Thursday, 11 June 2009

Site A to Site B tunnel

Keeping site-to-site traffic simple has never been simple, and keeping it secure while also reducing the packets flowing over it is not easy either.

So what types of traffic will be going from site A to B?
Active Directory traffic and Replication
WINS/DNS
DFS
Microsoft SQL
PPTP

To keep your traffic as simple as you can, I would always recommend using a proxy at each end of the site-to-site VPN. For some traffic, like SQL replication, this might not be such a good idea because of the delay it can add, but I would still try to make it work through the proxy first and only then work around it.

Now, to give you an idea why I would do this, have a look at how many open ports you need for Active Directory:

RPC endpoint mapper 135/tcp, 135/udp
Network basic input/output system (NetBIOS) name service 137/tcp, 137/udp
NetBIOS datagram service 138/udp
NetBIOS session service 139/tcp
RPC dynamic assignment 1024-65535/tcp
Server message block (SMB) over IP (Microsoft-DS) 445/tcp, 445/udp
Lightweight Directory Access Protocol (LDAP) 389/tcp
LDAP ping 389/udp
LDAP over SSL 636/tcp
Global catalog LDAP 3268/tcp
Global catalog LDAP over SSL 3269/tcp
Kerberos 88/tcp, 88/udp
Domain Name Service (DNS) 53/tcp, 53/udp
Windows Internet Naming Service (WINS) resolution (if required) 1512/tcp, 1512/udp
WINS replication (if required) 42/tcp, 42/udp

As you can imagine, this is much harder to troubleshoot and keep track of than PPTP on TCP 1723.
This is the reason why I would suggest setting up a proxy at each end of the VPN. That's not to say you can't open up the ports, but to keep it secure you'll need to know the source and destination of all packets, and this can be something of an overhead on your configuration.

SQL Server uses 1433 and 1434; this can change depending on the server's settings, but for the most part it is quite easy.

So let's begin.
First of all we need a VPN between the sites. The one I like best is a VPN tunnel interface (VTI), as this gives you not only the VPN but also an interface on which you can set up all the ACL rules you want.

I'll use a fairly well-known example, I think, from Richard Deal's Complete Cisco VPN Configuration Guide; I found it a nice bit of night-time reading.

RouterA Configuration:
RTRA(config)# crypto isakmp policy 10
RTRA(config-isakmp)# encryption aes 128
RTRA(config-isakmp)# hash sha
RTRA(config-isakmp)# authentication pre-share
RTRA(config-isakmp)# group 2
RTRA(config-isakmp)# exit
RTRA(config)# crypto isakmp key cisco123 address 193.1.1.1 255.255.255.255 no-xauth
RTRA(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRA(cfg-crypto-trans)# exit
RTRA(config)# crypto ipsec profile VTI
RTRA(ipsec-profile)# set transform-set RTRtran
RTRA(ipsec-profile)# exit
RTRA(config)# interface tunnel 0
RTRA(config-if)# ip address 192.168.3.1 255.255.255.0
RTRA(config-if)# tunnel source 192.1.1.1
RTRA(config-if)# tunnel destination 193.1.1.1
RTRA(config-if)# tunnel mode ipsec ipv4
RTRA(config-if)# tunnel protection ipsec VTI
RTRA(config-if)# exit
RTRA(config)# interface Ethernet0/0
RTRA(config-if)# ip address 192.1.1.1 255.255.255.0
RTRA(config-if)# exit
RTRA(config)# interface Ethernet 1/0
RTRA(config-if)# ip address 192.168.1.1 255.255.255.0
RTRA(config-if)# exit
RTRA(config)# ip route 192.168.2.0 255.255.255.0 tunnel0


RouterB Configuration:
RTRB(config)# crypto isakmp policy 10
RTRB(config-isakmp)# encryption aes 128
RTRB(config-isakmp)# hash sha
RTRB(config-isakmp)# authentication pre-share
RTRB(config-isakmp)# group 2
RTRB(config-isakmp)# exit
RTRB(config)# crypto isakmp key cisco123 address 192.1.1.1 255.255.255.255 no-xauth
RTRB(config)# crypto ipsec transform-set RTRtran esp-aes esp-sha-hmac
RTRB(cfg-crypto-trans)# exit
RTRB(config)# crypto ipsec profile VTI
RTRB(ipsec-profile)# set transform-set RTRtran
RTRB(ipsec-profile)# exit
RTRB(config)# interface tunnel 0
RTRB(config-if)# ip address 192.168.3.2 255.255.255.0
RTRB(config-if)# tunnel source 193.1.1.1
RTRB(config-if)# tunnel destination 192.1.1.1
RTRB(config-if)# tunnel mode ipsec ipv4
RTRB(config-if)# tunnel protection ipsec VTI
RTRB(config-if)# exit
RTRB(config)# interface Ethernet0/0
RTRB(config-if)# ip address 193.1.1.1 255.255.255.0
RTRB(config-if)# exit
RTRB(config)# interface Ethernet 1/0
RTRB(config-if)# ip address 192.168.2.1 255.255.255.0
RTRB(config-if)# exit
RTRB(config)# ip route 192.168.1.0 255.255.255.0 tunnel0


So once you have your tunnel up and running, we can set up the access lists on the tunnel interfaces. Remember that you must have permitted the GRE protocol on the WAN interfaces for this to work.

In this next example we are using a PPTP connection between the two Active Directory controllers, so that only PPTP traffic needs to flow over the tunnel; the domain controllers are addressed on the third IP at each site (x.x.x.3).

access-list 108 permit tcp host 192.168.1.3 host 192.168.2.3 eq 1723

This can also be used by file servers with DFS, if remote access and routing is set up on both to use PPTP between them, or via the proxy.
DFS by default uses a number of ports that I would not recommend opening, for the same security reasons as with Active Directory.

In this final part I've allowed SQL traffic to travel without the PPTP connection, between the SQL servers at each site, which sit on IP 50 of the range (x.x.x.50).

access-list 108 permit tcp host 192.168.1.50 host 192.168.2.50 eq 1433
access-list 108 permit tcp host 192.168.1.50 host 192.168.2.50 eq 1434


Now it's important to note that if you are using this in a failover, you're going to need to allow all clients to connect to SQL, and if it's not part of the PPTP then you'll have to set the ACL with a larger allowance for sources.

access-list 108 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.50 eq 1433
access-list 108 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.50 eq 1434


Another note on this: if you're going to send the SQL traffic in the tunnel without PPTP because of the extra delay in response times, secure it by using a certificate authority and forcing encryption on the server protocols; however, this will mean you'll need to permit TCP 445 for the SQL as well.

Now that your rules are created, you can simply apply them to the tunnel interface (the interface-level command for this is ip access-group, not access-list):

interface tunnel 0
 ip access-group 108 out
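The lines above are a stateless, first-match list with an implicit deny at the end, and the point of the design is that everything not explicitly listed (LDAP, SMB, RPC between the DCs, PPTP from an ordinary client to the remote DC) is dropped at the tunnel. The following Python model, added here as an example and not part of the original post, parses access-list 108 and evaluates some constructed flows leaving Site A against it, so you can see which line permits a packet and which flows fall through to the implicit deny. Two lines in the constructed ACL are my additions beyond what the post shows and are marked as such: PPTP's data channel is GRE (IP protocol 47), so TCP 1723 alone is not enough for the DC-to-DC tunnel, and the SQL Browser service used for named-instance resolution listens on UDP 1434 rather than TCP. One further practitioner's caveat: a VTI in tunnel mode ipsec ipv4 carries its traffic on the WAN as ESP (IP protocol 50) plus ISAKMP on UDP 500 (UDP 4500 with NAT traversal), so a filter on the WAN interface needs those; the GRE the post mentions is what PPTP uses inside the tunnel. The parser only handles the shape of line the post uses (optional destination port via eq); source-port matching and ACL remarks are not modelled.

```python
import ipaddress
from dataclasses import dataclass
from typing import List, Optional, Tuple

# Constructed input: the post's access-list 108 lines, plus two lines the post does
# not show (assumptions, marked): PPTP's data channel is GRE, not only TCP 1723,
# and the SQL Browser service listens on UDP 1434 rather than TCP 1434.
ACL_108 = """
access-list 108 permit tcp host 192.168.1.3 host 192.168.2.3 eq 1723
access-list 108 permit gre host 192.168.1.3 host 192.168.2.3
access-list 108 permit tcp host 192.168.1.50 host 192.168.2.50 eq 1433
access-list 108 permit tcp host 192.168.1.50 host 192.168.2.50 eq 1434
access-list 108 permit tcp 192.168.1.0 0.0.0.255 host 192.168.2.50 eq 1433
access-list 108 permit udp 192.168.1.0 0.0.0.255 host 192.168.2.50 eq 1434
"""


@dataclass(frozen=True)
class Rule:
    action: str            # "permit" or "deny"
    proto: str             # "ip", "tcp", "udp", "gre", ...
    src: int               # source network as a 32-bit integer
    src_care: int          # bits that must match: the inverse of the IOS wildcard mask
    dst: int
    dst_care: int
    dport: Optional[int]   # None means "any destination port"


def _addr_spec(tokens: List[str], i: int) -> Tuple[int, int, int]:
    """Consume one IOS address spec at tokens[i]: 'any', 'host A', or 'A WILDCARD'.
    Returns (network, care_mask, index_of_next_token)."""
    if tokens[i] == "any":
        return 0, 0, i + 1
    if tokens[i] == "host":
        return int(ipaddress.IPv4Address(tokens[i + 1])), 0xFFFFFFFF, i + 2
    net = int(ipaddress.IPv4Address(tokens[i]))
    wildcard = int(ipaddress.IPv4Address(tokens[i + 1]))
    return net, (~wildcard) & 0xFFFFFFFF, i + 2


def parse_acl(text: str) -> List[Rule]:
    """Parse numbered extended ACL lines in the shape the post uses
    (optional destination port via 'eq'); source-port matches are not handled."""
    rules = []
    for line in text.strip().splitlines():
        t = line.split()
        if len(t) < 5 or t[0] != "access-list":
            continue
        action, proto = t[2], t[3]
        src, src_care, i = _addr_spec(t, 4)
        dst, dst_care, i = _addr_spec(t, i)
        dport = int(t[i + 1]) if i < len(t) and t[i] == "eq" else None
        rules.append(Rule(action, proto, src, src_care, dst, dst_care, dport))
    return rules


def evaluate(rules: List[Rule], proto: str, src: str, dst: str, dport: Optional[int] = None):
    """First matching line wins. Returns (action, 1-based line number); a flow that
    matches nothing returns ("deny", None), the implicit deny at the end of every ACL."""
    s = int(ipaddress.IPv4Address(src))
    d = int(ipaddress.IPv4Address(dst))
    for n, r in enumerate(rules, 1):
        if r.proto != "ip" and r.proto != proto:
            continue
        if (s & r.src_care) != (r.src & r.src_care):
            continue
        if (d & r.dst_care) != (r.dst & r.dst_care):
            continue
        if r.dport is not None and r.dport != dport:
            continue
        return r.action, n
    return "deny", None


# Constructed flows leaving Site A towards Site B over tunnel0 (addresses follow the post).
FLOWS = [
    ("DC-to-DC PPTP control",         "tcp", "192.168.1.3",  "192.168.2.3",  1723),
    ("DC-to-DC PPTP data (GRE)",      "gre", "192.168.1.3",  "192.168.2.3",  None),
    ("DC-to-DC LDAP outside PPTP",    "tcp", "192.168.1.3",  "192.168.2.3",  389),
    ("SQL-to-SQL 1433",               "tcp", "192.168.1.50", "192.168.2.50", 1433),
    ("client to SQL 1433 (failover)", "tcp", "192.168.1.77", "192.168.2.50", 1433),
    ("SQL-to-SQL SMB 445",            "tcp", "192.168.1.50", "192.168.2.50", 445),
    ("client PPTP to remote DC",      "tcp", "192.168.1.77", "192.168.2.3",  1723),
]


def check_flows(acl_text: str = ACL_108, flows=FLOWS):
    """Evaluate every constructed flow; returns [(name, action, matching line or None)]."""
    rules = parse_acl(acl_text)
    return [(name, *evaluate(rules, p, s, d, port)) for name, p, s, d, port in flows]


if __name__ == "__main__":
    for name, action, line in check_flows():
        where = f"line {line}" if line else "implicit deny"
        print(f"{name:32} {action:6} ({where})")
```

Running it shows the DC-to-DC LDAP flow and the SQL SMB 445 flow landing on the implicit deny, which is exactly what the post's notes about DFS/AD ports and encrypted SQL over 445 are about: anything you want through the tunnel outside PPTP has to be listed explicitly, and ordering matters because the first matching line decides.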


You should now be done and secure.

Best practice is also to have an access-list on the LAN interface to reduce the traffic on the router, but to set this up you will need to know more about your network.
