topic Encrypt All IPSEC Traffic in General Topics

Encrypt All IPSEC Traffic

Dor_Azumi — Tue, 30 Oct 2018 09:48:28 GMT

Hi,

I have a question about how to encrypt all the traffic through IPSEC VPN between two sites managed by the same management server.

The topology is:

I have a center site with 3 interfaces - Internet interface, Center LAN interface, Interface to remote site (site2).
I have a remote site (I will name him site2) with 2 interfaces - site2 LAN interface, Interface to center site.

The management server is sitting in the center site LAN interface.

The center site GW is Gaia os R77.30 cluster.

The remote site site2 is 1430 appliace running Gaia Embedded.

Both GWs are managed by the central management server.

My goal is to route and encrypt all traffic coming from the remote site site2 - including:

Traffic to center site LAN.
Traffic to the Internet.

How should I configure it?

What I need to configure in the Encryption domains?

Regards,

Dor.

Re: Encrypt All IPSEC Traffic

_Val_ — Tue, 30 Oct 2018 10:12:05 GMT

When you say "interface to remote site", do you mean you have MPLS leading to those? Cause there is also Internet connection at the center, as I see. Remote sites, are they connected to Internet directly as well? If you have dedicated WAN to reach remote sites, why do you need to encrypt?

Re: Encrypt All IPSEC Traffic

Dor_Azumi — Tue, 30 Oct 2018 10:13:22 GMT

The interface to remote site is simply a layer2 line (IPVPN).

Consider it as one subnet.

Re: Encrypt All IPSEC Traffic

Dor_Azumi — Tue, 30 Oct 2018 10:14:59 GMT

Only the center site has a connection to the Internet.

In order for site2 to reach the internet, they need to go to the center site.

I want to encrypt all traffic from the remote site (including internet traffic).

Re: Encrypt All IPSEC Traffic

_Val_ — Tue, 30 Oct 2018 10:22:33 GMT

Okay then. Each GW needs VPN domain including all internal networks on its own site. Treat IPVPN interfaces as external. All behind internal interface goes to VPN domain

Re: Encrypt All IPSEC Traffic

Dor_Azumi — Tue, 30 Oct 2018 10:24:21 GMT

Ok, but what about the internet traffic?

If someone from the remote site LAN will go to the intenet, it won’t be encrypted by the IPSEC VPN.

Re: Encrypt All IPSEC Traffic

_Val_ — Tue, 30 Oct 2018 10:26:34 GMT

For that, you need to create star based community where your satellites are allowed to go S2S and to Internet through the central GW. All of above are standard options

Re: Encrypt All IPSEC Traffic

Dor_Azumi — Tue, 30 Oct 2018 10:28:24 GMT

What I need to configure in the VPN Domain unger the GW objects?

How the GWs determines if the traffic should be encrypted or not?...

Re: Encrypt All IPSEC Traffic

_Val_ — Tue, 30 Oct 2018 10:33:05 GMT

1. depending on how many networks are behind GW, and routing to those, you can use either manual groups or "based on topoligy" settings.

2. with domain based VPNs, GW decides to encrypt by checking that source and destination belong to VPN domains. In start topology with the mentioned VPN routing option all traffic from satellites to center GW will be encrypted.

As mentioned, your situation is one of classic configurations. I recommend you to read the admin guide for VPN, as all the questions above are answered there Site to Site VPN R80.10 Administration Guide

Re: Encrypt All IPSEC Traffic

Dor_Azumi — Tue, 30 Oct 2018 11:01:55 GMT

Hi,

Thanks but I have a R77.30 Gaia GW at center and 1430 77.20 GaiaEmbedded GW at the remote site.

I am not sure that satellite community will enforce all traffic routed to the center to be encrypted by the IPSEC, regardless VPN Domain configuration under each GW.

Re: Encrypt All IPSEC Traffic

_Val_ — Tue, 30 Oct 2018 12:12:03 GMT

R77.30 admin guide is not so much different.

Re: Encrypt All IPSEC Traffic

G_W_Albrecht — Wed, 31 Oct 2018 08:42:52 GMT

If you do not believe, look into this sk107641: Configure "Route All Traffic" from locally managed SMB appliances to a centrally managed gateway - you will find how you can achieve this even for locally managed satellites, for centrally managed, it needs just choosing the lowest option in Start Community VPN Routing: To center, or through the center to other satellites, to internet and other VPN targets.