1 00:00:00,770 --> 00:00:06,680 Hello and welcome to this lecture. In this lecture we configure the ASA firewall for site-to-site VPN
2 00:00:07,100 --> 00:00:11,020 going through the Internet up to the headquarters.
3 00:00:11,080 --> 00:00:14,410 So to the HQ FortiGate firewall.
4 00:00:14,420 --> 00:00:19,650 So now let's jump and connect to the ASDM.
5 00:00:19,810 --> 00:00:24,260 Let's see if the session has expired or not.
6 00:00:24,330 --> 00:00:25,200 No, we're actually in.
7 00:00:25,260 --> 00:00:32,400 So let's go to Wizards and let's say VPN Wizards and let's select Site-to-site VPN Wizard.
8 00:00:33,780 --> 00:00:40,140 So this is the setup, and it is between two devices through the Internet.
9 00:00:40,140 --> 00:00:41,420 This is what we need.
10 00:00:41,430 --> 00:00:47,640 So: use this wizard to set up a new site-to-site VPN tunnel. A tunnel between two devices is called a site-
11 00:00:47,640 --> 00:00:50,170 to-site tunnel and is bidirectional.
12 00:00:50,180 --> 00:00:54,150 A site-to-site VPN tunnel protects data using the IPsec protocol.
13 00:00:54,210 --> 00:00:56,670 Actually, it's the IPsec protocol suite.
14 00:00:56,700 --> 00:01:02,010 So anyway, let's go and say Next. So, peer device IP.
15 00:01:02,030 --> 00:01:03,820 What's the IP address of,
16 00:01:03,820 --> 00:01:06,420 in this case, the HQ FortiGate firewall?
17 00:01:06,910 --> 00:01:12,020 So let's check the diagram, and it's 80.80.80.1.
18 00:01:12,110 --> 00:01:22,050 So let's configure this. So the IP address, it's 80.80.80.1. VPN access interface:
19 00:01:22,060 --> 00:01:26,620 so we are accessing, we are reaching this IP address through the outside interface.
20 00:01:26,650 --> 00:01:28,990 Let's just click Next.
21 00:01:29,020 --> 00:01:30,460 Now, what is the local network?
22 00:01:30,520 --> 00:01:36,330 So again, traffic to protect, or proxy ACL, as Cisco calls it.
23 00:01:36,370 --> 00:01:37,570 Or interesting traffic.
24 00:01:38,080 --> 00:01:40,420 So what's my private IP address?
25 00:01:40,420 --> 00:01:43,030 My local LAN. And what's the remote network?
26 00:01:43,030 --> 00:01:48,100 What's the remote private network that we are going to talk to or connect to?
27 00:01:48,470 --> 00:01:55,090 So, local network, I'll just click here, and our local network is this inside-network 192.168.3.0,
28 00:01:55,250 --> 00:02:00,580 and I'll now click on local network so that I select this object.
29 00:02:00,610 --> 00:02:04,270 This is what they're called, they're objects, and I'll pick.
30 00:02:04,370 --> 00:02:09,280 OK, now for the remote network we don't have one defined.
31 00:02:09,430 --> 00:02:09,830 We don't.
32 00:02:09,880 --> 00:02:11,210 We do not have it in the list.
33 00:02:11,210 --> 00:02:12,820 So we'll just create one.
34 00:02:12,820 --> 00:02:26,640 So click on Add and say Network Object. The name will be, let's say, HQ FortiGate private LAN.
35 00:02:26,650 --> 00:02:29,420 This is not a host, but this is a network.
36 00:02:29,500 --> 00:02:36,550 So the IP address will be 192.168.1.0 and the netmask is 255.
37 00:02:36,580 --> 00:02:39,270 255.255.0.
38 00:02:39,430 --> 00:02:47,160 So NAT: we will not add to any NAT, so we don't want this traffic to be NATted.
39 00:02:47,440 --> 00:02:55,780 And let's just say OK. I will select it now and say remote network is this, and click OK.
40 00:02:55,780 --> 00:02:58,810 Now we have to say Next.
41 00:02:58,810 --> 00:03:07,390 Now in this step, in the fourth step, the security step, we can say that we can go through, I mean
42 00:03:07,510 --> 00:03:10,980 select Simple Configuration or Customized Configuration.
43 00:03:10,990 --> 00:03:17,890 Now here's the thing: the Simple Configuration option says ASA uses the pre-shared key entered
44 00:03:17,890 --> 00:03:20,760 here to authenticate this device with the peer.
45 00:03:20,770 --> 00:03:28,050 So remember, on the FortiGate we have defined the pre-shared key as fortinet. ASDM will select common
46 00:03:28,470 --> 00:03:35,310 IKE and ISAKMP security parameters that will allow tunnel establishment, which means that it will
47 00:03:35,310 --> 00:03:36,780 select.
48 00:03:36,870 --> 00:03:43,780 It will have more than one available as security associations, as well as proposals, better said.
49 00:03:43,830 --> 00:03:51,150 And from that list the ASDM will try to select one in order to match what the FortiGate will present
50 00:03:51,150 --> 00:03:52,760 when trying to establish the tunnel.
51 00:03:53,400 --> 00:03:58,500 But we are network engineers; we're going to select Customized Configuration.
52 00:03:58,500 --> 00:03:59,070 Why is this?
53 00:03:59,070 --> 00:04:05,250 Because we want to be as exact as possible and select only what we need, not select everything that's
54 00:04:05,250 --> 00:04:08,370 available, right? So let's go for IKE
55 00:04:08,370 --> 00:04:09,050 version 1.
56 00:04:09,060 --> 00:04:10,790 This is what we have configured on
57 00:04:10,950 --> 00:04:14,670 the FortiGate firewall. And the authentication method:
58 00:04:14,670 --> 00:04:18,320 so we are not using any certificate, the authentication is pre-shared key.
59 00:04:18,450 --> 00:04:20,970 And let's say now fortinet.
60 00:04:21,030 --> 00:04:27,210 So again, let me just make sure I'm typing it correctly: fortinet. Encryption algorithms.
61 00:04:27,210 --> 00:04:32,070 So we see here that there are a lot of policies and IPsec proposals.
62 00:04:32,100 --> 00:04:35,920 So we want to make sure that we select only what we need.
63 00:04:36,390 --> 00:04:40,710 PFS: we have selected PFS, and the group was 5.
64 00:04:40,770 --> 00:04:46,090 Let's get back to encryption algorithms and say Manage. OK,
65 00:04:48,740 --> 00:04:57,280 and from this list we will delete everything and only leave the one we need.
66 00:04:57,280 --> 00:05:06,730 So there is 3DES-SHA with pre-shared key, so I'll delete this one, and RSA-SIG means authentication through
67 00:05:06,730 --> 00:05:07,820 certificates.
68 00:05:07,930 --> 00:05:08,620 We don't need it.
69 00:05:08,650 --> 00:05:09,620 So we need only this.
70 00:05:09,640 --> 00:05:14,770 We said 3DES encryption, SHA as the algorithm, DH: we had group 1.
71 00:05:14,770 --> 00:05:15,820 This is not good.
72 00:05:15,850 --> 00:05:16,480 I'll just say
73 00:05:16,490 --> 00:05:19,660 Edit. And DH group 1 should be 5.
74 00:05:19,660 --> 00:05:21,860 This is what we said.
75 00:05:22,150 --> 00:05:23,350 This is what we have configured.
76 00:05:23,500 --> 00:05:29,950 So again, we have seen a bunch of things here, a bunch of IKEv1 policies.
77 00:05:29,950 --> 00:05:32,160 We have configured only one.
78 00:05:32,290 --> 00:05:33,580 And this is what we need.
79 00:05:34,210 --> 00:05:36,220 So let's just verify again.
80 00:05:36,250 --> 00:05:45,670 SHA-1, DH group 5, pre-shared keys and eighty six thousand four hundred seconds, if we look
81 00:05:45,760 --> 00:05:53,330 on the HQ FortiGate firewall.
82 00:05:53,380 --> 00:05:57,000 So again, for the VPN to establish we have to match these parameters.
83 00:05:57,850 --> 00:06:07,240 So if you go now into the custom one and say Edit. Let's go, and for the phase one we have 3DES, SHA-1,
84 00:06:07,260 --> 00:06:11,680 group 5, perfect, and we have eighty six thousand four hundred.
85 00:06:11,730 --> 00:06:13,200 If I remember it correctly.
86 00:06:13,200 --> 00:06:15,890 Anyway, just check Edit: 86,400
87 00:06:15,890 --> 00:06:18,870 seconds for the key
88 00:06:18,870 --> 00:06:20,060 lifetime.
89 00:06:20,100 --> 00:06:23,900 Now I'll say Cancel and get back to you.
90 00:06:24,290 --> 00:06:28,940 So now I will say OK, and this is the policy.
91 00:06:29,600 --> 00:06:31,700 So this is pre-shared, pre-shared.
92 00:06:31,770 --> 00:06:38,130 3DES-SHA. IPsec proposal: now let's say Select. Again, we have a bunch of them here.
93 00:06:38,170 --> 00:06:41,680 I will just go and delete everything.
94 00:06:41,690 --> 00:06:43,380 Hopefully it's possible.
95 00:06:43,580 --> 00:06:48,870 Actually, you know, we have to select here on the list and delete everything that we don't need.
96 00:06:49,070 --> 00:06:58,310 And I will just leave this one, which is 3DES-SHA, and delete everything else.
97 00:06:58,310 --> 00:07:04,300 So I will assign as an IPsec proposal this, for... this is for phase two,
98 00:07:04,310 --> 00:07:05,100 by the way.
99 00:07:05,180 --> 00:07:08,190 So 3DES-SHA, and click OK.
100 00:07:08,210 --> 00:07:15,620 Again, we can go back to the FortiGate firewall, for the second tunnel going to the ASA, and click Edit,
101 00:07:17,270 --> 00:07:23,570 phase 2 selectors, look at it, and then move to the Advanced section.
102 00:07:23,570 --> 00:07:28,390 We need 3DES and SHA-1 with PFS and group 5.
103 00:07:28,560 --> 00:07:35,210 So going back to this one: PFS has been enabled with group 5, encryption algorithm
104 00:07:35,370 --> 00:07:36,830 ESP-3DES.
105 00:07:37,430 --> 00:07:40,300 So we are ready to say Next.
106 00:07:40,470 --> 00:07:42,190 Now the NAT exempt.
107 00:07:42,200 --> 00:07:48,480 So this step allows you to exempt the local network address from network address translation, and I'll just
108 00:07:48,930 --> 00:07:50,010 enable this option.
109 00:07:50,010 --> 00:07:57,970 We don't want traffic going from our private LAN going to the private LAN on
110 00:07:58,130 --> 00:08:00,830 the HQ side to be translated.
111 00:08:00,840 --> 00:08:08,090 Otherwise the traffic will not flow correctly, so: exempt ASA side host/network from address
112 00:08:08,090 --> 00:08:14,190 translation. In this, I mean with this configuration, with its private IP addressing
113 00:08:14,550 --> 00:08:18,390 192.168.3.1/24.
114 00:08:18,840 --> 00:08:20,950 So this is good, and click Next.
115 00:08:22,750 --> 00:08:26,380 So this is an overview of the configuration: peer IP,
116 00:08:26,380 --> 00:08:33,160 this is the VPN access we're using, IKEv1 with pre-shared key, PFS is enabled
117 00:08:33,160 --> 00:08:34,270 with group 5.
118 00:08:34,300 --> 00:08:35,350 IKEv1 policy:
119 00:08:35,350 --> 00:08:41,440 pre-shared, 3DES, SHA. IPsec proposal: ESP, Encapsulating Security Payload, with 3DES and SHA.
120 00:08:42,070 --> 00:08:48,820 And regarding NAT, the protected traffic is not subject to network address translation, which is good.
121 00:08:48,820 --> 00:08:58,530 I will now say, let's see, say Finish, and luckily I have this option enabled, and I will show you exactly
122 00:08:58,770 --> 00:09:01,170 in a moment where you can enable it as well.
123 00:09:02,100 --> 00:09:07,850 So we are running and we are configuring basically everything we need in this graphical user interface.
124 00:09:07,950 --> 00:09:13,560 But basically what's happening behind the scenes is that at the end a configuration is generated, like
125 00:09:13,560 --> 00:09:20,160 you see here, and these commands will be pushed to the ASA device so that it is configured like you have,
126 00:09:20,490 --> 00:09:25,290 we have entered in the graphical user interface. But there is an option that you have to check so that
127 00:09:25,290 --> 00:09:29,450 you can see the commands before they're pushed to the device. Anyway.
128 00:09:29,460 --> 00:09:36,860 Now I will say Send, and the configuration has been sent to the device.
129 00:09:36,860 --> 00:09:40,170 So here in File, let me just check.
130 00:09:40,400 --> 00:09:50,900 So Tools, and let's see what it is. So File... no, Tools.
131 00:09:50,930 --> 00:09:52,020 I think it's here.
132 00:09:52,130 --> 00:10:02,600 So Tools, Preferences, and here it is: Preview commands before sending them to the device. And I have
133 00:10:02,600 --> 00:10:08,600 enabled this option, and it's a good practice, so that you also get a good understanding of what's
134 00:10:08,600 --> 00:10:14,250 happening there and what commands are really delivered to your device, in a way.
135 00:10:14,330 --> 00:10:18,540 This has been the configuration on the ASA.
136 00:10:18,860 --> 00:10:19,310 Nothing.
137 00:10:19,310 --> 00:10:21,350 Nothing more to be done now.
138 00:10:21,500 --> 00:10:26,570 Let's just meet in the next lecture, where we do some testing and verification and any troubleshooting
139 00:10:26,600 --> 00:10:27,620 if needed.
140 00:10:27,620 --> 00:10:29,930 So thanks a lot and see you in the next section.