topic Re: VPN tunnel in local LAN for Internet connectivity in Firewall and Security Management

VPN tunnel in local LAN for Internet connectivity

Christian_Koehl — Mon, 25 Mar 2024 13:48:47 GMT

Hi folks,

the big internal 26.000 VSX cluster is running some virtual systems on R81.20 + JHF-53.
One of these virt. system is for guests. The guests can connect here their own equipment. Which is very unsecure....

The guest are allowed to connection to the internet and ONLY to the internet.
For this reason, a VPNtunnel should be used, when the data pass the internal network / backbone.

The VPN endpoint (the cluster of 1570er appliance) does not have any networks, which should be reached by the guests. There is only the connection to the Internet.

How do i configure this, especially as there is no real enc-domain on the 1570er appliances?

Best regards,
Christian

Re: VPN tunnel in local LAN for Internet connectivity

spottex — Tue, 26 Mar 2024 02:10:11 GMT

I don't know if this is possible as a VPN is to join internal lans???
I'm curious how you get on with this.

How about a rule on the gateways the traffic traverses:

SRC:Guest-networks, Dst: 'Negated' Internal-networks, port: http/s etc
or dst: all_internet.
Basically all networks except internal. Routing and Anti-spoofing considered.

If you still want to go the VPN route then I would test with one tunnel per GW pair in tunnel settings.
So the GW will consider the Encryption domain during authentication to be IPv4 Universal Range, i.e. as long as both sides are configured the same the auth will be happy with any IP in the Traffic Selector - Initiator and Traffic Selector - Responder but the traffic will only hit the community if there is traffic that consists of the Guest-networks and 'other'.

On the External GW the Encryption domains would be Guest-NW object for the peer, but for the local I see as the problem.
I don't see the objects you can specify like all_internet or all networks regarding Enr Doms.
You could create an NW object with 0.0.0.0/0.0.0.0 and see if you can use that specifying a specific VPN domain for the GW community in GW Properties. Or leave as is and test because the initiating traffic will be coming from the internal FW so auth may make it through.

There is the radical option to change and test traditional mode where you have to specify the VPN community in the VPN column of the rule. - Guessing that is not recommended by CP now though.
There is a warning that config will applied to new policies only so this would be a headache.

Re: VPN tunnel in local LAN for Internet connectivity

AmirArama — Tue, 26 Mar 2024 18:26:44 GMT

if you are asking how to route all traffic towards the Spark VPN peer.

with domain based: in the vpn community, VPN routing, you select the 3rd option. (BE CAREFUL - it will cause all your traffic not known by other VPN peers, and which not included in the local VPN domain of the guests VS GW, to be routed to this tunnel, including traffic from the VS itself, and the VS will also expect traffic it to arrive encrypted (such as ssh etc) (if needed you can apply excluded services/crypt.def/exclude external ip from vpn domain)

with route based: just set the main default route to the VTI of the spark. (AGAIN - it will route everything which doesn't have any more specific route towards the tunnel, including traffic from the GW itself (unless you use PBR)