Encrypt All IPSEC Traffic

Dor_Azumi · ‎2018-10-30

Hi,

I have a question about how to encrypt all the traffic through IPSEC VPN between two sites managed by the same management server.

The topology is:

I have a center site with 3 interfaces - Internet interface, Center LAN interface, Interface to remote site (site2).
I have a remote site (I will name him site2) with 2 interfaces - site2 LAN interface, Interface to center site.

The management server is sitting in the center site LAN interface.

The center site GW is Gaia os R77.30 cluster.

The remote site site2 is 1430 appliace running Gaia Embedded.

Both GWs are managed by the central management server.

My goal is to route and encrypt all traffic coming from the remote site site2 - including:

Traffic to center site LAN.
Traffic to the Internet.

How should I configure it?

What I need to configure in the Encryption domains?

Regards,

Dor.

_Val_ · ‎2018-10-30

When you say "interface to remote site", do you mean you have MPLS leading to those? Cause there is also Internet connection at the center, as I see. Remote sites, are they connected to Internet directly as well? If you have dedicated WAN to reach remote sites, why do you need to encrypt?

Dor_Azumi · ‎2018-10-30

The interface to remote site is simply a layer2 line (IPVPN).

Consider it as one subnet.

Dor_Azumi · ‎2018-10-30

Only the center site has a connection to the Internet.

In order for site2 to reach the internet, they need to go to the center site.

I want to encrypt all traffic from the remote site (including internet traffic).

_Val_ · ‎2018-10-30

Okay then. Each GW needs VPN domain including all internal networks on its own site. Treat IPVPN interfaces as external. All behind internal interface goes to VPN domain

Dor_Azumi · ‎2018-10-30

Ok, but what about the internet traffic?

If someone from the remote site LAN will go to the intenet, it won’t be encrypted by the IPSEC VPN.

_Val_ · ‎2018-10-30

For that, you need to create star based community where your satellites are allowed to go S2S and to Internet through the central GW. All of above are standard options

Dor_Azumi · ‎2018-10-30

What I need to configure in the VPN Domain unger the GW objects?

How the GWs determines if the traffic should be encrypted or not?...

_Val_ · ‎2018-10-30

1. depending on how many networks are behind GW, and routing to those, you can use either manual groups or "based on topoligy" settings.

2. with domain based VPNs, GW decides to encrypt by checking that source and destination belong to VPN domains. In start topology with the mentioned VPN routing option all traffic from satellites to center GW will be encrypted.

As mentioned, your situation is one of classic configurations. I recommend you to read the admin guide for VPN, as all the questions above are answered there Site to Site VPN R80.10 Administration Guide

Dor_Azumi · ‎2018-10-30

Hi,

Thanks but I have a R77.30 Gaia GW at center and 1430 77.20 GaiaEmbedded GW at the remote site.

I am not sure that satellite community will enforce all traffic routed to the center to be encrypted by the IPSEC, regardless VPN Domain configuration under each GW.

_Val_ · ‎2018-10-30

R77.30 admin guide is not so much different.

G_W_Albrecht · ‎2018-10-31

If you do not believe, look into this sk107641: Configure "Route All Traffic" from locally managed SMB appliances to a centrally managed g... - you will find how you can achieve this even for locally managed satellites, for centrally managed, it needs just choosing the lowest option in Start Community VPN Routing: To center, or through the center to other satellites, to internet and other VPN targets.