NAT rule, and put it at the top position.
Policy-Based IPSecVPN Configuration Steps
1. Create address entry of protected data flow
2. Set the phase 1 ISAKMP proposal
3. Create phase 1 ISAKMP peer instance
4. Set the phase 2 IPSec proposal
5. Create phase 2 IPSecVPN instance
6. Use policy to call IPSec instance, put this policy at top position
7. Create no NAT SNAT rule and put at top position.
Route-based IPsecVPN
Create Address Book
• Create the local and peer LAN address book in advance.
Create a tunnel interface
Network > Interface, click 『New』 to create a "Tunnel Interface"
Create Destination Route (WebUI)
Network > Routing > Destination Route, click 『New』 to create the access route to the peer side
Create Policy
• Create permit policy
- Create a policy with the action permit, based on the zone that the tunnel interface is bound to.
- If the access is bidirectional, you should add an inbound policy. The inbound policy can be configured by exchanging the source and destination zones.
Route-based VPN (CLI)
• Create Tunnel interface
interface tunnelNumber
zone VPNHub
tunnel IPSec tunnel-name
• Create route entry
ip vrouter trust-vr
ip route A.B.C.D/M tunnelNumber
• Create inbound and outbound policies
policy-global
rule top from local to remote service any permit
rule top from remote to local service any permit
Route-Based IPSecVPN Configuration Steps
1. Create address entry of protected data flow
2. Set the phase 1 ISAKMP proposal
3. Create phase 1 ISAKMP peer instance
4. Set the phase 2 IPSec proposal
5. Create phase 2 IPSecVPN instance
6. Create tunnel interface and call IPSec instance
7. Create VPN route
8. Create the policy to permit traffic between tunnel interface and LAN zone
Check VPN Status (WebUI)
Network > VPN > IPSec VPN, click the 『Configuration』 button, select IPSec VPN Monitor from the list
Check VPN Status (CLI)
1. Check P1 ISAKMP SA
SG-6000# show isa sa
Total: 1
================================================================================
Cookies Gateway Port Algorithms Lifetime
--------------------------------------------------------------------------------
4964a49b7e~ [Link] 500 pre-share md5/3des 85733
================================================================================
2. Check the P2 IPSec SAs: there is one per direction (outbound and inbound), and the success status is Active (A)
SG-6000# show ipsec sa
Total: 1
S - Status, I - Inactive, A - Active;
================================================================================
Id VPN Peer IP Port Algorithms SPI Life(s) S
--------------------------------------------------------------------------------
4 to-[Link] >[Link] 500 esp:3des/md5/- 4eccb22b 28130 A
4 to-[Link] <[Link] 500 esp:3des/md5/- 59f95ee0 28130 A
================================================================================
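An added example, not from the course material: a small Python parser for output in the layout of `show ipsec sa` above. It reports, per VPN, whether an Active SA exists in both directions and flags the weaker algorithm choices (DES, 3DES, MD5, null) that the proposal options allow. The sample output, VPN name and peer address are constructed (RFC 5737 documentation range), not taken from a real device.

```python
import re

# Constructed sample in the layout of StoneOS "show ipsec sa"; not real output.
SAMPLE = """\
Total: 1
S - Status, I - Inactive, A - Active;
================================================================================
Id VPN        Peer IP          Port Algorithms       SPI      Life(s) S
--------------------------------------------------------------------------------
4  to-branch  >203.0.113.10    500  esp:3des/md5/-   4eccb22b 28130   A
4  to-branch  <203.0.113.10    500  esp:3des/md5/-   59f95ee0 28130   A
================================================================================
"""

# One SA row: id, vpn, direction marker (> outbound, < inbound), peer, port, algs, spi, life, status
ROW = re.compile(r"^\s*(\d+)\s+(\S+)\s+([<>])(\S+)\s+(\d+)\s+(\S+)\s+([0-9a-f]+)\s+(\d+)\s+([AI])\s*$")
WEAK = {"des", "3des", "md5", "null"}  # choices a defender should not leave in a proposal


def parse_ipsec_sa(text: str) -> list:
    """Return one dict per SA row; header, separator and summary lines are skipped."""
    sas = []
    for line in text.splitlines():
        m = ROW.match(line)
        if not m:
            continue
        sa_id, vpn, direction, peer, port, algs, spi, life, status = m.groups()
        sas.append({"id": int(sa_id), "vpn": vpn, "dir": "out" if direction == ">" else "in",
                    "peer": peer, "port": int(port), "algs": algs, "spi": spi,
                    "life": int(life), "active": status == "A"})
    return sas


def tunnel_report(text: str) -> dict:
    """Per VPN name: Active SA in both directions ("up") and any weak algorithms in use."""
    report = {}
    for sa in parse_ipsec_sa(text):
        r = report.setdefault(sa["vpn"], {"out": False, "in": False, "weak": set()})
        if sa["active"]:
            r[sa["dir"]] = True
        _proto, _, suite = sa["algs"].partition(":")   # e.g. "esp" : "3des/md5/-"
        r["weak"].update(a for a in suite.split("/") if a in WEAK)
    for r in report.values():
        r["up"] = r["out"] and r["in"]
        r["weak"] = sorted(r["weak"])
    return report
```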
SSL VPN
SSL VPN – Remote access to Intranet
[Figure: a remote client on the Internet connects to the headquarters WAN interface E0/4 (/24, address elided) and reaches the server/database on the LAN behind interface E0/1 (/24, address elided)]
SSL VPN Introduction
• Functions
– Remote secure access; SSL VPN is also called SCVPN on Hillstone devices
• Elements
– PC host / Mobile host
– Local/Radius/LDAP/AD/Tacacs+ authentication server
SSL VPN Client
• Functions of the SSL VPN server
– Accepting connections from the clients
– Assigning IP addresses, DNS server addresses, and WINS server addresses to SSL VPN clients
– Authenticating and authorizing SSL VPN clients
– Encrypting and forwarding IPSec data
• SSL VPN Client Access
– Client: Hillstone Security Connect
• SSL VPN Client Download
– Hillstone official website: [Link]
Configuring SSL VPN
Network > VPN > SSL VPN, click 『New』 to create the SSL VPN and select the AAA server.
Local and 3rd-party AAA servers are supported.
Configuring SSL VPN – Access Interface
Specify an SSL VPN service interface and a service port, configure a tunnel interface and an address pool, and then click Next.
• If there are two links, the client can choose either egress interface address to access
• The service port is the port for the SSL VPN connection; the default is 4433, and you can also change it
Configuring SSL VPN – Tunnel Interface
• The tunnel interface and the address pool must be in the same IP address segment, without overlap.
• An IP must be set for the SSL VPN tunnel interface, because this IP is the gateway IP for the client
Configuring SSL VPN – Address Pool
• Configure the address pool to distribute IPs to SSL VPN clients; it is recommended to use unusual IP addresses to avoid address conflicts with the client's own IP.
• The tunnel interface IP must not be included in the address pool.
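An added example, not from the course material: a Python check of the tunnel-interface and address-pool rules from the two slides above (same IP segment, tunnel interface IP outside the pool, no conflict with the client's own LAN). The `client_lans` parameter is an assumption added here so the conflict rule can be tested against a list of prefixes the client side is expected to use; all addresses in the test are constructed.

```python
import ipaddress


def check_sslvpn_pool(tunnel_if: str, pool_start: str, pool_end: str, client_lans=()) -> list:
    """Return a list of findings for an SSL VPN tunnel interface / address pool pair.

    An empty list means the pair satisfies the rules.
    tunnel_if             tunnel interface address with prefix, e.g. "10.200.200.1/24"
    pool_start, pool_end  first and last address of the SSL VPN address pool
    client_lans           assumed parameter: LAN prefixes the client side is likely to use
    """
    findings = []
    iface = ipaddress.ip_interface(tunnel_if)
    segment = iface.network
    start = ipaddress.ip_address(pool_start)
    end = ipaddress.ip_address(pool_end)
    if start > end:
        return [f"pool start {start} is after pool end {end}"]
    # Rule 1: the pool and the tunnel interface must lie in the same IP segment.
    if start not in segment or end not in segment:
        findings.append(f"pool {start}-{end} is not within tunnel interface segment {segment}")
    # Rule 2: the tunnel interface IP is the client's gateway and must never be handed out.
    if start <= iface.ip <= end:
        findings.append(f"tunnel interface IP {iface.ip} lies inside the pool")
    # Rule 3: avoid handing out addresses that collide with the client's own LAN.
    pool_blocks = list(ipaddress.summarize_address_range(start, end))
    for lan in client_lans:
        lan_net = ipaddress.ip_network(lan, strict=False)
        if any(block.overlaps(lan_net) for block in pool_blocks):
            findings.append(f"pool overlaps client LAN {lan_net}")
    return findings
```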
Configuring SSL VPN – Tunnel Route
Click 『Tunnel Route』
• The tunnel route specifies which servers the client can access after it has connected to the SSL VPN server
Configuring SSL VPN – Policy
• Configure SSLVPN permit policy:
- The SSL VPN tunnel interface is bound to zone VPNHub; access from that zone to the server zone needs to be permitted
Questions
1. What types of VPN does a Hillstone device support?
2. How do you configure a site-to-site IPSec VPN, and what are the steps?
3. There are two negotiation modes in the P1 ISAKMP configuration; what is the difference between them?
4. What are the requirements for the address pool when configuring SSL VPN?
Thanks