Creating a site-to-site SSL VPN

We want to establish secure, site-to-site VPN tunnels using an SSL connection. This VPN allows a branch office to connect to the head office. Users in the branch office will be able to connect to the head office LAN.

Objectives

When you complete this unit, you’ll know how to do the following:
  • Define LANs.
  • Add an SSL VPN (Site-to-Site) server connection.
  • Download the client configuration file.
  • Add an SSL VPN (Site-to-Site) client connection.
  • Troubleshoot SSL VPN settings.

Prerequisites

Before getting started, select the firewall that will act as the server. It is good practice to choose the more powerful unit if the two models differ. If one firewall has a dynamic IP address and the other a static IP address, make the firewall with the static IP address the server.

Define LANs

We create hosts for the head office and branch office networks.

The following steps are executed on the head office firewall.

  1. Go to Hosts and services > IP host and click Add.
  2. Create a host for the head office LAN.
  3. Click Save.
  4. Click Add.
  5. Create a host for the branch LAN.
  6. Click Save.
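The two hosts defined above become the networks routed through the tunnel, so they must not overlap: traffic for an overlapping prefix is delivered locally instead of entering the tunnel. The following check is an added example, not part of the original page or of the firewall's own tooling; the LAN addresses in it are constructed sample values, since the page names the hosts but gives no addresses. It accepts a list of networks per site, so it also covers sites with more than one LAN.

```python
import ipaddress

# Constructed sample LAN definitions (assumed values, not from the page).
HEAD_OFFICE_LANS = ["10.10.0.0/24"]
BRANCH_LANS = ["10.20.0.0/24"]


def check_site_lans(head_office_lans, branch_lans):
    """Validate the LAN definitions of both sites before they are used as VPN hosts.

    Returns a list of problems; an empty list means the definitions are usable.
    Every entry must parse as a network, and no head office LAN may overlap a
    branch LAN, because a route to the tunnel cannot win against a directly
    connected prefix.
    """
    problems = []
    parsed = {"head office": [], "branch": []}
    for site, texts in (("head office", head_office_lans), ("branch", branch_lans)):
        for text in texts:
            try:
                # strict=False accepts a host address written with its prefix
                # length (e.g. 10.10.0.1/24) and normalises it to the network.
                parsed[site].append(ipaddress.ip_network(text, strict=False))
            except ValueError as exc:
                problems.append(f"{site} LAN {text!r} is not a valid network: {exc}")

    # Overlap only matters across sites; networks of one site may overlap
    # each other (a supernet plus a subnet on the same firewall is common).
    for a in parsed["head office"]:
        for b in parsed["branch"]:
            if a.version == b.version and a.overlaps(b):
                problems.append(f"head office LAN {a} overlaps branch LAN {b}")
    return problems


if __name__ == "__main__":
    issues = check_site_lans(HEAD_OFFICE_LANS, BRANCH_LANS)
    print("\n".join(issues) if issues else "LAN definitions are usable for a site-to-site tunnel")
```

Run the check with the real prefixes of both sites before creating the hosts; an overlap reported here means one site has to be renumbered (or NATed), which is far cheaper to discover now than after the tunnel shows green but carries no traffic.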

Add an SSL VPN site-to-site server connection

We create a connection and download the file that will be used to configure the client system.

The following steps are executed on the head office firewall.

  1. Go to VPN > SSL VPN (site-to-site).
  2. In the Server section, click Add.
  3. Specify the logical name for the tunnel and the networks to be accessed through the tunnel.
  4. Click Save.
    The connection is created and it appears in the server list.
  5. Click and save the file that will be used to configure the client system.
    You can supply a password to encrypt the file, if required. The file format is .apc.

Add an SSL VPN site-to-site client connection

We use the file that was created on the server to create and configure the client connection.

The following steps are executed on the client firewall.

  1. Go to VPN > SSL VPN (site-to-site).
  2. In the Client section, click Add.
  3. Specify the settings.
    Option            Description
    Connection name   HQ_to_branch_client
  4. Click Choose file and select the file that you downloaded from the SSL VPN server.
  5. Click Save.

The new connection appears in the client list. The tunnel is operational when the status indicator shows green.

Troubleshooting VPN settings

SSL VPN settings are generally left at their defaults. Here are some of the most common changes that you may need to make:
  • Protocol: This is almost never changed from TCP; the VPN also works over UDP, provided both sides use the same protocol.
  • Override hostname: If your system has a hostname that is not publicly routable, add your public IP address here.
  • Cryptographic settings: You can change the cryptographic settings without affecting the tunnel's operation, as long as both sides of the tunnel use the same settings.
  • Compress SSL VPN traffic: If you would like to compress packets through the tunnel to conserve bandwidth, enable this option.
  • Enable debug mode: If you are having difficulties with the connection, you can enable debug mode to output extra information into the log file.
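Two of the items above account for most tunnels that stay red: a setting that differs between the two ends (protocol, cryptographic settings, compression), and a server hostname that the branch cannot reach because it resolves to a private address. The pre-flight check below is an added example, not part of the original page or of the firewall's own tooling. The two profiles are constructed sample values whose keys mirror the options listed above; the hostname vpn.example.com, the cipher names and the `resolver` parameter are assumptions made for the example, and the client-side protocol is deliberately set to differ so the mismatch is visible.

```python
import ipaddress
import socket

# Constructed example profiles (assumed values, not a real firewall's configuration).
SERVER_SIDE = {
    "protocol": "TCP",
    "override_hostname": "vpn.example.com",   # placeholder hostname
    "cryptographic_settings": {"cipher": "AES-256-CBC", "digest": "SHA256"},
    "compress_traffic": False,
}
CLIENT_SIDE = {
    "protocol": "UDP",   # deliberately differs from the server to show a mismatch being caught
    "cryptographic_settings": {"cipher": "AES-256-CBC", "digest": "SHA256"},
    "compress_traffic": False,
}

# Settings the page says must be identical on both ends of the tunnel.
MATCHED_KEYS = ("protocol", "cryptographic_settings", "compress_traffic")


def find_mismatches(server, client, keys=MATCHED_KEYS):
    """Return {setting: (server_value, client_value)} for every setting that differs."""
    return {k: (server.get(k), client.get(k))
            for k in keys if server.get(k) != client.get(k)}


def resolve(hostname):
    """Resolve a hostname with the system resolver; returns [] when it cannot be resolved."""
    try:
        infos = socket.getaddrinfo(hostname, None)
    except socket.gaierror:
        return []
    return sorted({info[4][0] for info in infos})


def check_override_hostname(value, resolver=resolve):
    """Check what the client will be told to connect to.

    Returns (ok, detail). The branch can only reach the server if the name or
    address it is handed maps to a globally routable IP; a private, reserved or
    unresolvable value is exactly the case where the page says to put the public
    IP address into Override hostname. `resolver` is injectable so the check can
    run offline.
    """
    try:
        addresses = [ipaddress.ip_address(value)]   # value is already an IP literal
    except ValueError:
        resolved = resolver(value)
        if not resolved:
            return False, f"{value!r} does not resolve; set the public IP address in Override hostname"
        addresses = [ipaddress.ip_address(a) for a in resolved]
    non_global = [str(a) for a in addresses if not a.is_global]
    if non_global:
        return False, (f"{value!r} maps to non-public address(es) {non_global}; "
                       "set the public IP address in Override hostname")
    return True, f"{value!r} is reachable via {[str(a) for a in addresses]}"


def preflight(server, client, resolver=resolve):
    """Run both checks; returns a list of findings (empty means nothing to fix)."""
    findings = [f"{k}: server={s!r} client={c!r}"
                for k, (s, c) in find_mismatches(server, client).items()]
    ok, detail = check_override_hostname(server["override_hostname"], resolver)
    if not ok:
        findings.append(detail)
    return findings


if __name__ == "__main__":
    # Stub resolver standing in for DNS that answers with an internal address.
    for line in preflight(SERVER_SIDE, CLIENT_SIDE, resolver=lambda host: ["192.168.10.1"]):
        print(line)
```

`is_global` from the standard library treats RFC 1918 space, loopback, link-local and the documentation ranges as non-public, so the hostname check also catches a server whose DNS name was entered with an internal split-horizon address. Run this from the branch side, with the real resolver, before turning on debug mode: a finding here is resolved in the settings, not in the log.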