VPN S2S and SSL decryption in V-Wire mode


L0 Member
Hello,

I have a couple of doubts and I would like you to help me about it.

1.- Is it possible to perform an IPsec VPN when the firewall is in V-Wire mode? Only having an IP on the administration interface?

2.- Is it possible to perform SSL decryption when the firewall is in V-Wire mode? If so, what parameters should the digital certificate have?

Thank you very much for your help in this regard.
Cyber Elite

Hello there,
In both situations, you can do SSL and S2S VPNs with VWire... but... you will also need to configure a L3 interface/address that is private on your network. I have configured this on my PA220, when my ISP had its DHCP public IP (residential cable modem/router/all-in-one) and I wanted to set up a VPN.

For S2S VPN, you need to ensure that L3 interface is connected to your downstream switch (so that the Vwire AND this L3 interface are on the same broadcast domain).


Configure the IKE Gateway using the L3 interface and traffic will be able to pass through the VWire.


Now, SSL Inbound Inspection (where you take the public/private keys from your servers and put them onto the FW) should allow you to decrypt traffic as it passes through the FW downstream to your DMZ, or vice versa.

For SSL Forward Proxy, you may want to test it out, but you can try to leverage the ability to do SNAT or DNAT on traffic.

Example:  When VWire-trusted goes to VWire-Untrusted, then SNAT the traffic using a Translated Address object (vs an Interface Address).  If I created an Address Object called VWire-Translate with an IP of 9.9.9.9, then it would be this Translated Address object (of 9.9.9.9) that your traffic would be using.


If this does not work, then you would need to create a L3 interface to use for SSL Forward Proxy.


Read the SSL Decryption documentation and substitute your L3 interface for the CN field and you should be fine.

Help the community: Like helpful comments and mark solutions
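The reply above says to put the L3 interface in the CN field of the decryption certificate. The following is an added example (not from this thread or from Palo Alto Networks) showing, with plain OpenSSL, how to build such a certificate for SSL Forward Proxy and how to check its properties before importing it: Forward Proxy re-signs server certificates on the fly, so the forward trust certificate must be a CA certificate (basicConstraints CA:TRUE with keyCertSign usage), which a normal server certificate does not have. The interface address 192.0.2.1 and the file names are constructed placeholders; for SSL Inbound Inspection you import the server's own certificate and key instead, and no CA flag is needed.

```shell
#!/bin/sh
# Added example: generate a self-signed CA for SSL Forward Proxy whose CN is the
# firewall's L3 interface address, then verify the properties that matter.
# 192.0.2.1 is a placeholder for the L3 interface address (constructed value).
set -eu

WORKDIR=$(mktemp -d)
trap 'rm -rf "$WORKDIR"' EXIT

# Build a CA certificate and key. Forward Proxy signs impersonation
# certificates with it, so CA:TRUE and keyCertSign are mandatory.
gen_forward_proxy_ca() {
    cn="$1"; out="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=${cn}" \
        -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign,cRLSign" \
        -keyout "${out}.key" -out "${out}.crt" 2>/dev/null
}

# Build an ordinary leaf (server) certificate with the same CN. This is the
# kind of certificate people import by mistake; it must fail the check below.
gen_leaf_cert() {
    cn="$1"; out="$2"
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 365 \
        -subj "/CN=${cn}" \
        -addext "basicConstraints=critical,CA:FALSE" \
        -addext "keyUsage=critical,digitalSignature,keyEncipherment" \
        -keyout "${out}.key" -out "${out}.crt" 2>/dev/null
}

# Return 0 only if the certificate is a CA, may sign certificates, and carries
# the expected CN. Each failure prints the reason so the operator knows what
# to fix before importing the certificate on the firewall.
check_forward_proxy_ca() {
    cert="$1"; expected_cn="$2"
    text=$(openssl x509 -in "$cert" -noout -text)
    echo "$text" | grep -q 'CA:TRUE' \
        || { echo "REJECT: $cert is not a CA certificate (CA:TRUE missing)"; return 1; }
    echo "$text" | grep -q 'Certificate Sign' \
        || { echo "REJECT: $cert lacks keyCertSign key usage"; return 1; }
    # RFC2253 formatting gives "subject=CN=<value>" for a CN-only subject.
    cn=$(openssl x509 -in "$cert" -noout -subject -nameopt RFC2253 | sed 's/^subject=CN=//')
    [ "$cn" = "$expected_cn" ] \
        || { echo "REJECT: CN is '$cn', expected '$expected_cn'"; return 1; }
    echo "OK: $cert is usable as a Forward Proxy CA (CN=$cn)"
    return 0
}

# Stand-alone demo: a correct CA passes, a plain server certificate is rejected.
gen_forward_proxy_ca 192.0.2.1 "$WORKDIR/fwdtrust"
gen_leaf_cert        192.0.2.1 "$WORKDIR/leaf"
check_forward_proxy_ca "$WORKDIR/fwdtrust.crt" 192.0.2.1
if check_forward_proxy_ca "$WORKDIR/leaf.crt" 192.0.2.1; then
    echo "unexpected: leaf certificate accepted"
else
    echo "as expected: leaf certificate rejected"
fi
```

The script needs OpenSSL 1.1.1 or newer for `-addext`. Import the `.crt` and `.key` on the firewall and set the certificate as the Forward Trust certificate; the same check is worth running on any certificate exported from an internal PKI before it goes into the decryption profile.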

Hi,

Thank you very much for your response. I will do as indicated and I will tell you the results.

Regards.
