We need to connect with a remote site (new temporary business partner) via IPSec. We already have 3 tunnels (with other partners) which were easy to configure but that new remote vpn gateway might use different naming for some options which is hard to translate to UTM9 since it could be just a missing feature) They sent us list with their recommended settings for the tunnel but it's difficult to match them with the available IPSec Policy options in the UTM9. I suppose they use a Palo Alto VPN solution and some settings may just have a different naming. Phase 1 parameters: Remote site local site Peer IP: x.x.x.x y.y.y.y Peer authentication method: preshared-key preshared-key IKE version: IKEv2 Not explicitly selectable (does the UTM9 have IKEv2 ?) Exchange mode: main Not selectable - probably "main" Encryption: aes-256-cbc AES-256 (is the AES-256 in UTM9 the same as aes-256-cbc ?) Authentication: sha512 SHA2-512 DH group: group20 (available: 1, 2, 5, 14, 19 or 20) group14 Lifetime: 8 hours 8 hours (28800 seconds) Phase 2 parameters: ESP or AH: ESP Not explicitly selectable in UTM9 Encryption: aes-256-cbc Available on UTM9: AES 128 CTR (128 bit) AES 192 CTR (192 bit) AES 256 CTR (256 bit) AES 128 GCM (96 bit) AES 192 GCM (96 bit) AES 256 GCM (96 bit) AES 128 GCM (128 bit) AES 192 GCM (128 bit) AES 256 GCM (128 bit) ...does any of them match aes-256-cbc ? Authentication: sha512 SHA2 512 PFS DH group: group20 group14 (MODP 2048) Lifetime: 1 hour 1 hour compression off Encryption domains: 10.159.0.0/16 172.28.92.128/25 (they want us to use that subnet) Our main subnett with workstations is actually 192.168.91.0/24 . They say to have that subnet already occupied and want us to use the 172... subnet. Do we have to create that subnet and move all affected workstations (currently just 2) into this subnet (open FW between our 192.168.91.0 subnet, etc.) or is there a method to do a 1:1 NAT traversal between the IPSec tunnel and our existing 192... subnet? Every hint is highly appreciated!

This discussion has been locked.

You can no longer post new replies to this discussion. If you have a question you can start a new discussion

IPSec tunnel - matching settings with remote gateway

We need to connect with a remote site (new temporary business partner) via IPSec. We already have 3 tunnels (with other partners) which were easy to configure but that new remote vpn gateway might use different naming for some options which is hard to translate to UTM9 since it could be just a missing feature)

They sent us list with their recommended settings for the tunnel but it's difficult to match them with the available IPSec Policy options in the UTM9.

I suppose they use a Palo Alto VPN solution and some settings may just have a different naming.

Phase 1 parameters:
	Remote site	local site

Peer IP:	x.x.x.x	y.y.y.y
Peer authentication method:	preshared-key	preshared-key
IKE version:	IKEv2	Not explicitly selectable (does the UTM9 have IKEv2 ?)
Exchange mode:	main	Not selectable - probably "main"
Encryption:	aes-256-cbc	AES-256 (is the AES-256 in UTM9 the same as aes-256-cbc ?)
Authentication:	sha512	SHA2-512
DH group:	group20 (available: 1, 2, 5, 14, 19 or 20)	group14
Lifetime:	8 hours	8 hours (28800 seconds)



Phase 2 parameters:

ESP or AH:	ESP	Not explicitly selectable in UTM9
Encryption:	aes-256-cbc	Available on UTM9: AES 128 CTR (128 bit) AES 192 CTR (192 bit) AES 256 CTR (256 bit) AES 128 GCM (96 bit) AES 192 GCM (96 bit) AES 256 GCM (96 bit) AES 128 GCM (128 bit) AES 192 GCM (128 bit) AES 256 GCM (128 bit) ...does any of them match aes-256-cbc ?
Authentication:	sha512	SHA2 512
PFS DH group:	group20	group14 (MODP 2048)
Lifetime:	1 hour	1 hour

		compression off

Encryption domains:	10.159.0.0/16	172.28.92.128/25 (they want us to use that subnet)

Our main subnett with workstations is actually 192.168.91.0/24 . They say to have that subnet already occupied and want us to use the 172... subnet.

Do we have to create that subnet and move all affected workstations (currently just 2) into this subnet (open FW between our 192.168.91.0 subnet, etc.) or is there a method to do a 1:1 NAT traversal between the IPSec tunnel and our existing 192... subnet?

Every hint is highly appreciated!

This thread was automatically locked due to age.

Parents

0 BAlfson over 2 years ago
Hallo Chris,

You didn't say what hardware your UTM is running on.

They should make some changes.

UTM won't do IKEv2.

AES 256 GCM is more secure than cbc. I prefer AES 128 GCM (128 bit) since there are security flaws (don't remember the details) in AES 256.

Your subnet is 192.168.91.0/24, but they want you to fit that in a /25. If you can't easily do that and they can't give you a /24, you're stuck with using one or more SNATs depending on whether it's practical to connect to them using a single IP for all accesses. If you can agree on a /24 or /25, you can use a 1-1 source NAT for traffic initiated by you. I'm assuming they aren't going to initiate traffic to you, but you'd need another 1-1 destination NAT rule for that.

Cheers - Bob
Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel
0 ChrisSoukup over 2 years ago in reply to BAlfson

Assuming they give us some kind of 172.2.3.0/24 class (that could be mapped to our /24 class) and we would only need to connect to hosts on their side....I would create the tunnel like:

Tunnel:
- Create the tunnel in IPSec -> "New IPSec Connection"
- In that "Local Network" list create that Network 172.2.3.0/24
- Automatic firewall rules: off

NAT Mapping:
- In Network Protection -> NAT -> Create rule "1:1 NAT" with...
For traffic from: 192.168.91.0/24 (our real physical network)
Using service: Any
Going to: 10.159.0.0/16 (their real physical network)
Action: 1:1 NAT mode: Map source ???
Map to: 172.2.3.0/24
Automatic firwall rules: off

Firewall (since I didn't select automatic firewall rules):
- In Firewall ... create a rule like:
Sources: 192.168.91.0/24 (our physical network)
Services: Any
Destinations: 10.159.0.0/16 (their physical network)
Automatic firwall rules: off

...or would I need 2 firewall entries like one from 192.xxx to 172.xxx and then the second from 172.xxx to 10.159.0.0/16 ?

Anything else?

Thank you in advance for your help!
Cancel
Vote Up 0 Vote Down

Cancel

Reply

0 ChrisSoukup over 2 years ago in reply to BAlfson

Assuming they give us some kind of 172.2.3.0/24 class (that could be mapped to our /24 class) and we would only need to connect to hosts on their side....I would create the tunnel like:

Tunnel:
- Create the tunnel in IPSec -> "New IPSec Connection"
- In that "Local Network" list create that Network 172.2.3.0/24
- Automatic firewall rules: off

NAT Mapping:
- In Network Protection -> NAT -> Create rule "1:1 NAT" with...
For traffic from: 192.168.91.0/24 (our real physical network)
Using service: Any
Going to: 10.159.0.0/16 (their real physical network)
Action: 1:1 NAT mode: Map source ???
Map to: 172.2.3.0/24
Automatic firwall rules: off

Firewall (since I didn't select automatic firewall rules):
- In Firewall ... create a rule like:
Sources: 192.168.91.0/24 (our physical network)
Services: Any
Destinations: 10.159.0.0/16 (their physical network)
Automatic firwall rules: off

...or would I need 2 firewall entries like one from 192.xxx to 172.xxx and then the second from 172.xxx to 10.159.0.0/16 ?

Anything else?

Thank you in advance for your help!
Cancel
Vote Up 0 Vote Down

Cancel

Children

0 BAlfson over 2 years ago in reply to ChrisSoukup

If all traffic is originated on your side, then the connection tracker will pass the response traffic without another firewall rule. I would just select Automatic rules in the NAT, though.

Cheers - Bob

Sophos UTM Community Moderator
Sophos Certified Architect - UTM
Sophos Certified Engineer - XG
Gold Solution Partner since 2005

MediaSoft, Inc. USA
Cancel
Vote Up 0 Vote Down

Cancel