This scenario describes the configuration of two Gibraltar firewalls that connect two networks via an IPSec VPN tunnel. Additionally it shows how to configure PPTP so that external workers can connect to the LAN. User administration is handled by the local Gibraltar LDAP server.

System Requirements
A computer with two compatible network interfaces, or two Gibraltar Security Gateways, and a broadband Internet connection with static public IP addresses.
Note: All values given here are examples only. Adapt them to your own environment.
Installation of Gibraltar
Please install Gibraltar as described in the chapter Installation.
System configuration
Configure the system as described in Scenario 1.
Network settings - Network interface cards
Configure the network and routing as described in Scenario 2.
ATTENTION: Changing the IP address of the network card you use to access Gibraltar interrupts the connection. Adapt the IP address of your workstation accordingly.
Set default route
1. | Choose the tab Routing. |
2. | Default route: Enter the default route in this text field. You get this value from your provider. All packets that are not destined for another known network are forwarded to this address. |
3. | Save: Confirm your changes by clicking the Save button. |
Firewall rules
Configure the firewall rules as described in Scenario 2.
NAT rules
Configure the NAT rules as described in Scenario 2.
Connecting a remote computer to the internal network via PPTP
1. | Choose VPN in the main menu. |
3. | Choose the tab General settings. |
4. | Local IP (with netmask): Enter the IP address through which remote computers reach the internal network. This address has to lie in the internal network (e.g. 192.168.1.100/24). A netmask is required. |
5. | Remote IP from: Enter the first address of the range from which remote users are assigned IP addresses (e.g. 192.168.1.211). |
6. | Remote IP to: Enter the last address of that range (e.g. 192.168.1.220). With the range 192.168.1.211 - 192.168.1.220, 10 IP addresses are available for remote users. |
7. | Domain: Enter the domain to which the remote user should be assigned. |
8. | DNS server: Enter the DNS server. By default this is Gibraltar. |
9. | WINS server: Enter the WINS server the remote user should use (this field may be left blank). |
10. | Save: Confirm your changes by clicking the Save button. |
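The Local IP and the Remote IP range above must fit together: the pool has to lie inside the local network and must not collide with the network, broadcast or local address. The following check is an added example (not part of Gibraltar or of this guide) that validates such an address plan with the scenario's values before you enter them in the GUI.

```python
import ipaddress

# Constructed values taken from the PPTP settings in this scenario; adapt them to your network.
LOCAL_IP = "192.168.1.100/24"
REMOTE_FROM = "192.168.1.211"
REMOTE_TO = "192.168.1.220"


def check_pptp_pool(local_ip: str, remote_from: str, remote_to: str) -> dict:
    """Sanity-check a PPTP address plan before saving it in the GUI.

    Verifies that the remote pool lies inside the local network given by
    'Local IP (with netmask)', that it is ordered correctly, that it does not
    include the network, broadcast or local address, and reports its size,
    i.e. how many remote users can be connected at the same time.
    """
    local = ipaddress.ip_interface(local_ip)
    net = local.network
    first = ipaddress.ip_address(remote_from)
    last = ipaddress.ip_address(remote_to)
    problems = []

    if last < first:
        problems.append("'Remote IP to' lies before 'Remote IP from'")
        first, last = last, first  # continue the remaining checks on the sorted pair
    for addr in (first, last):
        if addr not in net:
            problems.append(f"{addr} is outside the local network {net}")
    for label, special in (("network", net.network_address), ("broadcast", net.broadcast_address)):
        if first <= special <= last:
            problems.append(f"pool contains the {label} address {special}")
    if first <= local.ip <= last:
        problems.append(f"pool overlaps the local IP {local.ip}")

    return {"network": str(net), "pool_size": int(last) - int(first) + 1, "problems": problems}


if __name__ == "__main__":
    result = check_pptp_pool(LOCAL_IP, REMOTE_FROM, REMOTE_TO)
    print(f"{result['pool_size']} addresses in {result['network']}")
    for p in result["problems"]:
        print("problem:", p)
```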
PPTP remote user
1. | Choose User in the main menu. |
2. | You are forwarded automatically to the tab LDAP Settings. |
3. | Choose local OpenLDAP in the drop-down field and then start the LDAP service on the same tab. |
5. | Add a new user by entering a username and password, and activate the checkbox VPN. |
6. | Save: Confirm your changes by clicking the Save button. |
Setting filter rules for PPTP access
1. | Choose Firewall in the main menu. |
2. | Choose the tab Firewall rules. |
3. | Incoming: Choose "ext0" as incoming interface. |
4. | Outgoing: Choose "local" as outgoing interface. |
5. | Go!: Click this button to display all filter rules for packets that come in on "ext0" and go to "local". |
6. | Add Rule: Click this button to add a new rule. |
7. | Service: Choose the value "pptp". |
8. | Source: Choose ANY from the selection box to allow all source addresses. |
9. | Destination: Choose ANY from the selection box to allow all destination addresses. |
10. | Save: Confirm your changes by clicking the Save button. |
To allow remote users to reach the network behind the firewall, you have to define additional rules that forward the traffic from the PPTP dial-in to the internal network.
1. | Choose the tab Firewall rules. |
2. | Incoming: Choose "ppp+" as incoming interface. |
3. | Outgoing: Choose "int0" as outgoing interface. |
4. | Go!: Click this button to display all filter rules for packets that come in on "ppp+" and go to "int0". |
5. | Add Rule: Click this button to add a new rule. |
6. | Source: Choose ANY from the selection box to allow all source addresses. |
7. | Destination: Choose ANY from the selection box to allow all destination addresses. |
8. | Service: Choose ANY from the selection box. |
9. | Save: Confirm your changes by clicking the Save button. |
Starting the PPTP server
1. | Choose Services in the main menu. |
2. | Available services: Select the option On next to PPTP. The PPTP server will be started automatically when Gibraltar boots. |
3. | Save: Confirm your changes by clicking the Save button. |
4. | Start service: Click this button next to PPTP if the PPTP server is not running. The service is started, the state changes to (started) and the button changes to Stop service. |
PPTP access is now configured and the remote user can log in to the internal network with his credentials.
For setting up the IPSec tunnel we use two Gibraltar firewalls ("gibraltar1" and "gibraltar2").
Starting the IPSec service
1. | Choose Services in the main menu. |
2. | Available services: Select the option On next to IPSec. The IPSec service will be started automatically when Gibraltar boots. |
3. | Save: Confirm your changes by clicking the Save button. |
4. | Start service: Click this button next to IPSec if the IPSec service is not running. The service is started, the state changes to (started) and the button changes to Stop service. |
IPSec
1. | Choose IPSec in the main menu. |
2. | Choose the tab General settings. |
3. | Activate for IPSec: Activate the checkboxes of the network interface cards on which IPSec should be enabled (e.g. "ext0"). |
4. | Save: Confirm your changes by clicking the Save button. |
Download certificate
To make the certificate known to the remote station, you have to download it and upload it to the remote firewall. For this we use the Gibraltar firewalls "gibraltar1" and "gibraltar2".
1. | Choose VPN in the main menu of "gibraltar1". |
2. | Choose Certificates in the sub menu. |
3. | Host certificates: This element group shows the self-created certificates and the certificates uploaded from the remote firewalls. |
4. | Download certificate: Click this button to download the certificate ("gibraltar.pem"). You are asked for a storage location. Rename the certificate so that you can later identify it unambiguously as the certificate of this firewall (e.g. "gibraltar1Cert.pem"). Afterwards you have to upload this certificate to the remote firewall. |
5. | Switch to the other firewall "gibraltar2", log in and upload the certificate "gibraltar1Cert" in the element group Host certificates. |
6. | Download the certificate "gibraltar.pem" from the firewall "gibraltar2" and, after renaming it (e.g. "gibraltar2Cert"), upload it to the firewall "gibraltar1" in the element group Host certificates. |
Each firewall now has the certificate of the remote station, and you can start configuring the tunnels.
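Because both files are called "gibraltar.pem" when downloaded and are renamed by hand, it is worth comparing certificate fingerprints before trusting the uploaded copy on the other firewall: compute the fingerprint where the file was downloaded, and again on the copy that is about to be uploaded. This is an added example using only the Python standard library (not a Gibraltar tool); the SHA-256 fingerprint of the DER bytes is independent of file name and line wrapping, and the sample certificates in the demo are constructed stand-ins, not real X.509 data.

```python
import base64
import hashlib
import re

PEM_CERT = re.compile(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", re.S)


def cert_fingerprints(pem_text: str) -> list:
    """Return the SHA-256 fingerprint of every certificate in a PEM text.

    The fingerprint is the hash of the DER bytes, so it is independent of the
    file name (gibraltar.pem vs. gibraltar1Cert.pem) and of line wrapping.
    """
    fingerprints = []
    for body in PEM_CERT.findall(pem_text):
        der = base64.b64decode("".join(body.split()))  # drop the PEM line breaks
        digest = hashlib.sha256(der).hexdigest().upper()
        fingerprints.append(":".join(digest[i:i + 2] for i in range(0, len(digest), 2)))
    return fingerprints


def same_certificate(downloaded_pem: str, uploaded_pem: str) -> bool:
    """True if both PEM texts carry exactly the same certificate(s)."""
    a, b = cert_fingerprints(downloaded_pem), cert_fingerprints(uploaded_pem)
    return bool(a) and a == b


def fingerprints_of_file(path: str) -> list:
    """Convenience wrapper: fingerprints of a PEM file on disk (e.g. gibraltar1Cert.pem)."""
    with open(path, encoding="ascii") as fh:
        return cert_fingerprints(fh.read())


def to_pem(der: bytes) -> str:
    """Wrap DER bytes in a PEM certificate block (used here only to build constructed samples)."""
    return ("-----BEGIN CERTIFICATE-----\n"
            + base64.encodebytes(der).decode("ascii")
            + "-----END CERTIFICATE-----\n")


if __name__ == "__main__":
    # Constructed stand-ins for the two host certificates; on the firewalls you would
    # call fingerprints_of_file("gibraltar1Cert.pem") on each side and compare.
    gib1 = to_pem(b"constructed DER of gibraltar1, not a real certificate")
    gib2 = to_pem(b"constructed DER of gibraltar2, not a real certificate")
    print("gibraltar1:", cert_fingerprints(gib1)[0])
    print("gibraltar2:", cert_fingerprints(gib2)[0])
    print("same file on both sides:", same_certificate(gib1, gib1))
    print("mixed up the two files:  ", same_certificate(gib1, gib2))
```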
Configuring an IPSec tunnel
1. | Choose VPN in the main menu of "gibraltar1". |
2. | Choose IPSec in the sub menu. |
4. | Add Tunnel: Click this button to add a new tunnel. |
5. | Name: Enter a name for the tunnel (e.g. "gib1Tunnel"). |
6. | State after start: Choose the state the tunnel should have after a restart of the IPSec service (e.g. "(standby)"). |
7. | Local IP: Choose the IP address of "gibraltar1" through which the tunnel should run. Only those IP addresses of network interface cards can be chosen that were activated for IPSec on the tab General settings. To connect two locations, use the public IP address. |
8. | Local subnet: Enter the local subnet here if it should be accessible over the IPSec tunnel. |
9. | Local certificate: Choose the certificate you created before ("gibraltar1Cert"). |
10. | Remote IP address: Enter the IP address of the remote firewall (the public IP address of "gibraltar2"). |
11. | Remote Subnet: Enter the subnet of the remote network if you want it to be accessible over the tunnel. |
12. | Authorization: Choose the authorization method (in this case X.509) and select the certificate of the remote firewall in the select box ("gibraltar2Cert"). |
13. | Save: Click this button to save the changes. You will be redirected to the overview. |
14. | Switch to the firewall "gibraltar2" and create a tunnel "gib2Tunnel" whose remote endpoint is the IP address of the firewall "gibraltar1". |
Starting/Stopping the IPSec tunnel
1. | Starting IPSec tunnel: Click this button to start the tunnel if the current state is (deactivated) or (standby). |
2. | Activate IPSec tunnel (standby mode): Click this button to set the tunnel to standby mode if the current state is (deactivated). |
3. | Stopping IPSec tunnel (standby mode): Click this button to set the tunnel to standby mode if the current state is (started). |
4. | Deactivate IPSec tunnel: Click this button to deactivate the IPSec tunnel if the current state is (standby) or (started). |
Setting filter rules for the IPSec tunnel
To allow the remote users to reach the network behind the firewall, you have to set additional filter rules for the IPSec tunnel. These rules forward the traffic from the IPSec tunnel to the internal network (FORWARDING rules).
1. | Choose Firewall in the main menu. |
2. | Choose the tab Firewall rules. |
3. | Incoming: Choose "ipsec0" as incoming interface. |
4. | Outgoing: Choose "int0" as outgoing interface. |
5. | Go!: Click this button to display all filter rules for packets that come in on "ipsec0" and go to "int0". |
6. | Add Rule: Click this button to add a new rule. |
7. | Service: Choose ANY from the selection box. |
8. | Source: Choose ANY from the selection box to allow all source addresses. |
9. | Destination: Choose ANY from the selection box to allow all destination addresses. |
10. | Save: Confirm your changes by clicking the Save button. |
11. | Incoming: Choose "int0" as incoming interface. |
12. | Outgoing: Choose "ipsec0" as outgoing interface. |
13. | Go!: Click this button to display all filter rules for packets that come in on "int0" and go to "ipsec0". |
14. | Add Rule: Click this button to add a new rule. |
15. | Service: Choose ANY from the selection box. |
16. | Source: Choose ANY from the selection box to allow all source addresses. |
17. | Destination: Choose ANY from the selection box to allow all destination addresses. |
18. | Save: Confirm your changes by clicking the Save button. |
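The filter rules of this scenario (the PPTP rules ext0 to local and ppp+ to int0, and the two IPSec rules between ipsec0 and int0) are all keyed on an incoming and an outgoing interface, so a rule only covers one direction. The model below is an added example, not Gibraltar's rule engine: it assumes first-match semantics with default deny and the iptables-style interface wildcard where a trailing "+" matches any interface with that prefix, and it runs some sample flows against the scenario's rules to show which traffic each rule admits.

```python
from dataclasses import dataclass

ANY = "ANY"


@dataclass(frozen=True)
class Rule:
    incoming: str          # incoming interface; a trailing "+" matches any interface with that prefix
    outgoing: str          # outgoing interface
    service: str = ANY     # e.g. "pptp"; ANY matches every service
    source: str = ANY      # ANY, or one address
    destination: str = ANY


def iface_matches(pattern: str, iface: str) -> bool:
    """Interface patterns behave like iptables names: "ppp+" matches ppp0, ppp1, ... (and pppoe0!)."""
    if pattern.endswith("+"):
        return iface.startswith(pattern[:-1])
    return pattern == iface


def is_allowed(rules, incoming, outgoing, service, source=ANY, destination=ANY) -> bool:
    """First matching rule accepts the flow; a flow matching no rule is dropped (default deny is assumed)."""
    for r in rules:
        if (iface_matches(r.incoming, incoming) and iface_matches(r.outgoing, outgoing)
                and r.service in (ANY, service)
                and r.source in (ANY, source)
                and r.destination in (ANY, destination)):
            return True
    return False


# Model of the rules entered in this scenario (constructed from the GUI steps, not exported from Gibraltar).
SCENARIO_RULES = [
    Rule("ext0", "local", "pptp"),   # remote workers may reach the PPTP server itself
    Rule("ppp+", "int0"),            # established PPTP sessions may reach the LAN
    Rule("ipsec0", "int0"),          # IPSec tunnel -> internal network
    Rule("int0", "ipsec0"),          # internal network -> IPSec tunnel
]

if __name__ == "__main__":
    flows = [
        ("ext0", "local", "pptp"),   # PPTP dial-in: allowed
        ("ext0", "local", "ssh"),    # any other service to the firewall from outside: dropped
        ("ppp3", "int0", "smb"),     # remote worker into the LAN via wildcard ppp+: allowed
        ("ext0", "int0", "smb"),     # Internet directly into the LAN: dropped
        ("ipsec0", "int0", "http"),  # remote site into the LAN through the tunnel: allowed
        ("ipsec0", "ext0", "http"),  # tunnel traffic trying to leave towards the Internet: dropped
    ]
    for inc, out, svc in flows:
        verdict = "ACCEPT" if is_allowed(SCENARIO_RULES, inc, out, svc) else "DROP"
        print(f"{inc:>7} -> {out:<6} {svc:<5} {verdict}")
```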
Save config
1. | Save your configuration to a USB stick. |