SaxMan
Participant

1500/1600 Locally Managed - IPSEC Local encryption domain

Hi,
I'm trying to test the following scenario in a LAB with locally managed 1500 and 1600 appliances, running R81.10.

POC requirement:
A local encryption domain for each IPSEC (S2S) tunnel.
Example:
HQ's LAN = 192.168.88.0/24
Interesting traffic:
1. Warehouse_WMS_Server_192.168.88.22 Port: tcp/9443
2. Biometrics_Access_Server_192.168.88.24 Ports: rdp_33899
3. HQ's LAN = 192.168.88.0/24
Required rules:
1. Delivery company must access Warehouse_WMS_Server_192.168.88.22 Port: tcp/9443 ONLY
2. Access/physical security company must access Biometrics_Access_Server_192.168.88.24 Ports: rdp_3389 ONLY
3. Remote/Branch office to have access to the entire 192.168.88.0/24 network for AD, MFA, SIP/VOIP, HR, etc.

When the appliance (HQ) has STANDARD mode enabled in the firewall blade control, it auto-generates:
Source: VPN Sites    Destination: Any    Service: Any    Action: Accept    Log: Log
(cannot be changed)
In the section "Site To Site" --> "Advanced" there is an option to define the local encryption domain separately.
With only 192.168.88.22 and 192.168.88.24 defined therein, it means that the delivery company is able to "ping" / access the Biometrics server at 192.168.88.24 and vice versa.
If the entire 192.168.88.0/24 is in the local encryption domain then it's basically "open" to all (and so is "automatically determine local network topology").

If the blade control is switched to STRICT, the "VPN Sites" object is no longer available and thus manual rules cannot be created.

Any suggestions on how to achieve the above would be greatly appreciated.
I also had a look at the "NextGen" rules in SMP/Infinity - it does not appear to be 'doable' there either.
(I hope it's something simple that I'm overlooking) 😄 😀

Many thanks.


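To make the exposure described in the post concrete, here is an added model (not Check Point code, and not from the original thread) that evaluates the fixed "VPN Sites -> Any -> Any: Accept" rule against the two local encryption domain choices the post considers. Peer names and sample flows are constructed; the required-access table is the one stated in the post.

```python
from ipaddress import ip_address, ip_network

# Constructed model of the HQ policy from the thread (not Check Point code).
LAN = ip_network("192.168.88.0/24")
# The two "Site to Site -> Advanced" local encryption domains the post tries:
NARROW_DOMAIN = [ip_network("192.168.88.22/32"), ip_network("192.168.88.24/32")]
FULL_DOMAIN = [LAN]

# What each VPN peer is actually meant to reach (peer names are hypothetical labels).
REQUIRED = {
    "Delivery": {("192.168.88.22", "tcp", 9443)},
    "AccessSec": {("192.168.88.24", "tcp", 3389)},
    "Branch": "LAN",  # whole 192.168.88.0/24, any service
}

def standard_mode_allows(domain, peer, dst, proto, port):
    """STANDARD mode: the fixed 'VPN Sites -> Any -> Any: Accept' rule matches
    every VPN peer; the only limit is whether dst lies inside the local
    encryption domain at all (otherwise the tunnel never carries the flow)."""
    return any(ip_address(dst) in net for net in domain)

def is_required(peer, dst, proto, port):
    spec = REQUIRED[peer]
    if spec == "LAN":
        return ip_address(dst) in LAN
    return (dst, proto, port) in spec

def overexposed(domain, flows):
    """Flows the appliance accepts although the requirement forbids them."""
    return [f for f in flows if standard_mode_allows(domain, *f) and not is_required(*f)]

def unreachable(domain, flows):
    """Required flows that the chosen domain silently breaks."""
    return [f for f in flows if is_required(*f) and not standard_mode_allows(domain, *f)]

# Constructed sample flows: (peer, destination, protocol, port)
FLOWS = [
    ("Delivery", "192.168.88.22", "tcp", 9443),   # legitimate
    ("Delivery", "192.168.88.24", "tcp", 3389),   # partner cross-access the post describes
    ("AccessSec", "192.168.88.22", "tcp", 9443),  # ... and vice versa
    ("Delivery", "192.168.88.10", "tcp", 445),    # internal host, never intended
    ("Branch", "192.168.88.10", "udp", 389),      # branch needs AD
]

if __name__ == "__main__":
    for name, dom in (("narrow", NARROW_DOMAIN), ("full LAN", FULL_DOMAIN)):
        print(name, "overexposed:", overexposed(dom, FLOWS))
        print(name, "unreachable:", unreachable(dom, FLOWS))
```

The narrow domain leaves the two partners able to reach each other's server while cutting the branch off from AD; the full-LAN domain restores the branch but exposes every internal host to every peer, which is exactly the trade-off the post is stuck on.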

This is beyond the scope of the SMB appliances! You can open an SR# with CP TAC to get that confirmed.

CCSE CCTE CCSM SMB Specialist
SaxMan
Participant

Thanks a million for the feedback.
Let me engage my local CP Account Manager and explore the chances/possibility of applying for an RFE.

RFE for GAiA features on GAiA Embedded is a nice try! I would not think that there are any hopes for fulfillment...

CCSE CCTE CCSM SMB Specialist
SaxMan
Participant

I think it'll be worth a shot?
'Cos if we build IPSEC tunnels (as outlined above) on the current topology (I get the embedded aspect), could it not be seen as a risk by potential clients that we demo IPSEC to?
In other words: 2 different business partners connecting to their network, but they cannot be separated by individual local encryption domains?

The other option would be to build ("non-VPN") rules:
Each business partner connects from their public/static IP address to the HQ's NATted IPs for the appropriate/relevant server(s).
(Or... servers are put in the DMZ?)
But the brief/requirement (in this case) is IPSEC.

It took very, very long until we did receive more than one VPN community in GAiA - so I think this is not very realistic...

CCSE CCTE CCSM SMB Specialist
SaxMan
Participant

For real?? 😃
OK... I also asked a while back for on-prem/3rd party MFA for AD/VPN users (SMB appliances).
I saw a few mentions regarding this on the "SMB Masters" webinar a few weeks back - so I'm crossing fingers.
😀
Thanks a million for your insight.