1 00:00:00,860 --> 00:00:07,190 Hello and welcome to this lecture. In this lecture we'll try to initiate the VPN connection from the remote
2 00:00:07,190 --> 00:00:12,310 worker going to the Internet, going through the HQ FortiGate firewall.
3 00:00:12,320 --> 00:00:14,970 So now let's connect on the Windows
4 00:00:14,970 --> 00:00:18,220 PC. And here it is.
5 00:00:18,530 --> 00:00:25,850 And because we have the FortiClient installed we should initiate it, so right click and open FortiClient console
6 00:00:26,780 --> 00:00:29,770 and we will go into the remote access section.
7 00:00:29,930 --> 00:00:37,640 So it says no VPN connected, so we should click on the remote access and then go to configure VPN, so
8 00:00:37,640 --> 00:00:39,850 click on configure VPN.
9 00:00:39,850 --> 00:00:44,580 We will have to provide, by the way not in the SSL but in the IPsec,
10 00:00:44,910 --> 00:00:46,760 we will have to provide a connection name.
11 00:00:46,880 --> 00:00:54,750 So let's say this is the HQ or the HQ firewall.
12 00:00:54,920 --> 00:01:02,200 Then the remote gateway should be the IP address of the VPN gateway you're trying to connect to.
13 00:01:02,200 --> 00:01:03,200 Right.
14 00:01:03,230 --> 00:01:06,920 So now it's here, going to the GNS3.
15 00:01:07,760 --> 00:01:10,430 So it's ADHD 80 and 81.
16 00:01:10,550 --> 00:01:14,360 So let's fill in these details.
17 00:01:14,360 --> 00:01:18,450 ADHD 80 81.
18 00:01:18,550 --> 00:01:19,740 Pre-shared key.
19 00:01:19,900 --> 00:01:21,430 It's fortinet.
20 00:01:22,820 --> 00:01:27,320 And now let's click on the advanced settings and you will see why.
21 00:01:27,320 --> 00:01:33,230 So although this is remote access VPN, maybe you are familiar or you're not familiar with this kind of
22 00:01:33,500 --> 00:01:35,130 a VPN setup.
23 00:01:35,210 --> 00:01:41,940 It is the same as you would configure a site to site VPN, so some settings should be configured for
24 00:01:41,940 --> 00:01:46,160 Phase 1 and Phase 2 of the whole VPN setup.
25 00:01:46,260 --> 00:01:49,880 So let's now navigate and see what's available here.
26 00:01:50,400 --> 00:01:57,480 So in terms of VPN settings I will leave it to, let's say, aggressive at the moment and mode config.
27 00:01:57,480 --> 00:01:59,650 Now let's go to Phase 1.
28 00:01:59,910 --> 00:02:06,590 So in terms of encryption and authentication you see that for phase one by default the FortiClient
29 00:02:06,630 --> 00:02:14,060 is using AES 128 and SHA1, or AES 256 and SHA 256.
30 00:02:14,120 --> 00:02:21,140 This is absolutely a valid configuration, but because we are running the Fortinet firewall VM in evaluation
31 00:02:21,140 --> 00:02:27,390 mode we do not have these specific encryption and authentication pairs available.
32 00:02:27,410 --> 00:02:33,800 So remember we have MD5 and MD5 and DES.
33 00:02:33,800 --> 00:02:37,950 So let's go for that with SHA1.
34 00:02:38,280 --> 00:02:43,770 And basically that's it, because again we do not have this available.
35 00:02:43,910 --> 00:02:45,080 So we should.
36 00:02:45,440 --> 00:02:52,210 We could, not should, but we could configure here multiple pairs of encryption and authentication.
37 00:02:52,220 --> 00:02:59,960 But we have to have some matching attributes for Phase 1 and Phase 2 that are available on
38 00:03:00,010 --> 00:03:00,370 the
39 00:03:00,630 --> 00:03:01,630 FortiGate firewall.
40 00:03:02,330 --> 00:03:08,330 So because we are doing testing and we are learning, you know we are in a learning process, we should
41 00:03:08,330 --> 00:03:11,590 leave DES and SHA1 so that it matches what we have on
42 00:03:11,590 --> 00:03:20,640 the other side, on the gateway. In terms of Phase Two, again we should use something that's available
43 00:03:20,640 --> 00:03:22,070 on the FortiGate firewall.
44 00:03:22,170 --> 00:03:26,200 So DES and SHA1, and I will leave everything the same.
45 00:03:26,220 --> 00:03:36,690 So PFS, perfect forward secrecy, enable this one, group it's five, and for Phase 1 proposal we
46 00:03:36,690 --> 00:03:44,870 have DH group five, let's say. Now apply and the VPN should be configured.
47 00:03:45,440 --> 00:03:46,930 Please note that the name has changed.
48 00:03:46,940 --> 00:03:49,150 It is now HQ firewall.
49 00:03:49,250 --> 00:03:51,200 So I will say close
50 00:03:53,900 --> 00:03:58,070 and we have to provide here username and password.
51 00:03:58,640 --> 00:04:15,690 So let's log in as admin, later. Let's look in the groups, so User and Device, User Groups.
52 00:04:15,860 --> 00:04:25,360 We have remote access group and we have one member, each user, user definition user with the password
53 00:04:25,450 --> 00:04:33,550 of, let's say, user with the password fortinet, just to make sure.
54 00:04:33,550 --> 00:04:39,380 And OK, now going back, so here
55 00:04:42,750 --> 00:04:47,750 here we have user name user and password fortinet.
56 00:04:47,850 --> 00:04:48,780 Let's try.
57 00:04:49,320 --> 00:05:12,040 So fortinet, let's try and connect and we'll see what happens.
58 00:05:12,220 --> 00:05:13,130 Perfect.
59 00:05:13,300 --> 00:05:16,690 So FortiClient connected to HQ firewall.
60 00:05:16,720 --> 00:05:22,620 Now if we take a look, or let's do it this way, if we take a look in,
61 00:05:22,610 --> 00:05:26,880 OK, close, in adapter settings.
62 00:05:27,070 --> 00:05:35,060 Now remember from previous sections and lectures, now we have an ethernet adapter that is no longer disabled.
63 00:05:35,110 --> 00:05:36,570 As you see, this one.
64 00:05:36,610 --> 00:05:39,940 So this is the SSL VPN virtual ethernet adapter.
65 00:05:39,940 --> 00:05:41,870 And this one is for IPsec.
66 00:05:42,100 --> 00:05:50,080 So now because we have remote access VPN connection up and running, this NIC, this virtual NIC, has
67 00:05:50,080 --> 00:05:53,970 now been enabled and we have received an IP address.
68 00:05:54,220 --> 00:05:55,870 So let's see.
69 00:05:55,870 --> 00:06:02,890 And basically, so properties and font, let's make it something bigger.
70 00:06:05,720 --> 00:06:14,640 If we now say, I mean, if we now say ipconfig we should check
71 00:06:19,040 --> 00:06:20,300 and here it is.
72 00:06:20,720 --> 00:06:24,230 So this is the NIC connecting to Internet.
73 00:06:24,370 --> 00:06:27,210 OK so 19 19 1990.
74 00:06:27,290 --> 00:06:28,550 Let's check that.
75 00:06:28,550 --> 00:06:29,140 Here it is.
76 00:06:29,150 --> 00:06:31,930 Nineteen ninety ninety and ninety.
77 00:06:32,000 --> 00:06:39,230 And we have another NIC, which is this one, which has received an IP address 192.168.1
78 00:06:39,270 --> 00:06:45,330 dot 200, and again if we look here we don't have this.
79 00:06:45,340 --> 00:06:51,700 We have two cards, physical cards, one for the ISP Internet connection and one for management purposes,
80 00:06:52,240 --> 00:06:58,960 but another NIC, a virtual one, here on the Windows station on the remote worker has been assigned an
81 00:06:58,960 --> 00:07:04,930 IP address that we have defined when configuring the remote access VPN on the HQ FortiGate firewall.
82 00:07:04,930 --> 00:07:06,910 All right.
83 00:07:06,910 --> 00:07:13,430 So going back, we now have, as I said, this NIC up and running, it's enabled.
84 00:07:13,430 --> 00:07:17,660 It has received an IP address when doing the connection.
85 00:07:17,690 --> 00:07:25,640 Now the ultimate goal for this remote access VPN is that the remote worker is able to access through
86 00:07:25,640 --> 00:07:32,540 Internet and through the HQ FortiGate firewall some resource that's available in the
87 00:07:32,540 --> 00:07:38,510 remote site, or in the HQ site in this case, and the LAN PC.
88 00:07:38,510 --> 00:07:41,550 Let's check again anyway.
89 00:07:41,660 --> 00:07:43,820 LAN PC has 192.168.1
90 00:07:43,820 --> 00:07:45,990 dot 100 as the IP address.
91 00:07:46,090 --> 00:07:50,860 We can think of it as a server, or mail server, or a file sharing server, anyway.
92 00:07:51,090 --> 00:07:57,360 So now that we have the VPN connected we should be able to ping and access this resource through the
93 00:07:57,360 --> 00:08:01,040 VPN, and let's try to do that.
94 00:08:01,560 --> 00:08:13,310 So ping 192.168.1.100, and let's say enter, and here
95 00:08:13,310 --> 00:08:13,760 it is.
96 00:08:13,760 --> 00:08:17,920 So we have connectivity and everything works as expected.
97 00:08:17,960 --> 00:08:28,190 Now in terms of the FortiGate user interface, or the GUI,
98 00:08:28,190 --> 00:08:32,410 the graphical user interface, you can do some verification.
99 00:08:32,630 --> 00:08:41,110 And here if you go into the monitor, and again IPsec monitor, you can see your connection here.
100 00:08:41,180 --> 00:08:46,750 This is the same that you would do for site to site VPN with FortiGate firewalls.
101 00:08:46,760 --> 00:08:52,550 Again, if you're interested in this topic, site to site, not remote access VPN like this course, I have another
102 00:08:52,550 --> 00:08:54,830 one published already and available for you.
103 00:08:55,730 --> 00:08:57,970 So again, the connection is up.
104 00:08:58,010 --> 00:09:02,680 Everything is working now in the VPN.
105 00:09:02,720 --> 00:09:09,530 If you go into IPsec tunnels you have here, and it says one dial up connection, so the status has been
106 00:09:09,530 --> 00:09:12,910 changed to one dial up connection is in progress.
107 00:09:12,920 --> 00:09:16,250 Now logging and reporting.
108 00:09:16,250 --> 00:09:25,650 So this is the menu Logging and Reporting, going through VPN events you can see here logs specifically
109 00:09:25,650 --> 00:09:28,060 for this connection and so on.
110 00:09:28,080 --> 00:09:29,940 So it is working as expected.
111 00:09:29,970 --> 00:09:32,000 Let's now move on.
112 00:09:32,250 --> 00:09:41,370 I would like to show you some troubleshooting scenarios in the next section, but because, whether
113 00:09:41,370 --> 00:09:46,860 you're familiar or you're not familiar with this kind of troubleshooting in terms of VPN, it
114 00:09:46,860 --> 00:09:48,520 doesn't matter the vendor,
115 00:09:48,840 --> 00:09:55,620 you should expect that the logs and the debugs that are generated are not self-explanatory.
116 00:09:55,640 --> 00:09:57,710 So they're not easy to read.
117 00:09:57,710 --> 00:09:58,520 Not always.
118 00:09:58,520 --> 00:09:59,930 It depends on what's the problem.
119 00:09:59,930 --> 00:10:01,070 And so on.
120 00:10:01,070 --> 00:10:09,050 So the idea is that if you know what are the debugs generated when the setup works and you're familiar
121 00:10:09,050 --> 00:10:16,820 with these logs, it means that, or it should mean that, when something breaks you should
122 00:10:16,820 --> 00:10:19,580 spot the problem faster.
123 00:10:19,820 --> 00:10:27,410 And you're going to be able faster to generate a resolution and solve the problem, anyway.
124 00:10:27,530 --> 00:10:31,310 So what I would like to do now is break the connection.
125 00:10:31,310 --> 00:10:41,910 So let's say going to monitor, IPsec monitor, if I say right click, I'll say bring down, and are you sure?
126 00:10:41,940 --> 00:10:44,180 Yes, I'm sure.
127 00:10:44,260 --> 00:10:44,790 Good.
128 00:10:44,830 --> 00:10:52,120 And I would like to generate, or start logs on the HQ FortiGate and see exactly what are
129 00:10:52,120 --> 00:11:00,070 the debugs generated when the VPN is successful, and in the next section we will analyze the successful
130 00:11:00,070 --> 00:11:03,630 logs with the logs that I'm generating when something is broken.
131 00:11:04,210 --> 00:11:12,430 So let's say now diagnose debug application, and the application is IKE, Internet Key Exchange, and the
132 00:11:12,430 --> 00:11:13,840 level it's minus one.
133 00:11:13,840 --> 00:11:20,040 Just take it for granted, it means you will get all the debug.
134 00:11:20,350 --> 00:11:29,610 Now, are you there, so something is happening already, and diagnose debug enable. Good.
135 00:11:29,650 --> 00:11:39,540 And now let's go to the machine, Windows 10 machine, and initiate again the connection.
136 00:11:39,880 --> 00:11:44,130 So right click and open FortiClient console.
137 00:11:44,220 --> 00:11:52,950 It has already been connected, let's say disconnect, and user and fortinet.
138 00:11:53,410 --> 00:11:54,650 I'll just save the password.
139 00:11:55,460 --> 00:11:56,360 Let's look here
140 00:11:59,280 --> 00:12:02,030 so it's any tunnel down.
141 00:12:02,040 --> 00:12:02,620 Trap.
142 00:12:02,670 --> 00:12:04,790 Perfect.
143 00:12:04,800 --> 00:12:09,600 Now let's do the connection.
144 00:12:09,640 --> 00:12:10,510 So connecting
145 00:12:27,580 --> 00:12:30,790 FortiClient connected to HQ firewall.
146 00:12:31,330 --> 00:12:41,560 I will now say diagnose debug disable and let me just take the output from here.
147 00:12:41,660 --> 00:12:43,540 So I'm going up, up, up, up, up
148 00:12:47,660 --> 00:12:49,910 something to see
149 00:12:56,460 --> 00:12:57,670 and from here.
150 00:12:57,780 --> 00:13:02,470 So here's where this would start.
151 00:13:06,320 --> 00:13:10,100 You diagnose debug disable
152 00:13:13,600 --> 00:13:15,250 let me go the other way around.
153 00:13:35,670 --> 00:13:36,620 Let's say
154 00:13:44,760 --> 00:13:46,270 now that was a bad one.
155 00:13:52,190 --> 00:13:54,170 Oh I see, no
156 00:14:07,610 --> 00:14:12,950 logs are generated, then I'm not able to copy exactly everything that I want
157 00:14:25,840 --> 00:14:26,660 maybe now.
158 00:14:26,700 --> 00:14:31,410 Perfect, and I'm here
159 00:14:38,250 --> 00:14:40,840 so format and font
160 00:14:52,560 --> 00:14:53,350 this way.
161 00:14:59,650 --> 00:15:00,950 So let's see.
162 00:15:00,950 --> 00:15:07,650 So IKE, Internet Key Exchange, comes from this IP address coming to this IP address, nineteen ninety nineteen
163 00:15:07,650 --> 00:15:08,450 ninety.
164 00:15:08,480 --> 00:15:13,720 If you look on the diagram it's the Windows machine, which is perfect.
165 00:15:14,270 --> 00:15:20,900 So therefore the FortiGate firewall says that I have received a request, or an IKE request, for negotiation, an
166 00:15:20,900 --> 00:15:21,790 IKE packet,
167 00:15:21,810 --> 00:15:26,200 anyway, to my IP address 80 ADHD 81.
168 00:15:26,270 --> 00:15:28,890 So this is what it says here.
169 00:15:28,910 --> 00:15:32,680 So aggressive mode gets first message.
170 00:15:32,870 --> 00:15:33,760 What.
171 00:15:33,920 --> 00:15:34,340 What else.
172 00:15:34,340 --> 00:15:40,160 It's important: IKE version 1, so not version 2, in aggressive mode.
173 00:15:40,160 --> 00:15:46,330 And here is the negotiation result, proposal ID number one, ISAKMP, encapsulation IKE none.
174 00:15:47,000 --> 00:15:54,890 So it says here that, okay, we're using DES, DES CBC, and we're using also the SHA algorithm.
175 00:15:54,920 --> 00:16:01,040 So DES and SHA, pre-shared key, and the lifetime, should be this, good.
176 00:16:01,340 --> 00:16:06,000 So SA proposal chosen, matched gateway.
177 00:16:06,170 --> 00:16:10,790 What do we have configured, so remote access VPN, FortiClient connection.
178 00:16:10,790 --> 00:16:13,180 So this is good.
179 00:16:13,330 --> 00:16:14,740 What else, what else.
180 00:16:14,740 --> 00:16:24,760 It's important, and we should note, sending some XAUTH packages, or packets, and authentication.
181 00:16:24,770 --> 00:16:25,760 Okay, this is important.
182 00:16:25,770 --> 00:16:28,700 Pre-shared key authentication succeeded, authentication okay.
183 00:16:28,800 --> 00:16:35,010 We don't have any NAT, adding a new dynamic tunnel for this IP address on port five hundred.
184 00:16:35,010 --> 00:16:36,710 This is UDP.
185 00:16:36,810 --> 00:16:40,760 Let's look for the next step.
186 00:16:43,210 --> 00:16:51,230 So received extended authentication, user name user, with the specific password, length eight 14.
187 00:16:52,150 --> 00:16:53,380 Which is good.
188 00:16:58,220 --> 00:16:59,000 Okay.
189 00:16:59,000 --> 00:17:00,200 Known server
190 00:17:03,450 --> 00:17:04,860 now here is the IP address.
191 00:17:04,860 --> 00:17:12,120 We have seen on the virtual NIC on the Windows PC, so mode config assigned this IP address with
192 00:17:12,120 --> 00:17:14,720 this IPv4 subnet mask.
193 00:17:14,880 --> 00:17:20,090 So indeed, when you're connecting the remote worker to the HQ FortiGate firewall,
194 00:17:20,310 --> 00:17:23,780 again, an IP address that we have configured,
195 00:17:23,790 --> 00:17:32,940 we have specified on the HQ FortiGate firewall setup, is assigned from that pool to the remote
196 00:17:32,940 --> 00:17:33,550 worker.
197 00:17:33,660 --> 00:17:40,290 And this is the confirmation that this is the IP address and why we have this IP address on the remote
198 00:17:40,290 --> 00:17:41,270 worker.
199 00:17:41,760 --> 00:17:47,990 Going further, so IPv4 subnet 192.168.1.0.
200 00:17:48,010 --> 00:17:55,900 So you're going to have access to this subnet when trying to connect to some local resources, local
201 00:17:55,900 --> 00:18:04,480 meaning to resources in the HQ. What else, we should see something related also to Phase Two.
202 00:18:04,660 --> 00:18:09,920 So peer proposal is this, here is this one, 192.168.
203 00:18:09,930 --> 00:18:17,000 1 dot 200, and only that, meaning everything matched phase two.
204 00:18:17,000 --> 00:18:20,530 So here is the Phase 2 dynamic client, because we do not have,
205 00:18:20,780 --> 00:18:26,560 we do not have a specific and already specified IP address, so we can connect from anywhere.
206 00:18:26,620 --> 00:18:31,070 And again, from a cafe, from an airport and anything like that.
207 00:18:32,000 --> 00:18:34,480 So that's why we are a dynamic client.
208 00:18:34,490 --> 00:18:43,730 My proposal, proposal ID one, we are using IPsec and ESP for encapsulation, PFS group 14, DES,
209 00:18:44,770 --> 00:18:48,940 and encapsulation mode is tunnel, what else.
210 00:18:48,980 --> 00:18:54,240 And SHA, good, proposal ID number two.
211 00:18:54,410 --> 00:19:01,840 So multiple proposals are used, but the first matched proposal is the one that is going to be used.
212 00:19:01,940 --> 00:19:02,330 Good.
213 00:19:02,330 --> 00:19:09,010 So these are my proposal, incoming proposal is this, my proposal meaning what I have configured on myself,
214 00:19:09,040 --> 00:19:16,700 on the FortiGate firewall, and the incoming proposal, what is the remote worker FortiClient able
215 00:19:16,750 --> 00:19:23,750 to negotiate with me. If we are going to have Phase 1 and Phase 2 matching then we will be able to
216 00:19:23,750 --> 00:19:32,180 establish this remote VPN, and the negotiation result is here, proposal ID one, with this DES, ESP,
217 00:19:32,180 --> 00:19:37,950 DES and SHA1, so using tunnel mode, perfect.
218 00:19:38,090 --> 00:19:48,650 This is also important, adding a dynamic IPsec SA, so security association selector, good, adding a route,
219 00:19:48,740 --> 00:19:55,970 so something else that's doing behind the scenes of adding a route for the remote IP that's
220 00:19:55,970 --> 00:19:58,670 going to be configured on the remote worker.
221 00:19:58,670 --> 00:19:59,970 So basically the.
222 00:20:00,230 --> 00:20:07,940 So if you look here, basically the LAN PC has to have a route, or has to have some connectivity, in the
223 00:20:07,940 --> 00:20:10,070 other side going to the remote worker.
224 00:20:10,070 --> 00:20:18,080 So the HQ firewall is adding a route, as we can see here, for that specific IP address, again
225 00:20:18,170 --> 00:20:23,690 the LAN PC doesn't need to have a specific route because this is the HQ firewall, this is the
226 00:20:23,690 --> 00:20:30,590 default gateway, so anyway it will send all its packets to the firewall, but the firewall, to have connectivity
227 00:20:30,620 --> 00:20:37,070 to this IP because it is not in the LAN, it says OK, I will add a route so that I know that I can
228 00:20:37,400 --> 00:20:38,480 reach you.
229 00:20:38,920 --> 00:20:41,900 And how can I do that, through this gateway.
230 00:20:42,170 --> 00:20:43,670 So through this IP address.
231 00:20:43,670 --> 00:20:54,520 So that's the idea of adding this route. Now going further, let's say, so added IPsec with
232 00:20:54,600 --> 00:20:55,720 these SPI.
233 00:20:55,750 --> 00:20:56,140 Good.
234 00:20:57,520 --> 00:20:58,500 Now what else
235 00:21:01,330 --> 00:21:08,730 perfect, and now because the VPN is up there are just hello messages.
236 00:21:08,730 --> 00:21:10,740 Are you there, so saying that.
237 00:21:10,810 --> 00:21:11,780 OK, are you there.
238 00:21:11,790 --> 00:21:18,000 Yes, I'm here, so the VPN should still be up, we should not tear down the connection because we can see
239 00:21:18,000 --> 00:21:18,440 each other.
240 00:21:18,470 --> 00:21:25,250 So some kind of hello packets at specific intervals that those two are sending to each other and acknowledging.
241 00:21:25,260 --> 00:21:27,980 So you can see are you there message received.
242 00:21:28,170 --> 00:21:30,190 And I will send are you there.
243 00:21:30,190 --> 00:21:30,930 Acknowledge.
244 00:21:30,930 --> 00:21:39,760 So ACK, so I believe that's it, because we can see now only are you there and acknowledging the packet, are you there
245 00:21:39,770 --> 00:21:47,840 acknowledge, and this is everything we should know in terms of how the logs should appear in case
246 00:21:47,840 --> 00:21:56,600 of, or for, a working VPN setup, and in case something breaks we should see, hopefully we should
247 00:21:56,600 --> 00:22:02,870 see, some self explanatory messages, but I'm definitely not going to tell you that this is going
248 00:22:02,870 --> 00:22:03,410 to happen.
249 00:22:04,010 --> 00:22:06,450 And anyway, going.
250 00:22:06,450 --> 00:22:15,140 Going this way and trying a reverse engineering approach, like OK, I know how it works and what
251 00:22:15,140 --> 00:22:21,440 messages are logged when it works well, if it's not working then I will work my way from that point
252 00:22:21,440 --> 00:22:25,970 on and see where it breaks so that I can pinpoint the problem.
253 00:22:25,970 --> 00:22:26,960 So this is the problem.
254 00:22:26,960 --> 00:22:36,350 So anyway, let's say the shared secret password is not good, or maybe I'm not using correct
255 00:22:36,380 --> 00:22:41,240 parameters for Phase 1 or maybe for Phase 2 in the negotiation.
256 00:22:41,330 --> 00:22:45,030 So that will be all for this lecture and section.
257 00:22:45,020 --> 00:22:50,620 Now please join me in the next section where we will talk about different troubleshooting scenarios.
258 00:22:50,630 --> 00:22:51,170 Thanks a lot.